Change log for CODE42_INCYDR
| Date | Changes |
|---|---|
| 2026-03-13 | - `event.idm.read_only_udm.security_result.detection_fields`: Changed the key format for `filter.term` from `group_filter_term` to `group_filter_term_%{i}_%{j}`, for `filter.operator` from `group_filter_operator` to `group_filter_operator_%{i}_%{j}`, and for `group.filterClause` from `group_filterclause` to `group_filterclause_%{i}`.<br>- `event.idm.read_only_udm.metadata.id`: Newly mapped the `idme_evnt_id` raw log field to the `event.idm.read_only_udm.metadata.id` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `audit_log` (key: `type`), `risk.score` (key: `risk_score_parsed`), `filter.value` (key: `group_filter_value_%{i}_%{j}`), `filter.display` (key: `filter_display`) and `group.display` (key: `group_display_%{i}`) raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.action`: Updated the value of `event.idm.read_only_udm.security_result.action` to "ALLOW" or "BLOCK" based on a conditional check.<br>- `event.idm.read_only_udm.principal.user.userid`: If `parsed_actorName` is extracted and differs from `actorId`, mapped `parsed_actorName` to the `event.idm.read_only_udm.principal.user.userid` UDM field, and modified the parsing logic for the `actorName` raw log field.<br>- `event.idm.read_only_udm.metadata.event_type`: Set the `event_type` to `FILE_DELETED` when both target file and principal machine data are present.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Removed the mapping of `filter.value` to the `event.idm.read_only_udm.metadata.product_log_id` UDM field when its value is in a date format.<br>- Added a Grok pattern on `actorName` to extract `parsed_actorName`.<br>- Added a conditional check so that `risk.score` values equal to 0 are still mapped to `event.idm.read_only_udm.additional.fields` with the key `risk_score_parsed`. |
| 2025-09-24 | - Added a gsub on the `message` data field so that the logs are parsed in the correct format.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `source.domains`, `destination.domains`, `paste.mimeTypes`, `paste.visibleContentSize`, `origin` and `evnt.inserted` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `risk.activityTier` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `source_tabs.title` and `source_tabs.url` raw log fields to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- Corrected the mapping for the `file.archiveId` raw log field and mapped it to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- Corrected the mapping for the `source.email.from` raw log field and mapped it to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. |
| 2024-12-10 | - Newly created parser. |
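The indexed key format from the 2026-03-13 entry, as an added illustration rather than the parser's own configuration: a Python function that emits the `detection_fields` and `additional.fields` label keys for nested filter groups (so that each term, operator and value stays attributable to its group), plus the `risk_score_parsed` handling that keeps a score of 0. The alert layout, field names inside the groups and the `legacy_keys` helper are assumptions for the example.

```python
# Added example, not the CODE42_INCYDR parser itself. The alert structure
# below is constructed and assumed; it is not a real Incydr record.

SAMPLE_ALERT = {
    "risk": {"score": 0},  # a legitimate zero, which a truthiness check would drop
    "groups": [
        {"filterClause": "AND", "display": "Removable media",
         "filters": [
             {"term": "destinationCategory", "operator": "IS", "value": "Removable Media"},
             {"term": "fileCategory", "operator": "IS", "value": "Source Code"}]},
        {"filterClause": "OR", "display": "Schedule",
         "filters": [
             {"term": "eventTimestamp", "operator": "ON_OR_AFTER", "value": "2026-03-01T00:00:00Z"}]},
    ],
}


def build_labels(alert: dict) -> tuple[list[dict], list[dict]]:
    """Return (security_result.detection_fields, additional.fields) as lists of
    {"key", "value"} labels, keyed with the %{i}_%{j} scheme from the change log."""
    detection_fields: list[dict] = []
    additional_fields: list[dict] = []
    # i indexes the filter group, j indexes the filter inside that group.
    for i, group in enumerate(alert.get("groups", [])):
        if "filterClause" in group:
            detection_fields.append({"key": f"group_filterclause_{i}", "value": group["filterClause"]})
        if "display" in group:
            additional_fields.append({"key": f"group_display_{i}", "value": group["display"]})
        for j, flt in enumerate(group.get("filters", [])):
            detection_fields.append({"key": f"group_filter_term_{i}_{j}", "value": flt["term"]})
            detection_fields.append({"key": f"group_filter_operator_{i}_{j}", "value": flt["operator"]})
            additional_fields.append({"key": f"group_filter_value_{i}_{j}", "value": flt["value"]})
    # Test for presence, not truthiness, so a risk score of 0 is still mapped.
    score = alert.get("risk", {}).get("score")
    if score is not None:
        additional_fields.append({"key": "risk_score_parsed", "value": str(score)})
    return detection_fields, additional_fields


def legacy_keys(alert: dict) -> list[str]:
    """Keys the pre-2026-03-13 format produced: no index suffix, so every filter
    in the alert collapses onto the same three key names."""
    keys: list[str] = []
    for group in alert.get("groups", []):
        keys.append("group_filterclause")
        keys += ["group_filter_term", "group_filter_operator"] * len(group.get("filters", []))
    return keys
```

With the sample alert, the indexed format yields eight distinct `detection_fields` keys, whereas the legacy format yields eight labels sharing only three key names, which is why the operator could no longer be matched to its term.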