Change log for CYBERARK
Date | Changes |
---|---|
2025-07-24 | Enhancement:<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `usrName` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `Safe` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `src` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `GatewayStation` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.security_result.summary`: Newly mapped the `Reason` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field.<br>- `event.idm.read_only_udm.principal.location.name`: Newly mapped the `Location` raw log field to the `event.idm.read_only_udm.principal.location.name` UDM field.<br>- `event.idm.read_only_udm.target.file.full_path`: Newly mapped the `File` raw log field to the `event.idm.read_only_udm.target.file.full_path` UDM field.<br>- `security_result.detection_fields`: Newly mapped the `RequestId` raw log field to the `security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result`: Newly mapped the `sev` raw log field to the `event.idm.read_only_udm.security_result` UDM field.<br>- Added a gsub to replace `"\\t"` with `"#"`.<br>- Added a grok pattern to parse previously unparsed logs.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `Category`, `ExtraDetails`, `CAPolicy`, `status`, `class_name`, `vault_name`, `timeout`, `data_socket`, `control_socket`, `pasvc_action` and `line_number` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `ip_address` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.target.file.full_path`: Newly mapped the `file_path` raw log field to the `event.idm.read_only_udm.target.file.full_path` UDM field.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `tid` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- `event.idm.read_only_udm.target.process.pid`: Newly mapped the `pid` raw log field to the `event.idm.read_only_udm.target.process.pid` UDM field.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `date` and `time` raw log fields to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped the `EventMessage` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- Removed redundant code for `event.idm.read_only_udm.security_result`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `SourceUser` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped the `TargetUser` raw log field to the `event.idm.read_only_udm.target.user.userid` UDM field.<br>- `event.idm.read_only_udm.target.user.user_display_name`: Newly mapped the `user_name` raw log field to the `event.idm.read_only_udm.target.user.user_display_name` UDM field. |
2024-06-14 | Enhancement:<br>- Added a regex pattern to map `msg` to `security_result.description`. |
2024-05-21 | Enhancement:<br>- Updated the grok pattern to retrieve `host`.<br>- `event.idm.read_only_udm.observer.hostname`: Newly mapped the `host` raw log field to the `event.idm.read_only_udm.observer.hostname` UDM field.<br>- Removed the word `HostName` from the `cs5` field.<br>- Removed the redundant `_auth_mechanism` mapping and added a common mapping for `_auth_mechanism`.<br>- When `user` is present, map `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED`.<br>- Added the `has_principal` and `has_target` flags.<br>- Set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION` when both `has_principal` and `has_target` are true.<br>- Added a conditional check for `user` and domain. |
2024-04-30 | Enhancement:<br>- Added the `affected user name`, `reason`, `app` and `device type` fields to the additional UDM field. |
2024-04-05 | Enhancement:<br>- Added a grok pattern to parse the new SYSLOG log format. |
2022-10-10 | - Declared the `cs2`, `FileQualifier`, `msg`, `shost` and `dhost` fields.<br>- Mapped `metadata.event_type` to `STATUS_UPDATE` where `metadata.event_type` is `GENERIC_EVENT`, `shost` is not null and `dhost` is null. |
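The field mappings and event-type rules recorded in the change log above, implemented as an added example for checking parser output; this is not the Google SecOps parser's own code. The raw log line is constructed, and the precedence between the `NETWORK_CONNECTION`, `USER_UNCATEGORIZED` and `STATUS_UPDATE` rules is an assumption the change log does not state.

```python
import re

# Constructed CyberArk-style key=value syslog body; not a real record.
SAMPLE_LOG = (
    "usrName=jdoe Safe=Prod-Linux src=10.0.0.5 GatewayStation=10.0.0.9 "
    "Reason=Retrieve\\tpassword Location=\\Vault\\Prod File=Root\\db.pwd sev=3"
)

# Raw field -> UDM path, as listed in the 2025-07-24 entry (subset).
FIELD_MAP = {
    "usrName": "principal.user.userid",
    "Safe": "target.resource.name",
    "src": "principal.ip",
    "GatewayStation": "target.ip",
    "Reason": "security_result.summary",
    "Location": "principal.location.name",
    "File": "target.file.full_path",
}

def parse_kv(line: str) -> dict:
    # The 2025-07-24 gsub: a literal "\t" in the raw text becomes "#".
    line = line.replace("\\t", "#")
    return dict(re.findall(r"(\w+)=(\S+)", line))

def set_path(udm: dict, path: str, value: str) -> None:
    # Create nested dicts for a dotted UDM path and set the leaf value.
    *parents, leaf = path.split(".")
    for key in parents:
        udm = udm.setdefault(key, {})
    udm[leaf] = value

def event_type(raw: dict, udm: dict) -> str:
    # Rules from the 2024-05-21 and 2022-10-10 entries; the order in
    # which they are tested here is an assumption, not from the log.
    has_principal = "principal" in udm
    has_target = "target" in udm
    if has_principal and has_target:
        return "NETWORK_CONNECTION"
    if "user" in raw:
        return "USER_UNCATEGORIZED"
    if raw.get("shost") and not raw.get("dhost"):
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"

def to_udm(line: str) -> dict:
    raw = parse_kv(line)
    udm: dict = {}
    for field, path in FIELD_MAP.items():
        if field in raw:
            set_path(udm, path, raw[field])
    set_path(udm, "metadata.event_type", event_type(raw, udm))
    return udm
```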