Change log for MCAFEE_EPO
| Date | Changes | 
|---|---|
| 2025-08-12 | Enhancement: - Mapped the following raw log fields to `event.idm.read_only_udm.additional.fields`: `Error`, `ProductID`, `InitiatorID`, `InitiatorType`, `SiteName`, and `Locale`. | 
| 2025-05-12 | Enhancement: - Added Grok pattern to support the `Trellix` pattern of logs with (SYSLOG + KV) format and relevant corresponding raw log fields. - event.idm.read_only_udm.metadata.vendor_name: Set the value of `event.idm.read_only_udm.metadata.vendor_name` to `Trellix` for `Trellix` pattern of logs. - event.idm.read_only_udm.observer.hostname: Newly mapped `sys_host` raw log field with `event.idm.read_only_udm.observer.hostname` UDM field. - event.idm.read_only_udm.metadata.product_name: Newly mapped `product_name` field with `event.idm.read_only_udm.metadata.product_name` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `event_name` and `workflowid` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly mapped `alertId` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `agentGUID` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.summary: Newly mapped `alertType` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field. - event.idm.read_only_udm.metadata.product_event_type: Newly mapped `eventType` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - event.idm.read_only_udm.principal.hostname & event.idm.read_only_udm.principal.asset.hostname: Newly mapped `host` raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields and set `has_principal` to `true`. - event.idm.read_only_udm.principal.ip & event.idm.read_only_udm.principal.asset.ip: Newly mapped `sourceIP` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields and set `has_principal` to `true`. - event.idm.read_only_udm.target.ip & event.idm.read_only_udm.target.asset.ip: Newly mapped `targetIP` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields and set `has_target` to `true`. - event.idm.read_only_udm.principal.platform: Newly mapped `operatingSystem` raw log field with `event.idm.read_only_udm.principal.platform` UDM field. - event.idm.read_only_udm.security_result.action_details: Newly mapped `eventname` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `eventTimestamp` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.target.process.file.full_path: Newly mapped `eventObject` raw log field with `event.idm.read_only_udm.target.process.file.full_path` UDM field and set `has_target_resource` to `true`. - event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `eventProgramName` raw log field with `event.idm.read_only_udm.principal.process.file.full_path` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly mapped `eventProgramUser` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.principal.process.command_line: Newly mapped `eventCommandLine` raw log field with `event.idm.read_only_udm.principal.process.command_line` UDM field. - event.idm.read_only_udm.security_result.severity: Newly mapped `threatSeverity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field. - event.idm.read_only_udm.metadata.event_type: Set the value of `event.idm.read_only_udm.metadata.event_type` to `USER_RESOURCE_ACCESS` if `has_user` is `true` and `has_target_resource` is `true`. - event.idm.read_only_udm.metadata.event_type: Set the value of `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE` if `has_principal` is `true`. | 
| 2025-05-02 | Enhancement: - event.idm.read_only_udm.security_result.severity_details: Newly mapped `ThreatSeverity` and `Severity` raw log fields with `event.idm.read_only_udm.security_result.severity_details` UDM field. - event.idm.read_only_udm.security_result.action_details: Newly mapped `Name` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field. - event.idm.read_only_udm.target.file.md5: Newly mapped `TargetHash` raw log field with `event.idm.read_only_udm.target.file.md5` UDM field. - event.idm.read_only_udm.target.file.full_path: Removed mapping of `filename` from `event.idm.read_only_udm.target.file.full_path` UDM field. - event.idm.read_only_udm.principal.file.full_path: Mapped `filename` field with `event.idm.read_only_udm.principal.file.full_path` UDM field. - event.idm.read_only_udm.target.administrative_domain: Removed mapping of `domain` from `event.idm.read_only_udm.target.administrative_domain` UDM field. - event.idm.read_only_udm.principal.administrative_domain: Mapped `domain` field with `event.idm.read_only_udm.principal.administrative_domain` UDM field. - event.idm.read_only_udm.target.user.userid: Removed mapping of `userid` from `event.idm.read_only_udm.target.user.userid` UDM field. - event.idm.read_only_udm.principal.user.userid: Mapped `userid` field with `event.idm.read_only_udm.principal.user.userid` UDM field. - Added a new Grok pattern to add support for logs getting dropped even after having some important data. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `custom_date` field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.principal.ip & event.idm.read_only_udm.principal.asset.ip: Newly mapped `src_ip` field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields and set `has_principal` to `true`. | 
| 2025-04-24 | Enhancement: - If "ThreatActionTaken" raw log field value is "IDS_ALERT_ACT_TAK_DEN", then set "security_result.action" as "BLOCK". | 
| 2025-03-19 | Enhancement: - Removed the mapping of "username" from "target.user.userid" and changed to "principal.user.userid". - Removed the mapping of "agentdomainname" from "target.administrative_domain" and changed to "principal.administrative_domain". - Mapped "filepath" to "principal.file.full_path". - Mapped "Actionname" to "security_result.detection_fields". - Added IP Address check for "agentipaddress". | 
| 2024-11-20 | Enhancement: - Added additional field mapping for XML logs. | 
| 2024-10-01 | Enhancement: - When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "username" to "target.user.userid". - When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "agentdomainname" to "target.administrative_domain". - When "tvdeventid" is "1027" or "scantype" is "Endpoint Security Threat Prevention", then mapped "domain" and "userid" from "UserName" to "target.administrative_domain" and "target.user.userid" respectively. | 
| 2024-08-29 | Enhancement: - Added support to handle dropped logs. | 
| 2024-08-12 | Enhancement: - Changed mapping for "Description" from "metadata.description" to "security_result.description". - Mapped "Name" to "metadata.description". - Mapped "ThreatAction" to "security_result.action_details". | 
| 2024-08-07 | Enhancement: - Added support to handle unparsed JSON logs. - Mapped "ActionID", "ReasonID", "RatingID", "ListID", "PhishingRatingID", "DownloadRatingID", "SpamRatingID", "PopupRatingID", "BadLinkRatingID", "ExploitRatingID", and "ContentID" to "additional.fields". | 
| 2023-10-15 | Enhancement: - Handled XML logs having "product_name" as "MOVE AV Agentless" or "MSME". | 
| 2023-06-20 | Enhancement: - Added grok pattern to handle xml logs. | 
| 2023-01-02 | Enhancement - Added gsub to remove empty namespace with prefix. | 
| 2022-12-16 | Bug-fix - Added code block to handle "is_DLPAGENT11600". - Added a code block for specific product names. - Added "GENERIC_EVENT" wherever possible if principal and target UDM fields are null. - Mapped normalized_ip_address to "principal.ip". - Mapped normalized_mac_address to "principal.mac" wherever possible. | 
| 2022-09-14 | Enhancement - Merged the customer-specific version into the default parser by handling log formats made of key-value pairs. - Provided on_error check for "Content.ParentProcessFileName". | 
| 2022-09-09 | Enhancement - Parsed logs of type "Solidifier" which were being dropped earlier. - These logs are in CSV format, so the following additional mappings have been defined for specific columns: - Mapped "column8" to "principal.hostname". - Mapped "column11" to "principal.mac". - Mapped "column25" to "target.process.file.full_path". - Mapped "column30" to "security_result.action": it is mapped to "BLOCK" if the value contains "deny"; any other value apart from none is mapped to "ALLOW". - Mapped "metadata.event_type" to "STATUS_UPDATE". | 
| 2022-08-11 | Bug-fix - Remapped AnalyzerHostname to intermediary.hostname. - Remapped sys_host to observer.hostname. | 
| 2022-07-27 | Enhancement - Mapped the following field: - Mapped "csv_mcafee_security.column4" to "principal.asset.first_seen_time". | 
| 2022-07-14 | Enhancement - Mapped the following fields: - Mapped "product_version" to "metadata.product_version". - Mapped "FileSHA1Hash" to "target.process.file.sha1". - Added code block to handle event_id "35103". - Changed event_type from "GENERIC_EVENT" to "STATUS_UPDATE" wherever possible. | 
| 2022-05-05 | Enhancement - Mapped the following fields: - SourceHostname to principal.hostname. If SourceHostname is null, mapped AnalyserHostname to principal.hostname. - MachineName to observer.hostname. - AnalyserHostname to intermediate.hostname. - IP header csv 9 to principal.ip. - IP header csv 17 to target.ip. - ThreatName header csv 28 to security_result.threat_name commonly for all. | 
| 2022-04-12 | Added generic string for Vendor name and replaced different product names to a generic value string. |
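The entries above record three pieces of mapping logic that are easy to get subtly wrong when reproducing or validating the parser: the Trellix SYSLOG + KV field mappings and the `has_*` flags that drive `metadata.event_type` (2025-05-12), the `ThreatActionTaken` to `security_result.action` rule (2025-04-24), and the Solidifier CSV `column30` action rule (2022-09-09). The following Python model is an added example, not code from the MCAFEE_EPO parser or its changelog, that runs those rules over constructed sample records so the expected UDM output can be checked. The sample log lines, the `key=value` syntax, the 1-indexed `columnN` numbering, the use of `eventProgramUser` as the source of `has_user`, and first-match precedence between the two `event_type` rules are all assumptions made for illustration.

```python
"""Model of three MCAFEE_EPO changelog mapping rules (added example, not parser code)."""
import csv
import re

# Raw KV field -> UDM path(s), as listed in the 2025-05-12 entry.
KV_TO_UDM = {
    "host": ["principal.hostname", "principal.asset.hostname"],
    "sourceIP": ["principal.ip", "principal.asset.ip"],
    "targetIP": ["target.ip", "target.asset.ip"],
    "eventObject": ["target.process.file.full_path"],
    "eventProgramUser": ["principal.user.userid"],
    "eventProgramName": ["principal.process.file.full_path"],
    "eventCommandLine": ["principal.process.command_line"],
    "threatSeverity": ["security_result.severity"],
    "alertType": ["security_result.summary"],
    "eventType": ["metadata.product_event_type"],
    "sys_host": ["observer.hostname"],
}

# Assumed KV syntax: key=value, with optional double quotes around the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Extract key/value pairs from the message body of a syslog line (assumed format)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def map_kv_event(line):
    """Map a Trellix KV line to flat UDM paths and pick metadata.event_type."""
    raw = parse_kv(line)
    udm = {}
    for key, paths in KV_TO_UDM.items():
        if key in raw:
            for path in paths:
                udm[path] = raw[key]
    has_principal = any(p.startswith("principal.") for p in udm)
    has_target_resource = "target.process.file.full_path" in udm
    has_user = "principal.user.userid" in udm  # assumption: set by eventProgramUser
    # Rules in the order the changelog lists them; first match wins (assumption).
    if has_user and has_target_resource:
        udm["metadata.event_type"] = "USER_RESOURCE_ACCESS"
    elif has_principal:
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"  # fallback per 2022-12-16 entry
    udm["metadata.vendor_name"] = "Trellix"
    return udm


def action_from_threat_action_taken(value):
    """2025-04-24 rule: only IDS_ALERT_ACT_TAK_DEN yields BLOCK; anything else is unset."""
    return "BLOCK" if value == "IDS_ALERT_ACT_TAK_DEN" else None


def action_from_solidifier_column30(value):
    """2022-09-09 rule: 'deny' in the value -> BLOCK; any other non-empty value -> ALLOW."""
    if not value or value.strip().lower() == "none":
        return None
    return "BLOCK" if "deny" in value.lower() else "ALLOW"


# Solidifier CSV columns (1-indexed, assumed) -> UDM path, per the 2022-09-09 entry.
SOLIDIFIER_COLUMNS = {8: "principal.hostname", 11: "principal.mac", 25: "target.process.file.full_path"}


def map_solidifier_csv(line):
    """Map one Solidifier CSV record to flat UDM paths."""
    row = next(csv.reader([line]))
    udm = {}
    for n, path in SOLIDIFIER_COLUMNS.items():
        if len(row) >= n and row[n - 1]:
            udm[path] = row[n - 1]
    action = action_from_solidifier_column30(row[29] if len(row) >= 30 else "")
    if action:
        udm["security_result.action"] = action
    udm["metadata.event_type"] = "STATUS_UPDATE"
    return udm


def _make_csv_row(values_by_column):
    """Build a constructed 30-column CSV record from {column_number: value}."""
    row = [""] * 30
    for n, value in values_by_column.items():
        row[n - 1] = value
    return ",".join(row)


# Constructed sample records (not real ePO/Trellix output).
SAMPLE_KV = ('<14>May 12 10:00:00 epo01 Trellix: host=ws-42 sourceIP=10.0.0.5 '
             'eventProgramUser=jdoe eventObject="C:\\Temp\\payload.exe" '
             'eventProgramName="C:\\Windows\\explorer.exe" threatSeverity=3 '
             'alertType="Access Protection" sys_host=epo01')
SAMPLE_KV_STATUS = '<14>May 12 10:01:00 epo01 Trellix: host=ws-42 sourceIP=10.0.0.5 eventType=agent_update'
SAMPLE_KV_EMPTY = '<14>May 12 10:02:00 epo01 Trellix: eventType=heartbeat'
SAMPLE_CSV = _make_csv_row({8: "SRV-DB01", 11: "00:11:22:33:44:55",
                            25: "C:\\Tools\\unsigned.exe", 30: "deny execution"})

if __name__ == "__main__":
    for label, result in (("kv", map_kv_event(SAMPLE_KV)), ("csv", map_solidifier_csv(SAMPLE_CSV))):
        print(label, result["metadata.event_type"], result.get("security_result.action"))
```

Running the script shows the KV sample landing on `USER_RESOURCE_ACCESS` (user plus target resource present) and the CSV sample on `STATUS_UPDATE` with `BLOCK`; dropping `eventObject` from the KV line moves it to `STATUS_UPDATE`, and a line with no principal fields falls back to `GENERIC_EVENT`, which is the cheapest regression check to run when the precedence of these rules is changed.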