Change log for CHECKPOINT_FIREWALL

Date Changes
2025-04-08 Enhancement:
- event.idm.read_only_udm.network.http.user_agent: Removed mapping of `web_client_type` from `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.additional.fields: Mapped `web_client_type` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
2025-03-27 Enhancement:
- Added a JSON block to parse the unparsed logs.
- Mapped "acks_total", "attachments_num", "arrival_time", "attack_status", "attack_traffic_bps", "attack_traffic_pps", "audit_status", "auth_method", "bandwidth", "best_practice_id", "blade_name", "cb_rate", "cb_recommendation", "cb_relevantobjectname", "cb_relevantobjectstatus", "file_count", "cb_scan_id", "from", "to", "cb_status", "cb_bp_blade", "controller", "delivery_time", "device_identification", "direction", "discard_traffic_bps", "discard_traffic_pps", "dlp_data_type_name", "dlp_relevant_data_types", "dlp_rule_name", "dlp_transport", "dns_query_type", "failure_reason", "file_size", "file_type" and "file_direction" to "additional.fields".
- Mapped "client_name", "d_name", "data_type_name", "email_queue_id", "email_status", "email_queue_name", "user_status" and "vendor_list" to "security_result.detection_fields".
- Mapped "destination_dns_hostname" to "target.hostname" and "target.asset.hostname".
- Mapped "email_content" to "security_result.description".
- Mapped "email_subject" to "network.email.subject".
- Mapped "event_name" to "metadata.description".
- Mapped "web_client_type" to "network.http.user_agent".
- Mapped "file_size" to "target.file_size".
- Mapped "from" to "network.email.from".
- Mapped "to" to "network.email.to".
2025-03-24 Enhancement:
- Modified "security_result.severity" from "LOW" to "INFORMATIONAL" when "severity" is "0".
2025-03-10 Enhancement:
- Changed mapping of "contract_name" from "security_result.description" to "security_result.detection_fields" to prevent overriding in "security_result.description".
- Added a condition check to remove the duplicate mapping of intermediary.ip.
2025-03-06 Enhancement:
- Mapped "verdict" to "security_result.verdict_response".
- Mapped "file_name" to "target.file.names".
- Mapped "file_md5" to "target.file.md5".
- Mapped "file_sha1" to "target.file.sha1".
- Mapped "file_sha256" to "target.file.sha256".
2025-02-28 Enhancement:
- If Severity is "0", "1", and "2" then set "security_result.severity" to "LOW".
- If Severity is "3" then set "security_result.severity" to "MEDIUM".
- If Severity is "4" then set "security_result.severity" to "HIGH".
- If Severity is "5" then set "security_result.severity" to "CRITICAL".
2025-02-26 Enhancement:
- Mapped "description" to "security_result.description".
2025-02-13 Enhancement:
- Removed conditional check for "Severity" and "severity".
2025-02-11 Enhancement:
- Added Grok patterns to parse "Severity".
- Mapped "Name" to "security_result.detection_fields" and "security_result.about.resource.attribute.labels".
- Mapped "Level" to "security_result.confidence_details".
- Mapped "Impact" to "additional.fields".
- Added a new Grok pattern including a conditional check for "Reference".
2025-02-07 Enhancement:
- Mapped "security_result.action" to "BLOCK" when "additional_info" is "Administrator failed to log".
- Changed "origin" mapping from "principal.ip" and "principal.asset.ip" to "intermediary.ip" and "intermediary.asset.ip".
- Changed "administrator" mapping from "security_result.detection_fields" to "target.user.userid".
- Mapped "machine" to "target.hostname" and "target.asset.hostname".
2025-02-06 Enhancement:
- When "severity" is "5" then set "security_result.severity" to "HIGH".
2025-01-31 Enhancement:
- Mapped value of "CN" under "originsicname" to "intermediary.hostname".
2025-01-09 Enhancement:
- Removed extra space from "principal.ip".
- Mapped "user" to "principal.user.user_display_name".
2025-01-08 Enhancement:
- Mapped "src" to "principal.hostname" when "src" is not a valid IP.
2025-01-01 Enhancement:
- Mapped "security_result.action" to "ALLOW" when "_action" is "Bypass" or "bypass".
2024-11-27 Enhancement:
- Mapped "operation_number" to "security_result.detection_fields".
- Mapped "client_ip" to "principal.ip" and "principal.asset.ip".
2024-11-26 Enhancement:
- Mapped "src" to "principal.hostname" and "principal.asset.hostname".
2024-11-21 Enhancement:
- Added a Grok pattern to map "resource" to "target.url".
2024-11-04 Enhancement:
- Mapped "cu_rule_category" value to "security_result.rule_name".
2024-10-30 Enhancement:
- Modified the Grok pattern to extract correct "service" data.
2024-10-14 Enhancement:
- Mapped "log Update" value to "additional.fields".
- Mapped "log_sys_message" to "metadata.description".
2024-09-18 Enhancement:
- When "Action" is equal to "Prevent", then mapped "security_result.action" to "BLOCK".
2024-08-30 Enhancement:
- Mapped "layer_name" to "security_result.detection_fields".
2024-08-28 Enhancement:
- Modified the condition to parse new format of SYSLOG + KV logs.
2024-08-14 Enhancement:
- Added a "gsub" for field "service".
2024-08-13 Enhancement:
- Removed "target.ip" and "target.asset.ip" mappings for "origin".
2024-08-02 Enhancement:
- Mapped "feature_name" and "securexl_message" to "additional.fields".
2024-07-30 Enhancement:
- Mapped "emailSubject" to "network.email.subject".
- Mapped "cat" to "security_result.detection_fields".
- Mapped "url" to "principal.url".
- Mapped "srcPostNAT" to "principal.nat_ip".
- Mapped "dstPostNAT" to "target.nat_ip".
- Mapped "srcPostNATPort" to "principal.nat_port".
- Mapped "dstPostNATPort" to "target.nat_port".
- Removed mapping for field "origin" from "target.ip".
2024-07-18 Enhancement:
- Added support for some of the unmapped fields for product "Application Control".
2024-07-11 Enhancement:
- Mapped "svc" to "target.port".
- Added if block for the "action.details" value "0".
- Added null check for "security_result.detection_fields".
2024-06-26 Enhancement:
- Added support for some of the unmapped fields (CEF format logs) for product "VPN-1 & FireWall-1".
- list of fields added:
- fw_subproduct
- src_user_dn
- hll_key
- nat_rulenum
- security_inzone
- security_outzone
- snid
- drop_reason
- reason
- match_id
- parent_rule
- ifname
- logid
- sequencenum
- version
- service_id
- community
- lastupdatetime
- vpn_feature_name
- conn_direction
- contextnum
- context_num
- certificate_validity
- nat_addtnl_rulenum
- nat_rule_uid
- needs_browse_time
- sig_id
- sni
- tls_server_host_name
- log_delay
- dst_user_dn
- rpc_interface_uuid
- icmp
2024-06-14 Enhancement:
- If "Action" is "Detect" or "detect", then changed the mapping of "security_result.action" from "QUARANTINE" to "ALLOW".
2024-06-11 Enhancement:
- Mapped "dns_query" to "network.dns.questions".
2024-05-29 Enhancement:
- Mapped "layer_uuid_rule_uuid" to "security_result.rule_id".
- Mapped "domain" to "principal.administrative_domain".
- Mapped "fservice", "appi_name", "app_risk", and "policy_name" to "security_result.detection_fields".
- Mapped "packets", "__id", "dedup_time", "browse_time", "bytes", "product_family", "hll_key", and "calc_service" to "additional.fields".
- Mapped "id" to "metadata.product_log_id".
- Mapped "orig_log_server" to "principal.resource.product_object_id".
- Mapped "environment_id" to "target.resource.product_object_id".
- Mapped "client_outbound_packets" and "client_inbound_packets" to "principal.resource.attribute.labels".
- Mapped "server_outbound_bytes" and "server_inbound_bytes" to "target.resource.attribute.labels".
- Mapped "orig" to "principal.hostname" and "principal.asset.hostname".
- Mapped "orig_log_server_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "proto" to "network.ip_protocol".
2024-05-20 Enhancement:
- Added a Grok pattern to extract "inter_host".
- Mapped "inter_host" to "intermediary.hostname".
2024-04-19 Enhancement and Bug-Fix:
- Mapped "origin" to "target.ip" and "target.asset.ip".
- Added new Grok patterns to parse new format of SYSLOG logs.
- Mapped "smartdefense_profile", "malware_rule_id", and "malware_rule_name" to "security_result.detection_fields".
- Mapped "sequencenum", "description_url", "industry_reference", "mitre_execution", "packet_capture_name", "packet_capture_unique_id", "packet_capture_time", and "performance_impact" to "additional.fields".
- Mapped "version" to "metadata.product_version".
- Mapped "http_host" to "target.resource.attribute.labels".
- Mapped "log_id" to "metadata.product_log_id".
- Mapped "user_agent" to "network.http.user_agent" and "http.parsed_user_agent".
- Mapped "hostname", "dvc", and "principal_hostname" to "target.hostname" and "target.asset.hostname".
- If "has_principal" is "true", "has_target" is "true", and "Action"/"action" is "Log In" or "Failed Log In" or "Failed Login" or "Update", then set "metadata.event_type" to "USER_LOGIN" and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED".
- If "has_principal" is "true", "has_target" is "true", and "Action"/"act"/"event_type" is "Log Out" or "Logout", then set "metadata.event_type" to "USER_LOGOUT" and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED".
- If "has_principal" is "true", "has_target" is "true", then set "metadata.event_type" to "NETWORK_CONNECTION".
- If "has_principal" is "true", "has_target" is "false", then set "metadata.event_type" to "STATUS_UPDATE".
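The entries above describe rules rather than code, so it helps to see them run together. The following is an editor's illustration, not the product parser and not code from Check Point or Google: it applies the "metadata.event_type" decision recorded on 2024-04-19 (login, logout, network connection or status update from "has_principal" and "has_target"), the severity table as of the 2025-03-24 entry (0 to INFORMATIONAL, 1 and 2 to LOW, 3 to MEDIUM, 4 to HIGH, 5 to CRITICAL), the action mappings from 2024-06-14, 2024-09-18, 2025-01-01 and 2025-02-07, and the IP-versus-hostname handling of "src" from 2025-01-08 and 2023-12-11. Assumptions, labelled in the code: the input is a Log Exporter style body of key:"value"; pairs, "dst" is mapped to "target.ip" (this change log only records "ipv6_dst"), the "Administrator failed to log" check is done as a prefix match, and the four sample lines are constructed for the example.

```python
"""Illustration of the CHECKPOINT_FIREWALL mapping rules recorded in this
change log. Not the product parser; the rules below cite the entry they
come from, and anything marked 'assumption' is not from the change log."""
import ipaddress
import re
from typing import Dict

# Assumption: body is a sequence of key:"value"; pairs (Log Exporter style).
KV_RE = re.compile(r'(\w+):"([^"]*)"')

# security_result.severity as of the 2025-03-24 entry ("0" was LOW before it).
SEVERITY = {"0": "INFORMATIONAL", "1": "LOW", "2": "LOW",
            "3": "MEDIUM", "4": "HIGH", "5": "CRITICAL"}

# Action values that drive USER_LOGIN / USER_LOGOUT (2024-04-19 entry).
LOGIN_ACTIONS = {"log in", "failed log in", "failed login", "update"}
LOGOUT_ACTIONS = {"log out", "logout"}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key:"value"; body into raw fields. Values are kept verbatim,
    so ':' or '=' inside a quoted value (a URL, say) is never rewritten,
    which is the behaviour the 2023-06-14 entry fixed."""
    return dict(KV_RE.findall(line))


def map_severity(raw: str) -> str:
    """Unknown values fall through to UNKNOWN_SEVERITY (assumption)."""
    return SEVERITY.get(raw.strip(), "UNKNOWN_SEVERITY")


def map_action(raw: Dict[str, str]) -> str:
    """security_result.action per the 2024-06-14 (Detect -> ALLOW),
    2024-09-18 (Prevent -> BLOCK), 2025-01-01 (Bypass -> ALLOW) and
    2025-02-07 (admin login failure -> BLOCK) entries."""
    # The change log records the literal "Administrator failed to log";
    # matching it as a prefix is an assumption so a full sentence also hits.
    if raw.get("additional_info", "").startswith("Administrator failed to log"):
        return "BLOCK"
    action = (raw.get("Action") or raw.get("action") or "").strip().lower()
    if action == "prevent":
        return "BLOCK"
    if action in ("detect", "bypass"):
        return "ALLOW"
    return "UNKNOWN_ACTION"  # assumption: other actions left unmapped here


def classify(event: Dict[str, str], raw: Dict[str, str]) -> str:
    """metadata.event_type per the 2024-04-19 entry. The login branch reads
    Action/action; the logout branch reads Action/act/event_type."""
    has_principal = "principal.ip" in event or "principal.hostname" in event
    has_target = "target.ip" in event or "target.hostname" in event
    login_key = (raw.get("Action") or raw.get("action") or "").strip().lower()
    logout_key = (raw.get("Action") or raw.get("act")
                  or raw.get("event_type") or "").strip().lower()
    if has_principal and has_target:
        if login_key in LOGIN_ACTIONS:
            return "USER_LOGIN"
        if logout_key in LOGOUT_ACTIONS:
            return "USER_LOGOUT"
        return "NETWORK_CONNECTION"
    if has_principal:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def normalize(line: str) -> Dict[str, str]:
    """Build the subset of UDM fields this example covers."""
    raw = parse_kv(line)
    event: Dict[str, str] = {}
    src = raw.get("src", "").strip()  # 2025-01-09: extra whitespace removed
    if src:
        try:
            ipaddress.ip_address(src)
            event["principal.ip"] = src  # valid IP literal
        except ValueError:
            event["principal.hostname"] = src  # 2025-01-08: not a valid IP
    if "dst" in raw:
        event["target.ip"] = raw["dst"]  # assumption: dst -> target.ip
    if "machine" in raw:
        event["target.hostname"] = raw["machine"]  # 2025-02-07
    if "administrator" in raw:
        event["target.user.userid"] = raw["administrator"]  # 2025-02-07
    if "severity" in raw:
        event["security_result.severity"] = map_severity(raw["severity"])
    event["security_result.action"] = map_action(raw)
    event["metadata.event_type"] = classify(event, raw)
    return event


# Constructed sample bodies for this example; not captured logs.
SAMPLE_LINES = [
    'action:"Prevent"; src:"10.1.2.3"; dst:"198.51.100.7"; service:"443"; severity:"4";',
    'action:"Log In"; src:"admin-ws01 "; machine:"mgmt01"; administrator:"jdoe"; severity:"0";',
    'action:"Bypass"; src:"10.9.9.9"; severity:"2";',
    'action:"Failed Log In"; additional_info:"Administrator failed to log in"; src:"10.0.0.8"; machine:"mgmt01"; severity:"3";',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(normalize(sample))
```

The first sample has both ends of the connection, so it lands on NETWORK_CONNECTION with severity HIGH and action BLOCK; the second is an audit record whose "src" is a hostname, not an IP, and whose "machine" supplies the target, so it becomes USER_LOGIN with severity INFORMATIONAL; the third has a principal only and becomes STATUS_UPDATE with action ALLOW; the fourth is blocked by the "additional_info" check and still classified as a login because "Failed Log In" is in the login set.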
2024-02-07 Enhancement: Added mapping for the following fields:
- Mapped "protection_id", "malware_action", "malware_family", "protection_name" and "protection_type" to "security_result.detection_fields".
- Mapped "confidence_level" to "security_result.confidence" and "security_result.confidence_details".
2024-02-05 Enhancement: Added mapping for the following fields:
- Mapped "method" to "network.http.method".
2024-01-24 Enhancement: Added mapping for the following fields:
- Mapped "method" to "network.http.method".
- Mapped "duration" to "network.session_duration.seconds".
- Mapped "additional_info" to "security_result.description".
- Mapped "operation" to "security_result.summary".
- Mapped "subject" to "metadata.description".
- Mapped "principal_hostname" to "intermediary.hostname".
- Mapped "tcp_packet_out_of_state", "aggregated_log_count", "connection_count", "appi_name", "src_user_dn", "update_count", "additional_info", "administrator", "operation", "sendtotrackerasadvancedauditlog", "subject", "fieldschanges", "logic_changes", "objecttype", "session_description" and "session_name" to "security_result.detection_fields".
2023-12-27 Enhancement: Added mapping for the following fields:
- Mapped "flags" to "security_result.detection_fields".
- Mapped "tcp_flags" to "security_result.detection_fields".
- Mapped "tcp_packet_out_of_state" to "security_result.detection_fields".
2023-12-11 Enhancement:
- If "principal_hostname" is a valid ip, mapped it to "principal.ip".
- If "principal_hostname" is not a valid ip, mapped it to "principal.hostname".
- Mapped "sport_svc" to "principal.port".
- Mapped "ProductFamily" to "additional.fields".
- Mapped "mitre_initial_access" to "security_result.detection_fields".
- Mapped "policy_time" to "security_result.detection_fields".
- Mapped "profile" to "security_result.detection_fields".
- Mapped "reject_id_kid" to "security_result.detection_fields".
- Mapped "ser_agent_kid" to "security_result.detection_fields".
2023-10-11 Enhancement:
- If "product" is "New Anti Virus", then the mapping from "firewall management node" to "principal.hostname" is removed and instead mapped to "security_result.detection_fields".
2023-07-06 Enhancement: Added mapping for the following fields:
- Mapped "app_category" to "security_result.category_details".
- Mapped "matched_category" to "security_result.detection_fields".
- Mapped "app_properties" to "security_result.detection_fields".
2023-06-14 Enhancement: Added mapping for the following fields:
- Mapped "conn_direction" to "additional.fields".
- Modified gsub's so as not to replace the ":" with "=" from actual values.
2023-05-12 Enhancement: Added mapping for the following fields:
- Mapped "rule_name" to "security_result.rule_name".
- Mapped "rule", "sub_policy_name", "sub_policy_uid", "smartdefense_profile", "tags" and "flexString2" to "security_result.detection_fields".
Enhancement:
- Added new Grok pattern to support the new log formats.
- Mapped "dvc" to "intermediary.hostname".
- Mapped "hostname" to "intermediary.hostname".
- Mapped "origin_sic_name" to "intermediary.asset_id".
- Mapped "conn_direction" to "network.ip_protocol".
- Mapped "ifname" to "security_result.detection_fields".
- Mapped "security_inzone" to "security_result.detection_fields".
- Mapped "match_id" to "security_result.detection_fields".
- Mapped "parent_rule" to "security_result.detection_fields".
- Mapped "security_outzone" to "security_result.detection_fields".
- Mapped "sub_policy_name" to "security_result.detection_fields".
- Mapped "sub_policy_uid" to "security_result.detection_fields".
- Mapped "drop_reason" to "security_result.summary".
- Mapped "reason" to "security_result.summary".
- Mapped "xlatesport" to "principal.nat_port".
- Mapped "xlatedport" to "target.nat_port".
- Mapped "ipv6_dst" to "target.ip".
- Mapped "ipv6_src" to "principal.ip".
2023-04-24 Enhancement:
- Added support for logs with CEF format.
2022-11-18 Enhancement:
- Modified mapping for "service" and mapped it to "target.port".
2022-10-27 Enhancement:
- Added conditional check for "attack","attack_info","policy_name".
- Added grok pattern to retrieve "principal_hostname".
- Added gsub to change "=" to ":".
- Modified mapping for "service" and mapped it to "target.resource.attribute.labels".
2022-10-13 Enhancement:
- Mapped the field 'fw_subproduct' to 'metadata.product_name'.
- Added grok pattern to extract the IP from the field 'src'.
2022-08-30 Enhancement:
- Merged the changes of Customer-specific versions to default.
- Undropped the logs containing "*****" in UserCheck.
2022-08-18 Enhancement:
- Mapped "portal_message" to "security_result.description".
- Mapped "security_result.category" as "SOFTWARE_MALICIOUS" in case "portal_message" contains keywords "malware/malicious".
- Mapped "URL" to "security_result.about.url".
- Mapped "Activity" to "security_result.summary".
- Mapped "Reference" to "security_result.about.resource.attribute.labels".
- Modified "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" by replicating the value of "intermediary.ip" to "principal.ip".
2022-08-12 Enhancement:
- Mapped "malware_action", "malware_family", "protection_name" and "protection_type" to "security_result.about.resource.attribute.labels".
- Mapped "src_machine_name" to "security_result.detection_fields".
2022-06-30 Enhancement:
- Mapped "message_info" to "metadata.description".
2022-06-17 Enhancement:
- Added conditional checks for fields "nat_rulenum", "rule", "sent_bytes", "received_bytes", "s_port", "service".
- Modified event_types for the following cases:
- "GENERIC_EVENT" to "NETWORK_CONNECTION" where "principal.ip or principal.hostname" and "target.ip or target.hostname" are not null.
- "GENERIC_EVENT" to "STATUS_UNCATEGORIZED" where "principal.ip or principal.hostname" is not null.
2022-06-14 Enhancement:
- Modified the parser to parse more logs by removing the condition check for passwd.
2022-06-07 Enhancement:
- Mapped "src_machine_name" to "security_result.detection_fields".
2022-05-19 Enhancement:
- Mapped "inzone", "outzone", "layer_name", "layer_uuid" and "policy_name" to "security_result.detection_fields".
- Mapped "service_id" to "principal.application".