Change log for SONIC_FIREWALL

Date Changes
2024-11-05 Enhancement:
- Mapped "firewall_serial_number" to "intermediary.asset_id" and "firewall_hostname" to "intermediary.hostname".
2024-09-05 Enhancement:
- If "fw_action" is equal to "NA", then changed the mapping of "security_result.action" from "UNKNOWN_ACTION" to "BLOCK".
2024-06-06 Enhancement:
- Mapped the "C" field to "additional.fields".
- Mapped the "gcat" field to "additional.fields".
- Mapped "note" to "additional.fields".
- Mapped "n" to "additional.fields".
- Mapped "vpnpolicyDst" to "additional.fields".
- Mapped "FileId" to "additional.fields".
- Mapped "dur" to "additional.fields".
- Mapped "m" to "additional.fields".
2024-06-04 Enhancement:
- Removed alignment of "principal.asset.ip" and "target.asset.ip".
- If the IP value is in range-format, then "src" and "dst" are mapped to "additional.fields".
- Mapped "gw" to "intermediary.ip".
2024-05-29 Enhancement:
- Mapped "firewall_hostname" to "intermediary.hostname".
- Modified the Grok pattern to parse the field "sn".
- Mapped "sn" to "intermediary.asset_id".
2024-05-29 Enhancement:
- Mapped "firewall_hostname" to "intermediary.hostname".
- Modified the Grok pattern to parse the field "sn".
- Mapped "sn" to "intermediary.asset_id".
2024-04-18 Enhancement:
- Changed the mapping of "fw" from "observer.ip" to "principal.ip".
- Changed the mapping of "id" from "resource.id" to "principal.hostname".
2023-05-26 Enhancement -
- Mapped "fw_action" to "security_result.action_details".
- Mapped "spkt" to "network.sent_packets".
2023-03-08 Enhancement -
- Added a condition check to "User" field to parse the appropriate field (i.e. principal.user.email_addresses or principal.user.user_display_name or principal.user.userid).
- Removed "pri" from "security_result.detection_fields" and mapped it to "security_result.severity".
- Mapped "usr" to "principal.user.email_addresses".
- Mapped "vpnpolicy" field to "security_result.detection_fields".
- Mapped "cdur" field to "security_result.detection_fields".
- Mapped "sess" field to "security_result.detection_fields".
2023-03-06 Enhancement -
- Mapped "fw" to "observer.ip" instead of target.ip.
2023-02-22 Enhancement -
- Events are parsing traffic as "NETWORK_HTTP" are mapped to "NETWORK_CONNECTION" instead, when the protocol is not HTTP.
- Mapped "msg" to "security_result.summary" where "fw_action" is equal to "drop" Mapped "BLOCK" to "security_result.action".
- Mapped "fw" to "observer.ip" and "src" to "principal.ip".
2022-06-24 Enhancement -
- Mapped "msg" to "security_result.summary".
- Where "fw_action" is equal to "drop" Mapped "BLOCK" to "security_result.action".
- Mapped "sent" to "network.sent_bytes".
- Mapped "rcvd" to "network.received_bytes".
- Mapped "usr" to "principal.user.userid".
- Mapped "pri" to "additional.fields".
- Mapped "sn" to "additional.fields".
- Mapped "id" to "target.resource.id".
2022-05-26 Bug fix-
Mapped duration to network.session_duration.seconds.
Mapped user to principal.user.userid.
Mapped agent to network.http.user_agent.
Mapped avgThroughput to target.resource.attribute.labels.
Mapped bytesIn to network.sent_bytes.
Mapped bytesOut to network.received_bytes.
Mapped bytesTotal to target.resource.attribute.labels.
Mapped maxThroughput to target.resource.attribute.labels.
Mapped dst to target.ip.
Mapped fw to principal.ip.
Mapped pri to event.idm.read_only_udm.additional.fields.
2022-05-19 Enhancement - Converted parser from SDM to UDM (changed mapping from webproxy fields to event fields).