Change log for SOURCEFIRE_IDS

Date Changes
2024-07-22 Enhancement:
- Added support to parse a new pattern of JSON logs.
- Mapped "MessageSourceAddress" to "principal.ip".
- Mapped "Hostname" to "principal.hostname".
- Mapped "SourceModuleName" and "SourceModuleType" to "principal.resource.attribute.labels".
- Mapped "SyslogFacility", "SyslogSeverity", "DeviceUUID", "GID", and "Revision" to "security_result.detection_fields".
2024-03-07 Enhancement:
- Mapped "httpURI.data" to "target.url".
- Mapped "sourcePortOrIcmpType" to "principal.port".
- Mapped "destinationPortOrIcmpType" to "target.port".
- Mapped "@computed.blocked" to "security_result.action_details".
- Mapped "blockType", "policyUuid", "recordLength", "accessControlRuleId", "connectionInstanceId", "@computed.message", "egressVRFName.data", "ingressVRFName.data", "smptTo.blockType", "smtpHeaders.blockType", "smtpFrom.blockType", "smtpAttachments.blockType", "egressVRFName.blockType", "httpURI.blockType", "httpHostname.blockType", "ingressVRFName.blockType", "httpHostname.data", "smptTo.data", "smtpHeaders.data", "smtpAttachments.data", "smtpFrom.data", "blockedReasonId" and "@computed.blockedReasonId" to "security_result.detection_fields".
- Aligned "principal.ip" and "principal.hostname" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
- Aligned "target.ip" and "target.asset.ip" mappings.
2023-07-06 Enhancement -
- Handled logs where "recordType = 2".
- Mapped "packetLength", "packetData", "packetSecond", and "packetMicroSecond" to "additional" UDM fields.
- Modified "GENERIC_EVENT" "metadata.event_type" to "USER_RESOURCE_ACCESS" for logs where "recordType = 2".
- Handled logs in CEF format.
2022-11-07 Enhancement -
- Handled unparsed logs by adding new field mapping.
- Mapped "IntrusionPolicy" to "additional.fields".
- Mapped "IngressInterface" to "asset.attribute.labels".
- Mapped "IngressZone" to "location.name".
- Mapped "EgressInterface" to "asset.attribute.labels".
- Mapped "EgressZone" to "location.name".
- Mapped "InlineResult" to "security_result.action".
- Mapped "Client" to "http.user_agent".
- Mapped "ApplicationProtocol" to "network.application_protocol".
- Mapped "Classification" to "security_result.threat_name".
- Mapped "User" to "security_result.action_details".
- Mapped "Message" to "metadata.description".
- Mapped "Severity" to ""security_result.severity".
- Mapped "Priority" to "security_result.priority".
- Mapped "SeverityValue" to "security_result.severity".
2022-08-22 Enhancement -
- Handled unparsed logs by adding new grok pattern.
- Modified "GENERIC_EVENT" event_type to "STATUS_UPDATE" wherever possible.
2022-06-09 Bug - Parsed logs of kv format (FTD)
Mapped following fields-
- Mapped "sourceHostname" to "principal.hostname".
- Mapped "DstIP" to "target.ip".
- Mapped "SrcIP" to "principal.ip".
- Mapped "DstPort" to "target.port".
- Mapped "SrcPort" to "principal.port".
- Mapped "Protocol" to "network.ip_protocol".
- Mapped "InitiatorBytes" to "network.sent_bytes".
- Mapped "ResponderBytes" to "network.received_bytes".
- Mapped "NAPPolicy" to "security_result.description".
- Mapped "EventPriority" to "security_result.severity".
- Mapped "AccessControlRuleName" to "security_result.rule_name".
- Mapped "ACPolicy" to "principal.resource.name".
- Mapped "ACCESS_POLICY" to "principal.resource.resource_type".
- Mapped "event_type" according to log values.