Package checkpoint/ngfw Release Notes
Package checkpoint/ngfw Release Notes Version 1.3.0
The updated parser handles field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.srcIp) and the CPS field (e.g. source.ip). If the values of two such fields are byte-for-byte identical, the updated parser no longer preserves the vendor-specific field, only the CPS field. If the values differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the updated parser:
Vendor.action
Vendor.additional_info
Vendor.administrator
Vendor.app_risk
Vendor.app_rule_id
Vendor.app_rule_name
Vendor.application
Vendor.bytes
Vendor.categories
Vendor.client_inbound_interface
Vendor.client_ip
Vendor.client_outbound_bytes
Vendor.client_outbound_packets
Vendor.conn_direction
Vendor.delivery_time
Vendor.description
Vendor.dlp_file_name
Vendor.dlp_rule_name
Vendor.dlp_rule_uid
Vendor.dns_message_type
Vendor.dns_type
Vendor.domain_name
Vendor.dst
Vendor.dst_user_name
Vendor.email_message_id
Vendor.email_queue_id
Vendor.email_subject
Vendor.endpoint_ip
Vendor.file_id
Vendor.file_name
Vendor.file_size
Vendor.file_type
Vendor.first_detection
Vendor.from
Vendor.ifdir
Vendor.ifname
Vendor.industry_reference
Vendor.information
Vendor.inzone
Vendor.last_detection
Vendor.lastupdatetime
Vendor.layer_name
Vendor.loguid
Vendor.mac_destination_address
Vendor.mac_source_address
Vendor.malware_action
Vendor.malware_rule_id
Vendor.malware_rule_name
Vendor.matched_category
Vendor.method
Vendor.objectname
Vendor.origin
Vendor.origin_ip
Vendor.os_name
Vendor.os_version
Vendor.outzone
Vendor.packet_capture
Vendor.packets
Vendor.parent_process_name
Vendor.policy
Vendor.process_name
Vendor.product
Vendor.proto
Vendor.received_bytes
Vendor.referrer
Vendor.resource
Vendor.rule_name
Vendor.rule_uid
Vendor.s_port
Vendor.security_outzone
Vendor.sent_bytes
Vendor.sequencenum
Vendor.server_outbound_bytes
Vendor.server_outbound_interface
Vendor.server_outbound_packets
Vendor.service
Vendor.service_id
Vendor.session_description
Vendor.session_uid
Vendor.severity
Vendor.smartdefence_profile
Vendor.sport_svc
Vendor.src
Vendor.src_user_group
Vendor.src_user_name
Vendor.start_time
Vendor.svc
Vendor.to
Vendor.type
Vendor.uid
Vendor.update_version
Vendor.url
Vendor.user
Vendor.user_agent
Vendor.user_group
Vendor.usercheck_incident_uid
Vendor.web_client_type
Vendor.xlatedport
Vendor.xlatedport_svc
Vendor.xlatedst
Vendor.xlatesport
Vendor.xlatesport_svc
Vendor.xlatesrc
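The following is an added example, not code from the checkpoint/ngfw package, that models the 1.3.0 duplicate-field rule and checks saved queries for references to the dropped Vendor.* fields. Only the Vendor.srcIp/source.ip pair comes from the notes; the other field pairs, the sample event and the query strings are assumed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Vendor-to-CPS field pairs. Only Vendor.srcIp -> source.ip is stated in the
# release notes; the remaining pairs are assumed for illustration.
FIELD_PAIRS: Tuple[Tuple[str, str], ...] = (
    ("Vendor.srcIp", "source.ip"),
    ("Vendor.dst", "destination.ip"),   # assumed mapping
    ("Vendor.action", "event.action"),  # assumed mapping
)

# Subset of the Vendor.* fields the 1.3.0 notes list as no longer present.
REMOVED_IN_1_3_0 = ("Vendor.action", "Vendor.dst", "Vendor.src",
                    "Vendor.rule_name", "Vendor.user")


def dedupe_vendor_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Drop a vendor field only when its value is byte-for-byte identical to
    its CPS counterpart; when the two values differ, both are preserved."""
    out = dict(event)
    for vendor_field, cps_field in FIELD_PAIRS:
        if vendor_field in out and cps_field in out:
            # Raw byte comparison: "Accept" and "accept" differ, so both stay.
            if out[vendor_field].encode() == out[cps_field].encode():
                del out[vendor_field]
    return out


def stale_vendor_refs(query: str) -> List[str]:
    """Return the removed Vendor.* fields a saved LogScale query still names,
    so the query can be migrated to the CPS field before upgrading."""
    return sorted(f for f in REMOVED_IN_1_3_0
                  if re.search(r"(?<![\w.])" + re.escape(f) + r"(?![\w.])", query))


# Constructed sample event; not a real Check Point log line.
SAMPLE_EVENT = {
    "Vendor.srcIp": "10.1.2.3", "source.ip": "10.1.2.3",
    "Vendor.dst": "198.51.100.7", "destination.ip": "198.51.100.7",
    "Vendor.action": "Accept", "event.action": "accept",
    "Vendor.rule_name": "allow-web",
}

if __name__ == "__main__":
    print(dedupe_vendor_fields(SAMPLE_EVENT))
    print(stale_vendor_refs('Vendor.action="Drop" | groupBy(Vendor.src)'))
```

Running the stale-reference check over saved searches and alert queries before upgrading shows which detections silently stop matching once the vendor field disappears.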
Bug fix: resolved an issue with the regex used to extract fields from rawstring.
Bumps the ecs.version to 8.16.0.
Corrects typos in the event.type field values to comply with ECS: conection becomes connection and delection becomes deletion.
Removes the destination.service.name field as it is not a valid ECS field.
Renames network.app_name to network.application to comply with ECS.
Updates event.dataset from content-awareness to ngfw.content-awareness to comply with CPS.
Package checkpoint/ngfw Release Notes Version 1.2.0
Bumps the minimum LogScale version to 1.142 to support assertions in YAML files.
Adds support for JSON format.
Fixes an issue where the timestamp was not parsed when its offset was +2:00.
Adds several fields, for example host.ip, observer.egress.interface.name, observer.ingress.interface.name, destination.user.name and more.
Builds out the event.category and event.type fields.
Package checkpoint/ngfw Release Notes Version 1.1.0
Adds more options for Action and Rule Action mappings.
Adds default category and type values of network/info to ensure all events are parsed to the CPS standard.
Package checkpoint/ngfw Release Notes Version 1.0.0
Adds new event.module and Cps.version fields.
Removes the Product, related.user, related.hash and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.