Change log for CS_DETECTS
| Date | Changes |
|---|---|
| 2024-11-11 | - Updated mapping of the "pattern_disposition_description" field from "security_result.detection_fields" to "security_result.action_details".<br>- Added logic for "security_result.action".<br>- Updated the mapping of the "display_name" raw log field from "security_result.description" to "security_result.summary".<br>- Updated the mapping of the "sha256" raw log field from "target.process.file.sha256" to "target.file.sha256".<br>- Updated the mapping of the "filepath" raw log field from "target.process.file.full_path" to "target.file.full_path".<br>- Mapped the "filename" raw log field to the "security_result.threat_name" UDM field.<br>- Mapped the "technique" raw log field to the "security_result.rule_name" UDM field.<br>- Mapped the "technique_id" raw log field to the "security_result.rule_id" UDM field. |
| 2024-10-11 | - Added support for the CrowdStrike alert logs. |
| 2024-09-12 | Enhancement:<br>- Mapped "status" to "security_result.detection_fields".<br>- When "status" is not "cleared", removed the mapping of "security_result.threat_status". |
| 2024-04-02 | Enhancement:<br>- Mapped "first_behavior" to "metadata.event_timestamp".<br>- Mapped "created_timestamp" to "metadata.collected_timestamp".<br>- Mapped "url_back_to_product" to "metadata.url_back_to_product".<br>- Changed mapping of "device.external_ip" from "target.ip" to "principal.nat_ip".<br>- Changed mapping of "device.platform_name" from "target.asset.platform_software.platform" to "principal.asset.platform_software.platform".<br>- Changed mapping of "device.os_version" from "target.asset.platform_software.platform_version" to "principal.asset.platform_software.platform_version".<br>- Changed mapping of "device.agent_version" from "target.asset.platform_software.platform_patch_level" to "principal.asset.platform_software.platform_patch_level".<br>- Changed mapping of "device.first_seen" from "target.asset.first_seen_time" to "principal.asset.first_seen_time".<br>- Changed mapping of "device.last_seen" from "target.asset.attribute.labels" to "principal.asset.attribute.labels".<br>- Changed mapping of "device.product_type_desc" from "target.asset.type" to "principal.asset.type".<br>- Changed mapping of "behavior.device_id" from "target.asset_id" to "principal.asset_id". |
| 2024-03-20 | Enhancement:<br>- Mapped "behavior.display_name" to "security_result.summary".<br>- When index is "0", mapped "behavior.technique" to "security_result.rule_name".<br>- When index is "0", mapped "behavior.technique_id" to "security_result.rule_id".<br>- When index is "0", mapped "behavior.confidence" to "security_result.confidence_details". |
| 2024-01-31 | Bug-Fix:<br>- Added a data check before mapping "behavior.ioc_value" to "target.file.sha256".<br>- Added a data check before mapping "behavior.sha256" to "target.file.sha256".<br>- Added a data check before mapping "behavior.md5" to "target.process.file.md5".<br>- Added a data check before mapping "behavior.parent_details.parent_md5" to "target.process.file.md5".<br>- Added a data check before mapping "behavior.parent_details.parent_sha256" to "target.process.parent_process.file.sha256". |
| 2023-07-21 | - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details". |
| 2023-06-07 | - Mapped "behaviors.tactic" to "security_result.attack_details.tactics.name".<br>- Mapped "behaviors.tactic_id" to "security_result.attack_details.tactics.id".<br>- Mapped "behaviors.technique" to "security_result.attack_details.techniques.name".<br>- Mapped "behaviors.technique_id" to "security_result.attack_details.techniques.id". |
| 2023-04-26 | Fix:<br>- Mapped "metadata.event_type" to "GENERIC_EVENT" if both "device.local_ip" and "device.hostname" are null.<br>- Mapped "behavior.ioc_source" to "metadata.product_event_type".<br>- Mapped "behavior.ioc_description" to "target.file.full_path".<br>- If "behavior.ioc_type" is "exe", then "target.file.file_type" is set to "FILE_TYPE_PE_EXE".<br>- Mapped "behavior.ioc_value" to "target.file.sha256".<br>- Mapped "behavior.filename" to "security_result.threat_name". |
| 2023-02-28 | Enhancement:<br>- Mapped "device.platform_name" to "target.asset.platform_software.platform".<br>- Mapped "device.os_version" to "target.asset.platform_software.platform_version".<br>- Mapped "device.agent_version" to "target.asset.platform_software.platform_patch_level".<br>- Mapped "device.first_seen" to "target.asset.first_seen_time".<br>- Mapped "device.last_seen" to "target.asset.attribute.labels".<br>- Mapped "device.product_type_desc" as follows:<br>- if "device.product_type_desc" is "Mobile", then mapped "target.asset.type" as "Mobile";<br>- if "device.product_type_desc" is "WORKSTATION", then mapped "target.asset.type" as "Compute" or "Workstation";<br>- if "device.product_type_desc" is "IOT", then mapped "target.asset.type" as "Iot";<br>- if "device.product_type_desc" is "SERVER", then mapped "target.asset.type" as "Server";<br>- otherwise mapped the field "device.product_type_desc" to "target.asset.attribute.labels".<br>- Mapped "max_severity_displayname" to "security_result.severity". |
| 2023-02-17 | Enhancement:<br>- If "detection_id" is not null and "url_back_to_product" is not null, then mapped "url_back_to_product/activity/detections/detail/detection_id_values.1/detection_id_values.2?_cid=%{cid}" to "metadata.url_back_to_product". |
| 2023-02-07 | Enhancement:<br>- Mapped "behavior.timestamp" to "security_result.detection_fields".<br>- Mapped "behavior.behavior_id" to "security_result.detection_fields".<br>- Mapped each behavior into a separate "security_result". |
| 2023-02-01 | Enhancement:<br>- Mapped "max_severity_displayname" to "security_result.severity".<br>- Mapped "security_result.action" to "BLOCK" and "security_result.threat_status" to "CLEARED" if any of ["kill_process", "kill_subprocess", "kill_parent", "operation_blocked", "process_blocked", "registry_operation_blocked", "fs_operation_blocked", "suspend_process", "suspend_parent"] are true.<br>- Mapped "security_result.action" to "QUARANTINE" and "security_result.threat_status" to "CLEARED" if "quarantine_file" or "quarantine_machine" is true. |
| 2022-09-29 | Enhancement:<br>- Mapped "metadata.product_name" to "Falcon".<br>- Mapped "metadata.vendor_name" to "Crowdstrike".<br>- Mapped "security_result.alert_state" to "ALERTING". |
| 2022-09-21 | Enhancement:<br>- Changed "metadata.event_type" from "PROCESS_UNCATEGORIZED" to "SCAN_UNCATEGORIZED" where the technique is "Indicator of Compromise".<br>- Added a SHA256 format regex check for "behavior.sha256" and "behavior.parent_details.parent_sha256" prior to mapping them to UDM. |
| 2022-08-25 | Bug:<br>- Added an MD5 format regex check for "behavior.md5" and "behavior.parent_details.parent_md5" prior to mapping them to UDM.<br>- Dropped logs that are malformed and have no valid data. |
| 2022-08-16 | Enhancement:<br>- Modified the mapping of "cid" from "metadata.product_log_id" to "metadata.product_deployment_id".<br>- Mapped "detection_id" to "metadata.product_log_id".<br>- Mapped "created_timestamp" to "metadata.event_timestamp". |
| 2022-08-09 | Newly created parser. |
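The hash-format checks (2022-08-25, 2022-09-21), the event-type fallback (2023-04-26, 2022-09-21), the per-behavior "security_result" with the BLOCK/QUARANTINE action rules (2023-02-07, 2023-02-01) and the asset-type mapping (2023-02-28) carried through as a small normalizer. This is an added example, not the CS_DETECTS parser's own code (Google SecOps parsers are not written in Python): the sample detection record is constructed, the nested dictionary layout only approximates UDM, the asset-type enum spellings and the "drop when detection_id is missing" criterion for malformed logs are assumptions, and when a behavior carries both block and quarantine flags the BLOCK branch wins here, an ordering the change log does not specify.

```python
import json
import re
from typing import Any, Dict, Optional

# Format gates applied before a hash is allowed into a UDM field.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Pattern-disposition flags that turn a behavior into a BLOCK or QUARANTINE action.
BLOCK_FLAGS = ("kill_process", "kill_subprocess", "kill_parent", "operation_blocked",
               "process_blocked", "registry_operation_blocked", "fs_operation_blocked",
               "suspend_process", "suspend_parent")
QUARANTINE_FLAGS = ("quarantine_file", "quarantine_machine")

# device.product_type_desc -> asset type. Enum spellings are an assumption.
ASSET_TYPES = {"MOBILE": "MOBILE", "WORKSTATION": "WORKSTATION", "IOT": "IOT", "SERVER": "SERVER"}

# Constructed sample record; the hashes and ids are placeholders, not real indicators.
SAMPLE_DETECTION: Dict[str, Any] = {
    "cid": "cid-placeholder",
    "detection_id": "ldt:placeholder:1",
    "max_severity_displayname": "High",
    "device": {"local_ip": "10.0.0.5", "hostname": "ws-01", "product_type_desc": "WORKSTATION"},
    "behaviors": [
        {"sha256": "a" * 64, "md5": "not-a-hash", "kill_process": True},
        {"sha256": "ZZ", "md5": "0" * 32, "quarantine_file": True},
    ],
}


def valid_hash(value: Any, pattern: re.Pattern) -> Optional[str]:
    """Return the hash lower-cased if it has the expected format, otherwise None."""
    if isinstance(value, str) and pattern.match(value):
        return value.lower()
    return None


def map_behavior(behavior: Dict[str, Any], severity: str) -> Dict[str, Any]:
    """Build one security_result for one behavior."""
    result: Dict[str, Any] = {"severity": severity, "alert_state": "ALERTING"}
    target: Dict[str, Any] = {}
    sha256 = valid_hash(behavior.get("sha256"), SHA256_RE)
    md5 = valid_hash(behavior.get("md5"), MD5_RE)
    if sha256:
        target["file"] = {"sha256": sha256}
    if md5:
        target["process"] = {"file": {"md5": md5}}
    if target:
        result["target"] = target
    # Only a literal true counts; a string "true" or a missing key does not.
    if any(behavior.get(flag) is True for flag in BLOCK_FLAGS):
        result["action"] = "BLOCK"
        result["threat_status"] = "CLEARED"
    elif any(behavior.get(flag) is True for flag in QUARANTINE_FLAGS):
        result["action"] = "QUARANTINE"
        result["threat_status"] = "CLEARED"
    return result


def map_detection(detection: Any) -> Optional[Dict[str, Any]]:
    """Normalize a detection; return None for a record that is dropped as malformed."""
    if not isinstance(detection, dict) or not detection.get("detection_id"):
        return None  # assumed "no valid data" criterion
    device = detection.get("device") or {}
    behaviors = detection.get("behaviors") or []
    severity = detection.get("max_severity_displayname", "")

    # No host to attribute the event to -> GENERIC_EVENT; IOC technique -> SCAN_UNCATEGORIZED.
    if device.get("local_ip") is None and device.get("hostname") is None:
        event_type = "GENERIC_EVENT"
    elif any(b.get("technique") == "Indicator of Compromise" for b in behaviors):
        event_type = "SCAN_UNCATEGORIZED"
    else:
        event_type = "PROCESS_UNCATEGORIZED"

    principal: Dict[str, Any] = {"asset": {}}
    if device.get("hostname"):
        principal["hostname"] = device["hostname"]
    product_type = device.get("product_type_desc")
    if isinstance(product_type, str):
        asset_type = ASSET_TYPES.get(product_type.upper())
        if asset_type:
            principal["asset"]["type"] = asset_type
        else:  # unknown types are preserved as a label instead of being lost
            principal["asset"]["attribute"] = {"labels": [{"key": "product_type_desc", "value": product_type}]}

    return {
        "metadata": {"event_type": event_type, "vendor_name": "Crowdstrike", "product_name": "Falcon",
                     "product_log_id": detection["detection_id"], "product_deployment_id": detection.get("cid")},
        "principal": principal,
        "security_result": [map_behavior(b, severity) for b in behaviors],
    }


if __name__ == "__main__":
    print(json.dumps(map_detection(SAMPLE_DETECTION), indent=2))
```

Run it to see the two behaviors land in separate security_result entries: the first keeps its SHA256 but drops the malformed MD5 and is marked BLOCK, the second keeps only its MD5 and is marked QUARANTINE.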