
New-Scale Security Operations Platform: New-Scale Content Package Release Notes

Content Package 2025.18.1

These release notes contain information about content package 2025.18.1, released on 28 Aug 2025.

Enhancements

  • Added a new parser 'microsoft-mcas-cef-app-activity-success-catchall' and an event builder condition to support the new MCAS log format and parse a broader category of MCAS logs.

  • Added a new parser for Snowflake query history logs. Fixed user and time field parsing issues for the snowflake-s-sk4-database-login-success-login-1 parser.

  • Added two new parsers to support Cylance Protect collector logs: arcticwolf-protect-json-alert-trigger-success-memoryprotection and arcticwolf-protect-json-alert-trigger-success-cylancethreat.

  • Added a new parser to support previously unparsed Medigate logs: claroty-c-json-alert-trigger-success-alertaffecteddevice.

  • Updated the conditions of parsers postgresql-p-str-database-login-success-authenticated, postgresql-p-str-database-activity-success-connection_received, postgresql-p-str-database-logout-success-disconnect, postgresql-p-str-database-query-success-statement, postgresql-p-str-database-activity-fail-error and postgresql-p-json-database-activity-fail-error to parse the new PostgreSQL log format.

  • Updated parser conditions for the Imperva SecureSphere parsers imperva-securesphere-kv-database-query-success-eventcatquery and imperva-securesphere-kv-alert-trigger-success-catsecurity to match a broader set of logs.

  • Replaced all instances of src_email_address / src_email_domain with email_address/ email_domain across the codebase to improve naming consistency.

  • Added new parser for Proofpoint CASB logs.

  • Added new parsers for previously unparsed Ping Identity ForgeRock logs: pingidentity-forgerock-csv-endpoint-authentication-success-amlogin and pingidentity-forgerock-str-endpoint-authentication-success-amlogin.

  • Updated additional_info, alert_id, category, dest_user, event_name, group_name, priority, sub_category, state, activity_details, operator_name, incident_creation_time and operation field extractions for ServiceNow logs.

  • Updated 'sophos-ep-sk4-alert-trigger-success-dlpautomaticallyallowed' conditions to parse broader category of Sophos Endpoint Protection - DLP logs.

  • Added new parser beyondtrust-prividentity-kv-app-activity for BeyondTrust logs.

  • Renamed the field populated from the command line to process_command_line (previously written to process_path or process_name) for more accurate tracking.

  • Added new parser for Trellix Email Security - Cloud: fireeye-etp-cef-alert-trigger-success-malicious-email

  • Added new parsers for PagerDuty audit logs.

  • Added new registry-create, registry-modify and registry-delete event builders for the Windows event 4657 parser microsoft-evsecurity-xml-registry-create-success-4657.

  • Added catchall parser for vendor ServiceNow

  • Updated parser airlock-allowlisting-json-app-activity-success-task conditions to parse a broader category of Airlock logs.

  • Added new parsers for Amazon Q prompt logs

  • Added new fields: current_working_dir, process_relative_path, process_relative_dir for Unix parsers: unix-unix-str-process-create-success-cmd, unix-unix-kv-process-create-success-command, unix-unix-mix-user-switch-success-sudo

  • Added new parser akamai-guardicore-cef-network-traffic-blocked-networklog for Akamai Guardicore network traffic blocked logs.

  • Updated dhost field mapping and added new fields shost and cs1 for parser akamai-guardicore-cef-network-traffic-success-networklog.

  • Updated dhost field mapping and added new fields cs1, cs15 and cs16 for parser akamai-guardicore-cef-alert-trigger-success-networklog-1.
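To make the registry-create / registry-modify / registry-delete split for Windows event 4657 concrete, the following is an added example, not Exabeam's parser or event-builder definition. It maps the OperationType field of a 4657 event (Windows renders %%1904, %%1905 and %%1906 as "New registry value created", "Existing registry value modified" and "Registry value deleted") onto those three event types. The XML events are constructed for this illustration, and the normalized field names in the output are this example's own choice.

```python
"""Classify Windows Security event 4657 into registry-create / -modify / -delete.

Added example for these release notes; it is not Exabeam's parser code.
Samples are constructed, and output field names are this example's own.
"""
import xml.etree.ElementTree as ET

# Resource strings Windows substitutes into OperationType for event 4657.
OPERATION_TYPE_TO_EVENT = {
    "%%1904": "registry-create",   # New registry value created
    "%%1905": "registry-modify",   # Existing registry value modified
    "%%1906": "registry-delete",   # Registry value deleted
}


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_4657(xml_text):
    """Return a normalized dict for a 4657 event; event_type is None if unmapped."""
    root = ET.fromstring(xml_text)
    system, data = {}, {}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "EventID":
            system["event_id"] = (elem.text or "").strip()
        elif name == "Computer":
            system["host"] = (elem.text or "").strip()
        elif name == "Data" and elem.get("Name"):
            data[elem.get("Name")] = (elem.text or "").strip()
    if system.get("event_id") != "4657":
        raise ValueError("not a 4657 event")
    op = data.get("OperationType", "")
    return {
        "event_type": OPERATION_TYPE_TO_EVENT.get(op),  # route None to a catchall
        "operation_type": op,
        "host": system.get("host"),
        "user": data.get("SubjectUserName"),
        "domain": data.get("SubjectDomainName"),
        "registry_key": data.get("ObjectName"),
        "registry_value_name": data.get("ObjectValueName"),
        "old_value": data.get("OldValue") or None,
        "new_value": data.get("NewValue") or None,
        "process_name": data.get("ProcessName"),
    }


def make_sample(op_type, old_value, new_value):
    """Build a constructed 4657 event (only the fields read above are populated)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4657</EventID>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run</Data>
    <Data Name="ObjectValueName">Updater</Data>
    <Data Name="OperationType">{op_type}</Data>
    <Data Name="OldValue">{old_value}</Data>
    <Data Name="NewValue">{new_value}</Data>
    <Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
  </EventData>
</Event>"""


# Constructed samples: a Run-key persistence value being created, changed, removed.
PAYLOAD = r"C:\Users\jdoe\AppData\Roaming\up.exe"
SAMPLE_CREATE = make_sample("%%1904", "", PAYLOAD)
SAMPLE_MODIFY = make_sample("%%1905", r"C:\Program Files\Vendor\updater.exe", PAYLOAD)
SAMPLE_DELETE = make_sample("%%1906", PAYLOAD, "")


def classify_all(events):
    """Return the event_type for each raw XML event, preserving order."""
    return [parse_4657(e)["event_type"] for e in events]


if __name__ == "__main__":
    for ev in (SAMPLE_CREATE, SAMPLE_MODIFY, SAMPLE_DELETE):
        parsed = parse_4657(ev)
        print(parsed["event_type"], parsed["user"], parsed["registry_key"],
              parsed["registry_value_name"], parsed["new_value"])
```

An OperationType outside the three known codes yields event_type None rather than a guess, so such events can fall through to a catchall builder in the same way the notes describe for other vendors.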

Addressed Issues

  • Updated dest_user regex for microsoft-evsecurity-mix-user-enable-success-4722 parser.

  • Fixed user field parsing issue for microsoft-evsystem-xml-endpoint-activity-catchall parser.

  • Updated user_id and user_name field extractions for parser auth0-a-json-app-login-success-s.

  • Updated the condition of parser unix-unix-str-ssh-traffic-success-sftpsessionopened to parse Unix SSH traffic logs.

  • Added new parser unix-unix-str-cron-session-success-sessionopened to parse Unix cron session logs.

  • Updated mfa_device, time, email_address, user, src_ip, src_port, result, action, category, process_name, app and additional_info field extractions for parser pingidentity-pi-json-app-authentication-success-user.

  • Updated dest_email_domain field extraction for parser microsoft-o365-sk4-app-activity-success-forwardto.

  • Added host and email_address field parsing support for crowdstrike-falcon-sk4-app-activity-eventsimplename-1 and crowdstrike-falcon-json-process-create-success-processrollup.

  • Added alert_name field for netskope-sc-json-alert-trigger-success-malsite-1 parser.

  • Updated dns_query, dns_query_type, dest_ip and dest_port field extractions for parser unix-unixnamed-str-app-notification-resolving.

  • Updated dest_host, dns_query and dns_query_type field extractions for parser unix-unixnamed-str-app-notification-success-cname.

  • Updated the event builder condition of parser cimcor-cimtrak-json-app-activity-success-catchall to create a file-create:success event.

  • Added new json extractions for user, email_address fields in template aws-cloudtrail-json-1, used in multiple AWS CloudTrail parsers.

  • Added user regex for parsers microsoft-defenderep-cef-process-create-success-processcreated-1, microsoft-defenderep-json-alert-trigger-success-credentialaccess-1, microsoft-defenderep-json-alert-trigger-success-defenseevasion-2, microsoft-defenderep-json-alert-trigger-success-lateralmovement-2 and microsoft-defenderep-json-alert-trigger-success-execution-1.

  • Fixed syntax error in event builder dl-microsoft-ad-ds-object-delete-success.

  • Updated the microsoft-defenderep-json-alert-trigger-success-incidentname parser to support broader MS Defender Graph Incident log categories and enhanced field extractions for incidentId, createdDateTime, description, determination, displayName, id, and incidentWebUrl.

  • Fixed user field parsing issue for hp-arubacpm-kv-endpoint-login-success-authenticated parser.

  • Updated the existing event builders and added new ones for crowdstrike-falcon-sk4-app-activity-eventsimplename-1 and crowdstrike-falcon-sk4-app-activity-eventsimplename.

  • Added auth_package field for microsoft-evsecurity-kv-endpoint-login-success-4624-4 parser.

  • Updated the precedence regex for process_name in parser microsoft-defenderep-cef-process-create-success-processcreated.

  • Updated src_host field extraction for parser microsoft-o365-sk4-app-file-operationworkload.

  • Updated event_name, host and dest_host field extractions for Unix logs.

For the complete package release notes, see: 2025.18.1 Content Package Release Notes