Change log for MICROSOFT_SQL

2025-04-17 Enhancement:
- Added a Grok pattern to parse a new pattern of logs in SYSLOG + KV format.
- Set "has_principal_user" to true where "server_principal_name" is mapped to "event1.idm.read_only_udm.principal.user.userid".
- Mapped the "connection_id" raw log field to "event1.idm.read_only_udm.additional.fields".
- Mapped the "HOST" raw log field to "event1.idm.read_only_udm.principal.ip" and "event.idm.read_only_udm.principal.asset.ip", and set "has_principal" to true.
- Added a null check for the "host" raw log field before mapping it to "event1.idm.read_only_udm.observer.hostname".
- Added a null check for the "ObjectName" raw log field before mapping it to "event1.idm.read_only_udm.target.resource.name".
- Added a null check for the "SPID" raw log field before mapping it to "event1.idm.read_only_udm.network.session_id".
2025-04-09
- Mapped the "event_time" raw log field to "event.idm.read_only_udm.metadata.event_timestamp".
- Mapped the "ipAddress" raw log field to "event.idm.read_only_udm.principal.ip" and "event.idm.read_only_udm.principal.asset.ip".
- Mapped the "Id" raw log field to "event.idm.read_only_udm.principal.asset.asset_id".
- Mapped the "alertWebUrl" raw log field to "event.idm.read_only_udm.metadata.url_back_to_product".
- Mapped the "description" raw log field to "event.idm.read_only_udm.security_result.description".
- Mapped the "tenantId" raw log field to "event.idm.read_only_udm.metadata.product_deployment_id".
- Mapped the "detectorId" raw log field to "event.idm.read_only_udm.additional.fields".
- Removed the mapping of "metadata.event_type" to "USER_UNCATEGORIZED".
- Mapped "metadata.event_type" to "USER_RESOURCE_DELETION" when "error_code" is one of "118", "129", "47", "73", "77", "200", "131", "136", "140", "201".
- Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" when "error_code" is one of "28", "29", "69", "114", "30", "31".
- Mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_CONTENT" when "error_code" is "176".
- Added a null check for the "host" raw log field before mapping it to "event1.idm.read_only_udm.observer.hostname".
2025-03-19 Enhancement:
- Added support for CSV format logs.
- Mapped "column2" to "principal.hostname" and "principal.asset.hostname".
- Mapped "column3" to "additional.fields".
- Mapped "column4" to "principal.process.file.full_path".
- Added a Grok pattern to parse "event_time", "user", and "msg" from the "column7" field.
2025-02-26 Enhancement:
- Added support for a new pattern of SYSLOG logs.
2024-11-28 Bug-Fix:
- Mapped "security_result.action" to "BLOCK" when "action_id" is "LGIF".
2024-10-29 Enhancement:
- Added support for a new pattern of SYSLOG + JSON logs.
2024-10-22 Enhancement:
- Mapped "event_time" to "metadata.event_timestamp".
2024-10-08 Enhancement:
- Mapped "additional_information" to "additional.fields".
2024-09-05 Enhancement:
- Added support for SYSLOG + JSON logs.
2024-09-04 Enhancement:
- Added support to parse KV data in the "EventData" field.
2024-08-26 Enhancement:
- Added support for a new pattern of KV logs.
2024-07-23 Enhancement:
- Added support for a new pattern of JSON logs.
2024-06-18 Enhancement:
- Added support to parse key-value data in the "MESSAGE" field.
2024-05-17 Enhancement:
- Added support to parse logs when "operationName" is "Microsoft Graph Activity".
- Mapped "level" to "security_result.severity".
- Mapped "resourceId" to "target.resource.attribute.labels".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "operationVersion" to "additional.fields".
- Mapped "properties.ipAddress" to "principal.ip" and "principal.asset.ip".
- Mapped "properties.apiVersion" to "metadata.product_version".
- Mapped "properties.appId" to "target.resource.product_object_id".
- Mapped "properties.clientAuthMethod" to "extensions.auth.auth_details".
- Mapped "properties.clientRequestId" to "additional.fields".
- Mapped "properties.signInActivityId" to "network.session_id".
- Mapped "properties.identityProvider" to "security_result.detection_fields".
- Mapped "properties.wids" to "security_result.detection_fields".
- Mapped "properties.roles" to "security_result.detection_fields".
- Mapped "correlationId" to "security_result.detection_fields".
- Mapped "properties.tokenIssuedAt" to "additional.fields".
- Mapped "properties.requestMethod" to "network.http.method".
- Mapped "properties.responseStatusCode" to "network.http.response_code".
- Mapped "properties.tenantId" to "metadata.product_deployment_id".
- Mapped "properties.userAgent" to "network.http.user_agent".
- Mapped "properties.requestUri" to "target.url".
- Mapped "properties.durationMs" to "network.session_duration.seconds".
- Mapped "properties.responseSizeBytes" to "network.received_bytes".
- Mapped "properties.userId" and "properties.servicePrincipalId" to "principal.user.userid".
- Mapped "properties.location" to "principal.location.name".
- Mapped "properties.requestId" to "metadata.product_log_id".
- Mapped "properties.operationId" to "security_result.detection_fields".
2024-04-01 Enhancement:
- Added a Grok pattern to parse unparsed SYSLOG + JSON logs.
- Mapped "hostinfo.architecture" to "principal.asset.hardware".
- Mapped "hostinfo.os.kernel" to "principal.platform_patch_level".
- Mapped "hostinfo.os.version" to "principal.platform_version".
- Mapped "hostinfo.os.platform" to "hostinfo.os.platform".
- Mapped "hostinfo.os.name" and "hostinfo.os.build" to "additional.fields".
2023-12-20 Enhancement:
- Decoded the encoded log using gsub.
- Mapped "host.ip" to "principal.ip".
- Added a Grok pattern to map additional fields.
- Mapped "error" to "security_result.detection_fields".
- Mapped "err_msg" to "security_result.description".
2023-10-09 Enhancement:
- Added a Grok pattern to support the new log formats.
- Mapped "SQlINstance" to "principal.hostname" when user information is not available.
2023-08-17 Enhancement:
- Added a check so that "event_type" is set to "STATUS_STARTUP" or "STATUS_SHUTDOWN" only if the "host" field is not null.
2023-07-04 Bug-Fix:
- Changed "event_type" from "USER_LOGIN" to "USER_UNCATEGORIZED" and from "STATUS_UNCATEGORIZED" to "GENERIC_EVENT" for some logs, since fields like "clientip" or "host" are not present in them.
- Initialised "Date" and "Time" to null and provided null check before mapping.
- Mapped "AgentDevice", "AgentLogFile", "Source", "ProcessInfo" to "additional.fields".
- Mapped "SQlINstance" to "intermediary.hostname".
2023-05-09 Enhancement:
- Added JSON block to retrieve JSON data.
- Mapped "source" to "principal.resource.attribute.labels".
- Mapped "msg" to "metadata.description".
2023-01-18 Enhancement:
- Added a null check for the following fields: "agent.type", "agent.id", "agent.hostname", "agent.version", "event.provider", "event.code", "log.level", "ecs.version", "timestamp".
- Mapped the field "EventID" to "metadata.product_event_type".
- Mapped the field "SourceModuleType" to "observer.application".
- Mapped the field "SourceModuleName" to "additional.fields".
- Mapped the field "Severity" to "security_result.severity".
- Added the following mappings when the event is "Audit Event":
  - Mapped the field "client_ip" to "principal.ip".
  - Mapped the field "database_name" to "target.resource_ancestors.name" and set "target.resource_ancestors.resource_type" to "DATABASE".
  - Mapped the field "schema_name" to "target.resource_ancestors.resource_subtype".
  - Mapped the field "statement" to "target.process.command_line".
  - Mapped the field "object_name" to "target.resource.name" and set "target.resource.resource_type" to "TABLE".
  - Mapped the field "application_name" to "target.application".
  - Mapped the field "sequence_number" to "target.resource.attribute.labels".
  - Mapped the field "transaction_id" to "target.resource.attribute.labels".
- Added the following mappings when the field "Message" contains "Log was backed up":
  - Mapped the field "Database" to "target.resource.name" and set "target.resource.resource_type" to "DATABASE".
  - Mapped the field "first LSN" to "target.resource.attribute.labels".
  - Mapped the field "last LSN" to "target.resource.attribute.labels".
  - Mapped the field "UserID" to "principal.user.windows_sid".
- Added the following mappings when the field "Message" contains "Starting up database":
  - Mapped the field "Database" to "target.resource.name" and set "target.resource.resource_type" to "DATABASE".
  - Mapped the field "AccountName" to "principal.user.userid".
  - Mapped the field "UserID" to "principal.user.windows_sid".
2022-08-09 Enhancement:
- Changed the mapping of the field "winlog.computer_name" from "principal.asset.hostname" to "event.idm.read_only_udm.about.hostname" for logs in JSON format.
2022-07-01 Bug-Fix:
- Mapped "host.name" to "observer.hostname" for logs in JSON format.
2022-05-31 Enhancement:
- Parsed the new JSON format logs and the logs containing key-value fields. Also parsed the syslog logs containing "NXLOG".
- Moved the customer-specific version to default.
- Mapped the following new fields:
  - For JSON format logs: winlog.computer_name, agent.type, agent.version, agent.id, agent.hostname, ecs.version, log.level, event.provider, event.code, host.name, logstash.process.host, message, timestamp.
  - For key-value format logs: TextData, HostName, ApplicationName, LoginName, ObjectName, ObjectType, DatabaseID, DatabaseName, SPID, SourceModuleName, SourceModuleType.