Change log for STIX
Date | Changes |
---|---|
2024-11-07 | Enhancement: Added a Grok pattern to parse unparsed logs. |
2024-10-15 | Enhancement:<br>- Added support to parse unparsed logs.<br>- Removed duplicate code.<br>- Renamed field "extension-definition--322b8f77-262a-4cb8-a915-1e441e00329b" to "mitre-extension-definition" and mapped "mitre-extension-definition.extension_type" to "entity.resource.attribute.labels.value".<br>- Renamed field "extension-definition--f93e2c80-4231-4f9a-af8b-95c9bd566a82" to "sco-extension-definition" and mapped "sco-extension-definition.extension_type" to "entity.resource.attribute.labels.value". |
2024-09-25 | Enhancement: Mapped "x_ctix_confidence_score" to "threat_detail.confidence_score". |
2024-09-20 | Enhancement:<br>- Added a drop statement to drop unsupported logs.<br>- Mapped "modified" to "timestamp".<br>- Mapped "valid_from" to "entity_event.metadata.interval.start_time".<br>- Added support for logs with the "pattern" value "hostname:value".<br>- If the "entity_type" field is not equal to "File", then mapped "valid_until" to "entity_event.metadata.interval.end_time". |
2024-09-19 | Enhancement:<br>- Added new Grok patterns to parse the field "pattern".<br>- Mapped "valid_until" to "metadata.interval.end_time". |
2024-09-18 | Enhancement:<br>- Added support for logs with the "pattern" value "ipv4:addr".<br>- Added support for logs with the "main_observable_type" value "Hostname".<br>- Mapped "confidence" to "threat_detail.confidence_score".<br>- When "main_observable_type" is "StixFile", mapped "name" to "entity.entity.file.full_path". |
2024-03-06 | Enhancement: Added support for logs with the "type" value "indicator". |
2024-02-07 | Enhancement:<br>- Added support for entity field mappings for a new set of ingested logs.<br>- Mapped "description" to "threat_detail.description".<br>- Mapped "external_references.0.source_name" to "entity_event.entity.hostname".<br>- Mapped fields present in the nested JSON field "extensions.extension-definition" to "threat_detail.detection_fields". |
2023-11-08 | Enhancement:<br>- Added support for entity field mappings for a new set of ingested logs.<br>- Mapped "entity_type" to "IP_ADDRESS" and "entity_event.entity.ip" to "ip" for "pattern" = "ipv4-addr".<br>- Mapped "entity_type" to "USER" and "entity_event.entity.user.email_addresses" to "mail" for "pattern" = "email-addr".<br>- Mapped "entity_type" to "FILE" and "entity_event.entity.file.sha256" to "sha256val", "entity_event.entity.file.md5" to "MD5_val" and "entity_event.entity.file.sha1" to "sha1_val" for "pattern" = "file:hashes".<br>- Mapped "entity_type" to "DOMAIN_NAME" and "entity_event.entity.hostname" to "dom" for "pattern" = "domain-name".<br>- Mapped "entity_type" to "URL" and "entity_event.entity.url" to "url_val" for "pattern" = "url:value". |
2023-03-24 | Enhancement: Added support for entity field mappings. |
2022-12-12 | Bug Fix:<br>- Mapped timestamp to "metadata.event_timestamp".<br>- Added Grok patterns to identify the type of log.<br>- Added type-specific blocks such as 'md5', 'sha1', 'sha256', 'domain-name' and 'mal_file_name'. |
2022-12-03 | Bug Fix: Parsed unparsed logs.<br>- Added Grok patterns to identify the type of log.<br>- Added type-specific blocks such as 'mal_md5' and 'mal_url'.<br>- Parsed 'SHA-512' into 'security_result.detection_fields' because of its large size. |
2022-11-27 | Newly created parser. |
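The mapping rules recorded in the change log (classify an indicator by its STIX `pattern`, set `entity_type`, fill the matching entity field, carry confidence, description and validity window, drop non-indicator objects, and push SHA-512 into `security_result.detection_fields`), as an added worked example. This is not the product's parser: the Python below is an illustrative reimplementation. The UDM-style field names are taken from the table; the sample indicators are constructed, the `main_observable_type` key, the target for `hostname:value` and the regex standing in for the Grok patterns are assumptions.

```python
import re

# Constructed sample STIX 2.1 objects (not from the page).
SAMPLE_LOGS = [
    {
        "type": "indicator", "id": "indicator--1", "name": "c2 host",
        "pattern": "[ipv4-addr:value = '203.0.113.7']",
        "confidence": 85, "description": "Known C2",
        "modified": "2024-09-20T10:00:00.000Z",
        "valid_from": "2024-09-01T00:00:00.000Z",
        "valid_until": "2024-12-01T00:00:00.000Z",
    },
    {
        "type": "indicator", "id": "indicator--2", "name": "dropper.exe",
        "main_observable_type": "StixFile",  # assumed key name
        "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64
                   + "' AND file:hashes.MD5 = '" + "b" * 32 + "']",
        "x_ctix_confidence_score": 60,
        "modified": "2024-09-20T10:00:00.000Z",
        "valid_from": "2024-09-01T00:00:00.000Z",
        "valid_until": "2024-12-01T00:00:00.000Z",
    },
    {"type": "relationship", "id": "relationship--3"},
    {"type": "indicator", "id": "indicator--4",
     "pattern": "[email-addr:value = 'phish@example.net']"},
    {"type": "indicator", "id": "indicator--5",
     "pattern": "[file:hashes.'SHA-512' = '" + "c" * 128 + "']"},
]

# One STIX comparison expression: <object>:<property> = '<literal>'.
# Stands in for the Grok patterns the change log mentions (assumption).
COMPARISON_RE = re.compile(
    r"(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<val>[^']*)'"
)

# Hash algorithms that get a dedicated file field; anything else (e.g. SHA-512)
# goes to security_result.detection_fields, as the 2022-12-03 entry describes.
HASH_FIELDS = {"MD5": "entity.file.md5", "SHA-1": "entity.file.sha1",
               "SHA-256": "entity.file.sha256"}

# Observable types keyed on <object>:value, per the 2023-11-08 entry.
# The hostname target is an assumption; the page only says it is supported.
VALUE_FIELDS = {
    "ipv4-addr": ("IP_ADDRESS", "entity.ip"),
    "email-addr": ("USER", "entity.user.email_addresses"),
    "domain-name": ("DOMAIN_NAME", "entity.hostname"),
    "url": ("URL", "entity.url"),
    "hostname": ("DOMAIN_NAME", "entity.hostname"),
}


def map_indicator(obj):
    """Return a flat dict of UDM-style fields, or None if the log is dropped."""
    if obj.get("type") != "indicator":
        return None  # drop statement for unsupported object types
    comparisons = COMPARISON_RE.findall(obj.get("pattern", ""))
    out = {}
    for stix_obj, prop, val in comparisons:
        if stix_obj == "file" and prop.startswith("hashes."):
            algo = prop[len("hashes."):].strip("'")  # hashes.'SHA-256' -> SHA-256
            out["entity_type"] = "FILE"
            if algo in HASH_FIELDS:
                out[HASH_FIELDS[algo]] = val
            else:
                out.setdefault("security_result.detection_fields", []).append(
                    {"key": algo, "value": val})
        elif prop == "value" and stix_obj in VALUE_FIELDS:
            entity_type, field = VALUE_FIELDS[stix_obj]
            out["entity_type"] = entity_type
            out[field] = val
    if "entity_type" not in out:
        return None  # pattern not recognised: nothing to build an entity from
    if obj.get("main_observable_type") == "StixFile" and obj.get("name"):
        out["entity.file.full_path"] = obj["name"]
    conf = obj.get("confidence", obj.get("x_ctix_confidence_score"))
    if conf is not None:
        out["threat_detail.confidence_score"] = conf
    if obj.get("description"):
        out["threat_detail.description"] = obj["description"]
    if obj.get("modified"):
        out["timestamp"] = obj["modified"]
    if obj.get("valid_from"):
        out["metadata.interval.start_time"] = obj["valid_from"]
    # valid_until is only carried for non-File entities (2024-09-20 entry).
    if obj.get("valid_until") and out["entity_type"] != "FILE":
        out["metadata.interval.end_time"] = obj["valid_until"]
    return out


def map_all(logs):
    """Map a batch, silently dropping objects the rules do not cover."""
    return [m for m in (map_indicator(o) for o in logs) if m is not None]


if __name__ == "__main__":
    for record in map_all(SAMPLE_LOGS):
        print(record)
```

Running the block maps four of the five constructed objects; the `relationship` object is dropped, the file indicator gets `sha256`, `md5` and `full_path` but no `end_time`, and the SHA-512 value lands in `security_result.detection_fields` instead of a hash field.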