
New-Scale Security Operations Platform: New-Scale Content Package Release Notes

Content Package 2025.26.1

These release notes contain information about content package 2025.26.1, released on 18 Dec 2025.

Enhancements

  • Parse email and appID from principalSubject and resourceName, respectively

  • Created new parser checkpoint-tp-kv-alert-trigger-success-actionprevent for logs with action 'Prevent'. Adjusted the conditions of parser checkpoint-ngfw-kv-app-activity-newantivirus to match a broader category of logs and enhanced its field mapping.

  • New Palo Alto parsers added for System & Config logs.

  • Created new parsers for JSON-format BeyondTrust logs with type: process and type: User Logon: beyondtrust-b-json-process-create-success-ecs, beyondtrust-b-json-user-logon-success-ecs

  • Updated activity_type from http-session to http-request for the following parsers: pan-ngfw-leef-http-session-threat, pan-ngfw-csv-http-session-9999, pan-ngfw-csv-http-session-webbrowsing, pan-ngfw-csv-network-traffic-success-connection, pan-ngfw-cef-http-session-url, pan-ngfw-json-http-session-webbrowsing, pan-ngfw-json-alert-trigger-success-threat, pan-ngfw-cef-http-session-url-1, pan-prismaaccess-leef-http-session-threat

  • Added new parsers for Ermes Browser Security Platform logs: ermes-ebsp-json-alert-trigger-success-blockedrequests, ermes-ebsp-json-alert-trigger-success-extensionsthreat, ermes-ebsp-json-app-login-success-detectedtracebusinessaccountlogin, ermes-ebsp-json-app-success-dashboardauth, ermes-ebsp-json-app-activity-success-dashboardaudit

Addressed Issues

  • Added src_port field extraction for parser: microsoft-evsecurity-xml-endpoint-login-4768.

  • Updated dest_email_address field extraction for parser: mimecast-seg-cef-email-url. Updated email_address, email_domain, src_ip, service_name field extraction for parser: mimecast-seg-cef-app-login-success-audittype. Updated email_address, email_domain, src_ip, failure_reason, app field extraction for parser: mimecast-seg-cef-app-login-fail-logonauthfailed. Updated dest_email_address field extraction for parser: mimecast-seg-json-email-eventtype.

  • Updated time, protocol, method, web_domain, dest_port, uri_path, http_response_code, bytes, policy_id, protocol field extractions for parser: akamai-siem-json-http-session-httpmessage.

  • Corrected TimeFormats for the following parsers: microsoft-evpowershell-xml-network-listen-53504, microsoft-evpowershell-xml-script-execute-success-4104, microsoft-evpowershell-xml-endpoint-notification-40962.

  • Updated dest_ip and dest_host field extractions for parser: trendmicro-officescan-kv-alert-trigger-success-deepsecuritymanager.

  • Count of Beam Features Modified: 1

      #: 1
      Feature ID: NumDCP-PCHEnum-TC-U-HEnum
      Field Modified: _beam_feature.query
      Old Value: (source_user_entity_id = '${trigger.scope_value}') AND (activity_type = 'process-create') AND (process_name IN 'System Enumeration Processes') OR (process_name= 'net.exe' AND (process_command_line = (WLDi(' config '), WLDi(' share '), WLDi(' start '), WLDi(' time '), WLDi(' use '), WLDi(' view ')))) OR (process_name= 'powershell.exe' AND (process_command_line = WLDi(' adrecon.ps1 '))) AND NOT (product = 'NG Analytics' AND activity_type = 'rule-trigger' AND vendor = 'Exabeam')
      New Value: (source_user_entity_id = '${trigger.scope_value}') AND (activity_type = 'process-create') AND ((process_name IN 'System Enumeration Processes') OR (process_name= 'net.exe' AND (process_command_line = (WLDi(' config '), WLDi(' share '), WLDi(' start '), WLDi(' time '), WLDi(' use '), WLDi(' view ')))) OR (process_name= ('powershell.exe','pwsh.exe') AND (process_command_line = WLDi(' adrecon.ps1 ')))) AND NOT (product = 'NG Analytics' AND activity_type = 'rule-trigger' AND vendor = 'Exabeam')

  • Updated src_ip field extraction for parser: postgresql-p-str-database-query-success-logaudit

  • Updated user, domain regex of parser microsoft-evsecurity-xml-process-close-4689
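The old and new _beam_feature.query values for NumDCP-PCHEnum-TC-U-HEnum listed above differ in how the OR clauses are grouped and in the added 'pwsh.exe' name. The following is an added illustration, not part of the release notes or the vendor's code, that models both queries as Python predicates over constructed events. It assumes AND binds tighter than OR in the query language, that WLDi is a case-insensitive contains match, and uses a made-up stand-in for the 'System Enumeration Processes' table.

```python
# Added illustration; models the old and new query values as Python predicates.
ENUM_PROCESSES = {"whoami.exe", "systeminfo.exe"}  # constructed stand-in for the context table
NET_ARGS = (" config ", " share ", " start ", " time ", " use ", " view ")

def wldi(pattern, value):
    # Assumption: WLDi is a case-insensitive "contains" match on the quoted text.
    return pattern.lower() in value.lower()

def clauses(e, scope, ps_names):
    name, cmd = e["process_name"], e.get("process_command_line", "")
    scoped = e["source_user_entity_id"] == scope and e["activity_type"] == "process-create"
    enum = name in ENUM_PROCESSES
    net = name == "net.exe" and any(wldi(a, cmd) for a in NET_ARGS)
    ps = name in ps_names and wldi(" adrecon.ps1 ", cmd)
    own_rule = (e.get("product") == "NG Analytics" and e["activity_type"] == "rule-trigger"
                and e.get("vendor") == "Exabeam")
    return scoped, enum, net, ps, own_rule

def old_query(e, scope):
    scoped, enum, net, ps, own_rule = clauses(e, scope, ("powershell.exe",))
    # Assumed precedence: A AND B AND C OR D OR E AND NOT F
    # evaluates as (A AND B AND C) OR D OR (E AND NOT F).
    return (scoped and enum) or net or (ps and not own_rule)

def new_query(e, scope):
    scoped, enum, net, ps, own_rule = clauses(e, scope, ("powershell.exe", "pwsh.exe"))
    # The added parentheses keep every OR branch under the user and activity scope.
    return scoped and (enum or net or ps) and not own_rule

def event(user, name, cmd):
    return {"source_user_entity_id": user, "activity_type": "process-create",
            "process_name": name, "process_command_line": cmd}

# Constructed sample events; the feature is evaluated with scope user "alice".
SAMPLES = {
    "other user, net view": event("bob", "net.exe", "net view /domain"),
    "alice, pwsh ADRecon": event("alice", "pwsh.exe", "pwsh.exe -File ADRecon.ps1 -OutputType CSV"),
    "alice, net use": event("alice", "net.exe", "net use \\\\fs01\\share /user:alice"),
}

def compare(scope="alice"):
    return {k: (old_query(e, scope), new_query(e, scope)) for k, e in SAMPLES.items()}

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:22} old={old!s:5} new={new}")
```

Under these assumptions the old grouping counts another user's net.exe activity toward the scoped user's feature and misses pwsh.exe, which matters when validating detections that depend on this feature after the upgrade.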

Click the following link for the complete package release notes: 2025.26.1 Content Package Release Notes