Change log for SOPHOS_UTM
| Date | Changes |
|---|---|
| 2025-07-25 | Enhancement -
- `event.idm.read_only_udm.additional.fields` : Newly mapped `content-type`, `reason` , and `referer` raw log fields with `event.idm.read_only_udm.additional.fields` UDM fields. - Added a new grok for the `url` raw log field to parse the `HOSTNAME` from the `url` raw log field and map it to the `target.hostname` and `target.asset.hostname` UDM field. |
| 2024-12-18 | Enhancement -
- Mapped "size" to "target.file.size". - Mapped "subject" to "network.email.subject" - Mapped "from" to "network.email.from". - Mapped "to" to "network.email.to". |
| 2024-10-10 | Enhancement -
- Mapped "virus" to "security_result.detection_fields". - Mapped "filename" to "target.file.names". - Mapped "severity" to "security_result.severity_details". - Added "gsub" to parse unparsed logs. - Parsed "Authentication" logs to "USER_LOGIN" event type. |
| 2024-05-29 | Enhancement -
- Mapped "url" to "target.hostname" and "target.asset.hostname". |
| 2022-06-30 | Enhancement -
- Mapped "size" to "additional.fields". - Mapped "fullreqtime" to "additional.fields". - Mapped "category" to "security_result.detection_fields". - Mapped "device" to "additional.fields". - Mapped "exceptions" to "additional.fields". - When "action" is equal to "DROP" then Mapped "security_result.action" to "BLOCK". - Mapped "inter_host" to "intermediary.hostname". |
| 2022-04-13 | Enhancement - Added mappings for following fields:
- 'categoryname' to 'security_result.category_details'. - 'user' to 'target.user.userid' - 'ad_domain' to 'target.administrative_domain' - 'group' to 'target.group.group_display_name' - 'sys' to 'metadata.product_event_type' - 'application' to 'principal.application' - 'auth' to 'extensions.auth.auth_details' - 'profile' to 'security_result1.rule_name' - 'app-id', 'reputation', 'request', 'authtime', 'dnstime', 'aptptime', 'cattime', 'avscantime' to 'additional.fields' |