Change log for TANIUM_TH
| Date | Changes |
|---|---|
| 2023-12-18 | Enhancement: mapped the "network.direction" JSON field to the "network.direction" UDM field. |
| 2023-09-20 | Enhancement: mapped the "metadata.description" JSON field to the "metadata.description" UDM field. |
| 2022-12-12 | Enhancement:<br>- Mapped "metadata.event_type" to "USER_LOGIN" when "additional.event_id" is "4625", "4624", "4648", or "4627".<br>- Mapped "metadata.event_type" to "USER_LOGOUT" when "additional.event_id" is "4634" or "4647".<br>- Mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS" when "additional.event_id" is "4670", "4672", "4673", "4674", "4703", "4704", or "4705".<br>- Mapped "metadata.event_type" to "PROCESS_LAUNCH" when "additional.event_id" is "4688".<br>- Mapped "metadata.event_type" to "PROCESS_TERMINATION" when "additional.event_id" is "4689".<br>- Mapped "metadata.event_type" to "PROCESS_UNCATEGORIZED" when "additional.event_id" is "4799".<br>- Mapped "metadata.event_type" to "SCHEDULED_TASK_MODIFICATION" when "additional.event_id" is "4702".<br>- Mapped "metadata.event_type" to "SCHEDULED_TASK_DISABLE" when "additional.event_id" is "4701".<br>- Mapped "metadata.event_type" to "SCHEDULED_TASK_ENABLE" when "additional.event_id" is "4700".<br>- Mapped "metadata.event_type" to "SCHEDULED_TASK_DELETION" when "additional.event_id" is "4699".<br>- Mapped "metadata.event_type" to "SCHEDULED_TASK_CREATION" when "additional.event_id" is "4698".<br>- Changed "metadata.event_type" from "USER_UNCATEGORIZED" to "STATUS_UPDATE" for all other event types that are not handled specifically. |
| 2022-09-16 | Enhancement:<br>- Added an error check for "principal.process.file.fullPath", "principal.process.file.md5", and "target.file.md5".<br>- Set "event_type" to "STATUS_UPDATE" when the field "logType" equals "PROCESS_MODULE_LOAD" and "target.file.md5" is null. |
| 2022-08-10 | Enhancement:<br>- Changed the mapping of the field "additional.event_id" from "metadata.product_log_id" to "security_result.rule_name".<br>- Changed the mapping of "metadata.event_type" from "GENERIC_EVENT" to "USER_LOGIN" where "additional.event_id" is "4625".<br>- Changed the mapping of "additional.event__AuthenticationPackageName" from "target.resource.name" to "security_result.about.resource.name" where "additional.event_id" is "4625" or "4624".<br>- Mapped the field "additional.event__LogonType" to "extensions.auth.mechanism".<br>- Mapped "security_result.category" to "AUTH_VIOLATION" where "additional.event_id" is "4625". |
| 2022-06-01 | Enhancement:<br>- For logs with logType "GENERIC_EVENT_LOG", changed "metadata.event_type" from "GENERIC_EVENT" to "USER_UNCATEGORIZED".<br>- Corrected the parsing of the field "additional.query" so that it is mapped to "target.ip" or "target.hostname" depending on the value present in the log. |
| 2022-05-12 | Bug fix: added a condition check on the field "additional.query" so that it is mapped to "target.ip" or "target.hostname" depending on the value present in the log. |
| 2022-03-30 | Enhancement: mapped the following raw log fields to UDM fields.<br>- Mapped "additional.event__TargetSid" and "additional.event__TargetUserSid" to "target.user.windows_sid".<br>- Mapped "additional.event__SubjectUserName" to "principal.user.user_display_name".<br>- Mapped "additional.event__CallerProcessId" and "additional.event__ClientProcessId" to "principal.process.pid".<br>- Mapped "additional.event__CallerProcessName" to "principal.process.file.full_path".<br>- Mapped "additional.event__FQDN" to "principal.hostname".<br>- Mapped "additional.event__ParentProcessName" to "principal.process.parent_process.file.full_path".<br>- Mapped "additional.event__CommandLine" to "target.process.command_line".<br>- Mapped "additional.event__NewProcessId" to "target.process.pid".<br>- Mapped "additional.event__NewProcessName" to "target.process.file.full_path".<br>- Mapped "additional.event__ParentProcessId" to "principal.process.parent_process.pid".<br>- Mapped "additional.event__ObjectServer" to "security_result.category_details".<br>- Mapped "additional.event__Service" to "security_result.description".<br>- Mapped "additional.event__PrivilegeList" to "principal.user.attribute.permissions".<br>- Mapped "additional.event__TransmittedServices", "additional.event__LmPackageName", "additional.event__TokenElevationType", "additional.event__MandatoryLabel", "additional.event__AlgorithmName", "additional.event__KeyName", "additional.event__KeyType", "additional.event__Operation", "additional.event__ProviderName", "additional.event__ReturnCode", "additional.event__RpcCallClientLocality", "additional.event__ClientProcessStartKey", "additional.event__TaskContentNew", "additional.event__TaskName", "additional.event__Status", "additional.event__FailureReason", "additional.event__SubStatus", "additional.event__KeyLength", "additional.event__RestrictedAdminMode", "additional.event__TargetLinkedLogonId", "additional.event__TargetOutboundUserName", and "additional.event__TargetOutboundDomainName" to "additional.fields".<br>- Changed the mapping of "additional.event__VirtualAccount", "additional.event__ElevatedToken", "additional.event__ImpersonationLevel", "additional.event__TargetLogonId", and "additional.event__SubjectLogonId" from "about.labels" to "additional.fields". |
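The entries above describe the parser's mapping rules only in prose. The following Python is an added example, not the Tanium TH parser itself (which is a Chronicle parser configuration) and not code from Tanium or Google: it models the event-ID to event-type table from the 2022-12-12 entry, the "PROCESS_MODULE_LOAD" null-md5 rule from 2022-09-16, the 4624/4625 rules from 2022-08-10, and the "additional.query" IP-or-hostname routing from 2022-05-12 and 2022-06-01, so that the documented behaviour can be checked against sample records. The flat dotted-key record layout and the sample records are constructed assumptions.

```python
"""Added example: a Python model of the mapping rules in this change log.
Not the Tanium TH parser (which is a Chronicle parser config); the flat
dotted-key record layout and the sample records are assumptions."""
import ipaddress

# Windows event ID -> UDM event type, as listed in the 2022-12-12 entry.
EVENT_ID_TO_TYPE = {
    **dict.fromkeys(["4625", "4624", "4648", "4627"], "USER_LOGIN"),
    **dict.fromkeys(["4634", "4647"], "USER_LOGOUT"),
    **dict.fromkeys(["4670", "4672", "4673", "4674", "4703", "4704", "4705"],
                    "USER_CHANGE_PERMISSIONS"),
    "4688": "PROCESS_LAUNCH",
    "4689": "PROCESS_TERMINATION",
    "4799": "PROCESS_UNCATEGORIZED",
    "4702": "SCHEDULED_TASK_MODIFICATION",
    "4701": "SCHEDULED_TASK_DISABLE",
    "4700": "SCHEDULED_TASK_ENABLE",
    "4699": "SCHEDULED_TASK_DELETION",
    "4698": "SCHEDULED_TASK_CREATION",
}


def route_query(value):
    """Map "additional.query" (2022-05-12 / 2022-06-01 entries): an IPv4 or
    IPv6 literal goes to target.ip, any other non-empty value to
    target.hostname, and an empty value sets nothing."""
    value = (value or "").strip()
    if not value:
        return {}
    try:
        ipaddress.ip_address(value)
        return {"target.ip": value}
    except ValueError:
        return {"target.hostname": value}


def map_event(raw):
    """Return the UDM fields this change log says should be set for one raw
    record. Only the fields the log mentions are modelled."""
    udm = {}
    event_id = str(raw.get("additional.event_id") or "")
    log_type = raw.get("logType")

    # 2022-08-10: the raw event ID is carried in security_result.rule_name.
    if event_id:
        udm["security_result.rule_name"] = event_id

    # 2022-12-12: event type by Windows event ID; anything not handled
    # specifically becomes STATUS_UPDATE (formerly USER_UNCATEGORIZED).
    udm["metadata.event_type"] = EVENT_ID_TO_TYPE.get(event_id, "STATUS_UPDATE")

    # 2022-09-16: a module-load record with no target.file.md5 is a
    # STATUS_UPDATE rather than an event with a file target.
    if log_type == "PROCESS_MODULE_LOAD" and not raw.get("target.file.md5"):
        udm["metadata.event_type"] = "STATUS_UPDATE"

    # 2022-08-10: failed logons are AUTH_VIOLATION; the authentication
    # package is recorded for both 4624 and 4625.
    if event_id == "4625":
        udm["security_result.category"] = "AUTH_VIOLATION"
    if event_id in ("4624", "4625"):
        pkg = raw.get("additional.event__AuthenticationPackageName")
        if pkg:
            udm["security_result.about.resource.name"] = pkg

    # 2022-03-30: a subset of the direct field-to-field mappings.
    for src, dst in (
        ("additional.event__CommandLine", "target.process.command_line"),
        ("additional.event__NewProcessName", "target.process.file.full_path"),
        ("additional.event__ParentProcessName",
         "principal.process.parent_process.file.full_path"),
        ("additional.event__FQDN", "principal.hostname"),
    ):
        if raw.get(src):
            udm[dst] = raw[src]

    udm.update(route_query(raw.get("additional.query")))
    return udm


# Constructed sample records (not real Tanium output).
SAMPLE_LOGON_FAILURE = {
    "logType": "GENERIC_EVENT_LOG",
    "additional.event_id": "4625",
    "additional.event__AuthenticationPackageName": "NTLM",
    "additional.event__FQDN": "ws01.example.test",
}
SAMPLE_DNS_QUERY = {"logType": "GENERIC_EVENT_LOG", "additional.query": "10.0.0.5"}
SAMPLE_MODULE_LOAD = {"logType": "PROCESS_MODULE_LOAD", "target.file.md5": None}

if __name__ == "__main__":
    for rec in (SAMPLE_LOGON_FAILURE, SAMPLE_DNS_QUERY, SAMPLE_MODULE_LOAD):
        print(map_event(rec))
```

Running the module prints the modelled UDM fields for each constructed record; the value of this kind of model for a detection engineer is that a rule written against "metadata.event_type" (for example, alerting on USER_LOGIN with an AUTH_VIOLATION category) can be checked against the parser's documented behaviour before it is deployed, and the 2022-12-12 fall-through to STATUS_UPDATE makes clear that any Windows event ID not in the table will never surface as a typed UDM event.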