Change log for NETSKOPE_WEBPROXY

Date Changes
2025-05-22 Enhancement:
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `_id` and `product_id` raw log fields with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.target.url`: Newly mapped `url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- `event.idm.read_only_udm.network.http.referral_url`: Newly mapped `referer` and `cs_referer` raw log fields with `event.idm.read_only_udm.network.http.referral_url` UDM field.
- `event.idm.read_only_udm.principal.administrative_domain`: Newly mapped `organization_unit` raw log field with `event.idm.read_only_udm.principal.administrative_domain` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `user_id` and `cs_username` raw log fields with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `useragent` and `cs_user_agent` raw log fields with `event.idm.read_only_udm.network.http.user_agent` UDM field.
- `event.idm.read_only_udm.network.http.parsed_user_agent`: Newly mapped `useragent` and `cs_user_agent` raw log fields with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.
- `event.idm.read_only_udm.network.session_duration.seconds`: Newly mapped `session_duration` raw log field with `event.idm.read_only_udm.network.session_duration.seconds` UDM field.
- `event.idm.read_only_udm.principal.platform_version`: Newly mapped `os_version` raw log field with `event.idm.read_only_udm.principal.platform_version` UDM field.
- `event.idm.read_only_udm.principal.platform`: Newly mapped `os` and `x_c_os` raw log fields with `event.idm.read_only_udm.principal.platform` UDM field.
- `event.idm.read_only_udm.target.user.email_addresses`: Newly mapped `ur_normalized` raw log field with `event.idm.read_only_udm.target.user.email_addresses` UDM field.
- `event.idm.read_only_udm.network.session_id`: Newly mapped `browser_session_id`, `network_session_id` and `x_cs_session_id` raw log fields with `event.idm.read_only_udm.network.session_id` UDM field.
- `event.idm.read_only_udm.security_result.threat_id`: Newly mapped `malware_id` raw log field with `event.idm.read_only_udm.security_result.threat_id` UDM field.
- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `src_location`, `src_zipcode` and `src_geoip_src` raw log fields with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.network.ip_protocol`: Newly mapped `ip_protocol` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM field.
- `event.idm.read_only_udm.principal.file.size`: Newly mapped `file_size` and `x_rs_file_size` raw log fields with `event.idm.read_only_udm.principal.file.size` UDM field.
- `event.idm.read_only_udm.target.file.mime_type`: Newly mapped `file_type` raw log field with `event.idm.read_only_udm.target.file.mime_type` UDM field.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `srcip`, `s_ip`, `c_ip` and `x_cs_src_ip` raw log fields with `event.idm.read_only_udm.principal.ip` UDM field.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `srcip`, `s_ip`, `c_ip` and `x_cs_src_ip` raw log fields with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- `event.idm.read_only_udm.principal.port`: Newly mapped `srcport` and `x_cs_src_port` raw log fields with `event.idm.read_only_udm.principal.port` UDM field.
- `event.idm.read_only_udm.principal.process.file.md5`: Newly mapped `file_md5` and `x_rs_file_md5` raw log fields with `event.idm.read_only_udm.principal.process.file.md5` UDM field.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `computer_name` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `computer_name`, `cs_dns` and `cs_host` raw log fields with `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- `event.idm.read_only_udm.principal.resource.type`: Newly mapped `device` raw log field with `event.idm.read_only_udm.principal.resource.type` UDM field.
- `event.idm.read_only_udm.principal.resource.resource_subtype`: Newly mapped `device` raw log field with `event.idm.read_only_udm.principal.resource.resource_subtype` UDM field.
- `event.idm.read_only_udm.principal.resource.id`: Newly mapped `device_sn` raw log field with `event.idm.read_only_udm.principal.resource.id` UDM field.
- `event.idm.read_only_udm.principal.location.name`: Newly mapped `src_region` and `x_c_location` raw log fields with `event.idm.read_only_udm.principal.location.name` UDM field.
- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `src_country` and `x_c_country` raw log fields with `event.idm.read_only_udm.principal.location.country_or_region` UDM field.
- `event.idm.read_only_udm.principal.location.region_coordinates.latitude`: Newly mapped `src_latitude` and `x_c_latitude` raw log fields with `event.idm.read_only_udm.principal.location.region_coordinates.latitude` UDM field.
- `event.idm.read_only_udm.principal.location.region_coordinates.longitude`: Newly mapped `src_longitude` and `x_c_longitude` raw log fields with `event.idm.read_only_udm.principal.location.region_coordinates.longitude` UDM field.
- `event.idm.read_only_udm.target.location.region_coordinates.latitude`: Newly mapped `dst_latitude` and `x_s_latitude` raw log fields with `event.idm.read_only_udm.target.location.region_coordinates.latitude` UDM field.
- `event.idm.read_only_udm.target.location.region_coordinates.longitude`: Newly mapped `dst_longitude` and `x_s_longitude` raw log fields with `event.idm.read_only_udm.target.location.region_coordinates.longitude` UDM field.
- `event.idm.read_only_udm.target.file.full_path`: Newly mapped `destination_file_path` and `dlp_file` raw log fields with `event.idm.read_only_udm.target.file.full_path` UDM field.
- `event.idm.read_only_udm.target.file.sha256`: Newly mapped `sha256` raw log field with `event.idm.read_only_udm.target.file.sha256` UDM field.
- `event.idm.read_only_udm.target.file.md5`: Newly mapped `md5` raw log field with `event.idm.read_only_udm.target.file.md5` UDM field.
- `event.idm.read_only_udm.target.location.country_or_region`: Newly mapped `dst_country` and `x_s_country` raw log fields with `event.idm.read_only_udm.target.location.country_or_region` UDM field.
- `event.idm.read_only_udm.target.location.state`: Newly mapped `x_s_region` raw log field with `event.idm.read_only_udm.target.location.state` UDM field.
- `event.idm.read_only_udm.target.location.name`: Newly mapped `dst_region` and `x_s_location` raw log fields with `event.idm.read_only_udm.target.location.name` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `dst_zipcode` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.ip`: Newly mapped `dsthost`, `dstip` and `x_cs_dst_ip` raw log fields with `event.idm.read_only_udm.target.ip` UDM field.
- `event.idm.read_only_udm.target.asset.ip`: Newly mapped `dsthost`, `dstip` and `x_cs_dst_ip` raw log fields with `event.idm.read_only_udm.target.asset.ip` UDM field.
- `event.idm.read_only_udm.target.port`: Newly mapped `dstport` and `x_cs_dst_port` raw log fields with `event.idm.read_only_udm.target.port` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `cci`, `alert_type`, `x_other_category_id`, `x_cs_userip`, `x_ssl_bypass`, `x_cs_ssl_fronting_error`, `x_cs_ssl_handshake_error`, `x_sr_ssl_handshake_error`, `x_sr_ssl_client_certificate_error`, `x_sr_ssl_malformed_ssl`, `x_s_custom_signing_ca_error`, `x_cs_ssl_engine_action`, `x_cs_ssl_engine_action_reason`, `x_sr_ssl_engine_action`, `x_sr_ssl_engine_action_reason`, `x_ssl_policy_src_ip`, `x_ssl_policy_dst_ip`, `x_ssl_policy_dst_host`, `x_ssl_policy_dst_host_source`, `x_ssl_policy_action`, `x_sr_ssl_version`, `x_sr_ssl_cipher`, `x_cs_src_ip_egress`, `x_policy_src_ip`, `x_policy_dst_ip`, `x_policy_dst_host`, `x_policy_dst_host_source`, `x_policy_justification_type`, `x_policy_justification_reason`, `x_sc_notification_name`, `x_cs_http_version`, `x_sr_dst_ip`, and `x_sr_dst_port` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.security_result.confidence_details`: Newly mapped `ccl` raw log field with `event.idm.read_only_udm.security_result.confidence_details` UDM field.
- `event.idm.read_only_udm.security_result.confidence`: Newly mapped `ccl` raw log field with `event.idm.read_only_udm.security_result.confidence` UDM field.
- `event.idm.read_only_udm.security_result.rule_type`: Newly mapped `dlp_profile_name` raw log field with `event.idm.read_only_udm.security_result.rule_type` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `policy_name`, `dlp_fingerprint_classification`, `dlp_fingerprint_match`, `dlp_fingerprint_score`, `dlp_rule_score`, `dlp_unique_count`, `acked`, `app_session_id`, `x_type`, `x_transaction_id`, `x_client_ssl_err`, `x_cs_domain_fronted_sni`, `x_cs_tunnel_id`, `x_request_id`, `x_s_zipcode`, `x_c_zipcode`, `x_c_browser`, `x_c_browser_version`, `x_c_device`, `x_cs_site`, `x_cs_page_id`, `x_cs_traffic_type`, `x_category_id`, `x_category`, `x_r_cert_valid`, `x_r_cert_expired`, `x_r_cert_untrusted_root`, `x_r_cert_incomplete_chain`, `x_r_cert_self_signed`, `x_r_cert_revoked`, `x_rs_file_type`, `x_rs_file_category`, `x_rs_file_language`, `x_r_cert_revocation_check`, `x_cs_app_category`, `x_cs_app_cci`, `x_cs_app_ccl`, `x_cs_app_tags`, `x_cs_app_suite`, `x_cs_app_instance_id`, `x_cs_app_instance_name`, `x_cs_app_instance_tag`, `x_cs_app_activity`, `x_cs_app_from_user`, `x_cs_app_to_user`, `x_cs_app_object_type`, `x_cs_app_object_name`, `x_cs_app_object_id`, `x_cs_uri_path`, `x_r_cert_mismatch`, `x_cs_access_method`, `cs_uri`, `cs_uri_port`, `cs_uri_query`, `cs_content_type` and `sc_content_type` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.target.application`: Newly mapped `app` raw log field with `event.idm.read_only_udm.target.application` UDM field.
- `event.idm.read_only_udm.extensions.auth.auth_details`: Newly mapped `access_method` raw log field with `event.idm.read_only_udm.extensions.auth.auth_details` UDM field.
- `event.idm.read_only_udm.security_result.action`: Newly mapped `action` and `x_policy_action` raw log fields with `event.idm.read_only_udm.security_result.action` UDM field.
- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped `alert_name` and `x_ssl_policy_name` raw log fields with `event.idm.read_only_udm.security_result.rule_name` UDM field.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- `event.idm.read_only_udm.security_result.description`: Newly mapped `activity` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- `event.idm.read_only_udm.security_result.category_details`: Newly mapped `appcategory`, `x_ssl_policy_categories` and `x_other_category` raw log fields with `event.idm.read_only_udm.security_result.category_details` UDM field.
- `event.idm.read_only_udm.network.received_bytes`: Newly mapped `server_bytes` and `sc_bytes` raw log fields with `event.idm.read_only_udm.network.received_bytes` UDM field.
- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped `client_bytes` and `cs_bytes` raw log fields with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- `event.idm.read_only_udm.network.sent_packets`: Newly mapped `client_packets` raw log field with `event.idm.read_only_udm.network.sent_packets` UDM field.
- `event.idm.read_only_udm.network.received_packets`: Newly mapped `server_packets` raw log field with `event.idm.read_only_udm.network.received_packets` UDM field.
2025-05-09 Enhancement:
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `timestamp` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- Added a new Grok pattern in order to parse `temp_data` raw log field.
- Added `null` check condition for `hostname` and `url` raw log fields.
- Added a new `regex` pattern for `sha256` raw log field.
2025-03-03 Enhancement:
- Mapped "x-rs-file-md5" to "principal.process.file.md5".
- Mapped "x-rs-file-size" to "principal.file.size".
2024-06-21 Enhancement:
- Added Grok to support a new log format.
2024-06-04 Enhancement:
- Added Grok to handle unparsed logs.
- Mapped "url" to "target.url".
- Mapped "appSessionId" to "network.session_id".
- Mapped "page" to "network.http.referral_url".
- Mapped "appcategory" to "security_result.category_details".
- Mapped "clientBytes" to "network.sent_bytes".
- Mapped "serverBytes" to "network.received_bytes".
- Mapped "ccl" to "security_result.confidence_details".
- Mapped "IncidentID", "applicationType", "browser", and "cci" to "security_result.detection_fields".
2024-04-22 Enhancement:
- Mapped "x-cs-app-ccl", "x-cs-app-instance-id", "x-cs-app-tags", "x-cs-app-instance-name", "x-cs-app-instance-tag", "x-cs-app-to-user", "x-cs-app-object-id" and "x-cs-app-from-user" to "additional.fields".
2024-02-26 Enhancement:
- Changed mapping of "cs-bytes" from "network.received_bytes" to "network.sent_bytes".
- Changed mapping of "sc-bytes" from "network.sent_bytes" to "network.received_bytes".
- Mapped "x-cs-app-object-name" to "additional.fields".
- Mapped "x-cs-app-from-user" to "principal.user.email_addresses".
2023-12-22 Enhancement:
- If "cs-dns" value is "null", changed "cs-host" mapping from "principal.hostname" to "target.hostname".
- Changed "cs-dns" mapping from "principal.hostname" to "target.hostname".
- If "sc-status" value is "null", mapped "rs-status" to "network.http.response_code".
- Mapped "x-cs-app" to "principal.application".
- Mapped "x-cs-src-ip-egress" to "principal.ip".
2023-12-08 Enhancement:
- Added on_error check to parse the failing logs.
- Set "metadata.vendor_name" to "Netskope" and "metadata.product_name" to "Netskope Webproxy".
- Added conditional check for "src_region", "src_country", "src_location", "dst_region", "dst_country", "dst_location" before mapping.
2023-10-09 Enhancement:
- Mapped "dvchost" to "target.hostname" if "target.hostname" is not present.
- Added a null check prior to mapping "requestClientApplication".
2023-09-12 Enhancement:
- Mapped "x-cs-dst-ip" to "target.ip".
- Mapped "x-cs-src-ip" to "principal.ip".
- Mapped "x-cs-src-port" to "principal.port".
- Mapped "x-cs-dst-port" to "target.port".
- Added on_error check for date filter.
- Added conditional checks before mapping "metadata.event_type".
2023-08-28 Enhancement:
- Mapped "cs-uri" to "additional.fields".
- Mapped "cs-uri-port" to "additional.fields".
- Mapped "x-s-zipcode" to "additional.fields".
- Mapped "x-c-zipcode" to "additional.fields".
- Mapped "x-cs-site" to "additional.fields".
- Mapped "x-category" to "additional.fields".
- Mapped "x-sr-ssl-version" to "security_result.detection_fields".
- Mapped "x-sr-ssl-cipher" to "security_result.detection_fields".
- Mapped "x-cs-src-ip-egress" to "security_result.detection_fields".
- Mapped "x-cs-userip" to "security_result.detection_fields".
- Mapped "x-cs-url" to "target.url".
- Mapped "x-cs-uri-path" to "additional.fields".
- Mapped "x-cs-app-cci" to "additional.fields".
- Mapped "x-cs-app-object-type" to "additional.fields".
- Mapped "x-rs-file-type" to "additional.fields".
- Mapped "x-rs-file-category" to "additional.fields".
2023-08-17 Enhancement:
- Added support for new JSON type log format.
2023-06-22 Enhancement:
- Added support for new SYSLOG+JSON type log format.
2023-05-30 Enhancement:
- Mapped "duser" to "target.user.email_addresses".
- Mapped "requestClientApplication" to "network.http.parsed_user_agent".
2023-02-03 Enhancement:
- Mapped "Domain" to "principal.administrative_domain".
2023-01-09 Enhancement:
- Added conditional checks for mapping different event_type based on required parameters present.
- Parsed different formats of "rt".
2022-04-06 Enhancement:
- Added mappings for new fields.
- Mapped "md5", "mwDetectionEngine", "mwProfile" and "mwType" to UDM.