Change log for PAN_PRISMA_CA
| Date | Changes |
|---|---|
| 2024-12-05 | Enhancement:<br>- Mapped "record.region" to "principal.location.country_or_region".<br>- Mapped "record.policy.name" to "security_result.description".<br>- Mapped "record.account.cloudType" to "principal.cloud.environment".<br>- Mapped "record.policy.policyType", "record.policy.recommendation", and "record.policy.description" to "security_result.detection_fields".<br>- Mapped "record.policy.severity" to "security_result.severity".<br>- Mapped "record.policy.labels" to "additional.fields". |
| 2024-11-27 | Enhancement:<br>- Refreshed the parser so that multi-valued array entries expose commonly used fields without duplicating them across array indexes. |
| 2024-11-14 | Enhancement:<br>- Added support for a new pattern of JSON logs.<br>- Mapped "callbackUrl" to "metadata.url_back_to_product".<br>- Mapped "errorMessage" to "metadata.description".<br>- Mapped "notificationRuleName" to "security_result.rule_name".<br>- Mapped "body" and "title" to "additional.fields".<br>- Mapped "alarmType" to "principal.cloud.environment".<br>- Mapped "severity" to "security_result.severity". |
| 2024-10-31 | Enhancement:<br>- Mapped all instances of "aggregatedAlert.compilanceIssues" to separate "security_result" blocks. |
| 2024-10-17 | Enhancement:<br>- Mapped "aggregatedAlert.vulnerabilities.imageID" to "extensions.vulns.vulnerabilities.about.file.sha256".<br>- Mapped "aggregatedAlert.vulnerabilities.imageName" to "extensions.vulns.vulnerabilities.about.file.path".<br>- Mapped "aggregatedAlert.vulnerabilities.distribution" to "extensions.vulns.vulnerabilities.name".<br>- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.severity" to "extensions.vulns.vulnerabilities.severity".<br>- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.cve" to "extensions.vulns.vulnerabilities.cve_id".<br>- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.link" to "extensions.vulns.vulnerabilities.about.url".<br>- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.status" to "extensions.vulns.vulnerabilities.description".<br>- Mapped "aggregatedAlert.vulnerabilities.newVulnerabilities.packages", "aggregatedAlert.vulnerabilities.newVulnerabilities.packageVersion", and "aggregatedAlert.vulnerabilities.newVulnerabilities.sourcePackage" to "target.resource.attribute.labels". |
| 2024-09-15 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
| 2024-06-21 | Enhancement:<br>- Added support for a new pattern of unparsed JSON logs. |
| 2024-06-18 | Enhancement:<br>- Mapped "policyLabels" to "additional.fields".<br>- Mapped "policyType" to "security_result.detection_fields". |
| 2024-06-17 | Enhancement:<br>- Mapped "resource.unifiedAssetId" to "principal.asset.asset_id".<br>- Mapped "policyName" to "security_result.description".<br>- Mapped "resource.resourceConfigJsonAvailable", "resource.resourceDetailsAvailable", and "policy.deleted" to "additional.fields".<br>- Mapped "policy.recommendation", "policy.policyType", and "policy.description" to "security_result.detection_fields".<br>- Mapped "resource.url" to "principal.url".<br>- Mapped "reason" to "security_result.summary".<br>- Mapped "resource.region" to "principal.location.state".<br>- Mapped "resource.regionId" to "principal.location.country_or_region".<br>- Mapped "resource.resourceType" to "target.resource.resource_subtype".<br>- Mapped "resource.accountId" to "target.resource.product_object_id" and "target.resource.id".<br>- If the "resource.cloudType" value is "gcp", set "principal.cloud.environment" to "GOOGLE_CLOUD_PLATFORM". |
| 2023-12-10 | Enhancement:<br>- Added a Grok pattern to extract the JSON part of the log.<br>- Mapped "resourceId" to "principal.resource.product_object_id".<br>- Mapped "accountId" to "target.resource.product_object_id".<br>- Mapped "alertRuleName" to "security_result.rule_name".<br>- Mapped "accountName" to "target.resource.name".<br>- Mapped "hasFinding" to "security_result.detection_fields".<br>- Mapped "resourceRegionId" to "principal.cloud.availability_zone".<br>- Mapped "source" to "principal.application".<br>- Mapped "callbackUrl" to "metadata.url_back_to_product".<br>- Mapped "alertRuleId" to "security_result.rule_id".<br>- Mapped "alertId" to "security_result.detection_fields".<br>- Mapped "policyLabels" to "additional.fields".<br>- Mapped "policyName" to "security_result.description".<br>- Mapped "resourceName" to "principal.resource.name".<br>- Mapped "resourceRegion" to "principal.location.country_or_region".<br>- Mapped "policyDescription" to "security_result.detection_fields".<br>- Mapped "policyRecommendation" to "security_result.detection_fields".<br>- Mapped "resourceCloudService" to "principal.resource.attribute.labels".<br>- Mapped "resource.url" to "principal.url".<br>- Mapped "alertTs" to "security_result.detection_fields".<br>- Mapped "firstSeen" to "principal.asset.first_seen_time".<br>- Mapped "lastSeen" to "principal.asset.last_discover_time".<br>- Mapped "reason" to "security_result.summary".<br>- Mapped "alertStatus" to "security_result.detection_fields".<br>- If the "severity" value is "HIGH", set "security_result.severity" to "HIGH".<br>- If the "cloudType" value is "gcp", set "principal.cloud.environment" to "GOOGLE_CLOUD_PLATFORM". |
| 2023-08-17 | Newly created parser. |