Change log for TRENDMICRO_VISION_ONE
| Date | Changes |
|---|---|
| 2025-04-22 | Enhancement:<br>- `event.idm.read_only.udm.additional.fields`: Removed mapping of `endpoint.name` from `event.idm.read_only.udm.additional.fields` UDM field.<br>- `event.idm.read_only.udm.principal.hostname`: Mapped `endpoint.name` raw log field with `event.idm.read_only.udm.principal.hostname` UDM field.<br>- `event.idm.read_only.udm.principal.asset.hostname`: Mapped `endpoint.name` raw log field with `event.idm.read_only.udm.principal.asset.hostname` UDM field.<br>- `event.idm.read_only.udm.principal.ip`: Mapped `endpoint.ips` raw log field with `event.idm.read_only.udm.principal.ip` UDM field if it is a valid IP, else mapped it to `event.idm.read_only.udm.additional.fields`.<br>- `event.idm.read_only.udm.principal.asset.ip`: Mapped `endpoint.ips` raw log field with `event.idm.read_only.udm.principal.asset.ip` UDM field if it is a valid IP, else mapped it to `event.idm.read_only.udm.additional.fields`.<br>- `event.idm.read_only.udm.additional.fields`: Newly mapped `actResult` raw log list field with `event.idm.read_only.udm.additional.fields` UDM field.<br>- `event.idm.read_only.udm.security_result.action`: Newly mapped `event.idm.read_only.udm.security_result.action` UDM field as `ALLOW` if `actResult` raw log field value is `Passed`, else mapped it to `BLOCK`. |
| 2025-03-21 | Enhancement:<br>- If "objecttype" is "command_line" and "objectfield" is "objectCmd" and "target_commandline_process_set" is false, then mapped "object.CustomValue" to "target.process.command_line".<br>- If "objecttype" is "command_line" and "objectfield" is "parentCmd" and "target_commandline_parent_process_set" is false, then mapped "object.CustomValue" to "target.process.parent_process.command_line".<br>- If "objecttype" is "command_line" and "objectfield" is neither "processCmd" nor "objectCmd", then mapped "object.CustomValue" to "target.resource.attribute.labels".<br>- If "objecttype" is "file_sha1" and "objectfield" is "processFileHashSha1" and "target_filesha1_set" is false, then mapped "object.CustomValue" to "target.file.sha1" and "target.process.file.sha1".<br>- If "objecttype" is "file_sha1" and "objectfield" is "parentFileHashSha1" and "target_parent_filesha1_set" is false, then mapped "object.CustomValue" to "target.process.parent_process.file.sha1".<br>- If "objecttype" is "file_sha1" and "objectfield" is neither "parentFileHashSha1" nor "processFileHashSha1", then mapped "object.CustomValue" to "target.resource.attribute.labels".<br>- If "objecttype" is "fullpath" and "objectfield" is "processFilePath" and "target_filepath_set" is false, then mapped "object.CustomValue" to "target.file.full_path" and "target.process.file.full_path".<br>- If "objecttype" is "fullpath" and "objectfield" is "parentFilePath" and "target_parent_filepath_set" is false, then mapped "object.CustomValue" to "target.process.parent_process.file.full_path".<br>- If "objecttype" is "fullpath" and "objectfield" is neither "processFilePath" nor "processFilePath", then mapped "object.CustomValue" to "target.resource.attribute.labels". |
| 2025-03-17 | Enhancement:<br>- Removed the mapping of "uuid" from "principal.user.userid".<br>- Added the mapping of "uuid" to "principal.resource.product_object_id". |
| 2025-03-06 | Enhancement:<br>- Added a for loop to handle multiple "Impactscopedetails" and "Accounts".<br>- Added a for loop to handle multiple "Impactscopedetails" and "EndpointDesktops".<br>- Mapped "endpointdesktop.Hostname" to "principal.hostname".<br>- Mapped "guid" to "principal.asset.asset_id".<br>- Mapped "Ips" to "principal.ip".<br>- If "objecttype" is "text", then mapped "object.CustomValue" to "security_result.detection_fields".<br>- If "objecttype" is "command_line", then mapped "object.CustomValue" to "target.process.command_line".<br>- If "objecttype" is "file_sha1", then mapped "object.CustomValue" to "target.process.file.sha1".<br>- If "objecttype" is "fullpath", then mapped "object.CustomValue" to "target.file.full_path".<br>- Mapped "IP_address" to "principal.ip".<br>- Mapped "pliance_IP_address" to "Appliance_IP_address". |
| 2025-02-11 | Enhancement:<br>- When "object_field" is "parentCmd", it is mapped to "principal.process.command_line".<br>- When "object_field" is "parentFilePath", it is mapped to "principal.process.file.full_path".<br>- Removed "principal.process.command_line" and "principal.process.file.full_path" when "object_field" is "processCmd". |
| 2025-01-31 | Enhancement:<br>- When "object_field" is "processCmd", mapped it to "principal.process.command_line" and "principal.process.file.full_path".<br>- When "object_field" is "malName", mapped it to "security_result.threat_name".<br>- When "object_field" is "actResult", mapped it to "security_result.action_details" and "security_result.action". |
| 2025-01-24 | Enhancement:<br>- Removed mappings for "target".<br>- Mapped "detail.eventSubId" to "metadata.product_event_type".<br>- Mapped "endpoint.guid" and "detail.endpointGuid" to "principal.asset_id" and "principal.asset.asset_id".<br>- Mapped "detail.uuid" to "metadata.product_log_id".<br>- Mapped "filters.0.unique_id" to "security_result.rule_id".<br>- Mapped "filters.0.name" to "security_result.summary".<br>- Mapped "filters.0.id" to "security_result.rule_name". |
| 2025-01-17 | Enhancement:<br>- Removed mapping of "highlightedObjects" to "additional.fields" and mapped them to the respective "process" and "file" fields. |
| 2024-12-06 | Enhancement:<br>- Added date match pattern for "firstSeen", "createdDateTime", and "lastSeen". |
| 2024-11-15 | Enhancement:<br>- Added support for dropped logs. |
| 2024-11-04 | Enhancement:<br>- When "severity" value is "info", mapped "security_result.severity" to "INFORMATIONAL".<br>- Added support for IPv6 logs. |
| 2024-10-10 | Enhancement:<br>- Mapped "detectionTime" to "metadata.event_timestamp". |
| 2024-10-03 | Enhancement:<br>- Added support for a new pattern of JSON logs.<br>- Changed mapping of "details.ipAddr" from "principal.ip" and "principal.asset.ip" to "target.ip" and "target.asset.ip". |
| 2024-08-15 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
| 2024-08-01 | Enhancement:<br>- Initialized "about" to null and added a check before merging. |
| 2024-05-24 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
| 2024-05-13 | Enhancement:<br>- Added support for JSON logs. |
| 2023-03-24 | Newly created parser. |
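The 2025-04-22 and 2025-03-21 entries describe conditional mapping logic rather than plain field renames: the first validates each `endpoint.ips` value before placing it in `principal.ip` (falling back to `additional.fields`) and derives `security_result.action` from `actResult`; the second uses `target_*_set` flags so that only the first `highlightedObjects` entry of a given kind lands in a dedicated `target` field. The following Python model of both rules is an added example for checking expected UDM output against the change log; it is not the parser's own code. The raw key names `type`, `field` and `value` for each highlighted object are assumed counterparts of the `objecttype`, `objectfield` and `object.CustomValue` names the log uses, treating `actResult` as a list with one `security_result` per element and routing a second occurrence of an already-set field to labels are assumptions, and all sample values are constructed.

```python
import ipaddress

# Constructed sample event shaped like the raw fields the change log names
# (endpoint.name, endpoint.ips, actResult); every value is made up.
SAMPLE_EVENT = {
    "endpoint": {"name": "ws-0042", "ips": ["10.1.2.3", "fe80::1", "not-an-ip"]},
    "actResult": ["Passed", "Failed"],
}

# Constructed highlightedObjects list. The keys type/field/value are ASSUMED to be the
# raw counterparts of the parser-internal objecttype/objectfield/object.CustomValue.
SAMPLE_OBJECTS = [
    {"type": "command_line", "field": "objectCmd", "value": "cmd.exe /c whoami"},
    {"type": "command_line", "field": "parentCmd", "value": "explorer.exe"},
    {"type": "command_line", "field": "objectCmd", "value": "second-cmd"},  # flag already set
    {"type": "file_sha1", "field": "processFileHashSha1", "value": "a" * 40},
    {"type": "fullpath", "field": "otherPath", "value": "C:\\x\\y.exe"},  # unlisted field
]


def _set(udm, dotted_path, value):
    """Write value at a dotted UDM path, creating intermediate dicts as needed."""
    parts = dotted_path.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def map_endpoint_and_action(raw):
    """2025-04-22 rules: hostname, validated IPs with fallback, actResult -> action."""
    udm = {"additional": {"fields": {}}, "principal": {"ip": [], "asset": {"ip": []}},
           "security_result": []}
    endpoint = raw.get("endpoint", {})
    name = endpoint.get("name")
    if name:  # endpoint.name now goes to principal.hostname and principal.asset.hostname only
        udm["principal"]["hostname"] = name
        udm["principal"]["asset"]["hostname"] = name
    for candidate in endpoint.get("ips", []):
        try:
            ipaddress.ip_address(candidate)  # accepts IPv4 and IPv6, raises on junk
        except ValueError:
            udm["additional"]["fields"].setdefault("endpoint.ips", []).append(candidate)
            continue
        udm["principal"]["ip"].append(candidate)
        udm["principal"]["asset"]["ip"].append(candidate)
    if "actResult" in raw:
        udm["additional"]["fields"]["actResult"] = list(raw["actResult"])
        for result in raw["actResult"]:  # ASSUMED: one security_result per list element
            udm["security_result"].append({"action": "ALLOW" if result == "Passed" else "BLOCK"})
    return udm


# (objecttype, objectfield) -> (flag modelling the target_*_set boolean, UDM paths written).
FIRST_WINS = {
    ("command_line", "objectCmd"): ("target_commandline_process_set",
                                    ["target.process.command_line"]),
    ("command_line", "parentCmd"): ("target_commandline_parent_process_set",
                                    ["target.process.parent_process.command_line"]),
    ("file_sha1", "processFileHashSha1"): ("target_filesha1_set",
                                           ["target.file.sha1", "target.process.file.sha1"]),
    ("file_sha1", "parentFileHashSha1"): ("target_parent_filesha1_set",
                                          ["target.process.parent_process.file.sha1"]),
    ("fullpath", "processFilePath"): ("target_filepath_set",
                                      ["target.file.full_path", "target.process.file.full_path"]),
    ("fullpath", "parentFilePath"): ("target_parent_filepath_set",
                                     ["target.process.parent_process.file.full_path"]),
}


def map_highlighted_objects(objects):
    """2025-03-21 rules: first matching object wins a target field, the rest become labels."""
    udm = {"target": {"resource": {"attribute": {"labels": []}}}}
    flags_set = set()  # names of target_*_set flags that have flipped to true
    for obj in objects:
        key = (obj.get("type"), obj.get("field"))
        if key[0] not in {"command_line", "file_sha1", "fullpath"}:
            continue  # other object types are outside the scope of this entry
        rule = FIRST_WINS.get(key)
        if rule and rule[0] not in flags_set:
            flags_set.add(rule[0])
            for path in rule[1]:
                _set(udm, path, obj.get("value"))
        else:
            # Unlisted field for this type, or (ASSUMED) the flag was already set: keep as a label.
            udm["target"]["resource"]["attribute"]["labels"].append(
                {"key": obj.get("field"), "value": obj.get("value")})
    return udm


if __name__ == "__main__":
    print(map_endpoint_and_action(SAMPLE_EVENT))
    print(map_highlighted_objects(SAMPLE_OBJECTS))
```

Running the module on the constructed samples shows `not-an-ip` diverted to `additional.fields`, both `Passed`/`Failed` results turned into `ALLOW`/`BLOCK`, the duplicate `objectCmd` object demoted to a label because its flag was already set, and `otherPath` landing in labels because no dedicated `fullpath` field exists for it.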