Package fortinet/fortigate Release Notes

Package fortinet/fortigate Release Notes Version 1.2.0
Duplicated vendor fields dropped in new parser

The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, in this version the parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using new parser version:

  • Vendor.action

  • Vendor.agent

  • Vendor.app

  • Vendor.applist

  • Vendor.catdesc

  • Vendor.cc

  • Vendor.ccertissuer

  • Vendor.crlevel

  • Vendor.crscore

  • Vendor.devid

  • Vendor.devname

  • Vendor.dir

  • Vendor.direction

  • Vendor.dsintfrole

  • Vendor.dst_host

  • Vendor.dstcity

  • Vendor.dstcountry

  • Vendor.dstintf

  • Vendor.dstip

  • Vendor.dstname

  • Vendor.dstport

  • Vendor.dstregion

  • Vendor.dstuser

  • Vendor.dtype

  • Vendor.error

  • Vendor.error_num

  • Vendor.event_id

  • Vendor.eventtype

  • Vendor.file

  • Vendor.filename

  • Vendor.filesize

  • Vendor.filetype

  • Vendor.group

  • Vendor.hostname

  • Vendor.level

  • Vendor.locport

  • Vendor.logdesc

  • Vendor.policyid

  • Vendor.poluuid

  • Vendor.proto

  • Vendor.qclass

  • Vendor.qname

  • Vendor.qtype

  • Vendor.rcvdbyte

  • Vendor.rcvdpkt

  • Vendor.ref

  • Vendor.scertcname

  • Vendor.scertissuer

  • Vendor.sentbyte

  • Vendor.sentpkt

  • Vendor.sess_duration

  • Vendor.src_int

  • Vendor.srcdomain

  • Vendor.srcintfrole

  • Vendor.srcip

  • Vendor.srcname

  • Vendor.subject

  • Vendor.tranip

  • Vendor.tranport

  • Vendor.transip

  • Vendor.transport

  • Vendor.use

Miscellaneous
  • Removes event.start field.

  • Removes event.code field

  • Updates default event.type to "info".

  • Updates default event.type to "network".

  • Sets event.kind to alert for the case when Vendor.type="utm" AND log.level="alert" AND Vendor.severity=*.

  • Renames the dns.resolved_ip field to dns.resolved_ip[0] to comply with ECS standard.

  • Renames the vulnerability.category field to vulnerability.category[0] to comply with ECS standard.

  • Drops source.geo as it was duplicated from source.ip.

  • Aliases client.ip/port to source.ip/port.

  • Aliases destination.ip/port to server.ip/port.

  • Updates assignment of observer.vendor/product to actual Vendor values.

Package fortinet/fortigate Release Notes Version 1.1.0
  • Improves the field extraction and performance.

  • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

  • Sets the error.code field.

  • Sets the event.category and rule.description fields based on the event type.

Package fortinet/fortigate Release Notes Version 1.0.0
  • Adds new event.module, event.dataset and Cps.version fields

  • Removes the Product, related.hosts and related.ip fields

  • Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type