ReleaseNotes_c2206.2.md

Security Content c2206.2 Release Notes

These Release Notes document security content updates from content package c2204.3 to c2206.2.

The security content updates listed below include changes to the following areas:

• Parsers

• Models

• Rules

In the lists below, each item represents a specific parser, model, or rule that has been added, updated, or deprecated. To facilitate finding every data source where the changed content items are referenced, a content library query has been created for each changed parser, model, or rule. To view the results of each query, click on the link for the relevant content item.

Parsers

• New

• Updated

• Deprecated

New Parsers

• bluecat-networks-dhcp

• cef-okta-member-added

• cisco-wlc-remote-logon

• digipass-nac-logon-2

• duo-app-login-1

• exchange-app-login-1

• exchange-app-login

• f5-big-ip-authentication-successful

• json-4622

• json-4724-2

• json-4800-1

• json-5140-1

• json-5145-1

• json-6272

• json-6273

• json-6416

• json-paloalto-firewall-traffic-drop

• json-paloalto-ngfw-network-connection

• json-pan-file-alert

• o365-failed-app-login

• paloalto-ngfw-network-connection

• raw-1149-1

• rubrik-app-login

• s-infoblox-dhcp-4

• s-proofpoint-email-in-2

• sailpoint-app-activity-3

• vectra-authentication-attempt

• vectra-dlp-email-alert

• vectra-file-operations

• vectra-ntlm-logon

• vectra-web-activity

Updated Parsers

• ad-audit-4740

• asa-svc-vpn-716001-start

• asa-svc-vpn-716002-end

• asa-svc-vpn-716038-start

• asa-svc-vpn-716059-start

• auditd-unix-process-created

• azure-ad-account-password-change-2

• azure-ad-account-password-change-3

• azure-ad-member-added-1

• azure-app-activity-2

• azure-app-activity-3

• azure-app-activity-4

• azure-app-activity-5

• azure-app-activity-6

• azure-app-activity-7

• beyondtrust-app-activity

• beyondtrust-app-login

• beyondtrust-failed-app-login

• bluecoat-proxy-10

• bluecoat-proxy-11

• bluecoat-proxy-12

• bluecoat-proxy-13

• bluecoat-proxy-14

• bluecoat-proxy-15

• bluecoat-proxy-1

• bluecoat-proxy-2

• bluecoat-proxy-3

• bluecoat-proxy-4

• bluecoat-proxy-5

• bluecoat-proxy-6

• bluecoat-proxy-7

• bluecoat-proxy-8

• bluecoat-proxy-9

• bro-rdp-remote-logon-1

• bro-rdp-remote-logon-2

• cef-4648

• cef-4740

• cef-4771

• cef-aws-guardduty-discovery-alert

• cef-aws-guardduty

• cef-cisco-dns-response-sk4-ad-users

• cef-crowdstrike-alert

• cef-cyberark-security-alert-1

• cef-darktrace

• cef-defender-atp-alert

• cef-defender-atp-file

• cef-defender-atp-member-added

• cef-defender-atp-member-removed

• cef-defender-atp-network-con

• cef-defender-atp-process-1

• cef-defender-atp-process

• cef-duo-app-activity

• cef-incapsula-web-activity-2

• cef-microsoft-app-activity-10

• cef-microsoft-app-activity-11

• cef-microsoft-app-activity-12

• cef-microsoft-app-activity-13

• cef-microsoft-app-activity-17

• cef-microsoft-app-activity-18

• cef-microsoft-app-activity-19

• cef-microsoft-app-activity-1

• cef-microsoft-app-activity-20

• cef-microsoft-app-activity-21

• cef-microsoft-app-activity-22

• cef-microsoft-app-activity-23

• cef-microsoft-app-activity-24

• cef-microsoft-app-activity-25

• cef-microsoft-app-activity-26

• cef-microsoft-app-activity-27

• cef-microsoft-app-activity-28

• cef-microsoft-app-activity-29

• cef-microsoft-app-activity-2

• cef-microsoft-app-activity-30

• cef-microsoft-app-activity-31

• cef-microsoft-app-activity-32

• cef-microsoft-app-activity-33

• cef-microsoft-app-activity-34

• cef-microsoft-app-activity-35

• cef-microsoft-app-activity-36

• cef-microsoft-app-activity-37

• cef-microsoft-app-activity-39

• cef-microsoft-app-activity-3

• cef-microsoft-app-activity-40

• cef-microsoft-app-activity-41

• cef-microsoft-app-activity-42

• cef-microsoft-app-activity-43

• cef-microsoft-app-activity-44

• cef-microsoft-app-activity-4

• cef-microsoft-app-activity-51

• cef-microsoft-app-activity-52

• cef-microsoft-app-activity-5

• cef-microsoft-app-activity-7

• cef-microsoft-app-activity-8

• cef-microsoft-app-activity-9

• cef-microsoft-app-activity-inbox-rule

• cef-mimecast-dlp-email

• cef-mimecast-message-view

• cef-netskope-web-activity-1

• cef-netskope-web-activity

• cef-netskope-web-policy-1

• cef-netskope-web-policy

• cef-o365-app-login-1

• cef-o365-app-login-2

• cef-o365-app-login-failed

• cef-o365-app-login

• cef-o365-password-change

• cef-o365-security-alert

• cef-observeit-security-alert

• cef-okta-account-password-reset

• cef-okta-account-unlocked

• cef-proofpoint-email-in-1

• cef-proofpoint-email-in-failed

• cef-proofpoint-email-out-failed

• cef-proofpoint-email-out

• cef-salesforce-app-activity-32

• cef-syslog-sharepoint-activity

• cef-windows-6416

• checkpoint-dlp-email-alert

• checkpoint-network-alert-3

• cisco-asa-auth-successful

• cisco-asa-connection-built-302013

• cisco-asa-connection-teardown

• cisco-nac-failed-logon

• cisco-nac-logon

• cisco-netflow-connection

• cisco-ssh-login-1

• cisco-vpn-logout-2

• cisco-vpn-logout

• cisco-vpn-start-3

• cise-config-change

• citrix-file-download

• citrix-file-upload

• citrix-vpn-connection

• crowdstrike-file-operations-1

• crowdstrike-process-created

• exa-app-activity-1

• exa-app-activity-2

• exa-app-activity-3

• exa-app-activity-4

• exa-app-activity-5

• exa-app-activity-6

• exa-app-activity-7

• exa-app-login-aa

• exa-app-login

• exa-failed-app-login

• exa-log-source-added

• f5-ssh-failed-logon

• fireeye-cef-alert-no-connector

• fortinet-network-connection

• gamma-security-alert

• json-4771

• json-defender-atp-alert

• json-microsoft-app-activity-19

• json-okta-app-login-1

• json-okta-app-login

• json-okta-authentication-failed-3

• json-okta-authentication-failed-4

• json-okta-authentication-failed-5

• json-okta-authentication-success

• json-okta-failed-app-login-4

• json-okta-failed-app-login-5

• json-okta-failed-app-login-6

• json-okta-security-alert

• leef-dns-query

• lieberman-erpm

• microsoft-app-activity-1

• microsoft-app-activity-2

• microsoft-nps-6273

• netscalar-remote-access-1

• netscalar-remote-access-2

• netskope-web-activity

• nic-member-removed-2008

• o365-activity

• o365-dlp-email-out-1

• o365-dlp-email-out-2

• o365-inbox-rules-2

• o365-inbox-rules

• o365-phishing-alert

• o365-sharepoint-activity

• o365-teams-activity-1

• paloalto-firewall-alert-1

• paloalto-firewall-allow-1

• paloalto-firewall-traffic-deny

• paloalto-firewall-traffic-drop

• paloalto-web-activity-1

• pan-cef-alert-1

• pan-cef-alert-2

• pan-cef-alert-3

• pan-cef-alert-5

• pan-cef-alert-6

• pan-cef-alert-7

• pan-cef-alert

• pan-file-alert

• pan-flood-alert

• pan-spyware-alert

• pan-virus-alert

• pan-vpn-logout-1

• pan-vulnerability-alert

• pmp-account-switch

• pmp-password-change

• q-asa-6-113039-vpn-start

• q-asa-722037-vpn-end

• q-box-app-activity

• q-o365-sharepoint-activity

• q-unix-audispd-logon

• racf-db-access-1

• racf-db-access-2

• racf-db-access-3

• racf-db-access-4

• racf-db-access

• racf-db-failed-login

• raw-4625

• raw-4663-7

• raw-4673-1

• raw-4700

• raw-4723

• raw-4742

• raw-4767

• raw-4769-3

• raw-5139

• raw-5140

• raw-5145-5

• raw-asa-113004-vpn-start

• raw-asa-113005-2

• raw-asa-113005

• raw-asa-svc-vpn-start

• raw-checkpoint-firewall-2

• raw-netscaler-ica-login

• raw-netscaler-vpn-start

• raw-netscaler-vpn-stop

• raw-pan-failed-vpn-login

• raw-pan-vpn-app-activity

• raw-pan-vpn-end-2

• raw-pan-vpn-login-1

• raw-pan-vpn-login

• raw-pan-vpn-start-2

• raw-process-created-1

• raw-windows-account-4726

• raw-windows-account-4740

• rdp-vectra-meta-data

• s-4697

• s-aws-cloudtrail-s3-activity

• s-aws-netflow-connection-reject

• s-aws-netflow-connection

• s-duo-app-activity

• s-duo-app-login

• s-duo-auth-json

• s-kaspersky-es-alert-1

• s-microsoft-dhcp

• s-microsoft-dns-renew

• s-microsoft-dns-update

• s-mvision-dlp-alert

• s-nac-failed-logon-1

• s-nac-failed-logon-2

• s-nac-logon-1

• s-nac-logon

• s-o365-dlp-alert

• s-proofpoint-email-alert-4

• s-unix-auth-event

• s-xml-1102

• s-xml-4771

• sourcefire-network-alert

• ssh-vectra-meta-data

• unix-auditd-login-2

• unix-auditd-login

• vontu-dlp

• windows-xml-powershell-process-created-1

• windows-xml-powershell-process-created-2

• windows-xml-powershell-process-created

• xml-4625

• xml-4776

• xml-powershell-4104

• zscaler-firewall

Deprecated Parsers

• checkpoint-firewall-accept-1

• checkpoint-firewall-allow-1

• checkpoint-firewall-block

• checkpoint-firewall-drop-1

• checkpoint-firewall-reject

• checkpoint-network-connection-1

• checkpoint-network-connection-2

• checkpoint-network-connection-3

• checkpoint-network-connection-4

• checkpoint-vpn-login-3

Models

• New

• Updated

• Deprecated

New Models

There are no new models in this release.

Updated Models

• A-FLSh-Count – Count of failed logons from host

• EM-Gcountry – Email Countries sent to by peer group

• UA-OC – Countries for organization

• WEB-RCCount – Count of allowed web activity events with 3xx/4xx requests in a sequence

Deprecated Models

There are no deprecated models in this release.

Rules

• New

• Updated

• Deprecated

New Rules

There are no new rules in this release.

Updated Rules

There are no updated rules in this release.

Deprecated Rules

• A-NET-Coin-IP – com.exabeam.releasenotesgeneratortool.UseCase@6ddf90b0

• WEB-Shadow-Mining-IP – com.exabeam.releasenotesgeneratortool.UseCase@57536d79