Change log for AZURE_RESOURCE_LOGS

Date Changes
2024-10-17 Enhancement:
- Mapped "count", "total", "minimum", "ApiName", "Authentication", "ScaleUnit", "pod", and "containerID" to "security_result.detection_fields".
- Mapped "Region" to "principal.location.name".
- Mapped "processId" to "principal.process.pid".
- Mapped "action" to "security_result.action_details".
2024-08-29 Enhancement:
- Added support for new pattern of JSON logs.
2024-07-24 Enhancement:
- Mapped "Role.DisplayName", "Role.TemplateId" to "security_result.detection_fields".
- Initialized "authenticationStepResultDetail" to parse unparsed logs.
2024-05-10 Bug-Fix:
- Changed mapping of "conditionalAccessStatus" from "security_result.about.labels" to "security_result.about.resource.attribute.labels".
2024-03-13 Enhancement:
- Mapped additional fields for "AADNonInteractiveUserSignInLogs", "AADManagedIdentitySignInLogs", "AADProvisioningLogs", and "AADServicePrincipalSignInLogs".
- Mapped "properties.correlationId" to "security_result.detection_fields".
2023-12-11 Enhancement:
- Mapped "properties.requestId", "properties.riskEventType", "properties.tokenIssuerType" and "properties.keyIds" to "target.resource.attribute.labels".
- Mapped "properties.detectionTimingType" to "additional.fields".
- Mapped "properties.appliedConditionalAccessPolicies" to "about.labels".
- Mapped "properties.authenticationProcessingDetails" to "security_result.detection_fields".
- Mapped "properties.additionalInfo.userAgent" to "network.http.user_agent".
- Mapped "properties.additionalInfo.alertUrl" to "target.url".
2023-10-04 Bug-Fix:
- Added 'on_error' to the JSON filter; when the JSON filter fails, the log is dropped with tag 'TAG_MALFORMED_MESSAGE'.
- When the 'CONVERT' filter that converts 'properties.ScStatus', 'properties.statusCode', 'statusCode', 'record.properties.ScStatus', and 'record.properties.statusCode' to integer succeeds, mapped the value to 'network.http.response_code'.
- Added a condition for 'responseStatus.code' and 'record.responseStatus.code': when 'on_error' for 'CONVERT' is not set, mapped the value to 'network.http.response_code'.
2023-09-04 Enhancement:
- Mapped the following fields under "properties.additionalDetails":
- Mapped value as 'metadata.product_deployment_id' where key is 'TenantId'.
- Mapped value as 'security_result.rule_id' where key is 'PolicyId'.
- Mapped value as 'network.http.user_agent' where key is 'Client'.
- Mapped value as 'principal.user.email_addresses' where key is 'LocalAccountUsername'.
- Mapped value as 'principal.administrative_domain' where key is 'DomainName'.
- Mapped 'properties.targetResources.userPrincipalName' to 'target.user.email_addresses'.
- Mapped 'properties.initiatedBy.app.appId' to 'target.resource.attribute.labels'.
2023-08-04 Enhancement:
- Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid".
2023-07-10 Enhancement:
- Initialized "UnderlayClass", "record.UnderlayClass", "UnderlayName", and "record.UnderlayName" fields and checked them for null.
2022-11-18 Enhancement:
- "security_result.action" was BLOCK by default; added a condition so that it is set to "BLOCK" only if "properties.succeeded" is "false", "statusText" is "fail"/"false", or "resultType" is "fail"/"failed".
2022-11-11 Bug-Fix:
- Added null check for "properties.log.annotations.authorization".
- Added on_error statement for "properties.log.annotations.authorization.k8s.io/decision" and "properties.log.annotations.authorization.k8s.io/reason".
2022-10-20 Bug-Fix:
- Added a condition so that when "resultType" is "success", "security_result.action" is ALLOW instead of the default BLOCK.
- Mapped "event_type" to "USER_LOGIN" and "extensions.auth.type" to "AUTH_UNSPECIFIED" when "operationName" is "Sign-in Activity".
- Mapped "callerIpAddress" to "principal.ip" when "properties.ipAddress" is empty.
- Mapped "event_type" to "USER_RESOURCE_ACCESS" when "callerIpAddress" is not empty and "target.resource" is not empty.
2022-10-03 Enhancement - Mapped the following fields:
- Mapped "statusCode" to "network.http.response_code".
- Mapped "correlationId" to "security_result.detection_fields".
- Mapped "properties.userAgentHeader" to "network.http.user_agent".
- Mapped "properties.accountName" to "principal.user.userid".
- Mapped "properties.objectKey" to "target.resource.attribute.labels".
- Mapped "properties.clientRequestId" to "target.resource.attribute.labels".
- Mapped "properties.responseMd5" to "target.resource.attribute.labels".
- Mapped "properties.tlsVersion" to "network.tls.version".
- Mapped "uri" to "network.http.referral_url".
- Mapped "protocol" to "network.application_protocol".
- Mapped "resourceType" to "target.resource.type".
- Mapped "statusText" to "security_result.summary".
2022-08-11 Bug-Fix:
- Remapped "properties.deviceDetail.displayName" to "principal.asset.hardware.model".
2022-07-18 Enhancement - Mapped the following fields:
- Mapped "properties.activity" to "metadata.description".
- Mapped "properties.riskType" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.riskLevelDuringSignIn" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.riskLevelAggregated" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.originalRequestId" to "event.idm.read_only_udm.additional.fields".
- Mapped "Level" and "tenantId" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.conditionalAccessStatus" to "security_result.about.labels".
- Mapped "properties.userType" to "target.user.attribute.labels".
- Mapped "properties.provisioningSteps.0.details.city" to "principal.location.city".
- Mapped "properties.provisioningSteps.0.details.country" to "principal.location.country_or_region".
- Mapped "properties.sourceSystem.Id" to "principal.resource.product_object_id".
- Mapped "properties.sourceIdentity.details.id" to "principal.user.product_object_id".
- Mapped "properties.sourceSystem.Name" to "principal.resource.name".
- Mapped "properties.accountEnabled", "properties.isProcessing", "properties.isGuest", and "properties.isDeleted" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.authenticationRequirement", "properties.status.errorCode", and "properties.statusInfo.Status" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.sourceIdentity.details.odatatype" and "properties.provisioningSteps.0.details.appRoleAssignments" to "principal.user.attribute.labels".
- Mapped "properties.sourceIdentity.details.UserPrincipalName" and "properties.ServicePrincipalId" to "principal.user.userid".
- Mapped "properties.source", "correlationId", "properties.activityDateTime", "properties.detectedDateTime", and "properties.lastUpdatedDateTime" to "security_result.detection_fields".
- Mapped "properties.sourceIdentity.details.DisplayName", "properties.ServicePrincipalDisplayName", and "properties.servicePrincipalName" to "principal.user.user_display_name".
- Mapped "properties.servicePrincipalType" and "properties.servicePrincipalCredentialKeyId" to "principal.resource.attribute.labels".
- Mapped "properties.deviceDetail.isCompliant" and "properties.deviceDetail.isManaged" to "principal.asset.attribute.labels".
2022-06-26 Parsed logs having "category" value "UserRiskEvents", "RiskyUsers", "RiskyServicePrincipals", "ServicePrincipalSignInLogs", "NonInteractiveUserSignInLogs", "ProvisioningLogs", or "ADFSSignInLogs":
- Mapped "properties.ipAddress" to "principal.ip".
- Mapped "properties.id" to "metadata.product_log_id".
- Mapped "properties.displayName" to "target.application".
- Mapped "properties.location.city" to "principal.location.city".
- Mapped "properties.location.state" to "principal.location.state".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "properties.userId" to "target.user.product_object_id".
- Mapped "properties.appId" to "target.resource.attribute.labels".
- Mapped "properties.resourceDisplayName" to "target.resource.name".
- Mapped "properties.resourceId" to "target.resource.product_object_id".
- Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".
- Mapped "properties.deviceDetail.browser" to "network.http.user_agent".
- Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id".
- Mapped "properties.deviceDetail.displayName" to "principal.asset.hostname".
- Mapped "properties.sourceIdentity.details.id" to "principal.user.product_object_id".
- Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".
- Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".
- Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".
- Mapped "properties.sourceIdentity.details.DisplayName" to "principal.user.user_display_name".
- Mapped "properties.authenticationDetails.0.authenticationMethodDetail" to "security_result.about.labels".
- Mapped "properties.riskLevel", "properties.riskState", and "properties.riskDetail" to "event.idm.read_only_udm.additional.fields".
- If the value of "properties.authenticationDetails.0.authenticationMethod" is "Password", mapped "extensions.auth.mechanism" to "USERNAME_PASSWORD".
- If the value of "properties.userPrincipalName" is in email format, mapped it to both "target.user.userid" and "target.user.email_addresses"; otherwise mapped it only to "target.user.userid".
- If the value of "properties.sourceIdentity.details.UserPrincipalName" is in email format, mapped it to both "principal.user.userid" and "principal.user.email_addresses"; otherwise mapped it only to "principal.user.userid".
For category "NonInteractiveUserSignInLogs":
- Mapped "properties.deviceDetail.trustType" to "event.idm.read_only_udm.additional.fields".
- Mapped "properties.clientAppUsed" to "principal.application".
For category "UserRiskEvents":
- If the value of "properties.additionalInfo.Key" is "userAgent", mapped "properties.additionalInfo.Value" to "network.http.user_agent".
2022-05-31 Newly created parser
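The following is an added illustration, not the parser's own code, of how several of the conditional rules recorded above interact on one record: the malformed-JSON drop with 'TAG_MALFORMED_MESSAGE' (2023-10-04), the integer 'CONVERT' of "statusCode" that leaves "network.http.response_code" unset on error (2023-10-04), the email-format test on "properties.userPrincipalName" (2022-06-26), the "callerIpAddress" fallback for "principal.ip" (2022-10-20), and the ALLOW/BLOCK derivation for "security_result.action" (2022-10-20 and 2022-11-18). The flat dict keyed by UDM path, the email regex, and leaving the action unset when no rule matches are assumptions of this example; the sample records are constructed.

```python
import json
import re

# Constructed sample records (not real tenant data): one failed sign-in, one truncated line.
SAMPLE_SIGNIN = ('{"operationName": "Sign-in Activity", "callerIpAddress": "203.0.113.10",'
                 ' "resultType": "failed", "statusCode": "401",'
                 ' "properties": {"userPrincipalName": "alice@example.com", "ipAddress": ""}}')
SAMPLE_MALFORMED = '{"operationName": "Sign-in Activity", "resultType": '
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumption: simple email-format test


def derive_action(rec):
    """2022-10-20 / 2022-11-18 rules: ALLOW on success, BLOCK only on an explicit failure signal."""
    result_type = str(rec.get("resultType", "")).lower()
    if result_type == "success":
        return "ALLOW"
    failed = (str(rec.get("properties", {}).get("succeeded", "")).lower() == "false"
              or str(rec.get("statusText", "")).lower() in ("fail", "false")
              or result_type in ("fail", "failed"))
    return "BLOCK" if failed else None  # assumption: no action emitted when nothing matches


def normalize(raw):
    """Map one raw log line to a flat dict keyed by UDM path."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        # 2023-10-04: JSON filter on_error -> drop the log, tagged TAG_MALFORMED_MESSAGE
        return {"dropped": True, "tags": ["TAG_MALFORMED_MESSAGE"]}
    props = rec.get("properties", {})
    udm = {"dropped": False}
    # 2022-06-26: UPN always fills userid; email_addresses only when it is in email format
    upn = props.get("userPrincipalName")
    if upn:
        udm["target.user.userid"] = upn
        if EMAIL_RE.match(upn):
            udm["target.user.email_addresses"] = [upn]
    # 2023-10-04: CONVERT statusCode to integer; on conversion error leave response_code unset
    try:
        udm["network.http.response_code"] = int(rec["statusCode"])
    except (KeyError, TypeError, ValueError):
        pass
    # 2022-10-20: callerIpAddress is the fallback when properties.ipAddress is empty
    ip = props.get("ipAddress") or rec.get("callerIpAddress")
    if ip:
        udm["principal.ip"] = [ip]
    action = derive_action(rec)
    if action:
        udm["security_result.action"] = [action]
    return udm
```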