Change log for SYMANTEC_SA
| Date | Changes |
|---|---|
| 2025-03-12 | - Newly created parser.<br>- Added a Grok pattern to parse the logs.<br>- Added a KV block to parse the logs.<br>- Mapped "mac_address" to "principal.mac".<br>- Mapped "sn" to "principal.mac".<br>- Mapped "ip" to "principal.ip" and "principal.asset.ip".<br>- Mapped "user" to "principal.user.userid".<br>- Mapped "remote_ip" to "target.ip" and "target.asset.ip".<br>- Mapped "ip_address" to "principal.ip" and "principal.asset.ip".<br>- Mapped "host" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "logmsg" to "metadata.description".<br>- Mapped "query_id" to "target.resource.attribute.labels".<br>- Mapped "action_name" to "security_result.action_details".<br>- Mapped "id" to "target.resource.id".<br>- Mapped "category" to "target.resource.type".<br>- Mapped "model" to "target.resource.name".<br>- Mapped "path" to "target.file.full_path".<br>- Mapped "evt" to "metadata.product_event_type".<br>- Mapped "m" and "c" to "additional.fields".<br>- Mapped "sequenceId" to "metadata.product_log_id".<br>- Mapped "elapsed_time" to "security_result.detection_fields".<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "event_id" to "security_result.rule_id".<br>- Mapped "event_name" to "security_result.detection_fields".<br>- Mapped "severity" to "security_result.severity".<br>- Mapped "msgs" to "metadata.description".<br>- Mapped "cs5" to "security_result.summary".<br>- Mapped "cs4" to "security_result.description".<br>- Mapped "dmac" to "target.mac".<br>- Mapped "dst" to "target.ip" and "target.asset.ip".<br>- Mapped "spt" to "principal.port".<br>- Mapped "end" and "start" to "additional.fields".<br>- Mapped "smac" to "principal.mac".<br>- Mapped "src" to "principal.ip" and "principal.asset.ip". |
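As an added example (not the SYMANTEC_SA parser's own Logstash-style code and not part of this change log), the Python below applies a subset of the mappings listed above to a constructed key=value line. It shows the shape the mappings imply: one raw key fanning out to several UDM paths (ip to principal.ip and principal.asset.ip), repeated fields collected as lists, and keys such as query_id, m and c stored as key/value label entries rather than typed fields. It also reports which keys the mapping table does not cover, which is the check you want when validating a new parser against real samples. The sample line, the KV regex and the helper names (`parse_kv`, `to_udm`) are assumptions for illustration; they are not the product's log format.

```python
import re

# Raw key -> UDM path(s), taken from the change log above (subset).
# A key with several targets is copied to each path.
UDM_MAPPING: dict[str, list[str]] = {
    "mac_address": ["principal.mac"],
    "ip": ["principal.ip", "principal.asset.ip"],
    "ip_address": ["principal.ip", "principal.asset.ip"],
    "user": ["principal.user.userid"],
    "remote_ip": ["target.ip", "target.asset.ip"],
    "host": ["principal.hostname", "principal.asset.hostname"],
    "logmsg": ["metadata.description"],
    "action_name": ["security_result.action_details"],
    "evt": ["metadata.product_event_type"],
    "version": ["metadata.product_version"],
    "severity": ["security_result.severity"],
    "src": ["principal.ip", "principal.asset.ip"],
    "dst": ["target.ip", "target.asset.ip"],
    "smac": ["principal.mac"],
    "dmac": ["target.mac"],
    "spt": ["principal.port"],
    "cs5": ["security_result.summary"],
    "cs4": ["security_result.description"],
}

# Keys that land in repeated key/value label lists instead of typed fields.
LABEL_TARGETS: dict[str, str] = {
    "query_id": "target.resource.attribute.labels",
    "m": "additional.fields",
    "c": "additional.fields",
    "start": "additional.fields",
    "end": "additional.fields",
}

# UDM paths that are repeated (list-valued); everything else is scalar.
REPEATED_PATHS = {
    "principal.ip", "principal.asset.ip", "target.ip", "target.asset.ip",
    "target.resource.attribute.labels", "additional.fields",
}

# key=value or key="quoted value" pairs (assumed KV layout, not the vendor's spec).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample line; not a real Symantec SA event.
SAMPLE_LINE = (
    'evt=login user=alice ip=10.0.0.5 remote_ip=198.51.100.7 host=laptop01 '
    'spt=443 severity=5 logmsg="User logged in" query_id=abc123 m=foo c=bar extra=1'
)


def parse_kv(line: str) -> dict[str, str]:
    """Split a line into raw key/value pairs, stripping surrounding quotes."""
    fields: dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def _set_path(doc: dict, path: str, value) -> None:
    """Assign value at a dotted path, appending when the path is repeated."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    if path in REPEATED_PATHS:
        node.setdefault(parts[-1], []).append(value)
    else:
        node[parts[-1]] = value


def to_udm(fields: dict[str, str]) -> tuple[dict, dict[str, str]]:
    """Map raw fields to a UDM-shaped dict; return it with the unmapped keys."""
    udm: dict = {}
    unmapped: dict[str, str] = {}
    for key, value in fields.items():
        if key in UDM_MAPPING:
            for path in UDM_MAPPING[key]:
                # Ports are integers in UDM; everything else stays a string here.
                _set_path(udm, path, int(value) if path.endswith(".port") else value)
        elif key in LABEL_TARGETS:
            _set_path(udm, LABEL_TARGETS[key], {"key": key, "value": value})
        else:
            unmapped[key] = value
    return udm, unmapped


if __name__ == "__main__":
    event, dropped = to_udm(parse_kv(SAMPLE_LINE))
    print(event)
    print("unmapped keys:", dropped)
```

Run it against a handful of real samples and inspect the `unmapped` output: any key appearing there is data the mapping table silently discards, which is usually the first thing to fix in a newly created parser.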