Change log for GTB_DLP

Date	Changes
2025-10-28	- Newly created parser - event.idm.read_only_udm.network.application_protocol: Newly mapped `proto` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field. - event.idm.read_only_udm.network.email.to: Newly mapped `dhost` raw log field with `event.idm.read_only_udm.network.email.to` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly mapped `suser`, `cs6` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.network.email.from: Newly mapped `shost` raw log field with `event.idm.read_only_udm.network.email.from` UDM field. - event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `suser` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field. - event.idm.read_only_udm.principal.ip: Newly mapped `src`, `cs13` raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - event.idm.read_only_udm.principal.asset.ip: Newly mapped `src`, `cs13` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - event.idm.read_only_udm.principal.port: Newly mapped `spt`, `port` raw log field with `event.idm.read_only_udm.principal.port` UDM field. - event.idm.read_only_udm.target.port: Newly mapped `dpt` raw log field with `event.idm.read_only_udm.target.port` UDM field. - event.idm.read_only_udm.target.user.email_addresses: Newly mapped `duser` raw log field with `event.idm.read_only_udm.target.user.email_addresses` UDM field. - event.idm.read_only_udm.intermediary.ip: Newly mapped `dvc` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `rt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.metadata.collected_timestamp: Newly mapped `timestamp` raw log field with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `act`, `cs1`, `cs3`, `cs4`, `cs8`, `cs10`, `cs11`, `cs12`, `cs2`, `cs5`, `cs6`, `cs18`, `cs19`, `cert`, `deviceExternalId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.intermediary.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.intermediary.hostname` UDM field. - event.idm.read_only_udm.metadata.vendor_name: Newly mapped `vendor` raw log field with `event.idm.read_only_udm.metadata.vendor_name` UDM field. - event.idm.read_only_udm.metadata.product_name: Newly mapped `product` raw log field with `event.idm.read_only_udm.metadata.product_name` UDM field. - event.idm.read_only_udm.metadata.product_version: Newly mapped `version` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field. - event.idm.read_only_udm.security_result.rule_name: Newly mapped `rulename` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field. - event.idm.read_only_udm.metadata.product_event_type: Newly mapped `peventtype` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly mapped `externalId`, `error.innerError.client-request-id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.metadata.description: Newly mapped `message_data` raw log field with `event.idm.read_only_udm.metadata.description` UDM field. - event.idm.read_only_udm.metadata.description: Newly mapped `cs4` raw log field with `event.idm.read_only_udm.metadata.description` UDM field if it matches the grok pattern. - event.idm.read_only_udm.network.http.method: Newly mapped `http_method` raw log field with `event.idm.read_only_udm.network.http.method` UDM field. - event.idm.read_only_udm.network.http.response_code: Newly mapped `http_response` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field. - event.idm.read_only_udm.target.url: Newly mapped `target_url` raw log field with `event.idm.read_only_udm.target.url` UDM field. - event.idm.read_only_udm.target.file.size: Newly mapped `cs7` raw log field with `event.idm.read_only_udm.target.file.size` UDM field. - event.idm.read_only_udm.target.file.full_path: Newly mapped `cs9` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `cs16`, `cs17`, `error.code`, `error.innerError.date` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.target.file.sha256: Newly mapped `sha256` raw log field with `event.idm.read_only_udm.target.file.sha256` UDM field. - event.idm.read_only_udm.security_result.description: Newly mapped `error.message` raw log field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.network.session_id: Newly mapped `error.innerError.request-id` raw log field with `event.idm.read_only_udm.network.session_id` UDM field. - event.idm.read_only_udm.metadata.event_type: If has_principal is "true" and has_target is "true", updated to "NETWORK_CONNECTION". - event.idm.read_only_udm.metadata.event_type: If has_user is "true" and message contains "login", updated to "USER_LOGIN". - event.idm.read_only_udm.metadata.event_type: If has_user is "true" and message contains "logout", updated to "USER_LOGOUT". - event.idm.read_only_udm.metadata.event_type: If has_user is "true" and has_principal_email is "true" and has_target_email is "true", updated to "EMAIL_TRANSACTION". - event.idm.read_only_udm.metadata.event_type: If has_principal is "true", updated to "STATUS_UPDATE". - event.idm.read_only_udm.metadata.event_type: If has_user is "true", updated to "USER_UNCATEGORIZED". - event.idm.read_only_udm.metadata.event_type: Otherwise, updated to "GENERIC_EVENT".

Date

Changes

2025-10-28

- Newly created parser
- event.idm.read_only_udm.network.application_protocol: Newly mapped `proto` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field.
- event.idm.read_only_udm.network.email.to: Newly mapped `dhost` raw log field with `event.idm.read_only_udm.network.email.to` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `suser`, `cs6` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.network.email.from: Newly mapped `shost` raw log field with `event.idm.read_only_udm.network.email.from` UDM field.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `suser` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `src`, `cs13` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `src`, `cs13` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.principal.port: Newly mapped `spt`, `port` raw log field with `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.target.port: Newly mapped `dpt` raw log field with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.target.user.email_addresses: Newly mapped `duser` raw log field with `event.idm.read_only_udm.target.user.email_addresses` UDM field.
- event.idm.read_only_udm.intermediary.ip: Newly mapped `dvc` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `rt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.metadata.collected_timestamp: Newly mapped `timestamp` raw log field with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `act`, `cs1`, `cs3`, `cs4`, `cs8`, `cs10`, `cs11`, `cs12`, `cs2`, `cs5`, `cs6`, `cs18`, `cs19`, `cert`, `deviceExternalId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.intermediary.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.intermediary.hostname` UDM field.
- event.idm.read_only_udm.metadata.vendor_name: Newly mapped `vendor` raw log field with `event.idm.read_only_udm.metadata.vendor_name` UDM field.
- event.idm.read_only_udm.metadata.product_name: Newly mapped `product` raw log field with `event.idm.read_only_udm.metadata.product_name` UDM field.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `version` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped `rulename` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `peventtype` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `externalId`, `error.innerError.client-request-id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.metadata.description: Newly mapped `message_data` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.metadata.description: Newly mapped `cs4` raw log field with `event.idm.read_only_udm.metadata.description` UDM field if it matches the grok pattern.
- event.idm.read_only_udm.network.http.method: Newly mapped `http_method` raw log field with `event.idm.read_only_udm.network.http.method` UDM field.
- event.idm.read_only_udm.network.http.response_code: Newly mapped `http_response` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field.
- event.idm.read_only_udm.target.url: Newly mapped `target_url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.target.file.size: Newly mapped `cs7` raw log field with `event.idm.read_only_udm.target.file.size` UDM field.
- event.idm.read_only_udm.target.file.full_path: Newly mapped `cs9` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `cs16`, `cs17`, `error.code`, `error.innerError.date` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.target.file.sha256: Newly mapped `sha256` raw log field with `event.idm.read_only_udm.target.file.sha256` UDM field.
- event.idm.read_only_udm.security_result.description: Newly mapped `error.message` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped `error.innerError.request-id` raw log field with `event.idm.read_only_udm.network.session_id` UDM field.
- event.idm.read_only_udm.metadata.event_type: If has_principal is "true" and has_target is "true", updated to "NETWORK_CONNECTION".
- event.idm.read_only_udm.metadata.event_type: If has_user is "true" and message contains "login", updated to "USER_LOGIN".
- event.idm.read_only_udm.metadata.event_type: If has_user is "true" and message contains "logout", updated to "USER_LOGOUT".
- event.idm.read_only_udm.metadata.event_type: If has_user is "true" and has_principal_email is "true" and has_target_email is "true", updated to "EMAIL_TRANSACTION".
- event.idm.read_only_udm.metadata.event_type: If has_principal is "true", updated to "STATUS_UPDATE".
- event.idm.read_only_udm.metadata.event_type: If has_user is "true", updated to "USER_UNCATEGORIZED".
- event.idm.read_only_udm.metadata.event_type: Otherwise, updated to "GENERIC_EVENT".