Skip to content

Cloud SIEM content release notes for December 20, 2024 #4901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 23, 2024
Merged

Cloud SIEM content release notes for December 20, 2024 #4901

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1c582ff
Create 2024-12-20-content.md
jc-sumo Dec 23, 2024
535b238
Updates from review
jpipkin1 Dec 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions blog-cse/2024-12-20-content.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
---
title: December 20, 2024 - Content Release
hide_table_of_contents: true
keywords:
- log mappers
- log parsers
- detection rules
image: https://help.sumologic.com/img/sumo-square.png
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>

This content release includes:
- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management).
- AWS Cloudtrail updates.
- Adds alternate mapping for `user_userId` in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/).
- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower.
- Rule updates.

Changes are are enumerated below.

## Rules
- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
- Rule has been replaced by FIRST-S00065 as this version was not enabled by default.
- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User
- Updated "First Seen" value from ClientInfoString to Client to reduce false positives.
- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
- Replaces FIRST-S00029.

## Log Mappers
- [New] Dragos Catch All
- [New] Mindpoint Group Keeper Authentication
- [New] Mindpoint Group Keeper Catch All
- [New] Trust Login Authentication
- [New] Trust Login Catch All
- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
- [Updated] CloudTrail Default Mapping
- [Updated] Firepower Catch All
- Additional new field mappings to support Firepower events and improve records classification.
- [Updated] Palo Alto Config - Custom Parser
- Adds alternate field mappings.
- [Updated] Palo Alto System - Custom Parser
- Adds alternate field mappings.
- [Updated] Palo Alto System Auth - Custom Parser
- Support additional panorama-auth-success and alternate fields for mapped fields.

## Parsers
- [New] /Parsers/System/Dragos/Dragos
- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
- [New] /Parsers/System/Trust Login/Trust Login
- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
- Adds support for FTD 430002 and 430003 events.
- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
- Adds support for 'panorama-auth-success' events and improves timestamp handling.
Loading