Change log for VECTRA_STREAM
Date | Changes |
---|---|
2024-07-26 | Enhancement:<br>- Mapped "attributes" to "additional.fields". |
2024-06-18 | Enhancement:<br>- Mapped "first_orig_resp_data_pkt", "first_orig_resp_data_pkt_time", "cookie", "keyboard_layout", "name", and "query_scope" to "additional.fields".<br>- Mapped "operation" to "security_result.action_details". |
2024-02-26 | Enhancement:<br>- Handled DHCP logs. |
2024-01-12 | Enhancement:<br>- Handled invalid JSON in the "rcpt_to" field. |
2023-10-15 | Enhancement:<br>- Handled previously unparsed JSON logs whose "metadata_type" field is "metadata_smbfiles".<br>- Mapped "dns_server_ips" to "principal.ip".<br>- Mapped "assigned_ip" to "network.dhcp.yiaddr".<br>- Mapped "dhcp_server_ip" to "network.dhcp.giaddr".<br>- Mapped "path" to "target.file.full_path". |
2023-09-14 | Fix:<br>- Initialized "uid", "metadata_type", "orig_sluid", "intermediary", "has_target_file", and "qclass_name" to null.<br>- Added a not-null check on "uid" and "metadata_type" before mapping to UDM.<br>- Mapped "orig_sluid" to "principal.hostname" when "orig_hostname" is null.<br>- Mapped "qclass_name" to "question.name".<br>- Added a check for event_type "FILE_MODIFICATION" to verify that "target.file" is not null. |
2023-07-31 | Bug fix:<br>- Added an "on_error" check for the 'date' filter. |
2023-07-24 | Bug fix:<br>- Added a check for 'UNIX' and 'UNIX_MS' timestamp formats before mapping "certificate.not_valid_after" to "network.tls.client.certificate.not_after".<br>- Added a check for 'UNIX' and 'UNIX_MS' timestamp formats before mapping "certificate.not_valid_before" to "network.tls.client.certificate.not_before". |
2022-10-27 | Enhancement:<br>- Added JSON support for the logs.<br>- Added an extra grok pattern for failing logs.<br>- Added an extra grok pattern for the "_raw" data present in some JSON logs.<br>- Added "metadata_type" conditions alongside the existing "log_type" conditions for JSON logs.<br>- Mapped "status_code" to "network.http.response_code".<br>- Mapped "user_agent" to "network.http.user_agent".<br>- Added conditions to check whether the data comes from a JSON log, in order to convert integer/float values to strings for "version_num", "certificate.not_valid_before", "certificate.not_valid_after", and "certificate.version".<br>- Added conditions to check whether the data comes from syslog, in order to convert string values to booleans for "AA", "RD", "RA", "TC", and "established".<br>- Added a condition to check whether "duration" was extracted from a JSON log or from syslog.<br>- Added a grok pattern to extract "answers" as a string from JSON logs. |
2022-10-25 | Enhancement: added mappings.<br>- Common fields: "sensor_uid" mapped to "observer.asset_id".<br>- metadata_radius: "account_session_id" mapped to "network.session_id"; "account_session_time" mapped to "network.session_duration"; "calling_station_id" mapped to "intermediary.asset.product_object_id"; "connect_info" mapped to "security_result.description"; "radius_type" mapped to "metadata.description"; "result" mapped to "security_result.summary"; "nas_identifier" mapped to "target.user.attribute.roles.name"; "dst_display_name" mapped to "target.hostname"; "dst_luid" mapped to "target.asset.product_object_id"; "src_display_name" mapped to "principal.hostname"; "src_luid" mapped to "principal.asset.product_object_id".<br>- metadata_beacon: "beacon_type" mapped to "metadata.description"; "beacon_uid" mapped to "network.session_id"; "ja3" mapped to "network.tls.ja3".<br>- metadata_httpsessioninfo: "method" mapped to "network.http.method"; "uri" mapped to "target.url"; "host" mapped to "target.hostname"; "referrer" mapped to "network.http.referral_url"; "user_agent" mapped to "network.http.user_agent"; "orig_mime_types" mapped to "principal.file.mime_type"; "resp_mime_types" mapped to "target.file.mime_type"; "status_code" mapped to "network.http.response_code"; "status_msg" mapped to "security_result.summary"; "proxied" mapped to "principal.ip"; "host_multihomed" mapped to "additional.fields" as a key/value pair.<br>- metadata_ldap: "query" mapped to "principal.process.command_line"; "result" mapped to "security_result.description"; "result_code" mapped to "security_result.action_details".<br>- metadata_ntlm: "hostname" mapped to "target.hostname"; "domain" mapped to "target.domain.name"; "status" mapped to "security_result.summary"; "success" mapped to "security_result.action".<br>- metadata_rdp: "cookie" mapped to "target.user.userid".<br>- metadata_smbfiles: "action" mapped to "metadata.event_type" (FILE_*); "name" mapped to "target.file.full_path"; "version" mapped to "principal.platform_version".<br>- metadata_smbmapping: "path" mapped to "target.file.full_path".<br>- metadata_ssh: "client" mapped to "principal.application"; "server" mapped to "target.application"; "cipher_alg" mapped to "network.tls.cipher"; "mac_alg", "compression_alg", "kex_alg", "host_key_alg", "host_key", "hassh", and "hasshServer" mapped to "additional.fields" as key/value pairs. |
2022-07-22 | Enhancement: added mappings.<br>- radius log type mapped to metadata.event_type = NETWORK_FLOW.<br>- beacon log type mapped to metadata.event_type = NETWORK_FLOW.<br>- httpsessioninfo log type mapped to metadata.event_type = NETWORK_HTTP.<br>- ldap log type mapped to metadata.event_type = NETWORK_USER_STATS.<br>- smbmapping log type mapped to metadata.event_type = NETWORK_FLOW.<br>- ntlm log type mapped to metadata.event_type = NETWORK_CONNECTION.<br>- rdp log type mapped to metadata.event_type = NETWORK_CONNECTION.<br>- smbfiles log type mapped to metadata.event_type = NETWORK_FTP.<br>- ssh log type mapped to metadata.event_type = NETWORK_CONNECTION. |
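The source-dependent type coercion (2022-10-27 entry), the UNIX/UNIX_MS timestamp check that gates the certificate validity mappings (2023-07-24 entry) and the tolerant handling of invalid JSON in "rcpt_to" (2024-01-12 entry), shown together as an added Python illustration that is not the parser's own code. The 1e11 seconds-versus-milliseconds threshold, the accepted boolean spellings and the fallback of keeping an unparseable "rcpt_to" as a single raw string are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Fields coerced to str for JSON input and to bool for syslog input (2022-10-27 entry).
STRING_FIELDS = ("version_num", "certificate.not_valid_before",
                 "certificate.not_valid_after", "certificate.version")
BOOL_FIELDS = ("AA", "RD", "RA", "TC", "established")
# Assumed split between UNIX seconds and UNIX_MS milliseconds: real epochs stay below 1e11.
UNIX_MS_THRESHOLD = 10**11
CERT_MAP = (("certificate.not_valid_before", "network.tls.client.certificate.not_before"),
            ("certificate.not_valid_after", "network.tls.client.certificate.not_after"))

def epoch_to_iso(value):
    """ISO-8601 UTC for a UNIX/UNIX_MS epoch, or None when the timestamp check fails."""
    try:
        number = float(value)
    except (TypeError, ValueError):
        return None
    if number <= 0:
        return None
    if number >= UNIX_MS_THRESHOLD:  # milliseconds, scale down to seconds
        number /= 1000.0
    return datetime.fromtimestamp(number, tz=timezone.utc).isoformat()

def parse_rcpt_to(value):
    """rcpt_to may hold a JSON list or invalid JSON; keep the raw string rather than drop the event."""
    if isinstance(value, list):
        return value
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return [value] if value else []
    return parsed if isinstance(parsed, list) else [str(parsed)]

def normalize(record, source):
    """Coerce types by source ("json" or "syslog"); return the record and the gated UDM cert fields."""
    out = dict(record)
    if source == "json":
        for field in STRING_FIELDS:
            if field in out and not isinstance(out[field], str):
                out[field] = str(out[field])
    elif source == "syslog":
        for field in BOOL_FIELDS:
            if isinstance(out.get(field), str):
                out[field] = out[field].strip().lower() in ("true", "t", "1")
    if "rcpt_to" in out:
        out["rcpt_to"] = parse_rcpt_to(out["rcpt_to"])
    udm = {dst: epoch_to_iso(out.get(src)) for src, dst in CERT_MAP}
    return out, {k: v for k, v in udm.items() if v is not None}
```

Records that fail the timestamp check simply produce no certificate validity field instead of a malformed one, which is the failure mode the 2023-07-24 fix addresses.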