Change log for IBM_ZOS

Date Changes
2024-10-26 Enhancement:
- Added support for SYSLOG logs.
2023-07-25 Bug fix:
- Updated values set for "metadata.vendor_name" and "metadata.product_name".
2022-09-08 Fix:
- Corrected a typo.
2022-08-09 Enhancement:
- Mapped the following fields:
  - user_out to target.user.userid.
  - name_out to target.user.user_display_name.
  - perf_out to target.user.employee_id.
  - department_out to target.user.department.
  - ug_out to target.user.office_address.name.
  - timestamp to src.user.hire_date.
  - timestamp_end to src.user.termination_date.
  - user_in to src.user.userid.
  - name_in to src.user.user_display_name.
  - perf_in to src.user.employee_id.
  - department_in to src.user.department.
  - status to security_result.summary.
  - userid to principal.user.userid.
  - username to user.user_display_name.
  - n_ex_fail to security_result.action_details, and set security_result.action to FAIL.
  - type_trx to target.resource.name, and set target.resource.resource_type to TASK.
  - email to principal.user.email_addresses.
  - l_email to observer.user.email_addresses.
  - class to target.resource.parent.
  - resource to target.resource.name.
  - mot to product_event_type.
  - metadata.event_type to USER_UNCATEGORIZED where mot is not null.
  - metadata.event_type to USER_RESOURCE_UPDATE_CONTENT where userid is not null.
- Added new Grok patterns for logs whose EVENT_TYPE is one of ALTUSER, CONNECT, ALTGROUP, ADDGROUP, DELGROUP, PERMIT, REMOVE, SETROPTS and RACDCERT, and mapped the following fields:
  - EVENT_QUAL to security_result.summary.
  - SYSTEM_SMFID to principal.hostname.
  - VIOLATION to security_result.category.
  - USER_NDFND to principal.user.user_authentication_status.
  - USER_WARNING to security_result.severity.
  - EVT_USER_ID to principal.user.userid.
  - EVT_GRP_ID to principal.group.group_display_name.
  - LOG_CLASS, LOG_ACCESS, LOG_USER, LOG_SPECIAL, LOG_NONOMVS, LOG_OMVSNPRV, AUTH_OMVSSU, AUTH_OMVSSYS to security_result.outcomes.
  - LOG_RACINIT, BACKOUT_FAIL, PROF_SAME to security_result.action.
  - TERM to principal.resource_ancestors.name.
  - JOB_NAME to principal.resource.name.
  - LOG_ALWAYS, LOG_CMDVIOL, TERM_LEVEL, LOG_GLOBAL, LOG_LEVEL, LOG_LOGOPT, LOG_SECL, LOG_COMPATM, LOG_APPLAUD to principal.resource.attribute.permissions.
  - USR_SECL to principal.user.attribute.labels.
  - RACF_VERSION to security_result.rule_version.
  - ALU_OWN_ID to about.user.userid.
  - ALU_OLD_SECL, ALU_UTK_SECL to target.user.attribute.labels.
  - ALU_UTK_ENCR, ALU_UTK_PRE19, ALU_UTK_DEFAULT, ALU_UTK_VERPROF, ALU_UTK_ERROR, ALU_NOAUTH_CLAUTH, ALU_NOAUTH_GROUP, ALU_NOAUTH_PROF to security_result.outcomes.
  - ALU_UTK_NJEUNUSR, ALU_UTK_LOGUSR, ALU_UTK_SPECIAL, ALU_UTK_UNKNUSR, ALU_UTK_PRIV, ALU_UTK_SURROGAT to target.user.attribute.roles.
  - ALU_UTK_TRUSTED to target.user.group_identifiers.
  - ALU_UTK_SESSTYPE, CON_UTK_SESSTYPE, ALG_UTK_SESSTYPE to metadata.description.
  - ALU_UTK_REMOTE, ALU_UTK_SPCLASS, CON_UTK_REMOTE to principal.resource.resource_subtype.
  - ALU_UTK_EXECNODE, ALG_UTK_EXECNODE to about.resource.name.
  - ALU_UTK_SUSER_ID, CON_UTK_SUSER_ID, ALG_UTK_SUSER_ID to src.user.userid.
  - ALU_UTK_SNODE, CON_UTK_SNODE, ALG_UTK_SNODE to src.resource.name.
  - ALU_UTK_SGRP_ID, CON_UTK_SGRP_ID, ALG_UTK_SGRP_ID to src.user.group_identifiers.
  - ALU_UTK_SPOE, CON_UTK_SPOE, ALG_UTK_SPOE to principal.port.
  - ALU_UTK_USER_ID, CON_OWN_ID, CON_UTK_USER_ID, ALG_OWN_ID, AG_OWN_ID, ALG_UTK_USER_ID to about.user.userid.
  - ALU_USER_NAME, CON_USER_NAME, ALG_USER_NAME, AG_USER_NAME to about.user.user_display_name.
  - ALU_UTK_GRP_ID, CON_UTK_GRP_ID, ALG_UTK_GRP_ID to about.group.product_object_id.
  - ALU_UTK_DFT_GRP, CON_UTK_DFT_GRP, CON_UTK_DFT_SECL, ALG_UTK_DFT_GRP to target.group.attribute.labels.
  - ALU_UTK_DFT_SECL, ALG_UTK_DFT_SECL to target.user.attribute.labels.
  - ALU_APPC_LINK, CON_APPC_LINK, ALG_UTK_SECL, ALG_APPC_LINK to about.resource.attribute.labels.
  - ALU_USER_ID, CON_USER_ID to target.user.userid.
  - CON_UTK_ENCR, CON_UTK_PRE19, CON_UTK_VERPROF, CON_UTK_DEFAULT, CON_UTK_ERROR, ALG_UTK_ENCR, ALG_UTK_PRE19, ALG_UTK_VERPROF, ALG_UTK_DEFAULT, ALG_UTK_ERROR, AG_UTK_ENCR, AG_UTK_PRE19, AG_UTK_VERPROF, AG_UTK_DEFAULT, AG_UTK_ERROR to security_result.outcomes.
  - CON_UTK_NJEUNUSR, CON_UTK_LOGUSR, CON_UTK_SPECIAL, CON_UTK_UNKNUSR, CON_UTK_SECL, ALG_UTK_NJEUNUSR, ALG_UTK_LOGUSR, ALG_UTK_SPECIAL, ALG_UTK_UNKNUSR, AG_UTK_NJEUNUSR, AG_UTK_LOGUSR, AG_UTK_SPECIAL, AG_UTK_UNKNUSR to target.user.attribute.roles.
  - CON_UTK_TRUSTED, ALG_UTK_TRUSTED, AG_UTK_TRUSTED to target.user.group_identifiers.
  - CON_UTK_SURROGAT, ALG_UTK_SURROGAT to target.user.attribute.roles.
  - CON_UTK_SPCLASS, ALG_UTK_REMOTE, ALG_UTK_SPCLASS to about.resource.resource_subtype.
2022-06-03 Enhancement:
- Enhanced the parser to parse CSV logs.
- Mapped the box field from the log to UDM principal.hostname.
- Added a check that src and dst are not null before mapping event_type to NETWORK_CONNECTION.
- Added a check that userName is not null before mapping event_type to USER_RESOURCE_UPDATE_CONTENT or USER_RESOURCE_ACCESS.
2022-05-04 Enhancement:
- Created a new default parser.