Change log for WIZ_IO

Date Changes
2025-10-24 Enhancement:
- `event.idm.read_only_udm.additional.fields`: Newly mapped `record.trigger.source`, `record.cloudOrganizations`, `record.trigger.type`, `record.triggeringEventsCount`, `record.trigger.updatedFields`, `record.control.risks`, `record.resource.cloudPlatform`, `record.control.name`, `record.DetectionURL`, `record.threatURL`, `record.id`, `record.tdrId`, `record.tdrSource`, `mitreTactic`, `mitreTechniques`, `cloudAccounts.cloudPlatform`, `cloudAccounts.externalId`, `cloudAccounts.id`, `cloudAccounts.name`, `triggeringEvent.source`, `record.PrimaryResource.cloudAccount.cloudPlatform`, `record.PrimaryResource.externalId`, `record.primaryResource.nativeType`, `record.PrimaryResource.cloudAccount.id`, `record.PrimaryResource.providerUniqueId`, `record.PrimaryResource.status`, `record.PrimaryResource.VCSRepository`, `record.PrimaryResource.cloudOrganization`, `record.PrimaryResource.kubernetesNamespace`, `record.PrimaryResource.kubernetesCluster` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.rule_id`: Newly mapped `record.trigger.ruleId` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field.
- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `record.trigger.ruleName` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field.
- `event.idm.read_only_udm.principal.user.product_object_id`: Newly mapped `record.trigger.changedBy` raw log field with `event.idm.read_only_udm.principal.user.product_object_id` UDM field.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `record.issue.id`, `triggeringEvent.id` raw log fields with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.security_result.alert_state`: Newly mapped `record.issue.status` raw log field with `event.idm.read_only_udm.security_result.alert_state` UDM field.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `record.issue.severity`, `record.severity` raw log fields with `event.idm.read_only_udm.security_result.severity` UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `record.issue.created`, `record.timeframe.start`, `createdAt` raw log fields with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.target.resource.id`: Newly mapped `record.resource.id`, `record.PrimaryResource.id` raw log fields with `event.idm.read_only_udm.target.resource.id` UDM field.
- `event.idm.read_only_udm.target.resource.name`: Newly mapped `record.resource.name`, `resource.name`, `record.PrimaryResource.name` raw log fields with `event.idm.read_only_udm.target.resource.name` UDM field.
- `event.idm.read_only_udm.target.resource.type`: Newly mapped `record.resource.type`, `resource.type`, `record.PrimaryResource.type` raw log fields with `event.idm.read_only_udm.target.resource.type` UDM field.
- `event.idm.read_only_udm.target.cloud.project.id`: Newly mapped `record.resource.subscriptionId`, `record.PrimaryResource.cloudAccount.externalId` raw log fields with `event.idm.read_only_udm.target.cloud.project.id` UDM field.
- `event.idm.read_only_udm.target.cloud.project.name`: Newly mapped `record.resource.subscriptionName`, `record.PrimaryResource.cloudAccount.name` raw log fields with `event.idm.read_only_udm.target.cloud.project.name` UDM field.
- `event.idm.read_only_udm.target.asset.location.country_or_region`: Newly mapped `record.resource.region`, `record.PrimaryResource.region` raw log fields with `event.idm.read_only_udm.target.asset.location.country_or_region` UDM field.
- `event.idm.read_only_udm.security_result.about.resource.attribute.labels`: Newly mapped `record.resource.status` raw log field with `event.idm.read_only_udm.security_result.about.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.url`: Newly mapped `record.resource.cloudProviderURL`, `triggeringEvent.cloudProviderUrl`, `record.PrimaryResource.cloudProviderURL` raw log fields with `event.idm.read_only_udm.target.url` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `record.control.id`, `record.issue.projects`, `triggeringEvent.actorIPMeta.category`, `triggeringEvent.cloudPlatform` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.metadata.description`: Newly mapped `record.control.description`, `triggeringEvent.description` raw log fields with `event.idm.read_only_udm.metadata.description` UDM field.
- `event.idm.read_only_udm.security_result.about.url`: Newly mapped `record.control.IssueURL` raw log field with `event.idm.read_only_udm.security_result.about.url` UDM field.
- `event.idm.read_only_udm.security_result.threat_id`: Newly mapped `record.threatId` raw log field with `event.idm.read_only_udm.security_result.threat_id` UDM field.
- `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `record.title` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- `event.idm.read_only_udm.security_result.description`: Newly mapped `record.description` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- `event.idm.read_only_udm.metadata.collected_timestamp`: Newly mapped `record.timeframe.end` raw log field with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.
- `event.idm.read_only_udm.target.ip`: Newly mapped `act.externalId` raw log field with `event.idm.read_only_udm.target.ip` UDM field.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `pactor.externalId` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `triggeringEvents.actor.id` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.principal.asset.location.country_or_region`: Newly mapped `triggeringEvent.actorIPMeta.country` raw log field with `event.idm.read_only_udm.principal.asset.location.country_or_region` UDM field.
- `event.idm.read_only_udm.principal.labels`: Newly mapped `triggeringEvent.actorIPMeta.autonomousSystemNumber`, `triggeringEvent.actorIPMeta.autonomousSystemOrganization`, `triggeringEvent.actorIPMeta.isForeign`, `triggeringEvent.actorIPMeta.reputation`, `triggeringEvent.actorIPMeta.reputationSource` raw log fields with `event.idm.read_only_udm.principal.labels` UDM field.
- `event.idm.read_only_udm.principal.resource.product_object_id`: Newly mapped `triggeringEvent.externalId` raw log field with `event.idm.read_only_udm.principal.resource.product_object_id` UDM field.
- `event.idm.read_only_udm.security_result.summary`: Newly mapped `triggeringEvent.name` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- `event.idm.read_only_udm.target.resource.product_object_id`: Newly mapped `resource.id` raw log field with `event.idm.read_only_udm.target.resource.product_object_id` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `resource.nativeType` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.location.country_or_region`: Newly mapped `resource.region` raw log field with `event.idm.read_only_udm.target.location.country_or_region` UDM field.
- `event.idm.read_only_udm.security_result.action_details`: Newly mapped `triggeringEvent.status` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.
- Added conditional check for `record.trigger.source`. If the value is "ISSUE", the `security_result.alert_state` is set to "ALERTING" for an "OPEN" status and "NOT_ALERTING" for a "RESOLVED" status.
2025-06-04 Enhancement:
- event.idm.read_only_udm.metadata.product_log_id: Newly Mapped `id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM Field.
- event.idm.read_only_udm.metadata.timestamp: Newly Mapped `createdAt` raw log field with `event.idm.read_only_udm.metadata.timestamp` UDM Field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped `entitySnapshot.tags.io.kubernetes.pod.uid` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped `entitySnapshot.tags.io.kubernetes.pod.namespace` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped `entitySnapshot.tags.io.kubernetes.container.name` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped `entitySnapshot.tags.io.cri-containerd.kind` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped `entitySnapshot.tags.io.kubernetes.pod.name` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly Mapped `entitySnapshot.tags.maintainer` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- event.idm.read_only_udm.principal.group.product_object_id: Newly Mapped `entitySnapshot.externalId` raw log field with `event.idm.read_only_udm.principal.group.product_object_id` UDM Field.
- event.idm.read_only_udm.principal.group.product_object_id: Newly Mapped `actionParameters.clientID` raw log field with `event.idm.read_only_udm.principal.group.product_object_id` UDM Field.
- event.idm.read_only_udm.metadata.product_event_type: Newly Mapped `type` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM Field.
- event.idm.read_only_udm.principal.namespace: Newly Mapped `entitySnapshot.tags.io.kubernetes.pod.namespace` raw log field with `event.idm.read_only_udm.principal.namespace` UDM Field.
- event.idm.read_only_udm.principal.asset_id: Newly Mapped `entitySnapshot.id` raw log field with `event.idm.read_only_udm.principal.asset_id` UDM Field.
- event.idm.read_only_udm.principal.cloud.vpc.name: Newly Mapped `entitySnapshot.cloudPlatform` raw log field with `event.idm.read_only_udm.principal.cloud.vpc.name` UDM Field.
- event.idm.read_only_udm.principal.cloud.vpc.id: Newly Mapped `entitySnapshot.providerId` raw log field with `event.idm.read_only_udm.principal.cloud.vpc.id` UDM Field.
- event.idm.read_only_udm.principal.cloud.project.id: Newly Mapped `entitySnapshot.type` raw log field with `event.idm.read_only_udm.principal.cloud.project.id` UDM Field.
- event.idm.read_only_udm.principal.cloud.project.resource_subtype: Newly Mapped `entitySnapshot.nativeType` raw log field with `event.idm.read_only_udm.principal.cloud.project.resource_subtype` UDM Field.
- event.idm.read_only_udm.principal.cloud.project.name: Newly Mapped `entitySnapshot.name` raw log field with `event.idm.read_only_udm.principal.cloud.project.name` UDM Field.
- event.idm.read_only_udm.security_result.action_details: Newly Mapped `entitySnapshot.status` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM Field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `updatedAt` raw log field with `event.idm.read_only_udm.additional.fields` UDM Field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `dueAt` raw log field with `event.idm.read_only_udm.additional.fields` UDM Field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `statusChangedAt` raw log field with `event.idm.read_only_udm.additional.fields` UDM Field.
- event.idm.read_only_udm.principal.user.userid: Newly Mapped `sourceRule.id` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM Field.
- event.idm.read_only_udm.security_result.detection_fields: Newly Mapped `control.name` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM Field.
- event.idm.read_only_udm.security_result.detection_fields: Newly Mapped `control.description` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM Field.
- event.idm.read_only_udm.security_result.detection_fields: Newly Mapped `control.resolutionRecommendation` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM Field.
- event.idm.read_only_udm.security_result.summary: Newly Mapped `subcategories.title` raw log field with `event.idm.read_only_udm.security_result.category` UDM Field.
- event.idm.read_only_udm.security_result.category_details: Newly Mapped `subcategories.category.name` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM Field.
- event.idm.read_only_udm.security_result.detection_fields: Newly Mapped `subcategories.category.framework.name` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM Field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `actionParameters.userPoolType` raw log field with `event.idm.read_only_udm.additional.fields` UDM Field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `actionParameters.userpoolID` raw log field with `event.idm.read_only_udm.additional.fields` UDM Field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `actionParameters.clientID` raw log field with `event.idm.read_only_udm.additional.fields` UDM Field.
2024-03-04 Enhancement:
- Mapped "actionParameters.selection.preferences", "actionParameters.input.patch.portalVisitHistory.dateTime", and "actionParameters.input.patch.portalVisitHistory.type" to "additional.fields".
- Mapped "actionParameters.input.patch.portalVisitHistory.name", "actionParameters.input.patch.portalVisitHistory.resourceName", "actionParameters.input.patch.portalVisitHistory.resourceType", "actionParameters.input.patch.portalVisitHistory.ruleType", and "actionParameters.input.patch.portalVisitHistory.id" to "principal.resource.attribute.labels".
2024-02-08 Enhancement:
- Mapped "WIZ_IO" to "metadata.product_name" and "metadata.vendor_name".
- Mapped "action" to "metadata.product_event_type".
- Mapped "timestamp" to "metadata.event_timestamp".
- Mapped "userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "sourceIP" to "principal.ip".
- When action value is "Report", then mapped "serviceAccount.name" to "principal.application".
- Mapped "user.id" to "target.user.id".
- Mapped "user.name" to "target.user.user_display_name".
- Mapped "userEmail" to "target.user.email_addresses".
- Mapped "actionParameters.role" to "target.user.attribute.roles".
- Mapped "actionParameters.groups" and "actionParameters.products" to "security_result.detection_fields".
2023-12-15 - Newly created parser.