Change log for UMBRELLA_IP
| Date | Changes |
|---|---|
| 2025-10-07 | Enhancement:<br>- Modified the conditional check for mapping `column15` so that it parses correctly into the `event.idm.read_only_udm.security_result.about.file.sha256` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `column3` raw log field to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `column4` and `column5` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.network.ip_protocol`: Newly mapped the `column11` raw log field to the `event.idm.read_only_udm.network.ip_protocol` UDM field.<br>- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `column15` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped the `column22` raw log field to the `event.idm.read_only_udm.security_result.rule_name` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `column13` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- Added conditional checks on the `pattern_unmatched` and `pattern_not_matched` data fields before the final merge of the `security_result` variable into the `event.idm.read_only_udm.security_result` UDM field.<br>- Refactored parser logic to handle cases where `column3`, `column4`, and `column5` do not contain IP addresses by mapping them to alternative UDM fields.<br>- Refactored parser logic to extract an IP address from `column13` and map it to the principal IP fields.<br>- Refactored parser logic to extract an IP address from `column15` and map it to the target IP fields when the value is not a SHA-256 hash. |
| 2025-08-07 | Enhancement:<br>- Removed unnecessary initialization of variables so that the fields are populated correctly. |
| 2025-02-27 | Enhancement:<br>- Added support for parsing previously unparsed CSV logs. |
| 2022-08-22 | Enhancement:<br>- Mapped the field `action` to `security_result.action` and `security_result.action_details`.<br>- Added a grok pattern for the field `query_type` and mapped it to `network.dns.questions.type`.<br>- Mapped the field `domain` to `network.dns.questions.name`.<br>- Mapped `DNS` to `network.application_protocol`.<br>- Mapped the field `response_code` to `network.dns.response_code`.<br>- Mapped `security_result.category` to `NETWORK_MALICIOUS` where the field `categories` contains `Malware`, and to `NETWORK_SUSPICIOUS` where `categories` contains `Potentially Harmful`.<br>- Mapped the field `categories` to `security_result.category_details`. |