Package zscaler/internet-access Release Notes
Package zscaler/internet-access Release Notes Version 1.3.3
Migrated from manual array element declaration (e.g. event.category[0] := "value") to the array:append() function (e.g. array:append(array="event.category[]", values=["values"])). This ensures that manually declared array elements do not collide with each other.
Package zscaler/internet-access Release Notes Version 1.3.2
Bug fix: url.domain is now parsed from the hostname field.
Package zscaler/internet-access Release Notes Version 1.3.1
Updated the parser to replace any backslash present in the logs with its hex value. This change was made because parseJson() threw errors whenever a "\" appeared anywhere in the JSON.
Updated the event.type and event.category values for alerts to correctly reflect ECS standards.
Package zscaler/internet-access Release Notes Version 1.3.0
The parser has been improved to handle field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.clt_sip) and a CPS field (e.g. source.ip). If the values of two such fields are byte-for-byte identical, the updated parser no longer preserves the vendor-specific field, only the CPS field. If the values differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the updated parser:
Vendor.ClientIP
Vendor.action
Vendor.actiontaken
Vendor.adminid
Vendor.clientip
Vendor.clt_sip
Vendor.clt_sport
Vendor.company
Vendor.contenttype
Vendor.csip
Vendor.csport
Vendor.destcountry
Vendor.destinationip
Vendor.destinationport
Vendor.dns_req
Vendor.dns_reqtype
Vendor.dns_resp
Vendor.elogin
Vendor.event
Vendor.eventreason
Vendor.filename
Vendor.filesource
Vendor.filesubtype
Vendor.filetype
Vendor.filetypename
Vendor.fullurl
Vendor.hostname
Vendor.inbytes
Vendor.location
Vendor.login
Vendor.nwapp
Vendor.outbytes
Vendor.owner
Vendor.policy
Vendor.reason
Vendor.recordid
Vendor.refererURL
Vendor.requestmethod
Vendor.requestsize
Vendor.responsesize
Vendor.riskscore
Vendor.rulelabel
Vendor.rulename
Vendor.ruletype
Vendor.rxbytes
Vendor.sdip
Vendor.sdport
Vendor.serverip
Vendor.sourceip
Vendor.sourceport
Vendor.srv_dip
Vendor.srv_dport
Vendor.status
Vendor.threatname
Vendor.txbytes
Vendor.url
Vendor.user
Adds support for bulk event processing.
Categorizes threat events.
Updates the dashboards and saved queries to utilize normalized fields.
Bumps the ecs.version to 8.16.0.
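The two parser behaviours described in the 1.3.1 and 1.3.0 notes above, rewriting JSON-breaking backslashes before parsing and dropping a Vendor.* field when it is byte-for-byte identical to its CPS counterpart, as an added Python illustration. This is not the package's own LogScale parser code. The %5C hex token, the field mapping other than clt_sip to source.ip, and the sample log line are assumptions constructed for the example; this variant also goes slightly further than the note by leaving valid JSON escapes untouched.

```python
import json
import re
from typing import Callable, Dict, Tuple

# A literal backslash that does not begin a valid JSON escape (\" \\ \/ \b \f \n \r \t \u)
# is what makes a JSON parser reject the record.
_INVALID_ESCAPE = re.compile(r'\\(?!["\\/bfnrtu])')


def sanitize_backslashes(raw: str, hex_token: str = "%5C") -> str:
    """Rewrite backslashes that would break JSON parsing to a hex token.

    Assumption: the token is the URL-encoded hex form %5C; the release note only
    says "HEX value". Valid JSON escapes are left alone so they still decode.
    """
    return _INVALID_ESCAPE.sub(hex_token, raw)


# Assumed vendor-field -> (CPS field, normaliser) mapping. Only clt_sip -> source.ip
# appears in the release notes; the other entries are illustrative.
VENDOR_TO_CPS: Dict[str, Tuple[str, Callable[[str], str]]] = {
    "clt_sip":   ("source.ip",        str),
    "clt_sport": ("source.port",      str),
    "srv_dip":   ("destination.ip",   str),
    "srv_dport": ("destination.port", str),
    "hostname":  ("url.domain",       str.lower),
    "url":       ("url.original",     str),
}


def normalise(data: Dict[str, object]) -> Dict[str, str]:
    """Copy every raw key under Vendor.* and derive the CPS field where a mapping exists."""
    fields: Dict[str, str] = {}
    for key, value in data.items():
        text = str(value)
        fields[f"Vendor.{key}"] = text
        if key in VENDOR_TO_CPS:
            cps_key, fn = VENDOR_TO_CPS[key]
            fields[cps_key] = fn(text)
    return fields


def dedupe_vendor_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Drop Vendor.x when its value is byte-for-byte identical to the mapped CPS field;
    keep both when they differ (here: url.domain is lower-cased, Vendor.hostname is not)."""
    out = dict(fields)
    for key, (cps_key, _) in VENDOR_TO_CPS.items():
        vendor_key = f"Vendor.{key}"
        if vendor_key in out and cps_key in out and out[vendor_key] == out[cps_key]:
            del out[vendor_key]
    return out


def parse_event(raw: str) -> Dict[str, str]:
    """Sanitise -> parse JSON -> normalise -> deduplicate, the order the notes imply."""
    return dedupe_vendor_fields(normalise(json.loads(sanitize_backslashes(raw))))


# Constructed sample line (not real Zscaler output): the URL carries literal backslashes
# that are not valid JSON escapes, and the hostname has mixed case.
SAMPLE_LINE = (
    r'{"clt_sip":"10.1.2.3","clt_sport":51234,"srv_dip":"203.0.113.7",'
    r'"srv_dport":443,"hostname":"Example.TEST","url":"example.test\path\dir"}'
)

if __name__ == "__main__":
    for name, value in sorted(parse_event(SAMPLE_LINE).items()):
        print(f"{name} = {value}")
```

Running the block prints only source.ip, source.port, destination.ip, destination.port and url.original for the identical pairs, while both Vendor.hostname and url.domain survive because lower-casing made them differ; without sanitize_backslashes the same line would be rejected by json.loads on the "\p" sequence.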
Package zscaler/internet-access Release Notes Version 1.2.0
Implements base64 decoding for the Vendor.url and url.path fields.
Corrects event categorization for event.category, which was incorrectly assigned as "admin" instead of "configuration" for zia.admin events.
Renames the dns.answers.name field to dns.answers[0].name to comply with CPS standard.
Package zscaler/internet-access Release Notes Version 1.1.0
Consolidates the dedicated parsers for ZIA feeds into one parser. *This is a breaking change, as it required renaming source fields*. When you install the latest version, search queries that rely on the Vendor-specific fields might stop working.
Bumps the minimum LogScale version to 1.142 to support assertions in YAML files.
Improves the field extraction and performance.
Extends parser to normalize Audit, Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) events.
Adds new fields: event.id, source.geo.name.
Package zscaler/internet-access Release Notes Version 1.0.1
Updates dashboards and saved queries to use event.dataset and event.action instead of type and Vendor.action fields respectively.
Package zscaler/internet-access Release Notes Version 1.0.0
Adds new event.module, event.dataset and Cps.version fields.
Removes the Product, related.ip, related.user and related.host fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Bumps the parser version to 1.0.0.
Bumps ecs.version to 8.11.0.
Package zscaler/internet-access Release Notes Version 0.2.0
Changes the firewall, dns, tunnel, and web parsers to normalise event data to the common schema.
Adds new dashboards and queries for working with web-logs.
Removes CASB parser, and old queries and dashboards from the package. To keep those, stay on the old version of the package.
Bumps minimum supported version of LogScale for the package to 1.102.