Change log for ARMIS_ACTIVITIES

Date Changes
2025-10-23 Enhancement:
- Added support for an optional Syslog header before the JSON payload.
- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `source_user` raw log field to `event.idm.read_only_udm.principal.user.user_display_name`.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `timestamp` raw log field from syslog header to `event.idm.read_only_udm.metadata.event_timestamp`.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `intermediary_hostname` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped `intermediary_hostname` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.security_result.rule_id`: Newly mapped `id` raw log field to `event.idm.read_only_udm.security_result.rule_id`.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `severity` and `policy.actions.actionType` raw log fields to `event.idm.read_only_udm.security_result.severity`.
- `event.idm.read_only_udm.security_result.risk_score`: Newly mapped `riskLevel` raw log field to `event.idm.read_only_udm.security_result.risk_score`.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `status` and `activities.decision_data.risk_factor_type` raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.
- `event.idm.read_only_udm.security_result.description`: Newly mapped `policy.description` raw log field to `event.idm.read_only_udm.security_result.description`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `classification`, `policy.labels`, `policy.rules.and`, `policy.actions.actionParams.title`, `policy.actions.actionParams.alertDescription`, `policy.actions.actionParams.alertClassificationId`, `policy.actions.actionParams.endpoint`, `policy.actions.actionParams.timeBack`, `policy.actions.actionParams.emailRecipients`, `sources.sensor.name`, `sources.sensor.type`, `sources.boundaries`, `sources.dataSources`, `policy.isActive`, `policy.isBoundary`, `policy.isEditable`, `policy.creationTime`, `policy.modificationTime`, `policy.owner`, `activities.type`, `activities.decision_data.client_offered_suites`, `activities.decision_data.selected_suite`, `activities.decision_data.src_device_id`, `activities.decision_data.risk_factor_id`, `activities.decision_data.risk_factor_category`, `activities.decision_data.risk_factor_description`, `activities.decision_data.risk_factor_score`, `activities.decision_data.connection`, `activities.decision_data.category`, and `activities.decision_data.client_device_id` raw log fields to `event.idm.read_only_udm.additional.fields`.
- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `policy.actions.actionType` raw log field to `event.idm.read_only_udm.security_result.severity_details`.
- `event.idm.read_only_udm.security_result.category_details`: Newly mapped `sources.category` raw log field to `event.idm.read_only_udm.security_result.category_details`.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `sources.id` raw log field to `event.idm.read_only_udm.principal.user.userid`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `sources.ip`, `sources.ipv6`, and `activities.decision_data.src_ip` raw log fields to `event.idm.read_only_udm.principal.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `sources.ip`, `sources.ipv6`, and `activities.decision_data.src_ip` raw log fields to `event.idm.read_only_udm.principal.asset.ip`.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `sources.name` raw log field to `event.idm.read_only_udm.principal.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `sources.name` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.principal.location.name`: Newly mapped `sources.site.name` raw log field to `event.idm.read_only_udm.principal.location.name`.
- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `sources.site.location` raw log field to `event.idm.read_only_udm.principal.location.country_or_region`.
- `event.idm.read_only_udm.principal.user.attribute.labels`: Newly mapped `sources.type` and `sources.model` raw log fields to `event.idm.read_only_udm.principal.user.attribute.labels`.
- `event.idm.read_only_udm.principal.mac`: Newly mapped `sources.identifier` raw log field to `event.idm.read_only_udm.principal.mac`.
- `event.idm.read_only_udm.principal.asset.mac`: Newly mapped `sources.identifier` raw log field to `event.idm.read_only_udm.principal.asset.mac`.
- `event.idm.read_only_udm.principal.asset.product_object_id`: Newly mapped `sources.identifier` raw log field to `event.idm.read_only_udm.principal.asset.product_object_id` when it's not a valid MAC address.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `activities.UUID` raw log field to `event.idm.read_only_udm.metadata.product_log_id`.
- `event.idm.read_only_udm.network.tls.version`: Newly mapped `activities.decision_data.version` raw log field to `event.idm.read_only_udm.network.tls.version`.
- `event.idm.read_only_udm.target.ip`: Newly mapped `activities.decision_data.host` raw log field to `event.idm.read_only_udm.target.ip`.
- `event.idm.read_only_udm.target.asset.ip`: Newly mapped `activities.decision_data.host` raw log field to `event.idm.read_only_udm.target.asset.ip`.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `activities.decision_data.host` raw log field to `event.idm.read_only_udm.target.hostname`.
- `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `activities.decision_data.host` raw log field to `event.idm.read_only_udm.target.asset.hostname`.
- `event.idm.read_only_udm.target.port`: Newly mapped `activities.decision_data.port` raw log field to `event.idm.read_only_udm.target.port`.
- `event.idm.read_only_udm.security_result.confidence`: Newly mapped `activities.decision_data.confidence` raw log field to `event.idm.read_only_udm.security_result.confidence`.
- `event.idm.read_only_udm.security_result.confidence_details`: Newly mapped `activities.decision_data.confidence` raw log field to `event.idm.read_only_udm.security_result.confidence_details`.
- `event.idm.read_only_udm.network.application_protocol`: Newly mapped `activities.decision_data.protocol` raw log field to `event.idm.read_only_udm.network.application_protocol`.
- `event.idm.read_only_udm.network.dns.questions.name`: Newly mapped `activities.decision_data.host` and `activities.decision_data.query_type` raw log fields to `event.idm.read_only_udm.network.dns.questions.name` for DNS_QUERY events.
- `event.idm.read_only_udm.network.dns.answers.data`: Newly mapped `activities.decision_data.answer_ips` raw log field to `event.idm.read_only_udm.network.dns.answers.data` for DNS_QUERY events.
- Modified grok patterns to handle the optional Syslog header and extract the JSON data.
- The `metadata.event_type` is now dynamically set to `NETWORK_CONNECTION`, `USER_UNCATEGORIZED`, `STATUS_UPDATE`, or `GENERIC_EVENT` based on the presence of principal, target, and user information, replacing the previous hardcoded value.
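
A pre-ingestion check for two of the behaviours listed above: the optional Syslog header before the JSON payload and the `sources.identifier` MAC fallback. It is an added example, not the parser's own code. It assumes an RFC 3164-style header and that `sources` is a list; the function names and sample lines are constructed for illustration.

```python
import json
import re

# Assumed header layout: "<PRI>Mmm dd hh:mm:ss host" ahead of the JSON.
# The changelog only says the header is optional; this shape is an assumption.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<intermediary_hostname>\S+)\s*$"
)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

def split_record(line):
    """Return (header_fields, payload); header_fields is {} when no header matches."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload found")
    payload = json.loads(line[start:])
    match = HEADER_RE.match(line[:start].strip())
    return (match.groupdict() if match else {}), payload

def map_identifier(identifier):
    """A valid MAC goes to the mac fields, anything else to product_object_id."""
    if MAC_RE.match(identifier):
        return {"principal.mac": identifier, "principal.asset.mac": identifier}
    return {"principal.asset.product_object_id": identifier}

def preview(line):
    """Show which UDM fields (prefix shortened) a raw line would populate."""
    header, payload = split_record(line)
    udm = {}
    if header:
        udm["metadata.event_timestamp"] = header["timestamp"]
        udm["intermediary.hostname"] = header["intermediary_hostname"]
        udm["intermediary.asset.hostname"] = header["intermediary_hostname"]
    for source in payload.get("sources", []):
        identifier = source.get("identifier")
        if identifier:
            udm.update(map_identifier(identifier))
    return udm

# Constructed sample lines, not real Armis output.
SAMPLE_WITH_HEADER = ('<134>Oct 23 10:15:02 collector01 '
                      '{"id": "42", "sources": [{"identifier": "00:1A:2B:3C:4D:5E"}]}')
SAMPLE_BARE = '{"id": "43", "sources": [{"identifier": "device-7781"}]}'

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HEADER, SAMPLE_BARE):
        print(preview(sample))
```

Running it against a sample of your own forwarder output shows whether records will pick up the intermediary fields and which asset identifier field existing detections should key on.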