Change log for CORTEX_XDR
| Date | Changes |
|---|---|
| 2024-11-18 | Enhancement: - Mapped "event_name" to "security_result.description". - Mapped "shost" to "principal.ip" and "principal.asset.ip". |
| 2024-08-20 | Enhancement: - Mapped "user_name" to "target.user.userid". |
| 2024-08-19 | Enhancement: - Mapped "actor_process_os_pid" to "target.process.pid". - Changed mapping of "alert_id" from "security_result.rule_id" to "security_result.detection_fields". - Changed mapping of "endpoint_id" from "target.process.product_specific_process_id" to "principal.asset.asset_id". - Added support for parsing a new format of JSON logs that were previously left unparsed. |
| 2024-07-02 | Enhancement: - Mapped "external_id" to "metadata.product_log_id". - Mapped "action_pretty" to "security_result.action_details". |
| 2024-06-17 | Enhancement: - When "severity" is less than or equal to 6, set "security_result.severity" to "LOW". - When "severity" is greater than 6 and less than or equal to 8, set "security_result.severity" to "MEDIUM". - When "severity" is greater than 8, set "security_result.severity" to "HIGH". - Mapped "action" to "security_result.action_details". - Mapped "original_tags" to "additional.fields". |
| 2024-04-17 | Enhancement: - Mapped "action_local_port" to "principal.port". - Mapped "dst_agent_id" to "principal.ip". - Mapped "action_remote_ip" to "target.ip". - Mapped "action_remote_port" to "target.port". - Added a check that "target_device" is present before setting "metadata.event_type" to "NETWORK_CONNECTION". |
| 2024-03-15 | Enhancement: - Added a Grok pattern to retrieve "source" and "sr_summary" from the message header. - Mapped "sr_summary" to "security_result.summary". |
| 2024-03-11 | Enhancement: - Added support for CEF format logs. - Mapped "rt" to "metadata.event_timestamp". - Mapped "category" and "cat" to "security_result.category_details". - Mapped "cs2Label", "cs2", "tenantname", "tenantCDLid" and "CSPaccountname" to "additional.fields". - Mapped "shost" to "principal.hostname" and "principal.asset.hostname". - Mapped "spt" to "principal.port". - Mapped "src" to "principal.ip" and "principal.asset.ip". - Mapped "suser" to "principal.user.user_display_name". - Mapped "dpt" to "target.port". - Mapped "dst" to "target.ip" and "target.asset.ip". - Mapped "fileHash" to "target.file.sha256". - Mapped "filePath" to "target.file.full_path". - Mapped "request" to "network.http.referral_url". - Mapped "msg" to "security_result.description". |
| 2024-01-18 | Enhancement: - Changed "action_file_path" mapping from "target.file.full_path" to "target.resource.attribute.labels". - Mapped "domain" to "target.asset.hostname". - Mapped "destinationTranslatedAddress" to "target.asset.ip". - Mapped "host_name" to "principal.asset.hostname". - Mapped "dvchost" to "principal.asset.hostname". - Mapped "ip" to "principal.asset.ip". - Mapped "sourceTranslatedAddress" to "principal.asset.ip". |
| 2023-11-10 | Enhancement: - When "event_type" is "RPC Call", set "metadata.event_type" to "STATUS_UPDATE". - Mapped "events.action_country" to "security_result.about.location.country_or_region". - Mapped "events.actor_process_command_line" to "target.process.command_line". - Mapped "events.actor_process_image_md5" to "target.file.md5". - Mapped "events.actor_process_image_path" to "target.file.full_path". - Mapped "events.actor_process_image_sha256" to "target.file.sha256". - Mapped "events.actor_process_instance_id" to "target.process.pid". - Mapped "events.os_actor_process_command_line" to "principal.process.command_line". - Mapped "events.os_actor_process_image_path" to "principal.file.full_path". - Mapped "events.os_actor_process_image_sha256" to "principal.file.sha256". - Mapped "events.os_actor_process_instance_id" to "principal.process.pid". - Mapped "events.causality_actor_process_command_line" to "intermediary.process.command_line". - Mapped "events.causality_actor_process_image_path" to "intermediary.file.full_path". - Mapped "events.causality_actor_process_image_sha256" to "intermediary.file.sha256". - Mapped "events.causality_actor_process_instance_id" to "intermediary.process.pid". - Mapped "events.causality_actor_process_image_md5" to "intermediary.file.md5". - Mapped "events.event_type" to "metadata.product_event_type". - Mapped "events.user_name" to "principal.user.user_display_name". |
| 2023-10-16 | Enhancement: - Mapped "source" to "principal.asset.attribute.labels". - Set "metadata.event_type" to "NETWORK_CONNECTION" when "event_type" is "Network Connections" or "Network Event". |
| 2022-11-03 | Enhancement: - Mapped "PanOSConfigVersion" to "security_result.detection_fields". - Mapped "PanOSContentVersion" to "security_result.detection_fields". - Mapped "PanOSDGHierarchyLevel1" to "security_result.detection_fields". - Mapped "PanOSDestinationLocation" to "target.location.country_or_region". - Mapped "PanOSDynamicUserGroupName" to "principal.group.group_display_name". - Mapped "PanOSSourceLocation" to "principal.location.country_or_region". - Mapped "PanOSThreatCategory" to "security_result.category_details". - Mapped "PanOSThreatID" to "security_result.threat_id". - Mapped "app" to "target.application". - Mapped "cs1" to "additional.fields". - Mapped "cs3" to "additional.fields". - Mapped "cs4" to "additional.fields". - Mapped "cs5" to "additional.fields". - Mapped "cs6" to "additional.fields". - Mapped "cn1" to "additional.fields". - Mapped "sourceTranslatedPort" to "principal.port". - Mapped "sourceTranslatedAddress" to "principal.ip". - Mapped "destinationTranslatedAddress" to "target.ip". - Mapped "destinationTranslatedPort" to "target.port". - Mapped "act" to "security_result.action_details". - Mapped "deviceExternalId" to "security_result.about.asset_id". - Mapped "dvchost" to "principal.hostname". - Mapped "proto" to "network.ip_protocol". - Mapped "fileId" to "target.resource.attribute.labels". |