Change log for AZURE_AD_SIGNIN
| Date | Changes |
|---|---|
| 2025-07-01 | Enhancement: |
| | Renamed the following new raw log fields to their corresponding old raw log field names so that the existing UDM mappings still apply: `RiskDetail` -> `riskDetail`, `RiskLevelAggregated` -> `riskLevelAggregated`, `RiskLevelDuringSignIn` -> `riskLevelDuringSignIn`, `RiskState` -> `riskState`, `ResourceDisplayName` -> `resourceDisplayName`, `ResourceId` -> `resourceId`, `ResultSignature` -> `resultSignature`. |
| | Added a condition check so that the `ConditionalAccessPolicies` raw log field is passed through its mappings only when it contains a string value, preventing parsing errors. |
| | Added for loops over the `ConditionalAccessPolicies`, `apc.enforcedSessionControls`, and `apc.enforcedGrantControls` raw log fields to parse their respective entries. |
| | `event.idm.read_only_udm.security_result.rule_name`: newly mapped from the `apc.displayName` raw log field. |
| | `event.idm.read_only_udm.security_result.rule_id`: newly mapped from the `apc.id` raw log field. |
| | `event.idm.read_only_udm.security_result.rule_labels`: newly mapped from the `apc.Result`, `apc.conditionsSatisfied`, `apc.conditionsNotSatisfied`, `apc.enforcedGrantControls`, and `apc.enforcedSessionControls` raw log fields. |
| | `event.idm.read_only_udm.security_result.detection_fields`: newly mapped from the `SourceSystem`, `SessionLifetimePolicies`, `SessionId`, `ResourceTenantId`, `ResourceOwnerTenantId`, `TokenProtectionStatusDetails.signInSessionStatusCode`, `TokenProtectionStatusDetails.signInSessionStatus`, `DeviceDetail.browser`, and `DeviceDetail.operatingSystem` raw log fields. |
| | `event.idm.read_only_udm.principal.user.attribute.labels`: newly mapped from the `ResourceServicePrincipalId` raw log field. |
| | `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `ResourceIdentity` raw log field. |
| | `event.idm.read_only_udm.additional.fields`: newly mapped from the `Resource`, `ProcessingTimeInMilliseconds`, `OriginalTransferMethod`, `OriginalRequestId`, `Status.additionalDetails`, `RiskEventTypes_V2`, and `IncomingTokenType` raw log fields. |
| | `event.idm.read_only_udm.principal.location.city`: newly mapped from the `LocationDetails.city` raw log field. |
| | `event.idm.read_only_udm.principal.location.country_or_region`: newly mapped from the `LocationDetails.countryOrRegion` raw log field. |
| | `event.idm.read_only_udm.principal.location.state`: newly mapped from the `LocationDetails.state` raw log field. |
| | `event.idm.read_only_udm.principal.location.region_coordinates.latitude`: newly mapped from the `LocationDetails.geoCoordinates.latitude` raw log field. |
| | `event.idm.read_only_udm.principal.location.region_coordinates.longitude`: newly mapped from the `LocationDetails.geoCoordinates.longitude` raw log field. |
| 2024-10-17 | Enhancement: |
| | Mapped `userDisplayName` to `principal.user.user_display_name`. |
| | Mapped `userPrincipalName` to `principal.user.email_addresses`. |
| | Mapped `appDisplayName` to `principal.application`. |
| | Mapped `ipAddress` to `principal.ip` and `principal.asset.ip`. |
| | Mapped `userId` to `principal.user.userid`. |
| | Mapped `resourceDisplayName` to `target.application`. |
| | Mapped `status.errorCode` to `network.http.response_code`. |
| | Mapped `failureReason` to `security_result.summary`. |
| | Mapped `deviceDetail.operatingSystem` to `principal.platform`. |
| | Mapped `appId`, `clientAppUsed`, `conditionalAccessStatus`, `deviceDetail.deviceId`, `deviceDetail.deviceName`, `deviceDetail.browser`, `deviceDetail.isCompliant`, `deviceDetail.isManaged`, and `deviceDetail.trustType` to `security_result.detection_fields`. |
| | Mapped `location.city` to `principal.location.city`. |
| | Mapped `location.state` to `principal.location.state`. |
| | Mapped `location.countryOrRegion` to `principal.location.country_or_region`. |
| | Mapped `location.geoCoordinates.latitude` to `principal.location.region_coordinates.latitude`. |
| | Mapped `location.geoCoordinates.longitude` to `principal.location.region_coordinates.longitude`. |
| 2024-07-18 | Enhancement: added support for JSON logs containing an array of logs. |
| 2024-05-07 | Newly created parser. |
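The 2025-07-01 field renames and the string-only handling of `ConditionalAccessPolicies`, as an added Python illustration (not the parser's own code): the sign-in record and policy values below are constructed, and the policy keys are assumed to use Azure's camelCase names such as `result` and `displayName`.

```python
import json

# Constructed sign-in record: new PascalCase names, policies as a JSON string.
SAMPLE_SIGNIN = {
    "RiskLevelDuringSignIn": "medium",
    "RiskState": "atRisk",
    "ConditionalAccessPolicies": json.dumps([{
        "id": "00000000-0000-0000-0000-000000000001",
        "displayName": "Require MFA for all users",
        "result": "success",
        "conditionsSatisfied": 3, "conditionsNotSatisfied": 0,
        "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": ["SignInFrequency"],
    }]),
}

# New raw field name -> old raw field name (the 2025-07-01 renames).
FIELD_RENAMES = {
    "RiskDetail": "riskDetail", "RiskLevelAggregated": "riskLevelAggregated",
    "RiskLevelDuringSignIn": "riskLevelDuringSignIn", "RiskState": "riskState",
    "ResourceDisplayName": "resourceDisplayName", "ResourceId": "resourceId",
    "ResultSignature": "resultSignature",
}

def rename_fields(raw):
    # Fold the new names back onto the old ones so existing mappings still apply.
    out = dict(raw)
    for new, old in FIELD_RENAMES.items():
        if new in out and old not in out:
            out[old] = out.pop(new)
    return out

def parse_policies(raw):
    # Decode the field only when it is a string; anything else is skipped.
    value = raw.get("ConditionalAccessPolicies")
    try:
        policies = json.loads(value) if isinstance(value, str) else []
    except json.JSONDecodeError:
        policies = []
    return policies if isinstance(policies, list) else []

def security_results(raw):
    # One security_result per policy; list-valued controls become repeated labels.
    results = []
    for apc in parse_policies(raw):
        labels = [{"key": k, "value": str(apc[k])} for k in
                  ("result", "conditionsSatisfied", "conditionsNotSatisfied") if k in apc]
        for field in ("enforcedGrantControls", "enforcedSessionControls"):
            labels += [{"key": field, "value": c} for c in apc.get(field, [])]
        results.append({"rule_name": apc.get("displayName"),
                        "rule_id": apc.get("id"), "rule_labels": labels})
    return results
```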