Change log for CYBEREASON_EDR

Date Changes
2025-07-02 Enhancement:
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `LogType` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.guid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.metadata.description: Newly mapped `status` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.guid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.fqdn` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.serviceStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.avDbVersion` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.documentProtectionMode` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.antiMalwareStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.documentProtectionStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.amStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.outdated` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.collectionStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.collectiveUuid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.privateServerIp` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.nat_ip: Newly mapped `Sensor.privateServerIp` raw log field with `event.idm.read_only_udm.target.nat_ip` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.status` raw log field with `event.idm.read_only_udm.additional.fields` UDM field
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.siteId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.isolated` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.exitReason` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.lastUpgradeResult` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.quickScanStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.policyName` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.groupId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.groupName` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.groupStickinessLabel` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.fullScanStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.siteName` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `machine.pylumId` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `needsAttention` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `id.malwareType` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `referenceGuid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `referenceElementType` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `schedulerScan` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `malwareDataModel` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `iconBase64` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity_details` UDM field.
2025-04-24 Enhancement:
- event.idm.read_only_udm.target.user.userid: Removed mapping of `Sensor.serverId` from `event.idm.read_only_udm.target.user.userid` UDM field for Malware logs.
- event.idm.read_only_udm.principal.user.user_display_name: Removed mapping of `displayName` from `event.idm.read_only_udm.principal.user.user_display_name` UDM field for Malop logs.
- event.idm.read_only_udm.additional.fields: Added mapping of `Sensor.serverId` to `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Added mapping of `displayName` to `event.idm.read_only_udm.additional.fields` UDM field.
2025-01-23 Enhancement:
- Changed "metadata.event_type" from "NETWORK_CONNECTION" to "SCAN_FILE".
- Changed mapping for externalIP from target.ip to principal.ip.
- Mapped security_result.category to "SOFTWARE_MALICIOUS" if type is "knownMalware" and elementType is "File", else if type is "knownMalware" and elementType is not "File" then mapped it to "NETWORK_MALICIOUS".
- Changed mapping for "name" from "principal.process.file.full_path" to "target.file.names".
- Changed mapping for "malwareDataModel" from "principal.process.command_line" to "target.file.full_path".
- Mapped type to security_result.summary.
- Mapped status to security_result.action.
2024-11-29 Enhancement:
- Added support to parse logs when the LogType is "Malware" and "Malop".
2024-01-25 Enhancement:
- Mapped "cs3Label", "cs4Label", "cs5Label", "deviceCustomDate1Label", "deviceCustomDate2Label" and "deviceCustomDate3Label" to "security_result.detection_fields".
- Aligned "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings.
- Aligned "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings.
2023-02-23 Enhancement
- Mapped "malop_data.elementValues.affectedUsers.elementValues.0.guid" to "principal.user.userid".
- Mapped "malop_data.elementValues.affectedUsers.elementValues.0.name" to "principal.user.user_display_name".
- Mapped "malop_data.elementValues.affectedMachines.elementValues.0.guid" to "principal.asset.asset_id".
- Mapped "malop_data.elementValues.affectedMachines.elementValues.0.name" to "principal.hostname".
- Mapped "malop_data.simpleValues.malopActivityTypes.values.0", "malop_data.isMalicious" to "security_result.detection_fields".
- Mapped "security_result.alert_state" to "ALERTING" if "is_alert" is "true".
2023-02-06 Enhancement
- Parsed logs ingested in CEF format.