Change log for WATCHGUARD
Date | Changes |
---|---|
2024-09-24 | Enhancement:<br>- Added a JSON pattern to parse previously unparsed logs.<br>- Mapped "USERNAME" to "principal.user.userid".<br>- Mapped "DEST_PORT" to "target.port".<br>- Mapped "PROTOCOL_TR" to "network.ip_protocol".<br>- Mapped "DEST_INTERFACE" to "target.resource.attributes.labels".<br>- Mapped "SOURCE_INTERFACE" to "principal.resource.attributes.labels".<br>- Mapped "SOURCE_PORT" to "principal.port".<br>- Mapped "PRIVATE_IP" to "target.ip".<br>- Mapped "SOURCE_IP" to "principal.ip".<br>- Mapped "DEST_IP" to "target.ip".<br>- Mapped "COMMON_REPORT_NAME", "DOMAIN", "IENAME", "FACILITY", "MESSAGESTART", "POLICY_ID", "ARCHIVETYPE", "MESSAGELEN", "OPERATION", "IEGROUP", "ESID", and "PACK_HEADER_LEN" to "additional.fields".<br>- Mapped "SEVERITY" to "security_result.severity_details". |
2024-07-02 | Enhancement:<br>- Modified a Grok pattern to parse new fields.<br>- Modified a few Grok patterns to parse the new formats of "identified_log".<br>- Added a Grok pattern to parse "identified_log" where "msg_id" is "1600-0066".<br>- Mapped "area", "interface_name", and "network_name" to "additional.fields".<br>- Mapped "virtual_ip" to "intermediary.ip".<br>- Mapped "flags" to "security_result.detection_fields".<br>- Mapped "duration" to "network.session_duration.seconds".<br>- Mapped "sent_pkts" to "network.sent_packets".<br>- Mapped "rcvd_pkts" to "network.received_packets".<br>- Removed the mappings of "src_host" to "principal.hostname" and "dst_host" to "target.hostname". |
2023-12-03 | Enhancement:<br>- Modified a Grok pattern to parse new fields.<br>- Modified a few Grok patterns to parse new formats of "identified_log".<br>- Added a Grok pattern to parse "identified_log" where "msg_id" is "1600-0066". |
2023-11-27 | Enhancement:<br>- Mapped "signature_name" to "additional.fields" for logs where "msg_id" is "3000-0150".<br>- Mapped "signature_id" and "signature_cat" to "additional.fields". |
2023-11-24 | Enhancement:<br>- Modified a few Grok patterns to parse new fields.<br>- Mapped "firewallname" to "event.idm.read_only_udm.intermediary.hostname".<br>- Mapped "firewall_id" to "event.idm.read_only_udm.intermediary.asset_id".<br>- Mapped "prin_host" to "event.idm.read_only_udm.intermediary.labels". |
2023-11-10 | Enhancement:<br>- Removed redundant code.<br>- Mapped "signature_name" to "additional.fields". |
2023-09-28 | Bug-fix:<br>- Modified the "date" filter to support the following formats: "yyyy-MM-dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", and "yyyy-MM-ddTHH:mm:ss". |
2023-05-25 | Bug-fix:<br>- Changed the mapping of "src_vpn_ip" from "principal.ip" to "target.ip" for the event "Received DPD message from target host through gateway". |
2023-05-04 | Enhancement:<br>- Added Grok patterns to handle unparsed logs with the event names 'dnsmasq', 'dhcpd', 'iked', and 'admd'. |
2023-01-20 | Enhancement:<br>- Added a Grok pattern to handle unparsed logs.<br>- Mapped "dst_port" to "target.port".<br>- Mapped "src_port" to "principal.port".<br>- Mapped "rcvd_bytes" to "network.received_bytes".<br>- Mapped "geo_src" to "principal.location.country_or_region".<br>- Mapped "geo_dst" to "target.location.country_or_region".<br>- Mapped "prin_host" to "principal.hostname".<br>- Added conditional checks for "dhcp_type", "intermediary_host", and "protocol".<br>- For "msg_id" equal to "1600-0066": added a Grok pattern and mapped "description" to "metadata.description".<br>- For "msg_id" equal to "2DFF-0000": mapped "proxy_act" to "security_result.rule_name". |
2022-12-17 | Enhancement:<br>- Mapped the firewall name to "principal.asset_id" for logs containing "Member1".<br>- Changed "event_type" from "SERVICE_MODIFICATION" to "NETWORK_CONNECTION".<br>- Mapped "src_user" to "principal.user.email_addresses" if it is an email address, otherwise to "principal.user.user_display_name". |
2022-12-16 | Enhancement:<br>- Added a Grok pattern to handle unparsed logs with the event name 'firewall'.<br>- Reduced the number of events that fall through to the GENERIC_EVENT type. |
2022-11-16 | Enhancement:<br>- Mapped 'reason' to 'security_result.action_details'.<br>- Added a Grok pattern to handle unparsed logs with the event name 'firewall'.<br>- Added conditional blocks to parse logs with the event names 'loggerd', 'sigd', 'sessiond', 'admd', and 'iked'. |
2022-11-07 | Bug-fix:<br>- Changed the mapping of the path taken from the HTTP header from 'target.file.full_path' to 'target.url'. |
2022-06-17 | Enhancement:<br>- Parsed logs with events related to "firewall", "http-proxy", and "https-proxy". |
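The rows above list raw-field-to-UDM mappings without showing the parsing that produces them. The following is an added example, not the Google SecOps WatchGuard parser itself: a small Python normalizer that applies a subset of those mappings (the 2024-09-24 JSON key map and its "additional.fields" bucket, the timestamp formats from the 2023-09-28 fix, the port, geo and received-bytes mappings from 2023-01-20, the "firewallname" to "intermediary.hostname" mapping from 2023-11-24, and the 2022-12-17 "src_user" email rule and NETWORK_CONNECTION event type) to two constructed sample events. The syslog line is only shaped like a Firebox traffic log; its exact layout, the regex, the helper names and the UDM type coercions are assumptions.

```python
# Toy WatchGuard -> UDM normalizer applying mappings from this change log.
# Added illustration, not the Google SecOps parser; both sample events below
# are constructed and the traffic-line layout is an assumption.
import json
import re
from datetime import datetime

# Formats from the 2023-09-28 "date" fix: ISO8601 (with or without 'T') goes
# through fromisoformat, the two syslog forms through strptime.
STRPTIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%b %d %H:%M:%S")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed layout of a Firebox "firewall" traffic line (constructed, not captured).
TRAFFIC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<firewallname>\S+) firewall: "
    r'msg_id="(?P<msg_id>[^"]+)" (?P<action>\w+) (?P<src_if>\S+) (?P<dst_if>\S+) '
    r"(?P<protocol>\w+) (?P<src_ip>\S+) (?P<dst_ip>\S+) (?P<src_port>\d+) "
    r"(?P<dst_port>\d+)(?P<rest>.*)$"
)
TRAFFIC_LINE = (
    'Jan 20 10:11:12 fw01 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External '
    'tcp 10.0.1.5 203.0.113.10 54321 443 geo_src="CAN" geo_dst="USA" '
    'rcvd_bytes="1450" src_user="alice@example.com" (Outgoing-00)'
)
JSON_LINE = json.dumps({  # constructed, in the shape of the 2024-09-24 JSON events
    "USERNAME": "bob", "SOURCE_IP": "10.0.2.7", "DEST_IP": "203.0.113.20",
    "DEST_PORT": "443", "PROTOCOL_TR": "tcp", "SEVERITY": "5",
    "POLICY_ID": "12", "SOURCE_INTERFACE": "1-Trusted"})

# JSON key -> dotted UDM path (2024-09-24 row). Keys with no UDM home go to
# additional.fields; anything else is dropped.
JSON_MAP = {
    "USERNAME": "principal.user.userid", "SOURCE_IP": "principal.ip",
    "SOURCE_PORT": "principal.port", "DEST_IP": "target.ip",
    "DEST_PORT": "target.port", "PROTOCOL_TR": "network.ip_protocol",
    "SEVERITY": "security_result.severity_details",
    "SOURCE_INTERFACE": "principal.resource.attributes.labels",
    "DEST_INTERFACE": "target.resource.attributes.labels"}
ADDITIONAL_KEYS = {"COMMON_REPORT_NAME", "DOMAIN", "IENAME", "FACILITY",
                   "MESSAGESTART", "POLICY_ID", "ARCHIVETYPE", "MESSAGELEN",
                   "OPERATION", "IEGROUP", "ESID", "PACK_HEADER_LEN"}


def parse_timestamp(value: str) -> datetime:
    """Accept the formats listed in the 2023-09-28 fix; raise on anything else."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        for fmt in STRPTIME_FORMATS:
            try:
                ts = datetime.strptime(value, fmt)
            except ValueError:
                continue
            # "MMM d HH:mm:ss" carries no year; strptime fills in 1900.
            return ts.replace(year=datetime.now().year) if ts.year == 1900 else ts
    raise ValueError(f"unsupported timestamp: {value!r}")


def set_path(doc: dict, dotted: str, value) -> None:
    """Create nested dicts along a dotted UDM path and set the leaf."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        doc = doc.setdefault(part, {})
    doc[leaf] = value


def normalize_json(line: str) -> dict:
    udm, extra = {}, {}
    for key, value in json.loads(line).items():
        if key in JSON_MAP:
            path = JSON_MAP[key]  # assumed UDM types: int ports, repeated ips, label pairs
            if path.endswith(".port"):
                value = int(value)
            elif path.endswith(".ip"):
                value = [value]
            elif path.endswith(".labels"):
                value = [{"key": key, "value": value}]
            set_path(udm, path, value)
        elif key in ADDITIONAL_KEYS:
            extra[key] = value
    if extra:
        udm["additional"] = {"fields": extra}
    return udm


def normalize_traffic(line: str) -> dict:
    m = TRAFFIC_RE.match(line)
    if not m:
        raise ValueError("line does not match the assumed traffic layout")
    f = m.groupdict()
    f.update(KV_RE.findall(f.pop("rest")))  # trailing key="value" pairs
    udm = {"metadata": {"event_type": "NETWORK_CONNECTION",  # 2022-12-17
                        "event_timestamp": parse_timestamp(f["ts"]).isoformat()},
           "principal": {"ip": [f["src_ip"]], "port": int(f["src_port"])},
           "target": {"ip": [f["dst_ip"]], "port": int(f["dst_port"])},
           "network": {"ip_protocol": f["protocol"].upper()},
           "intermediary": {"hostname": f["firewallname"]}}  # 2023-11-24
    for side, geo in (("principal", "geo_src"), ("target", "geo_dst")):
        if geo in f:  # 2023-01-20: geo_* -> location.country_or_region
            udm[side]["location"] = {"country_or_region": f[geo]}
    if "rcvd_bytes" in f:
        udm["network"]["received_bytes"] = int(f["rcvd_bytes"])
    user = f.get("src_user")
    if user:  # 2022-12-17: email -> email_addresses, otherwise display name
        udm["principal"]["user"] = ({"email_addresses": [user]} if EMAIL_RE.fullmatch(user)
                                    else {"user_display_name": user})
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_traffic(TRAFFIC_LINE), indent=2))
    print(json.dumps(normalize_json(JSON_LINE), indent=2))
```

Running the module prints the two UDM documents. The JSON path keeps "POLICY_ID" only because it is in the explicit additional-fields allowlist; an unlisted key is dropped rather than guessed at, which mirrors why each new key in the rows above needed its own mapping entry.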