Change log for VARONIS
Date
Changes
2025-08-25
- Added a new Grok pattern to parse LEEF-format syslog logs.
2025-02-06
- Added a new Grok pattern for "LEEF" log type.
- Mapped "description" to "metadata.description".
- Mapped "usrName" to "principal.user.userid".
- Mapped "Event_Type" to "metadata.product_event_type".
- Mapped "domain" to "principal.administrative_domain".
- Mapped "proto", "cat", "Event_Additional_Data", "Event_Status", "Email_Attachment_Name", "Email_Date", "Account_of_Changed_Permissions", "Permissions_Changes", "Permissions_before_Change", and "Permissions_after_Change" to "additional.fields".
- Mapped "Affected_Object_Path" to "target.file.full_path".
- Mapped "Affected_Object" to "security_result.detection_fields".
- Mapped "src" to "principal.ip" and "principal.asset.ip".
- Mapped "Alert_ID" to "security_result.rule_id".
- Mapped "Email_Recipients" to "network.email.to".
- Mapped "Email_Item", "Mailbox_Access_by_Owner", "Threshold_Value", "Threshold_First_Timestamp", "Event_by_MailboxOwner", and "Email_Sender" to "additional.fields".
- Mapped "Email_Sender" to "network.email.from".
- Mapped "accountName" to "target.user.userid".
- Mapped "Device_Name" to "target.hostname" and "target.asset.hostname".
- Mapped "Event_Type_ID" to "metadata.product_log_id".
- Mapped "Event_File_Server_Domain" to "target.administrative_domain".
- Mapped "Alert_Page_URL" to "target.url".
- Mapped "devTime" to "metadata.event_timestamp".
- Mapped "sev" to "security_result.severity".
2022-10-08
- Added a Grok pattern for the "LEEF" log type.
- Mapped "severity" to "security_result.severity".
- Mapped "device_version" to "metadata.product_version".
- Mapped "administrative_domain" to "target.administrative_domain".
- Added conditional check for "intermediary_host".
2022-10-07
Bug-Fix:
- Mapped "rt" to "metadata.event_timestamp" if "rt" is not null.
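The 2025-02-06 and 2022-10-07 entries above list, attribute by attribute, how the LEEF parser maps Varonis fields onto UDM. The Python below is an added worked example, not the Google SecOps parser or Varonis code: it splits a syslog line carrying a LEEF 1.0 or 2.0 payload (including the optional LEEF 2.0 delimiter field, which may be a literal character or an xHH hex code) and applies the mapping table from this change log, with the "rt" rule applied only when the field is present and non-empty. The sample lines are constructed, and the bucketing of the LEEF 1-10 "sev" value into UDM severity names, the splitting of "Email_Recipients" on commas, and giving "devTime" precedence over "rt" are this example's own assumptions, not the page's.

```python
# Added example (not the Google SecOps parser or Varonis code): parse a LEEF syslog line
# and apply the UDM mapping from this change log. Samples and severity buckets are assumptions.
import re

# LEEF attribute -> UDM path(s), as listed in the 2025-02-06 entry.
LEEF_TO_UDM = {
    "description": ["metadata.description"], "usrName": ["principal.user.userid"],
    "Event_Type": ["metadata.product_event_type"], "Event_Type_ID": ["metadata.product_log_id"],
    "domain": ["principal.administrative_domain"], "src": ["principal.ip", "principal.asset.ip"],
    "Affected_Object_Path": ["target.file.full_path"], "Affected_Object": ["security_result.detection_fields"],
    "Alert_ID": ["security_result.rule_id"], "sev": ["security_result.severity"], "Alert_Page_URL": ["target.url"],
    "Email_Recipients": ["network.email.to"], "Email_Sender": ["network.email.from", "additional.fields"],
    "accountName": ["target.user.userid"], "Device_Name": ["target.hostname", "target.asset.hostname"],
    "Event_File_Server_Domain": ["target.administrative_domain"], "devTime": ["metadata.event_timestamp"],
}
# Attributes the change log routes to the additional.fields bucket.
ADDITIONAL_FIELDS = {
    "proto", "cat", "Event_Additional_Data", "Event_Status", "Email_Attachment_Name", "Email_Date",
    "Account_of_Changed_Permissions", "Permissions_Changes", "Permissions_before_Change", "Permissions_after_Change",
    "Email_Item", "Mailbox_Access_by_Owner", "Threshold_Value", "Threshold_First_Timestamp", "Event_by_MailboxOwner",
}


def parse_leef(line):
    """Split a syslog line carrying a LEEF 1.0/2.0 payload into (header, attrs)."""
    start = line.index("LEEF:")  # raises ValueError when the line carries no LEEF payload
    version, vendor, product, product_version, event_id, rest = line[start + 5:].split("|", 5)
    delim = "\t"
    if version.startswith("2."):
        # LEEF 2.0 adds a delimiter field: empty means tab, otherwise a literal char or xHH / 0xHH.
        delim_field, rest = rest.split("|", 1)
        hexcode = re.fullmatch(r"(?:0?x)([0-9A-Fa-f]{2,4})", delim_field)
        delim = chr(int(hexcode.group(1), 16)) if hexcode else (delim_field or "\t")
    attrs = {}
    for pair in rest.split(delim):
        if "=" in pair:  # split on the first '=' only; values may themselves contain '='
            key, value = pair.split("=", 1)
            attrs[key.strip()] = value.strip()
    header = {"vendor": vendor, "product": product, "product_version": product_version, "event_id": event_id}
    return header, attrs


def _set(event, path, value):
    *parents, leaf = path.split(".")
    node = event
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def _severity(raw):
    # LEEF "sev" is a 1-10 integer; the bucket thresholds here are this example's assumption.
    if not raw.isdigit():
        return "UNKNOWN_SEVERITY"
    n = int(raw)
    return "CRITICAL" if n >= 9 else "HIGH" if n >= 7 else "MEDIUM" if n >= 4 else "LOW"


def to_udm(line):
    """Build a UDM-shaped dict; attributes the change log does not name are dropped."""
    header, attrs = parse_leef(line)
    event = {"metadata": {"vendor_name": header["vendor"], "product_name": header["product"],
                          "product_version": header["product_version"]}, "additional": {"fields": {}}}
    for key, value in attrs.items():
        if not value:
            continue  # never emit empty UDM values
        dests = ["additional.fields"] if key in ADDITIONAL_FIELDS else LEEF_TO_UDM.get(key, [])
        for dest in dests:
            if dest == "additional.fields":
                event["additional"]["fields"][key] = value
            elif dest == "security_result.detection_fields":  # repeated key/value labels in UDM
                event.setdefault("security_result", {}).setdefault("detection_fields", []).append({"key": key, "value": value})
            elif dest == "security_result.severity":
                _set(event, dest, _severity(value))
            elif dest in ("network.email.to", "principal.ip", "principal.asset.ip"):  # repeated fields in UDM
                _set(event, dest, [v.strip() for v in re.split(r"[;,]", value) if v.strip()])
            else:
                _set(event, dest, value)
    # 2022-10-07 rule: "rt" feeds the timestamp only when present and non-empty;
    # letting devTime (2025-02-06 entry) win over it is this example's assumption.
    if "event_timestamp" not in event["metadata"] and attrs.get("rt"):
        event["metadata"]["event_timestamp"] = attrs["rt"]
    return event


SAMPLE_LEEF1 = (  # constructed, not real Varonis output; LEEF 1.0 with tab-delimited attributes
    "<13>Feb 06 2025 10:15:22 varonis-dsp LEEF:1.0|Varonis|DatAdvantage|8.6|Alert|devTime=2025-02-06T10:15:20Z\t"
    "usrName=jdoe\tdomain=CORP\tsrc=10.1.2.3\tsev=8\tcat=Alert\tEvent_Type=Permissions changed\tEvent_Type_ID=4112\t"
    "Device_Name=fs01\tAffected_Object_Path=\\\\fs01\\finance\\payroll.xlsx\tAffected_Object=payroll.xlsx\t"
    "Event_File_Server_Domain=CORP\taccountName=svc_backup\tAlert_ID=7751\tPermissions_before_Change=Read\t"
    "Permissions_after_Change=Full Control\tAlert_Page_URL=https://varonis.corp.example/alerts/7751\trt="
)
SAMPLE_LEEF2 = (  # constructed; LEEF 2.0 with '^' delimiter and no devTime, so rt supplies the timestamp
    "LEEF:2.0|Varonis|DatAlert|8.6|Alert|^|rt=2025-02-06T11:02:00Z^usrName=asmith^src=10.1.2.9^"
    "Event_Type=Mass email sent^Email_Sender=asmith@corp.example^Email_Recipients=ceo@corp.example, "
    "cfo@corp.example^Email_Item=Q1 forecast^sev=5"
)
```

Call `to_udm(SAMPLE_LEEF1)` and `to_udm(SAMPLE_LEEF2)` to see the two shapes: the first line exercises the 2025-02-06 mappings (dual-target fields such as "src" and "Device_Name", the "Affected_Object" detection label, the additional.fields bucket) and carries an empty "rt=" that must not overwrite "devTime"; the second has no "devTime", so the 2022-10-07 rule fills the timestamp from "rt", and shows "Email_Sender" landing in both network.email.from and additional.fields as the change log states. Keys the change log does not name are intentionally dropped here, and the header splitting assumes no "|" inside attribute values, which is the usual LEEF caveat when building Grok patterns for it.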
Last updated 2025-08-29 UTC.