Change log for CLAROTY_XDOME
Date | Changes |
---|---|
2025-08-12 | - Added a `gsub` on the `message` field so that logs are parsed correctly.<br>- `event.idm.read_only_udm.principal.asset.attribute.labels`: newly mapped the `affected_device.retired` raw log field to this UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: corrected the mapping of the `vulnerability_info.name` raw log field and mapped it to this UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip` and `event.idm.read_only_udm.principal.ip`: newly mapped the `management_ip` raw log field to both UDM fields.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: newly mapped the `time` raw log field to this UDM field. |
2025-07-31 | - `event.idm.read_only_udm.security_result.rule_id`: removed the `alert_id` raw log field from this UDM field, because `alert_id` is a unique identifier for the alert and does not belong in `rule_id`.<br>- `event.idm.read_only_udm.additional.fields`: mapped the `alert_id` raw log field to this UDM field.<br>- `event.idm.read_only_udm.additional.fields`: removed the mapping for `attack data` from this UDM field, because `security_result.attack_details` is the field designed to hold details about an attack.<br>- `event.idm.read_only_udm.security_result.attack_details`: mapped the `attack data` raw log field to this UDM field.<br>- `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: removed the mapping for `observer_hostname` from both UDM fields, because it incorrectly attributed the observer's information to the principal.<br>- `event.idm.read_only_udm.observer.hostname`: mapped the `observer_hostname` raw log field to this UDM field.<br>- Changed `event.idm.read_only_udm.metadata.product_event_type` to include both the `type` and `category` raw log fields.<br>- Used `SCAN_VULN_HOST` for the `vulnerability_affected_device` product event type.<br>- `event.idm.read_only_udm.security_result.detection_fields`: removed the `Vulnerabilities` raw log field from this UDM field, because it contains detailed vulnerability information.<br>- `event.idm.read_only_udm.extensions.vulns.vulnerabilities`: mapped the `vulnerabilities` raw log field to this UDM field.<br>- Renamed the `host` field to `observer_hostname` so that the `observer` UDM noun is populated.<br>- `event.idm.read_only_udm.principal.user.userid`: removed the mapping of the `client_id` raw log field to this UDM field, because `client_id` is not a user ID.<br>- `event.idm.read_only_udm.target.asset.asset_id`: mapped the `client_id` raw log field to this UDM field.<br>- `event.idm.read_only_udm.additional.fields`: removed the mapping of the `device_asset_id` raw log field to this UDM field, because it refers to the asset that performed the action.<br>- `event.idm.read_only_udm.principal.asset.asset_id`: mapped the `device_asset_id` raw log field to this UDM field.<br>- Improved the application-protocol and IP handling logic using libs.<br>- Extracted signature information from nested JSON into `security_result.rule_name` and `security_result.rule_id`. |
2025-01-29 | - Newly created parser. |