Change log for JUNIPER_FIREWALL
| Date | Changes |
|---|---|
| 2024-10-11 | Enhancement:
- Mapped "hostn" to "principal.hostname". - Mapped "app" to "principal.application". - Mapped "pid" to "principal.process.pid". - Mapped "event_title" to "metadata.product_event_type". - Mapped "event_message" to "metadata.description". - Mapped "Local-ip" to "principal.ip" and "principal.asset.ip". - Mapped "Gateway_Name", "vpn", "tunnel_id", "tunnel_if", "Local_IKE_ID", "Remote_IKE_ID", "AAA_username", "VR_id", "Traffic_selector", "Traffic_selector_Remote_ID", "Traffic_selector_local_ID", "SA_Type", "Reason", "threshold", "time-period", and "error-message_data" to "observer.resource.attribute.labels". - Mapped "target_ip" to "target.ip" and "target.asset.ip". - Mapped "data" to "target.ip" and "target.asset.ip". |
| 2024-06-28 | Enhancement:
- Modified the Grok patterns to parse unparsed logs. - Added Grok patterns over the field "msg_data" to extract the fields "user_id", "principal_host", "file_path", "pid_2", and "server_ip". - Mapped "principal_host" to "principal.hostname". - Mapped "user_id" to "target.user.userid". - Mapped "file_path" to "target.file.full_path". - Mapped "pid_2" to "target.process.pid". - Mapped "server_ip" to "target.ip". - Mapped "event_time" to "metadata.event_timestamp" correctly by removing "rebase" if year is present. |
| 2024-01-22 | Bug-Fix:
- Added new Grok patterns to parse "message" field with key-value data. - Mapped "ACTION" to "security_result.action_details". - Mapped "SESSION_ID" to "network.session_id". - Mapped "APPLICATION" to "principal.application". - Mapped "pingCtlOwnerIndex", "pingCtlTestName", "usp_lsys_max_num_rpd", "usp_lsys_max_num", "urlcategory_risk", "application_sub_category", "source-zone", "destination-zone", "NESTED-APPLICATION", "CATEGORY", "REASON", "PROFILE", "source_rule", "retrans_timer" and "arp_unicast_mode" to "additional.fields". - Mapped "time" to "metadata.event_timestamp". |
| 2023-12-31 | Bug-Fix:
- Added support for a new pattern of JSON logs. - Mapped "time" to "metadata.event_timestamp". - Mapped "host" to "principal.hostname". - Mapped "ident" to "target.application". - Mapped "pid" to "target.process.pid". - Added Grok patterns to parse "message" field. |
| 2023-12-15 | Enhancement:
- Mapped "internal-protocol" to "network.ip_protocol" . - Mapped "state" to "security_result.detection_fields". - Mapped "internal-ip" to "principal.ip". - Mapped "reflexive-ip" to "target.ip". - Mapped "internal-port" to "principle.port". - Mapped "reflexive-port" to "target.port". - Mapped "local-address" to "principal.ip". - Mapped "remote-address" to "target.ip". - Added KV filter with source as "task_summary". - Mapped "dns-server-address" to "principal.ip". - Mapped "domain-name" to "principal.administrative_domain". - Mapped "argument1" to "network.direction". - Mapped "state" to "security_result.detection_fields". - Mapped "test-owner" to "additional.fields". - Mapped "local-initiator" to "additional.fields". - Mapped "test-name" to "additional.fields". - Mapped "SPI" to "additional.fields". - Mapped "AUX-SPI" to "additional.fields". - Mapped "Type" to "additional.fields". - Mapped "error-message" to "security_result.summary". |
| 2023-11-02 | Enhancement:
- Added a new Grok pattern to parse logs of new "SYSLOG+KV" format. |
| 2023-08-24 | Enhancement:
- Added gsub function to remove special characters. |
| 2023-08-02 | Enhancement:
- Modified Grok pattern to support new log formats for NetScreen type. - Added support for type "RT_FLOW_SESSION_CREATE_LS", "RT_FLOW_SESSION_CLOSE_LS" and "RT_FLOW_SESSION_DENY_LS". - Mapped "sent" to "network.sent_bytes". - Mapped "rcvd" to "network.received_bytes". |
| 2023-05-05 | Enhancement:
- Mapped "rule-name" to "security_result.rule_id". - Mapped "rulebase-name" to "security_result.detection_fields". - Mapped "export-id" to "security_result.detection_fields". - Mapped "repeat-count" to "security_result.detection_fields". - Mapped "packet-log-id" to "security_result.detection_fields". - Mapped "alert" to "is_alert" when the value is "yes". - Mapped "outbound-packets" to "network.sent_packets". - Mapped "inbound-packets" to "network.received_packets". - Mapped "outbound-bytes" to "network.sent_bytes". - Mapped "inbound-bytes" to "network.received_bytes". |
| 2023-03-08 | Enhancement:
- Mapped "application" to "target.application". - Mapped "reason" to "security_result.description". - Mapped "application-characteristics" to "security_result.summary". - Mapped "application-risk" to "security_result.severity_details". - Mapped "application-category" to "security_result.detection_fields". - Mapped "application-sub-category" to "security_result.detection_fields". - Mapped "dst-nat-rule-name" to "security_result.detection_fields". - Mapped "dst-nat-rule-type" to "security_result.detection_fields". - Mapped "src-nat-rule-name" to "security_result.detection_fields". - Mapped "src-nat-rule-type" to "security_result.detection_fields". - Mapped "encrypted" to "security_result.detection_fields". - Mapped "nested-application" to "security_result.detection_fields". - Mapped "packet-incoming-interface" to "security_result.detection_fields". - Mapped "session-id-32" to "network.session_id". - Mapped "packets-from-client" to "network.sent_packets". - Mapped "packets-from-server" to "network.received_packets". - Mapped "bytes-from-client" to "network.sent_bytes". - Mapped "bytes-from-server" to "network.received_bytes". - Mapped "elapsed-time" to "network.session_duration.seconds". - Mapped "nat-destination-address" to "target.nat_ip". - Mapped "nat-destination-port" to "target.nat_port". - Mapped "source-destination-address" to "principal.nat_ip". - Mapped "source-destination-port" to "principal.nat_port". |
| 2023-01-18 | Bug-fix:
- Made the condition case insensitive to map "BLOCK" to "security_result.action", when "action" is "drop/DROP". - Mapped "msg_data" to "security_result.description" when "no_app_name" is false. - Mapped "threat-severity" to "security_result.severity". - Mapped the field "message" to "metadata.description". - Mapped "app_name" to "target.application". - Mapped "pid" to "target.process.pid". - Mapped "desc" to "metadata.description". - Mapped "username" to "principal.user.userid". - Mapped "command" to "target.process.command_line". - Mapped "action" to "security_result.action_details". - Mapped "sec_description" to "security_result.description". - Mapped "application-name" to "network.application_protocol". |
| 2023-01-15 | Enhancement-
- Modified Grok pattern to support unparsed logs containing type "UI_CMDLINE_READ_LINE", "UI_COMMIT_PROGRESS", "UI_CHILD_START", "UI_CFG_AUDIT_OTHER", "UI_LOGIN_EVENT", "UI_CHILD_STATUS", "UI_LOGOUT_EVENT", "UI_LOAD_EVENT", "JTASK_IO_CONNECT_FAILED", "UI_AUTH_EVENT", "UI_NETCONF_CMD", "UI_COMMIT_NO_MASTER_PASSWORD", "UI_CFG_AUDIT_SET", "UI_JUNOSCRIPT_CMD", "SNMPD_AUTH_FAILURE", "UI_CFG_AUDIT_NEW", "UI_COMMIT" , "LIBJNX_LOGIN_ACCOUNT_LOCKED", "UI_COMMIT_COMPLETED", "PAM_USER_LOCK_LOGIN_REQUESTS_DENIED", "RTPERF_CPU_USAGE_OK", "RTPERF_CPU_THRESHOLD_EXCEEDED", "LIBJNX_LOGIN_ACCOUNT_UNLOCKED", "JSRPD_SET_OTHER_INTF_MON_FAIL", "JSRPD_SET_SCHED_MON_FAILURE", "UI_CHILD_WAITPID", "UI_DBASE_LOGIN_EVENT". |
| 2022-11-07 | Enhancement-
- Mapped "subtype" to "metadata.product_event_type". - Mapped "attack-name" to "security_result.threat_name". - Mapped "policy-name" to "security_result.rule_name". - Mapped "action" to "security_result.action", where value "drop" is mapped to BLOCK others to ALLOW. - Mapped "source-interface-name" to "security_result.detection_fields". - Mapped "destination-interface-name" to "security_result.detection_fields". - Mapped "source-zone-name" to "security_result.detection_fields". - Mapped "destination-zone-name" to "security_result.detection_fields". - Mapped "service-name" to "security_result.detection_fields". - Mapped "application-name" to "security_result.detection_fields". - Mapped "metadata.product_name" - Mapped "metadata.vendor_name" |
| 2022-10-04 | Enhancement- Mapped attack-name to security_result.rule_name.
- Converted SDM mappings to following fields of UDM:- - Mapped "source-address" to "principal.ip". - Mapped "destination-address" to "target.ip". - Mapped "source-port" to "principal.port". - Mapped "host" to "principal.hostname". - Mapped "bytes-from-server" to "network.received_bytes". - Mapped "policy-name" to "security_result.rule_name". - Mapped "protocol-id" to "network.ip_protocol". |