Change log for PAN_PRISMA_CA

Date Changes
2025-09-05 Enhancement:
- Consolidated all mappings for event.idm.read_only_udm.additional.fields and event.idm.read_only_udm.security_result.detection_fields.
2025-09-02 Enhancement:
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `record.time` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `record.hostname` raw log field to `event.idm.read_only_udm.principal.hostname` UDM field.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `record.hostname` raw log field to `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `record.fqdn` raw log field to `event.idm.read_only_udm.principal.hostname` UDM field.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `record.fqdn` raw log field to `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- `event.idm.read_only_udm.principal.application`: Newly mapped `record.containerName` raw log field to `event.idm.read_only_udm.principal.application` UDM field.
- `event.idm.read_only_udm.principal.resource.name`: Newly mapped `record.containerName` raw log field to `event.idm.read_only_udm.principal.resource.name` UDM field.
- `event.idm.read_only_udm.principal.asset.asset_id`: Newly mapped `record.containerID` raw log field to `event.idm.read_only_udm.principal.asset.asset_id` UDM field.
- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `record.imageName`, `record.imageID`, `record.cluster` raw log fields to `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.principal.namespace`: Newly mapped `record.namespace` raw log field to `event.idm.read_only_udm.principal.namespace` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `record.accountID`, `record.provider` raw log fields to `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `record.region` raw log field to `event.idm.read_only_udm.principal.location.country_or_region` UDM field.
- `event.idm.read_only_udm.principal.platform_version`: Newly mapped `audit.os` raw log field to `event.idm.read_only_udm.principal.platform_version` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `audit.user` raw log field to `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `audit.type` raw log field to `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- `event.idm.read_only_udm.security_result.action_details`: Newly mapped `audit.effect` raw log field to `event.idm.read_only_udm.security_result.action_details` UDM field.
- `event.idm.read_only_udm.metadata.description`: Newly mapped `audit.msg` raw log field to `event.idm.read_only_udm.metadata.description` UDM field.
- `event.idm.read_only_udm.principal.process.pid`: Newly mapped `audit.pid` raw log field to `event.idm.read_only_udm.principal.process.pid` UDM field.
- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped `audit.processPath` raw log field to `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
- `event.idm.read_only_udm.principal.process.command_line`: Newly mapped `audit.command` raw log field to `event.idm.read_only_udm.principal.process.command_line` UDM field.
- `event.idm.read_only_udm.security_result.threat_name`: Newly mapped `audit.attackType` raw log field to `event.idm.read_only_udm.security_result.threat_name` UDM field.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `audit.severity` raw log field to `event.idm.read_only_udm.security_result.severity` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `audit.attackTechniques`, `audit._id`, `audit.count`, `audit.container`, `record._id`, `record.serialNum`, `record.collections`, `record.profileID` and `record.shouldCollect` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `audit.ruleName` raw log field to `event.idm.read_only_udm.security_result.rule_name` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `record.acknowledged` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.security_result.category_details`: Newly mapped `record.category` raw log field to `event.idm.read_only_udm.security_result.category_details` UDM field.
- `event.idm.read_only_udm.principal.resource.type`: Newly mapped `record.type` raw log field to `event.idm.read_only_udm.principal.resource.type` UDM field.
2025-01-22 Enhancement:
- Added a "gsub" to support a new pattern of JSON logs.
- Mapped "emailValue" to "principal.user.email_addresses".
2024-12-19 Enhancement:
- Mapped "account_id" to "target.user.userid".
2024-12-14 Enhancement:
- Added support for unparsed "aggregatedAlerts" fields.
2024-12-05 Enhancement:
- Mapped "record.region" to "principal.location.country_or_region".
- Mapped "record.policy.name" to "security_result.description".
- Mapped "record.account.cloudType" to "principal.cloud.environment".
- Mapped "record.policy.policyType", "record.policy.recommendation", and "record.policy.description" to "security_result.detection_fields".
- Mapped "record.policy.severity" to "security_result.severity".
- Mapped "record.policy.labels" to "additional.fields".
2024-11-27 Enhancement:
- Refreshed the parser so that multi-valued array entries are restructured, allowing commonly used fields to be accessed without duplication within the array index.
2024-11-14 Enhancement:
- Added support for a new pattern of JSON logs.
- Mapped "callbackUrl" to "metadata.url_back_to_product".
- Mapped "errorMessage" to "metadata.description".
- Mapped "notificationRuleName" to "security_result.rule_name".
- Mapped "body", "title" to "additional.fields".
- Mapped "alarmType" to "principal.cloud.environment".
- Mapped "severity" to "security_result.severity".
2024-10-31 Enhancement:
- Mapped all instances of "aggregatedAlert.compilanceIssues" to different "security_result" blocks.
2024-10-17 Enhancement:
- Mapped "aggregatedAlert.vulnerabilities.imageID" to "extensions.vulns.vulnerabilities.about.file.sha256".
- Mapped "aggregatedAlert.vulnerabilities.imageName" to "extensions.vulns.vulnerabilities.about.file.path".
- Mapped "aggregatedAlert.vulnerabilities.distribution" to "extensions.vulns.vulnerabilities.name".
- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.severity" to "extensions.vulns.vulnerabilities.severity".
- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.cve" to "extensions.vulns.vulnerabilities.cve_id".
- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.link" to "extensions.vulns.vulnerabilities.about.url".
- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.status" to "extensions.vulns.vulnerabilities.description".
- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.packages", "aggregatedAlert.vulnerabilities.newVulnerabilities.packageVersion", and "aggregatedAlert.vulnerabilities.newVulnerabilities.sourcePackage" to "target.resource.attribute.labels".
2024-09-15 Enhancement:
- Added support for a new pattern of JSON logs.
2024-06-21 Enhancement:
- Added support for a new pattern of unparsed JSON logs.
2024-06-18 Enhancement:
- Mapped "policyLabels" to "additional.fields".
- Mapped "policyType" to "security_result.detection_fields".
2024-06-17 Enhancement:
- Mapped "resource.unifiedAssetId" to "principal.asset.asset_id".
- Mapped "policyName" to "security_result.description".
- Mapped "resource.resourceConfigJsonAvailable", "resource.resourceDetailsAvailable", and "policy.deleted" to "additional.fields".
- Mapped "policy.recommendation", "policy.policyType", and "policy.description" to "security_result.detection_fields".
- Mapped "resource.url" to "principal.url".
- Mapped "reason" to "security_result.summary".
- Mapped "resource.region" to "principal.location.state".
- Mapped "resource.regionId" to "principal.location.country_or_region".
- Mapped "resource.resourceType" to "target.resource.resource_subtype".
- Mapped "resource.accountId" to "target.resource.product_object_id" and "target.resource.id".
- If "resource.cloudType" value is "gcp", set "principal.cloud.environment" to "GOOGLE_CLOUD_PLATFORM".
2023-12-10 Enhancement:
- Added a Grok pattern to extract JSON part.
- Mapped "resourceId" to "principal.resource.product_object_id".
- Mapped "accountId" to "target.resource.product_object_id".
- Mapped "alertRuleName" to "security_result.rule_name".
- Mapped "accountName" to "target.resource.name".
- Mapped "hasFinding" to "security_result.detection_fields".
- Mapped "resourceRegionId" to "principal.cloud.availability_zone".
- Mapped "source" to "principal.application".
- Mapped "callbackUrl" to "metadata.url_back_to_product".
- Mapped "alertRuleId" to "security_result.rule_id".
- Mapped "alertId" to "security_result.detection_fields".
- Mapped "policyLabels" to "additional.fields".
- Mapped "policyName" to "security_result.description".
- Mapped "resourceName" to "principal.resource.name".
- Mapped "resourceRegion" to "principal.location.country_or_region".
- Mapped "policyDescription" to "security_result.detection_fields".
- Mapped "policyRecommendation" to "security_result.detection_fields".
- Mapped "resourceCloudService" to "principal.resource.attribute.labels".
- Mapped "resource.url" to "principal.url".
- Mapped "alertTs" to "security_result.detection_fields".
- Mapped "firstSeen" to "principal.asset.first_seen_time".
- Mapped "lastSeen" to "principal.asset.last_discover_time".
- Mapped "reason" to "security_result.summary".
- Mapped "alertStatus" to "security_result.detection_fields".
- If "severity" value is "HIGH", set "security_result.severity" to "HIGH".
- If "cloudType" value is "gcp", set "principal.cloud.environment" to "GOOGLE_CLOUD_PLATFORM".
2023-08-17 Newly created parser.