Change log for SANGFOR_NGAF

Date Changes
2026-05-08 Enhancement:
- Added new grok pattern to support new format of CEF logs.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `json_entry.appname`, `json_entry.facility`, `json_entry.priority`, `json_entry.proc_id`, `SessionType`, `SourceSystem`, `app`, `group` and `TimeCreated` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `PolicyUUID`, `SessionEndCause` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.principal.location.name`: Newly mapped `SrcZone` raw log field with `event.idm.read_only_udm.principal.location.name` UDM field.
- `event.idm.read_only_udm.target.location.name`: Newly mapped `DstZone` raw log field with `event.idm.read_only_udm.target.location.name` UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `start` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.metadata.collected_timestamp`: Newly mapped `end` raw log field with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: If `principal_machine_id_present` is "true" and `target_machine_id_present` is "true", set the value of `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION`.
2025-10-17 Enhancement:
- Pre-processing of the 'kv_data' field was added using gsub to normalize keys and delimiters.
- New grok patterns were added to parse 'ResourceAudit' and 'UserAudit' messages.
- 'event.idm.read_only_udm.principal.user.userid': Newly mapped 'ra_user', 'ua_user', 'username_from_desc' raw log fields with 'event.idm.read_only_udm.principal.user.userid' UDM field.
- 'event.idm.read_only_udm.principal.ip': Newly mapped 'ra_ip', 'ua_ip' raw log fields with 'event.idm.read_only_udm.principal.ip' UDM field.
- 'event.idm.read_only_udm.target.hostname': Newly mapped 'hostname' raw log field with 'event.idm.read_only_udm.target.hostname' UDM field.
- 'event.idm.read_only_udm.target.asset.hostname': Newly mapped 'hostname' raw log field with 'event.idm.read_only_udm.target.asset.hostname' UDM field.
- 'event.idm.read_only_udm.target.ip': Newly mapped 'ra_target_ip' raw log field with 'event.idm.read_only_udm.target.ip' UDM field.
- 'event.idm.read_only_udm.additional.fields': Newly mapped 'System' raw log field with 'event.idm.read_only_udm.additional.fields' UDM field.
- 'event.idm.read_only_udm.principal.process.pid': Newly mapped 'pid' raw log field with 'event.idm.read_only_udm.principal.process.pid' UDM field.
- 'event.idm.read_only_udm.metadata.description': Newly mapped 'ra_description' raw log field with 'event.idm.read_only_udm.metadata.description' UDM field.
- 'event.idm.read_only_udm.security_result.action': Conditionally mapped from 'ua_action' and 'ua_status' raw log fields to 'event.idm.read_only_udm.security_result.action' UDM field.
- 'event.idm.read_only_udm.security_result.action_details': Conditionally mapped from 'ra_status' raw log field to 'event.idm.read_only_udm.security_result.action_details' UDM field.
2024-01-31 - Newly created parser.