Change log for AUDITD

Date Changes
2023-11-27 Enhancement:
- Added a validation check requiring one of "principal_user_present", "target_user_present" or "has_principal" to be true before "metadata.event_type" is set to any of "USER_LOGIN", "USER_LOGOUT", "USER_CREATION", "USER_DELETION", "USER_UNCATEGORIZED", "USER_RESOURCE_ACCESS" or "USER_CHANGE_PERMISSIONS".
- When user details are present but principal machine details are not, "metadata.event_type" now maps to "USER_UNCATEGORIZED" instead of "USER_CREATION" or "USER_DELETION".
2023-09-06 Enhancement:
- Added mapping of "CMD" to "target.process.command_line" for "cron daemon(CROND)".
2023-06-20 Enhancement - Added or modified the following mappings when type="ADD_USER" or type="DEL_USER":
- Modified the mapping of "uid" from "target.user.userid" to "principal.user.userid".
- Mapped "id" to "target.user.userid".
- Mapped "ID" to "target.user.user_display_name".
- Modified the mapping of "UID" from "principal.user.userid" to "principal.user.user_display_name".
- Modified the mapping of "acct" from "principal.user.user_display_name" to "target.user.user_display_name" and "target.user.userid".
2023-06-09 Enhancement - Modified "event_type" from "USER_LOGIN" to "USER_CREATION" when "type=ADD_USER".
2023-04-17 Enhancement
- Added a gsub to strip the GS (group separator, ASCII 0x1D) character, which was breaking JSON construction.
2023-04-10 Enhancement
- Added 'gid','euid','egid','suid','fsuid','sgid','fsgid','tty','items' fields to security_result.detection_fields.
- Additionally mapped 'gid' to 'principal.user.group_identifiers'.
- Mapped 'euid' to 'target.user.userid'.
- Mapped 'egid' to 'target.user.group_identifiers'.
2023-03-27 Enhancement - Added support for "jsonPayload" containing logs.
2023-02-28 Bug-fix - Enhanced the parser to convert hex-encoded strings to ASCII.
2023-02-09 Enhancement - Modified grok for logs containing "type=PATH" to fetch the correct hostname from logs.
2023-01-24 Enhancement -
- Parsed logs with eventType "tac_plus".
- Added conditions for mapping "event_type" to "NETWORK_CONNECTION", "NETWORK_HTTP" or "USER_LOGIN".
2022-12-02 Enhancement -
- Mapped "user_name" to "principal.user.userid".
- Added conditional checks for "dst_ip" and "dst_port".
2022-11-16 Enhancement -
- Changed "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" for log types containing "Access Logs".
2022-10-31 Enhancement -
- Enhanced the parser to parse logs with type=ADD_USER, USER_MGMT or DEL_USER.
- Added null checks for "principal_hostname".
- Added on_error checks for "principal.process.file.full_path", "type_syscall_props.key", "type_syscall_props.arch", "msg2".
- Added conditional checks for mapping to event_type="FILE_OPEN", "USER_UNCATEGORIZED", "STATUS_UPDATE", "USER_DELETION".
- Mapped "principal_user_userid" to "principal.user.userid".
2022-10-14 Enhancement -
- Migrated customer parser to default parser.
2022-10-13 Enhancement -
- Mapped "vendor_name" to "Linux".
- Mapped "product_name" to "AuditD".
- Parsed logs containing "ProxySG" and mapped "ip" to "target.ip" and "port" to "target.port" wherever possible.
- Modified "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE".
- Modified mapping for "intermediary.hostname" to "principal.hostname".
2022-07-28 Enhancement -
- Mapped the field 'auid' to 'about.user.userid'.
- Mapped the field 'AUID' to 'about.user.user_display_name'.
- Mapped the field 'proctitle' to 'target.process.file.full_path'.
- Enhanced the parser to parse logs with type=DAEMON_END, CRYPTO_SESSION, CONFIG_CHANGE, PROCTITLE, USER_ERR or CRYPTO_KEY_USER.
- Added conditional checks for laddr, addr, cipher, pfs, direction, acct, pid, ppid, cmd, exe and ses.
2022-06-17 Enhancement - Mapped/modified the following fields:
- Changed mapping of "auid" from "security_result.about.user.userid" to "about.user.userid".
- Changed "event_type" for type=SYSCALL from "SYSTEM_AUDIT_LOG_UNCATEGORIZED" to "USER_UNCATEGORIZED".
- Mapped "success" to "security_result.summary".
- Mapped "syscall", "exit", "tty", "a0", "a1", "a2", "a3" to "security_result.about.labels".
- Dropped the logs in ASCII format.
2022-06-14 Enhancement
- Enhanced the parser to parse USER_CMD logs.
- Mapped the field 'cmd' to 'principal.process.command_line'.
- Mapped the field 'ses' to 'network.session_id'.
- Mapped the field 'res' to 'security_result.action' and 'security_result.action_details'.
- Mapped the fields 'auid' and 'cwd' to 'security_result.detection_fields'.
2022-04-26 Enhancement
- Increased the parsing percentage by parsing all the unparsed logs.
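The following Python script is added here as an illustration and is not part of the AUDITD parser itself (Chronicle parsers are written in a Logstash-style configuration, not Python). On constructed auditd records it reproduces several behaviours recorded above: stripping the GS character (2023-04-17), decoding hex-encoded values to ASCII (2023-02-28), the ADD_USER/DEL_USER user mappings (2023-06-09, 2023-06-20), the auid, proctitle and cmd mappings (2022-07-28, 2022-06-14), and the user-presence guard with the USER_UNCATEGORIZED fallback on "event_type" (2023-11-27). The GENERIC_EVENT default when the guard fails, the set of fields treated as hex-encoded, mapping exe to principal.process.file.full_path, and giving the numeric "id" precedence over "acct" for target.user.userid are assumptions of this example, as are the sample log lines.

```python
"""Reference implementation (example only, not Chronicle's parser code) of several
AUDITD parser behaviours from the changelog.  Output dict keys follow the UDM
paths quoted in the changelog.  The sample records below are constructed."""
import re

GS = "\x1d"  # ASCII group separator; stripped before parsing (2023-04-17)

# auditd hex-encodes these fields when the value holds spaces, quotes or control
# bytes.  Decoding is restricted to this set (assumption) because numeric fields
# such as uid=1000 are also valid hex and must not be touched.
HEX_ENCODED_FIELDS = {"proctitle", "cmd", "comm", "exe", "cwd", "name", "acct", "data"}

_HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<rest>.*)$")
_KV = re.compile(r'''(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)''')


def decode_hex(value: str) -> str:
    """Convert an unquoted, even-length hex string to text (2023-02-28).
    auditd separates argv entries in proctitle with NUL; render them as spaces."""
    if value and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace").replace("\x00", " ")
    return value


def _parse_pairs(text: str, out: dict) -> None:
    for key, raw in _KV.findall(text):
        if raw.startswith("'") and raw.endswith("'"):
            _parse_pairs(raw[1:-1], out)          # nested msg='...' block
        elif raw.startswith('"') and raw.endswith('"'):
            out[key] = raw[1:-1]                  # quoted values are never hex-encoded
        elif key in HEX_ENCODED_FIELDS:
            out[key] = decode_hex(raw)
        else:
            out[key] = raw


def parse_audit_line(line: str) -> dict:
    m = _HEADER.match(line.replace(GS, "").strip())
    if not m:
        raise ValueError("not an auditd record: %r" % line)
    fields = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    _parse_pairs(m["rest"], fields)
    return fields


def to_udm(ev: dict) -> dict:
    udm = {"metadata": {"vendor_name": "Linux", "product_name": "AuditD",
                        "event_type": "GENERIC_EVENT"},   # default is an assumption
           "principal": {}, "target": {}, "about": {}}
    if ev.get("hostname") not in (None, "?"):
        udm["principal"]["hostname"] = ev["hostname"]
    if "auid" in ev:                                           # 2022-07-28
        udm["about"]["user"] = {"userid": ev["auid"]}
    if "exe" in ev:                                            # assumption
        udm["principal"].setdefault("process", {}).setdefault("file", {})["full_path"] = ev["exe"]
    if "proctitle" in ev:                                      # 2022-07-28
        udm["target"].setdefault("process", {}).setdefault("file", {})["full_path"] = ev["proctitle"]
    if "cmd" in ev:                                            # 2022-06-14
        udm["principal"].setdefault("process", {})["command_line"] = ev["cmd"]

    if ev["type"] in ("ADD_USER", "DEL_USER"):                 # 2023-06-20 mappings
        if "uid" in ev:
            udm["principal"]["user"] = {"userid": ev["uid"]}
        target_user = {}
        if "acct" in ev:
            target_user["user_display_name"] = ev["acct"]
            target_user["userid"] = ev["acct"]
        if "id" in ev:
            target_user["userid"] = ev["id"]                   # numeric id wins (assumption)
        if target_user:
            udm["target"]["user"] = target_user
        # 2023-11-27 guard: a USER_* type needs some user or principal data
        principal_user_present = "user" in udm["principal"]
        target_user_present = "user" in udm["target"]
        has_principal = bool(udm["principal"])
        if principal_user_present or target_user_present or has_principal:
            event_type = "USER_CREATION" if ev["type"] == "ADD_USER" else "USER_DELETION"
            if "hostname" not in udm["principal"]:             # no principal machine details
                event_type = "USER_UNCATEGORIZED"
            udm["metadata"]["event_type"] = event_type
    return udm


# Constructed sample records (not captured from a real host).
SAMPLE_LINES = [
    "type=ADD_USER msg=audit(1700000000.123:456): pid=1234 uid=0 auid=1000 ses=3 "
    "msg='op=adding user id=1001 acct=\"bob\" exe=\"/usr/sbin/useradd\" hostname=host1 addr=? terminal=pts/0 res=success'",
    "type=DEL_USER msg=audit(1700000001.000:457): pid=1240 uid=0 auid=1000 ses=3 "
    "msg='op=deleting user id=1001 exe=\"/usr/sbin/user\x1ddel\" hostname=? addr=? terminal=pts/0 res=success'",
    "type=PROCTITLE msg=audit(1700000002.500:458): proctitle=2F7573722F62696E2F6375726C002D73",
    "type=USER_CMD msg=audit(1700000003.000:459): pid=1300 uid=1000 auid=1000 ses=3 "
    "msg='cwd=\"/home/bob\" cmd=6C73202D6C61 exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'",
]


def process(lines):
    return [to_udm(parse_audit_line(line) ) for line in lines]


if __name__ == "__main__":
    for udm in process(SAMPLE_LINES):
        print(udm["metadata"]["event_type"], udm)
```

Two details matter when reproducing the changelog's behaviour. Hex decoding must be limited to fields auditd actually encodes: a value like uid=1000 is also valid hex and would otherwise be decoded into binary garbage. And the 2023-11-27 guard means a DEL_USER record with a user but no principal hostname lands in USER_UNCATEGORIZED rather than USER_DELETION, so detections keyed only on USER_DELETION will miss such records; the second sample shows that case.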