Change log for COFENSE_TRIAGE
| Date | Changes | 
|---|---|
| 2024-06-18 | Enhancement: - Retrieved "productlogid" from field "cs3" and mapped it to "metadata.product_log_id". | 
| 2024-06-11 | Enhancement: - Modified "gsub" to parse KV logs. - Added conditional check for "cs4". | 
| 2024-03-04 | Enhancement: - Mapped "event_data" to "metadata.description". - Mapped "cat" to "security_result.description". - Mapped "severity" to "security_result.rule_id". - Mapped "msg", "rule_id", "start", and "rt" to "additional.fields". - If "severity" is equal to "8", "10", "11", "12", "13", or "14", then "security_result.alert_state" is set to "ALERTING"; otherwise it is set to "NOT_ALERTING". |
| 2023-04-19 | Enhancement: - Added Grok pattern to handle new logs. - Mapped "ProcessID" to "principal.process.pid". - Mapped "host" to "principal.hostname". - Mapped "descrip" to "metadata.description". - Mapped "user_id" to "principal.user.userid". - Added conditional check for "rule_id", "sec_result", "ipaddress", "security_action". |