Change log for POWERSHELL
Date | Changes |
---|---|
2024-08-20 | Enhancement:<br>- Added "gsub" to remove extra characters so that JSON logs can be parsed. |
2024-08-14 | Enhancement:<br>- Mapped "Version" to "metadata.product_version".<br>- Mapped "SystemTime" to "metadata.event_timestamp".<br>- Mapped "channel", "keywords", "MessageNumber", "MessageTotal", and "ScriptBlockId" to "security_result.detection_fields".<br>- Mapped "Path" to "target.process.file.full_path". |
2024-07-24 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
2024-07-20 | Enhancement:<br>- Mapped "HostApplication" to "principal.application".<br>- Mapped "HostId" to "principal.resource.product_object_id".<br>- Mapped "System.Computer" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "System.Version" to "metadata.product_version".<br>- Mapped "System.ProcessID" to "principal.process.pid".<br>- Mapped "System.ProviderName" to "principal.resource.attribute.labels".<br>- Mapped "HostVersion", "RunspaceId", "PipelineId", "EngineVersion", "DetailSequence", "DetailTotal", "SequenceNumber", and "ScriptName" to "additional.fields".<br>- Mapped "System.EventRecordID", "System.Task", "System.Keywords", "System.Opcode", and "System.ThreadID" to "security.detection_fields". |
2023-12-05 | Enhancement:<br>- Added mapping for unparsed JSON logs.<br>- Mapped "Computer" to "principal.hostname".<br>- Mapped "EventLevelName" to "security_result.severity".<br>- Mapped "ManagementGroupName", "Source", and "TenantId" to "additional_fields".<br>- Mapped "RenderedDescription" to "security_result.description".<br>- Mapped "UserName" to "principal.user.userid". |
2023-09-14 | Enhancement:<br>- Added mappings for unparsed JSON logs.<br>- Mapped 'winlog.activity_id' to 'security_result.detection_fields'.<br>- Mapped 'winlog.api' to 'additional.fields'.<br>- Mapped 'winlog.channel' and 'winlog.process.thread.id' to 'security_result.about.resource.attribute.labels'.<br>- Mapped 'winlog.computer_name' to 'principal.hostname'.<br>- Mapped 'winlog.event_id' to 'metadata.product_event_type' and 'security_result.rule_name'.<br>- Mapped 'winlog.opcode' to 'metadata.description'.<br>- Mapped 'winlog.process.pid' to 'principal.process.pid'.<br>- Mapped 'winlog.provider_guid' to 'metadata.product_deployment_id'.<br>- Mapped 'winlog.provider_name' to 'metadata.product_name'.<br>- Mapped 'winlog.record_id' to 'metadata.product_log_id'.<br>- Mapped 'winlog.user.domain' to 'principal.administrative_domain'.<br>- Mapped 'winlog.user.identifier' to 'principal.user.windows_sid'.<br>- Mapped 'winlog.user.name' to 'principal.user.userid'. |
2023-07-05 | Enhancement:<br>- For 'EventID = 403', mapped 'metadata.event_type' to 'STATUS_UPDATE' when no value for 'HostApplication' is present.<br>- Extracted the value for 'target.file.full_path' from the log using a Grok pattern when 'Path' is empty.<br>- Added a gsub function to rename '@timestamp' to 'EventTime'. |
2022-11-09 | Enhancement:<br>- The field 'ProviderGuid' is mapped to 'metadata.product_deployment_id'.<br>- The field 'ExecutionProcessID' is mapped to 'principal.process.pid'.<br>- The field 'ProcessID' or 'Process ID' is mapped to 'principal.process.pid'.<br>- The field 'SourceModuleType' is mapped to 'principal.resource.resource_subtype'.<br>- The field 'SourceModuleName' is mapped to 'principal.resource.name'.<br>- The field 'Machine' is mapped to 'principal.asset.asset_id'.<br>- The field 'MessageSourceAddress' is mapped to 'principal.ip'.<br>- The field 'File' is mapped to 'target.process.file.full_path'.<br>- The field 'Host Application' or 'Command' is mapped to 'target.process.command_line'.<br>- The field 'Output' is mapped to 'security_result.detection_fields'.<br>- The field 'Message' is mapped to 'security_result.description'.<br>- The field 'ActivityID' is mapped to 'security_result.detection_fields'.<br>- Added the following mappings when EventID is '4103':<br>- The field 'Host ID' or 'ContextInfo_Host ID' is mapped to 'target.asset.asset_id'.<br>- The field 'Host Name' or 'ContextInfo_Host Name' is mapped to 'target.hostname'.<br>- The field 'ContextInfo_Script Name' is mapped to 'target.process.file.full_path'.<br>- The field 'ContextInfo_Host Application' is mapped to 'target.process.command_line'.<br>- The field 'ContextInfo_Command Name' is mapped to 'security_result.detection_fields'.<br>- The field 'ContextInfo_Command Type' is mapped to 'security_result.detection_fields'.<br>- The field 'ContextInfo_Sequence Number' or 'Sequence Number' is mapped to 'security_result.detection_fields'.<br>- Added the following mappings when EventID is '800', '600' or '400':<br>- The field 'UserId' is mapped to 'principal.user.userid'.<br>- The field 'HostApplication' is mapped to 'target.process.command_line'.<br>- The field 'HostId' is mapped to 'target.asset.asset_id'.<br>- The field 'HostName' is mapped to 'target.hostname'.<br>- The field 'ScriptName' is mapped to 'target.process.file.full_path'.<br>- The field 'SequenceNumber' is mapped to 'security_result.detection_fields'. |
2022-10-13 | Bug-Fix:<br>- Fixed parsing of failed logs by making the following changes.<br>- Added "on_error" checks on fields that failed parsing when no value is present, such as 'opcode' and 'Host Application'.<br>- Added a new source, 'ContextInfo', for KV parsing when 'Message' is not present in the logs.<br>Enhancement:<br>- Modified event_type from "GENERIC_EVENT" to "STATUS_UPDATE". |