Change log for IIS

Date Changes
2023-05-12 Enhancement - Parsed failing JSON logs
- Mapped "cshost" to "principal.hostname".
- Mapped "csusername" to "principal.user.user_display_name".
- Mapped "sip" to "target.ip".
- Mapped "uristem" to "target.url".
- Mapped "sport" to "target.port".
- Mapped "csversion" to "network.tls.version_protocol".
- Mapped "csuseragent" to "network.http.user_agent".
- Mapped "csip" to "principal.ip".
- Mapped "xforwardedfor" to "principal.ip".
- Mapped "csmethod" to "network.http.method".
- Mapped "csreferer" to "network.http.referral_url".
- Mapped "scstatus" to "network.http.response_code".
- Mapped "computername" to "target.asset.hostname".
- Mapped "scbyte" to "network.sent_bytes".
- Mapped "csbyte" to "network.received_bytes".
- Mapped "date" and "time" to "metadata.event_timestamp".
2023-03-01 Enhancement - Added support for JSON-format logs with keys like `c-*`, `s-*`, `cs-*`, `sc-*`.
2022-10-25 Enhancement -
- Extracted "uri_query", "intermediary_device_name", "principal_username", "sent_bytes", "received_bytes" from the log.
- Changed "dst_port" to "src_port" for anvs customer.
- Mapped "src_port" to "principal.port".
- Updated target.url mapping to "request_url" + "?" + "uri_query".
- Mapped "token_data" to "security_result.detection_fields" as "Cookie".
- Mapped "sent_bytes" and "received_bytes" to "network.sent_bytes" and "network.received_bytes" respectively.
- Mapped "intermediary_devicename" to "target.hostname" if "target_host" is empty; otherwise mapped it to "intermediary.hostname".
- Mapped "principal_username" to "principal.user.userid".
- "Devicename" is mapped to "target.hostname" only when "target_host" is empty.
- Mapped "src_ip" to "principal.ip" if "xff_ips" is empty.
- Mapped "src_ip" to "intermediary.ip" and "xff_ips" to "principal.ip" if "xff_ips" is not empty.
- Added grok for qaltd customer.
2022-10-01 Enhancement -
- Wrote grok to parse unparsed syslogs.
- Mapped "Severity" to "security_result.severity".
- Mapped "UserName" to "target.user.userid".
- Mapped "UserSid" to "target.user.windows_sid".
- Mapped "ProviderKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerName" to "security_result.about.resource.attribute.labels".
- Mapped "LayerId" to "security_result.about.resource.attribute.labels".
- Mapped "Weight" to "security_result.about.resource.attribute.labels".
- Mapped "Conditions" to "security_result.about.resource.attribute.labels".
- Mapped "Action" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutKey" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutName" to "security_result.about.resource.attribute.labels".
- Mapped "Channel" to "security_result.about.resource.attribute.labels".
- Mapped "FilterId" to "security_result.about.resource.attribute.labels".
- Mapped "FilterKey" to "security_result.about.resource.attribute.labels".
- Mapped "FilterName" to "security_result.about.resource.attribute.labels".
- Mapped "FilterType" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderGuid" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderName" to "security_result.about.resource.attribute.labels".
- Mapped "SourceName" to "security_result.about.resource.attribute.labels".
- Mapped "SyslogSeverity" to "security_result.about.resource.attribute.labels".
- Mapped "Category" to "security_result.category_details".
- Mapped "EventType" to "metadata.product_event_type".
- Mapped "EventID" to "metadata.product_log_id".
- Mapped "ProcessID" to "principal.process.pid".
- Mapped "SourceModuleName" to "target.resource.name".
- Mapped "SourceModuleType" to "observer.application".
2022-09-30 Enhancement - Mapped xff header IPs to intermediary.ip.
- Mapped hostname to target.hostname.
- Added an extra grok pattern to correctly parse certain logs with extra information and mapped that extra information in additional fields.
- Mapped ASP.NET_Session_id to network.session_id.
2022-03-30 Enhancement - Parsed additional fields.