Change log for VERSA_FIREWALL
| Date | Changes |
|---|---|
| 2025-10-19 | Enhancement:
- Refactored the merge target for "ipsApplication_field" to use the relative path "additional.fields" instead of the full path "event.idm.read_only_udm.additional.fields". - `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `threatSeverity`, `dnsfBadCname`, `dnsfEvType`, `dnsfDomain`, `dnsfMsgType`, `dnsfProfileName` raw log field with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - `event.idm.read_only_udm.security_result.category_details`: Newly mapped `dnsfIpReputation` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `dnsfAction`, `HitCount`, `groupId`, `signatureRev`, `packetTime`, `moduleId` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip`: Newly mapped `dnsfBadResolvedV4Addr` raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM field. - `event.idm.read_only_udm.target.location.country_or_region`: Newly mapped `dnsfIpGeoLocation` raw log field with `event.idm.read_only_udm.target.location.country_or_region` UDM field. |
| 2025-09-25 | Enhancement:
- `event.idm.read_only_udm.metadata.description`: Changed mapping for `event.idm.read_only_udm.metadata.description` UDM field. It is now conditionally mapped from a combination of `sourceIPv4Address` and `destinationIPv4Address` raw log fields when both are present, else mapped `log_type` raw log field with `event.idm.read_only_udm.metadata.description` UDM field. - `event.idm.read_only_udm.target.hostname`: Newly mapped `host` raw log field with `event.idm.read_only_udm.target.hostname` UDM field. - `event.idm.read_only_udm.additional.fields`: Newly mapped `eipProfileName`, `traffScope`, `srcSGT`, `destSGT`, `ucsBand`, `ucsReason`, `urlLookupSrc`, `protocolInfo`, `ecsBand`, `ecsReason`, `appAuth` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. - `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `ucsScore`, `policyActionName`, `policyActionModule`, `ecsScore` raw log fields with `event.idm.read_only_udm.security_result.detection_fields` UDM field. - `event.idm.read_only_udm.intermediary.asset.product_object_id`: Newly mapped `applianceId` raw log field with `event.idm.read_only_udm.intermediary.asset.product_object_id` UDM field. |
| 2025-06-06 | Enhancement:
- Added a Grok pattern to support new format of SYSLOG + KV logs. - event.idm.ready_only_udm.intermediary.hostname: Newly mapped `inter_hostname` raw log field with `event.idm.ready_only_udm.intermediary.hostname` UDM field - Fixed the code to handle the "network.ip_protocol" field. - Added a conditional check "has_principal". If "has_principal" is true and either of "destinationIPv4Address", "remoteSite" , "destinationIPv6Address" , "clientIPv4Address" or "hostname" is not empty then map "metadata.event_type" to "NETWORK_CONNECTION" else map "metadata.event_type" to "GENERIC_EVENT". - Added a conditional check "msg2". If "msg2" is not empty then map the log value's else drop the log. - Add a KV filter for "msg2" to filter out the data. |
| 2024-06-03 | Enhancement:
- Mapped "idpAction" to "security_result.action". - Mapped "threatType" to "security_result.detection_fields". - Mapped "ipsDirection" to "security_result.detection_fields". - Mapped "ipsProfile" to "security_result.detection_fields". - Mapped "signaturePriority" to "security_result.severity". - Mapped "signatureMsg" to "security_result.detection_fields". - Mapped "signatureId" to "security_result.detection_fields". - Mapped "ipsApplication" to "security_result.detection_fields". - Mapped "classMsg" to "security_result.description". - Mapped "ipsProfileRule" to "security_result.rule_name". - Mapped "ipsProtocol" to "network.ip_protocol". |
| 2023-07-03 | Enhancement: Added support for "entitlementLog", "monStatsLog", and "tcpAppMonLog".
|
| 2022-11-04 | Enhancement: New parser created.
|