Change log for VARONIS

2025-10-08
- `event.idm.read_only_udm.target.file.full_path`: newly mapped the `fname` raw log field to `event.idm.read_only_udm.target.file.full_path`.
- Modified the severity mapping logic for `event.idm.read_only_udm.security_result.severity` to better categorize raw `sev` and `severity` values into `CRITICAL`, `HIGH`, `MEDIUM`, and `LOW`.
- Updated `event.idm.read_only_udm.security_result.severity` to `LOW` when `sev` or `severity` is `5`, `6`, `7`, `informational`, `INFORMATIONAL`, `NOTICE`, `DEBUG`, or `LOW` (previously `0`, `1`, `2`, `3`, or `LOW`).
- Updated `event.idm.read_only_udm.security_result.severity` from `INFORMATIONAL` to `LOW` when `sev` or `severity` is `informational` or `INFORMATIONAL` (previously these mapped to `INFORMATIONAL`).
- Updated `event.idm.read_only_udm.security_result.severity` to `MEDIUM` when `sev` or `severity` is `3`, `4`, `ERROR`, `WARNING`, or `MEDIUM` (previously `4`, `5`, `6`, or `MEDIUM`).
- Updated `event.idm.read_only_udm.security_result.severity` to `HIGH` when `sev` or `severity` is `2`, `ALERT`, or `HIGH` (previously `7`, `8`, or `HIGH`).
- Removed the mapping of `event.idm.read_only_udm.security_result.severity` to `CRITICAL` when `sev` or `severity` is `8`, `9`, `10`, `VERY-HIGH`, or `CRITICAL`.
- Refined email recipient parsing by adding the regex validation `(^.+@.+$)` for the `Email_Recipients` and `mailRecipient` fields before mapping them to `event.idm.read_only_udm.network.email.to`.
- Updated `FILE_OPEN` event type detection to also trigger when the `fname` field is present.
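The following is an added illustration of the 2025-10-08 mapping rules above, written here for clarity; it is not the Varonis parser's own code (the real parser is a Google SecOps parser configuration, not Python). It assumes the parsed raw log is a plain dict, that `sev` takes precedence over `severity` when both are present, that raw values outside the lists in the entry leave the UDM severity unset, and that `Email_Recipients` and `mailRecipient` each hold a single address. All of these are assumptions, as are the constructed sample events at the bottom.

```python
import re
from typing import Optional

# Severity normalisation as listed in the 2025-10-08 change-log entry.
# Raw values are compared as strings, exactly as the entry spells them.
SEVERITY_MAP = {
    "LOW": {"5", "6", "7", "informational", "INFORMATIONAL", "NOTICE", "DEBUG", "LOW"},
    "MEDIUM": {"3", "4", "ERROR", "WARNING", "MEDIUM"},
    "HIGH": {"2", "ALERT", "HIGH"},
}

# Recipient validation regex quoted in the change log: something, '@', something.
EMAIL_RE = re.compile(r"^.+@.+$")

# Raw fields that may carry a recipient address (from the change-log entry).
RECIPIENT_FIELDS = ("Email_Recipients", "mailRecipient")


def normalize_severity(raw: Optional[str]) -> Optional[str]:
    """Map a raw `sev`/`severity` value to a UDM severity, or None if unlisted.

    Assumption: values not in SEVERITY_MAP (e.g. "0", "1", "9") are left unset,
    since the entry removed the CRITICAL mapping without listing a replacement.
    """
    if raw is None:
        return None
    value = str(raw).strip()
    for udm_severity, raw_values in SEVERITY_MAP.items():
        if value in raw_values:
            return udm_severity
    return None


def valid_recipients(raw: dict) -> list:
    """Return recipient values that pass the (^.+@.+$) check, in field order."""
    found = []
    for field in RECIPIENT_FIELDS:
        value = raw.get(field)
        if value is not None and EMAIL_RE.match(str(value)):
            found.append(str(value))
    return found


def normalize_event(raw: dict) -> dict:
    """Build the subset of UDM fields touched by the 2025-10-08 entry.

    Keys are dotted UDM paths under event.idm.read_only_udm, flattened for
    readability in this illustration.
    """
    udm = {}

    # Assumption: `sev` wins over `severity` when both appear in one record.
    severity = normalize_severity(raw.get("sev", raw.get("severity")))
    if severity is not None:
        udm["security_result.severity"] = severity

    # Recipients are mapped only after the regex validation passes.
    recipients = valid_recipients(raw)
    if recipients:
        udm["network.email.to"] = recipients

    # `fname` now both sets the file path and triggers FILE_OPEN detection.
    fname = raw.get("fname")
    if fname:
        udm["target.file.full_path"] = str(fname)
        udm["metadata.event_type"] = "FILE_OPEN"

    return udm


# Constructed sample events (not real Varonis records).
SAMPLE_FILE_EVENT = {
    "fname": "/share/finance/q3.xlsx",
    "sev": "3",                     # LOW under the old table, MEDIUM now
    "Email_Recipients": "not-an-address",  # fails the regex, so not mapped
}
SAMPLE_MAIL_EVENT = {
    "severity": "ALERT",
    "mailRecipient": "user@example.invalid",
}

if __name__ == "__main__":
    for event in (SAMPLE_FILE_EVENT, SAMPLE_MAIL_EVENT):
        print(normalize_event(event))
```

Running the block prints the normalized fields for the two constructed events; the first shows a `3` now landing in `MEDIUM` and a malformed recipient being dropped, the second shows `ALERT` mapping to `HIGH` with a recipient that passes the check.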
2025-09-04
- Added a new Grok pattern to parse "CEF" pattern syslog logs.

2025-08-25
- Added a new Grok pattern to parse "LEEF" pattern syslog logs.

2025-02-06
- Added a new Grok pattern for the "LEEF" log type.
- Mapped "description" to "metadata.description".
- Mapped "usrName" to "principal.user.userid".
- Mapped "Event_Type" to "metadata.product_event_type".
- Mapped "domain" to "principal.administrative_domain".
- Mapped "proto", "cat", "Event_Additional_Data", "Event_Status", "Email_Attachment_Name", "Email_Date", "Account_of_Changed_Permissions", "Permissions_Changes", "Permissions_before_Change", and "Permissions_after_Change" to "additional.fields".
- Mapped "Affected_Object_Path" to "target.file.full_path".
- Mapped "Affected_Object" to "security_result.detection_fields".
- Mapped "src" to "principal.ip" and "principal.asset.ip".
- Mapped "Alert_ID" to "security_result.rule_id".
- Mapped "Email_Recipients" to "network.email.to".
- Mapped "Email_Item", "Mailbox_Access_by_Owner", "Threshold_Value", "Threshold_First_Timestamp", "Event_by_MailboxOwner", and "Email_Sender" to "additional.fields".
- Mapped "Email_Sender" to "network.email.from".
- Mapped "accountName" to "target.user.userid".
- Mapped "Device_Name" to "target.hostname" and "target.asset.hostname".
- Mapped "Event_Type_ID" to "metadata.product_log_id".
- Mapped "Event_File_Server_Domain" to "target.administrative_domain".
- Mapped "Alert_Page_URL" to "target.url".
- Mapped "devTime" to "metadata.event_timestamp".
- Mapped "sev" to "security_result.severity".

2022-10-08
- Added a Grok pattern for the "LEEF" log type.
- Mapped "severity" to "security_result.severity".
- Mapped "device_version" to "metadata.product_version".
- Mapped "administrative_domain" to "target.administrative_domain".
- Added a conditional check for "intermediary_host".

2022-10-07 (bug fix)
- Mapped "rt" to "metadata.event_timestamp" if "rt" is not null.