Change log for THINKST_CANARY

Date | Changes
2025-06-26 Enhancement:
- Added Grok patterns to parse the unparsed logs.
- Replaced "thinkst_canary_udm_host_port_scan_event.include", "thinkst_canary_udm_canary_disconnected_reconnected_event.include", "thinkst_canary_udm_custom_tcp_service_request_event.include", "thinkst_canary_udm_ssh_login_attempt_event.include", "thinkst_canary_udm_ftp_telnet_login_attempt_event.include", "thinkst_canary_udm_canary_settings_changed_event.include", "thinkst_canary_udm_http_page_load_event.include" with the actual code.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped the `Request`, `Command`, `PasswordHash`, `NTPCommand`, `Key`, `Salt`, `Password`, `ClientHash`, `connection`, `accept`, `FunctionName`, `FunctionData`, `TCPBannerID`, `IncidentHash`, `accept-encoding`, `VNCServerChallenge`, `VNCClientResponse`, `VNCPassword`, `Settings`, `LoginType` raw log fields with the `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.target.resource.name: Newly mapped the `Database` raw log field to the `event.idm.read_only_udm.target.resource.name` UDM field.
- event.idm.read_only_udm.network.ftp.command: Newly mapped the `Action` raw log field to the `event.idm.read_only_udm.network.ftp.command` UDM field.
- event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped the `DistinguishedName` raw log field to the `event.idm.read_only_udm.principal.user.group_identifiers` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped the `Path` and `URL` raw log fields to the `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped the `ShareName`, `SMBVersion`, `CanaryID` raw log fields to the `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- Added KV block to extract values from the Headers field.
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped the `ReverseDNS` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.
- event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Newly mapped the `CanaryPublicIP` raw log field to the `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped the `User` raw log field to the `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- event.idm.read_only_udm.target.resource.product_object_id: Newly mapped the `EC2InstanceID` raw log field to the `event.idm.read_only_udm.target.resource.product_object_id` UDM field.
- event.idm.read_only_udm.target.location.country_or_region: Newly mapped the `EC2Region` raw log field to the `event.idm.read_only_udm.target.location.country_or_region` UDM field.
- event.idm.read_only_udm.principal.administrative_domain: Newly mapped the `Domain` raw log field to the `event.idm.read_only_udm.principal.administrative_domain` UDM field.
- event.idm.read_only_udm.target.files.names: Newly mapped the `RemoteSMBName` raw log field to the `event.idm.read_only_udm.target.files.names` UDM field.
- event.idm.read_only_udm.security_result.action: Newly mapped the `Success` raw log field to the `event.idm.read_only_udm.security_result.action` UDM field as `ALLOW` when `Success` is true and `BLOCK` when `Success` is false.
- event.idm.read_only_udm.target.location.name: Newly mapped the `CanaryLocation` raw log field to the `event.idm.read_only_udm.target.location.name` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped the `Username` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.security_result.description: Newly mapped the `BackgroundContext` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.
- Added null condition check for all the fields.
- Added on_error to all the mutate replace blocks.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped the `User-Agent` raw log field to the `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.target.file.full_path: Newly mapped the `Filename` raw log field to the `event.idm.read_only_udm.target.file.full_path` UDM field.
- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped the `ThinkstCanary_Hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.
- event.idm.read_only_udm.principal.application: Newly mapped the `ThinkstCanary_Process` raw log field to the `event.idm.read_only_udm.principal.application` UDM field.
- Removed redundant code for '_dst_hostname', 'CanaryIP', '_src_host_reverse', '_dst_host' and 'User-Agent'.
2025-02-26 Enhancement:
- When "_md_product_event_type" is "Host port scan", "description.logtype" is mapped to "security_result.detection_fields".
2025-02-04 Enhancement:
- When "_md_product_event_type" is "Host port scan" or "Custom TCP Service Request", "description.logtype" is mapped to "security_result.detection_fields".
2024-07-17 Enhancement:
- Added support for the following events: "Remote registry connection", "Canarytoken triggered", "File share connection", "RDP connection made", and "Canary settings changed".
2024-07-03 Enhancement:
- Added support for "dns" logs.
2024-05-10 Enhancement:
- Added support for "Flock Settings Changed" events.
- If the value of "_md_product_event_type" is "Flock Settings Changed", added a Grok pattern to extract "user_id" from the field "elem.SETTINGS".
- Mapped "user_id" to "principal.user.userid".
2024-03-05 Enhancement:
- Added support for "SIP Request" events.
- Added support for "TFTP Request" events.
- Mapped "hash_id" to "principal.file.sha1".
- Mapped "HEADERS.user-agent" to "network.http.user_agent".
- Mapped "description.node_id" to "principal.resource.attribute.labels".
- Mapped "description.flock_id" to "principal.resource.attribute.labels".
- Mapped "description.flock_name" to "principal.resource.attribute.labels".
- Mapped "description.logtype" to "security_result.detection_fields".
- Mapped "description.events_count" to "security_result.detection_fields".
- Mapped "HEADERS.allow" to "security_result.detection_fields".
- Mapped "HEADERS.call-id" to "security_result.detection_fields".
- Mapped "HEADERS.contact" to "security_result.detection_fields".
- Mapped "HEADERS.sip" to "security_result.detection_fields".
- Mapped "HEADERS.cseq" to "security_result.detection_fields".
- Mapped "HEADERS.expires" to "security_result.detection_fields".
- Mapped "HEADERS.from" to "security_result.detection_fields".
- Mapped "HEADERS.to" to "security_result.detection_fields".
- Mapped "HEADERS.max-forwards" to "security_result.detection_fields".
2023-12-08 Enhancement:
- Since all "THINKST_CANARY" alerts are "critical" by default, set "is_alert" to "true" for all events.
- Since all "THINKST_CANARY" alerts are "critical" by default, set "is_significant" to "true" for all events.
- Since all "THINKST_CANARY" alerts are "critical" by default, set "security_result.severity" to "CRITICAL" for all events.
- Added support for "NMAP OS Scan Detected" events.
2023-12-07 Enhancement:
- Added support for "WinRM Login Attempt", "Telnet Login Attempt", "NMAP OS Scan Detected", "Redis Command" events.
- Added support to parse the new pattern of "_metadata_event_timestamp" and "_event_time".
2023-09-15 Enhancement:
- Added support for 'VNC Login Attempt' events.
2023-08-04 Bug Fix:
The following changes have been made for Canarytoken triggered events:
- Mapped to a more specific event_type, for example "NETWORK_CONNECTION".
- As "resource.id" is deprecated, mapped "canarytoken" to "principal.resource.product_object_id".
- Also set "event.idm.is_alert" to "true" for the given event.
- Set "security_result.category" to "NETWORK_SUSPICIOUS".
2023-05-12 Bug Fix:
- Added support for logs having "description.summary"="MSSQL Login Attempt" and mapped "event_type" to "USER_LOGIN".
2022-12-04 Bug Fix:
- Added support for "HTTP Login Attempt", "FTP Login Attempt", "Website Scan", "Console Settings Changed", "RDP Login Attempt".