Change log for GITHUB
Date | Changes |
---|---|
2025-05-22 | Enhancement:
- event.idm.read_only_udm.metadata.description: Newly Mapped `commit_message` raw log field with `event.idm.read_only_udm.metadata.description` UDM field. - event.idm.read_only_udm.metadata.product_event_type: Newly Mapped `commit` value if message contains `committer` with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - event.idm.read_only_udm.src.user.title: Newly Mapped `sender.type` raw log field with `event.idm.read_only_udm.src.user.title` UDM field. - event.idm.read_only_udm.target.file.sha1: Newly Mapped `sha` raw log field with `event.idm.read_only_udm.target.file.sha1` UDM field. - event.idm.read_only_udm.target.url: Newly Mapped `target_url` raw log field with `event.idm.read_only_udm.target.url` UDM field. - event.idm.read_only_udm.security_result.description: Newly Mapped `description` raw log field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `avatar_url` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `context` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `commit_node_id` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.action_details: Newly Mapped `state` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `commit_committer_name` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.principal.email: Newly Mapped `commit_committer_email` raw log field with `event.idm.read_only_udm.principal.email` UDM field.
- event.idm.read_only_udm.additional.fields: Newly Mapped `commit_tree_sha` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `comment_count` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `html_url` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.summary: Newly Mapped `reason` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field. - event.idm.read_only_udm.principal.url: Newly Mapped `commit_url` raw log field with `event.idm.read_only_udm.principal.url` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `comments_url` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.principal.user.user_display_name: Newly Mapped `commit_user_name` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly Mapped `commit_user_id` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.principal.asset_id: Newly Mapped `principal.assetid` raw log field with `event.idm.read_only_udm.principal.asset_id` UDM field. - event.idm.read_only_udm.src.user.user_display_name: Newly Mapped `sender_login` raw log field with `event.idm.read_only_udm.src.user.user_display_name` UDM field. - event.idm.read_only_udm.src.user.product_object_id: Newly Mapped `sender_id` raw log field with `event.idm.read_only_udm.src.user.product_object_id` UDM field. - event.idm.read_only_udm.src.asset_id: Newly Mapped `sender_assetid` raw log field with `event.idm.read_only_udm.src.asset_id` UDM field. - event.idm.read_only_udm.src.url: Newly Mapped `sender_url` raw log field with `event.idm.read_only_udm.src.url` UDM field. |
2025-05-16 | Enhancement: Fixed flakiness issue caused by repetition of keys in additional fields by appending an index to each key and modifying redundant variable names.
|
2025-05-02 | Enhancement:
- event.idm.read_only_udm.target.url: Newly mapped `alert.url` raw log field with `event.idm.read_only_udm.target.url` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `alert.created_at`, `alert.html_url`, `alert.locations_url`, `alert.multi_repo`, `alert.number`, `alert.publicly_leaked`, `alert.push_protection_bypassed`, `alert.secret_type`, `alert.secret_type_display_name`, `alert.updated_at`, `alert.validity` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
2025-02-27 | Enhancement:
- Mapped "repository_selection", "user_programmatic_access_name", and "permissions_added.*" to "additional.fields". |
2025-02-20 | Enhancement:
- If "external_identity_nameid" is present, then mapped "external_identity_nameid" to "principal.user.userid". Otherwise, mapped "actor_id" to "principal.user.userid". |
2025-02-12 | Enhancement:
- Mapped "new_repo_permission", "user", and "actor" to "additional.fields". |
2025-02-11 | Enhancement:
- Mapped "secret_type_display_name" to "additional.fields". - Changed "metadata.vendor_name" mapping from "GITHUB" to "GitHub". |
2025-01-24 | Enhancement:
- Added support for new pattern of JSON logs. |
2024-12-16 | Enhancement:
- Changed mapping of "user" from "principal.user.user_display_name" to "target.user.user_display_name". - Changed mapping of "actor" from "principal.user.userid" to "principal.user.user_display_name". - Changed mapping of "actor_id" from "target.user.userid" to "principal.user.userid". - Mapped "user_id" to "target.user.userid". - Removed the Grok pattern of "external_identity_nameid" as it is not required. |
2024-12-05 | Enhancement:
- Mapped "push_protection_bypass_reason" to "security_result.detection_fields". |
2024-11-14 | Enhancement:
- Added support for new pattern of JSON logs. |
2024-11-06 | Enhancement:
- Mapped "actor" to "principal.resource.attribute.labels". - Changed the mapping of "user" from "target.user.user_display_name" to "principal.user.user_display_name". - Changed the mapping of "external_identity_nameid" from "target.user.email_addresses" to "principal.user.email_addresses". - Changed the mapping of "userid" from "target.user.userid" to "principal.user.userid". |
2024-09-18 | Enhancement:
- Mapped "pull_request_url" to "target.url". - Mapped "pull_request_title", "pull_request_id", and "previous_visibility" to "additional.fields". |
2024-08-26 | Enhancement:
- Mapped "explanation" to "additional.fields". |
2024-08-13 | Enhancement:
- Mapped "invitee_email" and "email" to "additional.fields". |
2024-07-02 | Enhancement:
- Fixed the mapping of "config_was". - Changed the mapping of "admin_enforced" from "security_result.action" to "additional.fields". - Mapped "required_status_checks_enforcement_level", "events_were" and "old_permission" to "additional.fields". |
2024-06-13 | Enhancement:
- Mapped "name", "manager", "pull_request_reviews_enforcement_level", "hook_id", "events", "config_was", "key", "fingerprint", "permission", and "title" to "additional.fields". - When "admin_enforced" is "true", then mapped "security_result.action" to "ALLOW". - When "admin_enforced" is "false", then mapped "security_result.action" to "BLOCK". |
2023-12-18 | Bug-Fix:
- If "process_type" is "github_production", added a Grok pattern to extract "kv_data". - If "process_type" is "github_production", mapped "user" to "target.user.user_display_name". - If "process_type" is "github_production", mapped "user_id" to "target.user.userid". - Mapped "referrer" to "network.http.referral_url". - Mapped "user_session_id" to "network.session_id". - Mapped "ip" to "principal.ip". - Mapped "from" to "additional.fields". - Mapped "request_category" to "additional.fields". - Mapped "device_cookie" to "additional.fields". - Mapped "operation_type" to "additional.fields". - Mapped "category_type" to "additional.fields". - Mapped "note" to "additional.fields". - Mapped "read" to "additional.fields". - Mapped "pre_perform_allocation_count" to "additional.fields". - Mapped "backend" to "additional.fields". - Mapped "queue" to "additional.fields". - Mapped "class" to "additional.fields". - Mapped "success" to "additional.fields". - Mapped "controller_action" to "security_result.detection_fields". - Mapped "two_factor" to "security_result.detection_fields". |
2023-10-25 | Enhancement:
- When "public_repo" is "false", set "target.location.name" to "PRIVATE", else set to "PUBLIC". |
2023-10-11 | Enhancement:
- Mapped "user_agent" to "network.http.user_agent" and "network.http.parsed_user_agent". - Mapped "request_method" to "network.http.method". - Mapped "application_name" to "target.application". - Mapped "status_code" to "network.http.response_code". - Mapped "url_path" to "target.url". - Mapped "user_id" to "target.userid". - Mapped "transport_protocol_name" to "network.application_protocol". - Mapped "raw.now" to "metadata.event_timestamp". - Mapped "raw.ip" to "principal.ip". - Mapped "raw.request_id" to "metadata.product_log_id". - Mapped "raw.repo" to "target.url". - Mapped "raw.action" to "security_result.summary". - Mapped "raw.protocol" to "network.application_protocol". - Mapped "raw.message" to "metadata.description". - Mapped "raw.at" to "security_result.action". - Mapped "raw.login" to "target.user_display_name". - Mapped "raw.user_id" to "target.userid". - Mapped "raw.failure_reason", "raw.failure_type", "raw.raw_login" and "raw.from" to "additional.fields". - Mapped "programmatic_access_type", "actor_id", "token_id", "token_scopes", "integration", "query_string", "rate_limit_remaining", "request_body", "route", "business", "org_id", "repo_id", "public_repo", "_document_id", "operation_type", "repository_public" to "additional.fields". |
2023-07-31 | Bug-Fix:
- Added "on_error" to Grok patterns. - Mapped "workflow_run.id" to "target.resource.attribute.labels". - Mapped "workflow_run.event" to "additional.fields". - Mapped "workflow_run.actor.login" to "principal.user.userid". - Mapped "workflow_run.head_branch" to "security_result.about.labels". - Mapped "workflow_run.head_sha" to "target.file.sha256". - Mapped "enterprise.name" to "additional.fields". - Mapped "workflow.name" to "security_result.about.labels". - Mapped "workflow_run.workflow_id" to "security_result.about.labels". |
2023-06-22 | Enhancement:
- Added support for the "github_auth", "haproxy", "github_access", "github_unicorn", "github_production", "hookshot-go", "babeld", "github_gitauth", "babeld2hydro", "authzd", "gitrpcd", "agent", "git-daemon", "github_resqued", "sudo", "systemd" and "github_audit" syslog log formats. |
2023-06-09 | Enhancement:
- Mapped "external_identity_nameid" to "target.user.email_addresses" if in email format. - Fetch the username from "external_identity_nameid" and map to "target.user.userid". |
2023-01-13 | Enhancement:
- Mapped "actor_ip" to "principal.ip". - Mapped "hashed_token" to "network.session_id". - Mapped "external_identity_nameid" to "target.user.userid". - Mapped "external_identity_username" to "target.user.user_display_name". |
2022-11-28 | Enhancement: Mapped "config.url" to "target.url".
|
2022-07-07 | Enhancement: Newly ingested JSON format logs with action "git.clone", "git.push" and "workflows.prepared_workflow_job" are now handled and parsed.
- 'job_name' mapped to 'target.resource.attribute.labels'. - 'job_workflow_ref' mapped to 'target.resource.attribute.labels'. - 'runner_group_id' mapped to 'target.resource.attribute.labels'. - 'runner_group_name' mapped to 'target.resource.attribute.labels'. - 'runner_name' mapped to 'target.resource.attribute.labels'. - 'runner_id' mapped to 'target.resource.attribute.labels'. - 'workflow_run_id' mapped to 'target.resource.attribute.labels'. - 'actor_location.country_code' mapped to 'principal.location.country_or_region'. |