Change log for CISCO_STEALTHWATCH

Date Changes
2026-01-12 Enhancement:
- `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `eventData_id` raw log field to `event.idm.read_only_udm.metadata.product_event_type`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `host.ip`, `leef.src` raw log fields to `event.idm.read_only_udm.principal.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `host.ip`, `leef.src` raw log fields to `event.idm.read_only_udm.principal.asset.ip`.
- `event.idm.read_only_udm.metadata.product_version`: Newly mapped `version` raw log field to `event.idm.read_only_udm.metadata.product_version`.
- `event.idm.read_only_udm.principal.process.pid`: Newly mapped `process.pid` raw log field to `event.idm.read_only_udm.principal.process.pid`.
- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped `process.name` raw log field to `event.idm.read_only_udm.principal.process.file.full_path`.
- `event.idm.read_only_udm.metadata.description`: Newly mapped `leef.fullmessage` raw log field to `event.idm.read_only_udm.metadata.description`.
- `event.idm.read_only_udm.observer.hostname`: Newly mapped `leef.flowCollectorName` raw log field to `event.idm.read_only_udm.observer.hostname`.
- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `leef.sourceHG` raw log field to `event.idm.read_only_udm.principal.location.country_or_region`.
- `event.idm.read_only_udm.target.ip`: Newly mapped `leef.dst` raw log field to `event.idm.read_only_udm.target.ip`.
- `event.idm.read_only_udm.target.asset.ip`: Newly mapped `leef.dst` raw log field to `event.idm.read_only_udm.target.asset.ip`.
- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `leef.alarmSev` raw log field to `event.idm.read_only_udm.security_result.severity_details`.
- `event.idm.read_only_udm.target.url`: Newly mapped `leef.targetHostSnapshot` raw log field to `event.idm.read_only_udm.target.url`.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `leef.start` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`.
- `event.idm.read_only_udm.security_result.category_details`: Newly mapped `leef.cat` raw log field to `event.idm.read_only_udm.security_result.category_details`.
- `event.idm.read_only_udm.observer.ip`: Newly mapped `leef.flowCollectorIP` raw log field to `event.idm.read_only_udm.observer.ip`.
- `event.idm.read_only_udm.observer.asset.ip`: Newly mapped `leef.flowCollectorIP` raw log field to `event.idm.read_only_udm.observer.asset.ip`.
- `event.idm.read_only_udm.principal.url`: Newly mapped `leef.sourceHostSnapshot` raw log field to `event.idm.read_only_udm.principal.url`.
- `event.idm.read_only_udm.security_result.description`: Newly mapped `leef.msg` raw log field to `event.idm.read_only_udm.security_result.description`.
- `event.idm.read_only_udm.principal.administrative_domain`: Newly mapped `leef.domain` raw log field to `event.idm.read_only_udm.principal.administrative_domain`.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `log.syslog.severity.name` raw log field to `event.idm.read_only_udm.security_result.severity`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `leef.alarmID`, `leef.alarmStatus`, `leef_version`, `service.type`, `log.syslog.severity.code`, `Log_Type`, `delimiter`, `syslog_pri`, `log.syslog.facility.code`, `log.syslog.facility.name`, `event.original` raw log fields to `event.idm.read_only_udm.additional.fields`.
- Added conditional mapping for `security_result.severity` based on `log.syslog.severity.name`.
2025-09-12 Enhancement:
- Modified grok patterns to handle JSON format.
- Added mutate filters to remove `\r\n` and `\n` characters from the message.
- Added mutate filter to rename the root `event` field to `eventData` in JSON logs.
- Added mutate filter to unnest the `eventData` object.
- Updated the date filter to support `ISO8601` format for the `time` field.
- Added conditional logic to map `source_name` to IP fields if it's an IP address, otherwise map it to hostname fields.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `time` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `source_name` raw log field to `event.idm.read_only_udm.principal.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `source_name` raw log field to `event.idm.read_only_udm.principal.asset.ip`.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `source_name` raw log field to `event.idm.read_only_udm.principal.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `source_name` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `id` raw log field to `event.idm.read_only_udm.metadata.product_log_id`.
- `event.idm.read_only_udm.security_result.url_back_to_product`: Newly mapped `url` raw log field to `event.idm.read_only_udm.security_result.url_back_to_product`.
- `event.idm.read_only_udm.security_result.rule_id`: Newly mapped `observations` raw log field to `event.idm.read_only_udm.security_result.rule_id`.
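The 2025-09-12 entry describes a sequence of steps (strip `\r\n` and `\n`, rename the root `event` object to `eventData`, unnest it, parse the ISO8601 `time` field, and route `source_name` to IP or hostname fields depending on whether it is an IP address). The following is an added example that reimplements those steps in Python to make the logic concrete; it is not the parser's own configuration, which is a Logstash-style parser definition. The sample log lines, the URL, and the alarm values are constructed, and the UDM fields are written as dotted-string keys in a flat dictionary for brevity.

```python
"""Added example: the 2025-09-12 JSON handling steps, reimplemented in Python.
Not the parser's own code; sample inputs below are constructed."""
import ipaddress
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample logs (hypothetical values, not real Stealthwatch output).
SAMPLE_JSON_IP = (
    '{"event": {"time": "2025-09-12T10:15:30Z", "source_name": "10.1.2.3", '
    '"id": "12345", "url": "https://smc.example.test/alarm/12345", '
    '"observations": "Suspect Data Hoarding"}}\r\n'
)
SAMPLE_JSON_HOSTNAME = (
    '{"event": {"time": "2025-09-12T11:00:00+02:00", '
    '"source_name": "workstation-42", "id": "12346"}}\n'
)
SAMPLE_NON_JSON = "Jul 29 10:00:00 smc StealthWatch: some unparsed text\n"


def is_ip_address(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address, else False."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_iso8601(value: str) -> str:
    """Parse an ISO8601 timestamp ('Z' or numeric offset) and return it in UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        # Naive timestamps are assumed to be UTC (an assumption of this example).
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


def normalize_stealthwatch_json(raw: str) -> Optional[dict]:
    """Apply the JSON-path steps from the 2025-09-12 change to one raw message."""
    # Step 1: the mutate filters remove \r\n and \n characters from the message.
    message = raw.replace("\r\n", "").replace("\n", "")
    # Step 2: grok recognizes JSON; anything else falls through to the older
    # non-JSON paths, which this example does not model.
    try:
        doc = json.loads(message)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    # Step 3: rename the root "event" object to "eventData" ...
    if "event" in doc:
        doc["eventData"] = doc.pop("event")
    # Step 4: ... and unnest it so its keys sit at the top level.
    nested = doc.pop("eventData", None)
    if isinstance(nested, dict):
        doc.update(nested)

    udm = {}
    # Step 5: the date filter handles the ISO8601 "time" field.
    if doc.get("time"):
        udm["metadata.event_timestamp"] = parse_iso8601(doc["time"])
    # Step 6: source_name goes to IP fields if it is an IP address, else hostname fields.
    source_name = doc.get("source_name")
    if source_name:
        if is_ip_address(source_name):
            udm["principal.ip"] = [source_name]
            udm["principal.asset.ip"] = [source_name]
        else:
            udm["principal.hostname"] = source_name
            udm["principal.asset.hostname"] = source_name
    # Remaining direct mappings listed in the same change.
    if doc.get("id"):
        udm["metadata.product_log_id"] = str(doc["id"])
    if doc.get("url"):
        udm["security_result.url_back_to_product"] = doc["url"]
    if doc.get("observations"):
        udm["security_result.rule_id"] = doc["observations"]
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_JSON_IP, SAMPLE_JSON_HOSTNAME, SAMPLE_NON_JSON):
        print(normalize_stealthwatch_json(sample))
```

The IP check uses the standard library's `ipaddress` module so that IPv6 sources are routed to the IP fields as well, and non-JSON input returns `None` rather than raising, mirroring a parser that lets such messages continue to its grok-based branches.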
2025-07-29 Enhancement:
- Added grok patterns to parse unparsed logs.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `target_hostname` raw log field to `event.idm.read_only_udm.target.hostname`.
- `event.idm.read_only_udm.target.mac`: Newly mapped `target_mac_address` raw log field to `event.idm.read_only_udm.target.mac`.
- `event.idm.read_only_udm.principal.mac`: Newly mapped `source_mac_address` raw log field to `event.idm.read_only_udm.principal.mac`.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `alarm_severity_id` raw log field to `event.idm.read_only_udm.security_result.severity`.
- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `source_username` raw log field to `event.idm.read_only_udm.principal.user.user_display_name`.
- Consolidated all mappings for `event.idm.read_only_udm.additional.fields`.
2024-10-29 Enhancement:
- Added support to handle JSON logs.
2024-09-26 Enhancement:
- Added support to parse CEF format logs.
2024-06-11 Enhancement:
- Updated the Grok pattern to parse the "emc1502" value and mapped it to "principal.hostname".
2023-06-19 Enhancement:
- Mapped "sourceIPv4Address" to "principal.ip".
- Mapped "SourceModuleType" to "observer.application".
- Mapped "SourceModuleName" to "target.resource.name".
- Mapped "MessageSourceAddress" to "principal.ip".
- Mapped "SourcePort" to "principal.port".
- Mapped "Version" to "metadata.product_version".
- Mapped "DestPort" to "target.port".
- Mapped "DestIPv4Address" to "target.ip".
- Mapped "ProtocolIdentifier" to "network.ip_protocol".
- Mapped "inputSNMPIface", "outputSNMPIface", "InPackets" to "additional.fields".
2023-02-10 Fix:
- Added new Grok patterns to parse NFS and SMB protocol type logs.
2022-07-06 Enhancement:
- Added mappings for unparsed logs (audit, alarm).
- `FC_Name` mapped to `principal.user.userid`.
- `src` mapped to `principal.ip`.
- `dst` mapped to `target.ip`.
- `Source_HG` mapped to `principal.location.country_or_region`.
- `category` mapped to `security_result.category_details`.
- `details` mapped to `metadata.description`.
- `vendor_severity` value `Minor` mapped to `security_result.severity` as `INFORMATIONAL`.
- `vendor_severity` value `Major` mapped to `security_result.severity` as `ERROR`.
- Added `Event_type` `USER_UNCATEGORIZED` for unparsed logs.
- Added additional field `Alarm_ID`.