Change log for SYMANTEC_WSS
Date | Changes |
---|---|
2024-11-24 | Enhancement: added support to handle unparsed syslog logs. |
2024-09-24 | Enhancement: added support to handle JSON logs that were previously parsed as "GENERIC_EVENT". |
2024-08-07 | Enhancement: added support to handle unparsed JSON logs. |
2024-05-31 | Enhancement: when "when" is empty, "device_time" and "log_time" are mapped to "metadata.event_timestamp". |
2024-01-23 | Enhancement: modified a few Grok patterns to parse additional requested fields; mapped "device_name" to "target.hostname" and "target.asset.hostname"; mapped "hostname" to "principal.hostname" and "principal.asset.hostname"; mapped "target_ip" to "target.ip" and "target.asset.ip"; mapped "result" to "security_result.action_details"; mapped "product_data.x-client-device-id" and "device_id" to "target.resource.product_object_id"; set "metadata.event_type" to "NETWORK_CONNECTION" when "has_principal" and "has_target" are both "true". |
2023-06-19 | Bug fix: parsed JSON logs; mapped "proxy_connection.src_ip" to "intermediary.ip"; mapped "connection.protocol_version" to "tls.version"; mapped "user.full_name" to "user.user_display_name"; mapped "connection.dst_location.country" to "target.location.country_or_region"; mapped "ref_uid" to "metadata.product_log_id"; mapped "network.ip_protocol" for the "TCP" field; set the event type to "NETWORK_UNCATEGORIZED" for events without "target.host" and "target.ip"; parsed "device_time" as a UNIX timestamp. |
2023-01-31 | Enhancement: mapped "product_data.x-client-device-name" to "src.hostname"; mapped "connection.src_ip" to "src.ip". |
2022-08-29 | Enhancement: added a Grok pattern to parse syslog logs; mapped "supplier_country" to "principal.location.country_or_region"; added conditional checks for the fields "product_data.x-cs-connection-negotiated-cipher", "product_data.x-bluecoat-transaction-uuid", "product_data.r-supplier-country", "product_ver", "product_data.x-cs-client-ip-country" and "product_name"; added an error check for the field "product_data.sc-filter-result"; mapped "src_ip" to "principal.ip"; mapped "uri_scheme" to "network.application_protocol"; mapped "uuid" to "metadata.product_log_id"; mapped "cs_connection_negotiated_cipher" to "network.tls.cipher"; mapped "certificate_hostname" to "tls.client.server_name"; mapped "cs_ssl_version" to "network.tls.version_protocol"; mapped "certificate_validate" to "network.tls.server.certificate.subject"; mapped "cs_icap_status" to "security_result.description"; mapped "sent_bytes" to "network.sent_bytes"; mapped "received_bytes" to "network.received_bytes"; mapped "device_name" to "target.resource.name"; mapped "device_id" to "target.resource.id"; mapped "agent_type" to "observer.application"; mapped "os_version" to "observer.platform_version"; mapped "s_action" to "metadata.description". |
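The conditional rules in the 2023-06-19, 2024-01-23 and 2024-05-31 entries (timestamp fallback when "when" is empty, UNIX-epoch parsing of "device_time", and the event-type decision from principal/target presence) are easier to check against sample input than to read as prose. The block below is an added Python model of those rules; it is not the parser's own Grok/Logstash configuration and is not taken from this page. The flat source-field names (hostname, device_name, target_ip, device_time, log_time, when), the GENERIC_EVENT fallback for a target without a principal, and the sample log lines are all assumptions made for the illustration; the UDM paths are the ones the change log names.

```python
"""Added illustration (not the SYMANTEC_WSS parser's own configuration): a
Python model of the mapping rules recorded in the 2023-06-19, 2024-01-23 and
2024-05-31 change-log entries, run over constructed sample events."""
import json
from datetime import datetime, timezone

# Source-field -> UDM-path mappings taken from the change log. The flat source
# names on the left are an assumption about what the parser extracts per event.
FLAT_MAP = {
    "hostname": ("principal.hostname", "principal.asset.hostname"),
    "device_name": ("target.hostname", "target.asset.hostname"),
    "target_ip": ("target.ip", "target.asset.ip"),
    "result": ("security_result.action_details",),
    "device_id": ("target.resource.product_object_id",),
    "ref_uid": ("metadata.product_log_id",),
}
NESTED_MAP = {
    "proxy_connection.src_ip": "intermediary.ip",
    "connection.protocol_version": "tls.version",
    "user.full_name": "user.user_display_name",
    "connection.dst_location.country": "target.location.country_or_region",
}


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def set_path(obj, dotted, value):
    """Create intermediate dicts so "a.b.c" becomes obj["a"]["b"]["c"]."""
    keys = dotted.split(".")
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value


def parse_timestamp(value):
    """Accept a UNIX epoch (int or digit string, per the 2023-06-19 entry) or an
    ISO-8601 string; return a UTC ISO-8601 string, or None for empty input."""
    if value in (None, ""):
        return None
    if isinstance(value, int) or (isinstance(value, str) and value.isdigit()):
        return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed.astimezone(timezone.utc).isoformat()


def to_udm(event):
    """Apply the change-log rules to one parsed event and return the UDM dict."""
    udm = {}
    for source, targets in FLAT_MAP.items():
        value = event.get(source)
        if value not in (None, ""):
            for target in targets:
                set_path(udm, target, value)
    for source, target in NESTED_MAP.items():
        value = get_path(event, source)
        if value not in (None, ""):
            set_path(udm, target, value)

    # 2024-05-31: "when" wins; when it is empty fall back to device_time, then log_time.
    for source in ("when", "device_time", "log_time"):
        stamp = parse_timestamp(event.get(source))
        if stamp:
            set_path(udm, "metadata.event_timestamp", stamp)
            break

    # 2024-01-23: principal + target => NETWORK_CONNECTION.
    # 2023-06-19: no target hostname and no target IP => NETWORK_UNCATEGORIZED.
    # A target without a principal is not covered by the change log; this model
    # assumes GENERIC_EVENT for that case.
    has_principal = get_path(udm, "principal.hostname") is not None
    has_target = (get_path(udm, "target.hostname") is not None
                  or get_path(udm, "target.ip") is not None)
    if has_principal and has_target:
        event_type = "NETWORK_CONNECTION"
    elif not has_target:
        event_type = "NETWORK_UNCATEGORIZED"
    else:
        event_type = "GENERIC_EVENT"
    set_path(udm, "metadata.event_type", event_type)
    return udm


def parse_line(line):
    """Parse one raw JSON log line into UDM; non-JSON input yields None here
    (the 2024-08-07 entry says unparsed JSON is handled, but not how)."""
    try:
        return to_udm(json.loads(line))
    except json.JSONDecodeError:
        return None


# Constructed sample lines, not real Symantec WSS output.
SAMPLE_LINES = [
    json.dumps({"hostname": "laptop-17", "device_name": "wss-gw-01",
                "target_ip": "203.0.113.10", "device_time": 1717149600,
                "ref_uid": "evt-001", "result": "allowed",
                "proxy_connection": {"src_ip": "198.51.100.7"},
                "connection": {"protocol_version": "TLSv1.3",
                               "dst_location": {"country": "US"}},
                "user": {"full_name": "Ada Lovelace"}}),
    json.dumps({"hostname": "laptop-18", "when": "",
                "log_time": "2024-05-31T10:00:00Z"}),
    "not json at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(parse_line(line), indent=2))
```

The first sample exercises the NETWORK_CONNECTION path and the epoch parse of "device_time"; the second has an empty "when", so the timestamp comes from "log_time" and, with no target hostname or IP, the event lands as NETWORK_UNCATEGORIZED.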