<html lang="en">
<body>
  <p>
    <b>[OOTB] KEDR telemetry. Version 7</b><br>
   	Change log:
	<ul>
		<li>New event enrichment was added to the main normalizer: a template maps the "LocalPort" field (in events of the "inbound" type) and the "RemotePort" field (in events of the "outbound" type) to the KUMA "SourcePort" field.</li>
        <li>New event enrichment was added to the main normalizer: a template maps the "LocalPort" field (in events of the "outbound" type) and the "RemotePort" field (in events of the "inbound" type) to the KUMA "DestinationPort" field.</li>
        <li>New event enrichment was added to the main normalizer: a template maps the "LocalIp" field (in events of the "inbound" type) and the "RemoteIp" field (in events of the "outbound" type) to the KUMA "SourceAddress" field.</li>
        <li>New event enrichment was added to the main normalizer: a template maps the "LocalIp" field (in events of the "outbound" type) and the "RemoteIp" field (in events of the "inbound" type) to the KUMA "DestinationAddress" field.</li>
        <li>The extra normalizer "threatprocessingresult" was changed. The fields "LocalIp", "LocalPort", "RemoteIp", and "RemotePort" were removed.</li>
        <li>The extra normalizer "threatdetect" was changed. The fields "LocalIp", "LocalPort", "RemoteIp", and "RemotePort" were removed.</li>
        <li>The extra normalizer "portlisten" was changed. The fields "LocalIp", "LocalPort", "RemoteIp", and "RemotePort" were removed.</li>
        <li>The extra normalizer "connection" was changed. The fields "LocalIp", "LocalPort", "RemoteIp", and "RemotePort" were removed.</li>
		<li>The extra normalizer "windows event log event" was changed. The enrichment of the KUMA "Name" field was removed.</li>
        <li>New event enrichment was added to the extra normalizer "windows event log event". The KUMA field "DeviceEventClassID" is mapped to the KUMA field "Name" with the "Replace" function, which converts the event class into a description.</li>
	</ul>
  </p>

  <p>
    <b>[OOTB] KEDR telemetry. Version 6</b><br>
   	Change log:
	<ul>
		<li>The value of the "Keep raw event" parameter was changed from "Always" to "Only errors".</li>
		<li>Mapping in the main normalizer was changed. Mapping of the event field "SignatureSubjectName" was removed from the KUMA field "FileID". Event field "ProductVendor" was mapped to the KUMA field "FileID".</li>
		<li>Mapping in the extra normalizer "driver" was changed. Mapping of the event field "ProductVendor" was removed from the KUMA field "DeviceCustomString6".</li>
		<li>Mapping in the extra normalizer "module" was changed. Event field "DllSignatureCheckResult" was mapped to the KUMA field "EventOutcome".</li>
		<li>New event enrichment was added to the main normalizer (DeviceHostName to lower case).</li>
		<li>Extra normalizer "4610 or 4614 or 4622" was changed. Mapping of event field "Extra.Data.EventData.Data.Name.value" was removed from the KUMA field DeviceCustomString1Label. Mapping of event field "Extra.Data.EventData.value" was removed from the KUMA field DeviceCustomString1. Event field "EventData.Data.Name.value" was mapped to the KUMA field DeviceCustomString1Label. Event field "EventData.Data.value" was mapped to the KUMA field DeviceCustomString1.</li>
	</ul>
  </p>

  <p>
    <b>[OOTB] KEDR telemetry. Version 5</b><br>
   	Change log:
	<ul>
		<li>Event enrichments to the KUMA fields SourceUserName, DestinationUserName, SourceNtDomain, DestinationNtDomain were updated in the main normalizer. New regular expressions were added.</li>
		<li>Data from the KUMA field SourceUserName was duplicated to the KUMA field DestinationUserName in the extra normalizers: connection, process, filechange, applock, blockeddocument, module, driver, portlisten, registry, threatdetect, threatprocessingresult, process_interpreted_file_run, process_console_interactive_input, amsi_scan, process-terminate, dns_lookup, named_pipe.</li>
	</ul>
  </p>

  <p>
    <b>[OOTB] KEDR telemetry. Version 4</b><br>
   	Change log:
	<ul>
		<li>New extra normalizers were added: "dns_lookup", "named_pipe".</li>
		<li>Additional data was added to the dictionary «[OOTB] KEDR. FileOperationType» (entries 7, 8, 9).</li>
		<li>Mapping was changed in the main normalizer. Mapping of event field "UniquePid" was removed from the KUMA field «FlexString2». Event field "OriginalFileName" was mapped to the KUMA field «DeviceCustomString1». Event field "ZoneIdentifier" was mapped to the KUMA field "DeviceCustomFloatingPoint1". Mapping of event field "OsName" was changed from the KUMA field "DeviceVersion" to the field "Extra.OsName". Mapping of event field "OsVersion" was changed from the KUMA field "DeviceCustomString1" to the field "Extra.OsVersion".</li>
		<li>Mapping was changed in the extra normalizer "process". Mapping of event field "UniquePid" was removed from the KUMA field «FlexString2». Mapping of event field "UniqueParentPid" was removed from the KUMA field «FlexString1».</li>
		<li>Event enrichment was changed in the main normalizer. Event enrichment with a template was added to the KUMA field "ExternalID".</li>
	</ul>
  </p>

  <p>
    <b>[OOTB] KEDR telemetry. Version 3</b><br>
   	Change log:
	<ul>
		<li>An additional condition was added in the extra normalizer "amsi_scan".</li>
		<li>Additional event enrichments were added in the main normalizer (lower case to the KUMA fields "DestinationUserName", "SourceHostName").</li>
		<li>Additional mapping was added in the extra normalizer "windows event log event". Event field "EventData.Data.lpAddress.value" was mapped to the KUMA field "SourceAddress". Event field "EventData.Data.WorkstationName.value" was mapped to the KUMA field "SourceHostName".</li>		
	</ul>
  </p>

  <p>
    <b>[OOTB] KEDR telemetry. Version 2</b><br>
   	Change log:
	<ul>
		<li>Mapping of the field "ProductVersion" in the main normalizer has been changed from the "FileId" field to the "DeviceVersion" KUMA field.</li>
		<li>Mapping of the field "SignatureSubjectName" in the main normalizer has been changed from the "FlexString2" field to the "FileId" KUMA field.</li>
	</ul>
  </p>

  <p>
    <b>[OOTB] KEDR telemetry. Version 1</b><br>
   	Change log:
	<ul>
		<li>Parsing of a new event type has been added (process_terminate event).</li>
		<li>Mapping of additional event fields has been added in extra normalizers.</li>
		<li>Mapping of the Timestamp field has been added in the "registry" extra normalizer.</li>
		<li>Mapping of the timestamp field was changed from the StartTime to the EndTime KUMA field.</li>
		<li>Event enrichment has been added for *UserName fields (lower case).</li>
		<li>Event enrichment has been added to the SourceNtDomain KUMA field (upper case).</li>
		<li>Mapping of the LocalIp field was changed from the DestinationAddress to the SourceAddress KUMA field in the "portlisten" extra normalizer.</li>
		<li>Mapping of the LocalPort field was changed from the DestinationPort to the SourcePort KUMA field in the "portlisten" extra normalizer.</li>
	</ul>
  </p>

</body>
</html>