Change log for QUEST_AD
| Date | Changes |
|---|---|
| 2025-08-13 | Enhancement:<br>- Added a `gsub` for `message` to parse the logs in the proper format.<br>- Added a `gsub` for `kv_data` to parse the logs in the proper format.<br>- Added a grok pattern for the `message` data field to parse the new log format.<br>- Added a new `kv` filter for the `kv_data` field to parse the logs in the proper format.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `ts` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`.<br>- Modified the drop condition to drop logs only if both `not_json` and `not_json_error` are true.<br>- Added a conditional check that `Source_Network_Address` is not empty, "N/A", "null", or "-".<br>- Added a conditional check that `Source_Port` is not empty, "N/A", "null", or "-".<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped the `ComputerName` raw log field to `event.idm.read_only_udm.target.user.userid` when `description` contains "logged on".<br>- `event.idm.read_only_udm.target.user.product_object_id`: Newly mapped the `Environment` raw log field to `event.idm.read_only_udm.target.user.product_object_id` when `description` contains "logged on".<br>- `event.idm.read_only_udm.metadata.event_type`: If `description` contains "logged on", set the `event.idm.read_only_udm.metadata.event_type` UDM field to USER_LOGIN.<br>- `event.idm.read_only_udm.security_result.about.resource.attribute.labels`: Newly mapped the `Logon_Process` raw log field to `event.idm.read_only_udm.security_result.about.resource.attribute.labels`.<br>- `event.idm.read_only_udm.metadata.event_type`: If `has_principal_user` is true, set to USER_UNCATEGORIZED.<br>- `event.idm.read_only_udm.metadata.event_type`: If `has_principal` is true, set to STATUS_UPDATE. |
| 2024-11-07 | Enhancement:<br>- Added a grok pattern to parse `suser` from the log. |
| 2024-10-21 | Enhancement:<br>- Added support for the new log format. |
| 2024-02-09 | - Added support for JSON format logs. |