May 4th, 2026 - Content Release

  • This content release includes:
    • Enhanced Fortinet field mappings with standardized severity normalization, session tracking, and device identification across 27 log mappers, plus removal of 3 redundant mappers
    • Windows and Linux Sysmon mapper improvements ensuring normalizedAction and normalizedResource fields are consistently populated across all 44 event types for better query performance and standardization
    • Citrix Cloud C2C parser and mapper updates adding session log support for monitoring user authentication, connection lifecycle, and session state transitions
    • MITRE ATT&CK Tactics & Techniques updated to v19
      • Rule updates corresponding to new and deprecated Tactics & Techniques.
    • Changes are enumerated below

Rules

  • [Updated] MATCH-S00924 AWS Bedrock Guardrail Deleted
  • [Updated] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
  • [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
  • [Updated] MATCH-S00540 AWS CloudTrail Network Access Control List Deleted
  • [Updated] MATCH-S00664 AWS CloudWatch Alarm Actions Disabled
  • [Updated] MATCH-S00663 AWS CloudWatch Alarm Deletion
  • [Updated] MATCH-S00662 AWS CloudWatch Anomaly Detector Deletion
  • [Updated] MATCH-S00665 AWS CloudWatch Log Group Deletion
  • [Updated] MATCH-S00661 AWS CloudWatch Log Stream Deletion
  • [Updated] MATCH-S00671 AWS Config Recorder Deletion
  • [Updated] MATCH-S00672 AWS Config Recorder Stopped
  • [Updated] MATCH-S00670 AWS Config Service Tampering
  • [Updated] MATCH-S00677 AWS Route 53 Service Tampering
  • [Updated] MATCH-S00674 AWS WAF Access Control List Updated
  • [Updated] MATCH-S00676 AWS WAF Rule Group Updated
  • [Updated] MATCH-S00675 AWS WAF Rule Updated
  • [Updated] MATCH-S00673 AWS WAF Service Tampering
  • [Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
  • [Updated] MATCH-S00589 Alibaba ActionTrail Network Access Control List Deleted
  • [Updated] MATCH-S00516 Antivirus Ransomware Detection
  • [Updated] MATCH-S00415 Attempt to Clear Windows Event Logs Using Wevtutil
  • [Updated] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [Updated] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [Updated] MATCH-S00797 Azure - Event Hub Deleted
  • [Updated] MATCH-S00864 Azure Firewall Rule Modified
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
  • [Updated] LEGACY-S00037 Fortinet Critical App-Risk
  • [Updated] LEGACY-S00038 Fortinet High App-Risk
  • [Updated] MATCH-S00620 GCP Audit Cloud SQL Database Modified
  • [Updated] MATCH-S00621 GCP Audit GCE Firewall Rule Modified
  • [Updated] MATCH-S00622 GCP Audit GCE Network Route Created or Modified
  • [Updated] MATCH-S00623 GCP Audit GCE VPC Network Modified
  • [Updated] MATCH-S00626 GCP Audit Logging Sink Modified
  • [Updated] MATCH-S00627 GCP Audit Pub/Sub Subscriber Modified
  • [Updated] MATCH-S00628 GCP Audit Pub/Sub Topic Deleted
  • [Updated] MATCH-S00953 GitHub - Audit Logging Modification
  • [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00831 Office 365 Unified Audit Logging Disabled
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
  • [Updated] LEGACY-S00080 SSH Interesting Hostname Login
  • [Updated] LEGACY-S00170 The Audit Log was Cleared - 1102
  • [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
  • [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
  • [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
  • [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
  • [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
  • [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
  • [Updated] MATCH-S00531 Unload Sysmon Filter Driver
  • [Updated] MATCH-S00892 Value Added to Azure NSG Group
  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
  • [Updated] MATCH-S00549 Windows Disable Antispyware Registry
  • [Updated] MATCH-S00538 Windows Firewall Rule Added
  • [Updated] MATCH-S00537 Windows Firewall Rule Deleted
  • [Updated] MATCH-S00536 Windows Firewall Rule Modified
  • [Updated] MATCH-S00533 Windows Security Account Manager Stopped

Log Mappers

  • [Deleted] Fortinet DNS Query
  • [Deleted] Fortinet Traffic2
  • [Deleted] Fortinet dns Logs
  • [New] Citrix Cloud Session Logs
  • [Updated] Fortinet Anomaly Logs
  • [Updated] Fortinet Appctrl1
  • [Updated] Fortinet Appctrl2
  • [Updated] Fortinet Authentication
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet DNS
  • [Updated] Fortinet Endpoint
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet FortiGate-200D Auth CEF
  • [Updated] Fortinet FortiGate-200D Endpoint CEF
  • [Updated] Fortinet FortiGate-200D Flow CEF
  • [Updated] Fortinet Traffic
  • [Updated] Fortinet UTM IDS1
  • [Updated] Fortinet VPN
  • [Updated] Fortinet Virus
  • [Updated] Fortinet ha Logs
  • [Updated] Fortinet perf-stats pba-close Systems Logs
  • [Updated] Fortinet security-rating Logs
  • [Updated] Fortinet ssl Logs
  • [Updated] Fortinet voip Logs
  • [Updated] Fortinet wad Logs
  • [Updated] Fortinet waf Logs
  • [Updated] Fortinet wireless Logs
  • [Updated] Linux-Sysmon/Operational - 1
  • [Updated] Linux-Sysmon/Operational - 10
  • [Updated] Linux-Sysmon/Operational - 15
  • [Updated] Linux-Sysmon/Operational - 16
  • [Updated] Linux-Sysmon/Operational - 17
  • [Updated] Linux-Sysmon/Operational - 18
  • [Updated] Linux-Sysmon/Operational - 2
  • [Updated] Linux-Sysmon/Operational - 23
  • [Updated] Linux-Sysmon/Operational - 3
  • [Updated] Linux-Sysmon/Operational - 4
  • [Updated] Linux-Sysmon/Operational - 5
  • [Updated] Linux-Sysmon/Operational - 6
  • [Updated] Linux-Sysmon/Operational - 7
  • [Updated] Linux-Sysmon/Operational - 8
  • [Updated] Linux-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 16
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational-29

Parsers

  • [Updated] /Parsers/System/Citrix/Citrix Cloud C2C

Schema

Updated MITRE ATT&CK Tactics & Techniques to v19

Copyright © 2026 by Sumo Logic, Inc.