Change log for SYMANTEC_MAIL
| Date | Changes |
|---|---|
| 2025-12-22 | Enhancement:<br>- Added a grok pattern to parse the new log formats.<br>- Newly mapped the `hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- Newly mapped the `process` raw log field to the `event.idm.read_only_udm.principal.process.file.names` UDM field.<br>- Newly mapped the `pid` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field.<br>- Newly mapped the `tag` raw log field to the `event.idm.read_only_udm.metadata.product_event_type` UDM field.<br>- Newly mapped the `loglevel` raw log field to the `event.idm.read_only_udm.security_result.severity` UDM field.<br>- Newly mapped the `log_id` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- Newly mapped the `internal_id`, `ruleset`, `ttl`, `source`, `allow_redirect`, `transaction_id`, `component`, and `msg_code` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Newly mapped the `url` raw log field to the `event.idm.read_only_udm.target.url` UDM field.<br>- Newly mapped the `status` raw log field to the `event.idm.read_only_udm.network.http.response_code` UDM field.<br>- Newly mapped the `description` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- Newly mapped the `priority` raw log field to the `event.idm.read_only_udm.metadata.ingestion_labels` UDM field.<br>- Newly mapped the `timestamp` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2025-03-14 | - Newly created parser.<br>- Mapped `emailInfo.xMsgRef` to `metadata.product_log_id`.<br>- Mapped `emailInfo.longMsgRef`, `emailInfo.messageId`, `emailInfo.isOutbound`, `emailInfo.HELOString`, `emailInfo.authResults.raw_header`, `emailInfo.authResults.dkim`, `emailInfo.authResults.dkim_signing_domain`, `emailInfo.authResults.spf`, `emailInfo.authResults.dmarc`, `emailInfo.authResults.dmarc_policy`, `emailInfo.authResults.dmarc_override_action`, `emailInfo.tlsInfo.tlsAdvertised`, `emailInfo.tlsInfo.tlsUsed`, `emailInfo.tlsInfo.tlsKeyLength`, `emailInfo.tlsInfo.tlsFallbackReason`, `emailInfo.tlsInfo.tlsForwardSecrecy`, `emailInfo.tlsInfo.tlsNegotiationFailed`, `emailInfo.messageSize`, `emailInfo.avQuarantinePenId`, `emailInfo.rawHeaderFrom`, `emailInfo.headerReplyTo`, `emailInfo.newDomainAge`, `emailInfo.timeInCynicSandboxMs`, and `incidents` to `additional.fields`.<br>- Mapped `emailInfo.subject` to `network.email.subject`.<br>- Mapped `emailInfo.envFrom` to `principal.user.email_addresses`.<br>- Mapped `emailInfo.headerFrom` to `network.email.from`.<br>- Mapped `emailInfo.envTo` to `network.email.to`.<br>- Mapped `emailInfo.headerTo` to `network.email.to`.<br>- Mapped `emailInfo.senderMailserver` to `principal.hostname`.<br>- Mapped `emailInfo.filesAndLinks` to the `about` field.<br>- Mapped `file.urlCategories` to `about.labels`.<br>- Mapped `file.urlRiskScore` to `about.labels`.<br>- Mapped `emailInfo.tlsInfo.tlsPolicy` to `network.tls.version`.<br>- Mapped `emailInfo.tlsInfo.tlsProtocol` to `network.tls.version_protocol`.<br>- Mapped `emailInfo.tlsInfo.tlsCipher` to `network.tls.cipher`.<br>- Mapped `emailInfo.senderIp` to `principal.ip`.<br>- Mapped `emailInfo.senderMailserver` to `network.tls.client.server_name`.<br>- Mapped `emailInfo.country` to `principal.location.country_or_region`. |