Change log for CS_STREAM
| Date | Changes |
|---|---|
| 2025-03-12 | Enhancement:
- Removed the mapping of "deviceId" from "principal.asset.asset_id". - Added the mapping of "deviceId" to "additional.fields". - Mapped "connectionDirection" to "additional.fields". |
| 2025-02-14 | Enhancement:
- Mapped "md5" to "target.process.file.md5". - Mapped "ipv4Addresses" to "principal.ip" and "principal.asset.ip". - Mapped "domainNames" to "additional.fields.value.list_value.values". - Mapped "exeWrittenFilePath" to "principal.process.file.full_path". - Mapped "sev" to "security_result.severity". - Mapped "exeWrittenFileName" and "fileName" to "target.file.names". - Mapped "patternDisposition" and "objective" to "security_result.detection_fields". |
| 2025-02-12 | Enhancement:
- If "event_data.SeverityName" is between 0 and 19 (inclusive), then "security_result.severity" is mapped to "INFORMATIONAL". - If "event_data.SeverityName" is between 20 and 39 (inclusive), then "security_result.severity" is mapped to "LOW". - If "event_data.SeverityName" is between 40 and 59 (inclusive), then "security_result.severity" is mapped to "MEDIUM". - If "event_data.SeverityName" is between 60 and 79 (inclusive), then "security_result.severity" is mapped to "HIGH". - If "event_data.SeverityName" is between 80 and 99 (inclusive), then "security_result.severity" is mapped to "CRITICAL". |
| 2025-02-10 | Bug-fix:
- Added Grok patterns to parse "event_data.IOCValue". - Mapped "NetworkAccesse.LocalAddress" to "principal.ip" and "principal.asset.ip". - Mapped "NetworkAccesse.LocalPort" to "principal.port". - Mapped "NetworkAccesse.ConnectionDirection" to "network.direction". - Mapped "NetworkAccesse.Protocol" to "network.ip_protocol". - Mapped "NetworkAccesse.RemoteAddress" to "principal.ip" and "principal.asset.ip". - Mapped "NetworkAccesse.RemotePort" to "target.port". - Mapped "NetworkAccesse.AccessType" to "additional.fields". - Mapped "NetworkAccesse.IsIPV6" to "security_result.detection_fields". - Mapped "NetworkAccesse.AccessTimestamp" to "security_result.detection_fields". |
| 2025-02-02 | Enhancement:
- Added support for LEEF logs. |
| 2025-01-28 | Enhancement:
- Added support to map "eventData.severityName" only if it is not empty. |
| 2025-01-10 | Enhancement:
- When "OperationBlocked" is "true", mapped "security_result.action" to "BLOCK". - When "OperationBlocked" is "false", mapped "security_result.action" to "ALLOW". - When "event_type" is "IdentityProtectionEvent", then mapped "event_data.IncidentDescription" to "security_result.summary". - When "event_type" is "IdentityProtectionEvent", then mapped "event_data.SeverityName" to "security_result.severity". |
| 2025-01-09 | Enhancement:
- Mapped "event_data.Technique" to "security_result.rule_name". - Mapped "event_data.CommandLine" to "target.process.command_line". - If "event_data.IOCType" is "ipv4", then mapped "event_data.IOCValue" to "target.ip" and "target.asset.ip". - If "event_data.IOCType" is "hash_sha256", then mapped "event_data.IOCValue" to "target.file.sha256". |
| 2024-12-12 | Enhancement:
- Mapped "event.SeverityName" to "security_result.severity". - Mapped "event.Description" to "security_result.summary". - Mapped "security_result.action" based on "event.PatternDispositionFlags.OperationBlocked". |
| 2024-10-29 | Enhancement:
- Added support for JSON format of logs. - Mapped "request" to "network.http.referral_url". - Mapped "networkDetectionType" to "security_result.detection_fields". |
| 2022-07-18 | Enhancement:
- Added following mapping for the LEEF format logs: - The field "version" mapped to "metadata.product_version". - The field "usrName" and "userName" to "principal.user.email_addresses" if it is an email else mapped to "principal.user.userid". - The field "severityName" mapped to "security_result.severity". - The field "cat" mapped to "security_result.category_details". - The field "incidentType" mapped to "security_result.summary". - The field "falconHostLink" mapped to "security_result.about.url". - The field "numberOfCompromisedEntities" mapped to "security_result.detection_fields[n]". - The field "identityProtectionIncidentId" mapped to "security_result.detection_fields[n]". - The field "numbersOfAlerts" mapped to "security_result.detection_fields[n]". - The field "state" mapped to "security_result.detection_fields[n]". - Added following mapping for the CEF format logs: - The field "version" mapped to "metadata.product_version". - The field "deviceCustomDate1" mapped to "metadata.event_type". - The field "msg" mapped to "metadata.description". - The field "cs1" mapped to "security_result.summary" if the value of "cs1Label" is "incidentType" else mapped to "security_result.detection_fields[n]". - The field "cs2" mapped to "security_result.detection_fields[n]". - The field "cs3" mapped to "security_result.detection_fields[n]". - The field "cs1" mapped to "security_result.about.url" if the value of "cs4Label" is "falconHostLink" else mapped to "security_result.detection_fields[n]". - The field "cn1" mapped to "security_result.detection_fields[n]". - The field "cn2" mapped to "security_result.detection_fields[n]". - The field "cn3" mapped to "security_result.detection_fields[n]". - The field "duser" to "principal.user.email_addresses" if it is an email else mapped to "principal.user.userid". |