Change log for MOBILEIRON
| Date | Changes |
|---|---|
| 2026-03-16 | Enhancement<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `log_source` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Added a grok pattern to correctly parse a SYSLOG format in which the time field was previously being misidentified as part of the SystemType field; the time value is now extracted correctly.<br>- `event.idm.read_only_udm.security_result.first_discovered_time`: Mapped the `time` raw log field to the `event.idm.read_only_udm.security_result.first_discovered_time` UDM field.<br>- Added a regex pattern to remove trailing periods from `kv_msg` and `kv_data`.<br>- Added a gsub function to remove commas from the `product` raw log field. |
| 2026-02-10 | Enhancement<br>- Added grok patterns to correctly parse the SYSLOG format of logs.<br>- Added a null check for the `sr_action` field.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Added support for parsing the `date_time` raw log field into the `event.idm.read_only_udm.metadata.event_timestamp` UDM field in the correct format.<br>- `event.idm.read_only_udm.target.process.command_line`: Newly mapped the `command` raw log field to the `event.idm.read_only_udm.target.process.command_line` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: Set `event.idm.read_only_udm.metadata.event_type` to `USER_RESOURCE_ACCESS` when `has_resource` is `true`. |
| 2025-12-05 | Enhancement<br>- `event.idm.read_only_udm.principal.hostname`: Removed the mapping of `host` to the `event.idm.read_only_udm.principal.hostname` UDM field in order to introduce a more accurate mapping for the raw log field.<br>- `event.idm.read_only_udm.principal.asset.hostname`: Removed the mapping of `host` to the `event.idm.read_only_udm.principal.asset.hostname` UDM field in order to introduce a more accurate mapping for the raw log field.<br>- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped the `host` raw log field to the `event.idm.read_only_udm.intermediary.hostname` UDM field.<br>- `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped the `host` raw log field to the `event.idm.read_only_udm.intermediary.asset.hostname` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `product` and `ip_in_bracket` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.metadata.vendor_name`: The static value has been updated from "MOBILEIRON" to "Ivanti".<br>- `event.idm.read_only_udm.metadata.product_name`: Changed the mapping of `event.idm.read_only_udm.metadata.product_name` from the `product` raw log field to the static value "Endpoint Manager Mobile".<br>- `event.idm.read_only_udm.metadata.product_name`: The static value has been updated from "MOBILEIRON" to "Endpoint Manager Mobile". |
| 2025-11-10 | Enhancement<br>- Added support for syslog format.<br>- Set `metadata.event_type` to `NETWORK_CONNECTION` when both principal and target IP addresses are present.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `description` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `timestamp` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- `event.idm.read_only_udm.metadata.product_version`: Newly mapped the `version` raw log field to the `event.idm.read_only_udm.metadata.product_version` UDM field.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `app_name` raw log field to the `event.idm.read_only_udm.principal.application` UDM field.<br>- `event.idm.read_only_udm.principal.process.pid`: Newly mapped the `procid` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `msgid` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- `event.idm.read_only_udm.target.hostname`: Newly mapped the `target_host` raw log field to the `event.idm.read_only_udm.target.hostname` UDM field.<br>- `event.idm.read_only_udm.target.url`: Newly mapped the `url_1` raw log field to the `event.idm.read_only_udm.target.url` UDM field.<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped the `session_user` raw log field to the `event.idm.read_only_udm.target.user.userid` UDM field.<br>- `event.idm.read_only_udm.network.received_bytes`: Newly mapped the `response_size` raw log field to the `event.idm.read_only_udm.network.received_bytes` UDM field.<br>- `event.idm.read_only_udm.network.http.method`: Newly mapped the `http_method` raw log field to the `event.idm.read_only_udm.network.http.method` UDM field.<br>- `event.idm.read_only_udm.network.http.referral_url`: Newly mapped the `referrer` raw log field to the `event.idm.read_only_udm.network.http.referral_url` UDM field.<br>- `event.idm.read_only_udm.network.http.user_agent`: Newly mapped the `user_agent` raw log field to the `event.idm.read_only_udm.network.http.user_agent` UDM field.<br>- `event.idm.read_only_udm.network.http.response_code`: Newly mapped the `http_status` raw log field to the `event.idm.read_only_udm.network.http.response_code` UDM field.<br>- `event.idm.read_only_udm.metadata.collected_timestamp`: Newly mapped the `date_time` raw log field to the `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.<br>- `event.idm.read_only_udm.target.process.pid`: Newly mapped the `pid` raw log field to the `event.idm.read_only_udm.target.process.pid` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `client_ip` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `client_ip` raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.principal.port`: Newly mapped the `client_port` raw log field to the `event.idm.read_only_udm.principal.port` UDM field.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped the `target_ip` raw log field to the `event.idm.read_only_udm.target.ip` UDM field.<br>- `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `target_ip` raw log field to the `event.idm.read_only_udm.target.asset.ip` UDM field.<br>- `event.idm.read_only_udm.target.port`: Newly mapped the `target_port` raw log field to the `event.idm.read_only_udm.target.port` UDM field.<br>- `event.idm.read_only_udm.intermediary.ip`: Newly mapped the `ip_1` raw log field to the `event.idm.read_only_udm.intermediary.ip` UDM field.<br>- `event.idm.read_only_udm.security_result.first_discovered_time`: Newly mapped the `time` raw log field to the `event.idm.read_only_udm.security_result.first_discovered_time` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `t1`, `mem_percent`, `vsz`, `rss`, `stat`, `start`, `token_id`, `tag`, `safepoint_ns_1`, `safepoint_ns_2`, `ns_1`, `duration_ms`, `apache_error_code`, `log_year`, `module`, `error_code` and `attempts` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `run_user`, `systemd_user`, `type`, `safepoint_type` and `http_request` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped from the `loglevel` raw log field: set to "INFORMATIONAL", "ERROR" or "MEDIUM" when `loglevel` matches "INFO", "Error" or "Warning" respectively (case-insensitive).<br>- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped from the `loglevel` raw log field when `loglevel` matches none of the conditions for `security_result.severity`.<br>- `event.idm.read_only_udm.security_result.summary`: Newly mapped the `summary` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field.<br>- `event.idm.read_only_udm.security_result.action`: Newly mapped the `action` raw log field to the `event.idm.read_only_udm.security_result.action` UDM field.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `program_name` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `user`, `nice`, `iowait`, `steal`, `idle` and `system` raw log fields to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. |
| 2024-11-07 | Enhancement<br>- Added support for syslog format. |
| 2023-02-02 | Enhancement<br>- Updated the existing mapping of `complianceViolationTypeToReason.BLACKLIST_APPS` from `security_result.summary` to `security_result.description`.<br>- Mapped `complianceViolationTypeToReason.SA` to `security_result.summary`. |
| 2022-04-25 | Enhancement<br>- Modified `event_type` from `GENERIC_EVENT` to `USER_UNCATEGORIZED`.<br>- Mapped `policyViolatedAt` to `metadata.event_timestamp`.<br>- Mapped `platformType` to `principal.asset.platform_software.platform`. |
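Several entries above describe derivation rules rather than plain field copies, and anyone writing detection rules over MOBILEIRON events has to know their outcome: how `loglevel` becomes `security_result.severity` or falls through to `security_result.severity_details` (2025-11-10), when `metadata.event_type` becomes `NETWORK_CONNECTION` or `USER_RESOURCE_ACCESS` (2025-11-10 and 2026-02-10), and the trailing-period and comma clean-ups (2026-03-16). The Python below is an added illustration, not the Google SecOps parser (which is a Logstash-style configuration) and not Ivanti's code; it models those documented rules over constructed records so the expected values can be checked before a rule depends on them. Two points are assumptions because the change log does not state them: the `loglevel` comparison is treated as an exact case-insensitive match, and when both the `has_resource` and the two-IP conditions hold the resource rule is given priority.

```python
import re

# Raw-field names (loglevel, client_ip, target_ip, has_resource, product,
# kv_msg, kv_data) are those listed in the change log. Records are constructed.
_SEVERITY_BY_LOGLEVEL = {
    "info": "INFORMATIONAL",
    "error": "ERROR",
    "warning": "MEDIUM",
}
_TRAILING_PERIODS = re.compile(r"\.+$")


def severity_fields(loglevel):
    """2025-11-10 rule: a known level (compared case-insensitively; exact
    match is an assumption) maps to a fixed severity, any other value is
    passed through unchanged as severity_details, and a missing loglevel
    sets neither field."""
    if not loglevel:
        return {}
    severity = _SEVERITY_BY_LOGLEVEL.get(loglevel.strip().lower())
    if severity:
        return {"security_result.severity": severity}
    return {"security_result.severity_details": loglevel}


def event_type(record):
    """USER_RESOURCE_ACCESS when has_resource is true (2026-02-10);
    NETWORK_CONNECTION when both the principal (client_ip) and target
    (target_ip) addresses are present (2025-11-10). Checking has_resource
    first is an assumption; the change log gives no precedence."""
    if str(record.get("has_resource", "")).lower() == "true":
        return "USER_RESOURCE_ACCESS"
    if record.get("client_ip") and record.get("target_ip"):
        return "NETWORK_CONNECTION"
    return None


def strip_trailing_periods(value):
    """2026-03-16: regex removing trailing periods from kv_msg / kv_data."""
    return _TRAILING_PERIODS.sub("", value)


def strip_commas(value):
    """2026-03-16: gsub removing commas from the product raw field."""
    return value.replace(",", "")


def normalise(record):
    """Apply the modelled rules to one parsed record. Derived UDM values are
    keyed by UDM field name; cleaned raw fields keep their raw name."""
    out = dict(severity_fields(record.get("loglevel")))
    derived_type = event_type(record)
    if derived_type:
        out["metadata.event_type"] = derived_type
    for key in ("kv_msg", "kv_data"):
        if key in record:
            out[key] = strip_trailing_periods(record[key])
    if "product" in record:
        out["product"] = strip_commas(record["product"])
    return out


# Constructed sample records (not real EPMM output), one per rule branch.
SAMPLE_RECORDS = [
    {"loglevel": "WARNING", "client_ip": "10.10.1.20", "target_ip": "10.10.1.5",
     "product": "Ivanti, EPMM", "kv_msg": "Device check-in completed..."},
    {"loglevel": "Debug", "has_resource": "true", "kv_data": "status=ok."},
    {"loglevel": "info"},
]


def normalise_samples():
    return [normalise(record) for record in SAMPLE_RECORDS]


if __name__ == "__main__":
    for udm in normalise_samples():
        print(udm)
```

Running the module prints one dict per sample: the first carries `MEDIUM` and `NETWORK_CONNECTION` with the comma and trailing periods removed, the second shows `Debug` landing in `security_result.severity_details` rather than `severity`, and the third shows `INFORMATIONAL` with no `metadata.event_type` because neither condition applies. Replace `SAMPLE_RECORDS` with fields pulled from your own parsed events to check that a rule's severity or event-type predicate matches what the documented mappings will actually emit.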