Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live; for retired content you'll need to remove it manually.
fingerprint_certificate Options - Optional parameters have been added to alter the behavior of the fingerprint_certificate parser.
fingerprint_minidump - Detects Windows Minidump files. Meta will be output as filetype - 'minidump'. This parser will also detect minidump files containing lsass memory and output meta as ioc - 'lsass minidump'.
fingerprint_certificate - This parser has been updated for efficiency and adds detection that can be customized through the options file.
HTTP_lua - Updated for accuracy and efficiency.
SMB_lua - Functionality has been added to support SMBv3.
MAIL_lua - Updated for accuracy and efficiency.
TLS_lua - Added a new option to TLS_lua to limit examination of sessions to only the ports specified in the option. If enabled, ports not listed will not be parsed by TLS_lua and thus will not be identified as service 443. This will reduce the workload of TLS_lua by eliminating identification of SSL/TLS sessions on unknown ports.
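To show what the fingerprint_minidump detection listed above amounts to, here is an added Python example (not the NetWitness parser's own Lua code): it checks for the MDMP signature, walks the stream directory to the ModuleListStream and registers ioc 'lsass minidump' when lsass.exe appears as a loaded module. The module-list heuristic and the build_sample_minidump constructor are assumptions of this example, not a description of the shipped parser.

```python
import struct

MINIDUMP_SIGNATURE = b"MDMP"
MODULE_LIST_STREAM = 4      # MINIDUMP_STREAM_TYPE.ModuleListStream
HEADER_FMT = "<4sIIIIIQ"    # MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY_FMT = "<III"      # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MODULE_SIZE = 108           # sizeof(MINIDUMP_MODULE); ModuleNameRva sits at offset 20


def fingerprint_minidump(buf):
    """Return the meta the parser would register: {'filetype': 'minidump'} for any minidump,
    plus {'ioc': 'lsass minidump'} when lsass.exe is in the module list. {} means not a minidump."""
    meta = {}
    if buf[:4] != MINIDUMP_SIGNATURE:
        return meta
    meta["filetype"] = "minidump"
    try:
        _, _ver, nstreams, dir_rva, _, _, _ = struct.unpack_from(HEADER_FMT, buf, 0)
        for i in range(nstreams):
            stype, _size, rva = struct.unpack_from(DIRECTORY_FMT, buf, dir_rva + 12 * i)
            if stype != MODULE_LIST_STREAM:
                continue
            (nmodules,) = struct.unpack_from("<I", buf, rva)
            for m in range(nmodules):
                (name_rva,) = struct.unpack_from("<I", buf, rva + 4 + m * MODULE_SIZE + 20)
                (nbytes,) = struct.unpack_from("<I", buf, name_rva)   # MINIDUMP_STRING.Length (bytes)
                name = buf[name_rva + 4:name_rva + 4 + nbytes].decode("utf-16-le", "replace")
                if name.lower().rsplit("\\", 1)[-1] == "lsass.exe":
                    meta["ioc"] = "lsass minidump"
                    return meta
    except struct.error:
        pass  # truncated or malformed directory: keep the filetype meta we already have
    return meta


def build_sample_minidump(module_names):
    """Constructed test input (not a real capture): header, one directory entry, a ModuleListStream, name strings."""
    dir_rva = struct.calcsize(HEADER_FMT)              # directory follows the 32-byte header
    modlist_rva = dir_rva + struct.calcsize(DIRECTORY_FMT)
    strings_rva = modlist_rva + 4 + MODULE_SIZE * len(module_names)
    modules, strings = b"", b""
    for name in module_names:
        encoded = name.encode("utf-16-le")
        name_rva = strings_rva + len(strings)
        strings += struct.pack("<I", len(encoded)) + encoded + b"\x00\x00"
        # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva, then zeroed remainder
        modules += struct.pack("<QIIII", 0x7FF600000000, 0x1000, 0, 0, name_rva) + b"\x00" * (MODULE_SIZE - 24)
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0xA793, 1, dir_rva, 0, 0, 0)
    directory = struct.pack(DIRECTORY_FMT, MODULE_LIST_STREAM, 4 + len(modules), modlist_rva)
    return header + directory + struct.pack("<I", len(module_names)) + modules + strings
```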
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.