New-Scale Security Operations PlatformNew-Scale Content Package Release Notes

Added JoinTime , LeaveTime and MeetingDetailID fields for microsoft-o365-sk4-app-file-workload parser .

Updated email_address & email_domain field extractions for zscaler logs.

Added new parsers and event builders for Check Point Security Gateway logs.

Removed DupFields and added applicable regexes in parsers instead for those DupFields. Additionally we have removed the support for below Non CIM fields as we already have equivalent CIM fields available source_resource -> src_resource source_resource_type -> src_resource_type action_type -> result_code / operation username -> full_name conn_status -> connection_status suspicious_content ->risk_level

Removed DupFields and added applicable regexes in parsers instead for those DupFields. Additionally we have removed the support for below Non CIM fields as we already have equivalent CIM fields available compression_alg -> compression_algotithm directory -> process_dir identity -> identities process_path_directory -> process_dir source_resource -> src_resource source_resource_type -> src_resource_type trans_id -> transaction_id

Updated src_host field extractions for parser: amazon-awscloudtrail-json-app-activity-awsapicall

Added new parser for ServiceNow logs - servicenow-s-json-app-activity-success-install_status.

Added new parser hp-arubaos-str-ssh-start-session

Added new parser cisco-ise-kv-radius-authentication-fail-error ', cisco-ise-kv-radius-traffic-fail-OpenSSLError ', cisco-ise-kv-radius-traffic-catchall '

Created parser for 1password audit events

Added new parsers sophos-xgsfirewall-kv-vpn-authentication-success-sslvpnauthentication, sophos-xgsfirewall-kv-vpn-logout-success-sslvpnauthentication, sophos-xgsfirewall-kv-app-authentication-success-adssoauthentication, sophos-xgsfirewall-kv-app-authentication-success-vpnportalauthentication, sophos-xgsfirewall-kv-app-login-success-webadminconsole, sophos-xgsfirewall-kv-app-login-success-cliadminconsole

Fixed regex for action field into parser postgresql-p-csv-database-login-success-authentication

Created parser for Microsoft ADFS logs.

Added IIS parser in default content

Added new parsers for Carbon Black EDR logs. Updated process_command_line, parent_process_command_line for Carbon Black parsers. Updated vmware-carbonblackedr-sk4-dll-load-actionloadmodule, vmware-carbonblackedr-json-endpoint-activity-success-epapicall, vmware-carbonblack-json-network-traffic-success-ngav, vmware-carbonblackceedr-json-process-create-success-fileless conditions to parse broader category of Carbon Black CES and Carbon Black EDR logs.

Added new parser unix-unix-str-app-authentication-samlauthentication, unix-unix-str-app-notification-success-consul, unix-unix-str-app-notification-success-dkimsignatureadded, unix-unix-str-app-notification-success-nomad, postfix-postfix-str-email-send-fail-deliveryfailure, postfix-postfix-str-email-send-fail-statusdeferred, postfix-postfix-str-smtp-close-connectionfail

Updated domain and user field extractions for Microsoft logs. Added new enricher: Invalid Domain

Updated group_name, task_id, item_name, event_name, dest_user, activity_details and additional_info field extractions for parser: servicenow-s-json-http-session-success-transcation

Added new parsers and event builders for Int64 Software & OVERLAPS logs

Enhanced the process_command_line extraction for parsers microsoft-defenderep-cef-process-create-success-processcreated , microsoft-defenderep-sk4-process-create-success-processcreated & microsoft-windows-cef-process-create-success-process by prioritizing InitiatingProcessCommandLine over ProcessCommandLine in parsers These fixes might impact NSA and AA detection rules which are dependent on process_command_line and command_line respectively

Added group_type and group_name fields for microsoft-azure-json-app-activity-addgroup and microsoft-azure-json-app-activity-groupmanagement parser.

Updated the microsoft-evsecurity-json-service-create-success-4697 parser conditions to support a slightly modified raw log format.

Updated role field extractions for parser - azure-azuread-json-app-activity-useractivitydisplayname

Added various fields into parser fortinet-fortigate-kv-app-activity-system

Updated parser precedence of microsoft-azuremon-sk4-app-activity-loganalyticsomsworkspace to fix the Barracuda parsers incorrectly picking up Azure logs issue.

Updated event builder conditions for parser: google-cloudplatform-json-app-activity-success-googleapismethodname.

Added field extraction for summary field for the parser pagerduty-pagerduty-json-app-activity-success-audit

Updated email_address field extraction for parser - netskope-sc-sk4-alert-trigger-success-malwaretype.

Updated dest_mac, src_mac, and nas_ip_address field extractions for parser - cisco-ise-kv-endpoint-authentication-fail-warn.

Added group_name field for microsoft-evsecurity-xml-group-member-add-success-4728 parser.

Updated group_name, provider_name, process_guid, task_name, opcode, result, event_id, and channel field extractions for parser - microsoft-evsecurity-xml-group-member-remove-success-4729.

Updated group_name, provider_name, process_guid, task_name, opcode, result, event_id, and channel field extractions for parser - microsoft-evsecurity-xml-group-member-remove-success-securitydisabled.

Added field extraction for action, src_ip, role, operation fields for the parser microsoft-azuremon-json-endpoint-activity-success-catchall

Updated operation field for microsoft-o365-json-app-activity-success-operation parser.

Updated priority and alert_severity field extractions for parsers - symantec-endpointprotection-kv-app-notification-eventdescription and symantec-endpointprotection-kv-alert-trigger-success-symanteceprisk.

Updated EventBuilder condition for sentinelone-singularityp-json-alert-trigger-success-url-1 parser.

Updated email_address field extractions for parser - microsoft-o365-cef-app-login-fail-userloginfailed.