New-Scale Security Operations PlatformNew-Scale Content Package Release Notes

Updated service_state field extractions for parsers with event code - 7036 and 7040.

Updated Product for parser microsoft-wdac-str-endpoint-notification-success-3033 from Windows Defender Application Control to Event Viewer - CodeIntegrity

Added new parser for Proofpoint CASB Data Leakage logs.

Added new field 'ioc' for parser infoblox-bddi-json-dns-query-success-response

Added new parser tenable-t-json-endpoint-scan-scaninformation to support for new format Tenable logs.

Updated activity type from endpoint-notification:success to dll-load:fail in parsers microsoft-wdac-xml-endpoint-notification-success-3033 & microsoft-wdac-str-endpoint-notification-success-3033

Updated conditions for parser fireeye-networksecurity-json-http-session-success-http to cater to a broader set of Trellix Network Security (NX) logs.

Updated cisco-ise-str-app-notification-alarm parser condition to support cisco unparsed logs .

Updated product for parser microsoft-wdac-str-endpoint-notification-success-3033 from Windows Defender Application Control to Event Viewer - CodeIntegrity . Additionaly updated the event builders for parser microsoft-wdac-str-endpoint-notification-success-3033 & {{microsoft-wdac-xml-endpoint-notification-success-3033}}to create dll-load:fail events.

Added parser akamai-guardicore-cef-alert-trigger-success-revealincident and updated akamai-guardicore-cef-app-activity-userauth

updated the parser salesforce-sf-json-app-activity-success-loginhistory to match the broader category of Salesforce logs Added new fields as per the new logs. Added new eventbuilders for the parser salesforce-sf-json-app-activity-success-loginhistory

Added new parser for humansecurity logs - humansecurity-botdefender-json-app-activity-botdefender parser .

Updated the parser condition for OOTB parser thoughtspot-ts-json-app-activity-success-type to parse unparsed ThoughtSpot logs properly

Updated file_type, group, action field extractions for parser template: Microsoft-CAS-Event-Category

Updated file_type, group, action field extractions for parser template: Microsoft-CAS-Event-Category

Added new parser for KnowBe4 logs - knowbe4-sat-json-app-activity-success-kmsat.

Updated file_type, group, action field extractions for parser template: Microsoft-CAS-Event-Category

Updated windows parsers to parse out all user values including considering system account.

Added new parser apache-a-str-http-session-apacheaccess to support unparsed apache logs.

Added new parsers - postgresql-p-str-database-activity-context,postgresql-p-str-database-activity-fatal,postgresql-p-str-database-activity-log,postgresql-p-str-database-activity-detail,postgresql-p-str-database-login-fail-password-doesnotmatch and updated parser - postgresql-p-str-database-login-fail-role-doesnt_exist to parse PostgreSQL logs.

Updated parser:f5-asm-cef-alert-trigger-success-cookie conditions to parse broader category of F5 ASM logs Added new fields as per new logs Added a new parser for bot defense logs of F5 ASM

Created parser for Google Agentspace logs

Added new parsers for Ordr SCE.

We re-added two parsers with VendorMatch=True, which had been removed earlier due to conflicts with Barracuda. microsoft-iis-str-http-session-getapi microsoft-iis-str-http-session-postapi

Added new parser for F5 Big-IP TMM logs.

Change subject and activity_type from peripheral_storage to peripheral_device

added new parser 'f5-lbr-str-ssl-error'

Added new parser for GitLab logs - gitlab-gl-json-app-activity-success-entity.

Removed a deprecated template - dl-wazuh-windows-template and updated JSON regexes in template - microsoft-json-events.

updated result field extractions for parser airlock-allowlisting-json-app-activity-success-task

Fixed the regexes which were causing slow regex issue that resulted into large number of unparsed amazon logs.

Added support for JSON regex in parser - microsoft-o365-sk4-app-file-operationworkload. It is now a hybrid parser that supports both plain and JSON regex.

Added method, url, user_agent, src_ip, dest_ip, http_response_code, additional_info, project_id, result and log_name fields for google-gcpca-sk4-app-activity-cloud parser .

Updated src_ip field for vectra-cd-json-alert-trigger-success-detection-1 parser.

Updated instance_profile_arn, alert_id field extractions for parser: amazon-awsguardduty-cef-alert-trigger-success-catsecurity

Updated SequenceExpiryTime to five minutes in VariableMessageMultiEventTracker to merge logs for parser - f5-apm-str-vpn-success-01490005.

Updated user_agent, dest_email_domain, src_ip and tenant_id field extractions for parser - azure-azuread-json-app-activity-useractivitydisplayname

Updated alert_reason, alert_subject, severity field extractions for parser: okta-amfa-mix-app-login-success-securitycontext

Updated rule field extraction for parser - pan-ngfw-json-alert-trigger-success-threat.

Added user_agent field in microsoft-azuredevops-json-app-activity-success-devopsaudit parser.

Added action field extraction for parsers - checkpoint-es-cef-alert-trigger-success-checkpoint and checkpoint-am-cef-alert-trigger-success-checkpointantimalware.

Fixed threat_url, src_mac, connection_id and sensor field issues with vectra-cd-json-alert-trigger-success-detection parser.

Updated the regex for 'Process Name' field for below parsers microsoft-evsecurity-kv-file-permission-modify-4670 microsoft-evsecurity-kv-group-list-membershipenumerated microsoft-evsecurity-kv-group-member-list-4799 Updated 'Process ID' field for the parser microsoft-evsecurity-kv-group-member-list-4799

Fixed event types for parser cisco-mma-json-network-traffic-success-addressingvlans,cisco-netsec-json-network-traffic-success-categorytype

Updated Regex for the 'user' field mapping for below parsers microsoft-evsecurity-kv-process-create-success-created-1 microsoft-evsecurity-kv-endpoint-login-fail-4625-2 microsoft-evsecurity-kv-handle-request-4656-2 microsoft-evsecurity-kv-user-privilege-use-success-4674-1 microsoft-evsecurity-mix-share-access-success-5140-1

Added 'user' field for Auth0 parsers

Updated parser - pan-gp-csv-vpn-login-useridlogin to create only success event.

Updated user & account field extractions for Windows eventID 4740 parsers: microsoft-evsecurity-xml-user-lock-success-4740-1, microsoft-evsecurity-json-user-lock-success-4740

Fixed the regexes which were causing slow regex issue for Amazon parsers.