Change log for PAN_FIREWALL
| Date | Changes |
|---|---|
| 2024-03-13 | - Handle mapping of "characteristic_of_app" with "security_result.summary".
|
| 2024-02-19 | - Priorotized the "High Resolution Timestamp" raw field for the mapping of "metadata.event_timesatamp".
|
| 2024-02-14 | - Updated the Grok pattern to extract the correct userid and IP address from "msg" field.
- Updated the Grok pattern to extract URL and hostname from "misc" field. |
| 2024-01-31 | - Extracted domain and userid from "Source User" field.
- Updated the typo for "PanOSTimeGeneratedHighResolution" field for the logs of type "GLOBALPROTECT". |
| 2024-01-17 | Updated the typo for "PanOSTimeGeneratedHighResolution" field.
Extracted "domain" and "userid" from "Source User" for "TRAFFIC" log type. Updated the Grok pattern to extract URL and hostname from "misc" field. Updated the Grok pattern to extract the correct user ID and IP address from "msg" field. |
| 2024-01-03 | Updated the "metadata.event_type" to "USER_LOGIN" where logtype value is "System" and subtype value is "auth".
Supported new field names for the CEF format logs for "DECRYPTION", "GLOBALPROTECT" and "AUTHENTICATION" log type. Extracted all possible values from the "msg" field and mapped accordingly. |
| 2023-11-29 | Aligned 'principal/target.hostname' and 'principal/target.asset.hostname' mapping.
Added additional mapping by extracting values from "msg" field. Added mappings of the raw log fields which were mapped to the deprecated field "noun.labels". |
| 2023-09-20 | Updated the mapping of "msg" field to "metadata.description" field for LEEF log format. |
| 2023-09-06 | Changed regular expression pattern to map all authentication events to "USER_LOGIN". |
| 2023-06-28 | Updated the parser to include "security_result.severity" field. |
| 2023-06-14 | Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent". |
| 2023-05-02 | - Changed the mapping of the "network.sent_bytes" and "network.received_bytes" fields.
|
| 2023-03-29 | - "security_result.action" field is set to "BLOCK" when the value of raw log field "act/action" is "drop-packet".
|
| 2023-03-15 | - Handled rename failure error for "GLOBALPROTECT" type logs in CEF format.
|
| 2023-03-01 | - Added mapping of field bytes sent and bytes received to "about.labels" if the field value is 0.
|
| 2023-02-15 | - Extracted numerical 'threat_id' from "security_result.threat_name" and mapped it to "security_result.threat_id".
|
| 2023-02-01 | - Added mapping of "Application" field to "target.application" for "THREAT" type logs in CSV format.
|
| 2022-12-09 | - Handled unnecessary double quotes.
|
| 2022-11-16 | - Added gsub filters to handle unnecessary double quotes.
- Changed mapping of 'misc' value for THREAT type logs. Now, in case of subtype 'spyware' and 'vulnerability', value in misc variable will be mapped with 'target.url' and 'target.file.full_path` both. Also, restored 'target.hostname' mapping for subtype 'url' . - Added validation check for network.session_duration.seconds |
| 2022-11-04 | - Modified mapping of 'misc' field for subtype 'spyware', 'misc' field value is mapped with 'target.file.full_path'.
|
| 2022-10-04 | - Added condition to parse newly injested csv format logs.
|
| 2022-09-28 | Promoted PAN_FIREWALL parser to default.
For the field mapping differences, see field mapping changes |
| 2022-03-28 | Enhancement-Added mappings for certain fields when log is of type TRAFFIC/THREAT.
- Sequence Number to event.idm.read_only_udm.metadata.product_log_id. - Session End Reason to event.idm.read_only_udm.security_result.summary. - Session ID to event.idm.read_only_udm.network.session_id. |