Change log for IBM_ZSECURE_ALERT

Date	Changes
2025-03-14	Newly created parser. Supported log format: SYSLOG. Mapped the following fields: - `priority` to `security_result.detection_fields` - `timestamp` to `metadata.event_timestamp` - `hostname` to `principal.hostname` and `principal.asset.hostname` - `app_name` to `target.application` - `parameter` to `target.resource.attribute.labels` - `class` to `target.resource.attribute.labels` - `profile` to `target.resource.attribute.labels` - `uacc` to `target.resource.attribute.labels` - `parm` to `target.resource.attribute.labels` - `action` to `security_result.action_details` - `racf_user` to `target.resource.attribute.labels` - `racf_name` to `target.resource.attribute.labels` - `racfcmd` to `target.resource.attribute.labels` - `dnsname` to `target.resource.attribute.labels` - `volume` to `target.resource.attribute.labels` - `poe` to `target.resource.attribute.labels` - `resource` to `target.resource.attribute.labels` - `granted` to `additional.fields` - `allowed` to `additional.fields` - `intent` to `additional.fields` - `userid` to `principal.user.userid` - `name` to `principal.user.user_display_name` - `jobname` to `additional.fields` - `system` to `additional.fields` - `attempts` to `additional.fields` - `terminal` to `principal.asset.attribute.labels` - `srcip` to `principal.ip` and `principal.asset.ip` - `msg` to `security_result.description` - `mesg` to `security_result.detection_fields` - `wto_msg` to `security_result.detection_fields` - `desc` to `security_result.detection_fields` - `svcno` to `target.resource.attribute.labels` - `esrno` to `target.resource.attribute.labels` - `curr_address` to `target.resource.attribute.labels` - `curr_apf` to `target.resource.attribute.labels` - `unix_path` to `target.file.full_path` - Set `event_type` to `USER_RESOURCE_ACCESS` if principal, target and action are present. - Set `event_type` to `STATUS_UPDATE` if only principal is present. - Set `event_type` to `GENERIC_EVENT` if none of the above conditions are met.

Date

Changes

2025-03-14

Newly created parser.
Supported log format: SYSLOG.
Mapped the following fields:
- `priority` to `security_result.detection_fields`
- `timestamp` to `metadata.event_timestamp`
- `hostname` to `principal.hostname` and `principal.asset.hostname`
- `app_name` to `target.application`
- `parameter` to `target.resource.attribute.labels`
- `class` to `target.resource.attribute.labels`
- `profile` to `target.resource.attribute.labels`
- `uacc` to `target.resource.attribute.labels`
- `parm` to `target.resource.attribute.labels`
- `action` to `security_result.action_details`
- `racf_user` to `target.resource.attribute.labels`
- `racf_name` to `target.resource.attribute.labels`
- `racfcmd` to `target.resource.attribute.labels`
- `dnsname` to `target.resource.attribute.labels`
- `volume` to `target.resource.attribute.labels`
- `poe` to `target.resource.attribute.labels`
- `resource` to `target.resource.attribute.labels`
- `granted` to `additional.fields`
- `allowed` to `additional.fields`
- `intent` to `additional.fields`
- `userid` to `principal.user.userid`
- `name` to `principal.user.user_display_name`
- `jobname` to `additional.fields`
- `system` to `additional.fields`
- `attempts` to `additional.fields`
- `terminal` to `principal.asset.attribute.labels`
- `srcip` to `principal.ip` and `principal.asset.ip`
- `msg` to `security_result.description`
- `mesg` to `security_result.detection_fields`
- `wto_msg` to `security_result.detection_fields`
- `desc` to `security_result.detection_fields`
- `svcno` to `target.resource.attribute.labels`
- `esrno` to `target.resource.attribute.labels`
- `curr_address` to `target.resource.attribute.labels`
- `curr_apf` to `target.resource.attribute.labels`
- `unix_path` to `target.file.full_path`
- Set `event_type` to `USER_RESOURCE_ACCESS` if principal, target and action are present.
- Set `event_type` to `STATUS_UPDATE` if only principal is present.
- Set `event_type` to `GENERIC_EVENT` if none of the above conditions are met.