Change log for CYBERARK_PAM

Date Changes
2025-05-08 Enhancement:
- `JSON`: Added support for `JSON` format.
- Added a `gsub` that replaces the `"message"` key with `"msg"` in the raw `message` field.
- Added conditional check before dropping logs.
- event.idm.read_only_udm.metadata.description: Newly mapped `msg` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `actionType`, `action`, `auditType`, `customData.app_id`, `customData.end_time`, `customData.is_internal_application`, `customData.scopes`, `customData.start_time`, `customData.token_type`, `customData.user_guid`, `identityType`, `tenantId`, `component`, `serviceName`, `customData.DPA.ephemeral_user`, `customData.DPA.access_method`, `customData.DPA.assigned_domain_groups`, `customData.DPA.assigned_groups`, `customData.DPA.authentication_methods`, `customData.DPA.connection_string`, `customData.DPA.maximum_session_duration`, `customData.deny_by_user`, `customData.mfa_reason`, `customData.factors`, `customData.auth_method`, `customData.entity_type`, `customData.mfa_initiator`, `safe`, `cloudAssets`, `cloudIdentities` and `cloudResources` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.application: Newly mapped `applicationCode` raw log field with `event.idm.read_only_udm.target.application` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `auditCode` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `userId` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `username` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- event.idm.read_only_udm.principal.cloud.environment: Newly mapped `cloudProvider` raw log field with `event.idm.read_only_udm.principal.cloud.environment` UDM field.
- If `cloudProvider` matches `aws`, it is mapped to `AMAZON_WEB_SERVICES`.
- If `cloudProvider` matches `azure`, it is mapped to `MICROSOFT_AZURE`.
- If `cloudProvider` matches `gcp`, it is mapped to `GOOGLE_CLOUD_PLATFORM`.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly mapped `customData.client` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `uuid` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `timestamp` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `source` raw log field with `event.idm.read_only_udm.principal.ip` UDM field (if it is an IP).
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `source` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field (if it is an IP).
- event.idm.read_only_udm.extensions.auth.auth_details: Newly mapped `accessMethod` raw log field with `event.idm.read_only_udm.extensions.auth.auth_details` UDM field.
- event.idm.read_only_udm.principal.user.product_object_id: Newly mapped `accountId` raw log field with `event.idm.read_only_udm.principal.user.product_object_id` UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped `sessionId` raw log field with `event.idm.read_only_udm.network.session_id` UDM field.
- event.idm.read_only_udm.target.hostname: Newly mapped `target` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped `target` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.
- event.idm.read_only_udm.target.labels: Newly mapped `targetPlatform` raw log field with `event.idm.read_only_udm.target.labels` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `customData.DPA.source_hostname` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped `customData.DPA.source_hostname` raw log field with `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- event.idm.read_only_udm.principal.user.attributes.labels: Newly mapped `customData.DPA.source_user` raw log field with `event.idm.read_only_udm.principal.user.attributes.labels` UDM field.
- event.idm.read_only_udm.target.labels: Newly mapped `customData.DPA.target_machine` raw log field with `event.idm.read_only_udm.target.labels` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `customData.entity_name` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped `customData.entity_name` raw log field with `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- event.idm.read_only_udm.principal.location.region_latitude: Newly mapped `customData.geoip_latitude` raw log field with `event.idm.read_only_udm.principal.location.region_latitude` UDM field.
- event.idm.read_only_udm.principal.location.region_longitude: Newly mapped `customData.geoip_longitude` raw log field with `event.idm.read_only_udm.principal.location.region_longitude` UDM field.
- event.idm.read_only_udm.principal.location.city: Newly mapped `customData.geoip_city_name` raw log field with `event.idm.read_only_udm.principal.location.city` UDM field.
- event.idm.read_only_udm.security_result.action: Newly mapped `customData.mfa_result` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.
- event.idm.read_only_udm.principal.location.country_or_region: Newly mapped `customData.geoip_country_name` raw log field with `event.idm.read_only_udm.principal.location.country_or_region` UDM field.
- event.idm.read_only_udm.principal.asset.platform_software.platform: Newly mapped `customData.request_device_os` raw log field with `event.idm.read_only_udm.principal.asset.platform_software.platform` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `customData.request_broswer_name` raw log field with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `customData.geoip_country_code` raw log field with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly mapped `accountName` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `targetAccount` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.target.user.attribute.labels: Newly mapped `customData.PAM.new_target` raw log field with `event.idm.read_only_udm.target.user.attribute.labels` UDM field.
- event.idm.read_only_udm.target.file.full_path: Newly mapped `customData.PAM.target` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly mapped `customData.directory_service_id` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly mapped `customData.user_id` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.user.attribute.labels: Newly mapped `customData.user_name` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- event.idm.read_only_udm.extensions.auth.type: Newly mapped `customData.mfa_initiator` raw log field with `event.idm.read_only_udm.extensions.auth.type` UDM field.
- event.idm.read_only_udm.metadata.event_type: If the log has `event.idm.read_only_udm.principal.user.userid`, then the `event.idm.read_only_udm.metadata.event_type` is mapped to "USER_LOGIN".
2025-02-06 Enhancement:
- Mapped "signature_id" to "metadata.product_event_type".
- If "severity" is 0, 1, 2, or 3, then "security_result.severity" is mapped to "LOW". Otherwise, if "severity" is 4, 5, or 6, then "security_result.severity" is mapped to "MEDIUM". Otherwise, if "severity" is 7 or 8, then "security_result.severity" is mapped to "HIGH". Otherwise, if "severity" is 9 or 10, then "security_result.severity" is mapped to "CRITICAL".
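The entries above describe mapping rules rather than showing them, so the following added Python example re-implements the core of them (the `message` to `msg` gsub, the `cloudProvider` normalisation, the IP check on `source`, the severity bands, the `additional.fields` copy of dotted `customData.*` paths, and the `USER_LOGIN` event-type rule) on one constructed JSON log line. It is illustrative code written for this change log, not the Chronicle parser itself: the `GENERIC_EVENT` fallback, the reading of "similar to" as a case-insensitive substring match, and the presence of a `severity` key in a JSON-format event are this example's assumptions, and the sample log line is constructed, not captured from a real tenant.

```python
import ipaddress
import json
import re


def severity_to_udm(severity):
    """Severity bands from the 2025-02-06 entry; None outside 0-10."""
    try:
        sev = int(severity)
    except (TypeError, ValueError):
        return None
    if 0 <= sev <= 3:
        return "LOW"
    if 4 <= sev <= 6:
        return "MEDIUM"
    if sev in (7, 8):
        return "HIGH"
    if sev in (9, 10):
        return "CRITICAL"
    return None


# cloudProvider normalisation from the 2025-05-08 entry. "Similar to" is
# read here as a case-insensitive substring match (an assumption).
CLOUD_ENV = {"aws": "AMAZON_WEB_SERVICES",
             "azure": "MICROSOFT_AZURE",
             "gcp": "GOOGLE_CLOUD_PLATFORM"}


def cloud_environment(provider):
    if not isinstance(provider, str):
        return None
    low = provider.lower()
    for needle, udm in CLOUD_ENV.items():
        if needle in low:
            return udm
    return None


def rename_message_key(raw):
    """The gsub step: rename the raw JSON key "message" to "msg".
    Like a plain gsub it also renames nested keys called "message"."""
    return re.sub(r'"message"\s*:', '"msg":', raw)


def is_ip(value):
    try:
        ipaddress.ip_address(value)
    except (TypeError, ValueError):
        return False
    return True


def get_path(doc, dotted):
    """Resolve a dotted raw-field path such as customData.DPA.source_hostname."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# A subset of the raw fields the 2025-05-08 entry copies into additional.fields.
ADDITIONAL_FIELDS = ("actionType", "action", "auditType", "customData.app_id",
                     "customData.DPA.source_hostname", "tenantId", "safe")


def map_event(raw_line):
    """Build a UDM-shaped dict from one JSON log line."""
    doc = json.loads(rename_message_key(raw_line))
    udm = {"metadata": {}, "principal": {"user": {}}, "target": {},
           "security_result": {}, "additional": {"fields": {}}}
    udm["metadata"]["description"] = doc.get("msg")
    udm["metadata"]["product_log_id"] = doc.get("uuid")
    udm["metadata"]["event_timestamp"] = doc.get("timestamp")
    udm["principal"]["user"]["userid"] = doc.get("userId")
    udm["principal"]["user"]["user_display_name"] = doc.get("username")
    udm["principal"]["cloud"] = {"environment": cloud_environment(doc.get("cloudProvider"))}
    if is_ip(doc.get("source")):          # source -> principal.ip only if it is an IP
        udm["principal"]["ip"] = doc["source"]
    udm["target"]["hostname"] = doc.get("target")
    udm["target"]["application"] = doc.get("applicationCode")
    udm["security_result"]["detection_fields"] = {"auditCode": doc.get("auditCode")}
    if "severity" in doc:                  # assumed to exist in this constructed sample
        udm["security_result"]["severity"] = severity_to_udm(doc["severity"])
    for path in ADDITIONAL_FIELDS:
        value = get_path(doc, path)
        if value is not None:
            udm["additional"]["fields"][path] = value
    # event_type rule from the change log; the GENERIC_EVENT fallback is an assumption
    udm["metadata"]["event_type"] = ("USER_LOGIN" if udm["principal"]["user"]["userid"]
                                     else "GENERIC_EVENT")
    return udm


# Constructed sample line (not captured from a real CyberArk tenant).
SAMPLE_LINE = json.dumps({
    "message": "User logged in via web", "uuid": "00000000-0000-4000-8000-000000000001",
    "timestamp": "2025-05-08T10:15:30Z", "userId": "jdoe", "username": "Jane Doe",
    "cloudProvider": "AWS-commercial", "source": "203.0.113.10", "target": "prod-db-01",
    "applicationCode": "PAM", "auditCode": "PAM-AUTH-001", "severity": 7,
    "customData": {"app_id": "app-123", "DPA": {"source_hostname": "wks-42"}},
})

if __name__ == "__main__":
    print(json.dumps(map_event(SAMPLE_LINE), indent=2))
```

Running the block prints the mapped event; the `source` value only lands in `principal.ip` because it parses as an address, and a hostname in the same field would be left out exactly as the "(if it is an IP)" notes above require.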
2024-11-28 Enhancement:
- Added a Grok pattern to parse "metadata.version".
2024-11-21 Enhancement:
- Mapped "act" to "metadata.product_event_type".
- Mapped "app" to "target.application".
2024-10-29 - Added support for new log patterns.
2024-05-05 - Newly created parser.