Change log for TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES

Date Changes
2025-07-25 Enhancement:
- event.idm.read_only_udm.principal.asset.asset_id: Newly mapped endpoint.guid raw log field to event.idm.read_only_udm.principal.asset.asset_id.
- event.idm.read_only_udm.security_result.rule_version: Newly mapped fl.unique_id raw log field to event.idm.read_only_udm.security_result.rule_version.
- event.idm.read_only_udm.principal.user.userid: Newly mapped logonUser raw log field to event.idm.read_only_udm.principal.user.userid.
- event.idm.read_only_udm.principal.user.userid: Newly mapped processUser raw log field to event.idm.read_only_udm.principal.user.userid.
- event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped userDomain raw log field to event.idm.read_only_udm.principal.user.group_identifiers.
- event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped processUserGroupSids raw log field to event.idm.read_only_udm.principal.user.group_identifiers.
- event.idm.read_only_udm.principal.mac: Newly mapped endpointMacAddress raw log field to event.idm.read_only_udm.principal.mac.
- event.idm.read_only_udm.principal.asset.mac: Newly mapped endpointMacAddress raw log field to event.idm.read_only_udm.principal.asset.mac.
- event.idm.read_only_udm.principal.ip: Newly mapped endpointIp raw log field to event.idm.read_only_udm.principal.ip.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped endpointIp raw log field to event.idm.read_only_udm.principal.asset.ip.
- event.idm.read_only_udm.target.user.group_identifiers: Newly mapped objectUserGroupSids raw log field to event.idm.read_only_udm.target.user.group_identifiers.
- event.idm.read_only_udm.target.user.group_identifiers: Newly mapped objectUserDomain raw log field to event.idm.read_only_udm.target.user.group_identifiers.
- event.idm.read_only_udm.principal.process.pid: Newly mapped processPid raw log field to event.idm.read_only_udm.principal.process.pid.
- event.idm.read_only_udm.principal.process.file.md5: Newly mapped processFileHashMd5 raw log field to event.idm.read_only_udm.principal.process.file.md5.
- event.idm.read_only_udm.principal.process.file.sha1: Newly mapped processFileHashSha1 raw log field to event.idm.read_only_udm.principal.process.file.sha1.
- event.idm.read_only_udm.principal.process.file.sha256: Newly mapped processFileHashSha256 raw log field to event.idm.read_only_udm.principal.process.file.sha256.
- event.idm.read_only_udm.principal.process.file.size: Newly mapped processFileSize raw log field to event.idm.read_only_udm.principal.process.file.size.
- event.idm.read_only_udm.principal.process.file.names: Newly mapped processName raw log field to event.idm.read_only_udm.principal.process.file.names.
- event.idm.read_only_udm.principal.process.file.names: Newly mapped processFileOriginalName raw log field to event.idm.read_only_udm.principal.process.file.names.
- event.idm.read_only_udm.principal.process.file.first_seen_time: Newly mapped processFileCreation raw log field to event.idm.read_only_udm.principal.process.file.first_seen_time.
- event.idm.read_only_udm.principal.process.integrity_level_rid: Newly mapped integrityLevel raw log field to event.idm.read_only_udm.principal.process.integrity_level_rid.
- event.idm.read_only_udm.principal.process.parent_process.pid: Newly mapped parentPid raw log field to event.idm.read_only_udm.principal.process.parent_process.pid.
- event.idm.read_only_udm.principal.process.parent_process.file.md5: Newly mapped parentFileHashMd5 raw log field to event.idm.read_only_udm.principal.process.parent_process.file.md5.
- event.idm.read_only_udm.principal.process.parent_process.file.sha1: Newly mapped parentFileHashSha1 raw log field to event.idm.read_only_udm.principal.process.parent_process.file.sha1.
- event.idm.read_only_udm.principal.process.parent_process.file.sha256: Newly mapped parentFileHashSha256 raw log field to event.idm.read_only_udm.principal.process.parent_process.file.sha256.
- event.idm.read_only_udm.principal.process.parent_process.file.full_path: Newly mapped parentFilePath raw log field to event.idm.read_only_udm.principal.process.parent_process.file.full_path.
- event.idm.read_only_udm.principal.process.parent_process.file.size: Newly mapped parentFileSize raw log field to event.idm.read_only_udm.principal.process.parent_process.file.size.
- event.idm.read_only_udm.principal.process.parent_process.file.names: Newly mapped parentName raw log field to event.idm.read_only_udm.principal.process.parent_process.file.names.
- event.idm.read_only_udm.principal.process.parent_process.file.names: Newly mapped parentFileOriginalName raw log field to event.idm.read_only_udm.principal.process.parent_process.file.names.
- event.idm.read_only_udm.principal.process.parent_process.file.first_seen_time: Newly mapped parentFileCreation raw log field to event.idm.read_only_udm.principal.process.parent_process.file.first_seen_time.
- event.idm.read_only_udm.principal.process.parent_process.integrity_level_rid: Newly mapped parentIntegrityLevel raw log field to event.idm.read_only_udm.principal.process.parent_process.integrity_level_rid.
- event.idm.read_only_udm.target.process.pid: Newly mapped objectPid raw log field to event.idm.read_only_udm.target.process.pid.
- event.idm.read_only_udm.target.user.userid: Newly mapped objectUser raw log field to event.idm.read_only_udm.target.user.userid.
- event.idm.read_only_udm.target.process.file.md5: Newly mapped objectFileHashMd5 raw log field to event.idm.read_only_udm.target.process.file.md5.
- event.idm.read_only_udm.target.process.file.sha1: Newly mapped objectFileHashSha1 raw log field to event.idm.read_only_udm.target.process.file.sha1.
- event.idm.read_only_udm.target.process.file.sha256: Newly mapped objectFileHashSha256 raw log field to event.idm.read_only_udm.target.process.file.sha256.
- event.idm.read_only_udm.target.process.file.names: Newly mapped objectName raw log field to event.idm.read_only_udm.target.process.file.names.
- event.idm.read_only_udm.target.process.file.names: Newly mapped objectFileOriginalName raw log field to event.idm.read_only_udm.target.process.file.names.
- event.idm.read_only_udm.target.process.file.first_seen_time: Newly mapped objectFileCreation raw log field to event.idm.read_only_udm.target.process.file.first_seen_time.
- event.idm.read_only_udm.target.file.size: Newly mapped objectFileSize raw log field to event.idm.read_only_udm.target.file.size.
- event.idm.read_only_udm.target.process.integrity_level_rid: Newly mapped objectIntegrityLevel raw log field to event.idm.read_only_udm.target.process.integrity_level_rid.
- event.idm.read_only_udm.target.registry.registry_key: Newly mapped objectRegistryKeyHandle raw log field to event.idm.read_only_udm.target.registry.registry_key.
- event.idm.read_only_udm.target.registry.registry_value_name: Newly mapped objectRegistryValue raw log field to event.idm.read_only_udm.target.registry.registry_value_name.
- event.idm.read_only_udm.target.registry.registry_value_data: Newly mapped objectRegistryData raw log field to event.idm.read_only_udm.target.registry.registry_value_data.
- event.idm.read_only_udm.principal.platform: Newly mapped osName raw log field to event.idm.read_only_udm.principal.platform.
- event.idm.read_only_udm.principal.platform_version: Newly mapped osVer raw log field to event.idm.read_only_udm.principal.platform_version.
- event.idm.read_only_udm.network.session_id: Newly mapped objectSessionId raw log field to event.idm.read_only_udm.network.session_id.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is processCmd.
- event.idm.read_only_udm.principal.process.command_line: Mapped highlight.value raw log field to event.idm.read_only_udm.principal.process.command_line where highlight.field is processCmd.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is objectCmd.
- event.idm.read_only_udm.target.process.command_line: Mapped highlight.value raw log field to event.idm.read_only_udm.target.process.command_line where highlight.field is objectCmd.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is parentCmd.
- event.idm.read_only_udm.principal.process.parent_process.command_line: Mapped highlight.value raw log field to event.idm.read_only_udm.principal.process.parent_process.command_line where highlight.field is parentCmd.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is objectFilePath.
- event.idm.read_only_udm.target.process.file.full_path: Mapped highlight.value raw log field to event.idm.read_only_udm.target.process.file.full_path where highlight.field is objectFilePath.
- event.idm.read_only_udm.security_result.detection_fields: Removed mapping of highlight.value from event.idm.read_only_udm.security_result.detection_fields where highlight.field is processFilePath.
- event.idm.read_only_udm.principal.process.file.full_path: Mapped highlight.value raw log field to event.idm.read_only_udm.principal.process.file.full_path where highlight.field is processFilePath.
2025-04-07 Newly created parser:
- event.idm.read_only_udm.principal.hostname: Newly mapped endpoint.name raw log field to event.idm.read_only_udm.principal.hostname.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped endpoint.name raw log field to event.idm.read_only_udm.principal.asset.hostname.
- event.idm.read_only_udm.principal.ip: Newly mapped endpoint.ips raw log field to event.idm.read_only_udm.principal.ip.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped endpoint.ips raw log field to event.idm.read_only_udm.principal.asset.ip.
- event.idm.read_only_udm.principal.user.userid: Newly mapped entityName raw log field to event.idm.read_only_udm.principal.user.userid when entityType is identity.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped filters.id raw log field to event.idm.read_only_udm.security_result.rule_id.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped filters.name raw log field to event.idm.read_only_udm.security_result.rule_name.
- event.idm.read_only_udm.security_result.description: Newly mapped filters.description raw log field to event.idm.read_only_udm.security_result.description.
- event.idm.read_only_udm.security_result.severity: Newly mapped filters.level raw log field to event.idm.read_only_udm.security_result.severity.
- event.idm.read_only_udm.security_result.attack_details.tactics: Newly mapped filters.tactics raw log field to event.idm.read_only_udm.security_result.attack_details.tactics.
- event.idm.read_only_udm.security_result.attack_details.techniques: Newly mapped filters.techniques raw log field to event.idm.read_only_udm.security_result.attack_details.techniques.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped filters.highlightedObjects.field raw log field to event.idm.read_only_udm.security_result.detection_fields.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped filters.highlightedObjects.type raw log field to event.idm.read_only_udm.security_result.detection_fields.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped filters.highlightedObjects.value raw log field to event.idm.read_only_udm.security_result.detection_fields.
- event.idm.read_only_udm.additional.fields: Newly mapped detail raw log field to event.idm.read_only_udm.additional.fields.