January 31, 2025 - Content Release

This content release includes:

  • Removal and updates to Cloud SIEM rules.
  • Parsing and mapping support for new products.
  • Updates to existing parsing and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules

  • [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
    • Corrected typo in "MailItemsAccessed".
  • [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
    • Corrected typo in "MailItemsAccessed".

Log Mappers

  • [New] Crowdstrike FileVantage Catch All
  • [New] Dragos Communication
  • [New] Dragos Indicator
  • [New] Dragos System|Asset
  • [New] Extrahop JSON Catch All
  • [New] F5 TMM Http Request|TMM Network|TMM Connection error
  • [New] F5 TMSH - Custom Parser
  • [New] Zendesk - Login events

Updated Field Mappings

  • [Updated] Code42 Incydr Alerts C2C
  • [Updated] Cyber Ark EPM AggregateEvent
  • [Updated] Google G Suite - meet
  • [Updated] Palo Alto GlobalProtect - Custom Parser
  • [Updated] Palo Alto GlobalProtect Auth - Custom Parser
  • [Updated] Zendesk Catch All

Parsers

  • [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
  • [New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing

  • [Updated] /Parsers/System/Code42/Code42 Incydr
  • [Updated] /Parsers/System/Dragos/Dragos
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Microsoft/Office 365
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

January 28, 2025 - Content Release

This content release includes:

  • Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
  • Adds parsing and mapping support for additional OpenVPN events.
  • Adds additional timestamp format handling to Azure JSON log parsing.

Log Mappers

  • [Updated] Azure DevOps Auditing Catch All
  • [Updated] OpenVPN Audit Event
  • [Updated] OpenVPN Network Event

Parsers

  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

January 14, 2025 - Content Release

This content release includes:

  • Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
  • Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

Note

In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.

Log Mappers

  • [New] Azure DevOps Auditing Catch All
  • [New] Check Point Application Control URL Filtering
  • [New] Cisco ISE Radius Diagnostics
  • [New] Linux OS Syslog - KRB5 Child - Authentication Failure
  • [New] Linux OS Syslog - Process systemd - Systemd Session
  • [New] Linux OS Syslog - Process systemd - Systemd Session Scope
  • [New] Linux OS Syslog - Process systemd - session logout
  • [New] Pfsense Firewall filterlog
  • [New] Pfsense Firewall nginx
  • [New] Pfsense Firewall openvpn Authentication
  • [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
  • [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
  • [Updated] Cisco ISE Authentication Failure
    • Adds normalizedSeverity mapping.
  • [Updated] Cisco ISE Authentication Success
    • Adds normalizedSeverity mapping.
  • [Updated] Cloudflare - Logpush
    • Adds mapping for dns_query, http_hostname, http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol.
  • [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
    • Adds mapping for normalizedAction.
  • [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
    • Adds support for additional events and mapping of file_path.

Parsers

  • [New] /Parsers/System/Pfsense/Pfsense Firewall
  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Cisco/Cisco ISE
  • [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
Copyright © 2025 by Sumo Logic, Inc.