Content Package 2025.14.1
These release notes contain information about content package 2025.14.1, released on 09 Jul 2025.
Enhancements
Updated activity type from 'endpoint-login' to 'app-authentication' in parser - okta-amfg-cef-endpoint-login-success-attemptsuccess.
Added the attribute_value, operation_type, and attribute fields in the event viewer log 5136.
Added parser support for Citrix Secure Private Access logs with event types App.SaaS.Url.Navigate, App.SaaS.Launch, and App.SaaS.End.
New parsers created for F5 Distributed Cloud logs.
Developed new parser content for Airlock.
Updated src_file_name, src_file_path, and src_file_ext fields for parser - microsoft-evsecurity-xml-file-success-4663-1.
Added the parser “crowdstrike-falcon-json-file-write-success-written” to the Event Builders with platform.
Added regex for parsing process-related fields in CrowdStrike Falcon parsers.
Addressed Issues
Updated the tanium-ep-json-alert-trigger-success-accountenumeration parser definition to include parsing for the src_host and src_ip fields.
Added support for new-format logs of Windows event ID 4702.
Added a new parser to support Citrix Gateway unparsed logs.
Updated the Tenable parser condition to cater to a broader category of logs.
Updated user regex to not mis-parse.
Developed new parser content for Cisco HyperFlex.
Added regex to parse the src_host field in parsers cisco-asa-str-endpoint-login-fail-2960 and cisco-asa-str-endpoint-login-fail-2960-1.
Updated the condition of the parser 'workday-wd-json-app-activity-success-activityaction' to match the logs.
Extracted the email_address from the appropriate location, giving it the highest priority in microsoft-o365-sk4-app-file-workload parser.
Microsoft Exchange parsers have been updated to use ActorInfoString instead of ClientInfoString wherever applicable for the parsing of the user_agent field.
Fixed host field parsing in parser microsoft-evsecurity-kv-key-5061.
Fixed host extractions for parser microsoft-m365auditlogs-json-app-activity-operationname.
Removed dest_ip parsing from proofpoint-tappod-json-email-send-receive-rcpts parser since src_ip and dest_ip both were parsing from the same location.
Added new parser to support PostgreSQL unparsed logs.
Updated db_name regex in parser microsoft-mssql-xml-database-login-audit.
Fixed alert_severity regex for parser crowdstrike-falcon-cef-alert-trigger-success-host.
Updated the web_domain regex in the parser - microsoft-azureeh-sk4-app-activity-success-applicationgatewayaccesslog.
Added field parsing support for dest_email_domain in Proofpoint parsers.
Created new parser 'amazon-ards-json-app-notification-datamessage'.
Added a new parser (sentinelone-singularityp-json-app-notification-success-disableagent) to support the SentinelOne agent disable logs.
Updated the below 5 parsers regex to parse user name and other fields.
Updated the parser 'proofpoint-pitm-json-alert-trigger-success' regex and added more field extractions.
Enhanced the conditions for the below Cisco parsers: cisco-ucm-str-app-logout-success-loggedout, cisco-cucm-kv-endpoint-login-success-authsuccess, cisco-cucm-kv-endpoint-authentication-fail-userlogging, cisco-cucm-kv-endpoint-authentication-fail-failure, cisco-cucm-kv-app-activity-success-useraccess, cisco-ucm-str-app-logout-success-loggedout, cisco-ucm-kv-configuration-modify-success-generalconfigurationupdate, cisco-ucm-kv-user-role-modify-success-userrolemembershipupdate.
Click the following link for the complete package release notes: 2025.14.1 Content Package Release Notes