Change log for WATCHGUARD

Date Changes
2024-09-24 Enhancement:
- Added JSON pattern to parse the unparsed logs.
- Mapped "USERNAME" to "principal.user.userid".
- Mapped "DEST_PORT" to "target.port".
- Mapped "PROTOCOL_TR" to "network.ip_protocol".
- Mapped "DEST_INTERFACE" to "target.resource.attributes.labels".
- Mapped "SOURCE_INTERFACE" to "principal.resource.attributes.labels".
- Mapped "SOURCE_PORT" to "principal.port".
- Mapped "PRIVATE_IP" to "target.ip".
- Mapped "SOURCE_IP" to "principal.ip".
- Mapped "DEST_IP" to "target.ip".
- Mapped "COMMON_REPORT_NAME", "DOMAIN", "IENAME", "FACILITY", "MESSAGESTART", "POLICY_ID", "ARCHIVETYPE", "MESSAGELEN", "OPERATION", "IEGROUP", "ESID", and "PACK_HEADER_LEN" to "additional.fields".
- Mapped "SEVERITY" to "security_result.severity_details".
2024-07-02 Enhancement:
- Modified the Grok pattern to parse new fields.
- Modified a few Grok patterns to parse the new formats of "identified_log".
- Added a Grok pattern to parse "identified_log" with "msg_id" value "1600-0066".
- Mapped "area", "interface_name", and "network_name" to "additional.fields".
- Mapped "virtual_ip" to "intermediary.ip".
- Mapped "flags" to "security_result.detection_fields".
- Mapped "duration" to "network.session_duration.seconds".
- Mapped "sent_pkts" to "network.sent_packets".
- Mapped "rcvd_pkts" to "network.received_packets".
- Removed the mapping of "src_host" to "principal.hostname" and "dst_host" to "target.hostname".
2023-12-03 Enhancement:
- Modified a Grok pattern to parse new fields.
- Modified a few Grok patterns to parse new formats of "identified_log".
- Added a new Grok pattern to parse "identified_log" with "msg_id" value "1600-0066".
2023-11-27 Enhancement:
- Mapped "signature_name" to "additional.fields" for logs having "msg_id" equal to "3000-0150".
- Mapped "signature_id", "signature_cat" to "additional.fields".
2023-11-24 Enhancement:
- Modified a few Grok patterns to parse new fields.
- Mapped "firewallname" to "event.idm.read_only_udm.intermediary.hostname".
- Mapped "firewall_id" to "event.idm.read_only_udm.intermediary.asset_id".
- Mapped "prin_host" to "event.idm.read_only_udm.intermediary.labels".
2023-11-10 Enhancement:
- Removed redundant code.
- Mapped "signature_name" to "additional.fields".
2023-09-28 Bug-fix:
- Modified the "date" filter to support the following formats: "yyyy-MM-dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", "yyyy-MM-ddTHH:mm:ss".
2023-05-25 Bug-fix:
- Changed mapping for the field "src_vpn_ip" from "principal.ip" to "target.ip" for event "Received DPD message from target host through gateway".
2023-05-04 Enhancement - Added Grok patterns to handle unparsed logs with event 'dnsmasq', 'dhcpd', 'iked', 'admd'.
2023-01-20 Enhancement - Added grok to handle unparsed logs.
- Mapped "dst_port" to "target.port".
- Mapped "src_port" to "principal.port".
- Mapped "rcvd_bytes" to "network.received_bytes".
- Mapped "geo_src" to "principal.location.country_or_region".
- Mapped "geo_dst" to "target.location.country_or_region".
- Mapped "prin_host" to "principal.hostname".
- Added conditional checks for "dhcp_type", "intermediary_host", and "protocol".
- For "msg_id" equal to "1600-0066":
  - Added a Grok pattern for "msg_id" equal to "1600-0066".
  - Mapped "description" to "metadata.description".
- For "msg_id" equal to "2DFF-0000":
  - Mapped "proxy_act" to "security_result.rule_name".
2022-12-17 Enhancement - Mapped firewall name to "principal.asset_id" for the logs containing Member1.
- Changed "event_type" from "SERVICE_MODIFICATION" to "NETWORK_CONNECTION".
- Mapped "src_user" to "principal.user.email_addresses" if it is an email address, otherwise to "principal.user.user_display_name".
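As an added illustration (this is not the Google SecOps parser's own code, which is built from Logstash-style Grok and date filters): a Python sketch of the mapping style these entries describe, covering the timestamp formats listed in the 2023-09-28 entry, the "src_user" email-or-display-name rule and the "NETWORK_CONNECTION" event type from the 2022-12-17 entry, and the "msg_id"-conditional "proxy_act" mapping from the 2023-01-20 entry. The key="value" line layout, the firewall name, and the sample lines are constructed for illustration and are not claimed to be WatchGuard's real on-the-wire format.

```python
"""Illustrative WatchGuard-style log to flat UDM-path mapper.

Added example, not the SecOps parser itself. The line layout, the
field-to-UDM table and the sample lines are assumptions for illustration.
"""
import re
from datetime import datetime

# Header: <timestamp> <firewall name> <event name>: <key="value" body>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})?"
    r"|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<fw>\S+) (?P<event>[\w-]+): (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Field names and UDM paths taken from this change log; the table itself is ours.
DIRECT = {
    "src_ip": "principal.ip",
    "dst_ip": "target.ip",
    "src_port": "principal.port",
    "dst_port": "target.port",
    "rcvd_bytes": "network.received_bytes",
    "sent_pkts": "network.sent_packets",
    "rcvd_pkts": "network.received_packets",
    "duration": "network.session_duration.seconds",
    "geo_src": "principal.location.country_or_region",
    "geo_dst": "target.location.country_or_region",
    "reason": "security_result.action_details",
}
INT_FIELDS = {"src_port", "dst_port", "rcvd_bytes", "sent_pkts", "rcvd_pkts", "duration"}


def parse_timestamp(value, default_year=2024):
    """Accept the formats the date filter lists; syslog forms carry no year."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    # "MMM d HH:mm:ss" / "MMM dd HH:mm:ss": the year has to be assumed, which
    # is wrong for events that straddle New Year; callers should pass it in.
    try:
        return datetime.strptime(f"{default_year} {value}", "%Y %b %d %H:%M:%S")
    except ValueError:
        pass
    # Remaining ISO 8601 shapes (UTC offsets, fractional seconds).
    return datetime.fromisoformat(value)


def parse_kv(body):
    """key="quoted value" or key=bare pairs into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(body)}


def to_udm(line, default_year=2024):
    """Map one line to a flat {udm_path: value} dict; unparsed lines stay GENERIC_EVENT."""
    m = LINE_RE.match(line)
    if not m:
        return {"metadata.event_type": "GENERIC_EVENT", "metadata.description": line}
    fields = parse_kv(m.group("body"))
    udm = {
        "metadata.event_timestamp": parse_timestamp(m.group("ts"), default_year).isoformat(),
        # Assumption: only the 'firewall' event is typed NETWORK_CONNECTION here.
        "metadata.event_type": "NETWORK_CONNECTION" if m.group("event") == "firewall" else "GENERIC_EVENT",
        "intermediary.hostname": m.group("fw"),
    }
    for key, path in DIRECT.items():
        if key in fields:
            udm[path] = int(fields[key]) if key in INT_FIELDS else fields[key]
    user = fields.get("src_user")
    if user:  # email address vs. plain display name
        if EMAIL_RE.match(user):
            udm["principal.user.email_addresses"] = [user]
        else:
            udm["principal.user.user_display_name"] = user
    if fields.get("msg_id") == "2DFF-0000" and "proxy_act" in fields:
        udm["security_result.rule_name"] = fields["proxy_act"]
    return udm


# Constructed sample lines (not captured from a real appliance).
SAMPLE_LINES = [
    '2024-09-24 10:15:30 WG-FW-01 firewall: msg_id="3000-0148" src_ip="10.0.1.5" '
    'dst_ip="198.51.100.20" src_port="54321" dst_port="443" protocol="tcp" rcvd_bytes="1480" '
    'duration="12" geo_src="USA" geo_dst="GBR" src_user="alice@example.com" reason="Allowed by policy"',
    'Sep 4 10:15:31 WG-FW-01 https-proxy: msg_id="2DFF-0000" src_ip="10.0.1.7" '
    'dst_ip="203.0.113.9" src_user="bob" proxy_act="HTTPS-Client.Standard"',
    "garbage line with no structure",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_udm(line))
```

The fallback to GENERIC_EVENT with the raw line in "metadata.description" is the behaviour the "unparsed logs" entries are chipping away at: every new Grok pattern moves a line class out of that branch into typed fields, which is what makes it searchable and usable in detection rules.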
2022-12-16 Enhancement:
- Added a Grok pattern to handle unparsed logs with event_name 'firewall'.
- Reduced the number of events typed as GENERIC_EVENT.
2022-11-16 Enhancement - Mapped 'reason' field to 'security_result.action_details'.
- Added grok to handle unparsed log with event_name 'firewall'.
- Added additional conditional blocks to parse logs with event_name 'loggerd', 'sigd', 'sessiond', 'admd', 'iked'.
2022-11-07 Bug-fix:
- Changed the mapping of the path taken from the HTTP header from 'target.file.full_path' to 'target.url'.
2022-06-17 Enhancement - Parsed logs with events related to "firewall", "http-proxy", "https-proxy".