Change log for SPLUNK
| Date | Changes |
|---|---|
| 2023-11-29 | - Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
- Modified logic to map "security_result.action_details" UDM field even if the values of "action" raw log field does not match the logic. |
| 2023-05-17 | Added "auth.type" for login events. |
| 2023-01-04 | - Handled error and changed mapping for "Authentication" datamodel, if "user_id" variable is empty then "user" variable will be mapped to "principal.user.userid". Also, event_type is now mapped to USER_LOGIN.
- Handled unparsed log for "Endpoint" datamodel. - Modified mapping for "Change" datamodel. The "user" field is mapped to "target.user.user.userid", the "user_name" field is mapped to principal.user.user_display_name for tag `change` and `account`, the "src_user" field is mapped to principal.user.userid. Also, event_type is mapped to "USER_UNCATEGORIZED". - Modified mapping for the fields "result" and "result_id" in the "Change" datamodel to metadata.description and metadata.product_event_type. - Changed mapping for the "Network Traffic" datamodel. If "user_id" variable is empty then the "user" variable is mapped to "principal.user.userid". |
| 2022-11-09 | Newly created parser. |