Change log for CLOUDFLARE_AUDIT
| Date | Changes |
|---|---|
| 2026-12-01 | Enhancement:<br>- Modified the condition to set the event type as USER_RESOURCE_UPDATE_CONTENT only when principal user id or principal email is present.<br>- Modified the condition to set the event type as USER_RESOURCE_ACCESS only when principal user id and principal machine data are present.<br>- event.idm.read_only_udm.metadata.event_type: Newly mapped to STATUS_UPDATE when principal machine data is present. |
| 2023-11-27 | Enhancement:<br>- Added a Grok pattern to match the new log format.<br>- Mapped "ResourceID" to "target.resource.product_object_id".<br>- Mapped "metainfo_zone_name" to "principal.hostname".<br>- Mapped "metainfo_user_id" to "principal.user.userid".<br>- Mapped "metainfo_user_email" to "principal.user.email".<br>- Mapped "metainfo_user_tag" to "principal.user.product_object_id".<br>- Mapped "metainfo" fields to "security_result.detection_fields".<br>- Mapped "newvalue_session_id" to "network.session_id".<br>- Mapped "NewValue" to "security_result.detection_fields".<br>- Mapped "OldValue" to "security_result.detection_fields".<br>- If "ActorID" is present, set "metadata.event_type" to "USER_RESOURCE_ACCESS". |
| 2023-07-09 | New parser created. |