Change log for TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES
Date | Changes |
---|---|
2025-07-25 | Enhancement:
- event.idm.read_only_udm.principal.asset.asset_id: Newly mapped endpoint.guid raw log field to event.idm.read_only_udm.principal.asset.asset_id.
- event.idm.read_only_udm.security_result.rule_version: Newly mapped fl.unique_id raw log field to event.idm.read_only_udm.security_result.rule_version.
- event.idm.read_only_udm.principal.user.userid: Newly mapped logonUser raw log field to event.idm.read_only_udm.principal.user.userid.
- event.idm.read_only_udm.principal.user.userid: Newly mapped processUser raw log field to event.idm.read_only_udm.principal.user.userid.
- event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped userDomain raw log field to event.idm.read_only_udm.principal.user.group_identifiers.
- event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped processUserGroupSids raw log field to event.idm.read_only_udm.principal.user.group_identifiers.
- event.idm.read_only_udm.principal.mac: Newly mapped endpointMacAddress raw log field to event.idm.read_only_udm.principal.mac.
- event.idm.read_only_udm.principal.asset.mac: Newly mapped endpointMacAddress raw log field to event.idm.read_only_udm.principal.asset.mac.
- event.idm.read_only_udm.principal.ip: Newly mapped endpointIp raw log field to event.idm.read_only_udm.principal.ip.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped endpointIp raw log field to event.idm.read_only_udm.principal.asset.ip.
- event.idm.read_only_udm.target.user.group_identifiers: Newly mapped objectUserGroupSids raw log field to event.idm.read_only_udm.target.user.group_identifiers.
- event.idm.read_only_udm.target.user.group_identifiers: Newly mapped objectUserDomain raw log field to event.idm.read_only_udm.target.user.group_identifiers.
- event.idm.read_only_udm.principal.process.pid: Newly mapped processPid raw log field to event.idm.read_only_udm.principal.process.pid.
- event.idm.read_only_udm.principal.process.file.md5: Newly mapped processFileHashMd5 raw log field to event.idm.read_only_udm.principal.process.file.md5.
- event.idm.read_only_udm.principal.process.file.sha1: Newly mapped processFileHashSha1 raw log field to event.idm.read_only_udm.principal.process.file.sha1.
- event.idm.read_only_udm.principal.process.file.sha256: Newly mapped processFileHashSha256 raw log field to event.idm.read_only_udm.principal.process.file.sha256.
- event.idm.read_only_udm.principal.process.file.size: Newly mapped processFileSize raw log field to event.idm.read_only_udm.principal.process.file.size.
- event.idm.read_only_udm.principal.process.file.names: Newly mapped processName raw log field to event.idm.read_only_udm.principal.process.file.names.
- event.idm.read_only_udm.principal.process.file.names: Newly mapped processFileOriginalName raw log field to event.idm.read_only_udm.principal.process.file.names.
- event.idm.read_only_udm.principal.process.file.first_seen_time: Newly mapped processFileCreation raw log field to event.idm.read_only_udm.principal.process.file.first_seen_time.
- event.idm.read_only_udm.principal.process.integrity_level_rid: Newly mapped integrityLevel raw log field to event.idm.read_only_udm.principal.process.integrity_level_rid.
- event.idm.read_only_udm.principal.process.parent_process.pid: Newly mapped parentPid raw log field to event.idm.read_only_udm.principal.process.parent_process.pid.
- event.idm.read_only_udm.principal.process.parent_process.file.md5: Newly mapped parentFileHashMd5 raw log field to event.idm.read_only_udm.principal.process.parent_process.file.md5.
- event.idm.read_only_udm.principal.process.parent_process.file.sha1: Newly mapped parentFileHashSha1 raw log field to event.idm.read_only_udm.principal.process.parent_process.file.sha1.
- event.idm.read_only_udm.principal.process.parent_process.file.sha256: Newly mapped parentFileHashSha256 raw log field to event.idm.read_only_udm.principal.process.parent_process.file.sha256.
- event.idm.read_only_udm.principal.process.parent_process.file.full_path: Newly mapped parentFilePath raw log field to event.idm.read_only_udm.principal.process.parent_process.file.full_path.
- event.idm.read_only_udm.principal.process.parent_process.file.size: Newly mapped parentFileSize raw log field to event.idm.read_only_udm.principal.process.parent_process.file.size.
- event.idm.read_only_udm.principal.process.parent_process.file.names: Newly mapped parentName raw log field to event.idm.read_only_udm.principal.process.parent_process.file.names.
- event.idm.read_only_udm.principal.process.parent_process.file.names: Newly mapped parentFileOriginalName raw log field to event.idm.read_only_udm.principal.process.parent_process.file.names.
- event.idm.read_only_udm.principal.process.parent_process.file.first_seen_time: Newly mapped parentFileCreation raw log field to event.idm.read_only_udm.principal.process.parent_process.file.first_seen_time.
- event.idm.read_only_udm.principal.process.parent_process.integrity_level_rid: Newly mapped parentIntegrityLevel raw log field to event.idm.read_only_udm.principal.process.parent_process.integrity_level_rid.
- event.idm.read_only_udm.target.process.pid: Newly mapped objectPid raw log field to event.idm.read_only_udm.target.process.pid.
- event.idm.read_only_udm.target.user.userid: Newly mapped objectUser raw log field to event.idm.read_only_udm.target.user.userid.
- event.idm.read_only_udm.target.process.file.md5: Newly mapped objectFileHashMd5 raw log field to event.idm.read_only_udm.target.process.file.md5.
- event.idm.read_only_udm.target.process.file.sha1: Newly mapped objectFileHashSha1 raw log field to event.idm.read_only_udm.target.process.file.sha1.
- event.idm.read_only_udm.target.process.file.sha256: Newly mapped objectFileHashSha256 raw log field to event.idm.read_only_udm.target.process.file.sha256.
- event.idm.read_only_udm.target.process.file.names: Newly mapped objectName raw log field to event.idm.read_only_udm.target.process.file.names.
- event.idm.read_only_udm.target.process.file.names: Newly mapped objectFileOriginalName raw log field to event.idm.read_only_udm.target.process.file.names.
- event.idm.read_only_udm.target.process.file.first_seen_time: Newly mapped objectFileCreation raw log field to event.idm.read_only_udm.target.process.file.first_seen_time.
- event.idm.read_only_udm.target.file.size: Newly mapped objectFileSize raw log field to event.idm.read_only_udm.target.file.size.
- event.idm.read_only_udm.target.process.integrity_level_rid: Newly mapped objectIntegrityLevel raw log field to event.idm.read_only_udm.target.process.integrity_level_rid.
- event.idm.read_only_udm.target.registry.registry_key: Newly mapped objectRegistryKeyHandle raw log field to event.idm.read_only_udm.target.registry.registry_key.
- event.idm.read_only_udm.target.registry.registry_value_name: Newly mapped objectRegistryValue raw log field to event.idm.read_only_udm.target.registry.registry_value_name.
- event.idm.read_only_udm.target.registry.registry_value_data: Newly mapped objectRegistryData raw log field to event.idm.read_only_udm.target.registry.registry_value_data.
- event.idm.read_only_udm.principal.platform: Newly mapped osName raw log field to event.idm.read_only_udm.principal.platform.
- event.idm.read_only_udm.principal.platform_version: Newly mapped osVer raw log field to event.idm.read_only_udm.principal.platform_version.
- event.idm.read_only_udm.network.session_id: Newly mapped objectSessionId raw log field to event.idm.read_only_udm.network.session_id.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is processCmd.
- event.idm.read_only_udm.principal.process.command_line: Mapped highlight.value raw log field to event.idm.read_only_udm.principal.process.command_line where highlight.field is processCmd.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is objectCmd.
- event.idm.read_only_udm.target.process.command_line: Mapped highlight.value raw log field to event.idm.read_only_udm.target.process.command_line where highlight.field is objectCmd.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is parentCmd.
- event.idm.read_only_udm.principal.process.parent_process.command_line: Mapped highlight.value raw log field to event.idm.read_only_udm.principal.process.parent_process.command_line where highlight.field is parentCmd.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is objectFilePath.
- event.idm.read_only_udm.target.process.file.full_path: Mapped highlight.value raw log field to event.idm.read_only_udm.target.process.file.full_path where highlight.field is objectFilePath.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is processFilePath.
- event.idm.read_only_udm.principal.process.file.full_path: Mapped highlight.value raw log field to event.idm.read_only_udm.principal.process.file.full_path where highlight.field is processFilePath.
2025-04-07 |
- Newly created parser.
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped endpoint.name raw log field to the event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname UDM fields.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped endpoint.ips raw log field to the event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip UDM fields.
- event.idm.read_only_udm.principal.user.userid: Newly mapped entityName raw log field to the event.idm.read_only_udm.principal.user.userid UDM field when entityType is identity.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped filters.id raw log field to the event.idm.read_only_udm.security_result.rule_id UDM field.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped filters.name raw log field to the event.idm.read_only_udm.security_result.rule_name UDM field.
- event.idm.read_only_udm.security_result.description: Newly mapped filters.description raw log field to the event.idm.read_only_udm.security_result.description UDM field.
- event.idm.read_only_udm.security_result.severity: Newly mapped filters.level raw log field to the event.idm.read_only_udm.security_result.severity UDM field.
- event.idm.read_only_udm.security_result.attack_details.tactics: Newly mapped filters.tactics raw log field to the event.idm.read_only_udm.security_result.attack_details.tactics UDM field.
- event.idm.read_only_udm.security_result.attack_details.techniques: Newly mapped filters.techniques raw log field to the event.idm.read_only_udm.security_result.attack_details.techniques UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped filters.highlightedObjects.field raw log field to the event.idm.read_only_udm.security_result.detection_fields UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped filters.highlightedObjects.type raw log field to the event.idm.read_only_udm.security_result.detection_fields UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped filters.highlightedObjects.value raw log field to the event.idm.read_only_udm.security_result.detection_fields UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped detail raw log field to the event.idm.read_only_udm.additional.fields UDM field.