Change log for DARKTRACE

Date Changes
2024-11-21 Enhancement:
- Corrected spelling of "email_direciton_error" to "email_direction_error".
2024-10-30 Enhancement:
- Added a Grok pattern to parse the SYSLOG+JSON logs.
2024-10-25 Enhancement:
- Mapped "direction" to "network.direction" for "INBOUND," "OUTBOUND," or "BROADCAST." Otherwise, mapped it to "additional.fields".
2024-10-24 Enhancement:
- Added a new Grok pattern to parse new JSON logs.
2024-10-08 Enhancement:
- Changed "event_type" from "USER_UNCATEGORIZED" to "EMAIL_UNCATEGORIZED" when the "from" field is present.
- Mapped "from" to "network.email.from" and "principal.user.email_addresses".
- Mapped "recipients" to "network.email.to" and "target.user.email_addresses".
- Changed the "subject" mapping from "metadata.description" to "network.email.subject".
- Changed the "message_id" mapping from "additional.fields" to "network.email.mail_id".
- Changed the "uuid" mapping from "principal.user.userid" to "metadata.product_log_id".
- changed "uuid" mapping from "principal.user.userid" to "metadata.product_log_id".
2024-10-07 Enhancement:
- Mapped "filterType" under "triggeredFilters" to "additional.fields".
- When "trigger.value" holds a non-IP value, mapped "trigger.value" under "triggeredFilters" to "additional.fields".
2024-09-25 Enhancement:
- Mapped "description" to "metadata.description".
- Mapped "score" field to "security_result.priority_details".
2024-09-19 Enhancement:
- Mapped all fields under "triggeredFilters" to "additional.fields".
2024-09-09 Enhancement:
- Mapped "uuid" to "principal.user.userid".
- Mapped "from" to "principal.user.email_addresses".
- Mapped "subject" to "metadata.description".
- Mapped "anomaly_score", "tags", "link_hosts", and "message_id" to "additional.fields".
- Mapped "recipients" to "observer.user.email_addresses".
- Mapped "attachment_sha1s" and "attachment_sha256s" to "security_result.detection_fields".
2024-08-29 Enhancement:
- Mapped "hostname" field to "principal.hostname" and "principal.asset.hostname".
- Mapped "label" field to "security_result.attribute.label".
- Mapped "ip_address" field to "principal.ip" and "principal.asset.ip".
- Mapped "priority" field to "security_result.priority_details".
- Mapped "priority_level" field to "security_result.priority".
- Mapped "alert_name" field to "security_result.rule_name".
- Mapped "message" field to "security_result.description".
- Mapped "url" field to "security_result.url_back_to_product".
2024-08-06 Enhancement:
- When "filterType" is "Destination IP", mapped "triggeredFilter.trigger.value" to "target.ip".
- When principal and target machine data are absent but user data is available, mapped "metadata.event_type" to "USER_UNCATEGORIZED".
2024-04-05 Bug-Fix:
- Changed mapping for "model.name" and "model.now.name" from "principal.user.user_display_name" to "metadata.product_event_type".
- When both principal machine data and target machine data are present, changed the "metadata.event_type" mapping from "GENERIC_EVENT" or "USER_UNCATEGORIZED" to "NETWORK_CONNECTION"; otherwise mapped it to "USER_RESOURCE_ACCESS".
2023-12-20 Bug-Fix: Fixed the flaky results for the mapping "sec_result.about.resource.attribute.labels" where "key" is "details".
2023-11-20 Enhancement, Bug-Fix:
- Parsed subfields in the "message" field of the raw log.
- Mapped "uuid" to "principal.user.userid" and set "metadata.event_type" to "USER_UNCATEGORIZED" when "uuid" is present.
- Mapped "direction" to "network.direction".
- Mapped "from" to "network.email.from".
- Mapped "subject" to "network.email.subject".
- Mapped "attachment_sha1s", "attachment_sha256s", "recipients", "link_hosts", "tags", "actions", "anomaly_score", "message_id" to "security_result.detection_fields".
- Mapped "url" to "security_result.url_back_to_product".
- Mapped "severity" to "security_result.severity".
- Mapped "hostname" to "principal.hostname".
- Added "on_error" to a JSON block so that a previously unparsed set of JSON logs is parsed.
- Mapped "model.pid" to "principal.process.pid".
- Mapped "model.uuid" to "principal.user.userid".
- Mapped "model.name" to "principal.user.user_display_name".
- Mapped "breachUrl" to "security_result.url_back_to_product".
- Mapped "device.typelabel", "device.sid", "device.typename" to "principal.resource.attribute.labels".
- Mapped "device.ip" to "principal.ip".
- Mapped "device.ips.0.subnet" to "additional.fields".
- Mapped "device.did" to "principal.asset.asset_id".
- Mapped "device.customFields.DT-AUTO.macaddress" to "principal.mac".
- Mapped "device.firstSeen" to "principal.asset.first_seen_time".
- Mapped "device.device.lastSeen" to "principal.asset.last_seen_time".
- Mapped "mitreTechniques" to "security_result.attack_details.techniques".
2023-09-26 Enhancement:
- Adjusted the parser to support nested JSON.
- Fixed the parser to handle special characters in the log.
- Mapped the fields of the new log type.
2023-08-29 Enhancement:
- Mapped "details" to "sec_result.about.resource.attribute.labels".
- Mapped "principal_port_no" to "principal.port".
- Mapped "ip_protocol" to "network.ip_protocol".
- Mapped "location" to "principal.location.country_or_region".
- Mapped "target_host" to "target.hostname".
- Mapped "target_ip" to "target.ip".
- Mapped "source_ip" to "principal.ip".
- Mapped "source_port" to "principal.port".
- Mapped "dest_ip" to "target.ip".
- Mapped "dest_port" to "target.port".
- Mapped "@host" to "principal.hostname".
- Mapped "uid" to "principal.user.userid".
- Mapped "note" to "principal.application".
- Mapped "@type" to "sec_result.about.resource.attribute.labels".
- Mapped "opcode" to "sec_result.about.resource.attribute.labels".
- Mapped "trans_id" to "sec_result.about.resource.attribute.labels".
- Mapped "query_class" to "sec_result.about.resource.attribute.labels".
2023-07-14 Enhancement:
- Mapped "dvchost" to "principal.hostname".
- Mapped "deviceMacAddress" to "principal.mac".
- Modified the mapping of "dvc" so that it maps to "principal.ip" only when it is a valid IP address.
2023-03-24 Enhancement:
- Mapped 'model.now.category' to 'security_result.severity'.
- Mapped 'model.now.message' to 'security_result.description'.
- Mapped 'model.now.description' to 'metadata.description'.
- Mapped 'model.now.uuid' to 'principal.user.userid'.
- Mapped 'model.now.pid' to 'principal.process.pid'.
- Mapped 'model.now.name' to 'principal.user.user_display_name'.
- Mapped 'score' to 'security_result.priority'.
- Mapped 'triggeredComponents.port' to 'intermediary.port'.
- Mapped 'triggeredComponents.ip' to 'intermediary.ip'.
- Mapped 'device.ip' to 'principal.ip'.
- Mapped 'device.macaddress' to 'principal.mac'.
- Mapped 'device.hostname' to 'principal.hostname'.
- Mapped 'model.then.logic.data.cid', 'model.now.logic.data.cid', 'model.now.tags' to 'additional.fields'.
- Mapped 'model.then.description', 'model.then.uuid', 'model.then.name', 'model.then.pid' to 'principal.resource.attribute.labels'.
- Modified 'metadata.event_type' from 'GENERIC_EVENT' to 'STATUS_UPDATE' wherever 'principal.ip' or 'principal.hostname' is present.
2022-10-31 Enhancement:
- Mapped the field 'time' to 'metadata.event_timestamp'.
- Mapped the field 'model.description' to 'metadata.description'.
- Mapped the field 'model.name' to 'principal.user.user_display_name'.
- Mapped the field 'model.pid' to 'principal.process.pid'.
- Mapped the field 'device.did' to 'principal.asset.asset_id'.
- Mapped the field 'device.objecttype' to 'principal.asset.type'.
- Mapped the field 'device.ips' to 'principal.ip'.
- Mapped the field 'device.firstSeen' to 'principal.asset.first_seen_time'.
- Mapped the field 'device.lastSeen' to 'principal.asset.last_discover_time'.
- Mapped the fields 'device.sid', 'device.typename' and 'device.typelabel' to 'principal.resource.attribute.labels'.
- Mapped the fields 'model.tags' and 'model.logic.data' to 'additional.fields'.
- Mapped the field 'breachUrl' to 'security_result.url_back_to_product'.
- Mapped the field 'mitreTechniques' to 'security_result.detection_fields'.
- Added conditional checks for 'details.0.0.contents.2.values.0' mapped to 'principal.port'.
- Dropped logs with invalid JSON format.
2022-10-13 Enhancement:
- Added a Grok pattern to parse new JSON-type logs.
- Mapped 'category' to 'security_result.severity'.
- Mapped 'title' to 'security_result.summary'.
- Mapped 'details.0.0.contents.1.values.0.hostname' to 'principal.hostname'.
- Mapped 'details.0.0.contents.1.values.0.ip' to 'principal.ip'.
- Mapped 'details.0.0.contents.2.values.0' to 'principal.port'.
- Mapped 'details.0.0.contents.4.values.0' to 'principal.location.country_or_region'.
- Mapped 'details.0.1.contents.0.values.0.hostname' to 'target.hostname'.
- Mapped 'details.0.1.contents.0.values.0.ip' to 'target.ip'.
- Mapped 'incidentEventUrl' to 'principal.url'.
- Mapped 'summary' to 'metadata.description'.
- Mapped 'model.uuid' to 'principal.user.userid'.
- Mapped 'relatedBreaches.0.modelName' to 'security_result.description'.
2022-04-22 Enhancement:
- Added support for a non-numeric issue code in CEF messages.