Change log for MCAFEE_EPO
| Date | Changes |
|---|---|
| 2024-10-01 | Enhancement:
- When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "username" to "target.user.userid". - When "tvdeventid" is "1027" or "scantype" is "*Scan*", then mapped "agentdomainname" to "target.administrative_domain". - When "tvdeventid" is "1027" or "scantype" is "Endpoint Security Threat Prevention", then mapped "domain" and "userid" from "UserName" to "target.administrative_domain" and "target.user.userid" respectively. |
| 2024-08-29 | Enhancement:
- Added support to handle dropped logs. |
| 2024-08-12 | Enhancement:
- Changed mapping for "Description" from "metadata.description" to "security_result.description". - Mapped "Name" to "metadata.description". - Mapped "ThreatAction" to "security_result.action_details". |
| 2024-08-07 | Enhancement:
- Added support to handle unparsed JSON logs. - Mapped "ActionID", "ReasonID", "RatingID", "ListID", "PhishingRatingID", "DownloadRatingID", "SpamRatingID", "PopupRatingID", "BadLinkRatingID", "ExploitRatingID", and "ContentID" to "additional.fields". |
| 2023-10-15 | Enhancement:
- Handeled XML logs having "product_name" as "MOVE AV Agentless" or "MSME". |
| 2023-06-20 | Enhancement:
- Added grok pattern to handle xml logs. |
| 2023-01-02 | Enhancement - Added gsub to remove empty namespace with prefix.
|
| 2022-12-16 | Bug-fix - Added code block to handle "is_DLPAGENT11600". - Added code block for product names specific. - Added "GENERIC_EVENT" wherever possible if principal and target UDM fields are null. - Mapped normalized_ip_address to "principal.ip". - Mapped normalized_mac_address to "principal.mac" wherever possible. |
| 2022-09-14 | Enhancement - Merged The customer specific-version to default by Handling Log formats of type Key-value pairs.
- Provided on_error check for "Content.ParentProcessFileName". |
| 2022-09-09 | Enhancement - Parsed logs of type "Solidifier" which were being dropped earlier.
- Logs are present in CSV format so following additional mappings have been defined for the particular columns : - Mapped "column8" to "principal.hostname". - Mapped "column11" to "principal.mac". - Mapped "column25" to "target.process.file.full_path". - Mapped "column30" to "security_result.action". It is mapped to "BLOCK" if value contains "deny" else mapped as "ALLOW" in case of some other value apart from none. - Mapped "metadata.event_type" to "STATUS_UPDATE". |
| 2022-08-11 | Bug-Fix -
- Remapped AnalyzerHostname to intermediary.hostname. - Remapped sys_host to observer.hostname. |
| 2022-07-27 | Enhancement - Mapped the following field:
- Mapped "csv_mcafee_security.column4" to "principal.asset.first_seen_time". |
| 2022-07-14 | Enhancement - Mapped the following fields:
- Mapped "product_version" to "metadata.product_version". - Mapped "FileSHA1Hash" to "target.process.file.sha1". - Added code block to handle event_id "35103". - Changed event_type from "GENERIC_EVENT" to "STATUS_UPDATE" wherever possible. |
| 2022-05-05 | Enhancement - Mapped the following fields:
- SourceHostname to principal.hostname. If SourceHostname is null mapped AnalyserHostname to principal.hostname. - MachineName to observer.hostname. - AnalyserHostname to intermediate.hostname. - IP header csv 9 to principal.ip. - IP header csv 17 to target.ip. - ThreatName header csv 28 to security_result.threat_name commonly for all. |
| 2022-04-12 | Added generic string for Vendor name and replaced different product names to a generic value string. |