Change log for ARUBA_CENTRAL
Date | Changes |
---|---|
2025-03-24 | Enhancement:<br>- Added support to parse JSON log format.<br>- Mapped "id" to "metadata.product_log_id".<br>- Mapped "cid" to "principal.user.product_object_id".<br>- Mapped "alert_type" to "metadata.product_event_type".<br>- Mapped "device_id" to "principal.user.userid".<br>- Mapped "details.user" to "principal.user.userid".<br>- Mapped "details.group_name" to "principal.group.group_display_name".<br>- Mapped "details.config_change" to "security_result.summary".<br>- Mapped "description" to "security_result.description".<br>- Mapped "target_userid" to "target.user.userid".<br>- Mapped "target_mac" to "target.mac".<br>- Mapped "princ_mac" to "principal.mac".<br>- Mapped "network_ssid" to "network.session_id".<br>- Mapped "cluster_hostname" to "principal.hostname".<br>- Mapped "timestamp" to "metadata.event_timestamp".<br>- Mapped "__base_url" to "metadata.url_back_to_product".<br>- Mapped "state" to "security_result.detection_fields".<br>- Mapped "nid", "setting_id", "details.dev_type", "webhook" and "operation" to "additional.fields".<br>- Mapped "details.group" to "principal.group.product_object_id".<br>- Mapped "details.labels" to "security_result.about.labels".<br>- If "severity" is "CRITICAL" or "MAJOR", then map "severity" as "CRITICAL" to "security_result.severity".<br>- Added a conditional check: if "alert_type" is "DEVICE_CONFIG_CHANGE_DETECTED", then map "event_type" to "USER_RESOURCE_UPDATE_CONTENT".<br>- Enhanced the validation check for "datetime", "host", "app", "pid", "desc", "userid", "amm" and "event_data" before mapping them. |
2024-12-05 | Newly created parser. |