Change log for CLAROTY_XDOME
| Date | Changes |
|---|---|
| 2025-10-10 | Enhancement:<br>- `event.idm.read_only_udm.security_result.confidence_score`: Newly mapped the `alert_info_signature_confidence` and `evnt_extra_info_ids_signature_info_signature_confidence` raw log fields to the `event.idm.read_only_udm.security_result.confidence_score` UDM field.<br>- Modified the value of `event.idm.read_only_udm.metadata.product_name` from `CLAROTY_XDOME` to `xDome`.<br>- Modified the value of `event.idm.read_only_udm.metadata.vendor_name` from `CLAROTY_XDOME` to `Claroty`.<br>- `event.idm.read_only_udm.security_result.rule_version`: Newly mapped the `evnt_extra_info.ids_signature_info.signature_active_rev` and `alert_info_signature_active_rev` raw log fields to the `event.idm.read_only_udm.security_result.rule_version` UDM field.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped the `evnt_extra_info.ids_signature_info.signature_severity_description` and `alert_info.signature_severity_description` raw log fields to the `event.idm.read_only_udm.security_result.severity` UDM field.<br>- `event.idm.read_only_udm.principal.location.city`: Newly mapped the `evnt_extra_info.geo_location` raw log field to the `event.idm.read_only_udm.principal.location.city` UDM field.<br>- `event.idm.read_only_udm.network.ip_protocol`: Newly mapped the `evnt_extra_info.ip_protocol` raw log field to the `event.idm.read_only_udm.network.ip_protocol` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `affected_device.management_status`, `affected_device.note`, `evnt_extra_info.domain`, `evnt_extra_info.src_domain`, `evnt_extra_info.src_geo_location`, `evnt_extra_info.ids_signature_info.signature_powered_by`, `evnt_extra_info.other_device`, `alert.note` and `affected_device.labels` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `alert_info.signature_severity_description`, `evnt_extra_info.ids_signature_info.signature_first_released`, `evnt_extra_info.ids_signature_info.signature_last_updated`, `evnt_extra_info.ids_signature_info.signature_last_updated_by_system` and `alert.name` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-09-05 | - `event.idm.read_only_udm.alert_info.signature_name`: Newly mapped the `rule_name` raw log field to the `event.idm.read_only_udm.alert_info.signature_name` UDM field.<br>- `event.idm.read_only_udm.alert_info.signature_severity`: Newly mapped the `risk_severity` raw log field to the `event.idm.read_only_udm.alert_info.signature_severity` UDM field. |
| 2025-08-12 | - Newly added a `gsub` for the `message` field so that logs are parsed correctly.<br>- `event.idm.read_only_udm.principal.asset.attribute.labels`: Newly mapped the `affected_device.retired` raw log field to the `event.idm.read_only_udm.principal.asset.attribute.labels` UDM field.<br>- Corrected the mapping for the `vulnerability_info.name` raw log field and mapped it to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip` and `event.idm.read_only_udm.principal.ip`: Newly mapped the `management_ip` raw log field to the `event.idm.read_only_udm.principal.asset.ip` and `event.idm.read_only_udm.principal.ip` UDM fields.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `time` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2025-07-31 | - `event.idm.read_only_udm.security_result.rule_id`: Removed the `alert_id` raw log field from the `event.idm.read_only_udm.security_result.rule_id` UDM field, because `alert_id` is a unique identifier for the alert and is not a rule identifier.<br>- `event.idm.read_only_udm.additional.fields`: Mapped the `alert_id` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Removed the mapping for `attack data` from the `event.idm.read_only_udm.additional.fields` UDM field, because the `security_result.attack_details` field is specifically designed to store details about an attack.<br>- `event.idm.read_only_udm.security_result.attack_details`: Mapped the `attack data` raw log field to the `event.idm.read_only_udm.security_result.attack_details` UDM field.<br>- `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: Removed the mapping for `observer_hostname` from the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields, because it incorrectly associated the observer's information with the principal.<br>- `event.idm.read_only_udm.observer.hostname`: Mapped the `observer_hostname` raw log field to the `event.idm.read_only_udm.observer.hostname` UDM field.<br>- Changed `event.idm.read_only_udm.metadata.product_event_type` to include both the `type` and `category` raw log fields.<br>- Used `SCAN_VULN_HOST` as the event type for the `vulnerability_affected_device` product event type.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Removed the `Vulnerabilities` raw log field from the `event.idm.read_only_udm.security_result.detection_fields` UDM field, because it contains detailed vulnerability information.<br>- `event.idm.read_only_udm.extensions.vulns.vulnerabilities`: Mapped the `vulnerabilities` raw log field to the `event.idm.read_only_udm.extensions.vulns.vulnerabilities` UDM field.<br>- Renamed the `host` field to `observer_hostname` in order to populate the `observer` UDM object.<br>- `event.idm.read_only_udm.principal.user.userid`: Removed the mapping of the `client_id` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field, because `client_id` is not a user ID.<br>- `event.idm.read_only_udm.target.asset.asset_id`: Mapped the `client_id` raw log field to the `event.idm.read_only_udm.target.asset.asset_id` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Removed the mapping of the `device_asset_id` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field, because it refers to the asset that performed the action.<br>- `event.idm.read_only_udm.principal.asset.asset_id`: Mapped the `device_asset_id` raw log field to the `event.idm.read_only_udm.principal.asset.asset_id` UDM field.<br>- Improved the logic for application protocol and IP address handling using libraries.<br>- Extracted signature information from nested JSON into `security_result.rule_name` and `security_result.rule_id`. |
| 2025-01-29 | - Newly created parser. |