Change log for SONIC_FIREWALL
| Date | Changes |
|---|---|
| 2024-09-05 | Enhancement:<br>- If "fw_action" is equal to "NA", changed the mapping of "security_result.action" from "UNKNOWN_ACTION" to "BLOCK". |
| 2024-06-06 | Enhancement:<br>- Mapped the "C" field to "additional.fields".<br>- Mapped the "gcat" field to "additional.fields".<br>- Mapped "note" to "additional.fields".<br>- Mapped "n" to "additional.fields".<br>- Mapped "vpnpolicyDst" to "additional.fields".<br>- Mapped "FileId" to "additional.fields".<br>- Mapped "dur" to "additional.fields".<br>- Mapped "m" to "additional.fields". |
| 2024-06-04 | Enhancement:<br>- Removed alignment of "principal.asset.ip" and "target.asset.ip".<br>- If the IP value is in range format, "src" and "dst" are mapped to "additional.fields".<br>- Mapped "gw" to "intermediary.ip". |
| 2024-05-29 | Enhancement:<br>- Mapped "firewall_hostname" to "intermediary.hostname".<br>- Modified the Grok pattern to parse the field "sn".<br>- Mapped "sn" to "intermediary.asset_id". |
| 2024-04-18 | Enhancement:<br>- Changed the mapping of "fw" from "observer.ip" to "principal.ip".<br>- Changed the mapping of "id" from "resource.id" to "principal.hostname". |
| 2023-05-26 | Enhancement:<br>- Mapped "fw_action" to "security_result.action_details".<br>- Mapped "spkt" to "network.sent_packets". |
| 2023-03-08 | Enhancement:<br>- Added a condition check on the "User" field to parse it into the appropriate field (i.e. "principal.user.email_addresses", "principal.user.user_display_name" or "principal.user.userid").<br>- Removed "pri" from "security_result.detection_fields" and mapped it to "security_result.severity".<br>- Mapped "usr" to "principal.user.email_addresses".<br>- Mapped the "vpnpolicy" field to "security_result.detection_fields".<br>- Mapped the "cdur" field to "security_result.detection_fields".<br>- Mapped the "sess" field to "security_result.detection_fields". |
| 2023-03-06 | Enhancement:<br>- Mapped "fw" to "observer.ip" instead of "target.ip". |
| 2023-02-22 | Enhancement:<br>- Events that were parsed as "NETWORK_HTTP" are now mapped to "NETWORK_CONNECTION" instead when the protocol is not HTTP.<br>- Mapped "msg" to "security_result.summary".<br>- Where "fw_action" is equal to "drop", mapped "BLOCK" to "security_result.action".<br>- Mapped "fw" to "observer.ip" and "src" to "principal.ip". |
| 2022-06-24 | Enhancement:<br>- Mapped "msg" to "security_result.summary".<br>- Where "fw_action" is equal to "drop", mapped "BLOCK" to "security_result.action".<br>- Mapped "sent" to "network.sent_bytes".<br>- Mapped "rcvd" to "network.received_bytes".<br>- Mapped "usr" to "principal.user.userid".<br>- Mapped "pri" to "additional.fields".<br>- Mapped "sn" to "additional.fields".<br>- Mapped "id" to "target.resource.id". |
| 2022-05-26 | Bug fix:<br>- Mapped "duration" to "network.session_duration.seconds".<br>- Mapped "user" to "principal.user.userid".<br>- Mapped "agent" to "network.http.user_agent".<br>- Mapped "avgThroughput" to "target.resource.attribute.labels".<br>- Mapped "bytesIn" to "network.sent_bytes".<br>- Mapped "bytesOut" to "network.received_bytes".<br>- Mapped "bytesTotal" to "target.resource.attribute.labels".<br>- Mapped "maxThroughput" to "target.resource.attribute.labels".<br>- Mapped "dst" to "target.ip".<br>- Mapped "fw" to "principal.ip".<br>- Mapped "pri" to "event.idm.read_only_udm.additional.fields". |
| 2022-05-19 | Enhancement:<br>- Converted the parser from SDM to UDM (changed the mapping from webproxy fields to event fields). |
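As an added illustration that is not the SONIC_FIREWALL parser's own code, the following Python models several rules from the log above (the "fw_action" to "security_result.action" rule, the range-format "src"/"dst" rule, the "User" condition check, the NETWORK_HTTP vs NETWORK_CONNECTION rule, and the "pri", "duration" and "msg" mappings) on a constructed record. The shape of a range-format IP, the exact test used for the user field, and "UNKNOWN_ACTION" as the fallback for other "fw_action" values are assumptions.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RANGE = re.compile("^" + IPV4 + "-" + IPV4 + "$")  # assumed shape of a range-format value

# Constructed sample record: field names follow the change log, values are made up.
SAMPLE = ('src=10.0.0.7 dst=198.51.100.2-198.51.100.9 gw=10.0.0.1 '
          'proto=tcp/dns fw_action=NA user=alice@example.com pri=6 '
          'duration=42 msg="Connection Dropped"')

def parse_kv(line):
    """Split a key=value record; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def map_action(fw_action):
    """2022-06-24 and 2024-09-05 rules: "drop" and "NA" both yield BLOCK (fallback assumed)."""
    return "BLOCK" if fw_action in ("drop", "NA") else "UNKNOWN_ACTION"

def user_target(value):
    """2023-03-08 condition check on the user field; the exact test is an assumption."""
    if "@" in value:
        return "principal.user.email_addresses"
    return "principal.user.user_display_name" if " " in value else "principal.user.userid"

def to_udm(line):
    """Apply the mapping rules to one record; returns a dict keyed by dotted UDM path."""
    raw = parse_kv(line)
    udm = {"additional.fields": {}}
    # 2023-02-22: only HTTP traffic keeps NETWORK_HTTP
    proto = raw.get("proto", "").lower().split("/")[-1]
    udm["metadata.event_type"] = "NETWORK_HTTP" if proto == "http" else "NETWORK_CONNECTION"
    # 2024-06-04: plain IPs go to the UDM IP fields, range-format values to additional.fields
    for field, target in (("src", "principal.ip"), ("dst", "target.ip")):
        if field in raw:
            if IP_RANGE.match(raw[field]):
                udm["additional.fields"][field] = raw[field]
            else:
                udm[target] = raw[field]
    if "gw" in raw:
        udm["intermediary.ip"] = raw["gw"]
    if "fw_action" in raw:
        udm["security_result.action"] = map_action(raw["fw_action"])
        udm["security_result.action_details"] = raw["fw_action"]  # 2023-05-26
    if "user" in raw:
        udm[user_target(raw["user"])] = raw["user"]
    if "pri" in raw:
        udm["security_result.severity"] = raw["pri"]  # 2023-03-08
    if "duration" in raw:
        udm["network.session_duration.seconds"] = int(raw["duration"])  # 2022-05-26
    if "msg" in raw:
        udm["security_result.summary"] = raw["msg"]
    return udm
```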