From 0b5f3d62a0aed9062972a485d39d575d30cb881f Mon Sep 17 00:00:00 2001 From: Julian Crowley Date: Tue, 14 Jan 2025 15:06:25 -0700 Subject: [PATCH 1/2] CSIEM Content Notes 2025-01-14 --- blog-cse/2025/01-14.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 blog-cse/2025/01-14.md diff --git a/blog-cse/2025/01-14.md b/blog-cse/2025/01-14.md new file mode 100644 index 0000000000..e2b525f380 --- /dev/null +++ b/blog-cse/2025/01-14.md 
@@ -0,0 +1,41 @@ +### January 14, 2025 - Content Release + +This content release includes: +- Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall, +- Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog + +* Note: In ~2 weeks MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from OOTB Cloud SIEM Rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion. + +## Log Mappers +- [New] Azure DevOps Auditing Catch All +- [New] Check Point Application Control URL Filtering +- [New] Cisco ISE Radius Diagnostics +- [New] Linux OS Syslog - KRB5 Child - Authentication Failure +- [New] Linux OS Syslog - Process systemd - Systemd Session +- [New] Linux OS Syslog - Process systemd - Systemd Session Scope +- [New] Linux OS Syslog - Process systemd - session logout +- [New] Pfsense Firewall filterlog +- [New] Pfsense Firewall nginx +- [New] Pfsense Firewall openvpn Authentication +- [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log +- [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log +- [Updated] Cisco ISE Authentication Failure + - Adds normalizedSeverity mapping +- [Updated] Cisco ISE Authentication Success + - Adds normalizedSeverity mapping +- [Updated] Cloudflare - Logpush + - Adds mapping for dns_query, http_hostname,http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol. 
+- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect + - Adds mapping for normalizedAction +- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration + - Added support for additional events and mapping of file_path + +## Parsers +- [New] /Parsers/System/Pfsense/Pfsense Firewall +- [Updated] /Parsers/System/Check Point/Check Point Firewall JSON +- [Updated] /Parsers/System/Cisco/Cisco ISE +- [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush +- [Updated] /Parsers/System/Linux/Linux OS Syslog +- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers + +- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers \ No newline at end of file From c74045d2540a19930137a3324a5c7971f715a4ab Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Tue, 14 Jan 2025 16:32:52 -0600 Subject: [PATCH 2/2] Updates from review --- blog-cse/2025/01-14.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/blog-cse/2025/01-14.md b/blog-cse/2025/01-14.md index e2b525f380..b4688a03fc 100644 --- a/blog-cse/2025/01-14.md +++ b/blog-cse/2025/01-14.md 
@@ -1,10 +1,12 @@ ### January 14, 2025 - Content Release This content release includes: -- Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall, -- Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog +- Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall. +- Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog. -* Note: In ~2 weeks MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from OOTB Cloud SIEM Rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion. +:::note +In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion. +::: ## Log Mappers - [New] Azure DevOps Auditing Catch All 
@@ -20,15 +22,15 @@ This content release includes: - [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log - [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log - [Updated] Cisco ISE Authentication Failure - - Adds normalizedSeverity mapping + - Adds `normalizedSeverity` mapping - [Updated] Cisco ISE Authentication Success - - Adds normalizedSeverity mapping + - Adds `normalizedSeverity` mapping - [Updated] Cloudflare - Logpush - - Adds mapping for dns_query, http_hostname,http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol. + - Adds mapping for `dns_query`, `http_hostname`, `http_response_contentLength`, `http_response_contentType`, and an alternative value for `ipProtocol`. - [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect - - Adds mapping for normalizedAction + - Adds mapping for `normalizedActio`n - [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration - - Added support for additional events and mapping of file_path + - Added support for additional events and mapping of `file_path` ## Parsers - [New] /Parsers/System/Pfsense/Pfsense Firewall @@ -37,5 +39,4 @@ This content release includes: - [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush - [Updated] /Parsers/System/Linux/Linux OS Syslog - [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers - - [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers \ No newline at end of file
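Review bot: the Parsers list in the first commit's hunk adds the line "- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers" twice, separated by a blank line; drop the second copy and add a trailing newline so the file does not end with "\ No newline at end of file". The MATCH-S00604 deprecation is also written as a "* Note:" bullet, which renders as a stray list item rather than a callout; a ":::note" admonition would make the deletion warning visible to readers who need to duplicate the rule before it is removed.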
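Review bot: in the first hunk of the second commit, rewording "~2 weeks" as "In two weeks" turns an approximate timeframe into a firm one; if the deletion date is not fixed, keep the hedge ("In approximately two weeks") so customers do not plan the rule duplication against a date that may move. The ":::note" admonition and the added periods otherwise look good.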
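Review bot: the sshd mapping line in the second hunk of the second commit has a misplaced backtick: "Adds mapping for `normalizedActio`n" renders "normalizedActio" as code followed by a plain "n". It should read "Adds mapping for `normalizedAction`". The other code-span fixes in this hunk (normalizedSeverity, dns_query, http_hostname, http_response_contentLength, http_response_contentType, ipProtocol, file_path) are correct.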
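Review bot: the last hunk of the second commit correctly removes the duplicated "Linux Shared Syslog Headers" entry, but the file still ends without a trailing newline ("\ No newline at end of file" remains on the final line); add one so the next edit to this file does not show up as a spurious change to that line.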