Change log for SANGFOR_NGAF
| Date | Changes |
|---|---|
| 2025-10-17 | Enhancement:<br>- Pre-processing of the 'kv_data' field was added using gsub to normalize keys and delimiters.<br>- New grok patterns were added to parse 'ResourceAudit' and 'UserAudit' messages.<br>- 'event.idm.read_only_udm.principal.user.userid': Newly mapped 'ra_user', 'ua_user', 'username_from_desc' raw log fields to the 'event.idm.read_only_udm.principal.user.userid' UDM field.<br>- 'event.idm.read_only_udm.principal.ip': Newly mapped 'ra_ip', 'ua_ip' raw log fields to the 'event.idm.read_only_udm.principal.ip' UDM field.<br>- 'event.idm.read_only_udm.target.hostname': Newly mapped 'hostname' raw log field to the 'event.idm.read_only_udm.target.hostname' UDM field.<br>- 'event.idm.read_only_udm.target.asset.hostname': Newly mapped 'hostname' raw log field to the 'event.idm.read_only_udm.target.asset.hostname' UDM field.<br>- 'event.idm.read_only_udm.target.ip': Newly mapped 'ra_target_ip' raw log field to the 'event.idm.read_only_udm.target.ip' UDM field.<br>- 'event.idm.read_only_udm.additional.fields': Newly mapped 'System' raw log field to the 'event.idm.read_only_udm.additional.fields' UDM field.<br>- 'event.idm.read_only_udm.principal.process.pid': Newly mapped 'pid' raw log field to the 'event.idm.read_only_udm.principal.process.pid' UDM field.<br>- 'event.idm.read_only_udm.metadata.description': Newly mapped 'ra_description' raw log field to the 'event.idm.read_only_udm.metadata.description' UDM field.<br>- 'event.idm.read_only_udm.security_result.action': Conditionally mapped from 'ua_action' and 'ua_status' raw log fields to the 'event.idm.read_only_udm.security_result.action' UDM field.<br>- 'event.idm.read_only_udm.security_result.action_details': Conditionally mapped from 'ra_status' raw log field to the 'event.idm.read_only_udm.security_result.action_details' UDM field. |
| 2024-01-31 | - Newly created parser. |
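The 2025-10-17 entry describes three steps: a gsub pass that normalizes keys and delimiters in 'kv_data', pattern extraction of the audit fields, and conditional mapping into the UDM fields listed above. The Python below is an added illustration of that pipeline, not the parser's own gsub/grok configuration, which the page does not show. The layout of the two sample 'kv_data' values, the normalization rules, the use of key/value splitting in place of grok, and the rule that turns 'ua_status' into ALLOW or BLOCK are all assumptions made for the example; only the raw and UDM field names come from the change log.

```python
import re

# Constructed sample 'kv_data' values. Their layout is an assumption; the page
# does not show a raw Sangfor NGAF record.
SAMPLE_USER_AUDIT = "UA User = jdoe; UA IP=10.0.0.5 ;UA Action=login;UA Status=Success"
SAMPLE_RESOURCE_AUDIT = (
    "ra_user=asmith, ra_ip=10.0.0.9, ra_target_ip=192.0.2.10, "
    "ra_status=denied, ra_description=blocked by policy"
)


def normalize_kv(kv_data: str) -> str:
    """Stand-in for the gsub pre-processing step (assumed rules):
    unify ';' and ',' delimiters to '|', trim whitespace around '=',
    and lower-case keys with spaces replaced by underscores."""
    text = re.sub(r"\s*[;,]\s*", "|", kv_data.strip())
    text = re.sub(r"\s*=\s*", "=", text)
    text = re.sub(
        r"(^|\|)([^|=]+)=",
        lambda m: m.group(1) + m.group(2).strip().lower().replace(" ", "_") + "=",
        text,
    )
    return text


def parse_kv(normalized: str) -> dict:
    """Split the normalized string into raw log fields (replaces the grok step
    for this illustration; the real parser uses grok patterns)."""
    fields = {}
    for pair in normalized.split("|"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _first(fields: dict, *names: str):
    """Return the first non-empty raw field among the candidates."""
    for name in names:
        if fields.get(name):
            return fields[name]
    return None


def to_udm(fields: dict) -> dict:
    """Apply the mappings listed in the change log. Keys are UDM paths relative
    to event.idm.read_only_udm."""
    udm = {}

    def put(path, value):
        if value is not None:
            udm[path] = value

    put("principal.user.userid", _first(fields, "ra_user", "ua_user", "username_from_desc"))
    put("principal.ip", _first(fields, "ra_ip", "ua_ip"))
    put("target.hostname", fields.get("hostname"))
    put("target.asset.hostname", fields.get("hostname"))
    put("target.ip", fields.get("ra_target_ip"))
    put("principal.process.pid", fields.get("pid"))
    put("metadata.description", fields.get("ra_description"))
    if "system" in fields:  # 'System' lower-cased by normalize_kv
        udm["additional.fields"] = {"System": fields["system"]}

    # Conditional mapping. The page only says the action is derived from
    # ua_action/ua_status; the success -> ALLOW, otherwise BLOCK rule is assumed.
    if "ua_action" in fields or "ua_status" in fields:
        status = fields.get("ua_status", "").lower()
        udm["security_result.action"] = "ALLOW" if status in ("success", "succeeded") else "BLOCK"
    if "ra_status" in fields:
        udm["security_result.action_details"] = fields["ra_status"]
    return udm


def parse_record(kv_data: str) -> dict:
    """Full pipeline: normalize -> extract raw fields -> map to UDM."""
    return to_udm(parse_kv(normalize_kv(kv_data)))


if __name__ == "__main__":
    for sample in (SAMPLE_USER_AUDIT, SAMPLE_RESOURCE_AUDIT):
        print(normalize_kv(sample))
        print(parse_record(sample))
```

Running the module prints the normalized form of each sample followed by its UDM mapping; a 'UserAudit'-style record yields a principal.user.userid and a security_result.action, while a 'ResourceAudit'-style record yields target.ip, metadata.description and security_result.action_details instead, matching the conditional mappings in the entry.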