Merged
8 changes: 4 additions & 4 deletions blog-cse/2025-01-14-content.md
Expand Up @@ -20,7 +20,7 @@ This content release includes:
In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.
:::

## Log Mappers
### Log Mappers
- [New] Azure DevOps Auditing Catch All
- [New] Check Point Application Control URL Filtering
- [New] Cisco ISE Radius Diagnostics
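Review bot: the deprecation notice in this hunk's context dates the removal of MATCH-S00604 as "In two weeks", which becomes ambiguous as soon as the note is read outside the release week; since this is a dated release note, state the absolute removal date so customers know by when the duplicate rule must exist. The heading change from `## Log Mappers` to `### Log Mappers` itself looks right, as it matches the heading level used by the other content-release notes in this PR.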
Expand All @@ -40,15 +40,15 @@ In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted
- [Updated] Cloudflare - Logpush
- Adds mapping for `dns_query`, `http_hostname`, `http_response_contentLength`, `http_response_contentType`, and an alternative value for `ipProtocol`.
- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
- Adds mapping for `normalizedActio`n
- Adds mapping for `normalizedAction`
- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
- Added support for additional events and mapping of `file_path`

## Parsers
### Parsers
- [New] /Parsers/System/Pfsense/Pfsense Firewall
- [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
- [Updated] /Parsers/System/Cisco/Cisco ISE
- [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
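Review bot: the Parsers list at the end of this hunk shows `/Parsers/System/Linux/Shared/Linux Shared Syslog Headers` three times; if the merged file actually carries three identical bullets rather than this being a rendering artifact of the diff, collapse them into a single `- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers` entry. The backtick fix from `` `normalizedActio`n `` to `` `normalizedAction` `` is correct. Minor: the systemd bullet says "Added support for additional events" while the neighbouring bullets use "Adds mapping for ...", so align the tense.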
26 changes: 26 additions & 0 deletions blog-cse/2025-01-28-content.md
@@ -0,0 +1,26 @@
---
title: January 28, 2025 - Content Release
image: https://help.sumologic.com/img/sumo-square.png
keywords:
- log mappers
- parsers
hide_table_of_contents: true
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>

This content release includes:
- Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
- Adds parsing and mapping support for additional OpenVPN events.
- Adds additional timestamp format handling to Azure JSON log parsing.

### Log Mappers
- [Updated] Azure DevOps Auditing Catch All
- [Updated] OpenVPN Audit Event
- [Updated] OpenVPN Network Event

### Parsers
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog
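Review bot: the first bullet under "This content release includes" states that the Azure DevOps Auditing Catch All mapper now maps only Azure DevOps logs when ingested via Event Hubs C2C, but not what it now keys on to make that distinction; customers whose other Event Hubs sources were previously picked up by the catch-all mapper will see those records mapped differently after this release, so name the discriminating field or value (or at least say that other Event Hubs sources are no longer matched) so detection engineers can re-check rules that depended on the old behaviour. Likewise, "Adds additional timestamp format handling to Azure JSON log parsing" should name the timestamp format that is now accepted, since that is what a reader with previously unparsed events needs in order to confirm the fix applies to them.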