November 22, 2024 - Content Release
This content release includes:
- New mapping support for: Qumulo Core, and Teramind Teraserver.
- Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
- Updates to the existing Okta log mappings to support a new HTTP source log formatting.
- Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.
Changes are enumerated below.
Rules
- [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
- Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
- [New] THRESHOLD-S00116 Password Attack from IP
- This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
- [Updated] FIRST-S00095 Password Attack from Host
- Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
- [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
- Baseline retention window size increased from 35 days to the standard 90 day retention.
- Modified the summary description to read as follows: "User:
{{user_username}}
has successfully accessed the Okta Admin Application".
Log Mappers
- [New] Palo Alto Threat DLP non File - Custom Parser
- Mapping support added for event id pattern: threat-dlp-non-file.
- [New] Qumulo Core - Catch All
- [New] Qumulo Core - Login
- [New] Teramind Authentication
- [New] Teramind Catch All
- [New] Teramind Email
- [Updated] Code42 Incydr Alerts C2C
- [Updated] Okta Authentication - auth_via_AD_agent
- [Updated] Okta Authentication - auth_via_mfa
- [Updated] Okta Authentication - auth_via_radius
- [Updated] Okta Authentication - sso
- [Updated] Okta Authentication Events
- [Updated] Okta Catch All
- [Updated] Okta Security Threat Events
Parsers
- [New] /Parsers/System/Qumulo/Qumulo Core
- [New] /Parsers/System/Salesforce/Salesforce
- [New] /Parsers/System/Teramind/Teramind Teraserver
- [Updated] /Parsers/System/Code42/Code42 Incydr
- Transform update for a new alert log format for tenantId.
- [Updated] /Parsers/System/Okta/Okta
- Modified event_id from eventType to event_type.
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- Additional parsing support for a new Palo Alto Threat event format.