Change log for NOZOMI_GUARDIAN
Date | Changes |
---|---|
2025-06-19 | - Added a Grok pattern that checks whether `from` and `to` hold an `ip` or a `mac` address and maps them accordingly: `from_ip` to `principal.ip` and `principal.asset.ip`; `to_ip` to `target.ip` and `target.asset.ip`; `from_mac` to `principal.mac` and `principal.asset.mac`; `to_mac` to `target.mac` and `target.asset.mac`.<br>- Removed the `security_result_attach` label; the `security_result` label is used instead, as it is already initialized.<br>- `event.idm.read_only_udm.additional.fields`: Removed the mapping of `type_id` and `name` from this UDM field.<br>- `event.idm.read_only_udm.metadata.product_event_type`: Mapped the `type_id` raw log field to this UDM field.<br>- `event.idm.read_only_udm.security_result.summary`: Mapped the `name` raw log field to this UDM field.<br>- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped the `properties_rule_name` raw log field to this UDM field; if `properties_rule_name` is empty, the `type_name` field value is used instead.<br>- `event.idm.read_only_udm.security_result.threat_name`: Newly mapped the `threat_name` raw log field to this UDM field.<br>- `event.idm.read_only_udm.security_result.rule_id`: Newly mapped the `trigger_id` raw log field to this UDM field.<br>- `event.idm.read_only_udm.intermediary.hostname`: Removed the mapping of `appliance_host` from this UDM field.<br>- `event.idm.read_only_udm.observer.hostname`: Mapped the `appliance_host` raw log field to this UDM field.<br>- `event.idm.read_only_udm.intermediary.ip`: Removed the mapping of `appliance_ip` from this UDM field.<br>- `event.idm.read_only_udm.observer.ip`: Mapped the `appliance_ip` raw log field to this UDM field. |
2025-06-18 | |
2025-03-10 | |
2025-01-30 | - Changed the mapping of `dvchost` from `principal.hostname` to `intermediary.hostname`.<br>- Changed the mapping of `device_event_class_id` from `additional.fields` to `metadata.product_event_type`.<br>- Mapped `start` to `metadata.event_timestamp`; if `start` is not present, the `timestamp` from the syslog header is mapped to `metadata.event_timestamp` instead.<br>- Mapped `spt` to `principal.port`.<br>- Mapped `smac` to `principal.mac`.<br>- Mapped `proto` to `network.ip_protocol`.<br>- Mapped `app`, `proto`, `cs1`, `cs1Label`, `cs2`, `cs2Label`, `cs3`, `cs3Label`, `cs4`, `cs4Label`, `cs5`, and `cs5Label` to `additional.fields`.<br>- Mapped `dst` to `target.ip`.<br>- Mapped `dpt` to `target.port`.<br>- Mapped `dmac` to `target.mac`. |
2024-11-06 | - Newly created parser. |
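The following is an added example and not the Nozomi Guardian parser itself (Google SecOps parsers are written in a Logstash-like configuration language, not Python): a small Python model of the mappings described in the 2025-06-19 and 2025-01-30 entries, run over constructed sample input. Assumed, because the change log does not state them: the JSON key names of the alert, that an IPv4 address and a colon-separated MAC are told apart by value shape, that the CEF `start` field carries epoch milliseconds, and the syslog header timestamp format. Real UDM fields such as `principal.ip` and `security_result` are repeated; the model keeps single values for brevity.

```python
import re
from datetime import datetime, timezone

# How an IP is told from a MAC (assumed: the change log only says the Grok
# pattern checks whether "from"/"to" are `ip` or `mac`, not how).
IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample input (not real Nozomi Guardian output); key names assumed.
SAMPLE_ALERT = {
    "from": "10.0.0.5", "to": "66:77:88:99:aa:bb",
    "type_id": "ALERT-1", "name": "New node detected", "type_name": "New node",
    "properties_rule_name": "", "threat_name": "", "trigger_id": "",
    "appliance_host": "guardian-01", "appliance_ip": "10.0.0.2",
}
SAMPLE_CEF = (
    "Jun 19 10:11:12 guardian-01 CEF:0|Nozomi Networks|Guardian|1.0|ALERT-1|New node|5|"
    "start=1750327872000 dvchost=guardian-01 spt=49152 smac=00:11:22:33:44:55 "
    "dst=10.0.0.7 dpt=502 dmac=66:77:88:99:aa:bb proto=tcp app=modbus "
    "cs1=Zone A cs1Label=Zone"
)
SAMPLE_CEF_NO_START = SAMPLE_CEF.replace("start=1750327872000 ", "")


def put(udm, path, value):
    """Set a dotted UDM path such as 'principal.asset.ip'. Empty values are
    skipped, like a parser that only emits a field when the raw value exists."""
    if value in (None, "", {}):
        return
    node = udm
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def addr_kind(value):
    """Return 'ip', 'mac' or None for a Nozomi 'from'/'to' value."""
    value = value or ""
    if IP_RE.match(value):
        return "ip"
    if MAC_RE.match(value):
        return "mac"
    return None


def map_alert(alert):
    """2025-06-19 rules for a JSON-style alert."""
    udm = {}
    # from -> principal, to -> target, landing on .ip or .mac by value shape
    for key, entity in (("from", "principal"), ("to", "target")):
        kind = addr_kind(alert.get(key))
        if kind:
            put(udm, f"{entity}.{kind}", alert[key])
            put(udm, f"{entity}.asset.{kind}", alert[key])
    put(udm, "metadata.product_event_type", alert.get("type_id"))
    put(udm, "security_result.summary", alert.get("name"))
    # rule_name falls back to type_name when properties_rule_name is empty
    put(udm, "security_result.rule_name",
        alert.get("properties_rule_name") or alert.get("type_name"))
    put(udm, "security_result.threat_name", alert.get("threat_name"))
    put(udm, "security_result.rule_id", alert.get("trigger_id"))
    # appliance fields moved from intermediary.* to observer.*
    put(udm, "observer.hostname", alert.get("appliance_host"))
    put(udm, "observer.ip", alert.get("appliance_ip"))
    return udm


# Syslog header + CEF header; the header timestamp format is assumed.
CEF_LINE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ CEF:0\|[^|]*\|[^|]*\|[^|]*\|"
    r"(?P<class_id>[^|]*)\|[^|]*\|[^|]*\|(?P<ext>.*)$"
)
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
ADDITIONAL = ("app", "proto", "cs1", "cs1Label", "cs2", "cs2Label", "cs3",
              "cs3Label", "cs4", "cs4Label", "cs5", "cs5Label")


def map_cef(line):
    """2025-01-30 rules for a syslog-wrapped CEF line."""
    m = CEF_LINE.match(line)
    if not m:
        raise ValueError("not a syslog/CEF line")
    ext = dict(EXT_KV.findall(m["ext"]))
    udm = {}
    put(udm, "metadata.product_event_type", m["class_id"])  # device_event_class_id
    if "start" in ext:  # CEF 'start' taken as epoch milliseconds (assumed)
        ts = datetime.fromtimestamp(int(ext["start"]) / 1000, tz=timezone.utc)
        put(udm, "metadata.event_timestamp", ts.isoformat())
    else:  # no 'start': fall back to the syslog header timestamp, kept verbatim
        put(udm, "metadata.event_timestamp", m["syslog_ts"])
    put(udm, "intermediary.hostname", ext.get("dvchost"))  # was principal.hostname
    put(udm, "principal.port", int(ext["spt"]) if "spt" in ext else None)
    put(udm, "principal.mac", ext.get("smac"))
    put(udm, "network.ip_protocol", ext.get("proto", "").upper())
    put(udm, "target.ip", ext.get("dst"))
    put(udm, "target.port", int(ext["dpt"]) if "dpt" in ext else None)
    put(udm, "target.mac", ext.get("dmac"))
    put(udm, "additional.fields", {k: ext[k] for k in ADDITIONAL if k in ext})
    return udm
```

Running `map_alert(SAMPLE_ALERT)` shows the two things worth checking after the 2025-06-19 change: the `from` value lands on `principal.ip`/`principal.asset.ip` while the `to` value lands on `target.mac`/`target.asset.mac`, and `security_result.rule_name` falls back to `type_name` because `properties_rule_name` is empty. `map_cef(SAMPLE_CEF_NO_START)` shows the 2025-01-30 timestamp fallback to the syslog header when `start` is absent.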