Adds an additional mapping to ECS for user_agent.original field.

Parses user.name out of Admin field from Config logs.

Adds additional mappings to ECS for: source.geo.country_name , destination.geo.country_name , rule.category , process.command_line , source.ip (for Config logs), network.packets fields.

Adds url.* ECS fields for subtype url

Adds the field observer.type

Adds additional options to Config logs to determine event.outcome

Enhancement to parsing for system auth logs

Decodes network.transport to include network.iana_numbers

Aliases client.ip/port to source.ip/port and server.ip/port to destination.ip/port

Adds support for PAN-OS v11.0

Improves the field extraction and performance.

Renames the fields under the Vendor namespace to pascal case notation. It's a breaking change so don't update to this version in case your queries rely on the Vendor specific fields.

Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

Adds threat.* , event.severity fields and more.

Sets the event.action for Authentication events.

Sets the event.category to intrusion_detection and malware for Colleration events.

Classifies events according to a threat taxonomy as the MITRE ATT&CK framework.

Renames the parser to paloalto-ngfw .

Adds new event.module and Cps.version fields

Removes the Product , related.hash , related.user , related.hosts , related.ip and message fields

Sets following tags: Cps.version , Vendor , ecs.version , event.dataset , event.kind , event.module , event.outcome , observer.type

Updates the parser to normalise event data to common schema. It currently supports messages of Traffic, Threat, HIP Match, GlobalProtect, IP-Tag, User-ID, Decryption, Tunnel Inspection, SCTP, Config, Authentication, System, Correlated Events and GTP types.

Removes old queries and dashboards from the package. To keep those, stay on the old version of the package.

Bumps the minimum supported version of LogScale from 1.20 to 1.82