Change log for PAN_CORTEX_XDR_EVENTS

Date Changes
2025-07-18 Enhancement:
- event.idm.read_only_udm.metadata.description: Newly mapped description raw log field to event.idm.read_only_udm.metadata.description.
- event.idm.read_only_udm.metadata.product_version: Newly mapped agent_version raw log field to event.idm.read_only_udm.metadata.product_version.
- event.idm.read_only_udm.principal.mac: Newly mapped mac raw log field to event.idm.read_only_udm.principal.mac.
- event.idm.read_only_udm.principal.platform: Newly mapped agent_os_type raw log field to event.idm.read_only_udm.principal.platform.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped agent_hostname raw log field to event.idm.read_only_udm.principal.asset.hostname.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped host_name raw log field to event.idm.read_only_udm.principal.asset.hostname.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped action_local_ip raw log field to event.idm.read_only_udm.principal.asset.ip.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped host_ip raw log field to event.idm.read_only_udm.principal.asset.ip.
- event.idm.read_only_udm.principal.asset.mac: Newly mapped mac raw log field to event.idm.read_only_udm.principal.asset.mac.
- event.idm.read_only_udm.principal.asset.asset_id: Newly mapped endpoint_id raw log field to event.idm.read_only_udm.principal.asset.asset_id.
- event.idm.read_only_udm.principal.asset.hardware: Newly mapped hardware raw log field to event.idm.read_only_udm.principal.asset.hardware.
- event.idm.read_only_udm.target.hostname: Newly mapped action_external_hostname raw log field to event.idm.read_only_udm.target.hostname.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped action_external_hostname raw log field to event.idm.read_only_udm.target.asset.hostname.
- event.idm.read_only_udm.target.asset.ip: Newly mapped action_remote_ip raw log field to event.idm.read_only_udm.target.asset.ip.
- event.idm.read_only_udm.target.user.userid: Newly mapped user_name raw log field to event.idm.read_only_udm.target.user.userid.
- event.idm.read_only_udm.target.administrative_domain: Newly mapped agent_device_domain raw log field to event.idm.read_only_udm.target.administrative_domain.
- event.idm.read_only_udm.target.user.product_object_id: Newly mapped dst_agent_id raw log field to event.idm.read_only_udm.target.user.product_object_id.
- event.idm.read_only_udm.target.location.country_or_region: Newly mapped dst_action_country raw log field to event.idm.read_only_udm.target.location.country_or_region.
- event.idm.read_only_udm.target.resource.name: Newly mapped cluster_name raw log field to event.idm.read_only_udm.target.resource.name.
- event.idm.read_only_udm.intermediary.process.file.sha256: Newly mapped actor_process_image_sha256 raw log field to event.idm.read_only_udm.intermediary.process.file.sha256.
- event.idm.read_only_udm.intermediary.process.product_specific_process_id: Newly mapped actor_process_causality_id raw log field to event.idm.read_only_udm.intermediary.process.product_specific_process_id.
- event.idm.read_only_udm.intermediary.process.file.names: Newly mapped actor_process_image_name raw log field to event.idm.read_only_udm.intermediary.process.file.names.
- event.idm.read_only_udm.intermediary.process.file.md5: Newly mapped actor_process_image_md5 raw log field to event.idm.read_only_udm.intermediary.process.file.md5.
- event.idm.read_only_udm.intermediary.process.pid: Newly mapped actor_process_os_pid raw log field to event.idm.read_only_udm.intermediary.process.pid.
- event.idm.read_only_udm.intermediary.process.file.full_path: Newly mapped actor_process_image_path raw log field to event.idm.read_only_udm.intermediary.process.file.full_path.
- event.idm.read_only_udm.intermediary.process.command_line: Newly mapped actor_process_command_line raw log field to event.idm.read_only_udm.intermediary.process.command_line.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped user_agent raw log field to event.idm.read_only_udm.network.http.user_agent.
- event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped user_agent raw log field to event.idm.read_only_udm.network.http.parsed_user_agent.
- event.idm.read_only_udm.network.session_id: Newly mapped action_network_connection_id raw log field to event.idm.read_only_udm.network.session_id.
- event.idm.read_only_udm.network.sent_bytes: Newly mapped action_total_upload raw log field to event.idm.read_only_udm.network.sent_bytes.
- event.idm.read_only_udm.network.received_bytes: Newly mapped action_total_download raw log field to event.idm.read_only_udm.network.received_bytes.
- event.idm.read_only_udm.network.ip_protocol: Newly mapped ip_protocol_out raw log field to event.idm.read_only_udm.network.ip_protocol.
- event.idm.read_only_udm.network.email.subject: Newly mapped fw_email_subject raw log field to event.idm.read_only_udm.network.email.subject.
- event.idm.read_only_udm.network.email.to: Newly mapped fw_email_recipient raw log field to event.idm.read_only_udm.network.email.to.
- event.idm.read_only_udm.network.email.from: Newly mapped fw_email_sender raw log field to event.idm.read_only_udm.network.email.from.
- event.idm.read_only_udm.security_result.about.location.country_or_region: Newly mapped action_country raw log field to event.idm.read_only_udm.security_result.about.location.country_or_region.
- event.idm.read_only_udm.security_result.threat_name: Newly mapped name raw log field to event.idm.read_only_udm.security_result.threat_name.
- event.idm.read_only_udm.security_result.rule_type: Newly mapped source raw log field to event.idm.read_only_udm.security_result.rule_type.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped fw_rule_id raw log field to event.idm.read_only_udm.security_result.rule_id.
- event.idm.read_only_udm.security_result.category_details: Newly mapped category raw log field to event.idm.read_only_udm.security_result.category_details.
- event.idm.read_only_udm.additional.fields: Newly mapped action_file_last_writer_actor, action_network_creation_time, action_file_access_time, action_file_create_time, action_file_mod_time, action_file_attributes, event_rpc_func_opnum, event_rpc_interface_uuid, action_socket_type, action_network_is_server, action_file_device_type, action_file_previous_file_name, action_file_name, agent_id, agent_version, agent_os_type, actor_thread_thread_id, action_file_type, action_file_prev_type, os_actor_process_logon_id, agent_content_version, detection_timestamp, events_length, local_insert_ts, matching_status, module_id raw log fields to event.idm.read_only_udm.additional.fields. These are added as key-value pairs.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped dst_action_external_hostname, dst_action_external_port, dns_query_name, dst_causality_actor_process_execution_time, dst_association_strength raw log fields to event.idm.read_only_udm.target.resource.attribute.labels. These are added as key-value pairs.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped action_process_signature_status, actor_process_signature_status, actor_process_signature_vendor, actor_process_image_name, actor_process_instance_id, agent_data_collection_status, agent_fqdn, agent_install_type, starred, causality_actor_process_signature_status, causality_actor_process_image_name, causality_actor_process_command_line, causality_actor_process_image_path, causality_actor_process_signature_vendor, causality_actor_causality_id, causality_actor_process_execution_time, causality_actor_process_image_md5, causality_actor_process_image_sha256, is_whitelisted, alert_id, agent_is_vdi, is_pcap, contains_featured_host, contains_featured_user, contains_featured_ip, action_process_instance_id, actor_causality_id, os_actor_effective_username, os_actor_process_image_name, os_actor_process_signature_vendor, os_actor_process_causality_id, os_actor_causality_id, os_actor_process_os_pid, tags, matching_service_rule_id, attempt_counter, bioc_category_enum_key, case_id, mitre_tactic_id_and_name, mitre_technique_id_and_name, action_local_ip_v6, action_remote_ip_v6, action_process_signature_vendor, action_file_macro_sha256, action_registry_full_key, external_id, fw_app_id, fw_interface_from, fw_interface_to, fw_rule, fw_url_domain, fw_app_subcategory, fw_app_category, fw_app_technology, fw_vsys, fw_xff, fw_misc, fw_is_phishing, end_match_attempt_ts, last_modified_ts, bioc_indicator, deduplicate_tokens, filter_rule_id, agent_host_boot_time, event_sub_type, association_strength, story_id, image_name, image_id, container_id, container_name, namespace, referenced_resource, operation_name, identity_sub_type, identity_type, project, cloud_provider, resource_type, resource_sub_type, alert_type, resolution_status, resolution_comment, dynamic_fields, malicious_urls, action_pretty, original_tags, event_version, agent_ip_addresses_v6 raw log fields to event.idm.read_only_udm.security_result.detection_fields. These are added as key-value pairs.
- Corrected the misspelled token `unloac` to `unload`.
- Updated conditional check for `event_sub_type` to 9, 10 and 11 when `event_type` is `4`.
2025-06-12 Enhancement:
- event.idm.read_only_udm.metadata.product_version: Newly mapped `event_version` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field.
- event.idm.read_only_udm.principal.file.full_path: Newly mapped `action_file_previous_file_path` raw log field with `event.idm.read_only_udm.principal.file.full_path` UDM field.
- event.idm.read_only_udm.observer.ip: Newly mapped `agent_interface_map.ipv4` raw log field with `event.idm.read_only_udm.observer.ip` UDM field.
- event.idm.read_only_udm.observer.mac: Newly mapped `agent_interface_map.mac` raw log field with `event.idm.read_only_udm.observer.mac` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `action_file_last_writer_actor`, `action_file_device_type`, `action_file_previous_file_name`, `action_file_name`, `agent_id`, `agent_version`, `agent_os_type`, `os_actor_thread_thread_id`, `action_file_type`, `action_file_prev_type`, `os_actor_process_signature_status`, `os_actor_process_logon_id`, `agent_content_version` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.file.size: Newly mapped `action_module_image_size` raw log field with `event.idm.read_only_udm.target.file.size` UDM field if `event_type` raw log field is equal to "6".
2025-05-15 Enhancement:
- event.idm.read_only_udm.target.file.md5: Newly mapped `action_file_md5` raw log field with `event.idm.read_only_udm.target.file.md5` UDM field.
- event.idm.read_only_udm.target.file.sha256: Newly mapped `action_file_sha256` raw log field with `event.idm.read_only_udm.target.file.sha256` UDM field.
2025-03-19 Enhancement:
- Mapped "action_module_md5" to "target.process.file.md5".
- Mapped "action_module_sha256" to "target.process.file.sha256".
2023-12-15 Enhancement:
- Mapped "event_timestamp" to "metadata.event_timestamp".
- When "event_type" is "5" or "6" and "action_remote_ip", "action_local_ip" and "agent_hostname" are all null, "metadata.event_type" is set to "GENERIC_EVENT".
2023-02-01 Newly created parser.
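The conditional entries above (2025-06-12: `action_module_image_size` only when `event_type` is "6"; 2023-12-15: `GENERIC_EVENT` when the "5"/"6" event carries no IPs or hostname) are the parts of this log worth exercising with real records after a parser update. The Python below is an added illustration written for this page, not the Google SecOps parser's own code. It applies a subset of the listed mappings to constructed sample events, emits the key-value style fields, and reports raw keys the subset does not consume. The UDM output shape (nested dicts, `key`/`value` label lists) and the non-generic event types chosen for `event_type` "5" and "6" (`NETWORK_CONNECTION`, `PROCESS_MODULE_LOAD`) are assumptions made for the example; the change log does not state them.

```python
"""Subset of PAN_CORTEX_XDR_EVENTS mappings from this change log, as an added example.

Not the Google SecOps parser. Output layout and the non-generic event types are
assumptions; field placement follows the change-log entries.
"""
from typing import Any

# Direct raw -> UDM paths (subset of the 2025-07-18, 2025-05-15 and 2023-12-15 entries).
DIRECT_MAP = {
    "agent_hostname": "principal.asset.hostname",
    "action_local_ip": "principal.asset.ip",
    "endpoint_id": "principal.asset.asset_id",
    "action_remote_ip": "target.asset.ip",
    "action_external_hostname": "target.hostname",
    "user_name": "target.user.userid",
    "actor_process_image_sha256": "intermediary.process.file.sha256",
    "actor_process_command_line": "intermediary.process.command_line",
    "action_file_md5": "target.file.md5",
    "action_file_sha256": "target.file.sha256",
    "user_agent": "network.http.user_agent",
    "event_timestamp": "metadata.event_timestamp",
}
# Raw fields carried as key-value pairs (subset of the listed ones).
ADDITIONAL_FIELDS = ("agent_id", "agent_version", "agent_os_type", "action_file_name")
DETECTION_FIELDS = ("alert_id", "mitre_tactic_id_and_name",
                    "mitre_technique_id_and_name", "is_whitelisted")
# Raw fields read only by the conditional rules below.
CONDITIONAL_INPUTS = ("event_type", "action_module_image_size")


def _set_path(udm: dict[str, Any], dotted: str, value: Any) -> None:
    """Create nested dicts along 'a.b.c' and assign the leaf."""
    node = udm
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def normalize(raw: dict[str, Any]) -> dict[str, Any]:
    udm: dict[str, Any] = {}
    for raw_key, udm_path in DIRECT_MAP.items():
        if raw.get(raw_key) not in (None, ""):
            _set_path(udm, udm_path, raw[raw_key])
    event_type = str(raw.get("event_type", ""))
    # 2025-06-12 entry: module image size is a target.file.size only for event_type "6".
    if event_type == "6" and raw.get("action_module_image_size") is not None:
        _set_path(udm, "target.file.size", int(raw["action_module_image_size"]))
    # 2023-12-15 entry: event_type "5"/"6" with no remote IP, local IP or hostname
    # becomes GENERIC_EVENT. The non-generic types below are assumptions for the example.
    if event_type in ("5", "6"):
        sparse = all(raw.get(k) in (None, "")
                     for k in ("action_remote_ip", "action_local_ip", "agent_hostname"))
        if sparse:
            _set_path(udm, "metadata.event_type", "GENERIC_EVENT")
        else:
            _set_path(udm, "metadata.event_type",
                      "NETWORK_CONNECTION" if event_type == "5" else "PROCESS_MODULE_LOAD")
    # Key-value style fields; values are stringified as labels carry strings.
    udm.setdefault("additional", {})["fields"] = [
        {"key": k, "value": str(raw[k])} for k in ADDITIONAL_FIELDS if raw.get(k) is not None]
    udm.setdefault("security_result", {})["detection_fields"] = [
        {"key": k, "value": str(raw[k])} for k in DETECTION_FIELDS if raw.get(k) is not None]
    return udm


def unmapped_fields(raw: dict[str, Any]) -> list[str]:
    """Raw keys this subset drops; run this over real records to spot coverage gaps."""
    known = set(DIRECT_MAP) | set(ADDITIONAL_FIELDS) | set(DETECTION_FIELDS) | set(CONDITIONAL_INPUTS)
    return sorted(k for k in raw if k not in known)


# Constructed sample records, not real Cortex XDR output.
SAMPLE_NETWORK = {
    "event_type": "5", "event_timestamp": 1721289600000,
    "agent_hostname": "wkst-042", "action_local_ip": "10.0.5.17",
    "action_remote_ip": "203.0.113.9", "user_name": "jdoe",
    "agent_id": "a1b2c3", "agent_version": "8.4.0",
    "actor_process_command_line": "curl http://203.0.113.9/x",
    "alert_id": "12345", "is_whitelisted": False,
}
SAMPLE_SPARSE = {"event_type": "6", "action_module_image_size": "40960", "agent_id": "a1b2c3"}

if __name__ == "__main__":
    import json
    for sample in (SAMPLE_NETWORK, SAMPLE_SPARSE):
        print(json.dumps(normalize(sample), indent=2), "unmapped:", unmapped_fields(sample))
```

`unmapped_fields` is the check to keep around: feed it a day's worth of raw events and any key it returns is data that would silently disappear unless one of the key-value buckets above picks it up.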