Change log for CISCO_IRONPORT
2025-06-18 | Enhancement:
- Added a Grok pattern to parse a new type of SYSLOG logs.
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Removed the mapping of `hostname` from the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields in order to introduce a more accurate mapping for the raw log field.
- event.idm.read_only_udm.intermediary.hostname and event.idm.read_only_udm.intermediary.asset.hostname: Newly mapped the `hostname` raw log field to the `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname` UDM fields.
- event.idm.read_only_udm.target.port: Newly mapped the `dst_port` raw log field to the `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped the `useragent` raw log field to the `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.network.http.response_code: Newly mapped the `response_code` raw log field to the `event.idm.read_only_udm.network.http.response_code` UDM field.

2025-06-06 | Enhancement:
- Modified the Grok pattern to parse the `s_hostname` value properly from the `x_hierarchy_origin` raw log field.
- event.idm.read_only_udm.additional.fields: Removed the mapping of `cs_x_forwarded_for` from the `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Mapped the `cs_x_forwarded_for` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.

2025-05-28 | Enhancement:
- Added Grok patterns to parse a new pattern of syslog logs.
- event.idm.read_only_udm.target.hostname: Newly mapped the `target_host` raw log field to the `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.about.hostname: Newly mapped the `about_hostname` raw log field to the `event.idm.read_only_udm.about.hostname` UDM field.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped the `cs_user_agent` raw log field to the `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.network.http.method: Newly mapped the `cs_method` raw log field to the `event.idm.read_only_udm.network.http.method` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped the `cs_url` raw log field to the `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Added a Grok pattern to match an IP address, then mapped the `c_ip` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.port: Newly mapped the `c_port` raw log field to the `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped the `cs_username` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Added a Grok pattern to match an IP address, then mapped the `s_ip` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.target.port: Newly mapped the `s_port` raw log field to the `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped the `time` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped the `session_time`, `x_webcat_code_full`, `x_result_code`, `cs_version`, `cs_x_forwarded_for`, `cs_mime_type`, `cs_referer`, `x_req_dvs_scanverdict`, `x_sophos_file_name`, `x_elapsed_time`, `s_hierarchy`, `cs_auth_group`, `cs_bytes`, `cs_uri`, `x_acltag`, `x_ids_verdict`, `x_resp_dvs_canverdict`, `x_resp_dvs_threat_name`, `x_resp_dvs_verdictname`, `user_type`, `x_suspect_user_agent`, `x_wbrs_threat_type`, `x_webcat_req_code_abbr`, `x_webroot_scanverdict`, `x_webroot_threat_name`, `x_webroot_trace_id`, `x_webroot_trr`, `x_webcat_resp_code_abbr`, `x_wbrs_score`, `x_sophos_virus_name`, `x_sophos_scanverdict`, `x_sophos_scanerror`, `x_mcafee_av_virustype`, `x_mcafee_av_virusname`, `x_mcafee_av_scanerror`, `x_req_dvs_verdictname`, `x_mcafee_av_scanverdict`, `x_mcafee_filename`, `x_mcafee_av_detecttype`, `x_icap_server`, `x_avc_behaviour`, `x_app_type`, `x_app`, `x_amp_verdict`, `x_amp_upload_indicator`, `x_amp_sha`, `x_amp_score`, `x_amp_malware_name`, `x_amp_filename` and `sc_result_code_denial` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.
- Added a gsub to remove `\\"` from the `x_mcafee_av_virustype`, `x_webcat_resp_code_abbr` and `x_wbrs_threat_type` raw log fields.
- event.idm.read_only_udm.about: Merged the `about` raw log field into the `event.idm.read_only_udm.about` UDM field.

2025-03-18 | Enhancement:
- Modified Grok patterns to parse "hostname" into the "principal.hostname" field.
- Mapped "hostname" to "principal.hostname" properly; previously, "processName" was being mapped to the "principal.hostname" field.
- Mapped "processName" to "principal.process.file.full_path".
- Added a Grok checker to extract the IP address properly.

2025-02-26 | Enhancement:
- Added support for syslog logs.

2025-01-31 | Enhancement:
- Added support for SYSLOG logs.

2024-10-16 | Enhancement:
- Mapped "res" to "security_result.action_details".
- Mapped "dkim" to "security_result.summary".
- Mapped "email" to "principal.user.email_addresses".

2024-09-19 | Enhancement:
- Mapped "subject" to "additional.fields".
- Mapped "antivirus" to "security_result.detection_fields".
- Mapped "threat_level" to "security_result.detection_fields".
- Mapped "threat_category" to "security_result.detection_fields".
- Mapped "suspected_domain" to "security_result.detection_fields".

2024-06-11 | Enhancement:
- Added Grok patterns to parse new-format unparsed logs.

2024-02-07 | Newly created parser.
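The 2025-05-28 and 2025-06-06 entries together describe how raw IronPort access-log fields land in UDM: the Grok IP check before `c_ip`/`s_ip` are mapped, the gsub that strips `\"` from three fields, and the move of `cs_x_forwarded_for` from `additional.fields` to `principal.ip`. The following is an added illustration of that mapping logic, not the Google SecOps parser itself; the record is a constructed key/value sample, and the IPv4 regex stands in for the parser's Grok check.

```python
import re

# Constructed sample: one IronPort access-log record already split into the raw field
# names this changelog uses (values are made up; the real log is positional).
SAMPLE_RAW = {
    "time": "1717000000.123",
    "c_ip": "10.0.0.25",
    "c_port": "51234",
    "cs_username": "jdoe",
    "s_ip": "203.0.113.10",
    "s_port": "443",
    "cs_url": "https://example.com/download/file.bin",
    "cs_x_forwarded_for": "192.0.2.77",
    "x_mcafee_av_virustype": '\\"trojan\\"',   # carries the escaped quotes the gsub removes
    "x_wbrs_score": "-7.5",
}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")   # stands in for the Grok IP checker
# Raw field -> UDM path(s), as listed in the 2025-05-28 and 2025-06-06 entries.
DIRECT_MAP = {
    "time": ("metadata.event_timestamp",),
    "c_ip": ("principal.ip", "principal.asset.ip"),
    "c_port": ("principal.port",),
    "cs_username": ("principal.user.userid",),
    "s_ip": ("target.ip", "target.asset.ip"),
    "s_port": ("target.port",),
    "cs_method": ("network.http.method",),
    "cs_url": ("network.http.referral_url",),
    "cs_user_agent": ("network.http.user_agent",),
    # Since 2025-06-06 the XFF address is a principal IP, not an additional.fields entry.
    "cs_x_forwarded_for": ("principal.ip", "principal.asset.ip"),
}
IP_CHECKED = {"c_ip", "s_ip"}
GSUB_FIELDS = {"x_mcafee_av_virustype", "x_webcat_resp_code_abbr", "x_wbrs_threat_type"}
ADDITIONAL = {"x_mcafee_av_virustype", "x_wbrs_score", "x_webcat_resp_code_abbr", "x_wbrs_threat_type"}

def map_to_udm(raw):
    """Return a flat dict keyed by UDM path; .ip paths hold lists (repeated UDM fields)."""
    udm = {}
    for field, value in raw.items():
        if field in GSUB_FIELDS:
            value = value.replace('\\"', "")          # the gsub from the 2025-05-28 entry
        if field in IP_CHECKED and not IPV4.match(value):
            continue                                  # Grok IP check fails: not mapped
        for path in DIRECT_MAP.get(field, ()):
            if path.endswith(".ip"):
                udm.setdefault(path, []).append(value)
            else:
                udm[path] = value
        if field in ADDITIONAL:
            udm.setdefault("additional.fields", {})[field] = value
    return udm
```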