Change log for SYMANTEC_EDR

Date Changes
2025-04-18 - Added a Grok pattern to parse the json format of logs.
- event.idm.read_only_udm.metadata.event_timestamp:Newly mapped "device_time" raw log field with "event.idm.read_only_udm.metadata.event_timestamp" UDM field.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped "ref_incident_uid" raw log field with "event.idm.read_only_udm.security_result.rule_id" UDM field.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped "rule_name" raw log field with "event.idm.read_only_udm.security_result.rule_name" UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped "type_id" raw log field with "event.idm.read_only_udm.security_result.detection_fields" UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped "incident_uid" raw log field with "event.idm.read_only_udm.metadata.product_log_id" UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped "type" raw log field with "event.idm.read_only_udm.metadata.product_event_type" UDM field.
- event.idm.read_only_udm.security_result.description: Newly mapped "remediation" raw log field with "event.idm.read_only_udm.security_result.description" UDM field.
- event.idm.read_only_udm.security_result.priority_details: Newly mapped "priority_id" raw log field with "event.idm.read_only_udm.security_result.priority_details" UDM field.
- event.idm.read_only_udm.principal.hostname,event.idm.read_only_udm.principal.asset.hostname: Newly mapped "logging_device_name" raw log field with "event.idm.read_only_udm.principal.hostname" and "event.idm.read_only_udm.principal.asset.hostname" UDM fields.
- event.idm.read_only_udm.principal.ip,event.idm.read_only_udm.principal.asset.ip: Newly mapped "logging_device_ip" raw log field into "event.idm.read_only_udm.principal.ip" and "event.idm.read_only_udm.principal.asset.ip" UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped "detection_type" raw log field into "event.idm.read_only_udm.security_result.category_details" UDM field.
- Added "has_principal" flag for "internalIP","device_ip","internalHost" raw log fields.
- Added "has_target" flag for "external_ip","user_agent_ip","device_uid" raw log fields.
- Added "has_target" and "has_principal" flags as a conditional check before mapping "NETWORK_CONNECTION" event_type.
- Added "has_principal" flag as a conditional check before mapping "STATUS_UPDATE" event_type.
- Added ([logging_device_name] == "") and ([logging_device_ip] == "") as a conditional check before mapping "GENERIC_EVENT" event_type.
- Added "on_error" check for "event_actor.pid","log_time","asset_id" raw log fields.
- Added a separate mutate block for "internalHost","event_actor.pid","event_actor.file.path","type_id","product_name","product_ver","uuid","message" raw log fields.
- Added a conditional check before mapping "message" raw log field to "event.idm.read_only_udm.metadata.description" UDM field.
- Added a separate mutate block for "device_name","device_ip" raw log fields, replacing "rename" with "replace".
- Replacing "rename" with "replace" for "device_name" raw log field.
- event.idm.read_only_udm.principal.asset_id: Newly mapped "device_uid" raw log field with "event.idm.read_only_udm.principal.asset_id" UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped "incident" raw log field with "event.idm.read_only_udm.additional.fields" UDM field.
- event.idm.read_only_udm.principal.process.pid: Newly mapped "event_actor_pid" raw log field with "event.idm.read_only_udm.principal.process.pid" UDM field.
- event.idm.read_only_udm.principal.resource.id: Newly mapped "event_actor_uid" raw log field with "event.idm.read_only_udm.principal.resource.id" UDM field.
- event.idm.read_only_udm.principal.process.command_line: Newly mapped "event_actor_cmd_line" raw log field with "event.idm.read_only_udm.principal.process.command_line" UDM field.
- event.idm.read_only_udm.principal.process.file.md5: Newly mapped "event_actor_file.md5" raw log field with "event.idm.read_only_udm.principal.process.file.md5" UDM field.
- event.idm.read_only_udm.principal.process.file.sha256: Newly mapped "event_actor_file.sha2" raw log field with "event.idm.read_only_udm.principal.process.file.sha256" UDM field.
- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped "event_actor_file.path" raw log field with "event.idm.read_only_udm.principal.process.file.full_path" UDM field.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped "enriched_data_rule_name" raw log field with "event.idm.read_only_udm.security_result.rule_name" UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped "enriched_data_suspicion_score" raw log field with "event.idm.read_only_udm.security_result.detection_fields" UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped "enriched_data_category_name" raw log field with "event.idm.read_only_udm.security_result.category_details" UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped "enriched_data_rule_description" raw log field with "event.idm.read_only_udm.security_result.detection_fields" UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped "ref_uid" raw log field with "event.idm.read_only_udm.additional.fields" UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped "correlation_uid" raw log field with "event.idm.read_only_udm.additional.fields" UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped "ref_orig_uid" raw log field with "event.idm.read_only_udm.additional.fields" UDM field.
- event.idm.read_only_udm.target.administrative_domain: Newly mapped "user_domain" raw log field with "event.idm.read_only_udm.target.administrative_domain" UDM field.
- Added "has_target" flag for "asset_id" raw log field.
- Added a separate mutate block for "principal_hostname","target_hostname" raw log fields, replacing "rename" with "replace".
- Added a separate mutate block for "principal_ip","target_ip" raw log fields.
2022-03-31 - Added Device Id prefix to asset details.
- Added CEF parsing support.