February 9th, 2026 - Content Release

This content release includes:

  • New support for OpenAI and Anthropic Claude Code audit logging to monitor AI platform usage, API key lifecycle, and organizational access.
  • New support for Akamai Noname API Security threat detection and analysis.
  • Enhanced CrowdStrike Falcon detection coverage including XDR events, automated lead summaries, and data protection alerts.
  • Standardized device IP field mappings across Cisco ASA log mappers for improved asset correlation.

Additional changes are enumerated below.

Rules

  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line. Updated detection expression for improved query performance.

Log Mappers

  • [New] Akamai Noname API Security Insight Log
  • [New] Anthropic Claude Code - api_request|api_error|user_prompt|tool_result|tool_decision
  • [New] Anthropic Claude Code Catch All
  • [New] CrowdStrike Alert - All Detections
  • [New] CrowdStrike Falcon - AutomatedLeadSummaryEvent|XdrDetectionSummaryEvent
  • [New] CrowdStrike Falcon - DataProtectionDetectionSummaryEvent
  • [New] OpenAI Audit - API Key Events
  • [New] OpenAI Audit - Invite Events
  • [New] OpenAI Audit - Login Events
  • [New] OpenAI Audit - Organization Events
  • [New] OpenAI Audit - Project Events
  • [New] OpenAI Audit - Role Assignment Events
  • [New] OpenAI Audit - Role Events
  • [New] OpenAI Audit - Service Account Events
  • [New] OpenAI Audit - User Management Events
  • [New] OpenAI Audit - Workflow Events
  • [New] OpenAI Audit Catch All
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109201|109207|113022
  • [Updated] Cisco ASA 4180(18|19|44)
  • [Updated] Cisco ASA 609002 JSON
  • [Updated] Cisco ASA 713172 JSON
  • [Updated] Cisco ASA 713nnn JSON
  • [Updated] Cisco ASA 716039 JSON
  • [Updated] Cisco ASA 716059 JSON
  • [Updated] Cisco ASA 725016|771002
  • [Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
  • [Updated] Cisco Umbrella DNS Logs
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [New] /Parsers/System/Akamai/Noname API Security
  • [New] /Parsers/System/Anthropic/Claude Code
  • [New] /Parsers/System/OpenAI/OpenAI Audit
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON

January 23rd, 2026 - Content Release

This content release includes:

  • New parsing and mapping support for Ubiquiti Unifi.
  • Updates to Infoblox DDI and NIOS log mappers and parsers to extract and map hostname, IP, port, and MAC address fields.
  • Updates to Check Point Firewall Syslog parser to improve user extraction.
  • Update to Netskope Security Cloud JSON parser to add a static alert name in the absence of specific alert name data.

Log Mappers

  • [New] Unifi Catch All
  • [New] Unifi Http Request Logs
  • [New] Unifi Traffic Logs
  • [Updated] Infoblox DDI - Catch All
  • [Updated] Infoblox DDI - DHCP
  • [Updated] Infoblox DDI - DNS
  • [Updated] Infoblox NIOS - Catch All
  • [Updated] Infoblox NIOS - DHCP
  • [Updated] Infoblox NIOS - DNS

Parsers

  • [New] /Parsers/System/Ubiquiti/Ubiquiti Unifi
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

January 15th, 2026 - Content Release

This release adds support for OCSF 1.6 and Netskope WebTx logs. Changes are enumerated below.

Rules

  • [New] MATCH-S01148 OCSF IAM Analysis Finding
    • Passes through IAM analysis findings from OCSF-conforming sources.
  • [Updated] MATCH-S00445 Known Ransomware File Extensions
    • Corrects spelling in rule description.

Log Mappers

  • [Updated] Netskope - WebTx Events

Parsers

  • [New] /Parsers/System/Netskope/Netskope WebTx

January 9th, 2026 - Content Release

This content release includes:

  • Rule update.
  • New parsing and mapping support for VMware vSphere Web Services.
  • Updates to Fortinet parsing and mapping to better capture inbound and outbound traffic bytes and packets.
  • Updates to Okta mapping to standardize srcDevice_ip mappings.

Changes are enumerated below.

Rules

  • [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
    • Added an exclusion to the rule expression so that null values are not considered in the baseline.

Log Mappers

  • [New] Check Point Anti Malware
  • [New] Check Point New Anti Virus
  • [New] vSphere Web Services - Login/Logout
  • [New] vSphere Web Services - default
  • [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
    • Update to parser and mapper to correctly capture IP directionality.
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic Syslog 1
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Oracle Cloud Infrastructure Audit Catch All
    • Update to mapper to correctly capture source IP address.

Parsers

  • [New] /Parsers/System/VMware/vSphere Web Services
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-JSON
Copyright © 2026 by Sumo Logic, Inc.