Enhanced email security alert filtering to only generate alerts for malicious, suspicious, or spoof dispositions

Added threat technique name mapping from ThreatCategories for email security alerts

Improved event categorization for email security with separate handling for threat techniques vs general emails

Updated WAF alert generation to trigger only when severity indicates likely attack or attack (severity <= 50)

Updated parser version to 4.2.0

Modified risk score to severity mapping: 1-20 (severity 70), 21-50 (severity 50), 51-80 (severity 30), 81-100 (severity 10)

Updatedparser version to 4.1.0

Added support for new datasets: email-security-alerts, browser-isolation, sinkhole-http, warp-changes, ssh, dex-application-tests, dlp-forensic-copies, dns-firewall, workers-trace, dex-device-state, ipsec

Enhanced timestamp parsing with additional timestamp fields (EventTimestampMs, ActionTimestamp)

Added support for SSO action in access-requests dataset

Improved audit event categorization with view action support

Enhanced source address handling with ActorIPAddress support

Updated event outcome logic for audit events to support success/fail patterns

Added comprehensive field mappings for new datasets including process, error, DNS, and network fields

Enhanced email security alerts with attachment processing and threat categorization

Added browser isolation event processing with decision-based outcomes

Implemented workers trace event handling with exception-based outcome determination

Added SSH session tracking with start/end event types

Enhanced DEX application tests with HTTP performance metrics

Added DLP forensic copies processing with rule-based categorization

Implemented DNS firewall event handling with query type and response code processing

Added IPsec event processing with connection status tracking

Enhanced device state monitoring with network and client metrics

Updated parser version to 4.0.0

Updated ECS version to 9.2.0

Enhanced field mapping with improved global field normalizations

Added support for spectrum dataset

Improved DNS answer parsing with dynamic array handling

Enhanced client, destination, and source field processing with address/IP/domain logic

Added comprehensive threat indicator confidence mapping

Improved TLS version extraction with regex patterns

Enhanced event categorization for malware detection in gateway-http

Added new fields: file.extension, email.message_id, email.reply_to.address[], rule.description, network.iana_number, destination.as.number, source.as.number, source.nat.ip, cloud.account.id, server.as.number

Updated parser version to 3.0.0

Enhanced bulk log processing with improved batched event handling

Added SHA256 hash generation for batched events to track event relationships

Improved JSON parsing structure for better event separation

Updated parser version to 2.4.0

Added severity mapping based on risk score

Added event.kind = alert for zone-scoped-http-requests when severity is present

Added event.action mapping from Vendor.SecurityAction

Added array deduplication for event.category[] and event.type[]

Updated email field normalization to convert all email addresses to lowercase

Enhanced DNS event action mapping to use coalesce function for better field resolution

Updated parser version to 2.3.0 and CPS version to 1.1.0

Enhanced JSON parsing with excludeEmpty and handleNull options

Updated event type categorization for email security logs

Added new test cases for improved coverage

Updated parser version to 2.2.0

Fixed handling of PROXY_CONN_REFUSED connection close reason

Improved bulk log processing by removing trailing newline characters

Updated parser version to 2.1.3

Fixed email attachment parsing by properly dropping temporary arrays

Updated ECS version to 8.17.0

Updated parser version to 2.1.2

Fixed email attachment parsing by properly dropping temporary arrays

Updated ECS version to 8.17.0

Updated parser version to 2.1.1

Improved JSON parsing with support for message prefix removal

Enhanced event categorization with proper event.category and event.type arrays

Added comprehensive email attachment parsing for Area1 security logs

Improved HTTP response status code handling for better event outcome determination

Added support for bulk log processing with improved detection logic

Improves the case statement to only look for fields that are not possibly null

Reassigns as.number to client.as.number and interface.id to observer.egress.interface.id to comply with ECS standards

Improves the field extraction and performance.

Bumps the minimum LogScale version to 1.142 to support parser assertions in yaml files.

Adds support of Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.

Adds event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size, file.sizefile.size, device.id fields and more.

Renames the parser to cloudflare-one.

Adds new event.module and Cps.version fields

Removes the Product, related.user and related.ip fields

Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type