Change log for MISP_IOC

Date Changes
2025-06-26 Enhancement:
- Merged the output only when the `event.idm.entity.metadata.entity_type` is set.
- event.idm.entity.metadata.product_entity_id: Newly mapped `log.uuid` raw log field with `event.idm.entity.metadata.product_entity_id` UDM field.
- event.idm.entity.metadata.description: Newly mapped `Event.info` raw log field with `event.idm.entity.metadata.description` UDM field.
- event.idm.entity.metadata.interval.start_time: Newly mapped `entity_first_seen` raw log field with `event.idm.entity.metadata.interval.start_time` UDM field.
- event.idm.entity.metadata.threat.category_details: Newly mapped `log.category` raw log field with `event.idm.entity.metadata.threat.category_details` UDM field.
- event.idm.entity.metadata.threat.summary: Newly mapped `log.comment` raw log field with `event.idm.entity.metadata.threat.summary` UDM field.
- event.idm.entity.entity.labels: Newly mapped `Event.threat_level_id` and `event_creator_email` raw log fields with `event.idm.entity.entity.labels` UDM field.
- event.idm.entity.entity.file.full_path:
Newly mapped `log.comment` raw log field with `event.idm.entity.entity.file.full_path` UDM field, if the type is md5, sha1, sha256, attachment or email-attachment and `log.comment` is not Artifacts dropped.
Newly mapped log.value raw log field with `event.idm.entity.entity.file.full_path` UDM field, if the type is filename.
Newly mapped file_name raw log field with `event.idm.entity.entity.file.full_path` UDM field, if the type is filename|sha256.
- event.idm.entity.entity.file.sha256:
Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the type is sha256.
Newly mapped `file_sha256` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the type is filename|sha256.
- event.idm.entity.entity.file.sha1: Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.sha1` UDM field, if the type is sha1.
- event.idm.entity.entity.file.md5: Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.md5` UDM field, if the type is md5.
- event.idm.entity.entity.hostname:
Newly mapped `log.value` raw log field with `event.idm.entity.entity.hostname` UDM field, if the type is domain or hostname.
- Mapped `Attribute.value` to `event.idm.entity.entity.hostname`, when log.type is hostname.
- event.idm.entity.entity.ip: Newly mapped `ip` raw log field with `event.idm.entity.entity.ip` UDM field, if the type is ip-dst|port, ip-dst or ip-src.
- event.idm.entity.entity.port: Newly mapped `port` raw log field with `event.idm.entity.entity.port` UDM field, if the type is ip-dst|port.
- event.idm.entity.entity.resource.name: Newly mapped `log.value` raw log field with `event.idm.entity.entity.resource.name` UDM field, if the type is mutex.
- event.idm.entity.entity.registry.registry_key: Newly mapped `log.value` raw log field with `event.idm.entity.entity.registry.registry_key` UDM field, if the type is regkey.
- event.idm.entity.entity.user.email_addresses: Newly mapped `log.value` raw log field with `event.idm.entity.entity.user.email_addresses` UDM field, if the type is threat-actor, email-src, email or email-subject.
- event.idm.entity.entity.user.user_display_name: Newly mapped `log.uuid` raw log field with `event.idm.entity.entity.user.user_display_name` UDM field, if the type is email or `email-subject`.
- event.idm.entity.entity.url: Newly mapped `log.value` raw log field with `event.idm.entity.entity.url` UDM field, if the `type` is `uri`, `url`, `URL` embedded in the email or link.
- event.idm.entity.metadata.entity_type: Set the `event.idm.entity.metadata.entity_type` based on the `log.type` field.
- event.idm.entity.metadata.threat.detection_fields: Newly mapped `log.id`, `log.event_id`, `log.to_ids`, `log.timestamp`, `log.comment`, `log.deleted`, `log.first_seen`, `Org.name`, `Feed.publish`, `published` and `Event.Tag` raw log fields with `event.idm.entity.metadata.threat.detection_fields` UDM field.
2025-04-10 Enhancement:
- Merged the output only when the `event.idm.entity.metadata.entity_type` is set.
- `syslog+json`: Added support for `syslog+json` format.
- event.idm.entity.metadata.entity_timestamp: Newly mapped `timestamp` raw log field with `event.idm.entity.metadata.entity_timestamp` UDM field.
- event.idm.entity.metadata.interval.start_time: Newly mapped `first_seen` raw log field with "event.idm.entity.metadata.interval.start_time` UDM field.
- event.idm.entity.metadata.interval.end_time: Newly mapped `last_seen` raw log field with "event.idm.entity.metadata.interval.end_time` UDM field.
- event.idm.entity.entity.file.sha1: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.sha1` UDM field, if the `type` is `sha1`.
- event.idm.entity.entity.file.md5: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.md5` UDM field, if the `type` is `md5`.
- event.idm.entity.entity.file.sha256: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the `type` is `sha256`.
- event.idm.entity.entity.hostname: Newly mapped `indicator` raw log field with `event.idm.entity.entity.hostname` UDM field, if the `type` is `domain`.
- event.idm.entity.entity.ip: Newly mapped `indicator` raw log field with `event.idm.entity.entity.ip` UDM field, if the `type` is `IPv4`.
- event.idm.entity.entity.url: Newly mapped `indicator` raw log field with `event.idm.entity.entity.url` UDM field, if the `type` is `url`.
- event.idm.entity.metadata.threat.confidence_score: Newly mapped `confidence` raw log field with `event.idm.entity.metadata.threat.confidence_score` UDM field.
- event.idm.entity.metadata.threat.summary: Newly mapped `stix_package_title` raw log field with `event.idm.entity.metadata.threat.summary` UDM field.
- event.idm.entity.metadata.threat.category_details: Newly mapped `type` raw log field with `event.idm.entity.metadata.threat.category_details` UDM field.
- Set the `event.idm.entity.metadata.entity_type` to `USER` only when `event.idm.entity.entity.user.email_addresses` is present.
2025-03-20 Enhancement:
- Added gsub to parse array format of logs.
- Mapped "confidence" to "threat_.confidence_details".
- Mapped "value" to "entity.entity.url" when "type" is "url".
- Mapped "value" to "entity.entity.hostname" when "type" is "domain" or "domiain".
- Mapped "value" to "entity.entity.ip" when "type" is "ip".
- Mapped "value" to "entity.entity.file.sha256" when "type" is "sha256".
- Mapped "value" to "entity.entity.file.md5" when "type" is "md5".
- Mapped "value" to "entity.entity.file.sha1" when "type" is "hash".
- Set "entity.metadata.entity_type" based on the "type" field.
- Added "on_error" to "log.comment" mapping to handle the error when "log.comment" is not present in the log.
2025-01-29 Enhancement:
- Added support to parse new format of JSON unparsed logs.
2024-11-20 Enhancement:
- Added support to parse unparsed logs.
2024-09-05 Enhancement:
- Added support to parse unparsed logs.
2023-09-26 Enhancement:
- Mapped "published", "Feed.publish", "Org.name", "Attribute.id", "Attribute.event_id", "Attribute.to_ids", "Attribute.timestamp", "Attribute.comment", "Attribute.deleted", "Attribute.first_seen", all "tag.names" to "threat.detection_fields".
2023-08-17 Bug-Fix :
- Added a condition to perform a 'gsub' operation, that removes extra back-slash, only when log is not JSON.
2023-07-20 Bug-Fix :
- Changed 'metadata.entity_type' to 'MUTEX' when log is of type mutex.
2023-07-04 Newly created parser.