Change log for AWS_VPC_TRANSIT_GATEWAY
Date | Changes |
---|---|
2025-08-19 | - Added a Grok pattern to parse the raw log fields for non-JSON formatted messages.
- event.idm.read_only_udm.target.resource.product_object_id: Newly mapped "tgw_dst_vpc_id" raw log field with "event.idm.read_only_udm.target.resource.product_object_id" UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped "tgw_dst_subnet_id", "tgw_dst_eni", "pkt_dst_aws_service" raw log fields with "event.idm.read_only_udm.target.resource.attribute.labels" UDM field.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped "srcaddr" raw log field with "event.idm.read_only_udm.principal.ip" and "event.idm.read_only_udm.principal.asset.ip" UDM fields and set "has_principal" to "true".
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Newly mapped "dstaddr" raw log field with "event.idm.read_only_udm.target.ip" and "event.idm.read_only_udm.target.asset.ip" UDM fields and set "has_target" to "true".
- event.idm.read_only_udm.principal.port: Newly mapped "srcport" raw log field with "event.idm.read_only_udm.principal.port" UDM field.
- event.idm.read_only_udm.target.port: Newly mapped "dstport" raw log field with "event.idm.read_only_udm.target.port" UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped "protocol" raw log field with "event.idm.read_only_udm.security_result.detection_fields" UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped "start_time", "type", "packets_lost_no_route", "packets_lost_blackhole", "packets_lost_mtu_exceeded", "packets_lost_ttl_expired", "tcp_flags" raw log fields with "event.idm.read_only_udm.additional.fields" UDM field.
- event.idm.read_only_udm.network.sent_packets: Newly mapped "packets" raw log field with "event.idm.read_only_udm.network.sent_packets" UDM field.
- event.idm.read_only_udm.network.sent_bytes: Newly mapped "bytes" raw log field with "event.idm.read_only_udm.network.sent_bytes" UDM field.
- event.idm.read_only_udm.security_result.action: Newly mapped "log_status" raw log field with "event.idm.read_only_udm.security_result.action" UDM field.
- event.idm.read_only_udm.network.direction: Newly mapped "flow_direction" raw log field with "event.idm.read_only_udm.network.direction" UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped "end_time" raw log field with "event.idm.read_only_udm.metadata.event_timestamp" UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped "pkt_src_aws_service" raw log field with "event.idm.read_only_udm.principal.resource.attribute.labels" UDM field.
- event.idm.read_only_udm.metadata.event_type: Newly mapped "event_type" as "NETWORK_CONNECTION" when "has_principal" is "true" and "has_target" is "true", else "STATUS_UPDATE" when "has_principal" is "true" and "has_target" is "false", else "USER_RESOURCE_ACCESS" when "principal_user_present" is "true" and "target_user_present" is "true", else "GENERIC_EVENT". |
2024-11-15 | - Newly created parser. |