Change log for VECTRA_DETECT

Date Changes
2025-05-26 Enhancement:
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `detection_id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `id`, `entity_id`, `detail.event_id`, `detail.account_id`, `detail.dst_host.id`, `detail.dst_host.session_luid`, `detail.src_account.id` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `detection_type`, `entity_type`, `entity_uid`, `detail.event_name`, `detail.sensor.count`, `detail.count`, `detail.first_timestamp`, `detail.last_timestamp`, `detail.additional_details.client_name`, `detail.additional_details.cookie`, `detail.additional_details.encrypted`, `detail.additional_details.normal`, `phase1_bytes.sent`, `phase1_bytes.recv`, `phase2_bytes.sent`, `phase2_bytes.recv`, `breadth_contrib`, `entity_importance`, `importance`, `is_prioritized`, `urgency_score`, `velocity_contrib`, `attack_rating`, `active_detection_types`, `last_detection_type`, `last_detection_id` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `threat` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- `event.idm.read_only_udm.security_result.confidence`: Newly mapped `certainty` raw log field with `event.idm.read_only_udm.security_result.confidence` UDM field.
- `event.idm.read_only_udm.principal.url`: Newly mapped `detection_href` raw log field with `event.idm.read_only_udm.principal.url` UDM field.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `detail.src_host.ip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `detail.src_host.name` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- `event.idm.read_only_udm.target.ip`: Newly mapped `detail.dst_host.ip` raw log field with `event.idm.read_only_udm.target.ip` UDM field.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `detail.dst_host.name` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- `event.idm.read_only_udm.target.user.user_display_name`: Newly mapped `detail.src_account.name` raw log field with `event.idm.read_only_udm.target.user.user_display_name` UDM field.
- `event.idm.read_only_udm.target.user.userid`: Newly mapped `detail.dst_account.id` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- `event.idm.read_only_udm.target.user.user_display_name`: Newly mapped `detail.dst_account.name` raw log field with `event.idm.read_only_udm.target.user.user_display_name` UDM field.
- `event.idm.read_only_udm.observer.hostname`: Newly mapped `detail.sensor.name` raw log field with `event.idm.read_only_udm.observer.hostname` UDM field.
- `event.idm.read_only_udm.target.port`: Newly mapped `detail.dst_port`, `detail.additional_details.dst_ips` raw log fields with `event.idm.read_only_udm.target.port` UDM field.
- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped `detail.bytes_received` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- `event.idm.read_only_udm.target.url`: Newly mapped `last_detection_url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- `event.idm.read_only_udm.principal.user.email_addresses`: Newly mapped `detail.account_uid` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.
2025-05-14 - New label VECTRA_XDR created for RUX data; this label (VECTRA_DETECT) supports only QUX data.
- Updated parser to support only JSON format logs.
- Added support for detection, entities, match, lockdown, audit and health log types.
2025-01-16 Enhancement:
- Mapped "certainty" to "additional.fields".
2024-08-21 Enhancement:
- Added support for a new pattern of syslog logs.
2024-07-22 Enhancement:
- Mapped "threat", "certainty", and "score_decreases" to "additional.fields".
2024-05-03 Enhancement:
- Mapped "detection_profile.name", "detection_profile.vname", and "detection_profile.scoringDetections" to "security_result.detection_fields".
2024-04-18 Enhancement:
- Mapped "msg.quadrant" to "security_result.priority_details".
2024-03-04 Enhancement:
- Added support for new pattern of "Audit" type logs.
- When "suser" is a valid email, then mapped "suser" to "principal.user.email_addresses".
- When "suser" is not a valid email, then mapped "suser" to "principal.user.userid".
- Added a conversion fail check for "flexNumber1" and "flexNumber2".
- When "src" is not empty, then set "metadata.event_type" to "STATUS_UPDATE".
- When "user_present" is "true", then set "metadata.event_type" to "USER_UNCATEGORIZED".
- When "principal_present" is "true" and "target_present" is "true", then set "metadata.event_type" to "NETWORK_CONNECTION".
- Aligned "target.ip" and "target.asset.ip" mappings.
- Aligned "target.hostname" and "target.asset.hostname" mappings.
- Aligned "principal.ip" and "principal.asset.ip" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
2024-01-11 Enhancement:
- Added support for "Audit" and "Health" type logs.
- Mapped "message" to "security_result.summary".
- Mapped "security_result.action" to "BLOCK" when "result" is "failure".
- Mapped "security_result.action" to "ALLOW" when "result" is "true".
- Mapped "result" to "security_result.detection_fields".
- Mapped "type" to "metadata.product_event_type".
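The conditional mappings listed under 2024-03-04 (email check on "suser", event-type selection) and 2024-01-11 ("result" to "security_result.action"), shown as an added Python reimplementation over a constructed Audit record. This is illustrative code, not the Chronicle parser itself; the order in which the event-type conditions are evaluated and the fallback value are assumptions, since the change log states neither.

```python
import re
from typing import Any

# Constructed sample of an "Audit" type record; field names follow the raw
# log fields named in the change log, values are made up for this example.
SAMPLE_AUDIT = {
    "type": "audit",
    "suser": "analyst@example.com",
    "result": "failure",
    "message": "login failed",
    "src": "",
    "user_present": "true",
    "principal_present": "false",
    "target_present": "false",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def event_type_for(raw: dict[str, Any]) -> str:
    """metadata.event_type per the 2024-03-04 conditions, checked in the order
    the change log lists them (assumed); the fallback is also an assumption."""
    if raw.get("src"):
        return "STATUS_UPDATE"
    if raw.get("user_present") == "true":
        return "USER_UNCATEGORIZED"
    if raw.get("principal_present") == "true" and raw.get("target_present") == "true":
        return "NETWORK_CONNECTION"
    return "GENERIC_EVENT"  # assumed fallback, not stated on the page


def map_audit_event(raw: dict[str, Any]) -> dict[str, Any]:
    """Build a UDM-shaped dict from one raw Audit record."""
    udm: dict[str, Any] = {"metadata": {}, "principal": {"user": {}}, "security_result": {}}
    udm["metadata"]["product_event_type"] = raw.get("type")
    udm["metadata"]["event_type"] = event_type_for(raw)
    # "suser" goes to email_addresses only when it is a valid email, else to userid.
    suser = raw.get("suser", "")
    if EMAIL_RE.match(suser):
        udm["principal"]["user"]["email_addresses"] = [suser]
    elif suser:
        udm["principal"]["user"]["userid"] = suser
    sr = udm["security_result"]
    result = raw.get("result")
    sr["summary"] = raw.get("message")
    sr["detection_fields"] = [{"key": "result", "value": result}]
    if result == "failure":
        sr["action"] = ["BLOCK"]
    elif result == "true":
        sr["action"] = ["ALLOW"]
    return udm
```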
2023-10-12 Enhancement:
- Mapped "quadrant" to "security_result.priority_details".
- Added conditions to map "threat" to "security_result.severity" as "INFORMATIONAL", "LOW", "MEDIUM", "HIGH" and "CRITICAL".
- Added conditions to map "certainty" to "security_result.confidence" as "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE" and "HIGH_CONFIDENCE".
2023-04-14 Enhancement:
- Mapped "device_version" to "metadata.product_version".
- Mapped "externalId" to "metadata.product_log_id".
- Mapped "event_name" and "device_event_class_id" to "metadata.product_event_type".
- Mapped "cat" to "security_result.category_details".
- Mapped "dvc" to "observer.ip".
- Mapped "dvchost" to "observer.hostname".
- Mapped "shost" to "principal.hostname".
- Mapped "src" to "principal.ip".
- Mapped "dst" to "target.ip".
- Mapped "dhost" to "target.hostname".
- Mapped "cs5" to "additional.fields".
- Mapped "cs4" to "metadata.target.url".
- Mapped "out" to "network.sent_bytes".
- Mapped "in" to "network.received_bytes".
- Mapped "dpt" to "target.port".
- Mapped "cs5" to "read_only_udm.alert".
- Mapped "severity" to "security_result.severity_details".
- Mapped "flexNumber1" to "security_result.severity".
- Mapped "flexNumber2" to "security_result.confidence".
- Mapped "proto" to "network.ip_protocol".
- Added "on_error" check for "severity" parameter.
2022-09-26 Enhancement:
- Mapped "version" to "metadata.product_version".
- Mapped "detection_id" to "metadata.product_log_id".
- Mapped "category" to "security_result.category_details".
- Mapped "d_type" to "additional.fields".
- Mapped "d_type_vname" to "additional.fields".
- Mapped "triaged" to "additional.fields".
- Mapped "headend_addr" to "observer.ip".
- Mapped "href" to "metadata.target.url".
- Mapped "dd_bytes_sent" to "network.sent_bytes".
- Mapped "account_uid" to "additional.fields".
2022-08-25 Enhancement:
- Converted the parser from SDM to UDM.
- Mapped "triage" to "read_only_udm.alert".
- Mapped "severity" to "security_result.severity_details".