Change log for FORCEPOINT_DLP
Date | Changes |
---|---|
2025-08-20 | Enhancement:<br>- event.idm.read_only_udm.target.hostname and event.idm.read_only_udm.target.asset.hostname: Newly mapped the `destinationDnsDomain` raw log field to the `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields.<br>- event.idm.read_only_udm.intermediary.hostname: Newly mapped the `ahost` raw log field to the `event.idm.read_only_udm.intermediary.hostname` UDM field.<br>- event.idm.read_only_udm.intermediary.ip: Newly mapped the `agt` raw log field to the `event.idm.read_only_udm.intermediary.ip` UDM field.<br>- event.idm.read_only_udm.intermediary.namespace: Newly mapped the `agentZoneURI` raw log field to the `event.idm.read_only_udm.intermediary.namespace` UDM field.<br>- event.idm.read_only_udm.intermediary.mac: Newly mapped the `amac` raw log field to the `event.idm.read_only_udm.intermediary.mac` UDM field.<br>- event.idm.read_only_udm.observer.ip: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.observer.ip` UDM field.<br>- event.idm.read_only_udm.observer.hostname: Newly mapped the `dvchost` raw log field to the `event.idm.read_only_udm.observer.hostname` UDM field.<br>- event.idm.read_only_udm.observer.mac: Newly mapped the `dvcmac` raw log field to the `event.idm.read_only_udm.observer.mac` UDM field.<br>- event.idm.read_only_udm.observer.namespace: Newly mapped the `deviceZoneURI` raw log field to the `event.idm.read_only_udm.observer.namespace` UDM field.<br>- event.idm.read_only_udm.additional.fields: Newly mapped the `cs2`, `start`, `end`, `mrt`, `art`, `rt`, `fileType`, `atz`, `dtz`, `geid`, `cefVer`, `aid` and `maxMatches` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- event.idm.read_only_udm.security_result.detection_fields: Newly mapped the `categorySignificance`, `categoryBehavior`, `categoryDeviceGroup`, `catdt`, `categoryOutcome` and `categoryObject` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- event.idm.read_only_udm.security_result.severity_details: Newly mapped the `header_severity` raw log field to the `event.idm.read_only_udm.security_result.severity_details` UDM field.<br>- Modified the Grok pattern to extract `header_severity` from the CEF header.<br>- Added a gsub to pre-process kv_data so that keys prefixed with `ad.` are handled.<br>- Added logic to use `header_severity` from the CEF header as a fallback for `security_result.severity` and `security_result.severity_details`.<br>- Conditionally set `event.idm.read_only_udm.metadata.event_type` to `EMAIL_TRANSACTION` when `sourceServiceName` is "SMTP".<br>- Adjusted the conditional checks for `sourceHostname` and `sourceHost` so that they are mapped unless they are empty or exactly "N/A". |
2025-03-06 | Enhancement:<br>- Mapped "inter_host" to "intermediary.hostname". |
2025-02-19 | Enhancement:<br>- Mapped "violationTriggers.*" fields to "additional.fields". |
2025-01-03 | Enhancement:<br>- Mapped "violationTriggers.VZ CPNI" and "violationTriggers.Controlled Unclassified Information: Portion Marking" to "additional.fields". |
2024-11-19 | Enhancement:<br>- Added support for new CEF format logs. |
2024-08-05 | Enhancement:<br>- When "act" is "Quarantined", mapped "act" to "security_result.action_details" and "security_result.action" to "ALLOW".<br>- Mapped "caseDescription" to "metadata.description".<br>- Mapped "eventIDs" to "metadata.product_event_type".<br>- When "sourceServiceName" is a valid application_protocol, mapped "sourceServiceName" to "network.application_protocol".<br>- Mapped "productVersion" to "metadata.product_version".<br>- Mapped "riskScore" to "additional.fields". |
2024-05-20 | Enhancement:<br>- Mapped "fname" to "target.file.full_path".<br>- Mapped "destinationHosts" to "target.hostname" and "target.asset.hostname".<br>- Mapped "productVersion" and "analyzedBy" to "additional.fields". |
2024-03-25 | Bug-fix:<br>- Added support for new format logs.<br>- Mapped "timeStamp" to "metadata.event_timestamp".<br>- Mapped "act" to "security_result.description".<br>- Mapped "cat" to "security_result.category_details".<br>- Mapped "severityType" to "security_result.severity".<br>- Mapped "msg" to "metadata.description".<br>- Mapped "eventId" to "metadata.product_log_id".<br>- Mapped "sourceServiceName" to "principal.application".<br>- Mapped "sourceHost" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "sourceIp" to "principal.ip" and "principal.asset.ip".<br>- Mapped "suser" to "principal.user.userid".<br>- Mapped "loginName" to "principal.user.user_display_name". |
2022-11-07 | - Newly created parser. |
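As an added illustration of the 2025-08-20 parsing changes (this is not the parser's own code): a small Python model that extracts the severity from the CEF header, normalises `ad.`-prefixed extension keys, maps the intermediary/observer fields, applies the "SMTP" to `EMAIL_TRANSACTION` rule and the "N/A" check on `sourceHost`, and falls back to the header severity when `severityType` is absent. The sample record, the `RAW_TO_UDM` table and the severity buckets in `severity_level` are assumptions, not values from the changelog.

```python
import re

# Constructed sample CEF record (not from the page); the extension keys are raw fields named in the 2025-08-20 entry.
SAMPLE = ('CEF:0|Forcepoint|DLP|10.0|1|Data Loss Incident|8|'
          'ahost=dlp-agent01 agt=10.0.0.5 dvc=10.0.0.9 dvchost=dlp-mgr '
          'ad.act=Quarantined sourceServiceName=SMTP sourceHost=N/A suser=alice')

HEADER_FIELDS = ('cefVer', 'vendor', 'product', 'version', 'sig_id', 'name', 'header_severity')
RAW_TO_UDM = {'ahost': ('intermediary', 'hostname'), 'agt': ('intermediary', 'ip'),
              'amac': ('intermediary', 'mac'), 'agentZoneURI': ('intermediary', 'namespace'),
              'dvc': ('observer', 'ip'), 'dvchost': ('observer', 'hostname'),
              'dvcmac': ('observer', 'mac'), 'deviceZoneURI': ('observer', 'namespace')}

def split_cef(line):
    """Return (header dict, extension string); an escaped '\\|' inside a header value does not split."""
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF record')
    return dict(zip(HEADER_FIELDS, parts[:7])), parts[7]

def parse_extension(ext):
    """key=value pairs; values may contain spaces, so a value ends at the next 'key='. 'ad.' prefixes are stripped (the gsub step)."""
    kv = {}
    for m in re.finditer(r'(\S+?)=(.*?)(?=\s+\S+?=|$)', ext):
        key = m.group(1)
        kv[key[3:] if key.startswith('ad.') else key] = m.group(2).replace('\\=', '=')
    return kv

def severity_level(sev):
    """Assumed bucketing of a CEF severity (0-10) into a UDM level; word severities pass through upper-cased."""
    if not sev.isdigit():
        return sev.upper()
    n = int(sev)
    return 'LOW' if n <= 3 else 'MEDIUM' if n <= 6 else 'HIGH' if n <= 8 else 'CRITICAL'

def to_udm(line):
    header, ext = split_cef(line)
    kv = parse_extension(ext)
    udm = {k: {} for k in ('metadata', 'principal', 'intermediary', 'observer', 'security_result')}
    for raw, (section, dst) in RAW_TO_UDM.items():
        if raw in kv:
            udm[section][dst] = kv[raw]
    src = kv.get('sourceHost', '')
    if src and src != 'N/A':  # mapped unless empty or exactly "N/A"
        udm['principal']['hostname'] = src
    if kv.get('sourceServiceName') == 'SMTP':
        udm['metadata']['event_type'] = 'EMAIL_TRANSACTION'
    sev = kv.get('severityType') or header['header_severity']  # header severity is the fallback
    udm['security_result']['severity_details'] = sev
    udm['security_result']['severity'] = severity_level(sev)
    return udm
```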