|
| 1 | +--- |
| 2 | +title: December 20, 2024 - Content Release |
| 3 | +hide_table_of_contents: true |
| 4 | +keywords: |
| 5 | + - log mappers |
| 6 | + - log parsers |
| 7 | + - detection rules |
| 8 | +image: https://help.sumologic.com/img/sumo-square.png |
| 9 | +--- |
| 10 | + |
| 11 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 12 | + |
| 13 | +< a href= "https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></ a> |
| 14 | + |
| 15 | +This content release includes: |
| 16 | +- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management). |
| 17 | +- AWS Cloudtrail updates. |
| 18 | + - Adds alternate mapping for `user_userId` in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/). |
| 19 | +- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower. |
| 20 | +- Rule updates. |
| 21 | + |
| 22 | +Changes are are enumerated below. |
| 23 | + |
| 24 | +## Rules |
| 25 | +- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country |
| 26 | + - Rule has been replaced by FIRST-S00065 as this version was not enabled by default. |
| 27 | +- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User |
| 28 | + - Updated "First Seen" value from ClientInfoString to Client to reduce false positives. |
| 29 | +- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country |
| 30 | + - Replaces FIRST-S00029. |
| 31 | + |
| 32 | +## Log Mappers |
| 33 | +- [New] Dragos Catch All |
| 34 | +- [New] Mindpoint Group Keeper Authentication |
| 35 | +- [New] Mindpoint Group Keeper Catch All |
| 36 | +- [New] Trust Login Authentication |
| 37 | +- [New] Trust Login Catch All |
| 38 | +- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications |
| 39 | +- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events |
| 40 | +- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication |
| 41 | +- [Updated] CloudTrail Default Mapping |
| 42 | +- [Updated] Firepower Catch All |
| 43 | + - Additional new field mappings to support Firepower events and improve records classification. |
| 44 | +- [Updated] Palo Alto Config - Custom Parser |
| 45 | + - Adds alternate field mappings. |
| 46 | +- [Updated] Palo Alto System - Custom Parser |
| 47 | + - Adds alternate field mappings. |
| 48 | +- [Updated] Palo Alto System Auth - Custom Parser |
| 49 | + - Support additional panorama-auth-success and alternate fields for mapped fields. |
| 50 | + |
| 51 | +## Parsers |
| 52 | +- [New] /Parsers/System/Dragos/Dragos |
| 53 | +- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper |
| 54 | +- [New] /Parsers/System/Trust Login/Trust Login |
| 55 | +- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog |
| 56 | + - Adds support for FTD 430002 and 430003 events. |
| 57 | +- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF |
| 58 | + - Adds support for 'panorama-auth-success' events and improves timestamp handling. |
0 commit comments