Change log for SOURCEFIRE_IDS
Date | Changes |
---|---|
2024-12-06 | Enhancement:
- Mapped "fileShaHash.data" to "principal.file.sha256". - Mapped "fileShaHash.blockType", "fileShaHash.blockLength", "fileName.data", "fileName.blockType", and "fileName.blockLength" to "additional.fields". |
2024-07-22 | Enhancement:
- Added support to parse a new pattern of JSON logs. - Mapped "MessageSourceAddress" to "principal.ip". - Mapped "Hostname" to "principal.hostname". - Mapped "SourceModuleName" and "SourceModuleType" to "principal.resource.attribute.labels". - Mapped "SyslogFacility", "SyslogSeverity", "DeviceUUID", "GID", and "Revision" to "security_result.detection_fields". |
2024-03-07 | Enhancement:
- Mapped "httpURI.data" to "target.url". - Mapped "sourcePortOrIcmpType" to "principal.port". - Mapped "destinationPortOrIcmpType" to "target.port". - Mapped "@computed.blocked" to "security_result.action_details". - Mapped "blockType", "policyUuid", "recordLength", "accessControlRuleId", "connectionInstanceId", "@computed.message", "egressVRFName.data", "ingressVRFName.data", "smptTo.blockType", "smtpHeaders.blockType", "smtpFrom.blockType", "smtpAttachments.blockType", "egressVRFName.blockType", "httpURI.blockType", "httpHostname.blockType", "ingressVRFName.blockType", "httpHostname.data", "smptTo.data", "smtpHeaders.data", "smtpAttachments.data", "smtpFrom.data", "blockedReasonId" and "@computed.blockedReasonId" to "security_result.detection_fields". - Aligned "principal.ip" and "principal.hostname" mappings. - Aligned "principal.hostname" and "principal.asset.hostname" mappings. - Aligned "target.ip" and "target.asset.ip" mappings. |
2023-07-06 | Enhancement -
- Handled logs where "recordType = 2". - Mapped "packetLength", "packetData", "packetSecond", and "packetMicroSecond" to "additional" UDM fields. - Modified "GENERIC_EVENT" "metadata.event_type" to "USER_RESOURCE_ACCESS" for logs where "recordType = 2". - Handled logs in CEF format. |
2022-11-07 | Enhancement -
- Handled unparsed logs by adding new field mapping. - Mapped "IntrusionPolicy" to "additional.fields". - Mapped "IngressInterface" to "asset.attribute.labels". - Mapped "IngressZone" to "location.name". - Mapped "EgressInterface" to "asset.attribute.labels". - Mapped "EgressZone" to "location.name". - Mapped "InlineResult" to "security_result.action". - Mapped "Client" to "http.user_agent". - Mapped "ApplicationProtocol" to "network.application_protocol". - Mapped "Classification" to "security_result.threat_name". - Mapped "User" to "security_result.action_details". - Mapped "Message" to "metadata.description". - Mapped "Severity" to ""security_result.severity". - Mapped "Priority" to "security_result.priority". - Mapped "SeverityValue" to "security_result.severity". |
2022-08-22 | Enhancement -
- Handled unparsed logs by adding new grok pattern. - Modified "GENERIC_EVENT" event_type to "STATUS_UPDATE" wherever possible. |
2022-06-09 | Bug - Parsed logs of kv format (FTD)
Mapped following fields- - Mapped "sourceHostname" to "principal.hostname". - Mapped "DstIP" to "target.ip". - Mapped "SrcIP" to "principal.ip". - Mapped "DstPort" to "target.port". - Mapped "SrcPort" to "principal.port". - Mapped "Protocol" to "network.ip_protocol". - Mapped "InitiatorBytes" to "network.sent_bytes". - Mapped "ResponderBytes" to "network.received_bytes". - Mapped "NAPPolicy" to "security_result.description". - Mapped "EventPriority" to "security_result.severity". - Mapped "AccessControlRuleName" to "security_result.rule_name". - Mapped "ACPolicy" to "principal.resource.name". - Mapped "ACCESS_POLICY" to "principal.resource.resource_type". - Mapped "event_type" according to log values. |