Change log for IBM_ZSECURE_ALERT
Date | Changes
---|---
2025-03-14 | Newly created parser. Supported log format: SYSLOG. Mapped the following fields:

- `priority` to `security_result.detection_fields`
- `timestamp` to `metadata.event_timestamp`
- `hostname` to `principal.hostname` and `principal.asset.hostname`
- `app_name` to `target.application`
- `parameter` to `target.resource.attribute.labels`
- `class` to `target.resource.attribute.labels`
- `profile` to `target.resource.attribute.labels`
- `uacc` to `target.resource.attribute.labels`
- `parm` to `target.resource.attribute.labels`
- `action` to `security_result.action_details`
- `racf_user` to `target.resource.attribute.labels`
- `racf_name` to `target.resource.attribute.labels`
- `racfcmd` to `target.resource.attribute.labels`
- `dnsname` to `target.resource.attribute.labels`
- `volume` to `target.resource.attribute.labels`
- `poe` to `target.resource.attribute.labels`
- `resource` to `target.resource.attribute.labels`
- `granted` to `additional.fields`
- `allowed` to `additional.fields`
- `intent` to `additional.fields`
- `userid` to `principal.user.userid`
- `name` to `principal.user.user_display_name`
- `jobname` to `additional.fields`
- `system` to `additional.fields`
- `attempts` to `additional.fields`
- `terminal` to `principal.asset.attribute.labels`
- `srcip` to `principal.ip` and `principal.asset.ip`
- `msg` to `security_result.description`
- `mesg` to `security_result.detection_fields`
- `wto_msg` to `security_result.detection_fields`
- `desc` to `security_result.detection_fields`
- `svcno` to `target.resource.attribute.labels`
- `esrno` to `target.resource.attribute.labels`
- `curr_address` to `target.resource.attribute.labels`
- `curr_apf` to `target.resource.attribute.labels`
- `unix_path` to `target.file.full_path`

The `event_type` is set as follows:

- Set `event_type` to `USER_RESOURCE_ACCESS` if principal, target and action are present.
- Set `event_type` to `STATUS_UPDATE` if only principal is present.
- Set `event_type` to `GENERIC_EVENT` if none of the above conditions are met.