Summary
- Updated GuardDuty mappers to use detail.type instead of overly verbose detail.description.
- Added parsing and mapping support for Citrix Cloud C2C.
- Secondary update corrections around Matchlist fix for column specifc filters.
- New Sophos C2C mapper expansion around Event and Alert normalization.
- Net-new OOBB content for Zoom; eight-Match rules, six Mappers, one Parser.
Rules
- [New] MATCH-S00856 Zoom - Account Created
- [New] MATCH-S00857 Zoom - Account Deleted
- [New] MATCH-S00858 Zoom - Group Admin Added
- [New] MATCH-S00859 Zoom - Group Admin Deleted
- [New] MATCH-S00860 Zoom - Group Changes
- [New] MATCH-S00861 Zoom - Information Barrier Policy Changes
- [New] MATCH-S00862 Zoom - Meeting Risk Alert
- [New] MATCH-S00863 Zoom - Recording Modification
- [Updated] THRESHOLD-S00096 Brute Force Attempt
- [Updated] MATCH-S00565 Direct Outbound DNS Traffic
- [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
- [Updated] THRESHOLD-S00102 Domain Password Attack
- [Updated] THRESHOLD-S00095 Password Attack
- [Updated] CHAIN-S00008 Successful Brute Force
Log Mappers
- [New] Citrix Cloud Client Created or Deleted
- [New] Sophos - C2C Alerts
- [New] Sophos - C2C Event Threat Detections
- [New] Zoom - Account Creations or Deletions
- [New] Zoom - Catch All
- [New] Zoom - Group Modifications
- [New] Zoom - Information Barrier Policy Modifications
- [New] Zoom - Meeting Risk Alert
- [New] Zoom - Recording Deleted or Trashed
- [Updated] AWSGuardDuty_PenTest
- [Updated] AWSGuardDuty_Stealth
- [Updated] Recon_EC2_PortProbeUnprotectedPort
- [Updated] Recon_IAMUser
Parsers
- [New] /Parsers/System/Citrix/Citrix Cloud C2C
- [New] /Parsers/System/Zoom/Zoom