Change log for CYOLO_OT
| Date | Changes |
|---|---|
| 2025-10-14 | Enhancement:
- Added support for new log format. - `event.idm.read_only_udm.security_result.outcome`: Newly mapped `result` to `event.idm.read_only_udm.security_result.outcome` and `event.idm.read_only_udm.security_result.action`. - `event.idm.read_only_udm.principal.user.attribute.labels`: Newly mapped `credentials_origin`, `credentials_id`, and `credentials_name` to `event.idm.read_only_udm.principal.user.attribute.labels`. - `event.idm.read_only_udm.target.asset.asset_id`: Newly mapped `asset_id` to `event.idm.read_only_udm.target.asset.asset_id`. - `event.idm.read_only_udm.target.asset.product_object_id`: Newly Mapped `asset_name` to `event.idm.read_only_udm.target.asset.product_object_id`. - `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `id` raw log field(s) with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - `event.idm.read_only_udm.principal.ip`: Newly mapped `remote_address` raw log field(s) with `event.idm.read_only_udm.principal.ip` UDM field. - `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `remote_address` raw log field(s) with `event.idm.read_only_udm.principal.asset.ip` UDM field. - `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `country_code` raw log field(s) with `event.idm.read_only_udm.principal.location.country_or_region` UDM field. - `event.idm.read_only_udm.target.hostname`: Newly mapped `destination_host` raw log field(s) with `event.idm.read_only_udm.target.hostname` UDM field. - `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `destination_host` raw log field(s) with `event.idm.read_only_udm.target.asset.hostname` UDM field. - `event.idm.read_only_udm.target.port`: Newly mapped `destination_port` raw log field(s) with `event.idm.read_only_udm.target.port` UDM field. - `event.idm.read_only_udm.metadata.description`: Newly mapped `message` raw log field(s) with `event.idm.read_only_udm.metadata.description` UDM field. - `event.idm.read_only_udm.principal.user.userid`: Newly mapped `subject_name` raw log field(s) with `event.idm.read_only_udm.principal.user.userid` UDM field. - `event.idm.read_only_udm.principal.user.product_object_id`: Newly mapped `subject_id` raw log field(s) with `event.idm.read_only_udm.principal.user.product_object_id` UDM field. - `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `timestamp` raw log field(s) with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - `event.idm.read_only_udm.target.application`: Newly mapped `object_name` raw log field(s) with `event.idm.read_only_udm.target.application` UDM field. - `event.idm.read_only_udm.target.resource.product_object_id`: Newly mapped `object_id` raw log field(s) with `event.idm.read_only_udm.target.resource.product_object_id` UDM field. - `event.idm.read_only_udm.network.session_id`: Newly mapped `session_id` raw log field(s) with `event.idm.read_only_udm.network.session_id` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `duration_str` (from `message`), `subject_kind`, `authority_kind`, `log_level`, `object_kind` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `client` raw log field(s) with `event.idm.read_only_udm.network.http.user_agent` UDM field. - `event.idm.read_only_udm.network.http.parsed_user_agent`: Newly mapped `client` raw log field(s) with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field. - `event.idm.read_only_udm.security_result.rule_id`: Newly mapped `authority_id` raw log field(s) with `event.idm.read_only_udm.security_result.rule_id` UDM field. - `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `authority_name` raw log field(s) with `event.idm.read_only_udm.security_result.rule_name` UDM field. - `event.idm.read_only_udm.security_result.severity`: Newly mapped `severity` raw log field(s) with `event.idm.read_only_udm.security_result.severity` UDM field. - `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped fields from the `rules` array raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - `event.idm.read_only_udm.observer.hostname`: Newly mapped `hostname` raw log field(s) with `event.idm.read_only_udm.observer.hostname` UDM field. - `event.idm.read_only_udm.observer.resource.product_object_id`: Newly mapped `node_id` raw log field(s) with `event.idm.read_only_udm.observer.resource.product_object_id` UDM field. - `event.idm.read_only_udm.observer.resource.attribute.labels`: Newly mapped `site_id`, `log_source`, `site_name`, `container_id`, `transaction_id`, `event_id` raw log field(s) with `event.idm.read_only_udm.observer.resource.attribute.labels` UDM field. - `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `kind` raw log field(s) with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - `event.idm.read_only_udm.metadata.collected_timestamp`: Newly mapped `syslog_timestamp` raw log field(s) with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field. - `event.idm.read_only_udm.extensions.auth.type`: Newly mapped hardcoded value `MACHINE` with `event.idm.read_only_udm.extensions.auth.type` UDM field. - `event.idm.read_only_udm.network.application_protocol`: Newly mapped hardcoded value `RDP` with `event.idm.read_only_udm.network.application_protocol` UDM field. - Renamed from `observer` to `event.idm.read_only_udm.observer`. - Renamed from `network` to `event.idm.read_only_udm.network`. - `event.idm.read_only_udm.metadata.event_type`: If `message` contains `user disconnected` and `has_user` is `true`, updated to `USER_LOGOUT`. - Added a new grok pattern to support parsing for a new JSON-based log format in addition to the existing key-value format. |
| 2025-02-21 | - Newly created parser.
|