Change log for FIREEYE_EMPS
| Date | Changes |
|---|---|
| 2026-03-15 | Enhancement<br>- `event.idm.read_only_udm.additional.fields`: Removed mapping of `cs1` and `cs1Label` to `event.idm.read_only_udm.additional.fields` UDM field when `cs1Label` is equal to `sname`, so that `cs1` can be mapped to a more appropriate UDM field.<br>- `event.idm.read_only_udm.security_result.rule_name`: Mapped `cs1` raw log field to `event.idm.read_only_udm.security_result.rule_name` UDM field when `cs1Label` is equal to `sname`.<br>- `event.idm.read_only_udm.additional.fields`: Removed mapping of `cs4` and `cs4Label` to `event.idm.read_only_udm.additional.fields` UDM field when `cs4Label` is equal to `link`, so that `cs4` can be mapped to a more appropriate UDM field.<br>- `event.idm.read_only_udm.metadata.url_back_to_product`: Mapped `cs4` raw log field to `event.idm.read_only_udm.metadata.url_back_to_product` UDM field when `cs4Label` is equal to `link`.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: Removed mapping of `suser` raw log field to `event.idm.read_only_udm.principal.user.user_display_name` UDM field, since `suser` contains the sender's email address.<br>- `event.idm.read_only_udm.network.email.from`: Mapped `suser` raw log field to `event.idm.read_only_udm.network.email.from` UDM field.<br>- `event.idm.read_only_udm.target.user.user_display_name`: Removed mapping of `duser` raw log field to `event.idm.read_only_udm.target.user.user_display_name` UDM field, since `duser` contains the recipient's email address.<br>- `event.idm.read_only_udm.network.email.to`: Mapped `duser` raw log field to `event.idm.read_only_udm.network.email.to` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Removed mapping of `fname` to `event.idm.read_only_udm.additional.fields` UDM field, since `fname` is the file's name and belongs in a more appropriate UDM field.<br>- `event.idm.read_only_udm.target.file.names`: Mapped `fname` raw log field to `event.idm.read_only_udm.target.file.names` UDM field.<br>- `event.idm.read_only_udm.about.file.sha256`, `event.idm.read_only_udm.about.file.full_path`: Removed mapping of `fileHash` to `event.idm.read_only_udm.about.file.sha256` and `event.idm.read_only_udm.about.file.full_path` UDM fields when `fileHash` contains a valid MD5 hash value. The raw log field `fileHash` represents the MD5 hash value.<br>- `event.idm.read_only_udm.target.file.md5`: Mapped `fileHash` raw log field to `event.idm.read_only_udm.target.file.md5` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Removed mapping of `flexString1` and `flexString1Label` to `event.idm.read_only_udm.additional.fields` UDM field when `flexString1Label` is equal to `sha256sum`, so that `flexString1` can be mapped to a more appropriate UDM field.<br>- `event.idm.read_only_udm.about.file.sha256`: Mapped `flexString1` raw log field to `event.idm.read_only_udm.about.file.sha256` UDM field when `flexString1Label` is equal to `sha256sum`.<br>- `event.idm.read_only_udm.observer.application`: Newly mapped `observer_application` raw log field to `event.idm.read_only_udm.observer.application` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `syslog_severity_label` raw log field to `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.first_discovered_time`: Newly mapped `start` raw log field to `event.idm.read_only_udm.security_result.first_discovered_time` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly set `event.idm.read_only_udm.metadata.event_type` UDM field to `EMAIL_TRANSACTION` when both sender and recipient email addresses are present. |
| 2024-10-29 | - Newly created parser. |
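The 2026-03-15 entry amounts to a set of label-driven routing rules for CEF custom extensions: a `csN`/`flexStringN` value is only promoted out of `additional.fields` into a typed UDM field when its companion label (`sname`, `link`, `sha256sum`) says what it carries, and hash or email values are only placed in hash or email fields when they validate. Detection rules that key on `security_result.rule_name`, `network.email.from` or `target.file.md5` only match once the value lands in those fields. The Python model below is an added illustration of those rules and is not the Google SecOps parser itself (which is written in the platform's own parser syntax). The two sample extension strings are constructed, and the validation regexes, the `GENERIC_EVENT` fallback, and the fallback of non-email `suser`/`duser` values to the display-name fields are assumptions of this example.

```python
import re

# Constructed sample CEF extension strings (not real FireEye EMPS log lines).
SAMPLE_ALERT = (
    "cs1Label=sname cs1=Phishing.Generic.Link "
    "cs4Label=link cs4=https://emps.example.internal/alert/12345 "
    "suser=alice@example.com duser=bob@example.com "
    "fname=invoice 2026.pdf "
    "fileHash=d41d8cd98f00b204e9800998ecf8427e "
    "flexString1Label=sha256sum "
    "flexString1=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "start=2026-03-15T10:20:30Z"
)
# Second constructed record: labels do not match the documented ones, the hash
# is malformed, and there is no recipient.
SAMPLE_OTHER = "cs1Label=ruleId cs1=42 suser=alice@example.com fileHash=not-a-hash"

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_cef_extension(ext):
    """Split a CEF extension into a dict. CEF values may contain spaces, so the
    split happens before the next 'key=' token, not on every whitespace run."""
    fields = {}
    for tok in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def _put(udm, path, value):
    """Set a dotted UDM path such as 'metadata.event_type'."""
    node = udm
    parts = path.split(".")
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value


def map_to_udm(fields):
    """Apply the label-driven routing from the 2026-03-15 entry. security_result
    and network.email.to are repeated in UDM, so they are modelled as lists."""
    udm = {"additional": {"fields": {}}, "security_result": [{}]}
    extra = udm["additional"]["fields"]
    sr = udm["security_result"][0]

    # Custom strings: csNLabel names what csN carries. Only the documented
    # label/field pairs get a typed UDM field; everything else stays in
    # additional.fields keyed by its label.
    for n in range(1, 7):
        key = f"cs{n}"
        if key not in fields:
            continue
        label = fields.get(f"{key}Label", "")
        if (key, label) == ("cs1", "sname"):
            sr["rule_name"] = fields[key]
        elif (key, label) == ("cs4", "link"):
            _put(udm, "metadata.url_back_to_product", fields[key])
        else:
            extra[label or key] = fields[key]

    # flexString1 is a SHA-256 only when its label says so AND the value
    # actually looks like one; a bad value must not pollute a hash field.
    fs1, fs1_label = fields.get("flexString1"), fields.get("flexString1Label", "")
    if fs1 is not None:
        if fs1_label == "sha256sum" and SHA256_RE.match(fs1):
            _put(udm, "about.file.sha256", fs1.lower())
        else:
            extra[fs1_label or "flexString1"] = fs1

    # fileHash carries an MD5. Validate before using target.file.md5; the
    # fallback to additional.fields is an assumption of this example.
    fh = fields.get("fileHash")
    if fh is not None:
        if MD5_RE.match(fh):
            _put(udm, "target.file.md5", fh.lower())
        else:
            extra["fileHash"] = fh

    # suser/duser are sender/recipient addresses and belong in network.email.
    # Non-email values falling back to display names is an assumption here.
    suser, duser = fields.get("suser"), fields.get("duser")
    if suser is not None:
        _put(udm, "network.email.from" if EMAIL_RE.match(suser)
             else "principal.user.user_display_name", suser)
    if duser is not None:
        if EMAIL_RE.match(duser):
            _put(udm, "network.email.to", [duser])
        else:
            _put(udm, "target.user.user_display_name", duser)

    if "fname" in fields:
        _put(udm, "target.file.names", [fields["fname"]])
    if "start" in fields:
        sr["first_discovered_time"] = fields["start"]
    if "observer_application" in fields:
        _put(udm, "observer.application", fields["observer_application"])
    if "syslog_severity_label" in fields:
        extra["syslog_severity_label"] = fields["syslog_severity_label"]

    # EMAIL_TRANSACTION needs both ends; GENERIC_EVENT otherwise (assumption).
    email = udm.get("network", {}).get("email", {})
    both = "from" in email and bool(email.get("to"))
    _put(udm, "metadata.event_type", "EMAIL_TRANSACTION" if both else "GENERIC_EVENT")
    return udm


def map_line(ext):
    return map_to_udm(parse_cef_extension(ext))


if __name__ == "__main__":
    import json
    print(json.dumps(map_line(SAMPLE_ALERT), indent=2))
```

Running the module prints the UDM for the first record; `map_line(SAMPLE_OTHER)` shows the negative path, where `cs1` stays in `additional.fields` under its label `ruleId`, the malformed `fileHash` never reaches `target.file.md5`, and the missing recipient keeps the event from being classified as `EMAIL_TRANSACTION`. The format checks are the part worth keeping in any real parser: a non-hash string that lands in a hash field silently breaks hash-based correlation with threat intelligence, which is exactly the failure the `fileHash`/`flexString1` split in the change log is avoiding.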