Change log for SYMANTEC_EVENT_EXPORT

Date Changes
2024-12-04 Enhancement:
- Mapped "cybox.path" to "target.file.full_path".
- Mapped "cybox.size" to "target.file.size".
- Mapped "security_result.action" from "id": if "id" is "1" then "BLOCK"; if "id" is "2" then "ALLOW"; if "id" is one of "3", "4", "5", "6", "7" then "ALLOW_WITH_MODIFICATION"; if "id" is "12" then "QUARANTINE".
- Mapped "audit" to "additional.fields".
- If "policy.rulename" contains "File and Folder Access Attempts" then mapped "file.name" to "principal.file.names".
- If "device_os_type_id" is "100" then mapped "principal.platform" to "WINDOWS".
- If "device_os_type_id" is "200" then mapped "principal.platform" to "LINUX".
- If "device_os_type_id" is "300" then mapped value "SOLARIS" to "additional.fields".
- If "device_os_type_id" is "301" then mapped value "AIX" to "additional.fields".
- If "device_os_type_id" is "302" then mapped value "HP-UX" to "additional.fields".
- If "device_os_type_id" is "400" then mapped value "MACINTOSH" to "additional.fields".
- If "device_os_type_id" is "500" then mapped "principal.platform" to "IOS".
- If "device_os_type_id" is "501" then mapped "principal.platform" to "ANDROID".
- If "device_os_type_id" is "502" then mapped value "WINDOWS MOBILE" to "additional.fields".
- If "device_os_type_id" is "503" then mapped value "IPADOS" to "additional.fields".
- If "device_os_type_id" is "1001" then mapped value "OTHER" to "additional.fields".
- If "device_os_type_id" is "0" then mapped "principal.platform" to "UNKNOWN".
- Modified the mapping of "product_uid" from "metadata.product_log_id" to "target.process.pid".
- Modified the mapping of "process_id" from "target.process.pid" to "metadata.product_log_id".
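The 2024-12-04 rules above, applied to one constructed event record. This is an added illustration, not the Google SecOps parser's own code; the source and UDM field names are the ones listed in the entry, while the record contents and the key names used inside "additional.fields" ("audit", "device_os_type") are assumptions.

```python
from typing import Any

# Symantec "id" -> security_result.action, per the 2024-12-04 entry.
ACTION_BY_ID = {"1": "BLOCK", "2": "ALLOW", "12": "QUARANTINE",
                **{i: "ALLOW_WITH_MODIFICATION" for i in ("3", "4", "5", "6", "7")}}
# device_os_type_id values that land in principal.platform ...
PLATFORM_BY_OS_TYPE = {"100": "WINDOWS", "200": "LINUX", "500": "IOS",
                       "501": "ANDROID", "0": "UNKNOWN"}
# ... and those the entry only records as a value in additional.fields.
OS_LABEL_BY_OS_TYPE = {"300": "SOLARIS", "301": "AIX", "302": "HP-UX",
                       "400": "MACINTOSH", "502": "WINDOWS MOBILE",
                       "503": "IPADOS", "1001": "OTHER"}


def map_event(event: dict[str, Any]) -> dict[str, Any]:
    """Return a flat dict of UDM field paths derived from one export record."""
    udm: dict[str, Any] = {}
    cybox = event.get("cybox") or {}
    if cybox.get("path"):
        udm["target.file.full_path"] = cybox["path"]
    if cybox.get("size") is not None:
        udm["target.file.size"] = int(cybox["size"])
    action = ACTION_BY_ID.get(str(event.get("id", "")))
    if action:
        udm["security_result.action"] = action
    if event.get("audit") is not None:  # key name "audit" is an assumption
        udm.setdefault("additional.fields", {})["audit"] = event["audit"]
    rulename = (event.get("policy") or {}).get("rulename", "")
    if "File and Folder Access Attempts" in rulename and (event.get("file") or {}).get("name"):
        udm["principal.file.names"] = [event["file"]["name"]]
    os_type = str(event.get("device_os_type_id", ""))
    if os_type in PLATFORM_BY_OS_TYPE:
        udm["principal.platform"] = PLATFORM_BY_OS_TYPE[os_type]
    elif os_type in OS_LABEL_BY_OS_TYPE:  # key name "device_os_type" is an assumption
        udm.setdefault("additional.fields", {})["device_os_type"] = OS_LABEL_BY_OS_TYPE[os_type]
    # The entry swaps these two: product_uid now feeds target.process.pid,
    # process_id now feeds metadata.product_log_id.
    if event.get("product_uid") is not None:
        udm["target.process.pid"] = str(event["product_uid"])
    if event.get("process_id") is not None:
        udm["metadata.product_log_id"] = str(event["process_id"])
    return udm


# Constructed sample record, not a real Symantec export.
SAMPLE_EVENT = {
    "id": 4, "device_os_type_id": 302, "audit": {"user": "svc"},
    "cybox": {"path": "C:\\Temp\\drop.exe", "size": "4096"},
    "policy": {"rulename": "File and Folder Access Attempts - Temp"},
    "file": {"name": "drop.exe"}, "product_uid": "abc-123", "process_id": 4212,
}

if __name__ == "__main__":
    for key, value in sorted(map_event(SAMPLE_EVENT).items()):
        print(f"{key} = {value!r}")
```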
2024-11-21 Enhancement:
- Modified mappings of "severity_id".
2024-10-25 Enhancement:
- Mapped "connection.url.port" to "target.port".
- Mapped "connection.url.host" to "target.hostname" and "target.asset.hostname".
- Mapped "connection.url.domain_name" to "target.administrative_domain".
- Mapped "connection.url.text" to "target.url".
- Mapped "connection.src_name" to "target.application".
- Mapped "parent.file.md5" to "principal.process.parent_process.file.md5".
- Mapped "parent.file.sha1" to "principal.process.parent_process.file.sha1".
- Mapped "parent.file.sha256" to "principal.process.parent_process.file.sha256".
- Mapped "parent.file.folder" to "principal.process.parent_process.file.full_path".
- Mapped "parent.file.product_name", "parent.file.company_name", "parent.file.created", "parent.file.normalized_path", "parent.file.signature_company_name", "parent.file.signature_value", and "parent.file.xattributes.portal" to "principal.resource.attribute.labels".
- Mapped "parent.file.signature_value_ids" to "additional.fields".
- Mapped "parent.file.version" to "network.tls.version".
- Mapped "parent.file.signature_issuer" to "network.tls.server.certificate.issuer".
2023-11-07 Enhancement:
- Added support for SYSLOG format logs.
- Added "not null" checks to "parent.cmd_line", "parent.pid", "actor.pid", "actor.cmd_line", "device_name", "device_group", "device_os_name", "device_group", "device_domain", and "device_uid" prior to mapping them to UDM.
- Mapped "device_name" to "principal.hostname".
- Mapped "user_name" to "principal.user.user_display_name".
- Mapped "actor.user.name" to "principal.user.user_display_name".
- Mapped "actor.user.domain" to "principal.administrative_domain".
- Mapped "actor.user.sid" to "principal.user.windows_sid".
- Mapped "actor.file.size" to "principal.process.file.size".
- Mapped "device_public_ip" to "principal.ip".
- Mapped "device_networks.ipv6" to "intermediary.ip".
- Mapped "user_email" to "principal.user.email_addresses".
2022-08-19 Enhancement - Reduced Generic Event percentage.
- Mapped "type_id" to "event.idm.read_only_udm.metadata.event_type".
- Parsed logs for "type_id" = "21".