Change log for TRENDMICRO_VISION_ONE_WORKBENCH

| Date | Changes |
|---|---|
| 2025-08-14 | Enhancement:<br>- `event.idm.read_only_udm.security_result.detection_fields`: Changed mapping for `event.idm.read_only_udm.security_result.detection_fields.key` from `indicator.type` to `indicator.field` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Changed mapping for `event.idm.read_only_udm.security_result.detection_fields.key` from `field` to `type` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Changed mapping for `event.idm.read_only_udm.security_result.detection_fields.value` from `indicator.field` to `indicator.type` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `alertProvider` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.metadata.product_version`: Newly mapped `schemaVersion` raw log field(s) with `event.idm.read_only_udm.metadata.product_version` UDM field when `schemaVersion` is not empty.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped `severity` raw log field(s) with `event.idm.read_only_udm.security_result.severity` UDM field when `severity` is one of "CRITICAL", "HIGH", "MEDIUM", or "LOW".<br>- `event.idm.read_only_udm.network.email.mail_id`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.network.email.mail_id` UDM field when `indicator.type` is "email_message_id" and `has_email_message_id` is "false".<br>- `event.idm.read_only_udm.network.email.subject`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.network.email.subject` UDM field when `indicator.type` is "email_subject".<br>- `event.idm.read_only_udm.about.url`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.about.url` UDM field when `indicator.type` is "url" and `has_url` is "false".<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.user.userid` UDM field when `indicator.type` is "user_account" and `has_user` is "false".<br>- `event.idm.read_only_udm.principal.process.command_line`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.process.command_line` UDM field when `indicator.type` is "command_line", `indicator.field` is "processCmd", and `has_principal_process` is "false".<br>- `event.idm.read_only_udm.principal.process.parent_process.command_line`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.process.parent_process.command_line` UDM field when `indicator.type` is "command_line", `indicator.field` is "parentCmd", and `has_parent_process` is "false".<br>- `event.idm.read_only_udm.target.process.command_line`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.target.process.command_line` UDM field when `indicator.type` is "command_line", `indicator.field` is "objectCmd", and `has_target_process` is "false".<br>- `event.idm.read_only_udm.principal.process.file.sha256`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.process.file.sha256` UDM field when `indicator.type` is "file_sha256", `indicator.field` is "processFileHashSha256", `has_principal_sha256` is "false", and `indicator.value` matches the regex `^[0-9a-f]+$`.<br>- `event.idm.read_only_udm.about.file.full_path`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.about.file.full_path` UDM field when `indicator.type` is "fullpath".<br>- `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `indicator.value` raw log field(s) with `event.idm.read_only_udm.principal.user.email_addresses` UDM field when `indicator.type` is "email_sender".<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `modelId` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `modelType` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `incidentId` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: If `has_user` == "true" and `has_principal_email` == "true", updated to USER_UNCATEGORIZED. |
| 2025-07-31 | Enhancement:<br>- Added a new grok pattern to parse the IP from the raw log field "src_ip". |
| 2025-05-13 | Enhancement:<br>- Added a condition to check if `entity.entityValue.name` is not empty before populating the `principal.hostname` and `principal.asset.hostname` UDM fields. |
| 2024-10-27 | - Newly created parser. |
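The 2025-08-14 entry describes a set of conditional indicator-to-UDM mappings (type/field matching, the `has_*` guards, the SHA-256 regex check and the swapped `detection_fields` key/value). The following Python is an added model of those rules for checking expected output against a constructed alert; it is not the parser's own code. It assumes the alert carries its indicators in an `indicators` list with `type`, `field` and `value` keys, and that a `has_*` flag is "false" exactly while the target UDM path is still unset.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-f]+$")
ALLOWED_SEVERITY = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}

# (indicator.type, required indicator.field or None, UDM path, guarded by a has_* flag).
# Assumption: has_* is "false" while the path is unset, so the first matching indicator wins.
INDICATOR_RULES = [
    ("email_message_id", None, "network.email.mail_id", True),
    ("email_subject", None, "network.email.subject", False),
    ("url", None, "about.url", True),
    ("user_account", None, "principal.user.userid", True),
    ("command_line", "processCmd", "principal.process.command_line", True),
    ("command_line", "parentCmd", "principal.process.parent_process.command_line", True),
    ("command_line", "objectCmd", "target.process.command_line", True),
    ("file_sha256", "processFileHashSha256", "principal.process.file.sha256", True),
    ("fullpath", None, "about.file.full_path", False),
    ("email_sender", None, "principal.user.email_addresses", False),
]
REPEATED = {"security_result.detection_fields", "principal.user.email_addresses"}

def _set(udm, path, value):
    if path in REPEATED:                    # repeated UDM fields accumulate
        udm.setdefault(path, []).append(value)
    else:
        udm[path] = value

def map_alert(alert):
    """Return the UDM fields (flattened dotted paths) for one Workbench alert dict."""
    udm = {}
    if alert.get("schemaVersion"):
        _set(udm, "metadata.product_version", alert["schemaVersion"])
    if alert.get("severity") in ALLOWED_SEVERITY:      # exact match, as the entry states
        _set(udm, "security_result.severity", alert["severity"])
    for key in ("modelId", "modelType"):
        if alert.get(key):
            _set(udm, "security_result.detection_fields", {"key": key, "value": alert[key]})
    for ind in alert.get("indicators", []):
        itype, ifield, ival = ind.get("type"), ind.get("field"), ind.get("value", "")
        _set(udm, "security_result.detection_fields", {"key": ifield, "value": itype})  # key<-field, value<-type
        for rtype, rfield, path, guarded in INDICATOR_RULES:
            if itype != rtype or (rfield and ifield != rfield):
                continue
            if rtype == "file_sha256" and not SHA256_RE.match(ival):
                break                                  # fails the ^[0-9a-f]+$ guard
            if guarded and path in udm:
                break                                  # has_* is "true": earlier value kept
            _set(udm, path, ival)
            break
    return udm
```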