Change log for CB_EDR

Date Changes
2025-04-10 Enhancement:
- event.idm.read_only_udm.intermediary.ip: Removed mapping of "comms_ip" to the "event.idm.read_only_udm.intermediary.ip" UDM field when "comms_ip" is equal to "interface_ip".
- event.idm.read_only_udm.additional.fields: Newly mapped the "comms_ip" raw log field to the "event.idm.read_only_udm.additional.fields" UDM field when "comms_ip" is equal to "interface_ip".
2025-03-25 Enhancement:
- Mapped fully qualified value of "device_name" to "intermediary.hostname", "intermediary.asset.hostname", "principal.hostname" and "principal.asset.hostname".
- Removed mapping for "device_internal_ip" from "additional.fields".
- Mapped "device_internal_ip" to "intermediary.ip", "intermediary.asset.ip", "principal.ip" and "principal.asset.ip".
- Removed mapping for "device_external_ip" from "principal.asset.ip" and "principal.ip".
- Mapped "device_external_ip" to "principal.nat_ip".
2025-03-19 Bug-fix:
- Added "on_error" to all the fields mapped from docs.*.
- Added additional check for "sha256" and "md5" to avoid parsing errors.
- Mapped "feed_name" to "principal.resource.name".
- When "feed_name" is not null, then mapped "principal.resource.resource_subtype" to "Feed".
2024-07-02 Enhancement:
- Added "gsub" function to parse the unparsed fields.
2024-05-13 Enhancement:
- Mapped "alert_url" field to "metadata.url_back_to_product" UDM field.
2024-01-19 Enhancement:
- Added a null check for "filemod_hash.0" and "filemod_hash.1" before mapping.
2023-12-27 Enhancement:
- Initialized "filemod_hash.0" and "filemod_hash.1" to null to parse the unparsed logs.
2023-10-26 Enhancement:
- Added "gsub" function to parse the unparsed fields.
2023-10-13 Enhancement:
- Handled new JSON logs by adding JSON block.
- Removed redundant code for fields "computer_name", "parent_name", "process_name", "pid", "process_path", "md5", "sha256", "process_guid", "parent_pid", "docs.0.process_pid", "cb_version", "process_hash.0", "process_hash.1", "parent_hash.0" and "parent_hash.1".
2023-07-21 - Added MITRE ATT&CK tactic and technique details to "security_result.attack_details".
2023-03-24 - Mapped the field "protocol" to "network.ip_protocol".
- Added null conditional check for the fields "child_username", "child_pid" and "child_command_line".
- Changed the "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" when "principal.hostname" or "principal.ip" is not null.
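The endpoint IP, hostname and event-type rules from the 2025-04-10, 2025-03-25 and 2023-03-24 entries above, as an added illustrative re-implementation in Python. This is not the Google SecOps (Chronicle) parser config itself: UDM paths are written as dotted strings, repeated UDM fields such as ip are modelled as lists, and the sample event is constructed. It exists to show how the conditional rules combine on one event (for example, that the external address ends up in nat_ip rather than principal.ip, and that comms_ip is only added as an intermediary IP when it differs from interface_ip).

```python
# Added illustrative example, not the CB_EDR parser's own code. Re-implements the
# mapping rules from the change log entries dated 2025-04-10, 2025-03-25 and
# 2023-03-24. Raw field names come from the change log; sample values are constructed.
from typing import Any, Dict, List

IP_TARGETS = ("intermediary.ip", "intermediary.asset.ip",
              "principal.ip", "principal.asset.ip")
HOSTNAME_TARGETS = ("intermediary.hostname", "intermediary.asset.hostname",
                    "principal.hostname", "principal.asset.hostname")


def map_endpoint_fields(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Return a flat dict keyed by UDM path for one raw CB EDR event."""
    udm: Dict[str, Any] = {}
    additional: List[Dict[str, str]] = []

    # 2025-03-25: the fully qualified device_name goes to four hostname fields.
    device_name = raw.get("device_name")
    if device_name:
        for path in HOSTNAME_TARGETS:
            udm[path] = device_name

    # 2025-03-25: device_internal_ip is the asset's own address and populates
    # the principal and intermediary ip fields (repeated fields, hence lists).
    internal_ip = raw.get("device_internal_ip")
    if internal_ip:
        for path in IP_TARGETS:
            udm.setdefault(path, []).append(internal_ip)

    # 2025-03-25: device_external_ip is no longer written to principal.ip;
    # it is the NAT address, so it goes to principal.nat_ip only.
    external_ip = raw.get("device_external_ip")
    if external_ip:
        udm["principal.nat_ip"] = external_ip

    # 2025-04-10: comms_ip is added to intermediary.ip only when it differs
    # from interface_ip; when the two are equal it is kept in additional.fields.
    comms_ip = raw.get("comms_ip")
    if comms_ip:
        if comms_ip == raw.get("interface_ip"):
            additional.append({"key": "comms_ip", "value": comms_ip})
        else:
            udm.setdefault("intermediary.ip", []).append(comms_ip)

    if additional:
        udm["additional.fields"] = additional

    # 2023-03-24: event_type becomes STATUS_UPDATE once a principal hostname
    # or IP is known; otherwise it stays GENERIC_EVENT.
    if udm.get("principal.hostname") or udm.get("principal.ip"):
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm


if __name__ == "__main__":
    # Constructed sample event (not a real CB EDR log line).
    sample = {
        "device_name": "ws-0042.corp.example",
        "device_internal_ip": "10.20.30.40",
        "device_external_ip": "203.0.113.7",
        "comms_ip": "10.20.30.40",
        "interface_ip": "10.20.30.40",
    }
    for path, value in sorted(map_endpoint_fields(sample).items()):
        print(f"{path}: {value}")
```

Running the sample shows the practical effect of the 2025-03-25 change for anyone writing detections on this log source: a rule that matches on principal.ip now sees the endpoint's internal address, and the shared egress address has to be looked up in principal.nat_ip instead.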
2023-03-14 Bug-fix:
- Mapped the following fields when the field "type" is null:
  - Mapped the field "process_guid" to "principal.process.product_specific_process_id".
  - Mapped the field "device_external_ip" to "target.ip".
  - Mapped the field "device_os" to "principal.platform".
  - Mapped the field "device_group" to "principal.group.group_display_name".
  - Mapped the field "process_pid" to "principal.process.pid".
  - Mapped the field "process_path" to "principal.process.file.full_path".
  - Mapped the field "process_cmdline" to "principal.process.command_line".
  - Mapped the field "process_hash.0" to "principal.process.file.md5".
  - Mapped the field "principal.1" to "principal.process.file.sha256".
  - Mapped the field "process_username" to "principal.user.userid".
  - Mapped the field "clientIp" to "principal.ip".
  - Mapped the field "description" to "metadata.description".
  - Mapped the field "orgName" to "principal.administrative_domain".
- Mapped the following fields when the field "ruleName" contains "CYDERES":
  - Mapped the field "deviceInfo.internalIpAddress" to "principal.ip".
  - Mapped the field "deviceInfo.externalIpAddress" to "target.ip".
  - Mapped the field "ruleName" to "security_result.rule_name".
  - Mapped the field "deviceInfo.deviceType" to "principal.asset.platform_software.platform".
  - Mapped the field "domain" to "principal.administrative_domain".
  - Mapped the field "deviceInfo.groupName" to "principal.group.group_display_name".
  - Mapped the field "deviceInfo.deviceVersion" to "principal.asset.platform_software.platform_version".
  - Mapped the field "deviceInfo.deviceId" to "principal.asset.asset_id".
  - Mapped the field "eventId" to "additional.fields".
- Changed the "metadata.event_type" from "GENERIC_EVENT" to "NETWORK_CONNECTION" when "principal.ip" and "target.ip" are both not null.
- Changed the "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" when "principal.ip" is not null.
2023-02-03 Bug-fix:
- Map "filemod_hash" to "target.file" instead of "target.process.file".
2023-01-20 Bug-fix:
- Stopped populating and mapping product_specific_process_id for empty process ids.
2022-11-25 - Mapped "remote_ip" to "principal.ip" and "local_ip" to "target.ip" for "Inbound" TCP/UDP events.
- Mapped "remote_port" to "principal.port" and "local_port" to "target.port" for "Inbound" TCP/UDP events.
2022-10-06 - Migrated all customer specific parsers to default parser.
2022-07-10 - Updated mapping of "event_type" to "PROCESS_LAUNCH" for logs of type "endpoint.event.".