<html lang="en">
<body>
 
<p>
    <b>[OOTB] WatchGuard Firebox syslog. Version 1</b><br>
	Change log:
		<ul>
			<li>Normalizer was renamed from "[OOTB] WatchGuard Firebox" to "[OOTB] WatchGuard Firebox syslog".</li>
			<li>Support for WatchGuard Firebox version v2026.1.B730198 was added.</li>
			<li>Extra normalizers "3D01-0003", "Other events", "PTR DNS events", "Other DNS events" were added.</li>
			<li>Extra normalizer "EventID" was changed. New regular expression was added.</li>
			<li>Main normalizer was changed. Enrichment of the KUMA field EndTime from the KUMA field DeviceReceiptTime was removed. Event enrichment to the KUMA fields DeviceHostName, DeviceProcessName, DestinationUserName, DestinationHostName with the lowercase function was added. Event enrichment to the KUMA fields SourceNtDomain, TransportProtocol, DestinationNtDomain with the uppercase function was added.</li>
			<li>Extra normalizer "3000-0148" was changed. Capture group "sourceNtDomain" was renamed to "inif", and its mapping was changed from SourceNTDomain to DeviceInboundInterface. Event field "iph_len" was mapped to the KUMA field BytesIn. Event field "ip_pkt_len" was mapped to the KUMA field DeviceCustomNumber1. Event field "ttl" was mapped to the KUMA field DeviceCustomNumber2. Constant in the enrichment to the KUMA field Name was changed from "Connection traffic" to "Normal traffic".</li>
			<li>Extra normalizer "3000-0149" was changed. Capture group "sourceNtDomain" was renamed to "inif", and its mapping was changed from "SourceNTDomain" to "DeviceInboundInterface". Event field "iph_len" was mapped to the KUMA field BytesIn. Event field "ip_pkt_len" was mapped to the KUMA field DeviceCustomNumber1. Event field "ttl" was mapped to the KUMA field DeviceCustomNumber2. Event enrichment with constant to the KUMA field Name was added.</li>
			<li>Extra normalizer "3000-0151" was changed. Capture group "sourceNtDomain" was renamed to "inif", and its mapping was changed from the KUMA field SourceNTDomain to the KUMA field DeviceInboundInterface. Constant in the enrichment to the KUMA field "Name" was changed from "Connection summary" to "Traffic connection terminated". Event field "rcvd_pkts" was mapped to the KUMA field FlexNumber1. Event field "sent_pkts" was mapped to the KUMA field FlexNumber2. Event field "flags" was mapped to the KUMA field DeviceCustomString1.</li>
			<li>Extra normalizer "3001-1001" was changed: new regular expression was added. Constant in the enrichment to the KUMA field Name was changed from "Block" to "Temporarily blocking host".</li>
			<li>Extra normalizer "kv3000-0148" was changed. The mapping of the event field "question" was changed from the KUMA field DestinationDNSDomain to the KUMA field DestinationHostName.</li>
			<li>Extra normalizers "kv3000-0148", "kv3000-0149", "kv3000-0151" were changed. Condition was removed.</li>
			<li>Labels of the DeviceCustom* fields were updated.</li>
		</ul>		
</p>

</body>
</html>