Change log for SERVICENOW_AUDIT
| Date | Changes |
|---|---|
| 2025-11-14 | Enhancement:<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `sys_created_on` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `sys_id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `parm2` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped `parm2` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `user_id`, `parm1`, and `parm2` raw log fields with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `user_name` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `user_id` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `claimed_by` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.<br>- `event.idm.read_only_udm.target.hostname`: Newly mapped `claimed_by` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `claimed_by_data` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped `instance` raw log field with `event.idm.read_only_udm.target.resource.name` UDM field.<br>- `event.idm.read_only_udm.target.url`: Newly mapped `uri` raw log field with `event.idm.read_only_udm.target.url` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `system_property`, `name`, `derived_priority`, `sys_mod_count`, `partition`, `processing_duration`, `state`, `descriptive_name`, `process_on`, `processed`, `queue`, `sys_updated_on`, `sys_updated_by`, `sys_created_by`, and `table` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: If `desc` contains `login`, or `name` is `session.established` or `login`, and a user is present, updated to `USER_LOGIN`.<br>- `event.idm.read_only_udm.metadata.event_type` and `event.idm.read_only_udm.extensions.auth.type`: If `name` is `logout` or `session.terminated` and a user is present, updated to `USER_LOGOUT` and `event.idm.read_only_udm.extensions.auth.type` to `AUTHTYPE_UNSPECIFIED`.<br>- `event.idm.read_only_udm.metadata.event_type`: If a user is present and the event is neither a login nor a logout, updated to `USER_UNCATEGORIZED`. |
| 2025-05-21 | Enhancement:<br>- Added a Grok pattern to support SYSLOG logs.<br>- Extracted the `User` from the log using the Grok pattern and mapped it to `event.idm.read_only_udm.principal.user.userid`.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped `statprin_ipus` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `statprin_ipus` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `exportByteSize` and `exportRecordCount` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.<br>- Set `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE` when `event.idm.read_only_udm.principal.ip` is populated. |
| 2025-05-16 | Enhancement:<br>- Added a Grok pattern to support SYSLOG logs.<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped `status` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- If `status` is equal to `successful`, set `security_result_action` to `ALLOW`.<br>- If `status` is equal to `failure`, set `security_result_action` to `BLOCK`.<br>- `event.idm.read_only_udm.security_result.action`: Newly mapped `security_result_action` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.<br>- `event.idm.read_only_udm.security_result`: Newly merged `security_result` into `event.idm.read_only_udm.security_result` UDM field. |
| 2025-01-15 | - Newly created parser |
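The following is an added reference model of the `event_type`, `auth.type` and `security_result.action` rules from the 2025-11-14 and 2025-05-16 entries, written here for validating parser output against fixtures; it is not the parser's own code. It assumes that user presence gates every `event_type` branch (the page's "a user is present" condition, read as applying to the `desc` check as well), that "user present" means a non-empty `user_id`, and that the sample records are constructed.

```python
"""Reference model of the event-classification rules in this change log."""

# Constructed sample records (not real ServiceNow exports); only the raw
# fields that the change log's rules consult are included.
SAMPLE_RECORDS = [
    {"sys_id": "c1", "name": "session.established", "user_id": "alice", "desc": ""},
    {"sys_id": "c2", "name": "logout", "user_id": "alice", "desc": ""},
    {"sys_id": "c3", "name": "sys_user.update", "user_id": "bob", "desc": "record updated"},
    {"sys_id": "c4", "name": "session.established", "user_id": "", "desc": ""},
    {"sys_id": "c5", "name": "export", "user_id": "", "status": "successful"},
    {"sys_id": "c6", "name": "export", "user_id": "", "status": "failure"},
]

LOGIN_NAMES = {"session.established", "login"}
LOGOUT_NAMES = {"logout", "session.terminated"}


def user_present(record):
    """Assumption: a user is present when the raw user_id field is non-empty."""
    return bool(record.get("user_id"))


def derive_event_type(record):
    """2025-11-14 rules. Returns None when no rule applies (no user present);
    the change log does not state a fallback, so none is invented here."""
    if not user_present(record):
        return None
    name = record.get("name", "")
    desc = record.get("desc", "")
    if "login" in desc.lower() or name in LOGIN_NAMES:
        return "USER_LOGIN"
    if name in LOGOUT_NAMES:  # checked before the catch-all below
        return "USER_LOGOUT"
    return "USER_UNCATEGORIZED"


def derive_auth_type(record):
    """auth.type is only set for logouts, per the 2025-11-14 entry."""
    return "AUTHTYPE_UNSPECIFIED" if derive_event_type(record) == "USER_LOGOUT" else None


def derive_security_action(record):
    """2025-05-16 rules: status drives security_result.action."""
    return {"successful": "ALLOW", "failure": "BLOCK"}.get(record.get("status"))


def normalize(record):
    """Collect the derived UDM fields for one raw record."""
    return {
        "metadata.product_log_id": record.get("sys_id"),
        "metadata.event_type": derive_event_type(record),
        "extensions.auth.type": derive_auth_type(record),
        "security_result.action": derive_security_action(record),
    }
```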