Change log for CISCO_FIREPOWER_FIREWALL

Date Changes
2025-01-22 Enhancement:
- Added support for new pattern of syslog logs.
2025-08-18 Enhancement:
- Added a grok pattern to parse `principal.ip`.
- `event.idm.read_only_udm.security_result.description`: Newly mapped `AccessControlRuleReason` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `Client` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `IPSCount`, `ConnectionDuration` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `ReferencedHost` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field.
2025-08-11 Enhancement:
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `CRITICAL` to the `event.idm.read_only_udm.security_result.severity` UDM field when severity is 0.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `INFORMATIONAL` to the `event.idm.read_only_udm.security_result.severity` UDM field when severity is 7.
- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `Emergency: System is unusable` to the `event.idm.read_only_udm.security_result.severity_details` UDM field when severity is 0.
- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `Debugging: Debugging messages` to the `event.idm.read_only_udm.security_result.severity_details` UDM field when severity is 7.
- event.idm.read_only_udm.security_result.severity: Removed mapping of `INFORMATIONAL` from `event.idm.read_only_udm.security_result.severity` UDM field and mapped `HIGH` instead when severity is 1.
- event.idm.read_only_udm.security_result.severity: Removed mapping of `INFORMATIONAL` from `event.idm.read_only_udm.security_result.severity` UDM field and mapped `LOW` instead when severity is 4.
- event.idm.read_only_udm.security_result.severity_details: Removed mapping of `Immediate action needed` from `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Alert: Immediate action needed` instead when severity is 1.
- event.idm.read_only_udm.security_result.severity_details: Removed mapping of `Critical condition` from `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Critical: Critical conditions` instead when severity is 2.
- event.idm.read_only_udm.security_result.severity_details: Removed mapping of `Error condition` from `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Error: Error conditions` instead when severity is 3.
- event.idm.read_only_udm.security_result.severity_details: Removed mapping of `Warning condition` from `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Warning: Warning conditions` instead when severity is 4.
- event.idm.read_only_udm.security_result.severity_details: Removed mapping of `Normal but significant condition` from `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Notice: Normal but significant condition` instead when severity is 5.
- event.idm.read_only_udm.security_result.severity_details: Removed mapping of `Informational message only` from `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Informational: Informational messages only` instead when severity is 6.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped EventPriority, PrefilterPolicy, ClientAppDetector raw log field(s) with event.idm.read_only_udm.security_result.detection_fields UDM field.
- event.idm.read_only_udm.network.sent_packets: Mapped InitiatorPackets raw log field to event.idm.read_only_udm.network.sent_packets UDM field.
- event.idm.read_only_udm.network.received_packets: Mapped ResponderPackets raw log field to event.idm.read_only_udm.network.received_packets UDM field.
- event.idm.read_only_udm.principal.nat_port: Mapped NAT_InitiatorPort raw log field to event.idm.read_only_udm.principal.nat_port UDM field.
- event.idm.read_only_udm.target.nat_port: Mapped NAT_ResponderPort raw log field to event.idm.read_only_udm.target.nat_port UDM field.
- event.idm.read_only_udm.principal.nat_ip: Mapped NAT_InitiatorIP raw log field to event.idm.read_only_udm.principal.nat_ip UDM field.
- event.idm.read_only_udm.target.nat_ip: Mapped NAT_ResponderIP raw log field to event.idm.read_only_udm.target.nat_ip UDM field.
- event.idm.read_only_udm.principal.asset.attribute.labels: Mapped InstanceID, IngressVRF, EgressVRF raw log fields to event.idm.read_only_udm.principal.asset.attribute.labels UDM field.
2025-08-05 Enhancement:
- Added support for syslogs with eventId `199018` by adding a new Grok pattern.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `src_user1` log field to `event.idm.read_only_udm.principal.user.userid` and set `has_user` to `true`.
- Added a condition to set `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED` when `has_user` is `true`.
- event.idm.read_only_udm.principal.ip: Newly mapped `srcip` log field to `event.idm.read_only_udm.principal.ip`.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `srcip` log field to `event.idm.read_only_udm.principal.asset.ip`.
- Concatenated the `month`, `day`, `year` and `time` log fields and mapped the result to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
2025-07-18 Enhancement:
- `event.idm.read_only_udm.principal.user.userid`: Removed the mapping of `event.idm.read_only_udm.principal.user.userid` by adding a new Grok pattern to avoid parsing DNS data as user data.
- `event.idm.read_only_udm.principal.user.user_display_name`: Removed the mapping of `event.idm.read_only_udm.principal.user.user_display_name` by adding a new Grok pattern to avoid parsing DNS data as user data.
- `event.idm.read_only_udm.network.dns.questions.name`: Newly mapped `dns_question` raw log field to `event.idm.read_only_udm.network.dns.questions.name`.
2025-07-16 Enhancement:
- Added support for SYSLOG format with `kernel` messages by adding a new Grok pattern.
- Enhanced date filter to separately handle formats having "year" data.
- Added a Grok pattern to parse `product`, `severity`, and `eventID` from `src_app`.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `eventID` log field to `event.idm.read_only_udm.metadata.product_event_type`.
- Added a Grok pattern to parse `Reg` and `Value` from the `sec_desc` field.
- event.idm.read_only_udm.additional.fields: Newly mapped `kernel_value` log field to `event.idm.read_only_udm.additional.fields`.
- event.idm.read_only_udm.additional.fields: Newly mapped `Reg` log field to `event.idm.read_only_udm.additional.fields`.
- event.idm.read_only_udm.additional.fields: Newly mapped `Value` log field to `event.idm.read_only_udm.additional.fields`.
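The following is an added illustration, not the parser's own code: it renders in Python the `src_app` split from the 2025-07-16 entry (`product`, `severity`, `eventID` from a tag such as `%FTD-6-302303`) together with the severity and severity_details mapping listed in the 2025-08-11 entry. The regex shape, the `UNKNOWN_SEVERITY` fallback for severities the changelog does not assign, and the sample tags are assumptions made here.

```python
import re
from typing import Optional

# Grok-equivalent regex for the Cisco syslog program tag, e.g. "%FTD-6-302303":
# product name, syslog severity digit, and the numeric event ID (assumed shape).
SRC_APP_RE = re.compile(r"^%(?P<product>[A-Z]+)-(?P<severity>[0-7])-(?P<event_id>\d+)$")

# UDM severity values the 2025-08-11 entry states for severities 0, 1, 4 and 7.
# Other severities fall back to UNKNOWN_SEVERITY below; that fallback is an
# assumption of this example, not documented parser behaviour.
UDM_SEVERITY = {0: "CRITICAL", 1: "HIGH", 4: "LOW", 7: "INFORMATIONAL"}

# severity_details strings for all eight syslog severities, as listed on this page.
SEVERITY_DETAILS = {
    0: "Emergency: System is unusable",
    1: "Alert: Immediate action needed",
    2: "Critical: Critical conditions",
    3: "Error: Error conditions",
    4: "Warning: Warning conditions",
    5: "Notice: Normal but significant condition",
    6: "Informational: Informational messages only",
    7: "Debugging: Debugging messages",
}


def parse_src_app(src_app: str) -> Optional[dict]:
    """Split "%FTD-6-302303" into product, severity and event ID; None if no match."""
    m = SRC_APP_RE.match(src_app)
    if not m:
        return None
    return {"product": m["product"], "severity": int(m["severity"]), "event_id": m["event_id"]}


def to_udm(src_app: str) -> dict:
    """Build the UDM fields the changelog describes for one program tag.

    Returns an empty dict when the tag does not match, so the caller leaves the
    fields unset rather than guessing (the role an on_error guard plays in the parser).
    """
    parsed = parse_src_app(src_app)
    if parsed is None:
        return {}
    sev = parsed["severity"]
    return {
        "metadata.product_event_type": parsed["event_id"],
        "security_result.severity": UDM_SEVERITY.get(sev, "UNKNOWN_SEVERITY"),
        "security_result.severity_details": SEVERITY_DETAILS[sev],
    }


if __name__ == "__main__":
    # Constructed sample tags (severity digits chosen for illustration).
    for tag in ("%FTD-6-302303", "%ASA-4-106016", "%FTD-0-199018", "not-a-tag"):
        print(tag, to_udm(tag))
```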
2025-07-01 Enhancement:
- Added Grok pattern to correctly extract the value of `intermediary_ip` or `syslog` fields from the raw log.
- event.idm.read_only_udm.network.session_id: Newly mapped `ConnectionID` raw log field to `event.idm.read_only_udm.network.session_id`.
- Added a null check conditional for `sysloghost` field in "cisco_firepower_firewall_normalization.include" file.
2025-04-03 Enhancement:
- "event.idm.read_only_udm.network.http.user_agent": Mapped "UserAgent" to "event.idm.read_only_udm.network.http.user_agent".
- "event.idm.read_only_udm.network.http.parsed_user_agent": Mapped "UserAgent" to "event.idm.read_only_udm.network.http.parsed_user_agent".
- Modified the "message1" field by replacing all occurrences of "Prefilter Policy" with "Prefilter_Policy".
2025-03-19 Enhancement:
- Modified the Grok pattern to parse data to their respective mappings.
2025-02-25 Enhancement:
- Removed "is_alert" functionality from UDM mapping to avoid the discrepancy in the number of "ingested" events vs "normalized" events.
2025-02-14 Enhancement:
- Added "on_error" to fix the parsing errors.
2025-02-07 Enhancement:
- Changed mapping for "hostname" from "principal.hostname" and "principal.asset.hostname" to "intermediary.hostname" and "intermediary.asset.hostname".
- Modified mapping from "intermediary.ip" to "target.ip".
2025-01-30 Enhancement:
- Added a new Grok pattern to parse the unparsed logs.
2025-01-23 Enhancement:
- Mapped "event_id" to "additional.fields".
2025-01-16 Enhancement:
- Added "gsub" to support the new JSON log formats.
2025-01-03 Enhancement:
- Added support for the parsing of "ASA" logs, which were previously not being parsed.
- Added a new Grok pattern to parse new log types.
2024-12-06 Enhancement:
- Added support for a new pattern of syslog logs.
- Mapped "path" to "principal.process.file.full_path".
- Mapped "event_name" to "metadata.product_event_type".
- Mapped "description" to "metadata.description".
- Mapped "host" to "principal.hostname" and "principal.asset.hostname".
- Mapped "srcuser" to "principal.user.userid" and "user_display_name", and set "metadata.event_type" to "USER_UNCATEGORIZED".
- Mapped "src_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "src_port" to "principal.port".
2024-12-05 Enhancement:
- Added support for a new pattern of JSON logs.
2024-11-28 Enhancement:
- Added support for a new pattern of syslog logs.
- Mapped "username2" to "target.user.userid".
- Mapped "pwd" to "target.file.full_path".
- Mapped "command" to "target.process.command_line".
2024-11-13 Enhancement:
- Added support for new pattern of syslog logs.
- Mapped "username" to "principal.user.userid".
- Mapped "action" to "metadata.ingestion_labels".
- Mapped "bytes_transferred" to "network.sent_bytes".
2024-11-06 Enhancement:
- Added support for new pattern of syslog logs.
2024-11-05 Enhancement:
- Added support to parse a new format of syslog logs.
2024-08-13 Enhancement:
- Added support to parse a new format of unparsed KV logs.
2024-08-08 Enhancement:
- Added support to parse a new format of unparsed logs.
2024-07-15 Enhancement:
- Added support to parse the unparsed logs with "eventId" as "106016", "302021", and "302020".
2024-07-08 Enhancement:
- Added validation before setting the "metadata.event_type" to "FILE_CREATION" and "FILE_UNCATEGORIZED".
- When "SrcIP" and "DstIP" are not null, set "metadata.event_type" to "NETWORK_CONNECTION".
2024-06-28 Enhancement:
- Changed mapping for "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes".
- Changed mapping for "ResponderBytes" from "network.sent_bytes" to "network.received_bytes".
2024-06-11 Enhancement:
- Modified a Grok pattern to parse the intermediary hostname.
2024-04-12 Enhancement:
- Mapped "HTTP_Hostname" to "target.resource.attribute.labels".
- Mapped "HTTP_URI" to "target.resource.attribute.labels".
- When "InlineResult" matches "Alert", set "security_result.action" to "ALLOW".
- When "InlineResult" matches "Dropped", set "security_result.action" to "BLOCK".
- Mapped "InlineResult" to "security_result.action_details".
2024-04-06 Enhancement:
- Added a Grok pattern to parse the unparsed logs with "eventId" as "302022".
- Changed mapping of "metadata.product_event_type" from "eventId" to "action".
- Changed mapping of "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes".
2024-01-04 Enhancement:
- Added support for SFAUDIT syslog logs.
- Mapped "user_id_field" to "principal.user.userid".
- Mapped "http_method" to "network.http.method".
- Mapped "HTTPReferer" to "network.http.referral_url".
- Mapped "HTTPResponse" to "network.http.response_code".
- Mapped "event_name" to "metadata.product_event_type".
- Mapped "event_description" to "metadata.description".
- Mapped "event_summary" to "security_result.summary".
- Added Grok patterns to parse "intermediary.hostname" properly for new pattern of syslog logs.
- When "sysloghost" is a valid IP, then mapped it to "intermediary.ip".
- Added support for JSON logs.
- Mapped "userId" to "principal.user.userid".
- Mapped "sourceIpAddress" to "principal.ip".
- Mapped "sourcePortOrIcmpType" to "principal.port".
- Mapped "@computed.sensor" to "principal.hostname".
- Mapped "@computed.user" to "principal.user.user_display_name".
- Mapped "@computed.clientApplication" to "principal.application".
- Mapped "@computed.ingressInterface" to "principal.asset.attribute.labels".
- Mapped "@computed.sourceIpCountry" to "principal.location.country_or_region".
- Mapped "destinationIpAddress" to "target.ip".
- Mapped "destinationPortOrIcmpType" to "target.port".
- Mapped "@computed.destinationIpCountry" to "target.location.country_or_region".
- Mapped "ipProtocolId" to "network.ip_protocol".
- Mapped "httpResponse" to "network.http.response_code".
- Mapped "@computed.applicationProtocol" to "network.application_protocol".
- Mapped "ruleId" to "security_result.rule_id".
- Mapped "priorityId" to "security_result.priority_details".
- Mapped "@computed.priority" to "security_result.priority".
- Mapped "@computed.firewallPolicy" to "security_result.rule_name".
- Mapped "@computed.message" to "security_result.threat_name".
- Mapped "iocNumber" to "security_result.detection_fields".
- Mapped "recordLength" to "security_result.detection_fields".
- Mapped "@computed.classificationDescription" to "security_result.description".
- Mapped "@computed.recordTypeDescription" to "metadata.description".
- Mapped "@computed.recordTypeCategory" to "metadata.product_event_type".
2023-12-26 Enhancement:
- Added a Grok pattern to parse the unparsed logs of type "%FTD-6-302303".
- Added an on_error for a kv block.
2023-09-12 Enhancement:
- Mapped "user_name" to "principal.user.email_addresses" and "client_ip" to "principal.ip" for "metadata.product_event_type" = "716001".
- Added a Grok pattern to parse the unparsed logs where "product" = "Intrusion".
2023-08-08 Bug-Fix:
- Added a Grok pattern to map the complete value present in the raw log to "intermediary.hostname".
2023-06-15 Enhancement:
- Added support for JSON format logs.
2023-06-07 Enhancement:
- Added new Grok pattern and mapped fields accordingly to parse unparsed logs.
2023-05-03 Enhancement:
- Modified Grok pattern to parse the failing logs.
- Corrected the logic to correctly map "network.direction" to the values "INBOUND" and "OUTBOUND".
2023-04-19 Enhancement:
- Modified the Grok pattern to get a valid hostname.
2023-04-06 Enhancement:
- Added a Grok pattern and mappings for EventId 106006.
2023-03-09 Enhancement:
- Mapped hostname from the Syslog header to "intermediary.hostname".
- Removed mapping of src_ip/src_host to "observer.ip"/"observer.hostname".
- Added new grok patterns and mappings for EventIds 106001, 302015, 302016, 713219, 302013, 305012, 305011.
- Mapped severity to "security_result.severity" and "security_result.severity_details".
- Modified "metadata.event_type" to "NETWORK_CONNECTION" where "eventId" is 305011,305012,607001,302303.
- Mapped "network.direction" to INBOUND/OUTBOUND based on "src_interface_name", "dst_interface_name".
- Mapped "src_interface_name","dst_interface_name" to "metadata.ingestion_labels".
- Added check to "ApplicationProtocol" prior mapping to UDM.
2023-02-27 Enhancement:
- Added Grok patterns and mappings for EventIds 302016,302014.
2023-01-27 Enhancement:
- Mapped "observer.hostname" and "observer.ip" for these product_event_type values: 430002, 430003, 430004, 430005.
- Modified grok patterns for these EventIds 721018, 722055, 722023, 113009, 722037 to parse data correctly.
2022-11-25 Enhancement:
- Added grok pattern for product_event_type [199017].
- Mapped "AUTH_VIOLATION" to security_result.category for product_event_type [199017].
- Mapped "USER_LOGIN" and "STATUS_UPDATE" event_type for product_event_type [199017].
- Mapped "target.user.userid" for product_event_type [199017].
- Mapped "extensions.auth.auth_details" for product_event_type [199017].
- Added grok pattern and "on_error" for product_event_type [713902].
- Modified "event_description" mapping for product_event_type [713902].
- Added "on_error" in grok for product_event_type [713903].
2022-07-07 Enhancement:
- Removed is_alert where product_event_type is [430002,430003,313005,419002].
- Added is_alert where product_event_type is 430005.
2022-06-27 Enhancement:
- Mapped the following unparsed events: [1:1000171:1] (Nmap), [122:1:1] (Portscan), [122:2:1] (Portscan), [122:8:1] (Portscan), [122:19:1] (Portsweep), [122:21:1] (Portscan), [122:22:1] (Portscan), [122:23:1] (Portsweep), [122:24:1] (Portscan), [122:7:1] (Portsweep), LOGSTASH[-].
- Mapped "category" to "security_result.threat_name" where eventId is "http_inspect".
- Mapped "category" to "security_result.threat_name" where eventId is "0" and product is "SFIMS".
- Mapped "Classification" to "security_result.threat_name" where eventId is "430001".
- Mapped "DeviceUUID" to "principal.resource.id" where eventId is "430001".
2022-06-09 Bug-Fix:
- Added new field mapping: "ACPolicy" mapped to "security_result.rule_labels".
- Removed field name from "security_result.confidence_details" value.
- Removed field name from "security_result.rule_name" value.
2022-05-20 Bug-Fix:
- Fixed an error where SFIMS product logs were not being parsed.
2022-05-05 Enhancement:
- Moved customer-specific to default and fixed incorrectly parsed "metadata.event_timestamp".
2022-04-22 Enhancement:
- Fixed incorrectly parsed "metadata.event_timestamp".
2022-04-13 Enhancement:
- Mapped "metadata.event_timestamp" correctly for some unparsed logs.
2022-04-04 Enhancement:
- Mapped the Zones, interfaces, policy, user, bytes, Urlcategory and urlreputation fields.
2022-03-22 Enhancement:
- Mapped the IngressZone, EgressZone, Priority, GID, SID, Revision and IntrusionPolicy fields.