Change log for AZURE_AD
| Date | Changes |
|---|---|
| 2025-06-10 | Enhancement:
- event.idm.read_only_udm.principal.location.country_or_region: Newly mapped `properties.location` raw log field with `event.idm.read_only_udm.principal.location.country_or_region` UDM field. - Removed the redundant code block. |
| 2025-05-06 | Enhancement:
- `event.idm.ready_only_udm.security_result.description`: Newly mapped `policy.result` raw log field with `event.idm.ready_only_udm.security_result.description` UDM field. - `event.idm.read_only_udm.security_result.rule_name`: Removed mapping of `apc.displayName` from `event.idm.read_only_udm.security_result.rule_name` UDM field and mapped `policy.displayName` instead - `event.idm.read_only_udm.security_result.rule_id`: Removed mapping of `apc.id` from `event.idm.read_only_udm.security_result.rule_id` UDM field and mapped `policy.id` instead - `event.idm.read_only_udm.security_result.rule_labels`: Removed mapping of `apc.Result` from `event.idm.read_only_udm.security_result.rule_labels` UDM field and mapped `policy.Result` instead - `event.idm.ready_only_udm.about.user.user_display_name`: Removed mapping of `policy.displayName` from `event.idm.ready_only_udm.about.user.user_display_name` UDM field. - `event.idm.ready_only_udm.about.user.userid`: Removed mapping of `policy.id` from `event.idm.ready_only_udm.about.user.userid` UDM field. - `event.idm.read_only_udm.about.labels`: Removed mapping of `policy.result` from `event.idm.read_only_udm.about.labels` UDM field. |
| 2025-04-22 | Enhancement:
- 'event.idm.read_only_udm.target.user.userid' : Newly mapped 'properties.servicePrincipalName' raw log field with 'event.idm.read_only_udm.target.user.userid'. - 'event.idm.read_only_udm.target.user.product_object_id' : Newly mapped 'properties.servicePrincipalId' raw log field with 'event.idm.read_only_udm.target.user.product_object_id'. - 'event.idm.read_only_udm.additional.fields' : Newly mapped 'properties.riskLevelAggregated' and 'properties.riskLevelDuringSignIn' raw log field with 'event.idm.read_only_udm.additional.fields'. - Added a null check condition before mapping 'properties.authenticationProcessingDetails' to 'event.idm.read_only_udm.additional.fields'. |
| 2025-03-18 | Enhancement:
- Mapped "record.AuthenticationProtocol" to "security_result.detection_fields". - Mapped "properties.authenticationProtocol" to "security_result.detection_fields". - Mapped "authenticationProtocol" to "security_result.detection_fields". - Mapped "properties.sessionId" to "network.session_id". - Mapped "properties.uniqueTokenIdentifier" to "additional.fields". - Mapped "properties.appServicePrincipalId" to "additional.fields". - Mapped "properties.autonomousSystemNumber" to "additional.fields". - Mapped "properties.resourceOwnerTenantId" to "additional.field". |
| 2025-02-27 | Enhancement:
- Mapped "operationName" to "additional.fields". - Mapped "displayName" to "principal.hostname". - When "has_target_user" is "true" and "has_principal_user" is "true", then mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS". |
| 2025-02-13 | Enhancement:
- Mapped "ActorIpAddress" to "principal.ip" and "principal.asset.ip". - Mapped "ClientIP" to "target.ip" and "target.asset.ip". - Mapped "ApplicationId", "ActorContextId", "InterSystemsId", and "IntraSystemId" to "security_result.detection_fields". - Mapped "ObjectId" to "principal.resource.product_object_id". - Mapped "Operation" to "metadata.product_event_type". - Mapped "OrganizationId" to "principal.resource.id". - Mapped "RecordType", "SupportTicketId", and "TargetContextId" to "security_result.detection_fields". - Mapped "targets.ID" and "targets.Type" to "target.resource.attribute.labels". - Mapped "UserId" to "principal.user.userid". - Mapped "ResultStatus", "ErrorNumber", and "Workload" to "additional.fields". - Mapped "Version" to "metadata.product_version". - Mapped "UserKey" and "UserType" to "principal.user.attribute.labels" - Mapped "DeviceProperties.ID" to "principal.asset_id". - Mapped "DeviceProperties.DisplayName" to "principal.user.user_display_name". - Mapped "DeviceProperties.SessionId" to "network.session_id". - Mapped "extendedproperty.UserAgent" to "network.http.user_agent" and "network.http.parsed_user_agent". - Mapped "Actor.ID" and "Actor.Type" to "principal.resource.attribute.labels". - Mapped "AssociatedAdminUnits" to "security_result.detection_fields". - Mapped "AzureActiveDirectoryEventType" to "security_result.summary". - Mapped "CreationTime" to "metadata.event_timestamp". |
| 2025-01-11 | Enhancement:
- Moved "security_result.summary", "security_result.severity", "security_result.rule_id", "security_result.action", and "security_result.category" out of conditional check. |
| 2024-12-05 | Enhancement:
- Added support for new format of JSON logs. |
| 2024-10-07 | Enhancement:
- Mapped "properties.userPrincipalName" to "target.user.userid". |
| 2024-09-04 | Enhancement:
- Removed mapping of "correlationId" from "network.session_id". |
| 2024-08-22 | Enhancement:
- When "displayName" is "iphone", then mapped to "principal.resource.attribute.labels". |
| 2024-07-05 | Enhancement:
- Mapped "isInteractive" to "security_result.detection_fields". |
| 2024-06-03 | - Changed mapping of "policies.displayName" from "about.user.user_display_name" to "security_result.rule_name".
- Changed mapping of "policies.id" from "about.user.userid" to "security_result.rule_id". - Changed mapping of "policies.result" from "about.labels" to "security_result.detection_fields". |
| 2024-05-29 | Enhancement:
- When "status.errorCode" is "0", then set "security_result.action" to "ALLOW". |
| 2024-05-13 | Bug-Fix:
- Mapped "userPrincipalName" to "target.user.userid". |
| 2024-05-10 | Enhancement:
- Mapped "networkLocationDetails.n.networkNames", "properties.networkLocationDetails.n.networkNames", "networkLocationDetails.n.networkType" and "properties.networkLocationDetails.n.networkType" to "additional.fields". - Mapped "properties.userAgent" and "userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent". |
| 2024-05-03 | Bug-Fix:
- Added "on_error" check before mapping "target.modifiedProperties.n.newValue". - Mapped "target.modifiedProperties.n.oldValue" and "target.modifiedProperties.n.displayName" to "target.resource.attribute.labels". - Mapped "activityDisplayName" to "security_result.summary". |
| 2024-04-30 | Enhancement:
- Mapped "properties.authenticationDetails", "properties.networkLocationDetails", "properties.authenticationRequirementPolicies", "networkLocationDetails" and "authenticationRequirementPolicies" to "security_result.detection_fields". |
| 2024-04-02 | Enhancement:
- Mapped "authenticationRequirement" to "additional.fields". |
| 2024-04-02 | Enhancement:
- Mapped "authenticationRequirement" to "additional.fields". |
| 2024-04-02 | Enhancement:
- Mapped "authenticationRequirement" to "additional.fields". |
| 2024-02-26 | Enhancement:
- Mapped "appliedConditionalAccessPolicies" to "security_result". - Mapped "isInteractive" to "extensions.auth.mechanism". - Mapped "location.geoCoordinates.altitude" to "additional.fields". |
| 2024-02-09 | Enhancement:
- Mapped "authenticationDetails.authenticationMethod", "authenticationDetails.authenticationMethodDetail", "authenticationDetails.authenticationStepResultDetail", "authenticationDetails.authenticationStepDateTime", and "authenticationDetails.authenticationStepRequirement" to "security_result.detection_fields". - Mapped "authenticationDetails.succeeded" to "security_result.action". - Mapped "status.additionalDetails" to "security_result.description". |
| 2024-01-11 | Enhancement:
- Mapped "correlationId" to "security_result.detection_fields". |
| 2023-11-20 | Enhancement:
- Mapped "tenantId" to "metadata.product_deployment_id". - Mapped "Level" to "security_result.severity_details" and "security_result.severity". - Mapped "properties.userDisplayName" to "target.user.user_display_name". - Mapped "identity" to "target.user.user_display_name". - Mapped "properties.activityDateTime" to "metadata.event_timestamp". - Mapped "properties.activity" to "security_result.summary". - Mapped "resultSignature", "properties.riskLevel", "properties.isGuest", "properties.isDeleted", "properties.isProcessing", "properties.riskLastUpdatedDateTime", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskDetail", "properties.source", "properties.detectionTimingType" "properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.tokenIssuerType", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType", "durationMs" to "additional.fields". - Mapped "resourceId" to "target.resource.product_object_id". - Mapped "properties.location.geoCoordinates.longitude" and "location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude". - Mapped "properties.location.geoCoordinates.latitude" and "location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude". |
| 2023-07-12 | Enhancement:
- Mapped "deviceDetail.isCompliant", "deviceDetail.isManaged", "deviceDetail.trustType" to "principal.asset.attribute.labels". - Mapped "deviceDetail.deviceId" to "principal.asset.asset_id". - Mapped "deviceDetail.browser" to "network.http.user_agent". - Mapped "deviceDetail.operatingSystem" to "principal.platform_version". - Mapped "status.failureReason" to "additional.fields". - Mapped "status.errorCode" to "security_result.rule_id". - Mapped "deviceDetail.displayName" to "principal.asset.hardware". |
| 2023-03-14 | Enhancement:
- Mapped "browser" to "principal.resource.attribute.labels". - Mapped "isCompliant", "isManaged", "trustType", to "principal.asset.attribute.labels". - Mapped "domain" form "userPrincipalName" to "principal.administrative_domain". |
| 2022-12-16 | Enhancement:
- Added conditional check for the field 'initiatedBy.user.userPrincipalName' and mapped to 'principal.user.email_addresses'. |
| 2022-10-28 | Enhancement:
- Mapped "additionalDetails.0.value" to "network.http.user_agent". - Mapped "additionalDetails.1.value" to "target.resource.attribute.labels". - Mapped "Id" to "metadata.product_log_id". - Mapped "initiatedBy.user.id" to "principal.user.userid". - Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name". - Mapped "initiatedBy.user.ipAddress" to "principal.ip". - Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses". - Mapped "operationType" to "security_result.action_details". - Mapped "target.displayName" to "target.resource.name". - Mapped "target.id" to "target.resource.id". - Mapped "target.type" to "target.resource.type". - Mapped "field.newValue" to "target.resource.product_object_id" if field.displayName is "AppRole.Id" else mapped "field.newValue" to "target.resource.attribute.labels". - Added check for errorCode. - Mapped "loggedByService" to "target.application". - Mapped "activityDisplayName" to "metadata.product_event_type". - Mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal". |
| 2022-08-25 | Enhancement:
- If "properties.initiatedBy.user.userPrincipalName" matches "email regex pattern" then mapped to "principal.user.email_addresses" else mapped to "principal.user.userid". - If "properties.userPrincipalName" or "userPrincipalName" matches "email regex pattern" then mapped to "target.user.email_addresses" else mapped to "target.user.userid". |
| 2022-08-11 | Enhancement:
- Removed drop tag "TAG_MALFORMED_ENCODING". - Added "event_type" "GENERIC_EVENT". |
| 2022-05-29 | Enhancement - Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'.
Mapped the field 'level' to 'security_result.severity_details'. Mapped the field 'properties.result' to 'security_result.action_details'. |
| 2022-04-20 | Bug-fix - Parsed the logs with event "appDisplayName": "NotApplicable".
- Modified the for loop for the field 'riskEventTypes'. |