Change log for FORTINET_FORTIANALYZER
| Date | Changes |
|---|---|
| 2025-07-07 | Enhancement:
- Corrected conditional logic to ensure the "app" field from raw logs is consistently mapped to the "target.application" UDM field when present. This resolves an issue where the mapping was previously skipped if other conditions were met. - Added 'on_error' handling to several mutate filters to improve parser robustness. |
| 2025-06-04 | Enhancement:
- event.idm.read_only_udm.security_result2.rule_type: Removed mapping of `eventtype` from `event.idm.read_only_udm.security_result2.rule_type` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Mapped `eventtype` from `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result1.rule_name: Removed mapping of `catdesc` from `event.idm.read_only_udm.security_result1.rule_name` UDM field. - event.idm.read_only_udm.security_result.rule_name: Mapped `catdesc` from `event.idm.read_only_udm.security_result.rule_name` UDM field. - event.idm.read_only_udm.security_result1.detection_fields: Removed mapping of `crscore` from `event.idm.read_only_udm.security_result1.detection_fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Mapped `crscore` from `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-05-12 | Enhancement:
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `dtype` raw log field with event.idm.read_only_udm.security_result.detection_fields UDM field. |
| 2025-04-30 | Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Added support for variation of date, time and timezone format. - event.idm.read_only_udm.target.asset.hostname: Newly Mapped `device_id` raw field with `event.idm.read_only_udm.target.asset.hostname` UDM field. - event.idm.read_only_udm.security_result.description: Newly Mapped `operation` raw field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly Mapped `log_id` raw field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly Mapped `pri` raw field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-04-20 | Enhancement:
- `SYSLOG`: Added support for `SYSLOG` format. - Modified gsub pattern in order to parse the logs with `SYSLOG` Format |
| 2025-04-02 | Enhancement:
- event.idm.read_only_udm.network.http.user_agent,event.idm.read_only_udm.network.http.parsed_user_agent:Newly mapped `agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` and `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field. |
| 2025-02-27 | Enhancement:
- Mapped "dstname" to "target.hostname" and "target.asset.hostname". |
| 2025-01-31 | Enhancement:
- Mapped "catdesc" to "security_result.rule_name". - Mapped "crscore" to "security_result.detection_fields". - Mapped "method" to "network.http.method". - Mapped "cat" to "security_result.rule_id". |
| 2025-01-02 | Enhancement:
- When "action" is "login" and "status" is "success", then mapped "ALLOW" to "security_result.action". - When "action" is "login" and "status" is "failure", then mapped "BLOCK" to "security_result.action". |
| 2024-11-28 | Enhancement:
- Mapped "filename" to "target.file.full_path". |
| 2024-11-19 | Enhancement:
- Mapped "dstuser" to "target.user.userid". |
| 2024-11-13 | Enhancement:
- Mapped "fsaverdict" to "additional.fields". |
| 2024-10-28 | Enhancement:
- Changed "srcinf", "dstinf", "srcintfrole", and "dstintfrole" mapping from "security_result.detection_fields" to "additional.fields". |
| 2024-10-16 | Enhancement:
- Mapped "type", "subtype", and "level" to "metadata.ingestion_labels". |
| 2024-10-01 | Enhancement:
- Mapped "logdesc" to "metadata.description". |
| 2024-10-01 | Enhancement:
- Mapped "logdesc" to "metadata.description". |
| 2024-09-23 | Enhancement:
- Modified mapping for "devname" to "principal.resource.attribute.labels". - Mapped "srcname" to "principal.hostname" and "principal.asset.hostname". |
| 2024-09-12 | Enhancement:
- Added conditional checks to map the value "BLOCK" to the "security_result.action" UDM field when the "reason" value is "sslvpn_login_permission_denied". |
| 2024-07-22 | Enhancement:
- Added "gusb" to handle the unparsed logs. |
| 2024-07-04 | Enhancement:
- When "msg" contains "login", then set "event_type" to "USER_LOGIN". |
| 2024-04-25 | Enhancement:
- Mapped "httpmethod" to "network.http.method". - When "action" is "login", then map "ALLOW" to "security_result.action". - When "msg" contains "logged in successfully", then set "event_type" to "USER_LOGIN". - When "msg" contains "login failed", then set "event_type" to "USER_LOGOUT". |
| 2023-07-19 | Bug-Fix:
- Added gsub to remove "\n" to parse failing logs. |
| 2023-05-05 | - Added support for logs with CEF format.
|
| 2022-09-19 | Newly Created Parser
|