Change log for MICROSOFT_SENTINEL

Date Changes
2025-10-16 Enhancement:
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `eventUniqueId` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.security_result.summary: Newly mapped `object.properties.title` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `object.properties.labels.labelName` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.security_result.attack_details.techniques: Newly mapped `object.properties.additionalData.techniques` raw log field with `event.idm.read_only_udm.security_result.attack_details.techniques` UDM field.
- event.idm.read_only_udm.security_result.attack_details.tactics: Newly mapped `object.properties.additionalData.tactics` raw log field with `event.idm.read_only_udm.security_result.attack_details.tactics` UDM field.
- event.idm.read_only_udm.target.user.email_addresses: Newly mapped `object.properties.relatedEntities.properties.mailboxPrimaryAddress` raw log field with `event.idm.read_only_udm.target.user.email_addresses` UDM field.
- event.idm.read_only_udm.network.email.to: Newly mapped `object.properties.relatedEntities.properties.recipient` raw log field with `event.idm.read_only_udm.network.email.to` UDM field.
- event.idm.read_only_udm.network.email.from: Newly mapped `object.properties.relatedEntities.properties.p1Sender` raw log field with `event.idm.read_only_udm.network.email.from` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `object.properties.relatedEntities.properties.additionalData.UserPrincipalName` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `object.properties.relatedEntities.properties.senderIP` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `object.properties.relatedEntities.properties.senderIP` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.network.email.subject: Newly mapped `object.properties.relatedEntities.properties.subject` raw log field with `event.idm.read_only_udm.network.email.subject` UDM field.
- event.idm.read_only_udm.target.administrative_domain: Newly mapped `object.properties.relatedEntities.properties.additionalData.DomainName` raw log field with `event.idm.read_only_udm.target.administrative_domain` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `object.properties.labels.labelType`, `object.properties.additionalData.alertsCount`, `object.properties.alerts.properties.systemAlertId`, `object.properties.alerts.properties.alertDisplayName`, `object.properties.alerts.properties.description`, `object.properties.alerts.properties.severity`, `object.properties.alerts.properties.alertType`, `object.properties.alerts.properties.providerAlertId`, `object.properties.alerts.properties.confidenceLevel`, `object.properties.alerts.properties.endTimeUtc`, `object.properties.alerts.properties.processingEndTime`, `object.properties.alerts.properties.startTimeUtc`, `object.properties.alerts.properties.timeGenerated`, `object.properties.alerts.properties.friendlyName` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `object.properties.additionalData.tactics`, `object.properties.additionalData.alertProductNames`, `object.properties.additionalData.bookmarksCount`, `object.properties.additionalData.commentsCount`, `object.properties.relatedEntities.properties.recipient`, `object.properties.relatedEntities.properties.p1Sender`, `object.properties.relatedEntities.properties.networkMessageId`, `object.properties.relatedEntities.properties.internetMessageId`, `object.properties.alerts.properties.alertLink`, `object.properties.alerts.properties.vendorName`, `object.properties.alerts.properties.productName` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.user.attribute.labels: Newly mapped `object.properties.relatedEntities.properties.additionalData.UserPrincipalName`, `object.properties.relatedEntities.properties.upnSuffix`, `object.properties.relatedEntities.properties.isDomainJoined`, `object.properties.relatedEntities.properties.additionalData.AccountName`, `object.properties.relatedEntities.properties.displayName`, `object.properties.relatedEntities.properties.upn` raw log fields with `event.idm.read_only_udm.target.user.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `object.properties.relatedEntities.properties.accountName`, `object.properties.relatedEntities.properties.sid`, `object.properties.relatedEntities.properties.aadUserId`, `object.properties.relatedEntities.properties.additionalData.DomainName` raw log fields with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
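The 2025-10-16 entry maps nested incident JSON (lists under `relatedEntities`, `alerts` and `labels`) onto UDM fields, so the interesting part of the mapping is fanning out across those lists and collecting scalar values into repeated UDM fields. The following is an added illustration, not the Chronicle parser's own code: it applies a subset of the mappings listed above to a constructed incident record. The record's shape is inferred from the raw field names in this change log, not copied from a real Sentinel export; the set of UDM fields treated as repeated, and the convention of using the raw path (minus the `object.properties.` prefix) as the label key in `detection_fields` and `attribute.labels`, are assumptions made for the example.

```python
import json

# Constructed sample incident. The structure (object.properties.*, relatedEntities[],
# alerts[], labels[]) is assumed from the raw field names in the change log.
SAMPLE_INCIDENT = json.loads(r'''{
  "eventUniqueId": "inc-0001",
  "object": {"properties": {
    "title": "Suspicious inbox forwarding rule",
    "labels": [{"labelName": "Phishing", "labelType": "User"}],
    "additionalData": {"alertsCount": 1, "tactics": ["Collection", "Exfiltration"],
                       "techniques": ["T1114.003"]},
    "relatedEntities": [
      {"kind": "Account", "properties": {"upn": "alice", "upnSuffix": "example.com",
         "displayName": "Alice Example", "isDomainJoined": true,
         "additionalData": {"UserPrincipalName": "alice@example.com",
                            "DomainName": "example.com", "AccountName": "alice"}}},
      {"kind": "MailMessage", "properties": {"recipient": "alice@example.com",
         "p1Sender": "billing@example.net", "senderIP": "203.0.113.10",
         "subject": "Invoice overdue"}},
      {"kind": "Mailbox", "properties": {"mailboxPrimaryAddress": "alice@example.com"}}
    ],
    "alerts": [{"properties": {"systemAlertId": "a-1", "severity": "High",
                               "alertType": "MailboxForwardingRule"}}]
  }}
}''')

# (raw path, UDM path) pairs taken from the 2025-10-16 entry (subset).
VALUE_MAP = [
    ("eventUniqueId", "metadata.product_log_id"),
    ("object.properties.title", "security_result.summary"),
    ("object.properties.labels.labelName", "security_result.category_details"),
    ("object.properties.additionalData.techniques", "security_result.attack_details.techniques"),
    ("object.properties.additionalData.tactics", "security_result.attack_details.tactics"),
    ("object.properties.relatedEntities.properties.mailboxPrimaryAddress", "target.user.email_addresses"),
    ("object.properties.relatedEntities.properties.recipient", "network.email.to"),
    ("object.properties.relatedEntities.properties.p1Sender", "network.email.from"),
    ("object.properties.relatedEntities.properties.additionalData.UserPrincipalName", "target.user.userid"),
    ("object.properties.relatedEntities.properties.senderIP", "principal.ip"),
    ("object.properties.relatedEntities.properties.senderIP", "principal.asset.ip"),
    ("object.properties.relatedEntities.properties.subject", "network.email.subject"),
    ("object.properties.relatedEntities.properties.additionalData.DomainName", "target.administrative_domain"),
]
# Raw paths that become key/value labels under a repeated UDM label field (subset).
LABEL_MAP = {
    "security_result.detection_fields": [
        "object.properties.labels.labelType",
        "object.properties.additionalData.alertsCount",
        "object.properties.alerts.properties.systemAlertId",
        "object.properties.alerts.properties.severity",
        "object.properties.alerts.properties.alertType",
    ],
    "target.user.attribute.labels": [
        "object.properties.relatedEntities.properties.upn",
        "object.properties.relatedEntities.properties.displayName",
        "object.properties.relatedEntities.properties.isDomainJoined",
    ],
}
# UDM fields modelled as repeated (assumption for this example); others take the first value.
REPEATED = {"principal.ip", "principal.asset.ip", "target.user.email_addresses",
            "network.email.to", "security_result.category_details",
            "security_result.attack_details.techniques",
            "security_result.attack_details.tactics"}


def extract(node, parts):
    """Collect every value reachable via `parts`, fanning out over any list on the way."""
    if isinstance(node, list):
        found = []
        for item in node:
            found.extend(extract(item, parts))
        return found
    if not parts:
        return [] if node is None else [node]
    if isinstance(node, dict) and parts[0] in node:
        return extract(node[parts[0]], parts[1:])
    return []


def set_path(udm, dotted, value):
    """Create intermediate dicts so 'a.b.c' lands at udm['a']['b']['c']."""
    parts = dotted.split(".")
    cur = udm
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value


def dedupe(values):
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen


def to_udm(raw):
    """Apply VALUE_MAP and LABEL_MAP to one raw incident and return a nested UDM dict."""
    udm = {}
    for raw_path, udm_path in VALUE_MAP:
        vals = dedupe(extract(raw, raw_path.split(".")))
        if vals:
            set_path(udm, udm_path, vals if udm_path in REPEATED else vals[0])
    for udm_path, raw_paths in LABEL_MAP.items():
        labels = []
        for raw_path in raw_paths:
            key = raw_path.removeprefix("object.properties.")  # assumed key convention
            for v in extract(raw, raw_path.split(".")):
                # UDM label values are strings; JSON booleans become "true"/"false".
                labels.append({"key": key, "value": str(v).lower() if isinstance(v, bool) else str(v)})
        if labels:
            set_path(udm, udm_path, labels)
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_INCIDENT), indent=2))
```

Two points worth checking against a real feed: `senderIP` lands in both `principal.ip` and `principal.asset.ip`, so de-duplication matters when several entities carry the same address, and entities that lack a field (the `MailMessage` entity has no `additionalData`) simply contribute nothing rather than an empty label.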
2025-08-13 Enhancement:
- Added support for handling parsing errors.
- event.idm.read_only_udm.principal.hostname: Newly mapped `entity_Hostname` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped `entity_Hostname` raw log field with `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `entity_SenderIP` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `Client_IP_Address` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `Client_IP_Address` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `entity_SenderIP` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `entity_Name` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.user.email_addresses: Newly mapped `entity_DisplayName` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.
- event.idm.read_only_udm.principal.user.product_object_id: Newly mapped `entity_AadUserId` raw log field with `event.idm.read_only_udm.principal.user.product_object_id` UDM field.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `entity_UPNSuffix` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Alert_generation_status` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `OriginalQuery` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Query` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `SystemAlertId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Data_Sources` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Correlation_Id` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `_Internal_WorkspaceResourceId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `_ItemId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Event_Grouping` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Query_End_Time_UTC` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Query_Start_Time_UTC` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Trigger_Threshold` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Trigger_Operator` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Search_Query_Results_Overall_Count` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Query_Period` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped `Analytic_Rule_Ids` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field.
- event.idm.read_only_udm.security_result.threat_name: Newly mapped `AlertType` raw log field with `event.idm.read_only_udm.security_result.threat_name` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `Previous_IP_Address` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `Previous_IP_Address` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `Custom_Details` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
2025-02-03 Enhancement:
- Added support for JSON logs.
2023-11-03 Enhancement:
- Mapped `ResourceId` raw log field to `target.resource.name` UDM field.
- When `ResourceId` is not null and the event has a non-null `principal` or `target`, `metadata.event_type` is set to `USER_RESOURCE_ACCESS`.
2023-08-31 - Newly created parser.