Content Package 2025.25.1
These release notes contain information about content package 2025.25.1, released on 04 Dec 2025.
Enhancements
Increased the sequenceExpiryTime for Gemini Enterprise event builders.
Fixed the conditions of parsers checkpoint-ia-kv-endpoint-login-success-iaevents and checkpoint-ia-kv-vpn-logout-success-logout.
Added new parser radware-waf-json-alert-trigger-security-eaaf for Radware WAF.
Updated result_reason regex for google-geminient-json-ai_agent-request-modelarmor parser.
Updated wiz-w-json-alert-trigger-success-virtualmachine conditions to parse broader category of Wiz logs.
Created new parser jamf-jamfpro-json-security-alerts-jamfprotect for JAMF alert logs.
Updated url and web_domain field extractions for microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule parser.
Updated event builder platform to Cisco Network Security for EB - dl-cisco-network-app-notification-success.
Added a new parser informatica-infocloud-json-app-activity-success-auditlogentry for Informatica Cloud.
Added new regex to parse src_host from targetusername in parser microsoft-evsecurity-xml-endpoint-login-success-4624-1
Added new parsers canon-iradv-csv-endpoint-activity-3001-catchall, canon-iradv-csv-endpoint-activity-8198-catchall & canon-iradv-csv-endpoint-activity-8200-catchall for vendor Canon
Added new parser workday-wd-json-app-authentication-activesession for vendor Workday
Removed account field extractions for parser - microsoft-defenderep-cef-endpoint-login-network
Added new parser fortinet-fortiweb-cef-alert-trigger-success-attack to support unparsed logs.
Updated dest_ip field extraction for parser - crowdstrike-falcon-mix-dns-request-success-dnsrequest.
Updated enricher conditions
Added host, session_id, db_user, result, server_name, db_query, action, response and src_ip fields for microsoft-azuremon-sk4-app-activity-loganalyticsomsworkspace parser.
Added new parser to support unparsed logs. Parser name: infoblox-bddi-json-alert-trigger-success-alert.
Adjusted the event builder conditions for the parsers with the Windows EventIds 4779,4720,4724,4768,4663,4769,4743,4740,4722,4672,4674,5145,5142,5144,5143,4673,4742,4726,4624,4625,4778,4776,4657,1102,6272,8004,6273,6278,1009,1149,2000,4780,4654,4981,1200,1202,1203,1201,4957,8002,8001,4738,4105,1000,1530,1030,4653,2887,4658,5379,4655,5447,5152,5061,1001,4100
Addressed Issues
Added new parser for Gmail BigQuery collector logs and added JSON field extractions for parser - google-workspace-cef-email-receive.
Updated host field extraction for parser - pan-ngfw-csv-alert-trigger-success-file.
Updated wiz-w-json-alert-trigger-success-virtualmachine parser to include additional fields for parsing Wiz threat and detection logs
Updated the auth0 parsers to extract user/email_address values only from user_name and removed the regexes extracting user/email from user_id
Added user_id field for auth0-a-json-endpoint-login-fail-fp parser
Updated url field extractions for parsers - microsoft-o365-cef-app-file-success-fileupload, microsoft-o365-cef-app-file-success-filemodified, microsoft-o365-cef-app-file-success-filesyncuploadedfull, microsoft-o365-sk4-file-delete-success-filedeleted, microsoft-o365-cef-app-file-success-filedeleted, microsoft-o365-cef-app-file-success-filerenamed, microsoft-o365-cef-app-file-success-filemoved.
Parsed user as ZPA System User in parser zscaler-pa-json-app-activity-success-update.
Fixed src/dest IP in parser extrahop-revealx-json-dns-request-success-dnsquery
Updated user regex for parser - cisco-asa-kv-vpn-login-fail-113005.
Updated the product value to 'Event Viewer Security' for the Windows Event ID 4735 parsers. Parsers: microsoft-evsecurity-xml-group-modify-success-4735-2 and microsoft-evsecurity-kv-group-modify-success-4735
Updated process_name, process_dir and process_path regex for microsoft-evsecurity-xml-group-memberlist-4799-1 and microsoft-evsecurity-xml-group-list-4798-1 parsers.
Updated email_address extraction for parser auth0-a-json-app-login-success-s.
Updated time, host, host_ip field extractions for parser: unix-unix-str-endpoint-activity-sshd
Updated src_ip, dest_ip, protocol, direction, action, result_code, packets_out, bytes_out, packets_in, bytes_in fields extraction for parser: microsoft-networkwatcher-json-network-traffic-flowlogevent
Updated exists condition in the enricher.
Added new regex to parse src_host from targetusername in parser microsoft-evsecurity-xml-endpoint-login-success-4624-1
Updated TimeFormat for parsing 7 fractional-second digits in parser - microsoft-evsecurity-xml-user-password-read-success-5382.
Updated product of cisco-duo-json-endpoint-authentication-result-1 parser and parsed src_ip.
Click the following link for the complete package release notes: 2025.25.1 Content Package Release Notes