Change log for GITHUB

Date Changes
2025-09-22 Enhancement:
- event.idm.read_only_udm.target.user.email_addresses: Newly mapped `invitation.email` raw log field(s) with `event.idm.read_only_udm.target.user.email_addresses` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `invitation.created_at` raw log field(s) with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `invitation.id` raw log field(s) with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.target.url: Newly mapped `invitation.invitation_teams_url` raw log field(s) with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.target.user.attribute.roles: Newly mapped `invitation.role` raw log field(s) with `event.idm.read_only_udm.target.user.attribute.roles` UDM field.
- event.idm.read_only_udm.principal.user.product_object_id: Newly mapped `invitation.inviter.id` raw log field(s) with `event.idm.read_only_udm.principal.user.product_object_id` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `invitation.inviter.login` raw log field(s) with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.url: Newly mapped `invitation.inviter.html_url` raw log field(s) with `event.idm.read_only_udm.principal.url` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `invitation.login` raw log field(s) with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly mapped `invitation.inviter.url`, `invitation.inviter.avatar_url`, `invitation.inviter.type` raw log field(s) with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `organization.url`, `invitation.invitation_source`, `invitation.team_count`, `invitation.node_id`, `invitation.failed_at`, `invitation.failed_reason`, `invitation.inviter.url`, `invitation.inviter.avatar_url`, `invitation.inviter.type`, `invitation.inviter.events_url`, `invitation.inviter.followers_url`, `invitation.inviter.following_url`, `invitation.inviter.gists_url`, `invitation.inviter.gravatar_id`, `invitation.inviter.node_id`, `invitation.inviter.organizations_url`, `invitation.inviter.received_events_url`, `invitation.inviter.repos_url`, `invitation.inviter.site_admin`, `invitation.inviter.starred_url`, `invitation.inviter.subscriptions_url`, `invitation.inviter.user_view_type` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.
2025-09-05 Enhancement:
- Added new grok patterns for the `message` and `content` fields to parse additional log formats.
- Added a gsub mutation to replace `=>` with `=` in the `kv_data` field before Key-Value processing to ensure correct parsing.
- `event.idm.read_only_udm.target.resource.attribute.labels` : Newly mapped `job_type` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.additional.fields` : Newly mapped `metric` raw log field to `event.idm.read_only_udm.additional.fields` UDM field.
- Refactored the mapping of the `job_name`, `catalog_service` data field: The previous unconditional merge of `job_name`, `catalog_service` data field was removed and replaced with the conditional block described under "Dynamic Field Addition", now including error handling.
- `event.idm.read_only_udm.additional.fields` : Newly mapped `column7`, `column8` data fields to `event.idm.read_only_udm.additional.fields` UDM field when `process_type` data field is equal to `github_access` or `alambic_assets` or `alambic_avatars` values.
- `event.idm.read_only_udm.additional.fields` : Newly mapped `gc_duration`, `db_cached_queries`, `db_queries`, `activerecord_duration`, `views_duration` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.
2025-09-02 Enhancement:
- `event.idm.read_only_udm.target.user.user_display_name`: Newly mapped `membership.user.login` raw log field to `event.idm.read_only_udm.target.user.user_display_name`.
- `event.idm.read_only_udm.target.user.product_object_id`: Newly mapped `membership.user.id` raw log field to `event.idm.read_only_udm.target.user.product_object_id`.
- `event.idm.read_only_udm.target.user.title`: Newly mapped `membership.user.type` raw log field to `event.idm.read_only_udm.target.user.title`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `membership.url`, `membership.state`, `membership.role`, `membership.organization_url`, `membership.user.node_id`, `membership.user.html_url`, `membership.user.site_admin`, `membership.user.avatar_url`, `membership.user.url`, `membership.user.followers_url`, `membership.user.following_url`, `membership.user.gists_url`, `membership.user.starred_url`, `membership.user.subscriptions_url`, `membership.user.organizations_url`, `membership.user.repos_url`, `membership.user.events_url`, `membership.user.received_events_url`, `membership.user.user_view_type` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.
- Updated condition for adding repo label: value is added only if repo is not in ["", "nil"].
- Updated condition for adding device_cookie label: value is added only if device_cookie is not in ["", "nil"].
- Updated condition for mapping hashed_token: Mapped only if hashed_token is not in ["", "nil"].
- Updated condition for mapping user_session_id: Mapped only if user_session_id is not in ["", "nil"].
- Removed gsub transformation on the "message" field, so literal "nil" strings will no longer be replaced with empty strings during preprocessing.
2025-07-23 Enhancement:
- event.idm.read_only_udm.security_result.rule_labels: Newly Mapped "check_run.check_suite.app.permissions", "check_run.app.permissions", "check_suite.app.permissions", "comment.performed_via_github_app.permissions" raw log fields with "event.idm.read_only_udm.security_result.rule_labels" UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly Mapped "check_run.check_suite.app.owner", "check_run.head_sha", "check_run.check_suite.head_sha" raw log fields with "event.idm.read_only_udm.principal.resource.attribute.labels" UDM field.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly Mapped "issue.user","comment.user" raw log fields with "event.idm.read_only_udm.principal.user.attribute.labels" UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly Mapped "check_run.status","check_run.check_suite.status","check_run.check_suite.head_branch" raw log fields with "event.idm.read_only_udm.security_result.detection_fields" UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped "check_run.html_url", "check_run.details_url","check_run.url" raw log fields with "event.idm.read_only_udm.target.resource.attribute.labels" UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped "check_run.id","check_run.name","check_run.node_id","check_run.external_id","check_run.check_suite.node_id","check_run.check_suite.before","check_run.check_suite.after" raw log fields with "event.idm.read_only_udm.additional.fields" UDM field.
2025-05-27 Enhancement:
- event.idm.read_only_udm.additional.fields: Added support to parse unparsed `alert` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
2025-05-22 Enhancement:
- event.idm.read_only_udm.metadata.description: Newly Mapped `commit_message` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly Mapped the value `commit` to the `event.idm.read_only_udm.metadata.product_event_type` UDM field if the message contains `committer`.
- event.idm.read_only_udm.src.user.title: Newly Mapped `sender.type` raw log field with `event.idm.read_only_udm.src.user.title` UDM field.
- event.idm.read_only_udm.target.file.sha1: Newly Mapped `sha` raw log field with `event.idm.read_only_udm.target.file.sha1` UDM field.
- event.idm.read_only_udm.target.url: Newly Mapped `target_url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.security_result.description: Newly Mapped `description` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `avatar_url` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `context` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `commit_node_id` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `commit_committer_name` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.action_details: Newly Mapped `state` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `commit_committer_name` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.email: Newly Mapped `commit_committer_email` raw log field with `event.idm.read_only_udm.principal.email` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `commit_tree_sha` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `comment_count` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `html_url` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.summary: Newly Mapped `reason` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- event.idm.read_only_udm.principal.url: Newly Mapped `commit_url` raw log field with `event.idm.read_only_udm.principal.url` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `comments_url` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.user.user_display_name: Newly Mapped `commit_user_name` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly Mapped `commit_user_id` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.asset_id: Newly Mapped `principal.assetid` raw log field with `event.idm.read_only_udm.principal.asset_id` UDM field.
- event.idm.read_only_udm.src.user.user_display_name: Newly Mapped `sender_login` raw log field with `event.idm.read_only_udm.src.user.user_display_name` UDM field.
- event.idm.read_only_udm.src.user.product_object_id: Newly Mapped `sender_id` raw log field with `event.idm.read_only_udm.src.user.product_object_id` UDM field.
- event.idm.read_only_udm.src.asset_id: Newly Mapped `sender_assetid` raw log field with `event.idm.read_only_udm.src.asset_id` UDM field.
- event.idm.read_only_udm.src.url: Newly Mapped `sender_url` raw log field with `event.idm.read_only_udm.src.url` UDM field.
2025-05-16 Enhancement: Fixed flakiness issue caused by repetition of keys in additional fields by appending an index to each key and modifying redundant variable names.
2025-05-02 Enhancement:
- event.idm.read_only_udm.target.url: Newly mapped `alert.url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `alert.created_at`, `alert.html_url`, `alert.locations_url`, `alert.multi_repo`, `alert.number`, `alert.publicly_leaked`, `alert.push_protection_bypassed`, `alert.secret_type`, `alert.secret_type_display_name`, `alert.updated_at`, `alert.validity` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
2025-02-27 Enhancement:
- Mapped "repository_selection", "user_programmatic_access_name", and "permissions_added.*" to "additional.fields".
2025-02-20 Enhancement:
- If "external_identity_nameid" is present, then mapped "external_identity_nameid" to "principal.user.userid". Otherwise, mapped "actor_id" to "principal.user.userid".
2025-02-12 Enhancement:
- Mapped "new_repo_permission", "user", and "actor" to "additional.fields".
2025-02-11 Enhancement:
- Mapped "secret_type_display_name" to "additional.fields".
- Changed "metadata.vendor_name" mapping from "GITHUB" to "GitHub".
2025-01-24 Enhancement:
- Added support for new pattern of JSON logs.
2024-12-16 Enhancement:
- Changed mapping of "user" from "principal.user.user_display_name" to "target.user.user_display_name".
- Changed mapping of "actor" from "principal.user.userid" to "principal.user.user_display_name".
- Changed mapping of "actor_id" from "target.user.userid" to "principal.user.userid".
- Mapped "user_id" to "target.user.userid".
- Removed the Grok pattern of "external_identity_nameid" as it is not required.
2024-12-05 Enhancement:
- Mapped "push_protection_bypass_reason" to "security_result.detection_fields".
2024-11-14 Enhancement:
- Added support for new pattern of JSON logs.
2024-11-06 Enhancement:
- Mapped "actor" to "principal.resource.attribute.labels".
- Changed the mapping of "user" from "target.user.user_display_name" to "principal.user.user_display_name".
- Changed the mapping of "external_identity_nameid" from "target.user.email_addresses" to "principal.user.email_addresses".
- Changed the mapping of "userid" from "target.user.userid" to "principal.user.userid".
2024-09-18 Enhancement:
- Mapped "pull_request_url" to "target.url".
- Mapped "pull_request_title", "pull_request_id", and "previous_visibility" to "additional.fields".
2024-08-26 Enhancement:
- Mapped "explanation" to "additional.fields".
2024-08-13 Enhancement:
- Mapped "invitee_email" and "email" to "additional.fields".
2024-07-02 Enhancement:
- Fixed the mapping of "config_was".
- Changed the mapping of "admin_enforced" from "security_result.action" to "additional.fields".
- Mapped "required_status_checks_enforcement_level", "events_were" and "old_permission" to "additional.fields".
2024-06-13 Enhancement:
- Mapped "name", "manager", "pull_request_reviews_enforcement_level", "hook_id", "events", "config_was", "key", "fingerprint", "permission", and "title" to "additional.fields".
- When "admin_enforced" is "true", then mapped "security_result.action" to "ALLOW".
- When "admin_enforced" is "false", then mapped "security_result.action" to "BLOCK".
2023-12-18 Bug-Fix:
- If "process_type" is "github_production", added a Grok pattern to extract "kv_data".
- If "process_type" is "github_production", mapped "user" to "target.user.user_display_name".
- If "process_type" is "github_production", mapped "user_id" to "target.user.userid".
- Mapped "referrer" to "network.http.referral_url".
- Mapped "user_session_id" to "network.session_id".
- Mapped "ip" to "principal.ip".
- Mapped "from" to "additional.fields".
- Mapped "request_category" to "additional.fields".
- Mapped "device_cookie" to "additional.fields".
- Mapped "operation_type" to "additional.fields".
- Mapped "category_type" to "additional.fields".
- Mapped "note" to "additional.fields".
- Mapped "read" to "additional.fields".
- Mapped "pre_perform_allocation_count" to "additional.fields".
- Mapped "backend" to "additional.fields".
- Mapped "queue" to "additional.fields".
- Mapped "class" to "additional.fields".
- Mapped "success" to "additional.fields".
- Mapped "controller_action" to "security_result.detection_fields".
- Mapped "two_factor" to "security_result.detection_fields".
2023-10-25 Enhancement:
- When "public_repo" is "false", set "target.location.name" to "PRIVATE", else set to "PUBLIC".
2023-10-11 Enhancement:
- Mapped "user_agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "request_method" to "network.http.method".
- Mapped "application_name" to "target.application".
- Mapped "status_code" to "network.http.response_code".
- Mapped "url_path" to "target.url".
- Mapped "user_id" to "target.userid".
- Mapped "transport_protocol_name" to "network.application_protocol".
- Mapped "raw.now" to "metadata.event_timestamp".
- Mapped "raw.ip" to "principal.ip".
- Mapped "raw.request_id" to "metadata.product_log_id".
- Mapped "raw.repo" to "target.url".
- Mapped "raw.action" to "security_result.summary".
- Mapped "raw.protocol" to "network.application_protocol".
- Mapped "raw.message" to "metadata.description".
- Mapped "raw.at" to "security_result.action".
- Mapped "raw.login" to "target.user_display_name".
- Mapped "raw.user_id" to "target.userid".
- Mapped "raw.failure_reason", "raw.failure_type", "raw.raw_login" and "raw.from" to "additional.fields".
- Mapped "programmatic_access_type", "actor_id", "token_id", "token_scopes", "integration", "query_string", "rate_limit_remaining", "request_body", "route", "business", "org_id", "repo_id", "public_repo", "_document_id", "operation_type", "repository_public" to "additional.fields".
2023-07-31 Bug-Fix:
- Added "on_error" to Grok patterns.
- Mapped "workflow_run.id" to "target.resource.attribute.labels".
- Mapped "workflow_run.event" to "additional.fields".
- Mapped "workflow_run.actor.login" to "principal.user.userid".
- Mapped "workflow_run.head_branch" to "security_result.about.labels".
- Mapped "workflow_run.head_sha" to "target.file.sha256".
- Mapped "enterprise.name" to "additional.fields".
- Mapped "workflow.name" to "security_result.about.labels".
- Mapped "workflow_run.workflow_id" to "security_result.about.labels".
2023-06-22 Enhancement:
- Added support for the "github_auth", "haproxy", "github_access", "github_unicorn", "github_production", "hookshot-go", "babeld", "github_gitauth", "babeld2hydro", "authzd", "gitrpcd", "agent", "git-daemon", "github_resqued", "sudo", "systemd" and "github_audit" syslog log formats.
2023-06-09 Enhancement:
- Mapped "external_identity_nameid" to "target.user.email_addresses" if in email format.
- Fetched the username from "external_identity_nameid" and mapped it to "target.user.userid".
2023-01-13 Enhancement:
- Mapped "actor_ip" to "principal.ip".
- Mapped "hashed_token" to "network.session_id".
- Mapped "external_identity_nameid" to "target.user.userid".
- Mapped "external_identity_username" to "target.user.user_display_name".
2022-11-28 Enhancement: Mapped "config.url" to "target.url".
2022-07-07 Enhancement: Newly ingested JSON format logs with action "git.clone", "git.push" and "workflows.prepared_workflow_job" are now handled and parsed.
- 'job_name' mapped to 'target.resource.attribute.labels'.
- 'job_workflow_ref' mapped to 'target.resource.attribute.labels'.
- 'runner_group_id' mapped to 'target.resource.attribute.labels'.
- 'runner_group_name' mapped to 'target.resource.attribute.labels'.
- 'runner_name' mapped to 'target.resource.attribute.labels'.
- 'runner_id' mapped to 'target.resource.attribute.labels'.
- 'workflow_run_id' mapped to 'target.resource.attribute.labels'.
- 'actor_location.country_code' mapped to 'principal.location.country_or_region'.