Change log for MISP_IOC
| Date | Changes |
|---|---|
| 2025-04-10 | Enhancement:
- Merged the output only when the `event.idm.entity.metadata.entity_type` is set. - `syslog+json`: Added support for `syslog+json` format. - event.idm.entity.metadata.entity_timestamp: Newly mapped `timestamp` raw log field with `event.idm.entity.metadata.entity_timestamp` UDM field. - event.idm.entity.metadata.interval.start_time: Newly mapped `first_seen` raw log field with "event.idm.entity.metadata.interval.start_time` UDM field. - event.idm.entity.metadata.interval.end_time: Newly mapped `last_seen` raw log field with "event.idm.entity.metadata.interval.end_time` UDM field. - event.idm.entity.entity.file.sha1: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.sha1` UDM field, if the `type` is `sha1`. - event.idm.entity.entity.file.md5: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.md5` UDM field, if the `type` is `md5`. - event.idm.entity.entity.file.sha256: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the `type` is `sha256`. - event.idm.entity.entity.hostname: Newly mapped `indicator` raw log field with `event.idm.entity.entity.hostname` UDM field, if the `type` is `domain`. - event.idm.entity.entity.ip: Newly mapped `indicator` raw log field with `event.idm.entity.entity.ip` UDM field, if the `type` is `IPv4`. - event.idm.entity.entity.url: Newly mapped `indicator` raw log field with `event.idm.entity.entity.url` UDM field, if the `type` is `url`. - event.idm.entity.metadata.threat.confidence_score: Newly mapped `confidence` raw log field with `event.idm.entity.metadata.threat.confidence_score` UDM field. - event.idm.entity.metadata.threat.summary: Newly mapped `stix_package_title` raw log field with `event.idm.entity.metadata.threat.summary` UDM field. - event.idm.entity.metadata.threat.category_details: Newly mapped `type` raw log field with `event.idm.entity.metadata.threat.category_details` UDM field. - Set the `event.idm.entity.metadata.entity_type` to `USER` only when `event.idm.entity.entity.user.email_addresses` is present. |
| 2025-03-20 | Enhancement:
- Added gsub to parse array format of logs. - Mapped "confidence" to "threat_.confidence_details". - Mapped "value" to "entity.entity.url" when "type" is "url". - Mapped "value" to "entity.entity.hostname" when "type" is "domain" or "domiain". - Mapped "value" to "entity.entity.ip" when "type" is "ip". - Mapped "value" to "entity.entity.file.sha256" when "type" is "sha256". - Mapped "value" to "entity.entity.file.md5" when "type" is "md5". - Mapped "value" to "entity.entity.file.sha1" when "type" is "hash". - Set "entity.metadata.entity_type" based on the "type" field. - Added "on_error" to "log.comment" mapping to handle the error when "log.comment" is not present in the log. |
| 2025-01-29 | Enhancement:
- Added support to parse new format of JSON unparsed logs. |
| 2024-11-20 | Enhancement:
- Added support to parse unparsed logs. |
| 2024-09-05 | Enhancement:
- Added support to parse unparsed logs. |
| 2023-09-26 | Enhancement:
- Mapped "published", "Feed.publish", "Org.name", "Attribute.id", "Attribute.event_id", "Attribute.to_ids", "Attribute.timestamp", "Attribute.comment", "Attribute.deleted", "Attribute.first_seen", all "tag.names" to "threat.detection_fields". |
| 2023-08-17 | Bug-Fix :
- Added a condition to perform a 'gsub' operation, that removes extra back-slash, only when log is not JSON. |
| 2023-07-20 | Bug-Fix :
- Changed 'metadata.entity_type' to 'MUTEX' when log is of type mutex. |
| 2023-07-04 | Newly created parser.
|