Change log for GITHUB

Date Changes
2024-12-05 Enhancement:
- Mapped "push_protection_bypass_reason" to "security_result.detection_fields".
2024-11-14 Enhancement:
- Added support for new pattern of JSON logs.
2024-11-06 Enhancement:
- Mapped "actor" to "principal.resource.attribute.labels".
- Changed the mapping of "user" from "target.user.user_display_name" to "principal.user.user_display_name".
- Changed the mapping of "external_identity_nameid" from "target.user.email_addresses" to "principal.user.email_addresses".
- Changed the mapping of "userid" from "target.user.userid" to "principal.user.userid".
2024-09-18 Enhancement:
- Mapped "pull_request_url" to "target.url".
- Mapped "pull_request_title", "pull_request_id", and "previous_visibility" to "additional.fields".
2024-08-26 Enhancement:
- Mapped "explanation" to "additional.fields".
2024-08-13 Enhancement:
- Mapped "invitee_email" and "email" to "additional.fields".
2024-07-02 Enhancement:
- Fixed the mapping of "config_was".
- Changed the mapping of "admin_enforced" from "security_result.action" to "additional.fields".
- Mapped "required_status_checks_enforcement_level", "events_were" and "old_permission" to "additional.fields".
2024-06-13 Enhancement:
- Mapped "name", "manager", "pull_request_reviews_enforcement_level", "hook_id", "events", "config_was", "key", "fingerprint", "permission", and "title" to "additional.fields".
- When "admin_enforced" is "true", set "security_result.action" to "ALLOW".
- When "admin_enforced" is "false", set "security_result.action" to "BLOCK".
2023-12-18 Bug-Fix:
- If "process_type" is "github_production", added a Grok pattern to extract "kv_data".
- If "process_type" is "github_production", mapped "user" to "target.user.user_display_name".
- If "process_type" is "github_production", mapped "user_id" to "target.user.userid".
- Mapped "referrer" to "network.http.referral_url".
- Mapped "user_session_id" to "network.session_id".
- Mapped "ip" to "principal.ip".
- Mapped "from" to "additional.fields".
- Mapped "request_category" to "additional.fields".
- Mapped "device_cookie" to "additional.fields".
- Mapped "operation_type" to "additional.fields".
- Mapped "category_type" to "additional.fields".
- Mapped "note" to "additional.fields".
- Mapped "read" to "additional.fields".
- Mapped "pre_perform_allocation_count" to "additional.fields".
- Mapped "backend" to "additional.fields".
- Mapped "queue" to "additional.fields".
- Mapped "class" to "additional.fields".
- Mapped "success" to "additional.fields".
- Mapped "controller_action" to "security_result.detection_fields".
- Mapped "two_factor" to "security_result.detection_fields".
2023-10-25 Enhancement:
- When "public_repo" is "false", set "target.location.name" to "PRIVATE", else set to "PUBLIC".
2023-10-11 Enhancement:
- Mapped "user_agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "request_method" to "network.http.method".
- Mapped "application_name" to "target.application".
- Mapped "status_code" to "network.http.response_code".
- Mapped "url_path" to "target.url".
- Mapped "user_id" to "target.userid".
- Mapped "transport_protocol_name" to "network.application_protocol".
- Mapped "raw.now" to "metadata.event_timestamp".
- Mapped "raw.ip" to "principal.ip".
- Mapped "raw.request_id" to "metadata.product_log_id".
- Mapped "raw.repo" to "target.url".
- Mapped "raw.action" to "security_result.summary".
- Mapped "raw.protocol" to "network.application_protocol".
- Mapped "raw.message" to "metadata.description".
- Mapped "raw.at" to "security_result.action".
- Mapped "raw.login" to "target.user_display_name".
- Mapped "raw.user_id" to "target.userid".
- Mapped "raw.failure_reason", "raw.failure_type", "raw.raw_login" and "raw.from" to "additional.fields".
- Mapped "programmatic_access_type", "actor_id", "token_id", "token_scopes", "integration", "query_string", "rate_limit_remaining",
"request_body", "route", "business", "org_id", "repo_id", "public_repo", "_document_id", "operation_type", "repository_public" to "additional.fields".
2023-07-31 Bug-Fix:
- Added "on_error" to Grok patterns.
- Mapped "workflow_run.id" to "target.resource.attribute.labels".
- Mapped "workflow_run.event" to "additional.fields".
- Mapped "workflow_run.actor.login" to "principal.user.userid".
- Mapped "workflow_run.head_branch" to "security_result.about.labels".
- Mapped "workflow_run.head_sha" to "target.file.sha256".
- Mapped "enterprise.name" to "additional.fields".
- Mapped "workflow.name" to "security_result.about.labels".
- Mapped "workflow_run.workflow_id" to "security_result.about.labels".
2023-06-22 Enhancement:
- Added support for the "github_auth", "haproxy", "github_access", "github_unicorn", "github_production", "hookshot-go",
"babeld", "github_gitauth", "babeld2hydro", "authzd", "gitrpcd", "agent", "git-daemon",
"github_resqued", "sudo", "systemd" and "github_audit" syslog log formats.
2023-06-09 Enhancement:
- Mapped "external_identity_nameid" to "target.user.email_addresses" if in email format.
- Extracted the username from "external_identity_nameid" and mapped it to "target.user.userid".
2023-01-13 Enhancement:
- Mapped "actor_ip" to "principal.ip".
- Mapped "hashed_token" to "network.session_id".
- Mapped "external_identity_nameid" to "target.user.userid".
- Mapped "external_identity_username" to "target.user.user_display_name".
2022-11-28 Enhancement:
- Mapped "config.url" to "target.url".
2022-07-07 Enhancement:
- Added parsing for newly ingested JSON-format logs with the actions "git.clone", "git.push" and "workflows.prepared_workflow_job".
- 'job_name' mapped to 'target.resource.attribute.labels'.
- 'job_workflow_ref' mapped to 'target.resource.attribute.labels'.
- 'runner_group_id' mapped to 'target.resource.attribute.labels'.
- 'runner_group_name' mapped to 'target.resource.attribute.labels'.
- 'runner_name' mapped to 'target.resource.attribute.labels'.
- 'runner_id' mapped to 'target.resource.attribute.labels'.
- 'workflow_run_id' mapped to 'target.resource.attribute.labels'.
- 'actor_location.country_code' mapped to 'principal.location.country_or_region'.