Change log for DARKTRACE

Date	Changes
2025-05-20	Enhancement: - Added grok pattern for new log format. - Updated grok pattern for `dvc` raw field to parse IP correctly. - `event.idm.read_only_udm.security_result.rule_id`: Newly Mapped `issue_code` raw field with `event.idm.read_only_udm.security_result.rule_id` UDM field. - `event.idm.read_only_udm.security_result.detection_fields` : Newly Mapped `tags` raw field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - `event.idm.read_only_udm.security_result.severity`: Newly Mapped `severity` raw field with `event.idm.read_only_udm.security_result.severity` UDM field. - 'event.idm.read_only_udm.security_result.attack_details.techniques': Newly Mapped `mitrld` raw field with `event.idm.read_only_udm.security_result.attack_details.techniques` UDM field. - `event.idm.read_only_udm.principal.mac`: Newly Mapped `DevicemacAddress` raw field with `event.idm.read_only_udm.principal.mac` UDM field. - `event.idm.read_only_udm.additional.fields`: Removed mapping of `externalId` raw field from `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.security_result.threat_id`: Newly Mapped `externalId` raw field with `event.idm.read_only_udm.security_result.threat_id` UDM field.
2025-05-19	Enhancement: - event.idm.read_only_udm.intermediary.ip: Newly mapped `host_ip` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field. - Replaced "event.idm.read_only_udm.intermediary" with "intermediary".
2025-05-19	Enhancement: - event.idm.read_only_udm.intermediary.ip: Newly mapped `host_ip` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field. - Replaced "event.idm.read_only_udm.intermediary" with "intermediary".
2025-05-09	Enhancement: - Added a gsub to replace "\r\n" with " " in "message" field. - event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Removed mapping of `dvc` from `event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip` UDM field and mapped `dvc_ip` instead. - Added a `on_error` check before mapping `dvc_ip` to `principal_ip` raw log field. - Added a Grok pattern to extract `device_ip2_` from `device_ip2` raw log field. - event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Removed mapping of `ip.ip` from `event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip` UDM field and mapped `device_ip2_` instead. - Added a `on_error` check before mapping `device_ip2_` to `principal_ip` raw log field. - event.idm.read_only_udm.security_result.attack_details.techniques: Newly mapped `technique_data` raw log field with `event.idm.read_only_udm.security_result.attack_details.techniques` UDM field. - event.idm.read_only_udm.security_result.attack_details.tactics: Newly mapped `tactics_data` raw log field with `event.idm.read_only_udm.security_result.attack_details.tactics` UDM field.
2025-04-28	Enhancement: - Added the Grok patterns to parse the new pattern of logs with SYSLOG format. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `event_time` and `timestamp` fields with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - Set `event.idm.read_only_udm.security_result.severity` UDM field to `INFORMATIONAL` if the value of `severity` field is 0, 1 or 2. - Set `event.idm.read_only_udm.security_result.severity` UDM field to `LOW` if the value of `severity` field is 3 or 4. - Set `event.idm.read_only_udm.security_result.severity` UDM field to `MEDIUM` if the value of `severity` field is 5 or 6. - Set `event.idm.read_only_udm.security_result.severity` UDM field to `HIGH` if the value of `severity` field is 7 or 8 and set `event.idm.is_alert` and `event.idm.is_significant` UDM fields to `true`. - Set `event.idm.read_only_udm.security_result.severity` UDM field to `CRITICAL` if the value of `severity` field is 9 or 10 and set `event.idm.is_alert` and `event.idm.is_significant` UDM fields to `true`.
2025-04-22	Enhancement: - event.idm.read_only_udm.security_result.severity: Newly mapped severity raw log field with event.idm.read_only_udm.security_result.severity UDM field.
2025-04-08	Enhancement: - `event.idm.read_only_udm.principal.user.userid`: Removed mapping of `model_uuid` raw field from `event.idm.read_only_udm.principal.user.userid` UDM field. - `event.idm.read_only_udm.metadata.product_log_id`: Mapped `model_uuid` raw field to `event.idm.read_only_udm.metadata.product_log_id` UDM field. - `event.idm.read_only_udm.metadata.product_version`: Newly Mapped `version` raw field to `event.idm.read_only_udm.metadata.product_version` UDM field. - `event.idm.read_only_udm.metadata.vendor_name`: Newly Mapped `vendor` raw field to `event.idm.read_only_udm.metadata.vendor_name` UDM field. - `event.idm.read_only_udm.metadata.product_name`: Newly Mapped `product` raw field to `event.idm.read_only_udm.metadata.product_name` UDM field. - `event.idm.read_only_udm.metadata.product_log_id`: Newly Mapped `deviceExternalId` raw field to `event.idm.read_only_udm.metadata.product_log_id` UDM field. - `event.idm.read_only_udm.principal.labels` : Newly Mapped `cs3` raw field to `event.idm.read_only_udm.principal.labels` UDM field. - Added a Grok pattern to support new `syslog` format.
2025-03-12	Enhancement: - When "model.created.userid" is present, then mapped "model.created.userid" to "principal.user.userid" and "model.uuid" to "principal.user.product_object_id". - Mapped "model.edited.userid" to "additional.fields" with key as "model.edited.by".
2025-01-16	Enhancement: - Added support to parse unparsed logs.
2024-11-21	Enhancement: - Corrected spelling of "email_direciton_error" to "email_direction_error".
2024-11-21	Enhancement: - Corrected spelling of "email_direciton_error" to "email_direction_error".
2024-10-30	Enhancement: - Added a Grok pattern to parse the SYSLOG+JSON logs.
2024-10-25	Enhancement: - Mapped "direction" to "network.direction" for "INBOUND," "OUTBOUND," or "BROADCAST." Otherwise, mapped it to "additional.fields".
2024-10-24	Enhancement: - Added a new Grok pattern to parse new JSON logs.
2024-10-08	Enhancement: - changed the "event_type" from "USER_UNCATEGORIZED" to "EMAIL_UNCATEGORIZED" when "from" field is present. - "from" mapped to "newtwork.email.from" & "principal.user.email_addresses". - "recipients" mapped to "newtwork.email.to" & "target.user.email_addresses". - changed "subject" mapping from "metadata.description" to "newtwork.email.subject". - changed "message_id" mapping from "additional.fields" to "newtwork.email.mail_id". - changed "uuid" mapping from "principal.user.userid" to "metadata.product_log_id".
2024-10-07	Enhancement: - Mapped "filterType" under "triggeredFilters" to "additional.fields". - When "trigger.value" is having non IP value, then mapped "trigger.value" under "triggeredFilters" to "additional.fields".
2024-09-25	Enhancement: - Mapped "description" to "metadata.description". - Mapped "score" field to "security_result.priority_details".
2024-09-19	Enhancement: - Mapped all fields under "triggeredFilters" to "additional.fields".
2024-09-09	Enhancement: - Mapped "uuid" to "principal.user.userid". - Mapped "from" to "principal.user.email_addresses". - Mapped "subject" to "metadata.description". - Mapped "anomaly_score", "tags", "link_hosts", and "message_id" to "additional.fields". - Mapped "recipients" to "observer.user.email_addresses". - Mapped "attachment_sha1s" and "attachment_sha256s" to "security_result.detection_fields".
2024-08-29	Enhancement: - Mapped "hostname" field to "principal.hostname" and "principal.asset.hostname". - Mapped "label" field to "security_result.attribute.label". - Mapped "ip_address" field to "principal.ip" and "principal.asset.ip". - Mapped "priority" field to "security_result.priority_details". - Mapped "priority_level" field to "security_result.priority". - Mapped "alert_name" field to "security_result.rule_name". - Mapped "message" field to "security_result.description". - Mapped "url" field to "security_result.url_back_to_product".
2024-08-06	Enhancement: - When "filterType" is "Destination IP", then mapped "triggeredFilter.trigger.value" to "target.ip". - When principal and target machine data is absent but user data is available then mapped "metadata.event_type" to "USER_UNCATEGORIZED".
2024-04-05	Bug-Fix: - Changed mapping for "model.name" and "model.now.name" from "principal.user.user_display_name" to "metadata.product_event_type". - When principal machine data and target machine data are present, then changed mapping for "metadata.event_type" from "GENERIC_EVENT" or "USER_UNCATEGORIZED" to "NETWORK_CONNECTION", else mapping it to "USER_RESOURCE_ACCESS".
2023-12-20	Bug-Fix: Fixed the flaky results for the mapping "sec_result.about.resource.attribute.labels" where "key" is "details".
2023-11-20	Enhancement, Bug-Fix: - Parsed subfields in the "message" field of the raw log. - Mapped "uuid" to "principal.user.userid" and set "metadata.event_type" to "USER_UNCATEGORIZED" when "uuid" is present. - Mapped "direction" to "network.direction". - Mapped "from" to "network.email.from". - Mapped "subject" to "network.email.subject". - Mapped "attachment_sha1s", "attachment_sha256s", "recipients", "link_hosts", "tags", "actions", "anomaly_score", "message_id" to "security_result.detection_fields". - Mapped "url" to "security_result.url_back_to_product". - Mapped "severity" to "security_result.severity". - Mapped "hostname" to "principal.hostname". - Added "on_error" to a JSON block to parse unparsed set of JSON logs. - Mapped "model.pid" to "principal.process.pid". - Mapped "model.uuid" to "principal.user.userid". - Mapped "model.name" to "principal.user.user_display_name". - Mapped "breachUrl" to "security_result.url_back_to_product". - Mapped "device.typelabel", "device.sid", "device.typename" to "principal.resource.attribute.labels". - Mapped "device.ip" to "principal.ip". - Mapped "device.ips.0.subnet" to "additional_fields". - Mapped "device.did" to "principal.asset.asset_id". - Mapped "device.customFields.DT-AUTO.macaddress" to "principal.mac". - Mapped "device.firstSeen" to "principal.asset.first_seen_time". - Mapped "device.device.lastSeen" to "principal.asset.last_seen_time". - Mapped "mitreTechniques" to "security_result.attack_details.techniques".
2023-09-26	Enhancement: - Adjusted the parser to support nested JSON. - Fixed the parser to handle special characters in the log. - Mapped the fields of new log type.
2023-08-29	Enhancement: - Mapped "details" to "sec_result.about.resource.attribute.labels". - Mapped "principal_port_no" to "principal.port". - Mapped "ip_protocol" to "network.ip_protocol". - Mapped "location" to "principal.location.country_or_region". - Mapped "target_host" to "target.hostname". - Mapped "target_ip" to "target.ip". - Mapped "source_ip" to "principal.ip". - Mapped "source_port" to "principal.port". - Mapped "dest_ip" to "target.ip". - Mapped "dest_port" to "target.port". - Mapped "@host" to "principal.hostname". - Mapped "uid" to "principal.user.userid". - Mapped "note" to "principal.application". - Mapped "@type" to "sec_result.about.resource.attribute.labels". - Mapped "opcode" to "sec_result.about.resource.attribute.labels". - Mapped "trans_id" to "sec_result.about.resource.attribute.labels". - Mapped "query_class" to "sec_result.about.resource.attribute.labels".
2023-07-14	Enhancement: - Mapped "dvchost" to "principal.hostname". - Mapped "deviceMacAddress" to "principal.mac". - Modified mapping of "dvc" to map to "principal.ip" only if it's a valid IP address.
2023-03-24	Enhancement: - Mapped 'model.now.category' to 'security_result.severity'. - Mapped 'model.now.message' to 'security_result.description'. - Mapped 'model.now.description' to 'metadata.description'. - Mapped 'model.now.uuid' to 'principal.user.userid'. - Mapped 'model.now.pid' to 'principal.process.pid'. - Mapped 'model.now.name' to 'principal.user.user_display_name'. - Mapped 'score' to 'security_result.priority'. - Mapped 'triggeredComponents.port' to 'intermediary.port'. - Mapped 'triggeredComponents.ip' to 'intermediary.ip'. - Mapped 'device.ip' to 'principal.ip'. - Mapped 'device.macaddress' to 'principal.mac'. - Mapped 'device.hostname' to 'principal.hostname'. - Mapped 'model.then.logic.data.cid', 'model.now.logic.data.cid', 'model.now.tags' to 'additional.fields'. - Mapped 'Mapped 'model.then.description', 'model.then.uuid', 'model.then.name', 'model.then.pid' to 'principal.resource.attribute.labels'. - Modified 'metadata.event_type' from 'GENERIC_EVENT' to 'STATUS_UPDATE' wherver 'principal.ip' or 'principal.hostname' is present.
2022-10-31	Enhancement: - Mapped the field 'time' to 'metadata.event_timestamp'. - Mapped the field 'model.description' to 'metadata.description'. - Mapped the field 'model.name' to 'principal.user.user_display_name'. - Mapped the field 'model.pid' to 'principal.process.pid'. - Mapped the field 'device.did' to 'principal.asset.asset_id'. - Mapped the field 'device.objecttype' to 'principal.asset.type'. - Mapped the field 'device.ips' to 'principal.ip'. - Mapped the field 'device.firstSeen' to 'principal.asset.first_seen_time'. - Mapped the field 'device.lastSeen' to 'principal.asset.last_discover_time'. - Mapped the fields 'device.sid', 'device.typename' and 'device.typelabel' to 'principal.resource.attribute.labels'. - Mapped the field 'model.tags' and 'model.logic.data' to 'additional.fields'. - Mapped the field 'breachUrl' to 'security_result.url_back_to_product'. - Mapped the field 'mitreTechniques' to 'security_result.detection_fields'. - Added conditional checks for 'details.0.0.contents.2.values.0' mapped to 'principal.port'. - Dropped the logs having incorrect json format.
2022-10-13	Added grok to parse new json type logs. Mapped 'category' to 'security_result.severity'. Mapped 'title' to 'security_result.summary'. Mapped 'details.0.0.contents.1.values.0.hostname' to 'principal.hostname'. Mapped 'details.0.0.contents.1.values.0.ip' to 'principal.ip'. Mapped 'details.0.0.contents.2.values.0' to 'principal.port'. Mapped 'details.0.0.contents.4.values.0' to 'principal.location.country_or_region'. Mapped 'details.0.1.contents.0.values.0.hostname' to 'target.hostname'. Mapped 'details.0.1.contents.0.values.0.ip' to 'target.ip'. Mapped 'incidentEventUrl' to 'principal.url'. Mapped 'summary' to 'metadata.description'. Mapped 'model.uuid' to 'principal.user.userid'. Mapped 'relatedBreaches.0.modelName' to 'security_result.description'.
2022-04-22	Added support for issue code being non-numeric in CEF message