May 30, 2024 - Content Release
This content release includes several new and multiple updated log mappers, plus several updated parsers. Details are enumerated below:
Log Mappers
- [New] Cisco Meraki Firewall - Custom Parser
- Minor changes in cisco meraki mapper
- [New] Jamf Parser - Alert
- Removed wrong field
- [New] Jamf Parser - Network
- Removed wrong field
- [Updated] AWS GuardDuty Alerts from Sumo CIP
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWS S3 Server Access Log - Custom Parser
- Map bytesIn/bytesOut in AWS CloudTrail Data Events
- Keys updated: bytesIn, bytesOut
- [Updated] AWSGuardDuty_Backdoor
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Behavior
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Catch_All
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_CryptoCurrency
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Discovery
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Exfiltration
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_PenTest
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Persistence
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Policy
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_ResourceConsumption
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Stealth
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] AWSGuardDuty_Trojan
- Added region field in all the events
- Keys updated: cloud_region
- Updated] AwsServiceEvent-AWS API Call via CloudTrail
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] BlueCat DHCP Parser - Catch All
- Changed mac address field in mapper
- Keys updated: device_mac, timestamp
- [Updated] Code42 Incydr FileEvents C2C
- Mapper adjustments
- Keys updated: event_id_pattern, user_username, file_path, severity, normalizedSeverity, threat_name
- [Updated] Recon_EC2_PortProbeUnprotectedPort
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] Recon_EC2_Portscan
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] Recon_IAMUser
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] UnauthorizedAccess_EC2_SSHBruteForce
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] UnauthorizedAccess_EC2_TorClient
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] UnauthorizedAccess_EC2_TorIPCaller
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] UnauthorizedAccess_EC2_TorRelay
- Added region field in all the events
- Keys updated: cloud_region
- [Updated] UnauthorizedAccess_IAMUser
- Added region field in all the events
- Keys updated: cloud_region
Parsers
- [Updated] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
- [Updated] /Parsers/System/Cisco/Cisco Meraki
- [Updated] /Parsers/System/Code42/Code42 Incydr
- [Updated] /Parsers/System/Jamf/Jamf
- [Updated] /Parsers/System/Microsoft/Shared/Syslog Headers Microsoft
- [Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers
- [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security