Change log for AZURE_NSG_FLOW
Date | Changes |
---|---|
2025-05-20 | Enhancement:<br>- Modified the conditional statement for `message` to exclude messages that also contain `flowRecords`.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: newly mapped from the `record.time` raw log field.<br>- `event.idm.read_only_udm.metadata.product_log_id`: newly mapped from the `record.flowLogGUID` raw log field.<br>- `event.idm.read_only_udm.security_result.about.resource.name`: newly mapped from the `record.flowLogResourceID` raw log field.<br>- `event.idm.read_only_udm.metadata.product_version`: newly mapped from the `record.flowLogVersion` raw log field.<br>- `event.idm.read_only_udm.principal.mac`: newly mapped from the `record.macAddress` raw log field.<br>- `event.idm.read_only_udm.metadata.product_event_type`: newly mapped from the `record.operationName` raw log field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: newly mapped from the `records.flowRecords.flows.aclID` raw log field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: newly mapped from the `record.flowRecords.flows.flowGroups.rule` raw log field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: newly mapped from the `record.flowRecords.flows.flowGroups.flowTuples` raw log field. |
2025-02-24 | Enhancement:<br>- Mapped `properties.primaryIPv4Address` to `principal.ip` and `principal.asset.ip`.<br>- Mapped `properties.macAddress` to `principal.mac`.<br>- Mapped `properties.ruleName` to `security_result.rule_name`.<br>- Mapped `properties.direction`, `properties.conditions.sourcePortRange`, `properties.conditions.destinationPortRange`, `properties_priority` and `properties.type` to `security_result.about.labels`.<br>- Mapped `systemId` to `target.asset_id`.<br>- Mapped `properties_vnetResourceGuid` to `principal.asset_id`.<br>- Mapped `record_resourceId` to `target.resource.product_object_id`.<br>- Mapped `appname` to `target.application`.<br>- Mapped `subcriptionid`, `rscgrp` and `rscname` to `target.resource.attribute.labels`. |
2025-01-16 | Enhancement:<br>- Changed the `match` mapping from `record.time` to `time`. |
2024-11-26 | Enhancement:<br>- Added support for the new JSON log format. |
2022-04-18 | Enhancement:<br>- Added mappings for `principal.ip` in place of `src.ip`. |