Change log for ELASTIC_AUDITBEAT
Date | Changes |
---|---|
2024-12-10 | Enhancement:<br>- Added support for a new pattern of the syslog format. |
2024-07-31 | Enhancement:<br>- Mapped "file.owner", "file.uid", "file.drive_letter", "file.type", "file.inode", "file.ctime", and "file.mtime" to "target.resource.attribute.labels".<br>- Mapped "event.dataset" and "event.type" to "additional.fields". |
2024-06-26 | Enhancement:<br>- Added "gsub" to replace "\\r\\n" and "\\n" with "" in the message. |
2024-06-13 | Enhancement:<br>- If the value of "message_not_json" is "true", added Grok patterns to support SYSLOG + JSON.<br>- If the value of "host_os_platform" matches "debian" or "linux", then "principal.platform" is set to "LINUX".<br>- If the value of "host_os_platform" matches "mac" or "ios", then "principal.platform" is set to "MAC".<br>- If the value of "host_os_platform" matches "windows", then "principal.platform" is set to "WINDOWS".<br>- If the value of "audit_data_sycall" is null, then "type" is mapped to "metadata.product_event_type".<br>- Mapped "tag" to "security_result.category_details".<br>- Mapped "agent_ephemeral_id" and "ts" to "additional.fields".<br>- Mapped "os_name", "os_build", and "env" to "principal.resource.attribute.labels". |
2023-09-04 | Enhancement:<br>- Mapped the 'auditd.data.syscal' field to 'metadata.product_event_type'. |
2023-03-03 | Enhancement:<br>- Replaced "-" with ":" in "host.mac" prior to mapping to UDM, so the MAC address is in the correct format.<br>- Mapped "cloud.region" to "principal.cloud.availability_zone".<br>- Mapped "VIRTUAL_MACHINE" to "principal.resource.resource_type" where "cloud.service.name" contains "Virtual Machine".<br>- Mapped "cloud.machine.type" to "principal.resource.resource_subtype".<br>- Mapped "cloud.instance.id" to "principal.resource.id". |
2022-07-08 | Enhancement:<br>- Added on_error for the @timestamp field in the date filter.<br>- Changed event_type from GENERIC_EVENT to USER_UNCATEGORIZED where target.user is not null.<br>- Changed event_type from GENERIC_EVENT to PROCESS_UNCATEGORIZED where target.process is not null.<br>- Changed event_type from GENERIC_EVENT to STATUS_UPDATE where principal.ip is not null or principal.hostname is not null.<br>- Set auth.type to AUTHTYPE_UNSPECIFIED where event_type is USER_LOGIN or USER_LOGOUT.<br>- Mapped httpRequest.serverIp to principal.ip.<br>- Mapped httpRequest.remoteIp to target.ip.<br>- Mapped httpRequest.requestSize to network.sent_bytes.<br>- Mapped httpRequest.responseSize to network.received_bytes.<br>- Mapped httpRequest.requestUrl to network.http.referral_url.<br>- Mapped httpRequest.requestMethod to network.http.method.<br>- Mapped httpRequest.status to network.http.response_code.<br>- Mapped resource.labels.backend_service_name to target.resource.name.<br>- Mapped resource.labels.project_id to target.resource.product_object_id.<br>- Mapped resource.labels.target_proxy_name to target.resource.attribute.labels.<br>- Mapped resource.labels.url_map_name to target.resource.attribute.labels.<br>- Mapped trace to target.process.file.full_path. |
2022-05-31 | Enhancement:<br>- Mapped "jsonPayload.process.parent.process.pid" to "principal.process.pid".<br>- Mapped "jsonPayload.process.parent.process.exe" to "principal.process.file.full_path".<br>- Mapped "jsonPayload.destination.ip" to "target.ip".<br>- Mapped "jsonPayload.destination.port" to "target.port".<br>- Mapped "jsonPayload.network.direction" to "network.direction".<br>- Added an on_error statement to avoid failures if the key is not present in the log.<br>- Applied a condition that checks for the presence of the mandatory fields listed below before mapping the relevant event_type. If these fields are not present, event_type is set to GENERIC_EVENT.<br>- "jsonPayload.host.hostname" is mandatory for event_type "NETWORK_CONNECTION".<br>- "jsonPayload.host.id" is mandatory for event_type "PROCESS_OPEN". |
2022-05-23 | Enhancement:<br>- Mapped the required attribute values to process.command_line. |
2022-05-07 | Enhancement:<br>- Added support for parsing "jsonPayload". |