Change log for SEP
Date | Changes |
---|---|
2024-10-08 | Enhancement:
- Added support for new format of syslog logs. |
2024-09-23 | Enhancement:
- Changed mapping of "rule_name" from "principal.resource.name" to "security_result.rule_name".
- Removed mapping of "principal.resource.resource_type" as "FIREWALL_RULE".
- Changed mapping of "security_result.category" from "ACL_VIOLATION" to "UNKNOWN_CATEGORY". |
2024-09-11 | Enhancement:
- Added support for array-type logs. |
2024-08-08 | - Mapped "REQUESTEDACTION" to "security_result.action_details".
- Mapped "SECONDARYACTION", "ACTUALACTION", "VIRUSNAME", and "NOOFVIRUSES" to "security_result.detection_fields".
- Mapped "SOURCE" to "additional.fields".
- Mapped "HPP_APP_HASH" to "target.file.sha256".
- Mapped "HPP_APP_NAME" to "target.file.names".
- Mapped "FILEPATH" to "target.file.full_path".
- Mapped "CLIENT_GROUP" to "target.user.group_identifiers". |
2024-06-07 | - Added support for KV format logs. |
2024-05-27 | Enhancement:
- Changed mapping of "target_file_name" from "target.file.full_path" to "target.file.names". |
2023-11-28 | Bug-Fix:
- When "event_time" is present, mapped it to "datetime". |
2023-11-08 | Bug-Fix:
- Removed mapping of "ServerName" to "target.asset.hostname" and mapped it to "intermediary.hostname".
- When "Actualaction" is "Cleaned", then mapped "security_result.action" to "BLOCK" and "is_significant" to "false".
- Added Grok pattern to parse the unparsed logs with varying patterns.
- Mapped "type", "utility-sub-type", "lang", "service-sandbox-type", "mojo-platform-channel-handle", "field-trial-handle", "disable-features" to "security_result.detection_fields".
- Mapped "target_arguments" to "read_only_udm.additional.fields".
- Mapped "user-data-dir" to "sec_result.about.file.full_path".
- Mapped "security-realm" to "security_result.summary".
- Mapped "startup-url" to "principal.url".
- Mapped "source_ip" to "target.ip".
- Mapped "action_word" to "security_result.action_details". |
2023-10-12 | Bug-Fix:
- Added Grok pattern to parse the unparsed logs with varying patterns. |
2023-04-21 | Bug-Fix:
- Changed intermediate variable names in the include files.
- Mapped "security_result.rule_name" for "File" related events. |
2023-04-10 | Enhancement:
- Handled the dropped logs with the logType "File Read", "File Write", "File Delete", or "Registry Write".
- Mapped "payload.domain_name" to "principal.administrative_domain".
- Added null check for "payload.device_id" and "event_description". |
2023-01-21 | Enhancement:
- Added conditional check for "targetComputerName", "event_description1".
- Added on_error check for "file_full_path", "GroupName", "ServerName".
- Mapped "Applicationtype" to "principal.resource.attribute.labels".
- Mapped "mail" to "target.user.email_addresses".
- Mapped "server_name_1" to "principal.hostname".
- For logtype "SEC":
- Mapped "computer" to "principal.hostname".
- Mapped "syslogServer" to "intermediary.hostname".
- Mapped "event_description" to "metadata.description".
- Added "for loop" for the logtype "SONAR", "CVE", "SEC". |
2022-11-24 | Enhancement:
- Added grok pattern to parse logs containing "SONAR detection now allowed". |
2022-11-15 | Enhancement:
- Added grok pattern to parse failed logs of type "Virus Found" and "SONAR Scan".
- Added conditional check for "Categorytype". |
2022-10-25 | Enhancement:
- Mapped "EventDescription" to "metadata.description".
- Mapped "LocalHostIP", "IPAddress", "source_ip" to "principal.ip".
- Mapped "LocalHostMAC" to "principal.mac".
- Mapped "computer" to "principal.hostname".
- Mapped "guid" to "principal.asset.asset_id".
- Mapped "DeviceID" to "principal.resource.product_object_id".
- Mapped "Filesize" to "target.file.size".
- Mapped "SHA256" to "target.file.sha256".
- Mapped "User1" to "principal.user.userid".
- Mapped "file_path" to "target.file.full_path".
- Mapped "GroupName" to "principal.group.group_display_name".
- Mapped "action_word" to "security_result.action_details".
- Mapped "Begin" to "vulnerabilities.scan_start_time".
- Mapped "EndTime" to "vulnerabilities.scan_end_time".
- Mapped "ScanID" to "principal.process.product_specific_process_id".
- Mapped "inter_host" to "intermediary.hostname".
- Mapped "inter_ip" to "intermediary.ip".
- Mapped "ActionType" to "additional.fields".
- Mapped "Rule" to "security_result.rule_name". |
2022-10-10 | - Mapped "category" to "security_result.category_details".
- Mapped "CIDS Signature ID" to "target.resource.attribute.labels".
- Mapped "CIDS Signature SubID" to "target.resource.attribute.labels".
- Mapped "CIDS Signature string" to "target.resource.attribute.labels".
- Mapped "Intrusion URL" to "principal.url".
- Mapped "User Name" to "principal.user.userid".
- Mapped "Actual action" to "security_result.action_details".
- Mapped "Application hash" to "target.file.sha256".
- Mapped "Application name" to "target.application".
- Mapped "Application type" to "target.resource.attribute.labels".
- Mapped "Certificate issuer" to "network.tls.server.certificate.issuer".
- Mapped "Certificate serial number" to "network.tls.server.certificate.serial".
- Mapped "Certificate signer" to "network.tls.server.certificate.subject".
- Mapped "Certificate thumbprint" to "network.tls.server.certificate.sha256".
- Mapped "Secondary action" to "target.resource.attribute.labels".
- Mapped "First Seen" to "security_result.detection_fields".
- Mapped "Risk Name" to "security_result.detection_fields".
- Mapped "Risk Type" to "security_result.detection_fields".
- Mapped "Permitted application reason" to "security_result.detection_fields".
- Mapped "Company name" to "target.user.company_name".
- Mapped "Computer name" to "principal.hostname".
- Mapped "Server Name" to "principal.asset.network_domain".
- Mapped "Confidence" to "security_result.description".
- Mapped "Detection Type" to "security_result.summary".
- Mapped "Group Name" to "principal.group.group_display_name".
- Mapped "Risk Level" to "security_result.severity_details".
- Mapped "File size (bytes)" to "target.file.size". |
2022-09-21 | Enhancement:
- Migrated custom parsers to default parser. |
2022-08-12 | Enhancement:
- Modified grok pattern to parse the logs.
- Handled the dropped logs and mapped them to valid event_types.
- Dropped logs had the following logType values, which are now handled: "REP", "SubmissionsMan", "SYLINK", "IPS", "SONAR", "SEC", "CVE", "LiveUpdate Manager; Messages related to definition updates", "Antivirus detection submission".
- New conditions "msg1" containing "Create Process|GUP|RebootManager|Smc|WSS|Network Intrusion|Mitigation System" are handled.
- event_description containing "client-server activity logs|Got a valid certificate.|Replication .*from remote site|The database|received the client log successfully".
- Added a new code block to handle the logTypes REP, SONAR, CVE, GUP, Smc, and WSS so that they parse.
- Changed event type from "GENERIC_EVENT" to "STATUS_UPDATE", "USER_UNCATEGORIZED", "NETWORK_CONNECTION", "STATUS_UNCATEGORIZED" wherever possible.
- Mapped "eventDescription" to "metadata.description".
- Mapped "hostName" to "principal.hostname".
- Mapped "machineDomainName" to "principal.administrative_domain".
- Mapped "domainName" to "target.administrative_domain".
- Mapped "serverName" to "intermediary.hostname".
- Mapped "userName" to "principal.user.userid".
- Mapped "siteName" to "read_only_udm.additional.fields". |
2022-07-26 | For logs that have messageTmp as Site, mapped the following fields:
- Mapped "eventDescription" to "metadata.description".
- Mapped "hostName" to "target.hostname".
- Mapped "machineDomainName" to "target.administrative_domain".
- Mapped "domainName" to "principal.administrative_domain".
- Mapped "serverName" to "principal.hostname".
- Mapped "userName" to "principal.user.userid".
- Mapped "siteName" to "read_only_udm.additional.fields". |
2022-05-11 | Parsed Event Timestamp log entries with the format "yyyy-MM-dd HH:mm:ss". |