Change log for CLOUDFLARE
| Date | Changes |
|---|---|
| 2025-08-01 | Enhancement:
- event.idm.read_only_udm.additional.fields: Newly mapped `CacheReserveUsed`, `CacheTieredFill`, `EdgeCFConnectingO2O`, `EdgePathingOp`, `EdgePathingSrc`, `EdgePathingStatus`, `EdgeResponseBodyBytes`, `EdgeResponseCompressionRatio`, `OriginResponseDurationMs`, `OriginResponseHeaderReceiveDurationMs` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped ClientMTLSAuthStatus raw log field(s) with event.idm.read_only_udm.security_result.detection_fields` UDM field. - Updated UDM fields mapping to parse raw log fields as integers: - event.idm.read_only_udm.security_result.labels, event.idm.read_only_udm.security_result.about.resource.attribute.labels: Removed mapping of `WAFAttackScore` from `event.idm.read_only_udm.security_result.labels` UDM field. - event.idm.read_only_udm.additional.fields: Mapped `WAFAttackScore` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.labels, event.idm.read_only_udm.security_result.about.resource.attribute.labels: Removed mapping of `WAFFlags` from `event.idm.read_only_udm.security_result.labels` UDM field. - event.idm.read_only_udm.additional.fields: Mapped `WAFFlags` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.labels, event.idm.read_only_udm.security_result.about.resource.attribute.labels: Removed mapping of `WAFRCEAttackScore` from `event.idm.read_only_udm.security_result.labels` UDM field. - event.idm.read_only_udm.additional.fields: Mapped `WAFRCEAttackScore` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.labels, event.idm.read_only_udm.security_result.about.resource.attribute.labels: Removed mapping of `WAFSQLiAttackScore` from `event.idm.read_only_udm.security_result.labels` UDM field. - event.idm.read_only_udm.additional.fields: Mapped `WAFSQLiAttackScore` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.labels, event.idm.read_only_udm.security_result.about.resource.attribute.labels: Removed mapping of `WAFXSSAttackScore` from `event.idm.read_only_udm.security_result.labels` UDM field. - event.idm.read_only_udm.additional.fields: Mapped `WAFXSSAttackScore` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Removed mapping of `BotScore` from `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.additional.fields: Mapped `BotScore` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. - Added logic to default event.idm.read_only_udm.metadata.event_type to GENERIC_EVENT if it is not set by previous parsing logic. |
| 2025-06-24 | Enhancement:
- for field `ProtocolState` the key is updated from `IPProtocol` to `ProtocolState`. - Renamed `ClientTCPHandshakeDurationMs` to `log.ClientTCPHandshakeDurationMs`, `ClientTLSHandshakeDurationMs` to `log.ClientTLSHandshakeDurationMs`, `ConnectionCloseReason` to `log.ConnectionCloseReason`, `ConnectionReuse` to `log.ConnectionReuse`, `DestinationTunnelID` to `log.DestinationTunnelID`, `EgressColoName` to `log.EgressColoName`, `EgressRuleID` to `log.EgressRuleID`, `EgressRuleName` to `log.EgressRuleName`, `IngressColoName` to `log.IngressColoName`, `Offramp` to `log.Offramp`, `OriginTLSCertificateIssuer` to `log.OriginTLSCertificateIssuer`, `OriginTLSCertificateValidationResult` to `log.OriginTLSCertificateValidationResult`, `OriginTLSCipher` to `log.OriginTLSCipher`, `OriginTLSHandshakeDurationMs` to `log.OriginTLSHandshakeDurationMs`, `OriginTLSVersion` to `log.OriginTLSVersion`, `RuleEvaluationDurationMs` to `log.RuleEvaluationDurationMs`, `SessionEndTime` to `log.SessionEndTime`, `WAFAction` to `log.WAFAction`, `WAFProfile` to `log.WAFProfile`, `WAFFlags` to `log.WAFFlags`, `WAFRuleID` to `log.WAFRuleID`, `WAFAttackScore` to `log.WAFAttackScore`, `WAFRCEAttackScore` to `log.WAFRCEAttackScore`, `WAFSQLiAttackScore` to `log.WAFSQLiAttackScore`, `WAFXSSAttackScore` to `log.WAFXSSAttackScore`, `SecurityRuleID` to `log.SecurityRuleID`, `ClientRequestSource` to `log.ClientRequestSource`, `CacheCacheStatus` to `log.CacheCacheStatus`, `CacheResponseBytes` to `log.CacheResponseBytes`, `CacheResponseStatus` to `log.CacheResponseStatus`, `ClientDeviceType` to `log.ClientDeviceType`, `EdgeColoCode` to `log.EdgeColoCode`, `EdgeColoID` to `log.EdgeColoID`, `OriginResponseBytes` to `log.OriginResponseBytes`, `OriginResponseStatus` to `log.OriginResponseStatus`, `OriginResponseTime` to `log.OriginResponseTime`, `ZoneID` to `log.ZoneID`, `PostureCheckName` to `log.PostureCheckName`, `PostureCheckType` to `log.PostureCheckType`, `PostureEvaluatedResult` to `log.PostureEvaluatedResult`, `ClientASN` to `log.ClientASN`, `ClientRequestScheme` to `log.ClientRequestScheme`, `ClientASNDescription` to `log.ClientASNDescription`, `ClientIPClass` to `log.ClientIPClass`, `IPSourceSubnet` to `log.IPSourceSubnet`, `SourceASN` to `log.SourceASN`, `SourceASNName` to `log.SourceASNName`, `SourceGeoHash` to `log.SourceGeoHash`, `IPDestinationSubnet` to `log.IPDestinationSubnet`, `DestinationASN` to `log.DestinationASN`, `DestinationASNName` to `log.DestinationASNName`, `DestinationGeoHash` to `log.DestinationGeoHash`, `Connection` to `log.Connection`, `IntegrationDisplayName` to `log.IntegrationDisplayName`, `IntegrationPolicyVendor` to `log.IntegrationPolicyVendor`, `Ref` to `log.Ref`, `Source` to `log.Source`, `ColoCity` to `log.ColoCity`, `ColoName` to `log.ColoName`, `ColoCode` to `log.ColoCode`, `ColoCountry` to `log.ColoCountry`, `ColoGeoHash` to `log.ColoGeoHash`, `TCPFlagsString` to `log.TCPFlagsString`, `TCPOptions` to `log.TCPOptions`, `TCPAcknowledgementNumber` to `log.TCPAcknowledgementNumber`, `TCPChecksum` to `log.TCPChecksum`, `TCPDataOffset` to `log.TCPDataOffset`, `TCPFlags` to `log.TCPFlags`, `TCPMSS` to `log.TCPMSS`, `TCPSACKBlocks` to `log.TCPSACKBlocks`, `TCPSACKPermitted` to `log.TCPSACKPermitted`, `TCPSequenceNumber` to `log.TCPSequenceNumber`, `TCPTimestampECR` to `log.TCPTimestampECR`, `TCPTimestampValue` to `log.TCPTimestampValue`, `TCPUrgentPointer` to `log.TCPUrgentPointer`, `TCPWindowScale` to `log.TCPWindowScale`, `TCPWindowSize` to `log.TCPWindowSize`, `UDPChecksum` to `log.UDPChecksum`, `UDPPayloadLength` to `log.UDPPayloadLength`, `Verdict` to `log.Verdict`, `MitigationReason` to `log.MitigationReason`, `MitigationScope` to `log.MitigationScope`, `MitigationSystem` to `log.MitigationSystem`, `IPTTL` to `log.IPTTL`, `IPTTLBuckets` to `log.IPTTLBuckets`, `IPTotalLength` to `log.IPTotalLength`, `IPTotalLengthBuckets` to `log.IPTotalLengthBuckets`, `IPv4Checksum` to `log.IPv4Checksum`, `IPv4DSCP` to `log.IPv4DSCP`, `IPv4DontFragment` to `log.IPv4DontFragment`, `IPv4ECN` to `log.IPv4ECN`, `IPv4Identification` to `log.IPv4Identification`, `IPv4Options` to `log.IPv4Options`, `IPv6DSCP` to `log.IPv6DSCP`, `IPv6ECN` to `log.IPv6ECN`, `IPv6ExtensionHeaders` to `log.IPv6ExtensionHeaders`, `IPv6FlowLabel` to `log.IPv6FlowLabel`, `IPv6Identification` to `log.IPv6Identification`, `GREChecksum` to `log.GREChecksum`, `GREEtherType` to `log.GREEtherType`, `GREHeaderLength` to `log.GREHeaderLength`, `GREKey` to `log.GREKey`, `GRESequenceNumber` to `log.GRESequenceNumber`, `GREVersion` to `log.GREVersion`, `ICMPChecksum` to `log.ICMPChecksum`, `ICMPType` to `log.ICMPType`, `ICMPCode` to `log.ICMPCode`, `AttackCampaignID` to `log.AttackCampaignID`, `AttackID` to `log.AttackID`, `AttackVector` to `log.AttackVector`, `SampleInterval` to `log.SampleInterval`, `IPProtocol` to `log.IPProtocol`, `ProtocolState` to `log.ProtocolState`, `RulesetID` to `log.RulesetID`, `RulesetOverrideID` to `log.RulesetOverrideID`, `BotScore` to `log.BotScore`, `AssetMetadata.anonymous` to `log.anonymous`, and `AssetMetadata.nativeApp` to `log.nativeApp`. - Updated the mapping of `event.idm.read_only_udm.additional.fields` to utilize a generalized map for fields `Application`, `ClientAsn`, `ColoCode`, `OriginProto`, `Status`, `ProxyProtocol`, `ClientTCPHandshakeDurationMs`, `ClientTLSHandshakeDurationMs`, `ConnectionCloseReason`, `ConnectionReuse`, `DestinationTunnelID`, `EgressColoName`, `EgressRuleID`, `EgressRuleName`, `IngressColoName`, `Offramp`, `OriginTLSCertificateIssuer`, `OriginTLSCertificateValidationResult`, `OriginTLSCipher`, `OriginTLSHandshakeDurationMs`, `OriginTLSVersion`, `RuleEvaluationDurationMs`, `SessionEndTime`, `ClientRequestSource`, `CacheCacheStatus`, `CacheResponseBytes`, `CacheResponseStatus`, `ClientDeviceType`, `EdgeColoCode`, `EdgeColoID`, `OriginResponseBytes`, `OriginResponseStatus`, `OriginResponseTime`, `ZoneID`, `PostureCheckName`, `PostureCheckType`, `PostureEvaluatedResult`, `ClientASN`, `ClientRequestScheme`, `ClientASNDescription`, `ClientIPClass`, `Ref`, `Source`, `IntegrationDisplayName`, `IntegrationPolicyVendor`, `ColoCity`, `ColoName`, `ColoCountry`, `ColoGeoHash`, `TCPFlagsString`, `TCPOptions`, `TCPAcknowledgementNumber`, `TCPChecksum`, `TCPDataOffset`, `TCPFlags`, `TCPMSS`, `TCPSACKBlocks`, `TCPSACKPermitted`, `TCPSequenceNumber`, `TCPTimestampECR`, `TCPTimestampValue`, `TCPUrgentPointer`, `TCPWindowScale`, `TCPWindowSize`, `UDPChecksum`, `UDPPayloadLength`, `Verdict`, `MitigationReason`, `MitigationScope`, `MitigationSystem`, `IPTTL`, `IPTTLBuckets`, `IPTotalLength`, `IPTotalLengthBuckets`, `IPv4Checksum`, `IPv4DSCP`, `IPv4DontFragment`, `IPv4ECN`, `IPv4Identification`, `IPv4Options`, `IPv6DSCP`, `IPv6ECN`, `IPv6ExtensionHeaders`, `IPv6FlowLabel`, `IPv6Identification`, `GREChecksum`, `GREEtherType`, `GREHeaderLength`, `GREKey`, `GRESequenceNumber`, `GREVersion`, `ICMPChecksum`, `ICMPType`, `ICMPCode`, `AttackCampaignID`, `AttackID`, `AttackVector`, `SampleInterval`, `IPProtocol`, and `ProtocolState`. - Updated the mapping of `event.idm.read_only_udm.security_result.detection_fields` to utilize a generalized map for fields `anonymous`, `nativeApp`, `BotScore`, `RulesetID`, `RulesetOverrideID`, `ClientMatchedIpFirewall`, `Event`, `OriginBytes`, `IpFirewall`, `ConnectTimestamp`, `DisconnectTimestamp`, `PostureExpectedJSON.os`, `PostureExpectedJSON.operator`, `PostureExpectedJSON.connection_id`, `PostureReceivedJSON.os`, `PostureReceivedJSON.overall`, `PostureReceivedJSON.version`, and `PostureReceivedJSON.state`. - Updated the mapping of `event.idm.read_only_udm.security_result.about.labels` and `event.idm.read_only_udm.security_result.about.resource.attribute.labels` to utilize a generalized map for fields `WAFAction`, `SecurityRuleID`, `WAFRuleID`, `WAFProfile`, `WAFAttackScore`, `WAFFlags`, `WAFRCEAttackScore`, `WAFSQLiAttackScore`, and `WAFXSSAttackScore`. - Updated the mapping of `event.idm.read_only_udm.principal.resource.attribute.labels` to utilize a generalized map for fields `IPSourceSubnet`, `SourceASN`, `SourceASNName`, and `SourceGeoHash`. - Updated the mapping of `event.idm.read_only_udm.target.resource.attribute.labels` to utilize a generalized map for fields `IPDestinationSubnet`, `DestinationASN`, `DestinationASNName`, `DestinationGeoHash`, and `Connection`. - Updated the mapping of `event.idm.read_only_udm.principal.user.attribute.labels` to utilize a generalized map for fields `agreedToTerms`, `ipWhitelisted`, `isEnforcedIn2Sv`, `isEnrolledIn2Sv`, `isDelegatedAdmin`, `changePasswordAtNextLogin`, `includeInGlobalAddressList`, `isAdmin`, `suspended`, `lastLoginTime`, `site_admin`. - Removed redundant code for `event.idm.read_only_udm.network.sent_bytes`, `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`, `event.idm.read_only_udm.principal.port`, `event.idm.read_only_udm.target.port`, `event.idm.read_only_udm.target.ip`, `event.idm.read_only_udm.target.asset.ip`, `event.idm.read_only_udm.target.hostname`, `event.idm.read_only_udm.network.ip_protocol`, `event.idm.read_only_udm.metadata.product_log_id`, `event.idm.read_only_udm.network.http.method`, `event.idm.read_only_udm.network.http.response_code`, `event.idm.read_only_udm.network.sent_bytes`, `event.idm.read_only_udm.network.http.user_agent`, `event.idm.read_only_udm.network.http.parsed_user_agent`, and `event.idm.read_only_udm.network.session_id`. - Added a common field `target_ip` and mapped it to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`. - Added a common field `target_port` and mapped it to `event.idm.read_only_udm.target.port`. - Added a common field `target_hostname` and mapped it to `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname`. - Added a common field `principal_ip` and mapped it to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`. - Added a common field `principal_port` and mapped it to `event.idm.read_only_udm.principal.port`. - Added a common field `network_sent_bytes` and mapped it to `event.idm.read_only_udm.network.sent.bytes`. - Added conditonal check for fields `log.ClientCountry`, `log.OriginIP`, `log.OriginPort`, `log.Timestamp`, `log.ClientPort`, `log.ClientBytes`, `log.ClientProto`, `security_result` - Added on_error for `QueryName`. - If `event_type_value` is not set, `has_principal` is `true`, and `has_target` is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION`. - If `event_type_value` is not set and `has_principal_user` is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED`. - If `event_type_value` is not set, `has_principal` is `true`, and `has_target` is `false`, then set `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE`. - If `event_type_value` is not set, `has_principal` is `false`, `has_target` is `false`, and `has_principal_user` is `false`, then set `event.idm.read_only_udm.metadata.event_type` to `GENERIC_EVENT`. |
| 2025-06-09 | Enhancement:
- event.idm.read_only_udm.security_result.action_details : Newly Mapped `Action` raw log field with `event.idm.read_only_udm.security_result.action_details`. - Added conditional check before mapping to `event.idm.read_only_udm.security_result.action. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientRequestScheme` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientASN` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `Ref` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `Source` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `EdgeColoCode` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientASNDescription` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientIPClass` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.src.hostname: Newly Mapped `ClientRequestHost` raw log field with `event.idm.read_only_udm.src.hostname` UDM field. - event.idm.read_only_udm.src.file.full_path: Newly Mapped `ClientRequestPath` raw log field with `event.idm.read_only_udm.src.file.full_path` UDM field. - event.idm.read_only_udm.network.http.user_agent: Newly Mapped `ClientUserAgent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field. - event.idm.read_only_udm.security_result.description: Newly Mapped `Description` raw log field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.principal.application: Newly Mapped `Kind` raw log field with `event.idm.read_only_udm.principal.application` UDM field. - event.idm.read_only_udm.network.session_id: Newly Mapped `RayID` raw log field with `event.idm.read_only_udm.network.session_id` UDM field. - event.idm.read_only_udm.network.application_protocol: Newly Mapped `client_request_proto` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field. - event.idm.read_only_udm.network.application_protocol_version: Newly Mapped `version` raw log field with `event.idm.read_only_udm.network.application_protocol_version` UDM field. |
| 2025-03-20 | Enhancement:
- Added a null check before mapping "UserID" to "principal.user.product_object_id". - Added a regex expression check before mapping "QueryName" to "questions.name". - Added a condition check to set "metadata.event_type" to "STATUS_UPDATE". |
| 2025-03-03 | Enhancement:
- Mapped "log.Application", "log.ClientAsn", "log.ColoCode", "log.OriginProto", "log.Status" and "log.ProxyProtocol" to "additional.fields". - Mapped "log.ClientBytes" to "network.sent_bytes". - Mapped "log.ClientCountry" to "principal.location.country_or_region". - Mapped "log.ClientIP" to "principal.ip and principal.asset.ip". - Mapped "log.ClientMatchedIpFirewall" to "security_result.detection_fields". - Mapped "log.ClientPort" to "principal.port". - Mapped "log.ClientProto" to "network.ip_protocol". - Mapped "log.Event" to "security_result.detection_fields". - Mapped "log.OriginBytes" to "security_result.detection_fields". - Mapped "log.OriginIP" to "intermediary.ip". - Mapped "log.OriginPort" to "intermediary.port". - Mapped "log.IpFirewall" to "security_result.detection_fields". - Mapped "log.Timestamp" to "metadata.event_timestamp". - Mapped "log.ConnectTimestamp" to "security_result.detection_fields". - Mapped "log.DisconnectTimestamp" to "security_result.detection_fields". |
| 2025-01-15 | Enhancement:
- Mapped "AppDomain" to "target.administrative_domain". - Mapped "AppUUID" to "target.resource.product_object_id". - Mapped "UserUID" to "target.user.product_object_id". - Mapped "CreatedAt" to "metadata.event_timestamp". - Mapped "Connection" to "target.resource.attribute.labels". - Mapped "Country" to "target.location.country_or_region". - Mapped "IPAddress" to "target.ip" and "target.asset.ip". - Mapped "TemporaryAccessDuration" to "network.session_duration.seconds". - If only "target" is present and "event_type_value" is "NETWORK_CONNECTION", then mapped "metadata.event_type" to "USER_UNCATEGORIZED". |
| 2024-11-05 | Enhancement:
- Added support for a new pattern of JSON logs. |
| 2024-11-04 | Enhancement:
- When "Action" contains "skip", "SKIP", or "Skip", then set "security_result.action" to "ALLOW". |
| 2024-10-29 | Enhancement:
- Added support for unparsed logs. - Mapped "IPSourceAddress" to "principal.ip", and "principal.asset.ip". - Mapped "IPDestinationAddress" to "target.ip", and "target.asset.ip". - Mapped "DestinationPort" to "target.port". - Mapped "SourcePort" to "principal.port". - Mapped "IPProtocol" to "network.ip_protocol". - Mapped "IPDestinationSubnet", "DestinationASNNAME", "DestinationASN", and "DestinationGeoHash" to "target.resource.attribute.labels". - Mapped "IPSourceSubnet", "SourceASNNAME", "SourceASN", and "SourceGeoHash" to "principal.resource.attribute.labels". - MApped "SourceCountry" to "principal.location.country_or_region". - Mapped "DestinationCountry" to "target.location.country_or_region". - Mapped "ColoCity", "ColoCode", "ColoCountry", "ColoGeoHash", "ColoName", "GREChecksum", "GREEtherType", "GREHeaderLength", "GREKey", "GRESequenceNumber", and "GREVersion" to "additional.fields". - Mapped "ICMPChecksum", "ICMPType", "ICMPCode", "IPProtocol", "ProtocolState", "IPTTL", "IPTTLBuckets", "IPTotalLength", "IPTotalLengthBuckets", "IPv4Checksum", "IPv4DSCP", "IPv4DontFragment", "IPv4ECN", "IPv4Identification", "IPv6DSCP", "IPv6ECN", "IPv6FlowLabel", and "IPv6Identification" to "additional.fields". - Mapped "MitigationScope", "MitigationSystem", "SampleInterval", "TCPAcknowledgementNumber", "TCPChecksum", "TCPDataOffset", "TCPFlags", "TCPFlagsString", "TCPMSS", "TCPSACKPermitted", "TCPSequenceNumber", "TCPTimestampECR", "TCPTimestampValue", "TCPUrgentPointer", "TCPWindowScale", "TCPWindowSize", "UDPChecksum", "UDPPayloadLength", and "Verdict" to "additional.fields". - When "Outcome" is "drop", then set "security_result.action" to "BLOCK". - When "Direction" is "ingress", then set "network.direction" to "INBOUND". - Mapped "AttackCampaignID", "AttackID", and "AttackVector" to "additional.fields". - Mapped "RuleID" to "security_result.rule_id". - Mapped "RuleName" to "security_result.rule_name". - Mapped "RulesetID" and "RulesetOverrideID" to "security_result_detection_fields". |
| 2024-10-24 | Bug-Fix:
- When "Action" contains "bypass", then set "security_result.action" to "ALLOW". - Mapped "ClientVersion" to "metadata.product_version". - Mapped "DeviceID" to "principal.asset_id". - Mapped "DeviceManufacturer" to "principal.asset.hardware". - Mapped "DeviceModel" to "principal.asset.hardware". - Mapped "DeviceName" to "principal.asset.attribute.labels". - Mapped "DeviceSerialNumber" to "principal.resource.attribute.labels". - Mapped "DeviceType" to "principal.resource.name". - Mapped "Email" to "principal.user.email_addresses"". - Mapped "OSVersion" to "principal.platform_version". - Mapped "PolicyID" to "security_result.rule_id". - Mapped "PostureCheckName" to "additional.fields". - Mapped "PostureCheckType" to "additional.fields". - Mapped "PostureEvaluatedResult" to "additional.fields". - Mapped "PostureExpectedJSON.os" to "security_result.detection_fields". - Mapped "PostureExpectedJSON.operator" to "security_result.detection_fields". - Mapped "PostureExpectedJSON.connection_id" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.os" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.overall" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.version" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.state" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.last_seen" to "date". - If both "principal" and "event_type_value" are present, then mapped "metadata.event_type" to "USER_UNCATEGORIZED". |
| 2024-10-15 | Enhancement:
- Mapped "ClientRequestSource" to "additional.fields". |
| 2024-10-03 | Enhancement:
- Mapped "SecurityActions", "SecurityRuleIDs", and "SecuritySources" to "additional.fields". - Mapped "SecurityAction", "SecurityRuleID" to "security_result.about.resource.attribute.labels". - Mapped "SecurityRuleID" to "security_result.threat_id". - Mapped "SecurityRuleDescription" to "security_result.threat_name" and "security_result.rule_name". |
| 2024-02-19 | Bug-Fix:
- When there is no principal and target machine data, then mapped "metadata.event_type" to "GENERIC_EVENT". - When "Datetime" field is missing and "Timestamp" field is present, then mapped "Timestamp" to "metadata.event_timestamp". - Mapped "ClientIP" to "principal.ip". - Mapped "RayID" to "metadata.product_log_id". - Mapped "EdgeResponseStatus" to "network.http.response_code". - Mapped "ClientRequestMethod" to "network.http.method". - Mapped "ClientRequestURI" to "target.uri". - Mapped "ClientRequestHost" to "target.hostname". |
| 2024-01-31 | Enhancement:
- Mapped "BotScore" to "security_result.detection_fields". - Aligned "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings. - Aligned "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings. |
| 2024-01-08 | Enhancement:
- When "Action" contains "allow", then set "security_result.action" to "ALLOW". - Added mapping of "DeviceName" to "principal.hostname", "principal.asset.hostname". - Added mapping of "SourceIP" to "principal.ip" for DNS logs. - Added a null conditional check before mapping "principal" to "event.idm.read_only_udm.principal". - Added a null conditional check before mapping "target" to "event.idm.read_only_udm.target". |
| 2023-11-22 | Enhancement:
- Mapped "WAFRuleID" to "security_result.threat_id". - Mapped "WAFRuleMessage" to "security_result.threat_name". - Mapped "WAFRCEAttackScore", "WAFSQLiAttackScore", "WAFXSSAttackScore", "WAFAttackScore", "WAFFlags" to "security_result.about.resource.attribute.labels". |
| 2023-10-09 | Enhancement:
- When "SecurityAction" value is null or not present, then set "security_result.action" to "ALLOW". |
| 2023-09-26 | Enhancement:
- Modified mappings from using deprecated UDM fields to alternative fields. - Added mapping from "security_result.about.labels" to "security_result.about.resource.attribute.labels". - Added mapping from "about.labels" to "security_result.about.resource.attribute.labels". - Added mapping from "target.resource.id" to "target.resource.product_object_id". |
| 2023-04-25 | Enhancement to map the following raw log fields to UDM fields:
- Initialized "EdgeStartTimestamp", "ClientIP", "ClientRequestHost", "ClientRequestURI", "ClientRequestMethod", "Datetime", "ActorEmail", and "ActorIP" to null. - Mapped "AssetExternalID" to "principal.asset_id". - Mapped "AssetDisplayName" to "principal.asset.attribute.labels". - Mapped "AssetLink" to "principal.url". - Mapped "AssetMetadata.userKey" to "principal.user.attribute.labels". - Mapped "AssetMetadata.clientId" to "principal.user.userid". - Mapped "AssetMetadata.anonymous" to "security_result.detection_fields". - Mapped "AssetMetadata.nativeApp" to "security_result.detection_fields". - Mapped "DetectedTimestamp" to "metadata.event_timestamp". - Mapped "FindingTypeDisplayName" to "security_result.description". - Mapped "FindingTypeID" to "security_result.rule_id". - Mapped "FindingTypeSeverity" to "security_result.severity". - Mapped "InstanceID" to "principal.resource.product_object_id". - Mapped "IntegrationDisplayName" to "additional.fields". - Mapped "IntegrationID" to "metadata.product_deployment_id". - Mapped "IntegrationPolicyVendor" to "additional.fields". - Mapped "AssetMetadata.customerId" to "principal.user.userid". - Mapped "AssetMetadata.primaryEmail" to "principal.user.email_addresses". - Mapped "AssetMetadata.agreedToTerms" to "principal.user.attribute.labels". - Mapped "AssetMetadata.ipWhitelisted" to "principal.user.attribute.labels". - Mapped "AssetMetadata.lastLoginTime" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isEnforcedIn2Sv" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isEnrolledIn2Sv" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isDelegatedAdmin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.changePasswordAtNextLogin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.includeInGlobalAddressList" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isAdmin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.suspended" to "principal.user.attribute.labels". - Mapped "AssetMetadata.url" to "principal.url". - Mapped "AssetMetadata.site_admin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.login" to "principal.user.userid". - Mapped "AssetMetadata.owner.id" to "principal.user.userid". - Mapped "AssetMetadata.name.fullName" to "principal.user.user_display_name". - Mapped "AssetMetadata.name.givenName" to "principal.user.first_name". - Mapped "AssetMetadata.name.familyName" to "principal.user.last_name". - Mapped "Allowed" to "security_result.action". - Mapped "AppDomain" to "target.administrative_domain". - Mapped "AppUUID" to "target.resource.product_object_id". - Mapped "Connection" to "target.resource.attribute.labels". - Mapped "Country" to "target.location.country_or_region". - Mapped "CreatedAt" to "metadata.event_timestamp". - Mapped "IPAddress" to "target.ip". - Mapped "RayID" to "metadata.product_log_id". - Mapped "Email" to "principal.user.email_addresses" and "target.user.email_addresses". - Mapped "TemporaryAccessDuration" to "network.session_duration.seconds". - Mapped "UserUID" to "target.user.product_object_id". - Mapped "UserAgent" to "network.http.parsed_user_agent". - Mapped "ClientRequestUserAgent" to "network.http.parsed_user_agent". - Mapped "PolicyName" to "security_result.rule_name". - Mapped "SessionID" to "network.session_id". - Mapped "Transport" to "network.ip_protocol". - Mapped "SNI" to "tls.client.server_name". - Mapped "DeviceName" to "principal.asset.attribute.labels". - Mapped "BytesReceived" to "network.received_bytes". - Mapped "BytesSent" to "network.sent_bytes". - Mapped "Protocol" to "network.ip_protocol". - Mapped "ClientTCPHandshakeDurationMs" to "additional.fields". - Mapped "ClientTLSCipher" to "network.tls.cipher". - Mapped "ClientTLSHandshakeDurationMs" to "additional.fields". - Mapped "ClientTLSVersion" to "network.tls.version". - Mapped "ConnectionCloseReason" to "additional.fields". - Mapped "ConnectionReuse" to "additional.fields". - Mapped "DestinationTunnelID" to "additional.fields". - Mapped "EgressIP" to "principal.ip". - Mapped "EgressPort" to "principal.port". - Mapped "EgressRuleID" to "additional.fields". - Mapped "EgressRuleName" to "additional.fields". - Mapped "IngressColoName" to "additional.fields". - Mapped "Offramp" to "additional.fields". - Mapped "OriginIP" to "target.ip". - Mapped "OriginPort" to "target.port". - Mapped "OriginTLSCertificateIssuer" to "additional.fields". - Mapped "OriginTLSCertificateValidationResult" to "additional.fields". - Mapped "OriginTLSCipher" to "additional.fields". - Mapped "OriginTLSHandshakeDurationMs" to "additional.fields". - Mapped "OriginTLSVersion" to "additional.fields". - Mapped "RuleEvaluationDurationMs" to "additional.fields". - Mapped "SessionEndTime" to "additional.fields". - Mapped "SessionStartTime" to "metadata.event_timestamp". - Mapped "SourceIP" to "src.ip". - Mapped "SourcePort" to "src.port". - Mapped "UserID" to "principal.user.product_object_id". - Mapped "VirtualNetworkID" to "principal.resource.product_object_id". |
| 2023-04-06 | Enhancement - Declared the fields "WAFRuleMessage", "WAFAction", "QueryType", "RayID", "Email" at global level.
- Mapped "metadata.event_type" as "NETWORK_UNCATEGORIZED" where the field "QueryName" and "QueryNameReversed" are null. - Added on error checks for the following fields: RData[n].type, RData[n].data, EdgeResponseBytes, ClientRequestBytes, EdgeResponseStatus. - Added string conversion for the fields "SourcePort" and "DestinationPort". |
| 2022-10-10 | Enhancement
- Mapped "metadata.product_name" to "Web Application Firewall". - Mapped "metadata.vendor_name" to "Cloudflare". |
| 2022-05-23 | Enhancement to map following raw logs elements to UDM elements:
Mapped 'ClientASN' to 'network.asn'. Mapped 'ClientSSLCipher' to 'network.tls.cipher'. Mapped 'ClientSSLProtocol' to 'network.tls.version'. Mapped 'EdgeResponseContentType' to 'target.file.mime_type'. Mapped 'OriginIP' to 'intermediary.ip'. Mapped 'FirewallMatchesActions' to 'security_result.action'. Mapped 'FirewallMatchesRuleIDs' to 'security_result.rule_id'. Mapped 'FirewallMatchesSources' to 'security_result.rule_name'. Mapped 'WAFRuleID', 'WAFProfile' to 'security_result.about.labels'. Mapped 'CacheCacheStatus', 'CacheResponseBytes', 'CacheResponseStatus', 'ClientDeviceType', 'EdgeColoCode', 'EdgeColoID', 'OriginResponseBytes', 'OriginResponseStatus', 'OriginResponseTime', 'ZoneID' to 'additional.fields'. |