Change log for TRELLIX_HX_ES
| Date | Changes |
|---|---|
| 2025-08-06 | Enhancement: |
| | Added an on_error check condition for the `parentProcess` raw log field before setting `has_principal_process` to `true`. |
| 2025-08-03 | Enhancement: |
| | Mapped the `timestamp` field to `event.idm.read_only_udm.metadata.event_timestamp`. |
| | Mapped the `hostname` field to `event.idm.read_only_udm.network.dns.questions.name` when it is available. |
| | Mapped the `process` field to `event.idm.read_only_udm.target.process.file.names`. |
| | Mapped the `processPath` field to `event.idm.read_only_udm.target.process.file.full_path`. |
| | Mapped the `md5` field to `event.idm.read_only_udm.target.process.file.md5`. |
| | Mapped the `processCmdLine` field to `event.idm.read_only_udm.target.process.command_line`. |
| | Mapped the `pid` field to `event.idm.read_only_udm.target.process.pid`. |
| | Mapped the `fileName` field to `event.idm.read_only_udm.target.file.names`. |
| | Mapped the `fileExtension` field to `event.idm.read_only_udm.target.file.mime_type`. |
| | Mapped `processPath` and `fileName` to `event.idm.read_only_udm.target.file.full_path` when both are available. |
| | Mapped the `fullPath` field to `event.idm.read_only_udm.principal.process.file.full_path`. |
| | Newly mapped the raw log fields `sequence_num`, `drive`, `filePath`, `devicePath`, `args`, `ipv6`, `writes`, `numBytesSeenWritten`, `lowestFileOffsetSeen`, `dataAtLowestOffset`, `textAtLowestOffset`, `closed`, `openTimeRaw`, `openDuration`, `eventReason`, `AgentId`, `data`, `hive`, `keyPath`, and `path` to `event.idm.read_only_udm.additional.fields`. |
| | Mapped the `parentPid` field to `event.idm.read_only_udm.principal.process.pid`. |
| | Mapped the `parentProcessPath` field to `event.idm.read_only_udm.principal.process.file.full_path`. |
| | Mapped the `parentProcess` field to `event.idm.read_only_udm.principal.process.parent_process.file.names`. |
| | Mapped the `parentPath` field to `event.idm.read_only_udm.principal.process.parent_process.file.full_path`. |
| | Mapped the `remoteIP` and `remoteIpAddress` fields to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`. |
| | Mapped the `localIP` field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`. |
| | Mapped the `localPort` field to `event.idm.read_only_udm.principal.port`. |
| | Mapped the `remotePort` field to `event.idm.read_only_udm.target.port`. |
| | Mapped the `requestUrl` field to `event.idm.read_only_udm.target.url`. |
| | Mapped the `urlMethod` field to `event.idm.read_only_udm.network.http.method`. |
| | Mapped the `userAgent` field to `event.idm.read_only_udm.network.http.user_agent`. |
| | Mapped the `EventType` or `eventType` field to `event.idm.read_only_udm.metadata.product_event_type`. |
| | Mapped the `proto` field to `event.idm.read_only_udm.network.application_protocol`. |
| | Mapped the `proto_version` field to `event.idm.read_only_udm.network.application_protocol_version`. |
| | Mapped the `originalPath` field to `event.idm.read_only_udm.target.registry.registry_key`. |
| | `event.idm.read_only_udm.metadata.event_type` is now set as follows (each rule applies only while the value is still the default, so the order below is the priority): |
| | If `EventID` is `7036` and both principal and target are present, updated to `SERVICE_STOP` or `SERVICE_START` based on the `param2` field. |
| | If event_type is `GENERIC_EVENT`, `principal_machine_present` is true and `has_dns` is true, updated to `NETWORK_DNS`. |
| | If event_type is `GENERIC_EVENT`, `principal_machine_present` is true and `network_application_protocol` is `HTTP`, updated to `NETWORK_HTTP`. |
| | If event_type is `GENERIC_EVENT`, `principal_machine_present` is true, `has_target_process` is true and `eventType` is `start`, updated to `PROCESS_LAUNCH`. |
| | If event_type is `GENERIC_EVENT`, `principal_machine_present` is true, `has_target_process` is true and `eventType` is `end`, updated to `PROCESS_TERMINATION`. |
| | If event_type is `GENERIC_EVENT`, `has_file` is true, `principal_machine_present` is true and `eventType` is `fileWriteEvent`, updated to `FILE_MODIFICATION`. |
| | If event_type is `GENERIC_EVENT`, `principal_machine_present` is true, `has_target_process` is true and `has_principal_process` is true, updated to `PROCESS_MODULE_LOAD`. |
| | If event_type is `GENERIC_EVENT`, `principal_machine_present` is true and `has_target_registry` is true, updated to `REGISTRY_MODIFICATION`. |
| | If event_type is `GENERIC_EVENT`, `has_target` is true and `has_principal` is true, updated to `NETWORK_CONNECTION`. |
| 2025-02-28 | Enhancement: |
| | Refreshed the parser to map all fields correctly. |
| 2024-11-28 | Enhancement: |
| | Mapped `security_result.action` based on the login status. |
| | When the login failed, mapped `security_result.category` to `AUTH_VIOLATION`. |
| | Mapped `Status`, `FailureReason`, `SubStatus`, and `LogonType` to `additional.fields`. |
| 2024-11-14 | Enhancement: |
| | Added support for a new pattern of JSON logs. |
| 2024-03-31 | Newly created parser. |
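The event_type rules from the 2025-08-03 entry, combined with the 2025-08-06 `parentProcess` check, as an added Python example (not the parser's own code): it derives the helper flags from the raw log fields the changelog maps and applies the rules in page order, so a practitioner can check which UDM event type a given raw event would receive. Which raw field feeds each flag, that `principal_machine_present` is supplied by the caller, and the `param2` values used for the 7036 rule are assumptions made for this example.

```python
# Constructed sample events (not real Trellix HX output); field names follow the mappings in the changelog.
SAMPLES = {
    "dns": {"eventType": "dnsLookupEvent", "hostname": "updates.example.internal", "proto": "HTTP"},
    "launch": {"eventType": "start", "process": "cmd.exe", "pid": 4242, "parentProcess": "explorer.exe"},
    "module_load": {"eventType": "imageLoadEvent", "process": "cmd.exe", "parentProcess": "explorer.exe"},
    "module_load_no_parent": {"eventType": "imageLoadEvent", "process": "cmd.exe"},
    "netconn": {"localIP": "10.0.0.5", "localPort": 51234, "remoteIP": "10.0.0.9", "remotePort": 443},
    "service": {"EventID": "7036", "param2": "running", "localIP": "10.0.0.5", "remoteIP": "10.0.0.9"},
}


def derive_flags(raw):
    """Derive the helper flags named in the 2025-08-03 entry; which raw field feeds each flag is assumed."""
    return {
        "has_dns": bool(raw.get("hostname")),
        "has_target_process": any(raw.get(k) for k in ("process", "processPath", "pid")),
        # 2025-08-06 change: true only when parentProcess is actually present (the on_error check)
        "has_principal_process": bool(raw.get("parentProcess")),
        "has_file": bool(raw.get("fileName")),
        "has_target_registry": bool(raw.get("originalPath")),
        "has_target": any(raw.get(k) for k in ("remoteIP", "remoteIpAddress", "remotePort")),
        "has_principal": any(raw.get(k) for k in ("localIP", "localPort")),
    }


def classify_event_type(raw, principal_machine_present=True):
    """Apply the event_type rules in page order; each fires only while event_type is still
    GENERIC_EVENT, so the order is a priority and the first matching rule wins."""
    f = derive_flags(raw)
    pm = principal_machine_present
    ev = raw.get("eventType") or raw.get("EventType")
    event_type = "GENERIC_EVENT"
    if str(raw.get("EventID")) == "7036" and f["has_principal"] and f["has_target"]:
        # param2 values "running"/"stopped" are assumed; the changelog only says "based on param2"
        event_type = "SERVICE_START" if raw.get("param2") == "running" else "SERVICE_STOP"
    rules = [
        (pm and f["has_dns"], "NETWORK_DNS"),
        (pm and raw.get("proto") == "HTTP", "NETWORK_HTTP"),
        (pm and f["has_target_process"] and ev == "start", "PROCESS_LAUNCH"),
        (pm and f["has_target_process"] and ev == "end", "PROCESS_TERMINATION"),
        (pm and f["has_file"] and ev == "fileWriteEvent", "FILE_MODIFICATION"),
        (pm and f["has_target_process"] and f["has_principal_process"], "PROCESS_MODULE_LOAD"),
        (pm and f["has_target_registry"], "REGISTRY_MODIFICATION"),
        (f["has_target"] and f["has_principal"], "NETWORK_CONNECTION"),
    ]
    for matched, udm_type in rules:
        if event_type == "GENERIC_EVENT" and matched:
            event_type = udm_type
    return event_type
```

Note that `module_load_no_parent` stays `GENERIC_EVENT`: without `parentProcess` the 2025-08-06 check leaves `has_principal_process` false, so the `PROCESS_MODULE_LOAD` rule does not fire.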