Package cloudflare/zerotrust Release Notes
Package cloudflare/zerotrust Release Notes Version 2.0.0
Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec
Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)
Added support for SSO action in access-requests dataset
Improved audit event categorization with view action support
Enhanced source address handling with ActorIPAddress support
Updated event outcome logic for audit events to support success/fail patterns
Added comprehensive field mappings for new datasets including process, error, DNS, and network fields
Enhanced email security alerts with attachment processing and threat categorization
Added browser isolation event processing with decision-based outcomes
Implemented workers trace event handling with exception-based outcome determination
Added SSH session tracking with start/end event types
Enhanced DEX application tests with HTTP performance metrics
Added DLP forensic copies processing with rule-based categorization
Implemented DNS firewall event handling with query type and response code processing
Added IPsec event processing with connection status tracking
Enhanced device state monitoring with network and client metrics
Updated parser version to 4.0.0
Package cloudflare/zerotrust Release Notes Version 1.6.0
Updated ECS version to 9.2.0
Enhanced field mapping with improved global field normalizations
Added support for spectrum dataset
Improved DNS answer parsing with dynamic array handling
Enhanced client, destination, and source field processing with address/IP/domain logic
Added comprehensive threat indicator confidence mapping
Improved TLS version extraction with regex patterns
Enhanced event categorization for malware detection in gateway-http
Added new fields: file.extension, email.message_id, email.reply_to.address[], rule.description, network.iana_number, destination.as.number, source.as.number, source.nat.ip, cloud.account.id, server.as.number
Updated parser version to 3.0.0
Package cloudflare/zerotrust Release Notes Version 1.5.0
Enhanced bulk log processing with improved batched event handling
Added SHA256 hash generation for batched events to track event relationships
Improved JSON parsing structure for better event separation
Updated parser version to 2.4.0
Package cloudflare/zerotrust Release Notes Version 1.4.0
Added severity mapping based on risk score
Added event.kind = alert for zone-scoped-http-requests when severity is present
Added event.action mapping from Vendor.SecurityAction
Added array deduplication for event.category[] and event.type[]
Updated email field normalization to convert all email addresses to lowercase
Enhanced DNS event action mapping to use coalesce function for better field resolution
Updated parser version to 2.3.0 and CPS version to 1.1.0
Package cloudflare/zerotrust Release Notes Version 1.3.0
Enhanced JSON parsing with excludeEmpty and handleNull options
Updated event type categorization for email security logs
Added new test cases for improved coverage
Updated parser version to 2.2.0
Package cloudflare/zerotrust Release Notes Version 1.2.3
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
Package cloudflare/zerotrust Release Notes Version 1.2.2
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.2
Package cloudflare/zerotrust Release Notes Version 1.2.1
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Package cloudflare/zerotrust Release Notes Version 1.2.0
Improved JSON parsing with support for message prefix removal
Enhanced event categorization with proper event.category and event.type arrays
Added comprehensive email attachment parsing for Area1 security logs
Improved HTTP response status code handling for better event outcome determination
Added support for bulk log processing with improved detection logic
Package cloudflare/zerotrust Release Notes Version 1.1.1
Improves the case statement to only look for fields that are not possibly null
Reassigns as.number to client.as.number and interface.id to observer.egress.interface.id to comply with ECS standards
Package cloudflare/zerotrust Release Notes Version 1.1.0
Improves field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support parser assertions in YAML files.
Adds support for Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.
Adds event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size, device.id fields and more.
Renames the parser to cloudflare-one.
Package cloudflare/zerotrust Release Notes Version 1.0.0
Adds new event.module and Cps.version fields
Removes the Product, related.user and related.ip fields
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type