Change log for CISCO_ACS
Date | Changes |
---|---|
2023-09-26 | Enhancement -<br>- Initialized "hostname" to null and added a hostname not-null check prior to setting "metadata.event_type" to "STATUS_UPDATE".<br>- Added a valid IP address check to "kv.DeviceIPAddress" and "kv.Remote-Address" prior to mapping to UDM fields. |
2022-08-19 | Enhancement -<br>- Mapped "User-Name" to "principal.user.userid".<br>- Renamed "ip:source-ip" to "source_ip" and mapped it to "principal.ip".<br>- Renamed "kv.audit-session-id" to "kv.audit_session_id" and mapped it to "network.session_id".<br>- Mapped "kv.AuthenticationMethod" to "additional.fields".<br>- Mapped "kv.SelectedAccessService" to "additional.fields".<br>- Mapped "kv.SelectedAuthorizationProfiles" to "security_result.detection_fields".<br>- Mapped "kv.SelectedAuthenticationIdentityStores" to "security_result.detection_fields".<br>- Mapped "kv.device-uid-global" to "principal.asset.product_object_id".<br>- Mapped "kv.device-uid" to "principal.asset.asset_id".<br>- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where kv.DestinationIPAddress and kv.NAS-IP-Address and kv.NAS-IP-Address and kv.UserName and kv.NetworkDeviceName are null.<br>- Added support for logs in LEEF format. |
2022-06-14 | Enhancement -<br>- Modified grok to parse logs of log_type = "CSCOacs_Passed_Authentications" which were failing due to multiple spaces.<br>- Replaced the value of 'device-mac' with the dummy value of "00:00:00:00:00:00" for logtype "CSCOacs_RADIUS_Accounting" in case of invalid value (00). |
2022-06-06 | Enhancement -<br>- Parsed logs of type "CSCOacs_Passed_Authentications" that don't have either "DestinationIPAddress" or "NAS-IP-Address" present in the logs.<br>- Modified metadata.event_type from "USER_UNCATEGORIZED" to "USER_LOGIN" for logs of type "CSCOacs_Passed_Authentications". |
2022-05-05 | Enhancement - Newly ingested logs that do not have a message code are parsed and dropped. |
2022-04-27 | Enhancement - Parsed the logs with log_type=CISE_TACACS_Accounting. |