Change log for UMBRELLA_DNS
Date | Changes |
---|---|
2025-08-22 | Enhancement (all UDM paths below are under `event.idm.read_only_udm`):
- Mapped `username` to `principal.user.user_display_name`.
- Mapped `email` to `principal.user.email_addresses`.
When `column4` is not an IP and `column3` and `column5` are IPs:
- Mapped `column1` to `metadata.event_timestamp`.
- Mapped `column3` to `principal.ip` and `principal.asset.ip`.
- Mapped `column4` to `principal.port`.
- Mapped `column5` to `target.ip` and `target.asset.ip`.
- Mapped `column6` to `target.port`.
- Mapped `column7` to `security_result.category_details`.
- Mapped `column8` to `additional.fields`.
When `column16` and `column17` are IPs:
- Mapped `column4` to `principal.location.name`.
- Mapped `column5` to `principal.user.user_display_name`.
- Mapped `column12` to `principal.location.city`.
- Mapped `column16` to `principal.ip` and `principal.asset.ip`.
- Mapped `column17` to `target.ip` and `target.asset.ip`.
- Mapped `column18` to `security_result.action_details`.
- Mapped `column20` to `additional.fields`.
- Mapped `column22`, `column23`, `column24`, `column25`, `column26`, `column27`, and `column28` to `security_result.category_details`.
When `column5` and `column6` are IPs:
- Mapped `column1` to `metadata.event_timestamp`.
- Mapped `column2` to `principal.namespace`.
- Mapped `column3` to `target.namespace`.
- Mapped `column4` to `principal.user.userid`.
- Mapped `column5` to `principal.ip` and `principal.asset.ip`.
- Mapped `column6` to `target.ip` and `target.asset.ip`.
- Mapped `column7` to `security_result.action_details`.
- Mapped `column9` to `additional.fields`.
- Mapped `column11`, `column12`, `column13`, `column14`, `column15`, and `column16` to `security_result.category_details`.
- Mapped `column19` to `security_result.rule_id`.
When `column4` is not an IP and `column14` and `column15` are IPs (these columns belong to `csvData`, the CSV substring of the message):
- Mapped `column1` to `metadata.event_timestamp`.
- Mapped `column2` to `principal.user.userid`.
- Mapped `column11` to `principal.location.city`.
- Mapped `column12` to `principal.location.name`.
- Mapped `c_pip` to `principal.ip` and `principal.asset.ip`.
- Mapped `c_tip` to `target.ip` and `target.asset.ip`.
- Mapped `column16` to `security_result.action_details`.
- Mapped `column18` to `additional.fields`.
- Mapped `column19`, `column20`, `column21`, `column22`, `column23`, `column24`, `column25`, `column26`, and `column27` to `security_result.category_details`.
When `column4` is not an IP and `column10` and `column11` are IPs:
- Mapped `column2` to `metadata.product_event_type`.
- Mapped `column8` to `principal.user.userid`.
- Mapped `column10_ip` to `principal.ip` and `principal.asset.ip`.
- Mapped `column11_ip` to `target.ip` and `target.asset.ip`.
- Mapped `column12` to `security_result.action_details`.
- Mapped `column14` to `additional.fields`.
- Mapped `column16`, `column17`, `column18`, `column19`, `column20`, and `column21` to `security_result.category_details`.
When `column8` and `column9` are IPs:
- Mapped `column2` to `metadata.product_event_type`.
- Mapped `column8_ip` to `principal.ip` and `principal.asset.ip`.
- Mapped `column9_ip` to `target.ip` and `target.asset.ip`.
- Mapped `column10` to `security_result.action_details`.
- Mapped `column12` to `additional.fields`.
- Mapped `column13`, `column14`, `column15`, `column16`, `column18`, `column19`, `column20`, and `column21` to `security_result.category_details`.
When `column7` and `column8` are IPs:
- Mapped `column2` to `metadata.product_event_type`.
- Mapped `column7` to `principal.ip` and `principal.asset.ip`.
- Mapped `column8` to `target.ip` and `target.asset.ip`.
- Mapped `column9` to `security_result.action_details`.
- Mapped `column11` to `additional.fields`.
- Mapped `column13`, `column14`, `column16`, `column17`, and `column18` to `security_result.category_details`.
When `column6` and `column7` are IPs:
- Mapped `column2` to `metadata.product_event_type`.
- Mapped `column6` to `principal.ip` and `principal.asset.ip`.
- Mapped `column7` to `target.ip` and `target.asset.ip`.
- Mapped `column8` to `security_result.action_details`.
- Mapped `column10` to `additional.fields`.
- Mapped `column12`, `column13`, `column14`, `column15`, `column16`, `column17`, `column19`, and `column20` to `security_result.category_details`.
When `column7` is an IP and `column3` is an email address:
- Mapped `column3` to `principal.user.email_addresses`.
- Mapped `column7` to `principal.ip` and `principal.asset.ip`.
- Mapped `column4` and `column5` to `security_result.category_details`.
- Mapped `column6` to `additional.fields`.
When `column4` contains the word "create" and `column5` is an IP:
- Mapped `column3` to `metadata.product_event_type`.
- Mapped `column5` to `principal.ip` and `principal.asset.ip`.
- Mapped `userid` to `principal.user.userid`. |
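The 2025-08-22 entry selects a column layout by probing which positional columns hold IP addresses and only then assigns UDM fields. The following is an added example of that dispatch logic, written for this page; it is not the parser's own code. It models four of the documented layouts (column3/column5, column16/column17, column5/column6, and the "create" rule), evaluates them in the order the entry lists them (an assumption, since the parser's real precedence is not documented), uses short UDM paths, and runs on constructed sample records rather than real Umbrella exports. The `userid` raw field of the "create" rule comes from somewhere the entry does not show, so it is left out.

```python
import csv
import ipaddress
from typing import Callable, Dict, Optional

# Constructed sample records (not real Umbrella exports). The change log
# numbers columns from 1, so the accessor below keeps that numbering.
SAMPLE_COL3_COL5_IPS = ",".join([
    "2025-08-22T10:00:00Z", "org-1", "10.1.1.1", "51515",
    "198.51.100.9", "53", "Malware", "k=v",
])
SAMPLE_COL5_COL6_IPS = ",".join([
    "2025-08-22T10:00:01Z", "policy-ns", "target-ns", "jdoe",
    "10.0.0.5", "203.0.113.7", "Blocked", "", "k=v", "",
    "Malware", "Phishing", "", "", "", "", "", "", "rule-42",
])
SAMPLE_CREATE = ",".join([
    "2025-08-22T10:00:02Z", "org-1", "CreateTunnel", "create", "10.0.0.9",
])


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address (empty strings do not)."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def to_port(value: str) -> Optional[int]:
    """Port columns are only mapped when they hold a plausible integer port."""
    return int(value) if value.isdigit() and 0 <= int(value) <= 65535 else None


def split_columns(line: str) -> Callable[[int], str]:
    """Parse one CSV record and return an accessor for 1-indexed columns;
    a missing column reads as the empty string instead of raising."""
    row = next(csv.reader([line]), [])
    cols = [""] + [field.strip() for field in row]
    return lambda n: cols[n] if n < len(cols) else ""


def map_to_udm(line: str) -> Optional[Dict[str, object]]:
    """Pick a layout by which columns hold IPs and return short UDM paths.
    Layout order follows the change-log entry (an assumption, see lead-in)."""
    c = split_columns(line)

    # "column4 does not have IP and column5 and column3 have IP"
    if not is_ip(c(4)) and is_ip(c(3)) and is_ip(c(5)):
        return {
            "metadata.event_timestamp": c(1),
            "principal.ip": [c(3)], "principal.asset.ip": [c(3)],
            "principal.port": to_port(c(4)),
            "target.ip": [c(5)], "target.asset.ip": [c(5)],
            "target.port": to_port(c(6)),
            "security_result.category_details": [c(7)],
            "additional.fields": {"column8": c(8)},
        }

    # "column16 and column17 have IP"
    if is_ip(c(16)) and is_ip(c(17)):
        return {
            "principal.location.name": c(4),
            "principal.user.user_display_name": c(5),
            "principal.location.city": c(12),
            "principal.ip": [c(16)], "principal.asset.ip": [c(16)],
            "target.ip": [c(17)], "target.asset.ip": [c(17)],
            "security_result.action_details": c(18),
            "additional.fields": {"column20": c(20)},
            "security_result.category_details": [c(i) for i in range(22, 29) if c(i)],
        }

    # "column5 and column6 have IP"
    if is_ip(c(5)) and is_ip(c(6)):
        return {
            "metadata.event_timestamp": c(1),
            "principal.namespace": c(2),
            "target.namespace": c(3),
            "principal.user.userid": c(4),
            "principal.ip": [c(5)], "principal.asset.ip": [c(5)],
            "target.ip": [c(6)], "target.asset.ip": [c(6)],
            "security_result.action_details": c(7),
            "additional.fields": {"column9": c(9)},
            "security_result.category_details": [c(i) for i in range(11, 17) if c(i)],
            "security_result.rule_id": c(19),
        }

    # 'column4 contains "create" word and column5 have IP'
    if "create" in c(4).lower() and is_ip(c(5)):
        return {
            "metadata.product_event_type": c(3),
            "principal.ip": [c(5)], "principal.asset.ip": [c(5)],
        }

    return None  # no modelled layout matched; nothing is mapped
```

Because the checks are positional, a record that satisfies two conditions (for example IPs in column3, column5 and column6 with a non-IP column4) is claimed by whichever check runs first, so the order of the branches is part of the parser's behaviour and worth pinning down with test records like the ones above before relying on `principal.ip` in detections.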
2025-01-08 | Enhancement:
- Added a new Grok pattern to parse syslog data. - Added a new Grok pattern for the fields "responsecode" and "_internalip". |
2024-05-28 | Enhancement:
- Mapped "dns_record_type" to "additional.fields". |
2024-03-05 | Bug-Fix:
- Added a new Grok pattern to check whether "column3" contains "internal_ip" and "internal_port". - Added support for Network Tunnel CSV logs. - Mapped "rule_id" to "security_result.rule_id". - Mapped "dstport" to "target.port". - Mapped "srcPort" to "principal.port". - Mapped "_internalip" to "principal.ip". - Mapped "dstip" to "target.ip". - Mapped "direction" to "network.direction". - Mapped "tunnel_name" to "additional.fields". - Mapped "tunnel_type" to "metadata.product_event_type". - Mapped "origin_id" to "metadata.product_log_id". - Mapped "received_bytes" to "network.received_bytes". - Aligned mappings for "principal.ip" and "principal.asset.ip". - Aligned mappings for "target.ip" and "target.asset.ip". |
2023-11-07 | Enhancement:
- Mapped "first_name" to "principal.user.first_name" when "identityType" is "AD Users". - Mapped "last_name" to "principal.user.last_name" when "identityType" is "AD Users". - Added JSON mapping for "_identity_types" to support new pattern of "identity" value in logs. |
2023-09-29 | Enhancement:
- Mapped "returncode" to "network.dns.response_code". - Mapped "querytype" to "network.dns.question.type". - Mapped "type" to "additional.fields". - Mapped "categories" to "security_result.category_details". - Mapped "verdict" to "security_result.action" and "security_result.action_details". - Mapped "amp.disposition" to "security_result.detection_fields". - Mapped "amp.malware" to "security_result.detection_fields". - Mapped "amp.score" to "security_result.detection_fields". - Mapped "policy.rulesetid" to "security_result.detection_fields". - Mapped "requestsize" to "network.sent_bytes". - Mapped "responsesize" to "network.received_bytes". - Mapped "fileName" to "target.file.names". - Mapped "responsefilename" to "network.http.method". - Mapped "statuscode" to "network.http.response_code" - Mapped "tenantcontrols", "securityoverridden", and "forwardingmethod" to "additional.fields". |
2022-05-17 | Enhancement: Added conditional checks for "security_result.action". |
2022-04-13 | Enhancement: Parsed IP logs and Proxy logs which were dropped earlier. |
2022-03-23 | Enhancement: Added new field mapping. - Mapped DNS Lookup Type to labels. |