January 31, 2025 - Content Release

This content release includes:

• Removal and updates to Cloud SIEM rules.
• Parsing and mapping support for new products.
• Updates to existing parsing and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules

• [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
• [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".
• [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".

Log Mappers

• [New] Crowdstrike FileVantage Catch All
• [New] Dragos Communication
• [New] Dragos Indicator
• [New] Dragos System|Asset
• [New] Extrahop JSON Catch All
• [New] F5 TMM Http Request|TMM Network|TMM Connection error
• [New] F5 TMSH - Custom Parser
• [New] Zendesk - Login events

Updated Field Mappings

• [Updated] Code42 Incydr Alerts C2C
• [Updated] Cyber Ark EPM AggregateEvent
• [Updated] Google G Suite - meet
• [Updated] Palo Alto GlobalProtect - Custom Parser
• [Updated] Palo Alto GlobalProtect Auth - Custom Parser
• [Updated] Zendesk Catch All

Parsers

• [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
• [New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing

• [Updated] /Parsers/System/Code42/Code42 Incydr
• [Updated] /Parsers/System/Dragos/Dragos
• [Updated] /Parsers/System/F5/F5 Syslog
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Microsoft/Office 365
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV