Change log for SEP

Date Changes
2024-11-21 Enhancement:
- Added "gsub" to parse new pattern of logs.
- Added a Grok pattern to "event_description" to parse the fields.
- Mapped "File" to "principal.process.file.full_path".
- Mapped "Size" to "principal.process.file.size".
2024-11-07 Enhancement:
- Mapped "SITE_NAME" and "SOURCE" to "additional.fields".
- Mapped "SOURCE" to "security_result.description".
2024-10-25 Enhancement:
- Mapped "SCAN_ID", "CATEGORY_DESC", "CLIENT_TYPE", "DETECTION_TYPE", "HELP_VIRUS_IDX", "HPP_APP_TYPE", "IDX", "LAST_LOG_SESSION_GUID", "SITE_TYPE", "UUID", "VBIN_ID", and "VIRUS_TYPE" to "additional.fields".
- Mapped "USER_DOMAIN_NAME" to "target.administrative_domain".
- Mapped "COMPUTER_DOMAIN_NAME" to "principal.administrative_domain".
- Mapped "IP_ADDR1" to "src.ip".
- Mapped "SOURCE_COMPUTER_NAME" to "src.asset.hostname" and "src.hostname".
- Mapped "COMPUTER_NAME" to "principal.asset.hostname" and "principal.hostname".
- Mapped "OPERATION_SYSTEM" to "principal.asset.platform_software.platform".
- Mapped "SERVICE_PACK" to "principal.asset.platform_software.platform_version".
- Mapped "SOURCE_COMPUTER_IP" to "principal.ip" and "principal.asset.ip".
- Mapped "ALERT" to "metadata.product_event_type".
- Mapped "USER_NAME" to "principal.user.userid".
- Mapped "BIOS_SERIALNUMBER" to "principal.asset.hardware.serial_number".
- Mapped "ACTUALACTION" to "security_result.action_details".
- Mapped "VIRUSNAME" to "security_result.threat_name".
- Mapped "NOOFVIRUSES" to "security_result.verdict_info.malicious_count".
- Mapped "SOURCE", "DESCRIPTION", "REQUESTEDACTION" to "security_result.detection_fields".
- Mapped "CLIENT_GROUP" to "principal.group.group_display_name".
- Mapped "downloader" to "principal.process.file.full_path".
2024-10-24 Enhancement:
- Added support to parse logs with "logType" as "IPS", "Network Intrusion Protection System", "REP", "Memory Exploit Mitigation System", and "NTR".
2024-10-08 Enhancement:
- Added support for new format of syslog logs.
2024-09-23 Enhancement:
- Changed mapping of "rule_name" from "principal.resource.name" to "security_result.rule_name".
- Removed mapping of "principal.resource.resource_type" as "FIREWALL_RULE".
- Changed mapping of "security_result.category" from "ACL_VIOLATION" to "UNKNOWN_CATEGORY".
2024-09-11 Enhancement:
- Added support for array-type logs.
2024-08-08 - Mapped "REQUESTEDACTION" to "security_result.action_details".
- Mapped "SECONDARYACTION", "ACTUALACTION", "VIRUSNAME", and "NOOFVIRUSES" to "security_result.detection_fields".
- Mapped "SOURCE" to "additional.fields".
- Mapped "HPP_APP_HASH" to "target.file.sha256".
- Mapped "HPP_APP_NAME" to "target.file.names".
- Mapped "FILEPATH" to "target.file.full_path".
- Mapped "CLIENT_GROUP" to "target.user.group_identifiers".
2024-06-07 - Added Support for KV format logs.
2024-05-27 Enhancement:
- Mapped "target_file_name" from "target.file.full_path" to "target.file.names".
2023-11-28 Bug-Fix:
- When "event_time" present, mapped the same to "datetime".
2023-11-08 Bug-Fix:
- Removed mapping of "ServerName" to "target.asset.hostname" and mapped it to "intermediary.hostname".
- When "Actualaction" is "Cleaned", then mapped "security_result.action" to "BLOCK" and "is_significant" to "false".
- Added Grok pattern to parse the unparsed logs with varying patterns.
- Mapped "type", "utility-sub-type", "lang", "service-sandbox-type", "mojo-platform-channel-handle", "field-trial-handle", "disable-features" to "security_result.detection_fields".
- Mapped "target_arguments" to "read_only_udm.additional.fields".
- Mapped "user-data-dir" to "sec_result.about.file.full_path".
- Mapped "security-realm" to "security_result.summary".
- Mapped "startup-url" to "principal.url".
- Mapped "source_ip" to "target.ip".
- Mapped "action_word" to "security_result.action_details".
2023-10-12 Bug-Fix:
- Added Grok pattern to parse the unparsed logs with varying patterns.
2023-04-21 Bug-Fix:
- Changed intermediate variable names in the include files.
- Mapped "security_result.rule_name" for "File" related events.
2023-04-10 Enhancement:
- Handled the dropped logs with the logType "File Read", "File Write", "File Delete", or "Registry Write".
- Mapped "payload.domain_name" to "principal.administrative_domain".
- Added null check for "payload.device_id" and "event_description".
2023-01-21 Enhancement:
- Added conditional check for "targetComputerName","event_description1".
- Added on_error check for "file_full_path","GroupName","ServerName".
- Mapped "Applicationtype" to "principal.resource.attribute.labels".
- Mapped "mail" to "target.user.email_addresses".
- Mapped "server_name_1" to "principal.hostname".
- For logtype "SEC":
- Mapped "computer" to "principal.hostname".
- Mapped "syslogServer" to "intermediary.hostname".
- Mapped "event_description" to "metadata.description".
- Added "for loop" for the logtype "SONAR","CVE","SEC".
2022-11-24 Enhancement:
- Added grok pattern to parse logs containaing "SONAR detection now allowed".
2022-11-15 Enhancement:
- Added grok pattern to parse failed logs of type "Virus Found" and "SONAR Scan".
- Added conditional check for "Categorytype".
2022-10-25 Enhancement:
- Mapped "EventDescription" to "metadata.description".
- Mapped "LocalHostIP","IPAddress","source_ip" to "principal.ip".
- Mapped "LocalHostMAC" to "principal.mac".
- Mapped "computer" to "principal.hostname"
- Mapped "guid" to "principal.asset.asset_id".
- Mapped "DeviceID" to "principal.resource.product_object_id".
- Mapped "Filesize" to "target.file.size".
- Mapped "SHA256" to "target.file.sha256".
- Mapped "User1" to "principal.user.userid".
- Mapped "file_path" to "target.file.full_path".
- Mapped "GroupName" to "principal.group.group_display_name".
- Mapped "action_word" to "security_result.action_details".
- Mapped "Begin" to "vulnerabilities.scan_start_time".
- Mapped "EndTime" to "vulnerabilities.scan_end_time".
- Mapped "ScanID" to "principal.process.product_specific_process_id".
- Mapped "inter_host" to "intermediary.hostname".
- Mapped "inter_ip" to "intermediary.ip".
- Mapped "ActionType" to "additional.fields".
- Mapped "Rule" to "security_result.rule_name".
2022-10-10 - Mapped "category" to "security_result.category_details".
- Mapped "CIDS Signature ID" to "target.resource.attribute.labels".
- Mapped "CIDS Signature SubID" to "target.resource.attribute.labels".
- Mapped "CIDS Signature string" to "target.resource.attribute.labels".
- Mapped "Intrusion URL" to "principal.url".
- Mapped "User Name" to "principal.user.userid".
- Mapped "Actual action" to "security_result.action_details".
- Mapped "Application hash" to "target.file.sha256".
- Mapped "Application name" to "target.application".
- Mapped "Application type" to "target.resource.attribute.labels".
- Mapped "Certificate issuer" to "network.tls.server.certificate.issuer".
- Mapped "Certificate serial number" to "network.tls.server.certificate.serial".
- Mapped "Certificate signer" to "network.tls.server.certificate.subject".
- Mapped "Certificate thumbprint" to "network.tls.server.certificate.sha256".
- Mapped "Secondary action" to "target.resource.attribute.labels".
- Mapped "First Seen" to "security_result.detection_fields".
- Mapped "Risk Name" to "security_result.detection_fields".
- Mapped "Risk Type" to "security_result.detection_fields".
- Mapped "Permitted application reason" to "security_result.detection_fields".
- Mapped "Company name" to "target.user.company_name".
- Mapped "Computer name" to "principal.hostname".
- Mapped "Server Name" to "principal.asset.network_domain".
- Mapped "Confidence" to "security_result.description".
- Mapped "Detection Type" to "security_result.summary".
- Mapped "Group Name" to "principal.group.group_display_name".
- Mapped "Risk Level" to "security_result.severity_details".
- Mapped "File size (bytes)" to "target.file.size".
2022-09-21 Enhancement - Migrated custom parsers to default parser.
2022-08-12 Enhancement - Modified grok pattern to parse the logs.
Handled the dropped logs and mapped them to valid event_types.
- Dropped logs had following logType, which are now handled:
"REP", "SubmissionsMan", "SYLINK", "IPS", "SONAR", "SEC", "CVE", "LiveUpdate Manager; Messages related to definition updates",
"Antivirus detection submission".
- New conditions "msg1" containing "Create Process|GUP|RebootManager|Smc|WSS|Network Intrusion|Mitigation System" are handled.
- event_description containing "client-server activity logs|Got a valid certificate.|Replication .*from remote site|The database|received the client log successfully".
- Added new code block to handle the logType REP,SONAR,CVE,GUP,Smc,WSS made them parse.
- Changed event type from "GENERIC_EVENT" to "STATUS_UPDATE", "USER_UNCATEGORIZED", "NETWORK_CONNECTION", "STATUS_UNCATEGORIZED" wherever possible.
- Mapped "eventDescription" to "metadata.description".
- Mapped "hostName" to "principal.hostname".
- Mapped "machineDomainName" to "principal.administrative_domain".
- Mapped "domainName" to "target.administrative_domain".
- Mapped "serverName" to "intermediary.hostname".
- Mapped "userName" to "principal.user.userid".
- Mapped "siteName" to "read_only_udm.additional.fields".
2022-07-26 for the logs that has messageTmp as Site mapped the following fields:
- Mapped "eventDescription" to "metadata.description".
- Mapped "hostName" to "target.hostname".
- Mapped "machineDomainName" to "target.administrative_domain".
- Mapped "domainName" to "principal.administrative_domain".
- Mapped "serverName" to "principal.hostname".
- Mapped "userName" to "principal.user.userid".
- Mapped "siteName" to "read_only_udm.additional.fields".
2022-05-11 Parsed Event Timestamp log entries with the format "yyyy-MM-dd HH:mm:ss".