Change log for FORTINET_FIREWALL

Date Changes
2024-11-28 Enhancement:
- Mapped "metadata.event_type" to "USER_CREATION" when "action" is "Add".
- Mapped "metadata.event_type" to "USER_DELETION" when "action" is "Delete".
- Mapped "metadata.event_type" to "DEVICE_CONFIG_UPDATE" when "action" is "Edit".
- Changed mapping for "devid" from "security_result.detection_fields" to "target.user.userid".
2024-11-27 Enhancement:
- If "utmaction" is present, mapped "action" to "security_result_1.action_details".
2024-11-21 Enhancement:
- Changed mapping for "msg" from "metadata.description" to "security_result.summary".
- Mapped "logdesc" to "metadata.description".
2024-11-08 Enhancement:
- Mapped "ui" to "principal.ip" and "principal.asset.ip".
2024-10-15 Enhancement:
- Mapped "type", "subtype", and "level" to "additional.fields".
2024-09-20 Enhancement:
- When "dstosname" is equal to "DEBIAN", set "target.platform" to "LINUX".
2024-09-19 Enhancement:
- When "service" is "kernel", removed the drop tag.
- Mapped "mac" to "principal.mac".
2024-09-13 Enhancement:
- Added a conditional check for "ssl-login-fail" and "auth-logon" before mapping the "security_result.action" UDM field value.
2024-08-29 Enhancement:
- If "action" is "negotiate", then set "security_result.action" to "BLOCK".
- If "action" is "tunnel-down", "tunnel-stats", "tunnel-up", or "ssl-new-con", then set "security_result.action" to "ALLOW".
- If "action" is nearly equal to "tunnel" or "action" is "negotiate", then set "metadata.event_type" to "NETWORK_CONNECTION".
2024-08-16 Enhancement:
- Changed the mapping of "security_result.action" from "FAIL" to "BLOCK" when "action" is "timeout".
2024-08-13 Enhancement:
- Mapped "logid" to "metadata.product_log_id".
- Mapped "vd" to "principal.administrative_domain".
- Mapped "srcintfrole" to "security_result.detection_fields".
- Mapped "dstintfrole" to "security_result.detection_fields".
- Mapped "sentpkt", "rcvdpkt", "vpntype", "authserver", "crlevel", "trandisp", "policyid", and "appcat" to "additional.fields".
- Mapped "policytype" to "security_result.rule_type".
- Mapped "craction" to "security_result.about.labels".
- Mapped "crscore" to "security_result.severity_details".
- Mapped "group" to "principal.user.group_identifiers".
2024-08-06 Enhancement:
- Mapped "auditid", "auditscore", "auditid", "criticalcount", "highcount", "mediumcount", "lowcount", "passedcount", "criticalcount", "srccountry", "direction", "dstcountry", "dstintf", "dstintfrole", "xid", "qtype", "qtypeval", "qclass", "cat", "rcode" and "license_limit" to "security_result.detection_fields".
- Mapped "cpu", "mem", "disk", "bandwidth", "disklograte", "fazlograte", "freediskstorage", "sysuptime", "waninfo", "trandisp", "used_for_type", "connection_type", "count" and "fctuid" to "additional.fields".
- Mapped "totalsession" to "network.session_duration.seconds".
- Mapped "incidentserialno" to "network.tls.client.certificate.serial".
- Mapped "scertcname" to "network.tls.client.certificate.subject".
- Mapped "scertissuer" to "network.tls.client.certificate.issuer".
- Mapped "authserver" to "principal.hostname" and "principal.asset.hostname".
- Mapped "dstserver" and "dst_host" to "target.hostname" and "target.asset.hostname".
- Mapped "dsthwvendor" to "target.resource.attribute.labels".
- Mapped "eventtime" to "metadata.event_timestamp".
- Mapped "reqtype", "rcvdbyte", "ratemethod", "outintf", "cookies", "useralt", "xauthuser", "xauthgroup", "assignip", "vpntunnel", "init", "stage", "role", "advpnsc", "tunneltype", "tunnelid" and "nextstat" to "principal.resource.attribute.labels".
- Mapped "policyid" to "security_result.rule_id".
- Mapped "policytype" to "security_result.rule_type".
- Mapped "date", "time" and "tz" to "metadata.ingested_timestamp".
- Mapped "profile" to "target.resource.name" and "target.resource.resource_type".
- If "user" is a valid ip, then mapped "user" to "principal.ip" and "principal.asset.ip".
- Mapped "group" to "principal.user.group_identifiers".
- Mapped "mode" to "security_result.summary".
- Mapped "result" to "security_result.description".
2024-07-29 Enhancement:
- Added a conditional check for the "success" field before mapping "security_result.action" UDM field.
2024-07-17 Enhancement:
- Added "gsub" to parse unparsed syslog logs.
2024-07-02 Enhancement:
- Mapped "FTNTFGTappcat" to "additional.fields".
- Mapped "FTNTFGTduration" to "network.session_duration.seconds".
- Mapped "FTNTFGTsentpkt" to "additional.fields" and "network.sent_packets".
- Mapped "FTNTFGTrcvdpkt" to "additional.fields" and "network.received_packets".
- Mapped "FTNTFGTdstintfrole" to "security_result.detection_fields".
- Mapped "FTNTFGTsrcintfrole" to "security_result.detection_fields".
- Mapped "FTNTFGTpoluuid" to "security_result.rule_id".
- Mapped "FTNTFGTvd" to "principal.administrative_domain".
2024-05-21 Enhancement:
- Added "gsub" to parse JSON logs.
2024-04-19 Enhancement:
- Mapped the correct "shost" value to "principal.hostname" by adding a gsub function for the "fw_version" field.
Bug-fix:
- Added support for logs that don't have "jsonPayload.message" field.
2024-03-07 Enhancement:
- Mapped "httpmethod" to "network.http.method".
- Mapped "agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Aligned mappings for "principal.ip" and "principal.asset.ip".
- Aligned mappings for "principal.hostname" and "principal.asset.hostname".
- Aligned mappings for "target.ip" and "target.asset.ip".
- Aligned mappings for "target.hostname" and "target.asset.hostname".
2023-11-21 Bug-Fix:
- Mapped "dstuser" to "event.idm.read_only_udm.target.user.userid".
- Mapped "dstauthserver" to "event.idm.read_only_udm.target.hostname".
- Mapped "poluuid" to "event.idm.read_only_udm.additional.fields".
- Mapped "srcuuid" to "event.idm.read_only_udm.principal.resource.product_object_id".
- Mapped "dstuuid" to "event.idm.read_only_udm.target.resource.product_object_id".
- Mapped "attack" to "event.idm.read_only_udm.security_result.category_details".
- If "type" value is "utm" and "subtype" value is "waf", changed "event.idm.read_only_udm.metadata.event_type" from "NETWORK_UNCATEGORIZED" to "NETWORK_CONNECTION".
- If "direction" value is "request", set "event.idm.read_only_udm.network.direction" to "OUTBOUND".
- If "direction" value is "response", set "event.idm.read_only_udm.network.direction" to "INBOUND".
2023-11-20 Bug-fix:
- Mapped "transip" to "principal.nat_ip".
- Mapped "transport" to "principal.nat_port".
- Mapped "tranport" to "target.nat_port".
2023-07-10 Enhancement:
- Parsed raw logs of type "Added FTP Server".
2023-06-01 Enhancement:
- Mapped "log_id" to "metadata.product_log_id".
- Mapped "operation" to "security_result.action_details" and set "security_result.action" to "ALLOW".
- Mapped "performed_on" to "security_result.about.application".
- Mapped "path" to "security_result.description".
- Mapped "pri" to "security_result.severity_details".
- Mapped "mode" to "security_result.summary".
- Mapped "desc" to "metadata.description".
- Mapped "userfrom" to "principal.ip".
2023-05-24 Enhancement:
- Mapped "severity" to "security_result.detection_fields".
2023-04-19 Enhancement:
- Mapped "srcinetsvc" and "dstinetsvc" to "security_result.detection_fields".
2023-03-06 Enhancement:
- When "type" is "event" and "subtype" is "vpn", mapped:
  - "event_type" to "USER_LOGIN".
  - "extensions.auth.type" to "VPN".
  - "devname" to "target.hostname".
- Mapped "action" to "security_result.action" if present; otherwise mapped "utmaction". Initially it was done the other way around.
2023-02-22:
- Mapped "metadata.event_type" as "USER_UNCATEGORIZED" instead of "GENERIC_EVENT" when "user" field is present.
- Mapped "msg" to "security_result.summary".
- Mapped "nas" to "principal.nat_ip".
- Modified grok to parse data for "target.user.userid" when "logdesc" contains "GUI_ENTRY_DELETION".
2023-01-13:
- Mapped "shost" to "principal.hostname".
2022-11-24 Enhancement:
- Mapped "tranip" to "target.nat_ip".
- Modified the mapping of "msg" from "security_result.description" to "security_result.summary".
2022-10-21 Enhancement:
- Mapped "suser" to "principal.user.user_display_name".
- Mapped "duser" to "target.user.user_display_name".
- Mapped "suid" to "principal.user.userid".
- Mapped "duid" to "target.user.userid".
2022-10-20 Bug:
- "security_result.action" mapping changed from "BLOCK" to "ALLOW" when "action=close".
2022-10-13 Enhancement:
- Changed mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION".
- Mapped "msg" to "security_result.description".
- Mapped "devname" to "principal.hostname".
- Mapped "user_name" to "target.user.userid".
- Mapped "level" to "security_result.severity_details".
2022-10-06 Bug-Fix:
- Added conditional check for the field 'utmaction' and 'action'.
- Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'.
2022-09-21 Enhancement:
- Mapped the field 'protocol' to 'network.ip_protocol' if protocol contains tcp and udp else mapped it to 'network.application_protocol'.
- Added gsubs and enhanced the parser to parse the logs of CEF format having different field names.
2022-09-09 Enhancement:
- Migrated customer specific parsers to default parser.
- Added support for logs with CEF format.
- Mapped the field 'cs6' to 'principal.user.group_identifiers'.
- Mapped the field 'start' to 'metadata.event_timestamp'.
- Mapped the field 'dvchost' to 'intermediary.hostname'.
- Mapped the field 'dhost' to 'target.hostname'.
- Mapped the field 'src' to 'principal.ip'.
- Mapped the field 'spt' to 'principal.port'.
- Mapped the field 'sourceTranslatedAddress' to 'principal.nat_ip'.
- Mapped the field 'sourceTranslatedPort' to 'principal.nat_port'.
- Mapped the field 'dst' to 'target.ip'.
- Mapped the field 'dpt' to 'target.port'.
- Mapped the field 'out' to 'network.sent_bytes'.
- Mapped the field 'in' to 'network.received_bytes'.
- Mapped the field 'deviceSeverity' to 'security_result.severity'.
- Mapped the field 'act' to 'security_result.action' and 'security_result.action_details'.
- Mapped the field 'sentpkt' to 'additional.fields'.
- Mapped the field 'rcvdpkt' to 'additional.fields'.
- Added conditional null checks for the fields 'metadata.product_name', 'metadata.vendor_name', 'sentbyte', 'rcvdbyte', 'intermediary'.
- Modified the field 'metadata.event_type' for the following cases:
  - 'GENERIC_EVENT' to 'NETWORK_UNCATEGORIZED' where principal.ip and target.ip are not null.
  - 'GENERIC_EVENT' to 'STATUS_UNCATEGORIZED' where principal.ip is not null.
2022-08-22 Enhancement:
- Added support for logs with CEF format.
- Mapped the field 'vd' to 'principal.administrative_domain'.
- Mapped the field 'status' to 'security_result.summary'.
- Mapped the field 'msg' to 'security_result1.description'.
- Mapped the field 'ip_address' to 'principal.ip' where the field 'msg' is present.
- Removed mapping for the field 'devname' mapped to 'principal.hostname'.
2022-08-11 Enhancement:
- The field "app" is mapped to "additional.fields[n]".
- Added null condition check for the field "remip".
2022-07-21 Enhancement:
- Modified mapping for "group" from "principal.user.groupid" to "principal.user.group_identifiers".
2022-07-13 Enhancement:
- Added mappings for new fields.
- Mapped "appcat" to "event.idm.read_only_udm.additional.fields".
- Mapped "apprisk" to "event.idm.read_only_udm.additional.fields".
- Mapped "applist" to "event.idm.read_only_udm.additional.fields".
- Mapped "appact" to "event.idm.read_only_udm.additional.fields".
- Mapped "devid" to "event.idm.read_only_udm.additional.fields".
2022-06-20 Enhancement:
- Mapped "security_result.action" as "ALLOW" when the value of field "action" or "utmaction" is "detected".
2022-05-20 Enhancement:
- Added mappings for new fields.
- Mapped "action" and "utmaction" to "security_result.action_details".
- Added validation checks for "principal.ip" and "target.ip".
2022-04-29 Enhancement:
- Added support for action = timeout/close to UDM.
- Mapped "devname" to "principal.hostname" when principal field is empty.
2022-04-12 Enhancement:
- Added mappings for new fields.
- Mapped "attackid" to "security_result.rule_id".
- Mapped "crlevel" to "security_result.severity".
- Mapped "incidentserialno" to "metadata.product_log_id".
- Mapped "craction" to "metadata.product_deployment_id".
- Mapped "dstintf" to "additional.fields".
- Mapped "dstintfrole" to "additional.fields".