Change log for FIREEYE_NX

Date Changes
2025-06-05 Enhancement:
- Added Grok patterns to parse the unparsed logs.
- Added JSON block to support the new format of SYSLOG+JSON logs.
- 'event.idm.read_only_udm.metadata.event_timestamp' - Newly Mapped `timestamp` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM Field.
- 'event.idm.read_only_udm.metadata.event_type' - Newly Mapped `event_type` raw log field with `event.idm.read_only_udm.metadata.event_type` UDM Field.
- 'event.idm.read_only_udm.principal.user.userid' - Newly Mapped `user_name` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM Field.
- 'event.idm.read_only_udm.principal.hostname' and 'event.idm.read_only_udm.principal.asset.hostname' - Newly Mapped `hostname` raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM Field.
- 'event.idm.read_only_udm.principal.user.userid' - Newly Mapped `user` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM Field.
- 'event.idm.read_only_udm.target.ip' and 'event.idm.read_only_udm.target.asset.ip' - Newly Mapped `dstip` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM Field.
- 'event.idm.read_only_udm.target.file.sha1' - Newly Mapped `file_hash` raw log field with `event.idm.read_only_udm.target.file.sha1` UDM Field.
- 'event.idm.read_only_udm.target.file.sha256' - Newly Mapped `file_sha256` raw log field with `event.idm.read_only_udm.target.file.sha256` UDM Field.
- 'event.idm.read_only_udm.target.file.full_path' - Newly Mapped `file_name` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM Field.
- 'event.idm.read_only_udm.target.file.size' - Newly Mapped `size` raw log field with `event.idm.read_only_udm.target.file.size` UDM Field.
- 'event.idm.read_only_udm.principal.port' - Newly Mapped `srcports` raw log field with `event.idm.read_only_udm.principal.port` UDM Field.
- 'event.idm.read_only_udm.target.file.mime_type' - Newly Mapped `file_type` raw log field with `event.idm.read_only_udm.target.file.mime_type` UDM Field.
- 'event.idm.read_only_udm.security_result.detection_fields' - Newly Mapped `file_id`, `ba_sid`, `reqid`, `conn_count`, `failed_conn_count`, `message_id`, `app_data.service_app_id`, `accept`, `message_type`, `app_data.client_app_id`, `attackdir`, `oversize`, `smb`, `is_icap`, `ha_is_active`, `ha_is_mirror_traffic`, `is_vxlan`, `is_websocket` and `attack_time` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM Field.
- 'event.idm.read_only_udm.target.port' - Newly Mapped `dstports` raw log field with `event.idm.read_only_udm.target.port` UDM Field.
- 'event.idm.read_only_udm.principal.mac' and 'event.idm.read_only_udm.principal.asset.mac' - Newly Mapped `src_mac` raw log field with `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac` UDM Field.
- 'event.idm.read_only_udm.target.mac' and 'event.idm.read_only_udm.target.asset.mac' - Newly Mapped `dst_mac` raw log field with `event.idm.read_only_udm.target.mac` and `event.idm.read_only_udm.target.asset.mac` UDM Field.
- 'event.idm.read_only_udm.principal.application' - Newly Mapped `process` raw log field with `event.idm.read_only_udm.principal.application` UDM Field.
- 'event.idm.read_only_udm.network.ip_protocol' - Newly Mapped `protocol` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM Field.
- 'event.idm.read_only_udm.target.resource.attribute.labels' - Newly Mapped `db_action` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM Field.
- 'event.idm.read_only_udm.principal.process.pid' - Newly Mapped `pid` raw log field with `event.idm.read_only_udm.principal.process.pid` UDM Field.
- 'event.idm.read_only_udm.additional.fields' - Newly Mapped `tid`, `sa_only`, `incomplete`, `clientapp`, `is_erspan`, `thread_pool`, `updated_meas_list`, `inserted_meas_list`, `insert_count`, `update_count`, `epoch_time`, `segment_date`, `request_message_id` and `ssl_decrypted` raw log fields with `event.idm.read_only_udm.additional.fields` UDM Field.
- 'event.idm.read_only_udm.target.resource.name' - Newly Mapped `db_pool` raw log field with `event.idm.read_only_udm.target.resource.name` UDM Field.
- 'event.idm.read_only_udm.target.resource.product_object_id' - Newly Mapped `db_handler` raw log field with `event.idm.read_only_udm.target.resource.product_object_id` UDM Field.
- 'event.idm.read_only_udm.security_result.summary' - Newly Mapped `db_details` raw log field with `event.idm.read_only_udm.security_result.summary` UDM Field.
- 'event.idm.read_only_udm.security_result.severity' - Newly Mapped `log_level` raw log field with `event.idm.read_only_udm.security_result.severity` UDM Field.
- 'event.idm.read_only_udm.security_result.description' - Newly Mapped `log_message` raw log field with `event.idm.read_only_udm.security_result.description` UDM Field.
- 'event.idm.read_only_udm.target.process.command_line' - Newly Mapped `command_line` raw log field with `event.idm.read_only_udm.target.process.command_line` UDM Field.
- 'event.idm.read_only_udm.network.http.method' - Newly Mapped `http_method` raw log field with `event.idm.read_only_udm.network.http.method` UDM Field.
- 'event.idm.read_only_udm.target.url' - Newly Mapped `request_uri` raw log field with `event.idm.read_only_udm.target.url` UDM Field.
- 'event.idm.read_only_udm.network.http.referral_url' - Newly Mapped `http_referer` raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM Field.
- 'event.idm.read_only_udm.principal.ip' and 'event.idm.read_only_udm.principal.asset.ip' - Newly Mapped `srcip` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM Field.
- 'event.idm.read_only_udm.network.http.user_agent' - Newly Mapped `user_agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM Field.
- 'event.idm.read_only_udm.target.port' - Newly Mapped `http_port` raw log field with `event.idm.read_only_udm.target.port` UDM Field.
- 'event.idm.read_only_udm.target.hostname' and 'event.idm.read_only_udm.target.asset.hostname' - Newly Mapped `http_host` raw log field with `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM Field.
- 'event.idm.read_only_udm.network.received_bytes' - Newly Mapped `request_length` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM Field.
- 'event.idm.read_only_udm.network.application_protocol_version' - Newly Mapped `http_version` raw log field with `event.idm.read_only_udm.network.application_protocol_version` UDM Field.
- 'event.idm.read_only_udm.target.process.file.full_path' - Newly Mapped `binary_path` raw log field with `event.idm.read_only_udm.target.process.file.full_path` UDM Field.
- 'event.idm.read_only_udm.target.resource.name' - Newly Mapped `resource_path` raw log field with `event.idm.read_only_udm.target.resource.name` UDM Field.
- 'event.idm.read_only_udm.target.user.userid' - Newly Mapped `target_user` raw log field with `event.idm.read_only_udm.target.user.userid` UDM Field.
- 'event.idm.read_only_udm.security_result.action' - Newly Mapped `log_message` raw log field with `event.idm.read_only_udm.security_result.action` UDM Field: a message matching 'authorized' is mapped to ALLOW and a message matching 'denied' is mapped to BLOCK.
- 'event.idm.read_only_udm.intermediary.hostname' and 'event.idm.read_only_udm.intermediary.asset.hostname' - Newly Mapped `incoming_peer_name` raw log field with `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname` UDM Field.
- 'event.idm.read_only_udm.network.session_id' - Newly Mapped `incoming_session_id` and `session_id` raw log fields with `event.idm.read_only_udm.network.session_id` UDM Field.
- 'event.idm.read_only_udm.target.hostname' and 'event.idm.read_only_udm.target.asset.hostname' - Newly Mapped `client` raw log field with `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM Field.
- 'event.idm.read_only_udm.principal.group_product_object_id' - Newly Mapped `group_id` raw log field with `event.idm.read_only_udm.principal.group_product_object_id` UDM Field.
- 'event.idm.read_only_udm.target.process.pid' - Newly Mapped `target_pid` raw log field with `event.idm.read_only_udm.target.process.pid` UDM Field.
2024-10-17 Enhancement:
- Added "gsub" for "dvcmac" to parse CEF pattern logs.
2024-10-10 Enhancement:
- Added support for new pattern of CEF logs.
2022-05-18 Enhancement - The newly ingested logs have been parsed and mapped to the following fields:
'_source.alert.attack-time' mapped to 'metadata.ingested_timestamp'.
'_source.srcport' mapped to 'principal.port'.
'_source.srcipv4' mapped to 'principal.ip'.
'_source.mac' mapped to 'principal.mac'.
'_source.dstport' mapped to 'target.port'.
'_source.dstipv4' mapped to 'target.ip'.
'_source.dstmac' mapped to 'target.mac'.
'_source.alerturl' mapped to 'metadata.url_back_to_product'.
'_source.alert_product' mapped to 'metadata.product_name'.
'_source.alert_version' mapped to 'metadata.product_version'.
'_source.eventlog' mapped to 'metadata.product_name'.
'_source.virus' mapped to 'security_result.threatname'.
'_source.url' mapped to 'target.url'.
'_source.severity' mapped to 'security_result.severity'.
'_source.detect_rulematches' mapped to 'security_result.rule_id'.
'_source.alert_deviceid' mapped to 'principal.asset.asset_id'.
'_source.deviceid' mapped to 'asset.asset_id'.
'_source.devicename' mapped to 'target.asset.attribute.labels'.
'_source.domain' mapped to 'target.hostname'.
'entry.data.alert.mitre-mapping.code.id' mapped to 'security_result.rule_id'.
'entry.data.alert.mitre-mapping.code.name' mapped to 'security_result.rule_name'.
'entry.data.alert.dst.smtp-to' mapped to 'network.email.to'.
'entry.data.alert.severity' mapped to 'security_result.severity'.
'_source.action' mapped to 'security_result.action'.
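Added example, not part of the change log or of the Chronicle parser itself: a small Python re-implementation of a subset of the 2025-06-05 SYSLOG+JSON mappings above (raw field to UDM path, the `detection_fields` and `additional.fields` buckets, and the `log_message` to `security_result.action` rule), usable offline to sanity-check parser output against a sample line. The syslog line, hostname, addresses, hashes and every other value in it are constructed; the raw field names come from the change log, the UDM paths are written relative to `read_only_udm`.

```python
"""Offline check of the 2025-06-05 FIREEYE_NX SYSLOG+JSON field mappings (added example,
not the Chronicle parser; the sample line and all its values are constructed)."""
import json
import re

# Constructed sample: syslog header followed by the JSON body the parser reads.
SAMPLE_LOG = (
    "<14>Jun  5 10:22:31 nx-sensor-01 fenotify: "
    '{"timestamp":"2025-06-05T10:22:31Z","event_type":"alert","hostname":"nx-sensor-01",'
    '"srcip":"10.1.2.3","srcports":51234,"dstip":"203.0.113.9","dstports":443,'
    '"src_mac":"00:11:22:33:44:55","dst_mac":"66:77:88:99:aa:bb","protocol":"tcp","user":"jdoe",'
    '"file_hash":"da39a3ee5e6b4b0d3255bfef95601890afd80709",'
    '"file_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",'
    '"file_name":"/tmp/payload.exe","size":4096,"file_type":"application/x-dosexec",'
    '"file_id":"f-123","attackdir":"inbound","ssl_decrypted":true,'
    '"log_message":"connection authorized by policy"}'
)

# Raw field -> UDM path(s), a subset of the change-log table (paths relative to read_only_udm).
DIRECT = {
    "timestamp": ["metadata.event_timestamp"],
    "event_type": ["metadata.event_type"],
    "user": ["principal.user.userid"],
    "hostname": ["principal.hostname", "principal.asset.hostname"],
    "srcip": ["principal.ip", "principal.asset.ip"],
    "srcports": ["principal.port"],
    "src_mac": ["principal.mac", "principal.asset.mac"],
    "dstip": ["target.ip", "target.asset.ip"],
    "dstports": ["target.port"],
    "dst_mac": ["target.mac", "target.asset.mac"],
    "file_hash": ["target.file.sha1"],
    "file_sha256": ["target.file.sha256"],
    "file_name": ["target.file.full_path"],
    "size": ["target.file.size"],
    "file_type": ["target.file.mime_type"],
    "log_message": ["security_result.description"],
}
DETECTION_FIELDS = {"file_id", "ba_sid", "reqid", "conn_count", "failed_conn_count", "message_id",
                    "attackdir", "oversize", "smb", "is_icap", "is_vxlan", "is_websocket", "attack_time"}
ADDITIONAL_FIELDS = {"tid", "sa_only", "incomplete", "clientapp", "is_erspan", "thread_pool",
                     "epoch_time", "segment_date", "request_message_id", "ssl_decrypted"}
# ip and mac are repeated fields in UDM, so values accumulate into lists.
REPEATED = {"principal.ip", "principal.asset.ip", "target.ip", "target.asset.ip",
            "principal.mac", "principal.asset.mac", "target.mac", "target.asset.mac"}
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")

def _label(value):
    # detection_fields / additional.fields values are strings; JSON booleans become "true"/"false"
    return json.dumps(value) if isinstance(value, bool) else str(value)

def _set(udm, path, value):
    """Write value at a dotted UDM path, creating intermediate dicts as needed."""
    *parents, leaf = path.split(".")
    node = udm
    for p in parents:
        node = node.setdefault(p, {})
    if path in REPEATED:
        node.setdefault(leaf, []).append(value)
    else:
        node[leaf] = value

def action_from_message(msg):
    """log_message -> security_result.action: 'denied' -> BLOCK, 'authorized' -> ALLOW.
    'denied' wins and 'authorized' must be a whole word, so "unauthorized, access denied"
    yields BLOCK and "request unauthorized" yields no action rather than ALLOW."""
    m = msg.lower()
    if "denied" in m:
        return "BLOCK"
    if re.search(r"\bauthorized\b", m):
        return "ALLOW"
    return None

def parse_fireeye_nx(line):
    """Return (udm, unmapped): the UDM-shaped dict plus raw keys the table does not cover."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON body in syslog line")
    raw = json.loads(line[start:])
    udm, unmapped = {}, {}
    for key, value in raw.items():
        if key == "file_hash" and not SHA1_RE.fullmatch(str(value)):
            unmapped[key] = value  # refuse to label a non-SHA-1 value as target.file.sha1
        elif key in DIRECT:
            for path in DIRECT[key]:
                _set(udm, path, value)
        elif key == "protocol":
            _set(udm, "network.ip_protocol", str(value).upper())  # UDM enum names are upper-case
        elif key in DETECTION_FIELDS:
            udm.setdefault("security_result", {}).setdefault("detection_fields", []).append(
                {"key": key, "value": _label(value)})
        elif key in ADDITIONAL_FIELDS:
            udm.setdefault("additional", {}).setdefault("fields", {})[key] = _label(value)
        else:
            unmapped[key] = value
    if "log_message" in raw:
        action = action_from_message(str(raw["log_message"]))
        if action:
            _set(udm, "security_result.action", action)
    return udm, unmapped
```

Run `parse_fireeye_nx(SAMPLE_LOG)` and inspect the second return value: any raw key that lands in `unmapped` but appears in the change-log table is a gap between the table and the parser (or a renamed field in a new device firmware). The `file_hash` guard and the word-boundary test in `action_from_message` are this example's own choices, added because `file_hash` is mapped to `target.file.sha1` without a format check in the table, and because a naive substring match on 'authorized' would turn an "unauthorized" message into ALLOW.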