Change log for SYMANTEC_DLP
| Date | Changes |
|---|---|
| 2025-06-05 | Enhancement:
- Added Grok to handle the `occurredOn` field properly. |
| 2025-05-15 | Enhancement:
- Added support to handle the `occurredOn` field properly. - event.idm.read_only_udm.security_result.verdict.response_count : Newly Mapped `Total Count` raw log field to `event.idm.read_only_udm.security_result.verdict.response_count` UDM field. |
| 2025-02-04 | Enhancement:
- Added support for SYSLOG logs. |
| 2025-01-08 | Enhancement:
- Mapped "ATTACHMENT_FILENAME" to "principal.file.full_path". - When "DATAOWNER_NAME" is present, then mapped "DATAOWNER_NAME" to "principal.user.userid". - When "DATAOWNER_NAME" is not present, then mapped "ENDPOINT_USERNAME" to "principal.user.userid". |
| 2024-12-27 | Enhancement:
- Added support to parse the new log format. |
| 2024-12-04 | Enhancement:
- Added support to parse the new log format. |
| 2024-11-11 | Enhancement:
- Added support to parse the new log format. |
| 2024-09-05 | Enhancement:
- Added support to parse the new log format. |
| 2024-06-17 | Enhancement:
- Added support to parse the new format of field "recipients". |
| 2024-06-14 | Enhancement:
- Added support for CEF Logs. |
| 2024-05-16 | Enhancement:
- Mapped "dlp_type" to "security_result.detection_fields". |
| 2024-04-26 | Bug-Fix:
- Mapped "recipients" to "target.user.email_addresses". |
| 2024-03-10 | Enhancement:
- Added new Grok patterns to parse logs of new SYSLOG formats. - Mapped "server" to "target.application". - Mapped "url" to "target.url". - Mapped "dataowner_mail" to "principal.user.email_addresses". - Mapped "reported_on" and "monitor_name" to "additional.fields". - Mapped "sender" to "network.email.from". - Mapped "subject" to "network.email.subject". |
| 2024-02-20 | Enhancement:
- Mapped "blocked" to "security_result.action_details" and "security_result.action". |
| 2024-01-12 | Enhancement:
- Mapped "incident_id" and "DLP_EP_Incident_ID" to "security_result.detection_fields". - Added a Grok pattern to parse logs of new SYSLOG formats. - Mapped "location" to "principal.resource.attribute.labels". - Mapped "target_type" to "target.resource.attribute.labels". |
| 2023-12-06 | Enhancement:
- Added a Grok pattern to parse logs of new formats. - Mapped "application" to "principal.application". - Mapped "application_name" to "target.application". - Mapped "policy_name" to "security_result.detection_fields". |
| 2023-09-02 | Enhancement:
- Added support to parse failing logs and mapped the fields accordingly. |
| 2023-08-17 | Enhancement:
- Mapped "Occurred on" to "principal.labels". - When "act" is "Modified", set "security_result.action" to "ALLOW_WITH_MODIFICATION". - Mapped "status" to "principal.labels". |