Content Package 2025.24.1
These release notes contain information about content package 2025.24.1, released on 20 Nov 2025.
Enhancements
Added new parsers to parse previously unparsed logs: skyhighsecurity-ssc-cef-alert-trigger-success-alertdata and skyhighsecurity-ssc-cef-app-activity-success-auditeventtype.
Created new parser unix-unix-str-endpoint-notification-success-snoopy for Snoopy logs.
Updated the enricher to handle usernames that contain IP addresses.
Reversed the source and destination IP for parser crowdstrike-falcon-mix-endpoint-login-success-userlogon
Updated field extractions for parser: tanium-ep-json-alert-trigger-success-accountenumeration
Updated dest_ip and dest_port field extractions for parser: fortinet-vpn-cef-vpn-logout-success-connection.
Updated profile field extractions for parser: fortinet-utm-kv-http-session-webfilter.
Updated src_translated_ip, src_host_type, src_mac and dest_mac field extractions for parser: fortinet-firewall-kv-network-traffic-notice.
Updated src_role, dest_role, src_interface, dest_interface, severity, direction and policy_id field extractions for parser: fortinet-utm-kv-http-session-appctrl.
Updated additional_info, web_domain, src_role and dest_role field extractions for parser: fortinet-fortigate-kv-network-traffic-logid.
Updated lenel-og-kv-physical-location-access-accessgranted-1 conditions to parse a broader category of Lenel OnGuard logs.
Created two new JSON parsers to process Infoblox BloxOne DDI logs, covering both application login (iam.login_succeeded) and DHCP traffic (lease) events. Parsers: infoblox-bddi-json-app-login-success-iamloginsucceeded and infoblox-bddi-json-dhcp-traffic-success-lease.
Added new parsers for Infoblox DNS logs.
Added new parser snowflake-s-csv-app-login-loginhistory for the vendor Snowflake.
Updated pan-cortex-json-alert-trigger-success-xdr conditions to parse a broader category of Palo Alto Networks logs. Also updated src_ip, dest_ip, email_address and email_domain field extractions for the same parser.
Updated the event builder (EB) for parser amazon-awscloudtrail-json-aws-login-consolelogin.
Added new parsers checkpoint-ia-kv-endpoint-login-success-iaevents and checkpoint-ia-kv-vpn-logout-success-logout for the product Check Point Identity Awareness.
Created new parser unix-unix-str-file-write-success-audit to parse previously unparsed logs.
Updated src_ip, src_host, dest_ip and dest_host field extractions for parser crowdstrike-falcon-json-process-create-success-processrollup.
Moved the extraction of the following fields from template level to parser level for Windows parsers: 'user', 'src_user', 'dest_user', 'src_ip', 'src_host', 'dest_ip', 'dest_host', 'email_address', 'dest_email_address', 'host', 'domain', 'src_domain', 'dest_domain', 'account', 'account_domain', 'db_user', 'db_name'.
Added new parsers for Microsoft Azure Monitor logs: microsoft-azuremon-json-endpoint-activity-success-advancedhuntingcloudauditevents and microsoft-azuremon-json-endpoint-activity-success-advancedhuntingcloudstorageaggregatedevents. Updated event builder conditions for parser: microsoft-azure-json-file-success-2. Updated microsoft-365defender-json-endpoint-activity-success-publish-identityinfo conditions to parse a broader category of Microsoft Defender logs.
Fixed the dest_user and dest_email_address regexes and added a new event builder for okta-amfa-mix-app-login-success-securitycontext to create group-related activities.
Updated the regexes for the initiatedBy and TargetResources fields for parser microsoft-azure-json-app-activity-updateuser, and updated the regexes for the same fields for template ms-azure-eventhubs-activity.
Added parser for new vendor AIM Security AI Security platform.
Updated parser conditions for f5-bigip-kv-configuration-modify-audit.
Updated enrichers: CrowdStrike Source Host Lookup for OUTBOUND Network Connection and CrowdStrike Destination Host Lookup for INBOUND Network Connection. Added new enricher: CrowdStrike Asset ID to Destination Host Lookup.
Added parsing support for the Gemini Enterprise logs
Removed DupFields from the parsers in the parsers_unix, parsers_default and parsers_default_weak .conf files and added the applicable regexes to the respective parsers.
Addressed Issues
Updated target field extraction for parser - microsoft-o365-cef-app-file-success-removememberfromgroup.
Updated cyberark-pam-cef-user-switch-success-pwdretrieve parser regex to correctly parse email-format user values.
Created new parser oracle-oci-json-app-activity-auditlogevent for OCI audit logs
Reversed the source and destination IP for parser crowdstrike-falcon-sk4-endpoint-login-userloginfail.
Updated parser 'cisco-ise-kv-endpoint-authentication-accounting' to extract 'src_ip' from the vendor field 'Framed-IP-Address'.
Updated process_name, process_path and process_dir fields for parser microsoft-evsecurity-xml-group-member-list-4799-1.
Added the firewall field extraction for the Palo Alto parser templates json-pan-system and paloalto-vpn, and for parsers pan-gp-csv-vpn-login-success-login-1, pan-ngfw-json-alert-trigger-success-spyware and pan-gp-csv-vpn-login-useridlogin.
Updated the alert_severity and priority field extractions for parsers symantec-endpointprotection-kv-alert-trigger-success-scanningyourcomputer and symantec-endpointprotection-kv-alert-trigger-success-denialofservice.
Updated mailfrom field extraction for parser: proofpoint-tappod-json-email-send-receive-rcpts
Added configuration-delete:fail event builder for parser 'azure-azuread-json-app-activity-useractivitydisplayname'
Updated the event builder (EB) for parser 'pan-ngfw-mix-alert-trigger-success-threatvulnerability'.
Added new parsers to parse previously unparsed logs: skyhighsecurity-ssc-csv-http-session-observed and skyhighsecurity-ssc-csv-http-session-observed-1.
Click the following link for the complete package release notes: 2025.24.1 Content Package Release Notes