Change log for ATTIVO
| Date | Changes |
|---|---|
| 2025-08-06 | Enhancement:<br>- Added a new gsub block to support logs that arrive split across multiple lines.<br>- event.idm.read_only_udm.additional.fields: Newly mapped `forwarder` raw log field to `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-07-01 | Enhancement:<br>- Added a Grok to parse SYSLOG + KV (CEF) format logs with any timezone pattern.<br>- Added a Grok to extract `process` and `pid` from the `msg` raw log field.<br>- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `process` log field to `event.idm.read_only_udm.principal.process.file.full_path` UDM field.<br>- event.idm.read_only_udm.principal.process.pid: Newly mapped `pid` log field to `event.idm.read_only_udm.principal.process.pid` UDM field.<br>- event.idm.read_only_udm.additional.fields: Newly mapped `timezone` log field to `event.idm.read_only_udm.additional.fields` UDM field.<br>- event.idm.read_only_udm.principal.port: Newly mapped `spt` raw log field to `event.idm.read_only_udm.principal.port` UDM field.<br>- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `rt` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- Modified the condition for dropping invalid logs by adding a `valid_log` flag.<br>- Set `has_principal` to `true` if `principal.ip` or `principal.hostname` is present.<br>- Set `has_target` to `true` if `target.ip` or `target.hostname` is present.<br>- Combined the `has_principal` and `has_target` conditions to map `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION`.<br>- Modified the conditions that map `event.idm.read_only_udm.metadata.event_type` to `NETWORK_UNCATEGORIZED` and `STATUS_UPDATE`.<br>- Added mappings for `target.asset.ip` wherever `target.ip` is mapped and `principal.asset.ip` wherever `principal.ip` is mapped. |
| 2025-01-10 | Enhancement:<br>- Added a new Grok pattern to parse previously unparsed logs.<br>- Added a JSON block to parse previously unparsed logs.<br>- Mapped `Alert.subject` to `metadata.description`.<br>- Mapped `Alert.body` to `metadata.description`.<br>- Mapped `Alert.app` to `principal.application`.<br>- Mapped `Alert.dest_ip` to `target.ip` and `target.asset.ip`.<br>- Mapped `Alert.dest_host` to `target.hostname`.<br>- Mapped `Alert.src_hostname` to `principal.hostname`.<br>- Mapped `Alert.src_ip_domain` to `principal.domain.name`.<br>- Mapped `Alert.dest_ip_domain` to `target.domain.name`.<br>- Mapped `Alert.id` to `metadata.product_log_id`.<br>- Mapped `Alert.des_os` to `target.asset.platform_software.platform_version`.<br>- Mapped `Alert.src_ip` to `principal.ip` and `principal.asset.ip`.<br>- Mapped `Alert.src_mac` to `principal.mac`.<br>- Mapped `Alert.bootsink_ip` to `intermediary.ip`.<br>- Mapped `Alert.forwarder` and `Alert.service` to `additional.fields`.<br>- Mapped `techinque_id` to `security_result.attack_details.tactics.id`.<br>- Mapped `techinque_name` to `security_result.attack_details.tactics.name`.<br>- Mapped `Alert.severity` to `security_result.severity`.<br>- Mapped `Alert.src_category` to `security_result.threat_name`. |
| 2024-04-19 | Enhancement:<br>- Added support for the new event types `NETWORK_UNCATEGORIZED` and `SCAN_NETWORK`.<br>- Added support for certain new attributes. |
| 2023-08-14 | Enhancement:<br>- Added a conditional check for `ips`.<br>- If the `ips` value matches the IP address format, map `ips` to `principal.ip`; otherwise map it to `intermediary.hostname`. |
| 2023-07-21 | Newly created parser. |
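The entries above describe parser behaviour in prose (fold multi-line records, parse a syslog header with any timezone followed by a CEF key=value body, pull `process` and `pid` out of `msg`, gate on `valid_log`, derive `has_principal` / `has_target` and choose the `event_type`, and route `ips` to `principal.ip` or `intermediary.hostname` depending on whether it is an IP). The following Python is an added illustration of those steps end to end; it is not the Chronicle parser and not Attivo's code. The sample log lines are constructed, the `name[pid]:` prefix in `msg`, the treatment of `rt` as epoch milliseconds, and the rule "one side present gives `NETWORK_UNCATEGORIZED`, neither gives `STATUS_UPDATE`" are assumptions made for the example, and the flat dotted keys only approximate the UDM paths listed in the table.

```python
"""Added illustration of the ATTIVO change-log parsing steps (not the real parser)."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample events (not real Attivo output): RFC 3339 timestamp with a
# varying UTC offset, a syslog host, then a CEF body. The first record is split
# across two lines, the case the 2025-08-06 gsub entry addresses; the last is
# junk that the valid_log check must drop.
SAMPLE_LOGS = [
    "2025-07-01T10:15:30+05:30 btsink01 CEF:0|Attivo|BOTsink|5.0|1001|Engagement|8|"
    "src=10.1.2.3 spt=51234 dst=10.1.2.50 dpt=22 shost=WS-01 "
    "msg=sshd[4412]: connection\n  attempt rt=1751364930000 forwarder=fw-a",
    "2025-07-01T10:16:00Z btsink01 CEF:0|Attivo|BOTsink|5.0|2002|Heartbeat|1|"
    "msg=service heartbeat ok ips=btsink-gw.local rt=1751364960000",
    "2025-07-01T10:16:05-07:00 btsink01 CEF:0|Attivo|BOTsink|5.0|3003|Decoy|5|"
    "ips=198.51.100.7 msg=probe seen rt=1751364965000",
    "this line is not CEF and must be dropped",
]

# Assumed header shape "<timestamp> <host> CEF:0|...". The timezone is whatever
# trails the time (Z, +HH:MM or -HH:MM), i.e. the "any timezone pattern" case.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+?(?P<tz>Z|[+-]\d{2}:?\d{2}))\s+(?P<host>\S+)\s+(?P<cef>CEF:0\|.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")          # CEF extension, values may contain spaces
PROC_RE = re.compile(r"^(?P<process>[\w./-]+)\[(?P<pid>\d+)\]")  # assumed "name[pid]:" msg prefix


def parse_cef_extension(ext):
    """Split the CEF extension into a dict; the last value runs to end of line."""
    return {k: v.strip() for k, v in KV_RE.findall(ext)}


def is_ip(value):
    """The 2023-08-14 check: does the value look like an IPv4/IPv6 address?"""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalize(raw):
    """Return a flat UDM-like dict for one record, or None when it is dropped."""
    # gsub equivalent: fold continuation lines back into a single record.
    raw = re.sub(r"\s*\r?\n\s*", " ", raw.strip())
    m = SYSLOG_RE.match(raw)
    if not m:
        return None                                    # valid_log stays false -> drop
    header = m.group("cef").split("|", 7)              # 7 fixed CEF fields + extension
    if len(header) != 8:
        return None
    kv = parse_cef_extension(header[7])
    udm = {"additional.fields": {"timezone": m.group("tz")}}

    # ips: an IP goes to principal.ip, anything else to intermediary.hostname.
    if "ips" in kv:
        udm["principal.ip" if is_ip(kv["ips"]) else "intermediary.hostname"] = kv["ips"]
    if "src" in kv:
        udm["principal.ip"] = kv["src"]
    if "shost" in kv:
        udm["principal.hostname"] = kv["shost"]
    if "spt" in kv:
        udm["principal.port"] = int(kv["spt"])
    if "dst" in kv:
        udm["target.ip"] = kv["dst"]
    if "dhost" in kv:
        udm["target.hostname"] = kv["dhost"]
    # asset.ip mirrors ip on each side (2025-07-01 entry).
    for side in ("principal", "target"):
        if f"{side}.ip" in udm:
            udm[f"{side}.asset.ip"] = udm[f"{side}.ip"]
    # process and pid from the msg prefix.
    pm = PROC_RE.match(kv.get("msg", ""))
    if pm:
        udm["principal.process.file.full_path"] = pm.group("process")
        udm["principal.process.pid"] = pm.group("pid")
    # rt assumed to be epoch milliseconds; rendered as ISO-8601 UTC.
    if kv.get("rt", "").isdigit():
        udm["metadata.event_timestamp"] = datetime.fromtimestamp(
            int(kv["rt"]) / 1000, tz=timezone.utc).isoformat()
    if "forwarder" in kv:
        udm["additional.fields"]["forwarder"] = kv["forwarder"]

    has_principal = "principal.ip" in udm or "principal.hostname" in udm
    has_target = "target.ip" in udm or "target.hostname" in udm
    if has_principal and has_target:
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
    elif has_principal or has_target:
        udm["metadata.event_type"] = "NETWORK_UNCATEGORIZED"   # assumed: one endpoint only
    else:
        udm["metadata.event_type"] = "STATUS_UPDATE"            # assumed: no endpoints at all
    return udm


def normalize_all(lines):
    """Normalize every record and silently drop the invalid ones."""
    return [u for u in (normalize(line) for line in lines) if u is not None]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LOGS):
        print(event["metadata.event_type"], event)
```

Running it yields three events (the junk line is dropped): the engagement record becomes `NETWORK_CONNECTION` with `sshd`/`4412` as process and pid, the heartbeat becomes `STATUS_UPDATE` with `btsink-gw.local` in `intermediary.hostname`, and the decoy probe, whose only endpoint is the IP-valued `ips`, becomes `NETWORK_UNCATEGORIZED`. The point worth checking in a real parser is the same one the `valid_log` flag exists for: a header that fails to parse must drop the record rather than emit an event with an empty `event_type`.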