Change log for MISP_IOC
| Date | Changes |
|---|---|
| 2025-06-26 | Enhancement: |
| | Merged the output only when the `event.idm.entity.metadata.entity_type` is set. |
| | `event.idm.entity.metadata.product_entity_id`: Newly mapped `log.uuid` raw log field with `event.idm.entity.metadata.product_entity_id` UDM field. |
| | `event.idm.entity.metadata.description`: Newly mapped `Event.info` raw log field with `event.idm.entity.metadata.description` UDM field. |
| | `event.idm.entity.metadata.interval.start_time`: Newly mapped `entity_first_seen` raw log field with `event.idm.entity.metadata.interval.start_time` UDM field. |
| | `event.idm.entity.metadata.threat.category_details`: Newly mapped `log.category` raw log field with `event.idm.entity.metadata.threat.category_details` UDM field. |
| | `event.idm.entity.metadata.threat.summary`: Newly mapped `log.comment` raw log field with `event.idm.entity.metadata.threat.summary` UDM field. |
| | `event.idm.entity.entity.labels`: Newly mapped `Event.threat_level_id` and `event_creator_email` raw log fields with `event.idm.entity.entity.labels` UDM field. |
| | `event.idm.entity.entity.file.full_path`: Newly mapped `log.comment` raw log field with `event.idm.entity.entity.file.full_path` UDM field, if the type is md5, sha1, sha256, attachment or email-attachment and `log.comment` is not "Artifacts dropped". Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.full_path` UDM field, if the type is filename. Newly mapped `file_name` raw log field with `event.idm.entity.entity.file.full_path` UDM field, if the type is filename\|sha256. |
| | `event.idm.entity.entity.file.sha256`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the type is sha256. Newly mapped `file_sha256` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the type is filename\|sha256. |
| | `event.idm.entity.entity.file.sha1`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.sha1` UDM field, if the type is sha1. |
| | `event.idm.entity.entity.file.md5`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.file.md5` UDM field, if the type is md5. |
| | `event.idm.entity.entity.hostname`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.hostname` UDM field, if the type is domain or hostname. |
| | Mapped `Attribute.value` to `event.idm.entity.entity.hostname`, when `log.type` is hostname. |
| | `event.idm.entity.entity.ip`: Newly mapped `ip` raw log field with `event.idm.entity.entity.ip` UDM field, if the type is ip-dst\|port, ip-dst or ip-src. |
| | `event.idm.entity.entity.port`: Newly mapped `port` raw log field with `event.idm.entity.entity.port` UDM field, if the type is ip-dst\|port. |
| | `event.idm.entity.entity.resource.name`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.resource.name` UDM field, if the type is mutex. |
| | `event.idm.entity.entity.registry.registry_key`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.registry.registry_key` UDM field, if the type is regkey. |
| | `event.idm.entity.entity.user.email_addresses`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.user.email_addresses` UDM field, if the type is threat-actor, email-src, email or email-subject. |
| | `event.idm.entity.entity.user.user_display_name`: Newly mapped `log.uuid` raw log field with `event.idm.entity.entity.user.user_display_name` UDM field, if the type is `email` or `email-subject`. |
| | `event.idm.entity.entity.url`: Newly mapped `log.value` raw log field with `event.idm.entity.entity.url` UDM field, if the `type` is `uri`, `url`, `URL` embedded in the email or link. |
| | `event.idm.entity.metadata.entity_type`: Set the `event.idm.entity.metadata.entity_type` based on the `log.type` field. |
| | `event.idm.entity.metadata.threat.detection_fields`: Newly mapped `log.id`, `log.event_id`, `log.to_ids`, `log.timestamp`, `log.comment`, `log.deleted`, `log.first_seen`, `Org.name`, `Feed.publish`, `published` and `Event.Tag` raw log fields with `event.idm.entity.metadata.threat.detection_fields` UDM field. |
| 2025-04-10 | Enhancement: |
| | Merged the output only when the `event.idm.entity.metadata.entity_type` is set. |
| | `syslog+json`: Added support for `syslog+json` format. |
| | `event.idm.entity.metadata.entity_timestamp`: Newly mapped `timestamp` raw log field with `event.idm.entity.metadata.entity_timestamp` UDM field. |
| | `event.idm.entity.metadata.interval.start_time`: Newly mapped `first_seen` raw log field with `event.idm.entity.metadata.interval.start_time` UDM field. |
| | `event.idm.entity.metadata.interval.end_time`: Newly mapped `last_seen` raw log field with `event.idm.entity.metadata.interval.end_time` UDM field. |
| | `event.idm.entity.entity.file.sha1`: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.sha1` UDM field, if the `type` is `sha1`. |
| | `event.idm.entity.entity.file.md5`: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.md5` UDM field, if the `type` is `md5`. |
| | `event.idm.entity.entity.file.sha256`: Newly mapped `indicator` raw log field with `event.idm.entity.entity.file.sha256` UDM field, if the `type` is `sha256`. |
| | `event.idm.entity.entity.hostname`: Newly mapped `indicator` raw log field with `event.idm.entity.entity.hostname` UDM field, if the `type` is `domain`. |
| | `event.idm.entity.entity.ip`: Newly mapped `indicator` raw log field with `event.idm.entity.entity.ip` UDM field, if the `type` is `IPv4`. |
| | `event.idm.entity.entity.url`: Newly mapped `indicator` raw log field with `event.idm.entity.entity.url` UDM field, if the `type` is `url`. |
| | `event.idm.entity.metadata.threat.confidence_score`: Newly mapped `confidence` raw log field with `event.idm.entity.metadata.threat.confidence_score` UDM field. |
| | `event.idm.entity.metadata.threat.summary`: Newly mapped `stix_package_title` raw log field with `event.idm.entity.metadata.threat.summary` UDM field. |
| | `event.idm.entity.metadata.threat.category_details`: Newly mapped `type` raw log field with `event.idm.entity.metadata.threat.category_details` UDM field. |
| | Set the `event.idm.entity.metadata.entity_type` to `USER` only when `event.idm.entity.entity.user.email_addresses` is present. |
| 2025-03-20 | Enhancement: |
| | Added gsub to parse array format of logs. |
| | Mapped "confidence" to "threat_.confidence_details". |
| | Mapped "value" to "entity.entity.url" when "type" is "url". |
| | Mapped "value" to "entity.entity.hostname" when "type" is "domain" or "domiain". |
| | Mapped "value" to "entity.entity.ip" when "type" is "ip". |
| | Mapped "value" to "entity.entity.file.sha256" when "type" is "sha256". |
| | Mapped "value" to "entity.entity.file.md5" when "type" is "md5". |
| | Mapped "value" to "entity.entity.file.sha1" when "type" is "hash". |
| | Set "entity.metadata.entity_type" based on the "type" field. |
| | Added "on_error" to "log.comment" mapping to handle the error when "log.comment" is not present in the log. |
| 2025-01-29 | Enhancement: |
| | Added support to parse new format of JSON unparsed logs. |
| 2024-11-20 | Enhancement: |
| | Added support to parse unparsed logs. |
| 2024-09-05 | Enhancement: |
| | Added support to parse unparsed logs. |
| 2023-09-26 | Enhancement: |
| | Mapped "published", "Feed.publish", "Org.name", "Attribute.id", "Attribute.event_id", "Attribute.to_ids", "Attribute.timestamp", "Attribute.comment", "Attribute.deleted", "Attribute.first_seen", all "tag.names" to "threat.detection_fields". |
| 2023-08-17 | Bug-Fix: |
| | Added a condition to perform a 'gsub' operation, that removes extra back-slash, only when log is not JSON. |
| 2023-07-20 | Bug-Fix: |
| | Changed 'metadata.entity_type' to 'MUTEX' when log is of type mutex. |
| 2023-07-04 | Newly created parser. |
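The type-dispatch rules in the 2025-06-26 entry, modelled in Python as an added example; this is not the MISP_IOC parser's own code. The `entity_type` names per type are assumed (the changelog only says the value is derived from `log.type`), the flat dict shape stands in for UDM, the `attachment`/`email-attachment` cases are omitted, and the constructed input dicts use MISP attribute field names.

```python
from typing import Optional

HASH_TYPES = {"md5": "md5", "sha1": "sha1", "sha256": "sha256"}
EMAIL_TYPES = ("email", "email-src", "email-subject", "threat-actor")
# Assumed UDM entity_type per log.type; the changelog only says it is derived from log.type.
ENTITY_TYPE = {**dict.fromkeys(["md5", "sha1", "sha256", "filename", "filename|sha256"], "FILE"),
               **dict.fromkeys(["domain", "hostname"], "DOMAIN_NAME"),
               **dict.fromkeys(["ip-dst", "ip-src", "ip-dst|port"], "IP_ADDRESS"),
               **dict.fromkeys(EMAIL_TYPES, "USER"),
               **dict.fromkeys(["url", "uri", "link"], "URL"),
               "mutex": "MUTEX", "regkey": "RESOURCE"}


def map_attribute(log: dict) -> Optional[dict]:
    """Map one MISP attribute dict (type/value/comment/uuid) to UDM entity fields;
    None when no entity_type applies (the 'merge only when entity_type is set' rule)."""
    t, value = log.get("type", ""), log.get("value", "")
    comment, uuid = log.get("comment"), log.get("uuid")
    entity_type = ENTITY_TYPE.get(t)
    if entity_type is None:
        return None  # unknown type: nothing is merged
    entity: dict = {}
    if t in HASH_TYPES:  # hash from value; full_path from comment unless it is the drop marker
        entity["file"] = {HASH_TYPES[t]: value}
        if comment and comment != "Artifacts dropped":
            entity["file"]["full_path"] = comment
    elif t == "filename":
        entity["file"] = {"full_path": value}
    elif t == "filename|sha256":  # composite value "name|hash"
        file_name, _, file_sha256 = value.partition("|")
        entity["file"] = {"full_path": file_name, "sha256": file_sha256}
    elif t in ("domain", "hostname"):
        entity["hostname"] = value
    elif entity_type == "IP_ADDRESS":  # "ip|port" form only for ip-dst|port
        ip, _, port = value.partition("|")
        entity["ip"] = [ip]
        if port:
            entity["port"] = int(port)
    elif t == "mutex":
        entity["resource"] = {"name": value}
    elif t == "regkey":
        entity["registry"] = {"registry_key": value}
    elif t in EMAIL_TYPES:
        entity["user"] = {"email_addresses": [value]}
        if t in ("email", "email-subject") and uuid:
            entity["user"]["user_display_name"] = uuid
    else:  # url / uri / link
        entity["url"] = value
    return {"metadata": {"entity_type": entity_type, "product_entity_id": uuid},
            "entity": entity}
```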