Change log for ESET_AV
| Date | Changes |
|---|---|
| 2025-04-10 | Enhancement:<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `threatHandled` and `needRestart` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped the `actionTaken` raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- `event.idm.read_only_udm.security_result.threat_name`: Newly mapped the `threatName` raw log field to the `event.idm.read_only_udm.security_result.threat_name` UDM field.<br>- `event.idm.read_only_udm.security_result.summary`: Newly mapped the `threatType` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field.<br>- If the `threatHandled` value is `1`, map `event.idm.read_only_udm.security_result.action` to `BLOCK`; if the `threatHandled` value is `0`, map `event.idm.read_only_udm.security_result.action` to `ALLOW`.<br>- If `severity` is `7` or `8`, map `event.idm.read_only_udm.security_result.severity` to `HIGH`; if `severity` is `6`, map it to `MEDIUM`; if `severity` is `3` or `1`, map it to `LOW`; if `severity` is `10`, map it to `CRITICAL`. |
| 2025-03-04 | Enhancement:<br>- Added a new Grok pattern to parse a new type of log.<br>- Mapped `time` to `metadata.event_timestamp`.<br>- Mapped `target` to `target.resource.attribute.labels`. |
| 2024-06-25 | Enhancement:<br>- Mapped `object_uri` to `target.url`.<br>- Mapped `severity` to `security_result.severity_details`.<br>- Mapped `threat_flags` to `security_result.detection_fields`.<br>- Mapped `category` to `security_result.category_details`.<br>- Mapped `object_type` and `engine_version` to `principal.resource.attribute.labels`.<br>- If the value of the `detail` field is null, mapped `circumstances` to `security_result.description`.<br>- If the value of `action_taken` matches `Block`, mapped `security_result.action` to `BLOCK`.<br>- If the value of `action_taken` matches `Start` or `Allow`, mapped `security_result.action` to `ALLOW`.<br>- If the value of `not_json` is true, added a Grok pattern over `json_data` to extract `category`, `hostname`, and `group_name`. |
| 2024-05-31 | Enhancement:<br>- Mapped `action_taken` to `security_result.action_details`.<br>- Mapped `threat_type` to `security_result.threat_id`.<br>- Mapped `scan_id`, `scanner_id`, and `threat_handled` to `security_result.detection_fields`.<br>- Mapped `need_restart` to `additional.fields`. |
| 2024-05-21 | Enhancement:<br>- Converted the value of the `hash` field to lowercase, then mapped `hash` to `principal.file.sha1`. |
| 2024-03-14 | Enhancement:<br>- Mapped `username` to `principal.user.userid`.<br>- Mapped `group_name` to `principal.group_display_name`.<br>- Mapped `hash` to `principal.resource.attribute.labels`.<br>- Mapped `eiconsolelink` to `principal.url`.<br>- Mapped `os_name` to `principal.platform_version`.<br>- Mapped `processname` to `principal.process.file.full_path`.<br>- Mapped `rulename` to `security_result.rule_name`.<br>- Mapped `result` to `security_result.summary`.<br>- Mapped `eialarmid` to `security_result.detection_fields`.<br>- Mapped `severity_score` to `security_result.detection_fields`.<br>- Mapped `computer_severity_score` to `security_result.detection_fields`. |
| 2023-01-10 | Newly created parser. |