Change log for FORTINET_FORTIANALYZER
| Date | Changes |
|---|---|
| 2025-06-04 | Enhancement:
- event.idm.read_only_udm.security_result2.rule_type: Removed mapping of `eventtype` from `event.idm.read_only_udm.security_result2.rule_type` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Mapped `eventtype` from `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result1.rule_name: Removed mapping of `catdesc` from `event.idm.read_only_udm.security_result1.rule_name` UDM field. - event.idm.read_only_udm.security_result.rule_name: Mapped `catdesc` from `event.idm.read_only_udm.security_result.rule_name` UDM field. - event.idm.read_only_udm.security_result1.detection_fields: Removed mapping of `crscore` from `event.idm.read_only_udm.security_result1.detection_fields` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Mapped `crscore` from `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-05-12 | Enhancement:
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `dtype` raw log field with event.idm.read_only_udm.security_result.detection_fields UDM field. |
| 2025-04-30 | Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Added support for variation of date, time and timezone format. - event.idm.read_only_udm.target.asset.hostname: Newly Mapped `device_id` raw field with `event.idm.read_only_udm.target.asset.hostname` UDM field. - event.idm.read_only_udm.security_result.description: Newly Mapped `operation` raw field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly Mapped `log_id` raw field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly Mapped `pri` raw field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. |
| 2025-04-20 | Enhancement:
- `SYSLOG`: Added support for `SYSLOG` format. - Modified gsub pattern in order to parse the logs with `SYSLOG` Format |
| 2025-04-02 | Enhancement:
- event.idm.read_only_udm.network.http.user_agent,event.idm.read_only_udm.network.http.parsed_user_agent:Newly mapped `agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` and `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field. |
| 2025-02-27 | Enhancement:
- Mapped "dstname" to "target.hostname" and "target.asset.hostname". |
| 2025-01-31 | Enhancement:
- Mapped "catdesc" to "security_result.rule_name". - Mapped "crscore" to "security_result.detection_fields". - Mapped "method" to "network.http.method". - Mapped "cat" to "security_result.rule_id". |
| 2025-01-02 | Enhancement:
- When "action" is "login" and "status" is "success", then mapped "ALLOW" to "security_result.action". - When "action" is "login" and "status" is "failure", then mapped "BLOCK" to "security_result.action". |
| 2024-11-28 | Enhancement:
- Mapped "filename" to "target.file.full_path". |
| 2024-11-19 | Enhancement:
- Mapped "dstuser" to "target.user.userid". |
| 2024-11-13 | Enhancement:
- Mapped "fsaverdict" to "additional.fields". |
| 2024-10-28 | Enhancement:
- Changed "srcinf", "dstinf", "srcintfrole", and "dstintfrole" mapping from "security_result.detection_fields" to "additional.fields". |
| 2024-10-16 | Enhancement:
- Mapped "type", "subtype", and "level" to "metadata.ingestion_labels". |
| 2024-10-01 | Enhancement:
- Mapped "logdesc" to "metadata.description". |
| 2024-10-01 | Enhancement:
- Mapped "logdesc" to "metadata.description". |
| 2024-09-23 | Enhancement:
- Modified mapping for "devname" to "principal.resource.attribute.labels". - Mapped "srcname" to "principal.hostname" and "principal.asset.hostname". |
| 2024-09-12 | Enhancement:
- Added conditional checks to map the value "BLOCK" to the "security_result.action" UDM field when the "reason" value is "sslvpn_login_permission_denied". |
| 2024-07-22 | Enhancement:
- Added "gusb" to handle the unparsed logs. |
| 2024-07-04 | Enhancement:
- When "msg" contains "login", then set "event_type" to "USER_LOGIN". |
| 2024-04-25 | Enhancement:
- Mapped "httpmethod" to "network.http.method". - When "action" is "login", then map "ALLOW" to "security_result.action". - When "msg" contains "logged in successfully", then set "event_type" to "USER_LOGIN". - When "msg" contains "login failed", then set "event_type" to "USER_LOGOUT". |
| 2023-07-19 | Bug-Fix:
- Added gsub to remove "\n" to parse failing logs. |
| 2023-05-05 | - Added support for logs with CEF format.
|
| 2022-09-19 | Newly Created Parser
|