Change log for FORTINET_FORTICLIENT
Date | Changes |
---|---|
2023-12-29 | Enhancement:
- Changed mapping of "SubjectUserName" from "principal.user.userid" to "additional.fields".
- Changed mapping of "uid" from "principal.user.userid" to "principal.user.product_object_id".
- If "uid" is not present, mapped "fctuid" to "principal.user.product_object_id".
- Mapped "user" to "principal.user.userid" on top of its existing mapping to "principal.user.user_display_name".
2023-11-30 | Enhancement:
- Added a Grok pattern to parse the new logType.
- Added a Grok pattern to parse the new XML part.
- If "devname" is not null, set "principal.resource.type" to "DEVICE".
- Mapped "devname" to "principal.resource.name".
- Mapped "itime" to "additional.fields".
- Mapped "fctsn" to "additional.fields".
- Mapped "logver" to "additional.fields".
- Mapped "id" to "metadata.product_log_id".
- Mapped "subtype" to "principal.resource.resource_subtype".
- Mapped "eventtype" to "metadata.product_event_type".
- Mapped "level" to "security_result.severity".
- Mapped "pcdomain" to "principal.administrative_domain".
- Mapped "site" to "additional.fields".
- Mapped "fctver" to "additional.fields".
- Mapped "sessionid" to "network.session_id".
- Mapped "srcname" to "principal.resource.attribute.labels".
- Mapped "srcproduct" to "principal.application".
- Mapped "srcport" to "principal.port".
- Mapped "direction" to "network.direction".
- Mapped "dstip" to "target.ip".
- Mapped "remotename" to "target.hostname".
- Mapped "dstport" to "target.port".
- Mapped "proto" to "network.ip_protocol".
- Mapped "rcvdbyte" to "network.received_bytes".
- Mapped "sentbyte" to "network.sent_bytes".
- Mapped "utmaction" to "security_result.description".
- Mapped "sec_action" to "security_result.action".
- Mapped "utmevent" to "security_result.category_details".
- Mapped "threat" to "security_result.threat_name".
- Mapped "service" to "network.application_protocol".
- Mapped "url" to "principal.url".
- Mapped "userinitiated" to "security_result.detection_fields".
- Mapped "browsetime" to "additional.fields".
- Mapped "date" and "time" to "metadata.event_timestamp".
- Mapped "timestamp" to "metadata.collected_timestamp".
- Mapped "client_ip" to "principal.ip".
- Mapped "source_ver" to "principal.platform_version".
- Mapped "source_type" to "principal.resource.attribute.labels".
- Mapped "type" to "principal.resource.attribute.labels".
- Mapped "event_id" to "additional.fields".
- Mapped "ThreadID" to "additional.fields".
- Mapped "SubjectLogonId" to "additional.fields".
- Mapped "fctuid" to "principal.user.product_object_id".
- Mapped "source_ver" to "principal.platform_version".
- Mapped "ProviderGuid" to "principal.resource.product_object_id".
- Mapped "ProcessId" to "principal.process.pid".
- Mapped "SubjectUserSid" to "principal.user.windows_sid".
- Mapped "SubjectUserName" to "principal.user.userid".
2023-10-27 | Newly created parser.
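To make the net effect of the entries above concrete, the following is an added example (not the FORTINET_FORTICLIENT parser's own code, and not Chronicle's UDM schema) that applies the mapping rules as they stand after the 2023-12-29 change to a constructed FortiClient-style key=value log line. The Grok and XML handling from the 2023-11-30 entry is not reproduced; the key=value layout, the flat dotted-path output dict, the `additional.fields.<key>` naming and the way "date" and "time" are joined are all assumptions made for this example.

```python
"""Illustrative re-implementation of this change log's field mappings.

Added example, not the parser's own code. Input format, output shape and the
timestamp join below are assumptions; the UDM paths are the ones the log lists.
"""
import re
from typing import Dict

# One-to-one key -> UDM path mappings stated in the 2023-11-30 entry.
DIRECT_MAP = {
    "id": "metadata.product_log_id",
    "subtype": "principal.resource.resource_subtype",
    "eventtype": "metadata.product_event_type",
    "level": "security_result.severity",
    "pcdomain": "principal.administrative_domain",
    "sessionid": "network.session_id",
    "srcproduct": "principal.application",
    "srcport": "principal.port",
    "direction": "network.direction",
    "dstip": "target.ip",
    "remotename": "target.hostname",
    "dstport": "target.port",
    "proto": "network.ip_protocol",
    "rcvdbyte": "network.received_bytes",
    "sentbyte": "network.sent_bytes",
    "utmaction": "security_result.description",
    "sec_action": "security_result.action",
    "utmevent": "security_result.category_details",
    "threat": "security_result.threat_name",
    "service": "network.application_protocol",
    "url": "principal.url",
    "client_ip": "principal.ip",
    "source_ver": "principal.platform_version",
    "ProviderGuid": "principal.resource.product_object_id",
    "ProcessId": "principal.process.pid",
    "SubjectUserSid": "principal.user.windows_sid",
    "timestamp": "metadata.collected_timestamp",
}

# Keys routed to the generic additional.fields bucket. SubjectUserName landed
# here on 2023-12-29, replacing its earlier principal.user.userid mapping.
ADDITIONAL_FIELDS = {"SubjectUserName", "itime", "fctsn", "logver", "site",
                     "fctver", "browsetime", "event_id", "ThreadID", "SubjectLogonId"}

# Keys the log sends to principal.resource.attribute.labels.
LABEL_KEYS = ("srcname", "source_type", "type")

# key=value tokens; the value is either double-quoted or a bare run of non-space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiClient-style key=value line into a dict (assumed layout)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def map_forticlient_event(line: str) -> Dict[str, str]:
    """Apply the change log's mapping rules and return a flat UDM-path dict."""
    fields = parse_kv(line)
    udm: Dict[str, str] = {}
    for key, value in fields.items():
        if key in DIRECT_MAP:
            udm[DIRECT_MAP[key]] = value
        elif key in ADDITIONAL_FIELDS:
            udm[f"additional.fields.{key}"] = value
        elif key in LABEL_KEYS:
            udm[f"principal.resource.attribute.labels.{key}"] = value
    # 2023-12-29: uid feeds product_object_id; fctuid is the fallback when uid is absent.
    object_id = fields.get("uid") or fields.get("fctuid")
    if object_id:
        udm["principal.user.product_object_id"] = object_id
    # 2023-12-29: user now populates userid on top of user_display_name.
    if "user" in fields:
        udm["principal.user.userid"] = fields["user"]
        udm["principal.user.user_display_name"] = fields["user"]
    # 2023-11-30: a non-null devname marks the principal resource as a DEVICE.
    if fields.get("devname"):
        udm["principal.resource.type"] = "DEVICE"
        udm["principal.resource.name"] = fields["devname"]
    if "userinitiated" in fields:
        udm["security_result.detection_fields.userinitiated"] = fields["userinitiated"]
    # date + time -> event_timestamp; the "T" join is an assumption of this example.
    if "date" in fields and "time" in fields:
        udm["metadata.event_timestamp"] = f"{fields['date']}T{fields['time']}"
    return udm


# Constructed sample line (not a real FortiClient log); note uid is absent.
SAMPLE_LINE = (
    'date=2023-12-01 time=10:15:42 logver=1 id=12345 itime=1701425742 '
    'devname="LAPTOP-01" fctuid="FCT1234567890" user="alice" eventtype="vpn" '
    'level="info" dstip=203.0.113.10 dstport=443 proto=6 sentbyte=1200 '
    'rcvdbyte=3400 utmaction="blocked" SubjectUserName="alice"'
)

if __name__ == "__main__":
    for path, value in sorted(map_forticlient_event(SAMPLE_LINE).items()):
        print(f"{path} = {value}")
```

Running the block shows the two conditional rules in action: with no "uid" in the line, "fctuid" supplies `principal.user.product_object_id`, and "SubjectUserName" ends up under `additional.fields` rather than `principal.user.userid`, which is now filled from "user".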