Change log for CISCO_IRONPORT

Date Changes
2025-08-20 Enhancement:
- Added a Grok pattern to remove the port from the URL.
2025-08-06 Enhancement:
- Replaced `cs_url` with `request_method_uri` in grok patterns to map it with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.network.referral_url : Removed mapping of `cs_url` from `event.idm.read_only_udm.network.referral_url` UDM field in order to introduce a more accurate mapping for the raw log field.
- event.idm.read_only_udm.target.url : Removed mapping of `cs_url` from `event.idm.read_only_udm.target.url` UDM field in order to introduce a more accurate mapping for the raw log field.
2025-07-14 Enhancement:
- Added support for syslog in CEF format.
- Added gsub to replace `'` with `"` in the `ESAAttachmentDetails` and `ESASPFVerdict` raw log fields.
- event.idm.read_only_udm.about.file.full_path: Newly mapped `file_name` raw log field with `event.idm.read_only_udm.about.file.full_path` UDM field.
- event.idm.read_only_udm.about.file.sha256: Newly mapped `AMP.fileHash` raw log field with `event.idm.read_only_udm.about.file.sha256` UDM field.
- event.idm.read_only_udm.about.url: Newly mapped `ESAURLDetails` raw log field with `event.idm.read_only_udm.about.url` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `ESASenderGroup`, `ESAAMPVerdict`, `ESAASVerdict`, `ESAAVVerdict`, `Verdict` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.intermediary.ip: Newly mapped `column2` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field.
- event.idm.read_only_udm.intermediary.hostname: Newly mapped `column3` raw log field with `event.idm.read_only_udm.intermediary.hostname` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `column1` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.network.email.from: Newly mapped `mailfrom.sender` raw log field with `event.idm.read_only_udm.network.email.from` UDM field.
- Added null condition check for `msg1` raw log field before mapping it to `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `ESAAttachmentDetails`, `result`, `ESADCID`, `ESAICID`, `ESAMID`, `content_type`, `elapsed_time` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- Removed redundant code for additional fields mapping.
- Removed redundant code for `security_result.detection_fields` mapping.
2025-07-08 Enhancement:
- Added Grok patterns for the `msg1` raw log field to parse it into the fields listed below.
- Added a Grok pattern for the `dst_ip1` raw log field so the IP address it contains is parsed correctly.
- `event.idm.read_only_udm.additional.fields` : Newly mapped `sc_bytes`, `uritype`, `proto`, `vendorid`, `varianttype`, and `uriidvalue` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.target.url` : Newly mapped `cs_url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- `event.idm.read_only_udm.network.http.parsed_user_agent` : Newly mapped `cs_user_agent` raw log field with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.
- When `c_ip` is mapped to `event.idm.read_only_udm.principal.ip` UDM field then set `has_principal_ip` to `true`.
- When `s_ip` is mapped to `event.idm.read_only_udm.target.ip` UDM field then set `has_target_ip` to `true`.
- When `s_computerName` is mapped to `event.idm.read_only_udm.target.hostname` then set `has_target` to `true`.
2025-06-18 Enhancement:
- Added a Grok pattern to parse a new type of syslog log.
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Removed mapping of `hostname` from `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM field in order to introduce a more accurate mapping for the raw log field.
- event.idm.read_only_udm.intermediary.hostname and event.idm.read_only_udm.intermediary.asset.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname` UDM fields.
- event.idm.read_only_udm.target.port: Newly mapped `dst_port` raw log field with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped `useragent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.network.http.response_code: Newly mapped `response_code` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field.
2025-06-06 Enhancement:
- Modified the Grok pattern to parse `s_hostname` value properly from `x_hierarchy_origin` raw log field.
- event.idm.read_only_udm.additional.fields: Removed mapping of `cs_x_forwarded_for` from `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Mapped `cs_x_forwarded_for` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field.
2025-05-28 Enhancement:
- Added Grok patterns to parse a new syslog log pattern.
- event.idm.read_only_udm.target.hostname: Newly mapped `target_host` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.about.hostname: Newly mapped `about_hostname` raw log field with `event.idm.read_only_udm.about.hostname` UDM field.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped `cs_user_agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.network.http.method: Newly mapped `cs_method` raw log field with `event.idm.read_only_udm.network.http.method` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped `cs_url` raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Added Grok pattern to match IP address then mapped `c_ip` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.principal.port: Newly mapped `c_port` raw log field with `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `cs_username` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Added Grok pattern to match IP address then mapped `s_ip` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM field.
- event.idm.read_only_udm.target.port: Newly mapped `s_port` raw log field with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `time` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `session_time`, `x_webcat_code_full`, `x_result_code`, `cs_version`, `cs_x_forwarded_for`, `cs_mime_type`, `cs_referer`, `x_req_dvs_scanverdict`, `x_sophos_file_name`, `x_elapsed_time`, `s_hierarchy`, `cs_auth_group`, `cs_bytes`, `cs_uri`, `x_acltag`, `x_ids_verdict`, `x_resp_dvs_canverdict`, `x_resp_dvs_threat_name`, `x_resp_dvs_verdictname`, `user_type`, `x_suspect_user_agent`, `x_wbrs_threat_type`, `x_webcat_req_code_abbr`, `x_webroot_scanverdict`, `x_webroot_threat_name`, `x_webroot_trace_id`, `x_webroot_trr`, `x_webcat_resp_code_abbr`, `x_wbrs_score`, `x_sophos_virus_name`, `x_sophos_scanverdict`, `x_sophos_scanerror`, `x_mcafee_av_virustype`, `x_mcafee_av_virusname`, `x_mcafee_av_scanerror`, `x_req_dvs_verdictname`, `x_mcafee_av_scanverdict`, `x_mcafee_filename`, `x_mcafee_av_detecttype`, `x_icap_server`, `x_avc_behaviour`, `x_app_type`, `x_app`, `x_amp_verdict`, `x_amp_upload_indicator`, `x_amp_sha`, `x_amp_score`, `x_amp_malware_name`, `x_amp_filename`, `sc_result_code_denial` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- Added gsub to remove `\\"` from `x_mcafee_av_virustype`, `x_webcat_resp_code_abbr` and `x_wbrs_threat_type` raw log fields.
- event.idm.read_only_udm.about: Merged `about` raw log field with `event.idm.read_only_udm.about` UDM field.
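Added example, not parser code and not part of this change log: Python functions that mirror several of the normalization steps recorded above so their effect can be checked on a sample event. They cover the port-stripping Grok pattern (2025-08-20 entry), the `'` to `"` gsub on `ESAAttachmentDetails` (2025-07-14), the removal of `\"` from fields such as `x_wbrs_threat_type` (2025-05-28), the IP check before mapping `c_ip` / `s_ip` (2025-05-28) and the preference for `cs_x_forwarded_for` as `principal.ip` (2025-06-06). The sample event and its values are constructed; the `url` key is an assumed stand-in for whichever raw field the Grok pattern extracts the request URL into, and the fallback to `ast.literal_eval` is this example's addition, not something the parser does.

```python
import ast
import ipaddress
import json
import re
from typing import Optional

# Constructed sample event, not a real IronPort log line. Raw field names are the
# ones this change log uses; "url" is an assumed stand-in for the URL field.
SAMPLE_EVENT = {
    "c_ip": "10.1.2.3",
    "s_ip": "203.0.113.10",
    "cs_x_forwarded_for": "198.51.100.7, 10.1.2.3",
    "url": "https://example.com:8443/download/file.exe?id=1",
    "x_wbrs_threat_type": '\\"phishing\\"',
    "ESAAttachmentDetails": "{'file.exe': {'AMP': {'Verdict': 'MALICIOUS'}}}",
}


def valid_ip(value: Optional[str]) -> Optional[str]:
    """Equivalent of a grok %{IP} check: only a syntactically valid IPv4/IPv6
    address reaches a UDM ip field; "-" (the log's empty marker) and junk return
    None so the field is simply not mapped."""
    if not value or value.strip() == "-":
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


# optional scheme + host (bracketed IPv6 or anything up to ':' '/' '?' '#')
# + optional :port (matched, not captured) + the rest of the URL.
_URL_WITH_PORT = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*://)?"
    r"(?P<host>\[[^\]]+\]|[^/:?#]+)"
    r"(?::\d{1,5})?"
    r"(?P<rest>[/?#].*)?$",
    re.IGNORECASE,
)


def strip_url_port(url: str) -> str:
    """Drop an explicit port from a URL, or from a bare host:port such as a
    CONNECT target. Anything the pattern does not recognise (e.g. userinfo in
    the URL) is returned unchanged rather than mangled."""
    m = _URL_WITH_PORT.match(url)
    if not m:
        return url
    return f"{m.group('scheme') or ''}{m.group('host')}{m.group('rest') or ''}"


def principal_ip(event: dict) -> Optional[str]:
    """First valid address in cs_x_forwarded_for (client behind an upstream
    proxy), else c_ip. Caveat: X-Forwarded-For is client-supplied unless a
    trusted proxy set it, so it is a claim, not a verified source address."""
    for candidate in (event.get("cs_x_forwarded_for") or "").split(","):
        ip = valid_ip(candidate)
        if ip:
            return ip
    return valid_ip(event.get("c_ip"))


def strip_escaped_quotes(value: str) -> str:
    """gsub equivalent: remove literal backslash-quote sequences."""
    return value.replace('\\"', "")


def parse_attachment_details(value: str) -> dict:
    """ESAAttachmentDetails uses single quotes; swapping them for double quotes
    makes it JSON. The swap breaks if a filename contains an apostrophe, so
    fall back to ast.literal_eval, which honours the original quoting and
    evaluates no code (example's addition, not the parser's behaviour)."""
    try:
        return json.loads(value.replace("'", '"'))
    except json.JSONDecodeError:
        return ast.literal_eval(value)


def to_udm(event: dict) -> dict:
    """Apply the steps above to one event. Keys are the UDM paths named in this
    change log, relative to event.idm.read_only_udm."""
    udm: dict = {}
    p = principal_ip(event)
    if p:
        udm["principal.ip"] = udm["principal.asset.ip"] = p
        udm["has_principal_ip"] = True
    t = valid_ip(event.get("s_ip"))
    if t:
        udm["target.ip"] = udm["target.asset.ip"] = t
        udm["has_target_ip"] = True
    if event.get("url"):
        udm["target.url"] = strip_url_port(event["url"])
    extra = {}
    if event.get("x_wbrs_threat_type"):
        extra["x_wbrs_threat_type"] = strip_escaped_quotes(event["x_wbrs_threat_type"])
    if event.get("ESAAttachmentDetails"):
        extra["ESAAttachmentDetails"] = parse_attachment_details(event["ESAAttachmentDetails"])
    if extra:
        udm["additional.fields"] = extra
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Running the block prints the normalized sample: `principal.ip` comes from the first `cs_x_forwarded_for` entry rather than `c_ip`, the port is gone from `target.url`, and the quoting fixes leave `x_wbrs_threat_type` and `ESAAttachmentDetails` as clean values. The same functions can be pointed at a handful of real events to confirm the mappings behave before a parser change is deployed.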
2025-03-18 Enhancement:
- Modified Grok patterns to parse "hostname" into the "principal.hostname" field.
- Mapped "hostname" to "principal.hostname" correctly; previously "processName" was being mapped to the "principal.hostname" field.
- Mapped "processName" to "principal.process.file.full_path".
- Added a Grok check to extract the IP address correctly.
2025-02-26 Enhancement:
- Added support for syslog logs.
2025-01-31 Enhancement:
- Added support for SYSLOG logs.
2024-10-16 Enhancement:
- Mapped "res" to "security_result.action_details".
- Mapped "dkim" to "security_result.summary".
- Mapped "email" to "principal.user.email_addresses".
2024-09-19 Enhancement:
- Mapped "subject" to "additional.fields".
- Mapped "antivirus" to "security_result.detection_fields".
- Mapped "threat_level" to "security_result.detection_fields".
- Mapped "threat_category" to "security_result.detection_fields".
- Mapped "suspected_domain" to "security_result.detection_fields".
2024-06-11 Enhancement:
- Added Grok patterns to parse a new format of previously unparsed logs.
2024-02-07 Newly created parser.