Change log for CIS_ALBERT_ALERT

Date Changes
2025-04-16 Enhancement -
- Added `overwrite` and `on_error` to `grok`.
- Added `drop` for malformed logs.
- `json_log`: Added support for `json_log` format.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `sourceip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `sourceip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- Updated `has_principal` to `true` when `event.idm.read_only_udm.principal.ip` or `event.idm.read_only_udm.principal.asset.ip` is not null.
- `event.idm.read_only_udm.metadata.description`: Newly mapped `description` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `event_id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `queue`, `activity_summary`, `siem_event_id`, `previous_escalations` and `status` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.principal.resource.id`: Newly mapped `logical_sensor_id` raw log field with `event.idm.read_only_udm.principal.resource.id` UDM field.
- `event.idm.read_only_udm.security_result.severity`: Mapped the `event.idm.read_only_udm.security_result.severity` UDM field to `LOW` if `severity` is `Informational`, `MEDIUM` if `severity` is `Warning` and `HIGH` if `severity` is `Critical`.
- `event.idm.read_only_udm.security_result.description`: Newly mapped `analysis` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: Mapped the `event.idm.read_only_udm.metadata.event_type` UDM field to `STATUS_UPDATE` if `has_principal` is `true`.
2022-10-10 Enhancement - Some logs contain malformed data (such as extra \") that causes JSON parsing to fail.
Added regexes and gsubs to transform logs into valid JSON format.
- Added conditional check for fields "src_ip", "target_ip", "target_port", "protocol".
2022-05-20 Enhancement - Some logs contain malformed data (such as extra \") that causes JSON parsing to fail.
Added regexes and gsubs to transform logs into valid JSON format.