Change log for TRENDMICRO_VISION_ONE_WORKBENCH

Date Changes
2026-01-21 Enhancement:
- `event.idm.read_only_udm.principal.user.user_display_name`: Removed the direct mapping of `entity.entityValue` to the `event.idm.read_only_udm.principal.user.user_display_name` UDM field. When `entity.entityType` is equal to `account` and `entity.entityValue` is in the format `domain\\user`, the domain value is now mapped to the `event.idm.read_only_udm.principal.user.user_display_name` UDM field and the user value to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.principal.user.user_display_name`: Mapped the `domain_value` raw log field to the `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Removed the direct mapping of `entity.entityId` to the `event.idm.read_only_udm.principal.user.userid` UDM field. When `entity.entityType` is equal to `account` and `entity.entityValue` is in the format `domain\\user`, the domain value is now mapped to the `event.idm.read_only_udm.principal.user.user_display_name` UDM field and the user value to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Mapped the `user_id_value` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Mapped the `entity.entityValue` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field to capture the account user identifier when `entity.entityType` is equal to `account` and `entity.entityValue` is not in the format `domain\\user`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped the `impactScope.cloudWorkloadCount` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `indicator.value`, `indicator.value.name`, `indicator.value.guid`, `indicator.value.ips` and `ownerIds` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: Updated the conditional check so that `event.idm.read_only_udm.metadata.event_type` is mapped to `USER_UNCATEGORIZED` if (`has_user` is "true" and `has_principal_email` is "true") or `has_principal_user_id` is "true".
2025-12-12 Enhancement:
- Added logic that maps `entity.entityValue.name` to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` when the value is an IP address. If it is not an IP address, the first entity's name is mapped to `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` (format: "%{entity.entityValue.name}"), while subsequent entity names go to `event.idm.read_only_udm.principal.resource.attribute.labels` (key: "hostname: %{index}").
- event.idm.read_only_udm.principal.ip: Newly mapped `entity.entityValue.name` raw log field to `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `entity.entityValue.name` raw log field to `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `entity.entityId`, `entity.managementScopeGroupId`, `entity.managementScopeInstanceId` and `entity.managementScopePartitionKey` raw log field to `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `entity.entityId` raw log field to `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `entity.relatedEntities`, `entity.relatedIndicatorIds`, `entity.provenance`, `indicator.id`, `indicator.relatedEntities`, `indicator.filterIds`, `indicator.provenance`, `filter.id`, `filter.name`, `filter.matchedDateTime`, `matchedEvent.uuid`, `matchedEvent.matchedDateTime` and `matchedEvent.type` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `impactScope.desktopCount`, `impactScope.serverCount`, `impactScope.accountCount`, `impactScope.emailAddressCount`, `impactScope.containerCount` and `impactScope.cloudIdentityCount` raw log field to `event.idm.read_only_udm.additional.fields` UDM field.
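The following is an added reference model of the entity-to-principal rules described in the 2026-01-21 and 2025-12-12 entries (account `domain\user` splitting, IP versus hostname handling, and the non-empty check from 2025-05-13). It is not the parser's own code: the real parser is a Logstash-style configuration, and this Python models only the decision logic so an analyst can predict where a given `impactScope` entity will land in UDM. Assumptions: the `domain\\user` format denotes a single-backslash separator, non-account entities carry an object `entityValue` with a `name` key, and the `%{index}` in the label key is the entity's zero-based position in the entity list. The sample entities are constructed for the example.

```python
import ipaddress
import json
import re

# Assumed: one backslash separates domain and user ("CORP\alice").
DOMAIN_USER_RE = re.compile(r"^([^\\]+)\\([^\\]+)$")


def is_ip(value: str) -> bool:
    """True if value is a syntactically valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_domain_user(value: str):
    """Return (domain, user) for 'domain\\user'; otherwise (None, value)."""
    m = DOMAIN_USER_RE.match(value)
    if m:
        return m.group(1), m.group(2)
    return None, value


def map_entities(entities: list) -> dict:
    """Map impactScope-style entities onto the principal portion of a UDM event."""
    principal = {"user": {}, "asset": {}, "resource": {"attribute": {"labels": []}}}
    labels = principal["resource"]["attribute"]["labels"]
    ips = []
    have_hostname = False

    for index, entity in enumerate(entities):
        etype = entity.get("entityType")
        value = entity.get("entityValue")

        if etype == "account" and isinstance(value, str) and value:
            # 2026-01-21: "domain\user" -> user_display_name / userid,
            # any other account value -> userid only.
            domain, user = split_domain_user(value)
            if domain is not None:
                principal["user"]["user_display_name"] = domain
            principal["user"]["userid"] = user

        elif isinstance(value, dict):  # assumed shape for host-like entities
            name = value.get("name") or ""
            if not name:
                continue  # 2025-05-13: never populate hostname from an empty name
            if is_ip(name):
                ips.append(name)  # 2025-12-12: IP literals go to principal.ip
            elif not have_hostname:
                principal["hostname"] = name
                principal["asset"]["hostname"] = name
                have_hostname = True
            else:
                # Later non-IP names become labels keyed by their index (assumed
                # to be the zero-based list position).
                labels.append({"key": f"hostname: {index}", "value": name})

    if ips:
        principal["ip"] = list(ips)
        principal["asset"]["ip"] = list(ips)
    return principal


# Constructed sample entities, not a real Workbench alert.
SAMPLE_ENTITIES = [
    {"entityType": "account", "entityValue": "CORP\\alice"},
    {"entityType": "host", "entityValue": {"name": "10.0.0.5", "ips": ["10.0.0.5"]}},
    {"entityType": "host", "entityValue": {"name": "ws-01"}},
    {"entityType": "host", "entityValue": {"name": "ws-02"}},
    {"entityType": "host", "entityValue": {"name": ""}},
]

if __name__ == "__main__":
    print(json.dumps(map_entities(SAMPLE_ENTITIES), indent=2))
```

Running the block prints the principal block for the sample: the account splits into `user_display_name` "CORP" and `userid` "alice", the IP literal lands in `principal.ip` and `principal.asset.ip`, `ws-01` becomes the hostname, `ws-02` becomes a `hostname: 3` label, and the empty name is dropped.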
2025-08-14 Enhancement:
- event.idm.read_only_udm.security_result.detection_fields: Changed mapping for `event.idm.read_only_udm.security_result.detection_fields.key` from `indicator.type` to `indicator.field` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Changed mapping for `event.idm.read_only_udm.security_result.detection_fields.key` from `field` to `type` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Changed mapping for `event.idm.read_only_udm.security_result.detection_fields.value` from `indicator.field` to `indicator.type` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `alertProvider` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `schemaVersion` raw log field(s) with `event.idm.read_only_udm.metadata.product_version` UDM field when schemaVersion is not empty.
- event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field(s) with `event.idm.read_only_udm.security_result.severity` UDM field when severity is one of "CRITICAL", "HIGH", "MEDIUM", or "LOW".
- event.idm.read_only_udm.network.email.mail_id: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.network.email.mail_id` UDM field when `indicator.type` is "email_message_id" and has_email_message_id is "false".
- event.idm.read_only_udm.network.email.subject: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.network.email.subject` UDM field when `indicator.type` is "email_subject".
- event.idm.read_only_udm.about.url: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.about.url` UDM field when `indicator.type` is "url" and has_url is "false".
- event.idm.read_only_udm.principal.user.userid: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.user.userid` UDM field when `indicator.type` is "user_account" and has_user is "false".
- event.idm.read_only_udm.principal.process.command_line: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.process.command_line` UDM field when `indicator.type` is "command_line", `indicator.field` is "processCmd", and has_principal_process is "false".
- event.idm.read_only_udm.principal.process.parent_process.command_line: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.process.parent_process.command_line` UDM field when `indicator.type` is "command_line", `indicator.field` is "parentCmd", and has_parent_process is "false".
- event.idm.read_only_udm.target.process.command_line: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.target.process.command_line` UDM field when `indicator.type` is "command_line", `indicator.field` is "objectCmd", and has_target_process is "false".
- event.idm.read_only_udm.principal.process.file.sha256: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.process.file.sha256` UDM field when `indicator.type` is "file_sha256", `indicator.field` is "processFileHashSha256", has_principal_sha256 is "false", and `indicator.value` matches the regex `^[0-9a-f]+$`.
- event.idm.read_only_udm.about.file.full_path: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.about.file.full_path` UDM field when `indicator.type` is "fullpath".
- event.idm.read_only_udm.principal.user.email_addresses: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.user.email_addresses` UDM field when `indicator.type` is "email_sender".
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `modelId` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `modelType` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `incidentId` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.metadata.event_type: Updated to map `USER_UNCATEGORIZED` when `has_user` is "true" and `has_principal_email` is "true".
2025-07-31 Enhancement:
- Added a new grok pattern to parse the IP address from the raw log field `src_ip`.
2025-05-13 Enhancement:
- Added a condition to check if `entity.entityValue.name` is not empty before populating `principal.hostname` and `principal.asset.hostname` UDM fields.
2024-10-27 - Newly created parser.