Change log for ATTIVO
| Date | Changes |
|---|---|
| 2025-01-10 | Enhancement:
- Added a new Grok pattern to parse the unparsed logs. - Added a JSON block to parse the unparsed logs. - Mapped "Alert.subject" to "metadata.description". - Mapped "Alert.body" to "metadata.description". - Mapped "Alert.app" to "principal.application". - Mapped "Alert.dest_ip" to "target.ip" and "target.assest.ip". - Mapped "Alert.dest_host" to "target.hostname". - Mapped "Alert.src_hostname" to "principal.hostname". - Mapped "Alert.src_ip_domain" to "principal.domain.name". - Mapped "Alert.dest_ip_domain" to "target.domain.name". - Mapped "Alert.id" to "metadata.product_log_id". - Mapped "Alert.des_os" to "target.asset.platform_software.platform_version". - Mapped "Alert.src_ip" to "principal.ip" and "prinicipal.asset.ip". - Mapped "Alert.src_mac" to "prinicipal.mac". - Mapped "Alert.id" to "metadata.product_log_id". - Mapped "Alert.bootsink_ip" to "intermediary.ip". - Mapped "Alert.forwarder" and "Alert.service" to "additional.fields". - Mapped "techinque_id" to "security_result.attack_details.tactics.id". - Mapped "techinque_name" to "security_result.attack_details.tactics.name". - Mapped "Alert.severity" to "security_result.severity". - Mapped "Alert.src_category" to "security_result.threat_name". |
| 2024-04-19 | Enhancement:
- Added support for new event types "NETWORK_UNCATEGORIZED" and "SCAN_NETWORK". - Added support for certain new attributes. |
| 2023-08-14 | Enhancement:
- Added conditional check for "ips". - If "ips" format matches IP address format, then map "ips" to "principal.ip", else map it to "intermediary.hostname". |
| 2023-07-21 | Newly created parser. |