Change log for CHECKPOINT_HARMONY
| Date | Changes |
|---|---|
| 2026-02-25 | Enhancement:
- `event.idm.read_only_udm.additional.fields`: Newly mapped the `time`, `origin`, `scrubbed_content` and `event_id` raw log fields to the event.idm.read_only_udm.additional.fields UDM field.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped the `inter_host` raw log field to the event.idm.read_only_udm.intermediary.hostname UDM field.
- `event.idm.read_only_udm.network.email.to`: Mapped the `to` raw log field to the event.idm.read_only_udm.network.email.to UDM field when it is a valid email address.
- `event.idm.read_only_udm.security_result.detection_fields`: Mapped the `to` raw log field to the event.idm.read_only_udm.security_result.detection_fields UDM field when it is not a valid email address.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `indicator_type`, `max_count_detected`, `dlp_relevant_data_types`, `dlp_categories` and `matchedIndicators` raw log fields to the event.idm.read_only_udm.security_result.detection_fields UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `timestamp` raw log field to the event.idm.read_only_udm.metadata.event_timestamp UDM field.
- `event.idm.read_only_udm.security_result.action`: Modified the logic that maps the `action` raw log field to the event.idm.read_only_udm.security_result.action UDM field so that `Prevent` is mapped to the BLOCK action.
- `event.idm.read_only_udm.security_result.action_details`: Newly mapped the `add_spam_header` raw log field to the event.idm.read_only_udm.security_result.action_details UDM field.
- `event.idm.read_only_udm.intermediary.ip`: A Grok pattern is applied to `origin`, and the field is mapped to event.idm.read_only_udm.intermediary.ip only if the Grok pattern extracts a valid IP address.
- `event.idm.read_only_udm.principal.asset.ip`: Corrected the spelling of `principal.asset.ip`.
- Added a Grok pattern to handle syslog+kv format logs, allowing the following UDM fields to be mapped correctly:
  - `event.idm.read_only_udm.metadata.description`
  - `event.idm.read_only_udm.metadata.event_type`
  - `event.idm.read_only_udm.metadata.product_event_type`
  - `event.idm.read_only_udm.metadata.product_log_id`
  - `event.idm.read_only_udm.metadata.product_name`
  - `event.idm.read_only_udm.metadata.vendor_name`
  - `event.idm.read_only_udm.network.email.from`
  - `event.idm.read_only_udm.network.email.reply_to`
  - `event.idm.read_only_udm.network.email.subject`
  - `event.idm.read_only_udm.principal.user.userid`
  - `event.idm.read_only_udm.security_result.action`
  - `event.idm.read_only_udm.target.file.md5`
  - `event.idm.read_only_udm.target.file.size`
  - `event.idm.read_only_udm.metadata.log_type`
  - `event.idm.read_only_udm.principal.administrative_domain`
  - `event.idm.read_only_udm.principal.ip`
  - `event.idm.read_only_udm.security_result.rule_id`
  - `event.idm.read_only_udm.security_result.severity`
  - `event.idm.read_only_udm.target.process.file.full_path`
  - `event.idm.read_only_udm.target.process.file.md5` |
| 2026-01-30 | Enhancement:
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `eventId` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `eventCreated` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped the `type` raw log field to the `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped the `act.createTime`, `act.relatedEntityId`, `customerId`, `saas`, `state`, `entityId` and `connectivity_state` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.action`: Newly mapped the `actions.actionType` raw log field to the `event.idm.read_only_udm.security_result.action` UDM field.
- `event.idm.read_only_udm.security_result.category` and `event.idm.read_only_udm.security_result.category_details`: If `confidenceIndicator` matches `malicious`, map it to the `event.idm.read_only_udm.security_result.category` UDM field; otherwise map it to the `event.idm.read_only_udm.security_result.category_details` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `entity_id`, `entity_type`, `disable_link` and `label` fields from `data` to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.network.email.from`: Newly mapped the `senderAddress` raw log field to the `event.idm.read_only_udm.network.email.from` UDM field. |
| 2025-01-08 | - Added a Grok pattern to handle variations in logs.
- Added new fields. |
| 2024-12-12 | Enhancement:
- Added support for new log patterns. |
| 2023-11-10 | Created a new parser. |
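The conditional rules in the 2026-02-25 entry (`to` goes to email.to only when it is a valid address, `Prevent` becomes BLOCK, `origin` reaches intermediary.ip only when a valid IP address is extracted) as a small reference mapper, useful for checking parser output against sample logs. This is an added example, not the parser's own code: the key=value sample line, the email and IPv4 patterns and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample line in key=value form; not a real Check Point Harmony capture.
SAMPLE_LOG = "action=Prevent to=analyst@example.com origin=gw-1/10.0.0.5"

# Assumed validation patterns; the parser's own Grok expressions are not on the page.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_kv(line: str) -> dict:
    """Split a space-separated key=value line into a dict of raw log fields."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def map_to_udm(raw: dict) -> dict:
    """Apply the conditional rules of the 2026-02-25 entry; keys are UDM paths
    relative to event.idm.read_only_udm."""
    udm: dict = {}
    detection_fields = []

    # `to`: network.email.to only for a valid address, otherwise a detection field.
    to = raw.get("to")
    if to is not None:
        if EMAIL_RE.match(to):
            udm["network.email.to"] = [to]
        else:
            detection_fields.append({"key": "to", "value": to})

    # `action`: the entry only states that Prevent becomes BLOCK; other values are
    # left unmapped here because the page does not list them (assumption).
    if raw.get("action") == "Prevent":
        udm["security_result.action"] = "BLOCK"

    # `origin`: always kept in additional.fields; intermediary.ip is set only when a
    # valid IP address can be extracted from it (the "Grok succeeded" condition).
    origin = raw.get("origin")
    if origin is not None:
        udm.setdefault("additional.fields", {})["origin"] = origin
        m = IPV4_RE.search(origin)
        if m:
            try:
                udm["intermediary.ip"] = [str(ipaddress.ip_address(m.group(0)))]
            except ValueError:
                pass  # e.g. 999.1.1.1 matches the pattern but is not a valid address

    if detection_fields:
        udm["security_result.detection_fields"] = detection_fields
    return udm
```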