Sumo Logic Cloud SIEM Release Notes


May 4th, 2026 - Content Release

This content release includes:

  • Enhanced Fortinet field mappings with standardized severity normalization, session tracking, and device identification across 27 log mappers, plus removal of 3 redundant mappers.
  • Windows and Linux Sysmon mapper improvements ensuring the normalizedAction and normalizedResource fields are consistently populated across all 44 event types, for better query performance and standardization.
  • Citrix Cloud C2C parser and mapper updates adding session log support for monitoring user authentication, connection lifecycle, and session state transitions.
  • MITRE ATT&CK Tactics & Techniques updated to v19.
    • Rule updates corresponding to new and deprecated Tactics & Techniques.

Changes are enumerated below.

Rules

  • [Updated] MATCH-S00924 AWS Bedrock Guardrail Deleted
  • [Updated] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
  • [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
  • [Updated] MATCH-S00540 AWS CloudTrail Network Access Control List Deleted
  • [Updated] MATCH-S00664 AWS CloudWatch Alarm Actions Disabled
  • [Updated] MATCH-S00663 AWS CloudWatch Alarm Deletion
  • [Updated] MATCH-S00662 AWS CloudWatch Anomaly Detector Deletion
  • [Updated] MATCH-S00665 AWS CloudWatch Log Group Deletion
  • [Updated] MATCH-S00661 AWS CloudWatch Log Stream Deletion
  • [Updated] MATCH-S00671 AWS Config Recorder Deletion
  • [Updated] MATCH-S00672 AWS Config Recorder Stopped
  • [Updated] MATCH-S00670 AWS Config Service Tampering
  • [Updated] MATCH-S00677 AWS Route 53 Service Tampering
  • [Updated] MATCH-S00674 AWS WAF Access Control List Updated
  • [Updated] MATCH-S00676 AWS WAF Rule Group Updated
  • [Updated] MATCH-S00675 AWS WAF Rule Updated
  • [Updated] MATCH-S00673 AWS WAF Service Tampering
  • [Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
  • [Updated] MATCH-S00589 Alibaba ActionTrail Network Access Control List Deleted
  • [Updated] MATCH-S00516 Antivirus Ransomware Detection
  • [Updated] MATCH-S00415 Attempt to Clear Windows Event Logs Using Wevtutil
  • [Updated] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [Updated] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [Updated] MATCH-S00797 Azure - Event Hub Deleted
  • [Updated] MATCH-S00864 Azure Firewall Rule Modified
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
  • [Updated] LEGACY-S00037 Fortinet Critical App-Risk
  • [Updated] LEGACY-S00038 Fortinet High App-Risk
  • [Updated] MATCH-S00620 GCP Audit Cloud SQL Database Modified
  • [Updated] MATCH-S00621 GCP Audit GCE Firewall Rule Modified
  • [Updated] MATCH-S00622 GCP Audit GCE Network Route Created or Modified
  • [Updated] MATCH-S00623 GCP Audit GCE VPC Network Modified
  • [Updated] MATCH-S00626 GCP Audit Logging Sink Modified
  • [Updated] MATCH-S00627 GCP Audit Pub/Sub Subscriber Modified
  • [Updated] MATCH-S00628 GCP Audit Pub/Sub Topic Deleted
  • [Updated] MATCH-S00953 GitHub - Audit Logging Modification
  • [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00831 Office 365 Unified Audit Logging Disabled
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
  • [Updated] LEGACY-S00080 SSH Interesting Hostname Login
  • [Updated] LEGACY-S00170 The Audit Log was Cleared - 1102
  • [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
  • [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
  • [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
  • [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
  • [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
  • [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
  • [Updated] MATCH-S00531 Unload Sysmon Filter Driver
  • [Updated] MATCH-S00892 Value Added to Azure NSG Group
  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
  • [Updated] MATCH-S00549 Windows Disable Antispyware Registry
  • [Updated] MATCH-S00538 Windows Firewall Rule Added
  • [Updated] MATCH-S00537 Windows Firewall Rule Deleted
  • [Updated] MATCH-S00536 Windows Firewall Rule Modified
  • [Updated] MATCH-S00533 Windows Security Account Manager Stopped

Log Mappers

  • [Deleted] Fortinet DNS Query
  • [Deleted] Fortinet Traffic2
  • [Deleted] Fortinet dns Logs
  • [New] Citrix Cloud Session Logs
  • [Updated] Fortinet Anomaly Logs
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Appctrl2
  • [Updated] Fortinet Authentication
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet DNS
  • [Updated] Fortinet Endpoint
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet FortiGate-200D Auth CEF
  • [Updated] Fortinet FortiGate-200D Endpoint CEF
  • [Updated] Fortinet FortiGate-200D Flow CEF
  • [Updated] Fortinet Traffic
  • [Updated] Fortinet UTM IDS1
  • [Updated] Fortinet VPN
  • [Updated] Fortinet Virus
  • [Updated] Fortinet ha Logs
  • [Updated] Fortinet perf-stats pba-close Systems Logs
  • [Updated] Fortinet security-rating Logs
  • [Updated] Fortinet ssl Logs
  • [Updated] Fortinet voip Logs
  • [Updated] Fortinet wad Logs
  • [Updated] Fortinet waf Logs
  • [Updated] Fortinet wireless Logs
  • [Updated] Linux-Sysmon/Operational - 1
  • [Updated] Linux-Sysmon/Operational - 10
  • [Updated] Linux-Sysmon/Operational - 15
  • [Updated] Linux-Sysmon/Operational - 16
  • [Updated] Linux-Sysmon/Operational - 17
  • [Updated] Linux-Sysmon/Operational - 18
  • [Updated] Linux-Sysmon/Operational - 2
  • [Updated] Linux-Sysmon/Operational - 23
  • [Updated] Linux-Sysmon/Operational - 3
  • [Updated] Linux-Sysmon/Operational - 4
  • [Updated] Linux-Sysmon/Operational - 5
  • [Updated] Linux-Sysmon/Operational - 6
  • [Updated] Linux-Sysmon/Operational - 7
  • [Updated] Linux-Sysmon/Operational - 8
  • [Updated] Linux-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 16
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational-29

Parsers

  • [Updated] /Parsers/System/Citrix/Citrix Cloud C2C

Schema

  • [Updated] MITRE ATT&CK Tactics & Techniques to v19

April 10th, 2026 - Content Release

Note: In upcoming content releases, we will be addressing field mapping redundancies involving the following fields: device_hostname, device_ip, srcDevice_hostname, and srcDevice_ip. Currently, these normalized fields are sometimes derived from the same input source, leading to duplication.

The updates will streamline and standardize these mappings across the following product mappers, as well as any rules that generate signals from their records:

  • AWS CloudTrail
  • Cisco Umbrella
  • Fortinet FortiGate
  • Jamf
  • Microsoft Office 365
  • Microsoft Windows
  • Okta
  • Suricata

These refinements will help ensure consistent and efficient data normalization across supported sources.

This content release includes:

  • New AWS Bedrock audit logging to track knowledge base deletion events.
  • Enhanced field mappings and parsing for Netskope security events, improving username extraction, threat categorization, and anomaly detection across 14 log mappers.
  • Updated Microsoft Exchange Message Trace mapper and parser to support Graph API log format with improved email tracking and user identification.
  • Expanded AWS CloudWatch and IAM logging with improved identity field mapping, timestamp parsing, and resource tracking.
  • Parser enhancements for Imperva Incapsula (cslabel field support) and Infoblox (new log format support).
  • New schema fields for grandparent process tracking to improve visibility into process execution chains.

Additional changes are enumerated below.

Log Mappers

  • [New] CloudTrail - bedrock.amazonaws.com - DeleteKnowledgeBase
  • [Updated] AWS CloudWatch Custom
  • [Updated] CloudTrail - iam.amazonaws.com - Policy Change
  • [Updated] Microsoft O365 Exchange Message Trace C2C
  • [Updated] Netskope - Alerts
  • [Updated] Netskope - Anomaly - Bulk Download
  • [Updated] Netskope - Anomaly - User Shared Credentials
  • [Updated] Netskope - Application Events
  • [Updated] Netskope - Audit Authentication Events - Logoff
  • [Updated] Netskope - Audit Authentication Events - Logon
  • [Updated] Netskope - Audit Events
  • [Updated] Netskope - Catch All
  • [Updated] Netskope - DLP Alerts
  • [Updated] Netskope - Incidents
  • [Updated] Netskope - Network Events
  • [Updated] Netskope - Page Events
  • [Updated] Netskope - nspolicy

Parsers

  • [Updated] /Parsers/System/AWS/AWS CloudWatch
  • [Updated] /Parsers/System/Imperva/Imperva Incapsula
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • [Updated] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C

Schema

  • [New] grandparentBaseImage
  • [New] grandparentCommandLine
  • [New] grandparentPid

March 26th, 2026 - Content Release

This content release includes:

  • New support for Proofpoint TRAP threat response and Teleport access management.
  • Improved Fortinet traffic visibility with additional byte count field mappings across application control, traffic, and web filter logs.
  • Enhanced Microsoft Office 365 authentication event normalization for action and cause fields.
  • Infoblox DHCP log parsing improvements for broader log format coverage.

Additional changes are enumerated below.

Log Mappers

  • [New] Proofpoint TRAP Default Mapping
  • [New] Teleport Authentication
  • [New] Teleport Default
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events

Parsers

  • [New] /Parsers/System/Proofpoint/Proofpoint TRAP
  • [New] /Parsers/System/Teleport/Teleport
  • [Updated] /Parsers/System/Infoblox/Infoblox

March 12th, 2026 - Content Release

This content release includes:

  • New Cloudflare DNS event visibility with a dedicated log mapper and enhanced parser support for DNS query logging.
  • Improved Infoblox DHCP event handling with updated field mappings and additional timestamp format support.
  • Refined detection logic for Office 365 MailItemsAccessed events, now using global baselines for more accurate first-seen analysis.
  • Performance optimization for Windows critical service monitoring rule.

Additional changes are enumerated below.

Rules

  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line

Log Mappers

  • [New] Cloudflare - DNS Events
  • [Updated] Infoblox DDI - DHCP

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

February 24th, 2026 - Content Release

This content release includes:

  • Added MITRE ATLAS Tactics and Techniques to the tag schema for improved attack pattern classification and detection rule development.
  • Expanded Ubiquiti Unifi network visibility with 7 new log mappers and parser enhancements covering process execution, DHCP events, DNS queries, and general network traffic.
  • Enhanced field mappings and parsing for email security, web traffic analysis, and authentication monitoring:
    • Abnormal Security threat detection now captures email metadata, sender/recipient details, and threat categorization.
    • Netskope web transactions include network connection details, file hashes, and error context.
    • Okta Active Directory authentication events provide standardized user identification.

Additional changes are enumerated below.

Log Mappers

  • [New] Unifi - Process Cron - Command Execution
  • [New] Unifi - Process sudo - Superuser Do Command Execution
  • [New] Unifi DHCP ACK Event
  • [New] Unifi DHCP Offer Event
  • [New] Unifi DHCP Request and DHCP DISCOVER Event
  • [New] Unifi DNS Network Event
  • [New] Unifi Network Event
  • [Updated] Abnormal Security Threats
  • [Updated] Netskope - WebTx Events
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Unifi Catch All
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [Updated] /Parsers/System/Abnormal Security/Abnormal Security
  • [Updated] /Parsers/System/Netskope/Netskope WebTx
  • [Updated] /Parsers/System/Okta/Okta
  • [Updated] /Parsers/System/Ubiquiti/Ubiquiti Unifi

February 18, 2026 - Application Update

Bulk update insights

We're happy to announce that you can use the UI or API to update multiple insights at a time, including closing, reassigning, adding comments, or giving them a new status. Acting on multiple insights at once speeds up your insight resolution.

February 9th, 2026 - Content Release

This content release includes:

  • New support for OpenAI and Anthropic Claude Code audit logging to monitor AI platform usage, API key lifecycle, and organizational access.
  • New support for Akamai Noname API Security threat detection and analysis.
  • Enhanced CrowdStrike Falcon detection coverage including XDR events, automated lead summaries, and data protection alerts.
  • Standardized device IP field mappings across Cisco ASA log mappers for improved asset correlation.

Additional changes are enumerated below.

Rules

  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line. Updated detection expression for improved query performance.

Log Mappers

  • [New] Akamai Noname API Security Insight Log
  • [New] Anthropic Claude Code - api_request|api_error|user_prompt|tool_result|tool_decision
  • [New] Anthropic Claude Code Catch All
  • [New] CrowdStrike Alert - All Detections
  • [New] CrowdStrike Falcon - AutomatedLeadSummaryEvent|XdrDetectionSummaryEvent
  • [New] CrowdStrike Falcon - DataProtectionDetectionSummaryEvent
  • [New] OpenAI Audit - API Key Events
  • [New] OpenAI Audit - Invite Events
  • [New] OpenAI Audit - Login Events
  • [New] OpenAI Audit - Organization Events
  • [New] OpenAI Audit - Project Events
  • [New] OpenAI Audit - Role Assignment Events
  • [New] OpenAI Audit - Role Events
  • [New] OpenAI Audit - Service Account Events
  • [New] OpenAI Audit - User Management Events
  • [New] OpenAI Audit - Workflow Events
  • [New] OpenAI Audit Catch All
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109201|109207|113022
  • [Updated] Cisco ASA 4180(18|19|44)
  • [Updated] Cisco ASA 609002 JSON
  • [Updated] Cisco ASA 713172 JSON
  • [Updated] Cisco ASA 713nnn JSON
  • [Updated] Cisco ASA 716039 JSON
  • [Updated] Cisco ASA 716059 JSON
  • [Updated] Cisco ASA 725016|771002
  • [Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
  • [Updated] Cisco Umbrella DNS Logs
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [New] /Parsers/System/Akamai/Noname API Security
  • [New] /Parsers/System/Anthropic/Claude Code
  • [New] /Parsers/System/OpenAI/OpenAI Audit
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON

January 23rd, 2026 - Content Release

This content release includes:

  • New parsing and mapping support for Ubiquiti Unifi.
  • Updates to Infoblox DDI and NIOS log mappers and parsers to extract and map hostname, IP, port, and MAC address fields.
  • Updates to Check Point Firewall Syslog parser to improve user extraction.
  • Update to Netskope Security Cloud JSON parser to add a static alert name in the absence of specific alert name data.

Log Mappers

  • [New] Unifi Catch All
  • [New] Unifi Http Request Logs
  • [New] Unifi Traffic Logs
  • [Updated] Infoblox DDI - Catch All
  • [Updated] Infoblox DDI - DHCP
  • [Updated] Infoblox DDI - DNS
  • [Updated] Infoblox NIOS - Catch All
  • [Updated] Infoblox NIOS - DHCP
  • [Updated] Infoblox NIOS - DNS

Parsers

  • [New] /Parsers/System/Ubiquiti/Ubiquiti Unifi
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

January 15th, 2026 - Content Release

This release adds support for OCSF 1.6 and Netskope WebTx logs. Changes are enumerated below.

Rules

  • [New] MATCH-S01148 OCSF IAM Analysis Finding
    • Passes through IAM analysis findings from OCSF conforming sources.
  • [Updated] MATCH-S00445 Known Ransomware File Extensions
    • Corrects spelling in rule description.

Log Mappers

  • [Updated] Netskope - WebTx Events

Parsers

  • [New] /Parsers/System/Netskope/Netskope WebTx

January 9th, 2026 - Content Release

This content release includes:

  • Rule update.
  • New parsing and mapping support for VMware vSphere Web Services.
  • Updates to Fortinet parsing and mapping to better capture inbound and outbound traffic bytes and packets.
  • Updates to Okta mapping to standardize srcDevice_ip mappings.

Changes are enumerated below.

Rules

  • [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
    • Added exclusion to rule expression to exclude consideration of null values in baseline.

Log Mappers

  • [New] Check Point Anti Malware
  • [New] Check Point New Anti Virus
  • [New] vSphere Web Services - Login/Logout
  • [New] vSphere Web Services - default
  • [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
    • Update to parser and mapper to correctly capture IP directionality.
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic Syslog 1
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Oracle Cloud Infrastructure Audit Catch All
    • Update to mapper to correctly capture source IP address.

Parsers

  • [New] /Parsers/System/VMware/vSphere Web Services
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-JSON

Copyright © 2026 by Sumo Logic, Inc.