Change log for TRENDMICRO_STELLAR
Date | Changes |
---|---|
2025-04-16 | Enhancement:
- Added Grok patterns to parse log-format variants.
- Mapped the `dst` raw log field to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`.
- Mapped the `src` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.
- Mapped the `dvc` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` (so `principal.ip` may carry both the `src` and the `dvc` address).
- Set "has_user" to "true" when both `event.idm.read_only_udm.principal.user.userid` and `event.idm.read_only_udm.target.user.user` are present. |
2025-02-12 | Enhancement:
- Added support to parse the unparsed logs. |
2025-01-23 | Enhancement:
- Added a Grok pattern to parse the logs.
- Mapped "eventTime" to "metadata.event_timestamp".
- Mapped "start" to "metadata.event_timestamp".
- Mapped "severity" to "security_result.severity".
- Mapped "event_id" to "metadata.product_log_id".
- Set "security_result.action" when "event_id" is in ["5888", "8193", "5377", "8194"].
- Mapped "event_name" to "metadata.product_event_type".
- Mapped "serverIP" to "intermediary.hostname".
- Changed "metadata.event_type" when "event_id" is in ["5888", "4609", "523", "8197", "8214", "8209", "8211"]. |
2024-12-05 | Enhancement:
- Mapped "sourceIP" to "principal.ip" and "principal.asset.ip".
- Mapped "fileHashAllowed" to "target.file.sha256".
- Mapped "programHash" to "target.file.sha256".
- Mapped "certificate" to "network.tls.client.certificate.issuer".
- Mapped "programSize" to "principal.process.file.size".
- Mapped "programPath" to "principal.process.file.full_path".
- Mapped "domain" to "principal.administrative_domain". |
2024-11-21 | Newly created parser. |
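The field-to-UDM mappings listed in the change log, applied to a constructed sample, as an added example. This is not the Google SecOps parser itself (that is a Grok/mutate configuration) and not Trend Micro's code; it is a Python approximation useful for checking what a given raw line should produce. Assumptions not stated on the page and marked as such in the code: the raw lines are `key=value` pairs, the timestamp format is `YYYY-MM-DD HH:MM:SS` in UTC, severity is uppercased to the UDM enum, and the concrete `security_result.action` / `metadata.event_type` values chosen per `event_id` are placeholders, since the change log only says which IDs drive them.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real Trend Micro output) in an assumed key=value shape.
SAMPLE_LOGS = [
    'eventTime="2025-04-10 08:15:22" event_id=8193 event_name="Application blocked" '
    'severity=high src=10.1.2.3 dst=203.0.113.7 dvc=10.1.2.200 serverIP=10.1.2.250 '
    'programPath="C:\\Temp\\tool.exe" programSize=40960 '
    'programHash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 domain=CORP',
    'start="2025-04-10 08:16:01" event_id=5377 event_name="Policy applied" severity=low '
    'dvc=10.1.2.201 serverIP=10.1.2.250',
]

# key=value tokenizer; values may be double-quoted (spaces allowed) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Event IDs the change log says drive these UDM fields. The concrete values are
# NOT given on the page; the ones below are assumed placeholders for illustration.
ACTION_BY_EVENT_ID = {"5888": "BLOCK", "8193": "BLOCK", "5377": "ALLOW", "8194": "BLOCK"}
EVENT_TYPE_BY_EVENT_ID = {
    "5888": "SCAN_FILE", "4609": "STATUS_UPDATE", "523": "STATUS_UPDATE",
    "8197": "SCAN_FILE", "8214": "STATUS_UPDATE", "8209": "STATUS_UPDATE",
    "8211": "STATUS_UPDATE",
}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed raw timestamp format, interpreted as UTC


def parse_kv(line: str) -> dict:
    """Split one raw line into a dict of raw field names to string values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def to_udm(raw: dict) -> dict:
    """Apply the change-log mappings; keys are dotted UDM paths, repeated fields are lists."""
    udm = {}
    # eventTime feeds metadata.event_timestamp, with start as the fallback source.
    ts_raw = raw.get("eventTime") or raw.get("start")
    if ts_raw:
        ts = datetime.strptime(ts_raw, TS_FORMAT).replace(tzinfo=timezone.utc)
        udm["metadata.event_timestamp"] = ts.isoformat()
    if "event_id" in raw:
        udm["metadata.product_log_id"] = raw["event_id"]
        action = ACTION_BY_EVENT_ID.get(raw["event_id"])
        if action:
            udm["security_result.action"] = [action]
        udm["metadata.event_type"] = EVENT_TYPE_BY_EVENT_ID.get(raw["event_id"], "GENERIC_EVENT")
    if "event_name" in raw:
        udm["metadata.product_event_type"] = raw["event_name"]
    if "severity" in raw:
        udm["security_result.severity"] = raw["severity"].upper()  # assumed normalization
    # sourceIP, src and dvc all feed principal.ip / principal.asset.ip (repeated fields),
    # so a line carrying both src and dvc yields two addresses; duplicates are collapsed.
    principal_ips = list(dict.fromkeys(raw[k] for k in ("sourceIP", "src", "dvc") if k in raw))
    if principal_ips:
        udm["principal.ip"] = principal_ips
        udm["principal.asset.ip"] = list(principal_ips)
    if "dst" in raw:
        udm["target.ip"] = [raw["dst"]]
        udm["target.asset.ip"] = [raw["dst"]]
    if "serverIP" in raw:
        udm["intermediary.hostname"] = raw["serverIP"]
    # File and process attributes from the 2024-12-05 entry.
    sha = raw.get("fileHashAllowed") or raw.get("programHash")
    if sha:
        udm["target.file.sha256"] = sha.lower()
    if "programSize" in raw:
        udm["principal.process.file.size"] = int(raw["programSize"])
    if "programPath" in raw:
        udm["principal.process.file.full_path"] = raw["programPath"]
    if "certificate" in raw:
        udm["network.tls.client.certificate.issuer"] = raw["certificate"]
    if "domain" in raw:
        udm["principal.administrative_domain"] = raw["domain"]
    return udm


def parse_all(lines=SAMPLE_LOGS) -> list:
    """Parse and map every sample line; returns one UDM dict per line."""
    return [to_udm(parse_kv(line)) for line in lines]


if __name__ == "__main__":
    for event in parse_all():
        for key in sorted(event):
            print(f"{key} = {event[key]!r}")
        print("---")
```

Running it against the two constructed lines shows the point worth checking in a real deployment: the first line lands both the `src` and the `dvc` address in `principal.ip`, because the change log maps both raw fields there, so any detection keyed on `principal.ip` must expect the sensor's own address alongside the client's.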