Change log for SYMANTEC_WSS
2025-07-11 (Enhancement)
- Removed the gsub from the "message" field.
- Added a gsub to replace "\\%20" with " " on the "msg" field.
- Added a date filter to correctly populate the "when" field.
- Modified a Grok pattern to parse the "rule_name1" field.
- Added a Grok pattern on the "msg" field.
- Added a gsub on the "rule_name1" field to replace "^\"|\"$" with "".
- Newly mapped the `rule_name1` field to the `event.idm.read_only_udm.security_result.rule_name` UDM field.
- Newly mapped the `time_taken` field to the `event.idm.read_only_udm.network.session_duration.seconds` UDM field.
- Newly mapped the `content_type`, `rs_negotiated_cipher_size` and `architecture_` fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- Newly mapped the `hostname_categories` field to the `event.idm.read_only_udm.additional.fields` UDM field.
- Added a conditional check: if "os_name" nearly equals "macOS", then "event.idm.read_only_udm.target.asset.platform_software.platform" is mapped to "MAC".
2025-07-09 (Enhancement)
- Added Grok patterns to parse the new format of syslog logs.
- Newly mapped the "x_bluecoat_location_name" raw log field to the "event.idm.read_only_udm.target.ip_geo_artifact.location.name" UDM field.
- Newly mapped the "x_bluecoat_location_id" raw log field to the "event.idm.read_only_udm.target.resource.product_object_id" UDM field.
2025-06-25 (Enhancement)
- Added a conditional check before using gsub to replace "\\%20" with " ".
- Modified a Grok pattern to parse the raw log.
- Added a Grok pattern on the "uuid" field.
- Newly mapped the `intermediary_ip` field to the `event.idm.read_only_udm.intermediary.ip` UDM field.
- Newly mapped the `session_id` field to the `event.idm.read_only_udm.network.session_id` UDM field.
- Moved the merge block for `event.idm.read_only_udm.intermediary` from line number 827 to line number 1981 so that the "intermediary.application" mapping is populated.
2025-02-25 (Enhancement)
- Mapped "application_name" from "cs_uri_path" to "target.application".
2025-02-06 (Enhancement)
- Added a Grok pattern to parse the unparsed logs.
2025-01-02 (Enhancement)
- If "host" is not an IP address, mapped the "host" field to "target.url".
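The entries for 2025-07-11 and 2025-01-02 describe normalization steps that are easy to get subtly wrong in a parser: decoding the escaped "%20" sequences in "msg", stripping the surrounding quotes from "rule_name1" before it lands in `security_result.rule_name`, converting "time_taken" into `session_duration.seconds`, the "macOS" platform check, and the IP-versus-hostname decision for "host". The following Python is an added illustration, not the SYMANTEC_WSS parser's own code (which is a Chronicle parser configuration, not Python); it mirrors those steps on a constructed sample record. The field names come from the change log; the sample values, the "YYYY-MM-DD HH:MM:SS" format assumed for "when", and the reading of "nearly equals macOS" as a case- and space-insensitive match are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample record. Field names follow the change log entries; the
# values are made up for illustration and do not come from a real WSS log.
SAMPLE_EVENT = {
    "when": "2025-07-11 13:45:10",
    "msg": "Blocked\\%20by\\%20policy",       # raw value contains the literal \%20
    "rule_name1": '"Malware Sources"',        # raw value is wrapped in quotes
    "time_taken": "1250",
    "os_name": "macOS",
    "host": "example.com",
    "content_type": "text/html",
    "rs_negotiated_cipher_size": "256",
    "architecture_": "x86_64",
    "hostname_categories": "Technology/Internet",
}

# Same expression as the gsub in the 2025-07-11 entry: a quote at the start
# or at the end of the value.
_QUOTE_EDGES = re.compile(r'^"|"$')


def decode_msg(msg):
    """Replace the literal sequence \\%20 with a space, as the gsub on "msg" does."""
    return msg.replace("\\%20", " ")


def strip_rule_quotes(value):
    """Remove a leading and a trailing double quote from rule_name1."""
    return _QUOTE_EDGES.sub("", value)


def parse_when(value):
    # Assumption: "when" is "YYYY-MM-DD HH:MM:SS" in UTC. The real date filter's
    # format string is not stated in the change log.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def platform_from_os_name(os_name):
    # Assumption: "nearly equals macOS" is read as a case-insensitive comparison
    # with spaces removed, so "Mac OS" and "macos" also map to MAC.
    return "MAC" if os_name.replace(" ", "").lower() == "macos" else None


def is_ip_address(value):
    """True for a syntactically valid IPv4 or IPv6 address, False otherwise."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalize_wss_event(raw):
    """Build a UDM-shaped dict from a raw record using the change-log mappings."""
    udm = {"metadata": {}, "security_result": {}, "network": {}, "target": {}, "additional": {}}

    udm["metadata"]["event_timestamp"] = parse_when(raw["when"]).isoformat()
    udm["metadata"]["description"] = decode_msg(raw["msg"])

    udm["security_result"]["rule_name"] = strip_rule_quotes(raw["rule_name1"])
    # detection_fields is a list of key/value pairs in UDM.
    udm["security_result"]["detection_fields"] = [
        {"key": name, "value": raw[name]}
        for name in ("content_type", "rs_negotiated_cipher_size", "architecture_")
        if name in raw
    ]
    udm["additional"]["fields"] = [{"key": "hostname_categories", "value": raw["hostname_categories"]}]

    udm["network"]["session_duration"] = {"seconds": int(raw["time_taken"])}

    platform = platform_from_os_name(raw.get("os_name", ""))
    if platform:
        udm["target"]["asset"] = {"platform_software": {"platform": platform}}

    # 2025-01-02 entry: only a non-IP "host" becomes target.url; the change log
    # says nothing about the IP case, so it is left untouched here.
    if not is_ip_address(raw["host"]):
        udm["target"]["url"] = raw["host"]
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_wss_event(SAMPLE_EVENT), indent=2))
```

The quote stripping matters for detection content: a rule name stored as `"Malware Sources"` with the quotes included will not match a rule that compares `security_result.rule_name` against the unquoted name.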
2024-11-24 (Enhancement)
- Added support to handle the unparsed syslog logs.
2024-09-24 (Enhancement)
- Added support to handle JSON logs that were parsing as "GENERIC_EVENT".
2024-08-07 (Enhancement)
- Added support to handle the unparsed JSON logs.
2024-05-31 (Enhancement)
- When "when" is empty, mapped "device_time" and "log_time" to "metadata.event_timestamp".
2024-01-23 (Enhancement)
- Modified a few Grok patterns to parse additional requested fields.
- Mapped "device_name" to "target.hostname" and "target.asset.hostname".
- Mapped "hostname" to "principal.hostname" and "principal.asset.hostname".
- Mapped "target_ip" to "target.ip" and "target.asset.ip".
- Mapped "result" to "security_result.action_details".
- Mapped "product_data.x-client-device-id" and "device_id" to "target.resource.product_object_id".
- If "has_principal" is "true" and "has_target" is "true", set "metadata.event_type" to "NETWORK_CONNECTION".
2023-06-19 (Bug-fix)
- Parsed JSON logs.
- Mapped "proxy_connection.src_ip" to "intermediary.ip".
- Mapped "connection.protocol_version" to "tls.version".
- Mapped "user.full_name" to "user.user_display_name".
- Mapped "connection.dst_location.country" to "target.location.country_or_region".
- Mapped "ref_uid" to "metadata.product_log_id".
- Mapped "network.ip_protocol" for the "TCP" field.
- Mapped events without "target.host" and "target.ip" to the "NETWORK_UNCATEGORIZED" event type.
- Parsed the UNIX timestamp in the "device_time" field.
2023-01-31 (Enhancement)
- Mapped "product_data.x-client-device-name" to "src.hostname".
- Mapped "connection.src_ip" to "src.ip".
2022-08-29 (Enhancement)
- Added a Grok pattern to parse syslog logs.
- Mapped field "supplier_country" to "principal.location.country_or_region".
- Added conditional checks for the fields "product_data.x-cs-connection-negotiated-cipher", "product_data.x-bluecoat-transaction-uuid", "product_data.r-supplier-country", "product_ver", "product_data.x-cs-client-ip-country" and "product_name".
- Added an error check for the field "product_data.sc-filter-result".
- Mapped field "src_ip" to "principal.ip".
- Mapped field "uri_scheme" to "network.application_protocol".
- Mapped field "uuid" to "metadata.product_log_id".
- Mapped field "cs_connection_negotiated_cipher" to "network.tls.cipher".
- Mapped field "certificate_hostname" to "tls.client.server_name".
- Mapped field "cs_ssl_version" to "network.tls.version_protocol".
- Mapped field "certificate_validate" to "network.tls.server.certificate.subject".
- Mapped field "cs_icap_status" to "security_result.description".
- Mapped field "sent_bytes" to "network.sent_bytes".
- Mapped field "received_bytes" to "network.received_bytes".
- Mapped field "device_name" to "target.resource.name".
- Mapped field "device_id" to "target.resource.id".
- Mapped field "agent_type" to "observer.application".
- Mapped field "os_version" to "observer.platform_version".
- Mapped field "s_action" to "metadata.description".