Change log for CORTEX_XDR
| Date | Changes |
|---|---|
| 2024-03-11 | Enhancement:<br>- Added support for CEF format logs.<br>- Mapped "rt" to "metadata.event_timestamp".<br>- Mapped "category" and "cat" to "security_result.category_details".<br>- Mapped "cs2Label", "cs2", "tenantname", "tenantCDLid" and "CSPaccountname" to "additional.fields".<br>- Mapped "shost" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "spt" to "principal.port".<br>- Mapped "src" to "principal.ip" and "principal.asset.ip".<br>- Mapped "suser" to "principal.user.user_display_name".<br>- Mapped "dpt" to "target.port".<br>- Mapped "dst" to "target.ip" and "target.asset.ip".<br>- Mapped "fileHash" to "target.file.sha256".<br>- Mapped "filePath" to "target.file.full_path".<br>- Mapped "request" to "network.http.referral_url".<br>- Mapped "msg" to "security_result.description". |
| 2024-01-18 | Enhancement:<br>- Changed the "action_file_path" mapping from "target.file.full_path" to "target.resource.attribute.labels".<br>- Mapped "domain" to "target.asset.hostname".<br>- Mapped "destinationTranslatedAddress" to "target.asset.ip".<br>- Mapped "host_name" to "principal.asset.hostname".<br>- Mapped "dvchost" to "principal.asset.hostname".<br>- Mapped "ip" to "principal.asset.ip".<br>- Mapped "sourceTranslatedAddress" to "principal.asset.ip". |
| 2023-11-10 | Enhancement:<br>- When "event_type" is "RPC Call", mapped "metadata.event_type" to "STATUS_UPDATE".<br>- Mapped "events.action_country" to "security_result.about.location.country_or_region".<br>- Mapped "events.actor_process_command_line" to "target.process.command_line".<br>- Mapped "events.actor_process_image_md5" to "target.file.md5".<br>- Mapped "events.actor_process_image_path" to "target.file.full_path".<br>- Mapped "events.actor_process_image_sha256" to "target.file.sha256".<br>- Mapped "events.actor_process_instance_id" to "target.process.pid".<br>- Mapped "events.os_actor_process_command_line" to "principal.process.command_line".<br>- Mapped "events.os_actor_process_image_path" to "principal.file.full_path".<br>- Mapped "events.os_actor_process_image_sha256" to "principal.file.sha256".<br>- Mapped "events.os_actor_process_instance_id" to "principal.process.pid".<br>- Mapped "events.causality_actor_process_command_line" to "intermediary.process.command_line".<br>- Mapped "events.causality_actor_process_image_path" to "intermediary.file.full_path".<br>- Mapped "events.causality_actor_process_image_sha256" to "intermediary.file.sha256".<br>- Mapped "events.causality_actor_process_instance_id" to "intermediary.process.pid".<br>- Mapped "events.causality_actor_process_image_md5" to "intermediary.file.md5".<br>- Mapped "events.event_type" to "metadata.product_event_type".<br>- Mapped "events.user_name" to "principal.user.user_display_name". |
| 2023-10-16 | Enhancement:<br>- Mapped "source" to "principal.asset.attribute.labels".<br>- Set "metadata.event_type" to "NETWORK_CONNECTION" when "event_type" is "Network Connections" or "Network Event". |
| 2022-11-03 | Enhancement:<br>- Mapped "PanOSConfigVersion" to "security_result.detection_fields".<br>- Mapped "PanOSContentVersion" to "security_result.detection_fields".<br>- Mapped "PanOSDGHierarchyLevel1" to "security_result.detection_fields".<br>- Mapped "PanOSDestinationLocation" to "target.location.country_or_region".<br>- Mapped "PanOSDynamicUserGroupName" to "principal.group.group_display_name".<br>- Mapped "PanOSSourceLocation" to "principal.location.country_or_region".<br>- Mapped "PanOSThreatCategory" to "security_result.category_details".<br>- Mapped "PanOSThreatID" to "security_result.threat_id".<br>- Mapped "app" to "target.application".<br>- Mapped "cs1" to "additional.fields".<br>- Mapped "cs3" to "additional.fields".<br>- Mapped "cs4" to "additional.fields".<br>- Mapped "cs5" to "additional.fields".<br>- Mapped "cs6" to "additional.fields".<br>- Mapped "cn1" to "additional.fields".<br>- Mapped "sourceTranslatedPort" to "principal.port".<br>- Mapped "sourceTranslatedAddress" to "principal.ip".<br>- Mapped "destinationTranslatedAddress" to "target.ip".<br>- Mapped "destinationTranslatedPort" to "target.port".<br>- Mapped "act" to "security_result.action_details".<br>- Mapped "deviceExternalId" to "security_result.about.asset_id".<br>- Mapped "dvchost" to "principal.hostname".<br>- Mapped "proto" to "network.ip_protocol".<br>- Mapped "fileId" to "target.resource.attribute.labels". |
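The following added example (not the Cortex XDR parser itself, nor code from this change log) shows what the 2024-03-11 CEF mapping implies in practice: it parses one CEF line, handling the CEF `\=` and `\\` escapes, and places each extension key in the UDM paths the entry lists, so the output of the real parser can be compared against a known event. The sample event and the dict layout of the UDM record are constructed for illustration.

```python
import re
from datetime import datetime, timezone

CEF_TO_UDM = {  # CEF extension key -> UDM path(s), as the 2024-03-11 entry above lists them
    "cat": ["security_result.category_details"], "category": ["security_result.category_details"],
    "shost": ["principal.hostname", "principal.asset.hostname"], "spt": ["principal.port"],
    "src": ["principal.ip", "principal.asset.ip"], "suser": ["principal.user.user_display_name"],
    "dst": ["target.ip", "target.asset.ip"], "dpt": ["target.port"],
    "fileHash": ["target.file.sha256"], "filePath": ["target.file.full_path"],
    "request": ["network.http.referral_url"], "msg": ["security_result.description"],
}
ADDITIONAL = {"tenantname", "tenantCDLid", "CSPaccountname"}  # stored under additional.fields

def parse_cef_extension(ext):  # split "k=v k2=v2", honouring the CEF escapes \= and \\
    pattern = r"([\w.]+)=((?:\\.|[^\\])*?)(?=\s[\w.]+=|$)"
    return {m.group(1): m.group(2).replace("\\=", "=").replace("\\\\", "\\")
            for m in re.finditer(pattern, ext)}

def set_path(obj, dotted, value):  # assign at a dotted UDM path, creating nested dicts
    *parents, leaf = dotted.split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[leaf] = value

def cef_to_udm(line):  # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields = parse_cef_extension(parts[7])
    udm = {"additional": {"fields": {}}}
    for key, value in fields.items():
        if key in ("spt", "dpt") and value.isdigit():
            value = int(value)  # UDM ports are integers
        for path in CEF_TO_UDM.get(key, []):
            set_path(udm, path, value)
        if key in ADDITIONAL:
            udm["additional"]["fields"][key] = value
    if "rt" in fields:  # epoch milliseconds -> RFC 3339; any other form is kept verbatim
        rt = fields["rt"]
        if rt.isdigit():
            rt = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
        set_path(udm, "metadata.event_timestamp", rt)
    if "cs2" in fields:  # custom string 2 is keyed by the label the sender supplied
        udm["additional"]["fields"][fields.get("cs2Label", "cs2")] = fields["cs2"]
    return udm

SAMPLE = (  # constructed sample event (not a real Cortex XDR record); escapes per the CEF spec
    "CEF:0|Palo Alto Networks|Cortex XDR|3.0|1|Malware|8|"
    "rt=1710152100000 cat=Malware shost=ws-01 src=10.0.0.5 spt=49152 dst=203.0.113.9 dpt=443 "
    r"suser=jdoe filePath=C:\\Users\\jdoe\\run.exe cs2Label=Tenant cs2=acme msg=Blocked a\=b")
```

Running `cef_to_udm(SAMPLE)` yields the host, IP and port fields duplicated into both the direct and the `asset` paths exactly as the entry describes, with `cs2` appearing under its `cs2Label` name in `additional.fields`.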