From 6163ba3d2e714766f75624e6abdff5b566f69d2e Mon Sep 17 00:00:00 2001 From: Daniel Kaiser Date: Thu, 6 Nov 2025 15:54:14 -0700 Subject: [PATCH 1/2] 2025-11-06: release notes --- blog-cse/2025-11-06-content.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 blog-cse/2025-11-06-content.md diff --git a/blog-cse/2025-11-06-content.md b/blog-cse/2025-11-06-content.md new file mode 100644 index 0000000000..4d1d415514 --- /dev/null +++ b/blog-cse/2025-11-06-content.md 
@@ -0,0 +1,34 @@ +--- +title: November 6, 2025 - Content Release +image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082 +keywords: + - log mappers + - parsers +hide_table_of_contents: true +--- + +* This content release includes: + - An updated parser and new log mappers for Netskope Cloud Security for improved handling of Netskope DLP logs + - An updated mapper for Azure Audit Logs which repurposes the changeTarget field mapping for changed items such as groups + - Updated Azure rules to accommodate the repurposed changeTarget field + - Updated Keeper Authentication mapper to include the Success field + +Note: if you are ingesting Netskope Cloud Security Logs or Azure Audit Logs ensure that the log source is set to use the appropriate system parser: + - Netskope Cloud Security: /Parsers/System/Netskope/Netskope Security Cloud JSON + - Azure Audit Logs: /Parsers/System/Microsoft/Microsoft Azure JSON + +## Rules +- [Updated] MATCH-S00226 Azure - Add Member to Group +- [Updated] MATCH-S00220 Azure - Add Member to Role Outside of PIM +- [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role +- [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM +- [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role + +## Log Mappers +- [New] Netskope - DLP Alerts +- [New] Netskope - Incidents +- [Updated] AzureActivityLog AuditLogs +- [Updated] Keeper Authentication + +## Parsers +- [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON \ No newline at end of file From 3df4a6de68a92153e09bec11efa7ebd49d06b4dc Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 6 Nov 2025 17:21:11 -0600 Subject: [PATCH 2/2] Updates from review --- blog-cse/2025-11-06-content.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) 
diff --git a/blog-cse/2025-11-06-content.md b/blog-cse/2025-11-06-content.md index 4d1d415514..6ad07a8cdc 100644 --- a/blog-cse/2025-11-06-content.md +++ b/blog-cse/2025-11-06-content.md 
@@ -4,31 +4,34 @@ image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-cente keywords: - log mappers - parsers + - rules hide_table_of_contents: true --- -* This content release includes: - - An updated parser and new log mappers for Netskope Cloud Security for improved handling of Netskope DLP logs - - An updated mapper for Azure Audit Logs which repurposes the changeTarget field mapping for changed items such as groups - - Updated Azure rules to accommodate the repurposed changeTarget field - - Updated Keeper Authentication mapper to include the Success field +This content release includes: + - An updated parser and new log mappers for Netskope Cloud Security for improved handling of Netskope DLP logs. + - An updated mapper for Azure Audit Logs which repurposes the `changeTarget` field mapping for changed items such as groups. + - Updated Azure rules to accommodate the repurposed `changeTarget` field + - Updated Keeper Authentication mapper to include the `Success` field. 
-Note: if you are ingesting Netskope Cloud Security Logs or Azure Audit Logs ensure that the log source is set to use the appropriate system parser: +:::note +If you are ingesting Netskope Cloud Security Logs or Azure Audit Logs ensure that the log source is set to use the appropriate system parser: - Netskope Cloud Security: /Parsers/System/Netskope/Netskope Security Cloud JSON - Azure Audit Logs: /Parsers/System/Microsoft/Microsoft Azure JSON +::: -## Rules +### Rules - [Updated] MATCH-S00226 Azure - Add Member to Group - [Updated] MATCH-S00220 Azure - Add Member to Role Outside of PIM - [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role - [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM - [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role -## Log Mappers +### Log Mappers - [New] Netskope - DLP Alerts - [New] Netskope - Incidents - [Updated] AzureActivityLog AuditLogs - [Updated] Keeper Authentication -## Parsers +### Parsers - [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON \ No newline at end of file
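Review bot: The intro bullet in PATCH 1/2 stating that the Azure Audit Logs mapper "repurposes the changeTarget field mapping for changed items such as groups" does not say what the field carried before this release or where that earlier value is mapped now. The notes account for the five updated MATCH-S rules, but a reader with custom rules or saved queries that reference changeTarget for Azure Audit Logs cannot tell from this text whether their logic still matches after the change. Suggest adding one sentence that states the previous and the new meaning of the field, and advising readers to review custom content that depends on it.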
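Review bot: In the rewritten intro list of PATCH 2/2, the line "Updated Azure rules to accommodate the repurposed `changeTarget` field" is the only one of the four bullets left without a closing period; add it so the list is consistent. Inside the new :::note block, field names elsewhere in the file are now backticked, but the two parser paths (/Parsers/System/Netskope/Netskope Security Cloud JSON and /Parsers/System/Microsoft/Microsoft Azure JSON) are still plain text. Because both paths contain spaces, code formatting would make it unambiguous where each path ends when someone copies it into a source configuration. The sentence "If you are ingesting ... Azure Audit Logs ensure that" also needs a comma before "ensure", and the file still ends without a trailing newline (\ No newline at end of file).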