Change log for NIX_SYSTEM
Date | Changes |
---|---|
2024-08-21 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
2024-05-30 | Enhancement:<br>- Mapped "APP-NAME" from the syslog message to "target.application". |
2024-05-26 | Enhancement:<br>- Mapped "HostIP" to "principal.ip".<br>- Mapped "Computer" to "principal.hostname".<br>- Mapped "ProcessID" to "principal.process.pid".<br>- Mapped "TenantId" to "principal.user.product_object_id".<br>- Mapped "target_url" to "target.url".<br>- Mapped "sec_summary" to "security_result.summary".<br>- Mapped "file_path_value" to "target.file.full_path".<br>- Mapped "SeverityLevel" to "security_result.severity".<br>- Mapped "SyslogMessage" to "security_result.description".<br>- Mapped "action_details_value" to "security_result.action_details".<br>- Mapped "_ResourceId" to "principal.resource.attribute.labels".<br>- Mapped "_Internal_WorkspaceResourceId" to "target.resource.attribute.labels".<br>- Mapped "Facility", "MG", "ProcessName", "SourceSystem", "Type", "logger_name", and "_ItemId" to "principal.resource.attribute.labels".<br>- Extracted "resource_id_value" from "_ResourceId" and mapped it to "principal.resource.product_object_id".<br>- Extracted "target_resource_id_value" from "_Internal_WorkspaceResourceId" and mapped it to "target.resource.product_object_id".<br>- If "process" is "su" and "dvc" is a valid IP address, mapped "dvc" to "principal.ip".<br>- If "process" is "su" and "dvc" is not a valid IP address, mapped "dvc" to "principal.hostname".<br>- If "process" is "su", mapped "msg1" to "additional.fields".<br>- If "process" is "su", mapped "user_display_name" to "target.user.user_display_name".<br>- If "process" is "su", mapped "src_user_display_name" to "principal.user.user_display_name".<br>- If "prod_eve_type" is null, mapped "process" to "metadata.product_event_type". |
2024-04-22 | Enhancement:<br>- Added a "kv" function over "extended_description" to split key-value fields.<br>- Mapped "pid" to "principal.process.pid".<br>- Mapped "uid" to "principal.user.userid".<br>- Mapped "res" to "security_result.summary".<br>- Mapped "ses" to "network.session_duration".<br>- Mapped "auid", "cmd" and "terminal" to "additional.fields". |
2024-04-10 | Enhancement:<br>- Added a Grok pattern to separate "reason" and "uid_2" from "reason".<br>- Mapped "uid_2" to "target.user.userid".<br>- Mapped "reason" to "security_result.description". |
2024-04-09 | Enhancement:<br>- Mapped "description" to "security_result.description".<br>- Mapped "userid" to "target.user.userid". |
2024-04-03 | Enhancement:<br>- Added support for the "cleanup" and "qmgr" sub-processes of process "postfix".<br>- When "msg1" contains "user NOT in sudoers" or "command not allowed", set "security_result.action" to "FAIL". |
2024-03-26 | Enhancement:<br>- Added a Grok pattern to resolve the issue leading to "too long for type ACCOUNT_ID (336 bytes, max 256): invalid argument". |
2024-02-08 | Enhancement:<br>- Mapped "eventType" to "target.application".<br>- Mapped "description" to "security_result.description".<br>- When "description" is nearly equal to "fail", set "security_result.action" to "BLOCK".<br>- Aligned the "principal.ip", "principal.hostname" and "principal.asset.ip", "principal.asset.hostname" mappings.<br>- Aligned the "target.ip", "target.hostname" and "target.asset.ip", "target.asset.hostname" mappings. |
2024-01-09 | Enhancement:<br>- If "eventType" is "dispatcher", mapped "msg1" to "metadata.description", "dvc" to "principal.hostname", and set "metadata.event_type" to "STATUS_UPDATE".<br>- Added support for logs with "action" = "rexec" by parsing "msg1"; mapped "dvc" to "principal.hostname", "msg1" to "metadata.description", and set "metadata.event_type" to "STATUS_UPDATE".<br>- Added support for logs with "action" = "Postponed publickey" by parsing "msg1"; mapped "dvc" to "principal.hostname", "msg1" to "metadata.description", "srcIP" to "principal.ip", "srcPort" to "principal.port", and set "metadata.event_type" to "STATUS_UPDATE".<br>- Modified and added Grok patterns to parse "srcPort" and mapped it to "principal.port". |
2023-12-11 | Enhancement:<br>- Added a Grok pattern to match the "msg1" part.<br>- Mapped "insertId" to "metadata.product_log_id".<br>- Mapped "resource.labels.instance.id" to "target.resource.product_object_id".<br>- Mapped "resource.labels.project.id" to "target.asset.attribute.cloud.project.id".<br>- Mapped "resource.labels.zone" to "target.asset.attribute.cloud.availability_zone".<br>- Mapped "resource.type" to "target.resource.resource_subtype".<br>- Mapped "logname" to "additional.fields". |
2023-11-10 | Enhancement:<br>- Added a "json" filter to properly parse newly added JSON logs.<br>- Mapped "DeviceUUID" to "metadata.product_log_id".<br>- Mapped "InstanceID", "ConnectionID" and "FirstPacketSecond" to "security_result.detection_fields".<br>- Mapped "AccessControlRuleAction" to "security_result.action".<br>- Mapped "DstIP" to "target.ip".<br>- Mapped "DstPort" to "target.port".<br>- Mapped "SrcIP" to "principal.ip".<br>- Mapped "Protocol" to "network.ip_protocol".<br>- Mapped "IngressInterface", "EgressInterface", "IngressVRF" and "EgressVRF" to "principal.asset.attribute.labels".<br>- Mapped "IngressZone" to "principal.location.name".<br>- Mapped "EgressZone" to "target.location.name".<br>- Mapped "ACPolicy" and "NAPPolicy" to "security_result.rule_labels".<br>- Mapped "AccessControlRuleName" to "security_result.rule_name".<br>- Mapped "ApplicationProtocol" to "network.application_protocol".<br>- Mapped "InitiatorPackets" to "network.sent_packets".<br>- Mapped "ResponderPackets" to "network.received_packets".<br>- Mapped "InitiatorBytes" to "network.sent_bytes".<br>- Mapped "DNSQuery", "DNSRecordType", "DNSResponseType" and "DNS_TTL" to "additional.fields". |
2023-10-30 | Enhancement:<br>- When user details are not present, set "metadata.event_type" to "STATUS_UPDATE" for "systemd" and "systemd-logind" logs.<br>- Added Grok patterns to support a new pattern of "systemd" and "systemd-logind" logs.<br>- Mapped "application_name" to "target.application" for "systemd" logs.<br>- Mapped "p_id" to "target.process.pid" for "systemd" logs.<br>- Mapped "username" to "target.user.userid" for "systemd" logs. |
2023-10-26 | Bug fix:<br>- Modified a Grok pattern to parse the entire value into "target.user.userid".<br>- Set "security_result.action" to "ALLOW" if "action" is "Accepted publickey". |
2023-09-21 | Enhancement:<br>- Adjusted the parser to support JSON format logs alongside syslog.<br>- Mapped "host.ip" to "principal.ip".<br>- Mapped "event_details.original" to "security_result.description".<br>- Mapped "log.syslog.facility.name" to "target.application".<br>- Mapped "log.syslog.severity.name" to "security_result.severity". |
2023-09-15 | - Added a Grok pattern to map the hostname of the Squid proxy server to "intermediary.hostname". |
2023-08-10 | - Added a Grok pattern to map logs in a new format. |
2023-04-27 | Customer issue:<br>- For logs with "action:OPENED", changed "event_type" from "FILE_READ" to "FILE_OPEN". |
2023-04-05 | Customer issue:<br>- Mapped "exe" to "target.process.command_line" and "acct" to "target.user.userid". |
2023-03-10 | Customer issue:<br>- Added a Grok pattern to parse logs with "eventType" = "cp", "USER_CHAUTHTOK".<br>- Added a Grok pattern to parse logs with "process" = "CRON". |
2022-12-06 | Enhancement:<br>- Changed "event_type" from "USER_UNCATEGORIZED" to "USER_LOGIN" for "action" = "Accepted publickey".<br>- Modified the parser to map process name "setroubleshoot" to "target.application". |
2022-10-21 | Enhancement:<br>- Modified a Grok pattern to parse logs in which "process_id" may or may not be present.<br>- Parsed logs of type "-bash" and "su".<br>- For SSHD logs with "refused connect", moved the hostname mapping from "target.hostname" to "principal.hostname". |
2022-08-12 | Enhancement: reduced the "GENERIC_EVENT" percentage.<br>- Modified the "metadata.event_type" mapping from "GENERIC_EVENT" to "STATUS_UPDATE" by replicating the "intermediary.hostname"/"target.hostname" mapping to "principal.hostname".<br>- Parsed logs of type "postfix/smtpd", "sudo", "systemd-logind" and "sftp-server". |
2022-06-28 | Bug fix:<br>- Added a new Grok pattern to parse logs that were dropped with tag TAG_NO_SECURITY_VALUE.<br>- Mapped "pid" to "target.process.pid".<br>- Mapped "comm" to "target.process.command".<br>- Mapped "uid" to "principal.user.userid".<br>- Mapped "grp" to "target.group.group_display_name".<br>- Mapped "ip" to "principal.ip".<br>- Mapped "ses" to "network.session_id". |
2022-06-13 | Enhancement:<br>- Added a Grok pattern for "process" == "named".<br>- Added a Grok pattern for "process" == "unbound".<br>- For "process" == "named": mapped "action" to "security_result.action", "hostname" to "target.hostname", "ip" to "principal.ip", and "srcPort" to "principal.port".<br>- For "process" == "unbound": mapped "hostname" to "target.hostname" and "ip" to "principal.ip". |
2022-06-07 | Enhancement:<br>- Removed leading and trailing spaces from "principal.hostname" and "target.process.command_line". |
2022-03-23 | Customer issue:<br>- Added a Grok pattern to parse logs with "eventType" = "su".<br>- Added an include file to parse "facility" and "severity" for syslog-type logs. |
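The conditional rules in the 2024-05-26, 2024-04-03, 2023-10-26 and 2022-12-06 entries (IP-vs-hostname choice for "dvc", the "prod_eve_type" fallback, and the FAIL/ALLOW actions) are shown below as an added Python emulation; it is not the NIX_SYSTEM parser's own code. The regex stands in for the parser's Grok patterns, the sample syslog lines are constructed, and the UDM field layout is a plain dict.

```python
import ipaddress
import re

# Constructed sample syslog lines (not from the page) covering the rules below.
SAMPLE_LINES = [
    "Jul 10 12:00:01 10.0.0.5 su[2301]: pam_unix(su:session): session opened for user root by alice(uid=1000)",
    "Jul 10 12:00:02 webhost01 su[2302]: pam_unix(su:session): session closed for user root",
    "Jul 10 12:00:03 webhost01 sudo[2303]: bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; COMMAND=/bin/ls",
    "Jul 10 12:00:04 webhost01 sshd[2304]: Accepted publickey for carol from 192.0.2.7 port 51234 ssh2",
]

# Hypothetical Grok equivalent: timestamp, dvc (host or IP), process, pid, and the remainder as msg1.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<dvc>\S+)\s(?P<process>[\w.-]+)\[(?P<pid>\d+)\]:\s(?P<msg1>.*)$"
)

def is_valid_ip(value):
    """Mirror the parser's 'valid IP' check that selects principal.ip over principal.hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def normalize(line, prod_eve_type=None):
    """Return a UDM-style dict for one syslog line, or None when the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    udm = {"metadata": {}, "principal": {"process": {"pid": f["pid"]}}, "security_result": {}}
    # 2024-05-26 entry: for "su", an IP-shaped "dvc" goes to principal.ip, anything else to principal.hostname.
    if f["process"] == "su":
        if is_valid_ip(f["dvc"]):
            udm["principal"]["ip"] = f["dvc"]
        else:
            udm["principal"]["hostname"] = f["dvc"]
        udm["additional"] = {"fields": {"msg1": f["msg1"]}}
    else:
        udm["principal"]["hostname"] = f["dvc"]
    # 2024-05-26 entry: fall back to the process name when no product event type was set.
    udm["metadata"]["product_event_type"] = prod_eve_type or f["process"]
    # 2024-04-03 entry: sudo denials are recorded as a failed action.
    if "user NOT in sudoers" in f["msg1"] or "command not allowed" in f["msg1"]:
        udm["security_result"]["action"] = "FAIL"
    # 2023-10-26 and 2022-12-06 entries: accepted public-key logins become ALLOW / USER_LOGIN.
    if "Accepted publickey" in f["msg1"]:
        udm["security_result"]["action"] = "ALLOW"
        udm["metadata"]["event_type"] = "USER_LOGIN"
    return udm
```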