Change log for CS_EDR

Date Changes
2025-08-26 - additional.fields[offset]: Newly mapped `offset` raw log field with `additional.fields[offset]` UDM field for event `UserActivityAuditEvent`.
- additional.fields[OperationName]: Newly mapped `OperationName` raw log field with `additional.fields[OperationName]` UDM field for event `UserActivityAuditEvent`.
- Removed duplicate field mappings for raw log fields that were previously present in both `about.labels` and `additional.fields`. All such mappings have been consolidated under `additional.fields`.
- For `IdentityProtectionEvent`, the raw log field `Username` is now parsed in the `DOMAIN\userid` format (if present) and mapped to `principal.administrative_domain` and `principal.user.userid`.
- metadata.event_type: Updated `metadata.event_type` to `REGISTRY_*` based on the value of the raw log field `RegOperationType` for all registry-related events.
2025-08-22 - target.resource.attribute.labels: Newly mapped `VolumeLabel` raw log field with `target.resource.attribute.labels` UDM field for event `RemovableMediaVolumeMounted`.
2025-08-20 Improved consistency for Process events: the following raw log fields now map directly to the `target` entity:
- target.process.file.authentihash: Updated mapping of `AuthenticodeHashData` raw log field to `target.process.file.authentihash` UDM field (previously `principal.process.file.authentihash`).
- target.process.command_line: Updated mapping of `CommandLine` raw log field to `target.process.command_line` UDM field (previously `principal.process.command_line`).
- target.process.parent_process.file.names: Updated mapping of `GrandParentBaseFileName` raw log field to `target.process.parent_process.file.names` UDM field (previously `principal.process.parent_process.file.names`).
- target.process.file.full_path: Updated mapping of `ImageFileName` raw log field to `target.process.file.full_path` UDM field (previously `principal.process.file.full_path`).
- target.process.file.md5: Updated mapping of `MD5HashData` raw log field to `target.process.file.md5` UDM field (previously `principal.process.file.md5`).
- target.process.file.exif_info.original_file: Updated mapping of `OriginalFilename` raw log field to `target.process.file.exif_info.original_file` UDM field (previously `principal.process.file.exif_info.original_file`).
- target.process.file.names: Updated mapping of `ParentBaseFileName` raw log field to `target.process.file.names` UDM field (previously `principal.process.file.names`).
- target.process.parent_process.product_specific_process_id: Updated mapping of `ParentProcessId` raw log field to `target.process.parent_process.product_specific_process_id` UDM field (previously `principal.process.parent_process.product_specific_process_id`).
- target.process.file.sha256: Updated mapping of `SHA256HashData` raw log field to `target.process.file.sha256` UDM field (previously `principal.process.file.sha256`).
- target.process.command_line: Updated mapping of `ParentCommandLine` raw log field to `target.process.command_line` UDM field (previously `principal.process.command_line`).
- target.process.parent_process.file.full_path: Updated mapping of `ParentImageFileName` raw log field to `target.process.parent_process.file.full_path` UDM field (previously `principal.process.parent_process.file.full_path`).
- target.application: Updated mapping of `AppIdentifier` raw log field to `target.application` UDM field (previously `principal.application`).
- target.group.product_object_id: Updated mapping of `GID` raw log field to `target.group.product_object_id` UDM field (previously `principal.group.product_object_id`).
- principal.process.product_specific_process_id: Added mapping of `ParentProcessId` raw log field to `principal.process.product_specific_process_id` UDM field where the `ContextProcessId` raw log field is empty.
- The following mappings are changed in order to introduce more accurate mappings.
2025-08-11 - `IdentityProtectionEvent`: Added support for the event `IdentityProtectionEvent` and relevant corresponding raw log fields.
- security_result.description: Newly mapped `Description` raw log field with `security_result.description` UDM field for event `IdpDetectionSummaryEvent`.
- security_result.detection_fields[most_recent_activity_time_stamp]: Newly mapped `MostRecentActivityTimeStamp` raw log field with `security_result.detection_fields[most_recent_activity_time_stamp]` UDM field for event `IdpDetectionSummaryEvent`.
- additional.fields[activity_browser]: Newly mapped `ActivityBrowser` raw log field with `additional.fields[activity_browser]` UDM field for event `IdpDetectionSummaryEvent`.
- metadata.url_back_to_product: Newly mapped `FalconHostLink` raw log field with `metadata.url_back_to_product` UDM field for event `IncidentSummaryEvent`.
- principal.user.userid: Newly mapped `UserId` raw log field with `principal.user.userid` UDM field for event `AuthActivityAuditEvent`.
2025-07-31 - `ScriptFileWrittenInfo`: Added support for the event `ScriptFileWrittenInfo` and relevant corresponding raw log fields.
- `TargetFileName`: Newly mapped `TargetFileName` raw log field with `target.file.full_path` UDM field.
- `ScriptContent`: Newly mapped `ScriptContent` raw log field with `additional.fields[script_content]` UDM field.
- `FileFormatString`: Newly mapped `FileFormatString` raw log field with `additional.fields[file_format_string]` UDM field.
- `OriginalContentLength`: Newly mapped `OriginalContentLength` raw log field with `target.file.size` UDM field.
- `SHA256HashData`: Newly mapped `SHA256HashData` raw log field with `target.file.sha256` UDM field.
- `WritingProcessId`: Newly mapped `WritingProcessId` raw log field with `target.process.pid` UDM field.
- `CscStatus`: Newly mapped `CscStatus` raw log field with `additional.fields[csc_status]` UDM field.
2025-07-30 - additional.fields: Newly mapped `IdpEntityPreviousRiskScoreSeverity` raw log field with `additional.fields` UDM field.
- additional.fields: Newly mapped `IdpEntityRiskScoreSeverity` raw log field with `additional.fields` UDM field.
- additional.fields: Newly mapped `IdpEntityRiskScoreChangeType` raw log field with `additional.fields` UDM field.
- additional.fields: Newly mapped `IdpEntityType` raw log field with `additional.fields` UDM field.
2025-07-08 - Corrected typo: changed 'FalconGrouppingTags' to 'FalconGroupingTags'.
2025-07-01 - additional.fields: Removed mapping of `FalconHostLink` from `additional.fields` UDM field
- metadata.url_back_to_product: Mapped `FalconHostLink` raw log field with `metadata.url_back_to_product` UDM field
2025-06-26 - about.resource.product_object_id: Newly mapped `cid` raw log field with `about.resource.product_object_id` UDM field
- about.resource.resource_type: Mapped `CLOUD_ORGANIZATION` with `about.resource.resource_type` UDM field.
2025-06-16 - target.namespace: Removed mapping of `WmiNamespaceName` from `target.namespace` UDM field.
- additional.fields: Mapped `WmiNamespaceName` raw log field with `additional.fields` UDM field.
2025-05-15 - Enhanced the backward compatibility support for the `IncidentSummaryEvent` event.
2025-04-09 - additional.fields.con_host_id: Newly mapped `ConHostId` raw log field with `additional.fields` UDM field.
- additional.fields.cycle_time: Newly mapped `CycleTime` raw log field with `additional.fields` UDM field.
- additional.fields.max_thread_count: Newly mapped `MaxThreadCount` raw log field with `additional.fields` UDM field.
- additional.fields.kernel_time: Newly mapped `KernelTime` raw log field with `additional.fields` UDM field.
- additional.fields.user_time: Newly mapped `UserTime` raw log field with `additional.fields` UDM field.
- additional.fields.context_timestamp: Newly mapped `ContextTimeStamp` raw log field with `additional.fields` UDM field.
2025-04-01 - Promoted CS_EDR gold parser to default.
- This version includes many changes to improve the parser mappings (parser overhaul). Contact your Google representative for a detailed list of all changes.
- This version will have an extended RC period. We encourage you to opt in and make the required adjustments before it is automatically promoted to Default.