Change log for THREATLOCKER

| Date | Changes |
|------------|---------|
| 2023-06-18 | Bug fix: modified the Grok pattern to fetch the source IP address and destination IP address from "fp" when "at" is "network". |
| 2023-05-24 | Enhancement:<br>- Modified the mapping of "security_result.outcomes.key" to "Monitor mode status", with the value "monitor mode on" or "monitor mode off".<br>- Added mapping of "s256" to "target.file.sha256" and "target.process.file.sha256".<br>- When "at" is "network", mapped "metadata.event_type" to "NETWORK_CONNECTION" and "fp" to "target.hostname", "target.ip" and "target.port".<br>- When "at" is "execute" or "install", mapped "metadata.event_type" to "PROCESS_LAUNCH" and "fp" to "target.process.file.full_path".<br>- When "at" is "newprocess", mapped "metadata.event_type" to "PROCESS_OPEN" and "fp" to "target.process.file.full_path".<br>- When "at" is "write", mapped "metadata.event_type" to "FILE_MODIFICATION" and "fp" to "target.file.full_path".<br>- When "at" is "read", mapped "metadata.event_type" to "FILE_READ" and "fp" to "target.file.full_path".<br>- When "at" is "delete", mapped "metadata.event_type" to "FILE_DELETION" and "fp" to "target.file.full_path".<br>- When "at" is "move", mapped "metadata.event_type" to "FILE_MODIFICATION" and "fp" to "target.file.full_path".<br>- When "at" is "registry", mapped "metadata.event_type" to "REGISTRY_UNCATEGORIZED" and "fp" to "target.registry.registry_key". |
| 2022-12-16 | Newly created parser. |
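The mapping rules above are easiest to check with a small executable model. The following is an added example, not Chronicle's or ThreatLocker's parser code: it reproduces the "at" / "fp" / "s256" dispatch from the 2023-05-24 entry and the source/destination address extraction the 2023-06-18 fix addresses. Everything about the raw format is assumed, since the page does not show it: the line is treated as space-separated key=value pairs (values may be double-quoted), an "fp" value for "at=network" is taken to look like "<host-or-ip>:<port>", and monitor mode is taken to arrive in a field named "monitor_mode". The sample lines are constructed.

```python
"""Added example, not Chronicle's or ThreatLocker's own parser code: a Python
model of the "at" / "fp" / "s256" mapping described in the change log.
Assumed (not stated on the page): key=value raw format, "<host-or-ip>:<port>"
form of fp for at=network, and a "monitor_mode" source field."""
import ipaddress
import re

# at value -> (metadata.event_type, UDM field that receives fp), per the 2023-05-24 entry
AT_MAPPING = {
    "execute":    ("PROCESS_LAUNCH",         "target.process.file.full_path"),
    "install":    ("PROCESS_LAUNCH",         "target.process.file.full_path"),
    "newprocess": ("PROCESS_OPEN",           "target.process.file.full_path"),
    "write":      ("FILE_MODIFICATION",      "target.file.full_path"),
    "read":       ("FILE_READ",              "target.file.full_path"),
    "delete":     ("FILE_DELETION",          "target.file.full_path"),
    "move":       ("FILE_MODIFICATION",      "target.file.full_path"),
    "registry":   ("REGISTRY_UNCATEGORIZED", "target.registry.registry_key"),
}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')      # assumed raw format
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_kv(line):
    """Stand-in for the Grok stage: extract key=value pairs from one raw line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def map_network_fp(fp, udm):
    """Split the assumed "<host-or-ip>:<port>" form into target.ip or
    target.hostname plus target.port. A bare IP literal (including IPv6
    without brackets) carries no port; bracketed IPv6 is "[addr]:port"."""
    try:
        ipaddress.ip_address(fp)
        udm["target.ip"] = fp
        return
    except ValueError:
        pass
    host, sep, port = fp.rpartition(":")
    if not sep or not port.isdigit():
        host, port = fp, None
    host = host.strip("[]")
    try:
        ipaddress.ip_address(host)
        udm["target.ip"] = host
    except ValueError:
        udm["target.hostname"] = host
    if port is not None:
        udm["target.port"] = int(port)


def to_udm(record):
    """Apply the change-log mapping to one extracted record."""
    udm = {}
    at = record.get("at", "").lower()
    fp = record.get("fp")
    if at == "network":
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
        if fp:
            map_network_fp(fp, udm)
    elif at in AT_MAPPING:
        event_type, fp_field = AT_MAPPING[at]
        udm["metadata.event_type"] = event_type
        if fp:
            udm[fp_field] = fp
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"  # assumed fallback; the page does not say
    s256 = record.get("s256")
    if s256 and SHA256_RE.match(s256):  # only a real 64-hex digest lands in the hash fields
        udm["target.file.sha256"] = s256.lower()
        udm["target.process.file.sha256"] = s256.lower()
    mode = record.get("monitor_mode")  # assumed source field name
    if mode is not None:
        udm["security_result.outcomes.key"] = "Monitor mode status"
        on = str(mode).lower() in ("1", "true", "on")
        udm["security_result.outcomes.value"] = "monitor mode on" if on else "monitor mode off"
    return udm


def parse_line(line):
    return to_udm(parse_kv(line))


# Constructed sample lines, not real ThreatLocker output
SAMPLE_LINES = [
    'at=network fp=10.0.0.5:443 monitor_mode=on',
    'at=network fp=[2001:db8::1]:8443',
    'at=network fp=updates.example.com:80',
    'at=execute fp="C:\\Windows\\System32\\cmd.exe" s256=' + "a" * 64,
    'at=registry fp="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"',
    'at=write fp="C:\\Users\\Public\\dropper.exe" s256=not-a-hash',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

The hash check is the part worth keeping when adapting this to a real parser: a malformed "s256" value silently copied into "target.file.sha256" breaks hash-based joins and IOC matching downstream, so the model drops it rather than passing it through.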