Change log for CHECKPOINT_EDR
Date | Changes |
---|---|
2025-07-15 | Enhancement
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped `src_machine_name` raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.
- event.idm.read_only_udm.principal.user.email_addresses: Newly mapped `user_name` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `src_user_name` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.user.windows_sid: Newly mapped `user_sid` raw log field with `event.idm.read_only_udm.principal.user.windows_sid` UDM field.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped `src` and `origin` raw log fields with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Newly mapped `dst` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `process_exe_path` raw log field with `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
- event.idm.read_only_udm.target.url: Newly mapped `resource` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.target.hostname and event.idm.read_only_udm.target.asset.hostname: Newly mapped `appi_name` raw log field with `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `matched_category` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.principal.resource.name: Newly mapped `policy_name` raw log field with `event.idm.read_only_udm.principal.resource.name` UDM field.
- event.idm.read_only_udm.principal.resource.product_object_id: Newly mapped `policy_number` raw log field with `event.idm.read_only_udm.principal.resource.product_object_id` UDM field.
- event.idm.read_only_udm.security_result.summary: Newly mapped `reason` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- event.idm.read_only_udm.security_result.action_details: Newly mapped `action` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.
- event.idm.read_only_udm.security_result.action: Newly mapped `action` raw log field with `event.idm.read_
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `protection_name` and `protection_type` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `loguid`, `sequencenum`, `policy_date`, `usercheck_incident_uid`, `tenant_id`, `exclusion_engine_type`, `exclusion_type` and `virtual_groups` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `client_name` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `client_version` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field.
- event.idm.read_only_udm.principal.asset.platform_software.platform: Newly mapped `os_name` raw log field with `event.idm.read_only_udm.principal.asset.platform_software.platform` UDM field.
- event.idm.read_only_udm.principal.asset.platform_software.platform_version: Newly mapped `os_version` raw log field with `event.idm.read_only_udm.principal.asset.platform_software.platform_version` UDM field.
- event.idm.read_only_udm.metadata.product_name: Newly mapped `product` raw log field with `event.idm.read_only_udm.metadata.product_name` UDM field.
- event.idm.read_only_udm.principal.asset.software: Newly mapped `installed_products` raw log field with `event.idm.read_only_udm.principal.asset.software` UDM field.
- event.idm.read_only_udm.network.direction: Set `event.idm.read_only_udm.network.direction` to `INBOUND` if the `ifdir` raw log field is `Inbound`, or to `OUTBOUND` if it is `Outbound`.
- event.idm.read_only_udm.metadata.description: Newly mapped `description` raw log field with `event.idm.read_only_udm.metadata.description` UDM field. |
2024-05-09 | Enhancement
- Parsed logs whose `event_type` field is empty.
- Added support for the MEPP, Compliance, Anti-Malware, and Threat Emulation logs. |
2022-09-07 | Enhancement
- Parsed logs whose `event_type` field is empty.
- Mapped `client_ip` to `event.edr.network.target_ip`.
- Mapped `origin` to `event.edr.network.target_ip` if `client_ip` is empty.
- Mapped `subject` to `event.edr.task.task_name`.
- Mapped `host_name` to `event.edr.client.hostname`.
- Mapped `ifdir` to `event.edr.network.direction`. |
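The following is an added example that models the 2025-07-15 mapping row above so a detection engineer can check, offline, which UDM fields a given Check Point EDR event will populate before writing a rule against them. It is not the Google SecOps parser and not Check Point code. Assumptions: the raw event is a space-separated `key=value` line with optional double-quoted values (the change log shows no raw sample, so the sample line is constructed), `principal.ip`, `principal.user.email_addresses`, `security_result.detection_fields`, `additional.fields` and `target.resource.attribute.labels` are treated as repeated fields, and the `security_result.action` enum mapping is left out because the change log truncates that entry.

```python
"""Model of the CHECKPOINT_EDR raw-field -> UDM mapping from the 2025-07-15 row.

Added illustration, not the vendor parser. The key=value syslog layout and
the sample event below are constructed assumptions.
"""
import json
import re

# Raw log field -> UDM path(s) under event.idm.read_only_udm, per the change log.
FIELD_MAP: dict[str, tuple[str, ...]] = {
    "src_machine_name": ("principal.hostname", "principal.asset.hostname"),
    "user_name": ("principal.user.email_addresses",),
    "src_user_name": ("principal.user.userid",),
    "user_sid": ("principal.user.windows_sid",),
    "src": ("principal.ip", "principal.asset.ip"),
    "origin": ("principal.ip", "principal.asset.ip"),
    "dst": ("target.ip", "target.asset.ip"),
    "process_exe_path": ("principal.process.file.full_path",),
    "resource": ("target.url",),
    "appi_name": ("target.hostname", "target.asset.hostname"),
    "matched_category": ("security_result.category_details",),
    "policy_name": ("principal.resource.name",),
    "policy_number": ("principal.resource.product_object_id",),
    "reason": ("security_result.summary",),
    "severity": ("security_result.severity",),
    "action": ("security_result.action_details",),
    "client_version": ("metadata.product_version",),
    "os_name": ("principal.asset.platform_software.platform",),
    "os_version": ("principal.asset.platform_software.platform_version",),
    "product": ("metadata.product_name",),
    "description": ("metadata.description",),
}
# Raw fields that land as key/value pairs in a repeated UDM field.
DETECTION_FIELDS = ("protection_name", "protection_type")
ADDITIONAL_FIELDS = ("loguid", "sequencenum", "policy_date", "usercheck_incident_uid",
                     "tenant_id", "exclusion_engine_type", "exclusion_type", "virtual_groups")
# Assumption: these UDM paths are repeated, so values append instead of overwrite.
REPEATED = {"principal.ip", "principal.asset.ip", "principal.user.email_addresses"}

# key=value pairs; a quoted value may contain spaces and backslashes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw(line: str) -> dict[str, str]:
    """Split one key=value log line into raw fields, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def _set(udm: dict, path: str, value, repeated: bool) -> None:
    """Write value at a dotted UDM path, creating intermediate objects."""
    node = udm
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    if repeated:
        node.setdefault(leaf, []).append(value)
    else:
        node[leaf] = value


def to_udm(raw: dict[str, str]) -> dict:
    """Apply the documented mapping to raw fields; unmapped raw fields are dropped."""
    udm: dict = {}
    for field, value in raw.items():
        for path in FIELD_MAP.get(field, ()):
            _set(udm, path, value, path in REPEATED)
    for name in DETECTION_FIELDS:
        if name in raw:
            _set(udm, "security_result.detection_fields", {"key": name, "value": raw[name]}, True)
    for name in ADDITIONAL_FIELDS:
        if name in raw:
            _set(udm, "additional.fields", {"key": name, "value": raw[name]}, True)
    if "client_name" in raw:
        _set(udm, "target.resource.attribute.labels",
             {"key": "client_name", "value": raw["client_name"]}, True)
    # ifdir is only mapped for the two documented values; anything else leaves direction unset.
    direction = {"Inbound": "INBOUND", "Outbound": "OUTBOUND"}.get(raw.get("ifdir", ""))
    if direction:
        _set(udm, "network.direction", direction, False)
    return udm


# Constructed sample event (not a real Check Point log).
SAMPLE_LINE = (
    r'time=1752566400 loguid={0x1} sequencenum=3 product="Endpoint Security" '
    r'src=10.0.0.5 origin=10.0.0.1 dst=203.0.113.10 src_machine_name=WS01 '
    r'src_user_name=jdoe user_name=jdoe@example.com user_sid=S-1-5-21-1-2-3-1001 '
    r'process_exe_path="C:\Users\jdoe\AppData\Local\Temp\dropper.exe" '
    r'protection_name="Generic.Malware" protection_type=Anti-Malware severity=High '
    r'action=Prevent reason="Malicious file" ifdir=Outbound os_name=Windows '
    r'os_version=10 client_version=88.30 client_name="Endpoint Client"'
)

if __name__ == "__main__":
    print(json.dumps(to_udm(parse_raw(SAMPLE_LINE)), indent=2))
```

Running the module prints the nested UDM object for the sample, which makes it easy to see that `src` and `origin` both land in `principal.ip`, that `action` is only exposed as free text in `security_result.action_details`, and that an event with `ifdir` missing or set to another value will have no `network.direction` at all, so a rule filtering on that field will silently skip it.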