Content Package 2025.23.1
These release notes contain information about content package 2025.23.1, released on 06 Nov 2025.
Enhancements
Updated dest_email_address regex for parser microsoft-azuread-json-group-member-add-success-aadiam
Added tactic, tactic_key, technique, technique_key and mitre_labels fields for the crowdstrike-falcon-mix-alert-trigger-success-detection parser.
Recommended using the default field 'user' instead of the custom field 'c_username'.
Updated field extraction regex for web_domain in parser f5-asm-cef-alert-trigger-success-http
Added a new parser for Microsoft Azure Monitor logs: microsoft-azuremon-json-endpoint-activity-success-advancedhuntingcloudauditevents. Updated event builder conditions for parser microsoft-azure-json-file-success-2. Updated the conditions of microsoft-365defender-json-endpoint-activity-success-publish-identityinfo to parse a broader category of Microsoft Defender logs.
Created new parser microsoft-evkdc-xml-kerberos-key-distribution-center for Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational logs
Fixed the condition of parser microsoft-evntlm-xml-endpoint-login-success-8002.
Added an additional _info field to parser veeam-v-json-app-activity-success-eventid.
Added new parsers unix-unix-str-app-activity-docker and unix-unix-str-app-activity-vault.
Updated bytes, hash_sha1 and hash_sha256 field extractions for parser microsoft-o365-sk4-app-file-workload. Updated the event builder microsoft-365-app-activity-success-2 so that it no longer creates app-activity events for the FileDownloadedFromBrowser operation.
Added extraction of the src_ip, thread_id, error_code, event_category, event_subtype, role, db_name, db_query, user/db_user and event_time fields for parser microsoft-azuremon-json-app-activity-operationname.
Updated the condition of parser f5-bigip-kv-configuration-modify-audit. Added new parsers f5-bigip-kv-app-notification-success-audit and f5-bigip-kv-app-authentication-success-audit.
Added a new parser for Cisco router syslogs: cisco-ios-str-network-notification-success-cryptotunnel.
Updated the JSON path for parser atlassian-atlassian-json-app-activity-success to match the new log format.
Updated Platform name from Linux to Unix in all UNIX parsers.
Updated dest_host, dest_ip and user field extractions for the crowdstrike-falcon-cef-file-write-success-critialfilemodified parser.
Updated web_domain field extractions for parsers: zscaler-ia-cef-http-session-spriv, zscaler-ia-cef-alert-trigger-success-zscalernssweblogdlpdictionaries
Updated policy_name, user_id, group_id, user_info and key_name field extractions for parser vormetric-v-kv-file-read-success-code.
Created new parser atlassian-guard-json-alert-trigger-success for Atlassian Guard Security Alerts
Added new parser for Mimecast Secure Email Gateway logs: mimecast-seg-json-email-eventtype
Added new parser for Check Point Avanan logs: checkpoint-avanan-json-email-entitypayload
Added new parser forcepoint-dlp-cef-alert-trigger-success-dlpsyslog-1 for vendor Forcepoint.
Added new parser cyera-omnidlp-json-alert-trigger-success-dlpalert
Updated process_name, process_path and process_dir fields for the microsoft-defenderep-cef-process-create-success-processcreated parser.
Count of CRB Templates newly developed: 4

Template Name: System Language Discovery Commands
Description: Detects use of commands used to gather information about the system language of a victim to potentially infer the geographical location of that host.

Template Name: Log Enumeration Commands
Description: Detects the use of commands used to enumerate system and service logs.

Template Name: Password Policy Discovery Commands
Description: Detects use of commands used to access information about password policies.

Template Name: Fsutil Peripheral Device Discovery Command
Description: Detects use of the fsutil command to enumerate drives, which may indicate reconnaissance or preparation for data exfiltration.

Count of CRB Templates removed: 0
Count of CRB Templates modified: 0
Total CRB Templates to be Released: 225
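The four new CRB templates above describe command-based discovery detections. As an added illustration (this is not the vendor's CRB template logic, which the release notes do not publish), the Python below runs regex-based versions of the same four detections over a few constructed key=value process-creation log lines. The command patterns, the log format, the field names and the ATT&CK technique IDs are assumptions made for the example.

```python
"""Regex detections for the four CRB template themes described above.

Added example: this is NOT the vendor's CRB template logic (which the release
notes do not publish). Command patterns, the key=value log format, field
names and ATT&CK technique IDs are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Detection:
    name: str            # CRB template name from the release notes
    technique: str       # ATT&CK technique ID (assumed mapping)
    pattern: re.Pattern  # matched against process_command_line


DETECTIONS = [
    # System Language Discovery: chcp, the Nls\Language registry key, locale cmdlets
    Detection("System Language Discovery Commands", "T1614.001",
              re.compile(r'(?i)(?:^|[\s"\'\\])(?:chcp(?:\.com)?\b'
                         r'|reg(?:\.exe)?\s+query\s+\S*\\Nls\\Language'
                         r'|Get-WinSystemLocale\b|Get-Culture\b)')),
    # Log Enumeration: wevtutil enumerate/query, Get-WinEvent / Get-EventLog
    Detection("Log Enumeration Commands", "T1654",
              re.compile(r'(?i)(?:wevtutil(?:\.exe)?\s+(?:el|enum-logs|qe|query-events)\b'
                         r'|Get-(?:WinEvent|EventLog)\b)')),
    # Password Policy Discovery: net accounts, AD password policy cmdlet, chage -l
    Detection("Password Policy Discovery Commands", "T1201",
              re.compile(r'(?i)(?:\bnet1?(?:\.exe)?\s+accounts\b'
                         r'|Get-ADDefaultDomainPasswordPolicy\b|\bchage\s+-l\b)')),
    # Fsutil Peripheral Device Discovery: fsutil fsinfo drives
    Detection("Fsutil Peripheral Device Discovery Command", "T1120",
              re.compile(r'(?i)fsutil(?:\.exe)?\s+fsinfo\s+drives\b')),
]

# key=value tokens; quoted values may contain spaces and backslash escapes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (constructed format)."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def detect(line: str) -> List[Tuple[str, str]]:
    """Return (template name, technique) for every detection the line triggers."""
    cmd = parse_kv(line).get("process_command_line", "")
    return [(d.name, d.technique) for d in DETECTIONS if d.pattern.search(cmd)]


def run(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> detections; lines that trigger nothing are omitted."""
    results = {}
    for i, line in enumerate(lines):
        hits = detect(line)
        if hits:
            results[i] = hits
    return results


# Constructed process-creation events (not real telemetry).
SAMPLE_LOGS = [
    r'host=WS01 user=alice process_name=cmd.exe process_command_line="cmd.exe /c chcp"',
    r'host=WS01 user=alice process_name=reg.exe process_command_line="reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"',
    r'host=WS01 user=alice process_name=wevtutil.exe process_command_line="wevtutil el"',
    r'host=WS01 user=alice process_name=powershell.exe process_command_line="powershell -c Get-EventLog -LogName Security -Newest 5"',
    r'host=WS01 user=alice process_name=net.exe process_command_line="net accounts /domain"',
    r'host=WS01 user=alice process_name=fsutil.exe process_command_line="fsutil fsinfo drives"',
    r'host=WS01 user=alice process_name=notepad.exe process_command_line="notepad.exe C:\Users\alice\notes.txt"',
    r'host=srv01 user=alice process_name=chage process_command_line="chage -l alice"',
]

if __name__ == "__main__":
    for idx, hits in run(SAMPLE_LOGS).items():
        print(idx, hits)
```

The patterns anchor on the command token (with optional `.exe`/`.com` suffix) rather than on a bare substring, so `notes.txt` does not trigger the `net accounts` rule and `chage -l` is only flagged with its argument form; in a production template the same patterns would be applied to the parser's process_command_line field rather than to a hand-rolled key=value parser.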
Added new parsers for the Canon product: canon-iradv-csv-endpoint-activity-8193-catchall, canon-iradv-csv-endpoint-login-4098-catchall and canon-iradv-csv-printer-activity-1001-catchall.
Removed DupFields from the f5vpn, mcafee, digitalguardian, fireeye, imperva, secureauth, kiteworks, ping, sonicwall and vmware parsers and added the applicable regexes to the respective parsers.
Removed DupFields from the Windows parsers and added the applicable regexes in their place. Additionally, support for the following non-CIM fields has been removed because equivalent CIM fields are already available: ms_protocol_num -> protocol
Addressed Issues
Fixed the host regex of parsers cisco-asa-str-app-notification-success-sfpwarning, cisco-c-mix-ssh-traffic-success-loginsuccess, cisco-asa-str-app-notification-success-sys and apache-tomcat-str-app-notification-tomcatcatalina.
Updated result, attachment, file_ext and dkim_result field extractions for parser proofpoint-tappod-leef-email-resolvestatus.
Added the dest_ip, proxy_ip, src_mac, dest_mac and dest_port fields to parser fireeye-networksecurity-json-alert-trigger-success-alert.
Updated the product of the cisco-duo-json-endpoint-authentication-result-1 parser and extracted src_ip from auth_device.
Updated src_host, dst_host, domain, user, src_ip and object_id field extractions for parser: zeronetworks-zeronetworks-json-app-activity-success-auditlogevent
Added all regexes for the pan-csv-threat template so that incorrect fields are no longer parsed.
Added configuration-delete:fail event builder for parser 'azure-azuread-json-app-activity-useractivitydisplayname'
Fixed the email_address regex of parsers auth0-a-json-app-login-success-s, auth0-a-json-endpoint-login-fail-fp and auth0-a-json-user-password-modify-success-changepassword.
Updated the regex for the user and domain fields for parser microsoft-nps-csv-endpoint-authentication-success-wirelessconnection.
Updated parser name from pan-ngfw-mix-alert-trigger-success-threadvulnerability to pan-ngfw-mix-alert-trigger-success-threatvulnerability.
Updated action, src_ip, db_user, db_name and app regexes for the postgresql-p-csv-database-login-success-authentication parser.
Added event_code field for microsoft-evsecurity-xml-group-create-success-4727-1 parser.
Updated dest_email_address field extractions for parser template microsoft-azuread-json-events
Updated process_command_line field extractions for parser microsoft-defenderep-cef-process-create-success-processcreated
Updated the parser servicenow-s-cef-file-syscreated
Updated external_id field parsing for parser: microsoft-o365-mix-file-success-workload
Updated db_name regexes in parser: microsoft-mssql-xml-database-login-qualifiers and microsoft-mssql-xml-database-login-success-33205.
Added a regex to parse the session 'Start Time' and map it to the start_time CIM field. Parsers: pan-ngfw-csv-network-traffic-success-end, pan-ngfw-csv-network-traffic-fail-drop, pan-ngfw-csv-network-traffic-fail-tcp, pan-ngfw-csv-network-traffic-fail-panorama
Added the user field to the s-okta-app-login template and to parsers okta-amfa-cef-app-login-success-userauthverify, okta-amfa-json-app-login-fail-userlogintookta and okta-amfa-mix-app-login-success-securitycontext.
Updated the user field for the following parsers: microsoft-evsecurity-xml-user-lock-success-4740-1, microsoft-evsecurity-xml-user-lock-success-4740, microsoft-evsecurity-json-user-lock-success-4740, microsoft-evsecurity-json-user-lock-success-4740-3, microsoft-windows-json-user-lock-success-4740-2, microsoft-evsecurity-mix-user-lock-success-4740 and microsoft-evsecurity-kv-user-lock-success-4740-2.
Removed DupField host->src_host from microsoft-defenderep-cef-network-session-devicenetworkevents as well as from the template.
Updated user, user_id, email_address field extractions for Auth0 logs.
Added an enricher to filter LFODownloadConfirmation.
Click the following link for the complete package release notes: 2025.23.1 Content Package Release Notes