Content Package 2025.20.1
These release notes contain information about content package 2025.20.1, released on 25 Sep 2025.
Enhancements
Added new parser juniper-srx-kv-network-traffic-success-udpflood for Juniper SRX traffic logs.
Added new subject and activity type: ai_agent and ai_agent-request:success.
Created parser for Check Point Identity Collector VPN logout event logs.
Added new parser f5-dc-json-app-activity-success-apiaudit.
Updated parser proofpoint-casb-json-alert-trigger-success-severity.
Added new parser vectra-cd-json-app-activity-success-accountscoring.
Created parser for AutomatedLeadSummaryEvent of CrowdStrike Falcon.
Updated the EventBuilder conditions for the microsoft-evsecurity-kv-file-fileoperation, microsoft-evsecurity-mix-user-privilege-assign-success-4672 and microsoft-evsecurity-mix-user-privilege-use-success-4674 parsers so that they generate events.
Updated field extractions for user, dest_host and full_name for parser microsoft-evsecurity-xml-registry-create-success-4657.
Updated the definition of the 'state' field so that it is used only in a geographical context; for other uses it has been replaced with status_msg or service_state.
Added a new event_type and added the user, syscall_name, syscall_number, process_command_line and system_architecture fields for the unix-ad-kv-process-create-fail-syscall and unix-unix-kv-process-create-success-exe parsers.
Deprecated the following unused legacy parsers: netskope-sc-json-app-login-success-loginsuccess, netskope-sc-json-alert-trigger-success-compromised, netskope-sc-sk4-app-login-success-page, netskope-sc-sk4-app-logout-success-logout, netskope-sc-sk4-app-notification-success-auditevent, microsoft-defendercloud-sk4-alert-trigger-success-simulateda, mcafee-wg-leef-http-session-webgateway and netskope-sc-json-app-activity-success-propertyupdated.
Added new parsers for Check Point Avanan.
Updated process_name and process_id extractions for Unix.
Updated the regex of 'additional_info' field.
Created parser for SailPoint Tomcat logs.
Developed new NSA enricher for login_type and login_type_text.
Added enricher for the login_type and login_type_text fields.
Updated bytes_in and bytes_out extractions for the google, fortinet, suricata, cisco, mcafee and microsoft-azure parsers.
Addressed Issues
Updated dest_user field extractions for parser microsoft-evsecurity-mix-user-enable-success-4722.
Updated dns_query field for infoblox-bddi-cef-alert-trigger-success-alert parser.
Updated file_path, file_name and file_ext field extractions for parser zeek-z-json-file-success-sbmfiles.
Added mapping for the Logon Type field.
Added event_code field for parser crowdstrike-falcon-sk4-endpoint-login-userloginfail.
Updated device_name field extractions for parser okta-amfa-mix-app-login-success-securitycontext.
Updated old_user_name, new_user_name, dest_domain, dest_user_sid, user_sid, user, domain, login_id and privileges field extractions for parser microsoft-evsecurity-xml-user-name-modify-4781-1.
Updated aip, src_ip and host field extractions for CrowdStrike logs.
Updated EventBuilder condition for sentinelone-singularityp-json-alert-trigger-success-url-1 parser.
Updated user and full_name field extractions in parser - gitlab-gl-json-app-activity-success-entity.
Fixed slow regexes issue for parser - microsoft-azuread-json-group-member-add-success-aadiam, microsoft-azure-cef-group-member-remove-success-removefromgroup, microsoft-azuread-json-group-member-remove-success-groupmemberremoved.
Added new parser for Check Point NGFW logs - checkpoint-ngfw-kv-network-traffic-success-checkpoint.
Updated regex for dns_query, dns_query_type, src_ip, src_host and src_port for Unix Named. Updated event builder conditions for Unix Named.
Updated regex for host field extraction in parser - microsoft-defenderep-json-alert-trigger-success-category.
Updated the field name from audispd_type (Non-CIM field) to event_name (CIM field) in parser - unix-unix-kv-endpoint-login-userstart.
Updated process_guid, user_sid, parent_process_id and additional_info extractions for parser microsoft-sysmon-json-process-create-success-processcreate.
Updated process-related field extractions to filter out the '-' value for parser microsoft-sysmon-xml-process-create-success-processcreate.
Updated action and category field extractions for parser netskope-sc-json-alert-trigger-success-alertname.
Updated parser zscaler-ia-csv-network-traffic-success-zscalerclientconnector.
Added field extractions for the 'user' and 'domain' fields for parser microsoft-evdirservice-xml-app-notification-success-directoryservice.
Updated regex for src_ip and src_host for parser unix-auditd-kv-user-switch-success-userrolechange. Updated event builder conditions for parser unix-auditd-kv-user-switch-success-userrolechange.
Updated parser microsoft-evsecurity-kv-endpoint-login-success-successfullyloggedon.
Updated regex for dest_email_address for parsers proofpoint-tappod-json-email-send-receive-sendmailto and proofpoint-tappod-json-email-send-receive-sendmailfrom.
Fixed condition for feature IDs Prof-GA-Country-O-SCountry, Prof-GA-Country-U-SCountry, Prof-GA-Country-DZ-SCountry and Prof-GA-Country-SZ-DCountry.
Added file_dir, file_name, file_ext and process_command_line fields for parser crowdstrike-falcon-sk4-alert-trigger-firewallmatchevent.
Fixed the mac_address regex in parser unix-unix-str-dhcp-session-success-appliedadd.
Updated email_address and user field extractions for parser microsoft-o365-cef-app-login-fail-userloginfailed.
Updated the CrowdStrike Falcon and Microsoft parsers to correctly extract the host field. Parsers: crowdstrike-falcon-mix-alert-trigger-success-detection, crowdstrike-falcon-json-alert-trigger-success-identityprotection and microsoft-o365-sk4-app-file-workload.
Updated regex for email_address field extraction in parser - zeek-z-json-email-send-receive-rcptto.
Updated the regex for host and dest_host for parser linux-dhcp-str-dhcp-session-success-dhcprequest.
Added mapping for the hostname and dsthost fields for parser netskope-sc-json-network-session-success-typenetwork.
Added dest_user_sid, dest_domain and user fields for the microsoft-evsecurity-xml-endpoint-login-success-4624-1 and microsoft-evsecurity-kv-endpoint-login-success-successfullyloggedon parsers.
Updated the parser 'sentinelone-singularityp-kv-app-activity-success-malware'.
Added serial_num regex in parsers - okta-amfa-mix-app-login-success-securitycontext and okta-amfa-json-app-login-success-evaluatesignon-1.
Updated parser 'mimecast-seg-cef-email-url v1.0.0'.
Updated the rule Fact-PCgup-AF ('title': 'The Notepad++ updater was executed from an unknown path') expression to exclude false positives related to standard Notepad++ software updates.
Updated SentinelOne Singularity Platform parser to parse src.process.parent as grandparent_process*, src.process as parent_process*, and tgt.process as process for script/process-related event types.
Click the following link for the complete package release notes: 2025.20.1 Content Package Release Notes