Change log for ATTIVO

Date Changes
2025-08-06 Enhancement:
- Added a new gsub block to support logs that are split across multiple lines.
- event.idm.read_only_udm.additional.fields: Newly mapped `forwarder` raw log field to `event.idm.read_only_udm.additional.fields` UDM field.
2025-07-01 Enhancement:
- Added a Grok pattern to parse the SYSLOG + KV (CEF) log format with any timezone pattern.
- Added a Grok pattern to extract `process` and `pid` from the `msg` raw log field.
- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `process` log field to `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
- event.idm.read_only_udm.principal.process.pid: Newly mapped `pid` log field to `event.idm.read_only_udm.principal.process.pid` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `timezone` log field to `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.port: Newly mapped `spt` raw log field to `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `rt` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- Modified condition for dropping invalid logs by adding a `valid_log` flag.
- Set `has_principal` to `true` if `principal.ip` or `principal.hostname` is present.
- Set `has_target` to `true` if `target.ip` or `target.hostname` is present.
- Merged both conditions to map `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION`.
- Modified conditions to map `event.idm.read_only_udm.metadata.event_type` to `NETWORK_UNCATEGORIZED` and `STATUS_UPDATE`.
- Added mappings for `target.asset.ip` wherever `target.ip` is mapped and `principal.asset.ip` wherever `principal.ip` is mapped.
2025-01-10 Enhancement:
- Added a new Grok pattern to parse previously unparsed logs.
- Added a JSON block to parse previously unparsed logs.
- Mapped "Alert.subject" to "metadata.description".
- Mapped "Alert.body" to "metadata.description".
- Mapped "Alert.app" to "principal.application".
- Mapped "Alert.dest_ip" to "target.ip" and "target.asset.ip".
- Mapped "Alert.dest_host" to "target.hostname".
- Mapped "Alert.src_hostname" to "principal.hostname".
- Mapped "Alert.src_ip_domain" to "principal.domain.name".
- Mapped "Alert.dest_ip_domain" to "target.domain.name".
- Mapped "Alert.id" to "metadata.product_log_id".
- Mapped "Alert.des_os" to "target.asset.platform_software.platform_version".
- Mapped "Alert.src_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Alert.src_mac" to "principal.mac".
- Mapped "Alert.bootsink_ip" to "intermediary.ip".
- Mapped "Alert.forwarder" and "Alert.service" to "additional.fields".
- Mapped "technique_id" to "security_result.attack_details.tactics.id".
- Mapped "technique_name" to "security_result.attack_details.tactics.name".
- Mapped "Alert.severity" to "security_result.severity".
- Mapped "Alert.src_category" to "security_result.threat_name".
2024-04-19 Enhancement:
- Added support for new event types "NETWORK_UNCATEGORIZED" and "SCAN_NETWORK".
- Added support for certain new attributes.
2023-08-14 Enhancement:
- Added conditional check for "ips".
- If the value of "ips" matches the IP address format, map it to "principal.ip"; otherwise map it to "intermediary.hostname".
2023-07-21 Newly created parser.
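The two pieces of parser logic described above that are more than a straight field rename are the 2023-08-14 "ips" check (IP-looking value goes to `principal.ip`, anything else to `intermediary.hostname`) and the 2025-07-01 `has_principal` / `has_target` decision that selects `NETWORK_CONNECTION`. The Python below is an added illustration of that logic, not the parser's own code (Google SecOps parsers are written in a Logstash-style configuration, not Python). It assumes the CEF key `dst` carries the destination address, that `NETWORK_UNCATEGORIZED` is chosen when only one side is present and `STATUS_UPDATE` when neither is, that `valid_log` means at least one of principal, target or intermediary was populated, and that `msg` begins with `process[pid]`; the sample records are constructed for the example. Where these details differ from the shipped parser, the changelog entries above are authoritative.

```python
import ipaddress
import re

# Constructed sample records in the shape of KV fields after CEF parsing (not real Attivo output).
SAMPLE_RECORDS = [
    {"ips": "10.0.0.5", "dst": "10.0.0.9", "spt": "51234", "msg": "sshd[4242]: login attempt"},
    {"ips": "sensor-01.example.internal", "msg": "heartbeat"},
    {"ips": "10.0.0.5", "msg": "scan detected"},
    {"msg": "noise with no endpoint fields"},
]

# Assumed shape of the leading part of `msg`: "<process>[<pid>]" (the changelog names the
# fields extracted, not the exact Grok pattern).
PROCESS_PID_RE = re.compile(r"^(?P<process>[^\s\[:]+)\[(?P<pid>\d+)\]")


def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def map_ips(value, udm):
    """2023-08-14 rule: IP-looking `ips` -> principal.ip, otherwise intermediary.hostname.
    Also mirrors principal.ip into principal.asset.ip (2025-07-01 entry)."""
    if is_ip(value):
        principal = udm.setdefault("principal", {})
        principal["ip"] = [value]
        principal.setdefault("asset", {})["ip"] = [value]
    else:
        udm.setdefault("intermediary", {})["hostname"] = value


def extract_process(msg, udm):
    """Pull `process` and `pid` out of `msg` into principal.process.* when the prefix matches."""
    m = PROCESS_PID_RE.match(msg)
    if m:
        principal = udm.setdefault("principal", {})
        principal["process"] = {"file": {"full_path": m.group("process")}, "pid": m.group("pid")}


def has_endpoint(section):
    """has_principal / has_target: an ip or hostname is present on that side."""
    return bool(section.get("ip") or section.get("hostname"))


def choose_event_type(udm):
    has_principal = has_endpoint(udm.get("principal", {}))
    has_target = has_endpoint(udm.get("target", {}))
    if has_principal and has_target:
        return "NETWORK_CONNECTION"
    if has_principal or has_target:
        return "NETWORK_UNCATEGORIZED"  # assumption: one side known
    return "STATUS_UPDATE"  # assumption: no endpoint at all


def normalize(record):
    """Return a UDM-like dict for one record, or None when the record is dropped (valid_log false)."""
    udm = {"metadata": {}}
    if "ips" in record:
        map_ips(record["ips"], udm)
    if "dst" in record and is_ip(record["dst"]):  # `dst` is an assumed CEF key, not from the changelog
        target = udm.setdefault("target", {})
        target["ip"] = [record["dst"]]
        target.setdefault("asset", {})["ip"] = [record["dst"]]
    if "spt" in record and record["spt"].isdigit():
        udm.setdefault("principal", {})["port"] = int(record["spt"])
    if "msg" in record:
        extract_process(record["msg"], udm)
    # valid_log (assumed definition): at least one endpoint section was populated.
    valid_log = any(k in udm for k in ("principal", "target", "intermediary"))
    if not valid_log:
        return None
    udm["metadata"]["event_type"] = choose_event_type(udm)
    return udm


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(normalize(rec))
```

Running the block prints one normalized dict per sample record and `None` for the record that carries no endpoint field, which is the case the `valid_log` flag exists to drop rather than emit as an empty event.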