Change log for CS_EDR
Date | Changes |
---|---|
2025-08-26 | - additional.fields[offset]: Newly mapped `offset` raw log field with `additional.fields[offset]` UDM field for event `UserActivityAuditEvent`.<br>- additional.fields[OperationName]: Newly mapped `OperationName` raw log field with `additional.fields[OperationName]` UDM field for event `UserActivityAuditEvent`.<br>- Removed duplicate field mappings for raw log fields that were previously present in both `about.labels` and `additional.fields`; all such mappings are now consolidated under `additional.fields`.<br>- For `IdentityProtectionEvent`, the raw log field `Username` is now parsed in the `DOMAIN\userid` format (where present) and mapped to `principal.administrative_domain` and `principal.user.userid`.<br>- metadata.event_type: Updated `metadata.event_type` to `REGISTRY_*` based on the value of the raw log field `RegOperationType` for all registry-related events. |
2025-08-22 | - target.resource.attribute.labels: Newly mapped `VolumeLabel` raw log field with `target.resource.attribute.labels` UDM field for event `RemovableMediaVolumeMounted`. |
2025-08-20 | For consistency, raw log fields of Process events now map to the `target` entity instead of `principal`. The following mappings were changed to give more accurate results:<br>- target.process.file.authentihash: `AuthenticodeHashData` raw log field now mapped to `target.process.file.authentihash` (previously `principal.process.file.authentihash`).<br>- target.process.command_line: `CommandLine` raw log field now mapped to `target.process.command_line` (previously `principal.process.command_line`).<br>- target.process.parent_process.file.names: `GrandParentBaseFileName` raw log field now mapped to `target.process.parent_process.file.names` (previously `principal.process.parent_process.file.names`).<br>- target.process.file.full_path: `ImageFileName` raw log field now mapped to `target.process.file.full_path` (previously `principal.process.file.full_path`).<br>- target.process.file.md5: `MD5HashData` raw log field now mapped to `target.process.file.md5` (previously `principal.process.file.md5`).<br>- target.process.file.exif_info.original_file: `OriginalFilename` raw log field now mapped to `target.process.file.exif_info.original_file` (previously `principal.process.file.exif_info.original_file`).<br>- target.process.file.names: `ParentBaseFileName` raw log field now mapped to `target.process.file.names` (previously `principal.process.file.names`).<br>- target.process.parent_process.product_specific_process_id: `ParentProcessId` raw log field now mapped to `target.process.parent_process.product_specific_process_id` (previously `principal.process.parent_process.product_specific_process_id`).<br>- target.process.file.sha256: `SHA256HashData` raw log field now mapped to `target.process.file.sha256` (previously `principal.process.file.sha256`).<br>- target.process.command_line: `ParentCommandLine` raw log field now mapped to `target.process.command_line` (previously `principal.process.command_line`).<br>- target.process.parent_process.file.full_path: `ParentImageFileName` raw log field now mapped to `target.process.parent_process.file.full_path` (previously `principal.process.parent_process.file.full_path`).<br>- target.application: `AppIdentifier` raw log field now mapped to `target.application` (previously `principal.application`).<br>- target.group.product_object_id: `GID` raw log field now mapped to `target.group.product_object_id` (previously `principal.group.product_object_id`).<br>- principal.process.product_specific_process_id: Added mapping of the `ParentProcessId` raw log field to `principal.process.product_specific_process_id` where the `ContextProcessId` raw log field is empty. |
2025-08-11 | - `IdentityProtectionEvent`: Added support for the event `IdentityProtectionEvent` and its corresponding raw log fields.<br>- security_result.description: Newly mapped `Description` raw log field with `security_result.description` UDM field for event `IdpDetectionSummaryEvent`.<br>- security_result.detection_fields[most_recent_activity_time_stamp]: Newly mapped `MostRecentActivityTimeStamp` raw log field with `security_result.detection_fields[most_recent_activity_time_stamp]` UDM field for event `IdpDetectionSummaryEvent`.<br>- additional.fields[activity_browser]: Newly mapped `ActivityBrowser` raw log field with `additional.fields[activity_browser]` UDM field for event `IdpDetectionSummaryEvent`.<br>- metadata.url_back_to_product: Newly mapped `FalconHostLink` raw log field with `metadata.url_back_to_product` UDM field for event `IncidentSummaryEvent`.<br>- principal.user.userid: Newly mapped `UserId` raw log field with `principal.user.userid` UDM field for event `AuthActivityAuditEvent`. |
2025-07-31 | `ScriptFileWrittenInfo`: Added support for the event `ScriptFileWrittenInfo` and its corresponding raw log fields:<br>- `TargetFileName`: Newly mapped `TargetFileName` raw log field with `target.file.full_path` UDM field.<br>- `ScriptContent`: Newly mapped `ScriptContent` raw log field with `additional.fields[script_content]` UDM field.<br>- `FileFormatString`: Newly mapped `FileFormatString` raw log field with `additional.fields[file_format_string]` UDM field.<br>- `OriginalContentLength`: Newly mapped `OriginalContentLength` raw log field with `target.file.size` UDM field.<br>- `SHA256HashData`: Newly mapped `SHA256HashData` raw log field with `target.file.sha256` UDM field.<br>- `WritingProcessId`: Newly mapped `WritingProcessId` raw log field with `target.process.pid` UDM field.<br>- `CscStatus`: Newly mapped `CscStatus` raw log field with `additional.fields[csc_status]` UDM field. |
2025-07-30 | - additional.fields: Newly mapped `IdpEntityPreviousRiskScoreSeverity` raw log field with `additional.fields` UDM field.<br>- additional.fields: Newly mapped `IdpEntityRiskScoreSeverity` raw log field with `additional.fields` UDM field.<br>- additional.fields: Newly mapped `IdpEntityRiskScoreChangeType` raw log field with `additional.fields` UDM field.<br>- additional.fields: Newly mapped `IdpEntityType` raw log field with `additional.fields` UDM field. |
2025-07-08 | - Corrected typo: changed `FalconGrouppingTags` to `FalconGroupingTags`. |
2025-07-01 | - additional.fields: Removed mapping of `FalconHostLink` from the `additional.fields` UDM field.<br>- metadata.url_back_to_product: Mapped `FalconHostLink` raw log field with `metadata.url_back_to_product` UDM field. |
2025-06-26 | - about.resource.product_object_id: Newly mapped `cid` raw log field with `about.resource.product_object_id` UDM field.<br>- about.resource.resource_type: Mapped `CLOUD_ORGANIZATION` with `about.resource.resource_type` UDM field. |
2025-06-16 | - target.namespace: Removed mapping of `WmiNamespaceName` from the `target.namespace` UDM field.<br>- additional.fields: Mapped `WmiNamespaceName` raw log field with `additional.fields` UDM field. |
2025-05-15 | - Enhanced the backward compatibility support for the `IncidentSummaryEvent` event. |
2025-04-09 | - additional.fields.con_host_id: Newly mapped `ConHostId` raw log field with `additional.fields` UDM field.<br>- additional.fields.cycle_time: Newly mapped `CycleTime` raw log field with `additional.fields` UDM field.<br>- additional.fields.max_thread_count: Newly mapped `MaxThreadCount` raw log field with `additional.fields` UDM field.<br>- additional.fields.kernel_time: Newly mapped `KernelTime` raw log field with `additional.fields` UDM field.<br>- additional.fields.user_time: Newly mapped `UserTime` raw log field with `additional.fields` UDM field.<br>- additional.fields.context_timestamp: Newly mapped `ContextTimeStamp` raw log field with `additional.fields` UDM field. |
2025-04-01 | - Promoted the CS_EDR gold parser to default.<br>- This version includes many changes to improve the parser mappings (parser overhaul); contact your Google representative for a detailed list of all changes.<br>- This version has an extended RC period; we encourage you to opt in and make the required adjustments before it is automatically promoted to Default. |
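The 2025-08-26 entry (`Username` split into `DOMAIN\userid`, `REGISTRY_*` event type from `RegOperationType`) and the 2025-08-20 rule (`ParentProcessId` used for `principal.process.product_specific_process_id` only when `ContextProcessId` is empty) describe field-level transformations that are easy to get subtly wrong, for example when a user name carries no domain or when `ContextProcessId` is present but empty rather than absent. The following Python is an added illustration of those three rules run over constructed sample events; it is not the CS_EDR parser's own code (the real parser is a Google SecOps Logstash-style parser and is not reproduced here). The `RegOperationType` values in `REG_OP_TO_EVENT_TYPE`, the `REGISTRY_UNCATEGORIZED` fallback, the `event_simpleName` key used to recognise `IdentityProtectionEvent`, and the handling of a user name without a backslash are all assumptions, not facts from this change log.

```python
"""
Added example for the CS_EDR change log (not the parser's own code).

Implements three logged rules over constructed CrowdStrike-style events:
  2025-08-26: `Username` -> principal.administrative_domain + principal.user.userid
              (DOMAIN\\userid format, IdentityProtectionEvent only);
              `RegOperationType` -> metadata.event_type = REGISTRY_*.
  2025-08-20: `ParentProcessId` -> principal.process.product_specific_process_id
              only when `ContextProcessId` is empty.

Assumptions (not from the page): RegOperationType values below are placeholders;
REGISTRY_UNCATEGORIZED is an editorial fallback for unknown operations; the
event name is read from `event_simpleName`; a Username without a backslash is
kept whole as the userid.
"""
from typing import Any, Dict, Optional

EVENT_NAME_KEY = "event_simpleName"  # assumption: where the event name lives

# Hypothetical RegOperationType -> UDM event_type table (placeholder keys).
REG_OP_TO_EVENT_TYPE: Dict[str, str] = {
    "KeyCreate": "REGISTRY_CREATION",
    "ValueSet": "REGISTRY_MODIFICATION",
    "KeyDelete": "REGISTRY_DELETION",
    "ValueDelete": "REGISTRY_DELETION",
}
REGISTRY_FALLBACK = "REGISTRY_UNCATEGORIZED"  # assumption for unknown op codes


def parse_username(username: Optional[str]) -> Dict[str, str]:
    """Split a `DOMAIN\\userid` value into the two principal fields.

    Only the first backslash is significant. A value with no backslash, or with
    an empty domain or userid half, is kept whole as the userid (assumption).
    """
    out: Dict[str, str] = {}
    if not username:
        return out
    domain, sep, userid = username.partition("\\")
    if sep and domain and userid:
        out["principal.administrative_domain"] = domain
        out["principal.user.userid"] = userid
    else:
        out["principal.user.userid"] = username
    return out


def registry_event_type(reg_op: Any) -> str:
    """Map a RegOperationType value to a REGISTRY_* UDM event type."""
    return REG_OP_TO_EVENT_TYPE.get(str(reg_op), REGISTRY_FALLBACK)


def principal_process_id(raw: Dict[str, Any]) -> Optional[str]:
    """ContextProcessId wins; ParentProcessId is used only when it is empty.

    "Empty" covers both a missing key and an empty string, which is how the
    field often arrives in flattened telemetry.
    """
    ctx = raw.get("ContextProcessId")
    if ctx not in (None, ""):
        return str(ctx)
    parent = raw.get("ParentProcessId")
    return None if parent in (None, "") else str(parent)


def normalize(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Produce only the UDM fields governed by the three rules above."""
    udm: Dict[str, Any] = {}
    if raw.get(EVENT_NAME_KEY) == "IdentityProtectionEvent":
        udm.update(parse_username(raw.get("Username")))
    if raw.get("RegOperationType") not in (None, ""):
        udm["metadata.event_type"] = registry_event_type(raw["RegOperationType"])
    pid = principal_process_id(raw)
    if pid is not None:
        udm["principal.process.product_specific_process_id"] = pid
    return udm


# Constructed sample events (not real CrowdStrike telemetry).
SAMPLE_EVENTS = [
    {EVENT_NAME_KEY: "IdentityProtectionEvent", "Username": "CORP\\alice"},
    {EVENT_NAME_KEY: "IdentityProtectionEvent", "Username": "svc-backup"},
    {EVENT_NAME_KEY: "RegistryEvent", "RegOperationType": "ValueSet",
     "ContextProcessId": "", "ParentProcessId": "4242"},
    {EVENT_NAME_KEY: "ProcessEvent", "ContextProcessId": "99",
     "ParentProcessId": "4242"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get(EVENT_NAME_KEY), "->", normalize(ev))
```

Running the module prints the normalised subset for each sample; the third event shows the empty `ContextProcessId` falling through to `ParentProcessId`, and the second shows a domain-less user name landing in `principal.user.userid` alone.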