Change log for CS_DETECTS

Date Changes
2024-11-11
- Updated mapping of the "pattern_disposition_description" field from "security_result.detection_fields" to "security_result.action_details".
- Added logic for security_result.action.
- Updated the mapping of the "display_name" raw log field from "security_result.description" to "security_result.summary".
- Updated the mapping of the "sha256" raw log field from "target.process.file.sha256" to "target.file.sha256".
- Updated the mapping of the "filepath" raw log field from "target.process.file.full_path" to "target.file.full_path".
- Mapped the "filename" raw log field to the "security_result.threat_name" UDM field.
- Mapped the "technique" raw log field to the "security_result.rule_name" UDM field.
- Mapped the "technique_id" raw log field to the "security_result.rule_id" UDM field.
2024-10-11
- Added support for CrowdStrike alert logs.
2024-09-12 Enhancement:
- Mapped "status" to "security_result.detection_fields".
- When "status" is not "cleared", then removed mapping of "security_result.threat_status".
2024-04-02 Enhancement:
- Mapped "first_behavior" to "metadata.event_timestamp".
- Mapped "created_timestamp" to "metadata.collected_timestamp".
- Mapped "url_back_to_product" to "metadata.url_back_to_product".
- Changed mapping of "device.external_ip" from "target.ip"" to "principal.nat_ip".
- Changed mapping of "device.platform_name" from "target.asset.platform_software.platform" to "principal.asset.platform_software.platform".
- Changed mapping of "device.os_version" from "target.asset.platform_software.platform_version" to "principal.asset.platform_software.platform_version".
- Changed mapping of "device.agent_version" from "target.asset.platform_software.platform_patch_level" to "principal.asset.platform_software.platform_patch_level".
- Changed mapping of "device.first_seen" from "target.asset.first_seen_time" to "principal.asset.first_seen_time".
- Changed mapping of "device.last_seen" from "target.asset.attribute.labels" to "principal.asset.attribute.labels".
- Changed mapping of "device.product_type_desc" from "target.asset.type" to "principal.asset.type".
- Changed mapping of "behavior.device_id" from "target.asset_id" to "principal.asset_id".
2024-03-20 Enhancement:
- Mapped "behavior.display_name" to "security_result.summary".
- When the index is "0", mapped "behavior.technique" to "security_result.rule_name".
- When the index is "0", mapped "behavior.technique_id" to "security_result.rule_id".
- When the index is "0", mapped "behavior.confidence" to "security_result.confidence_details".
2024-01-31 Bug-Fix:
- Added data check before mapping "behavior.ioc_value" to "target.file.sha256".
- Added data check before mapping "behavior.sha256" to "target.file.sha256".
- Added data check before mapping "behavior.md5" to "target.process.file.md5".
- Added data check before mapping "behavior.parent_details.parent_md5" to "target.process.file.md5".
- Added data check before mapping "behavior.parent_details.parent_sha256" to "target.process.parent_process.file.sha256".
2023-07-21 - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
2023-06-07 - Mapped "behaviors.tactic" to "security_result.attack_details.tactics.name".
- Mapped "behaviors.tactic_id" to "security_result.attack_details.tactics.id".
- Mapped "behaviors.technique" to "security_result.attack_details.techniques.name".
- Mapped "behaviors.technique_id" to "security_result.attack_details.techniques.id".
2023-04-26 Fix:
- Mapped "metadata.event_type" to "GENERIC_EVENT" if both "device.local_ip" and "device.hostname" are null.
- Mapped "behavior.ioc_source" to "metadata.product_event_type".
- Mapped "behavior.ioc_description" to "target.file.full_path".
- If "behavior.ioc_type" is "exe", then "target.file.file_type" is set to "FILE_TYPE_PE_EXE".
- Mapped "behavior.ioc_value" to "target.file.sha256".
- Mapped "behavior.filename" to "security_result.threat_name".
2023-02-28 Enhancement:
- Mapped "device.platform_name" to "target.asset.platform_software.platform".
- Mapped "device.os_version" to "target.asset.platform_software.platform_version".
- Mapped "device.agent_version" to "target.asset.platform_software.platform_patch_level".
- Mapped "device.first_seen" to "target.asset.first_seen_time".
- Mapped "device.last_seen" to "target.asset.attribute.labels".
- Mapped "device.product_type_desc" as follows:
  - if "device.product_type_desc" is "Mobile", then mapped "target.asset.type" as "Mobile".
  - if "device.product_type_desc" is "WORKSTATION", then mapped "target.asset.type" as "Compute" or "Workstation".
  - if "device.product_type_desc" is "IOT", then mapped "target.asset.type" as "Iot".
  - if "device.product_type_desc" is "SERVER", then mapped "target.asset.type" as "Server".
  - else mapped the field "device.product_type_desc" to "target.asset.attribute.labels".
- Mapped "max_severity_displayname" to "security_result.severity".
2023-02-17 Enhancement:
- If "detection_id" is not null and "url_back_to_product" is not null, then mapped "url_back_to_product/activity/detections/detail/detection_id_values.1/detection_id_values.2?_cid=%{cid}" to "metadata.url_back_to_product".
2023-02-07 Enhancement:
- Mapped "behavior.timestamp" to "security_result.detection_fields".
- Mapped "behavior.behavior_id" to "security_result.detection_fields".
- Mapped each behavior into a different security_result.
2023-02-01 Enhancement:
- Mapped "max_severity_displayname" to "security_result.severity".
- Mapped "security_result.action" to "BLOCK" and "security_result.threat_status" to "CLEARED" if any of ["kill_process", "kill_subprocess", "kill_parent", "operation_blocked", "process_blocked", "registry_operation_blocked", "fs_operation_blocked", "suspend_process", "suspend_parent"] is true.
- Mapped "security_result.action" to "QUARANTINE" and "security_result.threat_status" to "CLEARED" if "quarantine_file" or "quarantine_machine" is true.
2022-09-29 Enhancement:
- Mapped "metadata.product_name" to "Falcon".
- Mapped "metadata.vendor_name" to "Crowdstrike".
- Mapped "security_result.alert_state" to "ALERTING".
2022-09-21 Enhancement:
- Changed "metadata.event_type" from "PROCESS_UNCATEGORIZED" to "SCAN_UNCATEGORIZED" where the technique is "Indicator of Compromise".
- Added a sha256 format regex check for "behavior.sha256" and "behavior.parent_details.parent_sha256" prior to mapping them to UDM.
2022-08-25 Bug-Fix:
- Added an md5 format regex check for "behavior.md5" and "behavior.parent_details.parent_md5" prior to mapping them to UDM.
- Dropped logs that are malformed and contain no valid data.
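The hash-format checks (2022-08-25 and 2022-09-21 entries), the action/threat_status derivation from disposition flags (2023-02-01 entry) and the dropping of malformed logs are the parser behaviours most worth verifying before an upgrade. The following Python is an added example written for this change log; it is not the parser's own code (Google SecOps parsers are not written in Python) and it assumes the disposition booleans live under `behaviors[].pattern_disposition_details`, that block-type flags are evaluated before quarantine flags, and that a detection without a `behaviors` list counts as "no valid data". The sample detections are constructed.

```python
import json
import re

# Format checks applied before a hash is mapped (2022-08-25 / 2022-09-21 entries).
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Disposition flags that decide security_result.action (2023-02-01 entry).
BLOCK_FLAGS = (
    "kill_process", "kill_subprocess", "kill_parent", "operation_blocked",
    "process_blocked", "registry_operation_blocked", "fs_operation_blocked",
    "suspend_process", "suspend_parent",
)
QUARANTINE_FLAGS = ("quarantine_file", "quarantine_machine")


def checked_hash(value, pattern):
    """Return value only if it is a string in the expected hash format, else None."""
    if isinstance(value, str) and pattern.match(value):
        return value
    return None


def derive_action(disposition):
    """Return (action, threat_status) from the boolean disposition flags.
    Assumption: block-type flags take precedence over quarantine flags."""
    if any(disposition.get(flag) is True for flag in BLOCK_FLAGS):
        return "BLOCK", "CLEARED"
    if any(disposition.get(flag) is True for flag in QUARANTINE_FLAGS):
        return "QUARANTINE", "CLEARED"
    return None, None


def map_behavior(behavior):
    """Map one behavior into a security_result-like dict (one per behavior)."""
    disposition = behavior.get("pattern_disposition_details") or {}  # assumed location
    parent = behavior.get("parent_details") or {}
    result = {
        "summary": behavior.get("display_name"),
        "threat_name": behavior.get("filename"),
        "rule_name": behavior.get("technique"),
        "rule_id": behavior.get("technique_id"),
    }
    action, status = derive_action(disposition)
    if action:
        result["action"] = action
        result["threat_status"] = status
    # Hashes are only mapped when they pass the format check; otherwise they are omitted.
    for key, raw, pattern in (
        ("target_file_sha256", behavior.get("sha256"), SHA256_RE),
        ("target_process_file_md5", behavior.get("md5"), MD5_RE),
        ("target_process_parent_sha256", parent.get("parent_sha256"), SHA256_RE),
        ("target_process_parent_md5", parent.get("parent_md5"), MD5_RE),
    ):
        value = checked_hash(raw, pattern)
        if value:
            result[key] = value
    return result


def map_detection(raw_line):
    """Parse one raw JSON detection. Returns a UDM-like dict, or None when the log is
    malformed (not JSON, not an object, or without a non-empty behaviors list) and is dropped."""
    try:
        det = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    behaviors = det.get("behaviors") if isinstance(det, dict) else None
    if not isinstance(behaviors, list) or not behaviors:
        return None
    return {
        "product_log_id": det.get("detection_id"),
        "product_deployment_id": det.get("cid"),
        "severity": det.get("max_severity_displayname"),
        "security_result": [map_behavior(b) for b in behaviors if isinstance(b, dict)],
    }


def process(lines):
    """Map every line; return (mapped events, number of dropped lines)."""
    mapped = [map_detection(line) for line in lines]
    kept = [m for m in mapped if m is not None]
    return kept, len(mapped) - len(kept)


# Constructed sample logs (not real detections).
SAMPLE_LOGS = [
    json.dumps({
        "detection_id": "ldt:constructed-1", "cid": "constructed-cid",
        "max_severity_displayname": "High",
        "behaviors": [{
            "display_name": "Constructed behavior", "filename": "sample.exe",
            "technique": "Constructed technique", "technique_id": "T-constructed",
            "sha256": "a" * 64, "md5": "b" * 32,
            "parent_details": {"parent_sha256": "not-a-hash", "parent_md5": "c" * 32},
            "pattern_disposition_details": {"process_blocked": True, "quarantine_file": True},
        }],
    }),
    json.dumps({
        "detection_id": "ldt:constructed-2", "cid": "constructed-cid",
        "behaviors": [{"display_name": "No action taken", "sha256": "zzz", "md5": "zzz"}],
    }),
    '{"detection_id": "ldt:constructed-3"',  # truncated JSON: dropped as malformed
]

if __name__ == "__main__":
    events, dropped = process(SAMPLE_LOGS)
    print(json.dumps(events, indent=2))
    print("dropped:", dropped)
```

Running the block maps the first two sample lines and drops the third; in the first event the parent sha256 is absent because it failed the format check, while the block action wins over the quarantine flag under the stated precedence assumption.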
2022-08-16 Enhancement:
- Modified mapping of cid from metadata.product_log_id to metadata.product_deployment_id.
- Mapped detection_id to metadata.product_log_id.
- Mapped created_timestamp to metadata.event_timestamp.
2022-08-09 Newly created parser.