Change log for CYBERARK

Date Changes
2025-07-24 Enhancement:
- `event.idm.read_only_udm.principal.user.userid`: Newly Mapped `usrName` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.target.resource.name`: Newly Mapped `Safe` raw log field with `event.idm.read_only_udm.target.resource.name` UDM field.
- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly Mapped `src` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly Mapped `GatewayStation` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- `event.idm.read_only_udm.security_result.summary`: Newly Mapped `Reason` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- `event.idm.read_only_udm.principal.location.name`: Newly Mapped `Location` raw log field with `event.idm.read_only_udm.principal.location.name` UDM field.
- `event.idm.read_only_udm.target.file.full_path`: Newly Mapped `File` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field.
- `security_result.detection_fields`: Newly Mapped `RequestId` raw log field with `security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.security_result`: Newly Mapped `sev` raw log field with `event.idm.read_only_udm.security_result` UDM field.
- Added gsub to replace "\\t" with "#".
- Added a grok pattern to parse unparsed logs.
- `event.idm.read_only_udm.additional.fields`: Newly Mapped `Category`, `ExtraDetails`, `CAPolicy`, `status`, `class_name`, `vault_name`, `timeout`, `data_socket`, `control_socket`, `pasvc_action`, `line_number` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly Mapped `ip_address` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- `event.idm.read_only_udm.target.file.full_path`: Newly Mapped `file_path` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly Mapped `tid` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.target.process.pid`: Newly Mapped `pid` raw log field with `event.idm.read_only_udm.target.process.pid` UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly Mapped `date` and `time` raw log fields with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.metadata.description`: Newly Mapped `EventMessage` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- Removed redundant code for `event.idm.read_only_udm.security_result`.
- `event.idm.read_only_udm.principal.user.userid`: Newly Mapped `SourceUser` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.target.user.userid`: Newly Mapped `TargetUser` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- `event.idm.read_only_udm.target.user.user_display_name`: Newly Mapped `user_name` raw log field with `event.idm.read_only_udm.target.user.user_display_name` UDM field.
2024-06-14 Enhancement:
- Added a regex pattern to map "msg" to "security_result.description".
2024-05-21 Enhancement:
- Updated Grok pattern to retrieve `host`.
- `event.idm.read_only_udm.observer.hostname`: Newly mapped `host` raw log field with `event.idm.read_only_udm.observer.hostname` UDM field.
- Removed word `HostName` from field `cs5`.
- Removed redundant `_auth_mechanism` mapping and added common mapping for `_auth_mechanism`.
- When `user` is present, map `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED`.
- Added flag `has_principal` and `has_target`.
- Set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION` when `has_principal` and `has_target` are true.
- Added conditional check for `user` and domain.
2024-04-30 Enhancement:
- Added "affected user name", "reason", "app" and "device type" fields in additional UDM field.
2024-04-05 Enhancement:
- Added a Grok pattern to parse the new format of SYSLOG logs.
2022-10-10
- Declared fields "cs2", "FileQualifier", "msg", "shost", "dhost".
- Mapped "metadata.event_type" to "STATUS_UPDATE" where "metadata.event_type" is "GENERIC_EVENT" and "shost" is not null and "dhost" is null.