2016 SIEM Content and Parsing Updates


Table of Contents

SIEM Data Sources: January 21, 2016; February 10, 2016; February 16, 2016; February 26, 2016; March 25, 2016; June 2, 2016; June 8, 2016; July 19, 2016; August 04, 2016; August 11, 2016; August 15, 2016; September 1, 2016; September 2, 2016; September 26, 2016; October 12, 2016; October 13, 2016; November 7, 2016; November 10, 2016; November 11, 2016; December 2, 2016

SIEM Custom Types: October 13, 2016; October 25, 2016

SIEM Parsing Rules: January 8, 2015; January 12, 2016; January 13, 2016; January 21, 2016; January 22, 2016; January 25, 2016; January 29, 2016; January 29, 2016; February 4, 2016; February 8, 2016; February 10, 2016; February 11, 2016; February 16, 2016; February 17, 2016; February 19, 2016; February 23, 2016; February 24, 2016; February 25, 2016; February 26, 2016; February 29, 2016; March 2, 2016; March 3, 2016; March 7, 2016; March 8, 2016; March 9, 2016; March 11, 2016; March 14, 2016; March 16, 2016; March 17, 2016; March 18, 2016; March 21, 2016; March 24, 2016; March 25, 2016; March 29, 2016; March 30, 2016; March 31, 2016; April 01, 2016; April 04, 2016; April 07, 2016; April 08, 2016; April 21,; April 26, 2016; May 3, 2016; May 5, 2016; May 5, 2016; May 9, 2016; May 11, 2016; May 16, 2016; May 18, 2016; May 23, 2016; May 24, 2016; May 25, 2016; May 26, 2016; May 27, 2016; June 2, 2016; June 06, 2016; June 08, 2016; June 13, 2016; June 15, 2016; June 17, 2016; June 20, 2016; June 23, 2016; June 28, 2016; June 30, 2016; July 07, 2016; July 08, 2016; July 11, 2016; July 12, 2016; July 13, 2016; July 15, 2016; July 19, 2016; July 22, 2016; July 25, 2016; August 02, 2016; August 04, 2016; August 11, 2016; August 15, 2016; August 22, 2016; August 24, 2016; September 1, 2016; September 2, 2016; September 15, 2016; September 19, 2016; September 23, 2016; September 26, 2016; October 5, 2016; October 12, 2016; October 13, 2016; October 25, 2016; October 28, 2016; November 2, 2016; November 7, 2016; November 9, 2016; November 10, 2016; November 11, 2016; December 2, 2016; December 5, 2016; December 14, 2016; December 15, 2016; December 16, 2016

Content Packs: February 3, 2016; February 4, 2016; February 18, 2016; April 13, 2016; April 18, 2016; May 20, 2016; May 31, 2016; June 2, 2016; July 12, 2016; August 9, 2016; September 15, 2016; September 27, 2016; September 30,; November 2, 2016

IPS Rules: January 12, 2016; January 14, 2016; January 15, 2016; February 9, 2016; March 8, 2016; March 17, 2016; March 23, 2016; April 13, 2016; May 20,

SIEM Data Sources

January 21, 2016
New Data Source
Vendor: SSH Communications Security
Product: CryptoAuditor
Collector: Syslog
Device ID: 554
Version: ESM and above
Notes:

February 10, 2016
New Data Source
Vendor: IBM
Product: ISS SiteProtector - LEEF
Collector: Syslog
Device ID: 555
Version: ESM and above
Notes: Parses LEEF formatted events received over syslog.

February 16, 2016
New Data Source
Product: Internet Authentication Service - Database Compatible Format
Collector: File Pull / Syslog
Device ID: 556
Version: ESM and above
Notes: Parses database-compatible formatted log files. Parsed events use signature IDs associated with data source ID 407.

February 26, 2016
Modified Data Source
Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Device ID: 470
Version: ESM and above
Notes: Updated to support pulling Audit events from Oracle 12c.

New Data Source
Vendor: Prevoty
Product: Prevoty
Collector: Syslog
Device ID: 557
Version: ESM and above
Notes: Syslog support requires the use of Log4j on Prevoty.

March 25, 2016
New Data Source
Vendor: Wurldtech
Product: OpShield
Collector: Syslog
Device ID: 558
Version: ESM and above
Notes:
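The ISS SiteProtector - LEEF data source above parses LEEF formatted events received over syslog. As an added illustration, not McAfee ESM code and not a real SiteProtector sample, the Python below parses syslog-wrapped LEEF 1.0 events: it splits the pipe-delimited header, splits the attributes on the tab delimiter, and also accepts the `#011` sequence that rsyslog substitutes for a tab by default when it relays a message. The sample lines, vendor, product and attribute names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real product output). Line 2 shows a tab that a
# relaying syslog daemon has escaped as '#011' (rsyslog's default handling of
# control characters); line 3 has no syslog header; line 4 is not LEEF at all.
SAMPLE_LINES = [
    "<13>Feb 10 12:00:00 sensor01 LEEF:1.0|ExampleVendor|ExampleIDS|4.2|port_scan|"
    "src=10.0.0.5\tdst=10.0.0.9\tdstPort=22\tsev=5",
    "<14>Feb 10 12:00:01 sensor01 LEEF:1.0|ExampleVendor|ExampleIDS|4.2|policy_block|"
    "src=10.0.0.7#011dst=192.0.2.10#011action=block",
    "LEEF:1.0|ExampleVendor|ExampleIDS|4.2|heartbeat|",
    "<13>Feb 10 12:00:02 sensor01 not a LEEF event",
]

# RFC 3164-style prefix: <PRI>, 'Mon dd hh:mm:ss', hostname, then the message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# LEEF 1.0 separates attributes with a tab; '#011' is the octal escape some
# syslog relays emit in its place.
ATTR_DELIM_RE = re.compile(r"\t|#011")


def parse_leef(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line carrying a LEEF 1.0 event.

    Returns a flat dict with the syslog facility/severity/host (when a header
    is present), the LEEF header fields and an 'attrs' dict, or None when the
    line is not a LEEF 1.0 event.
    """
    event: Dict[str, object] = {}
    msg = line
    header = SYSLOG_RE.match(line)
    if header:
        pri = int(header.group("pri"))
        event["syslog_facility"] = pri // 8   # PRI = facility * 8 + severity
        event["syslog_severity"] = pri % 8
        event["syslog_host"] = header.group("host")
        event["syslog_timestamp"] = header.group("ts")
        msg = header.group("msg")
    if not msg.startswith("LEEF:"):
        return None
    # Header layout: LEEF:Version|Vendor|Product|Version|EventID|<attributes>
    parts = msg.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        return None  # malformed header, or LEEF 2.0 (extra delimiter field)
    _, vendor, product, product_version, event_id, attr_text = parts
    event.update(vendor=vendor, product=product,
                 product_version=product_version, event_id=event_id)
    attrs: Dict[str, str] = {}
    for pair in ATTR_DELIM_RE.split(attr_text):
        key, sep, value = pair.partition("=")
        if sep and key:
            attrs[key.strip()] = value
    event["attrs"] = attrs
    return event


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of lines, dropping anything that is not a LEEF event."""
    parsed = (parse_leef(line) for line in lines)
    return [event for event in parsed if event is not None]


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event["event_id"], event["attrs"])
```

The header check rejects LEEF 2.0 deliberately: its sixth header field names a custom attribute delimiter, so treating it as LEEF 1.0 would silently glue all attributes into one key.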

June 2, 2016
New Data Source
Vendor: Interset
Product: Interset
Collector: Syslog
Device ID: 560
Version: ESM and above
Notes: Requires Interset version 4.1 or greater.

June 8, 2016
New Data Source
Vendor: Globalscape
Product: Globalscape EFT
Collector: MEF
Device ID: 561
Version: ESM and above
Notes:

New Data Source
Vendor: Blue Coat
Product: Reporter
Collector: File
Device ID: 562
Version: ESM and above
Notes: Added support for Blue Coat Reporter Cloud Access logs.

July 19, 2016
New Data Source
Vendor: PhishMe
Product: PhishMe Intelligence
Collector: Syslog
Device ID: 563
Version: ESM and above

August 04, 2016
New Data Source
Vendor: Malwarebytes
Product: Breach Remediation
Collector: Syslog
Device ID: 564
Version: ESM and above
Notes: CEF format is supported.

August 11, 2016
New Data Source
Vendor: Malwarebytes
Product: Management Console
Collector: Syslog
Device ID: 565
Version: ESM and above
Notes: Management Console version 1.7, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit running on managed endpoints. CEF formatted syslog is supported by ESM.

August 15, 2016
New Data Sources
Vendor: CyberArk
Product: Privileged Threat Analytics
Collector: Syslog
Device ID: 566
Version: ESM and above
Notes: CEF format is supported from PTA version 3.1.

September 1, 2016
New Data Sources
Vendor: Skyhigh Networks
Product: Cloud Security Platform
Collector: Syslog
Device ID: 567
Version: ESM and above
Notes: Requires Skyhigh Enterprise Connector. CEF format is supported. Skyhigh version 2.2 and above is supported by ESM.

Vendor: Niara
Product: Niara
Collector: Syslog
Device ID: 568
Version: ESM and above
Notes: Niara version 1.5 and above is supported by ESM.

Vendor: TrapX Security
Product: DeceptionGrid
Collector: Syslog
Device ID: 569
Version: ESM and above
Notes:

September 2, 2016
New Data Sources
Vendor: Attivo Networks
Product: BOTsink
Collector: Syslog
Device ID: 570
Version: ESM and above
Notes: Requires BOTsink version 3.3 or above.

Vendor: PhishMe
Product: PhishMe Triage
Collector: Syslog
Device ID: 571
Version: ESM and above
Notes:

September 26, 2016
Updated Data Sources
Product: ePolicy Orchestrator (SiteAdvisor)
Collector: SQL
Device ID: 357
Version: ESM and above
Notes: The SQL configuration was updated to report the HostName and HostIP fields belonging to the host running the SiteAdvisor client.

October 12, 2016
New Data Sources
Vendor: Fortscale
Product: Fortscale UEBA
Collector: Syslog
Device ID: 572
Version: ESM and above
Notes:

October 13, 2016
New Data Source
Vendor: ThreatConnect
Product: ThreatConnect Threat Intelligence Platform
Collector: Syslog
Device ID: 573
Version: ESM and above
Notes:

November 7, 2016
New Data Sources
Product: Endpoint Security Platform (ePO)
Collector: SQL
Device ID: 574
Version: ESM and above
Notes: Data source coupled with ePO.

Product: Endpoint Security Firewall (ePO)
Collector: SQL
Device ID: 575
Version: ESM and above
Notes: Data source coupled with ePO.

Product: Endpoint Security Threat Prevention (ePO)
Collector: SQL
Device ID: 576
Version: ESM and above
Notes: Data source coupled with ePO.

Product: Endpoint Security Web Control (ePO)
Collector: SQL
Device ID: 577
Version: ESM and above
Notes: Data source coupled with ePO.

November 10, 2016
Updated Data Sources
Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Device ID: 470
Version: ESM and above
Notes: The SQL configuration was updated to pull Unified Audit events from version 12c when mixed mode reporting is disabled and Unified Auditing is specifically enabled.

November 11, 2016
Updated Data Sources
Product: ePolicy Orchestrator (HIPS)
Collector: SQL
Device ID: 357
Version: ESM and above
Notes: The SQL configuration was updated to collect the Local Port and Remote Port fields from the HIPS tables in ePO.

December 2, 2016
Updated Data Sources
Vendor: Symantec
Product: Critical System Protection - SQL Pull (ASP)
Collector: SQL
Device ID: 103
Version: ESM and above
Notes: The SQL configuration was updated to collect events from newer versions of Data Center Security, including version 6.7. The data source name was also updated to Data Center Security (CSP) - SQL Pull.

SIEM Custom Types

October 13, 2016
New Custom Types
Field Name: Device_Confidence
Data Type: Unsigned Integer
Event Field: 24
Indexed: Yes
ESM Version: and above

October 25, 2016
New Custom Types
Field Name: Total_Bytes
Data Type: Accumulator
Event Field: 3
Indexed: Yes
ESM Version: and above

SIEM Parsing Rules

January 8, 2015
Data Source: Advanced Threat Defense
Parsing rules , , and were updated to map the Object GUID and Correlation ID from the log to the Object_GUID and Instance_GUID fields in the ESM.

Data Source: Advanced Threat Defense
Data Source rules , , , , , and were added to the Advanced Threat Defense rule set.

January 12, 2016
Vendor: Juniper Networks
Data Source: JUNOS Router (ASP)
Parsing rules and were added to the JUNOS Router (ASP) rule set.

Data Source: Windows Event Log - WMI
Affected Versions: ESM and above
Parsing rules , , , , , , , , , , , , , , and were added to the Windows Event Log - WMI rule set.

January 13, 2016
Vendor: Vormetric
Data Source: Data Security (ASP)
Parsing rule was updated to add key to Registry_Key, and faked usernames to User_Nickname. Normalization was also updated.

Data Source: Windows Event Log - WMI
Parsing rule was created in the Windows Event Log - WMI rule set to parse events from the Vasco Identikey authentication server.

January 21, 2016
Data Source: Microsoft Event Log - WMI
Parsing rule was updated to map the filename to the Filename field in the ESM.

Vendor: Fortinet
Data Source: FortiGate UTM
Parsing rules and were updated to include edit in the action map.

Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM and above
Parsing rule was updated to map the CVE reference from the log to the Vulnerability_References field in the ESM.

Vendor: SSH Communications Security
Data Source: CryptoAuditor
Parsing rule was added to the CryptoAuditor rule set.

January 22, 2016
Data Source: Network Security Manager (ASP)
Affected Versions: ESM and above
Data source rule messages were updated to reflect changes made by the McAfee NSM.

January 25, 2016
Data Source: Windows Event Log - WMI
Affected Versions: ESM and above
Parsing rule was added to the Windows Event Log - WMI rule set to parse event 1085 from the Microsoft-Windows-GroupPolicy source.

Data Source: Forefront Threat Management Gateway / ISA Server - W3C (ASP)
Parsing rule was updated to account for optional ports at the end of the source and destination IPs. Denied was added to the action map, which maps the action from the log to the Event Subtype field in the ESM.

January 29, 2016
Data Source: Meraki
Parsing rules through were added to the Meraki rule set.

January 29, 2016
Data Source: Windows Event Log - WMI
Parsing rules , , , , , , , and were updated to parse and capture the service name into the ESM field Service_Name, where they used to parse it into Application. The rules also parse the following additional data from the logs: error code into the ESM field Status, event count into the ESM field Count, device action into the ESM field Device_Action, and time for corrective actions into the ESM field Response_Time.

Vendor: F5 Networks
Data Source: BIG-IP Application Security Manager (ASP)
Parsing rules , , , and were updated to parse the PID from the logs.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager - LTM (ASP)
Parsing rules , , , , , and were updated to parse the PID from the logs into the ESM field PID. Rule was also updated to capture the instance GUID from the logs into the ESM field instance_guid for ESM versions and above.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Parsing rule was updated to parse changes made to the event in newer versions of FortiGate UTM.

Data Source: PIX/ASA/FWSM (ASP)
Parsing rules through were added to the Cisco PIX/ASA/FWSM rule set.

Data Source: PIX/ASA/FWSM (ASP)
Parsing rules through were added to the Cisco PIX/ASA/FWSM rule set.
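The Forefront TMG / ISA Server entry of January 25 above describes two small parsing changes: tolerating an optional port after the source and destination IP, and adding Denied to the action map that feeds the Event Subtype field. The Python below is an added illustration of both, not ESM rule code. The log lines are constructed and their column order is an assumption for this example (it is not the real TMG W3C layout), and the Event Subtype labels in ACTION_MAP are this example's own values rather than ESM's.

```python
import re
from typing import Dict, Optional

# Constructed, space-delimited proxy log lines. The column order
# (date time client-ip dest-ip action url) is an assumption for this example,
# not the real TMG/ISA W3C layout. Lines 2 and 3 carry ':port' suffixes;
# line 4 carries a suffix that is not a port and must be rejected.
SAMPLE_LINES = [
    "2016-01-25 10:15:01 10.0.0.5 192.0.2.10 Allowed http://example.com/",
    "2016-01-25 10:15:02 10.0.0.5:51234 192.0.2.10:443 Denied https://example.net/",
    "2016-01-25 10:15:03 10.0.0.6:49152 192.0.2.11 Failed http://example.org/",
    "2016-01-25 10:15:04 10.0.0.6:notaport 192.0.2.11 Allowed http://example.org/",
]

# IPv4 address with an optional ':port' suffix. Keeping the port in its own
# optional group means both field shapes yield the same address capture.
IP_PORT = (
    r"(?P<{name}_ip>(?:\d{{1,3}}\.){{3}}\d{{1,3}})"
    r"(?::(?P<{name}_port>\d{{1,5}}))?"
)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    + IP_PORT.format(name="src") + " "
    + IP_PORT.format(name="dst") + " "
    + r"(?P<action>\S+) (?P<url>\S+)$"
)

# Log action -> Event Subtype. The labels are assumed for this example; the
# point is that an action missing from the map ('Denied' before the update)
# falls through, so the event carries no subtype and is harder to search on.
ACTION_MAP = {"Allowed": "allow", "Denied": "deny", "Failed": "failure"}


def parse_line(line: str, action_map: Dict[str, str] = ACTION_MAP) -> Optional[Dict[str, object]]:
    """Parse one proxy log line; None when the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": f"{d['date']} {d['time']}",
        "src_ip": d["src_ip"],
        "src_port": int(d["src_port"]) if d["src_port"] else None,
        "dst_ip": d["dst_ip"],
        "dst_port": int(d["dst_port"]) if d["dst_port"] else None,
        "action": d["action"],
        "event_subtype": action_map.get(d["action"]),  # None = unmapped action
        "url": d["url"],
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

Passing the action map as a parameter makes the before/after behaviour easy to compare: with a map that lacks Denied, the blocked request still parses, but its Event Subtype is empty.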
Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager (ASP)
Parsing rules through were added to the BIG-IP Local Traffic Manager (ASP) rule set.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Parsing rules and were added to the FortiGate UTM rule set.

February 4, 2016
Data Source: Windows Event Log - WMI
Parsing rules were added to the Windows Event Log - WMI rule set to support Terminal Services and Remote Desktop Services events.

Data Source: Windows Event Log - WMI
Affected Versions: ESM and above
Parsing rules , , and have updated normalization from Authentication -> User Account to Network Access -> Connection/Session. Parsing rules , , , and have updated normalization from Authentication -> Login to Application -> Configuration Status.

February 8, 2016
Data Source: PIX/ASA/FWSM - ASP
Parsing rules through were added to the PIX/ASA/FWSM - ASP rule set.

Data Source: IOS (ASP)
Affected Versions: ESM and above
Multiple rules were updated to modify the parsing of the date and time from Cisco events.

February 10, 2016
Vendor: Checkpoint
Data Source: Checkpoint - ASP
Affected Versions: ESM and above
Parsing rules were updated to prioritize an IPv4 address for capture into the ESM field NAT_Details.NAT_Address when one exists in the logs.

Vendor: Enterasys Networks
Data Source: Enterasys Network Access Control (ASP)
Parsing rule was modified to account for a new format of the State field in the logs.

Vendor: IBM
Data Source: ISS SiteProtector - LEEF
Parsing rule was added to the ISS SiteProtector - LEEF rule set.

February 11, 2016
Vendor: SourceFire
Data Source: FireSIGHT Management Console - estreamer
Parsing rules , , , , and were updated to handle logs where no source IP is present.

Data Source: SharePoint (ASP)
Parsing rules through were updated to enhance hostname parsing.

Data Source: SharePoint (ASP)
Parsing rules , , and were added to the SharePoint (ASP) rule set.

February 16, 2016
Data Source: Internet Authentication Service - Formatted (ASP)
Affected Versions: ESM and above
Parsing rule was updated to map the Nas ID, Nas IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

Data Source: Internet Authentication Service - XML (ASP)
Affected Versions: ESM and above
Parsing rule was updated to map the Nas ID, Nas IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

Data Source: Internet Authentication Service - Database Compatible Format
Affected Versions: ESM and above
Parsing rule was added to the Internet Authentication Service - Database Compatible Format rule set.

February 17, 2016
Data Source: Network Security Manager (ASP)
1566 Data Source Rules were added to the Network Security Manager (ASP) rule set.

February 19, 2016
Vendor: Juniper Networks
Data Source: Juniper Secure Access / MAG (ASP)
Affected Versions: ESM and above
Parsing rule was updated to account for a spelling error in the Secure Access log, and will match on either Occured or Occurred.

February 23, 2016
Data Source: Network Security Manager (ASP)
Added new data source rules , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , and to the McAfee Network Security Manager (ASP) data source.

Data Source: Network Security Manager (ASP)
Updated the normalization for data source rules , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , and for the McAfee Network Security Manager (ASP) data source.

February 24, 2016
Vendor: RioRey
Data Source: DDOS Protection
Parsing rule was added to the RioRey DDOS Protection rule set.

Data Source: Windows Event Log - WMI
Parsing rules , , , , , and were updated to map Service Name and File Name from the logs to Service_Name and Filename in the ESM. In some cases Service Name from the logs was mapped to Application in the ESM.

February 25, 2016
Modified Rules
Data Source: IOS (ASP)
Parsing rule was updated with a severity value of 10 and will parse Source IP, Source Port, Destination IP, Destination Port, and Protocol from the logs to Source IP, Source Port, Destination IP, Destination Port and Protocol in the ESM.

February 26, 2016
Data Source: NX-OS (ASP)
Parsing rules through were added to the Cisco NX-OS (ASP) rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Parsing rule was added to the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: Prevoty
Data Source: Prevoty
Affected Versions: ESM and above
Parsing rules through were added to the Prevoty rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Parsing rule was updated to support the Console service in addition to Log and Maintenance on the Cooper Power Systems Cybectec RTU (ASP) rule set.

Data Source: McAfee Host Data Loss Prevention (ePO)
Parsing rules , , and were updated to include the product family name of Data Loss Prevention in the adsid map and regular expression matches.

February 29, 2016
Vendor: InterSect Alliance
Data Source: Snare for Windows (ASP)
Parsing rule was updated to map the Subject Account Name, New Logon Account Name, New Logon Logon ID, Subject Logon ID, New Logon Security ID, New Logon Account Domain, Package Name, Failure Reason, and Failure Information Status from the log to the Destination Username, Source Username, Source_Logon_ID, Destination_Logon_ID, Security_ID, Domain, Version, Message_Text, and Status fields in the ESM. The changes were made to improve reporting for event IDs 4624, 4625, 4675, 4648, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 4672 and

March 2, 2016
Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Parsing rules , , were updated to include the following additional categories: '220 : Security:Compromised Websites', '221 : Extended Protection:Newly Registered Websites', '222 : Collaboration - Office', '223 : Collaboration - Office:Office - Mail', '224 : Collaboration - Office:Office - Drive', '225 : Collaboration - Office:Office - Documents', '226 : Collaboration - Office:Office - Apps', '227 : Information Technology:Web Analytics', '228 : Information Technology:Web and Marketing'. Rule was updated to enhance auto learning for the Websense - CEF, Key Value Pair (ASP) data source.

Vendor: Websense
Data Source: Websense Enterprise - SQL Pull (ASP)
Parsing rules , , and were updated to include the following additional categories: '220 : Security:Compromised Websites', '221 : Extended Protection:Newly Registered Websites', '222 : Collaboration - Office', '223 : Collaboration - Office:Office - Mail', '224 : Collaboration - Office:Office - Drive', '225 : Collaboration - Office:Office - Documents', '226 : Collaboration - Office:Office - Apps', '227 : Information Technology:Web Analytics', '228 : Information Technology:Web and Marketing' for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: Websense
Data Source: Websense Enterprise - SQL Pull (ASP)
Normalization was updated for Data Source Rules 1029, 1030, 1031, 1035, 1037, 1040, 1041, 1052, 1053, 1054, 1057, 1060, 1061, 1293, 1296, 1310, 1313, 1537, 1553, , and for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Parsing rules , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , and were updated to map the Statement from the log to the SQL_Statement field in the ESM. Parsing rules through , through , through , , and through were updated to map the Target Object Type from the log to the Object_Type field in the ESM. Parsing rules , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , through , through , through , and were updated to map the Target Object Name from the log to the Object field in the ESM.

March 3, 2016
Vendor: Fortinet
Data Source: FortiManager (ASP)
Parsing rules through , and through were updated to improve username parsing.

Vendor: Kaspersky
Data Source: Administration Kit - SQL Pull (ASP)
Affected Versions: ESM and above
Parsing rule was updated to capture Threat Name from the logs into Threat Name in the ESM.

Data Source: Windows Event Log - WMI
Parsing rule was updated to parse Old Account Name and New Account Name from the logs into Old Value and New Value in the ESM.

March 7, 2016
Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Parsing rules through , were added to the LOGbinder - LOGbinder (ASP) data source.

March 8, 2016
Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Parsing rules and were updated to map the Threat_ID and Threat_Severity from the logs to the Incident_ID and Object fields, respectively, in the ESM.

March 9, 2016
Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Parsing rule was added to the Cybectec RTU (ASP) data source.

Vendor: Citrix
Data Source: NetScaler (ASP)
Parsing rules , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , were updated to enhance normalization for the Cybectec RTU (ASP) data source.

Vendor: RioRey
Data Source: DDOS Protection
Parsing rule was updated to map zone from the logs into Destination_Zone and Source_Zone on the ESM. The rule message has also been updated to show the full context of the event.

March 11, 2016
Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Parsing rules through were added to the LOGbinder (ASP) data source.

Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Parsing rules through were updated to account for updated log formats; the updated rules also map Performed Logon Type, Item Subject, and Mailbox GUID from the logs into Logon_Type, Subject, and Instance_GUID in the ESM for the LOGbinder (ASP) data source.

Vendor: IBM
Data Source: ISS SiteProtector - SQL Pull
Updated parsing rule to map blocked from the logs to Action in the ESM for the ISS SiteProtector - SQL Pull data source.

March 14, 2016
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM and above
Updated parsing rule to capture sd:originator/cid:appname, cid:alertdetails, cid:riskratingvalue, sd:signature/@cid:type, sd:signature/@id, cid:os/@type, sd:signature/marscategory, sd:attacker/sd:addr/@cid:locality, and sd:target/sd:addr/@cid:locality from the logs to application, Message_Text, Reputation, Threat_Category, Incident_ID, objectname, Threat_Name, Source_Zone, and Destination_Zone in the ESM for the IOS IPS (SDEE protocol) data source.

March 16, 2016
Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Parsing rules through were added to the Messaging Security Gateway (ASP) data source.

Data Source: Wireless Lan Controller (ASP)
Parsing rules through were added to the Wireless Lan Controller (ASP) data source.

Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Updated parsing rules , , , , , , , , , , , , through , , , , , through , , , , , , through , , , , , , , and to enhance application captures and improve reporting for the Messaging Security Gateway (ASP) data source.

Vendor: UNIX
Data Source: Linux (ASP)
Updated parsing rules , , , , , , , , , , and to enhance parsing and reporting for the Linux (ASP) data source.

March 17, 2016
Vendor: UNIX
Data Source: Linux (ASP)
Parsing rules and were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

Data Source: Windows DNS (ASP)
Parsing rules through and through were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

March 18, 2016
Vendor: SourceFire
Data Source: FireSIGHT Management Console - estreamer
Parsing rules and were updated to map the Device ID.Name from the log, when present, to the Sensor_Name field in the ESM.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Parsing rules , , , and were updated to enhance parsing for the Cybectec RTU (ASP) data source.

Data Source: IOS (ASP)
Parsing rules , and were updated to enhance parsing and action reporting for the IOS (ASP) data source. Rule has been enhanced to parse source IP and destination IP from the logs into Source IP and Destination IP, and the normalization has been updated from Suspicious Activity -> Protocol Anomaly -> TCP Protocol Anomaly to Suspicious Activity -> Invalid Command or Data.

Vendor: SourceFire
Data Source: FireSIGHT Management Console - estreamer
Affected Versions: ESM and above
Parsing rules through were added to the FireSIGHT Management Console - estreamer rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Parsing rules through were added to the Cybectec RTU (ASP) data source.

Data Source: IOS (ASP)
Parsing rules through were added to the IOS (ASP) data source.

March 21, 2016
Data Source: Network Security Manager (ASP)
Parsing rule was updated to enhance parsing; the rule will now capture URI referrer, CLI command, Login ID, IP, and Port from the logs into URL, Command, Source IP, and Source Port in the ESM for the Network Security Manager (ASP) data source.

Data Source: Network Security Manager (ASP)
Data Source rule was added to the Network Security Manager (ASP) data source.

March 24, 2016
Vendor: Unix
Data Source: Linux (ASP)
Parsing rules , , , , , , , , , , , , , , and were updated to account for IPv6 addresses. Parsing rules , , and were updated to no longer set the message from the log text. The updates were made to rules parsing BIND events.

Data Source: ePolicy Orchestrator (ASP)
Parsing rule was updated to map siem_severity as the primary capture and ThreatSeverity as the secondary capture for the Severity field in the ESM.

Vendor: Enforcive
Data Source: Cross-Platform Audit
Parsing rule was added to the Cross-Platform Audit data source.

March 25, 2016
Vendor: Wurldtech
Data Source: OpShield
Parsing rules through were added to the OpShield rule set.

Vendor: Reversing Labs
Data Source: N1000
Parsing rules through and were added to the N1000 parsing rule set.

Vendor: UNIX
Data Source: Linux (ASP)
Parsing rules have been added to the Linux rule set.

March 29, 2016
Data Source: PIX/ASA/FWSM (ASP)
Updated parsing rules , , through , , , , , , , , , , , , , , and through to improve normalization and enhance parsing for the PIX/ASA/FWSM (ASP) data source. Parsing rules , , , , , , , , , , , , , and were updated to map Destination IP, Source IP, Hostname, Shun List, Username, Interface, Destination Interface, and Device Type from the logs to Destination IP, Source IP, Hostname, Objectname, Source Username, Interface, Destination Interface, and External Device Type in the ESM.

Data Source: Network Security Manager (ASP)
Enhanced normalizations for data source rules , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , for the Network Security Manager (ASP) data source.
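The March 17 Linux (ASP) entry maps the DNS query type into DNS_Type and re-normalizes those events to Network Access -> DNS, and the March 24 entry above makes the same BIND rules accept IPv6 client addresses. The Python below is an added example covering both changes; it is not ESM rule code. It parses constructed BIND-style query log lines, in which the client field is `address#port` and the address may be an IPv4 or IPv6 literal, and validates the address with the standard ipaddress module instead of a dotted-quad regex, which is exactly the shape of fix the IPv6 update describes.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed BIND-style query log lines (not taken from the page). The client
# field is '<address>#<port>'; newer BIND releases also print a '@0x...' client
# pointer before it. Line 3 has an invalid address, line 4 is not a query log.
SAMPLE_LINES = [
    "24-Mar-2016 10:01:02.123 queries: info: client 10.0.0.5#51234 (example.com): "
    "query: example.com IN A + (10.0.0.1)",
    "24-Mar-2016 10:01:03.456 queries: info: client @0x7f3c5c001234 2001:db8::1#49152 "
    "(example.org): query: example.org IN AAAA +E (2001:db8::53)",
    "24-Mar-2016 10:01:04.789 queries: info: client 999.1.1.1#53 (bad.example): "
    "query: bad.example IN MX - (10.0.0.1)",
    "24-Mar-2016 10:01:05.000 general: notice: running",
]

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?"                   # optional client pointer
    r"(?P<client>[0-9A-Fa-f:.]+)#(?P<port>\d{1,5}) "  # IPv4 or IPv6 literal, '#port'
    r"\((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[0-9A-Fa-f:.]+)\)"
)

# Normalization from the page. It is a constant here because every BIND query
# event maps to the same category; nothing in the line changes it.
NORMALIZATION = "Network Access -> DNS"


def parse_query(line: str) -> Optional[Dict[str, object]]:
    """Parse one BIND query log line into ESM-style fields, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    try:
        client = ipaddress.ip_address(m.group("client"))
        server = ipaddress.ip_address(m.group("server"))
    except ValueError:
        return None  # '999.1.1.1' or a truncated IPv6 literal: reject, don't guess
    return {
        "source_ip": str(client),
        "source_port": int(m.group("port")),
        "ip_version": client.version,
        "destination_ip": str(server),
        "query": m.group("name"),
        "dns_class": m.group("qclass"),
        "dns_type": m.group("qtype"),
        "flags": m.group("flags"),
        "normalization": NORMALIZATION,
    }


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch, keeping only well-formed query events."""
    return [e for e in (parse_query(line) for line in lines) if e is not None]


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event["source_ip"], event["dns_type"], event["query"])
```

The character class in the regex is intentionally loose (hex digits, colons and dots); the real acceptance test is `ipaddress.ip_address`, so an address the regex lets through but the library rejects produces no event rather than a wrong Source IP.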
Vendor: Citrix
Data Source: NetScaler (ASP)
Affected Versions: ESM and above
Parsing rules , , , , , , and were updated to remove time captures. Event times are now derived from the syslog header.

March 30, 2016
Vendor: Aruba
Data Source: Aruba OS
Updated rules , , , , , , , , , to enhance parsing for the Aruba OS data source.

March 31, 2016
Data Source: Windows Event Log - WMI
Parsing rules , , and were added to the Windows Event Log - WMI data source.

Data Source: EWS v5 / Gateway Original Format - Legacy - (ASP)
Updated parsing rule to capture all attachments listed in the logs into File_Path in the ESM for the EWS v5 / Gateway Original Format - Legacy - (ASP) data source.

April 01, 2016
Data Source: NX-OS (ASP)
Parsing rules , , , through , , , through , , , , , , through , , , , , , through , , through , , , , , through , through , , , through , , , , through , through , through , , , through , , , through , , through , through , , through , , , and were updated to enhance parsing. The rules in this data source had been parsing Interface and Port from the logs into Object in the ESM; they will now parse Interface and Port from the logs into Interface in the ESM for the NX-OS (ASP) data source.

April 04, 2016
Vendor: Raz-Lee Security
Data Source: iSecurity Suite (ASP)
Parsing rules through were added to the iSecurity Suite (ASP) data source.

Vendor: Raz-Lee Security
Data Source: iSecurity Suite (ASP)
Parsing rules through were updated to enhance parsing; the rules were also updated to map Job, Job Type, Document, and MsgID from the logs into Mainframe_Job_Name, Job_Type, Filename, and Message_ID in the ESM for the iSecurity Suite (ASP) data source.

April 07, 2016
Vendor: Good Technology
Data Source: Good Mobile Control (ASP)
Parsing rules , , , and were updated to enhance parsing for the Good Mobile Control (ASP) data source.

April 08, 2016
Vendor: Enforcive
Data Source: Cross-Platform Audit
Updated parsing rule to map Event Status, Application, Action, Destination Process, and Message from the logs into Event Subtype, Application, Command, Target_Process_Name, and Signature_Name in the ESM for the Cross-Platform Audit data source.

Data Source: Advanced Threat Defense
Parsing rule was updated to enhance parsing for the Advanced Threat Defense data source.

Vendor: Vormetric
Data Source: Data Security (ASP)
Parsing rule was updated to enhance parsing for the Data Security (ASP) data source.

April 21, 2016
Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Affected Versions: ESM and above
Updated parsing rules and to account for parentheses in rule messages for the Palo Alto Firewalls (ASP) data source.

April 26, 2016
Data Source: Windows Event Log - WMI
Parsing rules , , , , , , , , , , , , , , , , , , , and were added to the Windows Event Log - WMI rule set.

May 3, 2016
Data Source: ePolicy Orchestrator (ASP)
Parsing rules and were updated to map ThreatSeverity as the primary capture and siem_severity as the secondary capture for the Severity field in the ESM. The mapping of the Severity values has also been enhanced.

May 5, 2016
Vendor: Fortinet
Data Source: FortiGate UTM - Space Delimited - (ASP)
Parsing rules , , , , , , , , , , , , , , , , , , , , , and were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 5, 2016
Vendor: Fortinet
Data Source: FortiGate UTM - Comma Delimited - (ASP)
Parsing rules , , , , , , , and were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 9, 2016
Vendor: Fortinet
Data Source: FortiGate UTM - Space Delimited - (ASP)
Parsing rule was updated to add timeout to the action map.

Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Affected Versions: ESM and above
Updated parsing rules , , , , , , , , , , , , , , and to reduce the possibility of overlapping rules for the Messaging Security Gateway (ASP) data source.

May 11, 2016
Data Source: Windows Event Log - WMI
Updated parsing rule for the Windows Event Log - WMI data source to enhance Domain and Hostname parsing.

May 16, 2016
Vendor: SourceFire
Data Source: FireSIGHT Management Console - estreamer
Affected Versions: ESM and above
Parsing rules and were updated to account for minor changes in the log format. The Threat_Name field mapping was removed, as it no longer matches the context of the event.
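The March 24 and May 3 ePolicy Orchestrator (ASP) entries above swap which log field is the primary capture for Severity (siem_severity first, then ThreatSeverity first), and the May 5 FortiGate entries apply the same primary/secondary idea to status and action. The Python below, an added example rather than ESM rule code, shows what such an ordered capture does: the first listed field that is present and non-empty wins, and the scale conversion applied depends on which field won. The event rows are constructed; the ThreatSeverity code meanings and the 1-100 values they map to are assumptions for this example, not ESM's actual table.

```python
from typing import Dict, Optional, Sequence, Tuple

# Constructed ePO-style threat event rows (column name -> value), as a SQL pull
# would hand them to the parser. Not real ePO output.
SAMPLE_EVENTS = [
    {"ThreatSeverity": "2", "siem_severity": "60"},  # both present, values disagree
    {"ThreatSeverity": "4"},                         # secondary missing
    {"siem_severity": "40"},                         # primary missing
    {"ThreatSeverity": "", "siem_severity": ""},     # both present but empty
    {"ThreatSeverity": "9"},                         # code outside the known range
]

# Assumed: ThreatSeverity carries syslog-style codes (0 = Emergency ... 7 = Debug)
# and siem_severity is already on a 1-100 scale. The 1-100 targets below are
# this example's choice, not ESM's mapping.
THREAT_SEVERITY_TO_ESM = {0: 100, 1: 95, 2: 85, 3: 70, 4: 50, 5: 30, 6: 15, 7: 5}

MARCH_ORDER = ("siem_severity", "ThreatSeverity")  # March 24: siem_severity primary
MAY_ORDER = ("ThreatSeverity", "siem_severity")    # May 3: ThreatSeverity primary


def capture(event: Dict[str, str], order: Sequence[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (field, raw value) for the first field in `order` that is present
    and non-empty; an empty string counts as absent so the secondary can win."""
    for field in order:
        value = event.get(field)
        if value not in (None, ""):
            return field, value
    return None, None


def esm_severity(event: Dict[str, str], order: Sequence[str]) -> Optional[int]:
    """Resolve the Severity field using the given capture order.

    The scale conversion depends on which field won, which is why capture()
    reports the field name and not just the value."""
    field, raw = capture(event, order)
    if field is None or raw is None:
        return None
    try:
        number = int(raw)
    except ValueError:
        return None
    if field == "ThreatSeverity":
        return THREAT_SEVERITY_TO_ESM.get(number)  # unknown code -> no severity
    return max(1, min(100, number))  # clamp a SIEM-scale value into 1..100


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, esm_severity(event, MARCH_ORDER), esm_severity(event, MAY_ORDER))
```

The first sample row is the one that matters operationally: when both fields are present and disagree, swapping the capture order changes the severity the SIEM stores, so a change like the May 3 one deserves a check against alarm thresholds that key on Severity.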
May 18, 2016

Vendor: Tufin
Data Source: SecureTrack (ASP)
Updated parsing rules through for the SecureTrack (ASP) data source with new versions to enhance action mapping, support additional time formats, and improve normalization and severity.

May 23, 2016

Data Source: Windows Event Log - WMI
Affected Versions: ESM and above
Parsing rules through , through , through , through , through , , through , through , through , through , through , , through , through , , , , through , through , , through , through , through , through , , , through , , through , through , through , through , , , , through , through , through , through , through , through , through , through , , , , , , , , through , , through , , , , , , , , , through , , through , through , through , through , , , , through , , , through , , , , , , , , through , through , , , , , , , , through , , , , through , , , through , , , , through , , , , , , through , through , through , through , through , through , , , through , through , , through , , , , , , through , through , , , , , through , , through , through , through , through , through , through , through , , , , , through , , through , through , through , through , through , through , , , , , , , through , , through , through , through , , , through , through , through , through , through , through , through , through , through , through , through , , through , through , through , through , through , , , , through , , , through , , through , , , , through , through , through , through , through , through , , through , through , through , through , and were added to the Windows Event Log - WMI rule set.

Data Source: Windows Event Log - WMI
Affected Versions: ESM and above
Parsing rules , , and were modified for the Windows Event Log - WMI rule set.

May 24, 2016

Data Source: PIX/ASA/FWSM (ASP)
Updated parsing rule for the PIX/ASA/FWSM (ASP) data source to enhance Source IP parsing.

May 25, 2016

Data Source: Web Gateway (ASP)
Parsing rules through were added to parse Audit events from the Web Gateway (ASP) data source.

Data Source: PIX/ASA/FWSM (ASP)
Updated parsing rule for the PIX/ASA/FWSM (ASP) data source to enhance Source IP and Destination IP parsing.

May 26, 2016

Data Source: PIX/ASA/FWSM (ASP)
Updated parsing rule for the PIX/ASA/FWSM (ASP) data source to map Source IP from the log into Source IP in the ESM.

May 27, 2016

Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Added parsing rule to the Palo Alto Firewalls (ASP) data source.

Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Updated parsing rules through , , , , , , , , and for the Palo Alto Firewalls (ASP) data source to enhance parsing.

June 2, 2016

Vendor: Interset
Data Source: Interset
Affected Versions: ESM and above
Added support for the Interset data source.

Data Source: Windows Event Log - WMI
Parsing rules , , , , , and were updated to map the direction from the log to the Direction field in the ESM.

Data Source: Windows Event Log - WMI
301 parsing rules were added to the Windows Event Log - WMI data source to parse events from HealthService and OpsMgr SDK Service.

June 06, 2016

Vendor: UNIX
Data Source: Linux (ASP)
Parsing rules , , and were added to the Linux (ASP) data source.

Vendor: UNIX
Data Source: Linux (ASP)
Updated parsing rules , , , , , , , , through , , , , , , , , , , , , , , and for the Linux (ASP) data source to enhance parsing. Parsing rules , , and have been deprecated.

June 08, 2016

Vendor: Globalscape
Data Source: Globalscape EFT
Added support for the Globalscape EFT data source. Parsing rule was added to the Globalscape EFT data source.

Vendor: SafeNet
Data Source: Hardware Security Modules (ASP)
Parsing rule was added to the Hardware Security Modules (ASP) data source.

Vendor: Blue Coat
Data Source: Reporter
Added support for the Reporter data source. Parsing rule was added to the Reporter data source.

Vendor: SafeNet
Data Source: Hardware Security Modules (ASP)
Updated parsing rules through , , through , , and for the Hardware Security Modules (ASP) data source.

June 13, 2016

Data Source: IOS (ASP)
Affected Versions: ESM and above
Parsing rules , , and for the IOS (ASP) data source were updated to enhance parsing.


More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.5.3 Revision A Contents About this release on page 2 System requirements on page 2 Build number and checksums on page 4 Compatibility on page 5 New features

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

For a full description of Wi-Fi Cloud features and functionality, see WatchGuard Wi-Fi Cloud Help.

For a full description of Wi-Fi Cloud features and functionality, see WatchGuard Wi-Fi Cloud Help. WatchGuard Wi-Fi Cloud Release Notes Latest Wi-Fi Cloud Update 31 May 2018 Release Notes Revision Date 31 May 2018 Current Wi-Fi Cloud Version 8.5.0-658 Introduction WatchGuard Wi-Fi Cloud is a powerful,

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Threat Detection and Response. Deployment Guide

Threat Detection and Response. Deployment Guide Threat Detection and Response Deployment Guide About This Guide The Threat Detection and Response Getting Started Guide is a guide to help you set up the Threat Detection and Response subscription service.

More information

McAfee Endpoint Security

McAfee Endpoint Security McAfee Endpoint Security Frequently Asked Questions Overview You re facing new challenges in light of the increase of advanced malware. Limited integration between threat detection, network, and endpoint

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

MOVE AntiVirus page-level reference

MOVE AntiVirus page-level reference McAfee MOVE AntiVirus 4.7.0 Interface Reference Guide (McAfee epolicy Orchestrator) MOVE AntiVirus page-level reference General page (Configuration tab) Allows you to configure your McAfee epo details,

More information