Change log for CHECKPOINT_FIREWALL

Date Changes
2024-11-27 Enhancement:
- Mapped "operation_number" to "security_result.detection_fields".
- Mapped "client_ip" to "principal.ip" and "principal.asset.ip".
2024-11-26 Enhancement:
- Mapped "src" to "principal.hostname" and "principal.asset.hostname".
2024-11-21 Enhancement:
- Added a Grok pattern to map "resource" to "target.url".
2024-11-04 Enhancement:
- Mapped "cu_rule_category" value to "security_result.rule_name".
2024-10-30 Enhancement:
- Modified the Grok pattern to extract correct "service" data.
2024-10-14 Enhancement:
- Mapped "log Update" value to "additional.fields".
- Mapped "log_sys_message" to "metadata.description".
2024-09-18 Enhancement:
- When "Action" is equal to "Prevent", then mapped "security_result.action" to "BLOCK".
2024-08-30 Enhancement:
- Mapped "layer_name" to "security_result.detection_fields".
2024-08-28 Enhancement:
- Modified the condition to parse new format of SYSLOG + KV logs.
2024-08-14 Enhancement:
- Added a "gsub" for field "service".
2024-08-14 Enhancement:
- Added a "gsub" for field "service".
2024-08-13 Enhancement:
- Removed "target.ip" and "target.asset.ip" mappings for "origin".
2024-08-02 Enhancement:
- Mapped "feature_name" and "securexl_message" to "additional.fields".
2024-07-30 Enhancement:
- Mapped "emailSubject" to "network.email.subject".
- Mapped "cat" to "security_result.detection_fields".
- Mapped "url" to "principal.url".
- Mapped "srcPostNAT" to "principal.nat_ip".
- Mapped "dstPostNAT" to "target.nat_ip".
- Mapped "srcPostNATPort" to "principal.nat_port".
- Mapped "dstPostNATPort" to "target.nat_port".
- Removed mapping for field "origin" from "target.ip".
2024-07-18 Enhancement:
- Added support for some of the unmapped fields for product "Application Control"
2024-07-11 Reviewer-suggested edit
Enhancement:
- Mapped svc to the target port.
- Added if block for the "action.details" value "0".
- Added null check for "security_result.detection_fields".
2024-06-26 Enhancement:
- Added support for some of the unmapped fields(CEF format logs) for product "VPN-1 & FireWall-1"
- list of fields added:
- fw_subproduct
- src_user_dn
- hll_key
- nat_rulenum
- security_inzone
- security_outzone
- snid
- drop_reason
- reason
- match_id
- parent_rule
- ifname
- logid
- sequencenum
- version
- service_id
- community
- lastupdatetime
- vpn_feature_name
- conn_direction
- contextnum
- context_num
- certificate_validity
- nat_addtnl_rulenum
- nat_rule_uid
- needs_browse_time
- sig_id
- sni
- tls_server_host_name
- log_delay
- dst_user_dn
- rpc_interface_uuid
- icmp
2024-06-26 Enhancement:
- Added support for some of the unmapped fields(CEF format logs) for product "VPN-1 & FireWall-1"
- list of fields added:
- fw_subproduct
- src_user_dn
- hll_key
- nat_rulenum
- security_inzone
- security_outzone
- snid
- drop_reason
- reason
- match_id
- parent_rule
- ifname
- logid
- sequencenum
- version
- service_id
- community
- lastupdatetime
- vpn_feature_name
- conn_direction
- contextnum
- context_num
- certificate_validity
- nat_addtnl_rulenum
- nat_rule_uid
- needs_browse_time
- sig_id
- sni
- tls_server_host_name
- log_delay
- dst_user_dn
- rpc_interface_uuid
- icmp
2024-06-14 Enhancement:
- If "Action" is "Detect" or "detect", then changed the mapping of "security_result.action" from "QUARANTINE" to "ALLOW".
2024-06-11 Enhancement:
- Mapped "dns_query" to "network.dns.questions".
2024-05-29 Enhancement:
- Mapped "layer_uuid_rule_uuid" to "security_result.rule_id".
- Mapped "domain" to "principal.administrative_domain".
- Mapped "fservice", "appi_name", "app_risk", and "policy_name" to "security_result.detection_fields".
- Mapped "packets", "__id", "dedup_time", "browse_time", "bytes", "product_family", "hll_key", and "calc_service" to "additional.fields".
- Mapped "id" to "metadata.product_log_id".
- Mapped "orig_log_server" to "principal.resource.product_object_id".
- Mapped "environment_id" to "target.resource.product_object_id".
- Mapped "client_outbound_packets" and "client_inbound_packets" to "principal.resource.attribute.labels".
- Mapped "server_outbound_bytes" and "server_inbound_bytes" to "target.resource.attribute.labels".
- Mapped "orig" to "principal.hostname" and "principal.asset.hostname".
- Mapped "orig_log_server_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "proto" to "network.ip_protocol".
2024-05-20 Enhancement:
- Added a Grok pattern to extract "inter_host".
- Mapped "inter_host" to "intermediary.hostname".
2024-04-19 Enhancement and Bug-Fix:
- Mapped "origin" to "target.ip" and "target.asset.ip".
- Added new Grok patterns to parse new format of SYSLOG logs.
- Mapped "smartdefense_profile", "malware_rule_id", and "malware_rule_name" to "security_result.detection_fields".
- Mapped "sequencenum", "description_url", "industry_reference", "mitre_execution", "packet_capture_name", "packet_capture_unique_id", "packet_capture_time", and "performance_impact" to "additional.fields".
- Mapped "version" to "metadata.product_version".
- Mapped "http_host" to "target.resource.attribute.labels".
- Mapped "log_id" to "metadata.product_log_id".
- Mapped "user_agent" to "network.http.user_agent" and "http.parsed_user_agent".
- Mapped "hostname", "dvc", and "principal_hostname" to "target.hostname" and "target.asset.hostname".
- If "has_principal" is "true", "has_target" is "true", and "Action"/"action" is "Log In" or "Failed Log In" or "Failed Login" or "Update", then set "metadata.event_type" to "USER_LOGIN" and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED".
- If "has_principal" is "true", "has_target" is "true", and "Action"/"act"/"event_type" is "Log Out" or "Logout", then set "metadata.event_type" to "USER_LOGOUT" and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED".
- If "has_principal" is "true", "has_target" is "true", then set "metadata.event_type" to "NETWORK_CONNECTION".
- If "has_principal" is "true", "has_target" is "false", then set "metadata.event_type" to "STATUS_UPDATE".
2024-02-07 Enhancement: Added mapping for the following fields:
- Mapped "protection_id", "malware_action", "malware_family,protection_name", "protection_type" to "security_result.detection_fields".
- Mapped "confidence_level" to "security_result.confidence" and "security_result.confidence_details".
2024-02-05 Enhancement: Added mapping for the following fields:
- Mapped "method" to "network.http.method".
2024-01-24 Enhancement: Added mapping for the following fields:
- Mapped "method" to "network.http.method".
- Mapped "duration" to "network.session_duration.seconds".
- Mapped "additional_info" to "security_result.description".
- Mapped "operation" to "security_result.summary".
- Mapped "subject" to "metadata.description".
- Mapped "principal_hostname" to "intermediary.hostname".
- Mapped "tcp_packet_out_of_state", "aggregated_log_count", "connection_count", "appi_name", "src_user_dn",
"update_count", "additional_info", "administrator", "operation", "sendtotrackerasadvancedauditlog",
"subject", "fieldschanges", "logic_changes", "objecttype", "session_description",
"session_name" to "security_result.detection_fields".
2023-12-27 Enhancement: Added mapping for the following fields:
- Mapped "flags" to "security_result.detection_fields".
- Mapped "tcp_flags" to "security_result.detection_fields".
- Mapped "tcp_packet_out_of_state" to "security_result.detection_fields".
2023-12-11 Enhancement:
- If "principal_hostname" is a valid ip, mapped it to "principal.ip".
- If "principal_hostname" is not a valid ip, mapped it to "principal.hostname".
- Mapped "sport_svc" to "principal.port".
- Mapped "ProductFamily" to "additional.fields".
- Mapped "mitre_initial_access" to "security_result.detection_fields".
- Mapped "policy_time" to "security_result.detection_fields".
- Mapped "profile" to "security_result.detection_fields".
- Mapped "reject_id_kid" to "security_result.detection_fields".
- Mapped "ser_agent_kid" to "security_result.detection_fields".
2023-10-11 Enhancement:
- If "product" is "New Anti Virus", then the mapping from "firewall management node" to "principal.hostname" is removed and instead mapped to "security_result.detection_fields".
2023-07-06 Enhancement: Added mapping for the following fields:
- Mapped "app_category" to "security_result.category_details".
- Mapped "matched_category" to "security_result.detection_fields".
- Mapped "app_properties" to "security_result.detection_fields".
2023-06-14 Enhancement: Added mapping for following fields
- Mapped "conn_direction" to "additional.fields".
- Modified gsub's so as not to replace the ":" with "=" from actual values.
2023-05-12 Enhancement: Added mapping for following fields
- Mapped "rule_name" to "security_result.rule_name".
- Mapped "rule","sub_policy_name","sub_policy_uid","smartdefense_profile","tags","flexString2" to "security_result.detection_fields".
Enhancement:
- Added new Grok pattern to support the new log formats.
- Mapped "dvc" to "intermediary.hostname".
- Mapped "hostname" to "intermediary.hostname".
- Mapped "origin_sic_name" to "intermediary.asset_id".
- Mapped "conn_direction" to "network.ip_protocol".
- Mapped "ifname" to "security_result.detection_fields".
- Mapped "security_inzone" to "security_result.detection_fields".
- Mapped "match_id" to "security_result.detection_fields".
- Mapped "parent_rule" to "security_result.detection_fields".
- Mapped "security_outzone" to "security_result.detection_fields".
- Mapped "sub_policy_name" to "security_result.detection_fields".
- Mapped "sub_policy_uid" to "security_result.detection_fields".
- Mapped "drop_reason" to "security_result.summary".
- Mapped "reason" to "security_result.summary".
- Mapped "xlatesport" to "principal.nat_port".
- Mapped "xlatedport" to "target.nat_port".
- Mapped "ipv6_dst" to "target.ip".
- Mapped "ipv6_src" to "principal.ip".
2023-04-24 Enhancement:
- Added support for logs with CEF format.
2022-11-18 Enhancement:
- Modified mapping for "service" and mapped it to "target.port".
2022-10-27 Enhancement:
- Added conditional check for "attack","attack_info","policy_name".
- Added grok pattern to retrieve "principal_hostname".
- Added gsub to change "=" to ":".
- Modified mapping for "service" and mapped it to "target.resource.attribute.labels".
2022-10-13 Enhancement:
- Mapped the field 'fw_subproduct' to 'metadata.product_name'.
- Added grok pattern to extract the ip form the field 'src'.
2022-08-30 Enhancement:
- Merged the changes of Customer-specific versions to default.
- Undropped the logs containing "*****" in UserCheck.
2022-08-18 Enhancement:
- Mapped "portal_message" to "security_result.description".
- Mapped "security_result.category" as "SOFTWARE_MALICIOUS" in case "portal_message" contains keywords "malware/malicious".
- Mapped "URL" to "security_result.about.url".
- Mapped "Activity" to "security_result.summary".
- Mapped "Reference" to "security_result.about.resource.attribute.labels".
- Modified "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" by replicating the value of "intermediary.ip" to "principal.ip".
2022-08-12 Enhancement:
- Mapped "malware_action", "malware_family,protection_name", "protection_type" to "security_result.about.resource.attribute.labels".
- Mapped "src_machine_name" to "security_result.detection_fields".
2022-06-30 Enhancement:
- Mapped "message_info" to "metadata.description".
2022-06-17 Enhancement:
- Added conditional checks for fields "nat_rulenum", "rule", "sent_bytes", "received_bytes", "s_port", "service".
- Modified event_types for the following cases:
- "GENERIC_EVENT" to "NETWORK_CONNECTION" where "principal.ip or principal.hostname" and "target.ip or target.hostname" are not null.
- "GENERIC_EVENT" to "STATUS_UNCATEGORIZED" where "principal.ip or principal.hostname" is not null.
2022-06-14 Enhancement:
- Modified the parser to parse more logs by removing the condition check for passwd.
2022-06-07 Enhancement:
- Mapped src_machine_name to security_result.detection_fields.
2022-05-19 Enhancement:
- Mapped inzone, outzone, layer_name, layer_uuid and policy_name to security_result.detection_fields.
- Mapped service_id to principal.application.