Change log for SURICATA_EVE

Date Changes
2022-08-17 Enhancement -
- Mapped dest_ip to target.ip.
- Modified mapping of security_result.severity from critical to high where severity is 1.
- Added a grok to parse logs with syslog header.
2022-07-25 Enhancement -
- Mapped "process.executable" to "principal.process.file.full_path".
- Mapped "process.pid" to "principal.process.pid".
- Mapped "process.command_line" to "principal.process.command_line".
- Mapped "service.type" to "additional.fields".
- Mapped "event.dataset" to "about.labels".
- Mapped "event.module" to "about.labels".
- Mapped "event.duration" to "about.labels".
- Mapped "agent.id" to "metadata.product_log_id".
- Mapped "agent.type" to "metadata.product_event_type".
- Mapped "agent.version" to "metadata.product_version".
- Mapped "agent.hostname" to "principal.hostname".
- Mapped "agent.name" to "principal.hostname".
- Mapped "agent.ephemeral_id" to "additional.fields".
- Mapped "ecs.version" to "principal.asset.attribute.labels".
- Mapped "process.args" to "about.file.capabilities_tags".
2022-07-08 Enhancement -
- Added mappings for the following fields:
  - 'tls.sni' mapped to 'target.hostname'.
  - 'tls.issuerdn' mapped to 'network.tls.client.certificate.issuer'.
  - 'tls.subject' mapped to 'network.tls.client.certificate.subject'.
  - 'tls.serial' mapped to 'network.tls.client.certificate.serial'.
  - 'tls.fingerprint' mapped to 'network.tls.client.certificate.sha256'.
  - 'tls.version' mapped to 'network.tls.version'.
  - 'tls.ja3.hash' mapped to 'network.tls.client.ja3'.
  - 'tls.ja3s.hash' mapped to 'network.tls.server.ja3s'.
  - 'tls.notbefore' mapped to 'network.tls.client.certificate.not_before'.
  - 'tls.notafter' mapped to 'network.tls.client.certificate.not_after'.
  - 'tls.sni' mapped to 'network.tls.client.server_name'.
- Modified the mappings for the following fields:
  - If 'alert.severity' has a value of 0, 1, or 2, then 'security_result.severity' is mapped to CRITICAL.
  - If 'alert.severity' has a value of 3 or 4, then 'security_result.severity' is mapped to HIGH.
  - If 'alert.severity' has a value of 5, 6, or 7, then 'security_result.severity' is mapped to LOW.