Change log for IMPERVA_SECURESPHERE
Date | Changes |
---|---|
2025-07-18 | Enhancement:<br>- Added mappings for the `cs7` and `cs11` raw log fields globally.<br>- Modified the condition so that the `cs12` raw log field is mapped to `security_result.description` when `cs12Label` is not `OSUser`.<br>- Modified the condition so that the `cs17` raw log field is mapped to `event.idm.read_only_udm.target.resource.resource_subtype` when `cs17Label` is not `Error`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs17` raw log field to this UDM field when `cs17Label` is `Error`. |
2025-07-03 | Enhancement:<br>- Added Grok patterns to support a new syslog log pattern.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `cs2`, `cs2Label`, and `additional_json_data` raw log fields to this UDM field when `cs2Label` is `ServerGroup`.<br>- `event.idm.read_only_udm.target.application`: Newly mapped the `cs5` raw log field to this UDM field when `cs5Label` is `ApplicationName`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs4` raw log field to this UDM field when `cs4Label` is `ServiceName`.<br>- `event.idm.read_only_udm.principal.application`: Newly mapped the `cs6` raw log field to this UDM field when `cs11Label` is `SrcApp`.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `cs7` raw log field to this UDM field when `cs7Label` is `AlertDesc`.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped the `cs11` raw log field to this UDM field when `cs11Label` is `DatabaseName`.<br>- `event.idm.read_only_udm.target.resource.resource_type`: Newly mapped the constant `DATABASE` to this UDM field when `cs11Label` is `DatabaseName`.<br>- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `cs10` raw log field to this UDM field when `cs10Label` is `EventID`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `cs15` raw log field to this UDM field when `cs15Label` is not `ViolatedItem`.<br>- `event.idm.read_only_udm.security_result.threat_id`: Newly mapped the `cs9` raw log field to this UDM field when `cs9Label` is `AlertID`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `cs12` raw log field to this UDM field when `cs12Label` is `OSUser`.<br>- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped the `inter_host` raw log field to this UDM field.<br>- `event.idm.read_only_udm.principal.hostname`: Newly mapped the `cs13` raw log field to this UDM field when `cs13Label` is `HostName`.<br>- Modified the condition so that the `cs2` raw log field is mapped to `event.idm.read_only_udm.principal.group.group_display_name` when `cs2Label` is `ServerGroup`.<br>- Modified the condition so that the `cs4` raw log field is mapped to `event.idm.read_only_udm.target.application` when `cs4Label` is `ApplicationName`.<br>- Modified the condition so that the `cs5` raw log field is mapped to `event.idm.read_only_udm.metadata.description` when `cs5Label` is `Description`.<br>- Modified the condition so that the `cs15` raw log field is mapped to `security_result.summary` when `cs15Label` is `ViolatedItem`.<br>- Modified the condition so that the `cs9` raw log field is mapped to `event.idm.read_only_udm.principal.user.userid` when `cs9Label` is `osUser`.<br>- Modified the condition so that the `cs8` raw log field is mapped to `event.idm.read_only_udm.target.resource.name` when `cs8Label` is `DatabaseName` or `ApplicationName`. |
2024-04-01 | Enhancement:<br>- Added support for JSON logs. |
2023-04-26 | Enhancement:<br>- Mapped `cs1` to `security_result.rule_name`.<br>- Mapped `cs2` to `principal.group.group_display_name`.<br>- Mapped `cs3` to `principal.hostname`.<br>- Mapped `cs6` to `target.resource_ancestors.name`.<br>- Mapped `cs7` to `target.resource_ancestors.resource_subtype`.<br>- Mapped `cs5` to `metadata.description`.<br>- Mapped `cs12` to `security_result.description`.<br>- Mapped `cs14` to `target.resource.attribute.labels`.<br>- Mapped `cs15` to `security_result.summary`.<br>- Mapped `cs16` to `principal.process.command_line`.<br>- Mapped `cs17` to `target.resource.resource_subtype`.<br>- Parsed the `severity` field.<br>- Mapped `act` to `security_result.action_details`.<br>- Mapped `cs13` to `metadata.product_log_id`. |
2022-07-24 | Enhancement:<br>- Mapped `proto` to `network.ip_protocol`.<br>- Mapped `severity` to `security_result.severity_details`.<br>- Mapped `cs1Label` to `security_result.detection_fields`.<br>- Mapped `cs2Label` to `security_result.detection_fields`.<br>- Mapped `cs3Label` to `security_result.detection_fields`.<br>- Mapped `cs4` to `target.application`.<br>- Mapped `cs5Label` to `security_result.detection_fields`.<br>- Mapped `cs8` to `target.resource.name`.<br>- Mapped `cs9` to `principal.user.userid`.<br>- Mapped `cs10Label` to `additional.fields`.<br>- Mapped `cs11` to `principal.application`.<br>- Mapped `cs12Label` to `additional.fields`.<br>- Mapped `cs13Label` to `additional.fields`.<br>- Mapped `cs14Label` to `additional.fields`.<br>- Mapped `cs16Label` to `additional.fields`.<br>- Mapped `cs17Label` to `additional.fields`. |
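The 2025-07 entries above describe a pattern worth seeing end to end: the CEF custom strings `cs1`..`cs17` carry no fixed meaning, so the parser routes each one by its companion `cs<N>Label` (for example `cs12` becomes `principal.user.userid` only when `cs12Label` is `OSUser`, and `security_result.description` otherwise). The script below is an added, stand-alone illustration of that label-conditional routing, not code from the Imperva SecureSphere parser or from Google SecOps; the UDM paths are the ones named in the changelog, the rule table and the two CEF sample lines are constructed, and the CEF parser ignores `\|` and `\=` escape sequences for brevity.

```python
import re
from typing import Any, Dict, List, Optional, Set, Tuple

# (cs field, accepted cs<N>Label values, UDM path), taken from the 2025-07 entries.
# A None label set is the "when <label> is not X" branch: it applies only when no
# label-specific rule for that field matched. This table is an illustration, not the parser.
RULES: List[Tuple[str, Optional[Set[str]], str]] = [
    ("cs2",  {"ServerGroup"},                    "principal.group.group_display_name"),
    ("cs4",  {"ApplicationName"},                "target.application"),
    ("cs4",  {"ServiceName"},                    "target.resource.attribute.labels"),
    ("cs5",  {"ApplicationName"},                "target.application"),
    ("cs5",  {"Description"},                    "metadata.description"),
    ("cs7",  {"AlertDesc"},                      "security_result.description"),
    ("cs8",  {"DatabaseName", "ApplicationName"}, "target.resource.name"),
    ("cs9",  {"AlertID"},                        "security_result.threat_id"),
    ("cs9",  {"osUser"},                         "principal.user.userid"),
    ("cs10", {"EventID"},                        "metadata.product_log_id"),
    ("cs11", {"DatabaseName"},                   "target.resource.name"),
    ("cs12", {"OSUser"},                         "principal.user.userid"),
    ("cs12", None,                               "security_result.description"),
    ("cs13", {"HostName"},                       "principal.hostname"),
    ("cs15", {"ViolatedItem"},                   "security_result.summary"),
    ("cs15", None,                               "target.resource.attribute.labels"),
    ("cs17", {"Error"},                          "target.resource.attribute.labels"),
    ("cs17", None,                               "target.resource.resource_subtype"),
]

CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its 7 header fields plus key=value extension pairs.
    Simplification: CEF escape sequences (backslash-pipe, backslash-equals) are not unescaped."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = dict(zip(CEF_HEADER, parts[:7]))
    # Extension values may contain spaces, so split only on a space followed by the next key=.
    for token in re.split(r" (?=[A-Za-z0-9_]+=)", parts[7]):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def set_path(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Assign value at a dotted UDM path; a trailing 'labels' key collects a list of entries."""
    node = udm
    keys = path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    if keys[-1] == "labels":
        node.setdefault("labels", []).append(value)
    else:
        node[keys[-1]] = value


def to_udm(fields: Dict[str, str]) -> Dict[str, Any]:
    """Route each present cs<N> value according to its cs<N>Label using RULES."""
    udm: Dict[str, Any] = {}
    for n in range(1, 18):
        field = f"cs{n}"
        if field not in fields:
            continue
        value, label = fields[field], fields.get(f"{field}Label", "")
        matched = [r for r in RULES if r[0] == field and r[1] is not None and label in r[1]]
        if not matched:  # fall back to the "label is not X" branch, if the field has one
            matched = [r for r in RULES if r[0] == field and r[1] is None]
        for _, _, path in matched:
            if path.endswith(".labels"):
                set_path(udm, path, {"key": label or field, "value": value})
            else:
                set_path(udm, path, value)
        if field == "cs11" and label == "DatabaseName":  # constant set alongside the name
            set_path(udm, "target.resource.resource_type", "DATABASE")
    return udm


def map_line(line: str) -> Dict[str, Any]:
    return to_udm(parse_cef(line))


# Constructed sample events (not real SecureSphere output): the first exercises the
# OSUser and Error branches, the second the "label is not ..." fallbacks.
SAMPLE_LOGS = [
    "CEF:0|Imperva Inc.|SecureSphere|14.0|Alert|SQL Injection|High|act=Block "
    "cs2=Prod DB Group cs2Label=ServerGroup cs9=12345 cs9Label=AlertID "
    "cs11=customers cs11Label=DatabaseName cs12=dbadmin cs12Label=OSUser "
    "cs17=Access denied cs17Label=Error",
    "CEF:0|Imperva Inc.|SecureSphere|14.0|Alert|Policy Violation|Medium|act=Alert "
    "cs12=Suspicious query pattern cs12Label=Reason "
    "cs15=SELECT * FROM users cs15Label=Query cs17=TABLE cs17Label=ObjectType",
]

if __name__ == "__main__":
    import json
    for sample in SAMPLE_LOGS:
        print(json.dumps(map_line(sample), indent=2))
```

The point of the fallback branch is what the 2025-07-18 row changed: without it, a `cs12` that is not an OS user (or a `cs17` that is not an error) would either be dropped or land in a field with the wrong meaning, so a detection keyed on `principal.user.userid` would see database error text as a username. The table-driven form also makes the two `cs9` rules (`AlertID` versus `osUser`) visible side by side, which is where label case sensitivity (`OSUser` for `cs12`, `osUser` for `cs9`) is easiest to get wrong.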