Change log for VECTRA_DETECT
Date | Changes |
---|---|
2024-08-21 | Enhancement:<br>- Added support for a new pattern of syslog logs. |
2024-07-22 | Enhancement:<br>- Mapped "threat", "certainty", and "score_decreases" to "additional.fields". |
2024-05-03 | Enhancement:<br>- Mapped "detection_profile.name", "detection_profile.vname", and "detection_profile.scoringDetections" to "security_result.detection_fields". |
2024-04-18 | Enhancement:<br>- Mapped "msg.quadrant" to "security_result.priority_details". |
2024-03-04 | Enhancement:<br>- Added support for a new pattern of "Audit" type logs.<br>- When "suser" is a valid email, mapped "suser" to "principal.user.email_addresses".<br>- When "suser" is not a valid email, mapped "suser" to "principal.user.userid".<br>- Added a conversion fail check for "flexNumber1" and "flexNumber2".<br>- When "src" is not empty, set "metadata.event_type" to "STATUS_UPDATE".<br>- When "user_present" is "true", set "metadata.event_type" to "USER_UNCATEGORIZED".<br>- When "principal_present" is "true" and "target_present" is "true", set "metadata.event_type" to "NETWORK_CONNECTION".<br>- Aligned "target.ip" and "target.asset.ip" mappings.<br>- Aligned "target.hostname" and "target.asset.hostname" mappings.<br>- Aligned "principal.ip" and "principal.asset.ip" mappings.<br>- Aligned "principal.hostname" and "principal.asset.hostname" mappings. |
2024-01-11 | Enhancement:<br>- Added support for "Audit" and "Health" type logs.<br>- Mapped "message" to "security_result.summary".<br>- Mapped "security_result.action" to "BLOCK" when "result" is "failure".<br>- Mapped "security_result.action" to "ALLOW" when "result" is "true".<br>- Mapped "result" to "security_result.detection_fields".<br>- Mapped "type" to "metadata.product_event_type". |
2023-10-12 | Enhancement:<br>- Mapped "quadrant" to "security_result.priority_details".<br>- Added conditions to map "threat" to "security_result.severity" as "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", and "CRITICAL".<br>- Added conditions to map "certainty" to "security_result.confidence" as "LOW_CONFIDENCE", "MEDIUM_CONFIDENCE", and "HIGH_CONFIDENCE". |
2023-04-14 | Enhancement:<br>- Mapped "device_version" to "metadata.product_version".<br>- Mapped "externalId" to "metadata.product_log_id".<br>- Mapped "event_name" and "device_event_class_id" to "metadata.product_event_type".<br>- Mapped "cat" to "security_result.category_details".<br>- Mapped "dvc" to "observer.ip".<br>- Mapped "dvchost" to "observer.hostname".<br>- Mapped "shost" to "principal.hostname".<br>- Mapped "src" to "principal.ip".<br>- Mapped "dst" to "target.ip".<br>- Mapped "dhost" to "target.hostname".<br>- Mapped "cs5" to "additional.fields".<br>- Mapped "cs4" to "metadata.target.url".<br>- Mapped "out" to "network.sent_bytes".<br>- Mapped "in" to "network.received_bytes".<br>- Mapped "dpt" to "target.port".<br>- Mapped "cs5" to "read_only_udm.alert".<br>- Mapped "severity" to "security_result.severity_details".<br>- Mapped "flexNumber1" to "security_result.severity".<br>- Mapped "flexNumber2" to "security_result.confidence".<br>- Mapped "proto" to "network.ip_protocol".<br>- Added "on_error" check for the "severity" parameter. |
2022-09-26 | Enhancement:<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "detection_id" to "metadata.product_log_id".<br>- Mapped "category" to "security_result.category_details".<br>- Mapped "d_type" to "additional.fields".<br>- Mapped "d_type_vname" to "additional.fields".<br>- Mapped "triaged" to "additional.fields".<br>- Mapped "headend_addr" to "observer.ip".<br>- Mapped "href" to "metadata.target.url".<br>- Mapped "dd_bytes_sent" to "network.sent_bytes".<br>- Mapped "account_uid" to "additional.fields". |
2022-08-25 | Enhancement:<br>- Converted the parser from SDM to UDM.<br>- Mapped "triage" to "read_only_udm.alert".<br>- Mapped "severity" to "security_result.severity_details". |
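The 2024-03-04 and 2024-01-11 entries describe conditional mapping rules (email versus userid for "suser", the event_type conditions, the "result" to action mapping, and the conversion fail check on "flexNumber1"/"flexNumber2"). The following added example is not the VECTRA_DETECT parser itself; it is illustrative Python that applies those documented rules to a constructed CEF-style line. The sample line, the minimal key=value extension parser, the rule that a later event_type condition overrides an earlier one, and the choice to drop a non-numeric flexNumber rather than fail the event are assumptions made for this example.

```python
"""Illustrative UDM field mapping for a Vectra CEF-style event.

Added example, not the Google SecOps VECTRA_DETECT parser. Field names come
from the change log above; the sample line, the extension parser, the
event_type precedence and the drop-on-conversion-failure behaviour are
assumptions for this example.
"""
import re

# Constructed sample line (not captured from a real sensor).
SAMPLE_LINE = (
    "CEF:0|Vectra Networks|X Series|7.0|command_and_control|Command & Control|5|"
    "externalId=12345 suser=alice@example.com src=10.0.0.5 dst=198.51.100.7 "
    "dpt=443 proto=tcp flexNumber1=37 flexNumber2=abc result=failure "
    "msg=Hidden HTTPS tunnel"
)

# Deliberately simple email check; a production parser would use a stricter one.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_cef_extension(line):
    """Return the key=value extension fields of a CEF line as a dict.

    The CEF header is the first seven pipe-separated fields; everything after
    is the extension. A value runs up to the next ' key=' token so values
    containing spaces (e.g. msg=...) are preserved. Escaped pipes/equals
    are not handled here (assumption: sample data contains none).
    """
    parts = line.split("|", 7)
    if len(parts) < 8:
        return {}
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}


def to_int_or_none(value):
    """Conversion fail check: flexNumber1/flexNumber2 may not be numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def map_to_udm(fields):
    """Apply the change-log mapping rules to parsed fields and return a UDM-like dict."""
    udm = {"metadata": {}, "principal": {"user": {}}, "target": {},
           "network": {}, "security_result": {}}

    if "externalId" in fields:
        udm["metadata"]["product_log_id"] = fields["externalId"]

    # suser: valid email -> email_addresses, otherwise -> userid
    suser = fields.get("suser")
    user_present = bool(suser)
    if suser:
        if EMAIL_RE.match(suser):
            udm["principal"]["user"]["email_addresses"] = [suser]
        else:
            udm["principal"]["user"]["userid"] = suser

    # src/dst: keep principal.ip aligned with principal.asset.ip (and target likewise)
    src, dst = fields.get("src"), fields.get("dst")
    if src:
        udm["principal"]["ip"] = src
        udm["principal"]["asset"] = {"ip": src}
    if dst:
        udm["target"]["ip"] = dst
        udm["target"]["asset"] = {"ip": dst}
    if "dpt" in fields and to_int_or_none(fields["dpt"]) is not None:
        udm["target"]["port"] = int(fields["dpt"])
    if "proto" in fields:
        udm["network"]["ip_protocol"] = fields["proto"].upper()

    # event_type: assumption that later conditions take precedence over earlier ones
    event_type = "GENERIC_EVENT"
    if src:
        event_type = "STATUS_UPDATE"
    if user_present:
        event_type = "USER_UNCATEGORIZED"
    if src and dst:  # principal_present and target_present
        event_type = "NETWORK_CONNECTION"
    udm["metadata"]["event_type"] = event_type

    # result -> security_result.action
    result = fields.get("result")
    if result == "failure":
        udm["security_result"]["action"] = "BLOCK"
    elif result == "true":
        udm["security_result"]["action"] = "ALLOW"

    # flexNumber1/flexNumber2 only when they convert cleanly (assumption: drop otherwise)
    severity = to_int_or_none(fields.get("flexNumber1"))
    if severity is not None:
        udm["security_result"]["severity"] = severity
    confidence = to_int_or_none(fields.get("flexNumber2"))
    if confidence is not None:
        udm["security_result"]["confidence"] = confidence
    return udm


def normalize(line):
    """Parse a CEF-style line and map it to the UDM-like dict."""
    return map_to_udm(parse_cef_extension(line))


if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_LINE), indent=2))
```

Running the block on the constructed line shows the non-numeric `flexNumber2=abc` being dropped instead of aborting the event, while the numeric `flexNumber1` still reaches `security_result.severity`; that is the practical effect of the conversion fail check the 2024-03-04 entry records.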