
Change log for FORTINET_FIREWALL

Date Changes
2022-10-21 Enhancement:
- Mapped "suser" to "principal.user.user_display_name".
- Mapped "duser" to "target.user.user_display_name".
- Mapped "suid" to "principal.user.userid".
- Mapped "duid" to "target.user.userid".
2022-10-20 Bug:
- "security_result.action" mapping changed from "BLOCK" to "ALLOW" when "action=close".
2022-10-13 Enhancement:
- Changed mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION".
- Mapped "msg" to "security_result.description".
- Mapped "devname" to "principal.hostname".
- Mapped "user_name" to "target.user.userid".
- Mapped "level" to "security_result.severity_details".
2022-10-06 Bug-Fix:
- Added conditional checks for the fields 'utmaction' and 'action'.
- Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'.
2022-09-21 Enhancement:
- Mapped the field 'protocol' to 'network.ip_protocol' when its value is tcp or udp; otherwise mapped it to 'network.application_protocol'.
- Added gsub substitutions and enhanced the parser to handle CEF-format logs that use different field names.
2022-09-09 Enhancement:
- Migrated customer specific parsers to default parser.
- Added support for logs with CEF format.
- Mapped the field 'cs6' to 'principal.user.group_identifiers'.
- Mapped the field 'start' to 'metadata.event_timestamp'.
- Mapped the field 'dvchost' to 'intermediary.hostname'.
- Mapped the field 'dhost' to 'target.hostname'.
- Mapped the field 'src' to 'principal.ip'.
- Mapped the field 'spt' to 'principal.port'.
- Mapped the field 'sourceTranslatedAddress' to 'principal.nat_ip'.
- Mapped the field 'sourceTranslatedPort' to 'principal.nat_port'.
- Mapped the field 'dst' to 'target.ip'.
- Mapped the field 'dpt' to 'target.port'.
- Mapped the field 'out' to 'network.sent_bytes'.
- Mapped the field 'in' to 'network.received_bytes'.
- Mapped the field 'deviceSeverity' to 'security_result.severity'.
- Mapped the field 'act' to 'security_result.action' and 'security_result.action_details'.
- Mapped the field 'sentpkt' to 'additional.fields'.
- Mapped the field 'rcvdpkt' to 'additional.fields'.
- Added conditional null checks for the fields 'metadata.product_name', 'metadata.vendor_name', 'sentbyte', 'rcvdbyte', 'intermediary'.
- Modified the field 'metadata.event_type' for the following cases:
  - 'GENERIC_EVENT' to 'NETWORK_UNCATEGORIZED' where principal.ip and target.ip are both not null.
  - 'GENERIC_EVENT' to 'STATUS_UNCATEGORIZED' where principal.ip is not null.
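The conditional rules in this change log ('utmaction' taking precedence over 'action', "close" and "detected" normalizing to ALLOW, tcp/udp going to 'network.ip_protocol' and anything else to 'network.application_protocol', and the event_type selection above) are easier to reason about as code than as a list of entries. The following is an added illustration written for this page, not the parser shipped by Google SecOps; it implements those rules as a small Python normalizer over constructed sample lines. The regex, the flat dotted-key output, the "accept"/"deny" entries in the action table and the upper-casing of protocol values are assumptions made here, not behaviour stated in the change log.

```python
import re
from typing import Dict, Optional

# Constructed sample lines in Fortinet key=value form (not captured device output).
SAMPLE_TRAFFIC = ('date=2022-10-21 time=12:00:00 devname="fw-edge-01" '
                  'src=10.0.0.5 spt=51515 dst=192.0.2.10 dpt=443 '
                  'protocol=tcp action=close out=1200 in=3400 '
                  'level=notice msg="session closed"')
SAMPLE_UTM = ('devname="fw-edge-01" src=10.0.0.5 protocol=http '
              'action=accept utmaction=detected level=warning')
SAMPLE_GUI = ('devname="fw-edge-01" logdesc="GUI_ENTRY_DELETION" '
              'user_name=alice level=information msg="Delete user"')

# key=value pairs; a quoted value may contain spaces (assumed grammar).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Raw Fortinet action -> UDM security_result.action.
ACTION_MAP = {
    "close": "ALLOW",     # 2022-10-20 fix: a closed session was allowed, not blocked
    "detected": "ALLOW",  # 2022-06-20: "detected" means the traffic was observed, not stopped
    "accept": "ALLOW",    # assumption, not stated in the change log
    "deny": "BLOCK",      # assumption, not stated in the change log
}

# Fields that copy across unchanged (names taken from the change log entries).
STRING_FIELDS = {
    "devname": "principal.hostname",
    "src": "principal.ip",
    "dst": "target.ip",
    "sourceTranslatedAddress": "principal.nat_ip",
    "dhost": "target.hostname",
    "dvchost": "intermediary.hostname",
    "msg": "security_result.description",
    "level": "security_result.severity_details",
    "user_name": "target.user.userid",
}
INT_FIELDS = {
    "spt": "principal.port",
    "dpt": "target.port",
    "out": "network.sent_bytes",
    "in": "network.received_bytes",
}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted and bare values both supported."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def map_action(raw: Optional[str]) -> str:
    """Normalize a raw action value; anything unknown stays UNKNOWN_ACTION."""
    if not raw:
        return "UNKNOWN_ACTION"
    return ACTION_MAP.get(raw.lower(), "UNKNOWN_ACTION")


def to_udm(line: str) -> Dict[str, object]:
    """Apply the change-log mapping rules to one log line; returns flat dotted UDM keys."""
    f = parse_kv(line)
    udm: Dict[str, object] = {"metadata.event_type": "GENERIC_EVENT"}

    for key, target in STRING_FIELDS.items():
        if f.get(key):
            udm[target] = f[key]
    for key, target in INT_FIELDS.items():
        if f.get(key, "").isdigit():
            udm[target] = int(f[key])

    # 2022-09-21: tcp/udp are IP protocols, anything else is an application protocol.
    proto = f.get("protocol")
    if proto:
        if proto.lower() in ("tcp", "udp"):
            udm["network.ip_protocol"] = proto.upper()
        else:
            udm["network.application_protocol"] = proto.upper()

    # 2022-10-06: 'utmaction' wins over 'action' when both are present;
    # 2022-05-20: the raw value is kept in action_details either way.
    raw_action = f.get("utmaction") or f.get("action")
    if raw_action:
        udm["security_result.action"] = map_action(raw_action)
        udm["security_result.action_details"] = raw_action

    # event_type selection, most specific rule first.
    if f.get("logdesc") == "GUI_ENTRY_DELETION":
        udm["metadata.event_type"] = "USER_DELETION"
    elif "principal.ip" in udm and "target.ip" in udm:
        udm["metadata.event_type"] = "NETWORK_UNCATEGORIZED"
    elif "principal.ip" in udm:
        udm["metadata.event_type"] = "STATUS_UNCATEGORIZED"
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_TRAFFIC, SAMPLE_UTM, SAMPLE_GUI):
        for k, v in sorted(to_udm(sample).items()):
            print(f"{k} = {v!r}")
        print()
```

A useful check when validating a parser change like the 2022-10-20 fix is to feed it a session-close line and confirm that the resulting UDM event carries ALLOW rather than BLOCK, since a wrong value there silently inflates block counts in detections built on `security_result.action`.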
2022-08-22 Enhancement:
- Added support for logs with CEF format.
- Mapped the field 'vd' to 'principal.administrative_domain'.
- Mapped the field 'status' to 'security_result.summary'.
- Mapped the field 'msg' to 'security_result1.description'.
- Mapped the field 'ip_address' to 'principal.ip' where the field 'msg' is present.
- Removed mapping for the field 'devname' mapped to 'principal.hostname'.
2022-08-11 Enhancement:
- The field "app" is mapped to "additional.fields[n]".
- Added null condition check for the field "remip".
2022-07-21 Enhancement:
- Modified mapping for "group" from "principal.user.groupid" to "principal.user.group_identifiers".
2022-07-13 Enhancement: Added mappings for new fields.
- Mapped "appcat" to "event.idm.read_only_udm.additional.fields".
- Mapped "apprisk" to "event.idm.read_only_udm.additional.fields".
- Mapped "applist" to "event.idm.read_only_udm.additional.fields".
- Mapped "appact" to "event.idm.read_only_udm.additional.fields".
- Mapped "devid" to "event.idm.read_only_udm.additional.fields".
2022-06-20 Enhancement:
- Mapped "security_result.action" as "ALLOW" when the value of field "action" or "utmaction" is "detected".
2022-05-20 Enhancement: Added mappings for new fields.
- Mapped "action" and "utmaction" to "security_result.action_details".
- Added validation checks for "principal.ip" and "target.ip".
2022-04-29 Enhancement: Added support for action = timeout/close to UDM.
- Mapped "devname" to "principal.hostname" when the principal field is empty.
2022-04-12 Enhancement: Added mappings for new fields.
- Mapped "attackid" to "security_result.rule_id".
- Mapped "crlevel" to "security_result.severity".
- Mapped "incidentserialno" to "metadata.product_log_id".
- Mapped "craction" to "metadata.product_deployment_id".
- Mapped "dstintf" to "additional.fields".
- Mapped "dstintfrole" to "additional.fields".