Change log for BARRACUDA_EMAIL
| Date | Changes | 
|---|---|
| 2025-07-10 | Enhancement: - Added a Grok pattern to support the new SYSLOG+JSON log pattern. - Mapped `time` to `event.idm.read_only_udm.metadata.event_timestamp`. - Mapped `log_header_end`, `payload.affected_mailboxes`, `payload.attachment` and `payload.body_text` to `event.idm.read_only_udm.additional.fields`. - Mapped `accountId`, `accessTokenId`, `payload.type`, `payload.incident_id`, `payload.messages_received` and `payload.matched_email_count` to `event.idm.read_only_udm.security_result.detection_fields`. - Mapped `product` to `event.idm.read_only_udm.metadata.product_name`. - Mapped `payload.sender` to `event.idm.read_only_udm.principal.user.email_addresses`. - Mapped `payload.recipient` to `event.idm.read_only_udm.target.user.email_addresses`. - Mapped `payload.subject` to `event.idm.read_only_udm.network.email.subject`. - Mapped `payload.date` to `event.idm.read_only_udm.metadata.collected_timestamp`. - Mapped `payload.category` to `event.idm.read_only_udm.security_result.category_details`. - Mapped `payload.created_by` to `event.idm.read_only_udm.principal.user.email_addresses`. - Mapped `payload.sender_display_name` to `event.idm.read_only_udm.principal.user.user_display_name`. - Mapped `payload.sender_email` to `event.idm.read_only_udm.principal.user.email_addresses`. - Mapped `payload.login_country` to `event.idm.read_only_udm.principal.location.country_or_region`. - Mapped `payload.login_ip` to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`. - Mapped `payload.login_user_agent` to `event.idm.read_only_udm.network.http.user_agent`. - Mapped `payload.user_display_name` to `event.idm.read_only_udm.principal.user.user_display_name`. - Mapped `payload.user_email` to `event.idm.read_only_udm.principal.user.email_addresses`. - Mapped `payload.body_links` to `event.idm.read_only_udm.security_result.about.url`. - Mapped `payload.sender_name` to `event.idm.read_only_udm.principal.user.user_display_name`. |
| 2024-05-28 | Enhancement: - Mapped "attachments" to "additional.fields". |
| 2024-01-08 | Enhancement: - Mapped "recipients.action" to "security_result.action_details". - Mapped "recipients.email" to "network.email.to". - Mapped "recipients.delivery_detail", "recipients.reason", "recipients.taxonomy", "recipients.reason_extra" and "recipient.delivered" to "security_result.detection_fields". - Mapped "dst_domain" to "target.hostname". - Mapped "geoip" to "target.location.country_or_region". |
| 2023-01-19 | Bug-Fix: - Modified the grok pattern to extract "subject" and mapped it to "network.subject". |
| 2022-12-16 | Enhancement: - Added a grok pattern for new logs. - Mapped "host" to "principal.hostname". - Mapped "product_log_id" to "metadata.product_log_id". - Mapped "network.application_protocol" to "SMTP" where process includes "smtp". - Mapped "sender_email" to "network.email.from". - Mapped "recipient_email" to "network.email.to". - Mapped "network.direction" to "INBOUND" where process includes "inbound". - Mapped "network.direction" to "OUTBOUND" where process includes "outbound". - Mapped "target_ip" to "target.ip". - Mapped "queue_id" to "security_result.detection_fields". - Mapped "security_result.action" to "ALLOW" where "action_code" is "0" or "7" and "service" is "RECV" or "SCAN". - Mapped "security_result.action" to "BLOCK" where "action_code" is "2" and "service" is "RECV" or "SCAN". - Mapped "security_result.action" to "QUARANTINE" where "action_code" is "3" and "service" is "RECV" or "SCAN". |
| 2022-05-19 | Enhancement: - Modified data extraction for email and hdr_from to improve parsing. |