Change log for TRENDMICRO_STELLAR
| Date | Changes |
|---|---|
| 2025-10-01 | Enhancement:<br>- Added grok patterns to parse log format variations.<br>- Corrected the overwritten values of the `event.idm.read_only_udm.metadata.product_name` and `event.idm.read_only_udm.metadata.vendor_name` UDM fields.<br>- `event.idm.read_only_udm.security_result.threat_id`: Newly mapped the `threatAttackID` raw log field to the `event.idm.read_only_udm.security_result.threat_id` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `frameworkName` raw log field to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.target.file.size`: Newly mapped the `fileSize` raw log field to the `event.idm.read_only_udm.target.file.size` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `fileVersion` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `fileCreateTime` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `fileModificationTime` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `file_product` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `file_vendor` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.process.file.full_path`: Newly mapped the `lastModifierPath` raw log field to the `event.idm.read_only_udm.principal.process.file.full_path` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `agentGrpPath` raw log field to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `agentGrpName` raw log field to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped the `agentRt` raw log field to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.principal.group.product_object_id`: Newly mapped the `agentGrpGuid` raw log field to the `event.idm.read_only_udm.principal.group.product_object_id` UDM field.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped the `legacyAgentSeverity` raw log field to the `event.idm.read_only_udm.security_result.severity` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `agentIp` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `agentIp` raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `rebootRequired` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.security_result.threat_name`: Newly mapped the `threatName` raw log field to the `event.idm.read_only_udm.security_result.threat_name` UDM field.<br>- `event.idm.read_only_udm.principal.file.full_path`: Newly mapped the `fileName` raw log field to the `event.idm.read_only_udm.principal.file.full_path` UDM field. |
| 2025-04-16 | Enhancement:<br>- Added grok patterns to parse log format variations.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped the `dst` raw log field to the `event.idm.read_only_udm.target.ip` UDM field.<br>- `event.idm.read_only_udm.target.asset.ip`: Newly mapped the `dst` raw log field to the `event.idm.read_only_udm.target.asset.ip` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `src` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `src` raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.principal.ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `dvc` raw log field to the `event.idm.read_only_udm.principal.asset.ip` UDM field.<br>- Updated `has_user` to `true` when `event.idm.read_only_udm.principal.user.userid` and `event.idm.read_only_udm.target.user.user` are present. |
| 2025-02-12 | Enhancement:<br>- Added support for parsing previously unparsed logs. |
| 2025-01-23 | Enhancement:<br>- Added a Grok pattern to parse the logs.<br>- Mapped `eventTime` to `metadata.event_timestamp`.<br>- Mapped `start` to `metadata.event_timestamp`.<br>- Mapped `severity` to `security_result.severity`.<br>- Mapped `event_id` to `metadata.product_log_id`.<br>- Mapped `security_result.action` for `event_id` in ["5888", "8193", "5377", "8194"].<br>- Mapped `event_name` to `metadata.product_event_type`.<br>- Mapped `serverIP` to `intermediary.hostname`.<br>- Changed `metadata.event_type` for `event_id` in ["5888", "4609", "523", "8197", "8214", "8209", "8211"]. |
| 2024-12-05 | Enhancement:<br>- Mapped `sourceIP` to `principal.ip` and `principal.asset.ip`.<br>- Mapped `fileHashAllowed` to `target.file.sha256`.<br>- Mapped `programHash` to `target.file.sha256`.<br>- Mapped `certificate` to `network.tls.client.certificate.issuer`.<br>- Mapped `programSize` to `principal.process.file.size`.<br>- Mapped `programPath` to `principal.process.file.full_path`.<br>- Mapped `domain` to `principal.administrative_domain`. |
| 2024-11-21 | Newly created parser. |