Sumo Logic Cloud SIEM Release Notes


April 10th, 2026 - Content Release

Note: In upcoming content releases, we will be addressing field mapping redundancies involving the following fields: device_hostname, device_ip, srcDevice_hostname, and srcDevice_ip. Currently, these normalized fields are sometimes derived from the same input source, leading to duplication.

The updates will streamline and standardize these mappings across the following product mappers, as well as any rules that generate signals from their records:

  • AWS CloudTrail
  • Cisco Umbrella
  • Fortinet FortiGate
  • Jamf
  • Microsoft Office 365
  • Microsoft Windows
  • Okta
  • Suricata

These refinements will help ensure consistent and efficient data normalization across supported sources.

This content release includes:

  • New AWS Bedrock audit logging to track knowledge base deletion events.
  • Enhanced field mappings and parsing for Netskope security events, improving username extraction, threat categorization, and anomaly detection across 14 log mappers.
  • Updated Microsoft Exchange Message Trace mapper and parser to support Graph API log format with improved email tracking and user identification.
  • Expanded AWS CloudWatch and IAM logging with improved identity field mapping, timestamp parsing, and resource tracking.
  • Parser enhancements for Imperva Incapsula (cslabel field support) and Infoblox (new log format support).
  • New schema fields for grandparent process tracking to improve visibility into process execution chains.

Additional changes are enumerated below.

Log Mappers

  • [New] CloudTrail - bedrock.amazonaws.com - DeleteKnowledgeBase
  • [Updated] AWS CloudWatch Custom
  • [Updated] CloudTrail - iam.amazonaws.com - Policy Change
  • [Updated] Microsoft O365 Exchange Message Trace C2C
  • [Updated] Netskope - Alerts
  • [Updated] Netskope - Anomaly - Bulk Download
  • [Updated] Netskope - Anomaly - User Shared Credentials
  • [Updated] Netskope - Application Events
  • [Updated] Netskope - Audit Authentication Events - Logoff
  • [Updated] Netskope - Audit Authentication Events - Logon
  • [Updated] Netskope - Audit Events
  • [Updated] Netskope - Catch All
  • [Updated] Netskope - DLP Alerts
  • [Updated] Netskope - Incidents
  • [Updated] Netskope - Network Events
  • [Updated] Netskope - Page Events
  • [Updated] Netskope - nspolicy

Parsers

  • [Updated] /Parsers/System/AWS/AWS CloudWatch
  • [Updated] /Parsers/System/Imperva/Imperva Incapsula
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • [Updated] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C

Schema

  • [New] grandparentBaseImage
  • [New] grandparentCommandLine
  • [New] grandparentPid

March 26th, 2026 - Content Release

This content release includes:

  • New support for Proofpoint TRAP threat response and Teleport access management.
  • Improved Fortinet traffic visibility with additional byte count field mappings across application control, traffic, and web filter logs.
  • Enhanced Microsoft Office 365 authentication event normalization for action and cause fields.
  • Infoblox DHCP log parsing improvements for broader log format coverage.

Additional changes are enumerated below.

Log Mappers

  • [New] Proofpoint TRAP Default Mapping
  • [New] Teleport Authentication
  • [New] Teleport Default
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events

Parsers

  • [New] /Parsers/System/Proofpoint/Proofpoint TRAP
  • [New] /Parsers/System/Teleport/Teleport
  • [Updated] /Parsers/System/Infoblox/Infoblox

March 12th, 2026 - Content Release

This content release includes:

  • New Cloudflare DNS event visibility with a dedicated log mapper and enhanced parser support for DNS query logging.
  • Improved Infoblox DHCP event handling with updated field mappings and additional timestamp format support.
  • Refined detection logic for Office 365 MailItemsAccessed events, now using global baselines for more accurate first-seen analysis.
  • Performance optimization for Windows critical service monitoring rule.

Additional changes are enumerated below.

Rules

  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line

Log Mappers

  • [New] Cloudflare - DNS Events
  • [Updated] Infoblox DDI - DHCP

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

February 24th, 2026 - Content Release

This content release includes:

  • Added MITRE ATLAS Tactics and Techniques to tag schema for improved attack pattern classification and detection rule development.
  • Expanded Ubiquiti Unifi network visibility with 7 new log mappers and parser enhancements covering process execution, DHCP events, DNS queries, and general network traffic.
  • Enhanced field mappings and parsing for email security, web traffic analysis, and authentication monitoring:
    • Abnormal Security threat detection now captures email metadata, sender/recipient details, and threat categorization.
    • Netskope web transactions include network connection details, file hashes, and error context.
    • Okta Active Directory authentication events provide standardized user identification.

Additional changes are enumerated below.

Log Mappers

  • [New] Unifi - Process Cron - Command Execution
  • [New] Unifi - Process sudo - Superuser Do Command Execution
  • [New] Unifi DHCP ACK Event
  • [New] Unifi DHCP Offer Event
  • [New] Unifi DHCP Request and DHCP DISCOVER Event
  • [New] Unifi DNS Network Event
  • [New] Unifi Network Event
  • [Updated] Abnormal Security Threats
  • [Updated] Netskope - WebTx Events
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Unifi Catch All
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [Updated] /Parsers/System/Abnormal Security/Abnormal Security
  • [Updated] /Parsers/System/Netskope/Netskope WebTx
  • [Updated] /Parsers/System/Okta/Okta
  • [Updated] /Parsers/System/Ubiquiti/Ubiquiti Unifi

February 18th, 2026 - Application Update

Bulk update insights

We're happy to announce that you can use the UI or API to update multiple insights at a time, including closing, reassigning, adding comments, or giving them a new status. Acting on multiple insights at once speeds up your insight resolution.

February 9th, 2026 - Content Release

This content release includes:

  • New support for OpenAI and Anthropic Claude Code audit logging to monitor AI platform usage, API key lifecycle, and organizational access.
  • New support for Akamai Noname API Security threat detection and analysis.
  • Enhanced CrowdStrike Falcon detection coverage including XDR events, automated lead summaries, and data protection alerts.
  • Standardized device IP field mappings across Cisco ASA log mappers for improved asset correlation.

Additional changes are enumerated below.

Rules

  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line. Updated detection expression for improved query performance.

Log Mappers

  • [New] Akamai Noname API Security Insight Log
  • [New] Anthropic Claude Code - api_request|api_error|user_prompt|tool_result|tool_decision
  • [New] Anthropic Claude Code Catch All
  • [New] CrowdStrike Alert - All Detections
  • [New] CrowdStrike Falcon - AutomatedLeadSummaryEvent|XdrDetectionSummaryEvent
  • [New] CrowdStrike Falcon - DataProtectionDetectionSummaryEvent
  • [New] OpenAI Audit - API Key Events
  • [New] OpenAI Audit - Invite Events
  • [New] OpenAI Audit - Login Events
  • [New] OpenAI Audit - Organization Events
  • [New] OpenAI Audit - Project Events
  • [New] OpenAI Audit - Role Assignment Events
  • [New] OpenAI Audit - Role Events
  • [New] OpenAI Audit - Service Account Events
  • [New] OpenAI Audit - User Management Events
  • [New] OpenAI Audit - Workflow Events
  • [New] OpenAI Audit Catch All
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109201|109207|113022
  • [Updated] Cisco ASA 4180(18|19|44)
  • [Updated] Cisco ASA 609002 JSON
  • [Updated] Cisco ASA 713172 JSON
  • [Updated] Cisco ASA 713nnn JSON
  • [Updated] Cisco ASA 716039 JSON
  • [Updated] Cisco ASA 716059 JSON
  • [Updated] Cisco ASA 725016|771002
  • [Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
  • [Updated] Cisco Umbrella DNS Logs
  • [Updated] Unifi HTTP Request Logs

Parsers

  • [New] /Parsers/System/Akamai/Noname API Security
  • [New] /Parsers/System/Anthropic/Claude Code
  • [New] /Parsers/System/OpenAI/OpenAI Audit
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON

January 23rd, 2026 - Content Release

This content release includes:

  • New parsing and mapping support for Ubiquiti Unifi.
  • Updates to Infoblox DDI and NIOS log mappers and parsers to extract and map hostname, IP, port, and MAC address fields.
  • Updates to Check Point Firewall Syslog parser to improve user extraction.
  • Update to Netskope Security Cloud JSON parser to add a static alert name in the absence of specific alert name data.

Log Mappers

  • [New] Unifi Catch All
  • [New] Unifi Http Request Logs
  • [New] Unifi Traffic Logs
  • [Updated] Infoblox DDI - Catch All
  • [Updated] Infoblox DDI - DHCP
  • [Updated] Infoblox DDI - DNS
  • [Updated] Infoblox NIOS - Catch All
  • [Updated] Infoblox NIOS - DHCP
  • [Updated] Infoblox NIOS - DNS

Parsers

  • [New] /Parsers/System/Ubiquiti/Ubiquiti Unifi
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Infoblox/Infoblox
  • [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

January 15th, 2026 - Content Release

This release adds support for OCSF 1.6 and Netskope WebTx logs. Changes are enumerated below.

Rules

  • [New] MATCH-S01148 OCSF IAM Analysis Finding
    • Passes through IAM analysis findings from OCSF conforming sources.
  • [Updated] MATCH-S00445 Known Ransomware File Extensions
    • Corrects spelling in rule description.

Log Mappers

  • [Updated] Netskope - WebTx Events

Parsers

  • [New] /Parsers/System/Netskope/Netskope WebTx

January 9th, 2026 - Content Release

This content release includes:

  • Rule update.
  • New parsing and mapping support for VMware vSphere Web Services.
  • Updates to Fortinet parsing and mapping to better capture inbound and outbound traffic bytes and packets.
  • Updates to Okta mapping to standardize srcDevice_ip mappings.

Changes are enumerated below.

Rules

  • [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
    • Added exclusion to rule expression to exclude consideration of null values in baseline.

Log Mappers

  • [New] Check Point Anti Malware
  • [New] Check Point New Anti Virus
  • [New] vSphere Web Services - Login/Logout
  • [New] vSphere Web Services - default
  • [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
    • Update to parser and mapper to correctly capture IP directionality.
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Traffic Syslog 1
  • [Updated] Fortinet Traffic1
  • [Updated] Fortinet Traffic2
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Oracle Cloud Infrastructure Audit Catch All
    • Update to mapper to correctly capture source IP address.

Parsers

  • [New] /Parsers/System/VMware/vSphere Web Services
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-JSON

Copyright © 2026 by Sumo Logic, Inc.