Package cisco/duo Release Notes
Package cisco/duo Release Notes Version 2.0.0
As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified cisco-duo parser. This means the following parsers:
duo-authentication-json
duo-activity-json
duo-admin-json
duo-telephony-json
duo-trustmonitor-json
are deprecated and all future changes will only go into the new cisco-duo parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old parsers will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
The old parsers would duplicate certain fields, which the new cisco-duo parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.access_device.browser
Vendor.access_device.browser_version
Vendor.access_device.hostname
Vendor.access_device.ip
Vendor.access_device.location.city
Vendor.access_device.location.country
Vendor.access_device.location.state
Vendor.access_device.os
Vendor.access_device.os_version
Vendor.access_device.port
Vendor.action
Vendor.action.name
Vendor.activity_id
Vendor.actor.details.group.name
Vendor.actor.key
Vendor.actor.name
Vendor.applications
Vendor.context
Vendor.description.admin_email
Vendor.description.email
Vendor.description.hostname
Vendor.description.ip_address
Vendor.description.realname
Vendor.description.uname
Vendor.description.user_agent
Vendor.email
Vendor.enabled_by.key
Vendor.enabled_by.name
Vendor.enabled_for.key
Vendor.enabled_for.name
Vendor.object
Vendor.reason
Vendor.sekey
Vendor.surfaced_auth.access_device.browser
Vendor.surfaced_auth.access_device.browser_version
Vendor.surfaced_auth.access_device.hostname
Vendor.surfaced_auth.access_device.ip
Vendor.surfaced_auth.access_device.location.city
Vendor.surfaced_auth.access_device.location.country
Vendor.surfaced_auth.access_device.location.state
Vendor.surfaced_auth.access_device.os
Vendor.surfaced_auth.access_device.os_version
Vendor.surfaced_auth.email
Vendor.surfaced_auth.reason
Vendor.surfaced_auth.user.key
Vendor.surfaced_auth.user.name
Vendor.telephony_id
Vendor.triage_event_uri
Vendor.user.key
Vendor.user.name
Vendor.username
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Includes improved event categorization and outcome determination.
Includes improved field normalization.
Package cisco/duo Release Notes Version 1.1.3
Bug fix: Sets a timestamp format to seconds for Trust Monitor authentication events.
Package cisco/duo Release Notes Version 1.1.2
Sets a timestamp based on the isotimestamp field for the duo-authentication-json parser.
Package cisco/duo Release Notes Version 1.1.1
Updates the duo-telephony-json parser to work with new log structure introduced in V2 Telephony API.
Package cisco/duo Release Notes Version 1.1.0
Adds new parser for Trust Monitor events.
Bug fix: Renames the Parser_version to Parser.version
Package cisco/duo Release Notes Version 1.0.0
Adds new event.module, event.dataset and Cps.version fields
Removes the Product, related.user and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Removes data_stream fields, since the same information is now standardized in event.dataset