From 1c582ff6f4d04d185133f42afc4464a0749ca8c7 Mon Sep 17 00:00:00 2001 From: Julian Crowley Date: Mon, 23 Dec 2024 10:37:18 -0700 Subject: [PATCH 1/2] Create 2024-12-20-content.md --- blog-cse/2024-12-20-content.md | 57 ++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 blog-cse/2024-12-20-content.md diff --git a/blog-cse/2024-12-20-content.md b/blog-cse/2024-12-20-content.md new file mode 100644 index 0000000000..bf6907895c --- /dev/null +++ b/blog-cse/2024-12-20-content.md 
@@ -0,0 +1,57 @@ +--- +title: December 20, 2024 - Content Release +hide_table_of_contents: true +keywords: + - log mappers + - log parsers + - detection rules +image: https://help.sumologic.com/img/sumo-square.png +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +This content release includes: +- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management) +- AWS Cloudtrail updates; + - Adds alternate mapping for user_userId in anticipation of AWS Identity Center CloudTrail logging change see https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/ for more information on the change. +- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower +- Rule updates +- Changes are are enumerated below. + +## Rules +- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country + - Rule has been replaced by FIRST-S00065 as this version was not enabled by default. 
+- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User + - Updated "First Seen" value from ClientInfoString to Client to reduce false positives +- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country + - Replaces FIRST-S00029 + +## Log Mappers +- [New] Dragos Catch All +- [New] Mindpoint Group Keeper Authentication +- [New] Mindpoint Group Keeper Catch All +- [New] Trust Login Authentication +- [New] Trust Login Catch All +- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications +- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events +- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication +- [Updated] CloudTrail Default Mapping +- [Updated] Firepower Catch All + - Additional new field mappings to support Firepower events and improve records classification +- [Updated] Palo Alto Config - Custom Parser + - Adds alternate field mappings +- [Updated] Palo Alto System - Custom Parser + - Adds alternate field mappings +- [Updated] Palo Alto System Auth - Custom Parser + - Support additional panorama-auth-success and alternate fields for mapped fields + +## Parsers +- [New] /Parsers/System/Dragos/Dragos +- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper +- [New] /Parsers/System/Trust Login/Trust Login +- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog + - Adds support for FTD 430002 and 430003 events +- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF + - Adds support for 'panorama-auth-success' events and improves timestamp handling. \ No newline at end of file From 535b23881b8014cbe89f303e4e2fa906251e4317 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 23 Dec 2024 12:34:59 -0600 Subject: [PATCH 2/2] Updates from review --- blog-cse/2024-12-20-content.md | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) 
diff --git a/blog-cse/2024-12-20-content.md b/blog-cse/2024-12-20-content.md index bf6907895c..932c83074e 100644 --- a/blog-cse/2024-12-20-content.md +++ b/blog-cse/2024-12-20-content.md 
@@ -13,20 +13,21 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon This content release includes: -- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management) -- AWS Cloudtrail updates; - - Adds alternate mapping for user_userId in anticipation of AWS Identity Center CloudTrail logging change see https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/ for more information on the change. -- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower -- Rule updates -- Changes are are enumerated below. +- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management). +- AWS Cloudtrail updates. + - Adds alternate mapping for `user_userId` in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/). +- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower. +- Rule updates. + +Changes are are enumerated below. ## Rules - [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country - Rule has been replaced by FIRST-S00065 as this version was not enabled by default. - [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User - - Updated "First Seen" value from ClientInfoString to Client to reduce false positives + - Updated "First Seen" value from ClientInfoString to Client to reduce false positives. - [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country - - Replaces FIRST-S00029 + - Replaces FIRST-S00029. ## Log Mappers - [New] Dragos Catch All 
@@ -39,19 +40,19 @@ This content release includes: - [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication - [Updated] CloudTrail Default Mapping - [Updated] Firepower Catch All - - Additional new field mappings to support Firepower events and improve records classification + - Additional new field mappings to support Firepower events and improve records classification. - [Updated] Palo Alto Config - Custom Parser - - Adds alternate field mappings + - Adds alternate field mappings. - [Updated] Palo Alto System - Custom Parser - - Adds alternate field mappings + - Adds alternate field mappings. - [Updated] Palo Alto System Auth - Custom Parser - - Support additional panorama-auth-success and alternate fields for mapped fields + - Support additional panorama-auth-success and alternate fields for mapped fields. ## Parsers - [New] /Parsers/System/Dragos/Dragos - [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper - [New] /Parsers/System/Trust Login/Trust Login - [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog - - Adds support for FTD 430002 and 430003 events + - Adds support for FTD 430002 and 430003 events. - [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF - Adds support for 'panorama-auth-success' events and improves timestamp handling. \ No newline at end of file
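Review bot: in the first patch's hunk `@@ -0,0 +1,57 @@`, the intro line `- Changes are are enumerated below.` doubles "are" and, as the last bullet of the release list, reads as a fifth release item rather than a transition sentence; make it a standalone `Changes are enumerated below.` In the same hunk `- AWS Cloudtrail updates;` ends with a semicolon where the sibling items have no terminal punctuation and spells the service `Cloudtrail`, while the nested bullet and the Log Mappers entries say `CloudTrail`; pick the AWS product spelling and end the item the same way as its siblings. The nested CloudTrail bullet also runs the bare URL into the sentence ("...logging change see https://aws.amazon.com/...for more information"), which is hard to follow once rendered; split it into its own sentence with a markdown link.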
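Review bot: the review hunk `@@ -13,20 +13,21 @@` still carries the duplicated word into the new standalone line `+Changes are are enumerated below.`, and `+- AWS Cloudtrail updates.` keeps the lowercase-t spelling while the nested bullet and the Log Mappers section use `CloudTrail`. Also in this hunk, the unchanged context line `FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User` has a doubled capital I; the Office 365 audit operation is spelled `MailItemsAccessed`, so confirm whether the published rule name really carries the extra letter before this goes out, since readers will search the catalog on that string.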
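Review bot: in hunk `@@ -39,19 +40,19 @@` the bullet `+ - Support additional panorama-auth-success and alternate fields for mapped fields.` is still ungrammatical after the period was added; suggest `- Supports additional panorama-auth-success events and alternate field mappings.` to match the parallel `Adds ...` bullets. The event name is unquoted here but appears as `'panorama-auth-success'` in the PAN Firewall LEEF parser bullet, while `user_userId` earlier was given backticks; use backticks for both occurrences for consistency. The file still ends with `\ No newline at end of file`; add a trailing newline so the next edit does not produce a noisy diff on the last line.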