Change log for CS_EDR

Date Changes
2024-10-09 Enhancement:
- Mapped "SmbNamedPipeName" to "security_result.detection_fields".
- Mapped "RequestType" to "network.dns.question.type".
- Mapped "QueryStatus" to "network.dns.response_code".
- Mapped "IP4Records", "IP6Records" and "CNAMERecords" to "network.dns.answer.name".
2024-09-24 Enhancement:
- Added a Grok pattern to stop parsing IP addresses as "principal.hostname".
2024-09-19 Enhancement:
- Mapped "HttpRequest" to "target.ip".
- Mapped "HttpHost" to "target.hostname".
- Mapped "HttpPath" to "target.url".
2024-09-19 Enhancement:
- Mapped "HttpRequest" to "target.ip".
- Mapped "HttpHost" to "target.hostname".
- Mapped "HttpPath" to "target.url".
2024-09-12 Enhancement:
- For "FILE_CREATION" events when "ContextImageFileName" is not null, then mapped "ContextImageFileName" to "principal.process.file.full_path".
- Changed mapping of "OriginalFilename" from "target.process.file.exif_info.original_file" to "principal.process.file.exif_info.original_file".
2024-09-10 - Added support for a new pattern of JSON logs.
- Mapped "FileVersion" and "FixedFileVersion" to "additional.fields".
2024-09-03 Enhancement:
- Mapped "timestamp" to "metadata.event_timestamp".
2024-08-29 Bug-Fix:
- Added on_error to handle case when "TaskExecCommand" is null.
2024-08-20 Enhancement:
- Mapped "IsOnRemovableDisk", "RegOperationType", and "RegType" to "additional.fields".
2024-08-06 Enhancement:
- Mapped "tar_user" to "target.user.userid".
2024-07-24 Enhancement:
- Changed "LocalAddressIP4" mapping from "target.ip" to "principal.ip".
- When "direction" is "INBOUND", then changed "RemoteAddressIP4" mapping from "principal.ip" to "src.ip".
- When "direction" is "OUTBOUND", then changed "RemoteAddressIP4" mapping from "principal.ip" to "target.ip".
2024-07-08 Enhancement:
- Mapped "Description" to "security_result.description".
- Mapped "Name" to "security_result.threat_name".
- Mapped "CompositeId" to "additional.fields".
- Mapped "id" to "metadata.product_log_id".
2024-06-25 Enhancement:
- Mapped "SourceFileName" to "principal.process.file.full_path".
- Mapped "OdsFileName" and "ImageFileName" to "target.process.file.full_path".
- When "event_simpleName" is "MotwWritten", then mapped "metadata.event_type" to "FILE_CREATION".
2024-06-06 Enhancement:
- Mapped "OriginalFilename" to "target.process.file.exif_info.original_file".
2024-05-31 Enhancement:
- Mapped "os_version" to "principal.platform_version".
- Mapped "hostname" to "principal.hostname" and "principal.asset.hostname".
- Mapped "product_type_desc", "host_hidden_status", "scores.os", "scores.sensor", "scores.version", "scores.overall", and "scores.modified_time" to "security_result.detection_fields".
2024-05-23 Enhancement:
- Mapped "Version" to "principal.platform_version".
2024-05-21 Enhancement:
- When "event_simpleName" is "FileWritten", "NetworkConnect", or "DnsRequest", then mapped "ContextBaseFileName" to "principal.process.file.full_path".
- Mapped "QuarantinedFileName" to "principal.process.file.full_path".
2024-05-15 Enhancement:
- Mapped "Version", "BiosVersion" and "ChassisType" to "principal.asset.attribute.labels".
- Mapped "Continent", "OU" and "SiteName" to "additional.fields".
2024-04-17 Enhancement:
- Mapped "ModuleILPath" to "target.resource.attribute.labels".
2024-04-08 Bug-Fix:
- When "event_simpleName" is "ClassifiedModuleLoad", then changed "metadata.event_type" from "STATUS_UPDATE" to "PROCESS_MODULE_LOAD".
2024-02-21 Enhancement:
- Mapped "SubjectDN" to "security_result.about.artifact.last_https_certificate.subject".
- Mapped "IssuerDN" to "security_result.about.artifact.last_https_certificate.issuer".
- Mapped "SubjectCertValidTo" to "security_result.about.artifact.last_https_certificate.validity.issue_time"".
- Mapped "SubjectCertValidFrom" to "security_result.about.artifact.last_https_certificate.validity.expiry_time".
- Mapped "SubjectSerialNumber" to "security_result.about.artifact.last_https_certificate.serial_number".
- Mapped "SubjectVersion" to "security_result.about.artifact.last_https_certificate.version".
- Mapped "SubjectCertThumbprint" to "security_result.about.artifact.last_https_certificate.thumbprint".
- Mapped "SignatureDigestAlg" to "security_result.about.artifact.last_https_certificate.signature_algorithm".
- Mapped "SignatureDigestEncryptAlg" to "security_result.about.artifact.last_https_certificate.cert_signature.signature_algorithm".
- Mapped "AuthenticodeHashData" to "target.file.authentihash".
- Mapped "AuthorityKeyIdentifier" to "security_result.about.artifact.last_https_certificate.extension.authority_key_id.keyid" and "security_result.about.artifact.last_https_certificate.cert_extensions.fields".
- Mapped "SubjectKeyIdentifier" to "security_result.about.artifact.last_https_certificate.extension.subject_key_id" and "security_result.about.artifact.last_https_certificate.cert_extensions.fields".
- Mapped "OriginalFilename" to "additional.fields".
- Mapped "SignInfoFlagUnknownError", "SignInfoFlagHasValidSignature", "SignInfoFlagSignHashMismatch",
"AuthenticodeMatch", "SignInfoFlagMicrosoftSigned", "SignInfoFlagNoSignature", "SignInfoFlagInvalidSignChain",
"SignInfoFlagNoCodeKeyUsage", "SignInfoFlagNoEmbeddedCert", "SignInfoFlagThirdPartyRoot",
"SignInfoFlagCatalogSigned", "SignInfoFlagSelfSigned", "SignInfoFlagFailedCertCheck",
"SignInfoFlagEmbeddedSigned", "IssuerCN", "SubjectCN" to "security_result.detection_fields".
2023-12-22 - Mapped "HostUrl" to "target.url".
- Mapped "ReferrerUrl" to "network.http.referral_url".
2023-11-23 - When "is_alert" is set to "true", then mapped "event.idm.is_significant" to "true".
- When "is_alert" is set to "true", then mapped "event_simpleName" to "security_result.summary".
2023-10-11 - Added a regular expression check to validate SHA1, MD5 and SHA256 values.
2023-08-22 - Mapped "Technique" to "security_result.attack_details.techniques.name" and corresponding technique and tactic details.
2023-08-03 Enhancement:
- Mapped "ReflectiveDllName" to "target.file.full_path".
- Mapped "event_type" to "STATUS_UPDATE" for logs where the field "DomainName" is absent.
2023-08-01 - Mapped "Tactic" to "security_result.attack_details.tactics.name" and corresponding tactics.id.
2023-07-31 Bug-Fix-
- Added "on_error" check for date filter.
2023-06-19 - Mapped "ParentBaseFileName" to "principal.process.file.full_path".
- Removed mapping of "ImageFileName" to "target.file.full_path" as it is already mapped to "target.process.file.full_path" for events "ProcessRollup2" and "SyntheticProcessRollup2".
2023-05-12 Enhancement -
- Mapped 'aip' to 'intermediary.ip'.
2023-05-08 Bugfix - Convert time formats to string and handled nanoseconds time format.
2023-04-14 Enhancement - Modified "Severity" value of range[0-19] to "security_result.severity" as "INFORMATIONAL".
- Modified "Severity" value of range[20-39] to "security_result.severity" as "LOW".
- Modified "Severity" value of range[40-59] to "security_result.severity" as "MEDIUM".
- Modified "Severity" value of range[60-79] to "security_result.severity" as "HIGH".
- Modified "Severity" value of range[80-100] to "security_result.severity" as "CRITICAL".
- Mapped "PatternId" to "security_result.detection_fields".
- Mapped "SourceEndpointIpAddress" to "principal.ip".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "event_simpleName =~ userlogonfailed" and user information not present.
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "ExternalApiType = "Event_UserActivityAuditEvent"" and has user information.
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "event_simpleName =~ "ActiveDirectory".
- Mapped "TargetAccountObjectGuid" to "additional.fields".
- Mapped "TargetDomainControllerObjectGuid" to "additional.fields".
- Mapped "TargetDomainControllerObjectSid" to "additional.fields".
- Mapped "AggregationActivityCount" to "additional.fields".
- Mapped "TargetServiceAccessIdentifier" to "additional.fields".
- Mapped "SourceAccountUserPrincipal" to "principal.user.userid".
- Mapped "SourceEndpointAddressIP4" to "principal.ip".
- Mapped "SourceAccountObjectGuid" to "additional.fields".
- Mapped "AccountDomain" to "principal.administrative_domain".
- Mapped "AccountObjectGuid" to "metadata.product_log_id".
- Mapped "AccountObjectSid" to "principal.user.windows_sid".
- Mapped "SamAccountName" to "principal.user.user_display_name".
- Mapped "SourceAccountSamAccountName" to "principal.user.user_display_name".
- Mapped "IOARuleGroupName" to "security_result.detection_fields".
- Mapped "IOARuleName" to "security_result.detection_fields".
- Mapped "RemoteAddressIP4" to "target.ip" for "event_simpleName"="RegCredAccessDetectInfo".
2023-03-24 - Mapped "id" to "metadata.product_log_id" instead of "target.resource.id".
- Mapped "RegBinaryValue" to "target.registry.registry_value_data" if both "RegNumericValue" and "RegStringValue" are null.
2023-03-21 Enhancement -
- Mapped "BatchTimestamp", "GcpCreationTimestamp", "K8SCreationTimestamp", "AwsCreationTimestamp" to "metadata.event_timestamp".
- Mapped "FileOperatorSid"to "target.user.windows_sid".
2023-03-13 Enhancement -
- Mapped "LogonTime", "ProcessStartTime", "ContextTimeStamp", "ContextTimeStamp_decimal", and "AccountCreationTimeStamp" to "metadata.event_timestamp".
2023-03-10 Enhancement -
- Mapped "CallStackModuleNamesVersion","CallStackModuleNamesVersion" to security_result.detection_fields.
2023-02-28 Enhancement - Modified the following mappings for field "ParentProcessId" when "event_simpleName" is in ["ProcessRollup2", "SyntheticProcessRollup2"]
- "target.process.parent_process.pid" modified to "target.process.parent_process.product_specific_process_id"
2023-02-16 Enhancement -
- Mapped the field "AssociatedFile" to "security_result.detection_fields[n].value" and the "security_result.detection_fields[n].key" is mapped to "AssociatedIOCFile".
2023-02-09 Enhancement
- Remapped the fields getting mapped under "target.labels" to "target.resource.attribute.labels".
- Rectified the mapping for "ManagedPdbBuildPath" to "target.resource.attribute.labels".
2023-02-09 Enhancement
- Remapped the fields getting mapped under "target.labels" to "target.resource.attribute.labels".
- Rectified the mapping for "ManagedPdbBuildPath" to "target.resource.attribute.labels".
2023-01-15 BugFix -
-Remapped "aid" for "UserLogonFailed" event to "target.asset_id" from "principal.asset_id".
2023-01-13 Enhancement -
-User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".
-"AssemblyName","ManagedPdbBuildPath","ModuleILPath" mapped to "target.labels" when metadata.product_event_type = "ReflectiveDotnetModuleLoad"
-"VirtualDriveFileName","VolumeName" mapped to "target.labels" when metadata.product_event_type = "RemovableMediaVolumeMounted"
-"ImageFileName" mapped to "target.file.full_path" when metadata.product_event_type = "ClassifiedModuleLoad"
2023-01-13 Enhancement -
-User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".
-"AssemblyName","ManagedPdbBuildPath","ModuleILPath" mapped to "target.labels" when metadata.product_event_type = "ReflectiveDotnetModuleLoad"
-"VirtualDriveFileName","VolumeName" mapped to "target.labels" when metadata.product_event_type = "RemovableMediaVolumeMounted"
-"ImageFileName" mapped to "target.file.full_path" when metadata.product_event_type = "ClassifiedModuleLoad"
2023-01-02 Enhancement -
-User name mapped to principal.user.userid for event_type "ScheduledTaskModified" and "ScheduledTaskRegistered".
2022-12-22 Enhancement -
-Mapped "RemoteAddressIP4" to "principal.ip" for "event_type"="Userlogonfailed2"
2022-11-04 Enhancement -
-Mapped "GrandparentImageFileName" to "principal.process.parent_process.parent_process.file.full_path".
-Mapped "GrandparentCommandLine" to "principal.process.parent_process.parent_process.commamdLine"
2022-11-03 Bug -
When "event_simpleName" is "InstalledApplication" then below parameters are mapped.
-Mapped "AppName" to "principal.asset.software.name".
-Mapped "AppVersion" to "principal.asset.software.version".
2022-10-12 Bug -
-Mapped "discoverer_aid" to "resource.attribute.labels".
-Mapped "NeighborName" to "intermediary.hostname".
-Mapped "subnet" to "additional.fields".
-Mapped "localipCount" to "additional.fields".
-Mapped "aipCount" to "additional.fields".
-Added conditional check for "LogonServer"
2022-10-07 Bug-Fix:
Changed "CommandLine" mapping from "principal.process.command_line" to "target.process.command_line".
2022-09-13 Fix:
- Mapped metadata.event_type to REGISTRY_CREATION where RegOperationType is "3".
- Mapped event_type to REGISTRY_DELETION where RegOperationType is "4" or "102".
- Mapped event_type to REGISTRY_MODIFICATION where RegOperationType is "5","7","9","101" or "1".
- Mapped event_type to REGISTRY_UNCATEGORIZED where RegOperationType is not null and not in all the above cases.
2022-09-02 Enhancement:
- Define field "UserPrincipal" in the statedata.
2022-08-30 Enahancement:
- Defined the field "UserPrincipal" in the statedata.
2022-08-21 Enhancement:
- Mapped "ActivityId" to "additional.fields".
- Mapped "SourceEndpointHostName" to "principal.hostname".
- Mapped "SourceAccountObjectSid" to "principal.user.windows_sid".
- Added condition to parse "LocalAddressIP4" and "aip".
- Mapped "metadata.event_type" to "STATUS_UPDATE" where "ComputerName" and "LocalAddressIP4" is not null.
- Mapped "SourceEndpointAccountObjectGuid" to "metadata.product_log_id".
- Mapped "SourceEndpointAccountObjectSid" to "target.user.windows_sid".
- Mapped "SourceEndpointHostName" to "principal.hostname".
2022-08-18 Fix:
- Mapped the following fields:
- "event.PatternDispositionValue" to "security_result.about.labels".
- "event.ProcessId" to "principal.process.product_specific_process_id".
- "event.ParentProcessId" to "target.process.parent_process.pid".
- "event.ProcessStartTime" to "security_result.detection_fields".
- "event.ProcessEndTime" to "security_result.detection_fields".
- "event.ComputerName" to "principal.hostname".
- "event.UserName" to "principal.user.userid".
- "event.DetectName" to "security_result.threat_name".
- "event.DetectDescription" to "security_result.description".
- "event.SeverityName" to "security_result.severity".
- "event.FileName" to "target.file.full_path".
- "event.FilePath" to "target.file.full_path".
- "event.CommandLine" to "principal.process.command_line".
- "event.SHA256String" to "target.file.sha256".
- "event.MD5String" to "security_result.about.file.md5".
- "event.MachineDomain" to "principal.administrative_domain".
- "event.FalconHostLink" to "intermediary.url".
- "event.LocalIP" to "principal.ip".
- "event.MACAddress" to "principal.mac".
- "event.Tactic" to "security_result.detection_fields".
- "event.Technique" to "security_result.detection_fields".
- "event.Objective" to "security_result.rule_name".
- "event.PatternDispositionDescription" to "security_result.summary".
- "event.ParentImageFileName" to "principal.process.parent_process.file.full_path".
- "event.ParentCommandLine" to "principal.process.parent_process.command_line".
2022-07-29 Enhancement:
- Mapped "event_category,event_module,Hmac" to "additional.fields".
- Mapped "user_name" to "principal.user.userid".
- Mapped "event_source" to "target.application".
- Added grok for "auth_group and new logs".
- Added check for "principal_ip,target_ip and event_type".
2022-07-25 Bug-Fix:
-Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" where "eventType" is "K8SDetectionEvent"
-Mapped "metadata.event_type" to "STATUS_UPDATE" where "metadata.event_type" is null and "principal.asset_id" is not null.
-Mapped "SourceAccountDomain" to "principal.administrative_domain"
-Mapped "SourceAccountName" to "principal.user.userid"
-Mapped "metadata.event_type" to "STATUS_UPDATE" where "EventType" is "Event_ExternalApiEvent" and "OperationName" in ["quarantined_file_update", "detection_update", "update_rule"]
-Mapped "metadata.event_type" to "USER_RESOURCE_ACCESS" where FilePath is null and FileName is null or AgentIdString is null.
-Mapped "metadata.event_type" to "STATUS_UPDATE" where Protocol is null.
-Added conditional check for MD5String,SHA256String,CommandLine,AgentIdString,ProcessId,ParentProcessId,FilePath,FileName.
2022-07-12 Enhancement:
for event_simpleName - DriverLoad,ProcessRollup,PeVersionInfo,PeFileWritten,TemplateDetectAnalysis,ScriptControlDetectInfo.
- Mapped OriginalFilename to principal.process.file.full_path
2022-06-20 Enhancement:
- Mapped "ConfigBuild" to "security_result.detection_fields".
- Mapped "EffectiveTransmissionClass" to "security_result.detection_fields".
- Mapped "Entitlements" to "security_result.detection_fields".
2022-06-14 Enhancement:
- Mapped "CompanyName" to "target.user.company_name"
- Mapped "AccountType" to "target.user.role_description"
- Mapped "ProductVersion" to "metadata.product_version"
- Mapped "LogonInfo" to "principal.ip"
- Mapped "MAC" to "principal.mac"
- Mapped "UserSid_readable" to "target.user.windows_sid"
- Mapped "FileName" to "target.file.full_path"
- Mapped "_time" to "metadata.event_timestamp"
- Added Conditional check for "MD5HashData", "SHA256HashData", "UserName", "id", "RegObjectName", "RegStringValue", "RegValueName", "UserSid", "TargetFileName", "aid"
2022-06-02 Bug-Fix: Removed key name and colon character from "security_result.detection_fields.value".
2022-05-27 Enhancement - Additional mapping: SHA256String and MD5String to security_result.about.file to show up as Alert event.
2022-05-20 Enhancement:
- Mapped "LinkName" to "target.resource.attribute.labels".
- Switched possible "GENERIC_EVENTS" occurrences to "STATUS_UPDATE".
- Added Backslash between the process and its parent root directory.
- Parsed platform if the "event_platform" is iOS.
- Changed resource.type to resource_type.
2022-05-12 Enhancement - resourceName mapped to target.resource.name
resourceId mapped to target.resource.product_object_id
Namespace mapped to target.namespace
Category mapped to security_result.category_details
description mapped to security_result.description
sourceAgent mapped to network.http.user_agent
Severity mapped to security_result.severity
resourceKind mapped to target.resource.type
detectionName mapped to target.resource.name
clusterName mapped to target.resource.attribute.labels
clusterId mapped to target.resource.attribute.labels
detectionId mapped to target.resource.attribute.labels
Type mapped to additional.fields
Remediation to additional.fields
Benchmarks to additional.fields
badResources to additional.fields
2022-04-27 Bug - Fix: 1. Changed udm event_type from GENERIC_EVENT to USER_LOGIN for logs with ExternalApiType = Event_AuthActivityAuditEvent.
2. Changed mappings for target_user,actor_user, actor_user_uuid from additional.fields to target.user.email_addresses, target.user.user_display_name, target.user.userid respectively.
2022-04-25 Enhancement - Mapped "RemoteAddressIP4" to principal.ip.
2022-04-14 Bug - Added Support for ScriptContent field for all type of logs
2022-04-13 Enhancement-Added mappings for new fields
Added new event mappings - AuthenticationPackage mapped to target.resource.name
2022-04-04 Bug - Mapped "OriginatingURL" to principal.url for NetworkConnect events.