February 20th, 2025 - Content Release

This content release updates the Netskope Security Cloud log parsers and mappers so that anomaly events are mapped correctly: the parser logic now reads the event ID from a different location depending on the event type.

Log Mappers

  • [Updated] Netskope - Anomaly - Bulk Download
  • [Updated] Netskope - Anomaly - User Shared Credentials
  • [Updated] Netskope - nspolicy

Parsers

  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

February 14th, 2025 - Content Release

This content release includes:

  • New and updated mappers and parsers for Carbon Black, Cisco ISE, Cisco Umbrella, PAN Firewall CSV and LEEF, and Signal Science (Fastly) WAF.

Changes are enumerated below.

Log Mappers

  • [New] Carbon Black Cloud - alert event
  • [Updated] Cisco ISE Radius Diagnostics
    • Supports additional Radius Diagnostic messages.
  • [Updated] Cisco Umbrella DNS Logs
    • Adds dstDevice_ip, normalizedAction, and user_email.
  • [Updated] Cisco Umbrella IP Logs
    • Adds alternate value for dstDevice_ip and adds user_email.
  • [Updated] Cisco Umbrella Proxy Logs
    • Adds user_email.

Parsers

  • [Updated] /Parsers/System/VMware/Carbon Black Cloud
    • Adds support for the event ID of the alert event.
  • [Updated] /Parsers/System/Cisco/Cisco ISE
    • Adds key value parsing for descriptions.
  • [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
    • Adds a transform for capturing email addresses.
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
    • Modifies parse_system_format_1 regular expression to support additional events.
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
    • Normalizes parsing of subtype to have consistent case.
  • [Updated] /Parsers/System/Signal Science/Signal Science WAF
    • Adds additional timestamp handling.

January 31, 2025 - Content Release

This content release includes:

  • Removal of and updates to Cloud SIEM rules.
  • Parsing and mapping support for new products.
  • Updates to existing parsers and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules

  • [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
    • Corrected typo in "MailItemsAccessed".
  • [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
    • Corrected typo in "MailItemsAccessed".

Log Mappers

  • [New] Crowdstrike FileVantage Catch All
  • [New] Dragos Communication
  • [New] Dragos Indicator
  • [New] Dragos System|Asset
  • [New] Extrahop JSON Catch All
  • [New] F5 TMM Http Request|TMM Network|TMM Connection error
  • [New] F5 TMSH - Custom Parser
  • [New] Zendesk - Login events

Updated Field Mappings

  • [Updated] Code42 Incydr Alerts C2C
  • [Updated] Cyber Ark EPM AggregateEvent
  • [Updated] Google G Suite - meet
  • [Updated] Palo Alto GlobalProtect - Custom Parser
  • [Updated] Palo Alto GlobalProtect Auth - Custom Parser
  • [Updated] Zendesk Catch All

Parsers

  • [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
  • [New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing

  • [Updated] /Parsers/System/Code42/Code42 Incydr
  • [Updated] /Parsers/System/Dragos/Dragos
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Microsoft/Office 365
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

January 28, 2025 - Content Release

This content release includes:

  • Fixes the Azure DevOps Auditing mapper so that only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
  • Adds parsing and mapping support for additional OpenVPN events.
  • Adds additional timestamp format handling to Azure JSON log parsing.

Log Mappers

  • [Updated] Azure DevOps Auditing Catch All
  • [Updated] OpenVPN Audit Event
  • [Updated] OpenVPN Network Event

Parsers

  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

January 14, 2025 - Content Release

This content release includes:

  • Parsing and mapping support for Azure DevOps Auditing via EventHubs and for Pfsense Firewall.
  • Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

Note

In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.

Log Mappers

  • [New] Azure DevOps Auditing Catch All
  • [New] Check Point Application Control URL Filtering
  • [New] Cisco ISE Radius Diagnostics
  • [New] Linux OS Syslog - KRB5 Child - Authentication Failure
  • [New] Linux OS Syslog - Process systemd - Systemd Session
  • [New] Linux OS Syslog - Process systemd - Systemd Session Scope
  • [New] Linux OS Syslog - Process systemd - session logout
  • [New] Pfsense Firewall filterlog
  • [New] Pfsense Firewall nginx
  • [New] Pfsense Firewall openvpn Authentication
  • [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
  • [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
  • [Updated] Cisco ISE Authentication Failure
    • Adds normalizedSeverity mapping.
  • [Updated] Cisco ISE Authentication Success
    • Adds normalizedSeverity mapping.
  • [Updated] Cloudflare - Logpush
    • Adds mapping for dns_query, http_hostname, http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol.
  • [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
    • Adds mapping for normalizedAction.
  • [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
    • Adds support for additional events and mapping of file_path.

Parsers

  • [New] /Parsers/System/Pfsense/Pfsense Firewall
  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Cisco/Cisco ISE
  • [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

Copyright © 2025 by Sumo Logic, Inc.