Change log for TRIPWIRE_FIM
2025-06-30 | Enhancement:
- Added Grok patterns to parse the `msg` field from the raw logs.
- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `file_path` raw log field with `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `user_id` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.security_result.summary: Newly mapped `summary` raw log field with `event.idm.read_only_udm.security_result.summary` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `host` raw log field with `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseChangeType` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseElementId` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseElementName` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseNodeType` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseRule` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseRuleId` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `TripwireEnterpriseRuleType` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `TripwireEnterpriseSeverity` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `TripwireEnterpriseSeverityRange` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.metadata.url_back_to_product: Newly mapped `TripwireEnterpriseUrl` raw log field with `event.idm.read_only_udm.metadata.url_back_to_product` UDM field.
- event.idm.read_only_udm.target.file.sha1: Newly mapped `TripwireEnterpriseVersionSha1` raw log field with `event.idm.read_only_udm.target.file.sha1` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `deviceExternalId` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.target.file.size: Newly mapped `fsize` raw log field with `event.idm.read_only_udm.target.file.size` UDM field.

2025-06-02 | Enhancement:
- Modified the grok patterns in order to extract hostname.
- event.idm.read_only_udm.observer.hostname: Newly mapped `hstname` raw log field with `event.idm.read_only_udm.observer.hostname` UDM field.
- event.idm.read_only_udm.observer.asset.hostname: Newly mapped `hstname` raw log field with `event.idm.read_only_udm.observer.asset.hostname` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseIds` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseLogLevel` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `TripwireEnterpriseNodeId` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.target.ip: Newly mapped `src` raw log field with `event.idm.read_only_udm.target.ip` UDM field.
- event.idm.read_only_udm.target.asset.ip: Newly mapped `src` raw log field with `event.idm.read_only_udm.target.asset.ip` UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `cat` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `suser` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.observer.resource.attribute.labels: Newly mapped `deviceFacility` raw log field with `event.idm.read_only_udm.observer.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `externalId` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `shost` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped `shost` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `dvc` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `duser` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.target.application: Newly mapped `application` raw log field with `event.idm.read_only_udm.target.application` UDM field.
- event.idm.read_only_udm.target.labels: Newly mapped `processes` raw log field with `event.idm.read_only_udm.target.labels` UDM field.

2024-11-07 | Bug-Fix:
- Initialized "cs4Label" to null.
- Set "additional_cs4.key" to "cs4" if "cs4Label" is null.
- Set "additional_cs4.value" to "cs4Label" if "cs4Label" is not null.

2023-06-21 | Enhancement:
- Added gsub to handle CEF format logs.

2023-06-07 | Enhancement:
- Added a Grok pattern to handle CEF formatted logs.
2022-06-14 | Bug-Fix:
- Added a new grok to parse "HKEY_" type logs without a space between registry_key and value.
- Added a validation check for target_hostname or target_ip prior to mapping event_type to NETWORK_CONNECTION.
- Added a null check for username prior to mapping to UDM.
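The CEF-handling entries (2023-06-07, 2023-06-21) and the 2024-11-07 cs4Label fix describe parser logic without showing it. The following is an added example, not the parser's own code, of splitting a CEF line into header and extension fields and turning a csN/csNLabel pair into a key/value label with a null-safe fallback. The sample lines are constructed, the Tripwire field names in them are taken from the changelog, and the example assumes the standard CEF convention that csNLabel names the csN value.

```python
import re
from typing import Optional

# Constructed sample lines (not from the original page). One carries a cs4Label,
# the other does not, which is the case the 2024-11-07 fix had to handle.
SAMPLE_WITH_LABEL = ("CEF:0|Tripwire|Enterprise|9.0|CHANGE|File modified|5|"
                     "deviceExternalId=node-01 fsize=4096 "
                     "cs4Label=TripwireEnterpriseRule cs4=Critical System Files")
SAMPLE_WITHOUT_LABEL = ("CEF:0|Tripwire|Enterprise|9.0|CHANGE|File modified|5|"
                        "cs4=Critical System Files fsize=12")

HEADER_KEYS = ["cef_version", "vendor", "product", "version",
               "signature_id", "name", "severity"]


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields and a dict of extension pairs."""
    # Header fields are '|'-separated; a literal '|' inside a field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_KEYS, [p.replace("\\|", "|") for p in parts[:7]]))
    # Extension values may contain spaces, so only split on whitespace that is
    # immediately followed by the next 'key=' token.
    extension = {}
    for token in re.split(r"\s+(?=[\w.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = value.replace("\\=", "=")
    return {"header": header, "extension": extension}


def map_custom_string(extension: dict, n: int) -> Optional[dict]:
    """Build the {key, value} label for csN; key falls back to 'csN' when csNLabel is null."""
    value = extension.get(f"cs{n}")
    if value is None:
        return None  # nothing to map when the custom string itself is absent
    label = extension.get(f"cs{n}Label")  # None models the null-initialised csNLabel
    return {"key": label if label is not None else f"cs{n}", "value": value}


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_LABEL, SAMPLE_WITHOUT_LABEL):
        parsed = parse_cef(sample)
        print(parsed["header"]["severity"], map_custom_string(parsed["extension"], 4))
```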