Change log for THREATLOCKER
2023-06-18
- Bug-Fix: Modified the Grok pattern to fetch the source IP address and destination IP address for "fp" when "at" is "network".

2023-05-24
- Enhancement: Modified the mapping of "security_result.outcomes.key" to "Monitor mode status", with the value mapped to "monitor mode on" or "monitor mode off".
- Added mapping of "s256" to "target.file.sha256" and "target.process.file.sha256".
- When "at" is "network", mapped "metadata.event_type" to "NETWORK_CONNECTION" and "fp" to "target.hostname", "target.ip" and "target.port".
- When "at" is "execute" or "install", mapped "metadata.event_type" to "PROCESS_LAUNCH" and "fp" to "target.process.file.full_path".
- When "at" is "newprocess", mapped "metadata.event_type" to "PROCESS_OPEN" and "fp" to "target.process.file.full_path".
- When "at" is "write", mapped "metadata.event_type" to "FILE_MODIFICATION" and "fp" to "target.file.full_path".
- When "at" is "read", mapped "metadata.event_type" to "FILE_READ" and "fp" to "target.file.full_path".
- When "at" is "delete", mapped "metadata.event_type" to "FILE_DELETION" and "fp" to "target.file.full_path".
- When "at" is "move", mapped "metadata.event_type" to "FILE_MODIFICATION" and "fp" to "target.file.full_path".
- When "at" is "registry", mapped "metadata.event_type" to "REGISTRY_UNCATEGORIZED" and "fp" to "target.registry.registry_key".
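The 2023-05-24 entries above describe one dispatch: the "at" action selects the UDM event type and decides which target field receives "fp". The following is an added illustration in plain Python, not the Chronicle parser's own code; it assumes raw events arrive as a dict with "at", "fp" and "s256" keys, that a "network" value of "fp" has the form "<host-or-ip>:<port>", and that an unknown action falls back to GENERIC_EVENT (the page does not state the fallback).

```python
import ipaddress

# Assumed (not from the page): "at" values map to UDM event types as listed in
# the 2023-05-24 changelog entry; anything else falls back to GENERIC_EVENT.
EVENT_TYPE_BY_ACTION = {
    "network": "NETWORK_CONNECTION",
    "execute": "PROCESS_LAUNCH",
    "install": "PROCESS_LAUNCH",
    "newprocess": "PROCESS_OPEN",
    "write": "FILE_MODIFICATION",
    "read": "FILE_READ",
    "delete": "FILE_DELETION",
    "move": "FILE_MODIFICATION",
    "registry": "REGISTRY_UNCATEGORIZED",
}


def _network_target(fp):
    """Split the assumed "<host-or-ip>:<port>" form of "fp" for network events.
    A parseable IP goes to target.ip, anything else to target.hostname."""
    host, sep, port = fp.rpartition(":")
    if not sep:
        host, port = fp, None
    out = {}
    try:
        out["target.ip"] = str(ipaddress.ip_address(host))
    except ValueError:
        out["target.hostname"] = host
    if port is not None and port.isdigit():
        out["target.port"] = int(port)
    return out


def map_event(raw):
    """Map a raw ThreatLocker-style record (constructed dict) to flat UDM keys."""
    action = raw.get("at")
    udm = {"metadata.event_type": EVENT_TYPE_BY_ACTION.get(action, "GENERIC_EVENT")}
    fp = raw.get("fp")
    if fp:
        if action == "network":
            udm.update(_network_target(fp))
        elif action in ("execute", "install", "newprocess"):
            udm["target.process.file.full_path"] = fp
        elif action == "registry":
            udm["target.registry.registry_key"] = fp
        elif action in EVENT_TYPE_BY_ACTION:  # write, read, delete, move
            udm["target.file.full_path"] = fp
    s256 = raw.get("s256")
    if s256:  # s256 lands on both file and process file hashes
        udm["target.file.sha256"] = s256
        udm["target.process.file.sha256"] = s256
    return udm
```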
The THREATLOCKER parser was initially created on December 16, 2022.
Last updated 2025-03-13 UTC.