Change log for AUDITD

Date Changes
2024-11-21 Enhancement:
- Changed mapping of "username" from "principal.user.userid" to "target.user.userid".
- When "username" is not null, then mapped "metadata.event_type" to "USER_LOGIN".
- When "audit_message" is "PROCTITLE", then mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".
2024-11-19 Enhancement:
- Mapped "srcIP" to "principal.ip" and "srcPort" to "principal.port".
2024-11-15 Enhancement:
- Added Grok patterns to parse "username" field.
- Mapped "username" to "principal.user.user_display_name".
2024-11-06 Enhancement:
- Mapped "type_syscall_props.msg" to "additional.fields".
2024-10-31 Enhancement:
- Added support for the new pattern of SYSLOG logs.
2024-10-28 Enhancement:
- Added support for timestamps that include timezone offsets.
2024-10-15 Enhancement:
- Mapped "sw", "sw_type", and "subj" to "security_result.detection_fields".
2024-10-14 Enhancement:
- Added a conditional check and mapped "metadata.event_type" to "USER_LOGIN" from "USER_UNCATEGORIZED".
2024-10-10 Enhancement:
- Added "gsub" to map "type" to "metadata.product_event_type".
- Mapped "indicator.SYSCALL" to "security_result.detection_fields".
2024-10-09
- Mapped "exe" to "principal.process.file.full_path".
2024-09-24 Enhancement:
- Swapped mapping from "target.port" to "principal.port".
- Added support to handle Syslog logs.
2024-09-16 Enhancement:
- Modified a Grok pattern to parse new patterns of logs.
2024-08-13 Enhancement:
- Converted "a2" from hexadecimal value to ASCII.
2024-07-18
- Added "gsub" to replace "\\r\\n" with " " from the message.
- Added a grok pattern for "msg2".
- Mapped "target.user.userid" to "principal.user.userid".
2024-07-09 Enhancement:
- Added "gsubs" to handle invalid JSON logs.
- When "type" is "SYSCALL" and "has_principal" is true and "exe" is not empty, then set "metadata.event_type" to "PROCESS_LAUNCH".
2024-06-18 Enhancement:
- Added new Grok patterns to handle authentication syslog logs.
- Mapped "target_user_name" to "target.user.userid".
- Handled the new patterns of "_timestamp".
2024-05-08 Enhancement:
- When the value is not "?", then mapped "field" to "field33" to "security_result.detection_fields".
- When "type_name" is "CRYPTO_KEY_USER", then mapped "exe" to "principal.process.file.full_path".
- When "type_name" is "CRYPTO_KEY_USER", then mapped "fp" to "network.tls.client.certificate.sha256".
- When "type_name" is "CRYPTO_KEY_USER", then mapped "pid" to "principal.process.pid".
- Added Grok patterns to parse new pattern of logs.
- Mapped "syslog-tag" to "security_result.detection_fields".
- Mapped "inter_ip" to "intermediary.ip".
- Mapped "inter_hostname" to "intermediary.hostname".
2024-05-02 Enhancement:
- When "type_name" is "USER_MGMT", then mapped "grp" to "target.group.group_display_name".
- When "type_name" is "USER_MGMT", then changed mapping of "uid" from "principal.user.userid" to "target.user.userid".
- When "type_name" is "USER_MGMT" and "op" is equal to "deleting-user-from-group", then set "metadata.event_type" to "GROUP_MODIFICATION".
- When "type_name" is "USER_MGMT", then changed mapping of "exe" from "target.process.file.full_path" to "principal.process.file.full_path".
- When "type_name" is "USER_MGMT", then mapped "id" to "about.user.userid".
2024-04-08 Enhancement:
- When "type_name" is "ADD_USER", "principal_user_present" is "true", "target_user_present" is "true", and "has_principal" is "true", then set "metadata.event_type" to "USER_CREATION".
- When "type_name" is "USER_AUTH", then mapped "acct" to "target.user.user_display_name".
- When "type_name" is "USER_AUTH", then mapped "uid" to "principal.user.userid".
- When "type_name" is not one of "ADD_USER", "USER_AUTH", "CRED_ACQ", or "USER_MGMT", then mapped "auid" to "about.user.userid".
- When "type_name" is "ADD_USER", then mapped "auid" to "target.user.userid".
- When "type_name" is "ADD_USER" or "USER_AUTH", then mapped "exe" to "principal.process.file.full_path".
- When "type_name" is "ADD_USER", then mapped "op" and "id" to "security_result.summary".
- When "type_name" is "USER_AUTH", then mapped "op" and "acct" to "security_result.summary".
2024-03-22 Enhancement:
- Added support for new pattern of JSON logs.
- Mapped "labels.compute.googleapis.com/resource_name", "jsonPayload._HOSTNAME", "CollectorHostName", "HOSTNAME", and "Computer" to "principal.hostname".
- Mapped "HostIP" to "principal.ip".
- Mapped "ProcessID" and "jsonPayload._PID" to "principal.process.pid".
- Mapped "SyslogMessage" to "metadata.description".
- Mapped "TenantId", "_ItemId", "_Internal_WorkspaceResourceId", "_ResourceId", and "Facility" to "additional.fields".
- Mapped "SeverityLevel" to "security_result.severity".
- Mapped "SourceSystem" to "principal.platform".
- Mapped "jsonPayload._COMM" to "principal.application".
- Mapped "jsonPayload._EXE" to "target.process.file.full_path".
- Mapped "jsonPayload._AUDIT_FIELD_FILE" to "target.file.full_path".
- Mapped "jsonPayload._AUDIT_FIELD_HASH" to "target.file.hash".
- Mapped "jsonPayload._AUDIT_SESSION" to "network.session_id".
- Mapped "jsonPayload._PPID" to "principal.process.parent_process.pid".
- Mapped "jsonPayload._AUDIT_FIELD_A0", "jsonPayload._AUDIT_FIELD_A1", "jsonPayload._AUDIT_FIELD_A2", "jsonPayload._AUDIT_FIELD_A3", "jsonPayload._BOOT_ID", and "jsonPayload._AUDIT_FIELD_EXIT" to "security_result.detection_fields".
2023-11-27 Enhancement:
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_LOGIN".
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_LOGOUT".
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_CREATION".
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_DELETION".
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_UNCATEGORIZED".
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_RESOURCE_ACCESS".
- Added validation check to ensure either "principal_user_present", "target_user_present" or "has_principal" is true before setting "metadata.event_type" to "USER_CHANGE_PERMISSIONS".
- When user details are present and principal machine details are not present then changed mapping of "metadata.event_type" from "USER_CREATION" to "USER_UNCATEGORIZED".
- When user details are present and principal machine details are not present then changed mapping of "metadata.event_type" from "USER_DELETION" to "USER_UNCATEGORIZED".
2023-09-06 Enhancement:
- Added mapping of "CMD" to "target.process.command_line" for "cron daemon(CROND)".
2023-06-20 Enhancement - Added or modified the following mappings when type="ADD_USER" and "DEL_USER":
- Modified the mapping of "uid" from "target.user.userid" to "principal.user.userid".
- Mapped "id" to "target.user.userid".
- Mapped "ID" to "target.user.user_display_name".
- Modified the mapping of "UID" from "principal.user.userid" to "principal.user.user_display_name".
- Modified the mapping of "acct" from "principal.user.user_display_name" to "target.user.user_display_name" and "target.user.userid".
2023-06-09 Enhancement - Modified "event_type" from "USER_LOGIN" to "USER_CREATION" when "type=ADD_USER".
2023-04-17 Enhancement
- Added a gsub function to replace the "GS - Group separator" character, which was breaking the JSON construction.
2023-04-10 Enhancement
- Added 'gid','euid','egid','suid','fsuid','sgid','fsgid','tty','items' fields to security_result.detection_fields.
- Additionally mapped 'gid' to 'principal.user.group_identifiers'.
- Mapped 'euid' to 'target.user.userid'.
- Mapped 'egid' to 'target.user.group_identifiers'.
2023-03-27 Enhancement - Added support for "jsonPayload" containing logs.
2023-02-28 Bug-fix - Enhanced parser to convert hex encoded string to ASCII.
2023-02-09 Enhancement - Modified grok for logs containing "type=PATH" to fetch the correct hostname from logs.
2023-01-24 Enhancement -
- Parsed log with eventType as "tac_plus".
- Added conditions for mapping different event_types "NETWORK_CONNECTION", "NETWORK_HTTP", "USER_LOGIN".
2022-12-02 Enhancement -
- Mapped "user_name" to "principal.user.userid".
- Added conditional checks for "dst_ip" and "dst_port".
2022-11-16 Enhancement -
- Changed "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" for log types containing "Access Logs".
2022-10-31 Enhancement -
- Enhanced the parser to parse the log with type=ADD_USER, USER_MGMT, DEL_USER.
- Added null checks for "principal_hostname".
- Added on_error checks for "principal.process.file.full_path", "type_syscall_props.key", "type_syscall_props.arch", "msg2".
- Added conditional checks for mapping to event_type="FILE_OPEN", "USER_UNCATEGORIZED", "STATUS_UPDATE", "USER_DELETION".
- Mapped "principal_user_userid" to "principal.user.userid".
2022-10-14 Enhancement -
- Migrated customer parser to default parser.
2022-10-13 Enhancement -
- Mapped "vendor_name" to "Linux".
- Mapped "product_name" to "AuditD".
- Parsed the logs containing "ProxySG" and mapped "ip" to "target.ip", "port" to "target.port" wherever possible.
- Modified "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE".
- Modified mapping for "intermediary.hostname" to "principal.hostname".
2022-07-28 Enhancement -
- Mapped the field 'auid' to 'about.user.userid'.
- Mapped the field 'AUID' to 'about.user.user_display_name'.
- Mapped the field 'proctitle' to 'target.process.file.full_path'.
- Enhanced the parser to parse the log with type=DAEMON_END, CRYPTO_SESSION, CONFIG_CHANGE, PROCTITLE, USER_ERR, CRYPTO_KEY_USER.
- Added conditional check for laddr, addr, cipher, pfs, direction, acct, pid, ppid, cmd, exe, ses.
2022-06-17 Enhancement - Mapped/Modified the following fields :
- Changed mapping of "auid" from "security_result.about.user.userid" to "about.user.userid".
- Changed "event_type" for type=SYSCALL from "SYSTEM_AUDIT_LOG_UNCATEGORIZED" to "USER_UNCATEGORIZED".
- Mapped "success" to "security_result.summary".
- Mapped "syscall", "exit", "tty", "a0", "a1", "a2", "a3" to "security_result.about.labels".
- Dropped the logs in ASCII format.
2022-06-14 Enhancement
- Enhanced the parser to parse the USER_CMD type of logs.
- Mapped the field 'cmd' to 'principal.process.command_line'.
- Mapped the field 'ses' to 'network.session_id'.
- Mapped the field 'res' to 'security_result.action' and 'security_result.action_details'.
- Mapped the fields 'auid' and 'cwd' to 'security_result.detection_fields'.
2022-04-26 Enhancement
- Increased the parsing percentage by parsing all the unparsed logs.