Change log for ARBOR_SIGHTLINE

UDM field paths in the table are given relative to `event.idm.read_only_udm`.

| Date | Changes |
|---|---|
| 2025-04-22 | Added Grok patterns to support the new format of SYSLOG logs. |
| | Mapped the following raw log fields to `additional.fields`: `msg1`, `config_version`, `old_bgp_attributes`, `new_bgp_attributes`, `reason`, `sample_rate`, `flows`, `identifier`, `expected_bps`, `actual_bps`, `server`, `status`, `percent`, `rate`, `rateunit`, `flags`, `router`, `interface`, `ip_ver`, `protocol_id`, `router_name`, `interface_id`, `interface_name`. |
| | Mapped `prin_user` to `principal.user.userid`. |
| | Mapped `proto` to `network.ip_protocol` if `proto` is equal to "6"; otherwise mapped `proto` to `additional.fields`. |
| | Mapped `bytes` to `network.sent_bytes` and `packets` to `network.sent_packets`. |
| | Mapped `network_protocol` to `network.ip_protocol`. |
| | Mapped `prin_url` to `principal.url`. |
| | Mapped `src_port` to `principal.port`, `dst_port` to `target.port` and `dst_ip` to `target.ip`. |
| | Mapped `severity` to `security_result.severity`: if `severity` is "9" or "10", `security_result.severity` is set to "INFORMATIONAL"; if "7" or "8", to "LOW"; if "6", to "MEDIUM"; if "4" or "5", to "HIGH"; if "1", "2" or "3", to "CRITICAL". |
| | `NETWORK_CONNECTION`: Added support for the event `NETWORK_CONNECTION` when either `src_ip` is not empty and `has_target_ip` is "true", or when `src_ip` is not empty, `has_target_ip` is "true", and `has_network_protocol` is "true". |
| | `STATUS_UPDATE`: Modified the support for the event `STATUS_UPDATE` if `src_ip` is not empty. |
| 2024-04-22 | Added support for new fields. |
| 2022-12-16 | Mapped "Active/Cleared" to `security_result.threat_status`. |
| 2022-11-16 | Enhancement: added `"timezone"="Europe/London"` so that dates are parsed in BST. |
| 2022-11-04 | Added a grok pattern to parse syslog logs. |
| | Mapped `intem_host` to `target.group.product_object_id`. |
| | Mapped `alert_id` and `parent_managed_object` to `security_result.detection_fields`. |
| | When `message` is equal to "Host Detection", mapped `metadata.product_event_type` to "Host Detection"; when `message` is "started", to "TMS Mitigation started"; when `message` is "stopped", to "TMS Mitigation stopped". |
| 2022-10-12 | Newly created parser. |
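The 2025-04-22 rules for `severity`, `proto` and event-type selection, written out as a small Python normaliser so they can be unit-tested against sample records; this is an added example, not the ARBOR_SIGHTLINE parser itself. It assumes the input is a dict of already-grokked raw fields, that `has_target_ip` is derived from `dst_ip` being present, and that IANA protocol number 6 is rendered as "TCP".

```python
# Added example (not the Chronicle parser): the severity, `proto` and
# event-type rules from the 2025-04-22 entry as a testable normaliser.
# Assumptions: raw fields arrive as a dict; `has_target_ip` means `dst_ip`
# is present; IANA protocol 6 is written as "TCP" in network.ip_protocol.

SEVERITY_MAP = {  # Sightline numeric severity -> UDM security_result.severity
    "10": "INFORMATIONAL", "9": "INFORMATIONAL",
    "8": "LOW", "7": "LOW",
    "6": "MEDIUM",
    "5": "HIGH", "4": "HIGH",
    "3": "CRITICAL", "2": "CRITICAL", "1": "CRITICAL",
}

# Raw fields the change log routes to additional.fields unconditionally.
ADDITIONAL = ("msg1", "config_version", "old_bgp_attributes", "new_bgp_attributes",
              "reason", "sample_rate", "flows", "identifier", "expected_bps",
              "actual_bps", "server", "status", "percent", "rate", "rateunit",
              "flags", "router", "interface", "ip_ver", "protocol_id",
              "router_name", "interface_id", "interface_name")

DIRECT = (("prin_user", "principal.user.userid"), ("prin_url", "principal.url"),
          ("src_port", "principal.port"), ("dst_port", "target.port"),
          ("dst_ip", "target.ip"), ("bytes", "network.sent_bytes"),
          ("packets", "network.sent_packets"))


def normalise(raw):
    """Return a flat dict of UDM paths (relative to read_only_udm) for one record."""
    udm = {"additional.fields": {k: raw[k] for k in ADDITIONAL if k in raw}}
    for src, dst in DIRECT:
        if src in raw:
            udm[dst] = raw[src]
    # proto: only TCP (6) is promoted to network.ip_protocol; any other value
    # is kept verbatim in additional.fields so nothing is silently dropped.
    proto = raw.get("proto")
    if proto == "6":
        udm["network.ip_protocol"] = "TCP"
    elif proto is not None:
        udm["additional.fields"]["proto"] = proto
    if "severity" in raw:
        level = SEVERITY_MAP.get(raw["severity"])
        if level is None:  # example's choice: keep out-of-range values visible
            udm["additional.fields"]["severity"] = raw["severity"]
        else:
            udm["security_result.severity"] = level
    # Event type: NETWORK_CONNECTION needs a source and a target IP; a bare
    # source IP yields STATUS_UPDATE, as the change log states.
    if raw.get("src_ip"):
        udm["metadata.event_type"] = "NETWORK_CONNECTION" if raw.get("dst_ip") else "STATUS_UPDATE"
    return udm
```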