Change log for LINUX_SYSMON
Date | Changes |
---|---|
2024-06-17 | Enhancement:
- Added support for the new pattern of JSON logs. |
2024-01-25 | Enhancement :
- Removed extra escape characters from the "message" to avoid 'xml' filter failure. - Changed mapping for "UserID" from "principal.user.windows_sid" to "principal.user.userid". |
2023-11-09 | Enhancement :
- Mapped "User" to "target.user.userid". - Mapped "ParentUser" to "principal.user.userid". - Mapped "ProcessId" to "target.process.pid". - Mapped "FileVersion" to "principal.software.version". - Mapped "Product" to "principal.software.name". - Mapped "Company" to "principal.software.vendor_name". - Mapped "LogonId" to "principal.network.session_id". - Mapped "OriginalFileName", "CurrentDirectory", "LogonGuid", "TerminalSessionId", "IntegrityLevel" to "additional.fields". |
2022-07-12 | Enhancement :
- Added null check to EventID field prior mapping. - Mapped insertId to metadata.product_log_id. - Mapped logName to target_process_file. - Mapped resource.type to target.resource.type. - Mapped resource.labels.project_id to target.resource.product_object_id. - Mapped resource.labels.instance_id to target.resource.id. - Mapped refer_url to network.http.referral_url. |
2022-05-10 | Initial creation of the LINUX_SYSMON Chronicle parser, based upon WINDOWS_SYSMON - Supports events IDs 1, 3, 5, 9, 11, 16, 23. - Uses the Chronicle Forwarder Regex Filter capabilities with an allow filter of 'sysmon' to exclude syslog logs. |