Skip to content

Cloud SIEM content release notes for November 22 2024 #4790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 22, 2024
Merged

Cloud SIEM content release notes for November 22 2024 #4790

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions blog-cse/2024-11-22-content.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
---
title: November 22, 2024 - Content Release
hide_table_of_contents: true
keywords:
- log mappers
- log parsers
- detection rules
- tag schemas
image: https://help.sumologic.com/img/sumo-square.png
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>

This content release includes:
* New mapping support for: Qumulo Core, and Teramind Teraserver.
* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
* Updates to the existing Okta log mappings to support a new HTTP source log formatting.
* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.

Changes are enumerated below.

### Rules
* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
* Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
* [New] THRESHOLD-S00116 Password Attack from IP
* This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
* [Updated] FIRST-S00095 Password Attack from Host
* Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
* Baseline retention window size increased from 35 days to the standard 90 day retention.
* Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application".

### Log Mappers
* [New] Palo Alto Threat DLP non File - Custom Parser
* Mapping support added for event id pattern: threat-dlp-non-file.
* [New] Qumulo Core - Catch All
* [New] Qumulo Core - Login
* [New] Teramind Authentication
* [New] Teramind Catch All
* [New] Teramind Email
* [Updated] Code42 Incydr Alerts C2C
* [Updated] Okta Authentication - auth_via_AD_agent
* [Updated] Okta Authentication - auth_via_mfa
* [Updated] Okta Authentication - auth_via_radius
* [Updated] Okta Authentication - sso
* [Updated] Okta Authentication Events
* [Updated] Okta Catch All
* [Updated] Okta Security Threat Events

### Parsers
* [New] /Parsers/System/Qumulo/Qumulo Core
* [New] /Parsers/System/Salesforce/Salesforce
* [New] /Parsers/System/Teramind/Teramind Teraserver
* [Updated] /Parsers/System/Code42/Code42 Incydr
* Transform update for a new alert log format for tenantId.
* [Updated] /Parsers/System/Okta/Okta
* Modified event_id from eventType to event_type.
* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
* Additional parsing support for a new Palo Alto Threat event format.
Loading