Change log for SUBLIMESECURITY
| Date | Changes |
|---|---|
| 2025-12-22 | - "event.idm.read_only_udm.metadata.event_timestamp": Newly mapped "headers.date" raw log field with "event.idm.read_only_udm.metadata.event_timestamp" UDM field.
- "event.idm.read_only_udm.network.email.from": Newly mapped "headers.from.email.email" raw log field with "event.idm.read_only_udm.network.email.from" UDM field. - "event.idm.read_only_udm.principal.user.email_addresses": Newly mapped "headers.from.email.email" raw log field with "event.idm.read_only_udm.principal.user.email_addresses" UDM field. - "event.idm.read_only_udm.network.email.to": Newly mapped "recipients.to.email.email" raw log field with "event.idm.read_only_udm.network.email.to" UDM field. - "event.idm.read_only_udm.target.user.email_addresses": Newly mapped "recipients.to.email.email", "recipients.cc.email.email" raw log fields with "event.idm.read_only_udm.target.user.email_addresses" UDM field. - "event.idm.read_only_udm.network.email.cc": Newly mapped "recipients.cc.email.email" raw log field with "event.idm.read_only_udm.network.email.cc" UDM field. - "event.idm.read_only_udm.network.email.subject": Newly mapped "subject.subject" raw log field with "event.idm.read_only_udm.network.email.subject" UDM field. - "event.idm.read_only_udm.network.email.mail_id": Newly mapped "headers.message_id" raw log field with "event.idm.read_only_udm.network.email.mail_id" UDM field. - "event.idm.read_only_udm.network.email.reply_to": Newly mapped "headers.return_path.email" raw log field with "event.idm.read_only_udm.network.email.reply_to" UDM field. - "event.idm.read_only_udm.principal.ip": Newly mapped "headers.auth_summary.spf.details.client_ip.ip" raw log field with "event.idm.read_only_udm.principal.ip" UDM field. - "event.idm.read_only_udm.security_result.detection_fields": Newly mapped "headers.auth_summary.dmarc.details.policy" raw log field with "event.idm.read_only_udm.security_result.detection_fields" UDM field. - "event.idm.read_only_udm.intermediary": Newly mapped "hop.received.source.raw", "hop.received.server.raw" raw log fields with "event.idm.read_only_udm.intermediary" UDM field. 
- "event.idm.read_only_udm.about.url": Newly mapped "link.href_url.url" raw log field with "event.idm.read_only_udm.about.url" UDM field. - "event.idm.read_only_udm.metadata.product_log_id": Newly mapped "_meta.id" raw log field with "event.idm.read_only_udm.metadata.product_log_id" UDM field. - "event.idm.read_only_udm.additional.fields": Newly mapped "_meta.canonical_id" raw log field with "event.idm.read_only_udm.additional.fields" UDM field. - "event.idm.read_only_udm.about": Newly mapped "about" field with "event.idm.read_only_udm.about" UDM field. - "event.idm.read_only_udm.security_result": Newly mapped "security_result2" field with "event.idm.read_only_udm.security_result" UDM field. - "event.idm.read_only_udm.metadata.event_type": Set to "EMAIL_TRANSACTION". - Added a Grok pattern to parse the "hop_source" raw log field into "host" and "ip" temporary fields. - Set "event.idm.read_only_udm.network.application_protocol" to "SMTP". - Added mutate { merge => { "@output" => "event" } } at the end of the new conditional block for "headers" and "body". |
| 2025-03-27 | - Mapped "flagged_id" to "security_result.ruleid".
- Mapped "flagged_name" to "security_result.rule_name". - Mapped "flagged_severity" to "security_result.severity". - Mapped "canonical_id", "external_id", "mailbox_external_id", "mailbox_id", "start", "end", "key", and "message_source_id" to "additional.fields". - Mapped "message_id" to "metadata.product_log_id". - Mapped "eventdata.type" to "metadata.product_event_type". - Mapped "tags" to "security_result.detection_fields". - Mapped "eventdata.created_at" to "metadata.event_timestamp". |