Change log for SALESFORCE
Date | Changes |
---|---|
2025-01-30 | Enhancement:
- Mapped "region" to "principal.location.country_or_region".
- Mapped "account" to "principal.user.userid".
- Mapped "detail.payload.ConnectedAppId" to "additional.fields".
- Mapped "detail.payload.Platform" to "additional.fields".
- Mapped "detail.payload.Query" to "additional.fields".
- Mapped "detail.payload.EvaluationTime" to "additional.fields".
- Mapped "detail.payload.Operation" to "additional.fields".
- Mapped "detail.payload.LoginHistoryId" to "additional.fields".
- Mapped "detail.payload.CreatedById" to "additional.fields".
- Mapped "detail.payload.SessionKey" to "additional.fields".
- Mapped "detail.payload.ApiType" to "additional.fields".
- Mapped "detail.payload.UserAgent" to "network.http.user_agent".
- Mapped "detail.payload.Client" to "principal.asset.hostname".
- Mapped "detail.payload.PolicyOutcome" to "security_result.detection_fields".
- Mapped "detail.payload.EventIdentifier" to "additional.fields".
- Mapped "detail.payload.RequestIdentifier" to "additional.fields".
- Mapped "detail.payload.ApiVersion" to "additional.fields".
- Mapped "detail.payload.RelatedEventIdentifier" to "additional.fields".
- Mapped "detail.payload.Username" to "target.user.email_addresses".
- Mapped "detail.payload.RowsProcessed" to "additional.fields".
- Mapped "detail.payload.RowsReturned" to "additional.fields".
- Mapped "detail.payload.SourceIp" to "principal.ip".
- Mapped "detail.payload.UserId" to "target.user.userid".
- Mapped "totalSize" to "additional.fields".
- Mapped "done" to "additional.fields".
- Mapped "detail.payload.CreatedDate" to "additional.fields".
- Mapped "detail.payload.LoginKey" to "additional.fields".
- Mapped "detail.payload.Application" to "additional.fields".
- Mapped "detail.payload.PolicyId" to "additional.fields".
- Mapped "detail.payload.QueriedEntities" to "additional.fields".
- Mapped "detail.payload.SessionLevel" to "additional.fields".
- Mapped "detail.schemaId" to "additional.fields".
- Mapped "detail.id" to "target.resource.id".
- Mapped "records_index.attributes.type" to "security_result.detection_fields". |
2025-01-21 | Enhancement:
- Mapped "column25" to "network.http.user_agent".
- Mapped "column28" to "principal.ip" and "principal.asset.ip".
- If "column24" contains "User-Agent", mapped "column24" to "network.http.user_agent"; otherwise, mapped "column24" to "network.http.method". |
2025-01-15 | Enhancement:
- Mapped "Name" to "principal.user.user_display_name".
- Mapped "Email" to "principal.user.email_addresses".
- Mapped "FederationIdentifier" to "additional.fields".
- Mapped "CreatedBy.Email" to "principal.user.email_addresses".
- Mapped "CreatedBy.Name" to "principal.user.user_display_name".
- Mapped "CreatedBy.FederationIdentifier" to "additional.fields".
- Mapped "Section" to "additional.fields".
- Mapped "DelegateUser" to "additional.fields".
- Mapped "ResponsibleNamespacePrefix" to "additional.fields".
- Mapped "CreatedByContext" to "additional.fields".
- Mapped "CreatedByIssuer" to "additional.fields".
- Mapped "Browser" to "additional.fields".
- When "Platform" is nearly equal to "Windows", then mapped "principal.platform" to "WINDOWS".
- When "Platform" is nearly equal to "Linux", then mapped "principal.platform" to "LINUX".
- When "Platform" is nearly equal to "Mac", then mapped "principal.platform" to "MAC".
- Mapped "Status" to "security_result.action_details".
- Mapped "CountryIso" to "additional.fields". |
2025-01-10 | Enhancement:
- Added support for new pattern of "Login" and "LoginAs" logs. |
2025-01-09 | Enhancement:
- Mapped "payload.PreviousPageUrl" to "metadata.url_back_to_product".
- Mapped "payload.OsVersion" to "principal.platform_version".
- Mapped "payload.PreviousPageEntityId", "payload.SdkVersion", "payload.Operation", "payload.PageUrl", "HasEffectivePageTimeDeviation_label", "payload.EffectivePageTime", "payload.EffectivePageTimeDeviationReason", "payload.DeviceSessionId", "payload.PreviousPageAppName", and "payload.PreviousPageEntityType" to "additional.fields".
- Mapped "payload.SessionKey" to "network.session_id".
- Mapped "payload.UserAgent" to "network.http.user_agent".
- Mapped "payload.RecordId" to "target.resource.id".
- Mapped "payload.EventIdentifier" to "metadata.product_log_id".
- Mapped "payload.OsName" to "principal.platform". |
2024-12-10 | Enhancement:
- Mapped "user_permission" to "principal.user.attribute.labels". |
2024-12-03 | Enhancement:
- Added support for new pattern of "Login" logs. |
2024-11-29 | Enhancement:
- Added support for a new format of JSON logs. |
2024-10-07 | Enhancement:
- Added "deactivateduser", "PermSetUnassign", and "PermSetAssign" as conditional checks. |
2024-09-20 | Enhancement:
- Mapped "column9" to "metadata.product_log_id".
- Mapped "column5" to "security_result.rule_author".
- Mapped "column10" to "security_result.summary".
- Mapped "column4" to "security_result.rule_name". |
2024-09-16 | Enhancement:
- Mapped "description" to "security_result.description".
- Mapped "client_ip" to "principal.ip" and "principal.asset.ip".
- Fixed mapping of "target_username" and "tls_protocol". |
2024-07-08 | Enhancement:
- Mapped "domain" to "target.administrative_domain".
- Mapped "user_display" to "principal.user.userid".
- Mapped "section" to "additional.fields".
- Fixed the mapping to parse all fields. |
2024-06-04 | Enhancement:
- Added support for newly ingested logs. |
2024-03-06 | Enhancement:
- Changed mapping of the field "Id" from "metadata.product_log_id" to "principal.user.userid".
- Changed mapping of the field "CreatedById" from "principal.user.userid" to "principal.resource.attribute.labels".
- Mapped "IsDeleted" to "principal.resource.attribute.labels".
- Mapped "LogFileLength" to "principal.resource.attribute.labels".
- Mapped "LogFileContentType" to "principal.resource.attribute.labels".
- Mapped "ApiVersion" to "principal.resource.attribute.labels".
- Mapped "LogFile" to "principal.resource.attribute.labels". |
2023-02-24 | Enhancement:
- "security_result.action" mapped to ALLOW instead of BLOCK if the action is "LOGIN_NO_ERROR".
- For "Login" events:
- "action" mapped to "security_result.action".
- "target_user_name" mapped to "target.user.userid".
- "tls_protocol" mapped to "network.tls.version_protocol".
- "cipher_suite" mapped to "network.tls.cipher".
- Added "on_error" check for "OsVersion" and "date" block. |
2022-12-13 | Enhancement:
- Mapped "LoginType" to "security_result.description".
- Mapped "LoginUrl" to "principal.url".
- Added empty check for "ApiType" and "LoginGeo.City". |
2022-09-02 | Enhancement:
- Migrated the custom parsers into the default parser. |
2022-07-04 | Enhancement:
- Enhanced the parser to parse the logs having event_type 'LoginHistory'.
- Added condition to parse different formats of timestamp.
- Added condition for event_type 'USER_UNCATEGORIZED' where 'user_id' or 'UserId' or 'target_user_name' is not null.
- Added validation for parsing src_ip. |
2022-04-18 | Enhancement:
- Modified mapping for DOWNLOAD_FORMAT from 'metadata.ingestion_labels' to 'target.resource.attribute.labels'. |
2022-03-30 | Enhancement:
- Changed event_type for 'LoginEventStream' to USER_LOGIN.
- Corrected mapping for the fields DOWNLOAD_FORMAT and ConnectedAppId.
- Added mappings for certain fields when the log is of type LoginEventStream, WaveDownload, or ApiEventStream. |