Change log for CS_ALERTS
| Date | Changes |
|---|---|
| 2025-11-14 | - security_result.severity: Updated the logic for mapping the `security_result.severity` UDM field based on the `incident.score` value when that field is available in the raw log.<br>- Revised logic for populating the `security_result.severity` UDM field from the value ranges of the raw log field `incident.score`: 80-100: CRITICAL; 60-79: HIGH; 40-59: MEDIUM; 20-39: LOW; 0-19: INFORMATIONAL. |
| 2025-10-28 | - additional.fields[is_closed]: Newly mapped `is_closed` raw log field with `additional.fields[is_closed]` UDM field.<br>- security_result.detection_fields[lead_id]: Newly mapped `lead_id` raw log field with `security_result.detection_fields[lead_id]` UDM field.<br>- security_result.detection_fields[lead_type]: Newly mapped `lead_type` raw log field with `security_result.detection_fields[lead_type]` UDM field.<br>- security_result.confidence_score: Newly mapped `score` raw log field with `security_result.confidence_score` UDM field.<br>- security_result.detection_fields[signal_start_timestamp]: Newly mapped `signal_start_timestamp` raw log field enum value with `security_result.detection_fields[signal_start_timestamp]` UDM field.<br>- security_result.detection_fields[signal_end_timestamp]: Newly mapped `signal_end_timestamp` raw log field enum value with `security_result.detection_fields[signal_end_timestamp]` UDM field.<br>- security_result.detection_fields[signal_updated_timestamp]: Newly mapped `signal_updated_timestamp` raw log field enum value with `security_result.detection_fields[signal_updated_timestamp]` UDM field.<br>- Enhanced the parser to parse the `mitre_attack` raw log field. |
| 2025-10-27 | - Added support for new product alerts: `automated-lead-context`, `automated-lead`, `thirdparty`.<br>- The following mappings are updated to map more fields more accurately:<br>- target.process.command_line: Removed mapping of `cmdline` from `target.process.command_line` UDM field and mapped `reconstructed_command_line` instead.<br>- security_result.detection_fields[cmdline]: Newly mapped `cmdline` raw log field with `security_result.detection_fields[cmdline]` UDM field when the `reconstructed_command_line` raw log field is not empty.<br>- security_result.about.hostname: Removed mapping of `host_names` first index value from `security_result.about.hostname` UDM field for thirdparty product alerts.<br>- principal.hostname: Newly mapped `host_names` first index value with `principal.hostname` UDM field for thirdparty product alerts. |
| 2025-10-10 | - security_result.detection_fields[anomalous_ticket_content_classification]: Newly mapped `anomalous_ticket_content_classification` raw log field enum value with `security_result.detection_fields[anomalous_ticket_content_classification]` UDM field.<br>- security_result.detection_fields[isp_classification]: Newly mapped `isp_classification` raw log field enum value with `security_result.detection_fields[isp_classification]` UDM field.<br>- security_result.detection_fields[ldap_search_query_attack]: Newly mapped `ldap_search_query_attack` raw log field enum value with `security_result.detection_fields[ldap_search_query_attack]` UDM field.<br>- security_result.detection_fields[model_anomaly_indicators]: Newly mapped `model_anomaly_indicators` raw log field enum value with `security_result.detection_fields[model_anomaly_indicators]` UDM field.<br>- security_result.detection_fields[protocol_anomaly_classification]: Newly mapped `protocol_anomaly_classification` raw log field enum value with `security_result.detection_fields[protocol_anomaly_classification]` UDM field.<br>- security_result.detection_fields[rpc_op_classification]: Newly mapped `rpc_op_classification` raw log field enum value with `security_result.detection_fields[rpc_op_classification]` UDM field.<br>- security_result.detection_fields[suspicious_machine_account_alteration_type]: Newly mapped `suspicious_machine_account_alteration_type` raw log field enum value with `security_result.detection_fields[suspicious_machine_account_alteration_type]` UDM field. |
| 2025-09-29 | Updated field mapping for `incident.score`, `severity` and `severity_name` to map more accurately.<br>- security_result.severity_details: Removed mapping of `severity` from `security_result.severity_details` UDM field and mapped `incident.score` field instead.<br>- security_result.severity: Removed mapping of `severity_name` from `security_result.severity` UDM field and mapped `incident.score` field ranges 0-10 instead.<br>- security_result.detection_fields[score]: Removed mapping of `incident.score` from `security_result.detection_fields[score]` UDM field and mapped `severity` instead. It is mapped only when `incident.score` is available in the log. |
| 2025-09-19 | - This is a new Premium version of the CS_ALERTS parser.<br>- For the configuration details and the list of mappings that changed compared to the existing default parser, see the parser documentation page https://cloud.google.com/chronicle/docs/ingestion/default-parsers/cs-edr#udm-mapping-delta-cs-alerts |
| 2025-08-26 | Changed existing mappings to introduce more accurate mappings for `target.process.command_line`, `target.file.full_path` and `target.file.sha256` for the EPP product and OFP type.<br>- target.process.command_line: Removed mapping of `cmdline` from `target.process.command_line` UDM field when `macros.cmdline` raw log field is not empty.<br>- security_result.detection_fields[cmdline]: Mapped `cmdline` raw log field with `security_result.detection_fields[cmdline]` UDM field when `macros.cmdline` raw log field is not empty.<br>- target.process.command_line: Newly mapped `macros.cmdline` raw log field with `target.process.command_line` UDM field.<br>- target.file.full_path: Removed mapping of `filepath` from `target.file.full_path` UDM field when `macros.ioc_description` raw log field is not empty.<br>- security_result.detection_fields[filepath]: Mapped `filepath` raw log field with `security_result.detection_fields[filepath]` UDM field when `macros.ioc_description` raw log field is not empty.<br>- target.file.full_path: Newly mapped `macros.ioc_description` raw log field with `target.file.full_path` UDM field.<br>- target.file.sha256: Removed mapping of `sha256` from `target.file.sha256` UDM field when `macros.ioc_value` raw log field is not empty and `macros.ioc_type` is equal to `hash_sha256`.<br>- security_result.detection_fields[sha256]: Mapped `sha256` raw log field with `security_result.detection_fields[sha256]` UDM field when `macros.ioc_value` raw log field is not empty and `macros.ioc_type` is equal to `hash_sha256`.<br>- target.file.sha256: Newly mapped `macros.ioc_value` raw log field with `target.file.sha256` UDM field when `macros.ioc_type` is equal to `hash_sha256`.<br>- security_result.detection_fields[macros_display_name]: Newly mapped `macros.display_name` raw log field with `security_result.detection_fields[macros_display_name]` UDM field.<br>- security_result.detection_fields[macros_ioc_source]: Newly mapped `macros.ioc_source` raw log field with `security_result.detection_fields[macros_ioc_source]` UDM field.<br>- security_result.detection_fields[macros_md5]: Newly mapped `macros.md5` raw log field with `security_result.detection_fields[macros_md5]` UDM field when `macros.md5` raw log field is not equal to `N/A`.<br>- security_result.detection_fields[macros_sha256]: Newly mapped `macros.sha256` raw log field with `security_result.detection_fields[macros_sha256]` UDM field.<br>- security_result.detection_fields[macros_type]: Newly mapped `macros.type` raw log field with `security_result.detection_fields[macros_type]` UDM field.<br>- security_result.detection_fields: Newly mapped `macros.ioc_type` raw log field with `security_result.detection_fields.key` UDM field and `macros.ioc_value` raw log field with `security_result.detection_fields.value` UDM field. |
| 2025-08-14 | Changed existing mappings to introduce more accurate mappings for `security_result.rule_id` and `security_result.rule_name` for the CWPP, MOBILE and OVERWATCH products.<br>- security_result.rule_id: Removed mapping of `technique_id` from `security_result.rule_id` UDM field and mapped `pattern_id` instead for `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.rule_name: Removed mapping of `technique` from `security_result.rule_name` UDM field and mapped `name` instead for `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.detection_fields[pattern_id]: Removed mapping of `pattern_id` from `security_result.detection_fields[pattern_id]` UDM field for `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.detection_fields[name]: Removed mapping of `name` from `security_result.detection_fields[name]` UDM field for `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.detection_fields[xdr_rule_id]: Removed mapping of `xdr_rule_id` from `security_result.detection_fields[xdr_rule_id]` UDM field for `XDR` product. |
| 2025-08-08 | Changed existing mappings to introduce more accurate mappings for `security_result.rule_id` and `security_result.rule_name` for the XDR, IDP, NGSIEM and EPP products.<br>- security_result.rule_id: Removed mapping of `technique_id` from `security_result.rule_id` UDM field and mapped `xdr_rule_id` instead for `XDR` product.<br>- security_result.rule_id: Removed mapping of `technique_id` from `security_result.rule_id` UDM field and mapped `correlation_rule_id` instead for `NGSIEM` product.<br>- security_result.rule_id: Removed mapping of `technique_id` from `security_result.rule_id` UDM field and mapped `pattern_id` instead for `IDP` product.<br>- security_result.rule_id: Removed mapping of `technique_id` from `security_result.rule_id` UDM field and mapped `rule_instance_id` if not empty, otherwise `pattern_id`, instead for `EPP` product.<br>- security_result.rule_name: Removed mapping of `technique` from `security_result.rule_name` UDM field and mapped `name` instead for `EPP`, `NGSIEM`, `XDR` and `IDP` products.<br>- security_result.detection_fields[pattern_id]: Removed mapping of `pattern_id` from `security_result.detection_fields[pattern_id]` UDM field for `IDP` product.<br>- security_result.detection_fields[pattern_id]: Removed mapping of `pattern_id` from `security_result.detection_fields[pattern_id]` UDM field for `EPP` product when `rule_instance_id` field is not present.<br>- security_result.detection_fields[name]: Removed mapping of `name` from `security_result.detection_fields[name]` UDM field for `EPP`, `NGSIEM`, `XDR` and `IDP` products. |
| 2025-06-27 | - Enhanced the parser to parse the `host_type` raw log field. |
| 2025-05-20 | - metadata.product_event_type: Newly mapped `product` raw log field with `metadata.product_event_type` UDM field. |
| 2025-05-08 | - Newly created CS_ALERTS parser. |