December 20, 2024 - Content Release
This content release includes:
- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management).
- AWS Cloudtrail updates.
- Adds alternate mapping for
user_userIdin anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see Important changes to CloudTrail events for AWS IAM Identity Center.
- Adds alternate mapping for
- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower.
- Rule updates.
Changes are are enumerated below.
Rules​
- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
- Rule has been replaced by FIRST-S00065 as this version was not enabled by default.
- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User
- Updated "First Seen" value from ClientInfoString to Client to reduce false positives.
- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
- Replaces FIRST-S00029.
Log Mappers​
- [New] Dragos Catch All
- [New] Mindpoint Group Keeper Authentication
- [New] Mindpoint Group Keeper Catch All
- [New] Trust Login Authentication
- [New] Trust Login Catch All
- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
- [Updated] CloudTrail Default Mapping
- [Updated] Firepower Catch All
- Additional new field mappings to support Firepower events and improve records classification.
- [Updated] Palo Alto Config - Custom Parser
- Adds alternate field mappings.
- [Updated] Palo Alto System - Custom Parser
- Adds alternate field mappings.
- [Updated] Palo Alto System Auth - Custom Parser
- Support additional panorama-auth-success and alternate fields for mapped fields.
Parsers​
- [New] /Parsers/System/Dragos/Dragos
- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
- [New] /Parsers/System/Trust Login/Trust Login
- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
- Adds support for FTD 430002 and 430003 events.
- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
- Adds support for 'panorama-auth-success' events and improves timestamp handling.