Change log for ORCA
Date | Changes
---|---
2025-08-13 | Enhancement:
- event.idm.read_only_udm.principal.user.userid: Newly mapped the `Details.User_Name` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.target.url: Newly mapped the `URI` field, extracted from the XML in `TaskContent` (within `raw_event.EventData.Data`), to the `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `raw_event.EventData.Data` to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped the `Details.Scheduled_Task_Name` and `Details.Task_Execution_Count` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped the `TaskContent`, `Date`, `Author`, `Source`, `Description`, `SecurityDescriptor`, `boot_trigger_enabled`, `boot_trigger_delay`, `boot_trigger_repetition_interval`, `use_unified_scheduling_engine`, `multiple_instances_policy`, `disallow_start_if_on_batteries`, `execution_time_limit`, `stop_if_going_on_batteries`, `allow_start_on_demand`, `start_when_available`, `enabled`, `hidden`, and `run_only_if_idle` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.
2025-07-29 | Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped the `data.LastUpdated` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`.
- event.idm.read_only_udm.security_result.category_details: Newly mapped the `data.Category` raw log field to `event.idm.read_only_udm.security_result.category_details`.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped the `id` raw log field to `event.idm.read_only_udm.metadata.product_log_id`.
- event.idm.read_only_udm.metadata.product_name: Newly mapped the `data.RuleSource` raw log field to `event.idm.read_only_udm.metadata.product_name`.
- event.idm.read_only_udm.principal.resource.product_object_id: Newly mapped the `data.Inventory.id` raw log field to `event.idm.read_only_udm.principal.resource.product_object_id`.
- event.idm.read_only_udm.principal.resource.resource_subtype: Newly mapped the `data.Inventory.type` raw log field to `event.idm.read_only_udm.principal.resource.resource_subtype`.
- event.idm.read_only_udm.principal.hostname: Newly mapped the `data.Hostname` raw log field to `event.idm.read_only_udm.principal.hostname`.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped the `data.Hostname` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- event.idm.read_only_udm.security_result.severity: Newly mapped the `data.Severity` raw log field to `event.idm.read_only_udm.security_result.severity`.
- event.idm.read_only_udm.security_result.severity_details: Newly mapped the `data.Severity` raw log field to `event.idm.read_only_udm.security_result.severity_details`.
- event.idm.read_only_udm.intermediary.hostname: Newly mapped the `customerName` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- event.idm.read_only_udm.intermediary: Newly mapped the `intermediary` raw log field to `event.idm.read_only_udm.intermediary`.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped the `data.AlertType`, `data.RiskLevel`, `data.CreatedAt`, `data.LastSeen`, `data.ClosedTime`, and `data.StatusTime` raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.
2025-06-30 | Enhancement:
- event.idm.read_only_udm.additional.fields: Newly mapped the `related_compliances`, `Event Viewer File`, and `data.remediation_console` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.attack_details.techniques and event.idm.read_only_udm.security_result.attack_details.tactics: Newly mapped `data.mitre_technique` and `data.mitre_techniques` to the `event.idm.read_only_udm.security_result.attack_details.techniques` and `event.idm.read_only_udm.security_result.attack_details.tactics` UDM fields.
2025-02-28 | Enhancement:
- Mapped "ACCOUNT", "EVENT_CATEGORY", "subject.srcEvent.recipientAccountAlias", "DERIVED_FIELDS.SOURCE", "subject.srcEvent.event.userIdentity.accessKeyId", "subject.srcEvent.event.userIdentity.arn", "subject.srcEvent.event.errorCode", "subject.srcEvent.event.errorMessage", "subject.srcEvent.event.eventID", "subject.srcEvent.event.eventSource", "subject.srcEvent.event.userIdentity.sessionContext.attributes.mfaAuthenticated", "subject.srcEvent.username", "subject.startTime", "subject.srcEvent.eventName", "DERIVED_FIELDS.CATEGORY", "DERIVED_FIELDS.SUBCATEGORY", "subject.dstEvent.gbm_version", "subject.dstEvent.is_visible", "subject.dstEvent.severity", "subject.dstEvent.recipientAccountAlias", "subject.srcEvent.api", "subject.srcEvent.calltype", "subject.srcEvent.gbm_version", "subject.srcEvent.is_visible", and "subject.srcEvent.severity" to "additional.fields".
- Mapped "SUMMARY" to "metadata.description".
- Mapped "EVENT_TYPE" to "metadata.product_event_type".
- Mapped "EVENT_ID" to "metadata.product_log_id".
- Mapped "LINK" to "metadata.url_back_to_product".
- Mapped "subject.srcEvent.event.userAgent" and "subject.srcEvent.source" to "network.http.user_agent".
- Mapped "subject.srcEvent.recipientAccountId" to "principal.user.groupid".
- Mapped "subject.srcEvent.principalId" to "principal.user.userid".
- Mapped "subject.srcEvent.event.awsRegion" to "security_result.about.asset.attribute.cloud.availability_zone".
- Mapped "subject.srcEvent.event.eventCategory" to "security_result.about.asset.category".
- Mapped "EVENT_NAME" to "security_result.category" (ACL_VIOLATION or AUTH_VIOLATION, chosen based on the event name).
- Mapped "EVENT_NAME" to "security_result.summary".
- Mapped "subject.srcType" to "src.resource.resource_subtype".
- Mapped "subject.srcEvent.event.userIdentity.sessionContext.attributes.creationDate" to "metadata.event_timestamp".
- Mapped "subject.srcEvent.accountcaller" to "principal.resource.product_object_id".
- Mapped "subject.dstEvent.region" to "target.asset.location.name".
- Mapped "subject.dstEvent.accountcaller" to "target.resource.product_object_id".
- Mapped "subject.dstType" to "target.resource.resource_subtype".
- Mapped "subject.dstEvent.service" to "target.url".
- Mapped "subject.dstEvent.username" to "target.user.userid".
2025-02-06 | Enhancement: Added support for a new JSON log format.
2025-01-07 | Newly created parser for ORCA.
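The 2025-08-13 entry maps the task `URI` and the scheduler trigger and settings values out of the TaskContent XML carried in EventData. The following is an added example, not the parser's own code, that performs that extraction on a constructed TaskContent sample whose element layout is assumed to follow the Windows Task Scheduler XML schema; the UDM key strings and the helper names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample TaskContent (layout assumed per the Task Scheduler schema).
SAMPLE_TASK_CONTENT = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2025-08-01T10:15:00</Date>
    <Author>CORP\\svc-deploy</Author>
    <Description>Constructed sample task</Description>
    <URI>\\Example\\SampleTask</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
      <Repetition><Interval>PT1H</Interval></Repetition>
    </BootTrigger>
  </Triggers>
  <Settings>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
  </Settings>
</Task>"""


def _text(root, *path):
    """Walk child elements by local name, ignoring the XML namespace; None if missing."""
    node = root
    for name in path:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def task_content_to_udm(task_xml):
    """Map TaskContent XML to the UDM fields named in the 2025-08-13 entry (assumed keys)."""
    root = ET.fromstring(task_xml)
    udm = {"target.url": _text(root, "RegistrationInfo", "URI")}
    additional = {
        "Date": _text(root, "RegistrationInfo", "Date"),
        "Author": _text(root, "RegistrationInfo", "Author"),
        "Source": _text(root, "RegistrationInfo", "Source"),
        "Description": _text(root, "RegistrationInfo", "Description"),
        "boot_trigger_enabled": _text(root, "Triggers", "BootTrigger", "Enabled"),
        "boot_trigger_delay": _text(root, "Triggers", "BootTrigger", "Delay"),
        "boot_trigger_repetition_interval": _text(root, "Triggers", "BootTrigger", "Repetition", "Interval"),
        "enabled": _text(root, "Settings", "Enabled"),
        "hidden": _text(root, "Settings", "Hidden"),
        "run_only_if_idle": _text(root, "Settings", "RunOnlyIfIdle"),
        "execution_time_limit": _text(root, "Settings", "ExecutionTimeLimit"),
    }
    # Keep only elements present in this task so additional.fields carries real values only.
    udm["additional.fields"] = {k: v for k, v in additional.items() if v is not None}
    return udm
```

A hidden task with a boot trigger, as in the sample, is exactly the combination a detection on `additional.fields` would key on, so checking that these values survive parsing is a useful parser regression test.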