Change log for CIPHERTRUST_MANAGER
| Date | Changes |
|---|---|
| 2025-10-13 | - Added a new Grok pattern to support a new format of SYSLOG logs.<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped the `details.errorMessage` raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `uid` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `sev` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.metadata.product_name`: Newly mapped the `product_name` raw log field to the `event.idm.read_only_udm.metadata.product_name` UDM field.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `event_time` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2025-09-16 | - `event.idm.read_only_udm.additional.fields`: Newly mapped the `details.format`, `details.requestIdentifier`, `details.requestIdentifierType`, `details.version`, `details.app_connector_type`, `details.meta`, `details.interfaceName`, `details.interfaceType`, and `service` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.port`: Newly mapped the `details.port` raw log field to the `event.idm.read_only_udm.target.port` UDM field.<br>- Added a conditional check on the `cef_message` field: the logic that populates `event.idm.read_only_udm.principal.user.userid` now also executes if `cef_message` contains "Export Key".<br>- Added a conditional check on the `message` field: if `message` is "SSL Handshake failed", "Terminating KMIP Connection", "ADPReadClientProfile", or "Update License Usage", `client_ip` is mapped to `event.idm.read_only_udm.principal.ip`; otherwise, `client_ip` is mapped to `event.idm.read_only_udm.src.ip`.<br>- `event.idm.read_only_udm.metadata.event_type`: If `message` is "SSL Handshake failed" or "Terminating KMIP Connection", updated to `NETWORK_CONNECTION`.<br>- `event.idm.read_only_udm.metadata.event_type`: If `message` is "ADPReadClientProfile" or "Reject access", updated to `USER_RESOURCE_ACCESS`.<br>- `event.idm.read_only_udm.metadata.event_type`: If `message` is "Export Key", updated to `USER_RESOURCE_UPDATE_CONTENT`.<br>- Updated Grok patterns to support new log formats. |
| 2025-04-23 | - Added a Grok pattern to parse the previously unparsed logs.<br>- Added a gsub to parse the previously unparsed logs.<br>- `event.idm.read_only_udm.src.user.product_object_id`: Newly mapped the `cust_client_id` raw log field to the `event.idm.read_only_udm.src.user.product_object_id` UDM field.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `user_id` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- Added a `has_user` flag as a conditional check on the `user_id` raw log field to populate the `USER_UNCATEGORIZED` event_type.<br>- `event.idm.read_only_udm.target.application`: Newly mapped the `service_name` raw log field to the `event.idm.read_only_udm.target.application` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `record_type_id`, `details.aliases`, `details_algorithm`, `details_assignSelfAsOwner`, `details_emptyMaterial`, `details_feature`, `details_undeletable`, `details_unexportable`, `details_xts`, `details_padded`, `details_generateKeyId`, `details_id`, `details_objectType`, and `details_ownerId` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `details_name`, `details_uri`, and `details_usageMask` raw log fields to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.target.file.size`: Newly mapped the `details.size` raw log field to the `event.idm.read_only_udm.target.file.size` UDM field.<br>- Added a gsub to map the `principal` raw log field to `log_principal`.<br>- `event.idm.read_only_udm.additional.fields`: Mapped the `details.label`, `details.domain`, `details.switch_domain_id`, `details.user_id`, `details.refresh_token_id`, `details.renew_refresh_token`, `details.user_metadata_current_persistedData`, `details.refresh_token_counts.labels`, `details_scope`, `details.refresh_token_counts.no_label`, `details.refresh_token_counts.total`, `details.user_metadata.current_domain.id`, `details.user_metadata.current_domain.name`, `details.meta.permissions`, `details.meta.ownerId`, `details.meta.customAttributes`, `details.errorMessage`, `details.zone_id`, `details.client_type`, `details.grant_type`, `details.client_name`, `details.username`, `details.idType`, `details.identifier`, `details.client_id`, `details.auth_domain`, `details.connection`, `details.userid`, `details.codeDesc`, `details.code`, and `details.Internal` raw log fields, through a third variable, to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `prev_msg` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped the `severity` raw log field to the `event.idm.read_only_udm.security_result.severity_details` UDM field.<br>- `event.idm.read_only_udm.security_result.action`: Newly mapped the `success` raw log field to the `event.idm.read_only_udm.security_result.action` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `details.usage` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2024-06-24 | Newly created parser. |