Change log for SNARE_SOLUTIONS
| Date | Changes |
|---|---|
| 2025-02-25 | Enhancement:
- Added "gsub" to parse the fields. - Mapped "service_account" to "target.resource.name". - Mapped "service_start_type" to "additional.fields". - Mapped "service_type" to "additional.fields". - Mapped "service_file_name" to "target.file.full_path". - Mapped "SubjectLogonId" to "additional.fields". |
| 2025-02-05 | Enhancement:
- Changed the key name of field "EventType" from "EventType" to "System_Keywords". - Changed the key name of field "EventCategory" from "EventCategory" to "Task". - Mapped "TicketEncryptionType" and "TicketOptions" to "additional.fields". - Mapped "application" to "target.application". - Mapped "src_ip" to "principal.ip" and "principal.asset.ip". - Mapped "Account Name" to "target.user.userid". |
| 2025-02-04 | Enhancement:
- Changed mapping for "network_information_source_network_address" from "target.ip" and "target.asset.ip" to "src.ip". - Mapped "Process_ProviderPath" to "principal.process.file.full_path". - Mapped "subject_user" to "principal.user.userid". - Mapped "subject_account_domain1" to "principal.administrative_domain". |
| 2024-12-26 | Enhancement:
- Added a Grok pattern to support new pattern of syslog logs. - Mapped "source_workstation" to "additional.fields". - Mapped "error_code" to "security_result.description". |
| 2024-11-14 | Enhancement:
- Added support for a new format of SYSLOG+JSON logs. - Mapped "event_id" to "additional.fields". - Mapped "log_name" to "principal.application". - Mapped "workstation_name" to "target.hostname". - Mapped "keyword" to "security_result.summary". - Mapped "event_action" to "security_result.description". |
| 2024-07-31 | Enhancement:
- Added support for a new format of SYSLOG logs. |
| 2024-06-06 | Enhancement:
- Mapped "network_information_workstation_name" to "target.hostname". - Mapped "intermediary.ip". - Mapped "target.user.userid". |
| 2024-06-04 | Enhancement:
- Added a new Grok pattern to parse the "SYSLOG + KV" format logs. - Mapped "EventCategory" and "EventlogType" to "additional.fields". - Mapped "filter_runtime_id", "layer_name", and "layer_runtime_id" to "security_result.detection_fields". |
| 2024-05-31 | Enhancement:
- Mapped "target.user.userid" to have the second part of value. - Mapped event IDs to "metadata.product_event_type". |
| 2024-05-20 | Enhancement:
- Mapped "logon type" to "extensions.auth.auth_details". |
| 2024-04-17 | Enhancement:
- Supported new Microsoft Windows event logs. |
| 2024-01-24 | Enhancement:
- Added Grok patterns to parse dropped "SYSLOG + KV" format logs. - Mapped "ts" to "metadata.event_timestamp". - Mapped "hostname" and "src_host" to "principal.asset.hostname". - Mapped "src_ip" to "principal.asset.ip". - Mapped "Namespace" to "principal.user.userid". - Mapped "ClientProcessID" to "principal.process.pid". - Mapped "HostApplication" to "principal.application". - Mapped "Id" to "principal.resource.product_object_id". - Mapped "ip_protocol" to "network.ip_protocol". - Mapped "event_id" and "Component" to "additional.fields". - Mapped "NotificationQuery", "PossibleCause", "Operation" and "ResultCode" to "security_result.detection_fields". - Mapped "ProviderName", "NewProviderState", "SequenceNumber", "HostName", "HostVersion", "HostId", ""EngineVersion", "RunspaceId", "PipelineId", "CommandName", "ScriptName", "CommandPath", "Volume_GUID", and "Volume_name" to "principal.resource.attribute.labels". |
| 2022-07-29 | Newly created parser
|