<html lang="en">
<body>
 
<p>
		<b>[OOTB] Kaspersky Industrial CyberSecurity for Networks 4.x syslog. Version 1</b><br>
		This is the first version of the package.<br>
		Change list:
		<ul>
<li>Support for Kaspersky Industrial CyberSecurity for Networks versions 4.3 and 4.5 has been added.</li>
			<li>New extra normalizers were added: IDS events, CC events, DPI events, AM events, 4000005003, 4000005004, 4000005005, 4000005006, 4000005007, 4000005013, 4000005014, 4000005015, 4000005204, 4000005600, 4000005601, 4000005602, 4000005603, 4000005604, External events, NIC events, EPP events, Not parsed.</li>
			<li>Main normalizer was changed. Mapping of the event field "msg" to the KUMA field DeviceCustomString6 was removed. New event enrichment was added for the KUMA fields SourceHostName, DeviceHostName, DestinationHostName, SourceUserName, DestinationUserName (converted to lower case) and SourceNtDomain, DeviceNtDomain, DestinationNtDomain (converted to upper case).</li>
<li>Extra normalizer "CEF Normalization" was changed. The previous mutation was removed, and the following mutations using the replaceWithRegexp function were added:
				<ul>
					<li>"attackTechnique\d+" is replaced with "attackTechnique".</li>
					<li>"param\d+" is replaced with "param".</li>
					<li>"type=([A-Za-z]+)" is replaced with "epptype=$1".</li>
					<li>"\bname=((?:\d{1,3}\.){3}\d{1,3})" is replaced with "ipaddress=$1".</li>
					<li>"\bname=((\w:|\\\\)[^\s]+)" is replaced with "filepath=$1".</li>
					<li>"\bname=([А-Яа-я\s]+)" is replaced with "attackdesc=$1".</li>
					<li>"\bname=(\S+)" is replaced with "devORregistryname=$1".</li>
				</ul>
			</li>
			<li>Extra normalizer "CEF Normalization" was changed. Mapping of event field "messageIdentifier" was removed from KUMA field "ExternalID". Mapping of event field "monitoringPoint" was removed from KUMA field "DeviceInboundInterface".</li>
			<li>Extra normalizer "CEF Normalization" was changed. The default CEF mapping was added. Event field "messageCategory" was mapped to the KUMA field "DeviceEventCategory". Event field "as" was mapped to the KUMA field "FlexString1". Event field "Space" was mapped to the KUMA field "FlexString2".</li>
			<li>Extra normalizer "messageCategory=Event" was renamed to "Events Custom Fields Normalization".</li>
			<li>Extra normalizer "Events Custom Fields Normalization" was changed. Mapping of event field "name" was removed from KUMA field "Name". Mapping of event field "deviceVendor" was removed from KUMA field "DeviceVendor". Mapping of event field "deviceProduct" was removed from KUMA field "DeviceProduct". Mapping of event field "deviceVersion" was removed from KUMA field "DeviceVersion". Mapping of event field "severity" was removed from KUMA field "Severity". Mapping of event field "cnt" was removed from KUMA field "BaseEventCount". Mapping of event field "app" was removed from KUMA field "ApplicationProtocol". Mapping of event field "start" was removed from KUMA field "StartTime". Mapping of event field "type" was removed from KUMA field "DeviceCustomString6".</li>
			<li>Extra normalizer "Events Custom Fields Normalization" was changed. Event field "srcOs" was mapped to the KUMA field "S.SourceOS". Event field "dstVendor" was mapped to the KUMA field "S.DestinationVendor". Event field "dstModel" was mapped to the KUMA field "S.DestinationModel". Event field "dstNetworkName" was mapped to the KUMA field "S.DestinationNetwork". Event field "dstOs" was mapped to the KUMA field "S.DestinationOS".</li>
<li>Extra normalizer "Обнаружено неразрешенное сетевое взаимодействие| Unauthorized network interaction detected" was removed.</li>
			<li>Extra normalizer "Обнаружен зараженный или возможно зараженный объект" (Infected or possibly infected object detected) was removed.</li>
		</ul>
</p>
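<p>To show how the replaceWithRegexp mutations of the "CEF Normalization" normalizer interact, the following Python example (added here; it is not code from the package or from KUMA) applies the seven patterns from the change list, in the order they are listed, to constructed sample extension strings. KUMA's "$1" back-reference is written as "\1" for Python's re.sub; the sample values and the assumption that the mutations run sequentially in the listed order are this example's own, not taken from the normalizer definition.</p>

```python
import re

# Added example, not the package's own code. The patterns and replacements
# below are copied from the change list; "$1" becomes "\1" for re.sub.
# Assumption of this example: the mutations run one after another, top to bottom.
MUTATIONS = [
    (r"attackTechnique\d+", "attackTechnique"),
    (r"param\d+", "param"),
    (r"type=([A-Za-z]+)", r"epptype=\1"),
    # The three "name=" rules go from most to least specific: an IPv4 address,
    # then a drive-letter or UNC path, then a Cyrillic description, and finally
    # anything else (device or registry name) as the fallback.
    (r"\bname=((?:\d{1,3}\.){3}\d{1,3})", r"ipaddress=\1"),
    (r"\bname=((\w:|\\\\)[^\s]+)", r"filepath=\1"),
    # Note: [А-Яа-я\s]+ is greedy and \s includes the trailing space, so the
    # captured description keeps whitespace up to the next non-Cyrillic token;
    # the letter "ё" is outside the А-Я/а-я ranges.
    (r"\bname=([А-Яа-я\s]+)", r"attackdesc=\1"),
    (r"\bname=(\S+)", r"devORregistryname=\1"),
]


def apply_mutations(extension: str) -> str:
    """Apply every mutation in sequence to one CEF extension string."""
    out = extension
    for pattern, replacement in MUTATIONS:
        out = re.sub(pattern, replacement, out)
    return out


if __name__ == "__main__":
    # Constructed sample extension fragments (not real events).
    samples = [
        "attackTechnique12=T1059 param3=x type=Malware name=10.0.0.1",
        r"name=C:\Windows\System32\evil.exe",
        r"name=\\srv\share\tool.exe",
        "name=Обнаружен объект cnt=1",
        r"name=HKLM\SOFTWARE\Test",
        "name=plc-01",
    ]
    for s in samples:
        print(f"{s!r:55} -> {apply_mutations(s)!r}")
```

Because the fallback "\bname=(\S+)" runs last and the earlier rules have already rewritten the key to ipaddress=, filepath= or attackdesc=, only values that matched none of the specific shapes end up in devORregistryname=; changing the order of these rules changes which KUMA field a value lands in.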

</body>
</html>