Change log for BARRACUDA_CLOUDGEN_FIREWALL
| Date | Changes |
|---|---|
| 2026-04-16 | - `event.idm.read_only_udm.additional.fields`: Newly mapped the `server`, `service`, `box`, `startport`, `endport`, `request_type`, `request_key` and `syslogpriority` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `peer` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `origin` raw log field to the `event.idm.read_only_udm.principal.application` UDM field.<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped the `desc` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `principal_user_id` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.principal.user.group_identifiers`: Newly mapped the `cn_data` raw log field to the `event.idm.read_only_udm.principal.user.group_identifiers` UDM field.<br>- `event.idm.read_only_udm.principal.port`: Newly mapped the `src_port` raw log field to the `event.idm.read_only_udm.principal.port` UDM field.<br>- Added a Grok pattern on the `message` field to correctly parse the raw log fields. |
| 2026-04-02 | - `event.idm.read_only_udm.target.application`: Removed the mapping of the `action` raw log field to the `event.idm.read_only_udm.target.application` UDM field, as it contains the security action rather than application data.<br>- `event.idm.read_only_udm.security_result.action`: Mapped the `action` raw log field to the `event.idm.read_only_udm.security_result.action` UDM field; the value is `ALLOW` when `action` is `Allow` and `BLOCK` when `action` is `Block`.<br>- `event.idm.read_only_udm.security_result.action_details`: Mapped the `action` raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- `event.idm.read_only_udm.target.user.userid`: Removed the mapping of the `column1` raw log field to the `event.idm.read_only_udm.target.user.userid` UDM field, as it contains the direction rather than a user ID.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `column1` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.mac` and `event.idm.read_only_udm.target.asset.mac`: Removed the mapping of the `column6` raw log field to the `event.idm.read_only_udm.target.mac` and `event.idm.read_only_udm.target.asset.mac` UDM fields, as it contains the principal MAC address rather than the target MAC address.<br>- `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac`: Mapped the `column6` raw log field to the `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac` UDM fields.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `column3` and `column9` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.rule_id`: Newly mapped the `column12` raw log field to the `event.idm.read_only_udm.security_result.rule_id` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `column4` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.network.ip_protocol`: Newly mapped the `column2` raw log field to the `event.idm.read_only_udm.network.ip_protocol` UDM field.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `ts_timestamp` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- Added a Grok pattern on the `message` field to correctly parse the raw log fields. |
| 2025-02-10 | Newly created parser. |