Change log for CS_DETECTS

Date	Changes
2024-10-11	- Added support for the CrowdStrike alert logs.
2024-09-12	Enhancement: - Mapped "status" to "security_result.detection_fields". - When "status" is not "cleared", then removed mapping of "security_result.threat_status".
2024-04-02	Enhancement: - Mapped "first_behavior" to "metadata.event_timestamp". - Mapped "created_timestamp" to "metadata.collected_timestamp". - Mapped "url_back_to_product" to "metadata.url_back_to_product". - Changed mapping of "device.external_ip" from "target.ip"" to "principal.nat_ip". - Changed mapping of "device.platform_name" from "target.asset.platform_software.platform" to "principal.asset.platform_software.platform". - Changed mapping of "device.os_version" from "target.asset.platform_software.platform_version" to "principal.asset.platform_software.platform_version". - Changed mapping of "device.agent_version" from "target.asset.platform_software.platform_patch_level" to "principal.asset.platform_software.platform_patch_level". - Changed mapping of "device.first_seen" from "target.asset.first_seen_time" to "principal.asset.first_seen_time". - Changed mapping of "device.last_seen" from "target.asset.attribute.labels" to "principal.asset.attribute.labels". - Changed mapping of "device.product_type_desc" from "target.asset.type" to "principal.asset.type". - Changed mapping of "behavior.device_id" from "target.asset_id" to "principal.asset_id".
2024-03-20	Enhancement: - Mapped "behavior.display_name" to "security_result.summary". - When index is "0", then mapped "behavior.technique" to "security_result.rule_name". - When index is "0", then mapped "behavior.technique_id" to "security_result.rule_id". - When index is "0", then mapped "behavior.confidence" to "security_result.confidence_details".
2024-01-31	Bug-Fix: - Added data check before mapping "behavior.ioc_value" to "target.file.sha256". - Added data check before mapping "behavior.sha256" to "target.file.sha256". - Added data check before mapping "behavior.md5" to "target.process.file.md5". - Added data check before mapping "behavior.parent_details.parent_md5" to "target.process.file.md5". - Added data check before mapping "behavior.parent_details.parent_sha256" to "target.process.parent_process.file.sha256".
2023-07-21	- Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
2023-06-07	- Mapped "behaviors.tactic" to "security_result.attack_details.tactics.name". - Mapped "behaviors.tactic_id" to "security_result.attack_details.tactics.id". - Mapped "behaviors.technique" to "security_result.attack_details.techniques.name". - Mapped "behaviors.technique_id" to "security_result.attack_details.techniques.id".
2023-04-26	Fix - - Mapped "metadata.event_type" to "GENERIC_EVENT" if both "device.local_ip" and "device.hostname" are null. - Mapped "behavior.ioc_source" to "metadata.product_event_type". - Mapped "behavior.ioc_description" to "target.file.full_path". - If "behavior.ioc_type" is "exe", then "target.file.file_type" is set to "FILE_TYPE_PE_EXE". - Mapped "behavior.ioc_value" to "target.file.sha256". - Mapped "behavior.filename" to "security_result.threat_name".
2023-02-28	Enhancement - - Mapped "device.platform_name" to "target.asset.platform_software.platform". - Mapped "device.os_version" to "target.asset.platform_software.platform_version". - Mapped "device.agent_version" to "target.asset.platform_software.platform_patch_level". - Mapped "device.first_seen" to "target.asset.first_seen_time". - Mapped "device.last_seen" to "target.asset.attribute.labels". - Mapped "device.product_type_desc" as follow: - if "device.product_type_desc" is "Mobile" then mapped "target.asset.type" as "Mobile". - if "device.product_type_desc" is "WORKSTATION" then mapped "target.asset.type" as "Compute" or "Workstation". - if "device.product_type_desc" is "IOT" then mapped "target.asset.type" as "Iot". - if "device.product_type_desc" is "SERVER" then mapped "target.asset.type" as "Server". - else mapped the field "device.product_type_desc" to "target.asset.attribute.labels". - Mapped "max_severity_displayname" to "security_result.severity".
2023-02-17	Enhancement - - If "detection_id" is not null and "url_back_to_product" is not null then mapped "url_back_to_product/activity/detections/detail/detection_id_values.1/detection_id_values.2?_cid=%{cid}" to "metadata.url_back_to_product".
2023-02-07	Enhancement - - Mapped "behavior.timestamp" to "security_result.detection_fields". - Mapped "behavior.behavior_id" to "security_result.detection_fields". - Mapped each behavior into a different security_result.
2023-02-01	Enhancement - - Mapped "max_severity_displayname" to "security_result.severity". - Mapped "security_result.action" to "BLOCK" and "security_result.threat_status" to "CLEARED" if any of ["kill_process", "kill_subprocess", "kill_parent", "operation_blocked", "process_blocked", "registry_operation_blocked", "fs_operation_blocked", "suspend_process", "suspend_parent"] are true. - Mapped "security_result.action" to "QUARANTINE" and "security_result.threat_status" to "CLEARED" if "quarantine_file" or "quarantine_machine" are true.
2022-09-29	Enhancement - - Mapped "metadata.product_name" to "Falcon". - Mapped "metadata.vendor_name" to "Crowdstrike". - Mapped "security_result.alert_state" to "ALERTING".
2022-09-21	Enhancement - - Changed "metadata.event_type" from PROCESS_UNCATEGORIZED to SCAN_UNCATEGORIZED where technique is Indicator of Compromise. - Added sha256 format regex check for "behavior.sha256" and "behavior.parent_details.parent_sha256" prior mapping them to udm.
2022-08-25	Bug: - Added md5 format regex check for "behavior.md5" and "behavior.parent_details.parent_md5" prior mapping them to udm. - Dropped the logs that are malformed and has no valid data.
2022-08-16	Enhancement - - Modified mapping of cid from metadata.product_log_id to metadata.product_deployment_id. - Mapped detection_id to metadata.product_log_id. - Mapped created_timestamp to metadata.event_timestamp.
2022-08-09	Newly created parser.