Change log for ARCSIGHT_CEF
| Date | Changes |
|---|---|
| 2025-06-05 | Enhancement:
- Added support to remove unnecessary brackets from `event.idm.read_only_udm.metadata.product_event_type`. |
| 2025-03-11 | Enhancement:
- Mapped "cn3" to "network.duration.seconds". - Mapped "PanOSTenantID" to "additional.fields". - Added support for "User Login" events. |
| 2025-01-31 | Enhancement:
- Mapped "cn3" to "additional.fields". - Mapped "PanOSCortexDataLakeTenantID" to "additional.fields". |
| 2025-01-17 | Enhancement:
- Mapped "target_user" to "target.user.userid". - Mapped "principal_ip" to "principal.ip". - Mapped "PanOSStage", "PanOSConnectionError", and "PanOSEventDetails" to "additional.fields". - Mapped "outcome" to "security_result.action_details". |
| 2024-12-12 | Enhancement:
- Mapped "Name" to "additional.fields". - Mapped "PanOSDescription" to "metadata.description". - Mapped "PanOSSourceUser" to "principal.user.userid". - Mapped "outcome" to "security_result.action_details". - If "outcome" equals "success", mapped "security_result.action" to "ALLOW". |
| 2024-07-30 | Enhancement:
- Mapped "app" to "target.application". - Mapped "flexString2", "PanOSFileHash", and "filePath" to "additional.fields". - Mapped "threat_name" to "security_result.threat_name". - Mapped "threat_id" to "security_result.threat_id". - When "device_event_class_id" is not "THREAT", then mapped "cat" to "additional.fields". |
| 2024-06-18 | Enhancement:
- Added support to parse unparsed logs failing due to validation error. |
| 2024-04-03 | Enhancement:
- Mapped "principal_ip1" to "principal.ip" and "principal.asset.ip". - Mapped "deviceExternalId" to "about.asset.hardware.serial_number". - When principal data and target data is present, then set "metadata.event_type" to "NETWORK_CONNECTION". - When principal data and target resource data is present, then set "metadata.event_type" to "USER_RESOURCE_ACCESS". - When principal data is present, then set "metadata.event_type" to "STATUS_UPDATE". |
| 2024-02-18 | Enhancement -
- Added support to parse "PAN_FIREWALL" logs. - Mapped "metadata.event_type" to "NETWORK_CONNECTION" if "device_event_class_id" is in "TRAFFIC", "THREAT", "URL", "WILDFIRE", "DATA", "TUNNEL". - Mapped "PanOSConfigVersion" to "security_result.detection_fields". - Mapped "deviceOutboundInterface", "deviceInboundInterface" to "additional.fields". |
| 2024-02-12 | Enhancement -
- Mapped "query" to "additional fields". - Added a Grok pattern to parse logs with query value "json_data". |
| 2023-04-27 | Enhancement -
- Mapped "proto" to "network.ip_protocol". |
| 2022-11-15 | Enhancement -
- Mapped "PanOSThreatCategory" to "security_result.category_details". - Mapped "PanOSThreatID" to "security_result.threat_id", - Mapped "PanOSContentVersion" to "security_result.detection_fields". - Mapped "PanOSRuleUUID" to "metadata.product_log_id". - Mapped "PanOSDestinationLocation" to "target.location.country_or_region". - Mapped "PanOSDGHierarchyLevel1" to "security_result.detection_fields". |
| 2022-08-26 | Enhancement - Migrated the custom parsers into default parser.
|