Change log for RADWARE_FIREWALL

Date Changes
2025-05-15 Enhancement:
- Added gsub to replace `\"\\$\"` with `$`, `\\\\\"` and `\"\\..\"` with an empty string, `"%"` with `\\\"%\\\"`, and `"="` with `\\\"=\\\"`.
- Added a Grok pattern to extract "x_forwarded_for_ip" from "request" raw log field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Newly mapped `x_forwarded_for_ip` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
2025-05-14 Enhancement:
- Added gsub function to replace character to parse the JSON logs `json_message` field.
- Replaced `">` with `">`.
- Replaced `="` with `='`.
- Replaced `=',` with `=",`.
- Replaced `"""` with ``.
- Replaced `\\s"\\s` with ``.
- Added GROK pattern to parse the JSON logs containing malformed characters.
- Added gsub function to replace `\\\\\\\\r\\\\\\\\n"`, `"\\\\r\\\\n"` and `\\r\\n` with `,` on `request_data` field.
- Added gsub function to remove `\\"` on `role` field.
- Added kv filter on `request` field.
- event.idm.read_only_udm.additional.fields: Newly mapped `apikey`, `canary`, `client-version`, `content-type`, `client-request-id`, `X-RDWR-APP-ID`, `X-RDWR-IP`, `X-RDWR-PORT`, `X-RDWR-PORT-MM`, `X-RDWR-PORT-MM-ORIG-FE-PORT`, `hpgrequestid`, `accept-language`, `purpose`, `upload-time`, `site` and `headers` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.additional.fields: Converted `totalVolume` and `totalPackets` raw log fields to strings, then mapped them with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `client-request-id`, `client-id`, `category`, `policy_id`, `signature_pattern`, `status` and `violation_reason` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.network.http.user_agent, event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped `user-agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` and `event.idm.read_only_udm.network.http.parsed_user_agent` UDM fields.
- event.idm.read_only_udm.network.http.user_agent, event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped `User-Agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` and `event.idm.read_only_udm.network.http.parsed_user_agent` UDM fields.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `ID` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Newly mapped `destinationIP` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Newly mapped `sourceIP` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.security_result.description: Newly mapped `name` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `time` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.principal.location.country_or_region: Newly mapped `country_code` raw log field with `event.idm.read_only_udm.principal.location.country_or_region` UDM field.
- event.idm.read_only_udm.principal.application: Newly mapped `application_name` raw log field with `event.idm.read_only_udm.principal.application` UDM field.
- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Newly mapped `ip` raw log field with `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.
- event.idm.read_only_udm.network.session_id: Newly mapped `session_cookie` raw log field with `event.idm.read_only_udm.network.session_id` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `tid` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped `url` raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.network.http.user_agent, event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped `ua` raw log field with `event.idm.read_only_udm.network.http.user_agent` and `event.idm.read_only_udm.network.http.parsed_user_agent` UDM fields.
- event.idm.read_only_udm.security_result.action: Newly mapped `sec_action` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.
- Set `sec_action` to `ALLOW` if `action` matches `(?i)allow`.
- Set `sec_action` to `BLOCK` if `action` matches `(?i)deny`.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `bot_category` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.network.ip_protocol: Newly mapped `protocol` raw log field with `event.idm.read_only_udm.network.ip_protocol` UDM field.
- Added a conditional check to drop malformed logs.
- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Newly mapped `externalIp` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped `Referer` raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped `referrer` raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM field.
2025-05-07 Enhancement:
- Added support for new pattern of SYSLOG+KV logs.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `date` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.security_result.severity: Newly mapped `sev` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- event.idm.read_only_udm.principal.asset.hostname: Newly mapped `hostname` raw log field with `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `hostip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `hostip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.target.hostname: Newly mapped `host` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped `host` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.
- event.idm.read_only_udm.network.session_duration.seconds: Newly mapped `time` raw log field with `event.idm.read_only_udm.network.session_duration.seconds` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `et`, `total_bytes`, `blocked_bytes`, `passive_bytes`, `clean_bytes`, `tunnel_name` and `tunnel_id` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
2025-05-06 Enhancement:
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `message_severity` raw log field with `event.idm.read_only_udm.security_result.severity_details` UDM field.
- event.idm.read_only_udm.network.sent_bytes: Newly mapped `sent_bytes` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- event.idm.read_only_udm.security_result.severity: Newly mapped `severity` raw log field with `event.idm.read_only_udm.security_result.severity` UDM field.
- event.idm.read_only_udm.metadata.description: Newly mapped `rule_id` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `product` raw log field with `event.idm.read_only_udm.metadata.product_event_type` UDM field.
- event.idm.read_only_udm.metadata.action_details: Newly mapped `action` raw log field with `event.idm.read_only_udm.metadata.action_details` UDM field.
2025-04-25 Enhancement:
- `JSON`: Added support for `JSON` format.
- subevent.idm.read_only_udm.sec_result.action, subevent.idm.read_only_udm.sec_result.action_details: Newly mapped `action` raw log field with `subevent.idm.read_only_udm.sec_result.action` UDM field and `subevent.idm.read_only_udm.sec_result.action_details` UDM field.
- subevent.idm.read_only_udm.additional.fields: Newly mapped `application_id`, `accept_language`, `cookie`, `request`, `received_timestamp`, `tenant_name` and `x-forwarded-for` raw log fields with `subevent.idm.read_only_udm.additional.fields` UDM field.
- subevent.idm.read_only_udm.principal.application: Newly mapped `application_name` raw log field with `subevent.idm.read_only_udm.principal.application` UDM field.
- subevent.idm.read_only_udm.principal.location.country_or_region: Newly mapped `country_code` raw log field with `subevent.idm.read_only_udm.principal.location.country_or_region` UDM field.
- subevent.idm.read_only_udm.target.ip, subevent.idm.read_only_udm.target.asset.ip: Newly mapped `destination_ip` raw log field with `subevent.idm.read_only_udm.target.ip` and `subevent.idm.read_only_udm.target.asset.ip` UDM fields.
- subevent.idm.read_only_udm.target.port: Newly mapped `destination_port` raw log field with `subevent.idm.read_only_udm.target.port` UDM field.
- subevent.idm.read_only_udm.principal.process.file.full_path: Newly mapped `directory` raw log field with `subevent.idm.read_only_udm.principal.process.file.full_path` UDM field.
- subevent.idm.read_only_udm.principal.hostname, subevent.idm.read_only_udm.principal.asset.hostname: Newly mapped `host` raw log field with `subevent.idm.read_only_udm.principal.hostname` and `subevent.idm.read_only_udm.principal.asset.hostname` UDM fields.
- subevent.idm.read_only_udm.network.sent_bytes: Newly mapped `http_bytes_in` raw log field with `subevent.idm.read_only_udm.network.sent_bytes` UDM field.
- subevent.idm.read_only_udm.network.received_bytes: Newly mapped `http_bytes_out` raw log field with `subevent.idm.read_only_udm.network.received_bytes` UDM field.
- subevent.idm.read_only_udm.network.http.method: Newly mapped `http_method` raw log field with `subevent.idm.read_only_udm.network.http.method` UDM field.
- subevent.idm.read_only_udm.network.application_protocol: Newly mapped `protocol` raw log field with `subevent.idm.read_only_udm.network.application_protocol` UDM field.
- subevent.idm.read_only_udm.network.http.referral_url: Newly mapped `referrer` raw log field with `subevent.idm.read_only_udm.network.http.referral_url` UDM field.
- subevent.idm.read_only_udm.network.http.response_code: Newly mapped `response_code` raw log field with `subevent.idm.read_only_udm.network.http.response_code` UDM field.
- subevent.idm.read_only_udm.principal.ip, subevent.idm.read_only_udm.principal.asset.ip: Newly mapped `source_ip` raw log field with `subevent.idm.read_only_udm.principal.ip` and `subevent.idm.read_only_udm.principal.asset.ip` UDM fields.
- subevent.idm.read_only_udm.principal.port: Newly mapped `source_port` raw log field with `subevent.idm.read_only_udm.principal.port` UDM field.
- subevent.idm.read_only_udm.metadata.event_timestamp: Newly mapped `time` raw log field with `subevent.idm.read_only_udm.metadata.event_timestamp` UDM field, supporting the `dd/MMM/yyyy:HH:mm:ss.SSS Z` and `dd/MMMM/yyyy:HH:mm:ss.SSS Z` formats.
- subevent.idm.read_only_udm.network.http.user_agent: Newly mapped `user_agent` raw log field with `subevent.idm.read_only_udm.network.http.user_agent` UDM field.
- subevent.idm.read_only_udm.metadata.vendor_name: Set vendor_name to Radware.
- subevent.idm.read_only_udm.metadata.event_type: Implemented logic to set the event_type based on the presence of principal, target and network data.
- Added a conditional check to determine whether the log is a JSON array of events.
- Added a drop condition to drop malformed logs.
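The 2025-04-25 and 2025-05-14 entries above state the normalization rules only in prose. What follows is an added Python reimplementation of the core steps (not the parser's own code): the JSON-array check, the drop condition for malformed logs, the two `time` formats, and the `(?i)allow`/`(?i)deny` rule for the security_result action. The sample event and the event_type rule are assumptions made for this example.

```python
import json
import re
from datetime import datetime

# Constructed sample events (field names from the changelog, values made up).
SAMPLE_BATCH = json.dumps([
    {"time": "25/Apr/2025:10:15:30.123 +0000", "source_ip": "203.0.113.10",
     "destination_ip": "198.51.100.5", "action": "Deny", "user_agent": "curl/8.0"},
    {"time": "not-a-timestamp", "source_ip": "203.0.113.11"},  # malformed, dropped
])

# dd/MMM/yyyy:HH:mm:ss.SSS Z and dd/MMMM/yyyy:HH:mm:ss.SSS Z as strptime formats.
TIME_FORMATS = ("%d/%b/%Y:%H:%M:%S.%f %z", "%d/%B/%Y:%H:%M:%S.%f %z")

def parse_time(value):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except (ValueError, TypeError):
            continue
    return None

def normalize_action(action):
    """Map the raw action to a UDM action the way the 2025-05-14 entry describes."""
    if re.search(r"(?i)allow", action or ""):
        return "ALLOW"
    if re.search(r"(?i)deny", action or ""):
        return "BLOCK"
    return None

def to_udm(event):
    """Return a flat dict of UDM fields, or None when the log is malformed."""
    ts = parse_time(event.get("time"))
    if ts is None:
        return None  # drop condition: no usable timestamp
    udm = {"metadata.vendor_name": "Radware", "metadata.event_timestamp": ts.isoformat()}
    for raw, targets in {"source_ip": ("principal.ip", "principal.asset.ip"),
                         "destination_ip": ("target.ip", "target.asset.ip"),
                         "user_agent": ("network.http.user_agent",)}.items():
        for target in targets if raw in event else ():
            udm[target] = event[raw]
    if "action" in event:
        udm["security_result.action_details"] = event["action"]
        udm["security_result.action"] = normalize_action(event["action"])
    # Assumed rule: a connection event only when both endpoints are present.
    has_both = "principal.ip" in udm and "target.ip" in udm
    udm["metadata.event_type"] = "NETWORK_CONNECTION" if has_both else "GENERIC_EVENT"
    return udm

def normalize(raw_json):
    """Accept a single JSON object or a JSON array of events; drop malformed ones."""
    parsed = json.loads(raw_json)
    events = parsed if isinstance(parsed, list) else [parsed]
    return [u for u in (to_udm(e) for e in events) if u is not None]
```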
2025-04-05 Enhancement:
- Added a Grok pattern to parse SYSLOG logs.
2025-02-11 Enhancement:
- Mapped "applicationName" to "principal.application".
- Mapped "action" to "security_result.action_details".
- Mapped "appPath" to "principal.file.full_path".
- Mapped "destinationIp" to "target.ip" and "target.asset.ip".
- Mapped "destinationPort" to "target.port".
- Mapped "directory" to "principal.process.file.full_path".
- Mapped "enrichmentContainer.geoLocation.countryCode" to "principal.location.country_or_region".
- Mapped "enrichmentContainer.contractId" to "additional.fields".
- Mapped "applicationId" to "additional.fields".
- Mapped "tenant" to "additional.fields".
- Mapped "owaspCategory2021" to "additional.fields".
- Mapped "externalIp" to "intermediary.ip".
- Mapped "host" to "principal.hostname".
- Mapped "method" to "network.http.method".
- Mapped "passive" to "additional.fields".
- Mapped "protocol" to "network.application_protocol".
- Mapped "request" to "additional.fields".
- Mapped "role" to "principal.user.role_name".
- Mapped "security" to "additional.fields".
- Mapped "sourceIp" to ""principal.ip" and "principal.asset.ip".
- Mapped "sourcePort" to "principal.port".
- Mapped "targetModule" to "additional.fields".
- Mapped "title" to "metadata.description".
- Mapped "transId" to "additional.fields".
- Mapped "URI" to "target.file.full_path".
- Mapped "user" to "principal.user.role_description".
- Mapped "vhost" to "security_result.detection_fields".
- Mapped "violationCategory" to "additional.fields".
- Mapped "violationDetails" to "security_result.summary".
- Mapped "violationType" to "security_result.description".
- Mapped "webApp" to "additional.fields".
- Mapped "severity" to "security_result.severity".
- Mapped "paramName" to "additional.fields".
- Mapped "paramValue" to "additional.fields".
- Mapped "paramType" to "additional.fields".
- Mapped "receivedTimeStamp" to "metadata.event_timestamp".
2024-09-17 Enhancement:
- Added support to map all "src_ip" to "principal.ip" and "principal.asset.ip".
- Added support to map all "dst_ip" to "target.ip" and "target.asset.ip".
2024-07-23 Enhancement:
- Added Grok patterns to parse a new pattern of syslog logs.
2024-06-18 Enhancement:
- Reordered the Grok patterns to optimize the parsing time.
2024-06-11 Enhancement:
- Added Grok patterns to parse unparsed logs.
2023-12-08 Enhancement:
- Modified a Grok pattern to properly parse "src_ip".
2023-11-23 Enhancement:
- Added new Grok patterns to support new unparsed pattern of SYSLOGS.
- Added support for new date pattern of "ts".
- Initialized "attack_type", "attack_desc", "protocol_number_src", "security_result", "action", "product" to null.
- Added null check to "product" before mapping to "event.idm.read_only_udm.metadata.product_name".
- Added null check to "rule_id" before mapping to "event.idm.read_only_udm.security_result.rule_id".
- Added null check to "attack_desc" before mapping to "event.idm.read_only_udm.security_result.description".
- Added null check to "attack_type" before mapping to "event.idm.read_only_udm.security_result.threat_name".
- Mapped "username" to "event.idm.read_only_udm.principal.user.userid".
- Mapped "command" to "event.idm.read_only_udm.principal.process.command_line"
- Mapped "description" to "event.idm.read_only_udm.security_result.description".
- Mapped "intermediary_ip" to "event.idm.read_only_udm.intermediary.ip".