Change log for WINEVTLOG_XML
| Date | Changes |
|---|---|
| 2024-10-10 | Enhancement:
- Added support for a new pattern of syslog logs. - Changed EventId mapping from "column4" to "column6". |
| 2024-10-04 | Enhancement:
- Added support for new pattern of SYSLOG logs. |
| 2024-10-01 | Enhancement:
- Modified the XML pattern to parse "LogonProcessName". |
| 2024-09-24 | Enhancement:
- Added new Grok patterns to parse "task_command" and "task_arguments" fields. |
| 2024-09-03 | Enhancement:
- Mapped "DomainPolicyChanged" to "security_result.detection_fields". |
| 2024-08-30 | Enhancement:
- Added support to handle unparsed SYSLOG + KV logs. - Modified mappong for "AttributeLDAPDisplayName" from "target.resource.type" to "target.resource.resource_subtype". - Handled logs having "EventId" as 4826. - Mapped "MemberSid" to "principal.resource.attribute.labels". |
| 2024-08-27 | Enhancement:
- Modified FILE/USER/NETWORK/STATUS uncategorized events to appropriate event types. |
| 2024-08-21 | Enhancement:
- Added support to parse syslog and CSV logs. |
| 2024-08-16 | Enhancement:
- Mapped "source" to "about.process.command_line". |
| 2024-08-13 | Enhancement:
- Added support for new format of syslog and JSON logs. |
| 2024-08-08 | Enhancement:
- Mapped "task_command" to "principal.process.file.full_path" and "task_arguments" to "principal.process.command_line" for EventIDs "4698", "4699", "4700", "4701", and "4702". |
| 2024-08-06 | Enhancement:
- Added support to parse logs with EventIDs 1149, 21, and 4611. - Added support to map "CallerProcessName" to "target.file.full_path" for logs with EventId 4799. - Mapped "Param1" to "target.user.userid". - Mapped "Param2" to "principal.administrative_domain". - Mapped "Param3" to "principal.ip". - Added a grok pattern to parse UserData from field "Message". |
| 2024-07-26 | Enhancement:
- Added support to parse dropped logs. - Mapped "SubjectUserName" and "SubjectUserSid" to "additional.fields". |
| 2024-07-08 | Enhancement:
- Mapped "Hostname" to "additional.fields" with "src" as the key. - Added support to parse logs for EventID 5157. - Mapped "UserRight", and "AuditSourceName" to "security_result.detection_fields". - Added support for McAfee logs. |
| 2024-06-24 | Enhancement:
- Added support to parse dropped logs. - Mapped "PackageName" to "security_result.detection_fields". |
| 2024-06-10 | Bug-Fix, Enhancement:
- Added "gsub" for "NewProcessName" to restore "C~" to "C:". - Added "gsub" for "Task Name" and "Auditing Settings" to parse them properly. - Added a Grok pattern for "Logon Type" for EventID 4634. - Mapped "AgentLogFile" to "additional.fields". |
| 2024-05-20 | Enhancement, Bug-Fix:
- Added support to parse logs for EventIDs 5807, 5723, 5721, 5840, 5802. - Changed mapping of "TargetUserName" from "additional.fields" to "target.user.userid". - Mapped "SubjectAccountName" to "principal.user.userid" and "TargetAccountName" to "target.user.userid" for EventIDs 4648, 4624, and 4720. - Mapped "ProcessName" to "target.process.file.full_path" for EventID 1. - Mapped "TargetServerName" to "additional.fields". - Added "gsub" for "Source Workstation" and "Error Code" fields to avoid "Error" getting mapped to "principal.hostname". |
| 2024-05-14 | Enhancement:
- Added support to parse logs for EventID 4739. |
| 2024-05-06 | Enhancement:
- Mapped "Privileges" to "security_result.detection_fields". |
| 2024-04-23 | Enhancement:
- Added support to map "Logon Type" for logs with EventIds 4624. - Mapped "Logon Type" to "additional.fields". |
| 2024-04-23 | Enhancement:
- Added support to map "Logon Type" for logs with EventIds 4624. - Mapped "Logon Type" to "additional.fields". |
| 2024-04-16 | Enhancement:
- Mapped "IpAddress1" to "principal.ip" when "EventID" is 4625. - Mapped "AccessRight" to "additional.fields" as per its corresponding values. |
| 2024-03-25 | Enhancement:
- Added additional mapping of fields for logs with EventIds 4648, 4771. |
| 2024-03-15 | Enhancement:
- Changed mapping of "principal.user.user_display_name" to "target.user.user_display_name" for "EventIDs" 4732,4733,4728,4729,4756,4757,4746,4747,4751,4752,4761,4762 logs. - When "EventID" is 5140, then mapped "ShareName" to "target.file.names". - When "EventID" is 4624, then mapped "LmPackageName" to "target.labels". |
| 2024-02-20 | Enhancement:
- Added support for new pattern of XML logs embedded in JSON fields. - Added support for "EventIDs" 4947 and 8222. - When "EventID" is 4985, then mapped "SubjectDomainName" to "principal.administrative_domain". |
| 2024-02-13 | Enhancement:
- Added a block for "EventId" "1309" to parse unparsed logs. - Replaced redundant code with common code. - Mapped "Hostname" to "principal.asset.hostname". - Mapped "WorkstationName", "TargetAccountDomain", "SourceAddress", "DSName", "database_name", and "target_hostname" to "target.asset.hostname". |
| 2024-01-25 | Enhancement:
- Mapped "Properties" to "target.resource.attribute.labels". |
| 2024-01-05 | Enhancement:
- Mapped "TargetLogonId", "AccessMask", "CertIssuerName", "TicketOptions", "TargetUserName", "AttributeLDAPDisplayName", "AttributeValues", "ObjectDN" to "additional.fields". |
| 2023-12-29 | Enhancement:
- Added support for "EventIDs" 0, 208, 219, 233, 1000, 1026, 1315, 10000, 10001, 10002, 10003, 10114, 16969, 17573, 18453, 18454, 36867, 49930 logs. - Added a null check for "registry_key" before setting the "metadata.event_type" to "REGISTRY_MODIFICATION" for "EventID" 13. - Added a null check for "registry_key" before setting the "metadata.event_type" to "REGISTRY_CREATION" for "EventID" 12. - When "target.registry" is empty and "Hostname" is present, then set "metadata.event_type" to "STATUS_UPDATE" for "EventIDs" 12, 13. - Added a regular expression pattern as conditional check for "UserID" to match "windows_sid" pattern for "EventIDs" 7040, 7045. - When "UserID" does not match "windows_sid", then mapped "UserID" to "principal.user.userid" for "EventID" 4070. - When "UserID" does not match "windows_sid", then mapped "UserID" to "target.user.userid" for "EventID" 4075. |
| 2023-11-20 | Enhancement:
- Added a regular expression pattern as conditional check for "TargetUserSid" to match "windows_sid" pattern. - Added a regular expression pattern as conditional check for "TargetSid" to match "windows_sid" pattern. - Added a regular expression pattern as conditional check for "SubjectUserSid" to match "windows_sid" pattern. - Set "event1.idm.read_only_udm.metadata.event_type" from "STATUS_UPDATE" to "USER_RESOURCE_ACCESS" when "Event.System.EventID" value is "4797". - Mapped "Event.System.Provider@Name" to "event1.principal.application" when "Event.System.EventID" value is "4797". - Mapped "Event.System.Correlation@ActivityID" to "event1.security_result.detection_fields" when "Event.System.EventID" value is "4797". - Mapped "Event.System.Execution@ProcessID" to "event1.principal.process.pid" when "Event.System.EventID" value is "4797". - Mapped "Event.EventData.Data@SubjectUserName" to "event1.idm.read_only_udm.principal.user.userid" when "Event.System.EventID" value is "4797". - Mapped "Event.EventData.Data@SubjectDomainName" to "event1.idm.read_only_udm.principal.administrative_domain" when "Event.System.EventID" value is "4797". - Mapped "Event.EventData.Data@Workstation" to "event1.idm.read_only_udm.target.hostname" when "Event.System.EventID" value is "4797". - Mapped "Event.EventData.Data@TargetUserName" to "event1.idm.read_only_udm.target.user.userid" when "Event.System.EventID" value is "4797". - Mapped "Event.EventData.Data@TargetDomainName" to "event1.idm.read_only_udm.target.administrative_domain" when "Event.System.EventID" value is "4797". |
| 2023-11-10 | Enhancement:
- Added support for EventIDs 4098, 14554 logs. - Mapped "Keywords" to "additional.fields". - Mapped "AttributeLDAPDisplayName" to "target.resource.attribute.labels" for EventId 5136. |
| 2023-11-02 | Enhancement:
- For logs with EventId 4624: - Added a new Grok pattern to parse log with EventId 4624. - Mapped "PrincipalDomain" to "principal.administrative_domain". - Mapped "PrincipalAccountName" to "principal.user.userid". - Mapped "TargetAccountName" to "target.user.userid". - Mapped "TargetDomain" to "target.administrative_domain". - Mapped "Logon GUID" to "principal.resource.id". - Mapped "ProcessID" to "target.process.pid". - Mapped "SourceAddress" to "principal.ip". - Mapped "Security_ID", "VirtualAccount", "EventCategory", "ImpersonationLevel", "LinkedLogonID", "NetworkAccountName", "NetworkAccountDomain",and "RestrictedAdminMode" to "security_result.detection_fields". - Mapped "LogonID" and "TargetLogonID" to "about.labels". - Mapped "AgentDevice" to "additional.fields". - Mapped "EventType" to "target.registry.registry_key". - Mapped "SourcePort" to "principal.port". - For logs with EventId 4794: - Mapped "Workstation" to "principal.hostname". - Mapped "ProcessId" to "principal.process.pid". - Mapped "SourceName" to "target.application". - Mapped "ProviderGuid" to "target.resource.product_object_id". |
| 2023-10-10 | Enhancement:
- Added support for EventIDs 403,404,410,510,1001,1502,1100,4105,4703,4793,4797,4954,5158,5379,5827,6417,10016,10028,18452,36871,1073748860,1073747010, 2147483684 logs. - Added support for logs that contain Task =~ "SE_ADT". - Added null check for "AccountName" for EventID=1704,4624,4625,5861. |
| 2023-09-12 | Bug-Fix:
- Removed mapping of "ProcessName" from "principal.user.userid". - Added support for new pattern of 4781 event logs. - Checked and added "on_error" for "ProviderGuid","LogonID","SourceName","Task","SourceModuleName","SourceModuleType" for EventID=4825. - Added null check for "UserID" for EventID=517. - Added support for new pattern of 4731 event logs. |
| 2023-08-25 | - Resolved issue caused due to mapping of "security_result.about.resource.type".
|
| 2023-08-21 | Bug-Fix:
- Mapped "Account Name" to "principal.user.userid" for EventID 4625 logs. - Mapped "Account Domain" to "principal.administrative_domain" for EventID 4625 logs. - Mapped "Workstation Name" to "principal.hostname" for EventID 4625 logs. - Mapped "Caller Process Id" to "principal.process.pid" for EventID 4625 logs. - Mapped "Source Network Address" to "principal.ip" for EventID 4625 logs. - Mapped "Source Port" to "principal.port" for EventID 4625 logs. - Mapped "Logon Process" to "additional.fields" for EventID 4625 logs. - Mapped "Opcode" to "about.labels". - Mapped "SubjectLogonId" to "principal.labels". - Mapped "SubjectUserSid" to "principal.user.windows_sid". - Mapped "ServiceName" to "target.application". - Mapped "ImpersonationLevel" to "about.labels". - Mapped "TargetHandleId" to "about.labels". - Mapped "RestrictedAdminMode" to "about.labels". - Mapped "TargetOutboundDomainName" to "target.user.attribute.labels". - Mapped "KeyLength" to "target.labels". - Mapped "LmPackageName" to "target.labels". - Mapped "TargetLogonId" to "target.labels". - Mapped "TransmittedServices" to "target.labels". - Mapped "TargetLinkedLogonId" to "target.labels". - Mapped "VirtualAccount" to "target.labels". - Mapped "OldSd" to "target.resource.attribute.labels". - Mapped "NewSd" to "target.resource.attribute.labels". |
| 2023-07-24 | Enhancement:
- Added support for EventID 16384 and 16394. - Handled nested XML EventID logs. |
| 2023-03-17 | Enhancement:
- Supported key-value format logs. - Mapped "Channel", "SubjectLogonId", and "ThreadId" to "additional.labels". Enhancement: Parsed the logs with EventID's 4674, 4932, and 4933. - When "EventID" is 4731, 4732, 4733, 4734, 4735, 4737, 4798, or 4799, mapped the following: - Mapped "TargetDomainName" to "target.administrative_domain". - Mapped "TargetSid" to "target.user.windows_sid". |
| 2023-01-15 | Enhancement:
- For "EventId": 8004. - Mapped "Task" to "target.resource.type". - Mapped "DomainName" to "principal.administrative_domain". - Mapped "Keywords","Channel","Level","SChannelName","SChannelType","Opcode" to "". - Mapped "ThreadID" to "target.resource.attribute.labels". |
| 2023-01-13 | Enhancement:
- Handled unparsed logs having "EventId": 5001, 5007. - Mapped "ProcessID" to "target.process.pid". - Mapped "ProviderGuid" to "target.resource.product_object_id". - Mapped "UserID" to "target.user.windows_sid". - Mapped "ProductName" and "ProductVersion" to "metadata.product_version". - Mapped "metadata.event_type" to "STATUS_UPDATE". |
| 2022-12-06 | Enhancement:
- Handled unparsed logs having "EventId": 8004. |