Content Package 2026.4.1
These release notes contain information about content package 2026.4.1, released on 15 Apr 2026.
Enhancements
Updated activity-type mapping for parser: crowdstrike-falcon-sk4-app-activity-fdritemsexplorer.
Removed regex for direction field in parser - cisco-asa-str-network-traffic-success-built.
Added channel field extraction for Microsoft parsers.
Added new parsers for Zscaler Breach Predictor logs: zscaler-bp-json-http-session-threatcategory.
Added new parsers for Microsoft DNS server updates & notification logs.
Added new parser for Axway Gateway logs.
Updated web_domain field extraction for parser template bluecoat-proxy.
New parsers added for Microsoft AzureADPasswordProtection-DCAgent & AzureADPasswordProtection-ProxyService logs.
Added new parser for Kong Gateway logs: kong-kg-json-http-session-accesslog.
Added new parsers for PowerProtect Data Manager logs. Parser names: dell-ppdm-kv-app-activity-success-catchall, dell-ppdm-kv-app-login-success-audit, dell-ppdm-kv-app-logout-success-audit.
Added new parser crowdstrike-falcon-json-app-activity-eambypassevent for CrowdStrike EAMBypassEvent events.
Updated dg-ep-json-alert-trigger-success-dlp-activity conditions to parse a broader category of Digital Guardian logs. Added new activity-type event builders for parser: dg-ep-json-alert-trigger-success-dlp-activity.
Updated field extraction in parsers and event builders condition for Microsoft Tier-3 parsers.
Updated extraction for the http_response_code field in parser crowdstrike-falcon-json-app-login-apiactivityauditevent, the bytes_in and bytes_out fields in parser extrahop-revealx-cef-alert-trigger-success-riskscore, and the bytes field in parser forcepoint-dlp-cef-alert-trigger-success-forcepointdlp.
Added new enrichers: User to Email Address, Destination User to Destination Email Address, User to User SID or User ID, Destination User to Destination User SID or Destination User ID, Microsoft User UPN to Email Address Enricher, Discard EM HOST, Discard EM USER.
Removed enrichers: UID to User Lookup, EmployeeNumber to User Lookup, Email to User Enricher-1, Destination Email to Destination User Enricher-1, Email to User Enricher-2, Destination Email to Destination User Enricher-2, User SID to User Lookup, Microsoft User UPN to User/Email Enricher, CrowdStrike Asset ID to User Lookup, Discard EM External, Discard EM Ephemeral, Discard Exabeam User.
Updated dest_ip, dns_response, dns_response_flags field extractions for parser: infoblox-bddi-str-dns-request-success-dnsquery
Added 3 parsers to parse previously unparsed logs. Parser names: microsoft-evntlm-xml-endpoint-authentication-fail-4021, microsoft-evntlm-xml-alert-trigger-success-4014 and microsoft-evsystem-xml-endpoint-notification-success-catchall.
Added multiple new parsers for vendor Upwind.
New parsers created for Copilot AI operations logs.
Enhanced existing parsers & event-builders for vendors like Microsoft, Netskope, Okta, Oracle.
Updated field extraction in parsers and event builder conditions for Tier-3 parsers from Dell, F5, Google, HP, Skyhigh Security and other vendors.
Enhanced existing parsers & event-builders for vendors like Amazon, Badge, Barracuda Networks, Check Point, Cisco, CrowdStrike, CyberArk.
Addressed Issues
Updated the vendor to Dnsmasq
Updated group_name, dest_user, dest_email_address fields extraction for parser: azure-azuread-json-app-activity-useractivitydisplayname
Updated user_id and email_address field extractions for parser - auth0-a-json-app-authentication-fail-warning.
Added user_agent field for parser - mcafee-wg-csv-http-session-3.
Updated src_host field extraction for the parser: symantec-endpointprotection-kv-alert-trigger-success-requestedaction
Updated Platform values for multiple BloxOne DDI parsers.
Fixed host field of parser postgresql-p-str-database-activity-context
Updated product names of parsers - citrix-netscalerwaf-str-network-traffic-default, citrix-netscalerwaf-str-ssl-traffic-ssllog, and citrix-appfw-str-app-notification-message. Updated parser condition of citrix-appfw-str-app-notification-message to match the unparsed log.
Added a new parser for Auth0 logs (Parser: auth0-a-json-app-login-fail-fsa). Additionally, updated the confidence_level field extraction across Auth0 parsers.
Added user, country_code, location_city, region, failure_reason, additional_info, host, event_name, src_ip and other field extractions for parsers jumpcloud-jc-str-app-login-success and jumpcloud-jc-json-directoryinsights-events.
Updated trigger_time field extractions for parsers: exabeam-nganalytics-json-rule-trigger-success-nganalytics, exabeam-cr-json-rule-trigger-success-correlationrule and exabeam-phishingengine-json-rule-trigger-success-phishingengine.
Added tactic_key, tactic, technique_key and technique fields for parser corelight-corelightids-json-alert-trigger-success-suricatacorelight.
Enhanced parser accuracy by fixing priorities and conditions across multiple vendors including Microsoft (Azure Monitor, Microsoft Defender), Proofpoint, MariaDB, HP, Symantec, Accellion, and Citrix.
Added parsers for Copilot Interaction & Powerplatform logs.
Added process related fields for parser jamf-jamfpro-json-endpoint-notification-success-devicetelemetrystream
Added channel field extraction in the Microsoft parsers.
Updated the parser conditions and regex for time, bytes, message_id, result, and log_source in the parser - microsoft-o365-json-email-send-receive-subject.
Added host field extraction for Palo Alto Networks parsers.
Added new parser - hp-arubaos-str-ssh-close-success-sshclose to generate correct events.
Updated the parser template for parser checkpoint-ngfw-cef-endpoint-login-success-identity-1
Updated the parser silverfort-s-cef-app-login-adminconsole for new log format.
Updated email_recipients field extraction for parser microsoft-o365-sk4-app-activity-success-forwardto
Added tenant_id field extraction for Microsoft parsers.
Updated time field extraction for parser salesforce-sf-json-app-activity-success-loginhistory.
Updated the event builder conditions for parser: crowdstrike-falcon-json-file-delete-success-deleted
Enhanced the user extraction for the parsers pingidentity-forgerock-json-endpoint-authentication-amlogin & pingidentity-forgerock-json-endpoint-logout-amlogout
Updated email_address, full_name, first_name, last_name, user field extractions for Microsoft parsers.
Added email_attachments field extraction for parser proofpoint-tappod-json-email-send-receive-rcpts
Added user_agent field extraction for parser: skyhighsecurity-ssc-csv-http-session-fail-denied. Updated parser conditions for skyhighsecurity-ssc-csv-http-session-observed to resolve misparsing of McAfee logs.
Updated web_domain extraction for parser template bluecoat-proxy.
Fixed event type of parser microsoft-evsecurity-xml-http-request-403
Added regex for event_category field in parsers - pan-gp-cef-app-activity-success-globalprotect and pan-tesm-csv-alert-trigger-hipmatch
Removed parsing of src_host from TargetDeviceName for parser microsoft-defenderep-json-endpoint-login-identitylogonevents
Resolved Salesforce Marketing Cloud Log getting misparsed as Picture Perfect log issue.
Updated src_host, host field extractions for parser: microsoft-sysmon-kv-process-create-success-processcreate-1
Added host field parsing for following parsers: cisco-mma-kv-alert-trigger-airmarshalevents, microsoft-mdhcplog-csv-dhcp-traffic-success-bootp, unix-unix-str-endpoint-notification-bash, unix-unix-str-endpoint-notification-kernel, postgresql-p-json-database-activity-fail-error, vmware-esxi-str-app-activity-hostd-1, postfix-postfix-str-email-send-fail-statusdeferred, postfix-postfix-str-email-send-fail-deliveryfailure, postfix-postfix-str-smtp-close-connectionfail, unix-sm-kv-email-send and vmware-esxi-str-endpoint-activity-vmkernel.
Added alert_severity, alert_subject, alert_name, and dest_ip fields extraction for parser: trendmicro-ds-cef-app-activity-appactivity.
Updated alert_source extraction for parser template json-microsoft-security-events-1
Updated event builder conditions for parser azure-azuread-json-app-activity-useractivitydisplayname. Added new activity_type for parser azure-azuread-json-app-activity-useractivitydisplayname.
Updated src_host extraction for parser template json-microsoft-security-events-1
Parsed field dest_user from account field into parser delinea-ss-cef-app-activity-success-thycotic
Added host field in parser microsoft-o365-cef-app-login-fail-userloginfailed
Updated regex for host field extraction in parsers - microsoft-azuread-json-app-login-appdisplayname and microsoft-o365-cef-app-login-success-user.
Removed the mapping of first_name, last_name and full_name from parser azure-azuread-json-app-activity-useractivitydisplayname. Updated mapping for user_agent for parser azure-azuread-json-app-activity-useractivitydisplayname.
Updated precedence of pan-gp-cef-app-activity-success-globalprotect parser.
Updated email_address regex in following parsers - microsoft-evsecurity-xml-endpoint-login-fail-4625, crowdstrike-falcon-sk4-endpoint-login-userloginfail, microsoft-o365-sk4-app-activity-success-softdelete, mcafee-wg-kv-http-session-success-mwgaccess3, microsoft-o365-json-email-send-fail-advancedhunting, microsoft-o365-sk4-file-write-success-filemodified and microsoft-o365-sk4-app-activity-success-movetodeleteditems-2.
Added src_user field for GitHub parsers.
Updated regex for email_address field extraction in parser - crowdstrike-falcon-sk4-endpoint-login-userloginfail.
Updated activity type to alert-trigger:success in parsers crowdstrike-falcon-cef-app-activity-useractivityauditevent and crowdstrike-falcon-cef-app-activity-useractivityauditevent-1.