ReleaseNotes_c2204.3.md

Security Content i62.3 Release Notes

These Release Notes document security content updates from content package c2112.2 which is included with Advanced Analytics i62.3. The Release Notes show the updates to content as compared to the previous content package c2204.3 which was released in i62.2.

The security content updates listed below include changes to the following areas:

• Parsers

• Models

• Rules

In the lists below, each item represents a specific parser, model, or rule that has been added, updated, or deprecated. To facilitate finding every data source where the changed content items are referenced, a content library query has been created for each changed parser, model, or rule. To view the results of each query, click on the link for the relevant content item.

Parsers

• New

• Updated

• Deprecated

New Parsers

• ad-audit-json-4624

• ad-audit-json-4663-1

• ad-audit-json-4663

• ad-audit-json-4768

• ad-audit-json-4771

• ad-audit-json-5140

• airwatch-admin-loggedin

• airwatch-admin-login-failed

• apache-web-activity-1

• azure-atp-security-alert-5

• azure-atp-security-alert-6

• azure-event-hub-image-load

• azure-eventhubbeat-app-activity-1

• azure-eventhubbeat-app-activity-2

• azure-eventhubbeat-app-activity-3

• azure-eventhubbeat-app-activity-4

• azure-eventhubbeat-app-activity-5

• azure-eventhubbeat-app-activity-6

• azure-eventhubbeat-app-activity-7

• azure-eventhubbeat-app-activity-8

• azure-eventhubbeat-app-activity-9

• azure-eventhubbeat-app-activity

• beyondtrust-pi-account-password-change-1

• beyondtrust-pi-account-password-change

• beyondtrust-pi-account-switch

• beyondtrust-pi-app-activity-10

• beyondtrust-pi-app-activity-4

• beyondtrust-pi-app-activity-5

• beyondtrust-pi-app-activity-6

• beyondtrust-pi-app-activity-8

• beyondtrust-pi-app-activity-9

• beyondtrust-pi-privileged-access-1

• beyondtrust-pi-privileged-access

• carbonblack-edr-regmod

• cef-aws-guardduty-discovery-alert

• cef-carbonblack-file-alert

• cef-duo-app-activity-1

• cef-mimecast-email-alert-2

• checkpoint-network-alert-6

• checkpoint-network-connection-accept-2

• checkpoint-network-connection-allow

• cisco-asa-network-connection-successful

• cisco-esa-dlp-alert-2

• citrix-appfw-csrf-tag-1

• citrix-appfw-fieldconsistency-1

• citrix-appfw-referer-header-1

• citrix-appfw-starturl-1

• defender-atp-security-alert-11

• defender-atp-security-alert-12

• defender-atp-security-alert-13

• defender-atp-security-alert-14

• defender-atp-security-alert-15

• defender-atp-security-alert-16

• defender-atp-security-alert-9

• duo-app-activity-10

• duo-app-activity-1

• duo-app-activity-2

• duo-app-activity-3

• duo-app-activity-4

• duo-app-activity-6

• duo-app-activity-7

• duo-app-activity-8

• duo-app-activity-9

• exchange-failed-app-login

• forcepoint-network-connection-failed-5

• hp-ilo-app-login-1

• hp-ilo-app-login-2

• json-5156-1

• json-carbonblack-device-control-security-alert

• json-carbonblack-edr-fileless-scriptload

• json-carbonblack-edr-netconn

• json-carbonblack-edr-scriptload

• json-carbonblack-ngav-crossproc

• json-carbonblack-ngav-filemod

• json-carbonblack-ngav-netconn

• json-carbonblack-ngav-procstart

• json-carbonblack-ngav-regmod

• json-defender-alert-evidence

• json-defender-atp-alert

• json-sentinelone-process-alert

• json-sentinelone-process-created

• json-sentinelone-threat-file-delete

• json-sentinelone-threat-file-write-2

• json-sentinelone-threat-file-write

• json-sentinelone-threat-network-connection

• jsonar-database-login-1

• kaspersky-network-alert

• leef-carbonblack-file-alert-1

• leef-carbonblack-process-alert

• leef-carbonblack-security-alert

• leef-carbonblack-usb-activity

• leef-mssql-database-failed-login

• leef-mssql-database-login-1

• leef-mssql-database-login-2

• leef-paloalto-app-activity-1

• leef-paloalto-app-activity-2

• leef-paloalto-app-activity

• leef-paloalto-vpn-end

• leef-paloalto-vpn-login-1

• leef-paloalto-vpn-login

• leef-paloalto-vpn-start

• liquidfiles-app-login

• liquidfiles-failed-app-login

• liquidfiles-file-download

• liquidfiles-file-upload

• mcas-security-alert-2

• mcas-security-alert-3

• mcas-security-alert-4

• mcas-security-alert-5

• medigate-alert-iot

• medigate-security-alert

• mongodb-database-update-1

• mongodb-database-update

• o365-inbox-rules-forward-to-2

• o365-usb-write

• okta-member-removed

• onelogin-app-activity

• oracle-database-query-4

• oracle-db-access-2

• oracle-db-insert

• oracle-db-login-2

• oracle-db-query-4

• oracle-db-query-5

• oracle-db-update-1

• pan-virus-alert-1

• postgresql-database-login

• progress-db-remote-logon

• raw-4622

• raw-4649

• raw-4657-1

• raw-4674-5

• raw-4743-2

• raw-5142

• raw-5143-1

• raw-5144

• raw-5478

• raw-vpn-start-1

• s-carbonblack-security-alert-1

• s-carbonblack-security-alert

• s-mcafee-epo-alert-4

• s-mssql-database-query-al-1

• s-mssql-database-query-cr

• s-mssql-database-query-dl-1

• s-mssql-database-query-dr

• s-mssql-database-query-sl-1

• s-mssql-database-query-vw

• s-oracle-db-login-2

• s-proofpoint-email-alert-4

• s-xml-windows-member-4756

• s-xml-windows-member-4757

• s-zscaler-web-activity-6

• sentinelone-security-alert-10

• sentinelone-security-alert-2

• sentinelone-security-alert-3

• sentinelone-security-alert-4

• sentinelone-security-alert-5

• sentinelone-security-alert-6

• sentinelone-security-alert-7

• sentinelone-security-alert-8

• sentinelone-security-alert-9

• sigsci-web-activity-1

• win-external-device-recog-1

• windows-powershell-800

• xml-10016-1

• xml-30002

• xml-30004

• xml-30026

• xml-4657

• xml-4825

• xml-iis-6200-web-activity

• zscaler-dlp-alert-2

Updated Parsers

• ad-audit-4625

• airwatch-auth-successful

• airwatch-authentication

• airwatch-security-alerts

• aix-auth-failed

• aix-auth-successful

• aix-process-created

• aix-task-created-1

• aix-task-created

• akamai-security-alert

• asa-aaa-cef-vpn-start

• asa-aaa-vpn-start

• asa-aaa-vpn-stop

• asa-nap-cef-7.1.7-vpn-start

• asa-nap-cef-vpn-end

• asa-nap-cef-vpn-start

• asa-svc-cef-7.1.7-vpn-end

• asa-svc-cef-vpn-close

• asa-svc-vpn-713050-end

• asa-svc-vpn-716001-start

• asa-svc-vpn-716002-end

• asa-svc-vpn-716038-start

• asa-svc-vpn-716059-start

• asa-svc-vpn-751025-start

• asa-svc-vpn-start-iPhone

• asa-web-activity-716003

• azure-event-hub-file-events

• bluecoat-proxy-10

• bluecoat-proxy-11

• bluecoat-proxy-12

• bluecoat-proxy-13

• bluecoat-proxy-14

• bluecoat-proxy-15

• bluecoat-proxy-1

• bluecoat-proxy-2

• bluecoat-proxy-3

• bluecoat-proxy-4

• bluecoat-proxy-5

• bluecoat-proxy-6

• bluecoat-proxy-7

• bluecoat-proxy-8

• bluecoat-proxy-9

• bluecoat-proxy-v2

• carbonblack-edr-crossproc

• carbonblack-edr-filemod

• carbonblack-edr-netconn

• carbonblack-edr-procstart-1

• carbonblack-edr-procstart

• carbonblack-endpoint-process-file

• carbonblack-endpoint-process-network

• carbonblack-endpoint-process-start

• carbonblack-file-activity

• carbonblack-file-operations-1

• carbonblack-file-operations

• carbonblack-process-alert-1

• carbonblack-process-alert

• carbonblack-process-created-1

• carbonblack-process-created

• carbonblack-usb-insert-1

• carbonblack-usb-insert

• carbonblack-usb-removed-1

• cc-carbonblack-edr-crossproc

• cc-carbonblack-edr-filemod

• cc-carbonblack-edr-netconn

• cc-carbonblack-edr-procstart

• cc-carbonblack-process-alert-1

• cds-account-auth

• cds-process-creation

• cds-user-login

• cef-asa-113004-vpn-start

• cef-asa-svc-vpn-start

• cef-aws-guardduty

• cef-azure-event-hub-security

• cef-bit9-app-login

• cef-bit9-epp-alert

• cef-bit9-file-alert

• cef-bit9-process-alert

• cef-bit9-usb-activity

• cef-carbonblack-alert-1

• cef-carbonblack-alert-2

• cef-carbonblack-alert

• cef-carbonblack-app-login

• cef-carbonblack-edr-process-alert

• cef-carbonblack-endpoint-process

• cef-carbonblack-file-alert-3

• cef-carbonblack-file-create

• cef-carbonblack-file-read-1

• cef-carbonblack-file-read-2

• cef-carbonblack-file-write-1

• cef-carbonblack-file-write-2

• cef-carbonblack-file-write-3

• cef-carbonblack-file-write-4

• cef-carbonblack-local-logon-3

• cef-carbonblack-local-logon

• cef-carbonblack-network-connection-failed-1

• cef-carbonblack-network-connection-failed-2

• cef-carbonblack-network-connection-successful-1

• cef-carbonblack-network-connection-successful-2

• cef-carbonblack-process-alert-1

• cef-carbonblack-process-alert-2

• cef-carbonblack-process-alert-3

• cef-carbonblack-process-alert-query

• cef-carbonblack-process-alert-storage

• cef-carbonblack-process-alert

• cef-carbonblack-process-created-1

• cef-carbonblack-process-created-2

• cef-carbonblack-process-created-3

• cef-carbonblack-process-created-failed-1

• cef-carbonblack-process-created

• cef-carbonblack-usb-activity

• cef-carbonblack-workstation-locked-2

• cef-carbonblack-workstation-locked

• cef-carbonblack-workstation-unlocked-2

• cef-carbonblack-workstation-unlocked

• cef-cisco-acs-auth-failed

• cef-cisco-acs-auth-successful

• cef-cisco-asa-113039-vpn-start

• cef-cisco-asa-721016-vpn-start

• cef-cisco-asa-722041-vpn-login

• cef-cisco-asa-auth-successful

• cef-cisco-dns-response-sk4-2

• cef-cisco-dns-response-sk4-3

• cef-cisco-dns-response-sk4-4

• cef-cisco-dns-response-sk4-ad-computers

• cef-cisco-dns-response-sk4-ad-users

• cef-cisco-dns-response-sk4-internal-networks

• cef-cisco-dns-response-sk4-networks

• cef-cisco-dns-response-sk4-roaming-client

• cef-cisco-dns-response-sk4-roaming-computer

• cef-cisco-dns-response-sk4

• cef-cisco-firepower-dns-query

• cef-cisco-firepower

• cef-cisco-ise-nac-failed-logon

• cef-cisco-ise-nac-logon-1

• cef-cisco-ise-nac-logon-2

• cef-cisco-ise-nac-logon

• cef-cyberark-app-activity

• cef-cyberark-app-login

• cef-cyberark-password-change-1

• cef-cyberark-password-change

• cef-defender-atp-alert

• cef-defender-atp-batch-logon

• cef-defender-atp-file

• cef-defender-atp-local-logon

• cef-defender-atp-member-added

• cef-defender-atp-member-removed

• cef-defender-atp-network-con

• cef-defender-atp-process-1

• cef-defender-atp-process

• cef-defender-atp-remote-access

• cef-defender-atp-remote-logon

• cef-defender-atp-service-logon

• cef-defender-graph-security-alert

• cef-duo-app-activity

• cef-infoblox-network-alert

• cef-infoblox-network-connection

• cef-meraki-network-alert

• cef-microsoft-app-activity-10

• cef-microsoft-app-activity-11

• cef-microsoft-app-activity-12

• cef-microsoft-app-activity-13

• cef-microsoft-app-activity-17

• cef-microsoft-app-activity-18

• cef-microsoft-app-activity-19

• cef-microsoft-app-activity-1

• cef-microsoft-app-activity-20

• cef-microsoft-app-activity-21

• cef-microsoft-app-activity-22

• cef-microsoft-app-activity-23

• cef-microsoft-app-activity-24

• cef-microsoft-app-activity-25

• cef-microsoft-app-activity-26

• cef-microsoft-app-activity-27

• cef-microsoft-app-activity-28

• cef-microsoft-app-activity-29

• cef-microsoft-app-activity-2

• cef-microsoft-app-activity-30

• cef-microsoft-app-activity-31

• cef-microsoft-app-activity-32

• cef-microsoft-app-activity-33

• cef-microsoft-app-activity-34

• cef-microsoft-app-activity-35

• cef-microsoft-app-activity-36

• cef-microsoft-app-activity-37

• cef-microsoft-app-activity-39

• cef-microsoft-app-activity-3

• cef-microsoft-app-activity-40

• cef-microsoft-app-activity-41

• cef-microsoft-app-activity-42

• cef-microsoft-app-activity-43

• cef-microsoft-app-activity-44

• cef-microsoft-app-activity-4

• cef-microsoft-app-activity-51

• cef-microsoft-app-activity-52

• cef-microsoft-app-activity-5

• cef-microsoft-app-activity-7

• cef-microsoft-app-activity-8

• cef-microsoft-app-activity-9

• cef-microsoft-app-activity-inbox-rule

• cef-microsoft-dns-query

• cef-mimecast-dlp-email

• cef-mimecast-email-alert-1

• cef-mimecast-email-alert

• cef-mimecast-message-view

• cef-nac-logon

• cef-netskope-alert-1

• cef-netskope-alert-2

• cef-netskope-alert-anomaly

• cef-netskope-alert-compromise

• cef-netskope-alert-malsite

• cef-netskope-alert-policy

• cef-netskope-alert

• cef-netskope-app-activity-10

• cef-netskope-app-activity-11

• cef-netskope-app-activity-12

• cef-netskope-app-activity-13

• cef-netskope-app-activity-14

• cef-netskope-app-activity-15

• cef-netskope-app-activity-16

• cef-netskope-app-activity-17

• cef-netskope-app-activity-18

• cef-netskope-app-activity-19

• cef-netskope-app-activity-1

• cef-netskope-app-activity-2

• cef-netskope-app-activity-3

• cef-netskope-app-activity-45

• cef-netskope-app-activity-46

• cef-netskope-app-activity-47

• cef-netskope-app-activity-48

• cef-netskope-app-activity-49

• cef-netskope-app-activity-4

• cef-netskope-app-activity-50

• cef-netskope-app-activity-51

• cef-netskope-app-activity-5

• cef-netskope-app-activity-6

• cef-netskope-app-activity-7

• cef-netskope-app-activity-8

• cef-netskope-app-activity-9

• cef-netskope-app-login-1

• cef-netskope-app-login-2

• cef-netskope-dlp-alert-1

• cef-netskope-dlp-alert

• cef-netskope-dlp-email-alert-1

• cef-netskope-failed-app-login

• cef-netskope-web-activity-1

• cef-netskope-web-activity

• cef-netskope-web-policy-1

• cef-netskope-web-policy

• cef-okta-account-password-reset

• cef-okta-account-unlocked

• cef-okta-app-login-1

• cef-okta-app-login

• cef-okta-logs-app-activity

• cef-onelogin-app-activity

• cef-pingid-auth

• cef-proofpoint-dlp-alert-1

• cef-proofpoint-email-in-1

• cef-proofpoint-email-in-failed

• cef-proofpoint-email-out-failed

• cef-proofpoint-email-out

• cef-salesforce-app-activity-26

• cef-salesforce-app-activity-34

• cef-salesforce-app-login

• cef-salesforce-failed-app-login

• cef-salesforce-file-download

• cef-salesforce-file-upload

• cef-sentinelone-security-alert-3

• cef-sentinelone-security-alert-6

• cef-sourcefire-estreamer-alert

• cef-stealthwatch-network-alert

• centrify-account-password-change-failed-1

• centrify-account-switch

• centrify-app-activity

• centrify-auth-denied

• centrify-auth-success

• centrify-authentication-failed-1

• centrify-authentication-failed-2

• centrify-authentication-success-1

• centrify-failed-logon-1

• centrify-failed-logon-2

• centrify-failed-logon

• centrify-file-access

• centrify-local-logon

• centrify-process

• centrify-remote-logon-1

• centrify-remote-logon-2

• centrify-ssh-login-failed

• centrify-ssh-login

• checkpoint-auth-failed

• checkpoint-auth-successful-1

• checkpoint-auth-successful

• checkpoint-dlp-alert-out

• checkpoint-network-connection-accept-1

• checkpoint-network-connection-drop-1

• checkpoint-network-decrypt

• checkpoint-network-encrypt

• checkpoint-vpn-connection

• checkpoint-vpn-login-6

• cisco-2960-auth-failed-1

• cisco-2960-auth-failed

• cisco-2960-auth-successful

• cisco-acs-auth-failed

• cisco-acs-auth-success-2

• cisco-acs-auth-success

• cisco-acs-nac-logon

• cisco-acs-system-activity-1

• cisco-acs-vpn-login-failed

• cisco-acs-vpn-login

• cisco-acs-vpn-logout

• cisco-adc-web-activity

• cisco-airespace-network-alert

• cisco-app-activity

• cisco-asa-113015

• cisco-asa-746016

• cisco-asa-auth-failed

• cisco-asa-auth-successful

• cisco-asa-authentication-successful

• cisco-asa-connection-built-302013

• cisco-asa-connection-stop

• cisco-asa-connection-teardown

• cisco-asa-process-created-1

• cisco-asa-process-created

• cisco-asa-vpn-login

• cisco-auth-failed-1

• cisco-auth-failed-2

• cisco-auth-failed

• cisco-auth-successful-1

• cisco-auth-successful-2

• cisco-auth-successful

• cisco-config-change

• cisco-dhcp

• cisco-dns-response-1

• cisco-dns-response

• cisco-esa-dlp-alert-1

• cisco-esa-dlp-alert

• cisco-file-activity

• cisco-firesight-alert

• cisco-fpr-113004

• cisco-ftd-113004

• cisco-ftd-716039

• cisco-ftd-721016

• cisco-ftd-721018

• cisco-ftd-722041

• cisco-ftd-746014

• cisco-ftd-746015

• cisco-ftd-746016

• cisco-ftd-connection-built-302013

• cisco-ftd-connection-stop

• cisco-ftd-connection-teardown

• cisco-ftd-file-download

• cisco-ftd-firewall-1

• cisco-ftd-firewall-2

• cisco-ftd-firewall-3

• cisco-ftd-firewall-4

• cisco-ftd-firewall-5

• cisco-ftd-firewall-6

• cisco-ftd-firewall-7

• cisco-ftd-firewall-8

• cisco-ftd-firewall-9

• cisco-ftd-permit-any

• cisco-ftd-process-created-1

• cisco-ftd-process-created-2

• cisco-ftd-process-created

• cisco-ise-nac-ssh-login

• cisco-ise-tacacs-login

• cisco-ise-vpn-logout

• cisco-meraki-vpn-start

• cisco-meraki-vpn-stop

• cisco-meraki-web-activity

• cisco-nac-failed-logon

• cisco-nac-logon-1

• cisco-nac-logon-2

• cisco-nac-logon-3

• cisco-nac-logon

• cisco-netflow-connection-1

• cisco-netflow-connection-2

• cisco-netflow-connection

• cisco-process-created

• cisco-sourcefire-alert

• cisco-ssh-login

• cisco-umbrella-intelligent-proxy

• cisco-w3c-proxy

• cisco-wsa-squid-proxy

• cisco-wsa-web-activity-1

• cisco-wsa-web-activity

• cise-config-change-1

• cise-config-change

• cise-remote-logon-1

• cise-remote-logon-2

• cise-remote-logon-3

• cise-remote-logon

• cl-cisco-dns-response-sk4-4

• confer-alert

• crowdstrike-auth-failed-1

• crowdstrike-auth-failed-2

• crowdstrike-file-delete-1

• crowdstrike-file-download-1

• crowdstrike-file-download

• crowdstrike-file-process-alert-2

• crowdstrike-file-read-2

• crowdstrike-file-read

• crowdstrike-file-write-10

• crowdstrike-file-write-11

• crowdstrike-file-write-12

• crowdstrike-file-write-13

• crowdstrike-file-write-14

• crowdstrike-file-write-2

• crowdstrike-file-write-3

• crowdstrike-file-write-4

• crowdstrike-file-write-5

• crowdstrike-file-write-6

• crowdstrike-file-write-7

• crowdstrike-file-write-8

• crowdstrike-file-write-9

• crowdstrike-file-write

• crowdstrike-host-info

• crowdstrike-logon-2

• crowdstrike-logon

• crowdstrike-modify-binary

• crowdstrike-process-created-1

• crowdstrike-process-created-2

• crowdstrike-security-alert-2

• crowdstrike-service-created

• crowdstrike-user-identity

• cws-proxy-1

• cws-proxy

• cyberark-account-switch

• cyberark-app-login

• cyberark-password-change

• cyberark-process-alert

• defender-atp-file-events

• defender-atp-logon

• defender-atp-network

• defender-atp-process-2

• defender-atp-process

• dhcpd-dhcpack-logon

• dhcpd-renew

• elk-cisco-wsa-web-activity

• estreamer-dns-query

• exa-app-activity-1

• exa-app-activity-2

• exa-app-activity-3

• exa-app-activity-4

• exa-app-activity-5

• exa-app-activity-6

• exa-app-activity-7

• exa-app-login-aa

• exa-app-login

• exa-cor-rule-alerts

• exa-failed-app-login

• exa-log-source-added

• exalms-4625

• f5-dlp-email-out

• f5-network-connection-2

• f5-network-connection-3

• f5-network-connection-4

• f5-ssh-failed-logon

• f5-ssh-login-successful

• falcon-dns-request

• firepower-dns-response

• firepower-network-alert-1

• firepower-network-alert

• forcepoint-proxy

• fortinet-0102043039

• fortinet-network-connection

• googlecloud-cloudresourcemanager-activity

• googlecloud-storage-activity

• infoblox-remote-logon

• json-4625-2

• json-4625

• json-4648

• json-4672

• json-4771

• json-cisco-cloudlock-dlp

• json-cisco-firesight-alert-1

• json-cisco-netflow-connection-1

• json-cisco-netflow-connection

• json-cyberark-privileged-object-access

• json-microsoft-app-activity-10

• json-microsoft-app-activity-11

• json-microsoft-app-activity-12

• json-microsoft-app-activity-17

• json-microsoft-app-activity-19

• json-microsoft-app-activity-1

• json-microsoft-app-activity-2

• json-microsoft-app-activity-31

• json-microsoft-app-activity-5

• json-microsoft-app-activity-6

• json-microsoft-app-activity-8

• json-microsoft-app-activity-9

• json-netskope-app-activity-17

• json-netskope-app-activity-18

• json-netskope-app-login

• json-netskope-failed-app-login

• json-o365-file-write-7

• json-okta-app-login-1

• json-okta-app-login

• json-okta-authentication-failed-3

• json-okta-authentication-failed-4

• json-okta-authentication-failed-5

• json-okta-authentication-success

• json-okta-failed-app-login-4

• json-okta-failed-app-login-5

• json-okta-failed-app-login-6

• json-okta-security-alert

• juniper-firewall-network-connection-close-1

• juniper-firewall-network-connection-deny-2

• kerberos-as

• kerberos-tgs

• l-4674

• l-4725

• lastline-security-alert-1

• lastline-security-alert-2

• lastline-security-alert-3

• lastpass-app-activity

• leef-bit9-security-alert

• leef-carbonblack-file-alert

• leef-carbonblack-local-logon-1

• leef-carbonblack-local-logon-2

• leef-carbonblack-workstation-locked

• leef-carbonblack-workstation-unlocked

• leef-cyberark-app-activity

• leef-lastline-security-alert

• leef-stealthwatch-network-alert

• meraki-firepower-active-dir

• meraki-ip-flow-start

• meraki-network-alert

• meraki-network-connection-1

• meraki-network-connection

• meraki-web-activity-denied

• microsoft-app-activity-1

• microsoft-app-activity-2

• microsoft-nps-6273

• microsoft-nps-6274

• microsoft-nps-6278

• ms-azure-eventhubs-app-activity

• ms-azure-eventhubs-login

• n-forwarded-cef-asa-nap-vpn-end

• n-forwarded-cef-asa-nap-vpn-start

• n-forwarded-cef-asa-svc-vpn-end

• n-forwarded-cef-asa-svc-vpn-start

• n-forwarded-cef-lastline

• n-forwarded-cef-nac-logon

• named-dns-query

• netscope-dlp-alert-activity

• netskope-activity

• netskope-alert

• netskope-app-activity

• netskope-dlp-alert

• netskope-login

• netskope-network-connection

• netskope-security-alert

• netskope-web-activity

• o365-inbox-activity

• o365-phishing-alert

• o365-sharepoint-activity

• paloalto-app-activity-1

• paloalto-app-activity-2

• paloalto-app-activity-3

• paloalto-app-activity

• paloalto-firewall-alert-1

• paloalto-firewall-allow-1

• paloalto-firewall-traffic-deny

• paloalto-firewall-traffic-drop

• paloalto-vpn-end

• paloalto-vpn-login-1

• paloalto-vpn-login-2

• paloalto-vpn-login-3

• paloalto-vpn-login

• paloalto-vpn-start

• paloalto-web-activity-1

• pan-failed-vpn-login

• pan-file-alert

• pan-spyware-alert

• pan-vpn-login-1

• pan-vpn-logout-1

• pan-vulnerability-alert

• powershell-process-created

• proofpoint-email-6

• q-1102

• q-asa-6-113039-vpn-start

• q-asa-722037-vpn-end

• q-bit9-epp-alert

• q-box-app-activity

• q-cisco-acs-nac-logon

• q-cisco-dns-response

• q-firesight-alert-2

• q-firesight-alert-3

• q-firesight-alert-4

• q-firesight-alert

• q-process-alert-carbonblack-1

• q-process-alert-carbonblack

• q-snort-alert

• q-unix-as

• q-varonis-file-activity

• q-wsa-proxy

• r-asa-aaa-vpn-end

• r-asa-aaa-vpn-start

• raw-1102

• raw-4624-7

• raw-4624-8

• raw-4624

• raw-4625-1

• raw-4625

• raw-4648

• raw-4662

• raw-4672

• raw-4673-1

• raw-4674

• raw-4723

• raw-4738

• raw-4767

• raw-4768

• raw-4769

• raw-4771

• raw-4776-3

• raw-4779

• raw-5156

• raw-asa-113004-vpn-start

• raw-asa-113005-1

• raw-asa-113005-2

• raw-asa-113005

• raw-asa-713184-vpn-start

• raw-asa-713228-vpn-start

• raw-asa-nap-vpn-end

• raw-asa-svc-vpn-end

• raw-asa-svc-vpn-start

• raw-cisco-vpnconcentrator-end

• raw-cisco-vpnconcentrator-start

• raw-pan-vpn-login-1

• raw-process-created-1

• raw-unix-account-created

• raw-unix-account-deleted

• raw-unix-dhcp-reversemap

• raw-unix-dhcp

• raw-unix-dns-appliedadd

• raw-unix-member-added-1

• raw-unix-member-added-2

• raw-unix-member-removed

• raw-unix-password-change

• raw-unix-su

• raw-windows-account-4720

• raw-windows-account-4725

• raw-windows-account-4740

• rs-4625

• s-1102

• s-4719

• s-4800

• s-4801

• s-asa-605005

• s-aws-cloudtrail-activity-json

• s-aws-cloudtrail-assumedrole-json

• s-aws-cloudtrail-iam

• s-aws-cloudtrail-login-json

• s-aws-cloudtrail-s3-activity

• s-aws-netflow-connection-reject

• s-aws-netflow-connection

• s-bit9-epp-alert

• s-cisco-acs-app-activity

• s-cisco-acs-auth-failed

• s-cisco-acs-auth-successful

• s-cisco-acs-nac-failed-logon

• s-cisco-acs-nac-logon

• s-cisco-amp-alert-10

• s-cisco-amp-alert-11

• s-cisco-amp-alert-13

• s-cisco-amp-alert-14

• s-cisco-amp-alert-15

• s-cisco-amp-alert-16

• s-cisco-amp-alert-1

• s-cisco-amp-alert-2

• s-cisco-amp-alert-3

• s-cisco-amp-alert-5

• s-cisco-amp-alert-7

• s-cisco-amp-alert-8

• s-cisco-amp-alert-9

• s-crowdstrike-app-login-10

• s-crowdstrike-app-login-1

• s-crowdstrike-app-login-2

• s-crowdstrike-app-login-3

• s-crowdstrike-app-login-4

• s-crowdstrike-app-login-5

• s-crowdstrike-app-login-6

• s-crowdstrike-app-login-7

• s-crowdstrike-app-login-8

• s-crowdstrike-app-login-9

• s-crowdstrike-app-login

• s-crowdstrike-failed-logon

• s-crowdstrike-process-alert

• s-crowdstrike-security-alert

• s-cws-proxy

• s-duo-auth-json

• s-estreamer-network-connection-1

• s-estreamer-network-connection-2

• s-estreamer-network-connection

• s-estreamer-security-alert

• s-member-removed-2008

• s-mssql-database-login-1

• s-mssql-database-login-failed-xml

• s-mssql-database-login-failed

• s-mssql-database-login-xml

• s-mssql-database-login

• s-mssql-database-query-al-xml

• s-mssql-database-query-al

• s-mssql-database-query-dl-xml

• s-mssql-database-query-dl

• s-mssql-database-query-sl-xml

• s-mssql-database-query-sl

• s-nac-failed-logon-1

• s-nac-failed-logon-2

• s-nac-failed-logon

• s-nac-logon-1

• s-nac-logon-2

• s-nac-logon

• s-netskope-activity

• s-netskope-login

• s-okta-app-login-1

• s-okta-app-login-2

• s-okta-app-login-3

• s-okta-app-login-4

• s-okta-app-login

• s-opendns-dns-response-10

• s-opendns-dns-response-1

• s-opendns-dns-response-2

• s-opendns-dns-response-3

• s-opendns-dns-response-4

• s-opendns-dns-response-5

• s-opendns-dns-response-6

• s-opendns-dns-response-7

• s-opendns-dns-response-8

• s-opendns-dns-response-9

• s-opendns-dns-response

• s-oracle-db-execute-1

• s-oracle-db-query

• s-oracle-db-select-1

• s-panngwf-spyware-alert

• s-process-alert-carbonblack-1

• s-process-alert-carbonblack-2

• s-process-alert-carbonblack

• s-process-created-carbonblack

• s-process-network-carbonblack

• s-stealthwatch-network-alert

• s-tanium-security-alert-5

• s-unix-auth-event

• s-zscaler-web-activity-2

• s-zscaler-web-activity

• sftp-file-close

• sftp-file-open

• sftp-file-rename

• sftp-remote-logon

• siebel-db-query

• sigsci-web-activity

• snare-1102

• snare-unix-su-1

• snare-unix-su-2

• sophos-security-alert-1

• sourcefire-estreamer-alert-2

• sourcefire-estreamer-alert

• sourcefire-network-alert-1

• sourcefire-network-alert-2

• sourcefire-network-alert-3

• sourcefire-network-alert-4

• sourcefire-network-alert-5

• sourcefire-network-alert

• sourcefire-proxy-1

• sourcefire-proxy

• sourcefire-security-alert

• spanish-raw-4625

• stealthwatch-network-alert-1

• stealthwatch-network-alert-2

• stealthwatch-network-alert-3

• stealthwatch-network-alert-4

• stealthwatch-network-alert

• syslog-bit9-file-alert

• syslog-cisco-cta-security-alert

• syslog-cisco-wsa-web-activity

• syslog-dhcpd-4

• sysmon-registry-set-2

• tacacs-process-created

• tanium-process-alert

• thycotic-account-switch

• thycotic-app-activity

• thycotic-app-login

• thycotic-failed-app-login

• u-googledrive-file-activity

• u-googledrive-file-permission-change

• u-mcafee-epo-alert

• unix-as

• unix-auditd-login-2

• unix-auditd-login

• unix-auth-event-2

• unix-auth-failed-1

• unix-auth-failed-3

• unix-auth-failed-5

• unix-auth-failed

• unix-authentication-fail

• unix-authentication-failed-1

• unix-authentication-successful

• unix-dlp-email-out

• unix-failed-logon-10

• unix-failed-logon-11

• unix-failed-logon-12

• unix-failed-logon-3

• unix-failed-logon-8

• unix-failed-logon-9

• unix-file-operation

• unix-local-logon-1

• unix-local-logon

• unix-pam-ssh-login

• unix-process-created

• unix-remote-access

• unix-remote-logon-1

• unix-remote-logon-2

• unix-remote-logon-3

• unix-ssh-login-failed-2

• unix-ssh-login

• vmware-esxi-login-1

• wazuh-4624

• wazuh-4625

• wazuh-4673

• wazuh-4738

• wazuh-4767

• wazuh-4776

• wazuh-4779

• wazuh-sql-login

• xml-1102

• xml-4625-1

• xml-4625

• xml-4662

• xml-4688

• xml-4769

• xml-4776

• xml-5145-1

• xml-5145

• xml-5157

• xml-6272

• xml-member-removed-2008

Deprecated Parsers

• s-carbonblack-process-alert

• s-okta-failed-login-3

Models

• New

• Updated

• Deprecated

New Models

• A-FA-StartupFolder-OH – Hosts where programs were added to startup folders in the organization

• A-RA-LogonRunKeys-OH – Hosts where programs add to the registry run keys in the organization.

• A-WEB-Mime-Types-Src – Web Activity MIME types for asset in organization

• FA-StartupFolder-OU – Users that add programs to the startup folders

• RA-LogonRunKeys-OU – Users that add programs to the registry run keys

• WEB-Mime-Types-Org – MIME types in the organization

Updated Models

• A-EPA-CSC – Tracks csc activity for the asset.

• A-EPA-OH-CENUM – Assets on which credential enumeration tools are run

• A-EPA-OH-HENUM – Assets on which host enumeration tools are run

• A-EPA-REG-WU – Models reg query activity for windows update on the assets.

• A-FLDh-Count – Count of failed logons to host

• A-NETFLOW-dZBytes – Inbound bytes per zone

• A-NETFLOW-sH22Bytes – Outbound bytes through SSH protocol

• A-NETFLOW-sH23Bytes – Outbound bytes through Telnet protocol

• A-NETFLOW-sH25Bytes – Outbound bytes through SMTP protocol

• A-NETFLOW-sH443Bytes – Outbound bytes through HTTPS protocol

• A-NETFLOW-sH53Bytes – Outbound bytes through DNS protocol

• A-NETFLOW-sH80Bytes – Outbound bytes through HTTP protocol

• A-NETFLOW-sHFTPBytes – Outbound bytes through FTP protocol

• AL-HT-EXEC – Executive Assets

• DS-APRIV – Privileged user attributes

• DS-OA – Non-privileged attributes in the organization

• DS-UA – Attributes per privileged user

• EM-EXEC – E-mail subjects sent by an executive user

• FA-FT-EXEC – Executive Folders

• WPA-PD – Directories per process

• WPA-USH – Source hosts with privileged access events for user

Deprecated Models

There are no deprecated models in this release.

Rules

• New

• Updated

• Deprecated

New Rules

• A-ALERT-Log4j – Alert associated with an exploitation or post exploitation as seen with Log4j Vulnerability was detected.

• A-APP-Log4j-String – There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability on this asset.

• A-App-Log4j-String-2 – There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

• A-EPA-HP-Commands-A – Abnormal execution of process on asset and the command of the process is curl/wget

• A-EPA-HP-Commands-F – First execution of process on asset and the command of the process is curl/wget

• A-EPA-HP-CrontabMod-A – Abnormal execution of process on asset and the command of the process is crontab modification

• A-EPA-HP-CrontabMod-F – First execution of process on asset and the command of the process is crontab modification

• A-EPA-Log4j-String-Command-2 – There was an attempt via process creation to exploit the CVE-2021-44228 vulnerability using known keywords on this asset.

• A-EPA-Log4j-String-Command – There was an attempt via process creation to exploit the CVE-2021-44228 vulnerability on this asset.

• A-FA-StartupFolder-OH-A – Abnormal addition of a program to the startup folder on the asset

• A-FA-StartupFolder-OH-F – A program was added to the startup folder for the first time on this asset

• A-KnownFirewallDisable-Log4j – FireWall disable arguments via command line were detected on this asset.

• A-Log4j-Vul-Alert – Alert for the CVE-2021-44228 vulnerability on the asset.

• A-NET-Log4j-IP – Asset was accessed by an external IP associated with Log4j exploit

• A-NETF-Log4j-IP – There was a failed attempt to access this asset by an external IP associated with Log4j exploit

• A-RA-LogonRunKeys-OH-A – Abnormal addition of a program to the registry run key on this asset

• A-RA-LogonRunKeys-OH-F – A program was added to the registry run key on this asset at the first time

• A-WEB-Base64CommandUserAgent – User agent with encoded commands was detected from this web activity.

• A-WEB-Log4j-String-2 – There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

• A-WEB-Log4j-String – There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability on this asset.

• A-WEB-Mime-Types-Org-F – First occurence of this mime type on this asset for organization

• APP-Log4j-String-2 – There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords.

• APP-Log4j-String – There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability.

• DLP-Log4j-String-2 – There was an attempt via email message to exploit the CVE-2021-44228 vulnerability using known keywords.

• DLP-Log4j-String – There was an attempt via email message to exploit the CVE-2021-44228 vulnerability.

• EPA-HP-Commands-F – First execution of process on host and the command of the process is curl/wget

• EPA-Log4j-String-Command-2 – There was an attempt via process creation to exploit the CVE-2021-44228 vulnerability using known keywords.

• EPA-Log4j-String-Command – There was an attempt via process creation to exploit the CVE-2021-44228 vulnerability by the user.

• EPA-UP-Commands-A – Abnormal process execution containing wget or curl commands for the user.

• EPA-UP-Commands-F – First execution of this process for user and the command of the process is curl/wget

• EPA-UP-CrontabMod-A – Abnormal execution of of process which contains commands for crontab modification for user.

• EPA-UP-CrontabMod-F – First execution of process which contains commands for crontab modification for user.

• FA-StartupFolder-OU-A – Abnormal program addition to the startup folder by the user.

• FA-StartupFolder-OU-F – A program was added to the startup folder for the first time by the user

• Log4j-Vul-Alert – Alert for the CVE-2021-44228 vulnerability

• RA-LogonRunKeys-OU-A – Abnormal addition of a program to the registry run key by the user

• RA-LogonRunKeys-OU-F – A program was added to the registry run key for the first time by the user

• WEB-Log4j-String-2 – There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords.

• WEB-Log4j-String – There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability.

• WEB-Mime-Types-Org-F – First occurence of this mime type for organization

Updated Rules

There are no updated rules in this release.

Deprecated Rules

There are no deprecated rules in this release.