Rules
- [New] CHAIN-S00013 GCP IDS Detection Followed by API Call; Detects a GCP IDS hit followed by an API call, indicating the source IP was able to gain access to GCP.
- [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking; Adjusts "Slack - Possible Session Hijacking" to use 'sessionId' schema field.
Log Mappers
- [New] GCP IDS; Mapper for GCP IDS events
- [New] Netskope - Catch All; Added 'Catch All' Mapper to account for unavailability of event identifier in all messages.
- [New] Slack Login; Added mapping specific to logon success/failure events
- [Updated] Slack Catch All; Adjusts mapper use new sessionIdschema field in place of sourceUid
Parsers
- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog; Adjusts Cisco Firepower parser for some FTD events and corrected routing for Snort like and ASA messages which pass through the Firepower parser.
- [Updated] /Parsers/System/Google/GCP; Adds additional time format handling
Schema
- [New] sessionId; An ephemeral and at least semi-unique identifier of a connection between two systems (e.g., HTTP session, user logon session, TCP session identifiers)