ReleaseNotes_c2102.5.md

Security Content c2102.5 (i56) Release Notes

These Release Notes document security content updates from content package c2010.6 (i55) to c2102.5 (i56).

The security content updates listed below include changes to the following areas:

• Parsers

• Models

• Rules

In the lists below, each item represents a specific parser, model, or rule that has been added, updated, or deprecated. To facilitate finding every data source where the changed content items are referenced, a content library query has been created for each changed parser, model, or rule. To view the results of each query, click on the link for the relevant content item.

Parsers

• New

• Updated

• Deprecated

New Parsers

• abnormal-dlp-email-alert

• abnormal-security-alert

• aix-task-created-1

• armis-alert-iot

• azure-mfa-admin-activity

• azure-security-alert-2

• barracuda-firewall-network-connection-1

• barracuda-remote-logon

• beyondtrust-privileged-access-1

• beyondtrust-privileged-access-2

• beyondtrust-privileged-access-3

• beyondtrust-process-created

• bind-dns-query-4

• bluecoat-proxy-v4

• bluecoat-proxy-v5

• cef-defender-atp-batch-logon

• cef-defender-atp-local-logon

• cef-defender-atp-malware-detected

• cef-defender-atp-remote-access

• cef-defender-atp-remote-logon

• cef-defender-atp-service-logon

• cef-duo-authentication

• cef-extrahop-network-sec

• cef-rsa-app-login-1

• cef-skyformation-mimecast-login

• cef-sophos-dlp-alert-7

• cef-sophos-security-alert-34

• cef-sophos-security-alert-35

• cef-sophos-security-alert-36

• cef-sophos-security-alert-37

• cef-sophos-security-alert-38

• cef-sophos-security-alert-39

• cef-sophos-security-alert-40

• cef-symantec-web-activity-2

• cisco-asa-authentication-successful

• cisco-ftd-716039

• cisco-ftd-721016

• cisco-ftd-721018

• cisco-ftd-746014

• cisco-ftd-746015

• cisco-ftd-746016

• citrix-app-login-3

• citrix-app-login-4

• citrix-remote-logon-1

• citrix-remote-logon

• counteract-nac-logon-successful

• egnyte-app-login

• egnyte-failed-app-login

• esector-file-delete

• esector-file-read

• esector-file-write-1

• esector-file-write-2

• esector-file-write

• fortinet-web-activity-1

• gamma-security-alert

• googlecloud-cloudresourcemanager-activity

• googlecloud-iam-activity

• googlecloud-storage-activity

• hornet-dlp-email-alert

• hornet-dlp-email

• hornet-email-security-alert

• json-4104

• json-4719

• json-5156

• json-5158

• json-azure-storage-access

• json-microsoft-dns-query

• json-microsoft-o365-alert-10

• json-microsoft-o365-alert-11

• json-microsoft-o365-alert-12

• json-microsoft-o365-alert-13

• json-microsoft-o365-alert-14

• json-microsoft-o365-alert-15

• json-microsoft-o365-alert-16

• json-microsoft-o365-alert-17

• json-microsoft-o365-alert-18

• json-microsoft-o365-alert-19

• json-microsoft-o365-alert-20

• json-microsoft-o365-alert-2

• json-microsoft-o365-alert-3

• json-microsoft-o365-alert-4

• json-microsoft-o365-alert-5

• json-microsoft-o365-alert-6

• json-microsoft-o365-alert-7

• json-microsoft-o365-alert-8

• json-microsoft-o365-alert-9

• json-okta-account-lockout

• json-okta-member-added

• json-sybase-db-access-1

• json-sybase-db-access

• json-sybase-db-login

• json-sybase-db-query-create

• json-sybase-db-query-delete

• json-sybase-db-query-insert

• json-sybase-db-query-select

• json-sybase-db-query-update

• json-unix-ssh-login-failed

• l-aruba-failed-nac-logon

• l-aruba-nac-logon

• l-ironport-dlp-email-alert

• l-lenel-badge-access-1

• l-lenel-badge-access

• leef-eset-app-login-success

• leef-eset-failed-logon

• leef-eset-network-alert

• leef-eset-web-activity-denied

• mcafee-security-alert-1027

• microsoft-cloud-app-security-alert-1

• microsoft-dns-update-successful

• netmotion-vpn-end-1

• netmotion-vpn-finish-1

• netmotion-vpn-start-1

• netmotion-vpn-stop-1

• nnt-ct-app-login

• openvpn-vpn-end-4

• oracle-avdf-database-login

• oracle-avdf-database-query

• outlook-exchange-app-activity-10

• outlook-exchange-app-activity-9

• powershell-800-syslog-1

• proofpoint-dlp-alert

• proofpoint-dlp-email-from

• proofpoint-security-alert-1

• proofpoint-security-alert

• q-lenel-badge-access-1

• q-okta-app-activity

• q-okta-app-login-6

• racf-db-access-1

• racf-db-access-2

• racf-db-access-3

• racf-db-access-4

• racf-db-access

• racf-db-failed-login

• raw-10016

• raw-1149

• raw-148

• raw-216

• raw-325

• raw-326

• raw-327

• raw-4770-1

• raw-4928

• raw-4929

• raw-5157-1

• raw-5805

• rsa-authentication-successful-1

• rsa-authentication-successful

• s-aws-cloudtrail-iam

• s-aws-cloudtrail-s3-activity

• s-aws-data-access

• s-azure-api-management

• s-azure-authorization-activity-2

• s-azure-authorization-activity-3

• s-azure-authorization-activity

• s-azure-core-directory

• s-azure-managed-identity

• s-azure-pim-activity

• s-azure-storage-access

• s-azure-storage-activity-2

• s-azure-storage-activity-3

• s-azure-storage-activity

• s-checkpoint-alert-3

• s-checkpoint-alert-4

• s-checkpoint-fw-network-connection

• s-digitalguardian-file-read

• s-digitalguardian-file-write-5

• s-digitalguardian-usb-write

• s-fireeye-hx-alert-3

• s-fireeye-hx-alert-4

• s-fireeye-hx-alert-5

• s-fireeye-hx-alert-6

• s-mcafee-dlp-alert-3

• s-mcafee-print-activity-1

• s-mcafee-print-activity-2

• s-mwg-proxy-1

• s-process-alert-carbonblack-2

• s-quest-failed-logon

• s-symantec-web-activity-1

• s-tanium-security-alert-5

• sailpoint-app-activity-1

• sailpoint-app-activity-2

• sailpoint-auth

• sailpoint-password-change

• sap-app-login

• sap-failed-app-login

• sap-remote-logon-1

• sap-remote-logon

• spanish-raw-4625

• spanish-raw-4672

• spanish-raw-4688

• squid-web-activity-4

• stealthwatch-network-alert-4

• sysmon-image-loaded

• tanium-process-alert

• unix-account-switch-1

• unix-file-operation

• unix-local-logon-2

• unix-process-created-1

• unix-process-created-failed

• vmware-failed-logon

• windows-xml-member-added-2008

• workday-app-activity-2

• workday-app-login-2

• xml-5138

• xml-8004

• zscaler-network-connection

Updated Parsers

• ad-audit-4625

• ad-audit-4662

• ad-audit-4663

• ad-audit-4688

• ad-audit-4738

• ad-audit-4742

• ad-audit-4767

• ad-audit-4778

• ad-audit-4800

• ad-audit-4801

• ad-audit-5136

• ad-audit-5137

• ad-audit-5140

• ad-audit-5141

• ad-json-4720

• ad-json-4722

• ad-json-4724

• ad-json-4740

• ad-json-4767

• ad-json-5140

• ad-json-member-added-2008

• ad-json-member-removed-2008

• aix-task-created

• aruba-controller-failed-nac-logon

• aruba-nac-logon

• aws-cloudtrail-app-activity

• azure-app-logon

• azure-security-alert

• bastion-failed-logon

• bastion-remote-logon

• bluecoat-proxy-10

• bluecoat-proxy-11

• bluecoat-proxy-12

• bluecoat-proxy-13

• bluecoat-proxy-14

• bluecoat-proxy-15

• bluecoat-proxy-1

• bluecoat-proxy-2

• bluecoat-proxy-3

• bluecoat-proxy-4

• bluecoat-proxy-5

• bluecoat-proxy-6

• bluecoat-proxy-7

• bluecoat-proxy-8

• bluecoat-proxy-9

• bluecoat-proxy-v2

• bluecoat-proxy-v3

• bluecoat-web-activity

• box-skyformation-file-activity

• bro-dns-response

• bro-files-analysis

• bro-web-activity

• cas-app-activity

• cas-login-failed

• cas-login-success

• cef-5142

• cef-5143

• cef-5144

• cef-O365-dlp-email-out-1

• cef-aruba-mobile

• cef-asa-113004-vpn-start

• cef-aws-cloudwatch-netflow-connection

• cef-aws-guardduty

• cef-aws-netflow-connection

• cef-aws-vpc-netflow-connection

• cef-azure-app-activity-1

• cef-azure-app-activity-2

• cef-azure-app-activity-3

• cef-azure-app-activity-4

• cef-azure-app-activity-5

• cef-azure-onedrive-account-password-change

• cef-azure-onedrive-account-password-reset

• cef-azure-onedrive-app-activity-10

• cef-azure-onedrive-app-activity-11

• cef-azure-onedrive-app-activity-12

• cef-azure-onedrive-app-activity-13

• cef-azure-onedrive-app-activity-14

• cef-azure-onedrive-app-activity-15

• cef-azure-onedrive-app-activity-16

• cef-azure-onedrive-app-activity-17

• cef-azure-onedrive-app-activity-18

• cef-azure-onedrive-app-activity-19

• cef-azure-onedrive-app-activity-1

• cef-azure-onedrive-app-activity-20

• cef-azure-onedrive-app-activity-21

• cef-azure-onedrive-app-activity-22

• cef-azure-onedrive-app-activity-23

• cef-azure-onedrive-app-activity-24

• cef-azure-onedrive-app-activity-25

• cef-azure-onedrive-app-activity-26

• cef-azure-onedrive-app-activity-27

• cef-azure-onedrive-app-activity-28

• cef-azure-onedrive-app-activity-29

• cef-azure-onedrive-app-activity-2

• cef-azure-onedrive-app-activity-30

• cef-azure-onedrive-app-activity-31

• cef-azure-onedrive-app-activity-32

• cef-azure-onedrive-app-activity-33

• cef-azure-onedrive-app-activity-34

• cef-azure-onedrive-app-activity-35

• cef-azure-onedrive-app-activity-36

• cef-azure-onedrive-app-activity-3

• cef-azure-onedrive-app-activity-4

• cef-azure-onedrive-app-activity-5

• cef-azure-onedrive-app-activity-6

• cef-azure-onedrive-app-activity-7

• cef-azure-onedrive-app-activity-8

• cef-azure-onedrive-app-activity-9

• cef-azure-onedrive-file-activity-10

• cef-azure-onedrive-file-activity-11

• cef-azure-onedrive-file-activity-12

• cef-azure-onedrive-file-activity-13

• cef-azure-onedrive-file-activity-14

• cef-azure-onedrive-file-activity-15

• cef-azure-onedrive-file-activity-1

• cef-azure-onedrive-file-activity-2

• cef-azure-onedrive-file-activity-3

• cef-azure-onedrive-file-activity-4

• cef-azure-onedrive-file-activity-5

• cef-azure-onedrive-file-activity-6

• cef-azure-onedrive-file-activity-7

• cef-azure-onedrive-file-activity-8

• cef-azure-onedrive-file-activity-9

• cef-azure-onedrive-file-upload

• cef-azure-onedrive-file-write

• cef-azure-siem-app-logon

• cef-bit9-file-alert

• cef-bit9-usb-activity

• cef-bitdefender-gravityzone-alert

• cef-bluecoat-proxy

• cef-carbonblack-file-alert

• cef-carbonblack-usb-activity

• cef-cas-security-alert

• cef-catonetworks-web-activity

• cef-cisco-dns-response-1

• cef-cisco-dns-response-sk4-2

• cef-cisco-dns-response-sk4-3

• cef-cisco-dns-response-sk4-4

• cef-cisco-dns-response-sk4

• cef-cisco-dns-response

• cef-cortex-xdr-alert-1

• cef-cortex-xdr-alert

• cef-cyberark-security-alert-1

• cef-darktrace

• cef-defender-atp-alert

• cef-defender-atp-file

• cef-defender-atp-member-added

• cef-defender-atp-member-removed

• cef-defender-atp-network-con

• cef-defender-atp-process

• cef-defender-graph-security-alert

• cef-digitalguardian-file-operation

• cef-digitalguardian-send-mail

• cef-duo-app-activity

• cef-epic-app-activity-10

• cef-epic-app-activity-11

• cef-epic-app-activity-12

• cef-epic-app-activity-1

• cef-epic-app-activity-2

• cef-epic-app-activity-3

• cef-epic-app-activity-4

• cef-epic-app-activity-5

• cef-epic-app-activity-6

• cef-epic-app-activity-7

• cef-epic-app-activity-8

• cef-epic-app-activity-9

• cef-forcepoint-dlp-alert

• cef-forcepoint-dlp-email-alert-1

• cef-forcepoint-proxy

• cef-google-app-activity-1

• cef-google-app-activity-2

• cef-google-app-activity-3

• cef-google-app-activity-4

• cef-google-app-activity-5

• cef-google-app-activity-6

• cef-google-app-login

• cef-guardium-db-alert-1

• cef-liebsoft-app-activity-1

• cef-liebsoft-app-activity-2

• cef-liebsoft-app-activity-3

• cef-liebsoft-app-activity-4

• cef-liebsoft-app-activity-5

• cef-malwarebytes-network-alert-ids

• cef-malwarebytes-security-alert-1

• cef-malwarebytes-security-alert-2

• cef-malwarebytes-security-alert-exploit

• cef-malwarebytes-security-alert

• cef-mbmc-security-alert-detection-1

• cef-mcafee-dlp-alert-info

• cef-mcafee-dlp-email-out

• cef-mcafee-dlp-email

• cef-mcafee-dlp-prevent

• cef-mcafee-epo-alert-2

• cef-mcafee-epo-alert-3

• cef-mcafee-epo-alert-4

• cef-mcafee-epo-alert-5

• cef-mcafee-epo-alert-6

• cef-mcafee-epo-dlp-alert

• cef-mcafee-process-alert

• cef-mcafee-vse-alert

• cef-microsoft-app-activity-10

• cef-microsoft-app-activity-11

• cef-microsoft-app-activity-12

• cef-microsoft-app-activity-13

• cef-microsoft-app-activity-17

• cef-microsoft-app-activity-18

• cef-microsoft-app-activity-19

• cef-microsoft-app-activity-1

• cef-microsoft-app-activity-20

• cef-microsoft-app-activity-21

• cef-microsoft-app-activity-22

• cef-microsoft-app-activity-23

• cef-microsoft-app-activity-24

• cef-microsoft-app-activity-25

• cef-microsoft-app-activity-26

• cef-microsoft-app-activity-27

• cef-microsoft-app-activity-28

• cef-microsoft-app-activity-29

• cef-microsoft-app-activity-2

• cef-microsoft-app-activity-30

• cef-microsoft-app-activity-31

• cef-microsoft-app-activity-32

• cef-microsoft-app-activity-33

• cef-microsoft-app-activity-34

• cef-microsoft-app-activity-35

• cef-microsoft-app-activity-36

• cef-microsoft-app-activity-37

• cef-microsoft-app-activity-38

• cef-microsoft-app-activity-39

• cef-microsoft-app-activity-3

• cef-microsoft-app-activity-4

• cef-microsoft-app-activity-5

• cef-microsoft-app-activity-6

• cef-microsoft-app-activity-7

• cef-microsoft-app-activity-8

• cef-microsoft-app-activity-9

• cef-microsoft-app-activity-inbox-rule

• cef-microsoft-app-login

• cef-microsoft-database-query

• cef-microsoft-dns-query

• cef-microsoft-failed-app-login

• cef-microsoft-password-change

• cef-microsoft-remote-logon

• cef-mimecast-email-alert-1

• cef-mimecast-email-alert

• cef-mimecast-failed-app-login

• cef-mimecast-security-alert

• cef-netscaler-aaatm-login

• cef-netskope-alert-1

• cef-netskope-alert-2

• cef-netskope-alert-anomaly

• cef-netskope-alert-compromise

• cef-netskope-alert-malsite

• cef-netskope-alert-policy

• cef-netskope-alert

• cef-netskope-app-activity-10

• cef-netskope-app-activity-11

• cef-netskope-app-activity-12

• cef-netskope-app-activity-13

• cef-netskope-app-activity-14

• cef-netskope-app-activity-15

• cef-netskope-app-activity-16

• cef-netskope-app-activity-17

• cef-netskope-app-activity-18

• cef-netskope-app-activity-19

• cef-netskope-app-activity-1

• cef-netskope-app-activity-2

• cef-netskope-app-activity-3

• cef-netskope-app-activity-45

• cef-netskope-app-activity-46

• cef-netskope-app-activity-47

• cef-netskope-app-activity-48

• cef-netskope-app-activity-49

• cef-netskope-app-activity-4

• cef-netskope-app-activity-50

• cef-netskope-app-activity-51

• cef-netskope-app-activity-5

• cef-netskope-app-activity-6

• cef-netskope-app-activity-7

• cef-netskope-app-activity-8

• cef-netskope-app-activity-9

• cef-netskope-app-login-1

• cef-netskope-app-login-2

• cef-netskope-dlp-alert-1

• cef-netskope-dlp-alert

• cef-netskope-dlp-email-alert-1

• cef-netskope-failed-app-login

• cef-netskope-web-activity

• cef-netskope-web-policy

• cef-o365-app-login

• cef-o365-dlp-alert

• cef-o365-security-alert

• cef-okta-account-password-reset

• cef-okta-account-unlocked

• cef-okta-app-activity

• cef-okta-app-login

• cef-okta-logs-app-activity

• cef-okta-logs-app-alert

• cef-salesforce-app-activity-42

• cef-salesforce-app-activity-43

• cef-salesforce-app-activity-44

• cef-salesforce-app-activity-45

• cef-salesforce-app-activity-46

• cef-salesforce-app-activity-47

• cef-security-graph-alert

• cef-sentinelone-security-alert-6

• cef-sentinelone-security-alert

• cef-skyformation-login

• cef-slack-app-activity

• cef-snowflake-db-login

• cef-snowflake-db-query

• cef-sophos-dlp-alert-8

• cef-sophos-usb-insert-1

• cef-stealthwatch-network-alert

• cef-syslog-microsoft-db-impersonate

• cef-syslog-microsoft-db-login

• cef-trendmicro-database-failed-login

• cef-trendmicro-security-alert-2

• cef-trendmicro-security-alert-5

• cef-trendmicro-security-alert-6

• cef-trendmicro-security-alert-7

• cef-trendmicro-security-alert-8

• cef-zscaler-web-activity

• checkpoint-dlp-email-alert

• checkpoint-firewall-accept-1

• checkpoint-firewall-accept-2

• checkpoint-firewall-allow-1

• checkpoint-firewall-block

• checkpoint-firewall-drop-1

• checkpoint-firewall-drop-2

• checkpoint-firewall-network-alert-1

• checkpoint-firewall-reject-1

• checkpoint-firewall-reject

• checkpoint-network-alert-3

• checkpoint-network-connection-1

• checkpoint-network-connection-2

• checkpoint-network-connection-3

• checkpoint-network-connection-4

• checkpoint-vpn-login-2

• checkpoint-vpn-login-3

• cisco-dns-response-1

• cisco-fpr-113004

• cisco-ftd-113004

• cisco-ftd-722041

• cisco-ftd-firewall-1

• cisco-ftd-firewall-2

• cisco-ftd-firewall-3

• cisco-ftd-firewall-4

• cisco-ftd-firewall-5

• cisco-ftd-firewall-6

• cisco-ftd-firewall-7

• cisco-ftd-firewall-8

• cisco-ftd-firewall-9

• cisco-nac-logon-3

• cisco-nac-logon

• cisco-netflow-connection

• citrix-file-share

• cl-cisco-dns-response-sk4-4

• cloudflare-app-activity

• corelight-dns-query

• crowdstrike-auth-failed-1

• crowdstrike-auth-failed-2

• crowdstrike-file-delete-1

• crowdstrike-file-download-1

• crowdstrike-file-download

• crowdstrike-file-process-alert-2

• crowdstrike-file-read-2

• crowdstrike-file-read-3

• crowdstrike-file-read

• crowdstrike-file-write-10

• crowdstrike-file-write-11

• crowdstrike-file-write-12

• crowdstrike-file-write-13

• crowdstrike-file-write-14

• crowdstrike-file-write-2

• crowdstrike-file-write-3

• crowdstrike-file-write-4

• crowdstrike-file-write-5

• crowdstrike-file-write-7

• crowdstrike-file-write-8

• crowdstrike-file-write-9

• crowdstrike-file-write

• crowdstrike-logon-2

• crowdstrike-logon

• crowdstrike-network-connection

• crowdstrike-process-created-1

• crowdstrike-process-created-2

• crowdstrike-process-created

• crowdstrike-security-alert-2

• crowdstrike-service-created-1

• crowdstrike-user-identity

• cylance-alert-2

• cylance-process-alert

• damballa-cef-alert

• defender-atp-file-events

• defender-atp-logon

• defender-atp-network

• defender-atp-process-2

• defender-atp-process

• digital-guardian-send-mail

• emc-syslog-4624

• eset-domain-user-failed-login

• eset-domain-user-login

• exa-cor-rule-alerts

• exalms-4625

• exalms-4662

• exalms-4663

• exalms-4719

• exalms-4742

• exalms-4776

• exalms-540

• exalms-552

• exalms-567

• exalms-576

• exalms-680

• exalms-sqlserver-failed-login

• f5-asm-alert-1

• filesite-app-activity

• fireeye-cef-alert-no-connector

• fireeye-dlp-email-alert

• forcepoint-proxy-2

• forefront-epp-cef-alert

• gravityzone-security-alert-aph

• gravityzone-security-alert-av

• gravityzone-security-alert-avc

• gravityzone-security-alert-hd

• gravityzone-security-alert-new-login

• gravityzone-web-activity-denied

• ironport-proxy-3

• ironport-proxy-4

• isilon-file-delete

• isilon-file-permission-change

• isilon-file-read

• isilon-file-write

• json-4624-1

• json-4624-2

• json-4625-2

• json-4648-2

• json-4662-1

• json-4662

• json-4672-1

• json-4672-2

• json-4673-1

• json-4673-2

• json-4720-1

• json-4722

• json-4723-1

• json-4723-2

• json-4724-1

• json-4725

• json-4726

• json-4728

• json-4729

• json-4738-1

• json-4740-1

• json-4767

• json-4768-2

• json-4768

• json-4769-2

• json-4769

• json-4770

• json-4771

• json-4776-2

• json-4776

• json-5136-1

• json-5136

• json-5140

• json-bluecoat-proxy-web-activity

• json-bro-web-activity

• json-lenel-badge-access

• json-microsoft-app-activity-19

• json-netskope-app-activity-17

• json-netskope-app-activity-18

• json-netskope-app-login

• json-netskope-failed-app-login

• json-o365-activity-3

• json-okta-app-login-1

• json-okta-app-login

• json-okta-authentication-failed-3

• json-okta-authentication-failed-4

• json-okta-authentication-failed-5

• json-okta-authentication-success

• json-okta-failed-app-login-4

• json-okta-failed-app-login-5

• json-okta-failed-app-login-6

• json-okta-security-alert

• json-process-created-1

• json-s-proofpoint-email-alert-2

• json-sysmon-file-create-1

• json-sysmon-file-create

• json-sysmon-process-created-1

• json-sysmon-process-created

• json-sysmon-process-network

• json-zeek-kerberos

• json-zeek_dce_rpc

• json-zeek_dhcp

• json-zeek_dns

• json-zeek_files

• json-zeek_ntlm

• json-zeek_ssl

• json-zeek_weird

• l-4740

• leef-crowdstrike-alert

• leef-crowdstrike-detectionsummaryevent

• leef-crowdstrike-dnsrequests

• leef-crowdstrike-documentsaccessed

• leef-crowdstrike-executableswritten

• leef-crowdstrike-networkaccesses

• leef-digitalguardian-dlp-email-alert-out-1

• leef-digitalguardian-dlp-email-alert-out

• leef-digitalguardian-local-logon-1

• leef-digitalguardian-local-logon

• leef-digitalguardian-print-activity-1

• leef-digitalguardian-print-activity

• leef-digitalguardian-usb-insert

• leef-epic-app-activity

• leef-eset-security-alert

• lenel-badge-access-2

• lenel-badge-access

• lieberman-erpm

• linux-dhcp-request

• meraki-firepower-active-dir

• microsoft-app-activity-1

• microsoft-app-activity-2

• microsoft-network-alert

• ms-dhcp

• n-cef-bluecoat-proxy

• n-forwarded-cef-4624

• n-forwarded-cef-4625

• n-forwarded-cef-4648

• n-forwarded-cef-4663

• n-forwarded-cef-4672

• n-forwarded-cef-4673

• n-forwarded-cef-4688

• n-forwarded-cef-4722

• n-forwarded-cef-4724

• n-forwarded-cef-4725

• n-forwarded-cef-4740

• n-forwarded-cef-4768

• n-forwarded-cef-4769

• n-forwarded-cef-4770

• n-forwarded-cef-4771

• n-forwarded-cef-4776

• n-forwarded-cef-5136

• n-forwarded-cef-528

• n-forwarded-cef-540

• n-forwarded-cef-552

• n-forwarded-cef-680

• n-forwarded-cef-failed-logon-2003

• n-forwarded-cef-lastline

• n-forwarded-cef-member-added-2008

• n-forwarded-cef-member-removed-2008

• n-mwg-proxy

• netscalar-remote-access-1

• netscalar-remote-access-2

• netscalar-remote-access

• netscope-dlp-alert-activity

• netskope-activity

• netskope-alert

• netskope-app-activity

• netskope-dlp-alert

• netskope-login

• netskope-network-connection

• netskope-security-alert

• netskope-web-activity

• o365-activity-3

• o365-activity

• o365-malware-alert

• okta-app-activity-ad

• oracle-database-access-1

• oracle-database-login

• outlook-exchange-app-activity-1

• outlook-exchange-app-activity-2

• outlook-exchange-app-activity-3

• outlook-exchange-app-activity-4

• outlook-exchange-app-activity-5

• outlook-exchange-app-activity-6

• outlook-exchange-app-activity-7

• outlook-exchange-app-activity-8

• paloalto-firewall-allow-2

• paloalto-firewall-allow

• paloalto-firewall-deny-1

• paloalto-firewall-deny

• paloalto-firewall-drop

• pan-alert-1

• pan-alert

• pan-cef-alert-1

• pan-cef-alert-2

• pan-cef-alert-3

• pan-cef-alert-5

• pan-cef-alert-6

• pan-cef-alert-7

• pan-cef-alert

• physical-badge-access-1

• physical-badge-access

• powershell-process-created-2

• proofpoint-email

• q-1102

• q-cisco-dns-response

• q-dlp-alert

• q-leef-invincea-alert

• q-lenel-badge-access

• q-process-alert-carbonblack-1

• q-process-alert-carbonblack

• q-unix-dhcp-1

• q-xgs-network-alert

• q-zscaler-web-activity

• r-nic-damballa-alert

• r-syslog-bluecoatcas-alert

• raw-1102

• raw-4104

• raw-4624-6

• raw-4624-7

• raw-4624-9

• raw-4624

• raw-4663-10

• raw-4663-4

• raw-4663-7

• raw-4672-1

• raw-4672

• raw-4674-1

• raw-4674-2

• raw-4674-3

• raw-4674

• raw-4724

• raw-4738

• raw-4742

• raw-4768-3

• raw-4768-4

• raw-4768

• raw-4769-2

• raw-4769-5

• raw-4776-4

• raw-4778

• raw-5138

• raw-5141

• raw-5145-1

• raw-5145

• raw-5156

• raw-7045

• raw-asa-113004-vpn-start

• raw-asa-113005-2

• raw-asa-113005

• raw-asa-svc-vpn-start

• raw-checkpoint-firewall-2

• raw-juniper-nwc-vpn-hostfailed

• raw-member-added-2008

• raw-member-removed-2008-2

• raw-pan-failed-vpn-login

• raw-pan-vpn-app-activity

• raw-pan-vpn-end-2

• raw-pan-vpn-login

• raw-pan-vpn-set-ip

• raw-pan-vpn-start-2

• raw-process-created

• raw-windows-account-4720

• raw-windows-account-4722

• raw-windows-account-4726

• raw-windows-account-624

• rs-4624

• s-1102

• s-aws-cloudtrail-activity-json

• s-aws-cloudtrail-assumedrole-json

• s-aws-cloudtrail-login-json

• s-aws-netflow-connection-reject

• s-aws-netflow-connection

• s-codegreen-dlp-alert

• s-codegreen-dlp-email-out

• s-crowdstrike-app-ransomware

• s-database-login-18453

• s-database-login-18454

• s-digitalguardian-dlp-alert-1

• s-digitalguardian-dlp-alert-2

• s-digitalguardian-dlp-email-out-1

• s-digitalguardian-dlp-email-out-2

• s-digitalguardian-dlp-email-out-3

• s-digitalguardian-dlp-email-out-4

• s-digitalguardian-file-download

• s-digitalguardian-file-upload

• s-digitalguardian-file-write-1

• s-digitalguardian-file-write-2

• s-digitalguardian-file-write-3

• s-digitalguardian-file-write-4

• s-digitalguardian-network-connection

• s-digitalguardian-print-activity-1

• s-digitalguardian-print-activity-2

• s-digitalguardian-print-activity-3

• s-digitalguardian-print-activity-4

• s-dlp-email-out

• s-estreamer-network-connection

• s-failed-app-login

• s-github-activity

• s-infoblox-dhcp-1

• s-lanscope-app-activity-1

• s-lanscope-asset-alert

• s-lanscope-file-operations

• s-lanscope-print-activity

• s-lanscope-process-created-failed

• s-lanscope-process-created

• s-lanscope-web-activity

• s-liebsoft-app-login

• s-mcafee-usb-activity-bluetooth

• s-mcafee-usb-activity-diskdrives

• s-mcafee-usb-activity-dvd

• s-mcafee-usb-activity-imaging

• s-mcafee-usb-activity-portable

• s-mcafee-usb-filewrite

• s-microsoft-database-login

• s-microsoft-dns-renew

• s-microsoft-dns-update

• s-mimecast-dlp-email

• s-netskope-activity

• s-netskope-login

• s-o365-dlp-alert-1

• s-o365-dlp-alert

• s-okta-app-login-1

• s-okta-app-login-2

• s-okta-app-login-3

• s-okta-app-login-4

• s-okta-app-login

• s-okta-failed-login-3

• s-onguard-physical-badge-access-2

• s-onguard-physical-badge-access

• s-opendns-dns-response-10

• s-opendns-dns-response-1

• s-opendns-dns-response-2

• s-opendns-dns-response-3

• s-opendns-dns-response-4

• s-opendns-dns-response-5

• s-opendns-dns-response-6

• s-opendns-dns-response-7

• s-opendns-dns-response-8

• s-opendns-dns-response-9

• s-opendns-dns-response

• s-pan-correlation-alert

• s-panngwf-spyware-alert

• s-physical-badge-access-3

• s-physical-badge-access-8

• s-ping-sso

• s-proofpoint-email-alert-2

• s-proofpoint-email-alert-3

• s-proofpoint-email-in-1

• s-quest-directory-access

• s-sendmail-email-from

• s-skyfence-alert

• s-tanium-security-alert-3

• s-vontu-dlp-alert

• s-vontu-email-dlp

• s-xml-1102

• s-xml-4724

• s-zscaler-dlp-alert

• s-zscaler-web-activity-1

• s-zscaler-web-activity-2

• s-zscaler-web-activity-3

• s-zscaler-web-activity-4

• s-zscaler-web-activity-5

• s-zscaler-web-activity

• sendmail-email-from

• sentinelone-dns-query

• sentinelone-dns-response-1

• sentinelone-dns-response

• sentinelone-file-create-1

• sentinelone-file-create

• sentinelone-file-delete-1

• sentinelone-file-delete

• sentinelone-file-modify-1

• sentinelone-file-modify

• sentinelone-network-connection-1

• sentinelone-network-connection

• sentinelone-process-created-1

• sentinelone-process-created

• sentinelone-security-alert-1

• sentinelone-task-register

• sentinelone-task-update-1

• sentinelone-task-update-2

• sentinelone-task-update

• sentinelone-web-activity-1

• sentinelone-web-activity-2

• sentinelone-web-activity

• sk4-json-4662

• sk4-json-4697

• sk4-json-4720

• sk4-json-4722

• sk4-json-4724

• sk4-json-4725

• sk4-json-4767

• sk4-json-4779

• sk4-json-4800

• sk4-json-4801

• sk4-json-5137

• sk4-json-5141

• sk4-json-member-added-2008

• sk4-json-member-removed-2008

• sk4-workday-app-auth-failed

• sk4-workday-app-login

• sk4-workday-failed-app-login

• skyformation-cloudflare-waf-1

• skyformation-cloudflare-waf-2

• skyformation-cloudflare-waf

• skyhigh-dlp-alert-1

• skyhigh-dlp-alert-2

• skyhigh-dlp-alert

• snare-1102

• snort-alert

• sonicwall-network-alert-1

• sonicwall-network-alert-2

• sonicwall-network-alert-3

• sonicwall-network-alert-4

• sonicwall-network-alert

• sonicwall-network-connection-successful-1

• sonicwall-network-connection-successful

• sophos-security-alert-2

• sophos-web-alert

• sourcefire-proxy-1

• symantec-av-dlp-alert-cn

• symantec-av-dlp-alert

• symantec-network-connection

• symantec-security-alert-2

• syslog-5158

• syslog-cisco-wsa-web-activity

• syslog-json-4663

• syslog-juniper-vpn-realm-1

• syslog-liebsoft-account-switch

• syslog-symantec-usb-write

• sysmon-file-create

• sysmon-file-delete

• sysmon-process-created-1

• sysmon-process-created-2

• sysmon-process-created

• sysmon-process-network

• thycotic-app-activity

• u-googledrive-file-activity

• u-googledrive-file-permission-change

• u-mcafee-epo-alert

• unix-auditd-login-2

• unix-auditd-login

• vmware-esxi-login-1

• vmware-ssh-login

• wls-4624

• xml-1102

• xml-4624

• xml-4673

• xml-4688

• xml-4738

• xml-5145

• xml-mssql-database-login-1

• xml-sysmon-process-created-2

• xml-sysmon-process-created

• zscaler-proxy

Deprecated Parsers

• admanager-activity

• armis-network-alert

• armis-security-alert

• azure-email-notification

• cef-defender-atp-logon

• cef-sophos-dlp-alert-1

• cef-sophos-dlp-alert-10

• cef-sophos-dlp-alert-11

• cef-sophos-dlp-alert-12

• cef-sophos-dlp-alert-3

• cef-sophos-dlp-alert-4

• cef-sophos-dlp-alert-5

• cef-sophos-dlp-alert-9

• cef-sophos-security-alert-16

• cef-sophos-security-alert-20

• cef-sophos-security-alert-21

• cef-sophos-security-alert-22

• cef-sophos-security-alert-23

• cef-sophos-security-alert-24

• cef-sophos-security-alert-25

• cef-sophos-security-alert-27

• cef-sophos-security-alert-28

• cef-sophos-security-alert-29

• cef-sophos-security-alert-31

• cef-sophos-security-alert-9

• cef-sysmon-file-write-2

• cisco-wifi-login

• crowdstrike-file-process-alert

• mcafee-ips-network-alert-1

• mimecast-dlp-email

• s-aws-app-activity

• s-aws-cloudtrail-activity-access-json

• s-aws-cloudtrail-activity-delete-json

• s-aws-cloudtrail-activity-upload-json

• s-examworkspace-file-read

• s-windows-event-4611

• sonicwall-network-alert-10

• sonicwall-network-alert-11

• sonicwall-network-alert-12

• sonicwall-network-alert-13

• sonicwall-network-alert-14

• sonicwall-network-alert-15

• sonicwall-network-alert-16

• sonicwall-network-alert-17

• sonicwall-network-alert-18

• sonicwall-network-alert-19

• sonicwall-network-alert-5

• sonicwall-network-alert-6

• sonicwall-network-alert-7

• sonicwall-network-alert-8

• sonicwall-network-alert-9

• sophos-dlp-alert-2

• sysmon-registry-set

• sysmon-registry-set-2

Models

• New

• Updated

• Deprecated

New Models

• A-EPA-CSC – Tracks csc activity for the asset.

• A-EPA-MSBuild – Tracks MSBuild activity with unknown file arguments

• A-EPA-REG-WU – Models reg query activity for windows update on the assets.

• A-EPA-Rundll-FTP – Rundll actions for FTP port blocking/unblocking on the asset

• A-FW-ProcessName-FileName – File creations for process

• A-NETFLOW-RDP-DestHost – Asset accessing RDP services.

• A-NTDS-Access – Models the amount of accesses to paths that are related to NTDS

• A-PC-InstallUtil-exe – EXE file parameter passed to InstallUtil.exe on the asset.

• A-PC-MSBuild-Csproj – CSPROJ file parameter passed to MSBuild.exe on the asset in the organization.

• A-PC-MSBuild-xml – XML file parameter passed to MSBuild.exe on the asset in the organization.

• A-PC-Mshta-Hta – HTA file parameter passed to Mshta.exe on the asset in the organization.

• A-PC-ParentName-ProcessName – Processes for parent parent processes.

• A-PC-Process-Hash – Hashes used to create processes on the asset.

• A-PC-Regsvr32-sct – SCT file parameter passed to Regsvr32.exe on the asset in the organization.

• A-SA-AN-ALERT-IOT – Security alert names on IOT/OT devices

• A-SA-OA-ALERT-IOT – IOT/OT devices triggering security alerts in the organization

• A-ServiceName-ServiceCmdline – Service Executable Files on the asset

• B-CS-Bucket-Activity – Activities per storage container/bucket

• B-CS-Bucket-Bytes – Bytes sent from bucket

• B-CS-Bucket-UA – User agents per bucket

• B-CS-Bucket-Users – Users per storage container/bucket

• B-CS-Buckets – Buckets seen in the organization

• B-CS-IType – User Identity types per cloud storage container

• CS-Admin-Activity – Cloud administrative activities performed by user

• CS-Bucket-C-D – Users who create or delete storage containers

• CS-Critical-Activities – Users who perform critical IAM activites

• CS-O-UA – User agents in the organization accessing cloud storage

• CS-P-UA – User agents accessing cloud storage per peer group

• CS-Policies – Cloud Policies seen in the organization

• CS-Storage-Activity – Cloud storage activities for the user

• CS-Universal-Policy – Users creating universal '*' policies

• CS-User-Creation – Users who create users/accounts in the cloud

• CS-Users – Users accessing cloud storage in the org

• DB-OPCOUNT-NEW – Count of distinct database operations for user

• DB-OPCOUNT-TOTAL – Count of total database operations for user

• DB-URSum-New – Sum of response sizes in database queries

• FA-UA-UI-new – ISP of users during file activity

• PC-InstallUtil-dll – DLL file parameter passed to Installutil.exe

• PC-InstallUtil-exe – EXE file parameter passed to Installutil.exe

• PC-MSBuild-Csproj – CSPROJ file parameter passed to MSBuild.exe

• PC-MSBuild-xml – XML file parameter passed to MSBuild.exe

• PC-Mshta-Hta – HTA file parameter passed to Mshta.exe

• PC-ParentName-ProcessName – Child processes created by a parent process

• PC-Process-Hash – Hashes used to create processes.

• PC-Regsvr32-sct – SCT file parameter passed to Regsvr32.exe

• ParentProcess-P – Parent processes for peer group

• UA-UI-new – ISP of users during application activity

Updated Models

• AL-HT-PRIV – Privilege Users Assets

• APP-AT-PRIV – Privileged application activities

• APP-ObT-PRIV – Privileged application objects

• DS-APRIV – Privileged user attributes

• DS-OA – Non-privileged attributes in the organization

• DS-UA – Attributes per privileged user

• EPA-OG-SYSVOL – SYSVOL domain group policy access by group in the organization

• FA-FT-PRIV – Privileged Folders

• FA-UR – Number of file accesses from repository by privileged user

• UA-GC – Countries for peer groups

• UA-UC – Countries for user activity

• WEB-UBytesSum-In-FS-PU – Sum of bytes read/downloaded from file sharing sites in a day by privileged user

• WEB-UBytesSum-In-FS – Sum of bytes read/downloaded from file sharing sites in a day by non-privileged user

Deprecated Models

There are no deprecated models in this release.

Rules

• New

• Updated

• Deprecated

New Rules

There are no new rules in this release.

Updated Rules

There are no updated rules in this release.

Deprecated Rules

There are no deprecated rules in this release.