Change log for EFFICIENTIP_DDI
| Date | Changes |
|---|---|
| 2025-07-03 | Enhancement:<br>- Added a Grok pattern to parse a new log format.<br>- `event.idm.read_only_udm.principal.process.pid`: newly mapped from `process_id`.<br>- Set `has_principal` to `true` when `event.idm.read_only_udm.principal.mac` is present.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: newly mapped from `src_ip`.<br>- Added a conditional check that the log contains `dhcp` before setting `event_type` to `NETWORK_DHCP`.<br>- Added IP validation before mapping `intermediary`: if the value is an IP address it is mapped to `event.idm.read_only_udm.intermediary.ip`, otherwise it is mapped to `event.idm.read_only_udm.intermediary.hostname`. |
| 2025-06-26 | Enhancement:<br>- Added a Grok pattern to extract `domain_name` from `description`.<br>- `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname`: newly mapped from `domain_name` when `principal.hostname` and `principal.asset.hostname` are not already mapped; otherwise `domain_name` is mapped to `event.idm.read_only_udm.additional.fields`.<br>- Removed a duplicate `dns_domain` overwrite within the same Grok pattern, as it was redundant. |
| 2025-05-13 | Enhancement:<br>- Added Grok patterns to parse a new log format.<br>- `event.idm.read_only_udm.metadata.event_type`: set to `NETWORK_DNS` when `has_dns_questions` is `"true"`; otherwise `STATUS_UPDATE` when `has_principal` is `"true"`; otherwise `GENERIC_EVENT`.<br>- `event.idm.read_only_udm.metadata.event_type`: set to `USER_UNCATEGORIZED` when `has_user` is `"true"`; otherwise `STATUS_UPDATE` when `has_principal` is `"true"`; otherwise `GENERIC_EVENT`. |
| 2024-11-07 | Enhancement:<br>- Mapped `hostname` to `principal.hostname` and `principal.asset.hostname`.<br>- Set `additional.fields.key` according to `data.code`: `1` → `subnet_mask`; `2` → `time_offset`; `4` → `time_server`; `3` → `default_router`; `6` → `dns`; `12` → `hostname`; `15` → `domain`; `42` → `ntp`; `51` → `lease_time`; `58` or `59` → `renewal_time`; `60` → `class_identifier`; `61` → `client_identifier`; `69` → `smtp`; `70` → `pop3`; `81` → `fqdn`; `100` → `posix`; `101` → `time_zone`; `119` → `dns_searchlist`; `121` → `static_route`. |
| 2024-08-21 | Enhancement:<br>- When `activity-type` is DNS-related, mapped `metadata.event_type` to `NETWORK_DNS`. |
| 2024-06-11 | Enhancement:<br>- Handled unparsed JSON logs. |
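The 2025-07-03 and 2025-05-13 entries describe decision rules rather than field copies: an intermediary value goes to `intermediary.ip` only if it is a real address, `has_principal` is derived from the presence of `principal.mac`, and `metadata.event_type` is chosen by a chain of flags. The following Python model is an added example and is not the parser's own Grok/Logstash code. It assumes a Grok stage has already produced named captures (`process_id`, `mac`, `src_ip`, `intermediary`, `has_dns_questions`, `has_user`, `message`); the sample records are constructed, the ordering of the event-type rules is an assumption (the change log lists them separately), and the IP check on `src_ip` is this example's own addition.

```python
import ipaddress

# Constructed sample records. Each dict stands in for the named captures a
# hypothetical Grok stage would produce; the keys echo the change-log names.
SAMPLE_RECORDS = [
    {"message": "dhcp lease granted", "process_id": "1234",
     "mac": "00:11:22:33:44:55", "src_ip": "192.0.2.10",
     "intermediary": "10.0.0.5"},
    {"message": "query received", "has_dns_questions": "true",
     "intermediary": "dns-relay01"},
    {"message": "login ok", "has_user": "true", "intermediary": "2001:db8::1"},
    {"message": "heartbeat", "src_ip": "not-an-ip"},
]


def is_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address, False otherwise."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def select_event_type(message, flags):
    """Choose metadata.event_type from the flags the change log names.
    The change log states each rule separately; the precedence used here
    (DHCP, then DNS, then user, then principal) is an assumption."""
    if "dhcp" in message.lower():
        return "NETWORK_DHCP"
    if flags["has_dns_questions"]:
        return "NETWORK_DNS"
    if flags["has_user"]:
        return "USER_UNCATEGORIZED"
    if flags["has_principal"]:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def normalize(record):
    """Apply the mapping rules to one record. Returns a flat dict keyed by
    UDM path (the event.idm.read_only_udm prefix is omitted); UDM ip and mac
    fields are repeated, so they are stored as lists."""
    udm = {}
    flags = {
        "has_dns_questions": record.get("has_dns_questions") == "true",
        "has_user": record.get("has_user") == "true",
        "has_principal": False,
    }

    # 2025-07-03: process_id -> principal.process.pid
    if record.get("process_id"):
        udm["principal.process.pid"] = record["process_id"]

    # 2025-07-03: has_principal becomes true when principal.mac is present
    # (the `mac` capture feeding principal.mac is an assumption here).
    if record.get("mac"):
        udm["principal.mac"] = [record["mac"]]
        flags["has_principal"] = True

    # 2025-07-03: src_ip -> principal.ip and principal.asset.ip. Validating
    # src_ip is this example's addition; the change log only validates
    # intermediary. It keeps junk like "not-an-ip" out of a typed IP field.
    if is_ip(record.get("src_ip", "")):
        udm["principal.ip"] = [record["src_ip"]]
        udm["principal.asset.ip"] = [record["src_ip"]]

    # 2025-07-03: intermediary goes to .ip only if it parses as an address,
    # otherwise to .hostname (covers IPv6 as well as IPv4).
    inter = record.get("intermediary")
    if inter:
        if is_ip(inter):
            udm["intermediary.ip"] = [inter]
        else:
            udm["intermediary.hostname"] = inter

    udm["metadata.event_type"] = select_event_type(
        record.get("message", ""), flags)
    return udm


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(normalize(rec))
```

Running the block prints one normalized dict per sample record. The point of the `is_ip` check is that a hostname such as `dns-relay01` or a malformed value never lands in a field that downstream rules and detections treat as an address; the same check is what makes the 2025-07-03 intermediary rule safe for IPv6 values.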