January 9th, 2026 - Content Release

This content release includes:

• Rule update.
• New parsing and mapping support for VMware vSphere Web Services.
• Updates to Fortinet parsing and mapping to better capture inbound and outbound traffic bytes and packets.
• Updates to Okta mapping to standardize srcDevice_ip mappings.

Changes are enumerated below.

Rules

• [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
  • Added exclusion to rule expression to exclude consideration of null values in baseline.

Log Mappers

• [New] Check Point Anti Malware
• [New] Check Point New Anti Virus
• [New] vSphere Web Services - Login/Logout
• [New] vSphere Web Services - default
• [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
  • Update to parser and mapper to correctly capture IP directionality.
• [Updated] Fortinet Appctrl1
• [Updated] Fortinet Traffic Logs
• [Updated] Fortinet Traffic Syslog 1
• [Updated] Fortinet Traffic1
• [Updated] Fortinet Traffic2
• [Updated] Fortinet Webfilter Logs
• [Updated] Okta Authentication - auth_via_AD_agent
• [Updated] Okta Authentication - auth_via_mfa
• [Updated] Okta Authentication - auth_via_radius
• [Updated] Okta Authentication - sso
• [Updated] Okta Authentication Events
• [Updated] Okta Catch All
• [Updated] Okta Security Threat Events
• [Updated] Oracle Cloud Infrastructure Audit Catch All
  • Update to mapper to correctly capture source IP address.

Parsers

• [New] /Parsers/System/VMware/vSphere Web Services
• [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
• [Updated] /Parsers/System/Cisco/Cisco ASA
• [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-JSON