Change log for PROOFPOINT_MAIL_FILTER
Date | Changes |
---|---|
2024-09-19 | Enhancement:<br>- Added support for the new log format. |
2024-06-03 | Enhancement:<br>- Added a Grok pattern to parse previously unparsed logs.<br>- Added a conditional check for "datetime" and "hfrom".<br>- Mapped "net_mail_id" and "hdr_mid" to "network.email.mail_id". |
2022-10-03 | Enhancement:<br>- Added a Grok pattern to parse newly ingested and previously unparsed logs.<br>- Added a null check for the field "proc".<br>- Mapped "process_id" to "principal.process.pid".<br>- Mapped "prod_event_type" to "metadata.product_event_type".<br>- Mapped "version" to "network.tls.version".<br>- Added an error check for the field "status".<br>- Mapped "proto" to "network.application_protocol" under newly added conditions.<br>- Added a condition that maps "from" only when it holds a valid email address.<br>- Added a condition that maps "to" only when it holds valid email addresses, and handled multiple addresses in the field: each valid address is mapped to "target.user.email_addresses".<br>- Mapped "class" to "security_result.detection_fields".<br>- Mapped "msgid" to "network.email.mail_id".<br>- Mapped "auth" to "extensions.auth.type".<br>- Mapped "delay" to "about.resource.attribute.labels".<br>- Set "security_result.action" to "ALLOW" when "verify" is "OK", and vice versa.<br>- Mapped "mailer" to "network.application_protocol" under newly added conditions.<br>- Added a Grok pattern to parse "stat" and mapped its contents to "security_result.summary".<br>- Mapped "received_byte" to "network.received_bytes".<br>- Mapped "Hostname" to "target.hostname".<br>- Mapped "H" to "target.hostname".<br>- Added a Grok pattern to extract the IP from "relay": if the value is a domain, "relay" is mapped to "intermediary.administrative_domain"; otherwise the extracted "interm_ip" is mapped to "intermediary.ip".<br>- Mapped "domain" to "intermediary.administrative_domain".<br>- Remapped "device" from "intermediary.hostname" to "principal.hostname". |
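The conditional rules in the 2022-10-03 entry (multi-recipient "to" validation, "verify" to "security_result.action", and the "relay" domain-or-IP split), modelled as an added example in Python; this is not the parser's own Grok/UDM configuration. Field and UDM names are taken from the change log; the email regex, the helper names and the sample record are assumptions made for the example.

```python
import ipaddress
import re
from typing import Any

# Simple address-shape check, assumed here; the parser's own validity test
# is not reproduced in the change log.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def valid_emails(field: str) -> list[str]:
    """Split a multi-recipient field and keep only well-formed addresses."""
    addrs = (raw.strip("<>") for raw in re.split(r"[,\s;]+", field))
    return [a for a in addrs if a and EMAIL_RE.match(a)]

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def to_udm(rec: dict[str, str]) -> dict[str, Any]:
    """Apply the 2022-10-03 conditional mappings to a tokenised record."""
    udm: dict[str, Any] = {}
    # "to" may hold several recipients; only valid ones are mapped.
    recipients = valid_emails(rec.get("to", ""))
    if recipients:
        udm["target.user.email_addresses"] = recipients
    # verify == "OK" -> ALLOW; any other value -> BLOCK (the log's "vice versa").
    if rec.get("verify"):
        udm["security_result.action"] = "ALLOW" if rec["verify"] == "OK" else "BLOCK"
    # relay: a hostname goes to administrative_domain, else the extracted IP is used.
    relay = rec.get("relay", "")
    host = re.sub(r"\s*\[[^\]]*\]\s*$", "", relay)
    ip_match = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", relay)
    if host and not is_ip(host):
        udm["intermediary.administrative_domain"] = host
    elif ip_match:
        udm["intermediary.ip"] = [ip_match.group(1)]
    hostname = rec.get("Hostname") or rec.get("H")  # either spelling is accepted
    if hostname:
        udm["target.hostname"] = hostname
    return udm

# Constructed sample record (already split into key=value tokens), not a real log.
SAMPLE = {
    "to": "<alice@example.com>, not-an-address, bob@example.org",
    "verify": "OK",
    "relay": "mx.example.net [192.0.2.10]",
    "Hostname": "edge01",
}
```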