Change log for FORTINET_FIREWALL

Date Changes
2024-03-07 Enhancement:
- Mapped "httpmethod" to "network.http.method".
- Mapped "agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Aligned mappings for "principal.ip" and "principal.asset.ip".
- Aligned mappings for "principal.hostname" and "principal.asset.hostname".
- Aligned mappings for "target.ip" and "target.asset.ip".
- Aligned mappings for "target.hostname" and "target.asset.hostname".
2023-11-21 Bug-Fix:
- Mapped "dstuser" to "event.idm.read_only_udm.target.user.userid".
- Mapped "dstauthserver" to "event.idm.read_only_udm.target.hostname".
- Mapped "poluuid" to "event.idm.read_only_udm.additional.fields".
- Mapped "srcuuid" to "event.idm.read_only_udm.principal.resource.product_object_id".
- Mapped "dstuuid" to "event.idm.read_only_udm.target.resource.product_object_id".
- Mapped "attack" to "event.idm.read_only_udm.security_result.category_details".
- If "type" value is "utm" and "subtype" value is "waf", changed "event.idm.read_only_udm.metadata.event_type" from "NETWORK_UNCATEGORIZED" to "NETWORK_CONNECTION".
- If "direction" value is "request", set "event.idm.read_only_udm.network.direction" to "OUTBOUND".
- If "direction" value is "response", set "event.idm.read_only_udm.network.direction" to "INBOUND".
2023-11-20 Bug-fix:
- Mapped "transip" to "principal.nat_ip".
- Mapped "transport" to "principal.nat_port".
- Mapped "tranport" to "target.nat_port".
2023-07-10 Enhancement -
- Parsed raw logs of type "Added FTP Server".
2023-06-01 Enhancement - Mapped "log_id" to "metadata.product_log_id".
- Mapped "operation" to "security_result.action_details" and "security_result.action" to "ALLOW".
- Mapped "performed_on" to "security_result.about.application".
- Mapped "path" to "security_result.description".
- Mapped "pri" to "security_result.severity_details".
- Mapped "mode" to "security_result.summary".
- Mapped "desc" to "metadata.description".
- Mapped "userfrom" to "principal.ip".
2023-05-24 Enhancement -
- Mapped "severity" to "security_result.detection_fields".
2023-04-19 Enhancement - Mapped "srcinetsvc" and "dstinetsvc" to "security_result.detection_fields".
2023-03-06 Enhancement - when "type" = "event" and "subtype" = "vpn" mapped -
- "event_type" to "USER_LOGIN".
- "extensions.auth.type" to "VPN".
- "devname" to "target.hostname".
- Mapped "action" to "security_result.action" if present else mapped "utmaction". Initially it was done vice versa.
2023-02-22 - Mapped "metadata.event_type" as "USER_UNCATEGORIZED" instead of "GENERIC_EVENT" when "user" field is present.
- Mapped "msg" to "security_result.summary".
- Mapped "nas" to "principal.nat_ip".
- Modified grok to parse data for "target.user.userid" when "logdesc" contains "GUI_ENTRY_DELETION".
2023-01-13 - Mapped "shost" to "principal.hostname".
2022-11-24 Enhancement - Mapped "tranip" to "target.nat_ip".
- Modified the mapping of "msg" from "security_result.description" to "security_result.summary".
2022-10-21 Enhancement:
- Mapped "suser" to "principal.user.user_display_name".
- Mapped "duser" to "target.user.user_display_name".
- Mapped "suid" to "principal.user.userid".
- Mapped "duid" to "target.user.userid".
2022-10-20 Bug:
- "security_result.action" mapping changed from "BLOCK" to "ALLOW" when "action=close".
2022-10-13 Enhancement:
- Changed Mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION"
- Mapped "msg" to "security_result.description"
- Mapped "devname" to "principal.hostname"
- Mapped "user_name" to "target.user.userid"
- Mapped "level" to "security_result.severity_details"
2022-10-06 Bug-Fix:
- Added conditional check for the field 'utmaction' and 'action'.
- Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'.
2022-09-21 Enhancement:
- Mapped the field 'protocol' to 'network.ip_protocol' if its value is tcp or udp, else mapped it to 'network.application_protocol'.
- Added gsubs and enhanced the parser to parse the logs of CEF format having different field names.
2022-09-09 Enhancement:
- Migrated customer specific parsers to default parser.
- Added support for logs with CEF format.
- Mapped the field 'cs6' to 'principal.user.group_identifiers'.
- Mapped the field 'start' to 'metadata.event_timestamp'.
- Mapped the field 'dvchost' to 'intermediary.hostname'.
- Mapped the field 'dhost' to 'target.hostname'.
- Mapped the field 'src' to 'principal.ip'.
- Mapped the field 'spt' to 'principal.port'.
- Mapped the field 'sourceTranslatedAddress' to 'principal.nat_ip'.
- Mapped the field 'sourceTranslatedPort' to 'principal.nat_port'.
- Mapped the field 'dst' to 'target.ip'.
- Mapped the field 'dpt' to 'target.port'.
- Mapped the field 'out' to 'network.sent_bytes'.
- Mapped the field 'in' to 'network.received_bytes'.
- Mapped the field 'deviceSeverity' to 'security_result.severity'.
- Mapped the field 'act' to 'security_result.action' and 'security_result.action_details'.
- Mapped the field 'sentpkt' to 'additional.fields'.
- Mapped the field 'rcvdpkt' to 'additional.fields'.
- Added conditional null checks for the fields 'metadata.product_name', 'metadata.vendor_name', 'sentbyte', 'rcvdbyte', 'intermediary'.
- Modified the field 'metadata.event_type' for the following cases:
- 'GENERIC_EVENT' to 'NETWORK_UNCATEGORIZED' where principal.ip and target.ip are both not null.
- 'GENERIC_EVENT' to 'STATUS_UNCATEGORIZED' where only principal.ip is not null.
2022-08-22 Enhancement:
- Added support for logs with CEF format.
- Mapped the field 'vd' to 'principal.administrative_domain'.
- Mapped the field 'status' to 'security_result.summary'.
- Mapped the field 'msg' to 'security_result1.description'.
- Mapped the field 'ip_address' to 'principal.ip' where the field 'msg' is present.
- Removed mapping for the field 'devname' mapped to 'principal.hostname'.
2022-08-11 Enhancement:
- The field "app" is mapped to "additional.fields[n]".
- Added null condition check for the field "remip".
2022-07-21 Enhancement:
- Modified mapping for "group" from "principal.user.groupid" to "principal.user.group_identifiers".
2022-07-13 Enhancement: Added mappings for new fields.
Mapped "appcat" to "event.idm.read_only_udm.additional.fields".
Mapped "apprisk" to "event.idm.read_only_udm.additional.fields".
Mapped "applist" to "event.idm.read_only_udm.additional.fields".
Mapped "appact" to "event.idm.read_only_udm.additional.fields".
Mapped "devid" to "event.idm.read_only_udm.additional.fields".
2022-06-20 Enhancement - Mapped "security_result.action" as "ALLOW" when the value of field "action" or "utmaction" is "detected".
2022-05-20 Enhancement: Added mappings for new fields.
Mapped "action" and "utmaction" to "security_result.action_details".
Added validation checks for "principal.ip" and "target.ip".
2022-04-29 Enhancement - Added support for action = timeout/close to UDM.
Mapped devname to principal.hostname when principal field is empty.
2022-04-12 Enhancement - Added mappings for new fields.
attackid mapped to security_result.rule_id
crlevel mapped to security_result.severity
incidentserialno mapped to metadata.product_log_id
craction mapped to metadata.product_deployment_id
dstintf mapped to additional.fields
dstintfrole mapped to additional.fields
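The conditional rules scattered through this change log (the 2023-11-21 WAF direction and event type rules, the 2023-11-20 and 2022-11-24 NAT fields, the 2023-03-06 precedence of "action" over "utmaction", the 2022-10-20/2022-06-20/2022-04-29 ALLOW cases, and the 2022-09-21 protocol split) are easier to reason about when written out as one normalisation function. The block below is an added example in Python and is not the parser's own code, which is written in the Chronicle parser configuration language; the two log lines are constructed samples rather than captured FortiGate output, the flattened UDM key names are a readability convenience, and the ordering between the competing event_type rules is an assumption, since the change log does not state it.

```python
"""Re-implementation of several conditional mapping rules from this change log.

Added example, not the Chronicle parser's own code. Log lines are constructed
samples, and the precedence between event_type rules is an assumption.
"""
import re
from typing import Dict

# key=value tokens; FortiGate quotes values that contain spaces
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# 2022-06-20, 2022-10-20, 2022-04-29: these vendor action values normalise to ALLOW.
# The change log does not specify other values, so they are left unmapped here.
_ALLOW_ACTIONS = {"detected", "close", "timeout"}

# 2023-11-20 and 2022-11-24: four similarly named NAT fields. transip/transport are
# the translated *source* address and port, tranip/tranport the translated *target*.
_NAT_FIELDS = (("transip", "principal.nat_ip"), ("transport", "principal.nat_port"),
               ("tranip", "target.nat_ip"), ("tranport", "target.nat_port"))


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a FortiGate-style key=value line into a dict of raw fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def to_udm(fields: Dict[str, str]) -> Dict[str, str]:
    """Apply a subset of the change log's rules; keys are flattened UDM paths."""
    udm: Dict[str, str] = {"metadata.event_type": "GENERIC_EVENT"}

    # 2022-09-21: tcp/udp are IP protocols; anything else is an application protocol
    proto = fields.get("protocol")
    if proto:
        key = "network.ip_protocol" if proto.lower() in ("tcp", "udp") else "network.application_protocol"
        udm[key] = proto.upper()

    # 2023-03-06: "action" wins over "utmaction" (originally the reverse).
    # 2022-05-20: the raw value is kept in action_details next to the normalised enum.
    raw_action = fields.get("action") or fields.get("utmaction")
    if raw_action:
        udm["security_result.action_details"] = raw_action
        if raw_action in _ALLOW_ACTIONS:
            udm["security_result.action"] = "ALLOW"

    # 2023-11-21: request/response direction and attack name of a WAF event
    direction = {"request": "OUTBOUND", "response": "INBOUND"}.get(fields.get("direction", ""))
    if direction:
        udm["network.direction"] = direction
    if "attack" in fields:
        udm["security_result.category_details"] = fields["attack"]

    for raw, path in _NAT_FIELDS:
        if raw in fields:
            udm[path] = fields[raw]

    # Event type overrides; the order of these branches is an assumption.
    log_type, subtype = fields.get("type"), fields.get("subtype")
    if log_type == "utm" and subtype == "waf":           # 2023-11-21
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
    elif log_type == "event" and subtype == "vpn":       # 2023-03-06
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["extensions.auth.type"] = "VPN"
        if "devname" in fields:
            udm["target.hostname"] = fields["devname"]
    elif fields.get("logdesc") == "GUI_ENTRY_DELETION":  # 2022-10-13
        udm["metadata.event_type"] = "USER_DELETION"
    elif "user" in fields:                               # 2023-02-22
        udm["metadata.event_type"] = "USER_UNCATEGORIZED"
    return udm


# Constructed sample lines (not real device output) that exercise the rules above.
SAMPLE_WAF = ('date=2023-11-21 type="utm" subtype="waf" direction="request" '
              'protocol="tcp" action="detected" transip=203.0.113.5 transport=40001 '
              'tranip=198.51.100.9 tranport=443 attack="SQL Injection"')
SAMPLE_VPN = ('date=2023-03-06 type="event" subtype="vpn" devname="fw-edge-1" '
              'user="alice" utmaction="close" protocol="https"')

if __name__ == "__main__":
    for sample in (SAMPLE_WAF, SAMPLE_VPN):
        for path, value in sorted(to_udm(parse_kv(sample)).items()):
            print(f"{path} = {value}")
        print()
```

Running the block prints the flattened UDM fields for both samples; the WAF line lands in NETWORK_CONNECTION with OUTBOUND direction and all four NAT fields, while the VPN line lands in USER_LOGIN with the raw "close" preserved in action_details and normalised to ALLOW.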