March 11, 2024 - Content Release

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules

• [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
  • Updated rule expression to reduce false positivity.
• [Updated] FIRST-S00044 First Seen AppID Generating MailIItemsAccessed Event
  • Updated Severity from 4 to 1.
• [Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
  • Fixed description and summary transposition and lowered severity from 3 to 1.

Log Mappers

Added userAgent mapping to Okta.

• [New] Kaltura Audits
• [Updated] Okta Authentication - auth_via_mfa
• [Updated] Okta Authentication Events
• [Updated] Okta Catch All

Parsers

• [New] /Parsers/System/Kaltura/Kaltura