Change log for TRELLIX_HX_ES
| Date | Changes |
|---|---|
| 2025-11-13 | Enhancement:<br>- `event.idm.read_only_udm.target.http.user_agent`: Removed mapping of `userAgent` from the `event.idm.read_only_udm.network.http.user_agent` UDM field when `EventType` is `urlMonitorEvent`, in order to introduce a more accurate mapping for the raw log fields.<br>- `event.idm.read_only_udm.target.http.method`: Removed mapping of `urlMethod` from the `event.idm.read_only_udm.network.http.method` UDM field when `EventType` is `urlMonitorEvent`, in order to introduce a more accurate mapping for the raw log fields.<br>- `event.idm.read_only_udm.target.network.http.user_agent`: Newly mapped the `userAgent` raw log field to the `event.idm.read_only_udm.target.network.http.user_agent` UDM field when `EventType` is `urlMonitorEvent`.<br>- `event.idm.read_only_udm.target.network.http.method`: Newly mapped the `urlMethod` raw log field to the `event.idm.read_only_udm.target.network.http.method` UDM field when `EventType` is `urlMonitorEvent`.<br>- `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname`: Newly mapped the `hostname` raw log field to the `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields when `EventType` is `urlMonitorEvent`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `Connection`, `Accept`, `Accept-Encoding`, `If-Unmodified-Since`, and `Range` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-11-10 | Enhancement:<br>- `event.idm.read_only_udm.principal.process.pid`: Newly mapped the `ProcessId` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field when `EventType` is `DeleteValue`.<br>- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped the `Image` raw log field to the `event.idm.read_only_udm.principal.process.file.full_path` UDM field when `EventType` is `DeleteValue`.<br>- `event.idm.read_only_udm.target.registry.registry_key`: Newly mapped the `TargetObject` raw log field to the `event.idm.read_only_udm.target.registry.registry_key` UDM field when `EventType` is `DeleteValue`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `SourceName`, `AccountType`, `text`, `ProcessID` and `Keywords` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.rule_name`: Newly mapped the `RuleName` raw log field to the `event.idm.read_only_udm.security_result.rule_name` UDM field.<br>- `event.idm.read_only_udm.principal.process.product_specific_process_id`: Newly mapped the `ProcessGuid` raw log field to the `event.idm.read_only_udm.principal.process.product_specific_process_id` UDM field.<br>- `event.idm.read_only_udm.security_result.severity`: Set the `event.idm.read_only_udm.security_result.severity` UDM field to `INFORMATIONAL` when the `Severity` raw log field is `INFO`, and to `ERROR` when the `Severity` raw log field is `ERROR`.<br>- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped the `SeverityValue` raw log field to the `event.idm.read_only_udm.security_result.severity_details` UDM field.<br>- `event.idm.read_only_udm.src.registry.registry_key`: Newly mapped the `originalPath` raw log field to the `event.idm.read_only_udm.src.registry.registry_key` UDM field when `eventType` is `RegValueChange`.<br>- `event.idm.read_only_udm.principal.process.pid`: Newly mapped the `pid` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field when `eventType` is `RegValueChange`.<br>- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped the `processPath` raw log field to the `event.idm.read_only_udm.principal.process.file.full_path` UDM field when `eventType` is `RegValueChange`.<br>- `event.idm.read_only_udm.target.registry.registry_value_name`: Newly mapped the `valueName` raw log field to the `event.idm.read_only_udm.target.registry.registry_value_name` UDM field when `eventType` is `RegValueChange`.<br>- `event.idm.read_only_udm.target.registry.registry_value_type`: Set the `event.idm.read_only_udm.target.registry.registry_value_type` UDM field to `DWORD` when `valueType` matches `DWORD`.<br>- `event.idm.read_only_udm.target.registry.registry_key`: Newly mapped the `path` raw log field to the `event.idm.read_only_udm.target.registry.registry_key` UDM field when `eventType` is `RegValueChange`.<br>- `event.idm.read_only_udm.target.registry.registry_value_data`: Newly mapped the `value` raw log field to the `event.idm.read_only_udm.target.registry.registry_value_data` UDM field when `eventType` is `RegValueChange`.<br>- `event.idm.read_only_udm.metadata.event_type`: Set `event.idm.read_only_udm.metadata.event_type` to `REGISTRY_DELETION` when `principal_machine_present` is `true`, `has_target_registry` is `true` and `EventType` is `DeleteValue`.<br>- Modified the date filter to parse `event.idm.read_only_udm.metadata.event_timestamp` correctly. |
| 2025-11-07 | Enhancement:<br>- `event.idm.read_only_udm.target.process.file.names`: Removed mapping of `process` from the `event.idm.read_only_udm.target.process.file.names` UDM field because the process is the actor (principal), while the registry key itself is the object of the action.<br>- `event.idm.read_only_udm.principal.process.file.names`: Newly mapped the `process` raw log field to the `event.idm.read_only_udm.principal.process.file.names` UDM field.<br>- `event.idm.read_only_udm.target.process.file.full_path`: Removed mapping of `processPath` from the `event.idm.read_only_udm.target.process.file.full_path` UDM field because it identifies the actor process causing the event, not the target of the action.<br>- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped the `processPath` raw log field to the `event.idm.read_only_udm.principal.process.file.full_path` UDM field.<br>- `event.idm.read_only_udm.target.process.pid`: Removed mapping of `pid` from the `event.idm.read_only_udm.target.process.pid` UDM field because the PID identifies the process initiating the event, making it the actor (principal) rather than the object being acted upon (target).<br>- `event.idm.read_only_udm.principal.process.pid`: Newly mapped the `pid` raw log field to the `event.idm.read_only_udm.principal.process.pid` UDM field.<br>- `event.idm.read_only_udm.target.registry.registry_key`: Newly mapped the `path` raw log field to the `event.idm.read_only_udm.target.registry.registry_key` UDM field.<br>- `event.idm.read_only_udm.target.registry.registry_key`: Removed mapping of `originalPath` from the `event.idm.read_only_udm.target.registry.registry_key` UDM field because `originalPath` is the actual underlying registry key being affected, as distinguished from the potentially symbolic path.<br>- `event.idm.read_only_udm.src.registry.registry_key`: Newly mapped the `originalPath` raw log field to the `event.idm.read_only_udm.src.registry.registry_key` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: If `eventType` is `RegKeyChange`, updated to `REGISTRY_MODIFICATION`.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `timestamp` raw log field to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type`: If `eventType` is `imageLoadEvent`, updated to `USER_UNCATEGORIZED`. |
| 2025-11-06 | Enhancement:<br>- Added a grok pattern for the `kv_msg` field to map more fields.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `threat_name` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `threat_id` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.first_discovered_time`: Newly mapped the `startTime` raw log field to the `event.idm.read_only_udm.security_result.first_discovered_time` UDM field.<br>- Added a replace condition on the `pid` raw log field that sets `has_target_process` to `true`, so that `event_type` becomes `PROCESS_TERMINATION`. |
| 2025-08-06 | Enhancement:<br>- Added an `on_error` check on the `parentProcess` raw log field before setting `has_principal_process` to `true`. |
| 2025-08-03 | Enhancement:<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Mapped the `timestamp` field to `event.idm.read_only_udm.metadata.event_timestamp`.<br>- `event.idm.read_only_udm.network.dns.questions`: Mapped the `hostname` field to `event.idm.read_only_udm.network.dns.questions.name` when it is available.<br>- `event.idm.read_only_udm.target.process.file.names`: Mapped the `process` field to `event.idm.read_only_udm.target.process.file.names`.<br>- `event.idm.read_only_udm.target.process.file.full_path`: Mapped the `processPath` field to `event.idm.read_only_udm.target.process.file.full_path`.<br>- `event.idm.read_only_udm.target.process.file.md5`: Mapped the `md5` field to `event.idm.read_only_udm.target.process.file.md5`.<br>- `event.idm.read_only_udm.target.process.command_line`: Mapped the `processCmdLine` field to `event.idm.read_only_udm.target.process.command_line`.<br>- `event.idm.read_only_udm.target.process.pid`: Mapped the `pid` field to `event.idm.read_only_udm.target.process.pid`.<br>- `event.idm.read_only_udm.target.file.names`: Mapped the `fileName` field to `event.idm.read_only_udm.target.file.names`.<br>- `event.idm.read_only_udm.target.file.mime_type`: Mapped the `fileExtension` field to `event.idm.read_only_udm.target.file.mime_type`.<br>- `event.idm.read_only_udm.target.file.full_path`: Mapped `processPath` and `fileName` to `event.idm.read_only_udm.target.file.full_path` when both are available.<br>- `event.idm.read_only_udm.principal.process.file.full_path`: Mapped the `fullPath` field to `event.idm.read_only_udm.principal.process.file.full_path`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `sequence_num`, `drive`, `filePath`, `devicePath`, `args`, `ipv6`, `writes`, `numBytesSeenWritten`, `lowestFileOffsetSeen`, `dataAtLowestOffset`, `textAtLowestOffset`, `closed`, `openTimeRaw`, `openDuration`, `eventReason`, `AgentId`, `data`, `hive`, `keyPath` and `path` raw log fields to `event.idm.read_only_udm.additional.fields`.<br>- `event.idm.read_only_udm.principal.process.pid`: Mapped the `parentPid` field to `event.idm.read_only_udm.principal.process.pid`.<br>- `event.idm.read_only_udm.principal.process.file.full_path`: Mapped the `parentProcessPath` field to `event.idm.read_only_udm.principal.process.file.full_path`.<br>- `event.idm.read_only_udm.principal.process.parent_process.file.names`: Mapped the `parentProcess` field to `event.idm.read_only_udm.principal.process.parent_process.file.names`.<br>- `event.idm.read_only_udm.principal.process.parent_process.file.full_path`: Mapped the `parentPath` field to `event.idm.read_only_udm.principal.process.parent_process.file.full_path`.<br>- `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Mapped the `remoteIP` and `remoteIpAddress` fields to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Mapped the `localIP` field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.principal.port`: Mapped the `localPort` field to `event.idm.read_only_udm.principal.port`.<br>- `event.idm.read_only_udm.target.port`: Mapped the `remotePort` field to `event.idm.read_only_udm.target.port`.<br>- `event.idm.read_only_udm.target.url`: Mapped the `requestUrl` field to `event.idm.read_only_udm.target.url`.<br>- `event.idm.read_only_udm.network.http.method`: Mapped the `urlMethod` field to `event.idm.read_only_udm.network.http.method`.<br>- `event.idm.read_only_udm.network.http.user_agent`: Mapped the `userAgent` field to `event.idm.read_only_udm.network.http.user_agent`.<br>- `event.idm.read_only_udm.metadata.product_event_type`: Mapped the `EventType` or `eventType` field to `event.idm.read_only_udm.metadata.product_event_type`.<br>- `event.idm.read_only_udm.network.application_protocol`: Mapped the `proto` field to `event.idm.read_only_udm.network.application_protocol`.<br>- `event.idm.read_only_udm.network.application_protocol_version`: Mapped the `proto_version` field to `event.idm.read_only_udm.network.application_protocol_version`.<br>- `event.idm.read_only_udm.target.registry.registry_key`: Mapped the `originalPath` field to `event.idm.read_only_udm.target.registry.registry_key`.<br>- `event.idm.read_only_udm.metadata.event_type`: Updated according to the following rules:<br>- If `EventID` is `7036` and the event has both principal and target, updated to `SERVICE_STOP` or `SERVICE_START` based on the `param2` field.<br>- If `event_type` is `GENERIC_EVENT`, `principal_machine_present` is `true` and `has_dns` is `true`, updated to `NETWORK_DNS`.<br>- If `event_type` is `GENERIC_EVENT`, `principal_machine_present` is `true` and `network_application_protocol` is `HTTP`, updated to `NETWORK_HTTP`.<br>- If `event_type` is `GENERIC_EVENT`, `principal_machine_present` and `has_target_process` are `true`, and `eventType` is `start`, updated to `PROCESS_LAUNCH`.<br>- If `event_type` is `GENERIC_EVENT`, `principal_machine_present` and `has_target_process` are `true`, and `eventType` is `end`, updated to `PROCESS_TERMINATION`.<br>- If `event_type` is `GENERIC_EVENT`, `has_file` and `principal_machine_present` are `true`, and `eventType` is `fileWriteEvent`, updated to `FILE_MODIFICATION`.<br>- If `event_type` is `GENERIC_EVENT`, and `principal_machine_present`, `has_target_process` and `has_principal_process` are `true`, updated to `PROCESS_MODULE_LOAD`.<br>- If `event_type` is `GENERIC_EVENT`, `principal_machine_present` is `true` and `has_target_registry` is `true`, updated to `REGISTRY_MODIFICATION`.<br>- If `event_type` is `GENERIC_EVENT`, and `has_target` and `has_principal` are `true`, updated to `NETWORK_CONNECTION`. |
| 2025-02-28 | Enhancement:<br>- Refreshed the parser to map all fields correctly. |
| 2024-11-28 | Enhancement:<br>- Mapped `security_result.action` based on the login status.<br>- When the login fails, mapped `security_result.category` to `AUTH_VIOLATION`.<br>- Mapped `Status`, `FailureReason`, `SubStatus`, and `LogonType` to `additional.fields`. |
| 2024-11-14 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
| 2024-03-31 | - Newly created parser. |
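The `metadata.event_type` rules spread across the 2025-08-03, 2025-11-07 and 2025-11-10 entries above, collected into one decision function as an added illustration; this is not the Trellix HX parser's own code. The dict keys are the raw log fields and derived flags named in the log; the top-to-bottom, first-match-wins evaluation order and the `param2` value compared for `EventID` 7036 are assumptions the page does not state.

```python
# Added illustrative model of the metadata.event_type rules in this change
# log; not the Trellix HX parser's own code. `ev` holds raw log fields plus
# the parser's derived boolean flags named on the page. Assumptions: rules
# run top to bottom with first match winning, and param2 for EventID 7036
# is compared against "stopped" (the page does not give the exact values).
from typing import Any, Dict

RULES = [  # (required true flags, required raw field values, resulting event_type)
    (["principal_machine_present", "has_dns"], {}, "NETWORK_DNS"),
    (["principal_machine_present"], {"network_application_protocol": "HTTP"}, "NETWORK_HTTP"),
    (["principal_machine_present", "has_target_process"], {"eventType": "start"}, "PROCESS_LAUNCH"),
    (["principal_machine_present", "has_target_process"], {"eventType": "end"}, "PROCESS_TERMINATION"),
    (["principal_machine_present", "has_file"], {"eventType": "fileWriteEvent"}, "FILE_MODIFICATION"),
    (["principal_machine_present", "has_target_process", "has_principal_process"], {}, "PROCESS_MODULE_LOAD"),
    (["principal_machine_present", "has_target_registry"], {"EventType": "DeleteValue"}, "REGISTRY_DELETION"),
    (["principal_machine_present", "has_target_registry"], {}, "REGISTRY_MODIFICATION"),
    (["has_target", "has_principal"], {}, "NETWORK_CONNECTION"),
]


def classify_event_type(ev: Dict[str, Any]) -> str:
    """Return the UDM metadata.event_type for one parsed event (GENERIC_EVENT if nothing fits)."""
    # Windows service control events (EventID 7036) are decided by param2 first.
    if ev.get("EventID") == "7036" and ev.get("has_principal") and ev.get("has_target"):
        return "SERVICE_STOP" if str(ev.get("param2", "")).lower() == "stopped" else "SERVICE_START"
    # Explicit eventType overrides introduced in the 2025-11-07 entry.
    if ev.get("eventType") == "RegKeyChange":
        return "REGISTRY_MODIFICATION"
    if ev.get("eventType") == "imageLoadEvent":
        return "USER_UNCATEGORIZED"
    for flags, fields, result in RULES:
        if all(ev.get(f) is True for f in flags) and all(ev.get(k) == v for k, v in fields.items()):
            return result
    return "GENERIC_EVENT"


# Constructed sample events (not real Trellix HX logs), one per rule of interest.
SAMPLES = {
    "dns": {"principal_machine_present": True, "has_dns": True, "hostname": "example.test"},
    "http": {"principal_machine_present": True, "network_application_protocol": "HTTP"},
    "proc_end": {"principal_machine_present": True, "has_target_process": True, "eventType": "end"},
    "reg_del": {"principal_machine_present": True, "has_target_registry": True, "EventType": "DeleteValue"},
    "reg_mod": {"principal_machine_present": True, "has_target_registry": True},
    "conn": {"has_target": True, "has_principal": True},
    "svc": {"EventID": "7036", "has_principal": True, "has_target": True, "param2": "stopped"},
    "image": {"principal_machine_present": True, "has_target_process": True,
              "has_principal_process": True, "eventType": "imageLoadEvent"},
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name:8s} -> {classify_event_type(event)}")
```

Note that the `reg_del` and `reg_mod` samples differ only in `EventType`, which is why the `REGISTRY_DELETION` rule must be checked before the broader `REGISTRY_MODIFICATION` rule.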