Change log for AWS_NETWORK_FIREWALL

| Date | Changes |
|---|---|
| 2026-02-05 | Enhancement:<br>- `event.idm.read_only_udm.additional.fields` - Newly mapped `event.timestamp` raw log field to `event.idm.read_only_udm.additional.fields` with key "event_timestamp".<br>- `event.idm.read_only_udm.additional.fields` - Newly mapped `event.proto` raw log field to `event.idm.read_only_udm.additional.fields` with key "network_protocol_info" when `event.proto` is not a valid ip_protocol enum value.<br>- Added conditional logic within the `event.proto` block to handle different `event.proto` values:<br>- If `event.proto` raw log field is "IPV6-ICMP" or "ICMPV6", set `event.idm.read_only_udm.network.ip_protocol` to "ICMP".<br>- Else if `event.proto` raw log field is a valid ip_protocol enum value, set `event.idm.read_only_udm.network.ip_protocol` to the value of `event.proto`.<br>- In the else block, the `event.proto` raw log field is mapped to `event.idm.read_only_udm.additional.fields` when `event.proto` is not a valid ip_protocol enum value. |
| 2025-03-12 | - Added support for new JSON log format.<br>- Mapped "Connection_info.Protocol_num" to "network.ip_protocol".<br>- Mapped "Activity_id" to "metadata.product_log_id".<br>- Mapped "Activity_id", "Activity_name" to "metadata.product_event_type".<br>- Mapped "Tls.Version" to "network.tls.version".<br>- Mapped "Unmapped.Sni" to "network.tls.client.server_name".<br>- Mapped "Metadata.Version" to "metadata.product_version".<br>- Mapped "Connection_info.Uid", "Metadata.Product.Feature.Name", "Unmapped.App_proto", "Unmapped.Rev", "Unmapped.Category", "Unmapped.Tls_inspected", "Unmapped.Signature_id", "Metadata.Profiles", "Class_name", and "Class_uid" to "additional.fields".<br>- Mapped "Unmapped.Suricata_severity" to "security_result.severity_details".<br>- Mapped "Unmapped.Action" to "security_result.action".<br>- Mapped "Src_endpoint.Ip" to "principal.ip" and "principal.asset.ip".<br>- Mapped "Dst_endpoint.Ip" to "target.ip" and "target.asset.ip".<br>- Mapped "Src_endpoint.Port" to "principal.port".<br>- Mapped "Dst_endpoint.Port" to "target.port".<br>- Mapped "sr_action" to "security_result.action".<br>- Mapped "Category_name" to "security_result.category_details".<br>- Mapped "Category_uid" to "security_result.category_details".<br>- Mapped "Severity" to "security_result.severity_details".<br>- Mapped "Type_uid" to "security_result.detection_fields". |
| 2024-11-28 | - Added support for new JSON log format.<br>- Changed mapping of "firewall_name" field from "metadata.product_event_type" to "target.resource.attribute.labels". |
| 2023-05-05 | - Newly created parser. |