Change log for PAN_FIREWALL

2024-10-09 Enhancement:
- Added the mapping of "High Resolution Timestamp" for the auth subtype logs of SYSTEM.

2024-09-09 Enhancement:
- Added a Grok pattern in "security_result_threat_id" to parse the previously unparsed data.
- Mapped "malware_family" to "security_result.detection_fields".
- Mapped "suspicious_dns_name" to "network.dns.questions".

2024-08-22
- Modified the Grok pattern to extract values from the "description" field that contain lowercase and special characters.

2024-06-11
- Modified the Grok pattern to extract "device_version" from the "message" field.
- Mapped "device_version" to "metadata.product_version".

2024-06-05
- Updated the mapping condition for "security_result.action" for the TRAFFIC logs.
- Updated the Grok pattern to extract the IP address from the "description" field.

2024-05-22
- Added mapping for "product_version" in the CEF formatted logs.

2024-05-16
- Updated the Grok pattern to extract the userid from the "msg" field.
- Added mapping of the "app" raw log field to "target.application" for the TRAFFIC logs.
- Added support for audit event logs.

2024-04-17
- Updated "metadata.event_type" to "USER_LOGIN" where the logtype value is "System" and the message describes "Logged In" activity.

2024-03-28
- Added a new time format in the date filter.

2024-03-13
- Handled mapping of "characteristic_of_app" to "security_result.summary".

2024-02-19
- Prioritized the "High Resolution Timestamp" raw field for the mapping of "metadata.event_timestamp".

2024-02-14
- Updated the Grok pattern to extract the correct userid and IP address from the "msg" field.
- Updated the Grok pattern to extract URL and hostname from the "misc" field.

2024-01-31
- Extracted domain and userid from the "Source User" field.
- Fixed the typo in the "PanOSTimeGeneratedHighResolution" field for logs of type "GLOBALPROTECT".

2024-01-17
- Fixed the typo in the "PanOSTimeGeneratedHighResolution" field.
- Extracted "domain" and "userid" from "Source User" for the "TRAFFIC" log type.
- Updated the Grok pattern to extract URL and hostname from the "misc" field.
- Updated the Grok pattern to extract the correct user ID and IP address from the "msg" field.

2024-01-03
- Updated "metadata.event_type" to "USER_LOGIN" where the logtype value is "System" and the subtype value is "auth".
- Supported new field names for the CEF format logs for the "DECRYPTION", "GLOBALPROTECT" and "AUTHENTICATION" log types.
- Extracted all possible values from the "msg" field and mapped them accordingly.

2023-11-29
- Aligned the 'principal/target.hostname' and 'principal/target.asset.hostname' mappings.
- Added additional mappings by extracting values from the "msg" field.
- Added mappings for the raw log fields that were previously mapped to the deprecated field "noun.labels".

2023-09-20
- Updated the mapping of the "msg" field to the "metadata.description" field for the LEEF log format.

2023-09-06
- Changed the regular expression pattern to map all authentication events to "USER_LOGIN".

2023-06-28
- Updated the parser to include the "security_result.severity" field.

2023-06-14
- Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".

2023-05-02
- Changed the mapping of the "network.sent_bytes" and "network.received_bytes" fields.

2023-03-29
- The "security_result.action" field is set to "BLOCK" when the value of the raw log field "act/action" is "drop-packet".

2023-03-15
- Handled the rename failure error for "GLOBALPROTECT" type logs in CEF format.

2023-03-01
- Added mapping of the bytes sent and bytes received fields to "about.labels" if the field value is 0.

2023-02-15
- Extracted the numerical 'threat_id' from "security_result.threat_name" and mapped it to "security_result.threat_id".

2023-02-01
- Added mapping of the "Application" field to "target.application" for "THREAT" type logs in CSV format.

2022-12-09
- Handled unnecessary double quotes.

2022-11-16
- Added gsub filters to handle unnecessary double quotes.
- Changed the mapping of the 'misc' value for THREAT type logs. For the subtypes 'spyware' and 'vulnerability', the value of the 'misc' field is now mapped to both 'target.url' and 'target.file.full_path'. Also restored the 'target.hostname' mapping for the subtype 'url'.
- Added a validation check for network.session_duration.seconds.

2022-11-04
- Modified the mapping of the 'misc' field for the subtype 'spyware': the 'misc' field value is mapped to 'target.file.full_path'.

2022-10-04
- Added a condition to parse newly ingested CSV format logs.

2022-09-28
- Promoted the PAN_FIREWALL parser to default.
- For the field mapping differences, see field mapping changes.

2022-03-28 Enhancement:
- Added mappings for certain fields when the log is of type TRAFFIC/THREAT:
  - Sequence Number to event.idm.read_only_udm.metadata.product_log_id.
  - Session End Reason to event.idm.read_only_udm.security_result.summary.
  - Session ID to event.idm.read_only_udm.network.session_id.