Change log for FORTINET_FIREWALL
| Date | Changes |
|---|---|
| 2023-03-06 | Enhancement: when "type" = "event" and "subtype" = "vpn", mapped "event_type" to "USER_LOGIN", "extensions.auth.type" to "VPN", and "devname" to "target.hostname". Mapped "action" to "security_result.action" if present, else mapped "utmaction"; previously the precedence was the reverse. |
| 2023-02-22 | Mapped "metadata.event_type" to "USER_UNCATEGORIZED" instead of "GENERIC_EVENT" when the "user" field is present. Mapped "msg" to "security_result.summary". Mapped "nas" to "principal.nat_ip". Modified the grok pattern to parse "target.user.userid" when "logdesc" contains "GUI_ENTRY_DELETION". |
| 2023-01-13 | Mapped "shost" to "principal.hostname". |
| 2022-11-24 | Enhancement: mapped "tranip" to "target.nat_ip". Modified the mapping of "msg" from "security_result.description" to "security_result.summary". |
| 2022-10-21 | Enhancement: mapped "suser" to "principal.user.user_display_name", "duser" to "target.user.user_display_name", "suid" to "principal.user.userid", and "duid" to "target.user.userid". |
| 2022-10-20 | Bug: "security_result.action" mapping changed from "BLOCK" to "ALLOW" when "action" = "close". |
| 2022-10-13 | Enhancement: changed the mapping of "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION". Mapped "msg" to "security_result.description", "devname" to "principal.hostname", "user_name" to "target.user.userid", and "level" to "security_result.severity_details". |
| 2022-10-06 | Bug fix: added a conditional check for the fields "utmaction" and "action". Mapped "utmaction" to "security_result.action" if present, else mapped "action". |
| 2022-09-21 | Enhancement: mapped "protocol" to "network.ip_protocol" when its value is tcp or udp, else to "network.application_protocol". Added gsubs and enhanced the parser to handle CEF-format logs that use different field names. |
| 2022-09-09 | Enhancement: migrated customer-specific parsers to the default parser. Added support for logs in CEF format. Mapped "cs6" to "principal.user.group_identifiers", "start" to "metadata.event_timestamp", "dvchost" to "intermediary.hostname", "dhost" to "target.hostname", "src" to "principal.ip", "spt" to "principal.port", "sourceTranslatedAddress" to "principal.nat_ip", "sourceTranslatedPort" to "principal.nat_port", "dst" to "target.ip", "dpt" to "target.port", "out" to "network.sent_bytes", "in" to "network.received_bytes", "deviceSeverity" to "security_result.severity", "act" to "security_result.action" and "security_result.action_details", and "sentpkt" and "rcvdpkt" to "additional.fields". Added conditional null checks for the fields "metadata.product_name", "metadata.vendor_name", "sentbyte", "rcvdbyte" and "intermediary". Modified "metadata.event_type" from "GENERIC_EVENT" to "NETWORK_UNCATEGORIZED" where "principal.ip" and "target.ip" are both not null, and from "GENERIC_EVENT" to "STATUS_UNCATEGORIZED" where "principal.ip" is not null. |
| 2022-08-22 | Enhancement: added support for logs in CEF format. Mapped "vd" to "principal.administrative_domain", "status" to "security_result.summary", "msg" to "security_result.description", and "ip_address" to "principal.ip" where the field "msg" is present. Removed the mapping of "devname" to "principal.hostname". |
| 2022-08-11 | Enhancement: mapped "app" to "additional.fields[n]". Added a null check for the field "remip". |
| 2022-07-21 | Enhancement: modified the mapping of "group" from "principal.user.groupid" to "principal.user.group_identifiers". |
| 2022-07-13 | Enhancement: added mappings for new fields. Mapped "appcat", "apprisk", "applist", "appact" and "devid" to "event.idm.read_only_udm.additional.fields". |
| 2022-06-20 | Enhancement: mapped "security_result.action" to "ALLOW" when the value of "action" or "utmaction" is "detected". |
| 2022-05-20 | Enhancement: added mappings for new fields. Mapped "action" and "utmaction" to "security_result.action_details". Added validation checks for "principal.ip" and "target.ip". |
| 2022-04-29 | Enhancement: added support for "action" = "timeout" and "close" to UDM. Mapped "devname" to "principal.hostname" when the principal field is empty. |
| 2022-04-12 | Enhancement: added mappings for new fields. Mapped "attackid" to "security_result.rule_id", "crlevel" to "security_result.severity", "incidentserialno" to "metadata.product_log_id", "craction" to "metadata.product_deployment_id", and "dstintf" and "dstintfrole" to "additional.fields". |
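As an added example that is not part of this change log or of the Chronicle parser itself, the following Python applies the precedence rules recorded above (action over utmaction, the event_type conditions, the tcp/udp protocol split, devname as a fallback hostname) to a key=value FortiGate event. The action vocabulary beyond "close" and "detected", the ordering of the event_type rules, and the sample field values are assumptions.

```python
import re
# Added example, not the Chronicle parser: applies the precedence rules recorded in
# this change log to key=value FortiGate events. Sample values are constructed.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "close" and "detected" -> ALLOW come from the change log; the other values are assumed FortiGate actions.
ALLOW_VALUES = {"close", "detected", "accept", "pass", "timeout"}
BLOCK_VALUES = {"deny", "block", "blocked", "dropped"}
DIRECT = (("src", "principal.ip"), ("spt", "principal.port"), ("dst", "target.ip"), ("dpt", "target.port"),
          ("msg", "security_result.summary"), ("level", "security_result.severity_details"), ("shost", "principal.hostname"))

def parse_kv(line):  # split a key=value log line into a dict, honouring double-quoted values
    return {k: quoted if bare == "" else bare for k, quoted, bare in KV_RE.findall(line)}

def map_action(fields):  # 2023-03-06 rule: "action" takes precedence, "utmaction" is the fallback
    value = (fields.get("action") or fields.get("utmaction") or "").lower()
    if value in ALLOW_VALUES:
        return "ALLOW"
    if value in BLOCK_VALUES:
        return "BLOCK"
    return "UNKNOWN_ACTION"

def map_event_type(fields, udm):
    """Most specific condition first; this ordering is an assumption."""
    if fields.get("type") == "event" and fields.get("subtype") == "vpn":
        return "USER_LOGIN"             # 2023-03-06
    if "GUI_ENTRY_DELETION" in fields.get("logdesc", ""):
        return "USER_DELETION"          # 2022-10-13
    if "user" in fields:
        return "USER_UNCATEGORIZED"     # 2023-02-22
    if "principal.ip" in udm and "target.ip" in udm:
        return "NETWORK_UNCATEGORIZED"  # 2022-09-09
    if "principal.ip" in udm:
        return "STATUS_UNCATEGORIZED"   # 2022-09-09
    return "GENERIC_EVENT"

def to_udm(line):
    fields = parse_kv(line)
    udm = {u: fields[k] for k, u in DIRECT if k in fields}
    if "protocol" in fields:  # 2022-09-21: tcp/udp are IP protocols, anything else is an application protocol
        proto = fields["protocol"].lower()
        udm["network.ip_protocol" if proto in ("tcp", "udp") else "network.application_protocol"] = proto.upper()
    udm["metadata.event_type"] = map_event_type(fields, udm)
    if "devname" in fields:  # VPN events carry devname on the target side (2023-03-06)
        side = "target" if udm["metadata.event_type"] == "USER_LOGIN" else "principal"
        udm.setdefault(side + ".hostname", fields["devname"])  # only fills the hostname when still empty
    if "action" in fields or "utmaction" in fields:
        udm["security_result.action"] = map_action(fields)
    return udm
```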