Change log for AZURE_FIREWALL
| Date | Changes |
|---|---|
| 2025-06-23 | Enhancement:<br>- `event.idm.read_only_udm.security_result.severity`: Changed the mapping of the `properties.Severity` raw log field to the `event.idm.read_only_udm.security_result.severity` UDM field so that `1` is read as the most severe value:<br>- When `properties.Severity` is `1`, the mapping changed from `INFORMATIONAL` to `CRITICAL`.<br>- When `properties.Severity` is `2`, the mapping changed from `LOW` to `HIGH`.<br>- When `properties.Severity` is `4`, the mapping changed from `HIGH` to `LOW`.<br>- When `properties.Severity` is `5`, the mapping changed from `CRITICAL` to `INFORMATIONAL`.<br>Rules and dashboards that filter this log type on `security_result.severity` should be re-validated, because the same raw value now lands at the opposite end of the scale. |
| 2025-06-17 | Enhancement:<br>- `event.idm.read_only_udm.security_result.summary`: Newly mapped the `properties.ActionReason` raw log field to this UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `properties.Flag` raw log field to this UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `loggingSourceName`, `properties.IsTlsInspected`, and `properties.IsExplicitProxyRequest` raw log fields to this UDM field. |
| 2025-05-28 | Enhancement:<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped the `properties.Action` raw log field to this UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `properties.SignatureId` and `properties.Fqdn` raw log fields to this UDM field.<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped the `properties.Description` and `properties.ThreatDescription` raw log fields to this UDM field.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped the `properties.Severity` raw log field to this UDM field.<br>- `event.idm.read_only_udm.target.url`: Newly mapped the `properties.Url` raw log field to this UDM field.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `properties.Category` raw log field to this UDM field. |
| 2025-05-13 | Enhancement:<br>- `event.idm.read_only_udm.metadata.product_name`: Now set to `Azure Firewall` instead of `Azure Firewall Application Rule`. |
| 2025-03-11 | Enhancement:<br>- Mapped `Policy`, `RuleCollection`, and `RuleCollectionGroup` to `additional.fields`.<br>- Changed the mapping of `rulecollection`, `Properties.RuleCollection`, `Properties.RuleCollectionGroup`, and `Properties.Policy` from `security_result.detection_fields` to `additional.fields`. |
| 2025-03-05 | Enhancement:<br>- Mapped `DestinationIp` to `target.ip` and `target.asset.ip`. |
| 2025-02-25 | Enhancement:<br>- Added parsing for log records that were previously left unparsed.<br>- Mapped `IpAddress` to `principal.ip`.<br>- Mapped `DNSport` to `principal.port`.<br>- Mapped `DNSMessage` to `security_result.description`. |
| 2025-02-17 | Enhancement:<br>- Added parsing for log records that were previously left unparsed.<br>- Mapped `SourcePort` to `principal.port`.<br>- Mapped `DestinationPort` to `target.port`.<br>- Mapped `SourceIp` to `principal.ip`.<br>- Mapped `Fqdn` to `principal.hostname`.<br>- Mapped `ActionReason` to `security_result.summary`.<br>- Mapped `IsTlsInspected`, `Policy`, `RuleCollection`, `Rule`, and `IsExplicitProxyRequest` to `additional.fields`.<br>- Mapped `_ItemId` to `metadata.product_log_id`.<br>- Mapped `_ResourceId` to `principal.resource.id`.<br>- Mapped `Type` to `metadata.product_event_type`.<br>- Mapped `TenantId` to `principal.user.product_object_id`.<br>- Mapped `_Internal_WorkspaceResourceId` to `principal.resource.attribute.labels`.<br>- Mapped `TargetUrl` to `target.url`.<br>- Mapped `RuleCollectionGroup` to `observer.group.group_display_name`. |
| 2024-12-26 | Bug fix:<br>- When the log contains the keyword `Alert`, `security_result.action` is now mapped to `ALLOW` (an IDPS alert records a signature match on traffic that was not blocked, so `ALLOW` is the correct action). |
| 2024-11-13 | Enhancement:<br>- Mapped `Action`, `Signature`, `IDS`, and `Classification` to `security_result.detection_fields`.<br>- Mapped `Priority` to `security_result.priority_details`. |
| 2024-09-04 | Enhancement:<br>- Mapped `from_ip` to `dns.questions.name` for DNS events. |
| 2024-07-02 | Enhancement:<br>- Added support for a new timestamp format. |
| 2024-04-29 | Enhancement:<br>- Added support for a new format of ingested logs. |
| 2024-02-07 | Enhancement:<br>- Mapped `ICMP type` to `additional.fields`.<br>- Mapped `Action` and `properties.Action` to `security_result.action_details`. |
| 2023-06-01 | Enhancement:<br>- Newly ingested JSON logs of category `AZFWDnsQuery` are now parsed.<br>- Mapped `properties.msg` in newly ingested JSON logs of category `AzureFirewallNetworkRule`. |
| 2022-04-29 | Bug fix:<br>- Newly ingested JSON logs are now parsed, increasing the overall parsing percentage.<br>- Mapped `operationName` to `metadata.product_event_type`.<br>- Mapped `resourceId` to `metadata.product_log_id`. |
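The following is an added example, not the Google SecOps AZURE_FIREWALL parser and not Microsoft code. It applies the raw-field-to-UDM mappings listed in the change log (product name, `Action`/`ActionReason`/`Category`/`Url`, the `additional.fields` properties, the `Alert` to `ALLOW` rule, and both the pre- and post-2025-06-23 `properties.Severity` tables) to a few constructed records, then runs a rule that selects `HIGH`/`CRITICAL` events under each severity table so the regression a detection author would hit after 2025-06-23 is visible. Assumptions not stated on the page: records use the Azure Monitor resource-log envelope (`category`, `operationName`, `resourceId`, `properties`), raw severity `3` maps to `MEDIUM` under both tables, and `Allow`/`Deny` in `properties.Action` map to `ALLOW`/`BLOCK`. All function and constant names, signature IDs and sample values are the example's own.

```python
"""Reference mapper for the Azure Firewall -> UDM mappings in the change log above.
Added example; not the Google SecOps parser. Constructed input, no network access."""
from __future__ import annotations

# properties.Severity -> security_result.severity before and after 2025-06-23.
# Raw value 3 -> MEDIUM is an assumption; the change log does not mention it.
SEVERITY_BEFORE = {"1": "INFORMATIONAL", "2": "LOW", "3": "MEDIUM", "4": "HIGH", "5": "CRITICAL"}
SEVERITY_AFTER = {"1": "CRITICAL", "2": "HIGH", "3": "MEDIUM", "4": "LOW", "5": "INFORMATIONAL"}

# One-to-one raw property -> UDM path mappings taken from the change log entries.
DIRECT_MAP = {
    "SourceIp": "principal.ip",
    "SourcePort": "principal.port",
    "DestinationIp": "target.ip",
    "DestinationPort": "target.port",
    "Url": "target.url",
    "Action": "security_result.action_details",
    "ActionReason": "security_result.summary",
    "Category": "security_result.description",
    "Description": "metadata.description",
    "ThreatDescription": "metadata.description",
}
# Raw properties the change log places under additional.fields.
ADDITIONAL_FIELDS = ("Policy", "RuleCollection", "RuleCollectionGroup", "Rule",
                     "IsTlsInspected", "IsExplicitProxyRequest", "SignatureId", "Fqdn")


def _set(udm: dict, path: str, value) -> None:
    """Assign value at a dotted UDM path, creating intermediate dicts as needed."""
    node = udm
    keys = path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def map_event(record: dict, severity_map: dict[str, str] = SEVERITY_AFTER) -> dict:
    """Map one Azure Firewall resource-log record to a UDM-shaped dict."""
    props = record.get("properties", {})
    udm: dict = {}
    _set(udm, "metadata.product_name", "Azure Firewall")                   # 2025-05-13
    _set(udm, "metadata.product_event_type", record.get("operationName"))  # 2022-04-29
    _set(udm, "metadata.product_log_id", record.get("resourceId"))         # 2022-04-29
    for raw, path in DIRECT_MAP.items():
        if raw in props:
            _set(udm, path, props[raw])
    for raw in ADDITIONAL_FIELDS:
        if raw in props:
            _set(udm, f"additional.fields.{raw}", props[raw])
    if "Severity" in props:
        _set(udm, "security_result.severity",
             severity_map.get(str(props["Severity"]), "UNKNOWN_SEVERITY"))
    action = str(props.get("Action", ""))
    if "Alert" in action:       # 2024-12-26: IDPS alert-only, the traffic was not blocked
        _set(udm, "security_result.action", "ALLOW")
    elif action == "Allow":     # assumption, not stated in the change log
        _set(udm, "security_result.action", "ALLOW")
    elif action == "Deny":      # assumption, not stated in the change log
        _set(udm, "security_result.action", "BLOCK")
    return udm


def high_or_critical(records: list[dict], severity_map: dict[str, str]) -> list[str]:
    """product_log_id of each record a rule on severity in (HIGH, CRITICAL) would select."""
    hits = []
    for record in records:
        udm = map_event(record, severity_map)
        if udm.get("security_result", {}).get("severity") in ("HIGH", "CRITICAL"):
            hits.append(udm["metadata"]["product_log_id"])
    return hits


# Constructed sample records in the Azure Monitor resource-log shape; not real telemetry.
SAMPLE_RECORDS = [
    {"category": "AZFWIdpsSignature", "operationName": "constructed-idps-operation",
     "resourceId": "log-1",
     "properties": {"SourceIp": "10.0.1.4", "SourcePort": 51234, "DestinationIp": "198.51.100.7",
                    "DestinationPort": 443, "Action": "Alert", "Severity": "1",
                    "SignatureId": "9000001", "Description": "constructed signature text",
                    "Category": "constructed category"}},
    {"category": "AZFWIdpsSignature", "operationName": "constructed-idps-operation",
     "resourceId": "log-2",
     "properties": {"SourceIp": "10.0.1.5", "DestinationIp": "203.0.113.9",
                    "Action": "Deny", "Severity": "5", "SignatureId": "9000002"}},
    {"category": "AZFWApplicationRule", "operationName": "constructed-apprule-operation",
     "resourceId": "log-3",
     "properties": {"SourceIp": "10.0.2.8", "Fqdn": "example.com", "Url": "https://example.com/",
                    "Action": "Allow", "ActionReason": "constructed reason",
                    "Policy": "fw-policy", "RuleCollection": "rc-web", "IsTlsInspected": True}},
]

if __name__ == "__main__":
    print("selected before 2025-06-23:", high_or_critical(SAMPLE_RECORDS, SEVERITY_BEFORE))
    print("selected after  2025-06-23:", high_or_critical(SAMPLE_RECORDS, SEVERITY_AFTER))
```

Running the block shows the point of the 2025-06-23 entry: the same three records yield `log-2` under the old severity table and `log-1` under the new one, so any rule or dashboard that keyed on `security_result.severity` for this log type selects a different population after the parser update and should be re-tested against known raw `Severity` values.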