Change log for EXCHANGE_MAIL
| Date | Changes |
|---|---|
| 2024-08-06 | Enhancement:<br>- When "column3" is "application_protocol", map it to "network.application_protocol".<br>- Added a Grok pattern to parse "column6" and extract "target_ip_1". |
| 2024-07-08 | Enhancement:<br>- Added support for a new pattern of CSV logs.<br>- Added a Grok pattern to check whether an IP address is valid before mapping it.<br>- Added a Grok pattern over "column6" to extract "target_ip_1", "target_ip_2", and "target_ip_3".<br>- Mapped "target_ip_1", "target_ip_2", and "target_ip_3" to "target.ip" and "target.asset.ip".<br>- If "column2" is not a valid IP address, mapped "column2" to "metadata.product_log_id".<br>- If "column4" is not a valid IP address, mapped "column4" to "metadata.product_event_type". |
| 2024-06-18 | Enhancement:<br>- Mapped "schema-version" to "additional.fields". |
| 2024-03-22 | Enhancement:<br>- Changed the mapping of "OriginalFromAddress" from "target.user.email_addresses" to "principal.user.email_addresses".<br>- Added support for a new pattern of CSV logs.<br>- Mapped "sender-address", "column20", and "from_mail" to "principal.user.email_addresses".<br>- Mapped "column13" and "to_mail" to "target.user.email_addresses". |
| 2024-03-18 | Enhancement:<br>- Added support for a new pattern of JSON logs.<br>- Mapped "Hostname" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "ProcessID" to "principal.process.pid".<br>- Mapped "SourceName" to "principal.resource.attribute.labels".<br>- Mapped "Message" to "security_result.description".<br>- Mapped "Category" to "security_result.category_details".<br>- Mapped "Severity" to "security_result.severity".<br>- Mapped "SeverityValue" to "security_result.severity_details".<br>- Mapped "Keywords", "ThreadID", "Task", "RecordNumber", "Channel", and "EventID" to "security_result.detection_fields". |
| 2024-03-01 | Enhancement:<br>- Added support for a new pattern of syslog logs.<br>- Mapped "AgentDevice", "AgentLogFile", "AgentLogFormat", "AgentLogProtocol", "PluginVersion", and "sc-substatus" to "additional.fields".<br>- Mapped "client-ip" and "original-client-ip" to "principal.ip" and "principal.asset.ip".<br>- Mapped "client-hostname" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "server-ip" and "original-server-ip" to "target.ip" and "target.asset.ip".<br>- Mapped "server-hostname" to "target.hostname" and "target.asset.hostname".<br>- When "has_principal" is "true", set "metadata.event_type" to "STATUS_UPDATE".<br>- When "event_type" is "GENERIC_EVENT" and either "has_principal_email" or "has_target_email" is "true", set "metadata.event_type" to "USER_UNCATEGORIZED". |
| 2024-02-15 | Enhancement:<br>- Added a CSV block to parse CSV logs.<br>- Mapped "column2" and "column25" to "principal.ip" and "principal.asset.ip".<br>- Mapped "column3" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "column4" to "target.ip" and "target.asset.ip".<br>- Mapped "column5" to "target.hostname" and "target.asset.hostname".<br>- Added new Grok patterns over "column6" to retrieve "EventReceivedTime" and "client_submit_time".<br>- Mapped "column9" to "metadata.product_event_type".<br>- Mapped "column10" to "intermediary.resource.attribute.labels".<br>- Mapped "column12", "column8", "column7", "column15", "column24", and "column28" to "additional.fields".<br>- Mapped "column13" to "network.email.to".<br>- Mapped "column16" to "target.resource.attribute.labels".<br>- Mapped "column19" to "network.email.subject".<br>- Mapped "column20" to "network.email.from".<br>- Mapped "column22" to "sec_result.description".<br>- Mapped "column26" to "target.ip" and "target.asset.ip".<br>- Mapped "column29" to "metadata.product_log_id".<br>- Mapped "column30" to "metadata.product_version".<br>- Added a new date match filter to parse "EventReceivedTime".<br>- Replaced the Grok pattern with CSV blocks. |
| 2024-02-08 | Enhancement:<br>- Added a new Grok pattern to parse a new type of logs in SYSLOG + KV format.<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "sec_result_desc" to "network.email.subject". |
| 2023-12-17 | Enhancement:<br>- Added new Grok patterns to parse a new type of logs in SYSLOG + KV format.<br>- Mapped "MailboxDatabaseGuid", "Mailboxes", "StoreObjectIds", and "DeliveryLatency" to "security_result.detection_fields".<br>- Mapped "client_submit_time", "event_source", "AttachCount", and "network_id" to "additional.fields".<br>- Mapped "sec_result_desc" to "security_result.description".<br>- Mapped "product_event_type" to "metadata.product_event_type".<br>- Mapped "msg_id" to "network.email.mail_id".<br>- Mapped "guid" to "metadata.product_log_id".<br>- Mapped "internal_msgid" to "intermediary.resource.attribute.labels".<br>- Mapped "recipients" to "target.user.email_addresses".<br>- Mapped "recipients_status" and "recipents_count" to "target.resource.attribute.labels".<br>- Mapped "msg_size" to "network.sent_bytes". |
| 2023-11-20 | Enhancement:<br>- Added new Grok patterns to parse a new type of logs in SYSLOG + Key-Value format.<br>- Mapped "host" to "event.idm.read_only_udm.principal.hostname".<br>- Mapped "email_address" to "event.idm.read_only_udm.principal.user.email_addresses".<br>- Mapped "ProxiedClientHostname" to "event.idm.read_only_udm.intermediary.hostname".<br>- Mapped "ProxyHop1", "MessageValue", "IncludeInSla", "Microsoft_Exchange_Transport_MailRecipient_RequiredTlsAuthLevel", "IsSmtpResponseFromExternalServer", "SlaExclusionReason", "MsgRecipCount", "FirstForestHop", "PrioritizationReason", and "TransportTrafficSubType" to "event.idm.read_only_udm.security_result.detection_fields".<br>- Mapped "DeliveryPriority" to "event.idm.read_only_udm.security_result.priority".<br>- Mapped "ProxiedClientIPAddress" to "event.idm.read_only_udm.intermediary.ip".<br>- Mapped "version" (taken from "TransportTrafficSubType") to "event.idm.read_only_udm.metadata.product_version".<br>- If "event.idm.read_only_udm.principal.user.email", "event.idm.read_only_udm.target.user.email", and either "event.idm.read_only_udm.principal.hostname" or "event.idm.read_only_udm.principal.ip" are present, set "event.idm.read_only_udm.metadata.event_type" to "EMAIL_TRANSACTION". |
| 2023-10-20 | Enhancement:<br>- Added a Grok pattern to parse logs with a non-integer "session_id".<br>- Mapped "AccountForest", "DeliveryPriority", "IsProbe", "PersistProbeTrace", and "ProbeType" to "security_result.detection_fields". |
| 2023-06-16 | Enhancement:<br>- Added a Grok pattern to parse failing logs.<br>- Mapped "product_id" to "metadata.product_log_id".<br>- Mapped "OriginalFromAddress" to "principal.user.email_addresses".<br>- Mapped "E2ELatency", "P2RecipStat", "FromEntity", and "ToEntity" to "sec_result.detection_fields". |
| 2022-11-25 | Enhancement:<br>- Handled unparsed logs by adding a Grok pattern and mapping the extracted fields.<br>- Added a condition check for the date field.<br>- Mapped severity to "security_result.severity".<br>- Mapped "sessionid" to "network.session_id".<br>- Mapped "u_path" to "target.url". |
| 2022-06-14 | - Modified the code to parse and map "EMAIL From" to "network.email.from" and "RCPT To" to "network.email.to".<br>- Mapped "sequence-number" to "additional.fields" as a key/value pair. |
| 2022-05-02 | Bug fix:<br>- Modified the code to support the 24-hour time format for the "EventReceivedTime" field.<br>- Added a regexp condition for the email address parsing error. |
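The 2024-07-08 and 2024-02-15 entries describe conditional CSV mapping: a column is only mapped to a UDM IP field when it holds a valid IP address, otherwise it falls back to a metadata field, and "column6" is scanned for up to three target IPs. The following Python is an added illustration of that logic, not the parser's own code (Chronicle parsers are written in a Logstash-style configuration, not Python). The column layout (column2 = client IP or log id, column3 = client host, column4 = server IP or event type, column5 = server host, column6 = free text) and the sample rows are assumptions constructed for the example; the regular expression stands in for the Grok pattern over "column6".

```python
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample rows (not real Exchange output). They only mimic the
# column-indexed CSV shape the changelog refers to; the layout is assumed.
SAMPLE_CSV = (
    '2024-07-08T10:00:00Z,10.1.2.3,mbx01,10.9.8.7,smtp01,'
    '"relayed to 192.0.2.10 and 192.0.2.11; backup 192.0.2.12"\n'
    '2024-07-08T10:00:01Z,LOG-000123,mbx01,SEND,smtp01,"queued"\n'
    '2024-07-08T10:00:02Z,999.1.1.1,mbx02,10.9.8.7,smtp01,"retry"\n'
)

# Stand-in for the Grok pattern: a loose IPv4 shape; validity is checked separately,
# so a candidate such as 999.1.1.1 is matched here but rejected below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_valid_ip(value: str) -> bool:
    """The 'check whether the IP is valid before mapping' step."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_target_ips(text: str, limit: int = 3) -> list:
    """Up to three distinct valid IPs from column6 (target_ip_1..target_ip_3)."""
    found = []
    for candidate in IPV4_RE.findall(text):
        if is_valid_ip(candidate) and candidate not in found:
            found.append(candidate)
        if len(found) == limit:
            break
    return found


def _add_repeated(udm: dict, key: str, value: str) -> None:
    """UDM ip fields are repeated; append without creating duplicates."""
    values = udm.setdefault(key, [])
    if value not in values:
        values.append(value)


def map_row(fields: list) -> dict:
    """Apply the conditional mappings to one CSV row; keys are UDM field paths."""
    col = {i + 1: v for i, v in enumerate(fields)}  # changelog numbering is 1-based
    udm = {}

    c2 = col.get(2, "")
    if is_valid_ip(c2):
        _add_repeated(udm, "principal.ip", c2)
        _add_repeated(udm, "principal.asset.ip", c2)
    elif c2:  # not an IP: fall back to the product log id
        udm["metadata.product_log_id"] = c2

    if col.get(3):
        udm["principal.hostname"] = col[3]
        udm["principal.asset.hostname"] = col[3]

    c4 = col.get(4, "")
    if is_valid_ip(c4):
        _add_repeated(udm, "target.ip", c4)
        _add_repeated(udm, "target.asset.ip", c4)
    elif c4:  # not an IP: fall back to the product event type
        udm["metadata.product_event_type"] = c4

    if col.get(5):
        udm["target.hostname"] = col[5]
        udm["target.asset.hostname"] = col[5]

    for ip in extract_target_ips(col.get(6, "")):
        _add_repeated(udm, "target.ip", ip)
        _add_repeated(udm, "target.asset.ip", ip)

    return udm


def parse_csv_logs(text: str) -> list:
    """Parse every CSV row and return the mapped UDM dictionaries."""
    return [map_row(row) for row in csv.reader(StringIO(text))]


if __name__ == "__main__":
    for event in parse_csv_logs(SAMPLE_CSV):
        print(event)
```

The third sample row shows why the validity check matters: "999.1.1.1" looks like an IP to a naive pattern but is not one, so it is routed to "metadata.product_log_id" instead of polluting "principal.ip", which keeps downstream detections keyed on asset IPs from matching on garbage.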