Change log for CISCO_SECURE_ACCESS

Date	Changes
2025-10-21	- Newly Created Parser: - `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `column2`, `column3`, `column7` raw log fields with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM field. - `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `column4`, `column10`, `column15` raw log fields with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field. - `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped `column5`, `column16`, `column22` raw log fields with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM field. - `event.idm.read_only_udm.principal.user.userid`: Newly mapped `column7`, `column43` raw log fields with `event.idm.read_only_udm.principal.user.userid` UDM field. - `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `column1` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `column6`, `column8`, `column9`, `column10`, `column11`, `column13`, `column14`, `column16`, `column17`, `column18`, `column19`, `column23`, `column24`, `column25`, `column27`, `column28`, `column29`, `column32`, `column36`, `column42`, `column44`, `column46`, `column47`, `column48`, `column49`, `column50`, `column51`, `column52`, `column53`, `column54`, raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.network.sent_bytes`: Newly mapped `column12` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field. - `event.idm.read_only_udm.network.received_bytes`: Newly mapped `column15` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field. - `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `column2` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field. - `event.idm.read_only_udm.network.session_id`: Newly mapped `column20` raw log field with `event.idm.read_only_udm.network.session_id` UDM field. - `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `column5`, `column21` raw log fields with `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM field. - `event.idm.read_only_udm.target.port`: Newly mapped `column33` raw log field with `event.idm.read_only_udm.target.port` UDM field. - `event.idm.read_only_udm.network.ip_protocol`: Newly mapped `column34` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM field. - `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `column26` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `column3` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field. - `event.idm.read_only_udm.principal.asset.software`: Newly mapped `column30` raw log field with `event.idm.read_only_udm.principal.asset.software` UDM field. - `event.idm.read_only_udm.principal.asset.product_object_id`: Newly mapped `column31` raw log field with `event.idm.read_only_udm.principal.asset.product_object_id` UDM field. - `event.idm.read_only_udm.network.application_protocol`: Newly mapped `column35` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field. - `event.idm.read_only_udm.principal.user.group_identifiers`: Newly mapped `column4` raw log field with `event.idm.read_only_udm.principal.user.group_identifiers` UDM field. - `event.idm.read_only_udm.principal.process.pid`: Newly mapped `column40` raw log field with `event.idm.read_only_udm.principal.process.pid` UDM field. - `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped `column41` raw log field with `event.idm.read_only_udm.principal.process.file.full_path` UDM field. - `event.idm.read_only_udm.intermediary`: Newly mapped `column57` raw log field with `event.idm.read_only_udm.intermediary` UDM field. - `event.idm.read_only_udm.principal.platform_version`: Newly mapped `column7` raw log field with `event.idm.read_only_udm.principal.platform_version` UDM field. - `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `column56` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field. - `event.idm.read_only_udm.security_result.action`: Newly mapped `column6` raw log field with `event.idm.read_only_udm.security_result.action` UDM field. - `event.idm.read_only_udm.metadata.event_type`: If `auth_event` is true, updated to "USER_LOGIN". - `event.idm.read_only_udm.metadata.event_type`: If `has_principal` is true and `has_target` is true, updated to "NETWORK_CONNECTION". - `event.idm.read_only_udm.metadata.event_type`: If `has_principal` is true, updated to "STATUS_UPDATE". - `event.idm.read_only_udm.metadata.event_type`: If `has_user` is true, updated to "USER_UNCATEGORIZED". - `event.idm.read_only_udm.metadata.event_type`: If none of the above conditions are met, updated to "GENERIC_EVENT". - `event.idm.read_only_udm.principal.user.windows_sid`: Newly mapped `column45` raw log field with `event.idm.read_only_udm.principal.user.windows_sid` UDM field. - `event.idm.read_only_udm.principal.application`: Newly mapped `column12` raw log field with `event.idm.read_only_udm.principal.application` UDM field.

Date

Changes

2025-10-21

- Newly Created Parser:
- `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `column2`, `column3`, `column7` raw log fields with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `column4`, `column10`, `column15` raw log fields with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field.
- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped `column5`, `column16`, `column22` raw log fields with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `column7`, `column43` raw log fields with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `column1` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `column6`, `column8`, `column9`, `column10`, `column11`, `column13`, `column14`, `column16`, `column17`, `column18`, `column19`, `column23`, `column24`, `column25`, `column27`, `column28`, `column29`, `column32`, `column36`, `column42`, `column44`, `column46`, `column47`, `column48`, `column49`, `column50`, `column51`, `column52`, `column53`, `column54`, raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped `column12` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- `event.idm.read_only_udm.network.received_bytes`: Newly mapped `column15` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field.
- `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `column2` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.
- `event.idm.read_only_udm.network.session_id`: Newly mapped `column20` raw log field with `event.idm.read_only_udm.network.session_id` UDM field.
- `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `column5`, `column21` raw log fields with `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM field.
- `event.idm.read_only_udm.target.port`: Newly mapped `column33` raw log field with `event.idm.read_only_udm.target.port` UDM field.
- `event.idm.read_only_udm.network.ip_protocol`: Newly mapped `column34` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM field.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `column26` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `column3` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- `event.idm.read_only_udm.principal.asset.software`: Newly mapped `column30` raw log field with `event.idm.read_only_udm.principal.asset.software` UDM field.
- `event.idm.read_only_udm.principal.asset.product_object_id`: Newly mapped `column31` raw log field with `event.idm.read_only_udm.principal.asset.product_object_id` UDM field.
- `event.idm.read_only_udm.network.application_protocol`: Newly mapped `column35` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field.
- `event.idm.read_only_udm.principal.user.group_identifiers`: Newly mapped `column4` raw log field with `event.idm.read_only_udm.principal.user.group_identifiers` UDM field.
- `event.idm.read_only_udm.principal.process.pid`: Newly mapped `column40` raw log field with `event.idm.read_only_udm.principal.process.pid` UDM field.
- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped `column41` raw log field with `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
- `event.idm.read_only_udm.intermediary`: Newly mapped `column57` raw log field with `event.idm.read_only_udm.intermediary` UDM field.
- `event.idm.read_only_udm.principal.platform_version`: Newly mapped `column7` raw log field with `event.idm.read_only_udm.principal.platform_version` UDM field.
- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `column56` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field.
- `event.idm.read_only_udm.security_result.action`: Newly mapped `column6` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: If `auth_event` is true, updated to "USER_LOGIN".
- `event.idm.read_only_udm.metadata.event_type`: If `has_principal` is true and `has_target` is true, updated to "NETWORK_CONNECTION".
- `event.idm.read_only_udm.metadata.event_type`: If `has_principal` is true, updated to "STATUS_UPDATE".
- `event.idm.read_only_udm.metadata.event_type`: If `has_user` is true, updated to "USER_UNCATEGORIZED".
- `event.idm.read_only_udm.metadata.event_type`: If none of the above conditions are met, updated to "GENERIC_EVENT".
- `event.idm.read_only_udm.principal.user.windows_sid`: Newly mapped `column45` raw log field with `event.idm.read_only_udm.principal.user.windows_sid` UDM field.
- `event.idm.read_only_udm.principal.application`: Newly mapped `column12` raw log field with `event.idm.read_only_udm.principal.application` UDM field.