Change log for TENABLE_SC
Date | Changes |
---|---|
2025-08-11 | Enhancement:<br>- Added a grok pattern for the `msg` field.<br>- Modified the grok pattern for the `target_ips` field from `DATA` to `IP` so that it captures only IP addresses.<br>- event.idm.read_only_udm.security_result.detection_fields: Newly mapped the `facility`, `Tenable_Message_Type`, `Alert_ID_Tenable`, `AD_Object`, `Tenable_deviance_ID`, `Tenable_Profile_ID`, `Tenable_Event_ID`, `LimitMemberCount`, and `GroupMemberCount` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- event.idm.read_only_udm.target.resource.name: Newly mapped the `Forest_Name` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.<br>- event.idm.read_only_udm.target.administrative_domain: Newly mapped the `Domain_Name` raw log field to the `event.idm.read_only_udm.target.administrative_domain` UDM field.<br>- event.idm.read_only_udm.security_result.rule_name: Newly mapped the `Tenable_Codename` raw log field to the `event.idm.read_only_udm.security_result.rule_name` UDM field.<br>- event.idm.read_only_udm.security_result.severity: Newly mapped the `Severity_Level` raw log field to the `event.idm.read_only_udm.security_result.severity` UDM field.<br>- event.idm.read_only_udm.security_result.description: Newly mapped the `AD_Reason_Codename` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- event.idm.read_only_udm.target.group.group_display_name: Newly mapped the `GroupCn` raw log field to the `event.idm.read_only_udm.target.group.group_display_name` UDM field.<br>- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped the `PrivilegesPath` raw log field to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- event.idm.read_only_udm.target.resource.parent: Newly mapped the `ParentContainer` raw log field to the `event.idm.read_only_udm.target.resource.parent` UDM field. |
2025-07-21 | Enhancement:<br>- event.idm.read_only_udm.principal.application: Newly mapped the `principal_application` raw log field to the `event.idm.read_only_udm.principal.application` UDM field.<br>- event.idm.read_only_udm.security_result.severity_details: Newly mapped the `security_severity_details` raw log field to the `event.idm.read_only_udm.security_result.severity_details` UDM field.<br>- event.idm.read_only_udm.metadata.description: Newly mapped the `log_msg` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- event.idm.read_only_udm.principal.process.pid: Newly mapped the `process_id` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field.<br>- event.idm.read_only_udm.network.session_id: Newly mapped the `session_id` raw log field to the `event.idm.read_only_udm.network.session_id` UDM field.<br>- event.idm.read_only_udm.target.user.userid: Newly mapped the `target_user_id` raw log field to the `event.idm.read_only_udm.target.user.userid` UDM field.<br>- event.idm.read_only_udm.security_result.description: Newly mapped the `security_description` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- event.idm.read_only_udm.security_result.detection_fields: Newly mapped the `error_code` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped the `timestamp` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- event.idm.read_only_udm.metadata.collected_timestamp: Newly mapped the `collected_time` raw log field to the `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.<br>- event.idm.read_only_udm.metadata.product_event_type: Newly mapped the `product_event_type` raw log field to the `event.idm.read_only_udm.metadata.product_event_type` UDM field.<br>- event.idm.read_only_udm.metadata.product_version: Newly mapped the `version` raw log field to the `event.idm.read_only_udm.metadata.product_version` UDM field.<br>- event.idm.read_only_udm.about.url: Newly mapped the `uri_query` raw log field to the `event.idm.read_only_udm.about.url` UDM field.<br>- event.idm.read_only_udm.target.application: Newly mapped the `target_application` raw log field to the `event.idm.read_only_udm.target.application` UDM field.<br>- event.idm.read_only_udm.additional.fields: Newly mapped the `product` and `log_type` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- Refactored the event type classification logic to improve accuracy for `NETWORK_CONNECTION`, `USER_LOGIN`, and `STATUS_UPDATE` events.<br>- Updated the severity mapping to classify `warning` as `MEDIUM`.<br>- event.idm.read_only_udm.principal.hostname: Newly mapped the `principal_hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` UDM field.<br>- event.idm.read_only_udm.target.ip: Newly mapped the `target_ip` raw log field (extracted from `log_msg`) to the `event.idm.read_only_udm.target.ip` UDM field. |
2025-07-17 | Enhancement:<br>- Added support for the JSON+SYSLOG format.<br>- Introduced new grok patterns to extract fields from the JSON `msg` attribute.<br>- event.idm.read_only_udm.principal.asset.network_domain: Newly mapped the `domain` raw log field to the `event.idm.read_only_udm.principal.asset.network_domain` UDM field.<br>- event.idm.read_only_udm.principal.administrative_domain: Newly mapped the `admin_domain` raw log field to the `event.idm.read_only_udm.principal.administrative_domain` UDM field.<br>- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Newly mapped the `principal_ip` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip: Newly mapped the `principal_ips` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Newly mapped the `target_ip` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.asset.ip: Newly mapped the `target_ips` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- event.idm.read_only_udm.principal.user.userid: Newly mapped the `principal_userid` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname: Newly mapped the `principal_hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname: Newly mapped the `target_hostname` raw log field to the `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields.<br>- event.idm.read_only_udm.intermediary.hostname: Newly mapped the `hostname` raw log field to the `event.idm.read_only_udm.intermediary.hostname` UDM field.<br>- event.idm.read_only_udm.intermediary.process.pid: Newly mapped the `proc_id` raw log field to the `event.idm.read_only_udm.intermediary.process.pid` UDM field.<br>- event.idm.read_only_udm.intermediary.application: Newly mapped the `appname` raw log field to the `event.idm.read_only_udm.intermediary.application` UDM field.<br>- event.idm.read_only_udm.security_result.rule_type: Newly mapped the `rule_type` raw log field to the `event.idm.read_only_udm.security_result.rule_type` UDM field.<br>- event.idm.read_only_udm.security_result.action_details: Newly mapped the `security_action_details` raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- event.idm.read_only_udm.security_result.severity: Newly mapped the `security_severity` raw log field to the `event.idm.read_only_udm.security_result.severity` UDM field.<br>- event.idm.read_only_udm.security_result.threat_id: Newly mapped the `threat_id` raw log field to the `event.idm.read_only_udm.security_result.threat_id` UDM field.<br>- event.idm.read_only_udm.security_result.priority_details: Newly mapped the `priority` raw log field to the `event.idm.read_only_udm.security_result.priority_details` UDM field.<br>- event.idm.read_only_udm.metadata.description: Newly mapped the `msg` raw log field to the `event.idm.read_only_udm.metadata.description` UDM field.<br>- event.idm.read_only_udm.additional.fields: Newly mapped the `total_plugins`, `added`, `updated`, and `removed` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- event.idm.read_only_udm.target.user.userid: Added a grok pattern to extract the `target_user_id` raw log field and mapped it to the `event.idm.read_only_udm.target.user.userid` UDM field.<br>- Dynamically sets `metadata.event_type` to `NETWORK_CONNECTION`, `USER_UNCATEGORIZED`, or `STATUS_UPDATE` depending on whether the principal user/IP and target IP fields are present. |
2024-11-21 | Enhancement:<br>- Added support for a new syslog log format. |