Change log for AWS_API_GATEWAY
| Date | Changes |
|---|---|
| 2026-01-22 | Enhancement:
- `event.idm.read_only_udm.principal.resource.attribute.labels`: Removed mapping of `accountId` from `event.idm.read_only_udm.principal.resource.attribute.labels`. - `event.idm.read_only_udm.principal.resource.product_object_id`: Mapped `accountId` raw log field to `event.idm.read_only_udm.principal.resource.product_object_id`. - `event.idm.read_only_udm.security_result.detection_fields`: Removed mapping of `wafStatusCode` from `event.idm.read_only_udm.security_result.detection_fields`. - `event.idm.read_only_udm.additional.fields`: Mapped `wafStatusCode` raw log field to `event.idm.read_only_udm.additional.fields`. - `event.idm.read_only_udm.additional.fields`: Newly mapped `wafResponseCode` raw log field to `event.idm.read_only_udm.additional.fields`. - `event.idm.read_only_udm.security_result.detection_fields`: Removed mapping of `wafAclArn` from `event.idm.read_only_udm.security_result.detection_fields`. - `event.idm.read_only_udm.additional.fields`: Mapped `wafAclArn` raw log field to `event.idm.read_only_udm.additional.fields`. - `event.idm.read_only_udm.security_result.detection_fields`: Removed mapping of `UniqueRequestId` from `event.idm.read_only_udm.security_result.detection_fields`. - `event.idm.read_only_udm.network.session_id`: Mapped `UniqueRequestId` raw log field to `event.idm.read_only_udm.network.session_id`. |
| 2025-12-26 | Enhancement:
- Added support for the new pattern of logs. - event.idm.read_only_udm.principal.ip: Newly mapped `identity_sourceIp` raw log field to `event.idm.read_only_udm.principal.ip` UDM field. - event.idm.read_only_udm.principal.asset.ip: Newly mapped `identity_sourceIp` raw log field to `event.idm.read_only_udm.principal.asset.ip` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly mapped `identity_user` raw log field to `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.network.http.user_agent: Newly mapped `identity_userAgent` raw log field to `event.idm.read_only_udm.network.http.user_agent` UDM field. - event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped `identity_userAgent` raw log field to `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `identity_caller` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `integrationStatus` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `responseLatency` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `authorizer_property` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `authorizer_claims_property` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `extendedRequestId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `authorizer_principalId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `awsEndpointRequestId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `authorizer_error_message` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `domainPrefix` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `identity_cognitoIdentityPoolId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `identity_cognitoIdentityId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `identity_cognitoAuthenticationType` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `identity_cognitoAuthenticationProvider` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `identity_accountId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `identity_userArn` raw log field to `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. - event.idm.read_only_udm.security_result.description: Newly mapped `error_message` raw log field to `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.security_result.summary: Newly mapped `error_responseType` raw log field to `event.idm.read_only_udm.security_result.summary` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `wafStatusCode` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `wafAclArn` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `UniqueRequestId` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.action: Newly mapped `wafResponseCode` raw log field to `event.idm.read_only_udm.security_result.action` UDM field. - event.idm.read_only_udm.target.hostname: Newly mapped `domainName` raw log field to `event.idm.read_only_udm.target.hostname` UDM field. - event.idm.read_only_udm.target.asset.hostname: Newly mapped `domainName` raw log field to `event.idm.read_only_udm.target.asset.hostname` UDM field. - event.idm.read_only_udm.additional.fields: Removed mapping `accountId` from `event.idm.read_only_udm.additional.fields` and mapped `event.idm.read_only_udm.principal.resource.attribute.labels` instead in order to introduce a more accurate mapping for the raw log field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `authorizer_integrationlatency` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-12-03 | Enhancement:
event.idm.read_only_udm.principal.ip: Newly mapped `s3_remoteip` raw log field to `event.idm.read_only_udm.principal.ip` UDM field. event.idm.read_only_udm.principal.asset.ip: Newly mapped `s3_remoteip` raw log field to `event.idm.read_only_udm.principal.asset.ip` UDM field. event.idm.read_only_udm.principal.user.userid: Newly mapped `s3_requester_user` raw log field to `event.idm.read_only_udm.principal.user.userid` UDM field. event.idm.read_only_udm.network.http.response_code: Newly mapped `s3_httpstatus` raw log field to `event.idm.read_only_udm.network.http.response_code` UDM field. event.idm.read_only_udm.metadata.product_log_id: Newly mapped `s3_requestid` raw log field to `event.idm.read_only_udm.metadata.product_log_id` UDM field. event.idm.read_only_udm.target.resource.name: Newly mapped `s3_bucket` raw log field to `event.idm.read_only_udm.target.resource.name` UDM field. event.idm.read_only_udm.target.file.full_path: Newly mapped `s3_uri` raw log field to `event.idm.read_only_udm.target.file.full_path` UDM field. event.idm.read_only_udm.network.http.user_agent: Newly mapped `s3_useragent` raw log field to `event.idm.read_only_udm.network.http.user_agent` UDM field. event.idm.read_only_udm.network.http.method: Newly mapped `s3_http_capture` raw log field to `event.idm.read_only_udm.network.http.method` UDM field. event.idm.read_only_udm.target.url: Newly mapped `s3_hostheader` raw log field to `event.idm.read_only_udm.target.url` UDM field. event.idm.read_only_udm.network.sent_bytes: Newly mapped `s3_bytes_sent` raw log field to `event.idm.read_only_udm.network.sent_bytes` UDM field. event.idm.read_only_udm.target.file.size: Newly mapped `s3_objectsize` raw log field to `event.idm.read_only_udm.target.file.size` UDM field. event.idm.read_only_udm.additional.fields: Newly mapped `apiKeyId` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. event.idm.read_only_udm.additional.fields: Newly mapped `apiKey` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. event.idm.read_only_udm.additional.fields: Newly mapped `latency` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-09-05 | Enhancement:
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of `requestTime` from `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.metadata.event_timestamp: Mapped `requestTime` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2025-08-26 | Enhancement:
- event.idm.read_only_udm.target.resource.product_object_id: Newly mapped `apiId` raw log field with `event.idm.read_only_udm.target.resource.product_object_id` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly mapped `user, authorizerPrincipalId` raw log field(s) with `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `authorizerPrincipalId` raw log field with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `integrationLatency`, `xrayTraceId`, `accountId` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `requestTime` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.network.application_protocol: Added grok pattern to extract `app_protocol_src` and `http_version` from `protocol` raw log field else mapped `protocol` raw log field with `event.idm.read_only_udm.network.application_protocol_version` UDM field. - Newly mapped `app_protocol_src` field with `event.idm.read_only_udm.network.application_protocol` UDM field. - Newly mapped `http_version` field with `event.idm.read_only_udm.network.application_protocol_version` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly mapped `requestId` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.network.received_bytes: Newly mapped `responseLength` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field. - event.idm.read_only_udm.principal.ip: Newly mapped `sourceIp` raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - event.idm.read_only_udm.principal.asset.ip: Newly mapped `sourceIp` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - event.idm.read_only_udm.network.http.response_code: Newly mapped `statusCode` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field. - event.idm.read_only_udm.network.http.user_agent: Newly mapped `userAgent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field. - event.idm.read_only_udm.target.url: Newly mapped `resourcePath` raw log field with `event.idm.read_only_udm.target.url` UDM field. |
| 2025-02-13 | Enhancement:
- Added "gsub" to parse new type of logs. - Mapped "account_id", "api_id", "aws_endpoint_request_id", "caller", "domain_prefix", "extended_request_id", "identity_user_arn", "resource_path", "stage", "waf_response_code", and "web_acl_arn" to "additional.fields". - Mapped "domain_name" to "principal.administrative_domain". - Mapped "request_time" to "security_result.detection_fields". - Mapped "http_method" to "network.http.method". - Mapped "identity_principal_org_id" to "principal.resource.attribute.labels". - Mapped "identity_source_ip_address" to "principal.ip". - Mapped "identity_user" to "principal.user.userid". |
| 2024-07-24 | - Newly created parser.
|