Change log for AWS_WAF
| Date | Changes |
|---|---|
| 2025-08-12 | Enhancement:
- event.idm.read_only_udm.security_result.action: Newly mapped `matchingrules.overriddenAction` raw log field with `event.idm.read_only_udm.security_result.action` UDM field. - event.idm.read_only_udm.security_result.action_details: Newly mapped `matchingrules.action` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field when `action` is `ALLOW` or `BLOCK`. - event.idm.read_only_udm.network.tls.client.ja3: Newly mapped `ja3Fingerprint` raw log field with `event.idm.read_only_udm.network.tls.client.ja3` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `ja4Fingerprint` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `labels` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-04-25 | Enhancement:
- event.idm.read_only_udm.target.hostname: Newly mapped `http_request.url.hostname` raw log field with `event.idm.read_only_udm.target.hostname` UDM field. - event.idm.read_only_udm.target.asset.hostname: Newly mapped `http_request.url.hostname` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field. - event.idm.read_only_udm.target.hostname: Newly mapped `Http_request.Url.Hostname` raw log field with `event.idm.read_only_udm.target.hostname` UDM field. - event.idm.read_only_udm.target.asset.hostname: Newly mapped `Http_request.Url.Hostname` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field. |
| 2025-02-17 | Enhancement:
- Added support for OCSF JSON format logs. |
| 2024-03-14 | Enhancement:
- Added gsub function to handle invalid escape characters "\" in the source logs to valid JSON format. |
| 2023-12-29 | Enhancement:
- Mapped "user-agent" and "User-Agent" to "network.http.user_agent" and "network.http.parsed_user_agent". - Mapped the base64 decoded value of "authorization" header from "httpRequest.header" to "target.user.userid". |
| 2023-12-08 | Bug-Fix:
- Modified the condition before mapping "header.value" to "target.hostname". - Modified the mapping of "target.url" from "http://%{header.value}%{httpRequest.uri}" to "httpRequest.uri". - If "terminatingRuleType" is "MANAGED_RULE_GROUP", then added a condition for mapping "ruleGroupList.terminatingRule". - Added "on_error" for mutate blocks wherever required". |
| 2023-09-11 | Enhancement:
- Added a Grok pattern to support a new log format. |
| 2023-08-16 | Enhancement:
- Mapped "ruleGroup.terminatingRule.action" to "security_result.detection_fields" when "terminatingRuleType" is "REGULAR". |
| 2022-12-16 | Enhancement:
- Combined two date filters into one and updated condition for date filter to if "timestamp" is not null. - Dropped logs when "json_failure" is true. - Mapped "httpRequest.headers.value" to "event.idm.read_only_udm.network.http.parsed_user_agent" when "httpRequest.headers.name" is "user-agent". |
| 2022-08-11 | Enhancement:- Removed the logic to handle CSV and SYSLOG message logs.
|
| 2022-07-22 | Newly Created Parser
|