Change log for ATTIVO
Date
Changes
2025-01-10
Enhancement:
- Added a new Grok pattern to parse the unparsed logs.
- Added a JSON block to parse the unparsed logs.
- Mapped "Alert.subject" to "metadata.description".
- Mapped "Alert.body" to "metadata.description".
- Mapped "Alert.app" to "principal.application".
- Mapped "Alert.dest_ip" to "target.ip" and "target.asset.ip".
- Mapped "Alert.dest_host" to "target.hostname".
- Mapped "Alert.src_hostname" to "principal.hostname".
- Mapped "Alert.src_ip_domain" to "principal.domain.name".
- Mapped "Alert.dest_ip_domain" to "target.domain.name".
- Mapped "Alert.id" to "metadata.product_log_id".
- Mapped "Alert.des_os" to "target.asset.platform_software.platform_version".
- Mapped "Alert.src_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Alert.src_mac" to "principal.mac".
- Mapped "Alert.bootsink_ip" to "intermediary.ip".
- Mapped "Alert.forwarder" and "Alert.service" to "additional.fields".
- Mapped "technique_id" to "security_result.attack_details.tactics.id".
- Mapped "technique_name" to "security_result.attack_details.tactics.name".
- Mapped "Alert.severity" to "security_result.severity".
- Mapped "Alert.src_category" to "security_result.threat_name".
2024-04-19
Enhancement:
- Added support for new event types "NETWORK_UNCATEGORIZED" and "SCAN_NETWORK".
- Added support for certain new attributes.
2023-08-14
Enhancement:
- Added a conditional check for "ips".
- If the value of "ips" matches the IP address format, map "ips" to "principal.ip"; otherwise map it to "intermediary.hostname".
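As an added, stand-alone illustration of the mappings and the "ips" conditional described in the entries above (this is not Google SecOps parser code, which is written in the parser configuration language, and not part of the ATTIVO product), the Python below applies the listed Alert.* to UDM mappings to a constructed sample event. Assumptions: the raw event is JSON with the field names exactly as the change log lists them; "ips", "technique_id" and "technique_name" sit at the top level of the event; subject and body are joined into one metadata.description string; the result is a nested dict keyed by UDM path names rather than a real UDM record.

```python
import ipaddress
import json

# Constructed sample ATTIVO event (illustration only; field names follow the
# change log, the values are invented).
SAMPLE_EVENT = json.dumps({
    "Alert": {
        "id": "attivo-0001",
        "subject": "Deception credential used",
        "body": "Decoy SMB share accessed from a workstation",
        "app": "smb",
        "severity": "HIGH",
        "src_ip": "10.0.0.25",
        "src_mac": "00:11:22:33:44:55",
        "src_hostname": "ws-25",
        "src_ip_domain": "corp.example",
        "src_category": "Credential Theft",
        "dest_ip": "10.0.0.200",
        "dest_host": "decoy-fs01",
        "dest_ip_domain": "corp.example",
        "des_os": "Windows Server 2019",
        "bootsink_ip": "10.0.0.5",
        "forwarder": "fwd-01",
        "service": "smb",
    },
    "technique_id": "T1078",
    "technique_name": "Valid Accounts",
    "ips": "sensor-03.corp.example",
})

# Alert.* field -> one or more UDM paths, as listed in the 2025-01-10 entry.
ALERT_MAPPING = {
    "app": ["principal.application"],
    "dest_ip": ["target.ip", "target.asset.ip"],
    "dest_host": ["target.hostname"],
    "src_hostname": ["principal.hostname"],
    "src_ip_domain": ["principal.domain.name"],
    "dest_ip_domain": ["target.domain.name"],
    "id": ["metadata.product_log_id"],
    "des_os": ["target.asset.platform_software.platform_version"],
    "src_ip": ["principal.ip", "principal.asset.ip"],
    "src_mac": ["principal.mac"],
    "bootsink_ip": ["intermediary.ip"],
    "severity": ["security_result.severity"],
    "src_category": ["security_result.threat_name"],
}

# UDM paths that hold repeated values; several raw fields may feed them.
REPEATED = {"principal.ip", "principal.asset.ip", "target.ip", "target.asset.ip",
            "intermediary.ip", "principal.mac"}


def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def set_path(udm, path, value):
    """Assign value at a dotted UDM path, appending for repeated fields."""
    parts = path.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    if path in REPEATED:
        node.setdefault(parts[-1], []).append(value)
    else:
        node[parts[-1]] = value


def parse_attivo(raw):
    """Map one ATTIVO JSON event to a nested dict keyed by UDM paths."""
    event = json.loads(raw)
    alert = event.get("Alert", {})
    udm = {}
    # subject and body both target metadata.description; join them so neither is lost.
    description = " - ".join(v for v in (alert.get("subject"), alert.get("body")) if v)
    if description:
        set_path(udm, "metadata.description", description)
    for field, paths in ALERT_MAPPING.items():
        if field in alert:
            for path in paths:
                set_path(udm, path, alert[field])
    extra = {k: alert[k] for k in ("forwarder", "service") if k in alert}
    if extra:
        set_path(udm, "additional.fields", extra)
    if "technique_id" in event:
        set_path(udm, "security_result.attack_details.tactics.id", event["technique_id"])
    if "technique_name" in event:
        set_path(udm, "security_result.attack_details.tactics.name", event["technique_name"])
    # 2023-08-14 conditional: an IP literal goes to principal.ip, anything else
    # is treated as a hostname and stored on the intermediary.
    ips = event.get("ips")
    if ips:
        set_path(udm, "principal.ip" if is_ip(ips) else "intermediary.hostname", ips)
    return udm


if __name__ == "__main__":
    print(json.dumps(parse_attivo(SAMPLE_EVENT), indent=2))
```

The IP test uses the standard library's ipaddress module rather than a regular expression, so IPv6 literals and malformed dotted quads such as "10.0.0.999" are classified correctly; a hand-written pattern for "IP address format" is a common source of mis-routed fields in parsers of this kind.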
Last updated 2025-03-13 UTC.

Summary:
- The ATTIVO parser has undergone several enhancements, including the addition of a new Grok pattern and JSON block to improve the parsing of unparsed logs.
- Multiple fields within the "Alert" data have been remapped to more appropriate locations within the metadata, principal, target, and security result fields, increasing the mapping accuracy of data points.
- Support for new event types, such as "NETWORK_UNCATEGORIZED" and "SCAN_NETWORK", along with new attributes, has been integrated into the parser to better handle various types of events.
- Conditional checks have been implemented for the "ips" field to dynamically determine whether it should be mapped to "principal.ip" or "intermediary.hostname" based on its format.
- A new parser was introduced on July 21, 2023, marking a foundational update to the system's data handling capabilities.