Change log for NIX_SYSTEM
| Date | Changes |
|---|---|
| 2024-02-08 | Enhancement:<br>- Mapped "eventType" to "target.application".<br>- Mapped "description" to "security_result.description".<br>- When "description" is nearly equal to "fail", set "security_result.action" to "BLOCK".<br>- Aligned the "principal.ip" and "principal.hostname" mappings with "principal.asset.ip" and "principal.asset.hostname".<br>- Aligned the "target.ip" and "target.hostname" mappings with "target.asset.ip" and "target.asset.hostname". |
| 2024-01-09 | Enhancement:<br>- If "eventType" is "dispatcher", mapped "msg1" to "metadata.description" and "dvc" to "principal.hostname", and set "metadata.event_type" to "STATUS_UPDATE".<br>- Added support to parse logs with "action" as "rexec" by parsing "msg1"; mapped "dvc" to "principal.hostname" and "msg1" to "metadata.description", and set "metadata.event_type" to "STATUS_UPDATE".<br>- Added support to parse logs with "action" as "Postponed publickey" by parsing "msg1"; mapped "dvc" to "principal.hostname", "msg1" to "metadata.description", "srcIP" to "principal.ip" and "srcPort" to "principal.port", and set "metadata.event_type" to "STATUS_UPDATE".<br>- Modified and added Grok patterns to parse "srcPort" and mapped it to "principal.port". |
| 2023-12-11 | Enhancement:<br>- Added a Grok pattern to match the "msg1" part.<br>- Mapped "insertId" to "metadata.product_log_id".<br>- Mapped "resource.labels.instance.id" to "target.resource.product_object_id".<br>- Mapped "resource.labels.project.id" to "target.asset.attribute.cloud.project.id".<br>- Mapped "resource.labels.zone" to "target.asset.attribute.cloud.availability_zone".<br>- Mapped "resource.type" to "target.resource.resource_subtype".<br>- Mapped "logname" to "additional.fields". |
| 2023-11-10 | Enhancement:<br>- Added a 'json' filter to properly parse the newly added JSON logs.<br>- Mapped "DeviceUUID" to "metadata.product_log_id".<br>- Mapped "InstanceID", "ConnectionID" and "FirstPacketSecond" to "security_result.detection_fields".<br>- Mapped "AccessControlRuleAction" to "security_result.action".<br>- Mapped "DstIP" to "target.ip".<br>- Mapped "DstPort" to "target.port".<br>- Mapped "SrcIP" to "principal.ip".<br>- Mapped "Protocol" to "network.ip_protocol".<br>- Mapped "IngressInterface", "EgressInterface", "IngressVRF" and "EgressVRF" to "principal.asset.attribute.labels".<br>- Mapped "IngressZone" to "principal.location.name".<br>- Mapped "EgressZone" to "target.location.name".<br>- Mapped "ACPolicy" and "NAPPolicy" to "security_result.rule_labels".<br>- Mapped "AccessControlRuleName" to "security_result.rule_name".<br>- Mapped "ApplicationProtocol" to "network.application_protocol".<br>- Mapped "InitiatorPackets" to "network.sent_packets".<br>- Mapped "ResponderPackets" to "network.received_packets".<br>- Mapped "InitiatorBytes" to "network.sent_bytes".<br>- Mapped "DNSQuery", "DNSRecordType", "DNSResponseType" and "DNS_TTL" to "additional.fields". |
| 2023-10-30 | Enhancement:<br>- When user details are not present, set "metadata.event_type" to "STATUS_UPDATE" for "systemd" and "systemd-logind" logs.<br>- Added Grok patterns to support a new pattern of "systemd" and "systemd-logind" logs.<br>- Mapped "application_name" to "target.application" for "systemd" logs.<br>- Mapped "p_id" to "target.process.pid" for "systemd" logs.<br>- Mapped "username" to "target.user.userid" for "systemd" logs. |
| 2023-10-26 | Bug-fix:<br>- Modified a Grok pattern to parse the entire value into "target.user.userid".<br>- Set "security_result.action" to "ALLOW" if "action" is "Accepted publickey". |
| 2023-09-21 | Enhancement:<br>- Adjusted the parser to support JSON format logs alongside SYSLOG.<br>- Mapped "host.ip" to "principal.ip".<br>- Mapped "event_details.original" to "security_result.description".<br>- Mapped "log.syslog.facility.name" to "target.application".<br>- Mapped "log.syslog.severity.name" to "security_result.severity". |
| 2023-09-15 | - Added a Grok pattern to map the hostname of the Squid proxy server to "intermediary.hostname". |
| 2023-08-10 | - Added a Grok pattern to map new-format logs. |
| 2023-04-27 | Customer Issue:<br>- For logs that come with "action:OPENED", changed the event_type from "FILE_READ" to "FILE_OPEN". |
| 2023-04-05 | Customer Issue:<br>- Mapped field "exe" to "target.process.command_line" and "acct" to "target.user.userid". |
| 2023-03-10 | Customer Issue:<br>- Added a Grok pattern to parse logs with "eventType" = "cp" or "USER_CHAUTHTOK".<br>- Added a Grok pattern to parse logs with "process" = "CRON". |
| 2022-12-06 | Enhancement:<br>- Changed event_type from "USER_UNCATEGORIZED" to "USER_LOGIN" for action = "Accepted publickey".<br>- Modified the parser to map process name "setroubleshoot" to "target.application". |
| 2022-10-21 | Enhancement:<br>- Modified a Grok pattern to parse logs in which process_id may or may not be present.<br>- Parsed logs of type "-bash" and "su".<br>- For SSHD logs with "refused connect", modified the mapping of hostname from "target.hostname" to "principal.hostname". |
| 2022-08-12 | Enhancement: Reduced "GENERIC_EVENT" percentage<br>- Modified the mapping for "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" by replicating the mapping for "intermediary.hostname"/"target.hostname" to "principal.hostname".<br>- Parsed logs of type "postfix/smtpd", "sudo", "systemd-logind" and "sftp-server". |
| 2022-06-28 | Bug-fix:<br>- Added a new Grok pattern to parse logs previously dropped with tag TAG_NO_SECURITY_VALUE.<br>- Mapped "pid" to "target.process.pid".<br>- Mapped "comm" to "target.process.command".<br>- Mapped "uid" to "principal.user.userid".<br>- Mapped "grp" to "target.group.group_display_name".<br>- Mapped "ip" to "principal.ip".<br>- Mapped "ses" to "network.session_id". |
| 2022-06-13 | Enhancement:<br>- Added a Grok pattern for "process" == "named".<br>- Added a Grok pattern for "process" == "unbound".<br>For "process" == "named":<br>- Mapped "action" to "security_result.action".<br>- Mapped "hostname" to "target.hostname".<br>- Mapped "ip" to "principal.ip".<br>- Mapped "srcPort" to "principal.port".<br>For "process" == "unbound":<br>- Mapped "hostname" to "target.hostname".<br>- Mapped "ip" to "principal.ip". |
| 2022-06-07 | Enhancement:<br>- Removed leading or trailing spaces from "principal.hostname" and "target.process.command_line". |
| 2022-03-23 | Customer Issue:<br>- Added a Grok pattern to parse logs with "eventType" = "su".<br>- Added an include file to parse "facility" and "severity" for Syslog-type logs. |
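As an added reference example (not the parser's own Grok patterns or code), the following Python reconstructs the sshd "Accepted publickey" and "Postponed publickey" mappings described in the 2022-12-06, 2023-10-26, 2024-01-09 and 2024-02-08 entries, so the expected UDM fields for a given syslog line can be checked against what the parser emits. The regexes and the sample log lines are constructed stand-ins; the page does not show the real Grok patterns.

```python
import re

# Constructed sample sshd syslog lines (not taken from the change log) that
# exercise the "Accepted publickey" and "Postponed publickey" mappings.
SAMPLE_LOGS = [
    "Feb  8 10:15:01 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Feb  8 10:15:02 web01 sshd[2212]: Postponed publickey for bob from 10.0.0.6 port 51235 ssh2 [preauth]",
]

# Hypothetical regexes standing in for the parser's Grok patterns: the syslog
# envelope yields "dvc" and "msg1"; "msg1" is then split into action/user/srcIP/srcPort.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<dvc>\S+) sshd\[\d+\]: (?P<msg1>.*)$")
MSG1_RE = re.compile(
    r"^(?P<action>Accepted publickey|Postponed publickey) for (?P<user>\S+) "
    r"from (?P<srcIP>[\d.]+) port (?P<srcPort>\d+)"
)


def to_udm(line):
    """Return the UDM fields the change log says are set for one sshd line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not an sshd syslog line; out of scope for this example
    msg1 = m.group("msg1")
    a = MSG1_RE.match(msg1)
    if not a:
        return {"metadata.description": msg1}  # action not covered here
    udm = {
        "principal.ip": a.group("srcIP"),
        "principal.port": int(a.group("srcPort")),  # 2024-01-09: srcPort -> principal.port
    }
    if a.group("action") == "Accepted publickey":
        udm["target.user.userid"] = a.group("user")  # 2023-10-26: whole value kept
        udm["metadata.event_type"] = "USER_LOGIN"    # 2022-12-06
        udm["security_result.action"] = "ALLOW"      # 2023-10-26
    else:  # "Postponed publickey", 2024-01-09 entry
        udm["metadata.event_type"] = "STATUS_UPDATE"
        udm["principal.hostname"] = m.group("dvc")
        udm["metadata.description"] = msg1
    # 2024-02-08: keep principal.* and principal.asset.* aligned
    for field in ("ip", "hostname"):
        if f"principal.{field}" in udm:
            udm[f"principal.asset.{field}"] = udm[f"principal.{field}"]
    return udm


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(to_udm(log))
```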