Change log for CB_EDR
| Date | Changes |
|---|---|
| 2024-01-19 | Enhancement:
- Added a null check for "filemod_hash.0" and "filemod_hash.1" before mapping. |
| 2023-12-27 | Enhancement:
- Initialized "filemod_hash.0" and "filemod_hash.1" to null to parse the unparsed logs. |
| 2023-10-26 | Enhancement:
- Added "gsub" function to parse the unparsed fields. |
| 2023-10-13 | Enhancement:
- Handled new JSON logs by adding JSON block. - Removed redundant code for fields "computer_name", "parent_name", "process_name", "pid", "process_path", "md5", "sha256", "process_guid", "parent_pid", "docs.0.process_pid", "cb_version", "process_hash.0", "process_hash.1", "parent_hash.0" and "parent_hash.1". |
| 2023-07-21 | - Added MITRE ATT&CK tactic and technique details to "security_result.attack_details".
|
| 2023-03-24 | - Mapped the field "protocol" to "network.ip_protocol".
- Added null conditional check for the field "child_username", "child_pid", "child_command_line". - Changed the "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" when "principal.hostname" or "principal.ip" is not null. |
| 2023-03-14 | Bug-fix:
- Mapped the following fields when the field "type" is null: - Mapped the field "process_guid" to "principal.process.product_specific_process_id". - Mapped the field "device_external_ip" to "target.ip". - Mapped the field "device_os" to "principal.platform". - Mapped the field "device_group" to "principal.group.group_display_name". - Mapped the field "process_pid" to "principal.process.pid". - Mapped the field "process_path" to "principal.process.file.full_path". - Mapped the field "process_cmdline" to "principal.process.command_line". - Mapped the field "process_hash.0" to "principal.process.file.md5". - Mapped the field "principal.1" to "principal.process.file.sha256". - Mapped the field "process_username" to "principal.user.userid". - Mapped the field "clientIp" to "principal.ip". - Mapped the field "description" to "metadata.description". - Mapped the field "orgName" to "principal.administrative_domain". - Mapped the following fields when the field "ruleName" contains "CYDERES": - Mapped the field "deviceInfo.internalIpAddress" to "principal.ip". - Mapped the field "deviceInfo.externalIpAddress" to "target.ip". - Mapped the field "ruleName" to "security_result.rule_name". - Mapped the field "deviceInfo.deviceType" to "principal.asset.platform_software.platform". - Mapped the field "domain" to "principal.administrative_domain". - Mapped the field "deviceInfo.groupName" to "principal.group.group_display_name". - Mapped the field "deviceInfo.deviceVersion" to "principal.asset.platform_software.platform_version". - Mapped the field "deviceInfo.deviceId" to "principal.asset.asset_id". - Mapped the field "eventId" to "additional.fields". - Changed the "metadata.event_type" from "GENERIC_EVENT" to "NETWORK_CONNECTION" when "principal.ip" and "target.ip" is not null. - Changed the "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" when "principal.ip" is not null. |
| 2023-02-03 | Bug-fix:
- Map "filemod_hash" to "target.file" instead of "target.process.file". |
| 2023-01-20 | Bug-fix:
- Stopped populating and mapping product_specific_process_id for empty process ids. |
| 2022-11-25 | - Mapped 'remote_ip' to 'principal.ip' and 'local_ip' to 'target.ip' for 'Inbound' TCP/UDP events.
- Mapped 'remote_port' to 'principal.port' and 'local_port' to 'target.port' for 'Inbound' TCP/UDP events. |
| 2022-10-06 | - Migrated all customer specific parsers to default parser.
|
| 2022-07-10 | - Updated mapping of 'event_type' to 'PROCESS_LAUNCH' for logs of type 'endpoint.event.'.
|