Change log for WORKSPACE_ACTIVITY

Date Changes
2024-11-22 - Mapped "from_header_address" raw log field to "network.email.from" UDM field.
- Mapped "actor.email" raw log field to "network.email.to" UDM field
2024-10-18 - Mapped "message_info.post_delivery_info.action_type" raw log field to "about.labels[post_delivery_action_type]" UDM field.
- Mapped "message_info.post_delivery_info.interaction.link_url" raw log field to "about.url" UDM field
2024-09-17 - Mapped each email address of raw log field "resource_recipients" separately to "principal.user.email_addresses" UDM field.
2024-09-17 - Mapped each email address of raw log field "resource_recipients" separately to "principal.user.email_addresses" UDM field.
2024-09-09 - Updated mapping of field "from_header_address" to "principal.network.email.from".
2024-07-26 - Added support to parse the logs having "events" marked as hidden and the logs that are out of scope parsed as GENERIC_EVENT.
2024-06-05 - Added support for "access_url", "access_item_content", and "sheets_import_url" events.
2024-05-15 - Added additional mapping for "target_user" field.
- Added support for "team_drive_settings_change", "presentation_stopped", and "content_unmatched" events.
- Added support for "BLOCKED_API_ACCESS" and "MONITOR_MODE_ACCESS_DENY_EVENT" events.
- Added support of field "TAB_URL" for event "MALWARE_TRANSFER".
2024-05-09 - Added support for logs of applicationName "google_meet".
2024-05-08 - Added support for "team_drive_membership_change", "change_owner_hierarchy_reconciled", and "publish_new_version" events.
- Added support of field "file_name" for Gmail logs.
2024-03-06 - Added support for "call_ended", "presentation_started", and "invitation_sent" events.
- Mapped "login_challenge_method" count to "security_result.detection_fields".
- Handled different timestamp format.
- Update mapping of actor.profileId field to noun.user.product_object_id.
- Added support of new events "DELETE_GROUP", "SECURITY_CENTER_RULE_THRESHOLD_TRIGGER", "RELEASE_FROM_QUARANTINE" and "deny".
2023-12-13 Added support for "ADD_TO_BLOCKED_OAUTH2_APPS", "ADD_TO_TRUSTED_OAUTH2_APPS",
"UPDATE_ACCESS_LEVEL_V2", "sharing_blocked", "UPDATE_AUTO_PROVISIONED_USER",
"SECURITY_INVESTIGATION_EXPORT_QUERY", and "SECURITY_INVESTIGATION_ACTION_CANCELLATION" events.
2023-11-29 - Added support for "email_collaborators", "message_deleted" and "unsubscribe_via_mail" events.
- Added additional mappings for deprecated labels.
2023-11-01 1. Added support for "download_forms_response", "ACTION_REQUESTED", "change_email_subscription_type", and "reaction_added" events.
2. Updated mapping of field "target" for "applicationName"="drive" to "target.user.email_addresses".
3. Enhancement to use "base64" hex decode function to parse IP addresses.
2023-10-04 Added support for "invitation_sent", "SECURITY_INVESTIGATION_ACTION_COMPLETION",
"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING" and "DELETE_GMAIL_SETTING" events.
2023-09-20 Added logic to map "actor.key" to "noun.user.userid" where "actor.callType" is "KEY".
2023-09-06 Added support for new events.
2023-08-24 Modified the logic to parse "TARGET_USER_EMAIL" field for events.name "CHANGE_USER_ACCESS".
2023-08-23 Modified logic for "events.name=CHROME_OS_LOGIN_EVENT".
2023-08-09 1. Added support for GMAIL_LOGS.
2. Added support for events "CHANGE_EMAIL_SETTING",
"SECURITY_INVESTIGATION_ACTION",
"SECURITY_INVESTIGATION_OBJECT_CREATE_DRAFT_INVESTIGATION",
"REMOVE_GROUP_MEMBER",
"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", "UPDATE_GROUP_MEMBER",
and "SECURITY_CHART_DRILLDOWN".
2023-07-26 Added support for events "label_applied", "risky_sensitive_action_blocked",
"ALERT_CENTER_LIST_FEEDBACK", "ALERT_CENTER_GET_SIT_LINK",
"ALERT_CENTER_LIST_CHANGE", "ALERT_CENTER_LIST_RELATED_ALERTS",
"EMAIL_LOG_SEARCH", "SECURITY_INVESTIGATION_QUERY", "CHANGE_GROUP_SETTING",
"ADD_GROUP_MEMBER", "CREATE_GROUP", "USER_LICENSE_ASSIGNMENT",
"USER_LICENSE_REVOKE", and "blocked_sender".
2023-07-12 - Added support of event "label_field_value_changed" for "applicationName=rules".
2023-06-14 1. Additional mapping of "actor.email" field with "security_result.about.email" UDM field.
2. Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".
2023-05-31 1. Added support of events "ASSIGN_ROLE", "CREATE_ROLE" for "applicationName=admin" and "events.type = DELEGATED_ADMIN_SETTINGS".
2. Added support of events "AUTHORIZE_API_CLIENT_ACCESS" for "applicationName=admin" and "events.type = DOMAIN_SETTINGS".
3. Added support of events "ALERT_CENTER_VIEW" for "applicationName=admin" and "events.type = ALERT_CENTER".
4. Added support of events "risky_sensitive_action_allowed" for "applicationName=login" and "events.type = login".
5. Modified logic for "USER_LOGIN" events.
2023-05-29 Update mapping of "actor" field for "USER_LOGIN" and "USER_LOGOUT" events.
2023-04-12 Promoted WORKSPACE_ACTIVITY parser to default.
For the field mapping reference, see Collect Google Workspace logs.