From 4041ef172a99966d47e265f5afdbe20083fc2aab Mon Sep 17 00:00:00 2001
From: John Pipkin <jpipkin@sumologic.com>
Date: Fri, 22 Nov 2024 16:14:02 -0600
Subject: [PATCH] Add notes

---
 blog-cse/2024-11-22-content.md | 61 ++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 blog-cse/2024-11-22-content.md

diff --git a/blog-cse/2024-11-22-content.md b/blog-cse/2024-11-22-content.md
new file mode 100644
index 0000000000..23073e59db
--- /dev/null
+++ b/blog-cse/2024-11-22-content.md
@@ -0,0 +1,61 @@
+---
+title: November 22, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - log parsers
+  - detection rules
+  - tag schemas
+image: https://help.sumologic.com/img/sumo-square.png  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+* New mapping support for: Qumulo Core, and Teramind Teraserver.
+* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
+* Updates to the existing Okta log mappings to support a new HTTP source log formatting.
+* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.
+
+Changes are enumerated below.
+
+### Rules
+* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
+   * Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
+* [New] THRESHOLD-S00116 Password Attack from IP
+   * This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
+* [Updated] FIRST-S00095 Password Attack from Host
+   * Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
+* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
+   * Baseline retention window size increased from 35 days to the standard 90 day retention.
+   * Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application".
+
+### Log Mappers
+* [New] Palo Alto Threat DLP non File - Custom Parser
+   * Mapping support added for event id pattern: threat-dlp-non-file.
+* [New] Qumulo Core - Catch All
+* [New] Qumulo Core - Login
+* [New] Teramind Authentication
+* [New] Teramind Catch All
+* [New] Teramind Email
+* [Updated] Code42 Incydr Alerts C2C
+* [Updated] Okta Authentication - auth_via_AD_agent
+* [Updated] Okta Authentication - auth_via_mfa
+* [Updated] Okta Authentication - auth_via_radius
+* [Updated] Okta Authentication - sso
+* [Updated] Okta Authentication Events
+* [Updated] Okta Catch All
+* [Updated] Okta Security Threat Events
+
+### Parsers
+* [New] /Parsers/System/Qumulo/Qumulo Core
+* [New] /Parsers/System/Salesforce/Salesforce
+* [New] /Parsers/System/Teramind/Teramind Teraserver
+* [Updated] /Parsers/System/Code42/Code42 Incydr
+   * Transform update for a new alert log format for tenantId.
+* [Updated] /Parsers/System/Okta/Okta
+   * Modified event_id from eventType to event_type.
+* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
+   * Additional parsing support for a new Palo Alto Threat event format.
\ No newline at end of file