Change log for SENTINEL_DV
| Date | Changes |
|---|---|
| 2023-09-06 | Enhancement<br>- Modified mapping of "tgt.process.storyline.id" from "target.process.product_specific_process_id" to "security_result.about.resource.attribute.labels".<br>- Modified mapping of "src.process.storyline.id" from "principal.process.product_specific_process_id" to "security_result.about.resource.attribute.labels".<br>- Modified mapping of "src.process.parent.storyline.id" from "principal.parent.process.product_specific_process_id" to "security_result.about.resource.attribute.labels". |
| 2023-07-31 | Enhancement<br>- Handled logs containing "XML" data. |
| 2023-04-09 | Enhancement<br>- If "event.type" is "Process Creation", mapped "metadata.event_type" to "PROCESS_LAUNCH".<br>- If "event.type" is "Duplicate Process Handle", mapped "metadata.event_type" to "PROCESS_OPEN".<br>- If "event.type" is "Duplicate Thread Handle", mapped "metadata.event_type" to "PROCESS_OPEN".<br>- If "event.type" is "Open Remote Process Handle", mapped "metadata.event_type" to "PROCESS_OPEN".<br>- If "event.type" is "Remote Thread Creation", mapped "metadata.event_type" to "PROCESS_LAUNCH".<br>- If "event.type" is "Command Script", mapped "metadata.event_type" to "FILE_UNCATEGORIZED".<br>- If "event.type" is "IP Connect", mapped "metadata.event_type" to "NETWORK_CONNECTION".<br>- If "event.type" is "IP Listen", mapped "metadata.event_type" to "NETWORK_UNCATEGORIZED".<br>- If "event.type" is "File Modification", mapped "metadata.event_type" to "FILE_MODIFICATION".<br>- If "event.type" is "File Creation", mapped "metadata.event_type" to "FILE_CREATION".<br>- If "event.type" is "File Scan", mapped "metadata.event_type" to "FILE_UNCATEGORIZED".<br>- If "event.type" is "File Deletion", mapped "metadata.event_type" to "FILE_DELETION".<br>- If "event.type" is "File Rename", mapped "metadata.event_type" to "FILE_MODIFICATION".<br>- If "event.type" is "Pre Execution Detection", mapped "metadata.event_type" to "FILE_UNCATEGORIZED".<br>- If "event.type" is "Login", mapped "metadata.event_type" to "USER_LOGIN".<br>- If "event.type" is "Logout", mapped "metadata.event_type" to "USER_LOGOUT".<br>- If "event.type" is "GET", "OPTIONS", "POST", "PUT", "DELETE", "CONNECT", or "HEAD", mapped "metadata.event_type" to "NETWORK_HTTP".<br>- If "event.type" is "Not Reported", mapped "metadata.event_type" to "STATUS_UNCATEGORIZED".<br>- If "event.type" is "DNS Resolved", mapped "metadata.event_type" to "NETWORK_DNS".<br>- If "event.type" is "DNS Unresolved", mapped "metadata.event_type" to "NETWORK_DNS".<br>- If "event.type" is "Task Register", mapped "metadata.event_type" to "SCHEDULED_TASK_CREATION".<br>- If "event.type" is "Task Update", mapped "metadata.event_type" to "SCHEDULED_TASK_MODIFICATION".<br>- If "event.type" is "Task Start", mapped "metadata.event_type" to "SCHEDULED_TASK_UNCATEGORIZED".<br>- If "event.type" is "Task Trigger", mapped "metadata.event_type" to "SCHEDULED_TASK_UNCATEGORIZED".<br>- If "event.type" is "Task Delete", mapped "metadata.event_type" to "SCHEDULED_TASK_DELETION".<br>- If "event.type" is "Registry Key Create", mapped "metadata.event_type" to "REGISTRY_CREATION".<br>- If "event.type" is "Registry Key Rename", mapped "metadata.event_type" to "REGISTRY_MODIFICATION".<br>- If "event.type" is "Registry Key Delete", mapped "metadata.event_type" to "REGISTRY_DELETION".<br>- If "event.type" is "Registry Key Export", mapped "metadata.event_type" to "REGISTRY_UNCATEGORIZED".<br>- If "event.type" is "Registry Key Security Changed", mapped "metadata.event_type" to "REGISTRY_MODIFICATION".<br>- If "event.type" is "Registry Key Import", mapped "metadata.event_type" to "REGISTRY_CREATION".<br>- If "event.type" is "Registry Value Modified", mapped "metadata.event_type" to "REGISTRY_MODIFICATION".<br>- If "event.type" is "Registry Value Create", mapped "metadata.event_type" to "REGISTRY_CREATION".<br>- If "event.type" is "Registry Value Delete", mapped "metadata.event_type" to "REGISTRY_DELETION".<br>- If "event.type" is "Behavioral Indicators", mapped "metadata.event_type" to "SCAN_UNCATEGORIZED".<br>- If "event.type" is "Module Load", mapped "metadata.event_type" to "PROCESS_MODULE_LOAD".<br>- If "event.type" is "Threat Intelligence Indicators", mapped "metadata.event_type" to "SCAN_UNCATEGORIZED".<br>- If "event.type" is "Named Pipe Creation", mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".<br>- If "event.type" is "Named Pipe Connection", mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED".<br>- If "event.type" is "Driver Load", mapped "metadata.event_type" to "PROCESS_MODULE_LOAD". |
| 2023-02-13 | Enhancement<br>- Mapped "endpoint.os" to "principal.platform".<br>- Mapped "endpoint.name" to "target.hostname".<br>- Mapped "src.process.pid" to "principal.process.pid".<br>- Mapped "src.process.cmdline" to "principal.process.command_line".<br>- Mapped "src.process.image.path" to "principal.process.file.full_path".<br>- Mapped "src.process.image.sha1" to "principal.process.file.sha1".<br>- Mapped "src.process.eUserUid" to "metadata.ingestion_labels".<br>- Mapped "src.process.lUserUid" to "metadata.ingestion_labels".<br>- Mapped "src.process.uid" to "principal.user.userid".<br>- Mapped "src.process.displayName" to "principal.user.user_display_name".<br>- Mapped "src.process.isRedirectCmdProcessor", "src.process.isNative64Bit", "src.process.isStorylineRoot", "src.process.signedStatus", "src.file.isSigned", "src.process.subsystem", "src.process.integrityLevel", "src.process.tgtFileCreationCount", "src.process.childProcCount", "src.process.indicatorBootConfigurationUpdateCount", "src.process.indicatorEvasionCount", "src.process.indicatorExploitationCount", "src.process.indicatorGeneralCount", "src.process.indicatorInfostealerCount", and "src.process.moduleCount" to "principal.resource.attribute.labels".<br>- Mapped "src.process.image.md5" to "principal.process.file.md5".<br>- Mapped "agent.uuid" to "principal.asset.asset_id".<br>- Mapped "agent.version" to "metadata.product_version".<br>- Mapped "site.id" to "principal.namespace".<br>- Mapped "site.name" to "principal.location.name".<br>- Mapped "trace.id" to "metadata.product_log_id".<br>- Mapped "dataSource.category" to "security_result.category_details".<br>- Mapped "packet.id" to "about.resource.attribute.labels".<br>- Mapped "mgmt.url" and "endpoint.type" to "metadata.url_back_to_product".<br>- Mapped "tgt.process.image.sha1" to "target.process.file.sha1".<br>- Mapped "tgt.process.image.path" to "target.process.file.full_path".<br>- Mapped "tgt.process.pid" to "target.process.pid".<br>- Mapped "tgt.process.uid" to "target.user.userid".<br>- Mapped "tgt.process.cmdline" to "target.process.command_line".<br>- Mapped "tgt.process.displayName" to "target.user.user_display_name".<br>- Mapped "tgt.process.image.md5" to "target.process.file.md5".<br>- Mapped "src.process.parent.image.sha256" to "principal.process.file.sha256".<br>- Mapped "tgt.process.image.sha256" to "target.process.file.sha256".<br>- Mapped "tgt.process.sessionId" to "network.session_id".<br>- Mapped "tgt.process.storyline.id" to "target.process.product_specific_process_id".<br>- Mapped "tgt.process.isRedirectCmdProcessor", "tgt.process.isNative64Bit", "tgt.process.isStorylineRoot", "tgt.process.signedStatus", "tgt.file.isSigned", "tgt.process.subsystem", "tgt.process.integrityLevel", and "tgt.process.publisher" to "target.resource.attribute.labels".<br>- Mapped "prod_event_type" to "metadata.product_event_type". |
| 2022-09-09 | Enhancement<br>- Undropped the logs with "event_type" = null.<br>- Provided null checks for "meta.os_version", "meta.os_name", "meta.uuid", "meta.computer_name", and "meta.os_revision".<br>- Reduced the size of "*.targetFile.hashes.sha1" and "*.source.executable.hashes.sha1" to 64 bytes when they exceed the 64-byte limit. |