Change log for FORTINET_FIREWALL
| Date | Changes |
|---|---|
| 2024-09-20 | Enhancement:
- When "dstosname" is equal to "DEBIAN", set "target.platform" to "LINUX". |
| 2024-09-19 | Enhancement:
- When "service" is "kernel", removed the drop tag. - Mapped "mac" to "principal.mac". |
| 2024-09-13 | Enhancement:
- Added a conditional check for "ssl-login-fail" and "auth-logon" before mapping the "security_result.action" UDM field value. |
| 2024-08-29 | Enhancement:
- If "action" is "negotiate", then set "security_result.action" to "BLOCK". - If "action" is "tunnel-down", "tunnel-stats", "tunnel-up", and "ssl-new-con", then set "security_result.action" to "ALLOW". - If "action" is nearly equal to "tunnel" or "action" is "negotiate", then set "metadata.event_type" to "NETWORK_CONNECTION". |
| 2024-08-16 | Enhancement:
- Changed the mapping of "security_result.action" from "FAIL" to "BLOCK" when "action" is "timeout". |
| 2024-08-13 | Enhancement:
- Mapped "logid" to "metadata.product_log_id". - Mapped "vd" to "principal.administrative_domain". - Mapped "srcintfrole" to "security_result.detection_fields". - Mapped "dstintfrole" to "security_result.detection_fields". - Mapped "sentpkt", "rcvdpkt", "vpntype", "authserver", "crlevel", "trandisp", "policyid", and "appcat" to "additional.fields". - Mapped "policytype" to "security_result.rule_type". - Mapped "craction" to "security_result.about.labels". - Mapped "crscore" to "security_result.severity_details". - Mapped "group" to "principal.user.group_identifiers". |
| 2024-08-06 | Enhancement:
- Mapped "auditid", "auditscore", "auditid", "criticalcount", "highcount" , "mediumcount", "lowcount", "passedcount", "criticalcount", "srccountry", "direction", "dstcountry", "dstintf", "dstintfrole", "xid", "qtype", "qtypeval", "qclass", "cat", "rcode" and "license_limit" to "security_result.detection_fields". - Mapped "cpu", "mem", "disk", "bandwidth", "disklograte", "fazlograte", "freediskstorage", "sysuptime", "waninfo", "trandisp", "used_for_type", "connection_type", "count" and "fctuid" to "additional.fields". - Mapped "totalsession" to "network.session_duration.seconds". - Mapped "incidentserialno" to "network.tls.client.certificate.serial". - Mapped "scertcname" to "network.tls.client.certificate.subject". - Mapped "scertissuer" to "network.tls.client.certificate.issuer". - Mapped "authserver" to "principal.hostname" and "principal.asset.hostname". - Mapped "dstserver" and "dst_host" to "target.hostname" and "target.asset.hostname". - Mapped "dsthwvendor" to "target.resource.attribute.labels". - Mapped "eventtime" to "metadata.event_timestamp". - Mapped "reqtype", "rcvdbyte", "ratemethod", "outintf", "cookies", "useralt", "xauthuser", "xauthgroup", "assignip", "vpntunnel", "init", "stage", "role", "advpnsc", "tunneltype", "tunnelid" and "nextstat" to "principal.resource.attribute.labels". - Mapped "policyid" to "security_result.rule_id". - Mapped "policytype" to "security_result.rule_type". - Mapped "date","time" and "tz" to "metadata.ingested_timestamp". - Mapped "profile" to "target.resource.name" and "target.resource.resource_type". - If "user" is a valid ip, then mapped "user" to "principal.ip" and "principal.asset.ip". - Mapped "group" to "principal.user.group_identifiers". - Mapped "mode" to "security_result.summary". - Mapped "result" to "security_result.description". |
| 2024-07-29 | Enhancement:
- Added a conditional check for the "success" field before mapping "security_result.action" UDM field. |
| 2024-07-17 | Enhancement:
- Added "gsub" to parse unparsed syslog logs. |
| 2024-07-02 | Enhancement:
- Mapped "FTNTFGTappcat" to "additional.fields". - Mapped "FTNTFGTduration" to "network.session_duration.seconds". - Mapped "FTNTFGTsentpkt" to "additional.fields" and "network.sent_packets". - Mapped "FTNTFGTrcvdpkt" to "additional.fields" and "network.received_packets". - Mapped "FTNTFGTdstintfrole" to "security_result.detection_fields". - Mapped "FTNTFGTsrcintfrole" to "security_result.detection_fields". - Mapped "FTNTFGTpoluuid" to "security_result.rule_id". - Mapped "FTNTFGTvd" to "principal.administrative_domain". |
| 2024-05-21 | Enhancement:
- Added "gsub" to parse JSON logs. |
| 2024-04-19 | Enhancement:
- "Mapped correct "shost" value to "principal.hostname" by adding gsub function for "fw_version" field." Bug-fix: - Added support for logs that don't have "jsonPayload.message" field. |
| 2024-03-07 | Enhancement:
- Mapped "httpmethod" to "network.http.method". - Mapped "agent" to "network.http.user_agent" and "network.http.parsed_user_agent". - Aligned mappings for "principal.ip" and "principal.asset.ip". - Aligned mappings for "principal.hostname" and "principal.asset.hostname". - Aligned mappings for "target.ip" and "target.asset.ip". - Aligned mappings for "target.hostname" and "target.asset.hostname". |
| 2023-11-21 | Bug-Fix:
- Mapped "dstuser" to "event.idm.read_only_udm.target.user.userid". - Mapped "dstauthserver" to "event.idm.read_only_udm.target.hostname". - Mapped "poluuid" to "event.idm.read_only_udm.additional.fields". - Mapped "srcuuid" to "event.idm.read_only_udm.principal.resource.product_object_id". - Mapped "dstuuid" to "event.idm.read_only_udm.target.resource.product_object_id". - Mapped "attack" to "event.idm.read_only_udm.security_result.category_details". - If "type" value is "utm" and "subtype" value is "waf", changed "event.idm.read_only_udm.metadata.event_type" from "NETWORK_UNCATEGORIZED" to "NETWORK_CONNECTION". - If "direction" value is "request", set "event.idm.read_only_udm.network.direction" to "OUTBOUND". - If "direction" value is "response",set "event.idm.read_only_udm.network.direction" to "INBOUND". |
| 2023-11-20 | Bug-fix:
- Mapped "transip" to "principal.nat_ip". - Mapped "transport" to "principal.nat_port". - Mapped "tranport" to "target.nat_port". |
| 2023-07-10 | Enhancement -
- Parsed raw logs of type "Added FTP Server". |
| 2023-06-01 | Enhancement - Mapped "log_id" to "metadata.product_log_id".
- Mapped "operation" to "security_result.action_details" and "security_result.action" to "ALLOW". - Mapped "performed_on" to "security_result.about.application". - Mapped "path" to "security_result.description". - Mapped "pri" to "security_result.severity_details". - Mapped "mode" to "security_result.summary". - Mapped "desc" to "metadata.description". - Mapped "userfrom" to "principal.ip". |
| 2023-05-24 | Enhancement -
- Mapped "severity" to "security_result.detection_fields". |
| 2023-04-19 | Enhancement - Mapped "srcinetsvc" and "dstinetsvc" to "security_result.detection_fields".
|
| 2023-03-06 | Enhancement - when "type" = "event" and "subtype" = "vpn" mapped -
- "event_type" to "USER_LOGIN". - "extensions.auth.type" to "VPN". - "devname" to "target.hostname". - Mapped "action" to "security_result.action" if present else mapped "utmaction". Initially it was done vice versa. |
| 2023-02-22 | - Mapped "metadata.event_type" as "USER_UNCATEGORIZED" instead of "GENERIC_EVENT" when "user" field is present.
- Mapped "msg" to "security_result.summary". - Mapped "nas" to "principal.nat_ip". - Modified grok to parse data for "target.user.userid" when "logdesc" contains "GUI_ENTRY_DELETION". |
| 2023-01-13 | - Mapped "shost" to "principal.hostname".
|
| 2022-11-24 | Enhancement - Mapped "tranip" to "target.nat_ip".
- Modified the mapping of "msg" from "security_result.description" to "security_result.summary". |
| 2022-10-21 | Enhancement:
- Mapped "suser" to "principal.user.user_display_name". - Mapped "duser" to "target.user.user_display_name". - Mapped "suid" to "principal.user.userid". - Mapped "duid" to "target.user.userid". |
| 2022-10-20 | Bug:
- "security_result.action" mapping changed from "BLOCK" to "ALLOW" when "action=close". |
| 2022-10-13 | Enhancement:
- Changed Mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION" - Mapped "msg" to "security_result.description" - Mapped "devname" to "principal.hostname" - Mapped "user_name" to "target.user.userid" - Mapped "level" to "security_result.severity_details" |
| 2022-10-13 | Enhancement:
- Changed Mapping for "metadata.event_type" from "GENERIC_EVENT" to "USER_DELETION" when "logdesc" is "GUI_ENTRY_DELETION" - Mapped "msg" to "security_result.description" - Mapped "devname" to "principal.hostname" - Mapped "user_name" to "target.user.userid" - Mapped "level" to "security_result.severity_details" |
| 2022-10-06 | Bug-Fix:
- Added conditional check for the field 'utmaction' and 'action'. - Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'. |
| 2022-10-06 | Bug-Fix:
- Added conditional check for the field 'utmaction' and 'action'. - Mapped the field 'utmaction' to security_result.action if present, else mapped the field 'action'. |
| 2022-09-21 | Enhancement:
- Mapped the field 'protocol' to 'network.ip_protocol' if protocol contains tcp and udp else mapped it to 'network.application_protocol'. - Added gsubs and enhanced the parser to parse the logs of CEF format having different field names. |
| 2022-09-09 | Enhancement:
- Migrated customer specific parsers to default parser. - Added support for logs with CEF format. - Mapped the field 'cs6' to 'principal.user.group_identifiers'. - Mapped the field 'start' to 'metadata.event_timestamp'. - Mapped the field 'dvchost' to 'intermediary.hostname'. - Mapped the field 'dhost' to 'target.hostname'. - Mapped the field 'src' to 'principal.ip'. - Mapped the field 'spt' to 'principal.port'. - Mapped the field 'sourceTranslatedAddress' to 'principal.nat_ip'. - Mapped the field 'sourceTranslatedPort' to 'principal.nat_port'. - Mapped the field 'dst' to 'target.ip'. - Mapped the field 'dpt' to 'target.port'. - Mapped the field 'out' to 'network.sent_bytes'. - Mapped the field 'in' to 'network.received_bytes. - Mapped the field 'deviceSeverity' to 'security_result.severity'. - Mapped the field 'act' to 'security_result.action' and 'security_result.action_details'. - Mapped the field 'sentpkt' to 'additional.fields'. - Mapped the field 'rcvdpkt' to 'additional.fields'. - Added conditional null checks for fieldsout 'metadata.product_name', 'metadata.vendor_name', 'sentbyte', 'rcvdbyte', 'intermediary'. - Modified the field 'metadata.event_type' for the following cases: - 'GENERIC_EVENT' to 'NETWORK_UNCATEGORIZED' where principal.ip and target.ip is not null. - 'GENERIC_EVENT' to 'STATUS_UNCATEGORIZED' where principal.ip is not null. |
| 2022-08-22 | Enhancement:
- Added support for logs with CEF format. - Mapped the field 'vd' to 'principal.administrative_domain'. - Mapped the field 'status' to 'security_result.summary'. - Mapped the field 'msg' to 'security_result1.description'. - Mapped the field 'ip_address' to 'principal.ip' where the field 'msg' is present. - Removed mapping for the field 'devname' mapped to 'principal.hostname'. |
| 2022-08-11 | Enhancement:
- The field "app" is mapped to "additional.fields[n]". - Added null condition check for the field "remip". |
| 2022-07-21 | Enhancement:
- Modified mapping for "group" from "principal.user.groupid" to "principal.user.group_identifiers". |
| 2022-07-13 | Enhancement: Added mappings for new fields.
Mapped "appcat" to event.idm.read_only_udm.additional.fields". Mapped "apprisk" to event.idm.read_only_udm.additional.fields". Mapped "applist" to event.idm.read_only_udm.additional.fields". Mapped "appact" to event.idm.read_only_udm.additional.fields". Mapped "devid" to event.idm.read_only_udm.additional.fields". |
| 2022-06-20 | Enhancement- Mapped "security_result.action" as "ALLOW" when the value of field "action" or "utmaction" is "detected".
|
| 2022-05-20 | Enhancement: Added mappings for new fields;
Mapped "action" and "utmaction" to "security_result.action_details". Added validation checks for "principal.ip" and "target.ip". |
| 2022-04-29 | Enhancement-Added support for action = timeout/close to UDM.
Mapped devname to principal.hostname when principal field is empty. |
| 2022-04-12 | Enhancement-Added mappings for new fields.
attackid mapped to security_result.rule_id crlevel mapped to security_result.severity incidentserialno mapped to metadata.product_log_id craction mapped to metadata.product_deployment_id dstintf mapped to additional.fields dstintfrole mapped to additional.fields |