<html lang="en">
<body>

<p>
		<b>[OOTB] Linux auditd file for KUMA 3.2. Version 2</b><br>
		Change list:
		<ul>
		    <li>Extra normalizer "Audittools" was changed. Mutation with replaceWithRegexp function was changed. "(.*)(type=EXECVE\s.*?)(type=.*)?$" changed to "(.*)(type=EXECVE\s.*?)\s+(type=.*)?$".</li>
			<li>Extra normalizer "Audittools" was changed. Mutation with replaceWithRegexp function was changed. "a\d\=" changed to "\sa\d\=".</li>
			<li>Extra normalizer "Message parsing" was changed. Parameter "Keep extra fields" was disabled.</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE" was changed. The value "GRP" was added to the Filter parameters.</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE" was renamed to "CRED|USER|CRYPTO|SERVICE|GRP|ADD|DEL".</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE msg" was renamed to "CRED|USER|CRYPTO|SERVICE|GRP|ADD|DEL msg".</li>
			<li>New mapping was added in the extra normalizer "CRED|USER|CRYPTO|SERVICE|GRP|ADD|DEL msg". Event field "SUID" was mapped to the KUMA field "S.SUID", Event field "id" was mapped to the KUMA field "N.id", Event field "grp" was mapped to the KUMA field "FlexString2", Event field "pid" was mapped to the KUMA field "DestinationProcessID", Event field "comm" was mapped to the KUMA field "S.command".</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE|GRP|ADD|DEL msg" was changed. Mapping of the KUMA field "DeviceCustomString6" was changed from the event field "Cipher" to "cipher".</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE|GRP|ADD|DEL" was changed. New regular expressions were added.</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE|GRP|ADD|DEL msg" was changed. Mutations with the "replace" function were added for the "direction", "terminal" and "grantors" fields: "?" is replaced with "".</li>
			<li>Extra normalizer "Audittools" was changed. New regular expression was added.</li>
			<li>Extra normalizer "Audittools part" was changed. New dictionaries "[OOTB] Linux. Syscall types by architecture" and "[OOTB] Linux. Auditd connect error codes" were added.</li>
			<li>Extra normalizer "Audittools part" was changed. Event enrichment "replace" was added to the field DeviceCustomString3: the value "40000003" is replaced with "i386".</li>
			<li>New mapping was added in the extra normalizer "Audittools part". Event field "SYSCALL" was mapped to the KUMA field "S.Syscall", Event field "fam" was mapped to the KUMA field "S.saddr_fam".</li>
		</ul>
</p>
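<p>
		The two regex changes to the "Audittools" extra normalizer and the arch-code replacement in "Audittools part" are easier to judge on a concrete line. The following Python is an added example written for this page; it is not code from the KUMA package. It applies the patterns quoted above to a constructed, aggregated auditd event and shows what each version captures. It assumes that the mutation uses capture group 2 (the EXECVE record), which the change list does not state, and stands in for the two named dictionaries with two-entry tables: the x86_64 arch code and the execve syscall numbers come from the kernel's audit architecture and syscall tables, not from the page.
</p>

```python
import re

# Regular expressions quoted from the Version 2 change list. The page does not
# say which capture group KUMA substitutes, so this example takes group 2
# (the EXECVE record) from a match; that part is an assumption.
EXECVE_OLD = re.compile(r"(.*)(type=EXECVE\s.*?)(type=.*)?$")
EXECVE_NEW = re.compile(r"(.*)(type=EXECVE\s.*?)\s+(type=.*)?$")

# Argument-key pattern before and after the change: the new form only matches
# "a<digit>=" after whitespace, i.e. at a field boundary. As written, a single
# \d covers a0..a9 only.
ARG_KEY_OLD = re.compile(r"a\d=")
ARG_KEY_NEW = re.compile(r"\sa\d=")

# Stand-ins for the two dictionaries, which the page names but does not list.
# 40000003 -> i386 is the replacement the page describes; c000003e -> x86_64
# and the two execve numbers are taken from the kernel's AUDIT_ARCH_* and
# syscall tables and are added here.
ARCH_BY_CODE = {"40000003": "i386", "c000003e": "x86_64"}
SYSCALL_NAMES = {("i386", "11"): "execve", ("x86_64", "59"): "execve"}

# Constructed aggregated auditd event (SYSCALL + EXECVE + PROCTITLE records on
# one line), as a collector would hand it to the normalizer. The SYSCALL record
# carries its own a0..a3 register values, which is why the EXECVE record has to
# be isolated before the argument keys are searched.
LINE = (
    "type=SYSCALL msg=audit(1717000000.100:9001): arch=40000003 syscall=11 "
    "success=yes exit=0 a0=8f2c0d8 a1=8f2c1e0 a2=8f2c5a0 a3=0 ppid=1800 "
    "pid=1842 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 "
    'egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" '
    'exe="/usr/bin/curl" key="exec" '
    "type=EXECVE msg=audit(1717000000.100:9001): argc=3 "
    'a0="curl" a1="--data1=x" a2="http://127.0.0.1/" '
    "type=PROCTITLE msg=audit(1717000000.100:9001): proctitle=6375726C"
)
# Same constructed event with PROCTITLE absent, so EXECVE is the final record.
LINE_EXECVE_LAST = LINE.split(" type=PROCTITLE")[0]


def execve_record(line, pattern=EXECVE_NEW):
    """Return the EXECVE record isolated by `pattern`, or None if it fails.
    The old pattern keeps the whitespace that separates it from the next
    record; the new one requires that whitespace but leaves it out of the
    capture, so it does not match when EXECVE is the last record on the line."""
    m = pattern.match(line)
    return m.group(2) if m else None


def execve_args(record, key_pattern=ARG_KEY_NEW):
    """Split an EXECVE record into (key, value) pairs at the positions the
    key pattern accepts. With ARG_KEY_OLD a value such as "--data1=x" is also
    split at the "a1=" inside it, yielding an extra, truncated argument."""
    hits = list(key_pattern.finditer(record))
    args = []
    for i, m in enumerate(hits):
        key = m.group(0).strip()[:-1]  # " a1=" -> "a1"
        end = hits[i + 1].start() if i + 1 < len(hits) else len(record)
        args.append((key, record[m.end():end].strip().strip('"')))
    return args


def syscall_fields(line):
    """Take arch and syscall number from the SYSCALL record and resolve them
    through the stand-in dictionaries; unknown codes pass through unchanged.
    DeviceCustomString3 is the field the page names for arch; "syscall_name"
    is a label chosen for this example, not a KUMA field."""
    m = re.search(r"type=SYSCALL\b.*?\barch=([0-9a-f]+)\s+syscall=(\d+)", line)
    if not m:
        return {}
    arch = ARCH_BY_CODE.get(m.group(1), m.group(1))
    return {
        "DeviceCustomString3": arch,
        "syscall_name": SYSCALL_NAMES.get((arch, m.group(2)), m.group(2)),
    }


if __name__ == "__main__":
    rec = execve_record(LINE)
    print(repr(execve_record(LINE, EXECVE_OLD)), "->", repr(rec))
    print("old keys:", execve_args(rec, ARG_KEY_OLD))
    print("new keys:", execve_args(rec))
    print("EXECVE last, new/old:", execve_record(LINE_EXECVE_LAST),
          execve_record(LINE_EXECVE_LAST, EXECVE_OLD))
    print(syscall_fields(LINE))
```

<p>
		Two things the output makes visible. The old split keeps the whitespace that separates the EXECVE record from the following one, whereas the new pattern requires that whitespace and therefore returns no match for an event whose last record is EXECVE; check the record order your collector produces before relying on it. The unanchored "a\d=" also fires inside a value such as "--data1=x" and produces a fourth, truncated argument, which the whitespace-anchored form does not.
</p>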

<p>
		<b>[OOTB] Linux auditd file for KUMA 3.2. Version 1</b><br>
		This is the first version of the package.<br>
		Change list:
		<ul>
			<li>Main normalizer was changed. The regular expression was changed and a new regular expression was added. Mapping of the event field "auditId" to the KUMA field DeviceProcessID was removed.</li>
			<li>New extra normalizers "extranormalizer telnet", "extranormalizer rsh", "extranormalizer execute command", "extranormalizer failed console login", "extranormalizer new group|user", "extranormalizer change|add|delete|lock|unlock", "extranormalizerToExtraError", "extranormalizer sshd", "extranormalizer cmd_execute_fail", "extranormalizer pam_", "Other", "Connect,bind syscall" were added.</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE" was changed. The values "ADD" and "DEL" were added to the Filter parameters.</li>
			<li>New mapping was added in the extra normalizer "CRED|USER|CRYPTO|SERVICE msg". Event field "ID" was mapped to the KUMA field "DeviceCustomString1".</li>
			<li>Extra normalizer "CRED|USER|CRYPTO|SERVICE msg" was changed. Mutation with the replaceWithRegexp function was added: the "(\w+=)" value is replaced with "|$1". Mutation with the replace function was added: the " character is replaced with "". Mutation with the replace function was added: "|op" is replaced with "op". Pair delimiter was changed from " " to "|". Mutation with the replaceWithRegexp function on the field SourceUserName was added: "^(\")?(.*)" is replaced with " $2". Mapping of the event field "addr" was changed from the KUMA field "DestinationAddress" to "SourceAddress". Mapping of the event field "laddr" was changed from the KUMA field "SourceAddress" to "DestinationAddress". Event field "AUID" was mapped to the KUMA field "SourceUserName". Event field "UID" was mapped to the KUMA field "DestinationUserName". New event enrichment was added: the symbol "'" is replaced with an empty character in the data of the KUMA field "EventOutcome", and a leading " character is replaced with an empty character in the data of the KUMA field "EventOutcome". Mapping of the event field "acct" was changed from the KUMA field "SourceUserName" to the KUMA field "DeviceCustomString1".</li>
			<li>In the extra normalizer "Audittools", the mapping of the event field "syscallArg" to the KUMA field DeviceCustomString5 was removed.</li>
			<li>Mappings in the extra normalizer "Audittools part" were added and changed. Mapping of the event field "proctitle" was changed from the KUMA field "DeviceAction" to the KUMA field "DeviceCustomString5". Mapping of the event field "pid" was changed from the KUMA field "SourceProcessID" to the KUMA field "DestinationProcessID". Event field "ppid" was mapped to the KUMA field "SourceProcessID". Event fields "GID", "EUID", "SUID" and "SGID" were mapped to the extended data model fields "S.GID", "S.EUID", "S.SUID" and "S.SGID". Event field "AUID" was mapped to the KUMA field "SourceUserName". Event field "UID" was mapped to the KUMA field "DestinationUserName". Event field "euid" was mapped to the extended data model field "S.euid". Mapping of the event field "auid" was changed from the KUMA field "DestinationUserID" to the KUMA field "SourceUserID". Mapping of the event field "uid" was changed from the KUMA field "SourceUserID" to the KUMA field "DestinationUserID". Event field "path" was mapped to the KUMA field "S.saddr_path". Event field "saddr_fam" was mapped to the KUMA field "S.saddr_fam". Event field "obj" was mapped to the KUMA field "SA.TargetSELinuxContext". Event field "cmd" was mapped to the KUMA field "FlexString1".</li>
		</ul>
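<p>
		The mutation chain described for the "CRED|USER|CRYPTO|SERVICE msg" extra normalizer (key prefixing with "|", quote removal, the "|op" fix-up, the "|" pair delimiter, the "'" replacement on EventOutcome and the addr/laddr, AUID/UID and acct mappings), together with the Version 2 "?" replacement for direction, terminal and grantors, is replayed below on two constructed auditd lines. This Python is an added example written for this page, not code from the KUMA package, and it does not use KUMA's key-value parser: the split on "|" and the trimming of each pair are emulated in plain Python and are this example's own. The sample lines follow auditd's ENRICHED log format, in which the interpreted fields with uppercase keys (UID, AUID, SUID) are appended after a 0x1d separator; the addresses, PIDs and fingerprint in them are made up.
</p>

```python
import re

# Constructed sample lines in auditd's ENRICHED log format: the raw record,
# then a 0x1d separator, then interpreted fields with uppercase keys. Those
# uppercase keys (UID, AUID, SUID, ...) are the event fields the change list
# maps to SourceUserName, DestinationUserName and S.SUID.
USER_AUTH = (
    "type=USER_AUTH msg=audit(1717000000.200:7001): pid=2210 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=PAM:authentication "
    'grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" '
    "hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'"
    '\x1dUID="root" AUID="unset"'
)
CRYPTO_KEY_USER = (
    "type=CRYPTO_KEY_USER msg=audit(1717000000.300:7002): pid=2215 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=destroy kind=server "
    "fp=SHA256:c0ns7ruc7edF1ngerpr1nt direction=? spid=2216 suid=0 "
    'rport=51622 laddr=10.0.0.1 lport=22 exe="/usr/sbin/sshd" hostname=? '
    "addr=10.0.0.5 terminal=? res=success'"
    '\x1dUID="root" AUID="unset" SUID="root"'
)


def split_msg(body):
    r"""Replay the Version 1 mutation chain on the text inside msg='...':
    1. replaceWithRegexp "(\w+=)" -> "|$1"  (prefix every key with "|")
    2. replace '"' -> ""                    (drop the quotes around values)
    3. replace "|op" -> "op"                (no leading "|" before the first key)
    4. split on the new pair delimiter "|" and on the first "=" of each pair.
    Step 4 emulates KUMA's key-value parser; the strip() calls are this
    example's own, since the page does not say how KUMA trims the pairs."""
    s = re.sub(r"(\w+=)", r"|\1", body)
    s = s.replace('"', "")
    s = s.replace("|op", "op")
    pairs = {}
    for chunk in s.split("|"):
        chunk = chunk.strip()
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            pairs[key] = value
    return pairs


def normalize(line):
    """Map one enriched auditd line to the KUMA fields named in the change
    list. Keys given in lower case ("direction", "terminal", "grantors") are
    raw event fields whose destination KUMA field the page does not state."""
    record, _, enriched = line.partition("\x1d")
    m = re.search(r"msg='(.*)$", record)
    msg = split_msg(m.group(1) if m else "")
    # Interpreted uppercase fields appended by log_format = ENRICHED.
    enr = dict(re.findall(r'(\w+)="([^"]*)"', enriched))
    out = {
        # msg='...' is captured up to end of line, so "res" still carries the
        # closing quote; this is what the "'" replacement on EventOutcome fixes.
        "EventOutcome": msg.get("res", "").replace("'", ""),
        "SourceAddress": msg.get("addr"),        # addr -> SourceAddress
        "DestinationAddress": msg.get("laddr"),  # laddr -> DestinationAddress
        "DeviceCustomString1": msg.get("acct"),  # acct -> DeviceCustomString1
        "SourceUserName": enr.get("AUID"),       # AUID -> SourceUserName
        "DestinationUserName": enr.get("UID"),   # UID -> DestinationUserName
        "S.SUID": enr.get("SUID"),               # SUID -> S.SUID (Version 2)
    }
    # Version 2: the "?" placeholder auditd writes for unknown values is
    # replaced with "" in direction, terminal and grantors.
    for key in ("direction", "terminal", "grantors"):
        if key in msg:
            out[key] = msg[key].replace("?", "")
    return out


if __name__ == "__main__":
    for sample in (USER_AUTH, CRYPTO_KEY_USER):
        print(normalize(sample))
```

<p>
		Running the block on the two samples shows why the "'" replacement exists (the last pair of every msg='...' block ends with the closing quote, so "res" would otherwise be "success'"), how addr and laddr end up on opposite sides after the Version 1 swap (for sshd, addr is the peer and laddr the local listener), and that the "?" fields of a CRYPTO_KEY_USER record arrive empty instead of carrying a literal question mark.
</p>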
</p>

</body>
</html>