Change log for JUNIPER_FIREWALL

Date Changes
2024-10-31 Enhancement:
- Added a new Grok pattern to parse unparsed logs.
- Mapped "processid" to "target.process.id"
- Mapped "TSr" and "TSi" to "additional.fields".
- Added "gsub" function to map "Remote-IP" to "target.ip".
- Added "gsub" function to map "TSi" and "Local_IKE_ID" to "additional.fields".
- Added KV filter to "kv_data1" to parse unparsed fields.
2024-10-30 Enhancement:
- Added a new Grok pattern to parse a new log pattern.
- Mapped "fw" to "intermediary.ip".
- Mapped "msg1" to "security_result.summary".
- Mapped "desc" to "metadata.description".
2024-10-24 Enhancement:
- Added a new Grok pattern to parse logs in the new SYSLOG+KV format.
- Mapped "local_ip" to "principal.ip" and "principal.asset.ip".
- Mapped "remote_ip" to "target.ip" and "target.asset.ip".
2024-10-11 Enhancement:
- Mapped "hostn" to "principal.hostname".
- Mapped "app" to "principal.application".
- Mapped "pid" to "principal.process.pid".
- Mapped "event_title" to "metadata.product_event_type".
- Mapped "event_message" to "metadata.description".
- Mapped "Local-ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Gateway_Name", "vpn", "tunnel_id", "tunnel_if", "Local_IKE_ID", "Remote_IKE_ID", "AAA_username", "VR_id", "Traffic_selector", "Traffic_selector_Remote_ID", "Traffic_selector_local_ID", "SA_Type", "Reason", "threshold", "time-period", and "error-message_data" to "observer.resource.attribute.labels".
- Mapped "target_ip" to "target.ip" and "target.asset.ip".
- Mapped "data" to "target.ip" and "target.asset.ip".
2024-06-28 Enhancement:
- Modified the Grok patterns to parse unparsed logs.
- Added Grok patterns over the field "msg_data" to extract the fields "user_id", "principal_host", "file_path", "pid_2", and "server_ip".
- Mapped "principal_host" to "principal.hostname".
- Mapped "user_id" to "target.user.userid".
- Mapped "file_path" to "target.file.full_path".
- Mapped "pid_2" to "target.process.pid".
- Mapped "server_ip" to "target.ip".
- Mapped "event_time" to "metadata.event_timestamp" correctly by removing the "rebase" option when the year is present in the timestamp.
2024-01-22 Bug-Fix:
- Added new Grok patterns to parse "message" field with key-value data.
- Mapped "ACTION" to "security_result.action_details".
- Mapped "SESSION_ID" to "network.session_id".
- Mapped "APPLICATION" to "principal.application".
- Mapped "pingCtlOwnerIndex", "pingCtlTestName", "usp_lsys_max_num_rpd", "usp_lsys_max_num", "urlcategory_risk", "application_sub_category", "source-zone", "destination-zone", "NESTED-APPLICATION", "CATEGORY", "REASON", "PROFILE", "source_rule", "retrans_timer" and "arp_unicast_mode" to "additional.fields".
- Mapped "time" to "metadata.event_timestamp".
2023-12-31 Bug-Fix:
- Added support for a new pattern of JSON logs.
- Mapped "time" to "metadata.event_timestamp".
- Mapped "host" to "principal.hostname".
- Mapped "ident" to "target.application".
- Mapped "pid" to "target.process.pid".
- Added Grok patterns to parse "message" field.
2023-12-15 Enhancement:
- Mapped "internal-protocol" to "network.ip_protocol".
- Mapped "state" to "security_result.detection_fields".
- Mapped "internal-ip" to "principal.ip".
- Mapped "reflexive-ip" to "target.ip".
- Mapped "internal-port" to "principal.port".
- Mapped "reflexive-port" to "target.port".
- Mapped "local-address" to "principal.ip".
- Mapped "remote-address" to "target.ip".
- Added KV filter with source as "task_summary".
- Mapped "dns-server-address" to "principal.ip".
- Mapped "domain-name" to "principal.administrative_domain".
- Mapped "argument1" to "network.direction".
- Mapped "state" to "security_result.detection_fields".
- Mapped "test-owner" to "additional.fields".
- Mapped "local-initiator" to "additional.fields".
- Mapped "test-name" to "additional.fields".
- Mapped "SPI" to "additional.fields".
- Mapped "AUX-SPI" to "additional.fields".
- Mapped "Type" to "additional.fields".
- Mapped "error-message" to "security_result.summary".
2023-11-02 Enhancement:
- Added a new Grok pattern to parse logs of new "SYSLOG+KV" format.
2023-08-24 Enhancement:
- Added gsub function to remove special characters.
2023-08-02 Enhancement:
- Modified Grok pattern to support new log formats for NetScreen type.
- Added support for the types "RT_FLOW_SESSION_CREATE_LS", "RT_FLOW_SESSION_CLOSE_LS" and "RT_FLOW_SESSION_DENY_LS".
- Mapped "sent" to "network.sent_bytes".
- Mapped "rcvd" to "network.received_bytes".
2023-05-05 Enhancement:
- Mapped "rule-name" to "security_result.rule_id".
- Mapped "rulebase-name" to "security_result.detection_fields".
- Mapped "export-id" to "security_result.detection_fields".
- Mapped "repeat-count" to "security_result.detection_fields".
- Mapped "packet-log-id" to "security_result.detection_fields".
- Mapped "alert" to "is_alert" when the value is "yes".
- Mapped "outbound-packets" to "network.sent_packets".
- Mapped "inbound-packets" to "network.received_packets".
- Mapped "outbound-bytes" to "network.sent_bytes".
- Mapped "inbound-bytes" to "network.received_bytes".
2023-03-08 Enhancement:
- Mapped "application" to "target.application".
- Mapped "reason" to "security_result.description".
- Mapped "application-characteristics" to "security_result.summary".
- Mapped "application-risk" to "security_result.severity_details".
- Mapped "application-category" to "security_result.detection_fields".
- Mapped "application-sub-category" to "security_result.detection_fields".
- Mapped "dst-nat-rule-name" to "security_result.detection_fields".
- Mapped "dst-nat-rule-type" to "security_result.detection_fields".
- Mapped "src-nat-rule-name" to "security_result.detection_fields".
- Mapped "src-nat-rule-type" to "security_result.detection_fields".
- Mapped "encrypted" to "security_result.detection_fields".
- Mapped "nested-application" to "security_result.detection_fields".
- Mapped "packet-incoming-interface" to "security_result.detection_fields".
- Mapped "session-id-32" to "network.session_id".
- Mapped "packets-from-client" to "network.sent_packets".
- Mapped "packets-from-server" to "network.received_packets".
- Mapped "bytes-from-client" to "network.sent_bytes".
- Mapped "bytes-from-server" to "network.received_bytes".
- Mapped "elapsed-time" to "network.session_duration.seconds".
- Mapped "nat-destination-address" to "target.nat_ip".
- Mapped "nat-destination-port" to "target.nat_port".
- Mapped "source-destination-address" to "principal.nat_ip".
- Mapped "source-destination-port" to "principal.nat_port".
2023-01-18 Bug-Fix:
- Made the condition case-insensitive so that "security_result.action" is set to "BLOCK" when "action" is "drop" or "DROP".
- Mapped "msg_data" to "security_result.description" when "no_app_name" is false.
- Mapped "threat-severity" to "security_result.severity".
- Mapped the field "message" to "metadata.description".
- Mapped "app_name" to "target.application".
- Mapped "pid" to "target.process.pid".
- Mapped "desc" to "metadata.description".
- Mapped "username" to "principal.user.userid".
- Mapped "command" to "target.process.command_line".
- Mapped "action" to "security_result.action_details".
- Mapped "sec_description" to "security_result.description".
- Mapped "application-name" to "network.application_protocol".
2023-01-15 Enhancement:
- Modified Grok pattern to support unparsed logs containing the types "UI_CMDLINE_READ_LINE", "UI_COMMIT_PROGRESS", "UI_CHILD_START", "UI_CFG_AUDIT_OTHER", "UI_LOGIN_EVENT", "UI_CHILD_STATUS", "UI_LOGOUT_EVENT", "UI_LOAD_EVENT", "JTASK_IO_CONNECT_FAILED", "UI_AUTH_EVENT", "UI_NETCONF_CMD", "UI_COMMIT_NO_MASTER_PASSWORD", "UI_CFG_AUDIT_SET", "UI_JUNOSCRIPT_CMD", "SNMPD_AUTH_FAILURE", "UI_CFG_AUDIT_NEW", "UI_COMMIT", "LIBJNX_LOGIN_ACCOUNT_LOCKED", "UI_COMMIT_COMPLETED", "PAM_USER_LOCK_LOGIN_REQUESTS_DENIED", "RTPERF_CPU_USAGE_OK", "RTPERF_CPU_THRESHOLD_EXCEEDED", "LIBJNX_LOGIN_ACCOUNT_UNLOCKED", "JSRPD_SET_OTHER_INTF_MON_FAIL", "JSRPD_SET_SCHED_MON_FAILURE", "UI_CHILD_WAITPID" and "UI_DBASE_LOGIN_EVENT".
2022-11-07 Enhancement:
- Mapped "subtype" to "metadata.product_event_type".
- Mapped "attack-name" to "security_result.threat_name".
- Mapped "policy-name" to "security_result.rule_name".
- Mapped "action" to "security_result.action", where the value "drop" is mapped to BLOCK and all other values to ALLOW.
- Mapped "source-interface-name" to "security_result.detection_fields".
- Mapped "destination-interface-name" to "security_result.detection_fields".
- Mapped "source-zone-name" to "security_result.detection_fields".
- Mapped "destination-zone-name" to "security_result.detection_fields".
- Mapped "service-name" to "security_result.detection_fields".
- Mapped "application-name" to "security_result.detection_fields".
- Mapped "metadata.product_name"
- Mapped "metadata.vendor_name"
2022-10-04 Enhancement:
- Mapped "attack-name" to "security_result.rule_name".
- Converted SDM mappings to the following UDM fields:
- Mapped "source-address" to "principal.ip".
- Mapped "destination-address" to "target.ip".
- Mapped "source-port" to "principal.port".
- Mapped "host" to "principal.hostname".
- Mapped "bytes-from-server" to "network.received_bytes".
- Mapped "policy-name" to "security_result.rule_name".
- Mapped "protocol-id" to "network.ip_protocol".
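The entries above describe the parser only by its effect on fields. The following is an added illustration, not the parser's own code, of how a SYSLOG+KV line (the format named in the 2024-10-24 and 2023-11-02 entries) is split into key-value pairs and then mapped the way this log records: the direct renames from the 2022-10-04 entry, the case-insensitive "drop" to BLOCK / anything else to ALLOW rule from the 2023-01-18 and 2022-11-07 entries, and "alert" = "yes" to "is_alert" from 2023-05-05. The sample line and the "destination-port" to "target.port" rename are assumptions made here; everything else follows the changelog, with UDM fields written as dotted keys in a flat dictionary for readability.

```python
import re

# Constructed sample in a SYSLOG+KV shape; not a capture from a real device.
SAMPLE_LOG = (
    '<14>1 2024-10-24T10:15:30Z srx-fw01 RT_FLOW - RT_FLOW_SESSION_DENY '
    'source-address="10.0.0.5" source-port="51234" destination-address="192.0.2.10" '
    'destination-port="443" protocol-id="6" policy-name="deny-all" action="DROP" '
    'alert="yes" bytes-from-server="0" application-name="HTTPS"'
)

# Syslog header: <pri>version timestamp host app procid msgid, then the KV payload.
HEADER_RE = re.compile(
    r'^<\d+>\d+\s+(?P<timestamp>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+(?P<procid>\S+)\s+'
    r'(?P<msgid>\S+)\s+(?P<payload>.*)$'
)
# key="value" pairs; keys may contain hyphens, values are double-quoted.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Direct renames listed in the changelog (source key -> UDM field).
DIRECT_MAPPINGS = {
    "source-address": "principal.ip",
    "destination-address": "target.ip",
    "source-port": "principal.port",
    "destination-port": "target.port",  # assumption: symmetric to source-port, not in the changelog
    "protocol-id": "network.ip_protocol",
    "policy-name": "security_result.rule_name",
    "bytes-from-server": "network.received_bytes",
    "bytes-from-client": "network.sent_bytes",
    "application-name": "network.application_protocol",
}
# UDM fields that must be integers; malformed values are skipped rather than failing the event.
INTEGER_FIELDS = {"principal.port", "target.port", "network.received_bytes", "network.sent_bytes"}


def parse_log(line):
    """Split the header off a SYSLOG+KV line and return a flat dict of raw fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected SYSLOG+KV header")
    fields = {"host": m.group("host"), "msgid": m.group("msgid")}
    fields.update(KV_RE.findall(m.group("payload")))
    return fields


def to_udm(fields):
    """Apply the changelog's mapping rules to raw fields and return UDM-style keys."""
    udm = {}
    if "host" in fields:
        udm["principal.hostname"] = fields["host"]
    if "msgid" in fields:
        udm["metadata.product_event_type"] = fields["msgid"]

    for src, dst in DIRECT_MAPPINGS.items():
        if src not in fields:
            continue
        value = fields[src]
        if dst in INTEGER_FIELDS:
            try:
                value = int(value)
            except ValueError:
                continue  # a non-numeric port or byte count is left unmapped
        udm[dst] = value

    # "drop" in any letter case becomes BLOCK; every other action value becomes ALLOW.
    action = fields.get("action")
    if action is not None:
        udm["security_result.action_details"] = action
        udm["security_result.action"] = "BLOCK" if action.lower() == "drop" else "ALLOW"

    # alert="yes" marks the event as an alert; any other value leaves the flag unset.
    if fields.get("alert", "").lower() == "yes":
        udm["is_alert"] = True
    return udm


if __name__ == "__main__":
    for key, value in sorted(to_udm(parse_log(SAMPLE_LOG)).items()):
        print(f"{key} = {value!r}")
```

Running the module prints the mapped event for the constructed line. The two case-insensitive comparisons are the point of the 2023-01-18 fix: before it, an uppercase "DROP" fell through to ALLOW, which is exactly the kind of silent mis-mapping that makes a blocked connection look permitted in downstream detections.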