Change log for CLAROTY_CTD
| Date | Changes |
|---|---|
| 2026-01-20 | - Added grok patterns to extract fields. - `event.idm.read_only_udm.principal.user.userid`: Newly mapped `user1` field with `event.idm.read_only_udm.principal.user.userid` UDM field. - `event.idm.read_only_udm.target.user.userid`: Newly mapped `user2` field with `event.idm.read_only_udm.target.user.userid` UDM field. - `event.idm.read_only_udm.target.hostname`: Newly mapped `server` field with `event.idm.read_only_udm.target.hostname` UDM field. - `event.idm.read_only_udm.network.session_id`: Newly mapped `session_id` field with `event.idm.read_only_udm.network.session_id` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `cn3Label` and `cn3` fields with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `update_values` field with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `groups` field with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `site` and `site_id` fields with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `disk_space_threshold_percent`, `partition`, `disk_usage_percent`, `disk_free_space`, `asset_name` and `type` fields with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.metadata.event_type`: If `has_principal_user` is true and `msg` contains "disconnected the server", "logged off" or "disconnected", updated to `USER_LOGOUT`. - `event.idm.read_only_udm.metadata.event_type`: If `has_principal_user` is true and `has_target_user` is true and `msg` contains "added user", updated to `GROUP_MODIFICATION`. - `event.idm.read_only_udm.metadata.event_type`: If `has_principal_user` is true or `has_target_user` is true, updated to `USER_UNCATEGORIZED`. |
| 2025-12-18 | - `event.idm.read_only_udm.metadata.event_timestamp`: Changed mapping for `event.idm.read_only_udm.metadata.event_timestamp` UDM field from `start` to `timestamp` (syslog header timestamp). - `event.idm.read_only_udm.metadata.event_timestamp`: Removed mapping of `start` from `event.idm.read_only_udm.metadata.event_timestamp` UDM field because the difference between the event and ingested timestamps should be minimal, with only a delay of a few seconds as expected. - `event.idm.read_only_udm.additional.fields`: Mapped `start` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.metadata.event_type`: If `ctdeventtype` is `Online Edit` AND `has_principal_device` is true AND `shost` is empty AND `smac` is empty, the event type is updated to `DEVICE_CONFIG_UPDATE`. - The raw field `rt` is now used as a fallback to populate `event.idm.read_only_udm.metadata.event_timestamp` if the `timestamp` field is not available. |
| 2025-11-20 | - Added a grok pattern to parse `logging_device_name` and mapped it to `intermediary.hostname`. - `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `CtdAlertsAreCreated`, `CtdScheduledBackups`, `CtdLicense`, `CtdCriticalServices` and `CtdInterfacesBitRate` raw log fields with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. |
| 2025-10-09 | - `event.idm.read_only_udm.additional.fields`: Newly mapped `cn2` and `cn2Label` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-06-18 | - Added `threat_name` to state data by defining and initializing it at the beginning of the code. |
| 2024-12-04 | - Added additional mappings for logs when `eventclass` is "Event", "Alert", "HealthCheck" or "Insight". |
| 2024-11-13 | - Added Grok patterns to parse the hostname and the IP address from the syslog header and map them to `observer.hostname` and `observer.ip` respectively. - Added support for unparsed logs. |
| 2024-10-07 | - Added support to parse the new format of unparsed KV logs. |
| 2024-08-28 | - Newly created parser. |
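The event-type and timestamp rules recorded in the 2026-01-20 and 2025-12-18 entries, as an added Python example that is not the parser's own code. It assumes the raw fields have already been extracted into a dict, and that the more specific rules take precedence over the `USER_UNCATEGORIZED` catch-all (the log lists the rules without stating their order, so that precedence is an assumption).

```python
from typing import Optional

# Phrases in `msg` that the 2026-01-20 entry maps to USER_LOGOUT
LOGOUT_MARKERS = ("disconnected the server", "logged off", "disconnected")


def derive_event_type(fields: dict) -> Optional[str]:
    """Apply the change-log event_type rules to one parsed record.

    Assumed precedence: DEVICE_CONFIG_UPDATE, USER_LOGOUT, GROUP_MODIFICATION,
    then the USER_UNCATEGORIZED fallback. None means no rule here applied.
    """
    msg = (fields.get("msg") or "").lower()
    has_p_user = bool(fields.get("has_principal_user"))
    has_t_user = bool(fields.get("has_target_user"))

    # 2025-12-18: "Online Edit" with a principal device but empty shost and smac
    if (fields.get("ctdeventtype") == "Online Edit"
            and fields.get("has_principal_device")
            and not fields.get("shost") and not fields.get("smac")):
        return "DEVICE_CONFIG_UPDATE"
    # 2026-01-20: principal user plus logout wording in msg
    if has_p_user and any(marker in msg for marker in LOGOUT_MARKERS):
        return "USER_LOGOUT"
    # 2026-01-20: principal and target user plus "added user" in msg
    if has_p_user and has_t_user and "added user" in msg:
        return "GROUP_MODIFICATION"
    # 2026-01-20: any other record that carries a principal or target user
    if has_p_user or has_t_user:
        return "USER_UNCATEGORIZED"
    return None


def derive_event_timestamp(fields: dict) -> Optional[str]:
    """2025-12-18: syslog header `timestamp` first, raw `rt` as the fallback.

    `start` is deliberately not consulted; it now lands in additional.fields.
    """
    return fields.get("timestamp") or fields.get("rt")


# Constructed sample records (not real Claroty CTD output)
SAMPLE_RECORDS = [
    {"has_principal_user": True, "msg": "user1 logged off", "timestamp": "2026-01-20T10:00:00Z"},
    {"has_principal_user": True, "has_target_user": True, "msg": "added user user2 to group ops", "rt": "1768903200000"},
    {"ctdeventtype": "Online Edit", "has_principal_device": True, "shost": "", "smac": "", "timestamp": "2026-01-20T10:01:00Z"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(derive_event_type(rec), derive_event_timestamp(rec))
```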