Change log for BLOXONE
Date | Changes |
---|---|
2024-12-02 | Enhancement:<br>- If "raw.app" is a valid application_protocol value, it is mapped to "network.application_protocol". |
2024-06-18 | Enhancement:<br>- Added support to handle CEF logs. |
2024-01-18 | Enhancement:<br>- Added a Grok pattern to parse unparsed logs.<br>- Mapped "network" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "device" to "principal.ip" and "principal.asset.ip".<br>- Mapped "rip" to "target.ip" and "target.asset.ip".<br>- Mapped "mac_address" to "principal.mac".<br>- Mapped "country" to "principal.location.name".<br>- Mapped "os_version" to "principal.platform_version".<br>- Mapped "app_name" to "principal.application".<br>- Mapped "user" to "principal.user.user_display_name".<br>- Mapped "feed_type" to "principal.resource.attribute.labels".<br>- Mapped "feed_name" to "principal.resource.name" and "principal.resource.resource_subtype".<br>- Mapped "policy_action" to "security_result.action_details".<br>- Mapped "endpoint_groups", "user_groups", "dns_view", "dhcp_fingerprint", "policy_name", "tclass", "tproperty", "threat_indicator", "category", and "rcode" to "security_result.detection_fields".<br>- Mapped "app_category" to "security_result.category_details".<br>- Mapped "confidence" to "security_result.confidence".<br>- Mapped "severity" to "security_result.severity".<br>- Mapped "qname" to "questions.name".<br>- Mapped "rdata" to "dns.answers". |
2023-03-07 | Newly created parser. |