Change log for CB_APP_CONTROL

Date Changes
2025-08-14 Enhancement:
- Moved the process and file UDM mappings from the "about" noun to the "principal" noun, as detailed below.
- event.idm.read_only_udm.about.process.command_line: Removed mapping of deviceProcessName from event.idm.read_only_udm.about.process.command_line UDM field.
- event.idm.read_only_udm.principal.process.parent_process.command_line: Mapped deviceProcessName log field to event.idm.read_only_udm.principal.process.parent_process.command_line UDM field.
- event.idm.read_only_udm.about.file.full_path: Removed mapping of filePath from event.idm.read_only_udm.about.file.full_path UDM field.
- event.idm.read_only_udm.principal.process.file.names: Mapped filePath log field to event.idm.read_only_udm.principal.process.file.names UDM field.
- event.idm.read_only_udm.about.file.sha256: Removed mapping of fileHash from event.idm.read_only_udm.about.file.sha256 UDM field.
- event.idm.read_only_udm.principal.process.file.sha256: Mapped fileHash log field to event.idm.read_only_udm.principal.process.file.sha256 UDM field.
- Moved the code from cb_app_udm_mapping_json.include into the conf file.
- Consolidated all mappings to event.idm.read_only_udm.additional.fields.
- If "principal_userid" is not empty, then set event.idm.read_only_udm.metadata.event_type to SYSTEM_AUDIT_LOG_UNCATEGORIZED and set event.idm.read_only_udm.principal.user.userid to the value of "principal_userid".
- Else if "has_target_user" is true and "has_principal" is true, then set event.idm.read_only_udm.metadata.event_type to USER_LOGIN and set event.idm.read_only_udm.extensions.auth.type to AUTHTYPE_UNSPECIFIED.
- Else if "has_principal" is true and "has_target" is true, then set event.idm.read_only_udm.metadata.event_type to NETWORK_CONNECTION.
- Else if "has_principal" is true, then set event.idm.read_only_udm.metadata.event_type to STATUS_UPDATE.
- Else (if none of the above conditions are met), then set event.idm.read_only_udm.metadata.event_type to GENERIC_EVENT.
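The five conditions above are evaluated in order and the first match wins, so a record that has both a principal and a target user is a USER_LOGIN even though it also satisfies the NETWORK_CONNECTION branch, and a non-empty "principal_userid" overrides everything else. The following Python is an added illustration of that precedence, not the parser's own code (the parser is written in the Chronicle parser configuration language); the flag names follow the entry, the UDM paths are the ones listed above, and the sample user identifier in the usage is a constructed value.

```python
"""Model of the event_type decision chain from the 2025-08-14 change log entry.

Added illustration only: the real logic lives in the parser configuration.
The flags (principal_userid, has_target_user, has_principal, has_target) are
taken as already-derived inputs, exactly as the change log treats them.
"""

UDM_ROOT = "event.idm.read_only_udm"


def classify_event(principal_userid="", has_target_user=False,
                   has_principal=False, has_target=False):
    """Return the UDM fields (relative to UDM_ROOT) set by the decision chain.

    The branches are checked in the order the change log lists them; the
    first branch whose condition holds determines the result.
    """
    fields = {}
    if principal_userid:  # "not empty" check comes first and wins outright
        fields["metadata.event_type"] = "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
        fields["principal.user.userid"] = principal_userid
    elif has_target_user and has_principal:
        fields["metadata.event_type"] = "USER_LOGIN"
        fields["extensions.auth.type"] = "AUTHTYPE_UNSPECIFIED"
    elif has_principal and has_target:
        fields["metadata.event_type"] = "NETWORK_CONNECTION"
    elif has_principal:
        fields["metadata.event_type"] = "STATUS_UPDATE"
    else:
        # Includes the case of a target (or target user) with no principal.
        fields["metadata.event_type"] = "GENERIC_EVENT"
    return fields


def set_path(event, dotted_path, value):
    """Set a value in a nested dict from a dotted UDM path, creating levels."""
    node = event
    parts = dotted_path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value
    return event


def build_event(**flags):
    """Build the nested event structure the flat UDM paths describe."""
    event = {}
    for path, value in classify_event(**flags).items():
        set_path(event, f"{UDM_ROOT}.{path}", value)
    return event


if __name__ == "__main__":
    # Constructed sample inputs showing how precedence decides the event type.
    samples = [
        dict(principal_userid="S-1-5-21-0000000000-1111", has_target_user=True,
             has_principal=True, has_target=True),   # userid wins -> SYSTEM_AUDIT_LOG_UNCATEGORIZED
        dict(has_target_user=True, has_principal=True, has_target=True),  # -> USER_LOGIN
        dict(has_principal=True, has_target=True),                        # -> NETWORK_CONNECTION
        dict(has_principal=True),                                         # -> STATUS_UPDATE
        dict(has_target_user=True, has_target=True),                      # no principal -> GENERIC_EVENT
    ]
    for flags in samples:
        print(flags, "->", classify_event(**flags)["metadata.event_type"])
```

The constructed sample table in the usage block is the quickest way to check a parser change against the intended precedence: any reordering of the branches changes at least one of those five results.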
2025-06-17 Enhancement:
- Modified the conditional mapping for the `log_source` field. Added a grok pattern to identify IP addresses; when an IP is found, it is mapped to `event.idm.read_only_udm.intermediary.ip` and `event.idm.read_only_udm.intermediary.asset.ip`. Otherwise, a second grok pattern identifies hostnames; when a hostname is found, it is mapped to `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname`. Otherwise, the existing mapping to `event.idm.read_only_udm.security_result.about.labels` is used.
- event.idm.read_only_udm.principal.file.full_path: Newly mapped `process` raw log field with `event.idm.read_only_udm.principal.file.full_path` UDM field.
2025-05-21 Enhancement
- `log_format`: Added `grok` support for `syslog` format.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `time` log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `syslog_priority` log field with `event.idm.read_only_udm.security_result.severity_details` UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `event_type_data` log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- event.idm.read_only_udm.security_result.about.labels: Newly mapped `log_source` log field with `event.idm.read_only_udm.security_result.about.labels` UDM field.
- event.idm.read_only_udm.metadata.description: Newly mapped `text` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `type` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `subtype` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `username` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.metadata.collected_timestamp: Newly mapped `date` raw log field with `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `ip_address` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.target.file.full_path: Newly mapped `file_path` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field.
- event.idm.read_only_udm.target.process.file.names: Newly mapped `file_name` raw log field with `event.idm.read_only_udm.target.process.file.names` UDM field.
- event.idm.read_only_udm.target.file.sha256: Newly mapped `file_hash` raw log field with `event.idm.read_only_udm.target.file.sha256` UDM field.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped `policy` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `server_version` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field.
- event.idm.read_only_udm.security_result.about.labels: Newly mapped `file_trust` raw log field with `event.idm.read_only_udm.security_result.about.labels` UDM field.
- event.idm.read_only_udm.security_result.about.labels: Newly mapped `file_threat` raw log field with `event.idm.read_only_udm.security_result.about.labels` UDM field.
- Modified the conditional logic so that JSON messages (`message` =~ `^{`) are processed by the `json` filter and then by `cb_app_udm_mapping_json.include`.
- Modified the conditional logic so that CEF messages (`message` =~ `CEF`) are processed by `cef_extraction.include` and `cef_udm_mapping.include`.
- Added conditional logic so that messages matching neither `^{` nor `CEF` (`message` !~ `^{` and `message` !~ `CEF`) are dropped with `TAG_MALFORMED_MESSAGE`.
- Initialized the `hostId` field with empty strings to ensure proper data mapping. This field was previously uninitialized.
- Refactored the mappings of `msg_data.HostId`, `msg_data.FileTrust`, `msg_data.Message`, `msg_data.PathName`, `msg_data.HostName`, `msg_data.FileHash`, `msg.host.hostname`, `msg_data.ProcessPathName`, `msg_data.ProcessPath`, `msg.log.file.path`, `msg_data.HostIP`, `msg_data.UserName`, `msg.agent.id`, `msg.agent.type`, `msg.agent.name`, `msg.agent.ephemeral_id`, `msg.host.id`, `msg.host.architecture` and `msg.host.os.platform` from a single `rename` block into multiple `replace` blocks, each with its own `on_error` handler, improving robustness.
- Modified the `mac` address mapping: changed the source field from `host_mac` to `msg.host.mac` in the `for` loop.
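Two of the changes in this log are ordered pattern chains whose behaviour depends on which check runs first: the message-format routing in the 2025-05-21 entry (`^{` to the JSON path, then `CEF` to the CEF path, else drop with `TAG_MALFORMED_MESSAGE`) and the `log_source` placement in the 2025-06-17 entry (IP, then hostname, else labels). The Python below is an added model of both chains, not the parser's or the product's code. It assumes anchored whole-value matches for the IP and hostname checks (the change log only says "grok pattern"; the regular expressions here are stand-ins for the grok `IP` and `HOSTNAME` patterns), treats a message that starts with `{` but is not valid JSON as malformed (the change log does not say), and uses a constructed label key `log_source` because the real key is not stated. All sample messages are constructed.

```python
"""Added model of two ordered pattern chains from the CB_APP_CONTROL change log.

1. route_message: 2025-05-21 routing of raw messages to JSON / CEF / drop.
2. place_log_source: 2025-06-17 placement of the `log_source` value.

Not the parser's own code; regexes and the label key are assumptions.
"""
import json
import re

TAG_MALFORMED_MESSAGE = "TAG_MALFORMED_MESSAGE"

# Stand-ins for the grok IP (IPv4 only here) and HOSTNAME patterns, anchored so
# the whole value must match.  Assumption: the parser matches the full field.
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
LABEL_KEY = "log_source"  # constructed; the real label key is not in the change log


def route_message(message):
    """Return ("json", parsed) / ("cef", message) / ("drop", TAG_MALFORMED_MESSAGE).

    The JSON check is anchored at the start of the message and runs first, so a
    JSON payload whose body happens to contain "CEF" still takes the JSON path.
    """
    if re.match(r"^\{", message):
        try:
            return ("json", json.loads(message))
        except json.JSONDecodeError:
            # Assumption: a "{"-prefixed message that is not JSON is malformed.
            return ("drop", TAG_MALFORMED_MESSAGE)
    if re.search(r"CEF", message):
        return ("cef", message)
    return ("drop", TAG_MALFORMED_MESSAGE)


def place_log_source(log_source):
    """Return the UDM fields (relative to event.idm.read_only_udm) for log_source.

    IP is tested before hostname because a dotted IPv4 address also satisfies
    the hostname pattern; swapping the order would turn every IP into a hostname.
    """
    if IPV4_RE.match(log_source):
        return {"intermediary.ip": [log_source],
                "intermediary.asset.ip": [log_source]}
    if HOSTNAME_RE.match(log_source):
        return {"intermediary.hostname": log_source,
                "intermediary.asset.hostname": log_source}
    return {"security_result.about.labels":
            [{"key": LABEL_KEY, "value": log_source}]}


if __name__ == "__main__":
    # Constructed sample messages exercising each branch of the routing chain.
    for msg in ['{"HostName": "cbserver01", "Message": "CEF mentioned in body"}',
                "CEF:0|CarbonBlack|AppControl|0.0|1|Sample|3|src=10.0.0.5",
                "{not really json",
                "plain text with no recognised format"]:
        kind, payload = route_message(msg)
        print(kind, "->", payload if kind != "json" else sorted(payload))
    # Constructed log_source values for each branch of the placement chain.
    for value in ["10.20.30.40", "cbserver01.example.com", "App Control Server"]:
        print(value, "->", place_log_source(value))
```

A message routed to `drop` leaves no UDM event, so when validating a parser change it is worth counting how many sample lines end up tagged `TAG_MALFORMED_MESSAGE` rather than only checking the ones that parse.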
2024-07-29 Enhancement
- Added a Grok pattern to extract the hostname and mapped it to "intermediary.hostname".
2022-07-01 Enhancement
- Mapped the field 'agent.type' to 'observer.application'.
- Mapped the field 'agent.name' to 'observer.user.userid'.
- Mapped the field 'host.name' to 'observer.hostname'.
- Mapped the field 'agent.type' and 'agent.name' to 'observer.asset_id'.
- Mapped the field 'agent.ephemeral_id' to 'observer.labels'.
- Mapped the field 'host.os.platform' to 'target.platform'.
- Mapped the field 'host.os.version' to 'target.platform_version'.
- Mapped the field 'host.os.kernel' to 'target.platform_patch_level'.
- Mapped the field 'cloud.instance.id' to 'principal.resource.product_object_id'.
- Mapped the field 'cloud.instance.name' to 'principal.resource.name'.
- Mapped the field 'host.mac' to 'target.mac'.
- Mapped the field 'host.ip' to 'target.asset.ip'.
- Mapped the field 'host.id' to 'target.asset.asset_id'.
- Mapped the field 'host.architecture' to 'target.asset.hardware'.
- Mapped the field 'message.UserSID' to 'principal.user.userid'.
- Mapped the field 'message.ProcessPath' to 'about.process.command_line'.
- Mapped the field 'cloud.machine.type' and 'cloud.provider' to 'principal.resource.attribute.labels'.
- Added conditional checks for 'message.Bit9Server' and 'message.HostId' mapped to 'metadata.url_back_to_product'.
2022-06-22 Bug-Fix
- Mapped hostId to principal.asset_id
- Mapped Bit9Server and HostId combination to metadata.url_back_to_product
2022-05-19 Bug-Fix
- Parsed the logs requested in the bug.
- Parsed API-failure logs.