Change log for F5_AFM

Date Changes
2025-07-24 Enhancement:
- Added JSON filter to parse new type of logs.
- event.idm.read_only_udm.additional.fields: Newly mapped `acl_policy_name`, `acl_policy_type`, `chronicle_log_type`, `chronicle_namespace`, `flow_id`, `vlan`, `route_domain`, and `partition_name` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `source_ipint_categories`, `src_geo`, and `source_fqdn` raw log fields with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `dest_ipint_categories`, `dst_geo`, and `dest_fqdn` raw log fields with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.security_result.rule_name: Newly mapped `acl_rule_name` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped `acl_rule_id` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field.
- event.idm.read_only_udm.security_result.action: Newly mapped `action` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.
- event.idm.read_only_udm.intermediary.ip: Newly mapped `bigip_mgmt_ip` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field.
- event.idm.read_only_udm.target.resource.name: Newly mapped `context_name` raw log field with `event.idm.read_only_udm.target.resource.name` UDM field.
- event.idm.read_only_udm.target.resource.type: Newly mapped `context_type` raw log field with `event.idm.read_only_udm.target.resource.type` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `date_time` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Newly mapped `dest_ip` and `net.peer.ip` raw log fields with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.target.port: Newly mapped `dest_port` and `net.peer.port` raw log fields with `event.idm.read_only_udm.target.port` UDM field.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `device_version` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field.
- event.idm.read_only_udm.security_result.summary: Newly mapped `drop_reason` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.
- event.idm.read_only_udm.network.ip_protocol: Newly mapped `ip_protocol` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM field.
- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped `source_ip` and `net.host.ip` raw log fields with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.port: Newly mapped `source_port` and `net.host.port` raw log fields with `event.idm.read_only_udm.principal.port` UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `errdefs_msg_name` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `errdefs_msgno` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `source_user` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped `source_user_group` raw log field with `event.idm.read_only_udm.principal.user.group_identifiers` UDM field.
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity_details` UDM field.
- event.idm.read_only_udm.metadata.event_type: Setting `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED` when `has_principal_user` is `true`.
2025-07-10 Enhancement:
- Added the include files "cef_extraction.include" and "cef_udm_mapping.include" to parse CEF logs when "cef_data" =~ "CEF" and "message" =~ "CEF".
- `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped `dvchost` raw log field with `event.idm.read_only_udm.intermediary.hostname` and `event.idm.read_only_udm.intermediary.asset.hostname` UDM fields.
- `event.idm.read_only_udm.intermediary.ip` and `event.idm.read_only_udm.intermediary.asset.ip`: Newly mapped `dvc` raw log field with `event.idm.read_only_udm.intermediary.ip` and `event.idm.read_only_udm.intermediary.asset.ip` UDM fields.
- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `c6a2`, `F5SrcZone`, and `F5SrcFqdn` raw log fields with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.principal.user.attribute.labels`: Newly mapped `F5SrcUser` raw log field with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `c6a3`, `F5DstZone`, `F5DstVlan`, and `F5DstFqdn` raw log fields with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `F5SendToVs`, `F5SrcIpiCategories`, and `F5DstIpiCategories` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
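The CEF handling described in this entry, as an added Python illustration that is not the parser's own code (the real parser uses the include files named above): it locates the `CEF:` header anywhere in a line (the equivalent of the `=~ "CEF"` check, so a syslog prefix is tolerated), splits the header on unescaped pipes, walks the extension `key=value` pairs so that values with embedded spaces survive, and applies the 2025-07-10 mapping of `dvchost`, `dvc`, `c6a2`, `F5SrcZone`, `F5SrcFqdn`, `F5SrcUser`, `c6a3`, `F5DstZone`, `F5DstVlan`, `F5DstFqdn`, `F5SendToVs`, `F5SrcIpiCategories` and `F5DstIpiCategories` onto dotted UDM paths. The sample line, its vendor/product/version/signature values, and the function names `parse_cef` and `cef_to_udm` are constructed assumptions.

```python
import re

# Constructed sample line in the shape of an F5 AFM CEF event. The header
# values and signature id are made up; the extension keys are the ones the
# 2025-07-10 entry maps. A syslog prefix before "CEF:" is allowed.
SAMPLE_LINE = (
    '<134>Jul 10 12:00:00 bigip1 CEF:0|F5|AFM|0.0.0|1001|Network Event|8|'
    'rt=Jul 10 2025 12:00:00 dvchost=bigip1.example.com dvc=10.0.0.1 '
    'c6a2=2001:db8::1 F5SrcZone=external F5SrcFqdn=client.example.com '
    'F5SrcUser=alice c6a3=2001:db8::2 F5DstZone=internal '
    'F5DstVlan=/Common/vlan10 F5DstFqdn=web.example.com '
    'F5SendToVs=/Common/vs_web F5SrcIpiCategories=none '
    'F5DstIpiCategories=spam_sources'
)

HEADER_KEYS = ('version', 'device_vendor', 'device_product', 'device_version',
               'signature_id', 'name', 'severity')

# An extension key is a run of non-space, non-'=' characters followed by '=',
# at the start of the extension text or after whitespace. A value runs up to
# the next key, so "rt=Jul 10 2025 12:00:00" is kept whole.
_EXT_KEY = re.compile(r'(?:^|\s)([^\s=]+)=')


def _unescape_header(field):
    # CEF escapes '|' and '\' in header fields.
    return field.replace(r'\|', '|').replace(r'\\', '\\')


def _unescape_extension(value):
    # CEF escapes '=' and '\' in extension values; '\n' is a newline.
    return value.replace(r'\=', '=').replace(r'\n', '\n').replace(r'\\', '\\')


def parse_cef(line):
    """Return (header dict, extension dict) for a line containing a CEF record."""
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('line does not contain a CEF record')
    body = line[idx + len('CEF:'):]
    # Split only on unescaped '|'; seven splits leave the extension in one piece.
    # (An escaped backslash immediately before a pipe is not special-cased.)
    parts = re.split(r'(?<!\\)\|', body, maxsplit=7)
    if len(parts) < len(HEADER_KEYS):
        raise ValueError('malformed CEF header')
    header = {k: _unescape_header(v) for k, v in zip(HEADER_KEYS, parts)}
    ext_text = parts[7] if len(parts) == 8 else ''
    extension = {}
    keys = list(_EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        extension[m.group(1)] = _unescape_extension(ext_text[m.end():end].strip())
    return header, extension


def cef_to_udm(extension):
    """Apply the 2025-07-10 mapping; keys are dotted read_only_udm paths."""
    def labels(keys):
        # Repeated label fields: one {key, value} entry per present raw field.
        return [{'key': k, 'value': extension[k]} for k in keys if k in extension]

    udm = {}
    if 'dvchost' in extension:
        udm['intermediary.hostname'] = extension['dvchost']
        udm['intermediary.asset.hostname'] = extension['dvchost']
    if 'dvc' in extension:
        udm['intermediary.ip'] = [extension['dvc']]
        udm['intermediary.asset.ip'] = [extension['dvc']]
    udm['principal.resource.attribute.labels'] = labels(('c6a2', 'F5SrcZone', 'F5SrcFqdn'))
    udm['principal.user.attribute.labels'] = labels(('F5SrcUser',))
    udm['target.resource.attribute.labels'] = labels(('c6a3', 'F5DstZone', 'F5DstVlan', 'F5DstFqdn'))
    udm['additional.fields'] = {
        k: extension[k]
        for k in ('F5SendToVs', 'F5SrcIpiCategories', 'F5DstIpiCategories')
        if k in extension
    }
    return udm


if __name__ == '__main__':
    hdr, ext = parse_cef(SAMPLE_LINE)
    print(hdr)
    print(cef_to_udm(ext))
```

The value boundary is decided by the position of the next `key=` token rather than by splitting on spaces, which is what keeps a timestamp such as `rt=Jul 10 2025 12:00:00` intact; a naive space split would scatter it across four bogus fields and is a common source of silent mapping loss in hand-written CEF extractors.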
2025-07-03 Enhancement:
- Removed "kernel" and "CROND" from the drop condition so that those valid logs are parsed.
- Added syslog pattern to extract `cmd_line` from logs.
- Added syslog pattern to extract `module`, `tid` and `cpu` value from `msg_data` field.
- event.idm.read_only_udm.additional.fields: Newly mapped `module`, `tid`, and `cpu` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.process.command_line: Newly mapped `cmd_line` raw log field with `event.idm.read_only_udm.target.process.command_line` UDM field.
2025-06-10 Enhancement:
- Removed "tmsh", "tmm1", and "mcpd" from the drop condition so that those valid logs are parsed.
- Renamed "dest_ip" to "target_ip".
- Removed the "target" rename block, as it is not required.
- Modified Grok patterns to parse valid fields.
- Added a Grok pattern to parse the unparsed logs.
- Added a Grok pattern in "bigip_ip" to parse the valid data.
- event.idm.read_only_udm.security_result.summary: Newly mapped `msg_data` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- event.idm.read_only_udm.principal.process.pid: Newly mapped `pid` raw log field with `event.idm.read_only_udm.principal.process.pid` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `user` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.principal.file.full_path: Newly mapped `folder_path` raw log field with `event.idm.read_only_udm.principal.file.full_path` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `status` and `cmd_data` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Newly mapped `target_ip` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
2025-03-21 Enhancement:
- Added Grok patterns to support new log formats.
- Removed "icrd_child" and "logger" from the conditional check of the drop tag.
- Mapped "desc" to "metadata.description".
- Mapped "prin_port" to "principal.port".
- Mapped "target_port" to "target.port".
- Added conditional mapping for "protocol" to "network.ip_protocol" when the value is "TCP".
- Mapped "ts2" to "metadata.event_timestamp".
- Mapped "tls_ver" to "network.tls.version".
- Mapped "cipher" to "network.tls.cipher".
- Mapped "prod_event_type" to "metadata.product_event_type".
- Mapped "path" to "target.url".
- Mapped "response_size" to "network.sent_bytes".
- Mapped "received_size" to "network.received_bytes".
- Mapped "usr" to "principal.user.userid".
- Mapped "schema_version" to "target.resource.attribute.labels".
- Mapped "severity_info" to "security_result.severity_details".
- Mapped "target_pid" to "target.process.pid".
- Mapped "additional1" to "additional.fields".
- Mapped "dvc" to "intermediary.hostname".
- Added a Grok pattern to match an IP address before mapping "bigip_ip" to "intermediary.ip".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "has_principal_user" is "true".
- Mapped "prin_ip" to "principal.ip" and "principal.asset.ip".
2025-02-27 Enhancement:
- Added support for CEF format logs.
- Mapped "F5FlowID" to "additional.fields".
- Mapped "F5TranslatedVlan" to "additional.fields".
- Mapped "F5SrcTranslationType" to "additional.fields".
- Mapped "F5SrcTranslationPool" to "additional.fields".
- Mapped "F5SrcGeo" to "additional.fields".
- Mapped "F5DstGeo" to "additional.fields".
- Mapped "F5RouteDomain" to "additional.fields".
2024-11-07 Enhancement:
- Added support for CEF format logs.
2024-04-05 Enhancement:
- Added support to parse newly ingested unparsed logs.
2023-09-11 Enhancement:
- Mapped "Column12" to "security_result.detection_fields".
- Mapped "Column14" to "security_result.action".
2023-08-16 Enhancement:
- Added Grok pattern to support new log formats.
2023-05-05 Newly created parser.