Change log for CB_EDR
| Date | Changes | 
|---|---|
| 2025-06-23 | Enhancement:<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `id` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- `event.idm.read_only_udm.security_result.alert_state`: Set the `event.idm.read_only_udm.security_result.alert_state` UDM field to `ALERTING` if the `workflow.status` raw log field is equal to `OPEN` or `IN_PROGRESS`.<br>- `event.idm.read_only_udm.security_result.alert_state`: Set the `event.idm.read_only_udm.security_result.alert_state` UDM field to `NOT_ALERTING` if the `workflow.status` raw log field is equal to `CLOSED`. |
| 2025-05-02 | Enhancement:<br>- Added new Grok patterns to parse the new format of SYSLOG logs.<br>- Added a gsub function to remove ` (\\\w+?)=` and `'` from the `message` field.<br>- Added a null conditional check when mapping the `group` raw log field to the `event.idm.read_only_udm.target.group.group_display_name` UDM field.<br>- Added a null conditional check when mapping the `comms_ip` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field if `type` is `alert.watchlist.hit.ingress.process`, `feed.query.hit.process` or `feed.storage.hit.process`.<br>- `event.idm.read_only_udm.principal.resource.id`: Newly mapped the `feed_id` raw log field to the `event.idm.read_only_udm.principal.resource.id` UDM field.<br>- `event.idm.read_only_udm.intermediary.ip`: Newly mapped the `intermediary_ip` raw log field to the `event.idm.read_only_udm.intermediary.ip` UDM field.<br>- `event.idm.read_only_udm.network.session_id`: Newly mapped the `session_id` raw log field to the `event.idm.read_only_udm.network.session_id` UDM field.<br>- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `interface_ip` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- `event.idm.read_only_udm.intermediary.ip`, `event.idm.read_only_udm.additional.fields`: Added a mapping of the `comms_ip` raw log field to the `event.idm.read_only_udm.intermediary.ip` UDM field when it differs from `interface_ip`; otherwise it is mapped to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.hostname`, `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `host` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- `event.idm.read_only_udm.metadata.description`: Newly mapped the `reason` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `segment_id`, `index_type`, `search_query`, `start_time` and `last_update` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.resource.id`: Newly mapped the `watchlist_id` raw log field to the `event.idm.read_only_udm.target.resource.id` UDM field.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `watchlist_name` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.<br>- `event.idm.read_only_udm.target.group.group_display_name`: Newly mapped the `group` raw log field to the `event.idm.read_only_udm.target.group.group_display_name` UDM field.<br>- `event.idm.read_only_udm.target.resource.id`: Newly mapped the `report_id` and `watchlist_id` raw log fields to the `event.idm.read_only_udm.target.resource.id` UDM field.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `report_id` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.<br>- `event.idm.read_only_udm.principal.process.file.sha256`: Newly mapped the `process_sha256` raw log field to the `event.idm.read_only_udm.principal.process.file.sha256` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `alliance_data_attackframework` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `alliance_updated_attackframework` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result.confidence_score`: Newly mapped the `alliance_score_attackframework` raw log field to the `event.idm.read_only_udm.security_result.confidence_score` UDM field.<br>- `event.idm.read_only_udm.security_result.url_back_to_product`: Newly mapped the `alliance_link_attackframework` raw log field to the `event.idm.read_only_udm.security_result.url_back_to_product` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: Set the `event.idm.read_only_udm.metadata.event_type` UDM field to `NETWORK_CONNECTION` if both principal and target are present.<br>- `event.idm.read_only_udm.metadata.event_type`: Set the `event.idm.read_only_udm.metadata.event_type` UDM field to `STATUS_UPDATE` if only principal is present. |
| 2025-04-10 | Enhancement:<br>- `event.idm.read_only_udm.intermediary.ip`: Removed the mapping of `comms_ip` to the `event.idm.read_only_udm.intermediary.ip` UDM field when `comms_ip` is equal to `interface_ip`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `comms_ip` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field when `comms_ip` is equal to `interface_ip`. |
| 2025-03-25 | Enhancement:<br>- Mapped the fully qualified value of "device_name" to "intermediary.hostname", "intermediary.asset.hostname", "principal.hostname" and "principal.asset.hostname".<br>- Removed the mapping of "device_internal_ip" from "additional.fields".<br>- Mapped "device_internal_ip" to "intermediary.ip", "intermediary.asset.ip", "principal.ip" and "principal.asset.ip".<br>- Removed the mapping of "device_external_ip" from "principal.asset.ip" and "principal.ip".<br>- Mapped "device_external_ip" to "principal.nat_ip". |
| 2025-03-19 | Bug-fix:<br>- Added "on_error" to all the fields mapped from "docs.*".<br>- Added an additional check for "sha256" and "md5" to avoid parsing errors.<br>- Mapped "feed_name" to "principal.resource.name".<br>- When "feed_name" is not null, mapped "principal.resource.resource_subtype" to "Feed". |
| 2024-07-02 | Enhancement:<br>- Added a "gsub" function to parse the unparsed fields. |
| 2024-05-13 | Enhancement:<br>- Mapped the "alert_url" field to the "metadata.url_back_to_product" UDM field. |
| 2024-01-19 | Enhancement:<br>- Added a null check for "filemod_hash.0" and "filemod_hash.1" before mapping. |
| 2023-12-27 | Enhancement:<br>- Initialized "filemod_hash.0" and "filemod_hash.1" to null to parse the unparsed logs. |
| 2023-10-26 | Enhancement:<br>- Added a "gsub" function to parse the unparsed fields. |
| 2023-10-13 | Enhancement:<br>- Handled new JSON logs by adding a JSON block.<br>- Removed redundant code for the fields "computer_name", "parent_name", "process_name", "pid", "process_path", "md5", "sha256", "process_guid", "parent_pid", "docs.0.process_pid", "cb_version", "process_hash.0", "process_hash.1", "parent_hash.0" and "parent_hash.1". |
| 2023-07-21 | - Added MITRE ATT&CK tactic and technique details to "security_result.attack_details". | 
| 2023-03-24 | - Mapped the field "protocol" to "network.ip_protocol".<br>- Added null conditional checks for the fields "child_username", "child_pid" and "child_command_line".<br>- Changed "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" when "principal.hostname" or "principal.ip" is not null. |
| 2023-03-14 | Bug-fix:<br>- Mapped the following fields when the field "type" is null:<br>- Mapped the field "process_guid" to "principal.process.product_specific_process_id".<br>- Mapped the field "device_external_ip" to "target.ip".<br>- Mapped the field "device_os" to "principal.platform".<br>- Mapped the field "device_group" to "principal.group.group_display_name".<br>- Mapped the field "process_pid" to "principal.process.pid".<br>- Mapped the field "process_path" to "principal.process.file.full_path".<br>- Mapped the field "process_cmdline" to "principal.process.command_line".<br>- Mapped the field "process_hash.0" to "principal.process.file.md5".<br>- Mapped the field "principal.1" to "principal.process.file.sha256".<br>- Mapped the field "process_username" to "principal.user.userid".<br>- Mapped the field "clientIp" to "principal.ip".<br>- Mapped the field "description" to "metadata.description".<br>- Mapped the field "orgName" to "principal.administrative_domain".<br>- Mapped the following fields when the field "ruleName" contains "CYDERES":<br>- Mapped the field "deviceInfo.internalIpAddress" to "principal.ip".<br>- Mapped the field "deviceInfo.externalIpAddress" to "target.ip".<br>- Mapped the field "ruleName" to "security_result.rule_name".<br>- Mapped the field "deviceInfo.deviceType" to "principal.asset.platform_software.platform".<br>- Mapped the field "domain" to "principal.administrative_domain".<br>- Mapped the field "deviceInfo.groupName" to "principal.group.group_display_name".<br>- Mapped the field "deviceInfo.deviceVersion" to "principal.asset.platform_software.platform_version".<br>- Mapped the field "deviceInfo.deviceId" to "principal.asset.asset_id".<br>- Mapped the field "eventId" to "additional.fields".<br>- Changed "metadata.event_type" from "GENERIC_EVENT" to "NETWORK_CONNECTION" when "principal.ip" and "target.ip" are not null.<br>- Changed "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" when "principal.ip" is not null. |
| 2023-02-03 | Bug-fix:<br>- Mapped "filemod_hash" to "target.file" instead of "target.process.file". |
| 2023-01-20 | Bug-fix:<br>- Stopped populating and mapping "product_specific_process_id" for empty process IDs. |
| 2022-11-25 | - Mapped 'remote_ip' to 'principal.ip' and 'local_ip' to 'target.ip' for 'Inbound' TCP/UDP events.<br>- Mapped 'remote_port' to 'principal.port' and 'local_port' to 'target.port' for 'Inbound' TCP/UDP events. |
| 2022-10-06 | - Migrated all customer specific parsers to default parser. | 
| 2022-07-10 | - Updated mapping of 'event_type' to 'PROCESS_LAUNCH' for logs of type 'endpoint.event.'. |
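As an added reference implementation, not the CB_EDR parser's own code, the Python below applies the `alert_state`, `comms_ip`/`interface_ip` and `event_type` rules from the 2025-06-23, 2025-05-02 and 2025-04-10 rows to constructed records, which is a handy way to check parser output against the documented behaviour. The `GENERIC_EVENT` fallback for records with no principal is an assumption taken from the older rows.

```python
from typing import Any, Dict, Optional

# Constructed sample records; not real CB_EDR output.
SAMPLE_LOGS = [
    {"workflow": {"status": "IN_PROGRESS"}, "interface_ip": "10.0.0.5",
     "comms_ip": "203.0.113.7", "watchlist_id": "wl-1"},
    {"workflow": {"status": "CLOSED"}, "interface_ip": "10.0.0.5", "comms_ip": "10.0.0.5"},
    {"workflow": {"status": "DISMISSED"}},
]

ALERT_STATE_BY_STATUS = {"OPEN": "ALERTING", "IN_PROGRESS": "ALERTING",
                         "CLOSED": "NOT_ALERTING"}


def alert_state(raw: Dict[str, Any]) -> Optional[str]:
    """security_result.alert_state per the 2025-06-23 row; other statuses stay unset."""
    status = (raw.get("workflow") or {}).get("status")
    return ALERT_STATE_BY_STATUS.get(status)


def map_record(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the interface_ip, comms_ip, watchlist_id, alert_state and event_type rules."""
    udm: Dict[str, Any] = {}
    if raw.get("interface_ip"):
        # interface_ip feeds both principal.ip and principal.asset.ip (2025-05-02 row).
        udm["principal"] = {"ip": [raw["interface_ip"]],
                            "asset": {"ip": [raw["interface_ip"]]}}
    if raw.get("watchlist_id"):
        udm["target"] = {"resource": {"id": raw["watchlist_id"]}}
    comms_ip = raw.get("comms_ip")
    if comms_ip is not None:
        # comms_ip is an intermediary only when it differs from interface_ip;
        # otherwise it is preserved as an additional field (2025-04-10 row).
        if comms_ip != raw.get("interface_ip"):
            udm["intermediary"] = {"ip": [comms_ip]}
        else:
            udm["additional"] = {"fields": {"comms_ip": comms_ip}}
    state = alert_state(raw)
    if state is not None:
        udm["security_result"] = [{"alert_state": state}]
    # event_type depends on which endpoints were populated above.
    if "principal" in udm and "target" in udm:
        etype = "NETWORK_CONNECTION"
    elif "principal" in udm:
        etype = "STATUS_UPDATE"
    else:
        etype = "GENERIC_EVENT"  # assumed fallback; the older rows name it as the previous default
    udm["metadata"] = {"event_type": etype}
    return udm


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(map_record(raw))
```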