Vendor fields are now aliased to the client namespace where source was previously used, as client better describes the role of devices initiating authentication flows whereas source is intended for network details

client fields are aliased to source at the end of the parser to avoid a breaking change. This allows the source fields to be easily removed from the parser at a later date

event.dataset of duo.administrator is now assigned when Vendor.action = * AND Vendor.isotimestamp = * rather than when Vendor.description = * (as "description":null often occurs, meaning that the Vendor.description field is not created)

Categorization now matches on event.dataset first, then event.action to handle repeat event.action values across different log types (e.g., event.action of enrollment appears in both Authentication and Telephony logs)

Added use of user.target fields - with logic implemented to make sure this is only applied on applicable event

Added parsing of nested JSON in duo.activity logs from the fields: Vendor.actor.details/Vendor.target.details/Vendor.old_target.details

Removed the Host fields section for duo.authentication and duo.trustmonitor events. As auth_device is the MFA device used in the auth process - not the host on which the event happened. Also Vendor.target fields are not present in this log type. So this section was not accurate

Moved the determination of event.outcome after the default values are set in categorization - so that these default values can be overwritten when outcome information is available in the event

Updated the handling of object arrays to use objectArray:eval() instead of concatArray and splitString

Added observer.type := "identity"

Additional normalization of ECS fields

Updates to the assignment of event.category for cloudsso_update_routing_rule and user_restore events

Updated CPS version to 1.1.0

Updated ECS version to 9.0.0

Updated parser version to 3.0.0

Updated field mapping to use direct assignment instead of rename function

Updated ECS version to 8.17.0

Updated parser version to 2.1.1

Updated parser to use array:append for array declaration

Adds normalization using the Vendor.auth_device.* fields.

Updates the field mapping for Cisco Duo Authentication events. To improve the accuracy and consistency of field normalization previously mapped source.user.* fields have been updated to user.* fields. This is a breaking change and some of the search queries, dasbhboards or alers that rely on the source.user.* fields may stop working. Update all affected search queries to use user.* fields to restore functionality.

duo-authentication-json

duo-activity-json

duo-admin-json

duo-telephony-json

duo-trustmonitor-json

are deprecated and all future changes will only go into the new cisco-duo parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old parsers will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.

Vendor.access_device.browser

Vendor.access_device.browser_version

Vendor.access_device.hostname

Vendor.access_device.ip

Vendor.access_device.location.city

Vendor.access_device.location.country

Vendor.access_device.location.state

Vendor.access_device.os

Vendor.access_device.os_version

Vendor.access_device.port

Vendor.action

Vendor.action.name

Vendor.activity_id

Vendor.actor.details.group.name

Vendor.actor.key

Vendor.actor.name

Vendor.applications

Vendor.context

Vendor.description.admin_email

Vendor.description.email

Vendor.description.hostname

Vendor.description.ip_address

Vendor.description.realname

Vendor.description.uname

Vendor.description.user_agent

Vendor.email

Vendor.enabled_by.key

Vendor.enabled_by.name

Vendor.enabled_for.key

Vendor.enabled_for.name

Vendor.object

Vendor.reason

Vendor.sekey

Vendor.surfaced_auth.access_device.browser

Vendor.surfaced_auth.access_device.browser_version

Vendor.surfaced_auth.access_device.hostname

Vendor.surfaced_auth.access_device.ip

Vendor.surfaced_auth.access_device.location.city

Vendor.surfaced_auth.access_device.location.country

Vendor.surfaced_auth.access_device.location.state

Vendor.surfaced_auth.access_device.os

Vendor.surfaced_auth.access_device.os_version

Vendor.surfaced_auth.email

Vendor.surfaced_auth.reason

Vendor.surfaced_auth.user.key

Vendor.surfaced_auth.user.name

Vendor.telephony_id

Vendor.triage_event_uri

Vendor.user.key

Vendor.user.name

Vendor.username

Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

Includes improved event categorization and outcome determination.

Includes improved field normalization.

Bug fix: Sets a timestamp format to seconds for Trust Monitor authentication events.

Sets a timestamp based on the isotimestamp field for the duo-authentication-json parser.

Updates the duo-telephony-json parser to work with new log structure introduced in V2 Telephony API.

Adds new parser for Trust Monitor events.

Bug fix: Renames the Parser_version to Parser.version

Adds new event.module , event.dataset and Cps.version fields

Removes the Product , related.user and related.ip fields

Sets following tags: Cps.version , Vendor , ecs.version , event.dataset , event.kind , event.module , event.outcome , observer.type

Removes data_stream fields, since the same information is now standardized in event.dataset