Change log for FORTINET_FIREWALL

Date	Changes
2024-10-15	Enhancement: - Mapped "type", "subtype", and "level" to "additional.fields".
2024-09-20	Enhancement: - When "dstosname" is equal to "DEBIAN", set "target.platform" to "LINUX".
2024-09-19	Enhancement: - When "service" is "kernel", removed the drop tag. - Mapped "mac" to "principal.mac".
2024-09-13	Enhancement: - Added a conditional check for "ssl-login-fail" and "auth-logon" before mapping the "security_result.action" UDM field value.
2024-08-29	Enhancement: - If "action" is "negotiate", then set "security_result.action" to "BLOCK". - If "action" is "tunnel-down", "tunnel-stats", "tunnel-up", and "ssl-new-con", then set "security_result.action" to "ALLOW". - If "action" is nearly equal to "tunnel" or "action" is "negotiate", then set "metadata.event_type" to "NETWORK_CONNECTION".
2024-08-16	Enhancement: - Changed the mapping of "security_result.action" from "FAIL" to "BLOCK" when "action" is "timeout".
2024-08-13	Enhancement: - Mapped "logid" to "metadata.product_log_id". - Mapped "vd" to "principal.administrative_domain". - Mapped "srcintfrole" to "security_result.detection_fields". - Mapped "dstintfrole" to "security_result.detection_fields". - Mapped "sentpkt", "rcvdpkt", "vpntype", "authserver", "crlevel", "trandisp", "policyid", and "appcat" to "additional.fields". - Mapped "policytype" to "security_result.rule_type". - Mapped "craction" to "security_result.about.labels". - Mapped "crscore" to "security_result.severity_details". - Mapped "group" to "principal.user.group_identifiers".
2024-08-06	Enhancement: - Mapped "auditid", "auditscore", "auditid", "criticalcount", "highcount" , "mediumcount", "lowcount", "passedcount", "criticalcount", "srccountry", "direction", "dstcountry", "dstintf", "dstintfrole", "xid", "qtype", "qtypeval", "qclass", "cat", "rcode" and "license_limit" to "security_result.detection_fields". - Mapped "cpu", "mem", "disk", "bandwidth", "disklograte", "fazlograte", "freediskstorage", "sysuptime", "waninfo", "trandisp", "used_for_type", "connection_type", "count" and "fctuid" to "additional.fields". - Mapped "totalsession" to "network.session_duration.seconds". - Mapped "incidentserialno" to "network.tls.client.certificate.serial". - Mapped "scertcname" to "network.tls.client.certificate.subject". - Mapped "scertissuer" to "network.tls.client.certificate.issuer". - Mapped "authserver" to "principal.hostname" and "principal.asset.hostname". - Mapped "dstserver" and "dst_host" to "target.hostname" and "target.asset.hostname". - Mapped "dsthwvendor" to "target.resource.attribute.labels". - Mapped "eventtime" to "metadata.event_timestamp". - Mapped "reqtype", "rcvdbyte", "ratemethod", "outintf", "cookies", "useralt", "xauthuser", "xauthgroup", "assignip", "vpntunnel", "init", "stage", "role", "advpnsc", "tunneltype", "tunnelid" and "nextstat" to "principal.resource.attribute.labels". - Mapped "policyid" to "security_result.rule_id". - Mapped "policytype" to "security_result.rule_type". - Mapped "date","time" and "tz" to "metadata.ingested_timestamp". - Mapped "profile" to "target.resource.name" and "target.resource.resource_type". - If "user" is a valid ip, then mapped "user" to "principal.ip" and "principal.asset.ip". - Mapped "group" to "principal.user.group_identifiers". - Mapped "mode" to "security_result.summary". - Mapped "result" to "security_result.description".
2024-07-29	Enhancement: - Added a conditional check for the "success" field before mapping "security_result.action" UDM field.
2024-07-17	Enhancement: - Added "gsub" to parse unparsed syslog logs.
2024-07-02	Enhancement: - Mapped "FTNTFGTappcat" to "additional.fields". - Mapped "FTNTFGTduration" to "network.session_duration.seconds". - Mapped "FTNTFGTsentpkt" to "additional.fields" and "network.sent_packets". - Mapped "FTNTFGTrcvdpkt" to "additional.fields" and "network.received_packets". - Mapped "FTNTFGTdstintfrole" to "security_result.detection_fields". - Mapped "FTNTFGTsrcintfrole" to "security_result.detection_fields". - Mapped "FTNTFGTpoluuid" to "security_result.rule_id". - Mapped "FTNTFGTvd" to "principal.administrative_domain".
2024-05-21	Enhancement: - Added "gsub" to parse JSON logs.
2024-04-19	Enhancement: - "Mapped correct "shost" value to "principal.hostname" by adding gsub function for "fw_version" field." Bug-fix: - Added support for logs that don't have "jsonPayload.message" field.
2024-03-07	Enhancement: - Mapped "httpmethod" to "network.http.method". - Mapped "agent" to "network.http.user_agent" and "network.http.parsed_user_agent". - Aligned mappings for "principal.ip" and "principal.asset.ip". - Aligned mappings for "principal.hostname" and "principal.asset.hostname". - Aligned mappings for "target.ip" and "target.asset.ip". - Aligned mappings for "target.hostname" and "target.asset.hostname".
2023-11-21	Bug-Fix: - Mapped "dstuser" to "event.idm.read_only_udm.target.user.userid". - Mapped "dstauthserver" to "event.idm.read_only_udm.target.hostname". - Mapped "poluuid" to "event.idm.read_only_udm.additional.fields". - Mapped "srcuuid" to "event.idm.read_only_udm.principal.resource.product_object_id". - Mapped "dstuuid" to "event.idm.read_only_udm.target.resource.product_object_id". - Mapped "attack" to "event.idm.read_only_udm.security_result.category_details". - If "type" value is "utm" and "subtype" value is "waf", changed "event.idm.read_only_udm.metadata.event_type" from "NETWORK_UNCATEGORIZED" to "NETWORK_CONNECTION". - If "direction" value is "request", set "event.idm.read_only_udm.network.direction" to "OUTBOUND". - If "direction" value is "response",set "event.idm.read_only_udm.network.direction" to "INBOUND".
2023-11-20	Bug-fix: - Mapped "transip" to "principal.nat_ip". - Mapped "transport" to "principal.nat_port". - Mapped "tranport" to "target.nat_port".
2023-07-10	Enhancement - - Parsed raw logs of type "Added FTP Server".
2023-06-01	Enhancement - Mapped "log_id" to "metadata.product_log_id". - Mapped "operation" to "security_result.action_details" and "security_result.action" to "ALLOW". - Mapped "performed_on" to "security_result.about.application". - Mapped "path" to "security_result.description". - Mapped "pri" to "security_result.severity_details". - Mapped "mode" to "security_result.summary". - Mapped "desc" to "metadata.description". - Mapped "userfrom" to "principal.ip".
2023-05-24	Enhancement - - Mapped "severity" to "security_result.detection_fields".
2023-04-19	Enhancement - Mapped "srcinetsvc" and "dstinetsvc" to "security_result.detection_fields".
2023-03-06	Enhancement - when "type" = "event" and "subtype" = "vpn" mapped - - "event_type" to "USER_LOGIN". - "extensions.auth.type" to "VPN". - "devname" to "target.hostname". - Mapped "action" to "security_result.action" if present else mapped "utmaction". Initially it was done vice versa.
2023-02-22	- Mapped "metadata.event_type" as "USER_UNCATEGORIZED" instead of "GENERIC_EVENT" when "user" field is present. - Mapped "msg" to "security_result.summary". - Mapped "nas" to "principal.nat_ip". - Modified grok to parse data for "target.user.userid" when "logdesc" contains "GUI_ENTRY_DELETION".
2023-01-13	- Mapped "shost" to "principal.hostname".
2022-11-24	Enhancement - Mapped "tranip" to "target.nat_ip". - Modified the mapping of "msg" from "security_result.description" to "security_result.summary".
2022-10-21	Enhancement: - Mapped "suser" to "principal.user.user_display_name". - Mapped "duser" to "target.user.user_display_name". - Mapped "suid" to "principal.user.userid". - Mapped "duid" to "target.user.userid".
2022-10-20	Bug: - "security_result.action" mapping changed from "BLOCK" to "ALLOW" when "action=close".
2022-10-13	Enhancement: - Changed Mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION" - Mapped "msg" to "security_result.description" - Mapped "devname" to "principal.hostname" - Mapped "user_name" to "target.user.userid" - Mapped "level" to "security_result.severity_details"
2022-10-13	Enhancement: - Changed Mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION" - Mapped "msg" to "security_result.description" - Mapped "devname" to "principal.hostname" - Mapped "user_name" to "target.user.userid" - Mapped "level" to "security_result.severity_details"
2022-10-06	Bug-Fix: - Added conditional check for the field 'utmaction' and 'action'. - Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'.
2022-10-06	Bug-Fix: - Added conditional check for the field 'utmaction' and 'action'. - Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'.
2022-09-21	Enhancement: - Mapped the field 'protocol' to 'network.ip_protocol' if protocol contains tcp and udp else mapped it to 'network.application_protocol'. - Added gsubs and enhanced the parser to parse the logs of CEF format having different field names.
2022-09-09	Enhancement: - Migrated customer specific parsers to default parser. - Added support for logs with CEF format. - Mapped the field 'cs6' to 'principal.user.group_identifiers'. - Mapped the field 'start' to 'metadata.event_timestamp'. - Mapped the field 'dvchost' to 'intermediary.hostname'. - Mapped the field 'dhost' to 'target.hostname'. - Mapped the field 'src' to 'principal.ip'. - Mapped the field 'spt' to 'principal.port'. - Mapped the field 'sourceTranslatedAddress' to 'principal.nat_ip'. - Mapped the field 'sourceTranslatedPort' to 'principal.nat_port'. - Mapped the field 'dst' to 'target.ip'. - Mapped the field 'dpt' to 'target.port'. - Mapped the field 'out' to 'network.sent_bytes'. - Mapped the field 'in' to 'network.received_bytes. - Mapped the field 'deviceSeverity' to 'security_result.severity'. - Mapped the field 'act' to 'security_result.action' and 'security_result.action_details'. - Mapped the field 'sentpkt' to 'additional.fields'. - Mapped the field 'rcvdpkt' to 'additional.fields'. - Added conditional null checks for fieldsout 'metadata.product_name', 'metadata.vendor_name', 'sentbyte', 'rcvdbyte', 'intermediary'. - Modified the field 'metadata.event_type' for the following cases: - 'GENERIC_EVENT' to 'NETWORK_UNCATEGORIZED' where principal.ip and target.ip is not null. - 'GENERIC_EVENT' to 'STATUS_UNCATEGORIZED' where principal.ip is not null.
2022-08-22	Enhancement: - Added support for logs with CEF format. - Mapped the field 'vd' to 'principal.administrative_domain'. - Mapped the field 'status' to 'security_result.summary'. - Mapped the field 'msg' to 'security_result1.description'. - Mapped the field 'ip_address' to 'principal.ip' where the field 'msg' is present. - Removed mapping for the field 'devname' mapped to 'principal.hostname'.
2022-08-11	Enhancement: - The field "app" is mapped to "additional.fields[n]". - Added null condition check for the field "remip".
2022-07-21	Enhancement: - Modified mapping for "group" from "principal.user.groupid" to "principal.user.group_identifiers".
2022-07-13	Enhancement: Added mappings for new fields. Mapped "appcat" to event.idm.read_only_udm.additional.fields". Mapped "apprisk" to event.idm.read_only_udm.additional.fields". Mapped "applist" to event.idm.read_only_udm.additional.fields". Mapped "appact" to event.idm.read_only_udm.additional.fields". Mapped "devid" to event.idm.read_only_udm.additional.fields".
2022-06-20	Enhancement- Mapped "security_result.action" as "ALLOW" when the value of field "action" or "utmaction" is "detected".
2022-05-20	Enhancement: Added mappings for new fields; Mapped "action" and "utmaction" to "security_result.action_details". Added validation checks for "principal.ip" and "target.ip".
2022-04-29	Enhancement-Added support for action = timeout/close to UDM. Mapped devname to principal.hostname when principal field is empty.
2022-04-12	Enhancement-Added mappings for new fields. attackid mapped to security_result.rule_id crlevel mapped to security_result.severity incidentserialno mapped to metadata.product_log_id craction mapped to metadata.product_deployment_id dstintf mapped to additional.fields dstintfrole mapped to additional.fields