Change log for CISCO_FIREPOWER_FIREWALL

Date Changes
2024-12-06 Enhancement:
- Added support for a new pattern of syslog logs.
- Mapped "path" to "principal.process.file.full_path".
- Mapped "event_name" to "metadata.product_event_type".
- Mapped "description" to "metadata.description".
- Mapped "host" to "principal.hostname" and "principal.asset.hostname".
- Mapped "srcuser" to "principal.user.userid" and "user_display_name" , and set "metadata.event_type" to "USER_UNCATEGORIZED"
- Mapped "src_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "src_port" to "principal.port".
2024-12-05 Enhancement:
- Added support for a new pattern of JSON logs.
2024-11-28 Enhancement:
- Added support for a new pattern of syslog logs.
- Mapped "username2" to "target.user.userid".
- Mapped "pwd" to "target.file.full_path".
- Mapped "command" to "target.process.command_line".
2024-11-13 Enhancement:
- Added support for new pattern of syslog logs.
- Mapped "username" to "principal.user.userid".
- Mapped "action" to "metadata.ingestion_labels".
- Mapped "bytes_transferred" to "network.sent_bytes".
2024-11-06 Enhancement:
- Added support for new pattern of syslog logs.
2024-11-05 Enhancement:
- Added support to parse a new format of syslog logs.
2024-11-05 Enhancement:
- Added support to parse a new format of syslog logs.
2024-08-13 Enhancement:
- Added support to parse a new format of unparsed KV logs.
2024-08-08 Enhancement:
- Added support to parse a new format of unparsed logs.
2024-07-15 Enhancement:
- Added support to parse the unparsed logs with "eventId" as "106016", "302021", and "302020".
2024-07-08 Enhancement:
- Added validation before setting the "metadata.event_type" to "FILE_CREATION" and "FILE_UNCATEGORIZED".
- When "SrcIP" and "DstIP" are not null, set "metadata.event_type" to "NETWORK_CONNECTION".
2024-06-28 Enhancement:
- Changed mapping for "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes".
- Changed mapping for "ResponderBytes" from "network.sent_bytes" to "network.received_bytes".
2024-06-11 Enhancement:
- Modified a Grok pattern to parse the intermediary hostname.
2024-06-11 Enhancement:
- Modified a Grok pattern to parse the intermediary hostname.
2024-04-12 Enhancement:
- Mapped "HTTP_Hostname" to "target.resource.attribute.labels".
- Mapped "HTTP_URI" to "target.resource.attribute.labels".
- When "InlineResult" is nearly equal to "Alert", then set "security_result.action" to "ALLOW".
- When "InlineResult" is nearly equal to "Dropped", then set "security_result.action" to "BLOCK".
- Mapped "InlineResult" to "security_result.action_details".
2024-04-06 Enhancement -
- Added a Grok pattern to parse the unparsed logs with "eventId" as "302022".
- Changed mapping of "metadata.product_event_type" from "eventId" to "action".
- Changed mapping of "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes".
2024-01-04 Enhancement:
- Added support for SFAUDIT syslog logs.
- Mapped "user_id_field" to "principal.user.userid".
- Mapped "http_method" to "network.http.method".
- Mapped "HTTPReferer" to "network.http.referral_url".
- Mapped "HTTPResponse" to "network.http.response_code".
- Mapped "event_name" to "metadata.product_event_type".
- Mapped "event_description" to "metadata.description".
- Mapped "event_summary" to "security_result.summary".
- Added Grok patterns to parse "intermediary.hostname" properly for new pattern of syslog logs.
- When "sysloghost" is a valid IP, then mapped it to "intermediary.ip".
- Added support for JSON logs.
- Mapped "userId" to "principal.user.userid".
- Mapped "sourceIpAddress" to "principal.ip".
- Mapped "sourcePortOrIcmpType" to "principal.port".
- Mapped "@computed.sensor" to "principal.hostname".
- Mapped "@computed.user" to "principal.user.user_display_name".
- Mapped "@computed.clientApplication" to "principal.application".
- Mapped "@computed.ingressInterface" to "principal.asset.attribute.labels".
- Mapped "@computed.sourceIpCountry" to "principal.location.country_or_region".
- Mapped "destinationIpAddress" to "target.ip".
- Mapped "destinationPortOrIcmpType" to "target.port".
- Mapped "@computed.destinationIpCountry" to "target.location.country_or_region".
- Mapped "ipProtocolId" to "network.ip_protocol".
- Mapped "httpResponse" to "network.http.response_code".
- Mapped "@computed.applicationProtocol" to "network.application_protocol".
- Mapped "ruleId" to "security_result.rule_id".
- Mapped "priorityId" to "security_result.priority_details".
- Mapped "@computed.priority" to "security_result.priority".
- Mapped "@computed.firewallPolicy" to "security_result.rule_name".
- Mapped "@computed.message" to "security_result.threat_name".
- Mapped "iocNumber" to "security_result.detection_fields".
- Mapped "recordLength" to "security_result.detection_fields".
- Mapped "@computed.classificationDescription" "security_result.description".
- Mapped "@computed.recordTypeDescription" to "metadata.description".
- Mapped "@computed.recordTypeCategory" to "metadata.product_event_type".
2023-12-26 Enhancement -
- Added a Grok pattern to parse the unparsed logs of type "%FTD-6-302303".
- Added an on_error for a kv block.
2023-09-12 Enhancement -
- Mapped "user_name" to "principal.user.email_addresses" and "client_ip" to "principal.ip" for "metadata.product_event_type" = "716001".
- Added a Grok pattern to parse the unparsed logs where "product" = "Intrusion".
2023-08-08 Bug-Fix -
- Added a Grok pattern to map the complete value present in the raw log to "intermediary.hostname".
2023-06-15 Enhancement -
- Added support for JSON format logs.
2023-06-07 Enhancement -
- Added new Grok pattern and mapped fields accordingly to parse unparsed logs.
2023-05-03 Enhancement -
- Modified Grok pattern to parse the failing logs.
- Corrected the logic to correctly map "network.direction" to the values "INBOUND" and "OUTBOUND".
2023-04-19 Enhancement -
- Modified g=Grok pattern to get valid hostname.
2023-04-06 Enhancement -
- Added a Grok pattern and mappings for EventId 106006.
2023-03-09 Enhancement -
- Mapped hostname form Syslog header to "intermediary.hostname".
- Removed mapping of src_ip/src_host to "observer.ip"/"observer.hostname".
- Added new grok patterns and mappings for EventIds 106001, 302015, 302016, 713219, 302013, 305012, 305011.
- Mapped severity to "security_result.severity" and "security_result.severity_details".
- Modified "metadata.event_type" to "NETWORK_CONNECTION" where "eventId" is 305011,305012,607001,302303.
- Mapped "network.direction" to INBOUND/OUTBOUND based on "src_interface_name", "dst_interface_name".
- Mapped "src_interface_name","dst_interface_name" to "metadata.ingestion_labels".
- Added check to "ApplicationProtocol" prior mapping to UDM.
2023-02-27 Enhancement
- Added Grok patterns and mappings for EventIds 302016,302014.
2023-01-27 Enhancement
- Mapped "observer.hostname","observer.ip" for thees product_event_type 430002,430003,430004,430005.
- Modified grok patterns for these EventIds 721018, 722055, 722023, 113009, 722037 to parse data correctly.
2022-11-25 Enhancement
- Added grok pattern for product_event_type [199017].
- Mapped "AUTH_VIOLATION" to security_result.category for product_event_type [199017].
- Mapped "USER_LOGIN" and "STATUS_UPDATE" event_type for product_event_type [199017].
- Mapped "target.user.userid" for product_event_type [199017].
- Mapped "extensions.auth.auth_details" for product_event_type [199017].
- Added grok pattern and "on_error" for product_event_type [713902].
- Modified "event_description" mapping for product_event_type [713902].
- Added "on_error" in grok for product_event_type [713903].
2022-07-07 Enhancement
- Removed is_alert where product_event_type is [430002,430003,313005,419002].
- Added is_alert where product_event_type is 430005.
2022-06-27 Mapped the following unparsed events:
[1:1000171:1] (Nmap), [122:1:1] (Portscan), [122:2:1] (Portscan), [122:8:1] (Portscan), [122:19:1] (Portsweep), [122:21:1] (Portscan), [122:22:1] (Portscan), [122:23:1], (Portsweep), [122:24:1] (Portscan), [122:7:1] (Portsweep),LOGSTASH[-].
Mapped "category" to "security_result.threat_name" where eventId is "http_inspect".
Mapped "category" to "security_result.threat_name" where eventId is "0" and product is "SFIMS".
Mapped "Classification" to "security_result.threat_name" where eventId is "430001".
Mapped "DeviceUUID" to "principal.resource.id" where eventId is "430001".
2022-06-09 Bug-
Added new field mapping. ACPolicy mapped to "security_result.rule_labels".
Removed field name from "security_result.confidence_details" value.
Removed field name from "security_result.rule_name" value.
2022-05-20 Bug-Fixed an error where SFIMS product logs were not being parsed.
2022-05-05 Enhancement-Moved customer specific to default and fixed incorrectly parsed metadata.event_timestamp.
2022-04-22 Enhancement-Fixed incorrectly parsed metadata.event_timestamp.
2022-04-13 Enhancement- mapped metadata.event_timestamp correctly for some unparsed logs
2022-04-04 Enhancement- Zones, interfaces, policy, user, bytes, Urlcategory and urlreputation fields are mapped.
2022-03-22 Enhancement-IngressZone,EgressZone,Priority,GID,SID,Revision,IntrusionPolicy fields are mapped.