Skip to main content

November 22, 2024 - Content Release

icon

This content release includes:

  • New mapping support for: Qumulo Core, and Teramind Teraserver.
  • Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
  • Updates to the existing Okta log mappings to support a new HTTP source log formatting.
  • Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.

Changes are enumerated below.

Rules​

  • [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
    • Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
  • [New] THRESHOLD-S00116 Password Attack from IP
    • This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
  • [Updated] FIRST-S00095 Password Attack from Host
    • Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
  • [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
    • Baseline retention window size increased from 35 days to the standard 90 day retention.
    • Modified the summary description to read as follows: "User: {{user_username}} has successfully accessed the Okta Admin Application".

Log Mappers​

  • [New] Palo Alto Threat DLP non File - Custom Parser
    • Mapping support added for event id pattern: threat-dlp-non-file.
  • [New] Qumulo Core - Catch All
  • [New] Qumulo Core - Login
  • [New] Teramind Authentication
  • [New] Teramind Catch All
  • [New] Teramind Email
  • [Updated] Code42 Incydr Alerts C2C
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events

Parsers​

  • [New] /Parsers/System/Qumulo/Qumulo Core
  • [New] /Parsers/System/Salesforce/Salesforce
  • [New] /Parsers/System/Teramind/Teramind Teraserver
  • [Updated] /Parsers/System/Code42/Code42 Incydr
    • Transform update for a new alert log format for tenantId.
  • [Updated] /Parsers/System/Okta/Okta
    • Modified event_id from eventType to event_type.
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
    • Additional parsing support for a new Palo Alto Threat event format.
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.