This release includes minor updates and a new log mapper for Microsoft Defender.
Rules
- [Updated] MATCH-S00231 Azure - Member Added to Company Administrator Role
- Updated expression to account for parser and vendor schema changes
- [Updated] THRESHOLD-S00097 Impossible Travel - Successful
- Removed vendor/product grouping
- [Updated] THRESHOLD-S00098 Impossible Travel - Unsuccessful
- Removed vendor/product grouping
- [Updated] MATCH-S00167 Recon Using Common Windows Commands
- Bug fix for Qualys path exclusion not working
Log Mappers
- [New] Microsoft Defender for Cloud - Security Alerts
- Support for new log schema
Parsers
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- Added additional time format