Change log for TRELLIX_HX_ES

Date Changes
2025-08-06 Enhancement:
- Added on_error check condition for `parentProcess` raw log field before setting `has_principal_process` as `true`.
2025-08-03 Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Mapped the `timestamp` field to `event.idm.read_only_udm.metadata.event_timestamp`.
- event.idm.read_only_udm.network.dns.questions: Mapped the `hostname` field to `event.idm.read_only_udm.network.dns.questions.name` when it's available.
- event.idm.read_only_udm.target.process.file.names: Mapped the `process` field to `event.idm.read_only_udm.target.process.file.names`.
- event.idm.read_only_udm.target.process.file.full_path: Mapped the `processPath` field to `event.idm.read_only_udm.target.process.file.full_path`.
- event.idm.read_only_udm.target.process.file.md5: Mapped the `md5` field to `event.idm.read_only_udm.target.process.file.md5`.
- event.idm.read_only_udm.target.process.command_line: Mapped the `processCmdLine` field to `event.idm.read_only_udm.target.process.command_line`.
- event.idm.read_only_udm.target.process.pid: Mapped the `pid` field to `event.idm.read_only_udm.target.process.pid`.
- event.idm.read_only_udm.target.file.names: Mapped the `fileName` field to `event.idm.read_only_udm.target.file.names`.
- event.idm.read_only_udm.target.file.mime_type: Mapped the `fileExtension` field to `event.idm.read_only_udm.target.file.mime_type`.
- event.idm.read_only_udm.target.file.full_path: Mapped `processPath` and `fileName` to `event.idm.read_only_udm.target.file.full_path` when both are available.
- event.idm.read_only_udm.principal.process.file.full_path: Mapped the `fullPath` field to `event.idm.read_only_udm.principal.process.file.full_path`.
- event.idm.read_only_udm.additional.fields: Newly mapped the raw log fields `sequence_num`, `drive`, `filePath`, `devicePath`, `args`, `ipv6`, `writes`, `numBytesSeenWritten`, `lowestFileOffsetSeen`, `dataAtLowestOffset`, `textAtLowestOffset`, `closed`, `openTimeRaw`, `openDuration`, `eventReason`, `AgentId`, `data`, `hive`, `keyPath`, and `path` to `event.idm.read_only_udm.additional.fields`.
- event.idm.read_only_udm.principal.process.pid: Mapped the `parentPid` field to `event.idm.read_only_udm.principal.process.pid`.
- event.idm.read_only_udm.principal.process.file.full_path: Mapped the `parentProcessPath` field to `event.idm.read_only_udm.principal.process.file.full_path`.
- event.idm.read_only_udm.principal.process.parent_process.file.names: Mapped the `parentProcess` field to `event.idm.read_only_udm.principal.process.parent_process.file.names`.
- event.idm.read_only_udm.principal.process.parent_process.file.full_path: Mapped the `parentPath` field to `event.idm.read_only_udm.principal.process.parent_process.file.full_path`.
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Mapped the `remoteIP` and `remoteIpAddress` fields to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Mapped the `localIP` field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.
- event.idm.read_only_udm.principal.port: Mapped the `localPort` field to `event.idm.read_only_udm.principal.port`.
- event.idm.read_only_udm.target.port: Mapped the `remotePort` field to `event.idm.read_only_udm.target.port`.
- event.idm.read_only_udm.target.url: Mapped the `requestUrl` field to `event.idm.read_only_udm.target.url`.
- event.idm.read_only_udm.network.http.method: Mapped the `urlMethod` field to `event.idm.read_only_udm.network.http.method`.
- event.idm.read_only_udm.network.http.user_agent: Mapped the `userAgent` field to `event.idm.read_only_udm.network.http.user_agent`.
- event.idm.read_only_udm.metadata.product_event_type: Mapped the `EventType` or `eventType` field to `event.idm.read_only_udm.metadata.product_event_type`.
- event.idm.read_only_udm.network.application_protocol: Mapped the `proto` field to `event.idm.read_only_udm.network.application_protocol`.
- event.idm.read_only_udm.network.application_protocol_version: Mapped the `proto_version` field to `event.idm.read_only_udm.network.application_protocol_version`.
- event.idm.read_only_udm.target.registry.registry_key: Mapped the `originalPath` field to `event.idm.read_only_udm.target.registry.registry_key`.
- event.idm.read_only_udm.metadata.event_type:
  - If `EventID` is `7036` and both principal and target are present, updated to `SERVICE_STOP` or `SERVICE_START` based on the `param2` field.
  - If event_type is `GENERIC_EVENT`, `principal_machine_present` is true and `has_dns` is true, updated to `NETWORK_DNS`.
  - If event_type is `GENERIC_EVENT`, `principal_machine_present` is true and `network_application_protocol` is `HTTP`, updated to `NETWORK_HTTP`.
  - If event_type is `GENERIC_EVENT`, `principal_machine_present` is true, `has_target_process` is true and `eventType` is `start`, updated to `PROCESS_LAUNCH`.
  - If event_type is `GENERIC_EVENT`, `principal_machine_present` is true, `has_target_process` is true and `eventType` is `end`, updated to `PROCESS_TERMINATION`.
  - If event_type is `GENERIC_EVENT`, `has_file` is true, `principal_machine_present` is true and `eventType` is `fileWriteEvent`, updated to `FILE_MODIFICATION`.
  - If event_type is `GENERIC_EVENT`, `principal_machine_present` is true, and both `has_target_process` and `has_principal_process` are true, updated to `PROCESS_MODULE_LOAD`.
  - If event_type is `GENERIC_EVENT`, `principal_machine_present` is true and `has_target_registry` is true, updated to `REGISTRY_MODIFICATION`.
  - If event_type is `GENERIC_EVENT` and both `has_target` and `has_principal` are true, updated to `NETWORK_CONNECTION`.
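The event_type rules listed in the 2025-08-03 entry form a precedence chain; the Python below is an added illustration of that chain, not the parser's own code. It assumes the rules are evaluated top to bottom with the first match winning, that each `has_*` flag is derived from the raw field the changelog maps for it, that `principal_machine_present` follows from the presence of `AgentId`, and that `param2` for EventID 7036 carries `stopped` or `running`.

```python
# Added example (not the parser's own code): models the metadata.event_type selection
# described in the 2025-08-03 entry. Flag derivations and ordering are assumptions.

def derive_event_type(raw: dict) -> str:
    """Return the UDM metadata.event_type the changelog rules would select for one raw record."""
    # Flag derivations (assumed for this example, following the field mappings above).
    principal_machine_present = bool(raw.get("AgentId"))
    has_dns = bool(raw.get("hostname"))
    has_target_process = bool(raw.get("process") or raw.get("pid"))
    # Mirrors the 2025-08-06 on_error guard: a missing or empty parentProcess stays false.
    has_principal_process = bool(raw.get("parentProcess"))
    has_file = bool(raw.get("fileName"))
    has_target_registry = bool(raw.get("originalPath"))
    has_target = bool(raw.get("remoteIP") or raw.get("remoteIpAddress"))
    has_principal = bool(raw.get("localIP"))
    event_kind = raw.get("eventType") or raw.get("EventType") or ""
    proto = (raw.get("proto") or "").upper()

    # Windows service control event: the service state is read from param2 (assumed values).
    if raw.get("EventID") == "7036" and has_principal and has_target:
        return "SERVICE_STOP" if (raw.get("param2") or "").lower() == "stopped" else "SERVICE_START"

    # Every remaining rule only fires while event_type is still GENERIC_EVENT,
    # so returning on the first match reproduces the "if event_type is GENERIC_EVENT" guard.
    if principal_machine_present:
        if has_dns:
            return "NETWORK_DNS"
        if proto == "HTTP":
            return "NETWORK_HTTP"
        if has_target_process and event_kind == "start":
            return "PROCESS_LAUNCH"
        if has_target_process and event_kind == "end":
            return "PROCESS_TERMINATION"
        if has_file and event_kind == "fileWriteEvent":
            return "FILE_MODIFICATION"
        if has_target_process and has_principal_process:
            return "PROCESS_MODULE_LOAD"
        if has_target_registry:
            return "REGISTRY_MODIFICATION"
    if has_target and has_principal:
        return "NETWORK_CONNECTION"
    return "GENERIC_EVENT"


if __name__ == "__main__":
    # Constructed sample record (not real telemetry): a process with an empty parentProcess
    # does not become PROCESS_MODULE_LOAD because the on_error guard keeps the flag false.
    print(derive_event_type({"AgentId": "a1", "process": "x.dll", "parentProcess": ""}))
```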
2025-02-28 Enhancement:
- Refreshed parser to map all fields correctly.
2024-11-28 Enhancement:
- Mapped `security_result.action` based on the login status.
- When the login failed, mapped `security_result.category` to `AUTH_VIOLATION`.
- Mapped `Status`, `FailureReason`, `SubStatus`, and `LogonType` to `additional.fields`.
2024-11-14 Enhancement:
- Added support for new pattern of JSON logs.
2024-03-31 - Newly created parser.