Change log for SYMANTEC_DLP

Date Changes
2025-08-21 Enhancement:
- Renamed the `policy_rule` field to `subject` in the grok pattern because it maps to a `subject` field, not a `rule_name` field.
- `event.idm.read_only_udm.security_result.rule_name`: Removed mapping of `policy_rule` from `event.idm.read_only_udm.security_result.rule_name` UDM field.
- `event.idm.read_only_udm.network.email.subject`: Mapped `subject` raw log field with `event.idm.read_only_udm.network.email.subject` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: If the event_type is `SCAN_NETWORK`, updated to `EMAIL_TRANSACTION`.
2025-07-22 Enhancement:
- Added a grok pattern to parse the log.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped 'policies' raw log field to event.idm.read_only_udm.security_result.rule_id.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped 'rule' raw log field to event.idm.read_only_udm.security_result.rule_name.
- event.idm.read_only_udm.security_result.rule_name: Removed mapping of 'asunto' raw log field from event.idm.read_only_udm.security_result.rule_name as asunto represents the email subject, not the rule name.
- event.idm.read_only_udm.network.email.subject: Mapped 'asunto' raw log field to event.idm.read_only_udm.network.email.subject.
2025-07-10 Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `end` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- Added a separate date filter for timestamps that do not have a year and updated `rebase` to `true`.
- Added a grok pattern for `dhost` and `temp_dhost` to validate the hostname.
- Added an 'N/A' check along with a null check for `fname` before mapping it with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.network.session_duration.seconds: Newly mapped `cnt` raw log field with `event.idm.read_only_udm.network.session_duration.seconds` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `resolution` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Added a check to ensure that `dhost` is a URL before mapping it with `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.target.user.email_addresses: Newly mapped `dhost` raw log field with `event.idm.read_only_udm.target.user.email_addresses` UDM field when it contains an email address.
- Added a grok pattern for `dhost` to extract hostname from URL.
2025-06-05 Enhancement:
- Added Grok to handle the `occurredOn` field properly.
2025-05-15 Enhancement:
- Added support to handle the `occurredOn` field properly.
- event.idm.read_only_udm.security_result.verdict.response_count: Newly mapped `Total Count` raw log field to `event.idm.read_only_udm.security_result.verdict.response_count` UDM field.
2025-02-04 Enhancement:
- Added support for SYSLOG logs.
2025-01-08 Enhancement:
- Mapped "ATTACHMENT_FILENAME" to "principal.file.full_path".
- When "DATAOWNER_NAME" is present, then mapped "DATAOWNER_NAME" to "principal.user.userid".
- When "DATAOWNER_NAME" is not present, then mapped "ENDPOINT_USERNAME" to "principal.user.userid".
2024-12-27 Enhancement:
- Added support to parse the new log format.
2024-12-04 Enhancement:
- Added support to parse the new log format.
2024-11-11 Enhancement:
- Added support to parse the new log format.
2024-09-05 Enhancement:
- Added support to parse the new log format.
2024-06-17 Enhancement:
- Added support to parse the new format of field "recipients".
2024-06-14 Enhancement:
- Added support for CEF Logs.
2024-05-16 Enhancement:
- Mapped "dlp_type" to "security_result.detection_fields".
2024-04-26 Bug-Fix:
- Mapped "recipients" to "target.user.email_addresses".
2024-03-10 Enhancement:
- Added new Grok patterns to parse logs of new SYSLOG formats.
- Mapped "server" to "target.application".
- Mapped "url" to "target.url".
- Mapped "dataowner_mail" to "principal.user.email_addresses".
- Mapped "reported_on" and "monitor_name" to "additional.fields".
- Mapped "sender" to "network.email.from".
- Mapped "subject" to "network.email.subject".
2024-02-20 Enhancement:
- Mapped "blocked" to "security_result.action_details" and "security_result.action".
2024-01-12 Enhancement:
- Mapped "incident_id" and "DLP_EP_Incident_ID" to "security_result.detection_fields".
- Added a Grok pattern to parse logs of new SYSLOG formats.
- Mapped "location" to "principal.resource.attribute.labels".
- Mapped "target_type" to "target.resource.attribute.labels".
2023-12-06 Enhancement:
- Added a Grok pattern to parse logs of new formats.
- Mapped "application" to "principal.application".
- Mapped "application_name" to "target.application".
- Mapped "policy_name" to "security_result.detection_fields".
2023-09-02 Enhancement:
- Added support to parse failing logs and mapped the fields accordingly.
2023-08-17 Enhancement:
- Mapped "Occurred on" to "principal.labels".
- When "act" is "Modified", set "security_result.action" to "ALLOW_WITH_MODIFICATION".
- Mapped "status" to "principal.labels".