Change log for DARKTRACE
Date | Changes |
---|---|
2024-10-08 | Enhancement:<br>- Changed "event_type" from "USER_UNCATEGORIZED" to "EMAIL_UNCATEGORIZED" when the "from" field is present.<br>- Mapped "from" to "network.email.from" and "principal.user.email_addresses".<br>- Mapped "recipients" to "network.email.to" and "target.user.email_addresses".<br>- Changed the "subject" mapping from "metadata.description" to "network.email.subject".<br>- Changed the "message_id" mapping from "additional.fields" to "network.email.mail_id".<br>- Changed the "uuid" mapping from "principal.user.userid" to "metadata.product_log_id". |
2024-10-07 | Enhancement:<br>- Mapped "filterType" under "triggeredFilters" to "additional.fields".<br>- When "trigger.value" under "triggeredFilters" is not an IP address, mapped it to "additional.fields". |
2024-09-25 | Enhancement:<br>- Mapped "description" to "metadata.description".<br>- Mapped "score" to "security_result.priority_details". |
2024-09-19 | Enhancement:<br>- Mapped all fields under "triggeredFilters" to "additional.fields". |
2024-09-09 | Enhancement:<br>- Mapped "uuid" to "principal.user.userid".<br>- Mapped "from" to "principal.user.email_addresses".<br>- Mapped "subject" to "metadata.description".<br>- Mapped "anomaly_score", "tags", "link_hosts" and "message_id" to "additional.fields".<br>- Mapped "recipients" to "observer.user.email_addresses".<br>- Mapped "attachment_sha1s" and "attachment_sha256s" to "security_result.detection_fields". |
2024-08-29 | Enhancement:<br>- Mapped "hostname" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "label" to "security_result.attribute.label".<br>- Mapped "ip_address" to "principal.ip" and "principal.asset.ip".<br>- Mapped "priority" to "security_result.priority_details".<br>- Mapped "priority_level" to "security_result.priority".<br>- Mapped "alert_name" to "security_result.rule_name".<br>- Mapped "message" to "security_result.description".<br>- Mapped "url" to "security_result.url_back_to_product". |
2024-08-06 | Enhancement:<br>- When "filterType" is "Destination IP", mapped "triggeredFilter.trigger.value" to "target.ip".<br>- When principal and target machine data are absent but user data is available, mapped "metadata.event_type" to "USER_UNCATEGORIZED". |
2024-04-05 | Bug-Fix:<br>- Changed the mapping for "model.name" and "model.now.name" from "principal.user.user_display_name" to "metadata.product_event_type".<br>- When both principal machine data and target machine data are present, changed the mapping for "metadata.event_type" from "GENERIC_EVENT" or "USER_UNCATEGORIZED" to "NETWORK_CONNECTION"; otherwise mapped it to "USER_RESOURCE_ACCESS". |
2023-12-20 | Bug-Fix:<br>- Fixed inconsistent results for the mapping "security_result.about.resource.attribute.labels" where "key" is "details". |
2023-11-20 | Enhancement, Bug-Fix:<br>- Parsed the subfields of the "message" field of the raw log.<br>- Mapped "uuid" to "principal.user.userid" and set "metadata.event_type" to "USER_UNCATEGORIZED" when "uuid" is present.<br>- Mapped "direction" to "network.direction".<br>- Mapped "from" to "network.email.from".<br>- Mapped "subject" to "network.email.subject".<br>- Mapped "attachment_sha1s", "attachment_sha256s", "recipients", "link_hosts", "tags", "actions", "anomaly_score" and "message_id" to "security_result.detection_fields".<br>- Mapped "url" to "security_result.url_back_to_product".<br>- Mapped "severity" to "security_result.severity".<br>- Mapped "hostname" to "principal.hostname".<br>- Added "on_error" to a JSON block so that a previously unparsed set of JSON logs is parsed.<br>- Mapped "model.pid" to "principal.process.pid".<br>- Mapped "model.uuid" to "principal.user.userid".<br>- Mapped "model.name" to "principal.user.user_display_name".<br>- Mapped "breachUrl" to "security_result.url_back_to_product".<br>- Mapped "device.typelabel", "device.sid" and "device.typename" to "principal.resource.attribute.labels".<br>- Mapped "device.ip" to "principal.ip".<br>- Mapped "device.ips.0.subnet" to "additional.fields".<br>- Mapped "device.did" to "principal.asset.asset_id".<br>- Mapped "device.customFields.DT-AUTO.macaddress" to "principal.mac".<br>- Mapped "device.firstSeen" to "principal.asset.first_seen_time".<br>- Mapped "device.device.lastSeen" to "principal.asset.last_seen_time".<br>- Mapped "mitreTechniques" to "security_result.attack_details.techniques". |
2023-09-26 | Enhancement:<br>- Adjusted the parser to support nested JSON.<br>- Fixed the parser to handle special characters in the log.<br>- Mapped the fields of a new log type. |
2023-08-29 | Enhancement:<br>- Mapped "details" to "security_result.about.resource.attribute.labels".<br>- Mapped "principal_port_no" to "principal.port".<br>- Mapped "ip_protocol" to "network.ip_protocol".<br>- Mapped "location" to "principal.location.country_or_region".<br>- Mapped "target_host" to "target.hostname".<br>- Mapped "target_ip" to "target.ip".<br>- Mapped "source_ip" to "principal.ip".<br>- Mapped "source_port" to "principal.port".<br>- Mapped "dest_ip" to "target.ip".<br>- Mapped "dest_port" to "target.port".<br>- Mapped "@host" to "principal.hostname".<br>- Mapped "uid" to "principal.user.userid".<br>- Mapped "note" to "principal.application".<br>- Mapped "@type", "opcode", "trans_id" and "query_class" to "security_result.about.resource.attribute.labels". |
2023-07-14 | Enhancement:<br>- Mapped "dvchost" to "principal.hostname".<br>- Mapped "deviceMacAddress" to "principal.mac".<br>- Modified the mapping of "dvc" so that it maps to "principal.ip" only when the value is a valid IP address. |
2023-03-24 | Enhancement:<br>- Mapped "model.now.category" to "security_result.severity".<br>- Mapped "model.now.message" to "security_result.description".<br>- Mapped "model.now.description" to "metadata.description".<br>- Mapped "model.now.uuid" to "principal.user.userid".<br>- Mapped "model.now.pid" to "principal.process.pid".<br>- Mapped "model.now.name" to "principal.user.user_display_name".<br>- Mapped "score" to "security_result.priority".<br>- Mapped "triggeredComponents.port" to "intermediary.port".<br>- Mapped "triggeredComponents.ip" to "intermediary.ip".<br>- Mapped "device.ip" to "principal.ip".<br>- Mapped "device.macaddress" to "principal.mac".<br>- Mapped "device.hostname" to "principal.hostname".<br>- Mapped "model.then.logic.data.cid", "model.now.logic.data.cid" and "model.now.tags" to "additional.fields".<br>- Mapped "model.then.description", "model.then.uuid", "model.then.name" and "model.then.pid" to "principal.resource.attribute.labels".<br>- Changed "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" wherever "principal.ip" or "principal.hostname" is present. |
2022-10-31 | Enhancement:<br>- Mapped "time" to "metadata.event_timestamp".<br>- Mapped "model.description" to "metadata.description".<br>- Mapped "model.name" to "principal.user.user_display_name".<br>- Mapped "model.pid" to "principal.process.pid".<br>- Mapped "device.did" to "principal.asset.asset_id".<br>- Mapped "device.objecttype" to "principal.asset.type".<br>- Mapped "device.ips" to "principal.ip".<br>- Mapped "device.firstSeen" to "principal.asset.first_seen_time".<br>- Mapped "device.lastSeen" to "principal.asset.last_discover_time".<br>- Mapped "device.sid", "device.typename" and "device.typelabel" to "principal.resource.attribute.labels".<br>- Mapped "model.tags" and "model.logic.data" to "additional.fields".<br>- Mapped "breachUrl" to "security_result.url_back_to_product".<br>- Mapped "mitreTechniques" to "security_result.detection_fields".<br>- Added conditional checks for "details.0.0.contents.2.values.0" mapped to "principal.port".<br>- Dropped logs with malformed JSON. |
2022-10-13 | - Added a grok pattern to parse the new JSON log type.<br>- Mapped "category" to "security_result.severity".<br>- Mapped "title" to "security_result.summary".<br>- Mapped "details.0.0.contents.1.values.0.hostname" to "principal.hostname".<br>- Mapped "details.0.0.contents.1.values.0.ip" to "principal.ip".<br>- Mapped "details.0.0.contents.2.values.0" to "principal.port".<br>- Mapped "details.0.0.contents.4.values.0" to "principal.location.country_or_region".<br>- Mapped "details.0.1.contents.0.values.0.hostname" to "target.hostname".<br>- Mapped "details.0.1.contents.0.values.0.ip" to "target.ip".<br>- Mapped "incidentEventUrl" to "principal.url".<br>- Mapped "summary" to "metadata.description".<br>- Mapped "model.uuid" to "principal.user.userid".<br>- Mapped "relatedBreaches.0.modelName" to "security_result.description". |
2022-04-22 | Added support for a non-numeric issue code in CEF messages. |
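
The entries dated 2024-04-05, 2024-08-06, 2024-10-07 and 2024-10-08 together describe how "metadata.event_type" is chosen from which parts of a Darktrace record are present, and the 2023-07-14 entry adds the rule that a device field becomes "principal.ip" only when it is a syntactically valid IP address. The Python below is an added illustration of that decision logic, not the parser's own configuration (the real parser is not written in Python). The sample log lines are constructed for this example, the precedence between the dated rules is an assumption, and applying the valid-IP check to "device.ip" as well as "dvc" is a generalization of the 2023-07-14 entry.

```python
"""Model of the Darktrace -> UDM event_type decision logic described in this changelog.

Illustration only: this is not the parser itself. Sample logs are constructed,
and the precedence between the dated rules is an assumption.
"""
import ipaddress
import json

# Constructed sample logs (not from the page or from a live sensor).
SAMPLE_LOGS = [
    # principal device + "Destination IP" trigger -> NETWORK_CONNECTION
    '{"model": {"name": "Anomalous Connection"}, "device": {"ip": "10.1.2.3", "hostname": "ws01"}, '
    '"triggeredFilters": [{"filterType": "Destination IP", "trigger": {"value": "203.0.113.5"}}]}',
    # principal device only; trigger value is a hostname, so it stays in additional.fields
    '{"model": {"name": "New User Agent"}, "device": {"ip": "10.1.2.4"}, '
    '"triggeredFilters": [{"filterType": "Hostname", "trigger": {"value": "example.test"}}]}',
    # email event: "from" present, no device data -> EMAIL_UNCATEGORIZED
    '{"uuid": "u-0003", "from": "alice@example.test", "recipients": ["bob@example.test"], "subject": "Invoice"}',
    # user data only -> USER_UNCATEGORIZED
    '{"uuid": "u-0004", "tags": ["review"]}',
    # nothing usable -> GENERIC_EVENT
    '{"message": "heartbeat"}',
    # CEF-style device fields: "dvc" is not an IP address, so only dvchost is used
    '{"dvc": "sensor01", "dvchost": "sensor01"}',
    # malformed JSON is dropped (2022-10-31 entry)
    '{"model": {"name": "Truncated"',
]


def is_ip(value):
    """True only for a syntactically valid IPv4/IPv6 address (the 2023-07-14 "dvc" rule)."""
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def classify(raw):
    """Return a dict of UDM-style fields for one raw log, or None if the JSON is invalid."""
    try:
        log = json.loads(raw)
    except json.JSONDecodeError:
        return None

    event = {"additional.fields": {}}
    device = log.get("device") or {}
    principal_machine = False

    # principal.ip: accept device.ip or dvc only when it parses as an IP address.
    # The page states this check for "dvc"; extending it to device.ip is an assumption.
    for candidate in (device.get("ip"), log.get("dvc")):
        if candidate is not None and is_ip(candidate):
            event["principal.ip"] = str(candidate)
            principal_machine = True
            break
    hostname = device.get("hostname") or log.get("dvchost")
    if hostname:
        event["principal.hostname"] = hostname
        principal_machine = True

    target_machine = False
    for tf in log.get("triggeredFilters") or []:
        value = (tf.get("trigger") or {}).get("value")
        filter_type = tf.get("filterType")
        event["additional.fields"]["filterType"] = filter_type  # 2024-10-07
        if filter_type == "Destination IP" and is_ip(value):     # 2024-08-06
            event["target.ip"] = str(value)
            target_machine = True
        else:
            # non-IP trigger values go to additional.fields (2024-10-07);
            # treating an IP under another filterType the same way is an assumption
            event["additional.fields"]["trigger.value"] = value

    user_data = bool(log.get("uuid"))

    if log.get("from"):                                 # 2024-10-08
        event["metadata.event_type"] = "EMAIL_UNCATEGORIZED"
        event["network.email.from"] = log["from"]
        event["network.email.to"] = list(log.get("recipients") or [])
        event["network.email.subject"] = log.get("subject")
    elif principal_machine and target_machine:          # 2024-04-05
        event["metadata.event_type"] = "NETWORK_CONNECTION"
    elif principal_machine or target_machine:           # 2024-04-05, "otherwise" branch
        event["metadata.event_type"] = "USER_RESOURCE_ACCESS"
    elif user_data:                                     # 2024-08-06
        event["metadata.event_type"] = "USER_UNCATEGORIZED"
    else:
        event["metadata.event_type"] = "GENERIC_EVENT"
    return event


def classify_all(raw_logs):
    """Classify a batch; invalid JSON lines are dropped rather than emitted."""
    return [e for e in (classify(r) for r in raw_logs) if e is not None]


if __name__ == "__main__":
    for ev in classify_all(SAMPLE_LOGS):
        print(ev["metadata.event_type"], {k: v for k, v in ev.items() if k != "metadata.event_type"})
```

The ordering of the branches is what makes the 2024-10-08 change visible: an email record carries a "uuid", so before that entry it fell into the "USER_UNCATEGORIZED" branch; checking "from" first is what moves it to "EMAIL_UNCATEGORIZED". The valid-IP gate on "dvc" matters for the same reason the 2023-07-14 entry gives: a sensor name landing in "principal.ip" would silently break IP-based joins and detections downstream.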