Within this content release, we have deprecated two of our First Seen rules linked to low fidelity as we continue to perform internal testing around similar detections. Additionally, we are bringing out a new set of Carbon Black mappers, expanding on our existing normalization with the product.
Rules
- [Deleted] FIRST-S00011 First Seen Sysmon IMPHASH - Global
- [Deleted] FIRST-S00012 First Seen Sysmon IMPHASH - Host
Log Mappers
- [New] Carbon Black C2C Alert - DEVICE_CONTROL
- [New] Carbon Black Cloud C2C API Call
- [New] Carbon Black Cloud C2C Cross Process Event
- [New] Carbon Black Cloud C2C File Modification
- [New] Carbon Black Cloud C2C Module Load
- [New] Carbon Black Cloud C2C Network Connection
- [New] Carbon Black Cloud C2C Process Auditing
- [New] Carbon Black Cloud C2C Registry Modification
- [New] Carbon Black Cloud C2C Script Load
- [New] Carbon Black Cloud C2C Watchlist Hit
- [Updated] AWS Security Hub; Remaps Action field to more consistently appearing actionType, maps cloud region, description, and accountId, and adjusts mapper to use collapsed single list item array field names.
- [Updated] Squid Proxy - Parser; Made minor additions to allow for Bytes In and Out normalization
Parsers
- [Updated] /Parsers/System/AWS/AWS Security Hub; Modifies eventID to 'Title' which appears more consistently. Concatenates ResourceType and ID to create single strongly typed field. Collapses single listed item arrays.
- [Updated] /Parsers/System/Squid/Squid Proxy Syslog; Made minor additions to allow for Bytes In and Out parsing