Change log for NOZOMI_GUARDIAN
| Date | Changes |
|---|---|
| 2025-06-19 | - Added a Grok pattern to check whether "from" and "to" are `ip` or `mac` and if "from" is `ip` then mapped "from_ip" to "principal.ip" and "principal.asset.ip" and if "to" is `ip` then mapped "to_ip" to "target.ip" and "target.asset.ip" and if "from" is `mac` then mapped "from_mac" to "principal.mac" and "principal.asset.mac" and if "to" is `mac` then mapped "to_mac" to "target.mac" and "target.asset.mac".
- Removed "security_result_attach" label instead using "security_result" label as it is already being initialized. - event.idm.read_only_udm.additional.fields: Removed mapping of `type_id` and `name` from `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.metadata.product_event_type: Mapped `type_id` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field - event.idm.read_only_udm.security_result.summary: Mapped `name` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field - event.idm.read_only_udm.security_result.rule_name: Newly mapped `properties_rule_name` raw log field with `event.idm.read_only_udm.security_result.rule_name` UDM field , if `properties_rule_name` is empty then use `type_name` field value. - event.idm.read_only_udm.security_result.threat_name: Newly mapped `threat_name` raw log field with `event.idm.read_only_udm.security_result.threat_name` UDM field - event.idm.read_only_udm.security_result.rule_id: Newly mapped `trigger_id` raw log field with `event.idm.read_only_udm.security_result.rule_id` UDM field - event.idm.read_only_udm.intermediary.hostname: Removed mapping of `appliance_host` from `event.idm.read_only_udm.intermediary.hostname` UDM field. - event.idm.read_only_udm.observer.hostname: Mapped `appliance_host` raw log field with `event.idm.read_only_udm.observer.hostname` UDM field - event.idm.read_only_udm.intermediary.ip: Removed mapping of `appliance_ip` from `event.idm.read_only_udm.intermediary.ip` UDM field. - event.idm.read_only_udm.observer.ip: Mapped `appliance_ip` raw log field with `event.idm.read_only_udm.observer.ip` UDM field |
| 2025-06-18 | Enhancement:
- Added Grok pattern for new pattern of logs. - `event.idm.read_only_udm.target.url`: Newly mapped `url` raw log field with `event.idm.read_only_udm.target.url` UDM field. - `event.idm.read_only_udm.principal.ip`: Newly mapped `srcip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `srcip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. - `event.idm.read_only_udm.principal.user.userid`: Newly mapped `suser` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field when `event.idm.read_only_udm.metadata.event_type` is `GENERIC_EVENT`. - `event.idm.read_only_udm.metadata.event_type`: Set `metadata.event_type` UDM field as `USER_UNCATEGORIZED` when `suser` is present and `event.idm.read_only_udm.metadata.event_type` is `GENERIC_EVENT`. |
| 2025-03-10 | Enhancement:
- Added support for JSON format logs. - Mapped "id" and "" to "metadata.product_log_id". - Mapped "type_id" to "additional.fields". - Mapped "name" to "additional.fields". - Mapped "mac_src" to "principal.mac". - Mapped "mac_dst" to "target.mac". - Mapped "ip_src" to "principal.ip". - Mapped "ip_dst" to "target.ip". - Mapped "risk" to "security_result.risk_score". - Mapped "protocol" to "network.ip_protocol" and "network.application_protocol". - Mapped "src_roles" to "additional.fields". - Mapped "dst_roles" to "additional.fields". - Mapped "port_src" to "principal.port". - Mapped "port_dst" to "target.port". - Mapped "appliance_host" to "intermediary.hostname". - Mapped "appliance_ip" to "intermediary.ip". - Mapped "is_security" to "security_result.detection_fields". - Mapped "is_incident" to "security_result.detection_fields". - Mapped "properties.raised_by" to "additional.fields". - Mapped "properties.base_risk" to "additional.fields". - Mapped "properties.learn_rules" to "security_result.detection_fields". - Mapped "properties.delete_rules" to "security_result.detection_fields". - Mapped "bpf_filter" to "additional.fields". - Mapped "status" to "additional.fields". - Mapped "capture_device" to "additional.fields". - Mapped sec_profile_visible to "additional.fields". - Mapped "zone_src" to "principal.location.country_or_region". - Mapped "zone_dst" to "target.location.country_or_region". - Mapped "from" to "principal.ip" and "principal.asset.ip". - Mapped "to" to "target.ip" and "target.asset.ip". - Mapped "from_zone" to "principal.location.country_or_region". - Mapped "to_zone" to "target.location.country_or_region". - Mapped "from_port" to "principal.port". - Mapped "to_port" to "target.port". - Mapped "transferred.packets" to "network.sent_packets". - Mapped "transferred.bytes" to "network.sent_bytes". - Mapped "throughput_speed" to "additional.fields". |
| 2025-01-30 | - Changed mapping for "dvchost" from "principal.hostname" to "intermediary.hostname".
- Changed mapping for "device_event_class_id" from "additional.fields" to "metadata.product_event_type". - Mapped "start" to "metadata.event_timestamp". - If "start" field is not present mapped "timestamp" from syslog header to "metadata.event_timestamp". - Mapped "spt" to "principal.port". - Mapped "smac" to "prinicipal.mac". - Mapped "proto" to "network.ip_protocol". - Mapped "app", "proto", "cs4", "cs4Label", "cs3", "cs3Label", "cs2", "cs2Label", "cs1", "cs1Label", "cs5", and "cs5Label" to "additional.fields". - Mapped "dst" to "target.ip". - Mapped "dpt" to "target.port". - Mapped "dmac" to "target.mac". |
| 2024-11-06 | - Newly created parser.
|