Change log for MCAFEE_EPO
| Date | Changes |
|---|---|
| 2025-05-12 | Enhancement:
- Added Grok pattern to support the `Trellix` pattern of logs with (SYSLOG + KV) format and relevant corresponding raw log fields. - event.idm.read_only_udm.metadata.vendor_name: Set the value of `event.idm.read_only_udm.metadata.vendor_name` to `Trellix` for `Trellix` pattern of logs. - event.idm.read_only_udm.observer.hostname: Newly mapped `sys_host` raw log field with `event.idm.read_only_udm.observer.hostname` UDM field. - event.idm.read_only_udm.metadata.product_name: Newly mapped `product_name` field with `event.idm.read_only_udm.metadata.product_name` UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `event_name` and `workflowid` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.metadata.product_log_id: Newly mapped `alertId` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `agentGUID` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - event.idm.read_only_udm.security_result.summary: Newly mapped `alertType` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field. - event.idm.read_only_udm.metadata.product_event_type: Newly mapped `eventType` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field. - event.idm.read_only_udm.principal.hostname & event.idm.read_only_udm.principal.asset.hostname: Newly mapped `host` raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields and set `has_principal` to `true`. - event.idm.read_only_udm.principal.ip & event.idm.read_only_udm.principal.asset.ip: Newly mapped `sourceIP` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields and set `has_principal` to `true`. - event.idm.read_only_udm.target.ip & event.idm.read_only_udm.target.asset.ip: Newly mapped `targetIP` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields and set `has_target` to `true`. - event.idm.read_only_udm.principal.platform: Newly mapped `operatingSystem` raw log field with `event.idm.read_only_udm.principal.platform` UDM field. - event.idm.read_only_udm.security_result.action_details: Newly mapped `eventname` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `eventTimestamp` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.target.process.file.full_path: Newly mapped `eventObject` raw log field with `event.idm.read_only_udm.target.process.file.full_path` UDM field and set `has_target_resource` to `true`. - event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `eventProgramName` raw log field with `event.idm.read_only_udm.principal.process.file.full_path` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly mapped `eventProgramUser` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.principal.process.command_line: Newly mapped `eventCommandLine` raw log field with `event.idm.read_only_udm.principal.process.command_line` UDM field. - event.idm.read_only_udm.security_result.severity: Newly mapped `threatSeverity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field. - event.idm.read_only_udm.metadata.event_type: Set the value of `event.idm.read_only_udm.metadata.event_type` to `USER_RESOURCE_ACCESS` if `has_user` is `true` and `has_target_resource` is `true`. - event.idm.read_only_udm.metadata.event_type: Set the value of `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE` if `has_principal` is `true`. |
| 2025-05-02 | Enhancement:
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `ThreatSeverity` and `Severity` raw log fields with `event.idm.read_only_udm.security_result.severity_details` UDM field. - event.idm.read_only_udm.security_result.action_details: Newly mapped `Name` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field. - event.idm.read_only_udm.target.file.md5: Newly mapped `TargetHash` raw log field with `event.idm.read_only_udm.target.file.md5` UDM field. - event.idm.read_only_udm.target.file.full_path: Removed mapping of `filename` from `event.idm.read_only_udm.target.file.full_path` UDM field. - event.idm.read_only_udm.principal.file.full_path: Mapped `filename` field with `event.idm.read_only_udm.principal.file.full_path` UDM field. - event.idm.read_only_udm.target.administrative_domain: Removed mapping of `domain` from `event.idm.read_only_udm.target.administrative_domain` UDM field. - event.idm.read_only_udm.principal.administrative_domain: Mapped `domain` field with `event.idm.read_only_udm.principal.administrative_domain` UDM field. - event.idm.read_only_udm.target.user.userid: Removed mapping of `userid` from `event.idm.read_only_udm.target.user.userid` UDM field. - event.idm.read_only_udm.principal.user.userid: Mapped `userid` field with `event.idm.read_only_udm.principal.user.userid` UDM field. - Added a new Grok pattern to add support for logs getting dropped even after having some important data. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `custom_date` field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. - event.idm.read_only_udm.principal.ip & event.idm.read_only_udm.principal.asset.ip: Newly mapped `src_ip` field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields and set `has_principal` to `true`. |
| 2025-04-24 | Enhancement:
- If "ThreatActionTaken" raw log field value is "IDS_ALERT_ACT_TAK_DEN", then set "security_result.action" as "BLOCK". |
| 2025-03-19 | Enhancement:
- Removed the mapping of "username" from "target.user.userid" and changed to "principal.user.userid". - Removed the mapping of "agentdomainname" from "target.administrative_domain" and changed to "principal.administrative_domain". - Mapped "filepath" to "principal.file.full_path". - Mapped "Actionname" to "security_result.detection_fields". - Added IP Address check for "agentipaddress". |
| 2024-11-20 | Enhancement:
- Added additional field mapping for XML logs. |
| 2024-10-01 | Enhancement:
- When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "username" to "target.user.userid". - When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "agentdomainname" to "target.administrative_domain". - When "tvdeventid" is "1027" or "scantype" is "Endpoint Security Threat Prevention", then mapped "domain" and "userid" from "UserName" to "target.administrative_domain" and "target.user.userid" respectively. |
| 2024-08-29 | Enhancement:
- Added support to handle dropped logs. |
| 2024-08-12 | Enhancement:
- Changed mapping for "Description" from "metadata.description" to "security_result.description". - Mapped "Name" to "metadata.description". - Mapped "ThreatAction" to "security_result.action_details". |
| 2024-08-07 | Enhancement:
- Added support to handle unparsed JSON logs. - Mapped "ActionID", "ReasonID", "RatingID", "ListID", "PhishingRatingID", "DownloadRatingID", "SpamRatingID", "PopupRatingID", "BadLinkRatingID", "ExploitRatingID", and "ContentID" to "additional.fields". |
| 2023-10-15 | Enhancement:
- Handeled XML logs having "product_name" as "MOVE AV Agentless" or "MSME". |
| 2023-06-20 | Enhancement:
- Added grok pattern to handle xml logs. |
| 2023-01-02 | Enhancement - Added gsub to remove empty namespace with prefix.
|
| 2022-12-16 | Bug-fix - Added code block to handle "is_DLPAGENT11600". - Added code block for product names specific. - Added "GENERIC_EVENT" wherever possible if principal and target UDM fields are null. - Mapped normalized_ip_address to "principal.ip". - Mapped normalized_mac_address to "principal.mac" wherever possible. |
| 2022-09-14 | Enhancement - Merged The customer specific-version to default by Handling Log formats of type Key-value pairs.
- Provided on_error check for "Content.ParentProcessFileName". |
| 2022-09-09 | Enhancement - Parsed logs of type "Solidifier" which were being dropped earlier.
- Logs are present in CSV format so following additional mappings have been defined for the particular columns : - Mapped "column8" to "principal.hostname". - Mapped "column11" to "principal.mac". - Mapped "column25" to "target.process.file.full_path". - Mapped "column30" to "security_result.action". It is mapped to "BLOCK" if value contains "deny" else mapped as "ALLOW" in case of some other value apart from none. - Mapped "metadata.event_type" to "STATUS_UPDATE". |
| 2022-08-11 | Bug-Fix -
- Remapped AnalyzerHostname to intermediary.hostname. - Remapped sys_host to observer.hostname. |
| 2022-07-27 | Enhancement - Mapped the following field:
- Mapped "csv_mcafee_security.column4" to "principal.asset.first_seen_time". |
| 2022-07-14 | Enhancement - Mapped the following fields:
- Mapped "product_version" to "metadata.product_version". - Mapped "FileSHA1Hash" to "target.process.file.sha1". - Added code block to handle event_id "35103". - Changed event_type from "GENERIC_EVENT" to "STATUS_UPDATE" wherever possible. |
| 2022-05-05 | Enhancement - Mapped the following fields:
- SourceHostname to principal.hostname. If SourceHostname is null mapped AnalyserHostname to principal.hostname. - MachineName to observer.hostname. - AnalyserHostname to intermediate.hostname. - IP header csv 9 to principal.ip. - IP header csv 17 to target.ip. - ThreatName header csv 28 to security_result.threat_name commonly for all. |
| 2022-04-12 | Added generic string for Vendor name and replaced different product names to a generic value string. |