Stay organized with collections Save and categorize content based on your preferences.

Change log for SEP

Date Changes
2022-10-25 Enhancement:
- Mapped "EventDescription" to "metadata.description".
- Mapped "LocalHostIP","IPAddress","source_ip" to "principal.ip".
- Mapped "LocalHostMAC" to "principal.mac".
- Mapped "computer" to "principal.hostname"
- Mapped "guid" to "principal.asset.asset_id".
- Mapped "DeviceID" to "principal.resource.product_object_id".
- Mapped "Filesize" to "target.file.size".
- Mapped "SHA256" to "target.file.sha256".
- Mapped "User1" to "principal.user.userid".
- Mapped "file_path" to "target.file.full_path".
- Mapped "GroupName" to "principal.group.group_display_name".
- Mapped "action_word" to "security_result.action_details".
- Mapped "Begin" to "vulnerabilities.scan_start_time".
- Mapped "EndTime" to "vulnerabilities.scan_end_time".
- Mapped "ScanID" to "principal.process.product_specific_process_id".
- Mapped "inter_host" to "intermediary.hostname".
- Mapped "inter_ip" to "intermediary.ip".
- Mapped "ActionType" to "additional.fields".
- Mapped "Rule" to "security_result.rule_name".
2022-10-10 - Mapped "category" to "security_result.category_details".
- Mapped "CIDS Signature ID" to "target.resource.attribute.labels".
- Mapped "CIDS Signature SubID" to "target.resource.attribute.labels".
- Mapped "CIDS Signature string" to "target.resource.attribute.labels".
- Mapped "Intrusion URL" to "principal.url".
- Mapped "User Name" to "principal.user.userid".
- Mapped "Actual action" to "security_result.action_details".
- Mapped "Application hash" to "target.file.sha256".
- Mapped "Application name" to "target.application".
- Mapped "Application type" to "target.resource.attribute.labels".
- Mapped "Certificate issuer" to "network.tls.server.certificate.issuer".
- Mapped "Certificate serial number" to "network.tls.server.certificate.serial".
- Mapped "Certificate signer" to "network.tls.server.certificate.subject".
- Mapped "Certificate thumbprint" to "network.tls.server.certificate.sha256".
- Mapped "Secondary action" to "target.resource.attribute.labels".
- Mapped "First Seen" to "security_result.detection_fields".
- Mapped "Risk Name" to "security_result.detection_fields".
- Mapped "Risk Type" to "security_result.detection_fields".
- Mapped "Permitted application reason" to "security_result.detection_fields".
- Mapped "Company name" to "target.user.company_name".
- Mapped "Computer name" to "principal.hostname".
- Mapped "Server Name" to "principal.asset.network_domain".
- Mapped "Confidence" to "security_result.description".
- Mapped "Detection Type" to "security_result.summary".
- Mapped "Group Name" to "principal.group.group_display_name".
- Mapped "Risk Level" to "security_result.severity_details".
- Mapped "File size (bytes)" to "target.file.size".
2022-09-21 Enhancement - Migrated custom parsers to default parser.
2022-08-12 Enhancement - Modified grok pattern to parse the logs.
Handled the dropped logs and mapped them to valid event_types.
- Dropped logs had following logType, which are now handled:
"REP", "SubmissionsMan", "SYLINK", "IPS", "SONAR", "SEC", "CVE", "LiveUpdate Manager; Messages related to definition updates",
"Antivirus detection submission".
- New conditions "msg1" containing "Create Process|GUP|RebootManager|Smc|WSS|Network Intrusion|Mitigation System" are handled.
- event_description containing "client-server activity logs|Got a valid certificate.|Replication .*from remote site|The database|received the client log successfully".
- Added new code block to handle the logType REP,SONAR,CVE,GUP,Smc,WSS made them parse.
- Changed event type from "GENERIC_EVENT" to "STATUS_UPDATE", "USER_UNCATEGORIZED", "NETWORK_CONNECTION", "STATUS_UNCATEGORIZED" wherever possible.
- Mapped "eventDescription" to "metadata.description".
- Mapped "hostName" to "principal.hostname".
- Mapped "machineDomainName" to "principal.administrative_domain".
- Mapped "domainName" to "target.administrative_domain".
- Mapped "serverName" to "intermediary.hostname".
- Mapped "userName" to "principal.user.userid".
- Mapped "siteName" to "read_only_udm.additional.fields".
2022-07-26 for the logs that has messageTmp as Site mapped the following fields:
- Mapped "eventDescription" to "metadata.description".
- Mapped "hostName" to "target.hostname".
- Mapped "machineDomainName" to "target.administrative_domain".
- Mapped "domainName" to "principal.administrative_domain".
- Mapped "serverName" to "principal.hostname".
- Mapped "userName" to "principal.user.userid".
- Mapped "siteName" to "read_only_udm.additional.fields".
2022-05-11 Parsed Event Timestamp log entries with the format "yyyy-MM-dd HH:mm:ss".