Change log for ANOMALI_IOC
Date
Changes
2024-02-09
Enhancement:
- Mapped "can_add_public_tags_label", "owner_organization_id_label", "created_by_label", "is_public_label", "is_editable_label", "rdns_label", "source_created_label", "source_modified_label", "subtype_label", "uuid_label" and "update_id_label" to "entity.additional.fields".
- Mapped "is_anonymous_label", "source_reported_confidence_label", "feed_id_label" and "threat_type_label" to "entity.metadata.threat.detection_fields".
- Mapped "obj.source" to "entity.metadata.threat.threat_feed_name".
- Mapped "obj.itype" to "entity.metadata.threat.threat_name".
- Mapped "obj.meta.severity" to "entity.metadata.threat.severity_details".
- Initialized "id_label" and "name_label" to null inside the for loop.
- Mapped "obj.threatscore" to "entity.metadata.threat.risk_score".
- If "obj.type" is "md5" or "obj.itype" is "mal_md5", then map "obj.value" to "entity.entity.file.md5" and set "entity.metadata.entity_type" to "FILE".
- If "obj.type" is "url", then map "obj.value" to "entity.entity.url".
- Mapped "obj.retina_confidence" to "entity.metadata.threat.confidence_score".
- Changed the mapping of "obj.resource_uri" from "entity.entity.url" to "entity.metadata.threat.url_back_to_product".
2024-01-25
Enhancement:
- Mapped "obj.status" to "entity.metadata.source_labels".
2024-01-19
Bug-Fix:
- Added support for the new format of unparsed JSON logs by converting them into an array.
- If "event_name" is "domain" and "shost" is not null, then set "entity.metadata.entity_type" to "DOMAIN_NAME".
2023-12-28
Enhancement:
- Mapped "obj.created_ts" to "entity.metadata.creation_timestamp" and "entity.metadata.threat.first_discovered_time".
- Mapped "obj.modified_ts" to "entity.metadata.threat.last_updated_time".
- Mapped "obj.confidence" to "entity.metadata.threat.confidence".
- Mapped "obj.tags" to "entity.metadata.source_labels".
- Mapped "obj.status" to "entity.metadata.threat.threat_status".
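The mappings above describe parser behaviour declaratively; the following is an added example, not the Google SecOps ANOMALI_IOC parser itself, that applies the same rules in Python so the two edge cases can be exercised directly: the 2024-02-09 entity-type logic (md5/mal_md5 becomes a FILE entity, url goes to entity.entity.url with no entity_type) and the 2024-01-19 fix that accepts a bare JSON object as well as an array. It assumes a simplified UDM shape (nested dicts, label fields as key/value pairs), treats obj.type "domain" as the stand-in for the parser-internal "event_name"/"shost" check, and uses constructed sample records rather than real feed data.

```python
"""Added example (not the ANOMALI_IOC parser itself): apply the change-log
mappings to Anomali ThreatStream IOC JSON and emit a UDM-style entity dict.
Assumptions: UDM modelled as nested dicts, label fields as {"key","value"} pairs,
and a "domain" record identified by obj.type (event_name/shost are parser-internal)."""
from __future__ import annotations

import json
from typing import Any

# Keys the 2024-02-09 entry routes to entity.additional.fields ...
ADDITIONAL_FIELD_KEYS = ("can_add_public_tags", "owner_organization_id", "created_by",
                         "is_public", "is_editable", "rdns", "source_created",
                         "source_modified", "subtype", "uuid", "update_id")
# ... and to entity.metadata.threat.detection_fields.
DETECTION_FIELD_KEYS = ("is_anonymous", "source_reported_confidence", "feed_id", "threat_type")

# Straight copies from the IOC object into entity.metadata.threat.
THREAT_COPIES = (("source", "threat_feed_name"), ("itype", "threat_name"),
                 ("threatscore", "risk_score"), ("retina_confidence", "confidence_score"),
                 ("confidence", "confidence"), ("status", "threat_status"),
                 ("resource_uri", "url_back_to_product"),
                 ("created_ts", "first_discovered_time"), ("modified_ts", "last_updated_time"))


def to_records(raw: str) -> list[dict[str, Any]]:
    """2024-01-19 fix: accept a bare JSON object as well as an array of objects."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list) or not all(isinstance(o, dict) for o in data):
        raise ValueError("expected a JSON object or an array of objects")
    return data


def _labels(obj: dict[str, Any], keys: tuple[str, ...]) -> list[dict[str, str]]:
    """Emit labels only for keys present on this record, so nothing stale carries
    over between records (the change log's "initialize to null" rule)."""
    return [{"key": k, "value": str(obj[k])} for k in keys if obj.get(k) is not None]


def map_ioc(obj: dict[str, Any]) -> dict[str, Any]:
    """Map one IOC object; every call builds fresh dicts, so per-record state
    never leaks between iterations of the caller's loop."""
    threat: dict[str, Any] = {dst: obj[src] for src, dst in THREAT_COPIES
                              if obj.get(src) is not None}
    severity = (obj.get("meta") or {}).get("severity")
    if severity is not None:
        threat["severity_details"] = severity
    threat["detection_fields"] = _labels(obj, DETECTION_FIELD_KEYS)

    metadata: dict[str, Any] = {"threat": threat}
    if obj.get("created_ts") is not None:
        metadata["creation_timestamp"] = obj["created_ts"]
    # Tag names (assumed {"id", "name"} objects; plain strings also accepted)
    # and the status string both land in source_labels.
    labels: list[str] = []
    for tag in obj.get("tags") or []:
        name = tag.get("name") if isinstance(tag, dict) else tag
        if name:
            labels.append(str(name))
    if obj.get("status") is not None:
        labels.append(str(obj["status"]))
    if labels:
        metadata["source_labels"] = labels

    entity: dict[str, Any] = {}
    ioc_type, itype, value = obj.get("type"), obj.get("itype"), obj.get("value")
    if value is not None:
        if ioc_type == "md5" or itype == "mal_md5":
            entity["file"] = {"md5": value}
            metadata["entity_type"] = "FILE"
        elif ioc_type == "url":
            entity["url"] = value            # the change log sets no entity_type here
        elif ioc_type == "domain":           # assumed stand-in for event_name == "domain"
            entity["hostname"] = value
            metadata["entity_type"] = "DOMAIN_NAME"

    return {"entity": {"metadata": metadata, "entity": entity,
                       "additional": {"fields": _labels(obj, ADDITIONAL_FIELD_KEYS)}}}


def normalize(raw: str) -> list[dict[str, Any]]:
    return [map_ioc(o) for o in to_records(raw)]


# Constructed sample input (not real feed data): an array with an MD5 and a URL record ...
SAMPLE_BATCH = json.dumps([
    {"id": 1, "type": "md5", "itype": "mal_md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
     "source": "example-feed", "confidence": 70, "retina_confidence": 65, "threatscore": 55,
     "status": "active", "tags": [{"id": 9, "name": "demo"}], "meta": {"severity": "high"},
     "feed_id": 7, "threat_type": "malware", "uuid": "0000-demo", "is_public": False,
     "created_ts": "2024-01-01T00:00:00.000Z", "modified_ts": "2024-01-02T00:00:00.000Z",
     "resource_uri": "/api/v2/intelligence/1/"},
    {"id": 2, "type": "url", "itype": "mal_url", "value": "http://example.invalid/dl",
     "source": "example-feed", "status": "inactive"},
])
# ... and the single bare-object form that the 2024-01-19 fix wraps into an array.
SAMPLE_SINGLE = json.dumps({"id": 3, "type": "domain", "itype": "c2_domain",
                            "value": "c2.example.invalid", "source": "example-feed"})

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_BATCH) + normalize(SAMPLE_SINGLE), indent=2))
```

Running the module prints the three normalized entities; the md5 record carries both entity.entity.file.md5 and entity_type FILE, the url record carries only entity.entity.url, and the bare domain object is accepted without an enclosing array.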
Last updated 2025-08-29 UTC.