Change log for PROOFPOINT_MAIL_FILTER

Date Changes
2022-10-03 Enhancement
- Added grok pattern to parse newly ingested and unparsed logs.
- Added null check for field name "proc".
- Mapped "process_id" to "principal.process.pid".
- Mapped "prod_event_type" to "metadata.product_event_type".
- Mapped "version" to "network.tls.version".
- Added error check for field name "status".
- Mapped "proto" to "network.application_protocol" with newly added conditions.
- Added condition to check for valid email for the field name "from".
- Added condition to check for valid email for the field name "to" and also handled multiple emails in the field. Mapped each valid email to "target.user.email_addresses".
- Mapped "class" to "security_result.detection_fields".
- Mapped "msgid" to "network.email.mail_id".
- Mapped "auth" to "extensions.auth.type".
- Mapped "delay" to "about.resource.attribute.labels".
- Set "security_result.action" to "ALLOW" if "verify" is "OK" and vice versa.
- Mapped "mailer" to "network.application_protocol" with newly added conditions.
- Added grok to parse "stat" and mapped the contents to "security_result.summary".
- Mapped "received_byte" to "network.received_bytes".
- Mapped "Hostname" to "target.hostname".
- Mapped "H" to "target.hostname".
- Added grok for IP mapping: if the value is a domain, mapped "relay" to "intermediary.administrative_domain"; otherwise mapped "interm_ip" to "intermediary.ip".
- Mapped "domain" to "intermediary.administrative_domain".
- Remapped "device" from "intermediary.hostname" to "principal.hostname".