Change log for MCAFEE_IPS
Date | Changes |
---|---|
2025-08-13 | - Newly added grok pattern for the `message` data field to parse the `BTP` raw log field. <br> - `event.idm.read_only_udm.security_result.confidence`: Newly mapped the `BTP` raw log field to the `event.idm.read_only_udm.security_result.confidence` UDM field as `LOW_CONFIDENCE` when `BTP` is `Low`, `MEDIUM_CONFIDENCE` when `BTP` is `Medium`, `HIGH_CONFIDENCE` when `BTP` is `High`, and `UNKNOWN_CONFIDENCE` when `BTP` is `Unknown`. <br> - Newly added grok pattern for the `timestamp` data field to fetch the `year` data. <br> - `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `header_timestamp` data field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
2025-07-02 | - Added grok patterns to parse the unparsed logs. <br> - Added a split operation and a for loop to convert IPs into an array of `principal_ip`. <br> - `event.idm.read_only_udm.principal.asset.ip` and `event.idm.read_only_udm.principal.ip`: Newly mapped the `principal_ip` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields. <br> - Added `has_principal` and `has_target` to identify the event type. <br> - Added `on_error` and `if` conditional statements wherever required. |
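The two entries above describe field-level parser logic: a pattern that pulls `BTP`, the timestamp and `principal_ip` out of the raw line, a value map from `BTP` to the UDM confidence enum, a split that turns a comma-separated IP list into an array, and `has_principal`/`has_target` flags that drive event-type selection with an `on_error` fallback for lines the pattern does not match. The following Python is an added illustration of that pipeline, not the parser's own code and not a Chronicle/Google SecOps API: the raw-line layout, the sample lines, the `target_ip` field and the event-type selection rule are all assumptions made for the example, because the change log does not show the real McAfee IPS log format or which event types the parser chooses.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical layout (assumption; the real
# McAfee IPS raw format is not shown in the change log):
#   "<Mon> <DD> <YYYY> <HH:MM:SS> <message> BTP=<level> principal_ip=<ip[,ip...]>[ target_ip=<ip>]"
SAMPLE_LOGS = [
    "Aug 13 2025 10:15:42 HTTP: Suspicious Request BTP=Medium principal_ip=10.0.0.5,10.0.0.6 target_ip=192.0.2.10",
    "Aug 13 2025 10:16:01 Sensor heartbeat BTP=Unknown principal_ip=10.0.0.7",
    "this line does not match the pattern at all",
]

# Regex standing in for the grok patterns: named groups play the role of the
# grok capture names (header_timestamp carries the year, message carries BTP).
LOG_PATTERN = re.compile(
    r"^(?P<header_timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<message>.*?) BTP=(?P<btp>\S+) principal_ip=(?P<principal_ip>\S+)"
    r"(?: target_ip=(?P<target_ip>\S+))?$"
)

# BTP value -> security_result.confidence, exactly as listed in the change log.
BTP_TO_CONFIDENCE = {
    "low": "LOW_CONFIDENCE",
    "medium": "MEDIUM_CONFIDENCE",
    "high": "HIGH_CONFIDENCE",
    "unknown": "UNKNOWN_CONFIDENCE",
}


def select_event_type(has_principal, has_target):
    """Event-type rule derived from the has_principal/has_target flags.

    Assumption for illustration only: the change log says the flags identify
    the event type but does not state which UDM types are chosen.
    """
    if has_principal and has_target:
        return "NETWORK_CONNECTION"
    if has_principal:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def parse_event(raw):
    """Map one raw line to a dict shaped like the read_only_udm fields.

    Returns None when the pattern does not match, mirroring an on_error path
    that leaves the event unparsed instead of emitting partial fields.
    """
    m = LOG_PATTERN.match(raw)
    if m is None:
        return None
    f = m.groupdict()
    udm = {"metadata": {}, "security_result": {}, "principal": {}, "target": {}}

    # header_timestamp -> metadata.event_timestamp (timezone assumed UTC).
    ts = datetime.strptime(f["header_timestamp"], "%b %d %Y %H:%M:%S")
    udm["metadata"]["event_timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()

    # BTP -> security_result.confidence; unmapped values set nothing (if-guard).
    confidence = BTP_TO_CONFIDENCE.get(f["btp"].lower())
    if confidence is not None:
        udm["security_result"]["confidence"] = confidence

    # Split the comma-separated list into an array and fan it out to both
    # principal.ip and principal.asset.ip (the split + for-loop step).
    ips = [ip.strip() for ip in f["principal_ip"].split(",") if ip.strip()]
    if ips:
        udm["principal"]["ip"] = ips
        udm["principal"]["asset"] = {"ip": ips}
    if f["target_ip"]:
        udm["target"]["ip"] = [f["target_ip"]]

    has_principal = bool(ips)
    has_target = bool(f["target_ip"])
    udm["metadata"]["event_type"] = select_event_type(has_principal, has_target)
    return udm


def parse_all(lines):
    """Parse a batch; returns (parsed events, count of lines left unparsed)."""
    parsed = []
    unparsed = 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            unparsed += 1
        else:
            parsed.append(event)
    return parsed, unparsed


if __name__ == "__main__":
    events, dropped = parse_all(SAMPLE_LOGS)
    for e in events:
        print(e)
    print(f"unparsed lines: {dropped}")
```

Running the block on the constructed lines shows the `Medium` line landing as `MEDIUM_CONFIDENCE` with a two-element principal IP array, the heartbeat line as `UNKNOWN_CONFIDENCE` with a single-element array, and the malformed line counted as unparsed rather than producing a half-filled event; that last behaviour is the point of the `on_error` guards the 2025-07-02 entry mentions.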