Change log for CS_DETECTS
| Date | Changes |
|---|---|
| 2024-01-31 | Bug-Fix:
- Added data check before mapping "behavior.ioc_value" to "target.file.sha256". - Added data check before mapping "behavior.sha256" to "target.file.sha256". - Added data check before mapping "behavior.md5" to "target.process.file.md5". - Added data check before mapping "behavior.parent_details.parent_md5" to "target.process.file.md5". - Added data check before mapping "behavior.parent_details.parent_sha256" to "target.process.parent_process.file.sha256". |
| 2023-07-21 | - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
|
| 2023-06-07 | - Mapped "behaviors.tactic" to "security_result.attack_details.tactics.name".
- Mapped "behaviors.tactic_id" to "security_result.attack_details.tactics.id". - Mapped "behaviors.technique" to "security_result.attack_details.techniques.name". - Mapped "behaviors.technique_id" to "security_result.attack_details.techniques.id". |
| 2023-04-26 | Fix -
- Mapped "metadata.event_type" to "GENERIC_EVENT" if both "device.local_ip" and "device.hostname" are null. - Mapped "behavior.ioc_source" to "metadata.product_event_type". - Mapped "behavior.ioc_description" to "target.file.full_path". - If "behavior.ioc_type" is "exe", then "target.file.file_type" is set to "FILE_TYPE_PE_EXE". - Mapped "behavior.ioc_value" to "target.file.sha256". - Mapped "behavior.filename" to "security_result.threat_name". |
| 2023-02-28 | Enhancement -
- Mapped "device.platform_name" to "target.asset.platform_software.platform". - Mapped "device.os_version" to "target.asset.platform_software.platform_version". - Mapped "device.agent_version" to "target.asset.platform_software.platform_patch_level". - Mapped "device.first_seen" to "target.asset.first_seen_time". - Mapped "device.last_seen" to "target.asset.attribute.labels". - Mapped "device.product_type_desc" as follow: - if "device.product_type_desc" is "Mobile" then mapped "target.asset.type" as "Mobile". - if "device.product_type_desc" is "WORKSTATION" then mapped "target.asset.type" as "Compute" or "Workstation". - if "device.product_type_desc" is "IOT" then mapped "target.asset.type" as "Iot". - if "device.product_type_desc" is "SERVER" then mapped "target.asset.type" as "Server". - else mapped the field "device.product_type_desc" to "target.asset.attribute.labels". - Mapped "max_severity_displayname" to "security_result.severity". |
| 2023-02-17 | Enhancement -
- If "detection_id" is not null and "url_back_to_product" is not null then mapped "url_back_to_product/activity/detections/detail/detection_id_values.1/detection_id_values.2?_cid=%{cid}" to "metadata.url_back_to_product". |
| 2023-02-07 | Enhancement -
- Mapped "behavior.timestamp" to "security_result.detection_fields". - Mapped "behavior.behavior_id" to "security_result.detection_fields". - Mapped each behavior into a different security_result. |
| 2023-02-01 | Enhancement -
- Mapped "max_severity_displayname" to "security_result.severity". - Mapped "security_result.action" to "BLOCK" and "security_result.threat_status" to "CLEARED" if any of ["kill_process", "kill_subprocess", "kill_parent", "operation_blocked", "process_blocked", "registry_operation_blocked", "fs_operation_blocked", "suspend_process", "suspend_parent"] are true. - Mapped "security_result.action" to "QUARANTINE" and "security_result.threat_status" to "CLEARED" if "quarantine_file" or "quarantine_machine" are true. |
| 2022-09-29 | Enhancement -
- Mapped "metadata.product_name" to "Falcon". - Mapped "metadata.vendor_name" to "Crowdstrike". - Mapped "security_result.alert_state" to "ALERTING". |
| 2022-09-21 | Enhancement -
- Changed "metadata.event_type" from PROCESS_UNCATEGORIZED to SCAN_UNCATEGORIZED where technique is Indicator of Compromise. - Added sha256 format regex check for "behavior.sha256" and "behavior.parent_details.parent_sha256" prior mapping them to udm. |
| 2022-08-25 | Bug:
- Added md5 format regex check for "behavior.md5" and "behavior.parent_details.parent_md5" prior mapping them to udm. - Dropped the logs that are malformed and has no valid data. |
| 2022-08-16 | Enhancement -
- Modified mapping of cid from metadata.product_log_id to metadata.product_deployment_id. - Mapped detection_id to metadata.product_log_id. - Mapped created_timestamp to metadata.event_timestamp. |
| 2022-08-09 | Newly created parser.
|