Change log for AUDITD
| Date | Changes |
|---|---|
| 2024-10-15 | Enhancement:
- Mapped "sw", "sw_type", and "subj" to "security_result.detection_fields". |
| 2024-10-14 | Enhancement:
- Added a conditional check and mapped "metadata.event_type" to "USER_LOGIN" from "USER_UNCATEGORIZED". |
| 2024-10-10 | Enhancement:
- Added "gsub" to map "type" to "metadata.product_event_type". - Mapped "indicator.SYSCALL" to "security_result.detection_fields". |
| 2024-10-10 | Enhancement:
- Added "gsub" to map "type" to "metadata.product_event_type". - Mapped "indicator.SYSCALL" to "security_result.detection_fields". |
| 2024-10-09 | - Mapped "exe" to "principal.process.file.full_path".
|
| 2024-09-24 | Enhancement:
- Swapped mapping from "target.port" to "principal.port". - Added support to handle Syslog logs. |
| 2024-09-16 | Enhancement:
- Modified a Grok pattern to parse new patterns of logs. |
| 2024-08-13 | Enhancement:
- Converted "a2" from hexadecimal value to ASCII. |
| 2024-07-18 | - Added "gsub" to replace "\\r\\n" with " " from the message.
- Added a grok pattern for "msg2". - Mapped "target.user.userid" to "principal.user.userid". |
| 2024-07-09 | Enhancement:
- Added "gsubs" to handle invalid JSON logs. - When "type" is "SYSCALL" and "has_principal" is true and "exe" is not empty, then set "metadata.event_type" to "PROCESS_LAUNCH". |
| 2024-06-18 | Enhancement:
- Added new Grok patterns to handle authentication syslog logs. - Mapped "target_user_name" to "target.user.userid". - Handled the new patterns of "_timestamp". |
| 2024-05-08 | Enhancement:
- When the value is not "?", then mapped "field" to "field33" to "security_result.detection_fields". - When "type_name" is "CRYPTO_KEY_USER", then mapped "exe" to "principal.process.file.full_path". - When "type_name" is "CRYPTO_KEY_USER", then mapped "fp" to "network.tls.client.certificate.sha256". - When "type_name" is "CRYPTO_KEY_USER", then mapped "pid" to "principal.process.pid". - Added Grok patterns to parse new pattern of logs. - Mapped "syslog-tag" to "security_result.detection_fields". - Mapped "inter_ip" to "intermediary.ip". - Mapped "inter_hostname" to "intermediary.hostname". |
| 2024-05-02 | Enhancement:
- When "type_name" is "USER_MGMT", then mapped "grp" to "target.group.group_display_name". - When "type_name" is "USER_MGMT", then changed mapping of "uid" from "principal.user.userid" to "target.user.userid". - When "type_name" is "USER_MGMT" and "op" is equal to "deleting-user-from-group", then set "metadata.event_type" to "GROUP_MODIFICATION". - When "type_name" is "USER_MGMT", then changed mapping of "exe" from "target.process.file.full_path" to "principal.process.file.full_path". - When "type_name" is "USER_MGMT", then mapped "id" to "about.user.userid". |
| 2024-04-08 | Enhancement:
- When "type_name" is "ADD_USER", principal_user_present is "true", target_user_present is "true", and has_principal is "true", then set "metadata.event_type" to "USER_CREATION". - When "type_name" is "USER_AUTH", then mapped "acct" to "target.user.user_display_name". - When "type_name" is "USER_AUTH", then mapped "uid" to "principal.user.userid". - When "type_name" is not in "ADD_USER","USER_AUTH","CRED_ACQ", and "USER_MGMT", then mapped "auid" to "about.user.userid". - When "type_name" is "ADD_USER", then mapped "auid" to "target.user.userid". - When "type_name" is "ADD_USER" or "USER_AUTH" then mapped "exe" to "principal.process.file.full_path". - When "type_name" is "ADD_USER", then mapped "op" and "id" to "security_result.summary". - When "type_name" is "USER_AUTH", then mapped "op" and "acct" to "security_result.summary". |
| 2024-03-22 | Enhancement:
- Added support for new pattern of JSON logs. - Mapped "labels.compute.googleapis.com/resource_name","jsonPayload._HOSTNAME" , "CollectorHostName", "HOSTNAME", and "Computer" to "principal.hostname". - Mapped "HostIP" to "principal.ip". - Mapped "ProcessID" and "jsonPayload._PID" to "principal.process.pid". - Mapped "SyslogMessage" to "metadata.description". - Mapped "TenantId", "_ItemId", "_Internal_WorkspaceResourceId", "_ResourceId", and "Facility" to "additional.fields". - Mapped "SeverityLevel" to "security_result.severity". - Mapped "SourceSystem" to "principal.platform". - Mapped "jsonPayload._COMM" to "principal.application". - Mapped "jsonPayload._EXE" to "target.process.file.full_path". - Mapped "jsonPayload._AUDIT_FIELD_FILE" to "target.file.full_path". - Mapped "jsonPayload._AUDIT_FIELD_HASH" to "target.file.hash". - Mapped "jsonPayload._AUDIT_SESSION" to "network.session_id". - Mapped "jsonPayload._PPID" to "principal.process.parent_process.pid". - Mapped "jsonPayload._AUDIT_FIELD_A0", "jsonPayload._AUDIT_FIELD_A1", "jsonPayload._AUDIT_FIELD_A2", "jsonPayload._AUDIT_FIELD_A3", "jsonPayload._BOOT_ID", and "jsonPayload._AUDIT_FIELD_EXIT" to "security_result.detection_fields". |
| 2023-11-27 | Enhancement:
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_LOGIN". - Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_LOGOUT". - Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_CREATION". - Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_DELETION". - Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_UNCATEGORIZED". - Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_RESOURCE_ACCESS". - Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_CHANGE_PERMISSIONS". - When user details are present and principal machine details are not present then changed mapping of "metadata.event_type" from "USER_CREATION" to "USER_UNCATEGORIZED". - When user details are present and principal machine details are not present then changed mapping of "metadata.event_type" from "USER_DELETION" to "USER_UNCATEGORIZED". |
| 2023-09-06 | Enhancement:
- Added mapping of "CMD" to "target.process.command_line" for "cron daemon(CROND)". |
| 2023-06-20 | Enhancement - Added or modified the following mappings when type="ADD_USER" and "DEL_USER"-
- Modified the mapping of "uid" from "target.user.userid" to "principal.user.userid". - Mapped "id" to "target.user.userid". - Mapped "ID" to "target.user.user_display_name". - Modified the mapping of "UID" from "principal.user.userid" to "principal.user.user_display_name". - Modified the mapping of "acct" from "principal.user.user_display_name" to "target.user.user_display_name" and "target.user.userid". |
| 2023-06-09 | Enhancement - Modified "event_type" from "USER_LOGIN" to "USER_CREATION" when "type=ADD_USER".
|
| 2023-04-17 | Enhancement
- Added gsub function to replace "GS - Group separator" character which is breaking the JSON construction. |
| 2023-04-10 | Enhancement
- Added 'gid','euid','egid','suid','fsuid','sgid','fsgid','tty','items' fields to security_result.detection_fields. - Additionally mapped 'gid' to 'principal.user.group_identifiers'. - Mapped 'euid' to 'target.user.userid'. - Mapped 'egid' to 'target.user.group_identifiers'. |
| 2023-03-27 | Enhancement - Added support for "jsonPayload" containing logs.
|
| 2023-02-28 | Bug-fix - Enhanced parser to convert hex encoded string to ASCII.
|
| 2023-02-09 | Enhancement - Modified grok for logs containing "type=PATH" to fetch the correct hostname from logs.
|
| 2023-01-24 | Enhancement -
- Parsed log with eventType as "tac_plus". - Added conditions for mapping different event_types "NETWORK_CONNECTION", "NETWORK_HTTP", "USER_LOGIN". |
| 2022-12-02 | Enhancement -
- Mapped "user_name" to "principal.user.userid". - added conditional check for "dst_ip", "dst_port". |
| 2022-11-16 | Enhancement -
- Improved "GENERIC_EVENT" to "STATUS_UPDATE" for log types containing "Access Logs". |
| 2022-10-31 | Enhancement -
- Enhanced the parser to parse the log with type=ADD_USER, USER_MGMT, DEL_USER. - Added null checks for "principal_hostname". - Added on_error checks for "principal.process.file.full_path", "type_syscall_props.key", "type_syscall_props.arch", "msg2". - Added conditional checks for mapping to event_type="FILE_OPEN", "USER_UNCATEGORIZED", "STATUS_UPDATE", "USER_DELETION". - Mapped "principal_user_userid" to "principal.user.userid". |
| 2022-10-14 | Enhancement -
- Migrated customer parser to default parser. |
| 2022-10-13 | Enhancement - Mapped "vendor_name" to "Linux".
- Mapped "product_name" to "AuditD". - Parsed the logs containing "ProxySG" and mapped "ip" to "target.ip", "port" to "target.port" wherever possible. - Modified "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE". - Modified mapping for "intermediary.hostname" to "principal.hostname". |
| 2022-07-28 | Enhancement -
- Mapped the field 'auid' to about.user.userid'. - Mapped the field 'AUID' to 'about.user.user_display_name'. - Mapped the field 'proctitle' to 'target.process.file.full_path'. - Enhanced the parser to parse the log with type=DAEMON_END, CRYPTO_SESSION, CONFIG_CHANGE, PROCTITLE, USER_ERR, CRYPTO_KEY_USER. - Added conditional check for laddr, addr, cipher, pfs, direction, acct, pid, ppid, cmd, exe, ses. |
| 2022-06-17 | Enhancement - Mapped/Modified the following fields :
- Changed mapping of "auid" from "security_result.about.user.userid" to "about.user.userid". - Changed "event_type" for type=SYSCALL from "SYSTEM_AUDIT_LOG_UNCATEGORIZED" to "USER_UNCATEGORIZED". - Mapped "success" to "security_result.summary". - Mapped "syscall", "exit", "tty", "a0", "a1", "a2", "a3" to "security_result.about.labels". - Dropped the logs in ASCII format. |
| 2022-06-14 | Enhancement - Enhanced the parser to parse the USER_CMD type of logs. - Mapped the field 'cmd' to 'principal.process.command_line'. - Mapped the field 'ses' to 'network.session_id'. - Mapped the field 'res' to 'security_result.action' and 'security_result.action_details'. - Mapped the fields 'auid' and 'cwd' to 'security_result.detection_fields'. |
| 2022-04-26 | Enhancement - Increased the parsing percentage by parsing all the unparsed logs. |