April 10th, 2026 - Content Release
Note: In upcoming content releases, we will be addressing field mapping redundancies involving the following fields: device_hostname, device_ip, srcDevice_hostname, and srcDevice_ip. Currently, these normalized fields are sometimes derived from the same input source, leading to duplication.
The updates will streamline and standardize these mappings across the following product mappers, as well as any rules that generate signals from their records:
- AWS CloudTrail
- Cisco Umbrella
- Fortinet FortiGate
- Jamf
- Microsoft Office 365
- Microsoft Windows
- Okta
- Suricata
These refinements will help ensure consistent and efficient data normalization across supported sources.
This content release includes:
- New AWS Bedrock audit logging to track knowledge base deletion events.
- Enhanced field mappings and parsing for Netskope security events, improving username extraction, threat categorization, and anomaly detection across 14 log mappers.
- Updated Microsoft Exchange Message Trace mapper and parser to support Graph API log format with improved email tracking and user identification.
- Expanded AWS CloudWatch and IAM logging with improved identity field mapping, timestamp parsing, and resource tracking.
- Parser enhancements for Imperva Incapsula (cslabelfield support) and Infoblox (new log format support).
- New schema fields for grandparent process tracking to improve visibility into process execution chains.
Additional changes are enumerated below.
Log Mappers
- [New] CloudTrail - bedrock.amazonaws.com - DeleteKnowledgeBase
- [Updated] AWS CloudWatch Custom
- [Updated] CloudTrail - iam.amazonaws.com - Policy Change
- [Updated] Microsoft O365 Exchange Message Trace C2C
- [Updated] Netskope - Alerts
- [Updated] Netskope - Anomaly - Bulk Download
- [Updated] Netskope - Anomaly - User Shared Credentials
- [Updated] Netskope - Application Events
- [Updated] Netskope - Audit Authentication Events - Logoff
- [Updated] Netskope - Audit Authentication Events - Logon
- [Updated] Netskope - Audit Events
- [Updated] Netskope - Catch All
- [Updated] Netskope - DLP Alerts
- [Updated] Netskope - Incidents
- [Updated] Netskope - Network Events
- [Updated] Netskope - Page Events
- [Updated] Netskope - nspolicy
Parsers
- [Updated] /Parsers/System/AWS/AWS CloudWatch
- [Updated] /Parsers/System/Imperva/Imperva Incapsula
- [Updated] /Parsers/System/Infoblox/Infoblox
- [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
- [Updated] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C
Schema
- [New] grandparentBaseImage
- [New] grandparentCommandLine
- [New] grandparentPid