Change log for CYBEREASON_EDR
| Date | Changes |
|---|---|
| 2025-04-24 | Enhancement:
- event.idm.read_only_udm.target.user.userid: Removed mapping of `Sensor.serverId` from `event.idm.read_only_udm.target.user.userid` UDM field for Malware logs. - event.idm.read_only_udm.principal.user.user_display_name: Removed mapping of `displayName` from `event.idm.read_only_udm.principal.user.user_display_name` UDM field for Malop logs. - event.idm.read_only_udm.additional.fields: Added mapping of `Sensor.serverId` to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Added mapping of `displayName` to `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-01-23 | Enhancement:
- Changed "metadata.event_type" from "NETWORK_CONNECTION" to "SCAN_FILE". - Changed mapping for externalIP from target.ip to principal.ip. - Mapped security_result.category to "SOFTWARE_MALICIOUS" if type is "knownMalware" and elementType is "File", else if type is "knownMalware" and elementType is not "File" then mapped it to "NETWORK_MALICIOUS". - Changed mapping for "name" from "principal.process.file.full_path" to "target.file.names". - Changed mapping for "malwareDataModel" from "principal.process.command_line" to "target.file.full_path". - Mapped type to security_result.summary. - Mapped status to security_result.action. |
| 2024-11-29 | Enhancement:
- Added support to parse logs when the LogType is "Malware" and "Malop". |
| 2024-01-25 | Enhancement:
- Mapped "cs3Label", "cs4Label", "cs5Label", "deviceCustomDate1Label", "deviceCustomDate2Label" and "deviceCustomDate3Label" to "security_result.detection_fields". - Aligned "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings. - Aligned "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings. |
| 2023-02-23 | Enhancement
- Mapped "malop_data.elementValues.affectedUsers.elementValues.0.guid" to "principal.user.userid". - Mapped "malop_data.elementValues.affectedUsers.elementValues.0.name" to "principal.user.user_display_name". - Mapped "malop_data.elementValues.affectedMachines.elementValues.0.guid" to "principal.asset.asset_id". - Mapped "malop_data.elementValues.affectedMachines.elementValues.0.name" to "principal.hostname". - Mapped "malop_data.simpleValues.malopActivityTypes.values.0", "malop_data.isMalicious" to "security_result.detection_fields". - Mapped "security_result.alert_state" to "ALERTING" if "is_alert" is "true". |
| 2023-02-06 | Enhancement
- Parsed logs ingested in CEF format. |