Change log for SOLARIS_SYSTEM
| Date | Changes |
|---|---|
| 2025-10-22 | Enhancement:<br>- `event.idm.read_only_udm.principal.ip`: Removed mapping of `dvc` from the `event.idm.read_only_udm.principal.ip` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.target.ip` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.principal.asset.ip`: Removed mapping of `dvc` from the `event.idm.read_only_udm.principal.asset.ip` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.target.asset.ip` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.principal.hostname`: Removed mapping of `dvc` from the `event.idm.read_only_udm.principal.hostname` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.target.hostname`: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.target.hostname` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.target.asset.hostname`: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.target.asset.hostname` UDM field when the `message` field contains "Accepted password for", since the log is a login event.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `proto` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-09-30 | Enhancement:<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `auid`, `op`, `algo`, `size`, and `fp` raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped `acct_username` to the `event.idm.read_only_udm.target.user.userid` UDM field.<br>- `event.idm.read_only_udm.src.ip`: Removed mapping of `srcIp` from the `event.idm.read_only_udm.src.ip` UDM field in order to introduce a more accurate mapping for the raw log field.<br>- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `srcIp` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.src.port`: Removed mapping of `srcPort` from the `event.idm.read_only_udm.src.port` UDM field in order to introduce a more accurate mapping for the raw log field.<br>- `event.idm.read_only_udm.principal.port`: Newly mapped the `srcPort` raw log field to the `event.idm.read_only_udm.principal.port` UDM field.<br>- Added a Grok pattern to parse a new log format.<br>- Set `event.idm.read_only_udm.metadata.event_type` to `USER_LOGIN` for successful login events. |
| 2025-04-10 | Enhancement:<br>- Added Grok patterns to support a new syslog log format.<br>- Added Grok patterns to parse IP addresses into the correct fields.<br>- `event.idm.read_only_udm.target.ip`, `event.idm.read_only_udm.target.asset.ip`: Removed mapping of `HOST` from the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: Mapped the `HOST` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.target.url`: Newly mapped the `target_url` raw log field to the `event.idm.read_only_udm.target.url` UDM field.<br>- Added a null conditional check before mapping `desc` to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: Set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION` if both `dstIp` and `prin_ip` are present. |
| 2025-04-08 | Enhancement:<br>- Added Grok patterns to parse a new log format.<br>- `metadata.event_timestamp`: Newly mapped the `ts` raw log field to the `metadata.event_timestamp` UDM field. |
| 2024-12-29 | Enhancement:<br>- Added support for a new syslog log format.<br>- Mapped `prin_ip` to `principal.ip`. |
| 2024-12-06 | Enhancement:<br>- Added support for a new syslog log format. |
| 2024-04-05 | Enhancement:<br>- Mapped `targetDisplayName` to `target.user.user_display_name`.<br>- When `process` is `sudo`, mapped `user` to `principal.user.user_display_name`. |
| 2024-02-13 | Newly created parser. |