August 16, 2024 - Content Release
This content release includes:
- Updates to Azure rules to reflect a name change in the Company Administrator role to Global Administrator.
- New Linux OS Syslog mappers.
- Addition of sessionId mapping to Okta mappers.
Individual changes are enumerated below.
Rules
- [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
- [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
- [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role
- [Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User)
Log Mappers
- [New] Linux OS Syslog - Process sudo - Authentication Failure
- [New] Linux OS Syslog - Systemd-user Session Open|Closed
- [New] Linux OS Syslog - sshd - Postponed publickey
- [New] Linux OS Syslog - sshd - User not allowed
- [New] MicrosoftGraphActivityLogs
- [Updated] AWS Redshift - Authentication Log
- Added normalizedAction mapping for logon and a success boolean lookup on event_name
- [Updated] Aruba ClearPass Guest Access
- Added normalizedAction mapping for logon and a success boolean lookup on error codes
- [Updated] Check Point Failed Log In
- Updated record type to Authentication and adjusted normalizedAction mapping to logon
- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
- Added logon normalizedAction and mapped success boolean to checkMfa
- [Updated] Infoblox NIOS - DNS
- Updated mapping for dns_query to fix dns enrichments
- [Updated] JumpCloud IdP Authentication
- Adds logon normalizedAction to mapper
- [Updated] Linux OS Syslog - Cron - Session Opened
- Adds mappings for targetUser_username, targetUser_userId, user_userId
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
- Adds "check pass" to event ID pattern
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
- Added description mapping
- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
- Updated mapper name, and added "sshd-disconnect" to event ID pattern. Adds mappings for srcDevice_ip, description, action.
- [Updated] Linux OS Syslog - Process sshd - SSH Session Opened
- Adds mapping for srcDevice_ip
- [Updated] Linux OS Syslog - Process sshd - SSH Session Starting
- Adds mappings for srcDevice_ip, srcPort
- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
- Adds mapping for description
- [Updated] PingFederate - Authentication Event
- Added logon normalizedAction to mapper
- [Updated] Pulse Secure Custom Parser - AUT24326
- Added logon normalizedAction to mapper
- [Updated] Windows - Security - 4648
- Adds logon normalizedAction mapping
- [Updated] Okta Authentication - auth_via_AD_agent
- [Updated] Okta Authentication - auth_via_mfa
- [Updated] Okta Authentication - auth_via_radius
- [Updated] Okta Authentication - sso
- [Updated] Okta Authentication Events
- [Updated] Okta Catch All
- [Updated] Okta Security Threat Events
Parsers
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns.
Schema
- [New] repository
- The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts.