Change log for BEYONDTRUST_BEYONDINSIGHT
| Date | Changes |
|---|---|
| 2025-12-02 | Enhancement:
- `event.idm.read_only_udm.principal.ip`: Removed mapping of `ips` from `event.idm.read_only_udm.principal.ip`, since `ips` is a target field.
- `event.idm.read_only_udm.target.ip`: Mapped `ips` raw log field to `event.idm.read_only_udm.target.ip`, since `ips` is a target field.
- `event.idm.read_only_udm.principal.asset.ip`: Removed mapping of `ips` from `event.idm.read_only_udm.principal.asset.ip`, since `ips` is a target field.
- `event.idm.read_only_udm.target.asset.ip`: Mapped `ips` raw log field to `event.idm.read_only_udm.target.asset.ip`, since `ips` is a target field.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `ManagedSystem` raw log field to `event.idm.read_only_udm.target.hostname`.
- `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `ManagedSystem` raw log field to `event.idm.read_only_udm.target.asset.hostname`.
- `event.idm.read_only_udm.target.user.userid`: Newly mapped `ManagedAccount` raw log field to `event.idm.read_only_udm.target.user.userid`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `TicketNumber`, `TicketSystem`, `LogTime`, `Failed`, `Reason`, `Approver`, `bt_Category` raw log fields to `event.idm.read_only_udm.additional.fields`.
- Added grok patterns to extract `ReleaseRequestId` from the `msg` field.
- Added a KV filter to parse the `Target` field. |
| 2025-11-19 | Enhancement:
- Added support for JSON format embedded within the `message` field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `facility`, `Category`, `AuditID`, `ActionType`, `AppUserID`, `FolderId`, `Folder`, `SecretType`, `CanManageOwnership`, `CanShareSecret`, `priority`, `Password`, `Title`, `version`, `CreateDate` raw log fields to `event.idm.read_only_udm.additional.fields`.
- `event.idm.read_only_udm.intermediary.ip`: Newly mapped `hostname` raw log field to `event.idm.read_only_udm.intermediary.ip`.
- `event.idm.read_only_udm.intermediary.asset.ip`: Newly mapped `hostname` raw log field to `event.idm.read_only_udm.intermediary.asset.ip`.
- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `Name` raw log field to `event.idm.read_only_udm.principal.user.user_display_name`.
- `event.idm.read_only_udm.target.resource.id`: Newly mapped `SecretId` raw log field to `event.idm.read_only_udm.target.resource.id`.
- `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `username` raw log field to `event.idm.read_only_udm.principal.user.email_addresses`.
- `event.idm.read_only_udm.target.url`: Newly mapped `URL` raw log field to `event.idm.read_only_udm.target.url`.
- `event.idm.read_only_udm.principal.user.product_object_id`: Newly mapped `userId` raw log field to `event.idm.read_only_udm.principal.user.product_object_id`.
- `event.idm.read_only_udm.metadata.product_name`: Newly mapped `appname` raw log field to `event.idm.read_only_udm.metadata.product_name`.
- Added `gsub` mutations to sanitize field names from the JSON payload before key-value extraction. |
| 2025-11-07 | Enhancement:
- `event.idm.read_only_udm.target.user.userid`: Newly mapped `dst_user` raw log field to `event.idm.read_only_udm.target.user.userid`.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `dst_host` raw log field to `event.idm.read_only_udm.target.hostname`.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `src_user` raw log field to `event.idm.read_only_udm.principal.user.userid`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `src_ip` raw log field to `event.idm.read_only_udm.principal.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `src_ip` raw log field to `event.idm.read_only_udm.principal.asset.ip`.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `nvps.source` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped `nvps.source` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.target.application`: Newly set to the constant value `"BeyondInsight Application GUI"`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `nvps.areaname`, `nvps.context`, `nvps.active`, `nvps.genericappliancehealthactive`, `nvps.beyondinsightapplicationauditactive`, `nvps_hostname`, `nvps.port`, `nvps.genericappliancehealthenabled`, `nvps.beyondinsightapplicationauditenabled`, `nvps.genericappliancehealthseverity`, `nvps.outputpipeline`, `nvps.name` raw log fields to `event.idm.read_only_udm.additional.fields`.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `nvps.hostname` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped `nvps.hostname` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `sourcehost` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `shost` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `src_host` raw log field to `event.idm.read_only_udm.principal.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `src_host` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.extensions.auth.type`: Newly set to the constant value `"MACHINE"`.
- `event.idm.read_only_udm.target.application`: Newly set to the constant value `"BeyondInsight Appliance Management GUI"`.
- `event.idm.read_only_udm.intermediary.asset.ip`: Newly mapped `inter_ip` raw log field to `event.idm.read_only_udm.intermediary.asset.ip`.
- `event.idm.read_only_udm.principal.ip`: Removed mapping of `sourceip` from `event.idm.read_only_udm.principal.ip`, as `sourceip` is an intermediary field.
- `event.idm.read_only_udm.intermediary.ip`: Mapped `sourceip` raw log field to `event.idm.read_only_udm.intermediary.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Removed mapping of `sourceip` from `event.idm.read_only_udm.principal.asset.ip`, as `sourceip` is an intermediary field.
- `event.idm.read_only_udm.intermediary.asset.ip`: Mapped `sourceip` raw log field to `event.idm.read_only_udm.intermediary.asset.ip`.
- `event.idm.read_only_udm.target.hostname`: Removed mapping of `nvps.clienthost` from `event.idm.read_only_udm.target.hostname`, as `nvps.clienthost` is an intermediary and is now mapped to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.hostname`: Mapped `nvps.clienthost` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.target.asset.hostname`: Removed mapping of `nvps.clienthost` from `event.idm.read_only_udm.target.asset.hostname`, as `nvps.clienthost` is an intermediary and is now mapped to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Mapped `nvps.clienthost` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.principal.hostname`: Removed mapping of `nvps.name` from `event.idm.read_only_udm.principal.hostname`, as it is not a hostname but the name of the configured forwarder.
- `event.idm.read_only_udm.principal.asset.hostname`: Removed mapping of `nvps.name` from `event.idm.read_only_udm.principal.asset.hostname`, as it is not a hostname but the name of the configured forwarder.
- Added grok patterns to extract `dst_user`, `dst_host`, `src_user`, `src_host`, and `src_ip` from the `eventdesc` field.
- Conditionally set `event.idm.read_only_udm.metadata.event_type` to `USER_LOGIN` or `USER_LOGOUT` based on `eventdesc` content and `agentid`.
- Added a grok pattern to handle IP addresses within the `nvps.hostname` field, extracting them to `nvps_hostname`. |
| 2025-07-23 | Enhancement:
- Added gsubs to ensure proper mapping of KV-format logs.
- Modified a gsub to ensure proper mapping of the `OS` and `Agent Version` raw log fields.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `EventType` raw log field to `event.idm.read_only_udm.additional.fields` (with key `Event Type`).
- Added a grok pattern to check that `sourceip` is a valid IP address before mapping it to the `event.idm.read_only_udm.principal.ip` UDM field. |
| 2025-05-13 | Enhancement:
- Added support for handling the `#` character in UDM fields.
- Added support for parsing `metadata.event_type`.
- Added the null checks required while mapping fields. |
| 2025-04-21 | Enhancement:
- Added a grok pattern to support the new SYSLOG log format.
- Added a gsub to fix the KV parsing issue. |
| 2025-02-06 | Enhancement:
- Added support to map the unparsed fields. |
| 2024-11-22 | - Newly created parser. |
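The routing rules the 2025-11-07, 2025-11-19 and 2025-12-02 entries describe (send `sourceip`, `inter_ip` and `nvps.clienthost` to the intermediary rather than the principal, gate every `*.ip` field on a syntactically valid address, keep `nvps.name` out of hostname fields, route `ips`, `ManagedSystem` and `ManagedAccount` to the target, sanitize keys from the embedded JSON in `message` and the KV `Target` payload before they become `additional.fields` labels, and derive `USER_LOGIN`/`USER_LOGOUT` from `eventdesc`), replayed over constructed records. This is an added Python illustration written for this page, not the parser's own grok/gsub/KV filters; the raw keys are the ones the changelog names, while the sample records and the "logged in"/"logged out" wording that decides the event type are assumptions.

```python
"""Replay of the changelog's routing rules over constructed BeyondInsight-style records.

Added illustration, not the parser's own code. Field names are those the
changelog cites; the records and the login/logout phrases are assumptions.
"""
import ipaddress
import json
import re


def sanitize_key(key: str) -> str:
    """Reduce a raw key (e.g. 'Can#Share', 'nvps.name') to [A-Za-z0-9_]."""
    return re.sub(r"[^A-Za-z0-9_]+", "_", key).strip("_")


def is_ip(value: str) -> bool:
    """True only for a valid IPv4/IPv6 literal; hostnames must never reach *.ip."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


_KV = re.compile(r'([\w.#-]+)=(?:"([^"]*)"|(\S+))')


def parse_kv(text: str) -> dict:
    """Parse `k=v k2="v 2"` pairs such as the `Target` field carries."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(text)}


def embedded_json(message: str) -> dict:
    """Return the JSON object that follows free text in `message`, or {}."""
    start = message.find("{")
    if start < 0:
        return {}
    try:
        obj = json.loads(message[start:])
    except ValueError:
        return {}
    return obj if isinstance(obj, dict) else {}


# Address fields: sourceip and inter_ip belong to the forwarder (intermediary),
# src_ip is the actor (principal), ips is the managed system (target).
_IP_ROUTES = (("src_ip", "principal"), ("sourceip", "intermediary"),
              ("inter_ip", "intermediary"), ("ips", "target"))
# Hostname fields. nvps.name is the configured forwarder name, not a host,
# so it is deliberately absent and falls through to additional fields.
_HOST_ROUTES = (("src_host", "principal"), ("nvps.clienthost", "intermediary"),
                ("ManagedSystem", "target"))


def event_type(raw: dict) -> str:
    """Assumed rule: eventdesc wording picks login/logout, anything else is generic."""
    desc = raw.get("eventdesc", "").lower()
    if "logged in" in desc:
        return "USER_LOGIN"
    if "logged out" in desc:
        return "USER_LOGOUT"
    return "GENERIC_EVENT"


def normalize(raw: dict) -> dict:
    udm = {"principal": {}, "intermediary": {}, "target": {}, "additional": {}}
    consumed = set()
    for key, noun in _IP_ROUTES:
        val = raw.get(key)
        if val is None:
            continue
        consumed.add(key)
        if is_ip(val):
            udm[noun]["ip"] = val
        else:  # keep the raw value, but never inside an IP-typed field
            udm["additional"][sanitize_key(key)] = val
    for key, noun in _HOST_ROUTES:
        if key in raw:
            consumed.add(key)
            udm[noun]["hostname"] = raw[key]
    for key, noun in (("src_user", "principal"), ("ManagedAccount", "target")):
        if key in raw:
            consumed.add(key)
            udm[noun]["userid"] = raw[key]
    if "message" in raw:
        consumed.add("message")
        for k, v in embedded_json(raw["message"]).items():
            udm["additional"][sanitize_key(k)] = v
    if "Target" in raw:
        consumed.add("Target")
        for k, v in parse_kv(raw["Target"]).items():
            udm["additional"][sanitize_key(k)] = v
    for key, val in raw.items():  # unparsed leftovers still land in additional
        if key not in consumed and key != "eventdesc":
            udm["additional"][sanitize_key(key)] = val
    udm["event_type"] = event_type(raw)
    return udm


# Constructed records for this example, not captured BeyondInsight output.
SAMPLES = [
    {"eventdesc": "User alice logged in", "src_user": "alice", "src_host": "ws01",
     "src_ip": "10.1.2.3", "sourceip": "10.9.9.9", "nvps.clienthost": "bi-fwd01",
     "nvps.name": "SIEM Forwarder"},
    {"eventdesc": "Password release", "ManagedSystem": "db01", "ManagedAccount": "svc_backup",
     "ips": "10.0.0.5", "Target": 'ReleaseRequestId=4242 TicketSystem="Jira Cloud"',
     "message": 'audit {"AuditID": 17, "Can#Share": false}'},
    {"eventdesc": "User bob logged out", "src_ip": "not-an-ip"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(json.dumps(normalize(rec), sort_keys=True))
```

Running the file prints one normalized record per sample. The point worth checking in a real parser is the third record: a non-IP `src_ip` stays in `additional` instead of being forced into `principal.ip`, which is the failure the 2025-07-23 validity check was added to prevent.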