Change log for SERVICENOW_AUDIT
| Date | Changes |
|---|---|
| 2025-05-21 | Enhancement:<br>- Added a Grok pattern to support SYSLOG logs.<br>- Extracted the `User` from the log using the Grok pattern and mapped it to `event.idm.read_only_udm.principal.user.userid`.<br>- `event.idm.read_only_udm.principal.ip`: newly mapped the "statprin_ipus" raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: newly mapped the "statprin_ipus" raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: newly mapped the "exportByteSize" and "exportRecordCount" raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Set `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE` when `event.idm.read_only_udm.principal.ip` is populated. |
| 2025-05-16 | Enhancement:<br>- Added a Grok pattern to support SYSLOG logs.<br>- `event.idm.read_only_udm.security_result.action_details`: newly mapped the "status" raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- If `status` equals `successful`, set `security_result_action` to `ALLOW`.<br>- If `status` equals `failure`, set `security_result_action` to `BLOCK`.<br>- `event.idm.read_only_udm.security_result.action`: newly mapped the "security_result_action" field to the `event.idm.read_only_udm.security_result.action` UDM field.<br>- `event.idm.read_only_udm.security_result`: newly merged "security_result" into the `event.idm.read_only_udm.security_result` UDM field. |
| 2025-01-15 | - Newly created parser |
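As an added illustration (not the parser's own code, which this change log does not show), the Python below applies the mapping rules from the 2025-05-16 and 2025-05-21 entries to a constructed set of already-extracted fields, so the expected UDM output for a given `status` or a missing IP can be checked before a parser release. The input field names `user`, `statprin_ipus`, `status`, `exportByteSize` and `exportRecordCount`, and the nested-dict layout standing in for `event.idm.read_only_udm`, are assumptions.

```python
# Constructed sample of fields a Grok pattern might extract from one
# ServiceNow audit syslog line; not a real record, and the raw syslog
# layout and the actual Grok pattern are not shown in the change log.
SAMPLE_EXTRACTED = {
    "user": "admin.user",
    "statprin_ipus": "10.0.0.5",
    "status": "successful",
    "exportByteSize": "2048",
    "exportRecordCount": "17",
}


def map_to_udm(fields: dict) -> dict:
    """Build the read_only_udm subtree from already-extracted raw fields.

    Rules taken from the change log entries above:
      user                        -> principal.user.userid
      statprin_ipus               -> principal.ip and principal.asset.ip
      exportByteSize/RecordCount  -> additional.fields
      status                      -> security_result.action_details;
                                     successful -> ALLOW, failure -> BLOCK
      metadata.event_type = STATUS_UPDATE only when principal.ip is set
    """
    udm = {"metadata": {}, "principal": {}, "security_result": {},
           "additional": {"fields": {}}}

    if fields.get("user"):
        udm["principal"]["user"] = {"userid": fields["user"]}

    ip = fields.get("statprin_ipus")
    if ip:
        # Both principal.ip and principal.asset.ip come from the same field.
        udm["principal"]["ip"] = [ip]
        udm["principal"]["asset"] = {"ip": [ip]}
        # event_type is only set when principal.ip is populated.
        udm["metadata"]["event_type"] = "STATUS_UPDATE"

    for key in ("exportByteSize", "exportRecordCount"):
        if key in fields:
            udm["additional"]["fields"][key] = fields[key]

    status = fields.get("status")
    if status is not None:
        udm["security_result"]["action_details"] = status
        # Any other status value leaves security_result.action unset.
        action = {"successful": "ALLOW", "failure": "BLOCK"}.get(status)
        if action:
            udm["security_result"]["action"] = [action]

    return udm
```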