Change log for MEDIGATE_IOT
Date | Changes
---|---
2024-04-03 | Enhancement:<br>- Mapped "location" to "principal.location.country_or_region".<br>- Mapped "server_name" to "network.tls.client.server_name".<br>- Mapped "incident_id" to "metadata.product_log_id".<br>- Mapped "incident_type" to "metadata.description".<br>- Mapped "msg_category", "interface_name", "interface_type", and "status" to "additional.fields".
2023-12-08 | Enhancement:<br>- Mapped "event_extra_info.malicious_ip_info.confidence" to "security_result.confidence_details".<br>- Mapped "event_extra_info.malicious_ip_info.last_update" to "target.file.mime_type".<br>- Mapped "event_extra_info.malicious_ip_info.tags" to "security_result.detection_fields".<br>- Mapped "event_extra_info.malicious_ip_info.type" to "security_result.category_details".<br>- Added mapping of "event_extra_info.malicious_ip_info.threat_type" to "security_result.about.labels".<br>- Added a gsub function to remove invalid characters from "inner_message".<br>- Added a MAC address check to "comm_tuple.src_mac" and "comm_tuple.dst_mac".<br>- Added a Grok pattern to parse the new format of "comm_tuple.protocol".
2023-11-08 | Enhancement:<br>- Mapped "events_extra_info.file_name" to "target.file.full_path".<br>- Mapped "events_extra_info.file_type" to "target.file.mime_type".<br>- Mapped "events_extra_info.sender_id" to "principal.user.userid".
2022-07-08 | Enhancement:<br>- Mapped "events.timestamp" to "metadata.event_timestamp".<br>- Mapped "events.description" to "metadata.description".<br>- Mapped "events_extra_info.domain" to "principal.administrative_domain".<br>- Mapped "events_extra_info.malicious_ip_info.source" to "security_result.about.labels".<br>- Mapped "events_extra_info.malicious_ip_info.threat_type" to "security_result.threat_name".<br>- Mapped "events_extra_info.malicious_ip_info.malicious_ip" to "intermediary.ip".<br>- Mapped "events_extra_info.malicious_ip_info.severity" to "security_result.severity".<br>- Mapped "events_extra_info.geo_location" to "target.location.country_or_region".<br>- Mapped "events_extra_info.client_id" and "affected_device.site_name" to "additional_fields".<br>- Mapped "comm_tuple.src_port" to "principal.port".<br>- Mapped "comm_tuple.dst_port" to "target.port".<br>- Mapped "comm_tuple.src_ip" to "principal.ip".<br>- Mapped "comm_tuple.dst_ip" to "target.ip".<br>- Mapped "comm_tuple.src_mac" to "principal.mac".<br>- Mapped "comm_tuple.dst_mac" to "target.mac".<br>- Mapped "affected_device.asset_id" to "principal.asset.asset_id".<br>- Mapped "affected_device.device_category" to "principal.resource.resource_subtype".<br>- Mapped "affected_device.device_type" to "principal.resource.name".<br>- Mapped "events.type" to "metadata.product_event_type".<br>- Mapped "affected_device.manufacturer" to "hardware.manufacturer".<br>- Mapped "affected_device.model" to "hardware.model".<br>- Mapped "version" to "network.tls.version".<br>- Mapped "proto" to "tls.version_protocol".<br>- Mapped "metadata.event_type" to "NETWORK_HTTP" where "comm_tuple.protocol" is "HTTP".<br>- Mapped "metadata.event_type" to "NETWORK_FTP" where "comm_tuple.protocol" is "FTP".<br>- Mapped "security_category" to "NETWORK_MALICIOUS" where "events.type" is "Malicious Internet Communication".<br>- Mapped "metadata.event_type" to "USER_LOGIN", "events_extra_info.username" to "target.user.userid", and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED" where "events.type" is "Weak/Default Password".<br>- Mapped "events_extra_info.username" to "principal.user.userid".<br>- Mapped "events_extra_info.certificate_info.ST" to "principal.location.state".<br>- Mapped "events_extra_info.certificate_info.CN" to "principal.hostname".<br>- Mapped "events_extra_info.certificate_info.C" to "principal.location.country_or_region".<br>- Mapped "events_extra_info.certificate_info.L" to "principal.location.city".
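The conditional parts of the 2022-07-08 and 2023-12-08 entries (event type chosen by "comm_tuple.protocol" and "events.type", the MAC address check, the gsub on "inner_message") are where parser output most often surprises detection engineers. The following added example is not Google's parser and not Medigate's code: it is a reference model of those rules in Python, built from the field names in the change log, that produces the UDM a practitioner would expect for a sample event so it can be diffed against what the real parser emits. The input layout is assumed from the dotted names in the log, the sample event is constructed, the fallback event type "GENERIC_EVENT" and the set of characters stripped by the gsub are assumptions, and "security_category" in the log is read as the UDM field "security_result.category".

```python
"""Reference model of the MEDIGATE_IOT mappings in the change log (added example, not the product parser)."""
import json
import re

# Six hex octets separated by ':' or '-'; values that fail this are dropped, as the 2023-12-08 MAC check does.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample event; the nesting is assumed from the dotted field names in the change log.
SAMPLE_EVENT = {
    "events": {"timestamp": "2024-04-03T10:15:00Z", "type": "Malicious Internet Communication",
               "description": "Device contacted a known malicious host"},
    "events_extra_info": {
        "domain": "hospital.example", "username": "biomed",
        "malicious_ip_info": {"malicious_ip": "203.0.113.7", "severity": "HIGH", "source": "feed-x",
                              "threat_type": "c2", "confidence": "90", "type": "botnet", "tags": ["cobalt"]},
    },
    "comm_tuple": {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "src_port": 51234, "dst_port": 443,
                   "src_mac": "00:11:22:33:44:55", "dst_mac": "not-a-mac", "protocol": "HTTP"},
    "affected_device": {"asset_id": "dev-123", "device_type": "Infusion Pump", "device_category": "Medical",
                        "manufacturer": "ACME", "model": "IP-2000"},
}


def valid_mac(value):
    """MAC address check: only well-formed addresses reach principal.mac / target.mac."""
    return bool(value) and MAC_RE.match(value) is not None


def clean_inner_message(text):
    """gsub on inner_message. The log does not say which characters are invalid; this
    assumed version strips ASCII control characters, which is what usually breaks downstream parsing."""
    return re.sub(r"[\x00-\x1f\x7f]", "", text)


def set_path(udm, path, value):
    """Assign a dotted UDM path such as 'principal.user.userid', skipping empty values
    so the expected output only contains fields the parser would actually populate."""
    if value in (None, "", []):
        return
    node = udm
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def to_udm(ev):
    """Build the UDM dictionary the change-log mappings imply for one Medigate event."""
    udm = {}
    events, extra = ev.get("events", {}), ev.get("events_extra_info", {})
    mal, tup, dev = extra.get("malicious_ip_info", {}), ev.get("comm_tuple", {}), ev.get("affected_device", {})

    # Direct field-to-field mappings (2022-07-08 and 2023-12-08 entries).
    for path, value in [
        ("metadata.event_timestamp", events.get("timestamp")),
        ("metadata.description", events.get("description")),
        ("metadata.product_event_type", events.get("type")),
        ("principal.administrative_domain", extra.get("domain")),
        ("principal.user.userid", extra.get("username")),
        ("intermediary.ip", mal.get("malicious_ip")),
        ("security_result.severity", mal.get("severity")),
        ("security_result.threat_name", mal.get("threat_type")),
        ("security_result.confidence_details", mal.get("confidence")),
        ("security_result.category_details", mal.get("type")),
        ("security_result.detection_fields", mal.get("tags")),
        ("principal.ip", tup.get("src_ip")), ("target.ip", tup.get("dst_ip")),
        ("principal.port", tup.get("src_port")), ("target.port", tup.get("dst_port")),
        ("principal.asset.asset_id", dev.get("asset_id")),
        ("principal.resource.name", dev.get("device_type")),
        ("principal.resource.resource_subtype", dev.get("device_category")),
        ("hardware.manufacturer", dev.get("manufacturer")), ("hardware.model", dev.get("model")),
    ]:
        set_path(udm, path, value)

    # MAC addresses only after the format check.
    if valid_mac(tup.get("src_mac")):
        set_path(udm, "principal.mac", tup["src_mac"])
    if valid_mac(tup.get("dst_mac")):
        set_path(udm, "target.mac", tup["dst_mac"])

    # metadata.event_type: the log names HTTP and FTP; GENERIC_EVENT is an assumed fallback.
    proto = (tup.get("protocol") or "").upper()
    event_type = {"HTTP": "NETWORK_HTTP", "FTP": "NETWORK_FTP"}.get(proto, "GENERIC_EVENT")
    etype = events.get("type")
    if etype == "Malicious Internet Communication":
        set_path(udm, "security_result.category", "NETWORK_MALICIOUS")  # log says "security_category"
    if etype == "Weak/Default Password":
        event_type = "USER_LOGIN"
        set_path(udm, "target.user.userid", extra.get("username"))
        set_path(udm, "extensions.auth.type", "AUTHTYPE_UNSPECIFIED")
    set_path(udm, "metadata.event_type", event_type)
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Run it against a captured Medigate event and compare the result with the UDM record returned by the parser in SecOps; a difference on "metadata.event_type" or a missing "target.mac" is usually one of the conditional rules above rather than a plain field rename, and the assumed pieces (fallback event type, gsub character set) are the first places to adjust.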