Change log for CISCO_UCM
| Date | Changes |
|---|---|
| 2026-02-24 | Enhancement:<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `AgreementId` raw log field to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.target.url`: Newly mapped the `LDAPHost` raw log field to the `event.idm.read_only_udm.target.url` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `ldap_host_protocol`, derived from the `LDAPHost` raw log field, to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped `ldap_host_ip`, derived from the `LDAPHost` raw log field, to the `event.idm.read_only_udm.target.ip` UDM field.<br>- `event.idm.read_only_udm.target.port`: Newly mapped `ldap_host_port`, derived from the `LDAPHost` raw log field, to the `event.idm.read_only_udm.target.port` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: If the raw field `EventType` is "UserAccess", the UDM event type is set to "USER_RESOURCE_ACCESS".<br>- Modified the grok patterns so that the logs parse, and the following UDM fields are now mapped correctly: `event.idm.read_only_udm.additional.fields`, `event.idm.read_only_udm.intermediary.ip`, `event.idm.read_only_udm.metadata.description`, `event.idm.read_only_udm.metadata.product_event_type`, `event.idm.read_only_udm.observer.application`, `event.idm.read_only_udm.principal.application`, `event.idm.read_only_udm.principal.asset.hostname`, `event.idm.read_only_udm.principal.asset.ip`, `event.idm.read_only_udm.principal.hostname`, `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.process.pid`, `event.idm.read_only_udm.principal.user.userid`, `event.idm.read_only_udm.security_result.category_details`, `event.idm.read_only_udm.security_result.description`, `event.idm.read_only_udm.security_result.severity`, `event.idm.read_only_udm.security_result.severity_details`, `event.idm.read_only_udm.target.application`, `event.idm.read_only_udm.target.asset.ip`, `event.idm.read_only_udm.target.resource.id`. |
| 2025-10-08 | Enhancement:<br>- Added a grok pattern to parse new log formats.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `UserID` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `ClientAddress` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.target.resource.id`: Newly mapped the `ResourceAccessed` raw log field to the `event.idm.read_only_udm.target.resource.id` UDM field.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `AuditDetails` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.observer.application`: Newly mapped the `ComponentID` raw log field to the `event.idm.read_only_udm.observer.application` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `CorrelationID`, `ClusterID` and `CompulsoryEvent` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.application`: Newly mapped the `AppID` raw log field to the `event.idm.read_only_udm.target.application` UDM field.<br>- `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `NodeID` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- `event.idm.read_only_udm.metadata.event_type`: If `EventType` is "UserLogging", the UDM event type is set to "USER_UNCATEGORIZED".<br>- Added a conditional check on `EventStatus`: if the value is "Success", the action is set to "ALLOW"; otherwise, it is set to "FAIL".<br>- `event.idm.read_only_udm.security_result.category_details`: Newly mapped the `AuditCategory` raw log field to the `event.idm.read_only_udm.security_result.category_details` UDM field. |
| 2024-10-15 | Enhancement:<br>- Added support for parsing previously unparsed logs.<br>- Mapped "inter_hostname" to "intermediary.hostname".<br>- Mapped "inter_ip" to "intermediary.ip" and "intermediary.asset.ip".<br>- Mapped "ClusterId" to "additional.fields". |
| 2022-08-18 | Newly created parser. |
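The field mappings and conditionals listed above, as an added Python example that is not the parser's own code: it assumes a constructed, simplified `Key:Value` layout with no spaces in values (stand-in for the real grok patterns), and assumes the `EventStatus` action lands in `security_result.action`, which the change log does not name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not a captured UCM record: Key:Value pairs, values without spaces.
SAMPLE = ("UserID:admin ClientAddress:10.1.2.3 EventType:UserAccess EventStatus:Success "
          "ResourceAccessed:/ccmadmin AuditCategory:AdministrativeEvent ComponentID:CCMServlet "
          "AppID:Tomcat ClusterID:StandAloneCluster NodeID:ucm-pub CompulsoryEvent:No "
          "CorrelationID:42 AuditDetails:LDAPSync LDAPHost:ldaps://10.1.2.50:636 AgreementId:7")

EVENT_TYPES = {"UserLogging": "USER_UNCATEGORIZED", "UserAccess": "USER_RESOURCE_ACCESS"}
DIRECT = {  # raw field -> UDM paths (the event.idm.read_only_udm. prefix is dropped for brevity)
    "UserID": ["principal.user.userid"],
    "ClientAddress": ["principal.ip", "principal.asset.ip"],
    "ResourceAccessed": ["target.resource.id"],
    "AuditDetails": ["security_result.description"],
    "ComponentID": ["observer.application"],
    "AppID": ["target.application"],
    "NodeID": ["principal.hostname", "principal.asset.hostname"],
    "AuditCategory": ["security_result.category_details"],
    "LDAPHost": ["target.url"],
}
ADDITIONAL = ("CorrelationID", "ClusterID", "CompulsoryEvent")


def parse_kv(line):
    # Stand-in for the parser's grok patterns: works only for the simplified layout above.
    return dict(re.findall(r"(\w+):(\S*)", line))


def map_to_udm(line):
    raw = parse_kv(line)
    udm = {"additional.fields": {k: raw[k] for k in ADDITIONAL if raw.get(k)}}
    for key, paths in DIRECT.items():
        if raw.get(key):
            udm.update({p: raw[key] for p in paths})
    if raw.get("LDAPHost"):  # derive ldap_host_protocol / ldap_host_ip / ldap_host_port
        url = urlsplit(raw["LDAPHost"])
        udm["additional.fields"]["ldap_host_protocol"] = url.scheme
        if url.hostname and re.fullmatch(r"[\d.]+", url.hostname):  # only a literal IPv4
            udm["target.ip"] = url.hostname
        if url.port:
            udm["target.port"] = url.port
    if raw.get("AgreementId"):
        udm["principal.resource.attribute.labels"] = {"AgreementId": raw["AgreementId"]}
    if raw.get("EventType") in EVENT_TYPES:
        udm["metadata.event_type"] = EVENT_TYPES[raw["EventType"]]
    if "EventStatus" in raw:  # assumed UDM path; the change log only says "the action"
        udm["security_result.action"] = "ALLOW" if raw["EventStatus"] == "Success" else "FAIL"
    return udm
```

Running `map_to_udm(SAMPLE)` yields `metadata.event_type` of `USER_RESOURCE_ACCESS`, `target.ip` of `10.1.2.50` and `target.port` of `636`; a non-"Success" `EventStatus` yields the `FAIL` action.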