Change log for CS_ALERTS
| Date | Changes |
| --- | --- |
| 2025-08-26 | Changed existing mappings to introduce more accurate mappings for `target.process.command_line`, `target.file.full_path` and `target.file.sha256` for the `epp` product and `ofp` type.<br>- target.process.command_line: Removed the mapping of `cmdline` to the `target.process.command_line` UDM field when the `macros.cmdline` raw log field is not empty.<br>- security_result.detection_fields[cmdline]: Mapped the `cmdline` raw log field to the `security_result.detection_fields[cmdline]` UDM field when the `macros.cmdline` raw log field is not empty.<br>- target.process.command_line: Newly mapped the `macros.cmdline` raw log field to the `target.process.command_line` UDM field.<br>- target.file.full_path: Removed the mapping of `filepath` to the `target.file.full_path` UDM field when the `macros.ioc_description` raw log field is not empty.<br>- security_result.detection_fields[filepath]: Mapped the `filepath` raw log field to the `security_result.detection_fields[filepath]` UDM field when the `macros.ioc_description` raw log field is not empty.<br>- target.file.full_path: Newly mapped the `macros.ioc_description` raw log field to the `target.file.full_path` UDM field.<br>- target.file.sha256: Removed the mapping of `sha256` to the `target.file.sha256` UDM field when the `macros.ioc_value` raw log field is not empty and `macros.ioc_type` is equal to `hash_sha256`.<br>- security_result.detection_fields[sha256]: Mapped the `sha256` raw log field to the `security_result.detection_fields[sha256]` UDM field when the `macros.ioc_value` raw log field is not empty and `macros.ioc_type` is equal to `hash_sha256`.<br>- target.file.sha256: Newly mapped the `macros.ioc_value` raw log field to the `target.file.sha256` UDM field when `macros.ioc_type` is equal to `hash_sha256`.<br>- security_result.detection_fields[macros_display_name]: Newly mapped the `macros.display_name` raw log field to the `security_result.detection_fields[macros_display_name]` UDM field.<br>- security_result.detection_fields[macros_ioc_source]: Newly mapped the `macros.ioc_source` raw log field to the `security_result.detection_fields[macros_ioc_source]` UDM field.<br>- security_result.detection_fields[macros_md5]: Newly mapped the `macros.md5` raw log field to the `security_result.detection_fields[macros_md5]` UDM field when the `macros.md5` raw log field is not equal to `N/A`.<br>- security_result.detection_fields[macros_sha256]: Newly mapped the `macros.sha256` raw log field to the `security_result.detection_fields[macros_sha256]` UDM field.<br>- security_result.detection_fields[macros_type]: Newly mapped the `macros.type` raw log field to the `security_result.detection_fields[macros_type]` UDM field.<br>- security_result.detection_fields: Newly mapped the `macros.ioc_type` raw log field to the `security_result.detection_fields.key` UDM field and the `macros.ioc_value` raw log field to the `security_result.detection_fields.value` UDM field. |
| 2025-08-14 | Changed existing mappings to introduce more accurate mappings for `security_result.rule_id` and `security_result.rule_name` for the `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.rule_id: Removed the mapping of `technique_id` to the `security_result.rule_id` UDM field and mapped `pattern_id` instead for the `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.rule_name: Removed the mapping of `technique` to the `security_result.rule_name` UDM field and mapped `name` instead for the `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.detection_fields[pattern_id]: Removed the mapping of `pattern_id` to the `security_result.detection_fields[pattern_id]` UDM field for the `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.detection_fields[name]: Removed the mapping of `name` to the `security_result.detection_fields[name]` UDM field for the `CWPP`, `MOBILE` and `OVERWATCH` products.<br>- security_result.detection_fields[xdr_rule_id]: Removed the mapping of `xdr_rule_id` to the `security_result.detection_fields[xdr_rule_id]` UDM field for the `XDR` product. |
| 2025-08-08 | Changed existing mappings to introduce more accurate mappings for `security_result.rule_id` and `security_result.rule_name` for the `XDR`, `IDP`, `NGSIEM` and `EPP` products.<br>- security_result.rule_id: Removed the mapping of `technique_id` to the `security_result.rule_id` UDM field and mapped `xdr_rule_id` instead for the `XDR` product.<br>- security_result.rule_id: Removed the mapping of `technique_id` to the `security_result.rule_id` UDM field and mapped `correlation_rule_id` instead for the `NGSIEM` product.<br>- security_result.rule_id: Removed the mapping of `technique_id` to the `security_result.rule_id` UDM field and mapped `pattern_id` instead for the `IDP` product.<br>- security_result.rule_id: Removed the mapping of `technique_id` to the `security_result.rule_id` UDM field and mapped `rule_instance_id` instead if it is not empty, otherwise `pattern_id`, for the `EPP` product.<br>- security_result.rule_name: Removed the mapping of `technique` to the `security_result.rule_name` UDM field and mapped `name` instead for the `EPP`, `NGSIEM`, `XDR` and `IDP` products.<br>- security_result.detection_fields[pattern_id]: Removed the mapping of `pattern_id` to the `security_result.detection_fields[pattern_id]` UDM field for the `IDP` product.<br>- security_result.detection_fields[pattern_id]: Removed the mapping of `pattern_id` to the `security_result.detection_fields[pattern_id]` UDM field for the `epp` product when the `rule_instance_id` field is not present.<br>- security_result.detection_fields[name]: Removed the mapping of `name` to the `security_result.detection_fields[name]` UDM field for the `EPP`, `NGSIEM`, `XDR` and `IDP` products. |
| 2025-06-27 | - Enhanced the parser to parse the `host_type` raw field. |
| 2025-05-20 | - metadata.product_event_type: Newly mapped the `product` raw log field to the `metadata.product_event_type` UDM field. |
| 2025-05-08 | - Newly created the CS_ALERTS parser. |
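The 2025-08-26 entry changes which raw field wins the `target.*` UDM fields for `epp`/`ofp` alerts, which matters for any detection rule that keys on `target.process.command_line` or `target.file.sha256`. The following Python is an added illustration of that precedence, not the CS_ALERTS parser itself; the alert below is a constructed sample, and the function and field names outside the change log are assumptions.

```python
# Illustrative model of the 2025-08-26 CS_ALERTS precedence rules (epp product, ofp type).
# Not the real parser: it only reproduces the field-selection logic described in the change log.

def _present(value) -> bool:
    """Treat None and empty string as 'raw log field is empty'."""
    return value not in (None, "")

def map_epp_ofp(raw: dict) -> dict:
    macros = raw.get("macros") or {}
    udm = {"target": {"process": {}, "file": {}}, "security_result": {"detection_fields": {}}}
    df = udm["security_result"]["detection_fields"]
    # command line: macros.cmdline wins; the raw cmdline is demoted to detection_fields[cmdline]
    if _present(macros.get("cmdline")):
        udm["target"]["process"]["command_line"] = macros["cmdline"]
        if _present(raw.get("cmdline")):
            df["cmdline"] = raw["cmdline"]
    elif _present(raw.get("cmdline")):
        udm["target"]["process"]["command_line"] = raw["cmdline"]
    # file path: macros.ioc_description wins; the raw filepath is demoted to detection_fields[filepath]
    if _present(macros.get("ioc_description")):
        udm["target"]["file"]["full_path"] = macros["ioc_description"]
        if _present(raw.get("filepath")):
            df["filepath"] = raw["filepath"]
    elif _present(raw.get("filepath")):
        udm["target"]["file"]["full_path"] = raw["filepath"]
    # sha256: macros.ioc_value wins only when ioc_type is hash_sha256 AND ioc_value is non-empty
    if _present(macros.get("ioc_value")) and macros.get("ioc_type") == "hash_sha256":
        udm["target"]["file"]["sha256"] = macros["ioc_value"]
        if _present(raw.get("sha256")):
            df["sha256"] = raw["sha256"]
    elif _present(raw.get("sha256")):
        udm["target"]["file"]["sha256"] = raw["sha256"]
    # remaining macros.* fields are carried as prefixed detection_fields
    for key in ("display_name", "ioc_source", "sha256", "type"):
        if _present(macros.get(key)):
            df[f"macros_{key}"] = macros[key]
    if _present(macros.get("md5")) and macros["md5"] != "N/A":
        df["macros_md5"] = macros["md5"]
    if _present(macros.get("ioc_type")) and _present(macros.get("ioc_value")):
        df[macros["ioc_type"]] = macros["ioc_value"]   # key = ioc_type, value = ioc_value
    return udm

# Constructed sample alert (not a real CrowdStrike record); hashes are placeholders.
SAMPLE_ALERT = {
    "product": "epp", "type": "ofp",
    "cmdline": "notepad.exe readme.txt",
    "filepath": "\\Device\\HarddiskVolume3\\Users\\alice\\readme.txt",
    "sha256": "0" * 64,
    "macros": {"cmdline": "EXCEL.EXE /e sample.xlsm", "ioc_description": "sample.xlsm",
               "ioc_type": "hash_sha256", "ioc_value": "f" * 64, "md5": "N/A",
               "display_name": "Suspicious macro", "type": "VBA"},
}
```

Running `map_epp_ofp(SAMPLE_ALERT)` shows the original `cmdline`, `filepath` and `sha256` landing under `security_result.detection_fields` while the `macros.*` values take the `target.*` fields; without `macros.cmdline` the raw `cmdline` keeps `target.process.command_line`.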