Change log for FIREEYE_ETP
Date | Changes |
---|---|
2025-04-21 | Enhancement:<br>- Added a Gsub on "message" that replaces `"\\s+"to"` with `","to"` so that the logs parse.<br>- Initialised "about.file.full_path".<br>- Mapped `alert.action` to `security_result.action_details`.<br>- Mapped `alert.attack-time` to `target.file.first_seen_time`.<br>- Mapped `alert.dst.smtp-to` and `alert.email-header.to` to `target.user.email_addresses`.<br>- Mapped `alert.email-header.from` to `network.email.from`.<br>- Mapped `alert.email-header.message-id` to `network.email.mail_id`.<br>- Mapped `alert.email-header.subject` to `network.email.subject`.<br>- Mapped `alert.ack`, `alert.smtp-message.last-malware`, `alert.smtp-message.protocol`, `alert.smtp-message.queue-id` and `mta_msg_id` to `target.labels`.<br>- Mapped `alert.explanation.malware-detected.malware.application`, `alert.explanation.malware-detected.malware.downloaded-at`, `alert.explanation.malware-detected.malware.executed-at`, `alert.explanation.malware-detected.malware.profile`, `alert.explanation.malware-detected.malware.stype` and `alert.explanation.malware-detected.malware.type` to `additional.fields`.<br>- Mapped `alert.explanation.malware-detected.malware.md5sum` to `target.file.md5`, or to `additional.fields` if `target.file.md5` is already set.<br>- Mapped `alert.explanation.malware-detected.malware.name` to `target.file.names`.<br>- Mapped `alert.explanation.malware-detected.malware.original` to `target.url` if `alert.explanation.malware-detected.malware.type` is `url`.<br>- Mapped `alert.explanation.malware-detected.malware.original` to `target.file.full_path`, or to `additional.fields` if `target.file.full_path` is already set.<br>- Mapped `alert.explanation.malware-detected.malware.sha256` to `target.file.sha256`, or to `additional.fields` if `target.file.sha256` is already set.<br>- Mapped `alert.explanation.malware-detected.malware.submitted-at` to `target.file.first_submission_time`.<br>- Mapped `alert.interface.interface`, `alert.interface.mode` and `alert.sc-version` to `additional.fields`.<br>- Mapped `alert.name` to `metadata.description`.<br>- Mapped `alert.occurred` to `metadata.event_timestamp`.<br>- Mapped `alert.severity` to `security_result.severity` and `severity_details`: `crit` maps to `CRITICAL` with `security_result.risk_score` `5.0`; `majr` maps to `HIGH` with `security_result.risk_score` `10.0`; `unkn` maps to `UNKNOWN_SEVERITY` with `security_result.risk_score` `5.0`; `minr` maps to `MEDIUM` with `security_result.risk_score` `5.0`; `low` maps to `LOW`.<br>- Mapped `alert.smtp-message.country` to `intermediary.location.country_or_region`.<br>- Mapped `alert.smtp-message.date` to `additional.fields`.<br>- Mapped `alert.smtp-message.from` and `alert.src.smtp-mail-from` to `principal.user.email_addresses`.<br>- Mapped `alert.smtp-message.ip_address` to `intermediary.ip`.<br>- Mapped `alert.smtp-message.to` to `network.email.to`.<br>- Mapped `alert.src.domain` to `principal.administrative_domain`.<br>- Mapped `alert.uuid` to `metadata.product_log_id`.<br>- Mapped `mitre_mapping.bale.bale_id`, `mitre_mapping.bale.name`, `mitre_mapping.bale.os_change_id` and `mitre_mapping.bale.description` to `additional.fields`.<br>- Mapped `mitre_mapping.bale.severity` to `security_result.detection_fields`.<br>- Mapped `mitre_mapping.bale.id` to `security_result.attack_details.techniques`.<br>- Mapped `tactics_data` to `security_result.attack_details.tactics`.<br>- Mapped `alert.src.url` to `principal.url` if `alert.explanation.malware-detected.malware.type` is `url`, otherwise to `additional.fields`.<br>- Mapped `msg` to `about.labels`.<br>- Mapped `parent_uuid`, `report_id` and `object_uuid` to `additional.fields`.<br>- Mapped `verdict` to `security_result.verdict_info` and `security_result.category_details`.<br>- Mapped `version` to `metadata.product_version`. |
2024-08-14 | Enhancement:<br>- Added a Grok pattern for a new pattern of JSON logs.<br>- Mapped "type", "InternalId", "attributes.acceptedDateTime", "attributes.lastModifiedDateTime", "attributes.senderSMTP", "attributes.status" and "attributes.urlDomains" to "additional.fields".<br>- Mapped "attributes.countryCode" to "principal.location.country_or_region".<br>- Mapped "attributes.senderIP" to "principal.ip".<br>- Mapped "attributes.recipientSMTP" to "network.email.to".<br>- Mapped "attributes.senderHeader" to "network.email.from".<br>- Mapped "attributes.subject" to "network.email.subject".<br>- Mapped "attributes.domain" to "network.dns_domain". |
2024-08-08 | Enhancement:<br>- Added a new Grok pattern to parse previously unparsed SYSLOG logs. |
2024-03-07 | Enhancement:<br>- Mapped "alert.attributes.alert.malware_md5" to "about.file.md5". |
2024-01-30 | Enhancement:<br>- Added support for a new pattern of JSON logs.<br>- Mapped "id", "alert.explanation.analysis", "alert.explanation.malware_os_analysis", "email.dod_report_id" and "email.status" to "security_result.detection_fields".<br>- Mapped "alert.malware_md5" to "about.file.md5".<br>- Mapped "alert.sha256" to "about.file.sha256".<br>- Mapped "email.attachment" to "about.file.full_path"; when "email.attachment" is a valid URL, mapped it to "about.url".<br>- Mapped "alert.severity" to "security_result.severity".<br>- Mapped "email.smtp.mail_from" to "network.email.from".<br>- Mapped "email.smtp.recipients" to "network.email.to".<br>- Mapped "email.headers.subject" to "network.email.subject".<br>- Mapped "email.source_ip" to "principal.ip" and "principal.asset_ip".<br>- Mapped "alert.explanation.malware_detected.malware.threat_type" to "security_result.category".<br>- Mapped "alert.explanation.malware_detected.malware.trace_iden" to "security_result.threat_id".<br>- Mapped "alert.explanation.malware_detected.malware.name" to "security_result.threat_name".<br>- Mapped "email.source_country" to "principal.location.country_or_region".<br>- Mapped "alert.action" to "security_result.action". |
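As an added illustration (not part of this change log or of the parser itself), the Python below reproduces three rules from the 2025-04-21 entry: the pre-parse Gsub that restores the comma missing before a `"to"` key, the `alert.severity` table with its risk scores, and the rule that sends a second `md5sum` or `original` value to `additional.fields` once the typed `target.file` field is already set. The sample message, the dict layout, and leaving severity unset for values outside the table are assumptions made here.

```python
import json
import re

# Gsub from the change log: restore the comma missing before a "to" key.
_MISSING_COMMA = re.compile(r'"\s+"to"')

# Severity table as stated in the 2025-04-21 entry: alert.severity ->
# (security_result.severity, security_result.risk_score); `low` has no score.
SEVERITY_MAP = {
    "crit": ("CRITICAL", 5.0),
    "majr": ("HIGH", 10.0),
    "unkn": ("UNKNOWN_SEVERITY", 5.0),
    "minr": ("MEDIUM", 5.0),
    "low": ("LOW", None),
}

# Constructed sample message: valid JSON except for the missing comma before "to".
SAMPLE = ('{"alert": {"severity": "majr", "explanation": {"malware-detected": {"malware": ['
          '{"type": "url", "original": "http://example.invalid/x", "md5sum": "a1"}, '
          '{"type": "exe", "original": "/tmp/x.exe", "md5sum": "b2"}]}}}, '
          '"from": "s@example.invalid" "to": "r@example.invalid"}')

def repair_message(message: str) -> str:
    return _MISSING_COMMA.sub('","to"', message)

def _first_or_extra(udm: dict, file_key: str, raw_key: str, value: str) -> None:
    # First value fills the typed target.file field; repeats go to additional.fields.
    if file_key not in udm["target"]["file"]:
        udm["target"]["file"][file_key] = value
    else:
        udm["additional"]["fields"].setdefault(raw_key, []).append(value)

def to_udm(message: str) -> dict:
    alert = json.loads(repair_message(message))["alert"]
    udm = {"security_result": {}, "target": {"file": {}}, "additional": {"fields": {}}}
    sev = alert.get("severity")
    if sev in SEVERITY_MAP:  # values outside the table are left unset (assumption)
        udm["security_result"]["severity"], score = SEVERITY_MAP[sev]
        udm["security_result"]["severity_details"] = sev
        if score is not None:
            udm["security_result"]["risk_score"] = score
    malware = alert.get("explanation", {}).get("malware-detected", {}).get("malware", [])
    for m in malware if isinstance(malware, list) else [malware]:
        if m.get("type") == "url" and "original" in m:  # URL detections -> target.url
            udm["target"]["url"] = m["original"]
        elif "original" in m:
            _first_or_extra(udm, "full_path", "original", m["original"])
        if "md5sum" in m:
            _first_or_extra(udm, "md5", "md5sum", m["md5sum"])
    return udm
```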