Change log for ARCSIGHT_CEF
Date | Changes |
---|---|
2025-08-04 | Enhancement:
- event.idm.read_only_udm.about.ip: Removed the mapping of `dvc` to `event.idm.read_only_udm.about.ip`, because `dvc` identifies an intermediary system, not the system the event is about.
- event.idm.read_only_udm.intermediary.ip: Newly mapped the `dvc` raw log field to `event.idm.read_only_udm.intermediary.ip`.
- event.idm.read_only_udm.about.hostname: Removed the mapping of `dvchost` to `event.idm.read_only_udm.about.hostname`, because the `dvchost` value in the raw log identifies an intermediary system communicating with the host, not the system the event is about.
- event.idm.read_only_udm.intermediary.hostname: Newly mapped the `dvchost` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- event.idm.read_only_udm.principal.mac: Newly mapped the `amac` raw log field to `event.idm.read_only_udm.principal.mac`, validated with the regex `^(([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$`. Values that fail validation are preserved in `event.idm.read_only_udm.additional.fields` under the key `amac` to prevent data loss.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped the `geid` raw log field to `event.idm.read_only_udm.metadata.product_log_id`.
- event.idm.read_only_udm.additional.fields: Newly mapped the `aid` and `art` raw log fields to `event.idm.read_only_udm.additional.fields`.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped the `categorySignificance`, `categoryBehavior`, `categoryObject`, and `deviceSeverity` raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.
- event.idm.read_only_udm.security_result.outcomes: Newly mapped the `categoryOutcome` raw log field to `event.idm.read_only_udm.security_result.outcomes`.
- event.idm.read_only_udm.network.received_bytes: Added a grok pattern that accepts negative integer values and mapped the `in` raw log field to `event.idm.read_only_udm.network.received_bytes`.
- event.idm.read_only_udm.network.sent_bytes: Added a grok pattern that accepts negative integer values and mapped the `out` raw log field to `event.idm.read_only_udm.network.sent_bytes`. |
2025-06-05 | Enhancement:
- Added support to strip enclosing brackets from `event.idm.read_only_udm.metadata.product_event_type`. |
2025-03-11 | Enhancement:
- Mapped "cn3" to "network.duration.seconds".
- Mapped "PanOSTenantID" to "additional.fields".
- Added support for "User Login" events. |
2025-01-31 | Enhancement:
- Mapped "cn3" to "additional.fields".
- Mapped "PanOSCortexDataLakeTenantID" to "additional.fields". |
2025-01-17 | Enhancement:
- Mapped "target_user" to "target.user.userid".
- Mapped "principal_ip" to "principal.ip".
- Mapped "PanOSStage", "PanOSConnectionError", and "PanOSEventDetails" to "additional.fields".
- Mapped "outcome" to "security_result.action_details". |
2024-12-12 | Enhancement:
- Mapped "Name" to "additional.fields".
- Mapped "PanOSDescription" to "metadata.description".
- Mapped "PanOSSourceUser" to "principal.user.userid".
- Mapped "outcome" to "security_result.action_details".
- If "outcome" equals "success", set "security_result.action" to "ALLOW". |
2024-07-30 | Enhancement:
- Mapped "app" to "target.application".
- Mapped "flexString2", "PanOSFileHash", and "filePath" to "additional.fields".
- Mapped "threat_name" to "security_result.threat_name".
- Mapped "threat_id" to "security_result.threat_id".
- When "device_event_class_id" is not "THREAT", mapped "cat" to "additional.fields". |
2024-06-18 | Enhancement:
- Added support to parse logs that previously failed with a validation error and were left unparsed. |
2024-04-03 | Enhancement:
- Mapped "principal_ip1" to "principal.ip" and "principal.asset.ip".
- Mapped "deviceExternalId" to "about.asset.hardware.serial_number".
- When principal data and target data are present, set "metadata.event_type" to "NETWORK_CONNECTION".
- When principal data and target resource data are present, set "metadata.event_type" to "USER_RESOURCE_ACCESS".
- When only principal data is present, set "metadata.event_type" to "STATUS_UPDATE". |
2024-02-18 | Enhancement:
- Added support to parse "PAN_FIREWALL" logs.
- Set "metadata.event_type" to "NETWORK_CONNECTION" if "device_event_class_id" is one of "TRAFFIC", "THREAT", "URL", "WILDFIRE", "DATA", or "TUNNEL".
- Mapped "PanOSConfigVersion" to "security_result.detection_fields".
- Mapped "deviceOutboundInterface" and "deviceInboundInterface" to "additional.fields". |
2024-02-12 | Enhancement:
- Mapped "query" to "additional.fields".
- Added a grok pattern to parse logs in which the "query" value is "json_data". |
2023-04-27 | Enhancement:
- Mapped "proto" to "network.ip_protocol". |
2022-11-15 | Enhancement:
- Mapped "PanOSThreatCategory" to "security_result.category_details".
- Mapped "PanOSThreatID" to "security_result.threat_id".
- Mapped "PanOSContentVersion" to "security_result.detection_fields".
- Mapped "PanOSRuleUUID" to "metadata.product_log_id".
- Mapped "PanOSDestinationLocation" to "target.location.country_or_region".
- Mapped "PanOSDGHierarchyLevel1" to "security_result.detection_fields". |
2022-08-26 | Enhancement:
- Migrated the custom parsers into the default parser. |
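The mapping rules from the 2025-08-04 and 2025-06-05 entries, worked through in Python as an added example. This is illustrative code written for this page, not the Google SecOps parser, which is expressed in its own parser configuration syntax rather than Python. The sample CEF lines are constructed; the signed-integer pattern, the handling of `in`/`out` values that are not integers at all, and the choice of the CEF `name` header as the source of `product_event_type` are assumptions, and `detection_fields` is simplified to a plain dictionary.

```python
import json
import re

# Regex quoted in the 2025-08-04 entry: six colon-separated hex octets, nothing else.
MAC_RE = re.compile(r"^(([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$")
# Assumption: the "negative integer" grok pattern amounts to an optional leading minus sign.
SIGNED_INT_RE = re.compile(r"^-?\d+$")

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# Constructed sample records for this example; not captured from a real device.
SAMPLE_LINES = [
    r"CEF:0|ArcSight|Logger|7.2|100|[Connection Accepted]|3|dvc=10.0.0.5 dvchost=collector01 "
    r"amac=00:1A:2B:3C:4D:5E geid=123456789 in=-1 out=512 categoryOutcome=/Success deviceSeverity=Low",
    r"CEF:0|ArcSight|Logger|7.2|101|Policy\|Violation|5|dvc=10.0.0.6 amac=001A2B3C4D5E "
    r"in=2048 out=abc aid=agent-7 art=1722765600000",
]


def _split_header(body):
    """Split on the first seven unescaped '|' characters; the eighth part is the extension."""
    parts, start, i = [], 0, 0
    while i < len(body) and len(parts) < 7:
        if body[i] == "\\":        # skip the escaped character, whatever it is
            i += 2
            continue
        if body[i] == "|":
            parts.append(body[start:i])
            start = i + 1
        i += 1
    parts.append(body[start:])
    return parts


def parse_cef(line):
    """Parse one CEF record into (header dict, extension dict)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_header(line[len("CEF:"):])
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    # Header values escape '|' and '\' with a backslash.
    header = {k: re.sub(r"\\([\\|])", r"\1", v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext_str = parts[7]
    # Extension values may contain spaces, so slice from each key up to the next "key=" token.
    # A value that itself contains " word=" is ambiguous in CEF; this example does not resolve that.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext_str))
    ext = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_str)
        raw = ext_str[m.end():end].strip()
        ext[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)  # extension escapes '=' and '\'
    return header, ext


def normalize(header, ext):
    """Apply the mapping rules from the 2025-08-04 and 2025-06-05 entries; returns a UDM-shaped dict."""
    udm = {"metadata": {}, "principal": {}, "intermediary": {}, "network": {}, "security_result": {}}
    extra = {}  # becomes additional.fields
    # dvc/dvchost identify the device that reported the event, so they populate intermediary, never about.
    if "dvc" in ext:
        udm["intermediary"]["ip"] = [ext["dvc"]]
    if "dvchost" in ext:
        udm["intermediary"]["hostname"] = ext["dvchost"]
    # amac: accept only a canonical colon-separated MAC; keep anything else under its own key so it is not lost.
    if "amac" in ext:
        if MAC_RE.match(ext["amac"]):
            udm["principal"]["mac"] = [ext["amac"]]
        else:
            extra["amac"] = ext["amac"]
    if "geid" in ext:
        udm["metadata"]["product_log_id"] = ext["geid"]
    for key in ("aid", "art"):
        if key in ext:
            extra[key] = ext[key]
    detection = {k: ext[k] for k in ("categorySignificance", "categoryBehavior",
                                     "categoryObject", "deviceSeverity") if k in ext}
    if detection:
        udm["security_result"]["detection_fields"] = detection  # simplified to a plain dict here
    if "categoryOutcome" in ext:
        udm["security_result"]["outcomes"] = ext["categoryOutcome"]
    # in/out: a signed-integer pattern lets negative counts through instead of failing the record.
    # Assumption: a value that is not an integer at all is parked in additional.fields.
    for src, dst in (("in", "received_bytes"), ("out", "sent_bytes")):
        if src in ext:
            if SIGNED_INT_RE.match(ext[src]):
                udm["network"][dst] = int(ext[src])
            else:
                extra[src] = ext[src]
    # 2025-06-05: strip enclosing brackets. Assumption: product_event_type comes from the CEF name header.
    udm["metadata"]["product_event_type"] = header["name"].strip("[]")
    if extra:
        udm["additional"] = {"fields": extra}
    return {k: v for k, v in udm.items() if v}


def normalize_line(line):
    """Convenience wrapper: raw CEF line in, UDM-shaped dict out."""
    return normalize(*parse_cef(line))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(normalize_line(sample), indent=2))
```

Running the module prints both normalized records. The behaviour worth checking is the failure path: a malformed `amac` or a non-numeric byte count lands in `additional.fields` instead of dropping the whole event, a negative `in` still parses, and `dvc`/`dvchost` never populate `about`.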