Change log for NETSKOPE_ALERT

Date Changes
2024-02-19 Enhancement:
- Changed the mapping of "client_bytes" from "network.received_bytes" to "network.sent_bytes".
- Changed the mapping of "server_bytes" from "network.sent_bytes" to "network.received_bytes".
2024-02-08 Enhancement:
- Mapped "useragent" and "user_agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
2023-11-10 Enhancement:
- Added a Grok pattern to check whether "srcip" is a valid IP address.
- Mapped "instance_id" to "principal.hostname".
- Mapped "traffic_type" to "security_result.detection_fields".
- Mapped "app_activity" to "additional.fields".
- Mapped "count" to "additional.fields".
- Mapped "site" to "additional.fields".
- Mapped "device" to "principal.resource.resource_sub_type".
- Mapped "type" to "security_result.detection_fields".
- Changed the mapping of "hostname" using "replace" instead of "rename".
- Changed "cci" mapping from "additional.fields" to "security_result.detection_fields".
- Changed "ccl" mapping from "additional.fields" to "security_result.confidence_details".
- Populated "security_result.confidence" according to the value in "ccl".
2023-07-14 Bug-Fix:
- Extracted values for "browser_session_id" and "app_session_id" using a Grok pattern before mapping.
- Added a condition check to validate that "to_user" is an email address before mapping it.
2023-07-06 Enhancement:
- Modified the Grok pattern to identify whether "dsthost" is an IP address. If it is, "dsthost" is mapped to "target.ip"; otherwise it is mapped to "target.hostname".
2023-06-06 Enhancement:
- Mapped "domain" to "target.hostname".
- Mapped "app_session_id" to "target.resource.attribute.labels".
- Mapped "malware_severity" to "security_result.severity".
- Mapped "malware_type" to "security_result.detection_fields".
- Mapped "threat_match_field" to "security_result.detection_fields".
- Mapped "ja3" to "network.tls.client.ja3".
- Mapped "ja3s" to "network.tls.server.ja3s".
- Mapped "cci", "ccl" to "additional.fields".
- Mapped "access_method" to "extensions.auth.auth_details".
- Mapped "browser_version" to "network.http.parsed_user_agent.browser_version".
- Mapped "dlp_profile" to "security_result.rule_type".
- Mapped "dlp_rule" to "security_result.rule_name".
- Mapped "netskope_pop" to "observer.hostname".
- Mapped "page" to "network.http.referral_url".
- Mapped "to_user" to "target.user.email_addresses".
- Mapped "to_user_category" to "target.resource.attribute.labels".
2023-03-23 Enhancement:
- Mapped "security_result.alert_state" to "ALERTING" if "alert" is equal to "yes".
- Mapped "security_result.alert_state" to "NOT_ALERTING" if "alert" is equal to "no".
- Mapped "security_result.alert_state" to "UNSPECIFIED" if "alert" is null.
2022-07-23 Enhancement:
- Removed unnecessary mapping for "metadata.description".
2022-07-01 Enhancement:
- Mapped "os" to "principal.platform".
- Mapped "dsthost" to "target.ip" if "dsthost" is an IP address, else to "target.hostname".
- Mapped "dstport" to "target.port".
- Mapped "srcport" to "principal.port".
- Mapped "user" to "principal.user.email_addresses" if "user" is a valid email address.
- Mapped "src_latitude" to "principal.location.region_latitude".
- Mapped "src_longitude" to "principal.location.region_longitude".
- Mapped "ip_protocol" to "network.ip_protocol".
- Mapped "client_bytes" to "network.received_bytes".
- Mapped "server_bytes" to "network.sent_bytes".
- Mapped "browser_session_id" to "network.session_id".
- Mapped "network_session_id" to "network.session_id".
- Mapped "appcategory" to "security_result.category_details".
- Mapped "publisher_cn" to "additional.fields[n]".
- Mapped "publisher_name" to "additional.fields[n]".
- Mapped "tunnel_id" to "additional.fields[n]".
- Mapped "tunnel_type" to "additional.fields[n]".
- Changed the mapping of "shared_with" from "intermediary.user.email_addresses" to "network.email.to".
- Changed the mapping of "network.email.to" from "principal.user.email_addresses" to "network.email.from".
- Added conditional checks for the fields "_severity", "shared_with", "from_user" and "protocol".
- Modified "metadata.event_type" for the following cases:
  - "GENERIC_EVENT" to "NETWORK_HTTP" where ("principal.ip" or "principal.hostname") and ("target.ip" or "target.hostname") are not null.
  - "GENERIC_EVENT" to "STATUS_UPDATE" where "principal.ip" or "principal.hostname" is not null.
  - "GENERIC_EVENT" to "USER_UNCATEGORIZED" where "principal.user.userid" is not null.
2022-06-17 Bug-Fix:
- Added a conditional check for "md5" == "not available".
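As an added reference sketch (not the parser's own configuration, which is written in the Chronicle parser language rather than Python), the conditional rules recorded in this log folded into one function: the "dsthost" IP-or-hostname split, the "srcip" and "user" validity checks, the 2024-02-19 byte-direction swap, the "alert" to "security_result.alert_state" mapping, and the "metadata.event_type" selection. It assumes "srcip" feeds "principal.ip" and uses a loose syntactic email check, since the log does not show the parser's own validation rules.

```python
import ipaddress
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose syntactic check; parser's rule not shown

def is_ip(value):
    # Stand-in for the Grok IP pattern check mentioned in the log.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def select_event_type(udm):
    # metadata.event_type rules from the 2022-07-01 entry, most specific case first.
    principal, target = udm.get("principal", {}), udm.get("target", {})
    has_principal = bool(principal.get("ip") or principal.get("hostname"))
    has_target = bool(target.get("ip") or target.get("hostname"))
    if has_principal and has_target:
        return "NETWORK_HTTP"
    if has_principal:
        return "STATUS_UPDATE"
    if principal.get("user", {}).get("userid"):
        return "USER_UNCATEGORIZED"
    return "GENERIC_EVENT"

def map_alert(raw):
    # Apply the conditional mappings the log describes to one raw alert dict.
    udm = {"principal": {}, "target": {}, "network": {}, "security_result": {}, "metadata": {}}
    if is_ip(raw.get("srcip", "")):  # 2023-11-10: srcip only if valid IP (assumed to feed principal.ip)
        udm["principal"]["ip"] = raw["srcip"]
    dsthost = raw.get("dsthost")
    if dsthost:  # 2023-07-06: IP -> target.ip, otherwise target.hostname
        udm["target"]["ip" if is_ip(dsthost) else "hostname"] = dsthost
    user = raw.get("user", "")
    if EMAIL_RE.match(user):  # 2022-07-01: user mapped only when it is a valid email
        udm["principal"]["user"] = {"email_addresses": [user]}
    if "client_bytes" in raw:  # 2024-02-19: byte direction swapped
        udm["network"]["sent_bytes"] = int(raw["client_bytes"])
    if "server_bytes" in raw:
        udm["network"]["received_bytes"] = int(raw["server_bytes"])
    # 2023-03-23: alert yes / no / absent -> alert_state
    udm["security_result"]["alert_state"] = {"yes": "ALERTING", "no": "NOT_ALERTING"}.get(raw.get("alert"), "UNSPECIFIED")
    udm["metadata"]["event_type"] = select_event_type(udm)
    return udm

# Constructed sample alert, not a real Netskope record.
SAMPLE = {"srcip": "10.0.0.5", "dsthost": "files.example.com", "user": "alice@example.com",
          "client_bytes": "120", "server_bytes": "4096", "alert": "yes"}
```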