Change log for GUARDICORE_CENTRA
Date | Changes |
---|---|
2025-06-10 | Enhancement:
- Added a Gsub for `kv_data`.
- Added a conditional check for `kv_data`.
- Added Grok patterns to check whether the `src` field is an IP address.
- `event.idm.read_only_udm.metadata.product_log_id`: newly mapped from the `event_id` raw log field.
- `event.idm.read_only_udm.target.hostname`: newly mapped from the `Assetname` raw log field.
- `event.idm.read_only_udm.target.asset.hostname`: newly mapped from the `Assetname` raw log field.
- `event.idm.read_only_udm.target.asset.asset_id`: newly mapped from the `Assetid` raw log field.
- `event.idm.read_only_udm.principal.ip`: newly mapped from the `IPAddresses` raw log field.
- `event.idm.read_only_udm.principal.asset.ip`: newly mapped from the `IPAddresses` raw log field.
- `event.idm.read_only_udm.principal.port`: newly mapped from the `prin_port` raw log field.
- `event.idm.read_only_udm.principal.hostname`: newly mapped from the `vCenterhost` raw log field.
- `event.idm.read_only_udm.principal.asset.hostname`: newly mapped from the `vCenterhost` raw log field.
- `event.idm.read_only_udm.principal.location.name`: newly mapped from the `Location` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `Addedlabels`, `Removedlabels`, and `Resultinglabels` raw log fields.
- `event.idm.read_only_udm.target.group.attribute.labels`: newly mapped from the `ResultinglabelGroups`, `AddedLabelGroups`, and `RemovedLabelGroups` raw log fields.
- `event.idm.read_only_udm.security_result.description`: newly mapped from the `Changecause` raw log field.
- `event.idm.read_only_udm.principal.user.userid`: newly mapped from the `Changedby` raw log field.
- `event.idm.read_only_udm.security_result.severity`: newly mapped from the `severity` raw log field.
- When `severity` is "0", "1", "2", or "3", `LOW` is mapped to `event.idm.read_only_udm.security_result.severity`.
- When `severity` is "4", "5", or "6", `MEDIUM` is mapped to `event.idm.read_only_udm.security_result.severity`.
- When `severity` is "7" or "8", `HIGH` is mapped to `event.idm.read_only_udm.security_result.severity`.
- When `severity` is "9" or "10", `CRITICAL` is mapped to `event.idm.read_only_udm.security_result.severity`. |
2025-03-28 | Enhancement:
- Added Grok patterns to extract KV data from the logs.
- Added an "else if" conditional check for `cs1` and `cs1Label`.
- `event.idm.read_only_udm.additional.fields`: newly mapped from the `cs1` and `cs1Label` raw log fields.
- `event.idm.read_only_udm.security_result.action_details`: newly mapped from the `act` raw log field.
- `event.idm.read_only_udm.principal.ip`, `event.idm.read_only_udm.principal.asset.ip`: newly mapped from the `src` raw log field.
- `event.idm.read_only_udm.target.ip`, `event.idm.read_only_udm.target.asset.ip`: newly mapped from the `dst` raw log field.
- `event.idm.read_only_udm.target.port`: newly mapped from the `dpt` raw log field.
- `event.idm.read_only_udm.target.hostname`, `event.idm.read_only_udm.target.asset.hostname`: newly mapped from the `dhost` raw log field.
- `event.idm.read_only_udm.network.ip_protocol`: newly mapped from the `proto` raw log field.
- `event.idm.read_only_udm.target.asset.platform_software.platform`: newly mapped from the `os_type` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `cs4` and `cs4Label` raw log fields.
- `event.idm.read_only_udm.target.application`: newly mapped from the `Aplicacion` raw log field.
- `event.idm.read_only_udm.target.resource.name`: newly mapped from the `ConexionServ_RedRespaldoicio` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `Ambiente` raw log field.
- `event.idm.read_only_udm.target.resource.resource_subtype`: newly mapped from the `Servicio` raw log field.
- `event.idm.read_only_udm.target.platform_version`: newly mapped from the `os_name` raw log field.
- `event.idm.read_only_udm.target.process.command_line`, `event.idm.read_only_udm.target.resource.attribute.labels`: the `dproc` raw log field is newly mapped to `event.idm.read_only_udm.target.process.command_line`; when that mapping does not apply, `dproc` is mapped to `event.idm.read_only_udm.target.resource.attribute.labels` instead.
- `event.idm.read_only_udm.target.url`: newly mapped from the `cs15Label` raw log field.
- `event.idm.read_only_udm.additional.fields`: newly mapped from the `cs6Label` and `cs6` raw log fields.
- `event.idm.read_only_udm.security_result.rule_id`: newly mapped from the `cs7Label` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `Entorno` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `Gestion` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `cs10` and `cs10Label` raw log fields.
- `event.idm.read_only_udm.target.user.userid`: newly mapped from the `duser` raw log field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: newly mapped from the `cs16Label` and `cs16` raw log fields.
- `event.idm.read_only_udm.intermediary.asset.ip`: newly mapped from the `dvc` raw log field. |
2024-12-04 | Enhancement:
- Mapped the `start` raw log field to `metadata.event_timestamp`. |
2024-11-05 | Enhancement:
- Added support for new pattern of CEF logs. |
2024-10-09 | Enhancement:
- Added support to parse previously unparsed logs.
- Changed the mapping of `os_name`, `enforcement`, and `AssetType` from `additional.fields` to `security_result.detection_fields`. |
2024-08-30 | Enhancement:
- Modified the Grok pattern to parse new log types.
- Mapped `source.vm.name` to `principal.hostname`.
- Mapped `bucket_id`, `policy_verdict`, `network_profile`, `source_process_hash`, and `display_provider` to `security_result.detection_fields`.
- Mapped `display_type` to `principal.platform`. |
2024-04-19 | Enhancement:
- Added support for CEF logs. |
2023-09-08 | - Newly created parser. |
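The 2025-06-10 and 2025-03-28 rows above describe four mechanics of the parser: splitting CEF extension key/value data, pairing each `cs<N>Label` with its `cs<N>` value, checking whether `src` is an IP address, and bucketing the 0-10 `severity` into `LOW`/`MEDIUM`/`HIGH`/`CRITICAL`. The following Python sketch is an added example of those steps and is not the GUARDICORE_CENTRA parser or any Google SecOps code. The sample log line is constructed, the direct CEF-to-UDM pairs are copied from the 2025-03-28 row, the non-IP `src` handling (treating it as a hostname) is an assumption the change log does not state, and for brevity all custom-string pairs land in `target.resource.attribute.labels` even though the parser routes `cs1`/`cs1Label` to `additional.fields`.

```python
"""Added example (not the GUARDICORE_CENTRA parser): parse a CEF line into
header and extension fields, pair cs<N>Label/cs<N> custom strings, check
whether `src` is an IP, and bucket the numeric severity into the UDM levels
listed in the change log."""
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample line, not a real Guardicore Centra log.
SAMPLE_CEF = (
    "CEF:0|Guardicore|Centra|1.0|100|Connection Blocked|8|"
    "src=10.1.2.3 dst=10.4.5.6 dpt=445 dhost=fileserver01 proto=TCP "
    "act=BLOCK duser=alice dvc=10.0.0.9 "
    "cs1Label=policy_rule cs1=deny-smb cs4Label=environment cs4=prod"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# Extension values may contain spaces, so each value runs until the next " key=".
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# CEF key -> UDM path pairs taken from the 2025-03-28 row of the change log
# (event.idm.read_only_udm prefix omitted).
_DIRECT = (
    ("dst", "target.ip"), ("dhost", "target.hostname"),
    ("proto", "network.ip_protocol"), ("act", "security_result.action_details"),
    ("duser", "target.user.userid"), ("dvc", "intermediary.asset.ip"),
)


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its seven header fields plus extension key=value pairs."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    record = {name: parts[i].replace("\\|", "|") for i, name in enumerate(HEADER_FIELDS)}
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    for key, value in _EXT_KV.findall(parts[7]):
        record[key] = value.replace("\\=", "=")
    return record


def severity_bucket(severity: Optional[str]) -> Optional[str]:
    """Map the 0-10 CEF severity to the UDM level the change log specifies."""
    try:
        n = int(severity)
    except (TypeError, ValueError):
        return None
    if 0 <= n <= 3:
        return "LOW"
    if 4 <= n <= 6:
        return "MEDIUM"
    if 7 <= n <= 8:
        return "HIGH"
    if 9 <= n <= 10:
        return "CRITICAL"
    return None  # out of range: leave severity unset rather than guess


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def custom_string_labels(record: Dict[str, str]) -> Dict[str, str]:
    """Pair each cs<N>Label with its cs<N> value: cs4Label=environment cs4=prod -> {'environment': 'prod'}."""
    labels: Dict[str, str] = {}
    for key, label in record.items():
        m = re.fullmatch(r"(cs\d+)Label", key)
        if m and m.group(1) in record:
            labels[label] = record[m.group(1)]
    return labels


def to_udm(record: Dict[str, str]) -> Dict[str, object]:
    """Build a flat dict of UDM paths from a parsed CEF record."""
    udm: Dict[str, object] = {}
    level = severity_bucket(record.get("severity"))
    if level:
        udm["security_result.severity"] = level
    src = record.get("src")
    if src:
        if is_ip(src):
            udm["principal.ip"] = src
        else:
            # Assumption for this example only: a non-IP src is treated as a
            # hostname. The change log says only that the parser checks src.
            udm["principal.hostname"] = src
    if "dpt" in record and record["dpt"].isdigit():
        udm["target.port"] = int(record["dpt"])
    for cef_key, udm_path in _DIRECT:
        if cef_key in record:
            udm[udm_path] = record[cef_key]
    labels = custom_string_labels(record)
    if labels:
        udm["target.resource.attribute.labels"] = labels
    return udm


if __name__ == "__main__":
    for path, value in sorted(to_udm(parse_cef(SAMPLE_CEF)).items()):
        print(f"{path} = {value}")
```

Running the block prints one `path = value` line per mapped UDM field for the sample; a severity of `8` lands in `HIGH`, and the two `cs<N>Label`/`cs<N>` pairs become a two-entry labels map. Severities outside 0-10 or non-numeric values are left unmapped rather than forced into a bucket, which is the safe choice when the upstream field is untrusted.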