This release changes Crowdstrike mapper record types from 'Endpoint' to 'Audit' logs to align with Crowdstrike documentation, fixes to Fortinet severity scoring, SentinelOne IP mappings, additional values for Windows mappers for Snare, Snare parser updates for Windows Event 4947, updates to TrendMicro Deep Security CEF parser to allow for additional timestamp formats, and a minor rule update.
Rules
- [Updated] AGGREGATION-S00005 Suspicious System Enumeration Occurring in Quick Succession, Rule no longer in prototype
Log Mappers
- [Updated] CrowdStrike Audit Logs
- [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
- [Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
- [Updated] CrowdStrike Falcon Identity Protection (CNC)
- [Updated] CrowdStrike Remote Response Session (CNC)
- [Updated] CrowdStrike UserActivity Logs
- [Updated] Fortinet DLP Logs
- [Updated] Fortinet IPS Logs
- [Updated] SentinelOne Logs - C2C agents
- [Updated] SentinelOne Logs - C2C threats
- [Updated] Windows - Security - 4947
- [Updated] Windows - Security - 4948
Parsers
- [Updated] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF
- [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security