<html lang="en">
<body>
	
	<p>	
	<b>[OOTB] Microsoft Products. Version 10</b><br>
	Change log:
	Extra normalizer 1102 was updated:
		<ul>
			<li>Event field "Event.UserData.LogFileCleared.SubjectDomainName" was mapped to the KUMA field SourceNtDomain.</li>
			<li>Event field "Event.UserData.LogFileCleared.SubjectUserName" was mapped to the KUMA field SourceUserName.</li>
		</ul>
	</p>	
			
	<p>	
	<b>[OOTB] Microsoft Products. Version 9</b><br>
	Change log:
	<ul>
		<li>Extra normalizer 4663 was updated:
			<ul>
				<li>Event field "Event.System.Task" was mapped to the KUMA field DeviceCustomString6.</li>
				<li>Event enrichment with the dictionary "[OOTB] Windows. Task category codes" was added for the field DeviceCustomString6.</li>
			</ul>
		</li>
		<li>New dictionary "[OOTB] Windows. Task category codes" was added. The dictionary contains the IDs of the Task Category parameter of Windows OS audit events and their corresponding names.</li>
		<li>Parsing of the event field "Event.EventData.Data.ContextInfo" was moved from the extra normalizer "4103" to the extra normalizer "4103 ContextInfo regexp".</li>
	</ul>
	</p>
	
	<p>	
	<b>[OOTB] Microsoft Products. Version 8</b><br>
	Change log:
	<ul>	
		<li>Event field mapping in the main normalizer was fixed. The event field name was changed from "Event.System.Keyword" to "Event.System.Keywords" (this field is mapped to the KUMA field EventOutcome).</li>
		
		<li>Extra normalizer 4662 was updated:
			<ul>
				<li>Mapping of the event field "Event.EventData.Data.AccessMask" was moved from the KUMA field DeviceCustomString1 to the KUMA field DeviceCustomString2.</li>
				<li>Dictionary enrichment of the KUMA field FilePermission was removed.</li>
				<li>Event field "Event.EventData.Data.Properties" was additionally mapped to the KUMA field DeviceCustomString6.</li>
			</ul>
		</li>
		
		<li>Dictionary "[OOTB] Windows.Codes (4662)" was updated:
			<ul>
				<li>Additional operation codes were added.</li>
				<li>Description of the dictionary "[OOTB] Windows.Codes (4662)" was updated.</li>
			</ul>
		</li>
		
		<li>Extra normalizer 1 was updated:
			<ul>
				<li>Mapping of the event field "Event.EventData.Data.Image" was moved from the KUMA field FilePath to the KUMA field OldFilePath.</li>
				<li>Regular-expression enrichment now populates the KUMA fields OldFileName and OldFilePath; the regular expressions were updated.</li>
			</ul>
		</li>
		
		<li>Extra normalizer 7 was updated:
			<ul>
				<li>Event enrichment with regular expressions was added for the fields OldFileName and OldFilePath.</li>
				<li>Regular expressions used for enrichment of the KUMA fields FileName and FilePath were updated.</li>
			</ul>
		</li>
		
		<li>Extra normalizer 4104 was updated:
			<ul>
				<li>Event field "Event.EventData.Data.ScriptBlockText" mapping to the KUMA field Message was fixed.</li>
				<li>Mapping of the event field "Event.EventData.Data.ScriptBlockId" to the KUMA field DeviceCustomString2 was removed. This field is still mapped to the KUMA field FileId.</li>
			</ul>
		</li>
		
		<li>Option "Keep extra fields" was disabled for the extra normalizers: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 255.</li>
		
		<li>New event mapping was added in the extra normalizer 4103 to the KUMA fields SourceUserName, DestinationUserName, FlexString2, DeviceCustomString4.</li>
		
		<li>Other minor improvements.</li>
	</ul>
	</p>
	
	<p>
	<b>[OOTB] Microsoft Products. Version 7</b><br>
	Change log:
		<ul>
			<li>Parsing of events from Microsoft Hyper-V was added.</li>
			<li>New dictionary "[OOTB] Windows Hyper-V EventID-Name" was added.</li>
			<li>Event field Event.EventData.Data.SubjectLogonId was mapped to the KUMA field FlexString1 in the extra normalizers: 4658, 4618, 4870, 4877, 5377, 5058, 4871, 4869, 4661, 4662, 4865, 5140, 4818, 4918, 4659, 4904, 5122, 5123, 4672, 4875, 4696, 4615, 5633, 4819, 5888, 5889, 4905, 4670, 4866, 4912, 4890, 4891, "Kerberos or DRA group for EFS or The audit policy (SACL) on an object policy was changed.", 5632, 4626, 4873, 4907, 5890, 4876, 5376, 4884, 4867, 4892, 5378, 4657, 4664, 4882, 5059, 4896, 4624, 4691, 4874, 4660, 4868, 5039.</li>
			<li>Event field Event.EventData.Data.SubjectUserSid was mapped to the KUMA field DestinationUserID in the extra normalizers: 4615, 4657, 4658, 4662, 4670, 4672, 4691, 4818, 4819, 4904, 4905, 4907, 4912, 4913, 5039, 5058, 5376, 5377, 5378.</li>
			<li>Additional field mapping was added in the extra normalizer 5632: "Event.EventData.Data.SSID" to the KUMA field DeviceCustomString3, "Event.EventData.Data.LocalMac" to the KUMA field DeviceMacAddress, "Event.EventData.Data.PeerMac" to the KUMA field DestinationMacAddress. Field mapping was changed in this extra normalizer: event field "Event.EventData.Data.ReasonText" is now mapped to the KUMA field DeviceCustomString4, and event field "Event.EventData.Data.ErrorCode" is now mapped to the KUMA field DeviceCustomString5.</li>
			<li>Enrichment with a dictionary "[OOTB] Windows.Codes (4663)" in extra normalizer 4663 (in the field DeviceCustomString1) was replaced with event enrichment (replace operation).</li>
			<li>Normalizer structure was optimized. The following extra normalizers were combined with other extra normalizers: 4106, 4660, 4661, 4823, 4866, 4867, 4868, 4869, 4870, 4871, 4873, 4874, 4875, 4876, 4877, 4882, 4883, 4884, 4885, 4890, 4891, 4892, 4896, 4902, 4909, 5056, 5059, 5888, 5889, 5890, 6272, 6278, 6279, 6280, "22 (TerminalServer)", "24 (TerminalServer)", "25 (TerminalServer)".</li>
			<li>Other minor improvements.</li>
		</ul>
  	</p>

	<p>
		<b>[OOTB] Microsoft Products. Version 6</b><br>
		Event parsing has been added for events: System 104, Sysmon 27, Sysmon 28, Sysmon 29.
  	</p>
  

  <p>
    <b>[OOTB] Microsoft Products. Version 5</b><br>
    Normalizer name was changed to [OOTB] Microsoft Products.<br>
	Event parsing has been added for events with ID: 4698, 4699, 4700, 4701, 4702, 1105.<br>
  
	Field mapping has been changed for events:
	<ul>
		<li>Event ID 1. Field Event.EventData.Data.CommandLine has been mapped to KUMA field DeviceCustomString4</li>
		<li>Event ID 1. Field Event.EventData.Data.ParentCommandLine has been mapped to KUMA field DeviceCustomString5</li>
		<li>Event ID 1. Field Event.EventData.Data.FileVersion has been mapped to KUMA field FileId</li>
	</ul>
	
	Additional field mapping has been added for events:
	<ul>
		<li>Event ID 4688. Field Event.EventData.Data.ParentProcessName has been mapped to KUMA field SourceProcessName</li>
		<li>Event ID 7045. Event.System.Execution.ProcessID has been mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4897. Field Event.EventData.Data.ClientProcessId has been mapped to KUMA field DeviceCustomString3</li>
	</ul>
	
	Event IDs and names have been added to the dictionary "[OOTB] Windows. EventIDs and Event Names mapping": 103, 106, 156, 157, 217, 251, 278, 335, 336, 337, 342, 349, 358, 364, 381, 385, 386, 388, 390, 399, 400, 401, 402, 417, 435, 436, 545, 1113, 1114.<br>
	
	Minor improvements:
	<ul>
		<li>Event enrichment has been added for the field "Event.System.Keyword" in the main normalizer</li>
		<li>Event enrichment has been added for the field "DestinationHostName" in the main normalizer</li>
		<li>Event ID 4625. Event enrichment for field DestinationHostName was added</li>
		<li>Event ID 5145. Event enrichment for field Event.EventData.Data.AccessList was added</li>
		<li>Event ID 5136. Event enrichment for field Event.EventData.Data.OperationType was added</li>
		<li>Other minor improvements</li>
	</ul>
	</p>


  <p>
  <b>[OOTB] Windows Extended v 1.0. Version 4</b><br>
  Parsing of new events was added:
  <ul>
	<li>Network Policy Server events. Event ID: 4928, 4929, 4930, 4931, 4932, 4933, 4935</li>
	<li>Event ID 107, 109</li>
	<li>Event ID 1108</li>
	<li>Event ID 4614</li>
	<li>Event ID 4622</li>
	<li>Event ID 12, 13</li>
	<li>Event ID 1074</li>
	<li>Event ID 42</li>
	<li>Event ID 4944</li>
	<li>Event ID 4951</li>
	<li>Event ID 4956</li>
	<li>Event ID 5031</li>
	<li>Event ID 6144</li>
	<li>Event ID 6145</li>
	<li>Event ID 6419</li>
	<li>Event ID 6420, 6421, 6422, 6423</li>
	<li>Event ID 6274, 6276</li>
  </ul>
  
	Event enrichment with the product name (KUMA field DeviceProduct) was moved from the main normalizer to the first level of extra normalizers.<br>
	Product names (KUMA field DeviceProduct) were changed:
  <ul>
  	<li>Powershell to PowerShell for events in extra normalizer "PowerShell"</li>
	<li>Windows to Terminal Server for events in extra normalizer "Terminal Server"</li>
  </ul>
  
	New dictionaries were added:
	<ul>
	<li>[OOTB] Windows_Sysmon. EventIDs and Event Names mapping</li>
	<li>[OOTB] Windows_Terminal Server. EventIDs and Event Names mapping </li>
	</ul>
	
	New event names were added to the dictionary "[OOTB] Windows_Sysmon. EventIDs and Event Names mapping":
  <ul>
  	<li>Event ID 107</li>
	<li>Event ID 1074</li>
	<li>Event ID 109</li>
	<li>Event ID 42</li>
  </ul>
  
  Additional field mapping was added for events Event ID 12 (Sysmon), Event ID 13 (Sysmon), Event ID 14 (Sysmon), Event ID 4657:
  	<ul>
	<li>Data from DeviceHostName field to the DestinationHostName field</li>
	<li>Data from DeviceAddress field to the DestinationAddress field</li>
  	</ul>
	
  Field mapping was changed for events:
	<ul>
		<li>Event ID 4627. Field Event.EventData.Data.SubjectUserSid was mapped to KUMA field SourceUserID </li>
		<li>Event ID 4627. Field Event.EventData.Data.SubjectLogonId was mapped to KUMA field DeviceCustomString1 </li>
		<li>Event ID 4627. Field Event.EventData.Data.TargetUserSid was mapped to KUMA field DestinationUserID </li>
		<li>Event ID 4627. Field Event.EventData.Data.TargetLogonId was mapped to KUMA field DeviceCustomString2 </li>
	</ul>
	
  Minor improvements:
	<ul>
		<li>Constant with the event journal name was added to the KUMA field OldFileType</li>
		<li>Event labels for DeviceCustom* fields were updated</li>
		<li>Other minor changes</li>
	</ul>
  </p>

 
  <p>
	<b>[OOTB] Windows Extended v 1.0. Version 3</b><br>
	Minor improvements.
  </p>


  <p>
	<b>[OOTB] Windows Extended v 1.0. Version 2</b><br>
	Minor improvements.
  </p>
  
  <p>
	<b>[OOTB] Windows Extended v 1.0. Version 1</b><br>
   Parsing of new events was added:
	<ul>
		<li>Event ID 4100</li>
		<li>Event ID 4103</li>
		<li>Event ID 4104</li>
		<li>Event ID 4105</li>
		<li>Event ID 4106</li>
		<li>Event ID 8193</li>
		<li>Event ID 8194</li>
		<li>Event ID 8197</li>
		<li>Event ID 24577</li>
		<li>Event ID 24595</li>
		<li>Event ID 53249</li>
		<li>Event ID 53250</li>
		<li>Event ID 53504</li>
		<li>Event ID 24596</li>
		<li>Event ID 24597</li>
		<li>Event ID 24598</li>
		<li>Event ID 24599</li>
		<li>Event ID 5159</li>
		<li>Event ID 5447</li>
	</ul>
	
	New event enrichment was added for events:
	<ul>
		<li>Event ID 5136</li>
		<li>Event ID 4738</li>
		<li>Event ID 4104</li>
		<li>Event ID 8004</li>
		<li>Event ID 5159</li>
		<li>Event ID 4662</li>
	</ul>
		
	Event mapping was changed for events:
	<ul>
		<li>Event ID 7045. Field Event.System.Security.UserID was mapped to KUMA field SourceUserID</li>
		<li>Event ID 4688. Field Event.EventData.Data.ProcessId was mapped from DeviceCustomString5 to DeviceCustomString3 KUMA field</li>
		<li>Event ID 4688. Field Event.EventData.Data.NewProcessId was mapped from DeviceCustomString3 to DeviceCustomString5 KUMA field</li>
		<li>Event ID 4696. Field Event.EventData.Data.ProcessId was mapped from DeviceCustomString5 to DeviceCustomString3 KUMA field</li>
		<li>Event ID 4698, 4699. Field Event.EventData.Data.CallerProcessId was mapped from FileName to DeviceCustomString3 KUMA field</li>
		<li>Event ID 4649. Field Event.EventData.Data.SubjectLogonId was mapped from DestinationUserID to FlexString1 KUMA field</li>
		<li>Event ID 4649. Field Event.EventData.Data.SubjectUserSid was mapped from DestinationUserName to SourceUserID KUMA field</li>
		<li>Event ID 4649. Field Event.EventData.Data.SubjectUserName was mapped from DestinationUserName to SourceUserName KUMA field</li>
		<li>Sysmon event ID 13. Field Event.EventData.Data.TargetObject was mapped to KUMA field FileName</li>
		<li>Sysmon event ID 1. Field Event.EventData.Data.Hashes was mapped to KUMA field FileHash</li>
	</ul>
	
	Additional field mapping was added for events:
	<ul>
		<li>Event ID 4649. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4649. Field Event.EventData.Data.AccountName was mapped to KUMA field DestinationUserName</li>
		<li>Event ID 4673. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4673. Field Event.EventData.Data.Service was mapped to KUMA field SourceServiceName</li>
		<li>Event ID 4690. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4690. Field Event.EventData.Data.TargetProcessId was mapped to KUMA field DeviceCustomString5</li>
		<li>Event ID 4691, Event ID 4818. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4904, Event ID 4905. Field Event.EventData.Data.AuditSourceName was mapped to KUMA field FlexString1</li>
		<li>Event ID 4911, Event ID 4913. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4985. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 4985. Field Event.EventData.Data.TransactionId was mapped to KUMA field FlexString1</li>
		<li>Event ID 5039. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 5039. Field Event.EventData.Data.KeyName was mapped to KUMA field FlexString1</li>
		<li>Event ID 5051. Field Event.EventData.Data.ProcessId was mapped to KUMA field DeviceCustomString3</li>
		<li>Event ID 5051. Field Event.EventData.Data.ObjectName was mapped to KUMA field FileName</li>
		<li>Event ID 5136. Field Event.EventData.Data.ObjectGUID was mapped to KUMA field FilePermission</li>
		<li>Event ID 4662. Field Event.EventData.Data.Properties was mapped to KUMA field FilePermission</li>
	</ul>
	
	DeviceProduct field was updated for PowerShell, Defender and Sysmon events.
	
	Event enrichment was fixed for events with ID 4866, 4867.
		
	Event Name was fixed for events:
	<ul>
		<li>Event ID 5145. Event's name was changed to "A network share object was checked to see whether client can be granted desired access"</li>
		<li>Event ID 5379. Event's name was changed to "Credential Manager credentials were read"</li>
		<li>Event ID 5140. Event's name was changed to "A network share object was accessed"</li>
		<li>Event ID 7045. Event's name was changed to "A new service was installed in the system"</li>
		<li>Sysmon event names</li>
	</ul>
		
	Minor improvements:
	<ul>
		<li>Event enrichment with empty constants was deleted</li>
		<li>Event enrichment for DeviceCustom* labels was deleted</li>
		<li>Extra normalizer for event ID 5140 was moved to the root of the normalizer</li>
		<li>Other minor changes</li>
	</ul>
  </p>

</body>
</html>
