
Change log for VECTRA_STREAM

Date Changes
2022-10-27 Enhancement:
Added JSON support for the logs.
Added an extra grok pattern for logs that previously failed to parse.
Added an extra grok pattern for the "_raw" data present in some JSON logs.
Added "metadata_type" conditions alongside the existing "log_type" conditions for JSON logs.
Mapped "status_code" to "network.http.response_code".
Mapped "user_agent" to "network.http.user_agent".
Added conditions that check whether the data comes from a JSON log, and if so convert integer/float values to string for the variables:
"version_num", "certificate.not_valid_before", "certificate.not_valid_after", "certificate.version".
Added conditions that check whether the data comes from syslog, and if so convert string values to boolean for the variables:
"AA", "RD", "RA", "TC", "established".
Added a condition to check whether "duration" was extracted from a JSON log or from syslog.
Added a grok pattern to extract "answers" as a string from JSON logs.
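The 2022-10-27 entry describes source-dependent type handling: the same field arrives as a number in the JSON feed but as text in syslog, so the parser has to decide per source whether to stringify, booleanize or cast before emitting a UDM field. The following Python is an added illustration of that logic, not the VECTRA_STREAM parser's own code. The record shapes, field names such as "duration" and "answers", and the sample JSON and syslog lines are constructed for the example; only the field lists and the two HTTP mappings come from the entry above.

```python
import json
import re
from typing import Any, Dict, Tuple

# Fields the JSON feed sends as numbers but the parser keeps as strings (from the entry above).
STRING_IN_JSON = {"version_num", "certificate.not_valid_before",
                  "certificate.not_valid_after", "certificate.version"}
# Flags the syslog feed sends as text but the parser keeps as booleans (from the entry above).
BOOL_IN_SYSLOG = {"AA", "RD", "RA", "TC", "established"}
TRUE_WORDS = {"t", "true", "1", "yes"}
FALSE_WORDS = {"f", "false", "0", "no"}

# key=value pairs with optional double-quoted values; assumed syslog shape for this example.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON so that certificate.version etc. become dotted keys."""
    out: Dict[str, Any] = {}
    for k, v in obj.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(_flatten(v, key + "."))
        else:
            out[key] = v
    return out


def _parse_kv(text: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(text)}


def parse_event(raw: str) -> Tuple[str, Dict[str, Any]]:
    """Return ("json" | "syslog", fields). A JSON record whose "_raw" field holds a
    key=value string gets those pairs merged in as well (the "_raw" case above)."""
    try:
        obj = json.loads(raw)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        fields = _flatten(obj)
        raw_inner = fields.pop("_raw", None)
        if isinstance(raw_inner, str):
            for k, v in _parse_kv(raw_inner).items():
                fields.setdefault(k, v)
        return "json", fields
    return "syslog", _parse_kv(raw)


def normalize(source: str, fields: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the per-source type rules and the two HTTP field renames."""
    out: Dict[str, Any] = {}
    for key, value in fields.items():
        if (source == "json" and key in STRING_IN_JSON
                and isinstance(value, (int, float)) and not isinstance(value, bool)):
            value = str(value)                      # JSON number -> string
        elif source == "syslog" and key in BOOL_IN_SYSLOG and isinstance(value, str):
            word = value.strip().lower()
            if word in TRUE_WORDS:
                value = True                        # syslog "T" -> True
            elif word in FALSE_WORDS:
                value = False
            else:
                continue                            # unknown flag text: drop, don't guess
        elif key == "duration":
            # JSON carries a number, syslog carries text; emit seconds as float either way.
            try:
                value = float(value)
            except (TypeError, ValueError):
                continue
        elif key == "answers" and isinstance(value, list):
            value = ",".join(str(a) for a in value)  # DNS answers as one string
        if key == "status_code":
            try:
                out["network.http.response_code"] = int(value)
            except (TypeError, ValueError):
                pass
            continue
        if key == "user_agent":
            out["network.http.user_agent"] = str(value)
            continue
        out[key] = value
    return out


def to_udm(raw: str) -> Dict[str, Any]:
    source, fields = parse_event(raw)
    return normalize(source, fields)


# Constructed sample records for the example; not real Vectra output.
JSON_SAMPLE = json.dumps({"metadata_type": "metadata_ssl", "version_num": 3,
                          "certificate": {"not_valid_before": 1660000000, "version": 3},
                          "duration": 0.25, "status_code": 404, "user_agent": "curl/8.0",
                          "answers": ["10.0.0.5", "10.0.0.6"]})
SYSLOG_SAMPLE = ('log_type=dns AA=F RD=T RA=T TC=F duration=1.5 '
                 'status_code="200" user_agent="Mozilla/5.0"')

if __name__ == "__main__":
    print(to_udm(JSON_SAMPLE))
    print(to_udm(SYSLOG_SAMPLE))
```

The point the example makes is that the conversion must be keyed on the detected source, not on the value alone: a JSON integer 3 in "certificate.version" becomes the string "3", while a syslog "T" in "RD" becomes a boolean, and "duration" is cast to a float from whichever representation arrived. Unrecognised flag text is dropped rather than coerced, which keeps a malformed line from producing a silently wrong boolean.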
2022-10-25 Enhancement: added mappings
-common fields
sensor_uid mapped to observer.asset_id.
-metadata_radius
account_session_id mapped to network.session_id.
account_session_time mapped to network.session_duration.
calling_station_id mapped to intermediate.asset.product_object_id.
connect_info mapped to security_result.description.
radius_type mapped to metadata.description.
result mapped to security_result.summary.
nas_identifier mapped to target.user.attribute.roles.name.
dst_display_name mapped to target.hostname.
dst_luid mapped to target.asset.product_object_id.
src_display_name mapped to principal.hostname.
src_luid mapped to principal.asset.product_object_id.
-metadata_beacon
beacon_type mapped to metadata.description.
beacon_uid mapped to network.session_id.
ja3 mapped to network.tls.ja3.
-metadata_httpsessioninfo
method mapped to network.http.method.
uri mapped to target.url.
host mapped to target.hostname.
referrer mapped to network.http.referral_url.
user_agent mapped to network.http.user_agent.
orig_mime_types mapped to principal.file.mime_type.
resp_mime_types mapped to target.file.mime_type.
status_code mapped to network.http.response_code.
status_msg mapped to security_result.summary.
proxied mapped to principal.ip.
host_multihomed mapped to additionals.key/value.
-metadata_ldap
query mapped to principal.process.command_line.
result mapped to security_result.description.
result_code mapped to security_result.action_details.
-metadata_ntlm
hostname mapped to target.hostname.
domain mapped to target.domain.name.
status mapped to security_result.summary.
success mapped to security_result.action.
-metadata_rdp
cookie mapped to target.user.userid.
-metadata_smbfiles
action mapped to metadata.event_type (FILE_*).
name mapped to target.file.full_path.
version mapped to principal.platform_version.
-metadata_smbmapping
path mapped to target.file.full_path.
-metadata_ssh
client mapped to principal.application.
server mapped to target.application.
cipher_alg mapped to network.tls.cipher.
mac_alg mapped to additionals.key/value.
compression_alg mapped to additionals.key/value.
kex_alg mapped to additionals.key/value.
host_key_alg mapped to additionals.key/value.
host_key mapped to additionals.key/value.
hassh mapped to additionals.key/value.
hasshServer mapped to additionals.key/value.
2022-07-22 Enhancement: added mappings
radius log type mapped to metadata.event_type=NETWORK_FLOW.
beacon log type mapped to metadata.event_type=NETWORK_FLOW.
httpsessioninfo log type mapped to metadata.event_type=NETWORK_HTTP.
ldap log type mapped to metadata.event_type=NETWORK_USER_STATS.
smbmapping log type mapped to metadata.event_type=NETWORK_FLOW.
ntlm log type mapped to metadata.event_type=NETWORK_CONNECTION.
rdp log type mapped to metadata.event_type=NETWORK_CONNECTION.
smbfiles log type mapped to metadata.event_type=NETWORK_FTP.
ssh log type mapped to metadata.event_type=NETWORK_CONNECTION.