Change log for CS_STREAM

Date Changes
2025-01-10 Enhancement:
- When "OperationBlocked" is "true", mapped "security_result.action" to "BLOCK".
- When "OperationBlocked" is "false", mapped "security_result.action" to "ALLOW".
- When "event_type" is "IdentityProtectionEvent", then mapped "event_data.IncidentDescription" to "security_result.summary".
- When "event_type" is "IdentityProtectionEvent", then mapped "event_data.SeverityName" to "security_result.severity".
2025-01-09 Enhancement:
- Mapped "event_data.Technique" to "security_result.rule_name".
- Mapped "event_data.CommandLine" to "target.process.command_line".
- If "event_data.IOCType" is "ipv4", then mapped "event_data.IOCValue" to "target.ip" and "target.asset.ip".
- If "event_data.IOCType" is "hash_sha256", then mapped "event_data.IOCValue" to "target.file.sha256".
2024-12-12 Enhancement:
- Mapped "event.SeverityName" to "security_result.severity".
- Mapped "event.Description" to "security_result.summary".
- Mapped "security_result.action" based on "event.PatternDispositionFlags.OperationBlocked".
2024-10-29 Enhancement:
- Added support for JSON format of logs.
- Mapped "request" to "network.http.referral_url".
- Mapped "networkDetectionType" to "security_result.detection_fields".
2022-07-18 Enhancement:
- Added the following mappings for the LEEF format logs:
  - The field "version" mapped to "metadata.product_version".
  - The fields "usrName" and "userName" mapped to "principal.user.email_addresses" if the value is an email address, else mapped to "principal.user.userid".
  - The field "severityName" mapped to "security_result.severity".
  - The field "cat" mapped to "security_result.category_details".
  - The field "incidentType" mapped to "security_result.summary".
  - The field "falconHostLink" mapped to "security_result.about.url".
  - The field "numberOfCompromisedEntities" mapped to "security_result.detection_fields[n]".
  - The field "identityProtectionIncidentId" mapped to "security_result.detection_fields[n]".
  - The field "numbersOfAlerts" mapped to "security_result.detection_fields[n]".
  - The field "state" mapped to "security_result.detection_fields[n]".
- Added the following mappings for the CEF format logs:
  - The field "version" mapped to "metadata.product_version".
  - The field "deviceCustomDate1" mapped to "metadata.event_type".
  - The field "msg" mapped to "metadata.description".
  - The field "cs1" mapped to "security_result.summary" if the value of "cs1Label" is "incidentType", else mapped to "security_result.detection_fields[n]".
  - The field "cs2" mapped to "security_result.detection_fields[n]".
  - The field "cs3" mapped to "security_result.detection_fields[n]".
  - The field "cs4" mapped to "security_result.about.url" if the value of "cs4Label" is "falconHostLink", else mapped to "security_result.detection_fields[n]".
  - The field "cn1" mapped to "security_result.detection_fields[n]".
  - The field "cn2" mapped to "security_result.detection_fields[n]".
  - The field "cn3" mapped to "security_result.detection_fields[n]".
  - The field "duser" mapped to "principal.user.email_addresses" if the value is an email address, else mapped to "principal.user.userid".
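The conditional rules in this change log (the label-keyed "cs1"/"cs4" handling and email-vs-userid split for CEF, and the "OperationBlocked", "IdentityProtectionEvent" and "IOCType" branches for JSON) are easy to misread from the prose alone. Below is an added example that applies them to constructed sample records; it is not the Chronicle parser's own code. The CEF record and the two JSON events are made up, the output is a plain nested dict keyed by the dotted UDM paths the log names, and the JSON input shape ("event_type", "event_data" with "PatternDispositionFlags" nested inside it) and the use of the CEF label as the detection-field key are assumptions, not something this page states.

```python
"""CS_STREAM change-log mapping rules over constructed samples (added example, not parser code)."""
import re
from typing import Any, Dict

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CEF_HEADER = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]

# Constructed sample records; none of these are real CrowdStrike output.
SAMPLE_CEF_LINE = (
    "CEF:0|CrowdStrike|FalconHost|1.0|DetectionSummaryEvent|Detection|8|"
    "deviceCustomDate1=DetectionSummaryEvent msg=A process was blocked "
    "cs1Label=incidentType cs1=Malware cs2Label=detectName cs2=Trojan.Generic "
    "cs4Label=falconHostLink cs4=https://falcon.crowdstrike.com/activity/detections/detail/abc "
    "cn1Label=numberOfCompromisedEntities cn1=2 duser=alice@example.com"
)
SAMPLE_DETECTION_EVENT = {  # assumed shape: event_type + event_data
    "event_type": "DetectionSummaryEvent",
    "event_data": {
        "SeverityName": "High",
        "Description": "Credential dumping attempt blocked",
        "PatternDispositionFlags": {"OperationBlocked": True},
        "Technique": "OS Credential Dumping",
        "CommandLine": "rundll32.exe comsvcs.dll MiniDump 624 lsass.dmp full",
        "IOCType": "hash_sha256",
        "IOCValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    },
}
SAMPLE_IDP_EVENT = {
    "event_type": "IdentityProtectionEvent",
    "event_data": {
        "SeverityName": "Medium",
        "IncidentDescription": "Unusual LDAP activity from a service account",
        "PatternDispositionFlags": {"OperationBlocked": "false"},  # string form also seen
        "IOCType": "ipv4",
        "IOCValue": "10.0.0.5",
    },
}


def _put(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Set a dotted UDM path such as 'security_result.summary' in the output dict."""
    node = udm
    *parents, leaf = path.split(".")
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value


def _detection_field(udm: Dict[str, Any], key: str, value: Any) -> None:
    """Append one security_result.detection_fields[n] entry (key choice is an assumption)."""
    sr = udm.setdefault("security_result", {})
    sr.setdefault("detection_fields", []).append({"key": key, "value": str(value)})


def _map_user(udm: Dict[str, Any], value: str) -> None:
    """usrName/userName/duser rule: email address vs. plain user id."""
    if EMAIL_RE.match(value):
        _put(udm, "principal.user.email_addresses", [value])
    else:
        _put(udm, "principal.user.userid", value)


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into the 7 header fields plus key=value extension pairs.

    Extension values may contain spaces, so a value runs until the next 'key='
    token; CEF backslash escapes (\\= \\| \\\\) inside values are undone.
    """
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields = dict(zip(CEF_HEADER, parts[:7]))
    ext = parts[7]
    tokens = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    for i, tok in enumerate(tokens):
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(ext)
        fields[tok.group(1)] = re.sub(r"\\(.)", r"\1", ext[tok.end():end].strip())
    return fields


def map_cef(f: Dict[str, str]) -> Dict[str, Any]:
    """Apply the CEF mappings listed under 2022-07-18."""
    udm: Dict[str, Any] = {}
    for src, dst in (("version", "metadata.product_version"),
                     ("deviceCustomDate1", "metadata.event_type"),
                     ("msg", "metadata.description")):
        if src in f:
            _put(udm, dst, f[src])
    # cs1 and cs4 are special-cased on their label; everything else becomes a detection field.
    for key in ("cs1", "cs2", "cs3", "cs4", "cn1", "cn2", "cn3"):
        if key not in f:
            continue
        label = f.get(key + "Label", key)
        if key == "cs1" and label == "incidentType":
            _put(udm, "security_result.summary", f[key])
        elif key == "cs4" and label == "falconHostLink":
            _put(udm, "security_result.about.url", f[key])
        else:
            _detection_field(udm, label, f[key])
    if "duser" in f:
        _map_user(udm, f["duser"])
    return udm


def map_json(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the JSON mappings listed under 2024-12-12, 2025-01-09 and 2025-01-10."""
    udm: Dict[str, Any] = {}
    etype = event.get("event_type")
    d = event.get("event_data", {})
    blocked = str(d.get("PatternDispositionFlags", {}).get("OperationBlocked", "")).lower()
    if blocked in ("true", "false"):  # any other value leaves action unset
        _put(udm, "security_result.action", "BLOCK" if blocked == "true" else "ALLOW")
    if "SeverityName" in d:
        _put(udm, "security_result.severity", d["SeverityName"])
    summary_key = "IncidentDescription" if etype == "IdentityProtectionEvent" else "Description"
    if summary_key in d:
        _put(udm, "security_result.summary", d[summary_key])
    if "Technique" in d:
        _put(udm, "security_result.rule_name", d["Technique"])
    if "CommandLine" in d:
        _put(udm, "target.process.command_line", d["CommandLine"])
    ioc_type, ioc = d.get("IOCType"), d.get("IOCValue")
    if ioc_type == "ipv4" and ioc:
        _put(udm, "target.ip", [ioc])
        _put(udm, "target.asset.ip", [ioc])
    elif ioc_type == "hash_sha256" and ioc:
        _put(udm, "target.file.sha256", ioc)
    return udm


def process_cef(line: str) -> Dict[str, Any]:
    """Parse then map one CEF record."""
    return map_cef(parse_cef(line))


if __name__ == "__main__":
    import json
    print(json.dumps(process_cef(SAMPLE_CEF_LINE), indent=2))
    print(json.dumps(map_json(SAMPLE_DETECTION_EVENT), indent=2))
    print(json.dumps(map_json(SAMPLE_IDP_EVENT), indent=2))
```

Two points worth checking against your own feed: the CEF extension parser relies on "key=" tokens being preceded by whitespace, so a value containing an unescaped " x=" would be split (CEF requires "=" in values to be escaped as "\\="), and "OperationBlocked" is compared as a lowercased string so that both the boolean and the quoted "true"/"false" forms the change log cites land on BLOCK/ALLOW.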