May 9, 2025 - Content Release

May 9, 2025

This release includes:

New rules for monitoring AWS services (see below for tuning guidance).
Updated rules for Microsoft O365 and Powershell.
Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
Updates to Cisco Umbrella mappers to add user_username.
Updates to SentinelOne mappers to drop null values.
New parsers for Azure Virtual Network and SentinelOne MGMT API.
Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.

Changes are enumerated below.

Rules

[New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
- [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
[New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
- [Disabled by Default] Detection of a user account's first enumeration of custom AWS Bedrock models via ListCustomModels API. Verify the user is authorized for AWS Bedrock access. The http_userAgent field indicates whether a browser or CLI tool was used. This rule is disabled by default due to potential high volume of alerts, particularly from service accounts. Before enabling, consider excluding authorized users and service accounts (such as CNAPP monitoring accounts with timestamp-based usernames) through rule tuning expressions.
[New] OUTLIER-S00032 Outlier in Data Transferred from an S3 Bucket by User
- [Disabled by Default] This rule detects an unusual amount of data transferred outbound from an S3 bucket (requires AWS Data events are required). Verify if the user, role and IP address associated with this activity are authorized. This rule is disabled by default due to potential signal volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
[New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
- [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
[Updated] MATCH-S00069 O365 - Users Password Reset
- Changed Entity and Summary, replacing user_username with targetUser_username.
[Updated] MATCH-S00449 Powershell Execution Policy Bypass
- Fixed camel case in commandLine field.

Log Mappers

[New] Azure Virtual Network Flow logs
[Updated] Abnormal Security Threats
[Updated] Cisco ASA 103001 JSON
[Updated] Cisco ASA 103004 JSON
[Updated] Cisco ASA 106001 JSON
[Updated] Cisco ASA 106002 JSON
[Updated] Cisco ASA 106006 JSON
[Updated] Cisco ASA 106007 JSON
[Updated] Cisco ASA 106010 JSON
[Updated] Cisco ASA 106012 JSON
[Updated] Cisco ASA 106014 JSON
[Updated] Cisco ASA 106015 JSON
[Updated] Cisco ASA 106021 JSON
[Updated] Cisco ASA 106023 JSON
[Updated] Cisco ASA 106027 JSON
[Updated] Cisco ASA 106100 JSON
[Updated] Cisco ASA 106102-3 JSON
[Updated] Cisco ASA 109005-8 JSON
[Updated] Cisco ASA 110002 JSON
[Updated] Cisco ASA 111008-9 JSON
[Updated] Cisco ASA 111010 JSON
[Updated] Cisco ASA 113003 JSON
[Updated] Cisco ASA 113004 JSON
[Updated] Cisco ASA 113005 JSON
[Updated] Cisco ASA 113006 JSON
[Updated] Cisco ASA 113007 JSON
[Updated] Cisco ASA 113008 JSON
[Updated] Cisco ASA 113009 JSON
[Updated] Cisco ASA 113012-17 JSON
[Updated] Cisco ASA 113019 JSON
[Updated] Cisco ASA 113021 JSON
[Updated] Cisco ASA 113039 JSON
[Updated] Cisco ASA 209004 JSON
[Updated] Cisco ASA 302010 JSON
[Updated] Cisco ASA 302020-1 JSON
[Updated] Cisco ASA 303002 JSON
[Updated] Cisco ASA 304001 JSON
[Updated] Cisco ASA 304002 JSON
[Updated] Cisco ASA 305011-12 JSON
[Updated] Cisco ASA 313001 JSON
[Updated] Cisco ASA 313004 JSON
[Updated] Cisco ASA 313005 JSON
[Updated] Cisco ASA 314003 JSON
[Updated] Cisco ASA 315011 JSON
[Updated] Cisco ASA 322001 JSON
[Updated] Cisco ASA 322003 JSON
[Updated] Cisco ASA 338001-8+338201-4 JSON
[Updated] Cisco ASA 4000nn JSON
[Updated] Cisco ASA 402117 JSON
[Updated] Cisco ASA 402119 JSON
[Updated] Cisco ASA 405001 JSON
[Updated] Cisco ASA 405002 JSON
[Updated] Cisco ASA 406001 JSON
[Updated] Cisco ASA 406002 JSON
[Updated] Cisco ASA 419001 JSON
[Updated] Cisco ASA 419002 JSON
[Updated] Cisco ASA 500004 JSON
[Updated] Cisco ASA 502101-2 JSON
[Updated] Cisco ASA 502103 JSON
[Updated] Cisco ASA 602303-4 JSON
[Updated] Cisco ASA 605004-5 JSON
[Updated] Cisco ASA 609002 JSON
[Updated] Cisco ASA 611101-2 JSON
[Updated] Cisco ASA 611103 JSON
[Updated] Cisco ASA 710002-3 JSON
[Updated] Cisco ASA 710005 JSON
[Updated] Cisco ASA 713052 JSON
[Updated] Cisco ASA 713172 JSON
[Updated] Cisco ASA 713228 JSON
[Updated] Cisco ASA 716014-7-8 JSON
[Updated] Cisco ASA 716038 JSON
[Updated] Cisco ASA 716039 JSON
[Updated] Cisco ASA 716059 JSON
[Updated] Cisco ASA 719022-3 JSON
[Updated] Cisco ASA 721016-8 JSON
[Updated] Cisco ASA 722034 JSON
[Updated] Cisco ASA 722051 JSON
[Updated] Cisco ASA 722055 JSON
[Updated] Cisco ASA 733100 JSON
[Updated] Cisco ASA 751011 JSON
[Updated] Cisco ASA 751023 JSON
[Updated] Cisco ASA 751025 JSON
[Updated] Cisco ASA tcp_udp_sctp_builds JSON
[Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
[Updated] Cisco Umbrella DNS Logs
[Updated] Cisco Umbrella IP Logs
[Updated] Cisco Umbrella Proxy Logs
[Updated] SentinelOne Logs - C2C activities
[Updated] SentinelOne Logs - C2C agents
[Updated] SentinelOne Logs - C2C alerts
[Updated] SentinelOne Logs - C2C threats
[Updated] SentinelOne Logs - C2C users
[Updated] SentinelOne Logs - Syslog Custom Parser

Parsers

[New] /Parsers/System/Microsoft/Azure Virtual Network
[New] /Parsers/System/SentinelOne/SentinelOne MGMT API
[Updated] /Parsers/System/Abnormal Security/Abnormal Security
- Updated the parser to support new events.
[Updated] /Parsers/System/Cisco/Cisco ASA
- Updated regex to fix ASA-6-721016 events.
[Updated] /Parsers/System/Cisco/Cisco ISE
- Updated parser to drop certain non-actionable logs.
[Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
- Updated parser to support additional event format variations.
[Updated] /Parsers/System/Cylance/Cylance Syslog
- Updated parser to support new events.
[Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
- Updated parser to drop phishing test events.

Rules​

Log Mappers​

Parsers​

Rules

Log Mappers

Parsers