Change log for CISCO_AMP
| Date | Changes |
|---|---|
| 2024-05-14 | Enhancement:<br>- Mapped "event_type_id" to "metadata.product_log_id".<br>- Mapped "detection_id" to "security_result.detection_fields".<br>- Mapped "file.disposition", "error.error_code", and "error.description" to "security_result.description".<br>- Mapped "file.file_name" to "target.file.names".<br>- Mapped "file.parent.disposition", "file.parent.file_name", "file.parent.identity.md5", "file.parent.identity.sha1", and "file.parent.identity.sha256" to "target.resource.attribute.labels".<br>- Mapped "file.identity.md5" to "target.file.md5".<br>- Mapped "file.identity.sha1" to "target.file.sha1". |
| 2024-02-23 | Enhancement:<br>- Added support to parse logs if "event_type" is "Component Download Success", "Scan Started", "Scan Completed, No Detections", "Product Update Started", "Product is already installed.", "Policy Update", "Install Started", "Product Update Failed", "Uninstall", "Endpoint IOC Definition Update Success", "Endpoint IOC Scan Started", "Policy Update Failure", "Endpoint IOC Scan Failed", "Major Fault Raised", "Critical Fault Raised", "Endpoint IOC Scan Detection Summary", "Endpoint IOC Configuration Update Success", "Scan Failed", "Fault Cleared", or "Install Failure". |