Change log for VECTRA_STREAM
Date | Area | Changes
---|---|---
2022-10-27 | JSON log support | Enhancement. Added JSON support for the logs. Added an extra grok pattern for failing logs, and another for the "_raw" data present in some JSON logs. Added "metadata_type" conditions alongside the existing "log_type" conditions for JSON logs. Mapped "status_code" to "network.http.response_code" and "user_agent" to "network.http.user_agent". Added conditions that, when the data comes from a JSON log, convert integer/float values to string for "version_num", "certificate.not_valid_before", "certificate.not_valid_after" and "certificate.versio". Added conditions that, when the data comes from syslog, convert string values to boolean for "AA", "RD", "RA", "TC" and "established". Added a condition to check whether "duration" was extracted from a JSON log or from syslog. Added a grok pattern to extract "answers" as a string from JSON logs.
2022-10-25 | common fields | Enhancement, added mappings. sensor_uid mapped to observer.asset_id.
2022-10-25 | metadata_radius | account_session_id mapped to network.session_id. account_session_time mapped to network.session_duration. calling_station_id mapped to intermediate.asset.product_object_id. connect_info mapped to security_result.description. radius_type mapped to metadata.description. result mapped to security_result.summary. nas_identifier mapped to target.user.attribute.roles.name. dst_display_name mapped to target.hostname. dst_luid mapped to target.asset.product_object_id. src_display_name mapped to principal.hostname. src_luid mapped to principal.asset.product_object_id.
2022-10-25 | metadata_beacon | beacon_type mapped to metadata.description. beacon_uid mapped to network.session_id. ja3 mapped to network.tls.ja3.
2022-10-25 | metadata_httpsessioninfo | method mapped to network.http.method. uri mapped to target.url. host mapped to target.hostname. referrer mapped to network.http.referral_url. user_agent mapped to network.http.user_agent. orig_mime_types mapped to principal.file.mime_type. resp_mime_types mapped to target.file.mime_type. status_code mapped to network.http.response_code. status_msg mapped to security_result.summary. proxied mapped to principal.ip. host_multihomed mapped to additionals.key/value.
2022-10-25 | metadata_ldap | query mapped to principal.process.command_line. result mapped to security_result.description. result_code mapped to security_result.action_details.
2022-10-25 | metadata_ntlm | hostname mapped to target.hostname. domain mapped to target.domain.name. status mapped to security_result.summary. success mapped to security_result.action.
2022-10-25 | metadata_rdp | cookie mapped to target.user.userid.
2022-10-25 | metadata_smbfiles | action mapped to metadata.event_type (FILE_*). name mapped to target.file.full_path. version mapped to principal.platform_version.
2022-10-25 | metadata_smbmapping | path mapped to target.file.full_path.
2022-10-25 | metadata_ssh | client mapped to principal.application. server mapped to target.application. cipher_alg mapped to network.tls.cipher. mac_alg, compression_alg, kex_alg, host_key_alg, host_key, hassh and hasshServer each mapped to additionals.key/value.
2022-07-22 | log type to metadata.event_type | Enhancement, added mappings. radius, beacon and smbmapping log types mapped to metadata.event_type=NETWORK_FLOW. httpsessioninfo log type mapped to metadata.event_type=NETWORK_HTTP. ldap log type mapped to metadata.event_type=NETWORK_USER_STATS. ntlm, rdp and ssh log types mapped to metadata.event_type=NETWORK_CONNECTION. smbfiles log type mapped to metadata.event_type=NETWORK_FTP.
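The source-dependent type coercions and the two field renames from the 2022-10-27 entry, as an added Python illustration that is not the VECTRA_STREAM parser's own code: JSON events are flattened to dotted names, syslog events are assumed (for this example only) to be key=value pairs, and the field lists are taken from the entry.

```python
import json
import re

# Field lists taken from the 2022-10-27 change-log entry.
JSON_STRING_FIELDS = {"version_num", "certificate.not_valid_before",
                      "certificate.not_valid_after", "certificate.versio"}
SYSLOG_BOOL_FIELDS = {"AA", "RD", "RA", "TC", "established"}
UDM_MAP = {"status_code": "network.http.response_code",
           "user_agent": "network.http.user_agent"}
# Assumed syslog shape for this example only: whitespace-separated key=value pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted names such as certificate.not_valid_after."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out

def parse_event(raw):
    """Return (fields, source); source is 'json' for a JSON object, else 'syslog'."""
    try:
        data = json.loads(raw)
    except ValueError:
        data = None
    if isinstance(data, dict):
        return flatten(data), "json"
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}, "syslog"

def normalize_event(raw):
    """Apply the source-dependent type coercions, then the UDM renames."""
    fields, source = parse_event(raw)
    udm = {}
    for name, value in fields.items():
        if (source == "json" and name in JSON_STRING_FIELDS
                and isinstance(value, (int, float)) and not isinstance(value, bool)):
            value = str(value)  # JSON numbers become strings, e.g. 3 -> "3"
        elif source == "syslog" and name in SYSLOG_BOOL_FIELDS and isinstance(value, str):
            value = value.lower() in {"true", "t", "1", "yes"}  # syslog text -> bool
        udm[UDM_MAP.get(name, name)] = value
    return udm

# Constructed sample events, not real Vectra Stream output.
JSON_SAMPLE = ('{"log_type": "ssl", "version_num": 3, "status_code": 404, '
               '"certificate": {"not_valid_after": 1666828800}, "user_agent": "curl/7.85"}')
SYSLOG_SAMPLE = 'log_type=dns AA=true RD=false RA=T TC=0 established=yes duration=0.5'
```

Fields not named in the entry pass through untouched, so a value such as duration keeps whatever type its source gave it, which is why the entry needed a separate source check for that field.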