Change log for EXTRAHOP
Date | Changes |
---|---|
2025-01-15 | Enhancement:<br>- Mapped "dst" to "target.asset.ip" and "target.ip". |
2025-01-09 | Enhancement:<br>- Mapped "url" to "principal.url".<br>- Mapped "type" to "metadata.product_event_type".<br>- Mapped "title", "id", "description_format", "victims.name", "victims.external", "offenders.name", "offenders.external", "victim_primary.name", "victim_primary.external", "offender_primary.name", and "offender_primary.external" to "additional.fields".<br>- Mapped "dst.type" to "target.resource_type".<br>- Mapped "dst.hostname" to "target.hostname" and "target.asset.hostname".<br>- Mapped "dst.ipaddr" to "target.ip" and "target.asset.ip".<br>- Mapped "dst.role" to "target_resource.attribute.roles".<br>- Mapped "dst.device.macaddr" to "target.mac".<br>- Mapped "src.type" to "principal.resource_type".<br>- Mapped "src.hostname" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "src.ipaddr" to "principal.ip" and "principal.asset.ip".<br>- Mapped "src.role" to "principal_resource.attribute.roles".<br>- Mapped "src.device.macaddr" to "principal.mac".<br>- Mapped "api.ip", "api.status", "api.id", "api.start_time", "api.mod_time", "api.categories", "api.update_time", and "api.ticket_id" to "security_result.detection_fields".<br>- Mapped "victims.ipaddr" to "principal.ip" and "principal.asset.ip".<br>- Mapped "offenders.ipaddr" to "target.ip" and "target.asset.ip".<br>- Mapped "victim_primary.ipaddr" to "principal.ip" and "principal.asset.ip".<br>- Mapped "offender_primary.ipaddr" to "target.ip" and "target.asset.ip".<br>- Mapped "api.participants.role", "api.participants.object_id", "api.participants.object_type", and "api.participants.external" to "section_details.fields".<br>- Mapped "risk_score" and "api.risk_score" to "security_result.risk_score".<br>- Mapped "src.endpoint" and "src.device.oid" to "principal.resource.attribute.labels".<br>- Mapped "dst.endpoint" and "dst.device.oid" to "target.resource.attribute.labels".<br>- Mapped "dst.device.ipaddr" to "target.ip" and "target.asset.ip".<br>- Mapped "src.device.ipaddr" to "principal.ip" and "principal.asset.ip".<br>- Mapped "categories_array" and "categories_id" to "additional.fields". |
2024-12-13 | Enhancement:<br>- Mapped "src" to "principal.asset.ip".<br>- Mapped "dst" to "target.asset.ip" and "target.ip".<br>- Mapped "device_version" to "metadata.product_version".<br>- Mapped "signature" to "security_result.summary" and "section_details.rule_name". |
2024-11-26 | Enhancement:<br>- If "events.vulnerability.severity" equals "medium", then mapped "MEDIUM" to "security_result.severity".<br>- Mapped "events.vulnerability.description" to "metadata.description". |
2024-10-28 | Enhancement:<br>- Added support to handle SYSLOG+JSON logs. |
2023-10-27 | Enhancement:<br>- Added a JSON block to parse unparsed JSON logs.<br>- Reduced the percentage of events with "metadata.event_type" set to "GENERIC_EVENT" to 0. |
2022-12-15 | Enhancement:<br>- Mapped the field 'macaddr' to 'principal.mac'.<br>- Mapped the field 'ipaddr' to 'principal.ip'.<br>- Mapped the field 'object_name' to 'target.resource.name'.<br>- Mapped the field 'object_type' to 'target.resource.resource_type'.<br>- Mapped the field 'object_id' to 'target.resource.product_object_id'.<br>- Mapped the field 'event_id' to 'metadata.product_event_type'.<br>- Mapped the field 'operation' to 'metadata.product_event_type'.<br>- Mapped the field 'user' to 'principal.user.userid'.<br>- Mapped the field 'facility' to 'principal.resource.resource_subtype'.<br>- Mapped the field 'src_ip' to 'principal.ip'.<br>- Mapped the field 'summary' to 'security_result.summary'.<br>- Mapped the field 'name' to 'metadata.description'.<br>- Mapped the field 'severity' to 'security_result.severity_details'.<br>- Mapped the field 'priority' to 'security_result.severity' and 'security_result.severity_details'.<br>- Mapped the field 'alert_name' to 'security_result.summary'. |
2022-06-30 | Enhancement:<br>- Mapped "detectionID" to "security_result.rule_labels".<br>- When "product_event_type" equals "Unsafe LDAP Authentication", mapped "event_type" to "STATUS_UPDATE".<br>- Mapped "prin_url" to "principal.url".<br>- Mapped "desc" to "metadata.description". |
2022-05-18 | Enhancement - The newly ingested logs have been parsed and mapped to the following fields:<br>- 'RDP Record.clientName' mapping changed to 'principal.hostname' from 'principal.user.userid'.<br>- 'RDP Record.cookie' mapped to 'principal.user.userid'.<br>- 'eh_event' mapping changed to 'network.application_protocol' from 'metadata.product_event_type'. |
2022-05-10 | Enhancement - The newly ingested logs have been parsed and mapped to the following fields:<br>- 'server_ip' mapped to 'target.ip'.<br>- 'RDP Record.proto' mapped to 'network.ip_protocol'.<br>- 'RDP Record.clientPort' mapped to 'principal.port'.<br>- 'RDP Record.clientName' mapped to 'principal.user.userid'.<br>- 'RDP Record.clientBytes' mapped to 'network.sent_bytes'.<br>- 'RDP Record.serverBytes' mapped to 'network.received_bytes'.<br>- 'RDP Record.clientBuild' mapped to 'metadata.product_version'.<br>- 'RDP Record.selectedProtocol' mapped to 'security_result.description'.<br>- 'eh_event' mapped to 'metadata.product_event_type'. |