Change log for BIND_DNS
Date | Changes |
---|---|
2025-06-19 | Enhancement:<br>- `event.idm.read_only_udm.additional.fields`: newly mapped the `dns_flags` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Added new grok patterns to parse additional log formats and to parse logs that were previously `GENERIC_EVENT`.<br>- Implemented conditional flag checks to determine the `event_type` mapping for `NETWORK_CONNECTION` and `STATUS_UPDATE`.<br>- Added checks to ensure `principal_machine_present` and `target_present` are only mapped to true if they are present and true in the source.<br>- Added a condition to check for the existence of the `device` field before mapping it to `_principal.hostname` and `_principal.asset.hostname`.<br>- Added a check to ensure the `_principal` local variable is not empty before renaming it to `event.idm.read_only_udm.principal`.<br>- Updated `dhcp_qtype_mapping.include`: added a condition to map `qtype_value` to `256` if the value is `TYPE256`. |
2025-05-30 | Enhancement:<br>- Modified the grok pattern to fetch `query_value` and mapped it to the `event.idm.read_only_udm.network.dns.questions.name` UDM field. |
2025-04-30 | - Added new grok patterns to parse the unparsed logs.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: newly mapped the `event_date` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: newly mapped the `edns_udp_size` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field. |
2024-11-25 | Bug fix:<br>- Changed the mapping of `client_string` from `principal.mac` to `security_result.detection_fields`.<br>- Changed the mapping of `tar_host` from `target.hostname` to `observer.hostname`.<br>- Changed the mapping of `response_ip` from `target.ip` to `observer.ip`.<br>- Mapped `query` to `target.hostname`. |
2024-10-30 | Enhancement:<br>- Mapped `mac_address` to `principal.mac` and `dns_record_type` to `security_result.detection_fields`. |
2024-07-08 | Enhancement:<br>- Added new grok patterns to parse unparsed fields in the log.<br>- Mapped `view` to `additional.fields`.<br>- Mapped `domain_name` to `network.dns.questions.type`.<br>- Mapped `src_host` to `principal.hostname`. |
2024-02-24 | Enhancement:<br>- Added new grok patterns to parse unparsed fields in the log.<br>- If `principal.hostname` is present, mapped `metadata.event_type` to `STATUS_UPDATE`.<br>- If `generic_message` is similar to `checkhints`, added a grok pattern to extract `tar_host` and `response_ip`.<br>- If `generic_message` is similar to `update` or `zone transfer`, added a grok pattern to extract `tar_host` and `action`.<br>- If `generic_message` is similar to `REFUSED unexpected RCODE`, added a grok pattern to extract `tar_host`, `src_ip`, and `src_port`.<br>- If `generic_message` is similar to `check_mk`, added a grok pattern to extract `src_app`, `src_ip`, `src_port`, `response_ip` and `response_port`. |
2024-01-30 | Enhancement:<br>- Added a new grok pattern to extract `query`. |
2023-12-20 | Enhancement:<br>- Added new grok patterns to parse new-format logs.<br>- Mapped `pid` to `principal.process.pid`.<br>- Mapped `response_ip_2` to `target.ip`.<br>- If the action value is similar to `denied` or `deny`, mapped `security_result.action` to `BLOCK`.<br>- If the action value is similar to `allowed` or `allow`, mapped `security_result.action` to `ALLOW`. |
2023-09-19 | Enhancement:<br>- Added new grok patterns to parse dropped logs. |
2023-07-10 | Enhancement:<br>- Added a new grok pattern to handle syslog-format logs. |
2022-11-16 | Enhancement:<br>- Added a new grok pattern for failing query-error logs.<br>- Updated grok patterns to parse logs that have additional data after the port number.<br>- Concatenated `query_int_1` and `query_int_2` into `query`.<br>- Mapped `dns_resp_2` and `error_loc` to `description`.<br>- Added conditions in `dhcp_qtype_mapping.include` to check for the types `TYPE0`, `TYPE65521` and `TYPE65400` and convert them to integer values. |
2022-04-22 | Enhancement:<br>- Parsed logs that failed earlier. |
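The entries above describe three recurring pieces of parser logic: grok-style patterns that pull `src_ip`, `src_port`, `query`, `qtype`, flags and `response_ip` out of BIND query-log lines, the `denied`/`deny` to `BLOCK` and `allowed`/`allow` to `ALLOW` action mapping, and the `dhcp_qtype_mapping.include` conversion of `TYPEnnn` record types to integers. The Python below is an added illustration of that logic and is not the parser's own code or anything from the Chronicle/Google SecOps project. The log lines are constructed, the regexes are my own approximation of the BIND 9 query-log and "query (cache) ... denied" layouts, and the output keys are UDM-style names chosen to follow the mappings listed in the changelog (`target.hostname`, `observer.ip`, `additional.fields` for `dns_flags`, `GENERIC_EVENT` for lines no pattern matches); the `NETWORK_CONNECTION` event type on parsed query lines is an assumption for this example, since the changelog does not spell out its conditional flag checks. It generalises the `TYPE0`, `TYPE256`, `TYPE65521`, `TYPE65400` conditions to any `TYPE<n>` mnemonic within the 16-bit range.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample lines (not taken from the page). The first two use the
# BIND 9 query-log layout behind a syslog-style category prefix; the third is
# the "query (cache) '...' denied" form emitted when a query is refused.
SAMPLE_LOGS = [
    "19-Jun-2025 10:15:02.123 queries: info: client @0x7f3c9c0a1b20 192.0.2.10#51234 "
    "(www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)",
    "19-Jun-2025 10:15:02.456 queries: info: client @0x7f3c9c0a1b20 2001:db8::10#51235 "
    "(_sip._tcp.example.com): query: _sip._tcp.example.com IN TYPE256 -E(0) (192.0.2.53)",
    "19-Jun-2025 10:15:03.001 security: info: client @0x7f3c9c0a1b20 198.51.100.7#4000 "
    "(example.org): query (cache) 'example.org/ANY/IN' denied",
]

# Pattern 1: a logged query. The "@0x..." client handle is optional because
# older BIND releases do not print it; the trailing "(server ip)" is optional too.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src_ip>[0-9a-fA-F.:]+)#(?P<src_port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<query>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+)(?: \((?P<response_ip>[0-9a-fA-F.:]+)\))?"
)
# Pattern 2: a query that hit an ACL and was refused; carries an action word.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src_ip>[0-9a-fA-F.:]+)#(?P<src_port>\d+) "
    r"\((?P<qname>[^)]*)\): query \((?:cache|hint)\) "
    r"'(?P<query>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' (?P<action>\w+)"
)

# Common mnemonics; anything else must be in the generic TYPE<n> form.
QTYPE_MNEMONICS = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
    "TXT": 16, "AAAA": 28, "SRV": 33, "ANY": 255,
}


def qtype_to_int(qtype: str) -> Optional[int]:
    """Convert a query type mnemonic or TYPE<n> token to its numeric RR type."""
    q = qtype.strip().upper()
    if q in QTYPE_MNEMONICS:
        return QTYPE_MNEMONICS[q]
    m = re.fullmatch(r"TYPE(\d+)", q)
    if m:
        n = int(m.group(1))
        return n if 0 <= n <= 65535 else None  # RR types are 16-bit
    return None


def map_action(action: Optional[str]) -> Optional[str]:
    """Mirror the changelog's action mapping; unknown words stay unmapped."""
    if action is None:
        return None
    a = action.lower()
    if a in ("denied", "deny"):
        return "BLOCK"
    if a in ("allowed", "allow"):
        return "ALLOW"
    return None


def parse_bind_line(line: str) -> Dict[str, Any]:
    """Parse one BIND log line into a flat dict of UDM-style fields."""
    m = QUERY_RE.search(line) or DENIED_RE.search(line)
    if not m:
        # Neither pattern matched: keep the line as a GENERIC_EVENT rather than drop it.
        return {"metadata.event_type": "GENERIC_EVENT", "metadata.description": line.strip()}
    g = m.groupdict()
    udm: Dict[str, Any] = {
        "metadata.event_type": "NETWORK_CONNECTION",  # assumed for this example
        "principal.ip": g["src_ip"],
        "principal.port": int(g["src_port"]),
        "target.hostname": g["query"],
        "network.dns.questions.name": g["query"],
    }
    qtype_int = qtype_to_int(g["qtype"])
    if qtype_int is not None:
        udm["network.dns.questions.type"] = qtype_int
    if g.get("response_ip"):  # only the query form carries the answering server
        udm["observer.ip"] = g["response_ip"]
    if g.get("flags"):
        udm["additional.fields"] = {"dns_flags": g["flags"]}
    action = map_action(g.get("action"))
    if action:
        udm["security_result.action"] = action
    return udm


if __name__ == "__main__":
    for raw in SAMPLE_LOGS + ["zone example.net/IN: loaded serial 2025061901"]:
        print(parse_bind_line(raw))
```

Running the block parses the three constructed lines plus one unmatched zone-load line; the last one comes back as `GENERIC_EVENT` with the raw text in `metadata.description`, which is the behaviour a parser needs before someone writes a dedicated pattern for that format.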