Content Package 2026.2.1
These release notes contain information about content package 2026.2.1, released on 13 Feb 2026.
Enhancements
Added new parsers for NetApp Ontap logs - netapp-netappontap-str-endpoint-login-fail-loginattempterror and netapp-netappontap-str-endpoint-success-logging.
Updated tanium-im-kv-file-write-success-write conditions to parse broader category of Tanium Integrity Monitor logs.
Added new parser sentinelone-singularityp-json-app-authentication-apiactivity to parse SentinelOne - API Activity logs.
Added new parser for Microsoft DHCP xml logs - microsoft-mdhcplog-xml-configuration-modify-success-dhcpserver.
Updated mfa field extraction for AWS console login parsers amazon-awscloudtrail-json-app-login-awsconsolesignin and amazon-awscloudtrail-json-aws-login-consolelogin. Additionally, updated the activity type to build app-login events for parser amazon-awscloudtrail-json-aws-login-consolelogin.
Added new parser corelight-corelightids-json-alert-trigger-success-suricatacorelight to parse Corelight IDS logs.
Added new parser for Corelight IDS DCE/RPC logs: corelight-corelightids-json-app-activity-success-dce_rpc.
Added new parser for UNIX logs: unix-unix-kv-endpoint-login-success-sshuserlogin.
Added new parser jumpcloud-jc-json-directoryinsights-events for JumpCloud JSON logs.
Added new parser for OpenAI ChatGPT Compliance logs: openai-oai-json-ai-agent-request-response-compliance.
Added new parser for SentinelOne Scalyr logs: sentinelone-scalyr-json-endpoint-notification-success-scalyragentlog.
Added new parsers for Azure ATP logs: microsoft-defenderep-json-alert-trigger-success-bruteforcesecurityalert, microsoft-defenderep-json-alert-trigger-success-storageblonapplicationanomoly, microsoft-defenderep-json-alert-trigger-success-suspiciousapitraffic.
Added new parsers for SmartSuite logs: smartsuite-ssuite-json-audit-event and smartsuite-ssuite-json-app-activity-success.
Added new parser for Semperis DSP logs: semperis-dsp-kv-security-alert-trigger.
Added a new parser for Island Enterprise Browser logs: island-islandbrowser-json-http-session-message.
Updated object_name, start_time, end_time field extractions for parser: microsoft-o365-sk4-app-file-workload.
Updated Vendor to Mimecast for parsers code42-incydr-json-file-success-oshostname and code42-incydr-sk4-app-activity-success-appclient.
Updated beyondtrust-b-json-user-logon-success-ecs and beyondtrust-b-json-process-create-success-ecs conditions to parse broader category of BeyondTrust EPM logs. Updated event builder conditions for parser: beyondtrust-b-json-process-create-success-ecs. Added new parsers for BeyondTrust EPM logs: beyondtrust-b-json-app-activity-fail-ecs, beyondtrust-b-json-service-start-ecs and beyondtrust-b-json-service-stop-ecs.
Updated parser - microsoft-iis-str-http-request-post443 conditions to parse broader category of IIS logs.
Added new parsers for Menlo Security logs: menlo-ms-json-alert-trigger-success-heat. Updated menlo-ms-json-http-session-security conditions to parse broader category of Menlo Security logs.
Updated oracle-oci-json-app-activity-auditlogevent conditions to parse broader category of Oracle Cloud Infrastructure logs.
Added new parser for Ermes Browser Security Platform logs: ermes-ebsp-json-alert-trigger-success-datalossprevention.
Added new parser for Microsoft Copilot Interaction logs: microsoft-copilot-json-ai-agent-request-success-interaction.
Added new parsers for Check Point Avanan logs: checkpoint-avanan-mix-alert-trigger-success-severity-1 and checkpoint-avanan-kv-alert-trigger-success-avanan.
Updated the existing parser jamf-jamfpro-json-security-alerts-jamfprotect conditions to accommodate Jamf logs of type GPProcessEvent and GPUnifiedLogEvent. Additionally, created a new parser jamf-jamfpro-json-endpoint-notification-success-devicetelemetrystream for logs of type Device Telemetry Stream.
Added new parsers for Extrahop Reveal(x) logs: extrahop-revealx-str-app-activity-success-auditlog and extrahop-revealx-leef-app-activity-success-rx360auditlog.
Added new parsers for Commvault ThreatWise logs: commvault-threatwise-str-alert-trigger-success-synscan, commvault-threatwise-str-alert-trigger-success-reconnaissance, commvault-threatwise-str-traps-catchall.
Removed unused SOAR block from parser definition: vmware-carbonblackedr-leef-alert-trigger-success-watchlist.
Added VendorMatchers config for Progress ShareFile, Vectra, Qualys, Zoom, Trend Micro, Trellix, Tenable, Sophos, Snowflake, Slack, ServiceNow, SentinelOne, Salesforce, Recorded Future, Palo Alto, Okta, Proofpoint, Cato, Github, Google, Cloudflare, Cisco, LastPass, AWS, VMware, Netskope to match parsers using their collector information.
Addressed Issues
Updated user field extraction for parser: auth0-a-json-endpoint-login-fail-fp.
Updated event_id and client_id field extractions for parser: snowflake-s-csv-app-login-loginhistory.
Updated user field extraction for parser: cisco-asa-str-file-success-client.
Updated src_network_zone and src_network_type field extractions for parser: microsoft-windows-sk4-app-login-fail-signin.
Updated time field extraction for parser: questsoftware-casql-cef-database-query-success-sqlaudit, questsoftware-casql-cef-database-activity-success-audit.
Updated time, target, result, src_ip, user, object, host, email_address field extractions for parser: microsoft-o365-sk4-app-activity-success-movetofolder.
Updated mapping of access_device locations to city and state, and auth_device locations to location_city and location_state for parser - cisco-duo-json-endpoint-authentication-result-1.
Updated access_type field extraction for parser: microsoft-o365-sk4-app-file-operationworkload.
Updated src_host, email_address, domain, user field extractions for parser: sentinelone-singularityp-json-alert-trigger-success-rulename.
Added new activity type - service-stop event builders for parser - crowdstrike-falcon-sk4-app-activity-eventsimplename and crowdstrike-falcon-sk4-app-activity-eventsimplename-1.
Fixed src_host extraction for parser microsoft-evsecurity-xml-endpoint-login-success-4624: src_host is now parsed from targetusername, and the regex that extracted src_host from workstation has been removed.
Updated regex for src_ip and dest_ip field extractions for parsers: microsoft-o365-sk4-app-file-move, exabeam-aa-kv-rule-trigger-success-anomaly and cisco-netsec-str-network-notification-success-ftd.
Added new parsers for Netskope Webtx logs - netskope-webtx-csv-network-traffic-httptransaction and netskope-webtx-csv-network-traffic-websocket.
Fixed json & regex extractions for parser code42-incydr-json-file-succes-file to correctly parse operation, src_host and other fields.
Added new parser for Check Point NGFW logs: checkpoint-ngfw-cef-email-receive-mtainbound.
Added an eventType mapping for the case where the user does not exist for the parser pingidentity-pi-str-endpoint-login-fail-inprogress.
Updated grandparent_image_filename & grandparent_command_line field extractions for Crowdstrike.
Updated conditions for enricher: Fallback User Name
Updated email_address and src_ip/dest_ip fields for the following parsers: auth0-a-json-app-activity-success-catchall, auth0-a-json-app-login-fail-fcpr, auth0-a-json-app-login-fail-fu, azure-azuread-json-app-activity-updateserviceprincipal, microsoft-azuremon-json-app-activity-success-devicecompliance, microsoft-defenderep-json-alert-trigger-success-dlprulematch-1, microsoft-o365-cef-app-file-success-filedeleted, microsoft-o365-json-email-send-receive-subject, microsoft-o365-sk4-app-file-move, microsoft-o365-sk4-app-file-workload, microsoft-o365-sk4-email-receive-success-inbound, proofpoint-tappod-json-email-send-receive-sendmailto and sailpoint-identityiq-json-app-activity-success-appactivity.
Updated regexes to correctly parse fields in the following parsers - microsoft-iis-str-http-session-postmapi, microsoft-iis-str-http-request-post443, microsoft-iis-str-http-request-postotherports.
Updated regex for action field extraction in parser - netskope-sc-json-network-traffic-traffictype and netskope-sc-json-alert-trigger-success-malsite-1.
Updated the host field regex in the parser - unix-unix-str-endpoint-activity-anacron and adjusted the parser priority.
Added email_address, app_id, authorization_scope, role_definition_id, principal_id, principal_type, app_version, region, result and more fields for microsoft-azuremon-sk4-app-activity-administrative and microsoft-azuremon-json-app-activity-operationname parser.
Enhanced user, src_user, dest_user field extraction for Palo Alto parsers: pan-ngfw-csv-network-traffic-success-end, pan-ngfw-csv-network-traffic-fail-drop and pan-ngfw-csv-network-traffic-fail-tcp.
Moved weak condition Cisco parsers to a lower priority.
Updated rule_severity & rule_count field extractions for parser: amazon-awscloudtrail-json-policy-apply-success-policyexecution. Updated dest_ip field extractions for parser: cisco-netsec-str-network-notification-success-ftd. Updated failure_reason & email_address field extractions for parser: juniper-ps-str-vpn-login-fail-hostfailed. Updated email_address field extractions for parser: juniper-ps-str-vpn-logout-success-timeout. Updated new_ip field extractions for parser: amazon-awscloudtrail-json-endpoint-create-runinstances
Updated host field extraction for parser: unix-unix-kv-process-create-success-execve.
Updated src_mac field extraction for parser: infoblox-bddi-json-dhcp-traffic-success-lease.
Added time parsing for sentTime in addition to receivedTime for the parser exabeam-phishingtool-json-email-receive-success-phish.
Updated src_ip field extractions for Microsoft Azure logs.
Updated the bytes field extraction for the microsoft-o365-json-email-send-fail-publish parser and the attachment_size field extraction for the microsoft-o365-json-email-send-fail-advancedhunting parser.
Updated url and web_domain field extractions for parser: microsoft-o365-mix-file-success-workload.
Updated email_address field extraction for parsers: azure-azuremfa-json-app-activity-additionaldetails and microsoft-evsecurity-xml-endpoint-login-4768. Updated src_ip field extraction for parser: addressmicrosoft-o365-sk4-app-file-move.
Enhanced the precedence of the crowdstrike-user enricher when enriching the user value.
Added more_info and workspace_name field extractions for parser templates: defender-atp-security-alert-events and json-microsoft-security-events-1.
Updated the parser microsoft-mssql-xml-database-login-qualifiers condition and moved parser - microsoft-evsecurity-xml-endpoint-logout-4634 to higher priority.
Added db_name, db_user and role fields for snowflake-s-json-database-activity-success-querytext parser.
Added new parser for Code42 Incydr logs: code42-incydr-json-file-success-file-1.
Updated auth_method field extraction for parser: secureauth-login-kv-app-notification-24010.
Updated action field extraction for parsers: pan-ngfw-cef-network-traffic-success-end, pan-ngfw-leef-network-traffic-success-allow and pan-ngfw-csv-network-traffic-success-end.
Updated dest_country field extraction for parser: pan-ngfw-mix-alert-trigger-success-threatvulnerability.
Increased the sequenceExpiryTime to 15 minutes for Gemini Enterprise event builders.