Change log for AZURE_STORAGE_AUDIT
| Date | Changes |
|---|---|
| 2025-08-28 | Enhancement:
- `event.idm.read_only_udm.principal.ip`: Newly mapped `properties.primaryIPv4Address` raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `properties.primaryIPv4Address` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - `event.idm.read_only_udm.target.ip`: Newly mapped `dest_IP` extracted from `properties.conditions.destinationIP` raw log field with `event.idm.read_only_udm.target.ip` UDM field. - `event.idm.read_only_udm.target.asset.ip`: Newly mapped `dest_IP` extracted from `properties.conditions.destinationIP` raw log field with `event.idm.read_only_udm.target.asset.ip` UDM field. - `event.idm.read_only_udm.target.port`: Newly mapped `dest_port` extracted from `properties.conditions.destinationIP` raw log field with `event.idm.read_only_udm.target.port` UDM field. - `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `properties.ruleName` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field. - `event.idm.read_only_udm.network.direction`: Newly mapped `properties.direction` raw log field with `event.idm.read_only_udm.network.direction` UDM field. - `event.idm.read_only_udm.security_result.action_details`: Newly mapped `properties.type` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field. - `event.idm.read_only_udm.network.ip_protocol`: Newly mapped `properties.protocol` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM field. - `event.idm.read_only_udm.principal.mac`: Newly mapped `properties.macAddress` raw log field with `event.idm.read_only_udm.principal.mac` UDM field. - `event.idm.read_only_udm.network.session_duration`: Newly mapped `properties.duration` raw log field with `event.idm.read_only_udm.network.session_duration` UDM field. - `event.idm.read_only_udm.principal.user.userid`: Newly mapped `AccountName` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `UserAgentHeader` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field. - `event.idm.read_only_udm.network.http.parsed_user_agent`: Newly mapped `UserAgentHeader` raw log field with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field. - `event.idm.read_only_udm.network.tls.version`: Newly mapped `TlsVersion` raw log field with `event.idm.read_only_udm.network.tls.version` UDM field. - `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `Type` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `systemId` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `ServerLatencyMs`, `clientRequestId`, `ContentLengthHeader`, `objectKey`, `requestBodySize`, `requestHeaderSize`, `responseBodySize`, `serviceType` , `sourceSystem`, `itemId`, `timeReceived`, `responseHeaderSize`, `aadTenantId`, `aadClientId`, `queryText`, `responseDurationMs`, `statsWorkspaceCount`, `statsRegionCount`, `isBillable` and `NodeType` raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `AuthenticationType`, `AuthenticationHash` and `priority` raw log field with "event.idm.read_only_udm.security_result.detection_fields" UDM field. - `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `TenantId`, `SubscriptionId`, `Internal_WorkspaceResourceId`,`destinationPortRange` and `requestTarget`raw log field with "event.idm.read_only_udm.target.resource.attribute.labels" UDM field. - `event.idm.read_only_udm.observer.resource.attribute.labels`: Newly mapped `vnetResourceGuid` raw log field with `event.idm.read_only_udm.observer.resource.attribute.labels` UDM field. - `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `sourcePortRange` and `AssetIdentity` raw log field with "event.idm.read_only_udm.principal.resource.attribute.labels" UDM field. - `event.idm.read_only_udm.target.resource.id`: Removed mapping of `resourceId` from `event.idm.read_only_udm.target.resource.id` UDM field since it is a deprecated field. - `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `TimeGenerated` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - Added `MetricResponseType` to the conditional checks for `security_action` and `security_result.summary`. - `event.idm.read_only_udm.principal.user.product_object_id`: Newly mapped `properties.aadObjectId` raw log field with `event.idm.read_only_udm.principal.user.product_object_id` UDM field. - `event.idm.read_only_udm.network.http.response_code`: Newly mapped `properties.responseCode` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field. - `event.idm.read_only_udm.target.location.name`: Newly mapped `properties.workspaceRegion` raw log field with `event.idm.read_only_udm.target.location.name` UDM field. |
| 2025-06-04 | - Added a grok pattern to fetch "inter_host" from "resource_id".
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `inter_host` raw log field with "event.idm.read_only_udm.intermediary.hostname" UDM field. |
| 2025-05-16 | - Added "parse_app_protocol.include" file to add support for "event.idm.read_only_udm.network.application_protocol" UDM field-
- `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.operationCount" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.requestHeaderSize" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.responseHeaderSize" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.requestBodySize" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.responseBodySize" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.network.session_id`: Newly mapped "properties.smbSessionId" raw log field with "event.idm.read_only_udm.network.session_id" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbTreeConnectID" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbPersistentHandleID" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbVolatileHandleID" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbCreditsConsumed" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbMessageID" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbCommandMajor" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped "properties.smbCommandDetail" raw log field with "event.idm.read_only_udm.target.resource.attribute.labels" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "properties.smbFileId" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped "loggingSourceName" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - `event.idm.read_only_udm.security_result.summary`: Newly mapped "loggingSourceName" raw log field with "event.idm.read_only_udm.security_result.summary" UDM field. - `event.idm.read_only_udm.security_result.action`: Newly mapped "loggingSourceName" raw log field with "event.idm.read_only_udm.security_result.action" UDM field. |
| 2024-12-12 | - Mapped "identity.tokenHash", "identity.type", "identity.requester.appId", "identity.requester.tenantId", "identity.requester.tokenIssuer", "properties.sourceAccessTier", "principal.type", "auth.action", "auth.roleAssignmentId", and "auth.roleDefinitionId" to "additional.fields".
- Mapped "identity.requester.upn" to "src.user.userid". - Mapped "identity.requester.objectId" to "src.user.product_object_id". |
| 2024-12-06 | - Mapped "smbCommandMinor" to "security_result.action_details".
|
| 2024-07-31 | - Initialized "statusText" and "correlationId" to null.
|
| 2024-04-08 | - Created new parser.
|