September 19, 2025 - Content Release

This content release includes:

  • New rules for passing through OCSF Findings, such as those generated by AWS Security Hub.
  • Updates to rules for impossible travel to exclude local system accounts.
  • New log mappers for Cisco Meraki Traffic Events, OCI Authentication Events, and TippingPoint TPS Cloud.
  • Updates to existing log mappers to support new event IDs and enhance functionality.
  • New parser for TippingPoint TPS Cloud.
  • Updates to existing parsers for Cisco ASA, Cisco Meraki C2C, Kaspersky Endpoint Security, and Oracle Cloud Infrastructure to support new events.
  • Schema update to include ocsf as an enforced value for threat_ruleType.

Changes are enumerated below.

Note: These updates have been rolled out to all deployments with the exception of FED, which will receive the updates in the coming days.

Rules

  • [New] MATCH-S01053 OCSF Compliance Finding
    Passes through compliance findings from OCSF sources.
  • [New] MATCH-S01054 OCSF Detection Finding
    Passes through detection findings from OCSF sources.
  • [New] MATCH-S01055 OCSF Vulnerability Finding
    Passes through vulnerability findings from OCSF sources.
  • [Updated] THRESHOLD-S00097 Impossible Travel - Successful
    Exclude local system accounts from the rule.
  • [Updated] THRESHOLD-S00098 Impossible Travel - Unsuccessful
    Exclude local system accounts from the rule.

Log Mappers

  • [New] Cisco Meraki Traffic Events
  • [New] OCI Catch Authentication events
  • [New] TippingPoint TPS Cloud Catch All
  • [Updated] AWS GuardDuty - OCSF Finding Events
    Modified to support dedicated OCSF finding rules.
  • [Updated] AWS Inspector - OCSF Finding Events
    Modified to support dedicated OCSF finding rules.
  • [Updated] AWS Security Hub - OCSF Finding Events
    Modified to support dedicated OCSF finding rules.
  • [Updated] AWS Security Hub Coverage - OCSF Finding Events
    Modified to support dedicated OCSF finding rules.
  • [Updated] AWS Security Hub Exposure Detection - OCSF Finding Events
    Modified to support dedicated OCSF finding rules.
  • [Updated] Cisco ASA 109201|109207|113022
  • [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
  • [Updated] Kaspersky Endpoint Security Catch All
  • [Updated] Oracle Cloud Infrastructure Audit Catch All
  • [Updated] Windows - Security - 4624
    Added user_role field to identify admin users.
  • [Updated] Windows - Security - 4648
    Added user_role field to identify admin users.

Parsers

  • [New] /Parsers/System/TippingPoint/TippingPoint TPS Cloud
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cisco/Cisco Meraki C2C
  • [Updated] /Parsers/System/Kaspersky/Kaspersky Endpoint Security
  • [Updated] /Parsers/System/Oracle/Oracle Cloud Infrastructure Schema

Schema

  • [Updated] threat_ruleType
    Updated enforced values to include ocsf as an option for mappers representing Findings records as categorized in the Open Cybersecurity Schema Framework (OCSF).


Copyright © 2025 by Sumo Logic, Inc.