Change log for CISCO_STEALTHWATCH
| Date | Changes |
|---|---|
| 2025-09-12 | Enhancement:<br>- Modified the Grok patterns to handle JSON-format logs.<br>- Added mutate filters to remove `\r\n` and `\n` characters from the message.<br>- Added a mutate filter to rename the root `event` field to `eventData` in JSON logs.<br>- Added a mutate filter to unnest the `eventData` object.<br>- Updated the date filter to support `ISO8601` format for the `time` field.<br>- Added conditional logic that maps `source_name` to the IP fields when it is an IP address and to the hostname fields otherwise.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: newly mapped the `time` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`.<br>- `event.idm.read_only_udm.principal.ip`: newly mapped the `source_name` raw log field to `event.idm.read_only_udm.principal.ip`.<br>- `event.idm.read_only_udm.principal.asset.ip`: newly mapped the `source_name` raw log field to `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.principal.hostname`: newly mapped the `source_name` raw log field to `event.idm.read_only_udm.principal.hostname`.<br>- `event.idm.read_only_udm.principal.asset.hostname`: newly mapped the `source_name` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.<br>- `event.idm.read_only_udm.metadata.product_log_id`: newly mapped the `id` raw log field to `event.idm.read_only_udm.metadata.product_log_id`.<br>- `event.idm.read_only_udm.security_result.url_back_to_product`: newly mapped the `url` raw log field to `event.idm.read_only_udm.security_result.url_back_to_product`.<br>- `event.idm.read_only_udm.security_result.rule_id`: newly mapped the `observations` raw log field to `event.idm.read_only_udm.security_result.rule_id`. |
| 2025-07-29 | Enhancement:<br>- Added Grok patterns to parse previously unparsed logs.<br>- `event.idm.read_only_udm.target.hostname`: newly mapped the `target_hostname` raw log field to `event.idm.read_only_udm.target.hostname`.<br>- `event.idm.read_only_udm.target.mac`: newly mapped the `target_mac_address` raw log field to `event.idm.read_only_udm.target.mac`.<br>- `event.idm.read_only_udm.principal.mac`: newly mapped the `source_mac_address` raw log field to `event.idm.read_only_udm.principal.mac`.<br>- `event.idm.read_only_udm.security_result.severity`: newly mapped the `alarm_severity_id` raw log field to `event.idm.read_only_udm.security_result.severity`.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: newly mapped the `source_username` raw log field to `event.idm.read_only_udm.principal.user.user_display_name`.<br>- Consolidated all mappings for `event.idm.read_only_udm.additional.fields`. |
| 2024-10-29 | Enhancement:<br>- Added support to handle JSON logs. |
| 2024-09-26 | Enhancement:<br>- Added support to parse CEF-format logs. |
| 2024-06-11 | Enhancement:<br>- Updated the Grok pattern to parse the `emc1502` value and map it to `principal.hostname`. |
| 2023-06-19 | Enhancement:<br>- Mapped `sourceIPv4Address` to `principal.ip`.<br>- Mapped `SourceModuleType` to `observer.application`.<br>- Mapped `SourceModuleName` to `target.resource.name`.<br>- Mapped `MessageSourceAddress` to `principal.ip`.<br>- Mapped `SourcePort` to `principal.port`.<br>- Mapped `Version` to `metadata.product_version`.<br>- Mapped `DestPort` to `target.port`.<br>- Mapped `DestIPv4Address` to `target.ip`.<br>- Mapped `ProtocolIdentifier` to `network.ip_protocol`.<br>- Mapped `inputSNMPIface`, `outputSNMPIface` and `InPackets` to `additional.fields`. |
| 2023-02-10 | Fix:<br>- Added new Grok patterns to parse NFS and SMB protocol-type logs. |
| 2022-07-06 | Enhancement:<br>- Added mappings for previously unparsed logs (audit, alarm).<br>- Mapped `FC_Name` to `principal.user.userid`.<br>- Mapped `src` to `principal.ip`.<br>- Mapped `dst` to `target.ip`.<br>- Mapped `Source_HG` to `principal.location.country_or_region`.<br>- Mapped `category` to `security_result.category_details`.<br>- Mapped `details` to `metadata.description`.<br>- Mapped `vendor_severity` `Minor` to `security_result.severity` `INFORMATIONAL`.<br>- Mapped `vendor_severity` `Major` to `security_result.severity` `ERROR`.<br>- Added `Event_type` `USER_UNCATEGORIZED` for unparsed logs.<br>- Added the additional field `Alarm_ID`. |
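The following Python script is an added illustration of the behaviour recorded in two of the entries above: the JSON normalisation and `source_name` IP-or-hostname branching from the 2025-09-12 entry, and the `vendor_severity` to `security_result.severity` table from the 2022-07-06 entry. It is not the Google SecOps parser and not Cisco code; the parser itself is written in Logstash-style filter syntax, and this re-implements the described steps in plain Python so they can be run and checked offline. The two sample log lines, the `https://smc.example.test/...` URLs and the alarm names in them are constructed for the example, and the UDM output is a plain dict rather than the real `event.idm.read_only_udm` proto.

```python
"""Added example: Cisco Stealthwatch JSON normalisation as described in the
2025-09-12 changelog entry, plus the 2022-07-06 vendor_severity mapping.
This is illustrative Python, not the Google SecOps parser itself."""

import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample records (not captured from a real deployment). One carries an
# IP in source_name, the other a hostname; both have the CR/LF noise to strip.
SAMPLE_JSON_LOGS = [
    '{"event": {"id": "1001", "time": "2025-09-12T10:15:30Z", '
    '"source_name": "10.20.30.40", "observations": "Suspicious SMB Activity", '
    '"url": "https://smc.example.test/alarm/1001"}}\r\n',
    '{"event": {"id": "1002", "time": "2025-09-12T10:16:01+00:00", '
    '"source_name": "fileserver-01.example.test", "observations": "Data Hoarding", '
    '"url": "https://smc.example.test/alarm/1002"}}\n',
]


def _looks_like_ip(value: str) -> bool:
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalise_json_log(raw: str) -> dict:
    """The mutate steps from the changelog: strip CR/LF, rename the root `event`
    field to `eventData`, then unnest `eventData` so its keys sit at the top level."""
    message = raw.replace("\r\n", "").replace("\n", "")
    record = json.loads(message)
    if "event" in record:
        record["eventData"] = record.pop("event")
    event_data = record.pop("eventData", None)
    if isinstance(event_data, dict):
        record.update(event_data)
    return record


def to_udm(record: dict) -> dict:
    """Map the flattened record onto the UDM fields named in the changelog."""
    udm = {"metadata": {}, "principal": {"asset": {}}, "security_result": {}}

    time_value = record.get("time")
    if time_value:
        # ISO8601 `time`; fromisoformat() only accepts a trailing 'Z' from Python 3.11
        ts = datetime.fromisoformat(time_value.replace("Z", "+00:00"))
        udm["metadata"]["event_timestamp"] = ts.astimezone(timezone.utc).isoformat()

    if record.get("id") is not None:
        udm["metadata"]["product_log_id"] = str(record["id"])

    # Conditional branch: IP address -> principal.ip / principal.asset.ip,
    # anything else -> principal.hostname / principal.asset.hostname.
    source_name = record.get("source_name")
    if source_name:
        if _looks_like_ip(source_name):
            udm["principal"]["ip"] = [source_name]
            udm["principal"]["asset"]["ip"] = [source_name]
        else:
            udm["principal"]["hostname"] = source_name
            udm["principal"]["asset"]["hostname"] = source_name

    if record.get("url"):
        udm["security_result"]["url_back_to_product"] = record["url"]
    if record.get("observations"):
        udm["security_result"]["rule_id"] = record["observations"]
    return udm


def parse_stealthwatch_json(raw: str) -> dict:
    """Full pipeline for one raw JSON log line."""
    return to_udm(normalise_json_log(raw))


# vendor_severity -> security_result.severity, as listed in the 2022-07-06 entry.
VENDOR_SEVERITY_TO_UDM = {"Minor": "INFORMATIONAL", "Major": "ERROR"}


def map_vendor_severity(vendor_severity: str):
    """Return the UDM severity for a Stealthwatch vendor_severity value, or None
    when the changelog defines no mapping for it (the parser would leave it unset)."""
    return VENDOR_SEVERITY_TO_UDM.get(vendor_severity)


if __name__ == "__main__":
    for line in SAMPLE_JSON_LOGS:
        print(json.dumps(parse_stealthwatch_json(line), indent=2))
```

The IP check uses `ipaddress.ip_address`, so an IPv6 `source_name` also lands in the IP fields; a value such as `10.20.30.40:443` fails the check and is treated as a hostname, which is the same outcome a Grok-based IP pattern would give unless the port is stripped first.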