Content Package 2026.6.1
These release notes contain information about content package 2026.6.1, released on 16 Jun 2026.
Enhancements
Updated parser conditions for the fortinet-fortiweb-kv-alert-trigger-success-attack and fortinet-fortigate-kv-network-traffic-logid parsers.
Added new parser unix-unix-kv-dns-request-fail-docker
New parsers added for OpenAI Audit API Collector logs: openai-oai-json-account-create-delete-success-service, openai-oai-json-app-logout-success-logoutsucceeded, openai-oai-json-certificate-success-certificate, openai-oai-json-invite-success-invite, openai-oai-json-project-success-project, openai-oai-json-user-delete-success-userdeleted, openai-oai-json-role-assign-delete-success
Updated email_address regex to support consecutive special characters.
Added new parser google-workspace-cef-email-sendmaileventtype
Added new parsers for CrowdStrike Falcon FDR: crowdstrike-falcon-json-file-upload-success-local_application, crowdstrike-falcon-json-peripheral_device-activity-success-usb, crowdstrike-falcon-json-file-upload-success-web, crowdstrike-falcon-json-printer-activity-success-printer.
Added new parser microsoft-evntlm-xml-endpoint-authentication-success-8005 and microsoft-evntlm-xml-endpoint-authentication-success-8006 to support Microsoft-Windows-NTLM logs.
Added new parser microsoft-365defender-json-message-send-success-messageevents to support Microsoft Defender logs.
Updated CIM field descriptions for the email_recipients, share_type, count, site_name, object_type, session_id, folder_name, src_email_folder, dest_email_folder, group_info and rule fields.
Added new parsers for Epic Siem XML and JSON format logs - epic-siem-xml-app-login-fail-failedlogin, epic-siem-xml-app-login-fail-wpsecloginfail, epic-siem-xml-app-login-success-hkulogin, epic-siem-xml-app-login-success-login, epic-siem-xml-app-login-success-roverlogin, epic-siem-xml-app-login-success-wpsecloginsuccess, epic-siem-xml-endpoint-login-success-authentication, epic-siem-json-app-login-success-login and epic-siem-json-endpoint-login-success-authentication.
Updated activity_type for skysea-cv-csv-peripheral-storage-activity-success-usbactivity parser.
Added new parser crowdstrike-falcon-json-alert-trigger-success-iom for CrowdStrike IOM logs.
Added new parser and event builders for Ordr AI Protect logs: ordr-aiprotect-json-alert-trigger-success-warning
Added new parser for Okta Workforce Identity Cloud logs: okta-wic-json-app-activity-securitycontext.
Removed redundant Microsoft host enrichers (microsoft-src_host-1 and microsoft-dest_host-1) and updated direction enrichers (all-direction-1 and all-direction-2) to override parser-level values as per research guidance.
Added field extractions for blocked, message_id & conversation_id in parsers microsoft-copilot-json-ai-agent-request-success-interaction & microsoft-copilot-json-ai-agent-request-success-interaction-2
Added new parser crowdstrike-falcon-json-alert-trigger-containerswithoutrunasnonroot
Added new parser amazon-s3-str-http-session-success-accesslog for S3 access logs
Added new parser microsoft-evsecurity-kv-certificate-create-success-4887 to support Microsoft 4887 Logs.
Added new parser for ABA logs: exabeam-aba-json-ai-agent-activity.
Added new parser - microsoft-defenderep-json-alert-trigger-success-dlppolicymatch to parse Microsoft Defender logs.
Added new parser delinea-dp-kv-app-activty-success-delineasyslog
Enhanced O365 parsing and templates with new field extractions including target, target_domain, mailbox_name, and email_recipients, along with app_id mapping improvements.
New parsers created for OpenAI Audit logs: openai-oai-json-api-key-create-success, openai-oai-json-api-key-delete-success, openai-oai-json-api-key-modify-success, openai-oai-json-group-create-success, openai-oai-json-group-delete-success, openai-oai-json-group-modify-success, openai-oai-json-project-create-success, openai-oai-json-role-assign-success, openai-oai-json-role-create-success, openai-oai-json-role-delete-success, openai-oai-json-role-modify-success
New CIM field extractions added across all M365 parsers, field names include site_name, src_site_name, owner, throttled, count, app_id, file_id, email_recipients.
Updated tenant_id field extraction for the Microsoft parsers.
Developed an enricher: all-icmp-src_dest_port to nullify the src_port/dest_port values if 0 or if protocol is ICMP.
Addressed Issues
Added added_permissions field extraction for parser google-cloudplatform-json-policy-modify-success-googleapissetiampolicy
Updated EB condition for parser google-cloudplatform-json-network-traffic-success-payload and google-cloudplatform-sk4-network-traffic-success-payload
Updated account_id field for amazon-awscloudtrail-json-role-assume-success-assumerole parser.
Updated web_domain field for netskope-webtx-csv-network-traffic-httptransaction parser.
Updated additional_info and event_name field extractions and also added new activity-types - user-password-reset, user-modify and app-activity for parser - onelogin-o-json-app-login-success-applogin.
Updated dest_email_address extraction for parser microsoft-m365auditlogs-json-app-activity-operationname
Updated Platform value for parser microsoft-windows-sk4-app-login-fail-signin. Fixed OS field parsing for parser microsoft-windows-sk4-app-login-fail-signin.
Updated host field extraction for parser: cisco-mma-kv-http-session-fail-url.
Updated parser conditions of Zscaler Internet Access parsers: zscaler-ia-kv-network-traffic-success-tunnel, zscaler-ia-json-network-traffic-success-tunnel. Also updated the time, src_port, email_address, email_domain field extractions.
Added new parsers/event builders for Azure Monitor logs.
New parsers added for OpenAI Audit log collector.
Added new parsers/event builders for Checkpoint Harmony Email & Collaboration logs.
Updated mapping of dest_ip field in parser - crowdstrike-falcon-json-process-create-success-processrollup.
Updated parser condition for parser microsoft-evsecurity-json-endpoint-login-fail-4771
Updated activity_type for cisco-fp-str-network-traffic-fail-106015 parser.
Added new parser for Microsoft 365 logs: microsoft-o365-json-email-send-receive-subject-1.
Updated parser conditions of Menlo parser - menlo-ms-json-http-session-security.
Updated user_sid field extraction for parser - microsoft-evsecurity-xml-endpoint-time-modify-4616.
Updated reason field regex for parser cyberark-pam-mix-user-switch-success-retrievepassword
Updated member and group_name field extractions and added support for a new event, group-member-add:success, for parser: okta-amfa-mix-app-login-success-securitycontext
Removed parser axway-gateway-str-endpoint-login-success-edge.
Added new parser/event builders for Netskope Security Cloud logs.
Updated src_ip/dest_ip fields for pan-ngfw-csv-http-session-9999 parser.
Updated the web_domain, uri_path field extractions for parser: netskope-sc-cef-http-session-success-cloudapp.
Updated dest_email_address field for azure-azuread-json-app-activity-useractivitydisplayname parser.
Updated severity, threat_id field extraction and event type mapping to endpoint-scan for parser: qualys-q-json-app-activity-success-scan.
Added user_sid, dest_user_sid, dest_host, user field extractions for parser microsoft-defenderep-json-user-password-modify-success-passwordchanged.
Added mapping for direction, src_mac, dest_mac for parser microsoft-defenderep-cef-network-session-devicenetworkevents
Removed wrongly parsed dest_host fields from crowdstrike-falcon-mix-alert-trigger-success-detection parser.
Updated src_host field extraction for parsers: microsoft-evsecurity-xml-endpoint-login-success-4624-1, microsoft-evsecurity-xml-endpoint-login-success-4624.
Added new parser for Microsoft Azure Monitor: microsoft-azuremon-json-database-activity-postgresqllogs.
Updated UserId field regex for parser microsoft-o365-sk4-app-file-operationworkload
Updated user field extraction regex for parser microsoft-o365-sk4-app-file-operationworkload
Added new parser for Google Cloud Platform logs: google-cloudplatform-json-app-activity-success-googleapismethodnamecustomresourcedefinitionsupdate
Updated host, dest_host field extractions for PostgreSQL logs.
Updated parser condition for parser menlo-ms-json-http-session-security. Added file_url, session_id field extraction for parser menlo-ms-json-http-session-security
Updated regex to parse Node value into object field instead of dest_host for F5 Access Policy Manager logs.
Updated domain, dest_host field extractions for Delinea logs.
Updated dest_host, dest_ip, additional_info field extractions for parser: unix-unixdhcpd-str-dhcp-session-success-dhcpd
Updated src_port field extractions for parser: unix-unix-str-endpoint-logout-sshdconnectionclosed
Updated dest_ip, src_interface field extractions for parser: infoblox-bddi-str-dhcp-traffic-dhcprelease
Updated regex for parser google-cloudplatform-json-policy-modify-success-googleapissetiampolicy
Updated src_file_name and browser field extraction regex for parser symantec-cloudsoc-cef-file-activity-symanteccloudsoc. Updated hosts field extraction regex for parser symantec-cloudsoc-sk4-alert-trigger-success-fromdetect
Added Microsoft Domain Validation Enricher: Drop domain fields for Microsoft events when the domain is an IP or matches the source or destination host.
Updated ChatName, ItemName fields for microsoft-o365-sk4-app-file-workload parser.
Updated the field extractions attack_info, attack_conf, attack, alert_source, alert_status for parser abnormalsecurity-as-json-alert-trigger-success-attacktype-1
Added email_subject_list field extraction for parsers microsoft-o365-sk4-app-file-operationworkload, microsoft-o365-json-mail-access-mailitemsaccessed
Updated the email extraction regex for parsers cisco-fp-str-network-traffic-success-teardown-duration and cisco-fp-str-network-traffic-success-teardown-connection
Updated the parser microsoft-windows-cef-endpoint-login-device
Updated time regex and corresponding time formats for parsers - beyondtrust-b-json-process-create-success-ecs, wiz-w-json-app-activity-success-fail-wiz, microsoft-evsystem-xml-endpoint-stop-1074, microsoft-evapp-xml-endpoint-stop-1074, microsoft-evsystem-xml-endpoint-notification-success-catchall, wiz-w-json-app-login-success-fail-login, microsoft-azuremon-sk4-app-notification-performancelog, and microsoft-evsystem-xml-log-clear-success-104-1.
Updated condition of enrichment of all-src_network_type, all-dest_network_type, all-direction-1 & all-direction-2
Updated the parser sentinelone-singularityp-json-endpoint-login-success-logins and EB
Updated the detectionReason for rule: Prof-SA-AN-U-AN.
Updated time regex and respective TimeFormat in these default parsers - snowflake-s-json-database-activity-success-querytext and snowflake-s-sk4-database-login-success-login-1.