August 05, 2024 - Content Release
This content release includes:
- A new Cloud SIEM First Seen rule
- Consolidation of AWSGuardDuty log mappers
- CrowdStrike FDR mapping modifications by adding
aid
as a value fordevice_hostname
as primary or alternate - Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format
- Several new log mappers, parsers, and multiple updated parsers
Release specifics are enumerated below.
Rules
- NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
- This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process.
Log Mappers
- [Deleted] AWS GuardDuty Alerts from Sumo CIP
- [Deleted] AWSGuardDuty_Backdoor
- [Deleted] AWSGuardDuty_Behavior
- [Deleted] AWSGuardDuty_Catch_All
- [Deleted] AWSGuardDuty_CryptoCurrency
- [Deleted] AWSGuardDuty_Discovery
- [Deleted] AWSGuardDuty_Exfiltration
- [Deleted] AWSGuardDuty_PenTest
- [Deleted] AWSGuardDuty_Persistence
- [Deleted] AWSGuardDuty_Policy
- [Deleted] AWSGuardDuty_ResourceConsumption
- [Deleted] AWSGuardDuty_Stealth
- [Deleted] AWSGuardDuty_Trojan
- [Retired] AwsServiceEvent-AWS API Call via CloudTrail
- [Deleted] Recon_EC2_PortProbeUnprotectedPort
- [Deleted] Recon_EC2_Portscan
- [Deleted] Recon_IAMUser
- [Deleted] UnauthorizedAccess_EC2_SSHBruteForce
- [Deleted] UnauthorizedAccess_EC2_TorClient
- [Deleted] UnauthorizedAccess_EC2_TorIPCaller
- [Deleted] UnauthorizedAccess_EC2_TorRelay
- [Deleted] UnauthorizedAccess_IAMUser
- [Updated] AWS GuardDuty Alerts from Sumo CIP
- [New] AWS Redshift - ACTIVITY_LOG
- [New] AWS Redshift - Authentication Log
- [New] AWS Redshift - Connection Log
- [New] AWS Redshift - USER_LOG
- [New] AWSGuardDuty - Audit Events
- [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
- [New] AWSGuardDuty - Reconnaissance and malicious activity detection
- [Updated] AWSGuardDuty - Tor Client and Relay
- [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
- [Updated] AWSGuardDuty_Catch_All
- [New] Forescout CounterACT - NAC Policy Log
- [New] PingFederate - Authentication Event
- [New] Symantec Endpoint Security - All
- [Updated] UnauthorizedAccess_EC2_SSHBruteForce
- [New] VMware NSX - Firewall
- [Updated] CloudTrail Default Mapping
- Added alternate values for
userIdentity.arn
, andrequestParameters.sourceIdentity
applied touser_role
. Additional mappings forbytesIn
, andbytesOut
.
- Added alternate values for
- [Updated] CrowdStrike FDR - Catch All
- [Updated] CrowdStrike FDR - CriticalFileAccessed
- [Updated] CrowdStrike FDR - NetworkConnectIP4
- [Updated] CrowdStrike FDR - NetworkConnectIP6
- [Updated] CrowdStrike FDR - ProcessRollup2
- [Updated] CrowdStrike FDR - SuspiciousDnsRequest
- [Updated] PingFederate Event
- Narrowed the lookup scope where success is true.
- [Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105
- Updated keys for:
user_userId
,user_username
,commandLine
,baseImage
,file_path
, andseverity
.
- Updated keys for:
Parsers
- [New] /Parsers/System/AWS/AWS Redshift
- [Updated] /Parsers/System/Forescout/Forescout CounterACT
- Updated the start time field.
- [New] /Parsers/System/Symantec/Symantec Endpoint Security
- [New] /Parsers/System/VMware/VMware NSX
- [Updated] /Parsers/System/Cisco/Cisco Meraki
- Added support for URLS new format.
- [Updated] /Parsers/System/PingIdentity/PingFederate
- Added support of new log format.
- [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
- Dropped the redundant message field.