Change log for F5_ASM

Date Changes
2024-11-28 Enhancement:
- Changed the mapping of "Referer" from "network.http.referral_url" to "target.url".
2024-11-07 Enhancement:
- Mapped "exec_data" to "target.process.command_line".
- Mapped "src" to "principal.hostname" and "principal.asset.hostname".
- Mapped "cs3" to "additional.fields".
2024-10-30 Enhancement:
- Added support to handle CSV logs.
2024-10-28 Enhancement:
- Modified existing Grok pattern to handle ISP block and ISP GEO block.
2024-10-25 Enhancement:
- Mapped "form_data" to "additional.fields".
2024-10-23 Enhancement:
- Mapped "SOAPAction" to "additional.fields".
2024-09-30 Enhancement:
- Mapped "link" to "target.url".
- When the message contains "DROP" then set "security_result.action" to "BLOCK".
- When the message contains "allowed" then set "security_result.action" to "ALLOW".
2024-08-07 Enhancement:
- Modified existing Grok pattern to handle CEF logs.
- Mapped "suid" to "principal.user.userid".
- Mapped "suser" to "principal.user.user_display_name".
- Mapped "device_version" to "metadata.product_version".
- Mapped "severity" to "security_result.severity".
2024-07-15 Enhancement:
- Added support to handle the SYSLOG + KV logs.
2024-06-17 Enhancement:
- Added support for a new pattern of CSV logs.
2024-06-11 Enhancement:
- Added KV block to handle unparsed KV logs.
- Reformatted CSV logs with "gsub" so that they can be parsed.
2024-05-13 Enhancement:
- Added KV block to parse KV logs.
- Added "gsub" to remove unwanted characters.
2024-04-19 Enhancement:
- Handled CSV unparsed logs.
- Added a Grok pattern to map "resp_code".
- Mapped "errdefs_msgno", "support_id_array", "audit_component" to "additional.fields".
- Mapped "descrip" to "metadata.description".
2024-04-08 Enhancement:
- Added support to parse newly ingested unparsed logs.
2024-04-05 Bug-Fix:
- Added a condition to parse dropped ASM CEF logs.
2024-02-27 Bug-Fix:
- When the "cs5" field holds a valid IP address, mapped it to "principal.ip".
- Aligned "principal.ip" and "principal.asset.ip" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
- Aligned "target.ip" and "target.asset.ip" mappings.
- Aligned "target.hostname" and "target.asset.hostname" mappings.
2024-01-12 Enhancement:
- Mapped "severity" to "security_result.severity_details".
- Mapped "resp_code" to "http.response_code".
- Mapped "virus_name" to "security_result.threat_name".
- Mapped "ip_route_domain" to "principal.ip".
- Mapped "geo_info", "resp", "req_status", "violate_rate", and "ip_addr_intelli" to "security_result.detection_fields".
2023-12-15 Enhancement:
- Handled newly ingested set of logs where "metadata.event_type" is "GENERIC_EVENT" and "network.application_protocol" is "HTTP".
- Set "network.ip_protocol" to "UDP" if message contains "UDP".
- Removed hardcoding value of "network.application_protocol".
- Set "network.application_protocol" to "HTTP" or "HTTPS" if "message" contains "HTTP" or "HTTPS", respectively.
- Set "network.application_protocol" to "HTTP" if "metadata.event_type" is "NETWORK_HTTP".
- Added two Grok patterns to parse "principal_ip" and "src_port" from newly ingested logs.
- Mapped "message_body" to "metadata.description".
- Mapped "tmm_msg" to "metadata.description".
2023-12-07 Enhancement:
- Added a new Grok pattern to parse new KV+XML logs.
- Added KV filters to parse unparsed KV logs.
- Added XML filters to parse unparsed XML logs.
- Mapped "policy_name" to "security_result.about.resource.name".
- Mapped "viol_name" to "security_result.detection_fields".
- Mapped "response_code" to "network.http.response_code".
- Modified Grok pattern to map complete "Referer" field to "network.http.referral_url".
- Mapped "parseduseragent" to "network.http.parsed_user_agent".
2023-11-08 Enhancement:
- Added a new Grok pattern to parse new KV logs.
- Added a KV filter to parse unparsed KV logs.
- Mapped "bigip_mgmt_ip", "client_ip_geo_location", "client_port", "client_request_uri", "device_version", "http_method", "route_domain" and "virtual_server_name" to "principal.ip", "principal.location.country_or_region", "principal.port", "principal.url", "metadata.product_version", "network.http.method", "additional.fields", "network.tls.client.server_name", respectively.
- Added "legal" to "request_status" condition to map "security_result.action_details" as "ALLOW".
- Mapped "profile_name", "action", "previous_action", "bot_signature", "bot_signature_category", "bot_name", "class", "anomaly_categories", "anomalies", "micro_services_name", "micro_services_type", "micro_services_matched_wildcard_url", "micro_services_hostname", "browser_configured_verification_action", "browser_actual_verification_action", "new_request_status", "mobile_is_app", "enforced_by", "application_display_name", "client_type", and "challenge_failure_reason" to "additional.fields".
2023-10-19 Enhancement:
- Added a Grok pattern to extract the value of "Referer" field as "referer" from CEF logs.
- Mapped "referer" to "network.http.referral_url".
2023-09-27 Bug-Fix:
- Set "security_result.action" to "BLOCK" and "security_result.action_details" to "blocked" for logs having "request_status = blocked".
- Set "security_result.action" to "ALLOW" and "security_result.action_details" to "passed" for logs having "request_status = passed".
- Set "security_result.action" to "QUARANTINE" and "security_result.action_details" to "alerted" for logs having "request_status = alerted".
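The action rules recorded in the 2023-09-27 bug-fix above and the 2024-09-30 message-keyword rules ("DROP" to "BLOCK", "allowed" to "ALLOW"), together with the 2024-02-27 rule that "cs5" is promoted to "principal.ip" only when it is a valid IP address, as one added Python normalizer. This is illustrative code written for this page, not the parser's own logic; the sample events are constructed, and giving "request_status" precedence over the message keywords is an assumption.

```python
import ipaddress

# Lookup for the 2023-09-27 rules: request_status -> (action, action_details)
STATUS_TO_ACTION = {
    "blocked": ("BLOCK", "blocked"),
    "passed": ("ALLOW", "passed"),
    "alerted": ("QUARANTINE", "alerted"),
}


def normalize_action(event: dict) -> dict:
    """Derive security_result.* and principal.ip fields from one parsed event.

    `event` is a flat dict of raw field names as the changelog cites them
    (request_status, message, cs5). Returns only the UDM fields that the
    documented rules produce, so callers can merge it into the event.
    """
    out = {}

    # Explicit request_status wins (assumption: it is more precise than a
    # keyword match inside a free-text message).
    status = event.get("request_status")
    if status in STATUS_TO_ACTION:
        action, details = STATUS_TO_ACTION[status]
        out["security_result.action"] = action
        out["security_result.action_details"] = details
    else:
        # 2024-09-30 fallback: keyword match on the message text.
        message = event.get("message", "")
        if "DROP" in message:
            out["security_result.action"] = "BLOCK"
        elif "allowed" in message:
            out["security_result.action"] = "ALLOW"

    # 2024-02-27: cs5 only becomes principal.ip when it really is an IP;
    # any other value (hostname, free text) is left alone rather than
    # polluting the IP field with unparseable data.
    cs5 = event.get("cs5")
    if cs5:
        try:
            ipaddress.ip_address(cs5)
            out["principal.ip"] = cs5
        except ValueError:
            pass

    return out
```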
2023-08-07 Enhancement:
- Mapped "management_ip_address" to "metadata.intermediary.ip".
- Mapped "request_status" to "security_result.action".
- Mapped "query_string" to "additional.fields".
- Mapped "sig_ids" to "security_result.rule_id".
- Mapped "sig_names" to "security_result.rule_name".
- Mapped "username" to "principal.user.userid".
- Mapped "policy_name" to "security_result.about.resource.name".
- Mapped "sub_violations" to "security_result.about.resource.attribute.labels".
- Mapped "violation_rating" to "security_result.about.resource.attribute.labels".
- Mapped "websocket_direction" to "network.direction".
- Mapped "websocket_message_type" to "security_result.detection_fields".
2023-07-27 Bug-Fix:
- Added a new field "target_app" to contain value corresponding to "target.application".
- Mapped the field "process" to "target.application" only when value of the field "target_app" is null.
- Converted the field "process" to "string" if it's already not a string.
2023-07-03 Enhancement:
- Mapped "externalId" to "additional.fields".
- Mapped the event time to "metadata.event_timestamp".
2023-05-12 Enhancement - For CEF format logs, mapped the information about the attack to "security_result.description".
2023-04-06 Enhancement:
- Login event parsed as 'USER_LOGIN' instead of 'STATUS UPDATE'.
- Parsed the username value in 'firstname.lastname' and mapped to 'principal.user.userid'.
2023-02-09 Enhancement: Parsed the logs containing "type=irule" by adding a new Grok pattern and mapped the following fields:
- Mapped "type" to "metadata.product_event_type".
- Mapped "data.sessionid" to "network.session_id".
- Mapped "data.bits" to "network.sent_bytes".
- Mapped "data.version" to "network.tls.version".
- Mapped "client_ip" to "principal.ip".
- Mapped "client_port" to "principal.port".
- Mapped "snat_ip" to "principal.nat_ip".
- Mapped "snat_port" to "principal.nat_port".
- Mapped "server_ip" to "target.ip".
- Mapped "server_port" to "target.port".
- Mapped "irule" to "security_result.rule_name".
- Mapped "irule-version" to "security_result.rule_version".
- Mapped "proxy_id" to "security_result.rule_id".
- Mapped "virtualserver" to "network.tls.client.server_name".
2022-11-03 Enhancement:
- Added a condition for unparsed CEF format logs.
- Added a condition to check for sshd and httpd user_login logs.
- Added Grok patterns to parse httpd and sshd user_login success/failure logs.
- Mapped "event_id" to "metadata.product_log_id".
- Mapped "application" to "target.application".
- Mapped "prin_ip" to "principal.ip".
- Mapped "SSH" to "app_protocol" when "tty" is "ssh" or "application" is "sshd".
- Mapped "user_id" to "principal.user.user_id".
- Mapped "USER_LOGIN" to "metadata.event_type" for httpd/sshd user_login logs.
- Mapped "auth_level" to "principal.user.attribute.roles".
- Mapped "addr" from the log to "target.ip".
- Mapped "port" from the log to "target.port".
2022-09-21 Enhancement:
- Migrated the customer-specific parser to the default parser.
2022-05-17 Enhancement: Enhanced the parser to parse the header of the HTTP request.
2022-04-27 Bug-Fix:
- Enhanced the parser to parse logs with the "ASM:" format.
2022-04-26 Enhanced the parser to handle unparsed raw logs.