Change log for MICROSOFT_SENTINEL

| Date | Changes |
|---|---|
| 2025-08-13 | Enhancement: |
| | - Added support for parsing errors. |
| | - Newly mapped raw log fields to UDM fields (raw field → UDM field): |
| | - `entity_Hostname` → `event.idm.read_only_udm.principal.hostname` |
| | - `entity_Hostname` → `event.idm.read_only_udm.principal.asset.hostname` |
| | - `entity_SenderIP` → `event.idm.read_only_udm.principal.ip` |
| | - `Client_IP_Address` → `event.idm.read_only_udm.principal.ip` |
| | - `Client_IP_Address` → `event.idm.read_only_udm.principal.asset.ip` |
| | - `entity_SenderIP` → `event.idm.read_only_udm.principal.asset.ip` |
| | - `entity_Name` → `event.idm.read_only_udm.principal.user.userid` |
| | - `entity_DisplayName` → `event.idm.read_only_udm.principal.user.email_addresses` |
| | - `entity_AadUserId` → `event.idm.read_only_udm.principal.user.product_object_id` |
| | - `entity_UPNSuffix` → `event.idm.read_only_udm.principal.user.user_display_name` |
| | - `Alert_generation_status`, `OriginalQuery`, `Query`, `SystemAlertId`, `Data_Sources`, `Correlation_Id`, `_Internal_WorkspaceResourceId`, `_ItemId`, `Event_Grouping` → `event.idm.read_only_udm.additional.fields` |
| | - `Query_End_Time_UTC`, `Query_Start_Time_UTC`, `Trigger_Threshold`, `Trigger_Operator`, `Search_Query_Results_Overall_Count`, `Query_Period` → `event.idm.read_only_udm.security_result.detection_fields` |
| | - `Analytic_Rule_Ids` → `event.idm.read_only_udm.security_result.rule_id` |
| | - `AlertType` → `event.idm.read_only_udm.security_result.threat_name` |
| | - `Previous_IP_Address` → `event.idm.read_only_udm.principal.ip` |
| | - `Previous_IP_Address` → `event.idm.read_only_udm.principal.asset.ip` |
| | - `Custom_Details` → `event.idm.read_only_udm.target.user.userid` |
| 2025-02-03 | Enhancement: |
| | - Added support for JSON logs. |
| 2023-11-03 | Enhancement: |
| | - Mapped `ResourceId` to `target.resource.name`. |
| | - When `ResourceId` is not null and at least one of `principal` or `target` is not null, `metadata.event_type` is set to `USER_RESOURCE_ACCESS`. |
| 2023-08-31 | - Newly created parser. |