Change log for GTI_IOC
| Date | Changes |
|---|---|
| 2026-03-24 | - `event.ioc.domain_and_ports.domain`: Newly mapped `id` raw log field to `event.ioc.domain_and_ports` entity field if the log is for a domain.<br>- `event.ioc.ip_and_ports.ip_address`: Newly mapped `id` raw log field to `event.ioc.ip_and_ports` entity field if the log is for an IP.<br>- `event.ioc.feed_name`: Mapped to "GTI".<br>- `event.ioc.confidence_score`: Mapped `eventvalue.attributes.gti_assessment.threat_score.value` raw log field to `event.ioc.confidence_score` entity field.<br>- `event.ioc.active_timerange.start`: Mapped to 1 to indicate that this is a timeless IOC that is always valid. This parallels how `event.ioc.active_timerange.start` is set for other global IOC feeds (e.g. OPEN_SOURCE_INTEL_IOC, MANDIANT_ACTIVE_BREACH_IOC, etc.).<br>- `event.ioc.active_timerange.end`: Mapped to the max int value to indicate that this is a timeless IOC that is always valid. This parallels how `event.ioc.active_timerange.end` is set for other global IOC feeds (e.g. OPEN_SOURCE_INTEL_IOC, MANDIANT_ACTIVE_BREACH_IOC, etc.).<br>- `event.ioc.raw_severity`: Newly mapped `eventvalue.attributes.gti_assessment.severity.gti_severity` raw log field to `event.ioc.raw_severity` entity field.<br>- `event.ioc.description`: Newly mapped `eventvalue.attributes.gti_assessment.description` raw log field to `event.ioc.description` entity field. |
| 2026-03-19 | Enhancement of GTI_IOC:<br>- `event.idm.entity.metadata.creation_timestamp`: Newly mapped `eventvalue.attributes.first_submission_date` or `eventvalue.attributes.first_seen_itw_date` raw log field to `event.idm.entity.metadata.creation_timestamp` entity field.<br>- `event.idm.entity.metadata.product_entity_id`: Newly mapped `eventvalue.id` raw log field to `event.idm.entity.metadata.product_entity_id` entity field. |
| 2026-03-18 | - `event.idm.entity.metadata.threat.severity_details`: Removed the `SEVERITY_` prefix to conform with the existing formatting of IOC severity in IOC entities. For example, here is the same extraction in the parser for the `MANDIANT_ACTIVE_BREACH_IOC` log type: http://google3/googlex/security/malachite/cbn/configs/MANDIANT_ACTIVE_BREACH_IOC/default/mandiant_active_breach_ioc.conf;l=3716-3718;rcl=582660169<br>- `event.idm.entity.metadata.threat.last_updated_time`: Newly mapped `eventvalue.attributes.last_modification_date` raw log field to `event.idm.entity.metadata.threat.last_updated_time` entity field.<br>- `event.idm.entity.metadata.threat.first_discovered_time`: Newly mapped `eventvalue.attributes.first_seen_itw_date` and `eventvalue.attributes.first_submission_date` raw log fields to `event.idm.entity.metadata.threat.first_discovered_time` entity field.<br>- `event.idm.entity.metadata.threat.last_discovered_time`: Newly mapped `eventvalue.attributes.last_seen_itw_date` and `eventvalue.attributes.last_analysis_date` raw log fields to `event.idm.entity.metadata.threat.last_discovered_time` entity field.<br>- `event.idm.entity.metadata.threat.verdict_info["GTI Verdict"]`: Newly mapped `eventvalue.attributes.gti_assessment.verdict.value` and `eventvalue.attributes.gti_assessment.verdict.gti_verdict` raw log fields to `event.idm.entity.metadata.threat.verdict_info["GTI Verdict"]` entity field.<br>- `event.idm.entity.metadata.threat.verdict_info["GTI Severity"]`: Newly mapped `eventvalue.attributes.gti_assessment.severity.gti_severity` raw log field to `event.idm.entity.metadata.threat.verdict_info["GTI Severity"]` entity field.<br>- `event.idm.entity.metadata.threat.verdict_info["GTI Threat Score"]`: Newly mapped `eventvalue.attributes.gti_assessment.threat_score.gti_threat_score` raw log field to `event.idm.entity.metadata.threat.verdict_info["GTI Threat Score"]` entity field.<br>- Ensure a single `event.idm.entity.metadata.threat` field. |
| 2026-03-16 | Enhancement of GTI_IOC:<br>- `event.idm.entity.metadata.interval.start_time`: Mapped to 1 to indicate that this is a timeless IOC that is always valid. This parallels how `entity.metadata.interval.start_time` is set for other global IOC feeds (e.g. OPEN_SOURCE_INTEL_IOC, MANDIANT_ACTIVE_BREACH_IOC, etc.).<br>- `event.idm.entity.metadata.interval.end_time`: Removed the mapping, as this field is automatically set as part of the entity enrichment process. |
| 2026-03-11 | - `event.idm.entity.additional.fields`: Removed the mapping of `eventvalue.relationships.campaigns.data.id` from `event.idm.entity.additional.fields` entity field in order to introduce a more accurate mapping to its entity field.<br>- `event.idm.entity.metadata.threat.threat_collections`: Mapped `eventvalue.relationships.campaigns.data.id` and `eventvalue.relationships.reports.data.id` raw log fields to `event.idm.entity.metadata.threat.threat_collections` entity field.<br>- `event.idm.entity.metadata.threat.threat_collections.type`: Mapped `CAMPAIGN` to `event.idm.entity.metadata.threat.threat_collections.type` when `eventvalue.relationships.campaigns.data.id` is present.<br>- `event.idm.entity.metadata.threat.threat_collections.type`: Mapped `REPORT` to `event.idm.entity.metadata.threat.threat_collections.type` when `eventvalue.relationships.reports.data.id` is present.<br>- `event.idm.entity.metadata.threat.associations`: Newly mapped `eventvalue.relationships.malware_families.data.id` and `eventvalue.relationships.threat_actors.data.id` raw log fields to `event.idm.entity.metadata.threat.associations` entity field.<br>- `event.idm.entity.metadata.threat.associations.type`: Mapped `MALWARE` to `event.idm.entity.metadata.threat.associations.type` when `eventvalue.relationships.malware_families.data.id` is present.<br>- `event.idm.entity.metadata.threat.associations.type`: Mapped `THREAT_ACTOR` to `event.idm.entity.metadata.threat.associations.type` when `eventvalue.relationships.threat_actors.data.id` is present.<br>- `event.idm.entity.security_result.detection_fields`: Newly mapped `eventvalue.relationships.reports.data.context_attributes.related_from.attributes.name`, `eventvalue.relationships.reports.data.context_attributes.related_from.attributes.origin`, and `eventvalue.relationships.reports.data.context_attributes.related_from.id` raw log fields to `event.idm.entity.security_result.detection_fields` entity field.<br>- `event.idm.entity.additional.fields`: Newly mapped `eventvalue.relationships.threat_actors.links.self` and `eventvalue.relationships.threat_actors.links.related` raw log fields to `event.idm.entity.additional.fields` entity field. |
| 2026-02-12 | - `event.idm.entity.entity.security_result.detection_fields`: Newly mapped `eventvalue.attributes.gti_assessment.contributing_factors.google_malware_analysis`, `eventvalue.attributes.gti_assessment.contributing_factors.mandiant_association_report`, `eventvalue.attributes.gti_assessment.contributing_factors.mandiant_association_actor`, `eventvalue.attributes.gti_assessment.contributing_factors.mandiant_association_malware`, `eventvalue.attributes.mandiant_id`, `eventvalue.relationships.campaigns.links.related`, `eventvalue.relationships.campaigns.links.self`, `eventvalue.relationships.malware_families.links.related`, and `eventvalue.relationships.malware_families.links.self` raw log fields to `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- `event.idm.entity.additional.fields`: Newly mapped `eventvalue.attributes.continent`, `eventvalue.attributes.regional_internet_registry`, `eventvalue.attributes.asn`, `eventvalue.attributes.gti_assessment.contributing_factors.mandiant_confidence_score`, `eventvalue.attributes.as_owner`, `eventvalue.attributes.network`, `eventvalue.attributes.country`, `eventvalue.relationships.campaigns.data`, and `relationshipvalues.id` raw log fields to `event.idm.entity.additional.fields` entity field.<br>- `event.idm.entity.metadata.interval.start_time`: Newly mapped `eventvalue.attributes.first_seen_itw_date` raw log field to `event.idm.entity.metadata.interval.start_time` entity field.<br>- `event.idm.entity.metadata.interval.end_time`: Newly mapped `eventvalue.attributes.last_seen_itw_date` raw log field to `event.idm.entity.metadata.interval.end_time` entity field. |
| 2025-11-13 | - `event.idm.entity.entity.security_result.detection_fields`: Newly mapped `eventvalue.attributes.gti_assessment.verdict.value`, `eventvalue.attributes.threat_severity.threat_severity_level`, `eventvalue.attributes.threat_severity.level_description`, `eventvalue.attributes.threat_severity.version`, `eventvalue.attributes.last_https_certificate_raw.extensions.ca_information_access.CA_Issuers`, `eventvalue.attributes.last_https_certificate_raw.extensions.ca_information_access.OCSP`, `eventvalue.attributes.last_https_certificate_raw.extensions.authority_key_identifier.keyid`, `eventvalue.attributes.last_https_certificate_raw.issuer.C`, `eventvalue.attributes.last_https_certificate_raw.issuer.CN`, and `eventvalue.attributes.last_https_certificate_raw.issuer.O` raw log fields as key-value pairs to `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- `event.idm.entity.additional.fields`: Newly mapped `eventvalue.attributes.gti_assessment.threat_score.value`, `eventvalue.attributes.last_https_certificate_raw.public_key.rsa.exponent`, `eventvalue.attributes.last_https_certificate_raw.public_key.rsa.key_size`, `eventvalue.attributes.last_https_certificate_raw.public_key.rsa.modulus`, `eventvalue.attributes.last_https_certificate_raw.serial_number`, `eventvalue.attributes.last_https_certificate_raw.size`, `eventvalue.attributes.last_https_certificate_raw.thumbprint`, `eventvalue.attributes.last_https_certificate_raw.thumbprint_sha256`, `eventvalue.attributes.last_https_certificate_raw.version`, `eventvalue.attributes.last_https_certificate_raw.extensions.CA`, `eventvalue.attributes.last_dns_records_date`, `eventvalue.attributes.last_analysis_stats_raw.timeout`, `eventvalue.attributes.threat_severity.last_analysis_date`, `eventvalue.attributes.last_https_certificate_raw.last_https_certificate_date`, `eventvalue.attributes.last_https_certificate_raw.validity.not_before`, and `eventvalue.attributes.last_https_certificate_raw.validity.not_after` raw log fields as key-value pairs to `event.idm.entity.additional.fields` entity field.<br>- `event.idm.entity.entity.labels`: Newly mapped `eventvalue.attributes.total_votes.harmless`, `eventvalue.attributes.total_votes.malicious`, and `eventvalue.attributes.last_https_certificate_raw.signature_algorithm` raw log fields as key-value pairs to `event.idm.entity.entity.labels` entity field.<br>- `event.idm.entity.entity.security_result.detection_fields`: Newly mapped values from the loop over the `eventvalue.attributes.last_https_certificate_raw.extensions.extended_key_usage` raw log field as key-value pairs to `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- Newly added gsub for the `message`, `last_analysis_stats`, `last_https_certificate`, `last_dns_records`, and `CA Issuers` data fields to parse the logs correctly.<br>- `event.idm.entity.metadata.interval.start_time`: Newly mapped `eventvalue.attributes.creation_date` and `eventvalue.attributes.last_analysis_date` raw log fields to `event.idm.entity.metadata.interval.start_time` entity field.<br>- `event.idm.entity.metadata.interval.end_time`: Newly mapped `eventvalue.attributes.expiration_date` and `eventvalue.attributes.last_modification_date` raw log fields to `event.idm.entity.metadata.interval.end_time` entity field. |
| 2025-10-15 | - `event.idm.entity.metadata.interval.start_time`: Newly mapped `eventvalue.attributes.creation_date.seconds` or `eventvalue.attributes.last_analysis_date.seconds` raw log field to `event.idm.entity.metadata.interval.start_time` entity field.<br>- `event.idm.entity.metadata.interval.end_time`: Newly mapped `eventvalue.attributes.expiration_date.seconds` or `eventvalue.attributes.last_modification_date.seconds` raw log field to `event.idm.entity.metadata.interval.end_time` entity field.<br>- `event.idm.entity.metadata.threat.confidence_details`: Newly mapped `eventvalue.attributes.gti_assessment.contributing_factors.gti_confidence_score` raw log field to `event.idm.entity.metadata.threat.confidence_details` entity field.<br>- `event.idm.entity.metadata.threat.description`: Newly mapped `eventvalue.attributes.gti_assessment.description` raw log field to `event.idm.entity.metadata.threat.description` entity field.<br>- `event.idm.entity.metadata.threat.severity_details`: Newly mapped `eventvalue.attributes.gti_assessment.severity.gti_severity` raw log field to `event.idm.entity.metadata.threat.severity_details` entity field.<br>- `event.idm.entity.metadata.threat.risk_score`: Newly mapped `eventvalue.attributes.gti_assessment.threat_score.gti_threat_score` raw log field to `event.idm.entity.metadata.threat.risk_score` entity field.<br>- `event.idm.entity.metadata.threat.url_back_to_product`: Newly mapped `eventvalue.links.self` raw log field to `event.idm.entity.metadata.threat.url_back_to_product` entity field.<br>- `event.idm.entity.entity.file.md5`: Newly mapped `eventvalue.attributes.md5` raw log field to `event.idm.entity.entity.file.md5` entity field.<br>- `event.idm.entity.entity.file.sha1`: Newly mapped `eventvalue.attributes.sha1` raw log field to `event.idm.entity.entity.file.sha1` entity field.<br>- `event.idm.entity.entity.file.sha256`: Newly mapped `eventvalue.id` raw log field to `event.idm.entity.entity.file.sha256` entity field.<br>- `event.idm.entity.entity.url`: Newly mapped `eventvalue.attributes.url` raw log field to `event.idm.entity.entity.url` entity field.<br>- `event.idm.entity.entity.ip`: Newly mapped `eventvalue.id` raw log field to `event.idm.entity.entity.ip` entity field.<br>- `event.idm.entity.entity.hostname`: Newly mapped `eventvalue.id` raw log field to `event.idm.entity.entity.hostname` entity field.<br>- `event.idm.entity.entity.domain.jarm`: Newly mapped `eventvalue.attributes.jarm` raw log field to `event.idm.entity.entity.domain.jarm` entity field.<br>- `event.idm.entity.entity.domain.registrar`: Newly mapped `eventvalue.attributes.registrar` raw log field to `event.idm.entity.entity.domain.registrar` entity field.<br>- `event.idm.entity.entity.labels`: Newly mapped various fields under `eventvalue.attributes.gti_assessment.contributing_factors.` and `eventvalue.attributes.last_analysis_stats_raw.` raw log fields to `event.idm.entity.entity.labels` entity field.<br>- `event.idm.entity.entity.security_result.detection_fields`: Newly mapped `eventvalue.attributes.gti_assessment.verdict.gti_verdict`, `eventvalue.attributes.last_https_certificate_raw.cert_signature.signature`, and fields within `eventvalue.attributes.last_analysis_results_raw` raw log fields to `event.idm.entity.entity.security_result.detection_fields` entity field.<br>- `event.idm.entity.additional.fields`: Newly mapped a large number of fields under `eventvalue.attributes.last_analysis_results_raw.`, `eventvalue.attributes.last_dns_records_raw.`, `eventvalue.attributes.last_https_certificate_raw.`, `eventvalue.attributes.signature_info.`, `eventvalue.attributes.pe_info_raw.`, `eventvalue.attributes.trid.`, `eventvalue.attributes.magic`, `eventvalue.attributes.main_icon.`, `eventvalue.attributes.meaningful_name`, and `eventvalue.attributes.exiftool_raw.` raw log fields to `event.idm.entity.additional.fields` entity field.<br>- Added a Grok pattern on `id` to extract `IP:id`.<br>- The parser transforms the input message by replacing `}{` with `},{` and wrapping it to form a valid JSON array structure.<br>- Newly added gsub for the `message` and `event_data_string` data fields to parse the logs correctly.<br>- Newly added JSON filter for the `event_data_string` data field to parse the logs correctly. |
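The entries above describe several transformations in prose: the 2025-10-15 repair of concatenated JSON objects (`}{` to `},{`, wrapped in an array), the 2026-03-18 removal of the `SEVERITY_` prefix, the timeless interval bounds from 2026-03-16 and 2026-03-24, the `verdict_info` keys, and the `CAMPAIGN`/`REPORT` typing of `threat_collections` from 2026-03-11. The following Python is an added example written here to show those steps end to end on a constructed message; it is not the GTI_IOC parser's own code. It assumes that "max int value" means the signed 64-bit maximum, that an `id` that parses as an IP address marks an IP log and anything else marks a domain log, and that `}{` never occurs inside a JSON string value (the same assumption the substitution in the change log makes). The sample objects and their IDs are placeholders.

```python
import ipaddress
import json

# Assumption: the change log says "max int value" without naming a width;
# this example uses the signed 64-bit maximum.
MAX_INT64 = 2**63 - 1
SEVERITY_PREFIX = "SEVERITY_"

# Constructed sample: two GTI objects concatenated with no separator, the
# shape the 2025-10-15 entry says the parser repairs. Placeholder data only.
_OBJECTS = [
    {
        "id": "example-domain.test",
        "attributes": {
            "gti_assessment": {
                "severity": {"gti_severity": "SEVERITY_HIGH"},
                "verdict": {"gti_verdict": "VERDICT_MALICIOUS"},
                "threat_score": {"gti_threat_score": 85},
                "description": "constructed description",
            },
        },
        "relationships": {
            "campaigns": {"data": [{"id": "campaign-placeholder-1"}]},
            "reports": {"data": []},
        },
    },
    {
        "id": "192.0.2.10",
        "attributes": {
            "gti_assessment": {
                "severity": {"gti_severity": "SEVERITY_LOW"},
                "verdict": {"gti_verdict": "VERDICT_BENIGN"},
                "threat_score": {"gti_threat_score": 5},
            },
        },
        "relationships": {"reports": {"data": [{"id": "report-placeholder-1"}]}},
    },
]
SAMPLE_MESSAGE = "".join(json.dumps(o, separators=(",", ":")) for o in _OBJECTS)


def normalize_concatenated_json(message: str) -> list:
    """Repair step from the 2025-10-15 entry: '}{' -> '},{' and wrap in [...].
    Assumes '}{' never appears inside a string value; if it can, decode the
    objects one at a time with json.JSONDecoder().raw_decode instead."""
    return json.loads("[" + message.replace("}{", "},{") + "]")


def strip_severity_prefix(value: str) -> str:
    """2026-03-18 change: SEVERITY_HIGH -> HIGH; other values pass through."""
    return value[len(SEVERITY_PREFIX):] if value.startswith(SEVERITY_PREFIX) else value


def is_ip(value: str) -> bool:
    """Assumed heuristic for 'the log is for an IP': the id parses as an address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def map_entity(obj: dict) -> dict:
    """Build the entity fields named in the change log for one GTI object.
    Keys are the change log's field names; the flat dict layout is this example's."""
    gti = obj.get("attributes", {}).get("gti_assessment", {})
    severity = gti.get("severity", {}).get("gti_severity", "")
    score = gti.get("threat_score", {}).get("gti_threat_score")
    entity = {
        "event.idm.entity.metadata.product_entity_id": obj.get("id"),
        "event.idm.entity.metadata.interval.start_time": 1,   # timeless IOC (2026-03-16)
        "event.ioc.active_timerange.start": 1,                 # timeless IOC (2026-03-24)
        "event.ioc.active_timerange.end": MAX_INT64,           # assumed "max int"
        "event.ioc.raw_severity": severity,                    # prefix kept
        "event.idm.entity.metadata.threat.severity_details": strip_severity_prefix(severity),
        "event.idm.entity.metadata.threat.risk_score": score,
        "event.idm.entity.metadata.threat.verdict_info": {
            "GTI Verdict": gti.get("verdict", {}).get("gti_verdict"),
            "GTI Severity": severity,
            "GTI Threat Score": score,
        },
        "event.idm.entity.metadata.threat.threat_collections": [],
    }
    # 2026-03-24: route `id` to the IP or domain entity field.
    key = "event.ioc.ip_and_ports.ip_address" if is_ip(obj.get("id", "")) else "event.ioc.domain_and_ports.domain"
    entity[key] = obj.get("id")
    # 2026-03-11: type each collection by which relationship carried it.
    rels = obj.get("relationships", {})
    for rel_name, coll_type in (("campaigns", "CAMPAIGN"), ("reports", "REPORT")):
        for item in rels.get(rel_name, {}).get("data", []):
            entity["event.idm.entity.metadata.threat.threat_collections"].append(
                {"id": item["id"], "type": coll_type})
    return entity


def parse_feed(message: str) -> list:
    """Repair the raw message, then map every object it contains."""
    return [map_entity(o) for o in normalize_concatenated_json(message)]


if __name__ == "__main__":
    for entity in parse_feed(SAMPLE_MESSAGE):
        print(json.dumps(entity, indent=2))
```

The `}{` substitution is exactly the shortcut the change log describes, and its weakness is visible in `normalize_concatenated_json`: a string value containing `}{` would be corrupted, so a parser that cannot rule that out should decode objects incrementally rather than rewrite the text. Keeping `event.ioc.raw_severity` next to the stripped `severity_details` also makes it easy to check, in a unit test, that the prefix removal did not leak into the raw field.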