Change log for SYMANTEC_CASB
| Date | Changes |
|---|---|
| 2024-02-19 | Enhancement:
- Added support to parse JSON logs coming in single quotations. - Mapped "severity" to "security_result.severity_details". |
| 2024-02-16 | - Resolved flakiness issue by replacing "instance.0" with "instance" when it is not an array.
|
| 2024-02-11 | Enhancement:
- Added support for logs of format JSON. - Mapped "_id" to "metadata.product_log_id". - Mapped "__event_timestamp" to "metadata.event_timestamp". - Mapped "_elastic_timestamp", "created_timestamp", "inserted_timestamp", "updated_timestamp", "responsible_logs" and "sub_feature" to "additional.fields". - Mapped "threat_score", "locations", "transaction_id", "content_checks.dlp.raw_response.requestid", "content_checks.dlp.raw_response.responseaction", "org_unit", "policy_type", "content_checks.vk_pci", "content_checks.vk_vba_macros", "content_checks.vk_glba", "content_checks.vk_source_code", "content_checks.vk_pii", "content_checks.vk_virus", "content_checks.vk_hipaa", "content_checks.violations", "object_name", "multi_user", "risks", "name", "_latency", "content_checks.dlp.raw_response.warning", "content_checks.dlp.raw_response.violation", "content_checks.dlp.raw_response.contentdetails", "content_checks.vk_dlp_policy_violations", "content_checks.risktype_list", "content_checks.vk_content_iq_violations", "actions_taken", "__detect_source", "multi_facility", "content_checks.vba_macros.expressions" and "policy_violated" to "security_result.detection_fields". - Mapped "severity" to "security_result.severity". - Mapped "host" to "principal.hostname". - Mapped "file_size" to "product_data.file_size". - Mapped "source" to "principal.resource.attribute.labels". - Mapped "resource_id" to "target.resource.id". - Mapped "policy_action" to "security_result.action_details". - Mapped "object_type" to "target.resource.name". - Mapped "ioi_code" to "security_result.summary". - Mapped "user" to "principal.user.userid". - Mapped "content_checks.filename" to "target.file.full_path". - Mapped "content_checks.mimetype" to "target.file.mime_type". - Mapped "activity_type" to "metadata.product_event_type". - Mapped "service" to "target.application". - Mapped "_domain" to "target.hostname". - Mapped "hosts" to "principal.ip". - If "has_principal" is "true" then set "metadata.event_type" as "STATUS_UPDATE". - If "has_principal_user" is "true", "has_target" is "true" and "has_principal" is "false", then set "metadata.event_type" as "USER_UNCATEGORIZED". - If "has_principal_user" is "true", "has_target" is "true" and "has_principal" is "true", then set "metadata.event_type" as "USER_LOGIN". |