Change log for IBM_ZOS
| Date | Changes |
|---|---|
| 2023-07-25 | Bug-Fix -
- Updated values set for "metadata.vendor_name" and "metadata.product_name". |
| 2022-09-08 | Fix -
- Corrected a typo error. |
| 2022-08-09 | Enhancement: Mapped following fields:
- user_out to target.user.userid. - name_out to target.user.user_display_name. - perf_out to target.user.employee_id. - department_out to target.user.department. - ug_out to target.user.office_address.name. - timestamp to src.user.hire_date. - timestamp_end to src.user.termination_date. - user_in to src.user.userid. - name_in to src.user.user_display_name. - perf_in to src.user.employee_id. - department_in to src.user.department. - status to security_result.summary. - userid to principal.user.userid. - username to user.user_display_name. - n_ex_fail to security_result.action_details and mapped security_result.action to FAIL. - type_trx to target.resource.name and mapped TASK to target.resource.resource_type. - email to principal.user.email_addresses. - l_email to observer.user.email_addresses. - class to target.resource.parent. - resource to target.resource.name. - mot to product_event_type. - metadata.event_type to USER_UNCATEGORIZED where mot is not null. - metadata.event_type to USER_RESOURCE_UPDATE_CONTENT where userid is not null. - Added new Grok patterns for logs that has EVENT_TYPES in ALTUSER, CONNECT, ALTGROUP, ADDGROUP, DELGROUP, PERMIT, REMOVE, SETROPTS, RACDCERT and mapped followings fields: - EVENT_QUAL to security_result.summary. - SYSTEM_SMFID to principal.hostname. - VIOLATION to security_result.category. - USER_NDFND to principal.user.user_authentication_status. - USER_WARNING to security_result.severity. - EVT_USER_ID to principal.user.userid. - EVT_GRP_ID to principal.group.group_display_name. - LOG_CLASS, LOG_ACCESS, LOG_USER, LOG_SPECIAL, LOG_NONOMVS, LOG_OMVSNPRV, AUTH_OMVSSU, AUTH_OMVSSYS to security_result.outcomes. - LOG_RACINIT, BACKOUT_FAIL, PROF_SAME, to security_result.action. - TERM to principal.resource_ancestors.name. - JOB_NAME to principal.resource.name. - LOG_ALWAYS, LOG_CMDVIOL, TERM_LEVEL, LOG_GLOBAL, LOG_LEVEL, LOG_LOGOPT, LOG_SECL, LOG_COMPATM, LOG_APPLAUD to principal.resource.attribute.permissions. - USR_SECL to principal.user.attribute.labels. - RACF_VERSION to security_result.rule_version. - ALU_OWN_ID to about.user.userid. - ALU_OLD_SECL, ALU_UTK_SECL to target.user.attribute.labels. - ALU_UTK_ENCR, ALU_UTK_PRE19, ALU_UTK_DEFAULT, ALU_UTK_VERPROF, ALU_UTK_ERROR, ALU_NOAUTH_CLAUTH, ALU_NOAUTH_GROUP, ALU_NOAUTH_PROF to security_result.outcomes. - ALU_UTK_NJEUNUSR, ALU_UTK_LOGUSR, ALU_UTK_SPECIAL, ALU_UTK_UNKNUSR, ALU_UTK_PRIV, ALU_UTK_SURROGAT to target.user.attribute.roles. - ALU_UTK_TRUSTED to target.user.group_identifiers. - ALU_UTK_SESSTYPE, CON_UTK_SESSTYPE, ALG_UTK_SESSTYPE to metadata.description. - ALU_UTK_REMOTE, ALU_UTK_SPCLASS, CON_UTK_REMOTE to principal.resource.resource_subtype. - ALU_UTK_EXECNODE, ALG_UTK_EXECNODE about.resource.name. - ALU_UTK_SUSER_ID, CON_UTK_SUSER_ID, ALG_UTK_SUSER_ID to src.user.userid. - ALU_UTK_SNODE, CON_UTK_SNODE, ALG_UTK_SNODE to src.resource.name. - ALU_UTK_SGRP_ID, CON_UTK_SGRP_ID, ALG_UTK_SGRP_ID to src.user.group_identifiers. - ALU_UTK_SPOE, CON_UTK_SPOE, ALG_UTK_SPOE to principal.port. - ALU_UTK_USER_ID, CON_OWN_ID, CON_UTK_USER_ID, ALG_OWN_ID, AG_OWN_ID, ALG_UTK_USER_ID to about.user.userid. - ALU_USER_NAME, CON_USER_NAME, ALG_USER_NAME, AG_USER_NAME to about.user.user_display_name. - ALU_UTK_GRP_ID, CON_UTK_GRP_ID, ALG_UTK_GRP_ID to about.group.product_object_id. - ALU_UTK_DFT_GRP, CON_UTK_DFT_GRP, CON_UTK_DFT_SECL, ALG_UTK_DFT_GRP to target.group.attribute.labels. - ALU_UTK_DFT_SECL, ALG_UTK_DFT_SECL to target.user.attribute.labels. - ALU_APPC_LINK, CON_APPC_LINK, ALG_UTK_SECL, ALG_APPC_LINK to about.resource.attribute.labels. - ALU_USER_ID, CON_USER_ID to target.user.userid. - CON_UTK_ENCR, CON_UTK_PRE19, CON_UTK_VERPROF, CON_UTK_DEFAULT, CON_UTK_ERROR, ALG_UTK_ENCR, ALG_UTK_PRE19, ALG_UTK_VERPROF, ALG_UTK_DEFAULT, ALG_UTK_ERROR, AG_UTK_ENCR, AG_UTK_PRE19, AG_UTK_VERPROF, AG_UTK_DEFAULT, AG_UTK_ERROR to security_result.outcomes. - CON_UTK_NJEUNUSR, CON_UTK_LOGUSR, CON_UTK_SPECIAL, CON_UTK_UNKNUSR, CON_UTK_SECL, ALG_UTK_NJEUNUSR, ALG_UTK_LOGUSR, ALG_UTK_SPECIAL, ALG_UTK_UNKNUSR, AG_UTK_NJEUNUSR, AG_UTK_LOGUSR, AG_UTK_SPECIAL, AG_UTK_UNKNUSR to target.user.attribute.roles. - CON_UTK_TRUSTED, ALG_UTK_TRUSTED, AG_UTK_TRUSTED to target.user.group_identifiers. - CON_UTK_SURROGAT, ALG_UTK_SURROGAT to target.user.attribute.roles. - CON_UTK_SPCLASS, ALG_UTK_REMOTE, ALG_UTK_SPCLASS to about.resource.resource_subtype. |
| 2022-06-03 | Enhancement
- Enhanced parser to parse CSV logs. - Mapped box field from log to udm principal.hostname. - Added check for src and dst not null prior to mapping of event_type to NETWORK_CONNECTION. - Added check for userName not null prior to mapping of event_type to USER_RESOURCE_UPDATE_CONTENT or USER_RESOURCE_ACCESS. |
| 2022-05-04 | Enhancement - Create a new default parser.
|