Change log for GTI_IOC
| Date | Changes |
|---|---|
| 2025-11-13 | - `event.idm.entity.entity.security_result.detection_fields`: Newly mapped the raw log fields `eventvalue.attributes.gti_assessment.verdict.value`, `eventvalue.attributes.threat_severity.threat_severity_level`, `eventvalue.attributes.threat_severity.level_description`, `eventvalue.attributes.threat_severity.version`, `eventvalue.attributes.last_https_certificate_raw.extensions.ca_information_access.CA_Issuers`, `eventvalue.attributes.last_https_certificate_raw.extensions.ca_information_access.OCSP`, `eventvalue.attributes.last_https_certificate_raw.extensions.authority_key_identifier.keyid`, `eventvalue.attributes.last_https_certificate_raw.issuer.C`, `eventvalue.attributes.last_https_certificate_raw.issuer.CN` and `eventvalue.attributes.last_https_certificate_raw.issuer.O` as key-value pairs to the `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- `event.idm.entity.additional.fields`: Newly mapped the raw log fields `eventvalue.attributes.gti_assessment.threat_score.value`, `eventvalue.attributes.last_https_certificate_raw.public_key.rsa.exponent`, `eventvalue.attributes.last_https_certificate_raw.public_key.rsa.key_size`, `eventvalue.attributes.last_https_certificate_raw.public_key.rsa.modulus`, `eventvalue.attributes.last_https_certificate_raw.serial_number`, `eventvalue.attributes.last_https_certificate_raw.size`, `eventvalue.attributes.last_https_certificate_raw.thumbprint`, `eventvalue.attributes.last_https_certificate_raw.thumbprint_sha256`, `eventvalue.attributes.last_https_certificate_raw.version`, `eventvalue.attributes.last_https_certificate_raw.extensions.CA`, `eventvalue.attributes.last_dns_records_date`, `eventvalue.attributes.last_analysis_stats_raw.timeout`, `eventvalue.attributes.threat_severity.last_analysis_date`, `eventvalue.attributes.last_https_certificate_raw.last_https_certificate_date`, `eventvalue.attributes.last_https_certificate_raw.validity.not_before` and `eventvalue.attributes.last_https_certificate_raw.validity.not_after` as key-value pairs to the `event.idm.entity.additional.fields` entity field.<br>- `event.idm.entity.entity.labels`: Newly mapped the raw log fields `eventvalue.attributes.total_votes.harmless`, `eventvalue.attributes.total_votes.malicious` and `eventvalue.attributes.last_https_certificate_raw.signature_algorithm` as key-value pairs to the `event.idm.entity.entity.labels` entity field.<br>- `event.idm.entity.entity.security_result.detection_fields`: Newly mapped each value produced by looping over the `eventvalue.attributes.last_https_certificate_raw.extensions.extended_key_usage` raw log field as a key-value pair to the `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- Added gsub transformations on the `message`, `last_analysis_stats`, `last_https_certificate`, `last_dns_records` and `CA Issuers` fields so that the logs parse correctly.<br>- `event.idm.entity.metadata.interval.start_time`: Newly mapped the `eventvalue.attributes.creation_date` or `eventvalue.attributes.last_analysis_date` raw log field to the `event.idm.entity.metadata.interval.start_time` entity field.<br>- `event.idm.entity.metadata.interval.end_time`: Newly mapped the `eventvalue.attributes.expiration_date` or `eventvalue.attributes.last_modification_date` raw log field to the `event.idm.entity.metadata.interval.end_time` entity field. |
| 2025-10-15 | - `event.idm.entity.metadata.interval.start_time`: Newly mapped the `eventvalue.attributes.creation_date.seconds` or `eventvalue.attributes.last_analysis_date.seconds` raw log field to the `event.idm.entity.metadata.interval.start_time` entity field.<br>- `event.idm.entity.metadata.interval.end_time`: Newly mapped the `eventvalue.attributes.expiration_date.seconds` or `eventvalue.attributes.last_modification_date.seconds` raw log field to the `event.idm.entity.metadata.interval.end_time` entity field.<br>- `event.idm.entity.metadata.threat.confidence_details`: Newly mapped the `eventvalue.attributes.gti_assessment.contributing_factors.gti_confidence_score` raw log field to the `event.idm.entity.metadata.threat.confidence_details` entity field.<br>- `event.idm.entity.metadata.threat.description`: Newly mapped the `eventvalue.attributes.gti_assessment.description` raw log field to the `event.idm.entity.metadata.threat.description` entity field.<br>- `event.idm.entity.metadata.threat.severity_details`: Newly mapped the `eventvalue.attributes.gti_assessment.severity.gti_severity` raw log field to the `event.idm.entity.metadata.threat.severity_details` entity field.<br>- `event.idm.entity.metadata.threat.risk_score`: Newly mapped the `eventvalue.attributes.gti_assessment.threat_score.gti_threat_score` raw log field to the `event.idm.entity.metadata.threat.risk_score` entity field.<br>- `event.idm.entity.metadata.threat.url_back_to_product`: Newly mapped the `eventvalue.links.self` raw log field to the `event.idm.entity.metadata.threat.url_back_to_product` entity field.<br>- `event.idm.entity.entity.file.md5`: Newly mapped the `eventvalue.attributes.md5` raw log field to the `event.idm.entity.entity.file.md5` entity field.<br>- `event.idm.entity.entity.file.sha1`: Newly mapped the `eventvalue.attributes.sha1` raw log field to the `event.idm.entity.entity.file.sha1` entity field.<br>- `event.idm.entity.entity.file.sha256`: Newly mapped the `eventvalue.id` raw log field to the `event.idm.entity.entity.file.sha256` entity field.<br>- `event.idm.entity.entity.url`: Newly mapped the `eventvalue.attributes.url` raw log field to the `event.idm.entity.entity.url` entity field.<br>- `event.idm.entity.entity.ip`: Newly mapped the `eventvalue.id` raw log field to the `event.idm.entity.entity.ip` entity field.<br>- `event.idm.entity.entity.hostname`: Newly mapped the `eventvalue.id` raw log field to the `event.idm.entity.entity.hostname` entity field. (`eventvalue.id` carries the IOC itself: the SHA-256 for file objects, the address for IP objects and the domain name for domain objects, so only one of `file.sha256`, `ip` or `hostname` is populated for a given entity.)<br>- `event.idm.entity.entity.domain.jarm`: Newly mapped the `eventvalue.attributes.jarm` raw log field to the `event.idm.entity.entity.domain.jarm` entity field.<br>- `event.idm.entity.entity.domain.registrar`: Newly mapped the `eventvalue.attributes.registrar` raw log field to the `event.idm.entity.entity.domain.registrar` entity field.<br>- `event.idm.entity.entity.labels`: Newly mapped various fields under `eventvalue.attributes.gti_assessment.contributing_factors.` and `eventvalue.attributes.last_analysis_stats_raw.` to the `event.idm.entity.entity.labels` entity field.<br>- `event.idm.entity.entity.security_result.detection_fields`: Newly mapped `eventvalue.attributes.gti_assessment.verdict.gti_verdict`, `eventvalue.attributes.last_https_certificate_raw.cert_signature.signature` and the fields within `eventvalue.attributes.last_analysis_results_raw` to the `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- `event.idm.entity.additional.fields`: Newly mapped a large number of fields under `eventvalue.attributes.last_analysis_results_raw.`, `eventvalue.attributes.last_dns_records_raw.`, `eventvalue.attributes.last_https_certificate_raw.`, `eventvalue.attributes.signature_info.`, `eventvalue.attributes.pe_info_raw.`, `eventvalue.attributes.trid.`, `eventvalue.attributes.magic`, `eventvalue.attributes.main_icon.`, `eventvalue.attributes.meaningful_name` and `eventvalue.attributes.exiftool_raw.` to the `event.idm.entity.additional.fields` entity field.<br>- Added a Grok pattern (`IP:id`) on the `id` field to extract an IP address.<br>- The parser transforms the input message by replacing `}{` with `},{` and wrapping the result in `[` and `]` so that a stream of concatenated JSON objects becomes a valid JSON array.<br>- Added gsub transformations on the `message` and `event_data_string` fields so that the logs parse correctly.<br>- Added a JSON filter on the `event_data_string` field so that the logs parse correctly. |
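The 2025-10-15 entry describes the message preprocessing (replace `}{` with `},{`, wrap as a JSON array), a Grok pattern on `id`, and the interval and hash mappings. The Python below is an added example, not the GTI_IOC parser's own code: it reproduces that preprocessing and a handful of the mappings over a constructed message, and shows the one caveat worth knowing about the `}{` gsub. It is a plain string replacement, so a `}{` that happens to sit inside a string value is rewritten too, silently, with no parse error to flag it; decoding object by object with `json.JSONDecoder.raw_decode` avoids that. The sample message, the `id_target` dispatch (the changelog maps `eventvalue.id` to `ip`, `hostname` and `file.sha256` but does not state the selection rule) and the bare-integer handling of the unsuffixed date names from the 2025-11-13 entry are assumptions.

```python
"""Added example (not the GTI_IOC parser's own code): the preprocessing and a
few of the mappings the changelog describes, written in plain Python so the
behaviour can be checked offline. Field names follow the changelog; the
dispatch of `id` to ip / hostname / file.sha256 is an assumption."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample: three IOC objects concatenated with no separator, the
# "}{" shape the 2025-10-15 entry says the raw message arrives in. Values are
# made up; the {"seconds": N} date wrapper follows the 2025-10-15 entry.
SAMPLE_MESSAGE = (
    '{"id": "198.51.100.7", "links": {"self": "https://gti.example.invalid/ip/198.51.100.7"},'
    ' "attributes": {"gti_assessment": {"verdict": {"value": "VERDICT_MALICIOUS"},'
    ' "threat_score": {"value": 80}}, "last_analysis_date": {"seconds": 1700000000},'
    ' "last_modification_date": {"seconds": 1700003600},'
    ' "note": "literal }{ inside a string value"}}'
    '{"id": "' + "a" * 64 + '", "attributes": {"md5": "' + "b" * 32 + '",'
    ' "creation_date": {"seconds": 1600000000}, "expiration_date": {"seconds": 1600086400}}}'
    '{"id": "bad.example", "attributes": {"registrar": "Example Registrar Inc"}}'
)


def split_objects_naive(message: str) -> list:
    """The transformation the changelog describes: '}{' -> '},{' then wrap in [ ].
    Context-free, so a '}{' inside a string value is rewritten as well."""
    return json.loads("[" + message.replace("}{", "},{") + "]")


def split_objects_raw_decode(message: str) -> list:
    """Context-aware alternative: decode one object at a time with raw_decode."""
    decoder = json.JSONDecoder()
    objects, pos = [], 0
    while pos < len(message):
        if message[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(message, pos)
        objects.append(obj)
    return objects


SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def id_target(ioc_id: str) -> str:
    """Assumed dispatch: 'id' carries the IOC itself, so its shape picks the target."""
    try:
        ipaddress.ip_address(ioc_id)
        return "entity.ip"
    except ValueError:
        pass
    if SHA256_RE.match(ioc_id):
        return "entity.file.sha256"
    return "entity.hostname"


def epoch_utc(attrs: dict, name: str):
    """Accept {"seconds": N} (2025-10-15 entry) or a bare epoch integer (assumed
    for the unsuffixed names in the 2025-11-13 entry); return aware datetime or None."""
    value = attrs.get(name)
    if isinstance(value, dict):
        value = value.get("seconds")
    if value is None:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def to_entity(obj: dict) -> dict:
    """Flatten one IOC object into a dict keyed by the entity path it maps to."""
    attrs = obj.get("attributes", {})
    gti = attrs.get("gti_assessment", {})
    entity = {id_target(obj["id"]): obj["id"]}
    for src, dst in (("md5", "entity.file.md5"), ("sha1", "entity.file.sha1"),
                     ("url", "entity.url"), ("jarm", "entity.domain.jarm"),
                     ("registrar", "entity.domain.registrar")):
        if src in attrs:
            entity[dst] = attrs[src]
    if obj.get("links", {}).get("self"):
        entity["metadata.threat.url_back_to_product"] = obj["links"]["self"]
    verdict = gti.get("verdict", {}).get("value")
    if verdict is not None:
        entity["security_result.detection_fields"] = {"gti_assessment.verdict.value": verdict}
    score = gti.get("threat_score", {}).get("value")
    if score is not None:
        entity["additional.fields"] = {"gti_assessment.threat_score.value": score}
    # Interval: first available of the two sources the changelog names for each end.
    start = epoch_utc(attrs, "creation_date") or epoch_utc(attrs, "last_analysis_date")
    end = epoch_utc(attrs, "expiration_date") or epoch_utc(attrs, "last_modification_date")
    if start:
        entity["metadata.interval.start_time"] = start.isoformat()
    if end:
        entity["metadata.interval.end_time"] = end.isoformat()
    return entity


if __name__ == "__main__":
    for e in map(to_entity, split_objects_raw_decode(SAMPLE_MESSAGE)):
        print(json.dumps(e, indent=2))
```

Running it prints one flattened entity per object. Compare the `note` value from `split_objects_naive` with the one from `split_objects_raw_decode` on the sample: the naive path returns the same three objects but with the string quietly changed to `},{`, which is exactly the kind of corruption a parser-level gsub cannot detect.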