Change log for F5_AFM
Date | Changes |
---|---|
2025-06-10 | Enhancement:<br>- Removed "tmsh", "tmm1", and "mcpd" from the drop condition so that valid logs are parsed.<br>- Renamed "dest_ip" to "target_ip".<br>- Removed the "target" rename block, as it is not required.<br>- Modified Grok patterns to parse valid fields.<br>- Added a Grok pattern to parse previously unparsed logs.<br>- Added a Grok pattern in "bigip_ip" to parse valid data.<br>- Mapped the `msg_data` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field.<br>- Mapped the `pid` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field.<br>- Mapped the `user` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- Mapped the `folder_path` raw log field to the `event.idm.read_only_udm.principal.file.full_path` UDM field.<br>- Mapped the `status` and `cmd_data` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Mapped the `target_ip` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields. |
2025-03-21 | Enhancement:<br>- Added Grok patterns to support new log formats.<br>- Removed "icrd_child" and "logger" from the conditional check of the drop tag.<br>- Mapped "desc" to "metadata.description".<br>- Mapped "prin_port" to "principal.port".<br>- Mapped "target_port" to "target.port".<br>- Added conditional mapping of "protocol" to "network.ip_protocol" when the value is "TCP".<br>- Mapped "ts2" to "metadata.event_timestamp".<br>- Mapped "tls_ver" to "network.tls.version".<br>- Mapped "cipher" to "network.tls.cipher".<br>- Mapped "prod_event_type" to "metadata.product_event_type".<br>- Mapped "path" to "target.url".<br>- Mapped "response_size" to "network.sent_bytes".<br>- Mapped "received_size" to "network.received_bytes".<br>- Mapped "usr" to "principal.user.userid".<br>- Mapped "schema_version" to "target.resource.attribute.labels".<br>- Mapped "severity_info" to "security_result.severity_details".<br>- Mapped "target_pid" to "target.process.pid".<br>- Mapped "additional1" to "additional.fields".<br>- Mapped "dvc" to "intermediary.hostname".<br>- Added a Grok pattern that validates an IP address before mapping "bigip_ip" to "intermediary.ip".<br>- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "has_principal_user" is "true".<br>- Mapped "prin_ip" to "principal.ip" and "principal.asset.ip". |
2025-02-27 | Enhancement:<br>- Added support for CEF format logs.<br>- Mapped "F5FlowID" to "additional.fields".<br>- Mapped "F5TranslatedVlan" to "additional.fields".<br>- Mapped "F5SrcTranslationType" to "additional.fields".<br>- Mapped "F5SrcTranslationPool" to "additional.fields".<br>- Mapped "F5SrcGeo" to "additional.fields".<br>- Mapped "F5DstGeo" to "additional.fields".<br>- Mapped "F5RouteDomain" to "additional.fields". |
2024-11-07 | Enhancement:<br>- Added support for CEF format logs. |
2024-04-05 | Enhancement:<br>- Added support to parse newly ingested, previously unparsed logs. |
2023-09-11 | Enhancement:<br>- Mapped "Column12" to "security_result.detection_fields".<br>- Mapped "Column14" to "security_result.action". |
2023-08-16 | Enhancement:<br>- Added a Grok pattern to support new log formats. |
2023-05-05 | Newly created parser. |