Change log for SALESFORCE
| Date | Changes |
|---|---|
| 2025-11-11 | Enhancement:
- Added support for new csv pattern of logs. - event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Removed mapping of `column26` raw log field with event.idm.read_only_udm.principal.hostname UDM field and event.idm.read_only_udm.principal.asset.hostname UDM field in order to introduce a more accurate mapping for the raw log fields. - event.idm.read_only_udm.security_result.description: Removed mapping of `column28` raw log field with event.idm.read_only_udm.security_result.description UDM field when log has `34 columns` in order to introduce a more accurate mapping for the raw log fields. - event.idm.read_only_udm.target.hostname and event.idm.read_only_udm.target.asset.hostname: Newly mapped `target_host` raw log field with event.idm.read_only_udm.target.hostname UDM field and event.idm.read_only_udm.target.asset.hostname UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `api_token`,`api_type`,`loginkey` raw log field with event.idm.read_only_udm.additional.fields UDM field. |
| 2025-10-27 | Enhancement:
- 'event.idm.read_only_udm.target.process.command_line': Newly mapped 'QUERY_IDENTIFIER' raw log field with 'event.idm.read_only_udm.target.process.command_line' UDM field. - 'event.idm.read_only_udm.target.resource.attribute.labels': Newly mapped 'QUERY_TYPE' raw log field with 'event.idm.read_only_udm.target.resource.attribute.labels' UDM field. - 'event.idm.read_only_udm.target.resource.attribute.labels': Newly mapped 'SQL_ID' raw log field with 'event.idm.read_only_udm.target.resource.attribute.labels' UDM field. - 'event.idm.read_only_udm.network.session_id': Newly mapped 'LOGIN_KEY' raw log field with 'event.idm.read_only_udm.network.session_id' UDM field. - Updated conditional check for 'REQUEST_SIZE' to exclude values of '-1'. |
| 2025-10-01 | Enhancement:
- `event.idm.read_only_udm.metadata.description`: Newly mapped `properties.Description` raw log field with `event.idm.read_only_udm.metadata.description` UDM field. - `event.idm.read_only_udm.principal.location.city`: Newly mapped `properties.City` raw log field with `event.idm.read_only_udm.principal.location.city` UDM field. - `event.idm.read_only_udm.target.application`: Newly mapped `properties.AppName` raw log field with `event.idm.read_only_udm.target.application` UDM field. - `event.idm.read_only_udm.target.resource.product_object_id`: Newly mapped `properties.OrgId` raw log field with `event.idm.read_only_udm.target.resource.product_object_id` UDM field. - `event.idm.read_only_udm.target.administrative_domain`: Newly mapped `properties.OrgName` raw log field with `event.idm.read_only_udm.target.administrative_domain` UDM field. - `event.idm.read_only_udm.principal.namespace`: Newly mapped `namespace` raw log field with `event.idm.read_only_udm.principal.namespace` UDM field. - `event.idm.read_only_udm.target.url`: Newly mapped `properties.LoginUrl, properties.PageUrl` raw log field with `event.idm.read_only_udm.target.url` UDM field. - `event.idm.read_only_udm.principal.application`: Newly mapped `properties.Application` raw log field with `event.idm.read_only_udm.principal.application` UDM field. - `event.idm.read_only_udm.metadata.collected_timestamp`: Newly mapped `recordDate` raw log field with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field. - `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `name` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `properties.Username` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field. - `event.idm.read_only_udm.principal.user.userid`: Newly mapped `properties.UserId` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - `event.idm.read_only_udm.principal.user.role_name`: Newly mapped `properties.UserType` raw log field with `event.idm.read_only_udm.principal.user.role_name` UDM field. - `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `properties.Country` raw log field with `event.idm.read_only_udm.principal.location.country_or_region` UDM field. - `event.idm.read_only_udm.principal.ip`: Newly mapped `properties.SourceIp` raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `properties.SourceIp` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `properties.SourceIp (if not a valid IP), properties.OsName (if not Windows, Linux, or Mac), properties.DisplayedFieldEntities` raw log field with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. - `event.idm.read_only_udm.network.tls.version`: Newly mapped `properties.TlsProtocol` raw log field with `event.idm.read_only_udm.network.tls.version` UDM field. - `event.idm.read_only_udm.network.tls.cipher`: Newly mapped `properties.CipherSuite` raw log field with `event.idm.read_only_udm.network.tls.cipher` UDM field. - `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `properties.EventDate, startTime` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `properties.EventIdentifier` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - `event.idm.read_only_udm.network.http.method`: Newly mapped `properties.HttpMethod` raw log field with `event.idm.read_only_udm.network.http.method` UDM field. - `event.idm.read_only_udm.network.application_protocol`: Newly mapped `properties.HttpMethod` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field. - `event.idm.read_only_udm.principal.location.region_latitude`: Newly mapped `properties.LoginLatitude` raw log field with `event.idm.read_only_udm.principal.location.region_latitude` UDM field. - `event.idm.read_only_udm.principal.location.region_longitude`: Newly mapped `properties.LoginLongitude` raw log field with `event.idm.read_only_udm.principal.location.region_longitude` UDM field. - `event.idm.read_only_udm.principal.platform`: Newly mapped `properties.OsName, properties.Platform` raw log field with `event.idm.read_only_udm.principal.platform` UDM field. - `event.idm.read_only_udm.principal.platform_version`: Newly mapped `properties.OsVersion` raw log field with `event.idm.read_only_udm.principal.platform_version` UDM field. - `event.idm.read_only_udm.target.resource.id`: Newly mapped `properties.RecordId` raw log field with `event.idm.read_only_udm.target.resource.id` UDM field. - `event.idm.read_only_udm.network.session_id`: Newly mapped `properties.SessionKey` raw log field with `event.idm.read_only_udm.network.session_id` UDM field. - `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `properties.UserAgent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field. - `event.idm.read_only_udm.network.http.parsed_user_agent`: Newly mapped `properties.UserAgent` raw log field with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field. - `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `properties.PageStartTime, properties.PreviousPageUrl, properties.Description, properties.ReportId` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field. - `event.idm.read_only_udm.target.resource.name`: Newly mapped `properties.Name` raw log field with `event.idm.read_only_udm.target.resource.name` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped properties.Records.datacells, finishDate, mrId, properties.CountryIso, properties.CreatedById, properties.Subdivision, properties.Browser, properties.EvaluationTime, properties.LoginGeoId, properties.LoginHistoryId, properties.LoginKey, properties.LoginSubType, properties.NetworkId, spanId, startDate, _region, endTime, device, properties.DeviceSessionId, properties.Duration, properties.EffectivePageTime, properties.ConnectionType, properties.EffectivePageTimeDeviationErrorType, properties.EffectivePageTimeDeviationReason, properties.HasEffectivePageTimeDeviation, properties.DeviceId, properties.DeviceModel, properties.Operation, properties.PreviousPageAppName, properties.PreviousPageEntityId, properties.PreviousPageEntityType, properties.QueriedEntities, properties.RelatedEventIdentifier, properties.Sandbox, properties.SdkAppType, properties.SdkAppVersion, properties.SdkVersion, properties.SessionLevel, properties.UserType, properties.CreatedDate, properties.AdditionalInfo, properties.ApiType, properties.ApiVersion, properties.AuthMethodReference, properties.AuthServiceId, properties.PostalCode, properties.PolicyOutcome, properties.LoginType, properties.ForwardedForIp, properties.ClientVersion, properties.RowsProcessed, properties.ExecutionIdentifier, properties.IsScheduled, properties.EventSource, properties.ColumnHeaders, properties.DashboardId, properties.DashboardName, properties.ExportFileFormat, properties.Format, properties.GroupedColumnHeaders, properties.NumberOfColumns, properties.RowsReturned, properties.Scope, properties.Sequence` and `properties.OwnerId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-09-26 | Enhancement:
- "event.idm.read_only_udm.target.user.userid": Newly mapped column12 raw log fields with "event.idm.read_only_udm.target.user.userid" UDM field. - "event.idm.read_only_udm.extensions.auth.auth_details": Newly mapped column14 raw log fields with "event.idm.read_only_udm.extensions.auth.auth_details" UDM field. - "event.idm.read_only_udm.additional.fields": Newly mapped column10 raw log fields with "event.idm.read_only_udm.additional.fields" UDM field. - "event.idm.read_only_udm.network.http.user_agent": Newly mapped column15, column11 raw log fields with "event.idm.read_only_udm.network.http.user_agent" UDM field. - "event.idm.read_only_udm.principal.ip": Newly mapped principal_ip, column15 raw log fields with "event.idm.read_only_udm.principal.ip" UDM field. - "event.idm.read_only_udm.intermediary.ip": Newly mapped intermediary_ip raw log fields with "event.idm.read_only_udm.intermediary.ip" UDM field. - "event.idm.read_only_udm.target.resource.id": Newly mapped column8 raw log fields with "event.idm.read_only_udm.target.resource.id" UDM field. - "event.idm.read_only_udm.metadata.description": Newly mapped column12 raw log fields with "event.idm.read_only_udm.metadata.description" UDM field. - "event.idm.read_only_udm.principal.asset.ip": Newly mapped column15 raw log fields with "event.idm.read_only_udm.principal.asset.ip" UDM field. - "event.idm.read_only_udm.metadata.product_log_id": Newly mapped column3 raw log fields with "event.idm.read_only_udm.metadata.product_log_id" UDM field. - "event.idm.read_only_udm.principal.resource.product_object_id": Newly mapped column5 raw log fields with "event.idm.read_only_udm.principal.resource.product_object_id" UDM field. - "event.idm.read_only_udm.network.session_id": Newly mapped column14 raw log fields with "event.idm.read_only_udm.network.session_id" UDM field. - "event.idm.read_only_udm.principal.user.attribute.labels": Newly mapped column14 raw log fields with "event.idm.read_only_udm.principal.user.attribute.labels" UDM field. - "event.idm.read_only_udm.target.resource.product_object_id": Newly mapped column17 for LoginAs event type raw log fields with "event.idm.read_only_udm.target.resource.product_object_id" UDM field. - "event.idm.read_only_udm.target.resource.product_object_id": Newly mapped column13 for ApiTotalUsage event type raw log fields with "event.idm.read_only_udm.target.resource.product_object_id" UDM field. - "event.idm.read_only_udm.target.process.command_line": Newly mapped column8 for the Search event type has been added to "event.idm.read_only_udm.target.process.command_line" UDM field. - "event.idm.read_only_udm.principal.user.userid": Newly mapped column5 to column4 raw log fields with "event.idm.read_only_udm.principal.user.userid" UDM field. |
| 2025-08-26 | Enhancement:
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `profile_name` raw log field to `event.idm.read_only_udm.principal.user.user_display_name` UDM field. - event.idm.read_only_udm.principal.application: Newly mapped `src_app_name` raw log field to `event.idm.read_only_udm.principal.application` UDM field. - event.idm.read_only_udm.network.http.response_code: Newly mapped `STATUS_CODE` raw log field to `event.idm.read_only_udm.network.http.response_code` UDM field. - event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped `CLIENT_IP` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field. - event.idm.read_only_udm.network.http.method: Newly mapped `method` raw log field to `event.idm.read_only_udm.network.http.method` UDM field. - event.idm.read_only_udm.target.resource.name: Newly mapped `resource_name` raw log field to `event.idm.read_only_udm.target.resource.name` UDM field. - event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `ApiVersion` raw log field to `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field. - event.idm.read_only_udm.target.application: Newly mapped `app_name` raw log field to `event.idm.read_only_udm.target.application` UDM field. - event.idm.read_only_udm.principal.resource.product_object_id: Newly mapped `column13` raw log field to `event.idm.read_only_udm.principal.resource.product_object_id` UDM field. - event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `ENTITY_NAME`, `COUNTS_AGAINST_API_LIMIT` and `column14` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` UDM field. |
| 2025-01-30 | Enhancement:
- Mapped "region" to "principal.location.country_or_region". - Mapped "account" to "principal.user.userid". - Mapped "detail.payload.ConnectedAppId" to "additional.fields". - Mapped "detail.payload.Platform" to "additional.fields". - Mapped "detail.payload.Query" to "additional.fields". - Mapped "detail.payload.EvaluationTime" to "additional.fields". - Mapped "detail.payload.Operation" to "additional.fields". - Mapped "detail.payload.LoginHistoryId" to "additional.fields". - Mapped "detail.payload.CreatedById" to "additional.fields". - Mapped "detail.payload.SessionKey" to "additional.fields". - Mapped "detail.payload.ApiType" to "additional.fields". - Mapped "detail.payload.UserAgent" to "network.http.user_agent". - Mapped "detail.payload.Client" to "principal.asset.hostname". - Mapped "detail.payload.PolicyOutcome" to "security_result.detection_fields". - Mapped "detail.payload.EventIdentifier" to "additional.fields". - Mapped "detail.payload.RequestIdentifier" to "additional.fields". - Mapped "detail.payload.ApiVersion" to "additional.fields". - Mapped "detail.payload.RelatedEventIdentifier" to "additional.fields". - Mapped "detail.payload.Username" to "target.user.email_addresses". - Mapped "detail.payload.RowsProcessed" to "additional.fields". - Mapped "detail.payload.RowsReturned" to "additional.fields". - Mapped "detail.payload.SourceIp" to "principal.ip". - Mapped "detail.payload.UserId" to "target.user.userid". - Mapped "totalSize" to "additional.fields". - Mapped "done" to "additional.fields". - Mapped "detail.payload.CreatedDate" to "additional.fields". - Mapped "detail.payload.LoginKey" to "additional.fields". - Mapped "detail.payload.Application" to "additional.fields". - Mapped "detail.payload.PolicyId" to "additional.fields". - Mapped "detail.payload.QueriedEntities" to "additional.fields". - Mapped "detail.payload.SessionLevel" to "additional.fields". - Mapped "detail.schemaId" to "additional.fields". - Mapped "detail.id" to "target.resource.id". - Mapped "records_index.attributes.type" to "security_result.detection_fields". |
| 2025-01-21 | Enhancement:
- Mapped "column25" to "network.http.user_agent". - Mapped "column28" to "principal.ip" and "principal.asset.ip". - If "column24" contain "User-Agent", then mapped "column24" to "network.http.user_agent". Otherwise, mapped "column24" to "network.http.method". |
| 2025-01-15 | Enhancement:
- Mapped "Name" to "principal.user.user_display_name". - Mapped "Email" to "principal.user.email_addresses". - Mapped "FederationIdentifier" to "additional.fields". - Mapped "CreatedBy.Email" to "principal.user.email_addresses". - Mapped "CreatedBy.Name" to "principal.user.user_display_name". - Mapped "CreatedBy.FederationIdentifier" to "additional.fields". - Mapped "Section" to "additional.fields". - Mapped "DelegateUser" to "additional.fields". - Mapped "ResponsibleNamespacePrefix" to "additional.fields". - Mapped "CreatedByContext" to "additional.fields". - Mapped "CreatedByIssuer" to "additional.fields". - Mapped "Browser" to "additional.fields". - When "Platform" is nearly equal to "Windows", then mapped "principal.platform" to "WINDOWS". - When "Platform" is nearly equal to "Linux", then mapped "principal.platform" to "LINUX". - When "Platform" is nearly equal to "Mac", then mapped "principal.platform" to "MAC". - Mapped "Status" to "security_result.action_details". - Mapped "CountryIso" to "additional.fields". |
| 2025-01-10 | Enhancement:
- Added support for new pattern of "Login" and "LoginAs" logs. |
| 2025-01-09 | Enhancement:
- Mapped "payload.PreviousPageUrl" to "metadata.url_back_to_product". - Mapped "payload.OsVersion" to "principal.platform_version". - Mapped "payload.PreviousPageEntityId", "payload.SdkVersion", "payload.Operation", "payload.PageUrl", "HasEffectivePageTimeDeviation_label", "payload.EffectivePageTime", "payload.EffectivePageTimeDeviationReason", "payload.DeviceSessionId", "payload.PreviousPageAppName", and "payload.PreviousPageEntityType" to "additional.fields". - Mapped "payload.SessionKey" to "network.session_id". - Mapped "payload.UserAgent" to "network.http.user_agent". - Mapped "payload.RecordId" to "target.resource.id". - Mapped "payload.EventIdentifier" to "metadata.product_log_id". - Mapped "payload.OsName" to "principal.platform". |
| 2024-12-10 | Enhancement:
- Mapped "user_permission" to "principal.user.attribute.labels". |
| 2024-12-03 | Enhancement:
- Added support for new pattern of "Login" logs. |
| 2024-11-29 | Enhancement:
- Added support for a new format of JSON logs. |
| 2024-10-07 | Enhancement:
- Added "deactivateduser", "PermSetUnassign", and "PermSetAssign" as conditional check. |
| 2024-09-20 | Enhancement:
- Mapped "column9" to "metadata.product_log_id". - Mapped "column5" to "security_result.rule_author". - Mapped "column10" to "security_result.summary". - Mapped "column4" to "security_result.rule_name". |
| 2024-09-16 | Enhancement:
- Mapped "description" to "security_result.description". - Mapped "client_ip" to "principal.ip" and "principal.asset.ip". - Fixed mapping of "target_username" and "tls_protocol". |
| 2024-07-08 | Enhancement:
- Mapped "domain" to "target.administrative_domain". - Mapped "user_display" to "principal.user.userid". - Mapped "section" to "additional.fields". - Fixed the mapping to parse all fields. |
| 2024-06-04 | Enhancement:
- Added support for newly ingested logs. |
| 2024-03-06 | Enhancement:
- Changed mapping of the field "Id" from "metadata.product_log_id" to "principal.user.userid". - Changed mapping of the field "CreatedById" from "principal.user.userid" to "principal.resource.attribute.labels". - Mapped "IsDeleted" to "principal.resource.attribute.labels". - Mapped "LogFileLength" to "principal.resource.attribute.labels". - Mapped "LogFileContentType" to "principal.resource.attribute.labels". - Mapped "ApiVersion" to "principal.resource.attribute.labels". - Mapped "LogFile" to "principal.resource.attribute.labels". |
| 2023-02-24 | Enhancement-
- "security_result.action" mapped to ALLOW instead of BLOCK if the action is "LOGIN_NO_ERROR". - For "Login" events : - "action" mapped to "security_result.action". - "target_user_name" mapped to "target.user.userid". - "tls_protocol" mapped to "network.tls.version_protocol". - "cipher_suite" mapped to "network.tls.cipher". - Added "on_error" check for "OsVersion" and "date" block. |
| 2022-12-13 | Enhancement-
-Mapped "LoginType" to "security_result.description". -Mapped "LoginUrl" to "principal.url". -Added empty check for "ApiType" and "LoginGeo.City". |
| 2022-09-02 | Enhancement-
Migrated the custom parsers into default parser. |
| 2022-07-04 | Enhancement-
- Enhanced the parser to parse the logs having event_type 'LoginHistory'. - Added condition to parse different formats of timestamp. - Added condition for event_type 'USER_UNCATEGORIZED' where 'user_id' or 'UserId' or 'target_user_name' is not null. - Added validation for parsing src_ip. |
| 2022-04-18 | Enhancement-Modified mapping for DOWNLOAD_FORMAT from 'metadata.ingestion_labels' to 'target.resource.attribute.labels'.
|
| 2022-03-30 | Enhancement-Changed event_type for 'LoginEventStream' to USER_LOGIN.
Corrected mapping for the fields DOWNLOAD_FORMAT and ConnectedAppId. Added mappings for certain fields when log is of type LoginEventStream, WaveDownload, ApiEventStream. |