Change log for FORCEPOINT_WEBPROXY
| Date | Changes |
|---|---|
| 2025-10-14 | Enhancement:<br>- The gsub mutations were removed because they stripped percent signs, corrupting URL-encoded data in logs; this caused the grok patterns to extract invalid IP addresses (e.g., 24.0.0.07) and triggered field type check failures. |
| 2025-09-12 | Enhancement:<br>- Added support to parse the timestamp properly.<br>- event.idm.read_only_udm.target.process.file.mime_type: Newly Mapped `extension` raw log field with `event.idm.read_only_udm.target.process.file.mime_type` UDM field.<br>- event.idm.read_only_udm.target.file.mime_type: Newly Mapped `filetype` raw log field with `event.idm.read_only_udm.target.file.mime_type` UDM field.<br>- event.idm.read_only_udm.network.http.method: Newly Mapped `method` raw log field with `event.idm.read_only_udm.network.http.method` UDM field.<br>- event.idm.read_only_udm.network.received_bytes: Newly Mapped `received_bytes` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field.<br>- event.idm.read_only_udm.network.sent_bytes: Newly Mapped `sent_bytes` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.<br>- event.idm.read_only_udm.network.http.response_code: Newly Mapped `response_code` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field.<br>- event.idm.read_only_udm.principal.location.country_or_region: Newly Mapped `region` raw log field with `event.idm.read_only_udm.principal.location.country_or_region` UDM field.<br>- event.idm.read_only_udm.network.application_protocol: Newly Mapped `protocol` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field.<br>- event.idm.read_only_udm.security_result.description: Newly Mapped `sec_description` raw log field with `event.idm.read_only_udm.security_result.description` UDM field.<br>- event.idm.read_only_udm.network.http.user_agent: Newly Mapped `version` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field.<br>- event.idm.read_only_udm.network.http.parsed_user_agent: Newly Mapped `version` raw log field with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.<br>- event.idm.read_only_udm.principal.location.city: Newly Mapped `city` raw log field with `event.idm.read_only_udm.principal.location.city` UDM field.<br>- event.idm.read_only_udm.target.url: Newly Mapped `turl` raw log field with `event.idm.read_only_udm.target.url` UDM field.<br>- event.idm.read_only_udm.principal.user.userid: Newly Mapped `userid` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- event.idm.read_only_udm.principal.user.email_addresses: Newly Mapped `email` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.<br>- event.idm.read_only_udm.security_result.action: Newly Mapped `_action` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.<br>- event.idm.read_only_udm.metadata.description: Newly Mapped `descrip` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.<br>- event.idm.read_only_udm.security_result.action_details: Newly Mapped `status` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- event.idm.read_only_udm.principal.application: Newly Mapped `appname` raw log field with `event.idm.read_only_udm.principal.application` UDM field.<br>- event.idm.read_only_udm.target.ip: Newly Mapped `tip` raw log field with `event.idm.read_only_udm.target.ip` UDM field.<br>- event.idm.read_only_udm.target.asset.ip: Newly Mapped `tip` raw log field with `event.idm.read_only_udm.target.asset.ip` UDM field.<br>- event.idm.read_only_udm.principal.ip: Newly Mapped `pip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- event.idm.read_only_udm.principal.asset.ip: Newly Mapped `pip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- event.idm.read_only_udm.principal.ip: Newly Mapped `p_ip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- event.idm.read_only_udm.principal.asset.ip: Newly Mapped `p_ip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- event.idm.read_only_udm.metadata.event_timestamp: Newly Mapped `log_timestamp` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- event.idm.read_only_udm.target.port: Newly Mapped `port` raw log field with `event.idm.read_only_udm.target.port` UDM field. |
| 2025-09-05 | Enhancement:<br>- Added support for new CSV format logs.<br>- event.idm.read_only_udm.network.http.user_agent: Newly Mapped `version` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field.<br>- event.idm.read_only_udm.network.http.parsed_user_agent: Newly Mapped `version` raw log field with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.<br>- event.idm.read_only_udm.principal.location.city: Newly Mapped `city` raw log field with `event.idm.read_only_udm.principal.location.city` UDM field.<br>- event.idm.read_only_udm.target.url: Newly Mapped `turl` raw log field with `event.idm.read_only_udm.target.url` UDM field.<br>- event.idm.read_only_udm.principal.user.userid: Newly Mapped `userid` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- event.idm.read_only_udm.principal.user.email_addresses: Newly Mapped `email` raw log field with `event.idm.read_only_udm.principal.user.email_addresses` UDM field.<br>- event.idm.read_only_udm.metadata.description: Newly Mapped `descrip` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.<br>- event.idm.read_only_udm.security_result.action: Newly Mapped `status` raw log field with `event.idm.read_only_udm.security_result.action` UDM field.<br>- event.idm.read_only_udm.security_result.action_details: Newly Mapped `status` raw log field with `event.idm.read_only_udm.security_result.action_details` UDM field.<br>- event.idm.read_only_udm.principal.application: Newly Mapped `appname` raw log field with `event.idm.read_only_udm.principal.application` UDM field.<br>- event.idm.read_only_udm.target.ip: Newly Mapped `tip` raw log field with `event.idm.read_only_udm.target.ip` UDM field.<br>- event.idm.read_only_udm.target.asset.ip: Newly Mapped `tip` raw log field with `event.idm.read_only_udm.target.asset.ip` UDM field.<br>- event.idm.read_only_udm.principal.ip: Newly Mapped `pip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- event.idm.read_only_udm.principal.asset.ip: Newly Mapped `pip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- event.idm.read_only_udm.principal.ip: Newly Mapped `p_ip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.<br>- event.idm.read_only_udm.principal.asset.ip: Newly Mapped `p_ip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field. |
| 2025-04-11 | Enhancement:<br>- event.idm.read_only_udm.intermediary.hostname: Removed mapping of `dhost` from `event.idm.read_only_udm.intermediary.hostname` UDM field and mapped `dvchost` instead.<br>- event.idm.read_only_udm.target.hostname: Newly Mapped `dhost` raw log field with `event.idm.read_only_udm.target.hostname` UDM field. |
| 2025-03-06 | Enhancement:<br>- Mapped "rt" to "event.timestamp". |
| 2025-01-16 | Enhancement:<br>- Mapped "security_result.action" to "BLOCK" when "s-action" is "TCP_DENIED". |
| 2024-10-18 | Enhancement:<br>- Added support to parse the previously unparsed CSV logs.<br>- Added support to drop invalid CSV logs.<br>- Mapped "host-url" to "principal.url". |
| 2024-07-10 | Enhancement:<br>- Added the Grok patterns for new KV format logs.<br>- Mapped "username" to "principal.user.userid".<br>- Mapped "cs-uri" to "target.url".<br>- Mapped "cs-uri-query", "time-taken", "filter-category", "cs-uri-path", "cs-uri-extension" and "rs_content_type" to "additional.fields".<br>- If "sc-filter-result" is "OBSERVED", set "security_result.action" to "ALLOW"; if "sc-filter-result" is "DENIED", set "security_result.action" to "BLOCK"; otherwise set "security_result.action" to "ALLOW".<br>- Mapped "cs-auth-group" to "principal.user_group_identifiers".<br>- Mapped "cs-method" to "network.http.method".<br>- Mapped "sc-status" to "response_code".<br>- Mapped "s-action" to "security_result.detection_fields".<br>- Mapped "srcport" to "principal.port".<br>- Mapped "dstport" to "target.port".<br>- Mapped "sc-bytes" to "network.received_bytes".<br>- Mapped "cs-bytes" to "network.sent_bytes".<br>- Mapped "cs" to "security_result.summary".<br>- Mapped "cs_referer" to "network.http.referral_url".<br>- Mapped "cs-host" to "target.hostname". |
| 2024-06-10 | Enhancement:<br>- Added support for CSV format logs. |
| 2023-06-12 | Enhancement:<br>- Modified the Grok pattern to parse failing logs in which some of the values are present as '-'.<br>- Added a condition check for the field 'http_response' before mapping. |
| 2022-08-11 | Enhancement:<br>- Modified grok to parse CEF type logs with no syslog header. |
| 2022-05-16 | Enhancement:<br>- Mapped category number to security_result.detection_fields. |
| 2022-05-05 | Enhancement:<br>Added mapping for fields:<br>- requestClientApplication to http.user_agent.<br>- proxyStatus-code to http.response_code.<br>- disposition and cn1 to security_result.detection_fields.<br>- Mapped 'cs2' field to 'security_result.category_details' if the value of 'cs2Label' is 'DynCat'.<br>- Mapped 'cs2' field to 'security_result.detection_fields' if the value of 'cs2Label' is 'NatRuleId'. |
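The 2025-10-14 entry describes how stripping percent signs before grok extraction produced invalid IP candidates that then failed the typed-field check. The following added Python example (not part of the parser or this change log) reproduces that failure on a constructed key=value log line and shows the non-stripping path beside it; the permissive octet pattern, the strict type check, the KV layout and the sample values are all assumptions.

```python
import re
from urllib.parse import unquote

# Octet alternation in the spirit of grok's built-in IPV4 pattern: "[0-1]?[0-9]{1,2}"
# accepts "07", so a leading-zero octet passes extraction and only fails later,
# at the typed-field check. Assumed to be applied to a whole key=value value.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})"
LOOSE_IPV4 = re.compile(rf"\A{_OCTET}(?:\.{_OCTET}){{3}}\Z")


def strict_ipv4(value):
    """Type check: four decimal octets, each 0-255, no leading zeros."""
    parts = value.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts
    )


def parse_kv(line):
    """Split a space-separated key=value log line into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def extract_ips(fields, strip_percent):
    """Return {key: (candidate, type_check_ok)} for every value the loose pattern
    accepts. strip_percent=True reproduces the removed gsub mutation; False leaves
    URL-encoded values intact and decodes them instead."""
    out = {}
    for key, value in fields.items():
        text = value.replace("%", "") if strip_percent else unquote(value)
        if LOOSE_IPV4.match(text):
            out[key] = (text, strict_ipv4(text))
    return out


# Constructed sample line: the query value is URL-encoded ("%24" decodes to "$").
SAMPLE = "src=10.20.30.40 method=GET query=%24.0.0.07 status=200"

if __name__ == "__main__":
    fields = parse_kv(SAMPLE)
    # With the gsub, "query" becomes "24.0.0.07": extracted, then rejected by the type check.
    print("with gsub:   ", extract_ips(fields, strip_percent=True))
    # Without it, the decoded value "$.0.0.07" is never mistaken for an IP.
    print("without gsub:", extract_ips(fields, strip_percent=False))
```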