Change log for BLUECOAT_WEBPROXY

Date Changes
2024-11-14 Enhancement:
- Mapped "proxy_name" and "column3" to "principal.asset.hostname".
2024-10-25 Enhancement:
- Added a new grok pattern to parse "cs_threat_risk" and "cs_categories".
2024-10-18 Enhancement:
- Added support to handle KV, CSV, and SYSLOG logs.
2024-10-15 Enhancement:
- Mapped "upload-source" to "additional.fields".
2024-09-25 Enhancement:
- Added support for new format logs.
2024-09-11 Enhancement:
- Set "metadata.event_type" to "NETWORK_HTTP" if "message" contains "SG - HTTP".
2024-08-29 Enhancement:
- Added support for a new log pattern.
2024-08-22 Enhancement:
- Added support for a new log pattern.
- Added a Grok pattern to parse the new format of field "file_name".
2024-08-07 Enhancement:
- Mapped "time-taken" to "session_duration.session_duration".
2024-06-20 Enhancement:
- Added new Grok patterns to parse the new format of the field "file_name".
2024-06-18 Enhancement:
- Added support to handle unparsed SYSLOG logs.
2024-06-14 Enhancement:
- Added support to parse dropped logs.
2024-05-21 Enhancement:
- Added a Grok pattern over "x_icap_respmod_header" to extract the fields "file_reputation" and "expect_sandbox".
- Mapped "x_icap_respmod_header" to "security_result.detection_fields".
- Mapped "file_reputation" to "security_result.detection_fields".
- Mapped "expect_sandbox" to "security_result.detection_fields".
2024-05-14 Bug-Fix:
- Separated "principal_user_group_identifiers" CSV values and mapped them into "principal.user.group_identifiers".
2024-05-09 Enhancement:
- Parsed "search_query" from "target_url" and mapped it to "target.resource.attribute.labels".
2024-05-06 Bug-Fix:
- Mapped "cs_auth_groups" to "principal.user.group_identifiers".
2024-04-25 Bug-Fix:
- Removed "column16" mapping to "target.ip" as it is being mapped to "intermediary.ip".
2024-02-21 Enhancement:
- Added a Grok pattern to parse new format logs.
2024-02-16 Enhancement:
- Parsed "file_name" from "target.file.file_path" and mapped it to "target.file.names".
2024-02-06 Enhancement:
- If "time_taken" is less than 1000, mapped "time_taken" to "network.session_duration.nanos"; otherwise mapped it to "network.session_duration.seconds".
2024-01-25 Enhancement:
- Mapped "x-tenant-id" to "security_result.detection_fields".
2023-12-19 Enhancement:
- Added mapping of "originating_ip" to "principal.ip".
2023-12-13 Bug-Fix:
- Changed mapping of "cs-host" from "principal.hostname" to "target.hostname".
- Added a null check to "c_ip_host" prior to mapping it to "principal.hostname".
- Mapped "s-supplier-ip" to "intermediary.ip".
- Mapped "s-source-ip" to "intermediary.ip".
- Mapped "cs-uri-port" to "target.port".
- Mapped "x-bluecoat-application-name" to "target.application".
- Mapped "x-rs-certificate-validate-status" to "network.tls.server.certificate.subject".
- Mapped "x-sr-vpop-country-code" to "principal.location.country_or_region".
- Mapped "cs-icap-status" to "security_result.description".
- Mapped "x-rs-ocsp-error", "x-cs-ocsp-error", "cs-icap-error-details", "rs-icap-error-details", "risk-groups", "x-rs-certificate-hostname-threat-risk", "cs-X-Requested-With", "x-rs-connection-negotiated-ssl-version", "x-cs-connection-negotiated-cipher-size", "x-rs-connection-negotiated-cipher-size", "x-rs-connection-negotiated-cipher", "x-bluecoat-reference-id", "x-bluecoat-placeholder", "wf_id", "verdict", "x-cloud-rs", "x-symc-dei-via", "x-sc-connection-issuer-keyring", "x-client-security-posture-risk-score", "s-supplier-failures", "x-data-leak-detected", "x-virus-id", "x-rs-certificate-observed-errors", and "x-rs-connection-negotiated-cipher-strength" to "security_result.detection_fields".
- When principal and target details are present, then set "metadata.event_type" to "NETWORK_CONNECTION".
2023-11-27 Enhancement:
- Added support for JSON logs.
- Added on_error for mapping of "_network.http.response_code" to "network.http.response_code".
- Initialized "date_time", "rs_status", "c_ip_host", "r_port", "json_message", and "r_dns" to null.
- Added null check before mapping "rs_status" to "network.http.response_code".
- Added null check to "date_time" before matching the date pattern.
- Mapped "x-sr-vpop-ip" to "principal.ip".
- Mapped "cs-userdn" to "principal.user.userid".
- Mapped "x-client-agent-type" to "principal.application".
- Mapped "x-client-agent-sw" to "principal.asset.software".
- Mapped "x-sr-vpop-country" to "principal.location.country_or_region".
- Mapped "x-client-device-id" to "principal.resource.product_object_id".
- Mapped "application-name" to "target.application".
- Mapped "rs_content_type" to "target.file.mime_type".
- Mapped "sc_status" to "network.http.response_code".
- Mapped "x-bluecoat-appliance-name" to "intermediary.application".
- Mapped "s-supplier-country" to "intermediary.location.country_or_region".
2023-11-13 Enhancement:
- Mapped "rs_server" to "security_result.about.labels".
- Mapped "c_uri_path_query" to "target.file.full_path".
- Mapped "time_taken" to "network.session_duration.nanos".
- Added "target_hostname" to complete "target_url".
- Mapped "cs_threat_risk" to "security_result.risk_score".
2023-10-01 Enhancement:
- Removed dropping of logs that contain "Log uploading failed".
- Added a check on "ip_target" prior to mapping "metadata.event_type" to "NETWORK_CONNECTION". If "ip_target" is "-", mapped "metadata.event_type" to "STATUS_UPDATE".
- Parsed logs using CSV extraction instead of a Grok pattern.
2023-08-18 Enhancement:
- Added an additional Grok pattern to parse the new format of syslog logs.
- Mapped "x_cs_connection_negotiated_cipher" to "network.tls.cipher".
- Mapped "x_rs_certificate_hostname" to "network.tls.client.server_name".
- Mapped "x_rs_certificate_validate_status" to "network.tls.server.certificate.subject".
- Mapped "s_icap_status" to "security_result.description".
- Mapped "x_cs_connection_negotiated_ssl_version" to "network.tls.version".
2023-06-25 Enhancement:
- Added a Grok pattern to parse unparsed logs.
- Changed "metadata.event_type" from "GENERIC_EVENT" to a more specific value wherever possible.
2023-04-27:
- Mapped "cs(User-Agent)" to "network.http.user_agent".
- Mapped "cs-uri-scheme" to "network.ip_protocol".
- Added null checks to "on_error" statements for some fields.
- Mapped "dst_user" to "target.user.userid".
- Mapped "session_id" to "network.session_id".
- Added new Grok pattern for authentication log types.
2022-09-28 Enhancement:
- Migrated customer-specific parser to default.
- Added "on_error" statements while replacing the values of fields as they might not be present in the log.
- Updated "metadata.event_type" to "NETWORK_CONNECTION" from "GENERIC_EVENT" wherever possible.
- Added a condition check before mapping "metadata.event_type" to "STATUS_UPDATE" or "STATUS_UNCATEGORIZED" to ensure that neither "target.ip" nor "target.hostname" is present, as otherwise it may throw an error.
2022-08-23 Enhancement:
- Mapped "sc_status" to "network.http.response_code".
- Mapped "rule_name" to "security_result.rule_name".
- Mapped "cs_method" to "network.http.method".
- Mapped "application_protocol" to "network.application_protocol".
- Mapped "communication_type" to "security_result.rule_name".
- Mapped "rule_name" to "security_result.about.labels".
- Added null check for "cs_host", "hostname", "cs_method", "cs_uri_scheme", "cs_username", "sc_bytes", "username".
- Removed Drop statement.
2022-05-25 Enhancement:
- Added Grok extraction for PingSSOWAF syslog.
2022-04-20 Enhancement:
- Dropped logs with improper JSON format.
- Added on_error conditional checks to handle such logs.
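The entries above describe individual mapping rules but never show them working together on a log line. The following is an added example, not the parser's own code: a small Python normalizer that applies several of the rules recorded in this change log (CSV extraction instead of Grok, the "time_taken" nanos/seconds split, the CSV split of auth groups into "principal.user.group_identifiers", the completed "target_url" with "search_query" extracted into labels, null checks before mapping, and the "NETWORK_CONNECTION" vs. "STATUS_UPDATE" choice for "metadata.event_type"). The field order, the sample lines, the UDM-like dict layout and every function name are constructed assumptions; the rule for "cs-uri-scheme" is deliberately left out.

```python
"""Added example (not the BLUECOAT_WEBPROXY parser's own code): applies a
subset of the change-log mapping rules to a constructed Bluecoat-style line."""
import csv
from urllib.parse import parse_qsl, urlsplit

# Constructed field order modelled on a space-delimited Bluecoat access log.
FIELDS = [
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "sc-status", "s-action", "cs-method", "rs(Content-Type)", "cs-uri-scheme",
    "cs-host", "cs-uri-port", "cs-uri-path", "cs-uri-query", "cs(User-Agent)",
    "s-ip", "sc-bytes", "cs-bytes", "x-virus-id",
]

# Constructed sample lines; "-" is the proxy's placeholder for an empty value.
SAMPLE = ('2024-05-21 10:15:32 250 10.1.2.3 jdoe "grp-a,grp-b" 200 TCP_HIT GET '
          'text/html http www.example.com 80 /search q=malware+sample '
          '"Mozilla/5.0 (Windows NT 10.0)" 203.0.113.9 5120 640 -')
SAMPLE_STATUS = "2024-05-21 10:15:33 5000 10.1.2.3 " + " ".join(["-"] * 16)


def parse_line(line):
    """CSV-style extraction (2023-10-01 entry) instead of a Grok pattern.
    Returns None for lines that do not fit the expected column count."""
    values = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(values) != len(FIELDS):
        return None
    return {k: (None if v == "-" else v) for k, v in zip(FIELDS, values)}


def build_target_url(raw):
    """2023-11-13 entry: prefix the hostname so target_url is a complete URL."""
    if not raw.get("cs-host"):
        return None
    scheme = raw.get("cs-uri-scheme") or "http"
    port = f":{raw['cs-uri-port']}" if raw.get("cs-uri-port") else ""
    path = raw.get("cs-uri-path") or "/"
    query = f"?{raw['cs-uri-query']}" if raw.get("cs-uri-query") else ""
    return f"{scheme}://{raw['cs-host']}{port}{path}{query}"


def event_type(udm):
    """2022-09-28 / 2023-10-01 / 2023-12-13 entries: NETWORK_CONNECTION only
    when principal and target details exist, otherwise STATUS_UPDATE."""
    target = udm["target"]
    if udm["principal"] and (target.get("ip") or target.get("hostname")):
        return "NETWORK_CONNECTION"
    return "STATUS_UPDATE"


def to_udm(raw):
    """Map extracted fields onto a UDM-like nested dict (layout is assumed)."""
    udm = {"metadata": {}, "principal": {}, "target": {}, "network": {},
           "security_result": {"detection_fields": []}}
    # Null checks before every mapping, as several entries require.
    if raw.get("c-ip"):
        udm["principal"]["ip"] = raw["c-ip"]
    if raw.get("cs-username"):
        udm["principal"]["user"] = {"userid": raw["cs-username"]}
    if raw.get("cs-auth-group"):  # 2024-05-14: split the CSV group list
        udm["principal"].setdefault("user", {})["group_identifiers"] = [
            g.strip() for g in raw["cs-auth-group"].split(",") if g.strip()]
    if raw.get("cs-host"):  # 2023-12-13: cs-host now feeds target.hostname
        udm["target"]["hostname"] = raw["cs-host"]
    if raw.get("cs-uri-port"):
        udm["target"]["port"] = int(raw["cs-uri-port"])
    if raw.get("sc-status"):
        udm["network"]["http"] = {"response_code": int(raw["sc-status"])}
    if raw.get("cs-method"):
        udm["network"].setdefault("http", {})["method"] = raw["cs-method"]
    if raw.get("cs(User-Agent)"):
        udm["network"].setdefault("http", {})["user_agent"] = raw["cs(User-Agent)"]
    if raw.get("time-taken"):  # 2024-02-06: < 1000 -> nanos, else seconds
        taken = int(raw["time-taken"])
        udm["network"]["session_duration"] = (
            {"nanos": taken} if taken < 1000 else {"seconds": taken})
    url = build_target_url(raw)
    if url:
        udm["target"]["url"] = url
        query = dict(parse_qsl(urlsplit(url).query))
        if "q" in query:  # 2024-05-09: search_query into resource labels
            udm["target"]["resource"] = {"attribute": {"labels": [
                {"key": "search_query", "value": query["q"]}]}}
    if raw.get("x-virus-id"):  # 2023-12-13: into detection_fields
        udm["security_result"]["detection_fields"].append(
            {"key": "x-virus-id", "value": raw["x-virus-id"]})
    udm["metadata"]["event_type"] = event_type(udm)
    return udm


def normalize(line):
    """Full pipeline: extraction, then mapping. None means 'unparsed log'."""
    raw = parse_line(line)
    return None if raw is None else to_udm(raw)


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_STATUS, "garbage line"):
        print(normalize(sample))
```

Running the block prints a NETWORK_CONNECTION event for the first line, a STATUS_UPDATE event with "session_duration.seconds" for the second, and None for the malformed line; a malformed line being returned as None rather than raising mirrors the change log's repeated move from dropping or erroring on odd input toward null checks and "on_error" handling, so that a parser bug does not silently discard proxy telemetry an analyst may need.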