Change log for CISCO_EMAIL_SECURITY
| Date | Changes |
|---|---|
| 2024-10-30 | Bug-Fix:<br>- Changed mapping of "host_msg" from "principal.hostname" to "intermediary.hostname".<br>- When "host_msg" is an IP address, mapped "host_msg" to "intermediary.ip". |
| 2024-09-05 | Enhancement:<br>- Mapped "host_msg" to "principal.hostname" and "principal.asset.hostname". |
| 2023-10-05 | Bug-Fix:<br>- Renamed the "product_event" from "amp" to "SIEM_AMPenginelogs". |
| 2023-09-15 | Enhancement:<br>- Added support for "SIEM_proxylogs", "SIEM_webrootlogs" and "SIEM_AMPenginelogs" JSON logs. |
| 2023-09-04 | Enhancement:<br>- Added a Grok pattern to parse unparsed logs and mapped the fields accordingly.<br>- Added support for a new pattern of JSON logs. |
| 2022-12-16 | Enhancement:<br>- Modified conditional checks for the fields mapped to "network.email.to", "network.email.from", "principal.user.email_addresses", "target.user.email_addresses" and "network.email.reply_to".<br>- Added support for JSON logs, with the following field mappings:<br>- Mapped the field "host" to "principal.hostname".<br>- Mapped the field "domain" to "target.administrative_domain".<br>- Mapped the field "mail_id" to "network.email.mail_id".<br>- Mapped the field "mailto" to "network.email.to" and "target.user.email_addresses".<br>- Mapped the field "source" to "network.ip_protocol".<br>- Mapped the field "reputation" to "security_result.confidence_details".<br>- Mapped the field "log_type" to "security_result.severity" and "security_result.severity_details".<br>- Mapped the field "cribl_pipe" to "additional.fields". |
| 2022-09-22 | Enhancement:<br>- Added a Grok pattern for unparsed logs in which the field "product_event" is empty. |
| 2022-08-02 | Enhancement:<br>- Added conditions for the newly added event_type values "STATUS_UPDATE", "USER_UNCATEGORIZED" and "SCAN_PROCESS".<br>- Mapped "attack" to "security_result.category_details".<br>- Enhanced the parser to parse the "ESAAttachmentDetails" field across different types of logs. |
| 2022-06-09 | Enhancement:<br>- Mapped "from_user" to "principal.user.user_display_name".<br>- Updated "metadata.product_event_type" from "Consolidated Log Event" to "ESA_CONSOLIDATED_LOG_EVENT". |
| 2022-06-07 | Enhancement:<br>- Mapped "suser" to "network.email.bounce_address". |
| 2022-05-17 | Enhancement:<br>- Mapped "duser" to "network.email.to".<br>- Added on_error for the "product_version" and "product_description" fields to avoid mapping null values to UDM.<br>- Added additional logic to parse logs starting with a "DAY TIMESTAMP YEAR" format, for example: Wed Feb 18 00:34:12 2021. |
| 2022-05-05 | Enhancement:<br>- Used Grok for "network.email.from". |
| 2022-03-31 | Enhancement:<br>- Added mappings for new fields.<br>- Mapped "ESAReplyTo" to "network.email.reply_to".<br>- Mapped "duser" to "network.email.to". |