Change log for CISCO_FIREPOWER_FIREWALL
Date | Changes |
---|---|
2024-08-13 | Enhancement:<br>- Added support to parse a new format of unparsed KV logs. |
2024-08-08 | Enhancement:<br>- Added support to parse a new format of unparsed logs. |
2024-07-15 | Enhancement:<br>- Added support to parse the unparsed logs with "eventId" as "106016", "302021", and "302020". |
2024-07-08 | Enhancement:<br>- Added validation before setting "metadata.event_type" to "FILE_CREATION" and "FILE_UNCATEGORIZED".<br>- When "SrcIP" and "DstIP" are not null, set "metadata.event_type" to "NETWORK_CONNECTION". |
2024-06-28 | Enhancement:<br>- Changed mapping for "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes".<br>- Changed mapping for "ResponderBytes" from "network.sent_bytes" to "network.received_bytes". |
2024-06-11 | Enhancement:<br>- Modified a Grok pattern to parse the intermediary hostname. |
2024-04-12 | Enhancement:<br>- Mapped "HTTP_Hostname" to "target.resource.attribute.labels".<br>- Mapped "HTTP_URI" to "target.resource.attribute.labels".<br>- When "InlineResult" is nearly equal to "Alert", set "security_result.action" to "ALLOW".<br>- When "InlineResult" is nearly equal to "Dropped", set "security_result.action" to "BLOCK".<br>- Mapped "InlineResult" to "security_result.action_details". |
2024-04-06 | Enhancement:<br>- Added a Grok pattern to parse the unparsed logs with "eventId" as "302022".<br>- Changed mapping of "metadata.product_event_type" from "eventId" to "action".<br>- Changed mapping of "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes". |
2024-01-04 | Enhancement:<br>- Added support for SFAUDIT syslog logs.<br>- Mapped "user_id_field" to "principal.user.userid".<br>- Mapped "http_method" to "network.http.method".<br>- Mapped "HTTPReferer" to "network.http.referral_url".<br>- Mapped "HTTPResponse" to "network.http.response_code".<br>- Mapped "event_name" to "metadata.product_event_type".<br>- Mapped "event_description" to "metadata.description".<br>- Mapped "event_summary" to "security_result.summary".<br>- Added Grok patterns to parse "intermediary.hostname" properly for the new pattern of syslog logs.<br>- When "sysloghost" is a valid IP, mapped it to "intermediary.ip".<br>- Added support for JSON logs.<br>- Mapped "userId" to "principal.user.userid".<br>- Mapped "sourceIpAddress" to "principal.ip".<br>- Mapped "sourcePortOrIcmpType" to "principal.port".<br>- Mapped "@computed.sensor" to "principal.hostname".<br>- Mapped "@computed.user" to "principal.user.user_display_name".<br>- Mapped "@computed.clientApplication" to "principal.application".<br>- Mapped "@computed.ingressInterface" to "principal.asset.attribute.labels".<br>- Mapped "@computed.sourceIpCountry" to "principal.location.country_or_region".<br>- Mapped "destinationIpAddress" to "target.ip".<br>- Mapped "destinationPortOrIcmpType" to "target.port".<br>- Mapped "@computed.destinationIpCountry" to "target.location.country_or_region".<br>- Mapped "ipProtocolId" to "network.ip_protocol".<br>- Mapped "httpResponse" to "network.http.response_code".<br>- Mapped "@computed.applicationProtocol" to "network.application_protocol".<br>- Mapped "ruleId" to "security_result.rule_id".<br>- Mapped "priorityId" to "security_result.priority_details".<br>- Mapped "@computed.priority" to "security_result.priority".<br>- Mapped "@computed.firewallPolicy" to "security_result.rule_name".<br>- Mapped "@computed.message" to "security_result.threat_name".<br>- Mapped "iocNumber" to "security_result.detection_fields".<br>- Mapped "recordLength" to "security_result.detection_fields".<br>- Mapped "@computed.classificationDescription" to "security_result.description".<br>- Mapped "@computed.recordTypeDescription" to "metadata.description".<br>- Mapped "@computed.recordTypeCategory" to "metadata.product_event_type". |
2023-12-26 | Enhancement:<br>- Added a Grok pattern to parse the unparsed logs of type "%FTD-6-302303".<br>- Added an on_error for a kv block. |
2023-09-12 | Enhancement:<br>- Mapped "user_name" to "principal.user.email_addresses" and "client_ip" to "principal.ip" for "metadata.product_event_type" = "716001".<br>- Added a Grok pattern to parse the unparsed logs where "product" = "Intrusion". |
2023-08-08 | Bug fix:<br>- Added a Grok pattern to map the complete value present in the raw log to "intermediary.hostname". |
2023-06-15 | Enhancement:<br>- Added support for JSON format logs. |
2023-06-07 | Enhancement:<br>- Added a new Grok pattern and mapped fields accordingly to parse unparsed logs. |
2023-05-03 | Enhancement:<br>- Modified a Grok pattern to parse the failing logs.<br>- Corrected the logic so that "network.direction" maps correctly to the values "INBOUND" and "OUTBOUND". |
2023-04-19 | Enhancement:<br>- Modified a Grok pattern to get a valid hostname. |
2023-04-06 | Enhancement:<br>- Added a Grok pattern and mappings for EventId 106006. |
2023-03-09 | Enhancement:<br>- Mapped the hostname from the Syslog header to "intermediary.hostname".<br>- Removed mapping of src_ip/src_host to "observer.ip"/"observer.hostname".<br>- Added new Grok patterns and mappings for EventIds 106001, 302015, 302016, 713219, 302013, 305012, 305011.<br>- Mapped severity to "security_result.severity" and "security_result.severity_details".<br>- Modified "metadata.event_type" to "NETWORK_CONNECTION" where "eventId" is 305011, 305012, 607001, 302303.<br>- Mapped "network.direction" to INBOUND/OUTBOUND based on "src_interface_name" and "dst_interface_name".<br>- Mapped "src_interface_name" and "dst_interface_name" to "metadata.ingestion_labels".<br>- Added a check on "ApplicationProtocol" prior to mapping it to UDM. |
2023-02-27 | Enhancement:<br>- Added Grok patterns and mappings for EventIds 302016, 302014. |
2023-01-27 | Enhancement:<br>- Mapped "observer.hostname" and "observer.ip" for these product_event_type values: 430002, 430003, 430004, 430005.<br>- Modified Grok patterns for these EventIds to parse data correctly: 721018, 722055, 722023, 113009, 722037. |
2022-11-25 | Enhancement:<br>- Added a Grok pattern for product_event_type [199017].<br>- Mapped "AUTH_VIOLATION" to security_result.category for product_event_type [199017].<br>- Mapped "USER_LOGIN" and "STATUS_UPDATE" event_type for product_event_type [199017].<br>- Mapped "target.user.userid" for product_event_type [199017].<br>- Mapped "extensions.auth.auth_details" for product_event_type [199017].<br>- Added a Grok pattern and "on_error" for product_event_type [713902].<br>- Modified "event_description" mapping for product_event_type [713902].<br>- Added "on_error" in Grok for product_event_type [713903]. |
2022-07-07 | Enhancement:<br>- Removed is_alert where product_event_type is [430002, 430003, 313005, 419002].<br>- Added is_alert where product_event_type is 430005. |
2022-06-27 | Enhancement:<br>- Mapped the following unparsed events: [1:1000171:1] (Nmap), [122:1:1] (Portscan), [122:2:1] (Portscan), [122:8:1] (Portscan), [122:19:1] (Portsweep), [122:21:1] (Portscan), [122:22:1] (Portscan), [122:23:1] (Portsweep), [122:24:1] (Portscan), [122:7:1] (Portsweep), LOGSTASH[-].<br>- Mapped "category" to "security_result.threat_name" where eventId is "http_inspect".<br>- Mapped "category" to "security_result.threat_name" where eventId is "0" and product is "SFIMS".<br>- Mapped "Classification" to "security_result.threat_name" where eventId is "430001".<br>- Mapped "DeviceUUID" to "principal.resource.id" where eventId is "430001". |
2022-06-09 | Bug fix:<br>- Added a new field mapping: "ACPolicy" mapped to "security_result.rule_labels".<br>- Removed the field name from the "security_result.confidence_details" value.<br>- Removed the field name from the "security_result.rule_name" value. |
2022-05-20 | Bug fix:<br>- Fixed an error where SFIMS product logs were not being parsed. |
2022-05-05 | Enhancement:<br>- Moved customer-specific parsing to default and fixed incorrectly parsed "metadata.event_timestamp". |
2022-04-22 | Enhancement:<br>- Fixed incorrectly parsed "metadata.event_timestamp". |
2022-04-13 | Enhancement:<br>- Mapped "metadata.event_timestamp" correctly for some unparsed logs. |
2022-04-04 | Enhancement:<br>- Mapped the Zones, interfaces, policy, user, bytes, Urlcategory and urlreputation fields. |
2022-03-22 | Enhancement:<br>- Mapped the IngressZone, EgressZone, Priority, GID, SID, Revision and IntrusionPolicy fields. |