|
| 1 | +--- |
| 2 | +title: November 22, 2024 - Content Release |
| 3 | +hide_table_of_contents: true |
| 4 | +keywords: |
| 5 | + - log mappers |
| 6 | + - log parsers |
| 7 | + - detection rules |
| 8 | + - tag schemas |
| 9 | +image: https://help.sumologic.com/img/sumo-square.png |
| 10 | +--- |
| 11 | + |
| 12 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 13 | + |
| 14 | +< a href= "https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></ a> |
| 15 | + |
| 16 | +This content release includes: |
| 17 | +* New mapping support for: Qumulo Core, and Teramind Teraserver. |
| 18 | +* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta. |
| 19 | +* Updates to the existing Okta log mappings to support a new HTTP source log formatting. |
| 20 | +* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format. |
| 21 | + |
| 22 | +Changes are enumerated below. |
| 23 | + |
| 24 | +### Rules |
| 25 | +* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event |
| 26 | + * Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place. |
| 27 | +* [New] THRESHOLD-S00116 Password Attack from IP |
| 28 | + * This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping. |
| 29 | +* [Updated] FIRST-S00095 Password Attack from Host |
| 30 | + * Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity. |
| 31 | +* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application |
| 32 | + * Baseline retention window size increased from 35 days to the standard 90 day retention. |
| 33 | + * Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application". |
| 34 | + |
| 35 | +### Log Mappers |
| 36 | +* [New] Palo Alto Threat DLP non File - Custom Parser |
| 37 | + * Mapping support added for event id pattern: threat-dlp-non-file. |
| 38 | +* [New] Qumulo Core - Catch All |
| 39 | +* [New] Qumulo Core - Login |
| 40 | +* [New] Teramind Authentication |
| 41 | +* [New] Teramind Catch All |
| 42 | +* [New] Teramind Email |
| 43 | +* [Updated] Code42 Incydr Alerts C2C |
| 44 | +* [Updated] Okta Authentication - auth_via_AD_agent |
| 45 | +* [Updated] Okta Authentication - auth_via_mfa |
| 46 | +* [Updated] Okta Authentication - auth_via_radius |
| 47 | +* [Updated] Okta Authentication - sso |
| 48 | +* [Updated] Okta Authentication Events |
| 49 | +* [Updated] Okta Catch All |
| 50 | +* [Updated] Okta Security Threat Events |
| 51 | + |
| 52 | +### Parsers |
| 53 | +* [New] /Parsers/System/Qumulo/Qumulo Core |
| 54 | +* [New] /Parsers/System/Salesforce/Salesforce |
| 55 | +* [New] /Parsers/System/Teramind/Teramind Teraserver |
| 56 | +* [Updated] /Parsers/System/Code42/Code42 Incydr |
| 57 | + * Transform update for a new alert log format for tenantId. |
| 58 | +* [Updated] /Parsers/System/Okta/Okta |
| 59 | + * Modified event_id from eventType to event_type. |
| 60 | +* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV |
| 61 | + * Additional parsing support for a new Palo Alto Threat event format. |
0 commit comments