November 14, 2025 - Content Release
This content release includes:
- Updates to Microsoft Azure rules so that rule summaries contain richer information about the groups and roles that have been modified.
- New and updated mappers for various products, including new support for PingIdentity MFA logs, better handling of severity scores for Netskope DLP alerts, and improved entity handling for Okta logs.
- New and updated parsers, including new support for PingIdentity MFA logs and improved parsing for Netskope DLP events.
Changes are enumerated below.
Rules
- [Updated] MATCH-S00226 Azure - Add Member to Group
- [Updated] MATCH-S00220 Azure - Add Member to Role Outside of PIM
- [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
- [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
- [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role
Log Mappers
- [New] Netskope - DLP Alerts
- [New] Netskope - Incidents
- [New] PingIdentity MFA - Authentication Event
- [New] PingIdentity MFA - Catch All
- [Updated] AzureActivityLog AuditLogs
- [Updated] Keeper Authentication
- [Updated] Netskope - Alerts
- [Updated] Netskope - Catch All
- [Updated] Okta Authentication - auth_via_AD_agent
- [Updated] Okta Authentication - auth_via_mfa
- [Updated] Okta Authentication - auth_via_radius
- [Updated] Okta Authentication - sso
- [Updated] Okta Authentication Events
- [Updated] Okta Catch All
- [Updated] Okta Security Threat Events
Parsers
- [New] /Parsers/System/PingIdentity/PingIdentity MFA
- [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON