May 30, 2025 - Content Release

This content release includes:

• Rule updates.
• New log parsers and mappers to support Akamai CPC and Contrast Security ADR.
• New and updated log mappers for Azure Event Hub - Windows Defender logs, Cisco ISE, Microsoft Office 365, and Snowflake.
• Modifications to existing parsers for Microsoft Azure JSON, Nginx Syslog, and Snowflake to support additional formats and events.

Changes are enumerated below.

Rules

• [Updated] MATCH-S00068 O365 - Users Password Changed
  • Updated entity selectors to include both user_username and targetUser_username
• [Updated] MATCH-S00069 O365 - Users Password Reset
  • Updated entity selectors to include both user_username and targetUser_username

Log Mappers

• [New] Akamai CPC
• [New] Azure Event Hub - Windows Defender Audit events
• [New] Azure Event Hub - Windows Defender Audit file events
• [New] Azure Event Hub - Windows Defender Authentication events
• [New] Azure Event Hub - Windows Defender Email events
• [New] Azure Event Hub - Windows Defender Endpoint Process events
• [New] Azure Event Hub - Windows Defender Network events
• [New] Contrast Security ADR Default Mapping
• [New] Snowflake Query History
• [New] Snowflake Session
• [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
• [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
• [Updated] Cisco ISE Catch All
• [Updated] Microsoft Office 365 Active Directory Authentication Events
• [Updated] Snowflake Catch All
• [Updated] Snowflake Login

Parsers

• [New] /Parsers/System/Akamai/Akamai CPC
• [New] /Parsers/System/Contrast Security/Contrast ADR
• [Updated] /Parsers/System/Cisco/Cisco ISE
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Nginx/Nginx Syslog
• [Updated] /Parsers/System/Microsoft/Office 365
• [Updated] /Parsers/System/Snowflake/Snowflake
• [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
• [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry