Change log for CS_DETECTS
Date | Changes |
---|---|
2025-08-26 | Changed existing mappings to introduce more accurate mappings for `target.process.command_line`, `target.file.full_path` and `target.file.sha256` for the `epp` product and `ofp` type. - target.process.command_line: Removed mapping of `cmdline` from `target.process.command_line` UDM field when `macros.cmdline` raw log field is not empty. - security_result.detection_fields[cmdline]: Mapped `cmdline` raw log field with `security_result.detection_fields[cmdline]` UDM field when `macros.cmdline` raw log field is not empty. - target.process.command_line: Newly mapped `macros.cmdline` raw log field with `target.process.command_line` UDM field. - target.file.full_path: Removed mapping of `filepath` from `target.file.full_path` UDM field when `macros.ioc_description` raw log field is not empty. - security_result.detection_fields[filepath]: Mapped `filepath` raw log field with `security_result.detection_fields[filepath]` UDM field when `macros.ioc_description` raw log field is not empty. - target.file.full_path: Newly mapped `macros.ioc_description` raw log field with `target.file.full_path` UDM field. - target.file.sha256: Removed mapping of `sha256` from `target.file.sha256` UDM field when `macros.ioc_value` raw log field is not empty and `macros.ioc_type` is equal to `hash_sha256`. - security_result.detection_fields[sha256]: Mapped `sha256` raw log field with `security_result.detection_fields[sha256]` UDM field when `macros.ioc_value` raw log field is not empty and `macros.ioc_type` is equal to `hash_sha256`. - target.file.sha256: Newly mapped `macros.ioc_value` raw log field with `target.file.sha256` UDM field when `macros.ioc_type` is equal to `hash_sha256`. - security_result.detection_fields[macros_display_name]: Newly mapped `macros.display_name` raw log field with `security_result.detection_fields[macros_display_name]` UDM field. - security_result.detection_fields[macros_ioc_source]: Newly mapped `macros.ioc_source` raw log field with `security_result.detection_fields[macros_ioc_source]` UDM field. - security_result.detection_fields[macros_md5]: Newly mapped `macros.md5` raw log field with `security_result.detection_fields[macros_md5]` UDM field when `macros.md5` raw log field is not equal to `N/A`. - security_result.detection_fields[macros_sha256]: Newly mapped `macros.sha256` raw log field with `security_result.detection_fields[macros_sha256]` UDM field. - security_result.detection_fields[macros_type]: Newly mapped `macros.type` raw log field with `security_result.detection_fields[macros_type]` UDM field. - security_result.detection_fields: Newly mapped `macros.ioc_type` raw log field with `security_result.detection_fields.key` UDM field and `macros.ioc_value` raw log field with `security_result.detection_fields.value` UDM field. |
2025-06-27 | - security_result.detection_fields: Newly mapped `ioc_value` raw log field with `security_result.detection_fields` UDM field. |
2025-06-06 | - metadata.product_event_type: Newly mapped `product` raw log field with `metadata.product_event_type` UDM field. |
2025-04-01 | - Newly created parser. - Parser mappings improved. Contact your Google representative to get a detailed list of all changes. |
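The 2025-08-26 entry changes which raw field feeds `target.process.command_line`, `target.file.full_path` and `target.file.sha256`, which matters to anyone whose detection rules or searches key on those UDM fields: once a `macros.*` value is present, the raw `cmdline`, `filepath` and `sha256` values are no longer in the target fields but under `security_result.detection_fields`. The following Python is an added illustration, not the Chronicle parser's own code, that re-implements the conditional rules of that entry over a flattened raw event so the resulting UDM shape can be inspected. Assumptions: the raw event is a dict with top-level `cmdline`, `filepath`, `sha256` and a nested `macros` dict; empty values are skipped everywhere (the change log only states the non-empty conditions explicitly for the three target fields); `detection_fields` is modelled as a plain dict rather than UDM's repeated key/value list; the sample events are constructed.

```python
"""Illustrative re-implementation of the 2025-08-26 CS_DETECTS mapping rules.

Not the Chronicle parser itself: a Python model of the rules stated in the
change log, applied to a flattened raw event.  Field names come from the
change log; the sample events at the bottom are constructed.
"""
import json
from typing import Any


def _nonempty(value: Any) -> bool:
    """Parser-style emptiness check (assumed: None and "" count as empty)."""
    return value not in (None, "")


def map_cs_detect(raw: dict) -> dict:
    """Return a UDM-shaped dict for one raw CS_DETECTS event.

    For each of command_line / full_path / sha256 the macros.* value takes
    precedence, and the raw value is then preserved under detection_fields
    instead of being dropped.  Without a macros.* value the pre-existing
    mapping (raw field -> target field) still applies.
    """
    macros = raw.get("macros") or {}
    udm: dict = {
        "target": {"process": {}, "file": {}},
        "security_result": {"detection_fields": {}},
    }
    detection = udm["security_result"]["detection_fields"]

    # target.process.command_line: macros.cmdline wins when present.
    if _nonempty(macros.get("cmdline")):
        udm["target"]["process"]["command_line"] = macros["cmdline"]
        if _nonempty(raw.get("cmdline")):
            detection["cmdline"] = raw["cmdline"]
    elif _nonempty(raw.get("cmdline")):
        udm["target"]["process"]["command_line"] = raw["cmdline"]

    # target.file.full_path: macros.ioc_description wins when present.
    if _nonempty(macros.get("ioc_description")):
        udm["target"]["file"]["full_path"] = macros["ioc_description"]
        if _nonempty(raw.get("filepath")):
            detection["filepath"] = raw["filepath"]
    elif _nonempty(raw.get("filepath")):
        udm["target"]["file"]["full_path"] = raw["filepath"]

    # target.file.sha256: macros.ioc_value wins only for ioc_type hash_sha256.
    ioc_type = macros.get("ioc_type")
    ioc_value = macros.get("ioc_value")
    if _nonempty(ioc_value) and ioc_type == "hash_sha256":
        udm["target"]["file"]["sha256"] = ioc_value
        if _nonempty(raw.get("sha256")):
            detection["sha256"] = raw["sha256"]
    elif _nonempty(raw.get("sha256")):
        udm["target"]["file"]["sha256"] = raw["sha256"]

    # New macros.* detection fields copied straight across.
    for key, src in (("macros_display_name", "display_name"),
                     ("macros_ioc_source", "ioc_source"),
                     ("macros_sha256", "sha256"),
                     ("macros_type", "type")):
        if _nonempty(macros.get(src)):
            detection[key] = macros[src]
    # macros.md5 is mapped only when it is not the literal "N/A".
    if _nonempty(macros.get("md5")) and macros["md5"] != "N/A":
        detection["macros_md5"] = macros["md5"]
    # Generic key/value pair: ioc_type becomes the key, ioc_value the value.
    if _nonempty(ioc_type) and _nonempty(ioc_value):
        detection[ioc_type] = ioc_value
    return udm


# Constructed sample events (not real telemetry); hashes are placeholders.
WITH_MACROS = {
    "cmdline": "powershell.exe -File run.ps1",
    "filepath": "\\Device\\HarddiskVolume3\\Users\\alice\\run.ps1",
    "sha256": "a" * 64,
    "macros": {
        "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -File run.ps1",
        "ioc_description": "C:\\Users\\alice\\run.ps1",
        "ioc_type": "hash_sha256",
        "ioc_value": "b" * 64,
        "display_name": "constructed-detection-name",
        "ioc_source": "constructed-source",
        "md5": "N/A",
        "sha256": "b" * 64,
        "type": "constructed-type",
    },
}
WITHOUT_MACROS = {"cmdline": "notepad.exe",
                  "filepath": "C:\\Windows\\notepad.exe",
                  "sha256": "c" * 64}

if __name__ == "__main__":
    for event in (WITH_MACROS, WITHOUT_MACROS):
        print(json.dumps(map_cs_detect(event), indent=2))
```

Running it shows the practical consequence for rule authors: for `WITH_MACROS`, the raw `cmdline`, `filepath` and `sha256` land in `security_result.detection_fields` while the target fields carry the `macros.*` values, and `macros_md5` is absent because the raw value was `N/A`; for `WITHOUT_MACROS` the pre-change mapping is unchanged and `detection_fields` stays empty.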