Date Changes
2025-01-23 Enhancement:
- Mapped "urls" and "WbrsScore" to "security_result.detection_fields".
2024-12-16 Enhancement:
- Added support for the new SYSLOG log pattern.
- Added a new Grok pattern for "inner_message".
- Mapped "message_id2" to "".
- Mapped "injection_connection_id" to "network.session_id".
- Mapped "action" to "security_result.action_details".
- Mapped "address_clean" to "".
- Mapped "receiver" to "".
- Added a condition check for the "from" field before mapping it to "".
- Mapped "reply_to" to "".
- Added "on_error" for "gsub" function for "description".
- Mapped "inner_message" to "metadata.description".
2024-10-30 Bug-Fix:
- Changed mapping of "host_msg" from "principal.hostname" to "intermediary.hostname".
- Mapped "host_msg" to "intermediary.ip" when its value is an IP address.
2024-09-05 Enhancement:
- Mapped "host_msg" to "principal.hostname" and "principal.asset.hostname".
2023-10-05 Bug-Fix:
- Renamed the 'product_event' from 'amp' to 'SIEM_AMPenginelogs'.
2023-09-15 Enhancement:
- Added support for "SIEM_proxylogs", "SIEM_webrootlogs" and "SIEM_AMPenginelogs" JSON logs.
2023-09-04 Enhancement:
- Added a Grok pattern to parse unparsed logs and mapped the fields accordingly.
- Added support for new pattern of JSON logs.
2022-12-16 Enhancement:
- Modified conditional checks for the fields mapped to '', '', 'principal.user.email_addresses', 'target.user.email_addresses' and ''.
- Added support for JSON logs:
- Mapped the field 'host' to 'principal.hostname'.
- Mapped the field 'domain' to 'target.administrative_domain'.
- Mapped the field 'mail_id' to ''.
- Mapped the field 'mailto' to '' and 'target.user.email_addresses'.
- Mapped the field 'source' to 'network.ip_protocol'.
- Mapped the field 'reputation' to 'security_result.confidence_details'.
- Mapped the field 'log_type' to 'security_result.severity' and 'security_result.severity_details'.
- Mapped the field 'cribl_pipe' to 'additional.fields'.
2022-09-22 Enhancement:
- Added a Grok pattern for unparsed logs in which the "product_event" field is empty.
2022-08-02 Enhancement:
- Added conditions for the newly added "event_type" values "STATUS_UPDATE", "USER_UNCATEGORIZED" and "SCAN_PROCESS".
- Mapped "attack" to "security_result.category_details".
- Enhanced the parser to parse the "ESAAttachmentDetails" field across different log types.
2022-06-09 Enhancement:
- Mapped "from_user" to "principal.user.user_display_name".
- Updated "metadata.product_event_type" from "Consolidated Log Event" to "ESA_CONSOLIDATED_LOG_EVENT".
2022-06-07 Enhancement:
- Mapped "suser" to
2022-05-17 Enhancement:
- Mapped "duser" to
- Added "on_error" for the "product_version" and "product_description" fields to avoid mapping null values to UDM.
- Added logic to parse logs that start with the "DAY TIMESTAMP YEAR" format, for example: Wed Feb 18 00:34:12 2021.
2022-05-05 Enhancement:
- Used Grok for
2022-03-31 Enhancement:
- Added mappings for new fields.
- Mapped "ESAReplyTo" to
- Mapped "duser" to