Change log for COFENSE_TRIAGE
Date
Changes
2024-06-18
Enhancement:
- Retrieved "productlogid" from field "cs3" and mapped it to "metadata.product_log_id".
2024-06-11
Enhancement:
- Modified "gsub" to parse KV logs.
- Added conditional check for "cs4".
2024-03-04
Enhancement:
- Mapped "event_data" to "metadata.description".
- Mapped "cat" to "security_result.description".
- Mapped "severity" to "security_result.rule_id".
- Mapped "msg", "rule_id", "start", and "rt" to "additional.fields".
- If "severity" is equal to "8", "10", "11", "12", "13", or "14", then "security_result.alert_state" is set to "ALERTING"; otherwise it is set to "NOT_ALERTING".
2023-04-19
Enhancement:
- Added Grok pattern to handle new logs.
- Mapped "ProcessID" to "principal.process.pid".
- Mapped "host" to "principal.hostname".
- Mapped "descrip" to "metadata.description".
- Mapped "user_id" to "principal.user.userid".
- Added conditional check for "rule_id", "sec_result", "ipaddress", "security_action".