Change log for CS_STREAM
Date | Changes |
---|---|
2024-10-29 | Enhancement:
- Added support for JSON format of logs. - Mapped "request" to "network.http.referral_url". - Mapped "networkDetectionType" to "security_result.detection_fields". |
2022-07-18 | Enhancement:
- Added following mapping for the LEEF format logs: - The field "version" mapped to "metadata.product_version". - The field "usrName" and "userName" to "principal.user.email_addresses" if it is an email else mapped to "principal.user.userid". - The field "severityName" mapped to "security_result.severity". - The field "cat" mapped to "security_result.category_details". - The field "incidentType" mapped to "security_result.summary". - The field "falconHostLink" mapped to "security_result.about.url". - The field "numberOfCompromisedEntities" mapped to "security_result.detection_fields[n]". - The field "identityProtectionIncidentId" mapped to "security_result.detection_fields[n]". - The field "numbersOfAlerts" mapped to "security_result.detection_fields[n]". - The field "state" mapped to "security_result.detection_fields[n]". - Added following mapping for the CEF format logs: - The field "version" mapped to "metadata.product_version". - The field "deviceCustomDate1" mapped to "metadata.event_type". - The field "msg" mapped to "metadata.description". - The field "cs1" mapped to "security_result.summary" if the value of "cs1Label" is "incidentType" else mapped to "security_result.detection_fields[n]". - The field "cs2" mapped to "security_result.detection_fields[n]". - The field "cs3" mapped to "security_result.detection_fields[n]". - The field "cs1" mapped to "security_result.about.url" if the value of "cs4Label" is "falconHostLink" else mapped to "security_result.detection_fields[n]". - The field "cn1" mapped to "security_result.detection_fields[n]". - The field "cn2" mapped to "security_result.detection_fields[n]". - The field "cn3" mapped to "security_result.detection_fields[n]". - The field "duser" to "principal.user.email_addresses" if it is an email else mapped to "principal.user.userid". |