This release includes parsing and mapping updates to Fortinet to account for variations in URL information present in the log sometimes leading to malformed URLs being normalized, adjustments to Jamf mappings to account for case variations in certain fields, as well as changes enumerated below.
Rules
- [Updated] OUTLIER-S00010 Spike in URL Length from IP Address
- Narrowed rule expression to NetworkHTTP and NetworkProxy records
Log Mappers
- [Updated] Fortinet App Control Logs
- [Updated] Fortinet DLP Logs
- [Updated] Fortinet Event Logs
- [Updated] Fortinet IPS Logs
- [Updated] Fortinet Traffic Logs
- [Updated] Fortinet Virus Logs
- [Updated] Fortinet Webfilter Logs
- [Updated] Jamf Audit User - Audit
- [Updated] Jamf Audit User - Authentication
- [Updated] Jamf Audit User - Endpoint
- [Updated] Jamf Audit User - Network
- [Updated] SentinelOne Logs - C2C threats
- Adds alternate value for normalizedSeverity lookup
Parsers
- [Updated] /Parsers/System/Cisco/Cisco Meraki
- Support for more variation in content filtering block logs and additional drops for events of limited to no security value.
- [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog