Change log for SAP_SM20
Date
Changes
2024-04-16
- Mapped "ALGSYSTEM" to "principal.hostname" and "principal.asset.hostname".
2024-01-29
- Added support for newly ingested logs.
- Mapped "WP_PID" to "target.process.pid".
- Mapped "WP_SERVER" to "intermediary.hostname".
- Mapped "WP_STATUS" to "security_result.summary".
- Mapped "INSTANCE_NAME" to "principal.hostname" and "principal.asset.hostname".
- Mapped "TXSEVERITY" to "security_result.severity".
- Mapped "TXSUBCLSID" to "security_result.description".
- Mapped "ALGSYSTEM" to "principal.hostname" and "principal.asset.hostname".
- If "ALGLTERM" is an IP address, then mapped it to "target.ip" and "target.asset.ip", else mapped it to "target.hostname" and "target.asset.hostname".
- Mapped "ALGCLIENT" and "ALGINST" to "target.resource.attribute.labels".
- Mapped "ALGUSER" to "target.user.userid".
- Mapped "ALGTEXT" to "metadata.description".
- If "ALGTEXT" is nearly equal to "logon successful" and both "has_principal" and "has_target" are equal to "true", then "metadata.event_type" is set to "USER_LOGIN".
- Mapped "WP_TYP", "ALGREPNA", "ALGAREA", "ALGFILENO", "ALGFILEPOS", "ALGSUBID", "UTCDIFF", "ALGTASKNO", "ALGTASKTYPE", "ALGTCODE" to "additional.fields".
Last updated 2025-03-13 UTC.
The initial version of the SAP_SM20 parser was released on 2023-12-07.