Change log for ZIMPERIUM
| Date | Changes |
|---|---|
| 2025-11-27 | Enhancement:<br>- `event.idm.read_only_udm.additional.fields`: Mapped multiple raw log fields to this UDM field. These were previously mapped to various deprecated label structures. The raw fields include: `sample`, all fields from `forensics.suspicious_profile` and `forensics.untrusted_profile`, `forensics.sideloaded_app_name`, `forensics.dynamic_internal_name`, `forensics.network_threat.basestation`, `forensics.network_threat.routing_table`, `forensics.network_threat.interface`, `forensics.network_threat.net_stat`, `forensics.dynamic_trigger`, `forensics.network_subnet`, `forensics.type`, `forensics.forensics_ziap_version`, `forensics.BSSID`, `forensics.network_encryption`, `forensics.responses`, `forensics.SSID`, `sideloaded_app_filehash_data`, `threat.general.sideloaded_app_name`, `team_id`, and `team_name`.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Removed mapping of `device_info.device_time`, `device_info.zdid`, `device_info.jailbroken`, and `threat.general.base_station` from this UDM field.<br>- `event.idm.read_only_udm.principal.asset.labels`: Mapped the `device_info.device_time`, `device_info.zdid`, `device_info.jailbroken`, and `threat.general.base_station` raw log fields to this UDM field.<br>- Renamed the label from `sideloaded_app_name_label` to `forensics_sideloaded_app_name_label`.<br>- Updated the conditional check for `forensics.network_subnet`, `forensics.BSSID`, `forensics.network_encryption`, and `forensics.SSID` to ensure the fields are not empty strings before mapping.<br>- Updated the data structure for label values to use a typed format (e.g., `value.string_value`) to align with the requirements of the `event.idm.read_only_udm.additional.fields` field. |
| 2025-11-24 | Enhancement:<br>- Updated the conditional logic for populating `event.idm.read_only_udm.principal.asset.product_object_id`. The logic now uses `device_info.mdm_device_id` as a fallback if the `device_info.imei` field is not present, rather than checking whether it was an empty string.<br>- Removed the initialization of `device_info.imei` to an empty string, allowing the parser to correctly check for the field's existence. |
| 2025-11-20 | Enhancement:<br>- `event.idm.read_only_udm.principal.asset.labels`: Removed mapping of `device_info.zdid`, `device_info.jailbroken`, and `threat.general.base_station` from the `event.idm.read_only_udm.principal.asset.labels` UDM field since it is a deprecated field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Mapped the `device_info.zdid`, `device_info.jailbroken`, and `threat.general.base_station` raw log fields to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.about.labels`: Removed mapping of `sample_field`, `forensics.profile.name`, `forensics.sideloaded_app_name`, `forensics.profile.type`, `forensics.profile.external_id`, `forensics.profile.category`, `forensics.profile.description`, `forensics.profile.information`, `forensics.untrusted_profile.name`, `forensics.untrusted_profile.type`, `forensics.untrusted_profile.external_id`, `forensics.untrusted_profile.category`, `forensics.untrusted_profile.description`, `forensics.untrusted_profile.information`, `forensics.dynamic.internal_name`, `forensics.network_threat.basestation`, `forensics.network_threat.routing_table`, `forensics.network_threat.interface`, `forensics.network_threat.net_stat`, `forensics.dynamic.trigger`, `forensics.network.subnet`, `forensics.type`, `forensics.forensics.ziap_version`, `forensics.BSSID`, `forensics.network.encryption`, `forensics.responses`, `forensics.SSID`, `team_id`, and `team_name` from the `event.idm.read_only_udm.about.labels` UDM field since it is a deprecated field.<br>- `event.idm.read_only_udm.about.resource.attribute.labels`: Mapped these raw log fields to the `event.idm.read_only_udm.about.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.security_result.about.labels`: Removed mapping of `data.file_hash` and `threat.general.sideloaded_app_name` from the `event.idm.read_only_udm.security_result.about.labels` UDM field since it is a deprecated field.<br>- `event.idm.read_only_udm.security_result.about.resource.attribute.labels`: Mapped the `data.file_hash` and `threat.general.sideloaded_app_name` raw log fields to the `event.idm.read_only_udm.security_result.about.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Mapped the `forensics.severity` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.asset.platform_software.platform`: Mapped the `forensics.os` and `device_info.os` raw log fields to the `event.idm.read_only_udm.principal.asset.platform_software.platform` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Mapped the `device_info.device_time` raw log field to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.target.group.product_object_id`: Mapped the `device_info.device_group_id` raw log field to the `event.idm.read_only_udm.target.group.product_object_id` UDM field.<br>- `event.idm.read_only_udm.principal.asset.product_object_id`: Added a fallback mapping to `device_info.mdm_device_id` when `device_info.imei` is unavailable.<br>- Added a conditional check that `system_token` is not empty. |
| 2025-02-26 | Enhancement:<br>- Mapped `sideloaded_app_filehash` to `security_result.about.labels`. |
| 2025-02-11 | Enhancement:<br>- Mapped `threat.general.file_hash` to `event.idm.read_only_udm.principal.file.sha1`. |
| 2024-12-19 | Enhancement:<br>- Changed the mapping of `data.value` from `security_result.threat_name` to `security_result.about.url`. |
| 2024-12-02 | Enhancement:<br>- Mapped `device_info.device_group_name` to `target.group.group_display_name`. |
| 2024-11-21 | Enhancement:<br>- Mapped `additional_public_forensics.Package Name` to `security_result.threat_name`. |
| 2024-04-16 | Enhancement:<br>- Mapped `hostname` from the syslog header to `intermediary.hostname`.<br>- Mapped `forensics.sideloaded_app_name` to `about.labels`.<br>- Mapped `threat.general.sideloaded_app_name` to `security_result.about.labels`. |
| 2023-08-18 | - Newly created parser. |
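The 2025-11-24 and 2025-11-27 entries describe three behaviours worth seeing side by side: the `product_object_id` fallback keyed on field presence rather than on an empty string, the empty-string guard on the Wi-Fi forensics fields, and the typed `value.string_value` layout for `additional.fields`. The Python model below is an added illustration and is not the parser's own code; it assumes a simplified dict layout for the UDM output and uses the raw field path as the `additional.fields` key, which the changelog does not specify.

```python
"""Model of the mapping logic described in the 2025-11-24 and
2025-11-27 Zimperium changelog entries (illustration only)."""
from typing import Any

# Raw fields that are emitted only when present AND non-empty (2025-11-27).
NETWORK_FIELDS = ("forensics.network_subnet", "forensics.BSSID",
                  "forensics.network_encryption", "forensics.SSID")


def get_path(raw: dict, dotted: str) -> Any:
    """Walk a dotted path; return None when any segment is absent."""
    cur: Any = raw
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def typed_field(key: str, value: str) -> dict:
    """additional.fields entries carry a typed value (value.string_value)."""
    return {"key": key, "value": {"string_value": value}}


def map_event(raw: dict) -> dict:
    """Return a simplified UDM dict for one raw Zimperium event."""
    udm: dict = {"principal": {"asset": {}}, "additional": {"fields": []}}
    asset = udm["principal"]["asset"]

    # product_object_id: use device_info.imei when the field EXISTS; fall
    # back to device_info.mdm_device_id only when imei is absent. An imei
    # that is present but empty is no longer treated as missing (2025-11-24).
    imei = get_path(raw, "device_info.imei")
    if imei is not None:
        asset["product_object_id"] = imei
    else:
        mdm_id = get_path(raw, "device_info.mdm_device_id")
        if mdm_id is not None:
            asset["product_object_id"] = mdm_id

    # Wi-Fi forensics fields: skip both absent fields and empty strings,
    # so no empty label reaches additional.fields.
    for name in NETWORK_FIELDS:
        value = get_path(raw, name)
        if value:
            udm["additional"]["fields"].append(typed_field(name, value))
    return udm
```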