Change log for IMPERVA_SECURESPHERE
| Date | Changes |
|---|---|
| 2025-11-05 | Enhancement:<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `cs9` and `cs9Label` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Added `on_error` handling for the `rt` raw log field.<br>- Modified the date filter to support the ISO 8601 date format for the `rt` raw log field.<br>- Modified the conditional logic so that the `cs9` and `cs9Label` fields are processed independently of the `cs8` and `cs8Label` fields. |
| 2025-10-31 | Enhancement:<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `cs5` raw log field to `event.idm.read_only_udm.metadata.product_log_id` when `cs5Label` is `EventId`.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `cs10` raw log field to `event.idm.read_only_udm.principal.application` when `cs10Label` is `SourceApplication`.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `app` raw log field to `event.idm.read_only_udm.principal.application`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `cs11` raw log field to `event.idm.read_only_udm.principal.user.userid` when `cs11Label` is `OSUser`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `osUser` raw log field to `event.idm.read_only_udm.principal.user.userid`.<br>- `event.idm.read_only_udm.principal.hostname`: Newly mapped the `cs12` raw log field to `event.idm.read_only_udm.principal.hostname` when `cs12Label` is `HostName`.<br>- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `cs12` raw log field to `event.idm.read_only_udm.principal.asset.hostname` when `cs12Label` is `HostName`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs3` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` with the key `ServiceName` when `cs3Label` is `ServiceName`.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped the `suser` raw log field to `event.idm.read_only_udm.principal.user.user_display_name`.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `cs13` raw log field to `event.idm.read_only_udm.target.resource.name` when `cs13Label` is `Database`.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `dbName` raw log field to `event.idm.read_only_udm.target.resource.name`.<br>- `event.idm.read_only_udm.target.resource.resource_type`: Set to `DATABASE` when the `cs13` raw log field is present and `cs13Label` is `Database`.<br>- `event.idm.read_only_udm.target.resource.resource_type`: Set to `DATABASE` when the `dbName` raw log field is present.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `cs18`, `cs19`, `cs20`, and `cs21` raw log fields to `event.idm.read_only_udm.additional.fields`, using `cs18Label`, `cs19Label`, `cs20Label`, and `cs21Label` respectively as the keys. Also mapped the `cs5` raw log field to `event.idm.read_only_udm.additional.fields` with the key `RawDBQuery` when `cs5Label` is `RawDBQuery`.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `shost` raw log field to `event.idm.read_only_udm.principal.ip`.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `shost` raw log field to `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped the `bytesOut` raw log field to `event.idm.read_only_udm.network.sent_bytes`.<br>- `event.idm.read_only_udm.target.process.command_line`: Newly mapped the `cs4` raw log field to `event.idm.read_only_udm.target.process.command_line` when `cs4Label` is `DBQuery`.<br>- `event.idm.read_only_udm.security_result.action`: Set to `ALLOW` when the `isAuthenticated` raw log field is `True`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `dbSchema` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` with the key `dbSchema`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `dbBindVariables` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` with the key `dbBindVariables`.<br>- Updated `event.idm.read_only_udm.metadata.event_type` to `USER_LOGIN` for logs where `descrip` contains `SQL protocol` and `message` contains `login`. |
| 2025-10-17 | Enhancement:<br>- `event.idm.read_only_udm.security_result.rule_id`: Newly mapped the `ruleid` raw log field to the `event.idm.read_only_udm.security_result.rule_id` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `cs3`, `deviceCustomDate1`, `cs8`, `cs9`, `cs10`, `cs11`, `cs13`, and `cs4` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `src` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `src` raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `cs5` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.target.application`: Newly mapped the `cs6` raw log field to the `event.idm.read_only_udm.target.application` UDM field.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped the `dst` raw log field to the `event.idm.read_only_udm.target.ip` UDM field.<br>- `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `dst` raw log field to the `event.idm.read_only_udm.target.asset.ip` UDM field.<br>- `event.idm.read_only_udm.security_result.summary`: Newly mapped the `cs7` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs12` raw log field to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped the `cn1` raw log field to the `event.idm.read_only_udm.network.sent_bytes` UDM field.<br>- `event.idm.read_only_udm.principal.port`: Newly mapped the `cn2` raw log field to the `event.idm.read_only_udm.principal.port` UDM field.<br>- `event.idm.read_only_udm.target.port`: Newly mapped the `cn3` raw log field to the `event.idm.read_only_udm.target.port` UDM field.<br>- Added logic to set `metadata.event_type` to `NETWORK_CONNECTION`, `USER_UNCATEGORIZED`, `STATUS_UPDATE`, or `GENERIC_EVENT` based on the presence of principal, target, and user information in the new log format.<br>- Added Grok patterns to parse a new syslog log pattern. |
| 2025-07-18 | Enhancement:<br>- Added mappings for the `cs7` and `cs11` raw log fields globally.<br>- Modified the condition so that the `cs12` raw log field is mapped to the `security_result.description` UDM field when `cs12Label` is not `OSUser`.<br>- Modified the condition so that the `cs17` raw log field is mapped to the `event.idm.read_only_udm.target.resource.resource_subtype` UDM field when `cs17Label` is not `Error`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs17` raw log field to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field when `cs17Label` is `Error`. |
| 2025-07-03 | Enhancement:<br>- Added Grok patterns to support a new syslog log pattern.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `cs2`, `cs2Label`, and `additional_json_data` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field when `cs2Label` is `ServerGroup`.<br>- `event.idm.read_only_udm.target.application`: Newly mapped the `cs5` raw log field to the `event.idm.read_only_udm.target.application` UDM field when `cs5Label` is `ApplicationName`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs4` raw log field to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field when `cs4Label` is `ServiceName`.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `cs6` raw log field to the `event.idm.read_only_udm.principal.application` UDM field when `cs11Label` is `SrcApp`.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `cs7` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field when `cs7Label` is `AlertDesc`.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `cs11` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field when `cs11Label` is `DatabaseName`.<br>- `event.idm.read_only_udm.target.resource.resource_type`: Set to `DATABASE` when `cs11Label` is `DatabaseName`.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `cs10` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field when `cs10Label` is `EventID`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs15` raw log field to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field when `cs15Label` is not `ViolatedItem`.<br>- `event.idm.read_only_udm.security_result.threat_id`: Newly mapped the `cs9` raw log field to the `event.idm.read_only_udm.security_result.threat_id` UDM field when `cs9Label` is `AlertID`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `cs12` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field when `cs12Label` is `OSUser`.<br>- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped the `inter_host` raw log field to the `event.idm.read_only_udm.intermediary.hostname` UDM field.<br>- `event.idm.read_only_udm.principal.hostname`: Newly mapped the `cs13` raw log field to the `event.idm.read_only_udm.principal.hostname` UDM field when `cs13Label` is `HostName`.<br>- Modified the condition so that the `cs2` raw log field is mapped to `event.idm.read_only_udm.principal.group.group_display_name` when `cs2Label` is `ServerGroup`.<br>- Modified the condition so that the `cs4` raw log field is mapped to the `event.idm.read_only_udm.target.application` UDM field when `cs4Label` is `ApplicationName`.<br>- Modified the condition so that the `cs5` raw log field is mapped to the `event.idm.read_only_udm.metadata.description` UDM field when `cs5Label` is `Description`.<br>- Modified the condition so that the `cs15` raw log field is mapped to the `security_result.summary` UDM field when `cs15Label` is `ViolatedItem`.<br>- Modified the condition so that the `cs9` raw log field is mapped to the `event.idm.read_only_udm.principal.user.userid` UDM field when `cs9Label` is `osUser`.<br>- Modified the condition so that the `cs8` raw log field is mapped to the `event.idm.read_only_udm.target.resource.name` UDM field when `cs8Label` is `DatabaseName` or `ApplicationName`. |
| 2024-04-01 | Enhancement:<br>- Added support for JSON logs. |
| 2023-04-26 | Enhancement:<br>- Mapped `cs1` to `security_result.rule_name`.<br>- Mapped `cs2` to `principal.group.group_display_name`.<br>- Mapped `cs3` to `principal.hostname`.<br>- Mapped `cs6` to `target.resource_ancestors.name`.<br>- Mapped `cs7` to `target.resource_ancestors.resource_subtype`.<br>- Mapped `cs5` to `metadata.description`.<br>- Mapped `cs12` to `security_result.description`.<br>- Mapped `cs14` to `target.resource.attribute.labels`.<br>- Mapped `cs15` to `security_result.summary`.<br>- Mapped `cs16` to `principal.process.command_line`.<br>- Mapped `cs17` to `target.resource.resource_subtype`.<br>- Parsed the `severity` field.<br>- Mapped `act` to `security_result.action_details`.<br>- Mapped `cs13` to `metadata.product_log_id`. |
| 2022-07-24 | Enhancement:<br>- Mapped `proto` to `network.ip_protocol`.<br>- Mapped `severity` to `security_result.severity_details`.<br>- Mapped `cs1Label` to `security_result.detection_fields`.<br>- Mapped `cs2Label` to `security_result.detection_fields`.<br>- Mapped `cs3Label` to `security_result.detection_fields`.<br>- Mapped `cs4` to `target.application`.<br>- Mapped `cs5Label` to `security_result.detection_fields`.<br>- Mapped `cs8` to `target.resource.name`.<br>- Mapped `cs9` to `principal.user.userid`.<br>- Mapped `cs10Label` to `additional.fields`.<br>- Mapped `cs11` to `principal.application`.<br>- Mapped `cs12Label` to `additional.fields`.<br>- Mapped `cs13Label` to `additional.fields`.<br>- Mapped `cs14Label` to `additional.fields`.<br>- Mapped `cs16Label` to `additional.fields`.<br>- Mapped `cs17Label` to `additional.fields`. |
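The label-conditional rules in the 2025-10-31 entry, as an added worked example (not the Google SecOps parser's own code): it parses a constructed CEF extension string and applies the `cs`/`csLabel`, `isAuthenticated` and `USER_LOGIN` mappings listed above. The dotted UDM paths, the `parse_cef_extension` and `map_to_udm` names and the `GENERIC_EVENT` fallback are assumptions.

```python
"""Label-conditional CEF-to-UDM mapping, as described in the 2025-10-31
entry above. Added illustration, not the Google SecOps parser itself;
UDM paths are written as dotted strings for brevity."""
import re

# (value key, label key, required label, UDM path), taken from the changelog
LABELLED_RULES = [
    ("cs5", "cs5Label", "EventId", "metadata.product_log_id"),
    ("cs10", "cs10Label", "SourceApplication", "principal.application"),
    ("cs11", "cs11Label", "OSUser", "principal.user.userid"),
    ("cs12", "cs12Label", "HostName", "principal.hostname"),
    ("cs13", "cs13Label", "Database", "target.resource.name"),
    ("cs4", "cs4Label", "DBQuery", "target.process.command_line"),
]
FREE_FORM_KEYS = ["cs18", "cs19", "cs20", "cs21"]  # label becomes the key


def parse_cef_extension(ext: str) -> dict:
    """Split a CEF extension into key/value pairs. A value runs until the
    next ' key=' token; a literal '=' inside a value is CEF-escaped as
    '\\=', which the lookahead does not treat as a key boundary."""
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext)
    return {k: v.replace("\\=", "=") for k, v in pairs}


def map_to_udm(fields: dict) -> dict:
    """Apply the label-conditional mappings and the USER_LOGIN rule."""
    udm = {"additional.fields": {}}
    for value_key, label_key, wanted, path in LABELLED_RULES:
        if fields.get(label_key) == wanted and value_key in fields:
            udm[path] = fields[value_key]
    if "target.resource.name" in udm:  # only set when cs13Label is Database
        udm["target.resource.resource_type"] = "DATABASE"
    for key in FREE_FORM_KEYS:
        if key in fields and fields.get(key + "Label"):
            udm["additional.fields"][fields[key + "Label"]] = fields[key]
    if fields.get("isAuthenticated") == "True":
        udm["security_result.action"] = "ALLOW"
    if "SQL protocol" in fields.get("descrip", "") and "login" in fields.get("message", ""):
        udm["metadata.event_type"] = "USER_LOGIN"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"  # assumed fallback
    return udm


# Constructed sample extension string, not a real SecureSphere capture
SAMPLE = ("descrip=SQL protocol message=Successful login cs5Label=EventId "
          "cs5=12345 cs13Label=Database cs13=orders cs4Label=DBQuery "
          "cs4=SELECT name FROM customers WHERE id\\=42 "
          "cs18Label=ServerGroup cs18=prod-db isAuthenticated=True")
```

Running `map_to_udm(parse_cef_extension(SAMPLE))` yields `USER_LOGIN` with the database, query and event id populated; a `cs13Label` other than `Database` leaves `target.resource.name` unset.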