Change log for MCAFEE_EPO

Date Changes
2024-11-20 Enhancement:
- Added additional field mapping for XML logs.
2024-10-01 Enhancement:
- When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "username" to "target.user.userid".
- When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "agentdomainname" to "target.administrative_domain".
- When "tvdeventid" is "1027" or "scantype" is "Endpoint Security Threat Prevention", then mapped "domain" and "userid" from "UserName" to "target.administrative_domain" and "target.user.userid" respectively.
2024-08-29 Enhancement:
- Added support to handle dropped logs.
2024-08-12 Enhancement:
- Changed mapping for "Description" from "metadata.description" to "security_result.description".
- Mapped "Name" to "metadata.description".
- Mapped "ThreatAction" to "security_result.action_details".
2024-08-07 Enhancement:
- Added support to handle unparsed JSON logs.
- Mapped "ActionID", "ReasonID", "RatingID", "ListID", "PhishingRatingID", "DownloadRatingID", "SpamRatingID", "PopupRatingID", "BadLinkRatingID", "ExploitRatingID", and "ContentID" to "additional.fields".
2023-10-15 Enhancement:
- Handeled XML logs having "product_name" as "MOVE AV Agentless" or "MSME".
2023-06-20 Enhancement:
- Added grok pattern to handle xml logs.
2023-01-02 Enhancement - Added gsub to remove empty namespace with prefix.
2022-12-16 Bug-fix
- Added code block to handle "is_DLPAGENT11600".
- Added code block for product names specific.
- Added "GENERIC_EVENT" wherever possible if principal and target UDM fields are null.
- Mapped normalized_ip_address to "principal.ip".
- Mapped normalized_mac_address to "principal.mac" wherever possible.
2022-09-14 Enhancement - Merged The customer specific-version to default by Handling Log formats of type Key-value pairs.
- Provided on_error check for "Content.ParentProcessFileName".
2022-09-09 Enhancement - Parsed logs of type "Solidifier" which were being dropped earlier.
- Logs are present in CSV format so following additional mappings have been defined for the particular columns :
- Mapped "column8" to "principal.hostname".
- Mapped "column11" to "principal.mac".
- Mapped "column25" to "target.process.file.full_path".
- Mapped "column30" to "security_result.action". It is mapped to "BLOCK" if value contains "deny" else mapped as "ALLOW" in case of some other value apart from none.
- Mapped "metadata.event_type" to "STATUS_UPDATE".
2022-08-11 Bug-Fix -
- Remapped AnalyzerHostname to intermediary.hostname.
- Remapped sys_host to observer.hostname.
2022-07-27 Enhancement - Mapped the following field:
- Mapped "csv_mcafee_security.column4" to "principal.asset.first_seen_time".
2022-07-14 Enhancement - Mapped the following fields:
- Mapped "product_version" to "metadata.product_version".
- Mapped "FileSHA1Hash" to "target.process.file.sha1".
- Added code block to handle event_id "35103".
- Changed event_type from "GENERIC_EVENT" to "STATUS_UPDATE" wherever possible.
2022-05-05 Enhancement - Mapped the following fields:
- SourceHostname to principal.hostname. If SourceHostname is null mapped AnalyserHostname to principal.hostname.
- MachineName to observer.hostname.
- AnalyserHostname to intermediate.hostname.
- IP header csv 9 to principal.ip.
- IP header csv 17 to target.ip.
- ThreatName header csv 28 to security_result.threat_name commonly for all.
2022-04-12 Added generic string for Vendor name and replaced different product names to a generic value string.