Change log for SYSDIG
Date | Changes |
---|---|
2025-06-12 | Enhancement:
- Added a gsub to remove ` - `event.idm.read_only_udm.principal.platform`: Set the `event.idm.read_only_udm.principal.platform` UDM field to `LINUX` if the `rawEventOriginator` raw log field is `linuxAgent`. - `event.idm.read_only_udm.principal.platform`: Set the `event.idm.read_only_udm.principal.platform` UDM field to `WINDOWS` if the `rawEventOriginator` raw log field is `windowsAgent`. - `event.idm.read_only_udm.security_result.severity`: Removed the mapping of the `event.severity` and `severity` raw log fields to the `security_result.severity` UDM field when the `rawEventCategory` raw log field is `auditTrail`. - `event.idm.read_only_udm.security_result.severity`: Modified the conditions that map the `event.severity` raw log field to the `security_result.severity` UDM field: set it to `HIGH` when `event.severity` is 0, 1, 2 or 3 (it is no longer set to `HIGH` for 7 or 8); set it to `MEDIUM` when `event.severity` is 4 or 5 (no longer for 6); set it to `LOW` when `event.severity` is 6 (no longer for 0, 1, 2 or 3); set it to `INFORMATIONAL` when `event.severity` is 7; and no longer set it to `CRITICAL` when `event.severity` is 9 or 10. - `event.idm.read_only_udm.metadata.event_type`: Set the `event.idm.read_only_udm.metadata.event_type` UDM field to `PROCESS_LAUNCH` if the `content.fields.evt.type` raw log field is one of `execve`, `fork`, `clone`, `setuid` or `CreateProcess`. - `event.idm.read_only_udm.additional.fields`: Newly mapped the `rawEventOriginator` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field if `rawEventOriginator` is neither `linuxAgent` nor `windowsAgent`. - Modified the condition check on the `labels.container.image.digest` raw log field before mapping it to the `event.idm.read_only_udm.additional.fields` UDM field. |
2025-06-11 | Enhancement:
- Added a conditional check on `security_result_severity` that populates the `name` field with the corresponding severity. |
2025-05-19 | Enhancement:
- `event.idm.read_only_udm.metadata.url_back_to_product`: Newly mapped the `id` raw log field to the `event.idm.read_only_udm.metadata.url_back_to_product` UDM field. - `event.idm.read_only_udm.principal.hostname`: Newly mapped the `host` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields. - `event.idm.read_only_udm.target.resource.product_object_id`: Newly mapped the `pod_uid` raw log field to the `event.idm.read_only_udm.target.resource.product_object_id` UDM field. - `event.idm.read_only_udm.security_result.about.resource.name`: Newly mapped the `pod` raw log field to the `event.idm.read_only_udm.security_result.about.resource.name` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped the `container_id` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.target.resource.name`: Newly mapped the `cluster_name` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field. |
2025-05-02 | Enhancement:
- Removed the gsub that replaced `content\":{` with `content_info\":{`. - Added a gsub to replace `proc.ppid.ts` with `proc.ppid_ts`. - Added a gsub to replace `proc.pid.ts` with `proc.pid_ts`. - Added a gsub to replace `' '` with an empty string. - `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.hostname`: Newly mapped the `Impactscopedetails.EndpointServers.Ips` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields if its value is an IP address; otherwise it is mapped to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields. |
2025-03-19 | Enhancement:
- Mapped "_time", "time", "evnt.timestamp", "evnt.timestampRFC3339Nano", "evnt.originator", "evnt.source", "evnt.rawEventOriginator", "evnt.rawEventCategory", "evnt.sourceDetails.sourceType", "evnt.sourceDetails.sourceSubType", "evnt.engine", "evnt.name", "evnt.containerId", "evnt.machineId", "evnt.content.baselineId", "evnt.content.ruleType", "evnt.content.ruleTags", "evnt.content.output", "evnt.content.fields", "evnt.content.falsePositive", "evnt.content.matchedOnDefault", "evnt.labels.kubernetes.cluster.name", "evnt.labels.kubernetes.configmap.name", "evnt.labels.kubernetes.namespace.name", "index" and "sourcetype" to "additional.fields". - Mapped "evnt.description" to "security_result.description". - Mapped "evnt.id" to "metadata.product_log_id". - Mapped "evnt.type" to "metadata.product_event_type". - Mapped "evnt.category" to "security_result.category_details". - Mapped "evnt.content.policyId" to "security_result.rule_id". - Mapped "evnt.content.ruleName" to "security_result.rule_name". - Mapped "evnt.content.policyVersion" to "security_result.rule_labels". - Mapped "evnt.content.policyOrigin" to "security_result.rule_labels". - Mapped "evnt.severity" to "security_result.severity". - Mapped "evnt.id" to "metadata.url_back_to_product". |
2025-01-16 | Enhancement:
- Mapped "content_entityPayload.items.items", "content_entityPayload.channels", "content_entityPayload.connectionInfo.chronicleCustomerId", "content_entityPayload.connectionInfo.region", "content_entityPayload.customer.accessKey", "content_entityPayload.products", and "content_entityPayload_status" to "additional.fields". - Mapped "content_entityPayload.firstName" to "principal.user.first_name". - Mapped "content_entityPayload.lastName" to "principal.user.last_name". - Mapped "teamrole.teamName" to "principal.group.group_display_name". - Mapped "teamrole.role" to "principal.user.role_name". - Mapped "teamrole.userName" to "principal.user.user_display_name". |
2024-12-20 | Enhancement:
- Mapped "content_entityPayload.details.exceptions", "content_entityPayload.compression", "content_entityPayload.reportFormat", "content_entityPayload.reportType", "content_entityPayload.filters.conditionFilters.vulnName.value", and "content_entityPayload.notificationChannels" to "additional.fields". |
2024-11-07 | Enhancement:
- Mapped "content.queryString", "content.entityType", "content_entityPayload.id", "content_entityPayload.name", "content_entityPayload.version", "content_entityPayload.details.priority", and "content_entityPayload.details.ruleType" to "additional.fields". - Mapped "content_entityPayload.description" to "security_result.summary". |
2024-10-01 | Enhancement:
- Added support for new pattern of JSON logs. |
2024-07-08 | Enhancement:
- Added conditional check for MAC address. - Added support to handle JSON logs. |
2024-06-12 | Enhancement:
- Added support to handle unparsed JSON logs. |
2024-01-05 | - When "severity" is 0, 1, 2 or 3, changed the mapping of "security_result.severity" from "LOW" to "HIGH".
- When "severity" is 6, changed the mapping of "security_result.severity" from "HIGH" to "LOW". - When "severity" is 7, changed the mapping of "security_result.severity" from "HIGH" to "INFORMATIONAL". - Added "drop" for logs not in JSON format. - Added "on_error" to the "timestampRFC3339Nano" date mapping. |
2022-10-07 | Newly created parser. |
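
The mapping rules recorded in the 2025-06-12, 2025-05-19 and 2025-05-02 entries, collected into one runnable reference model so the conditional behaviour can be checked against sample events. This is an added example, not the SYSDIG parser's own code (the parser is a Google SecOps parser configuration, which is not reproduced here): the flat `{udm_path: value}` output shape, the `get_path` helper and the two sample events are assumptions constructed for illustration, and dotted names inside `content.fields` and `labels` are treated as flat keys. It also makes explicit two behaviours the entries only state in passing: `event.severity` values 8, 9 and 10 leave `security_result.severity` unset, and `auditTrail` events get no severity at all.

```python
import ipaddress
import json

# 2025-05-02: literal replacements applied to the raw text before JSON parsing,
# so dotted key segments such as proc.pid.ts do not collide with path lookups.
PRE_PARSE_GSUBS = (("proc.ppid.ts", "proc.ppid_ts"), ("proc.pid.ts", "proc.pid_ts"), ("' '", ""))
# 2025-06-12: rawEventOriginator -> principal.platform
PLATFORM_BY_ORIGINATOR = {"linuxAgent": "LINUX", "windowsAgent": "WINDOWS"}
# 2025-06-12: content.fields["evt.type"] values mapped to metadata.event_type PROCESS_LAUNCH
PROCESS_LAUNCH_TYPES = {"execve", "fork", "clone", "setuid", "CreateProcess"}
# 2025-05-19: raw top-level keys copied verbatim to one or more UDM paths
SIMPLE_COPIES = {
    "id": ("metadata.url_back_to_product",),
    "host": ("principal.hostname", "principal.asset.hostname"),
    "cluster_name": ("target.resource.name",),
}

def preprocess(raw: str) -> str:
    """Apply the gsub-style string replacements to the raw log line."""
    for old, new in PRE_PARSE_GSUBS:
        raw = raw.replace(old, new)
    return raw

def map_severity(value):
    """Sysdig numeric event.severity -> UDM security_result.severity: 0-3 HIGH,
    4-5 MEDIUM, 6 LOW, 7 INFORMATIONAL. 8, 9, 10 and non-numeric input leave it
    unset (None); the 2025-06-12 entry dropped HIGH for 8 and CRITICAL for 9, 10."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    if 0 <= n <= 3:
        return "HIGH"
    if n in (4, 5):
        return "MEDIUM"
    if n == 6:
        return "LOW"
    return "INFORMATIONAL" if n == 7 else None

def get_path(obj, *keys):
    """Nested dict lookup that returns None instead of raising on a miss (assumed helper)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def to_udm(raw: str) -> dict:
    """Map one raw Sysdig JSON event to a flat {udm_path: value} dict."""
    ev = json.loads(preprocess(raw))
    udm, additional = {}, {}
    originator = ev.get("rawEventOriginator")
    if originator in PLATFORM_BY_ORIGINATOR:
        udm["principal.platform"] = PLATFORM_BY_ORIGINATOR[originator]
    elif originator is not None:  # neither agent value: keep it as a label
        additional["rawEventOriginator"] = originator

    if ev.get("rawEventCategory") != "auditTrail":  # auditTrail: no severity mapped at all
        sev = map_severity(get_path(ev, "event", "severity"))
        if sev is not None:
            udm["security_result.severity"] = sev

    if get_path(ev, "content", "fields", "evt.type") in PROCESS_LAUNCH_TYPES:
        udm["metadata.event_type"] = "PROCESS_LAUNCH"

    for raw_key, paths in SIMPLE_COPIES.items():
        if raw_key in ev:
            for path in paths:
                udm[path] = ev[raw_key]

    # 2025-05-02: an IP literal goes to principal.ip, anything else to hostname.
    endpoint = get_path(ev, "Impactscopedetails", "EndpointServers", "Ips")
    if endpoint is not None:
        try:
            ipaddress.ip_address(endpoint)
            udm["principal.ip"] = udm["principal.asset.ip"] = endpoint
        except ValueError:
            udm["principal.hostname"] = udm["principal.asset.hostname"] = endpoint

    # The change log only says a condition check exists here; non-empty is assumed.
    digest = get_path(ev, "labels", "container.image.digest")
    if digest:
        additional["labels.container.image.digest"] = digest

    if additional:
        udm["additional.fields"] = additional
    return udm

# Constructed samples (not real captures); dotted names inside content.fields
# and labels are flat keys, as Sysdig emits them.
SAMPLE_RUNTIME_EVENT = json.dumps({
    "id": "17d6f2a3-b4c5", "rawEventOriginator": "linuxAgent", "rawEventCategory": "runtime",
    "event": {"severity": 2}, "host": "node-a",
    "content": {"fields": {"evt.type": "execve", "proc.pid.ts": 1718200000, "proc.name": "bash"}},
    "labels": {"container.image.digest": "sha256:0123"},
    "Impactscopedetails": {"EndpointServers": {"Ips": "10.0.3.17"}},
})
SAMPLE_AUDIT_EVENT = json.dumps({
    "id": "9a8b7c", "rawEventOriginator": "cloudtrail", "rawEventCategory": "auditTrail",
    "event": {"severity": 1}, "Impactscopedetails": {"EndpointServers": {"Ips": "api.internal"}},
})
```

Running `to_udm` on the two samples gives `principal.platform` `LINUX`, `security_result.severity` `HIGH` and `metadata.event_type` `PROCESS_LAUNCH` for the runtime event, and no severity plus `rawEventOriginator` in `additional.fields` for the audit-trail event. The same cases, especially severities 6 through 10 and the `auditTrail` branch, are the ones worth re-running against the real parser whenever a mapping change like the one on 2025-06-12 lands, because detection rules keyed on `security_result.severity` silently stop matching when a value moves from `HIGH` to `INFORMATIONAL` or becomes unset.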