Change log for MENLO_SECURITY
Date | Changes |
---|---|
2025-07-29 | Enhancement:
- event.idm.read_only_udm.metadata.log_type: Newly mapped `log_type` raw log field to `event.idm.read_only_udm.metadata.log_type`.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `userid` raw log field to `event.idm.read_only_udm.principal.user.userid`.
- event.idm.read_only_udm.target.ip: Newly mapped `dst` raw log field to `event.idm.read_only_udm.target.ip`.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped `user-agent` raw log field to `event.idm.read_only_udm.network.http.user_agent`.
- event.idm.read_only_udm.security_result.about.url: Newly mapped `url` raw log field to `event.idm.read_only_udm.security_result.about.url`.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `categories` raw log field to `event.idm.read_only_udm.security_result.category_details`.
- event.idm.read_only_udm.network.application_protocol: Newly mapped `protocol` raw log field to `event.idm.read_only_udm.network.application_protocol`.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `version` raw log field to `event.idm.read_only_udm.metadata.product_version`.
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `severity` raw log field to `event.idm.read_only_udm.security_result.severity_details`.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `pe_reason` raw log field to `event.idm.read_only_udm.security_result.detection_fields`.
- event.idm.read_only_udm.principal.ip: Newly mapped `x-client-ip` raw log field to `event.idm.read_only_udm.principal.ip`.
- event.idm.read_only_udm.intermediary.hostname: Newly mapped `customer_name` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- event.idm.read_only_udm.security_result.confidence_details: Newly mapped `risk_score` raw log field to `event.idm.read_only_udm.security_result.confidence_details`.
- Modified the parser to rename the raw JSON key `event` to `event_data` so it does not conflict with an existing field name.
- Added logic to handle multiple destination IPs in the `dst` field.
- Added logic to map `customer_name` to `intermediary.ip` or `intermediary.hostname` depending on whether the value is an IP address or a hostname. |
2025-06-26 | Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Modified the date filter to support a new `event_timestamp` format.
- event.idm.read_only_udm.principal.location.country_or_region: Newly mapped `region` raw log field to `event.idm.read_only_udm.principal.location.country_or_region`.
- event.idm.read_only_udm.principal.location.name: Newly mapped `region_name` raw log field to `event.idm.read_only_udm.principal.location.name`.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped `src_ip` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.
- event.idm.read_only_udm.principal.group.product_object_id: Newly mapped `groups` raw log field to `event.idm.read_only_udm.principal.group.product_object_id`.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `content-type` and `product` raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.
- event.idm.read_only_udm.target.file.mime_type: Newly mapped `mimeType` raw log field to `event.idm.read_only_udm.target.file.mime_type`.
- event.idm.read_only_udm.intermediary.ip: Added support for the `xff_ip` raw log field, including values that carry multiple IP addresses.
- event.idm.read_only_udm.security_result.detection_fields: Fixed detection fields that previously failed to parse.
- Added a grok check that validates `top_url` as a URL. |
2025-03-19 | Enhancement:
- Added support to map `categories` to `security_result.category_details` when it is in the form of an array.
- Added grok patterns to check for valid IPs.
- Added condition checks before setting `metadata.event_type`.
- Added a condition check before mapping `sha256` to `target.file.sha256`. |
2023-08-03 | Newly created parser. |
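The entries above describe parser decisions (renaming the raw `event` key to `event_data`, splitting multi-valued `dst` and `xff_ip`, routing `customer_name` to `intermediary.ip` or `intermediary.hostname`, accepting `categories` as a string or an array, validating IPs and guarding the `sha256` mapping) without showing them. The following is an added example, not the MENLO_SECURITY parser itself (the real parser is a Google SecOps parser configuration, not Python); it prototypes those documented rules so the edge cases can be exercised offline. The field names come from the change log; the two sample records and their values are constructed, the UDM paths are written without the `event.idm.read_only_udm.` prefix, and the exact validity rules for `sha256` and `top_url` are assumptions since the log does not state them.

```python
"""Prototype of the MENLO_SECURITY normalization rules from the change log.

Added example, not the product parser. Sample records are constructed; the
sha256 and URL validity rules are assumptions.
"""
import ipaddress
import json
import re
from typing import Any
from urllib.parse import urlparse

# Assumption: a usable sha256 is exactly 64 hex characters.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Raw key -> UDM path for the one-to-one mappings listed in the change log.
SIMPLE_MAP = {
    "log_type": "metadata.log_type",
    "version": "metadata.product_version",
    "userid": "principal.user.userid",
    "user-agent": "network.http.user_agent",
    "url": "security_result.about.url",
    "protocol": "network.application_protocol",
    "severity": "security_result.severity_details",
    "risk_score": "security_result.confidence_details",
    "region": "principal.location.country_or_region",
    "region_name": "principal.location.name",
    "groups": "principal.group.product_object_id",
    "mimeType": "target.file.mime_type",
}
DETECTION_KEYS = ("pe_reason", "content-type", "product")


def is_ip(value: str) -> bool:
    """Equivalent of the parser's 'valid IP' grok check."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def valid_ips(value: Any) -> list[str]:
    """Accept a list or a comma/space separated string; keep only valid IPs."""
    items = value if isinstance(value, list) else re.split(r"[,\s]+", str(value))
    return [str(i).strip() for i in items if str(i).strip() and is_ip(str(i))]


def valid_url(value: str) -> bool:
    """Assumed form of the top_url check: needs a scheme and a host."""
    parts = urlparse(value)
    return bool(parts.scheme and parts.netloc)


def load_record(raw: str) -> dict[str, Any]:
    """Parse JSON and rename 'event' to 'event_data' to avoid the field clash."""
    rec = json.loads(raw)
    if "event" in rec:
        rec["event_data"] = rec.pop("event")
    return rec


def normalize(raw: str) -> dict[str, Any]:
    """Map one raw Menlo JSON record to a flat dict keyed by UDM path."""
    rec = load_record(raw)
    udm: dict[str, Any] = {}
    for key, path in SIMPLE_MAP.items():
        if rec.get(key) not in ("", None):
            udm[path] = str(rec[key])
    # dst may carry several addresses; invalid entries are dropped, not copied.
    if dst := valid_ips(rec.get("dst", "")):
        udm["target.ip"] = dst
    src = valid_ips(rec.get("src_ip", ""))
    if principal := src + valid_ips(rec.get("x-client-ip", "")):
        udm["principal.ip"] = principal
    if src:
        udm["principal.asset.ip"] = src
    # customer_name goes to intermediary.ip if it is an address, else hostname.
    intermediary: list[str] = []
    cn = str(rec.get("customer_name", "")).strip()
    if cn and is_ip(cn):
        intermediary.append(cn)
    elif cn:
        udm["intermediary.hostname"] = cn
    intermediary += valid_ips(rec.get("xff_ip", ""))
    if intermediary:
        udm["intermediary.ip"] = intermediary
    # categories arrives as either a scalar or an array; always emit a list.
    if cats := rec.get("categories"):
        udm["security_result.category_details"] = cats if isinstance(cats, list) else [cats]
    if det := [{"key": k, "value": str(rec[k])} for k in DETECTION_KEYS if k in rec]:
        udm["security_result.detection_fields"] = det
    # sha256 is only mapped when it passes the (assumed) shape check.
    if SHA256_RE.match(str(rec.get("sha256", ""))):
        udm["target.file.sha256"] = rec["sha256"].lower()
    return udm


# Constructed sample records (values invented; keys taken from the change log).
SAMPLE_IP_CUSTOMER = json.dumps({
    "event": {"id": "abc123"}, "log_type": "web", "version": "1.0",
    "userid": "alice@example.com", "src_ip": "10.0.0.5",
    "x-client-ip": "198.51.100.7", "dst": "203.0.113.10, 203.0.113.11, not-an-ip",
    "xff_ip": ["192.0.2.1", "bad", "192.0.2.2"], "customer_name": "10.1.2.3",
    "user-agent": "Mozilla/5.0", "url": "https://example.test/path",
    "categories": ["Malware", "Phishing"], "protocol": "https", "severity": "high",
    "pe_reason": "blocked", "content-type": "text/html", "product": "isolation",
    "risk_score": 90, "sha256": "A" * 64, "mimeType": "text/html",
})
SAMPLE_HOST_CUSTOMER = json.dumps({
    "customer_name": "acme-corp", "categories": "Search Engines",
    "dst": "nothing-valid", "sha256": "deadbeef",
})

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_IP_CUSTOMER), indent=2))
```

Run it to see both branches: the first record lands in `intermediary.ip` with the invalid `xff_ip` and `dst` entries silently dropped, the second lands in `intermediary.hostname` with no `target.ip` or `target.file.sha256` at all, which is the behaviour a detection author should expect when writing rules against these fields.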