May 30, 2025 - Content Release
This content release includes:
- Rule updates.
- New log parsers and mappers to support Akamai CPC and Contrast Security ADR.
- New and updated log mappers for Azure Event Hub - Windows Defender logs, Cisco ISE, Microsoft Office 365, and Snowflake.
- Modifications to existing parsers for Microsoft Azure JSON, Nginx Syslog, and Snowflake to support additional formats and events.
Changes are enumerated below.
Rules
- [Updated] MATCH-S00068 O365 - Users Password Changed
- Updated entity selectors to include both
user_username
andtargetUser_username
- Updated entity selectors to include both
- [Updated] MATCH-S00069 O365 - Users Password Reset
- Updated entity selectors to include both
user_username
andtargetUser_username
- Updated entity selectors to include both
Log Mappers
- [New] Akamai CPC
- [New] Azure Event Hub - Windows Defender Audit events
- [New] Azure Event Hub - Windows Defender Audit file events
- [New] Azure Event Hub - Windows Defender Authentication events
- [New] Azure Event Hub - Windows Defender Email events
- [New] Azure Event Hub - Windows Defender Endpoint Process events
- [New] Azure Event Hub - Windows Defender Network events
- [New] Contrast Security ADR Default Mapping
- [New] Snowflake Query History
- [New] Snowflake Session
- [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
- [Updated] Cisco ISE Catch All
- [Updated] Microsoft Office 365 Active Directory Authentication Events
- [Updated] Snowflake Catch All
- [Updated] Snowflake Login
Parsers
- [New] /Parsers/System/Akamai/Akamai CPC
- [New] /Parsers/System/Contrast Security/Contrast ADR
- [Updated] /Parsers/System/Cisco/Cisco ISE
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/Nginx/Nginx Syslog
- [Updated] /Parsers/System/Microsoft/Office 365
- [Updated] /Parsers/System/Snowflake/Snowflake
- [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
- [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry