Change log for CYBEREASON_EDR
| Date | Changes |
|---|---|
| 2025-07-02 | Enhancement:
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `LogType` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.guid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.metadata.description: Newly mapped `status` raw log field with `event.idm.read_only_udm.metadata.description` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.guid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.fqdn` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.serviceStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.avDbVersion` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.documentProtectionMode` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.antiMalwareStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.documentProtectionStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.amStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.outdated` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.collectionStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.collectiveUuid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.privateServerIp` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.target.nat_ip: Newly mapped `Sensor.privateServerIp` raw log field with `event.idm.read_only_udm.target.nat_ip` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.status` raw log field with `event.idm.read_only_udm.additional.fields` UDM field - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.siteId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.isolated` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.exitReason` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.lastUpgradeResult` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.quickScanStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.policyName` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.groupId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.groupName` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.groupStickinessLabel` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.fullScanStatus` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `Sensor.siteName` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `machine.pylumId` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `needsAttention` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `id.malwareType` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `referenceGuid` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `referenceElementType` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `schedulerScan` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `malwareDataModel` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `iconBase64` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field. - event.idm.read_only_udm.security_result.severity_details: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity_details` UDM field. |
| 2025-04-24 | Enhancement:
- event.idm.read_only_udm.target.user.userid: Removed mapping of `Sensor.serverId` from `event.idm.read_only_udm.target.user.userid` UDM field for Malware logs. - event.idm.read_only_udm.principal.user.user_display_name: Removed mapping of `displayName` from `event.idm.read_only_udm.principal.user.user_display_name` UDM field for Malop logs. - event.idm.read_only_udm.additional.fields: Added mapping of `Sensor.serverId` to `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Added mapping of `displayName` to `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-01-23 | Enhancement:
- Changed "metadata.event_type" from "NETWORK_CONNECTION" to "SCAN_FILE". - Changed mapping for externalIP from target.ip to principal.ip. - Mapped security_result.category to "SOFTWARE_MALICIOUS" if type is "knownMalware" and elementType is "File", else if type is "knownMalware" and elementType is not "File" then mapped it to "NETWORK_MALICIOUS". - Changed mapping for "name" from "principal.process.file.full_path" to "target.file.names". - Changed mapping for "malwareDataModel" from "principal.process.command_line" to "target.file.full_path". - Mapped type to security_result.summary. - Mapped status to security_result.action. |
| 2024-11-29 | Enhancement:
- Added support to parse logs when the LogType is "Malware" and "Malop". |
| 2024-01-25 | Enhancement:
- Mapped "cs3Label", "cs4Label", "cs5Label", "deviceCustomDate1Label", "deviceCustomDate2Label" and "deviceCustomDate3Label" to "security_result.detection_fields". - Aligned "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings. - Aligned "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings. |
| 2023-02-23 | Enhancement
- Mapped "malop_data.elementValues.affectedUsers.elementValues.0.guid" to "principal.user.userid". - Mapped "malop_data.elementValues.affectedUsers.elementValues.0.name" to "principal.user.user_display_name". - Mapped "malop_data.elementValues.affectedMachines.elementValues.0.guid" to "principal.asset.asset_id". - Mapped "malop_data.elementValues.affectedMachines.elementValues.0.name" to "principal.hostname". - Mapped "malop_data.simpleValues.malopActivityTypes.values.0", "malop_data.isMalicious" to "security_result.detection_fields". - Mapped "security_result.alert_state" to "ALERTING" if "is_alert" is "true". |
| 2023-02-06 | Enhancement
- Parsed logs ingested in CEF format. |