Package zscaler/deception Release Notes
Package zscaler/deception Release Notes Version 1.2.0
The old parser deception is deprecated, and replaced by the new parser zscaler-deception. While the old parser will remain available during a transition period, all future changes will only go into the new zscaler-deception parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old deception parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old deception parser would duplicate certain fields, which the new zscaler-deception parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.attacker.name
Vendor.attacker.port
Vendor.linux.command_line
Vendor.linux.pid
Vendor.linux.process_name
Vendor.linux.user
Vendor.network.protocol
Vendor.score
Vendor.ssl.cipher
Vendor.ssl.version
Vendor.type
Vendor.web.host
Vendor.web.method
Vendor.web.scheme
Vendor.web.status
Vendor.web.uri
Vendor.web.user_agent.string
Package zscaler/deception Release Notes Version 1.1.0
Uses timestamp from the syslog header as an alternative to parse timestamp
Improves extraction of threat.indicator.ip and threat.indicator.name fields
Normalizes data to CrowdStrike Parsing Standard (CPS) for:
process.* fields, e.g process.name, process.user.name, process.pid, process.command
tls.* fields, e.g tls.version, tls.cipher
url.* fields, e.g url.full, url.scheme, url.domain
http.* fields, e.g http.request.method, http.response.status
network.protocol field
user_agent.name field
Package zscaler/deception Release Notes Version 1.0.0
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Package zscaler/deception Release Notes Version 0.2.0
Updates the parser to accept the logs coming from syslog
Renames the parser to deception.yaml