Change log for AWS_CLOUDWATCH
Date | Changes |
---|---|
2025-04-11 | Enhancement<br>- `JSON`: Added support for `JSON` format.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `logevent.id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `owner` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.security_result.about.resource.name`: Newly mapped `logGroup` raw log field with `event.idm.read_only_udm.security_result.about.resource.name` UDM field.<br>- `event.idm.read_only_udm.security_result.about.resource.attribute.labels`: Newly mapped `logStream` raw log field with `event.idm.read_only_udm.security_result.about.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped `logevent.message` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped `act_det` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped `src_ip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped `tar_ip` raw log field with `event.idm.read_only_udm.target.ip` UDM field.<br>- `event.idm.read_only_udm.target.hostname`: Newly mapped `tar_host` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.<br>- `event.idm.read_only_udm.target.port`: Newly mapped `tar_port` raw log field with `event.idm.read_only_udm.target.port` UDM field.<br>- `event.idm.read_only_udm.network.http.response_code`: Newly mapped `resp_code` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field.<br>- `event.idm.read_only_udm.network.received_bytes`: Newly mapped `rec_bytes` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field.<br>- `event.idm.read_only_udm.network.http.method`: Newly mapped `meth` raw log field with `event.idm.read_only_udm.network.http.method` UDM field.<br>- `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `event.idm.read_only_udm.network.http.user_agent` as `NETWORK_CONNECTION` when the `src_ip` and `tar_ip` raw log fields are not null.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly mapped `event.idm.read_only_udm.metadata.event_type` UDM field as `USER_UNCATEGORIZED` when the `owner` raw log field is not null.<br>- `event.idm.read_only_udm.metadata.event_type`: Newly mapped `event.idm.read_only_udm.metadata.event_type` UDM field as `GENERIC_EVENT` when the `src_ip`, `tar_ip` and `tar_port` raw log fields are null.<br>- `event.idm.read_only_udm.security_result.about.resource.attribute.labels`: Newly mapped `subscriptionFilter` raw log field with `event.idm.read_only_udm.security_result.about.resource.attribute.labels` UDM field. |
2025-03-05 | Enhancement<br>- Mapped "log_processed_control_data_sampling_interval", "log_processed_cpus_per_sock_avg", "log_processed_cpus_per_sock_max", "log_processed_cpus_per_sock_min", "flow_aggregation_result" fields, "flows_after", "flows_before", "level", "message", "sock_add_result" fields, "sock_cache_len", "sock_delta_result" fields, "sock_eviction_result" fields, "sock_nat_result" fields, "container_hash", "container_image" to "additional.fields".<br>- Mapped "kubernetes_host_details" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "prin_ip" to "principal.ip" and "principal.asset.ip".<br>- Mapped "kubernetes_pod_id" to "principal.product_object_id".<br>- Mapped "kubernetes_pod_name" to "principal.namespace" if "has_namespace" is "false"; otherwise mapped it to "additional.fields".<br>- Mapped "log_processed_level" to "sec_result.severity". |
2025-02-22 | Enhancement<br>- Added support to parse unparsed logs. |
2025-02-04 | Enhancement<br>- Added support to parse unparsed logs. |
2024-11-12 | Enhancement<br>- Added support to parse unparsed logs. |
2024-10-18 | Enhancement<br>- Added support to parse unparsed logs. |
2024-08-29 | Enhancement<br>- Added support to parse unparsed logs.<br>- Mapped "connectionTesterClassName" to "principal.hostname".<br>- Mapped "identityToken" to "principal.user.userid".<br>- Mapped "jdbcUrl" to "target.url".<br>- Mapped "driverClass" to "target.application".<br>- Mapped "uid" to "metadata.product_log_id".<br>- Mapped "summary" to "security_result.summary".<br>- Mapped "script" to "security_result.description". |
2024-02-12 | Enhancement<br>- Mapped timestamp to UNIX_MS. |
2023-09-02 | Enhancement<br>- Added a "kv block" to parse key-value format logs.<br>- Mapped "SourceIP" to "principal.ip".<br>- Mapped "prin_host" to "principal.hostname".<br>- Mapped "User" to "principal.user.userid".<br>- Mapped "Ciphers" to "network.tls.client.supported_ciphers".<br>- Mapped "executionId" to "principal.process.pid".<br>- Mapped "transferDetails.sessionId" to "network.session_id".<br>- Mapped "transferDetails.username" to "principal.user.user_display_name".<br>- Mapped "transferDetails.serverId", "workflowId", "details.input.initialFileLocation.etag", "details.input.initialFileLocation.backingStore", "details.input.initialFileLocation.bucket", "details.input.initialFileLocation.key", "Mode", "Kex" to "additional.fields".<br>- Mapped "BytesIn" to "network.received_bytes".<br>- Mapped "Role" to "target.resource.product_object_id". |
2023-08-18 | Enhancement<br>- Added a Grok pattern to parse the unparsed raw logs. |
2023-07-07 | Enhancement<br>- Added support for 'logEvents'-related JSON logs. |
2022-12-17 | Enhancement<br>- Mapped "CloudType" to "target.resource.attribute.cloud.environment".<br>- Mapped "AlertId" to "metadata.product_log_id".<br>- Mapped "ResourceType" to "target.resource.resource_subtype".<br>- Mapped "ResourceRegion" to "target.location.country_or_region".<br>- Mapped "Recommendation" to "security_result.detection_fields".<br>- Mapped "PolicyName", "detail.additionalEventData.configRuleName" to "security_result.rule_name".<br>- Mapped "detail-type" to "metadata.product_event_type".<br>- Mapped "region", "detail.awsRegion" to "principal.location.name".<br>- Mapped "detail.eventSource" to "target.application".<br>- Mapped "detail.requestID" to "target.resource.attribute.labels".<br>- Mapped "detail.userAgent" to "network.http.user_agent".<br>- Mapped "detail.eventVersion" to "metadata.product_version".<br>- Mapped "detail.userIdentity.accountId" to "metadata.product_deployment_id".<br>- Mapped "detail.userIdentity.accessKeyId" to "target.user.userid".<br>- Mapped "detail.userIdentity.type" to "principal.resource.type".<br>- Mapped "detail.userIdentity.principalId" to "principal.user.product_object_id".<br>- Mapped "detail.user.arn" to "target.user.userid".<br>- Mapped "detail.user.sessionContext.sessionIssuer.userName" to "target.user.user_display_name".<br>- Mapped "detail.user.mfaAuthenticated" to "principal.user.attribute.labels".<br>- Mapped "detail.recipientAccountId" to "target.resource.attribute.labels".<br>- Mapped "detail.managementEvent", "detail.eventType", "detail.readOnly", "detail.eventName", "detail.additionalEventData.notificationJobType", "detail.additionalEventData.managedRuleIdentifier", "duration", "billed_duration", "memory_used" to "additional.fields".<br>- Mapped "detail.eventCategory" to "security_result.category_details".<br>- Mapped "detail.eventID" to "metadata.product_log_id".<br>- Mapped "detail.additionalEventData.configRuleArn" to "security_result.rule_id".<br>- Mapped "level" to "security_result.severity".<br>- Mapped "src_port" to "principal.port".<br>- Mapped "request_id" to "target.resource.attribute.labels".<br>- Mapped "url" to "target.url". |
2022-09-03 | Enhancement<br>- Added grok to parse newly ingested logs.<br>- Mapped "package" to "event.idm.read_only_udm.principal.process.command_line".<br>- Mapped "session_id" to "event.idm.read_only_udm.network.session_id".<br>- Mapped "network_dir" to "event.idm.read_only_udm.network.direction".<br>- Mapped "port" to "event.idm.read_only_udm.target.port".<br>- Remapped "digestPublicKeyFingerprint" from "additional.fields" to "event.idm.read_only_udm.target.file.sha1".<br>- Added other log levels such as "AUDIT", "TRACE", "DEBUG", "NOTICE", "ERROR" for severity mapping.<br>- Duplicated the value in "target.ip" to "principal.ip" to set event_type as "STATUS_UPDATE", thereby reducing the generic percentage.<br>- Added conditions for "event_type" "USER_UNCATEGORIZED", "NETWORK_HTTP", "NETWORK_CONNECTION", "STATUS_UPDATE" to reduce the generic percentage. |
2022-08-11 | Bug Fix<br>- Remapped "digestS3Bucket" to "principal.resource.name".<br>- Remapped "kubernetes.pod_name" to "additional.fields". |
2022-05-27 | Enhancement<br>- Modified the value stored in "metadata.product_name" to 'AWS CloudWatch' and "metadata.vendor_name" to 'AMAZON'. |
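The 2025-04-11 entry above describes how a CloudWatch Logs subscription-filter payload is flattened (envelope fields `owner`, `logGroup`, `logStream`, `subscriptionFilters` plus one `logEvents` entry per event) and how `metadata.event_type` is chosen from `src_ip`, `tar_ip`, `tar_port` and `owner`. The following Python is an added illustration written for this page; it is not the Google SecOps parser and does not reproduce its grok/kv logic. It assumes the network fields are key=value tokens in the event message (a stand-in for the real extraction), that the conditions are evaluated most-specific first (the changelog gives no precedence), and uses a constructed sample payload.

```python
import json
import re
from typing import Any

# Constructed sample of the JSON envelope CloudWatch Logs delivers through a
# subscription filter. All values are made up for this example.
SAMPLE_PAYLOAD = json.dumps({
    "owner": "123456789012",
    "logGroup": "/aws/app/example",
    "logStream": "2025/04/11/[$LATEST]abcdef",
    "subscriptionFilters": ["to-siem"],
    "logEvents": [
        {"id": "evt-1", "timestamp": 1744329600000,
         "message": "src_ip=10.0.0.5 tar_ip=10.0.0.9 tar_port=443 meth=GET resp_code=200"},
        {"id": "evt-2", "timestamp": 1744329601000,
         "message": "scheduler started"},
    ],
})

# Assumed key=value extraction for the raw fields the changelog names
# (src_ip, tar_ip, tar_port, meth, resp_code). The page does not show how the
# real parser extracts them, so this regex is an illustrative stand-in.
KV_RE = re.compile(r"(\w+)=(\S+)")


def select_event_type(fields: dict[str, Any]) -> str:
    """Apply the 2025-04-11 event_type conditions.

    Precedence (network first, then owner, then generic) is an assumption;
    the changelog lists the three conditions without stating an order.
    """
    if fields.get("src_ip") and fields.get("tar_ip"):
        return "NETWORK_CONNECTION"
    if fields.get("owner"):
        return "USER_UNCATEGORIZED"
    if not any(fields.get(k) for k in ("src_ip", "tar_ip", "tar_port")):
        return "GENERIC_EVENT"
    # Partial network data (e.g. only src_ip) and no owner: nothing more
    # specific applies, so fall back to the generic type.
    return "GENERIC_EVENT"


def normalize(raw: str) -> list[dict[str, Any]]:
    """Flatten one subscription payload into one UDM-style dict per logEvent,
    following the field mappings listed in the 2025-04-11 entry."""
    payload = json.loads(raw)
    # logStream and each subscriptionFilter become resource attribute labels.
    labels = [{"key": "logStream", "value": payload.get("logStream", "")}]
    labels += [{"key": "subscriptionFilter", "value": f}
               for f in payload.get("subscriptionFilters", [])]

    events: list[dict[str, Any]] = []
    for ev in payload.get("logEvents", []):
        kv = dict(KV_RE.findall(ev.get("message", "")))
        kv["owner"] = payload.get("owner")  # envelope field, shared by all events
        udm: dict[str, Any] = {
            "metadata": {
                "product_log_id": ev.get("id"),        # logevent.id
                "event_type": select_event_type(kv),
            },
            "principal": {"user": {"userid": payload.get("owner")}},
            "security_result": [{
                "description": ev.get("message"),      # logevent.message
                "about": {"resource": {
                    "name": payload.get("logGroup"),   # logGroup
                    "attribute": {"labels": labels},
                }},
            }],
        }
        if kv.get("src_ip"):
            udm["principal"]["ip"] = [kv["src_ip"]]
        target: dict[str, Any] = {}
        if kv.get("tar_ip"):
            target["ip"] = [kv["tar_ip"]]
        if kv.get("tar_port", "").isdigit():
            target["port"] = int(kv["tar_port"])
        if target:
            udm["target"] = target
        http: dict[str, Any] = {}
        if kv.get("meth"):
            http["method"] = kv["meth"]
        if kv.get("resp_code", "").isdigit():
            http["response_code"] = int(kv["resp_code"])
        if http:
            udm["network"] = {"http": http}
        events.append(udm)
    return events


if __name__ == "__main__":
    for record in normalize(SAMPLE_PAYLOAD):
        print(json.dumps(record, indent=2))
```

Running the block on the constructed payload yields a `NETWORK_CONNECTION` event for `evt-1` (both IPs present) and a `USER_UNCATEGORIZED` event for `evt-2`, where only the envelope `owner` is available; `GENERIC_EVENT` is reached only when an event has neither network fields nor an owner, which in practice means the subscription envelope itself was missing.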