Skip to content

CSIEM Content Notes 2025-01-14 #4963

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 14, 2025
Merged

CSIEM Content Notes 2025-01-14 #4963

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0b5f3d6
CSIEM Content Notes 2025-01-14
jc-sumo Jan 14, 2025
c74045d
Updates from review
jpipkin1 Jan 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions blog-cse/2025/01-14.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
### January 14, 2025 - Content Release

This content release includes:
- Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
- Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

:::note
In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.
:::

## Log Mappers
- [New] Azure DevOps Auditing Catch All
- [New] Check Point Application Control URL Filtering
- [New] Cisco ISE Radius Diagnostics
- [New] Linux OS Syslog - KRB5 Child - Authentication Failure
- [New] Linux OS Syslog - Process systemd - Systemd Session
- [New] Linux OS Syslog - Process systemd - Systemd Session Scope
- [New] Linux OS Syslog - Process systemd - session logout
- [New] Pfsense Firewall filterlog
- [New] Pfsense Firewall nginx
- [New] Pfsense Firewall openvpn Authentication
- [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
- [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
- [Updated] Cisco ISE Authentication Failure
- Adds `normalizedSeverity` mapping
- [Updated] Cisco ISE Authentication Success
- Adds `normalizedSeverity` mapping
- [Updated] Cloudflare - Logpush
- Adds mapping for `dns_query`, `http_hostname`, `http_response_contentLength`, `http_response_contentType`, and an alternative value for `ipProtocol`.
- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
- Adds mapping for `normalizedActio`n
- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
- Added support for additional events and mapping of `file_path`

## Parsers
- [New] /Parsers/System/Pfsense/Pfsense Firewall
- [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
- [Updated] /Parsers/System/Cisco/Cisco ISE
- [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
Loading