Change log for DARKTRACE

Date Changes
2023-03-24 Enhancement:
- Mapped 'model.now.category' to 'security_result.severity'.
- Mapped 'model.now.message' to 'security_result.description'.
- Mapped 'model.now.description' to 'metadata.description'.
- Mapped 'model.now.uuid' to 'principal.user.userid'.
- Mapped 'model.now.pid' to 'principal.process.pid'.
- Mapped 'model.now.name' to 'principal.user.user_display_name'.
- Mapped 'score' to 'security_result.priority'.
- Mapped 'triggeredComponents.port' to 'intermediary.port'.
- Mapped 'triggeredComponents.ip' to 'intermediary.ip'.
- Mapped 'device.ip' to 'principal.ip'.
- Mapped 'device.macaddress' to 'principal.mac'.
- Mapped 'device.hostname' to 'principal.hostname'.
- Mapped 'model.then.logic.data.cid', 'model.now.logic.data.cid', 'model.now.tags' to 'additional.fields'.
- Mapped 'model.then.description', 'model.then.uuid', 'model.then.name', 'model.then.pid' to 'principal.resource.attribute.labels'.
- Modified 'metadata.event_type' from 'GENERIC_EVENT' to 'STATUS_UPDATE' wherever 'principal.ip' or 'principal.hostname' is present.
2022-10-31 Enhancement:
- Mapped the field 'time' to 'metadata.event_timestamp'.
- Mapped the field 'model.description' to 'metadata.description'.
- Mapped the field 'model.name' to 'principal.user.user_display_name'.
- Mapped the field 'model.pid' to 'principal.process.pid'.
- Mapped the field 'device.did' to 'principal.asset.asset_id'.
- Mapped the field 'device.objecttype' to 'principal.asset.type'.
- Mapped the field 'device.ips' to 'principal.ip'.
- Mapped the field 'device.firstSeen' to 'principal.asset.first_seen_time'.
- Mapped the field 'device.lastSeen' to 'principal.asset.last_discover_time'.
- Mapped the fields 'device.sid', 'device.typename' and 'device.typelabel' to 'principal.resource.attribute.labels'.
- Mapped the fields 'model.tags' and 'model.logic.data' to 'additional.fields'.
- Mapped the field 'breachUrl' to 'security_result.url_back_to_product'.
- Mapped the field 'mitreTechniques' to 'security_result.detection_fields'.
- Added conditional checks for 'details.0.0.contents.2.values.0' mapped to 'principal.port'.
- Dropped logs with an incorrect JSON format.
2022-10-13 Added grok to parse new JSON-type logs.
- Mapped 'category' to 'security_result.severity'.
- Mapped 'title' to 'security_result.summary'.
- Mapped 'details.0.0.contents.1.values.0.hostname' to 'principal.hostname'.
- Mapped 'details.0.0.contents.1.values.0.ip' to 'principal.ip'.
- Mapped 'details.0.0.contents.2.values.0' to 'principal.port'.
- Mapped 'details.0.0.contents.4.values.0' to 'principal.location.country_or_region'.
- Mapped 'details.0.1.contents.0.values.0.hostname' to 'target.hostname'.
- Mapped 'details.0.1.contents.0.values.0.ip' to 'target.ip'.
- Mapped 'incidentEventUrl' to 'principal.url'.
- Mapped 'summary' to 'metadata.description'.
- Mapped 'model.uuid' to 'principal.user.userid'.
- Mapped 'relatedBreaches.0.modelName' to 'security_result.description'.
2022-04-22 Added support for a non-numeric issue code in the CEF message.