Change log for SYMANTEC_EVENT_EXPORT
Date | Changes
---|---
2024-12-04 | Enhancement:<br>- Mapped "cybox.path" to "target.file.full_path".<br>- Mapped "cybox.size" to "target.file.size".<br>- If "id" is "1", mapped "security_result.action" to "BLOCK"; else if "id" is "2", mapped "security_result.action" to "ALLOW"; else if "id" is in ["3","4","5","6","7"], mapped "security_result.action" to "ALLOW_WITH_MODIFICATION"; else if "id" is "12", mapped "security_result.action" to "QUARANTINE".<br>- Mapped "audit" to "additional.fields".<br>- If "policy.rulename" contains "File and Folder Access Attempts", mapped "file.name" to "principal.file.names".<br>- If "device_os_type_id" is "100", mapped "principal.platform" to "WINDOWS".<br>- If "device_os_type_id" is "200", mapped "principal.platform" to "LINUX".<br>- If "device_os_type_id" is "300", mapped value "SOLARIS" to "additional.fields".<br>- If "device_os_type_id" is "301", mapped value "AIX" to "additional.fields".<br>- If "device_os_type_id" is "302", mapped value "HP-UX" to "additional.fields".<br>- If "device_os_type_id" is "400", mapped value "MACINTOSH" to "additional.fields".<br>- If "device_os_type_id" is "500", mapped "principal.platform" to "IOS".<br>- If "device_os_type_id" is "501", mapped "principal.platform" to "ANDROID".<br>- If "device_os_type_id" is "502", mapped value "WINDOWS MOBILE" to "additional.fields".<br>- If "device_os_type_id" is "503", mapped value "IPADOS" to "additional.fields".<br>- If "device_os_type_id" is "1001", mapped value "OTHER" to "additional.fields".<br>- If "device_os_type_id" is "0", mapped "principal.platform" to "UNKNOWN".<br>- Modified the mapping of "product_uid" from "metadata.product_log_id" to "target.process.pid".<br>- Modified the mapping of "process_id" from "target.process.pid" to "_metadata.product_log_id".
2024-11-21 | Enhancement:<br>- Modified mappings of "severity_id".
2024-10-25 | Enhancement:<br>- Mapped "connection.url.port" to "target.port".<br>- Mapped "connection.url.host" to "target.hostname" and "target.asset.hostname".<br>- Mapped "connection.url.domain_name" to "target.administrative_domain".<br>- Mapped "connection.url.text" to "target.url".<br>- Mapped "connection.src_name" to "target.application".<br>- Mapped "parent.file.md5" to "principal.process.parent_process.file.md5".<br>- Mapped "parent.file.sha1" to "principal.process.parent_process.file.sha1".<br>- Mapped "parent.file.sha256" to "principal.process.parent_process.file.sha256".<br>- Mapped "parent.file.folder" to "principal.process.parent_process.file.full_path".<br>- Mapped "parent.file.product_name", "parent.file.company_name", "parent.file.created", "parent.file.normalized_path", "parent.file.signature_company_name", "parent.file.signature_value", and "parent.file.xattributes.portal" to "principal.resource.attribute.labels".<br>- Mapped "parent.file.signature_value_ids" to "additional.fields".<br>- Mapped "parent.file.version" to "network.tls.version".<br>- Mapped "parent.file.signature_issuer" to "network.tls.server.certificate.issuer".
2023-11-07 | Enhancement:<br>- Added support for SYSLOG format logs.<br>- Added "not null" checks to "parent.cmd_line", "parent.pid", "actor.pid", "actor.cmd_line", "device_name", "device_group", "device_os_name", "device_group", "device_domain", and "device_uid" prior to mapping to UDM.<br>- Mapped "device_name" to "principal.hostname".<br>- Mapped "user_name" to "principal.user.user_display_name".<br>- Mapped "actor.user.name" to "principal.user.user_display_name".<br>- Mapped "actor.user.domain" to "principal.administrative_domain".<br>- Mapped "actor.user.sid" to "principal.user.windows_sid".<br>- Mapped "actor.file.size" to "principal.process.file.size".<br>- Mapped "device_public_ip" to "principal.ip".<br>- Mapped "device_networks.ipv6" to "intermediary.ip".<br>- Mapped "user_email" to "principal.user.email_addresses".
2022-08-19 | Enhancement:<br>- Reduced Generic Event percentage.<br>- Mapped "type_id" to "event.idm.read_only_udm.metadata.event_type".<br>- Parsed logs for type_id = 21.