Change log for FORESCOUT_NAC
2024-11-07
Enhancement:
- Mapped "cat" to "security_result.alert_state".
- Mapped "eventtype" to "security_result.category_details".
- Mapped "device_event_class_id" to "security_result.rule_id" and "event_name" to "security_result.summary".
2024-11-05
Bug-fix:
- Added support for new format of SYSLOG logs.
2024-04-22
Bug-fix:
- Removed the drop condition so that previously unparsed logs are now parsed.
2024-02-05
Enhancement:
- Mapped "eventtype" to "additional.fields".
2024-01-29
Bug-fix:
- Added new Grok patterns to parse CEF logs.
- Added a condition to avoid conversion failure for "principal.port".
- Mapped "username" to "principal.user.userid".
- Mapped "action" to "security_result.action_details".
- Mapped "resource" to "principal.resource.name".
- Mapped "command" to "principal.process.command_line".
- Mapped "version" to "metadata.product_version".
- Added Grok patterns to parse field values from "description" that were previously missing.
- Mapped "source_ip" to "principal.asset.ip".
- Mapped "target_ip" to "target.asset.ip".
- Mapped "computer_name" to "target.asset.hostname".
- Mapped "destination" to "target.asset.hostname".
- Mapped "Target" to "target.asset.hostname".
- Mapped "Hostname" to "principal.asset.hostname".
- Mapped "Source" to "principal.asset.hostname".
- Mapped "middle_ip" to "intermediary.asset.ip".
- Mapped "iporhost" to "intermediary.asset.hostname".
- Mapped "Host" to "principal.asset.hostname".
2023-12-21
Bug-fix:
- Added new Grok patterns for unparsed SYSLOG logs.
- Mapped "CPU usage", "Available memory", "Used memory", "Available swap", "Used swap", "Application status", "Connected Clients", "EM connection status", "Assigned hosts", "Engine status" and "Installed plugins" to "additional.fields".
- Added a condition that checks whether the message contains "CEF:" before parsing it as a CEF log.
2023-05-31
Enhancement:
- Enhanced the parser to reduce "GENERIC_EVENT" classifications by setting "metadata.event_type" to a more appropriate value.
2022-10-07
Enhancement:
- Enhanced the parser to support CEF format logs.
Last updated 2025-08-29 UTC.