Sumo Logic Cloud SIEM Release Notes

March 12th, 2026 - Content Release

Thu, 12 Mar 2026 00:00:00 GMT

This content release includes:

New Cloudflare DNS event visibility with a dedicated log mapper and enhanced parser support for DNS query logging.
Improved Infoblox DHCP event handling with updated field mappings and additional timestamp format support.
Refined detection logic for Office 365 MailItemsAccessed events. Now using global baselines for more accurate first-seen analysis.
Performance optimization for Windows critical service monitoring rule.

Additional changes are enumerated below.

Rules

[Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
[Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line

Log Mappers

[New] Cloudflare - DNS Events
[Updated] Infoblox DDI - DHCP

Parsers

[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
[Updated] /Parsers/System/Infoblox/Infoblox
[Updated] /Parsers/System/Linux/Linux OS Syslog

February 24th, 2026 - Content Release

Tue, 24 Feb 2026 00:00:00 GMT

This content release includes:
- Added MITRE ATLAS Tactics and Techniques to tag schema for improved attack pattern classification and detection rule development.
- Expanded Ubiquiti Unifi network visibility with 7 new log mappers and parser enhancements covering process execution, DHCP events, DNS queries, and general network traffic.
- Enhanced field mappings and parsing for email security, web traffic analysis, and authentication monitoring:
  - Abnormal Security threat detection now captures email metadata, sender/recipient details, and threat categorization.
  - Netskope web transactions include network connection details, file hashes, and error context.
  - Okta Active Directory authentication events provide standardized user identification.

Additional changes are enumerated below.

Log Mappers

[New] Unifi - Process Cron - Command Execution
[New] Unifi - Process sudo - Superuser Do Command Execution
[New] Unifi DHCP ACK Event
[New] Unifi DHCP Offer Event
[New] Unifi DHCP Request and DHCP DISCOVER Event
[New] Unifi DNS Network Event
[New] Unifi Network Event
[Updated] Abnormal Security Threats
[Updated] Netskope - WebTx Events
[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Unifi Catch All
[Updated] Unifi HTTP Request Logs

Parsers

[Updated] /Parsers/System/Abnormal Security/Abnormal Security
[Updated] /Parsers/System/Netskope/Netskope WebTx
[Updated] /Parsers/System/Okta/Okta
[Updated] /Parsers/System/Ubiquiti/Ubiquiti Unifi

February 18, 2026 - Application Update

Wed, 18 Feb 2026 00:00:00 GMT

Bulk update insights

We're happy to announce that you can use the UI or API to update multiple insights at a time, including closing, reassigning, adding comments, or giving them a new status. Acting on multiple insights at once speeds up your insight resolution. Learn more.

February 9th, 2026 - Content Release

Mon, 09 Feb 2026 00:00:00 GMT

This content release includes:

New support for OpenAI and Anthropic Claude Code audit logging to monitor AI platform usage, API key lifecycle, and organizational access.
New support for Akamai Noname API Security threat detection and analysis.
Enhanced CrowdStrike Falcon detection coverage including XDR events, automated lead summaries, and data protection alerts.
Standardized device IP field mappings across Cisco ASA log mappers for improved asset correlation.

Additional changes are enumerated below.

Rules

[Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line. Updated detection expression for improved query performance.

Log Mappers

[New] Akamai Noname API Security Insight Log
[New] Anthropic Claude Code - api_request|api_error|user_prompt|tool_result|tool_decision
[New] Anthropic Claude Code Catch All
[New] CrowdStrike Alert - All Detections
[New] CrowdStrike Falcon - AutomatedLeadSummaryEvent|XdrDetectionSummaryEvent
[New] CrowdStrike Falcon - DataProtectionDetectionSummaryEvent
[New] OpenAI Audit - API Key Events
[New] OpenAI Audit - Invite Events
[New] OpenAI Audit - Login Events
[New] OpenAI Audit - Organization Events
[New] OpenAI Audit - Project Events
[New] OpenAI Audit - Role Assignment Events
[New] OpenAI Audit - Role Events
[New] OpenAI Audit - Service Account Events
[New] OpenAI Audit - User Management Events
[New] OpenAI Audit - Workflow Events
[New] OpenAI Audit Catch All
[Updated] Cisco ASA 106001 JSON
[Updated] Cisco ASA 106102-3 JSON
[Updated] Cisco ASA 109201|109207|113022
[Updated] Cisco ASA 4180(18|19|44)
[Updated] Cisco ASA 609002 JSON
[Updated] Cisco ASA 713172 JSON
[Updated] Cisco ASA 713nnn JSON
[Updated] Cisco ASA 716039 JSON
[Updated] Cisco ASA 716059 JSON
[Updated] Cisco ASA 725016|771002
[Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
[Updated] Cisco Umbrella DNS Logs
[Updated] Unifi HTTP Request Logs

Parsers

[New] /Parsers/System/Akamai/Noname API Security
[New] /Parsers/System/Anthropic/Claude Code
[New] /Parsers/System/OpenAI/OpenAI Audit
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON

January 23rd, 2026 - Content Release

Fri, 23 Jan 2026 00:00:00 GMT

This content release includes:

New parsing and mapping support for Ubiquiti Unifi.
Updates to Infoblox DDI and NIOS log mappers and parsers to extract and map hostname, IP, port, and MAC address fields.
Updates to Check Point Firewall Syslog parser to improve user extraction.
Update to Netskope Security Cloud JSON parser to add a static alert name in the absence of specific alert name data.

Log Mappers

[New] Unifi Catch All
[New] Unifi Http Request Logs
[New] Unifi Traffic Logs
[Updated] Infoblox DDI - Catch All
[Updated] Infoblox DDI - DHCP
[Updated] Infoblox DDI - DNS
[Updated] Infoblox NIOS - Catch All
[Updated] Infoblox NIOS - DHCP
[Updated] Infoblox NIOS - DNS

Parsers

[New] /Parsers/System/Ubiquiti/Ubiquiti Unifi
[Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
[Updated] /Parsers/System/Infoblox/Infoblox
[Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

January 15th, 2026 - Content Release

Thu, 15 Jan 2026 00:00:00 GMT

This release adds support for OCSF 1.6 and Netskope WebTx logs. Changes are enumerated below.

Rules

[New] MATCH-S01148 OCSF IAM Analysis Finding
- Passes through IAM analysis findings from OCSF conforming sources.
[Updated] MATCH-S00445 Known Ransomware File Extensions
- Corrects spelling in rule description.

Log Mappers

[Updated] Netskope - WebTx Events

Parsers

[New] /Parsers/System/Netskope/Netskope WebTx

January 9th, 2026 - Content Release

Fri, 09 Jan 2026 00:00:00 GMT

This content release includes:

Rule update.
New parsing and mapping support for VMware vSphere Web Services.
Updates to Fortinet parsing and mapping to better capture inbound and outbound traffic bytes and packets.
Updates to Okta mapping to standardize srcDevice_ip mappings.

Changes are enumerated below.

Rules

[Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
- Added exclusion to rule expression to exclude consideration of null values in baseline.

Log Mappers

[New] Check Point Anti Malware
[New] Check Point New Anti Virus
[New] vSphere Web Services - Login/Logout
[New] vSphere Web Services - default
[Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
- Update to parser and mapper to correctly capture IP directionality.
[Updated] Fortinet Appctrl1
[Updated] Fortinet Traffic Logs
[Updated] Fortinet Traffic Syslog 1
[Updated] Fortinet Traffic1
[Updated] Fortinet Traffic2
[Updated] Fortinet Webfilter Logs
[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication - auth_via_radius
[Updated] Okta Authentication - sso
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events
[Updated] Oracle Cloud Infrastructure Audit Catch All
- Update to mapper to correctly capture source IP address.

Parsers

[New] /Parsers/System/VMware/vSphere Web Services
[Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-JSON

2025 Release Notes Archive - Cloud SIEM

Wed, 31 Dec 2025 00:00:00 GMT

This is an archive of 2025 Cloud SIEM release notes. To view the full archive, click here. Release notes are available on our website for a rolling multi-year period. For information about older releases, contact Support.

December 15, 2025 - Application Update

Threat Intel 471 update

We're happy to announce that the SumoLogic_ThreatIntel source and the Intel 471 Threat Intel Source, which incorporate threat indicators supplied by Intel 471, now include domain and email threat indicators. Now you can use these sources to identify threats based on domain URLs and email addresses.

For instructions on how to use these and other sources, see About Sumo Logic Threat Intelligence.

December 10, 2025 - Application Update

New look for list pages

We're excited to announce a new look for list pages in Cloud SIEM. We've replaced "cards" with table rows for a simpler, cleaner appearance that more closely matches how we present data in the rest of Sumo Logic. This new presentation lets you see more at a glance, allowing you to more quickly evaluate your SIEM data.

To learn more, see our list view documentation for:

December 05, 2025 - Content Release

This new and updated content is effective as of December 4, 2025.

This content release includes:

Updates to product naming from "G Suite" to "Google Workspace" across rules, log mappers, and parsers to reflect the current branding.
Update to product naming from "Dell SonicWall" to "SonicWall Firewall" in parsers and log mappers.
New support for Asana audit logging.

Additional changes are enumerated below.

Rules

[Updated] MATCH-S00630 GCP Audit IAM DeleteServiceAccount Observed
[Updated] MATCH-S00629 GCP Audit IAM DisableServiceAccount Observed
[Updated] MATCH-S00117 Google Workspace - Access - Access Transparency
[Updated] MATCH-S00115 Google Workspace - Admin - User Settings - Turn Off 2SV
[Updated] MATCH-S00133 Google Workspace - Admin Activity
[Updated] MATCH-S00125 Google Workspace - Drive - Drive Open To Public
[Updated] MATCH-S00301 Google Workspace - Excessive OAuth Application Permissions Scope
[Updated] MATCH-S00128 Google Workspace - Login - Account Warning
[Updated] MATCH-S00129 Google Workspace - Login - Government Attack Warning
[Updated] MATCH-S00121 Google Workspace - Mobile - Suspicious Activity
[Updated] MATCH-S00227 Google Workspace - Unauthorized OAuth Application
[Updated] MATCH-S00120 Google Workspace - User Accounts - 2SV Disabled

Log Mappers

[New] Asana Audit Authentication
[New] Asana Audit Catch All
[Updated] Azure ResourceHealth and ServiceHealth
[Updated] AzureActivityLog AuditLogs
[Updated] Google Workspace - access_transparency/GSUITE_RESOURCE/ACCESS
[Updated] Google Workspace - admin
[Updated] Google Workspace - calendar
[Updated] Google Workspace - drive.access
[Updated] Google Workspace - drive.acl_change
[Updated] Google Workspace - gcp
[Updated] Google Workspace - gplus
[Updated] Google Workspace - groups
[Updated] Google Workspace - groups_enterprise
[Updated] Google Workspace - login - password_change/recovery_info_change
[Updated] Google Workspace - login - risky_sensitive_action_allowed
[Updated] Google Workspace - login challenge
[Updated] Google Workspace - login-blocked_sender_change
[Updated] Google Workspace - login-email_forwarding_change
[Updated] Google Workspace - login.account_warning
[Updated] Google Workspace - login.gov_attack_warning
[Updated] Google Workspace - login.login
[Updated] Google Workspace - logout
[Updated] Google Workspace - meet
[Updated] Google Workspace - mobile
[Updated] Google Workspace - rules
[Updated] Google Workspace - saml
[Updated] Google Workspace - token
[Updated] Google Workspace - user_accounts
[Updated] Google Workspace Alert Center - AppMaker Editor
[Updated] Google Workspace Alert Center - Data Loss Prevention
[Updated] Google Workspace Alert Center - Domain wide takeout
[Updated] Google Workspace Alert Center - Gmail phishing
[Updated] Google Workspace Alert Center - Gmail phishing (Misconfigured whitelist)
[Updated] Google Workspace Alert Center - Google Operations
[Updated] Google Workspace Alert Center - Google identity
[Updated] Google Workspace Alert Center - Mobile device management (Device compromised)
[Updated] Google Workspace Alert Center - Mobile device management (Suspicious activity)
[Updated] Google Workspace Alert Center - Security Center rules
[Updated] Google Workspace Alert Center - Sensitive Admin Action
[Updated] Google Workspace Alert Center - State Sponsored Attack
[Updated] Google Workspace Alert Center - User Changes
[Updated] Netskope - Alerts
- Updated action and normalizedAction field mappings.
[Updated] SonicWall Firewall - Custom Parser
[Updated] SonicWall Flows
[Updated] Thinkst Canary Parser - Catch All
- Added additional field mappings.
[Updated] Windows - Security - 5145
- Removes redundant mapping of baseimage and device_ip fields.

Parsers

[New] /Parsers/System/Asana/Asana Audit
[New] /Parsers/System/Google/Google Workspace Alert Center
[New] /Parsers/System/Google/Google Workspace Audit
[New] /Parsers/System/SonicWall/SonicWall Firewall
[Updated] /Parsers/System/Dell/Dell SonicWall
[Updated] /Parsers/System/Google/G Suite Alert Center
[Updated] /Parsers/System/Google/G Suite Audit
[Updated] /Parsers/System/Linux/Linux OS Syslog
- Updated parser to drop certain systemd events not useful for security monitoring.
[Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
- Modified parser to improve field extraction.

November 14, 2025 - Content Release

This content release includes:

Updates to Microsoft Azure rules so rule summaries contain richer information around groups and roles that have been modified.
New and updated mappers for various products, including new support for PingIdentity MFA logs, better handling of severity scores for Netskope DLP alerts, and improved entity handling for Okta logs.
New and updated parsers, including new support for PingIdentity MFA logs and improved parsing for Netskope DLP events.

Changes are enumerated below.

Rules

[Updated] MATCH-S00226 Azure - Add Member to Group
[Updated] MATCH-S00220 Azure - Add Member to Role Outside of PIM
[Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
[Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
[Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role

Log Mappers

[New] Netskope - DLP Alerts
[New] Netskope - Incidents
[New] PingIdentity MFA - Authentication Event
[New] PingIdentity MFA - Catch All
[Updated] AzureActivityLog AuditLogs
[Updated] Keeper Authentication
[Updated] Netskope - Alerts
[Updated] Netskope - Catch All
[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication - auth_via_radius
[Updated] Okta Authentication - sso
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events

Parsers

[New] /Parsers/System/PingIdentity/PingIdentity MFA
[Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

November 06, 2025 - Content Release

This content release includes:

An updated parser and new log mappers for Netskope Cloud Security for improved handling of Netskope DLP logs.
An updated mapper for Azure Audit Logs which repurposes the changeTarget field mapping for changed items such as groups.
Updated Azure rules to accommodate the repurposed changeTarget field
Updated Keeper Authentication mapper to include the Success field.

note

If you are ingesting Netskope Cloud Security Logs or Azure Audit Logs ensure that the log source is set to use the appropriate system parser:

Netskope Cloud Security: /Parsers/System/Netskope/Netskope Security Cloud JSON
Azure Audit Logs: /Parsers/System/Microsoft/Microsoft Azure JSON

Rules

[Updated] MATCH-S00226 Azure - Add Member to Group
[Updated] MATCH-S00220 Azure - Add Member to Role Outside of PIM
[Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
[Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
[Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role

Log Mappers

[New] Netskope - DLP Alerts
[New] Netskope - Incidents
[Updated] AzureActivityLog AuditLogs
[Updated] Keeper Authentication

Parsers

[Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

October 29, 2025 - Content Release

This content release includes:

New log mappers for Crowdstrike Falcon to support eppDetectionSummary events from multiple ingest methods.
New parsers and log mappers for Databricks Audit logs and Varonis Alerts.

Log Mappers

[New] CrowdStrike Falcon - EppDetectionSummaryEvents (CNC)
[New] DataBricks Audit Catch All
[New] DataBricks Authentication
[New] Varonis Alerts Catch All

Parsers

[New] /Parsers/System/Databricks/Databricks Audit
[New] /Parsers/System/Varonis/Varonis Alert JSON

October 28, 2025 - Content Release

This content release includes:

New mappers for Crowdstrike Falcon events.
Updates to existing mappers for Crowdstrike Falcon, F5, and Okta events to support additional fields and events.
Updates to F5 Networks and Okta SSO parsers.

This new and updated content is effective as of October 22, 2025. Changes are enumerated below.

Log Mappers

[New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent
[New] CrowdStrike Falcon Identity Protection
[Updated] CrowdStrike UserActivity Logs
[Updated] F5 Authentication Catch All
[Updated] F5 HTTPd Audit - Custom Parser
[Updated] F5 Session and adfs proxy - Custom Parser
[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication - auth_via_radius
[Updated] Okta Authentication - sso
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events

Parsers

[Updated] /Parsers/System/F5/F5 Syslog
[Updated] /Parsers/System/Okta/Okta

October 10, 2025 - Content Release

This content release includes:

New and updated rules.
Updated Threat Intelligence rules with match lists which can be populated with exclusions to prevent the generation of undesired signals.
Mapping update.

Changes are enumerated below.

Rules

[New] CHAIN-S00023 Administrative Remote Interactive Brute Force Login
This rule correlates a high number of failed authentication attempts with a successful remote interactive login (such as via RDP) coming from the same source IP address and user account.
[New] CHAIN-S00024 RDP Brute Force Login Attempt
This rule correlates a high number of failed authentication attempts with repeated inbound connections over port 3389 (the default RDP port).
[New] MATCH-S01056 Administrative Remote Interactive Login
This rule triggers on a successful remote interactive login (such as via RDP) of a privileged user.
[Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
Updated to reduce false positive matches for certain parent-child process combinations.
[Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
[Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
[Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
[Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
[Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
[Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
[Updated] MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

Log Mappers

[Updated] Slack Anomaly Event
Updated to include threat_name mapping for improved context in alerts.

October 01, 2025 - Content Release

This content release includes:

Support for CrowdStrike Falcon EppDetectionSummaryEvents.
Updates to Barracuda CloudGen log mappers and parser to fix unmatching logs and expand coverage.
Enhancements to Check Point Avanan log mapper to support passthrough signals.
Updates to Sophos Masters log mappers for improved IP address mapping.

Log Mappers

[New] CrowdStrike Falcon - EppDetectionSummaryEvents
[Updated] Barracuda CloudGen Authenticaton Events
[Updated] Barracuda CloudGen Network Events
[Updated] Check Point Avanan
[Updated] Sophos - Masters
[Updated] Sophos - Masters - Threat Events

Parsers

[Updated] /Parsers/System/Barracuda/Barracuda CloudGen

September 22, 2025 - Application Update

Insight summary

We’re excited to announce the new insight summary pane, an AI-generated synopsis for each insight that describes the threat incidents that led to its creation. This helps security teams understand incidents faster and accelerate response time. The summary is generated by Sumo Logic's Summary Agent, an agentic AI tool.

Learn more.

September 19, 2025 - Content Release

This content release includes:

New rules for passing through OCSF Findings, such as those generated by AWS Security Hub.
Updates to rules for impossible travel to exclude local system accounts.
New log mappers for Cisco Meraki Traffic Events, OCI Authentication Events, and TippingPoint TPS Cloud.
Updates to existing log mappers to support new event IDs and enhance functionality.
New parser for TippingPoint TPS Cloud.
Updates to existing parsers for Cisco ASA, Cisco Meraki C2C, Kaspersky Endpoint Security, and Oracle Cloud Infrastructure to support new events.
Schema update to include ocsf as an enforced value for threat_ruleType.

Changes are enumerated below.

Rules

[New] MATCH-S01053 OCSF Compliance Finding
Passes through compliance findings from OCSF sources.
[New] MATCH-S01054 OCSF Detection Finding
Passes through detection findings from OCSF sources.
[New] MATCH-S01055 OCSF Vulnerability Finding
Passes through vulnerability findings from OCSF sources.
[Updated] THRESHOLD-S00097 Impossible Travel - Successful
Exclude local system accounts from the rule.
[Updated] THRESHOLD-S00098 Impossible Travel - Unsuccessful
Exclude local system accounts from the rule.

Log Mappers

[New] Cisco Meraki Traffic Events
[New] OCI Catch Authentication events
[New] TippingPoint TPS Cloud Catch All
[Updated] AWS GuardDuty - OCSF Finding Events
Modified to support dedicated OCSF finding rules.
[Updated] AWS Inspector - OCSF Finding Events
Modified to support dedicated OCSF finding rules.
[Updated] AWS Security Hub - OCSF Finding Events
Modified to support dedicated OCSF finding rules.
[Updated] AWS Security Hub Coverage - OCSF Finding Events
Modified to support dedicated OCSF finding rules.
[Updated] AWS Security Hub Exposure Detection - OCSF Finding Events
Modified to support dedicated OCSF finding rules.
[Updated] Cisco ASA 109201|109207|113022
[Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
[Updated] Kaspersky Endpoint Security Catch All
[Updated] Oracle Cloud Infrastructure Audit Catch All
[Updated] Windows - Security - 4624
Added user_role field to identify admin users
[Updated] Windows - Security - 4648
Added user_role field to identify admin users.

Parsers

[New] /Parsers/System/TippingPoint/TippingPoint TPS Cloud
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Cisco/Cisco Meraki C2C
[Updated] /Parsers/System/Kaspersky/Kaspersky Endpoint Security
[Updated] /Parsers/System/Oracle/Oracle Cloud Infrastructure Schema
[Updated] threat_ruleType
Updated enforced values to include ocsf as an option for mappers representing Findings records as categorized in the Open Cybersecurity Schema Framework (OCSF).

August 27, 2025 - Content Release

This content release includes:

New mappers and parsing support for additional Cisco ASA events and updates to existing Cisco ASA mappers to support additional fields.
Updates to AWS Security Hub OCSF Findings mappers to handle username alternate mappings.
Updates to McAfee Web Gateway CSV parser and mapper to support additional fields.
Fix to Sysdig Policy Detection JSON mapper to correctly map threat signal name and summary.

Changes are enumerated below.

Log Mappers

[New] Cisco ASA 109201|109207|113022
[New] Cisco ASA 317077|317078
[New] Cisco ASA 725016|771002
[Updated] AWS GuardDuty - OCSF Finding Events
[Updated] AWS Inspector - OCSF Finding Events
[Updated] AWS Security Hub - OCSF Finding Events
[Updated] AWS Security Hub Coverage - OCSF Finding Events
[Updated] AWS Security Hub Exposure Detection - OCSF Finding Events
[Updated] Cisco ASA 113008 JSON
[Updated] Cisco ASA 302010 JSON
[Updated] Cisco ASA 303002 JSON
[Updated] Cisco ASA 313001 JSON
[Updated] Cisco ASA 50000(4|3) JSON
[Updated] Cisco ASA 602303-4|602101
[Updated] Cisco ASA 710005|716058
[Updated] Cisco ASA 713nnn JSON
[Updated] Cisco ASA 722034
[Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041 JSON
[Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
[Updated] Cisco ASA 751023|725001|725002|725003|725006|725007|750001|750003|750006|750007|751022 JSON
[Updated] Cisco ASA Network events
[Updated] McAfee WebGateway - Parser
[Updated] Sysdig Policy Detection JSON

Parsers

[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/McAfee/McAfee Web Gateway CSV

August 20, 2025 - Content Release

This content release includes new log mappers to cover additional security finding sources collected via AWS Security Hub.

Log Mappers

[New] AWS GuardDuty - OCSF Finding Events
[New] AWS Inspector - OCSF Finding Events
[New] AWS Security Hub Coverage - OCSF Finding Events
[New] AWS Security Hub Exposure Detection - OCSF Finding Events

August 19, 2025 - Application Update

New TAXII 2 Threat Intelligence Sources

We're excited to announce the following new threat intelligence sources that allow you to collect TAXII feeds with greater ease. These sources are based on the underlying code of our STIX/TAXII 2 Client Source, but are tailored for each of the vendors to facilitate setup:

CISA TAXII Client
Dragos TAXII Client
Nozomi TAXII Client
Recorded Future TAXII Client
Unit42 TAXII Client

When you set up a source, search for "taxii" and select the tile for the source you want to install:

Learn more.

August 15, 2025 - Content Release

This content release includes:

New product support for Vectra AI.
Updated parsers and log mappers for Azure Event Hub, Barracuda CloudGen Firewall, Microsoft IIS, and Surepass.
Updated Surepass to the correct vendor name.

Changes are enumerated below.

Log Mappers

[New] Vectra AI Catch All
[New] Vectra AI User Login
[Updated] Azure Event Hub - Windows Defender Logs
- Updated field mappings to include new fields.
[Updated] Barracuda CloudGen Firewall Activity
- Updated event_id criteria to handle abridged event types in some logs.
[Updated] Microsoft IIS Parser - Catch All
- Updated to support http_url and downstream enrichment.
[Updated] Surepass Authentication
[Updated] Surepass Catch All
[Updated] Surepass Network Event

Parsers

[New] /Parsers/System/Vectra/Vectra AI
[Updated] /Parsers/System/Barracuda/Barracuda CloudGen
- Updated event_id criteria to handle abridged event types in some logs and to support additional log formats.
[Updated] /Parsers/System/Cylance/Cylance Syslog
- Updated timestamp parsing.
[Updated] /Parsers/System/DocuSign/DocuSign Monitor
- Updated timestamp parsing.
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- Updated parser to parse additional nested fields.
[Updated] /Parsers/System/Microsoft/Microsoft IIS
- Updated to form http_url for downstream enrichment.

August 01, 2025 - Content Release

This content release includes:

New rules to assist in detection of the ToolShell exploit against Microsoft SharePoint Server (CVE-2025-53770, CVE-2025-53771) and other web shell attack activity.
Updates to rules.
Parsing support for Open Cybersecurity Schema Framework (OCSF) logging.
- Designed to support AWS Security Hub Findings via OCSF, but broadly compatible with other OCSF data sources.
Mapping support for AWS Security Hub Findings via OCSF.
- AWS Security Hub via OCSF mapping support includes mappers which can be easily cloned and repurposed to support additional sources of data which use OCSF. Not all OCSF categories and classes are necessarily pertinent to AWS Security Hub data produced at this time.
- Additional mappers for OCSF data sources will be added in future releases.
Updates to AWS Security Hub (non-OCSF) mapper to reduce signal volume by using a less granular field for threat_signalName and to map general resources into resource field.
New mappers for Citrix NetScaler and Palo Alto Firewall events.
Updates to existing mappers/parsers for AWS, Azure, Citrix NetScaler, Linux Sysmon, Windows Sysmon, and Zscaler to support additional events and field mappings.
Allows resource to be used as an entity in rules.

Other changes are enumerated below.

Rules

[New] MATCH-S01050 IIS - Executable File Added to Directory
- Executable files added to Microsoft Internet Information Server (IIS) directories can indicate the installation of a web shell by an attacker. For example, the ToolShell exploit (CVE-2025-53770, CVE-2025-53771) included the installation of spinstall10.aspx in an executable directory.
[New] MATCH-S01051 SharePoint Server ToolShell Exploitation (CVE-2025-53770, CVE-2025-53771)
- Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
[New] MATCH-S01052 SharePoint Server ToolShell Web Shell Interaction (CVE-2025-53771)
- Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
[Updated] MATCH-S00402 Normalized Security Signal
- Adjusted summary to remove {{device_hostname}} to avoid null values for blank hostnames.
- Added resource to entity selector
[Updated] MATCH-S00061 Zscaler - Allowed Elevated Risk Score Events
- Updated rule expression and severity score to use normalized fields.

Log Mappers

[New] AWS Security Hub - OCSF Finding Events
[New] AWS Security Hub - Application Activity *
[New] AWS Security Hub - Authentication Event*
[New] AWS Security Hub - DHCP Activity*
[New] AWS Security Hub - DNS Activity*
[New] AWS Security Hub - Discovery Event*
[New] AWS Security Hub - Email Activity*
[New] AWS Security Hub - File System events*
[New] AWS Security Hub - HTTP Activity*
[New] AWS Security Hub - IAM Account change|Authorize Session|Entity Management|User Access Management|Group Management*
[New] AWS Security Hub - Kernel Extension Activity|Kernel Activity|Memory Activity|Module Activity|Scheduled Job Activity|Process Activity|Event Log Activity|Script Activity*
[New] AWS Security Hub - Network Activity|RDP Activity|SMB Activity|SMB Activity|SSH Activity|FTP Activity|NTP Activity|Tunnel Activity|Network Remediation Activity*
[New] AWS Security Hub - Remediation Activity|Process Remediation Activity*
[New] AWS Security Hub - Unmanned Systems*
[New] Citrix NetScaler - AAA-AUTH-REQ
[New] Palo Alto Audit Authentication logs
[New] Palo Alto Audit Catch All
[Updated] AWS Security Hub
[Updated] Azure Event Hub - Windows Defender Audit file events
[Updated] Citrix NetScaler - AAA-LOGIN_FAILED
[Updated] Citrix NetScaler - Command Executed
[Updated] Citrix NetScaler - MESSAGE
[Updated] Citrix NetScaler - SSL Handshake Success
[Updated] Citrix NetScaler - SSLVPN-LOGIN
[Updated] Keeper Authentication
[Updated] Keeper Catch All
[Updated] Mimecast AV Event
[Updated] Mimecast Email logs
[Updated] Linux-Sysmon/Operational - 11
- Added more normalized fields
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
- Added more normalized fields.
[Updated] Zscaler - Nanolog Streaming Service - JSON
- Added normalizedAction for allow/deny actions and alternate values for IPs.

* Security Hub via OCSF is currently limited to the OCSF Findings category. Additional mappers are in place to support potential future Security Hub events that utilize other OCSF categories and classes. These can be cloned and repurposed to support additional sources of data which use OCSF.

Parsers

[Deleted] /Parsers/System/Mindpoint Group/Mindpoint SurePass
- Updated erroneous vendor name in parser.
- Any existing references to this parser path will need to be updated to the new parser path.
[New] /Parsers/System/Keeper/Keeper
- New parser for Keeper with correct vendor name.
[New] /Parsers/System/OCSF/OCSF
[New] /Parsers/System/SurePass/SurePass
- New parser path for Surepass to reflect correct vendor name.
[Updated] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
- Updated parser to point to new parser path with correct vendor name.
[Updated] /Parsers/System/Microsoft/Office 365
- Updated to fix issue with normalizedLogon field not being populated correctly.
[Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
- Updated header regex, added support for new events, and added new time format.
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- Updated to handle new log formats and fields.

Schema

[Updated] resource
- Enables resource as an entity.

July 09, 2025 - Content Release

This release includes:

Rule bug fix.
New device support for Aruba WAP, Oracle Cloud Infrastructure, and Mindpoint SurePass.
Updated mapper alternate values for Cloudflare Logpush.

Rules

[Updated] LEGACY-S00005 Possible Black Energy Command and Control
- Corrected rule expression for rootDomain to use correct schema field name.

Log Mappers

[New] Aruba WAP
[New] Oracle Cloud Infrastructure Audit Catch All
[New] Surepass Authentication
[New] Surepass Cath All
[New] Surepass Network Event
[Updated] Cloudflare - Logpush

Parsers

[New] /Parsers/System/HP/Aruba WAP
[New] /Parsers/System/Mindpoint Group/Mindpoint SurePass
[New] /Parsers/System/Oracle/Oracle Cloud Infrastructure

June 26, 2025 - Content Release

This content release includes:

Device support for AWS VPN and VMware Avi Load Balancer.
Updates to Cisco ASA and Umbrella parsers to support additional log pattern variations.
Bug fix for year timestamp parsing with the potential of creating incorrect timestamps around the new year for records.

Log Mappers

[New] AWS VPN
[New] VMware Avi Load Balancer Catch All

Parsers

[New] /Parsers/System/AWS/AWS VPN
[New] /Parsers/System/VMware/VMware Avi Load Balancer
[Updated] /Parsers/System/Atlassian/Atlassian Audit Events
[Updated] /Parsers/System/Microsoft/Azure Storage Analytics
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
[Updated] /Parsers/System/Cylance/Cylance Syslog
[Updated] /Parsers/System/Cylance/Cylance Threat JSON
[Updated] /Parsers/System/JumpCloud/JumpCloud Directory Insights
[Updated] /Parsers/System/Miro/Miro Audit C2C
[Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
[Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance
[Updated] /Parsers/System/RSA/RSA SecurID SinglePoint
[Updated] /Parsers/System/Symantec/Symantec Endpoint Protection/Symantec Endpoint Protection-Syslog
[Updated] /Parsers/System/Tanium/Tanium CEF
[Updated] /Parsers/System/Trellix/Trellix MVision EPO
[Updated] /Parsers/System/Twistlock/Twistlock
[Updated] /Parsers/System/Zeek/Zeek
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-CEF
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF

June 12, 2025 - Content Release

This content release includes:

New detection rules for browser extension persistence, Kerberos certificate authentication, GitHub vulnerability alerts, Okta application access monitoring, and threat intelligence email matching.
New product support for Atlassian audit and login events.
Enhanced Azure Event Hub Windows Defender integration with new threat event mapping for passthrough alerts.
Cisco ASA updates with new network event support and NAT IP handling improvements.
Citrix NetScaler mapping updates to support additional events.
Update to Auth0 successful/unsuccessful login mappings to properly classify each.
CrowdStrike NextGen SIEM Alert event support.
Mimecast security event mapping improvements across several event types.
AWS CloudTrail network event enhancements with event success/failure handling and protocol support.
Parser updates to support additional event formats for multiple platforms.

Changes are enumerated below.

Rules

[New] MATCH-S00897 Chromium Extension Installed
- Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values: file_path and/or changeTarget depending on the source of the telemetry. This rule logic utilizes Sysmon file creation events, which need to be enabled and configured on relevant assets.
[New] FIRST-S00064 First Seen Certificate Thumbprint in Successful Kerberos Authentication
- This alert looks for a first seen certificate thumbprint being used to authenticate to an Active Directory environment, resulting in a Kerberos ticket being successfully issued. This alert is designed to catch Active Directory Certificate Services related attacks, ensure the certificate thumprint is valid, correlate the thumbprint ID with other Certificate Services events, particularly looking for recently issued templates.
[New] MATCH-S00949 GitHub - Vulnerability Alerts
- Detects vulnerability alerts created for a GitHub repository.
[New] FIRST-S00070 Okta - First Seen Application Accessed by User
- This signal looks for a user that is accessing an application behind Okta SSO that is first seen since the baseline period. Ensure that access of this application is expected and authorized, look for other Okta events around the user account in question to determine whether access to this application is expected and authorized.
[New] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
- This rule detects when a user has utilized multiple distinct operating systems when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression or a match list.
[New] MATCH-S01020 Threat Intel - Matched Target Email
- Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
[New] MATCH-S01019 Threat Intel - Matched User Email
- Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
[Updated] MATCH-S00170 Windows - Scheduled Task Creation
- Fixed spelling error.

Log Mappers

[New] Altassian audit events
[New] Altassian login events
[New] Azure Event Hub - Windows Defender Azure Alert
[New] Cisco ASA 4180(18|19|44)
[New] Cisco ASA 713nnn JSON
[New] Cisco ASA Network events
[New] Citrix NetScaler - SSL Handshake Failure
[New] CrowdStrike NextGen SIEM
[Updated] Auth0 Failed Authentication
[Updated] Auth0 Successful Authentication
[Updated] Azure Event Hub - Windows Defender Logs
[Updated] Cisco ASA 106010 JSON
[Updated] Cisco ASA 20900(4|5) JSON
[Updated] Cisco ASA 50000(4|3) JSON
[Updated] Citrix NetScaler - TCP Connection
[Updated] CloudTrail - ec2.amazonaws.com - All Network Events
[Updated] F5 HTTP Request
[Updated] Mimecast AV Event
[Updated] Mimecast Audit Authentication Logs
[Updated] Mimecast Audit Hold Messages
[Updated] Mimecast Audit Logs
[Updated] Mimecast DLP Logs
[Updated] Mimecast Email logs
[Updated] Mimecast Impersonation Event
[Updated] Mimecast Spam Event
[Updated] Mimecast Targeted Threat Protection Logs

Parsers

[New] /Parsers/System/Atlassian/Atlassian Audit Events
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
[Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
[Updated] /Parsers/System/AWS/CloudTrail
[Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
[Updated] /Parsers/System/F5/F5 Syslog
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

June 02, 2025 - Application Update

New method for building baselines

We're happy to announce that now when you create or update a first seen or outlier rule, the baseline starts building immediately using existing system data. Typically, the baseline is ready within minutes. You no longer need to wait days for a baseline learning period to complete before it becomes usable. This change enables you to gain insights faster and iterate on your first seen and outlier rules rapidly, reducing tuning time from weeks to minutes.

To learn more, see our information about baselines for first seen rules and outlier rules.

note

This feature update applies only to new and changed first seen and outlier rules. Unchanged existing rules will continue to use their existing baselines.

May 30, 2025 - Content Release

This content release includes:

Rule updates.
New log parsers and mappers to support Akamai CPC and Contrast Security ADR.
New and updated log mappers for Azure Event Hub - Windows Defender logs, Cisco ISE, Microsoft Office 365, and Snowflake.
Modifications to existing parsers for Microsoft Azure JSON, Nginx Syslog, and Snowflake to support additional formats and events.

Changes are enumerated below.

Rules

[Updated] MATCH-S00068 O365 - Users Password Changed
- Updated entity selectors to include both user_username and targetUser_username
[Updated] MATCH-S00069 O365 - Users Password Reset
- Updated entity selectors to include both user_username and targetUser_username

Log Mappers

[New] Akamai CPC
[New] Azure Event Hub - Windows Defender Audit events
[New] Azure Event Hub - Windows Defender Audit file events
[New] Azure Event Hub - Windows Defender Authentication events
[New] Azure Event Hub - Windows Defender Email events
[New] Azure Event Hub - Windows Defender Endpoint Process events
[New] Azure Event Hub - Windows Defender Network events
[New] Contrast Security ADR Default Mapping
[New] Snowflake Query History
[New] Snowflake Session
[Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
[Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
[Updated] Cisco ISE Catch All
[Updated] Microsoft Office 365 Active Directory Authentication Events
[Updated] Snowflake Catch All
[Updated] Snowflake Login

Parsers

[New] /Parsers/System/Akamai/Akamai CPC
[New] /Parsers/System/Contrast Security/Contrast ADR
[Updated] /Parsers/System/Cisco/Cisco ISE
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Nginx/Nginx Syslog
[Updated] /Parsers/System/Microsoft/Office 365
[Updated] /Parsers/System/Snowflake/Snowflake
[Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
[Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

May 23, 2025 - Content Release

This content release includes:

Rule update
New support for CommScope Ruckus SmartZone
Additional mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
Updates for existing mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
- Added normalizedAction and action fields to Windows PowerShell mappers
Changes to Windows PowerShell JSON parsing to support additional log formats

Changes are enumerated below.

Rules

[Updated] MATCH-S00068 O365 - Users Password Changed
- Updated to use targetUser_username

Log mappers

[New] CommScope Ruckus SmartZone Default
[New] CrowdStrike FDR - DNSRequest
[New] Google G Suite - login - risky_sensitive_action_allowed
[New] Google G Suite - login challange
[New] Windows - Windows PowerShell
[Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
- Added alternate field for threat_name
[Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
- Added alternate field for threat_name
[Updated] Google G Suite - login - password_change/recovery_info_change
- Added additional mapped fields
[Updated] Google G Suite - login.login
- Added additional mapped fields
[Updated] Google G Suite - logout
- Added additional mapped fields
[Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4103
[Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
[Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
[Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4106

Parsers

[New] /Parsers/System/CommScope/CommScope Ruckus SmartZone
[Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON

May 09, 2025 - Content Release

This release includes:

New rules for monitoring AWS services (see below for tuning guidance).
Updated rules for Microsoft O365 and Powershell.
Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
Updates to Cisco Umbrella mappers to add user_username.
Updates to SentinelOne mappers to drop null values.
New parsers for Azure Virtual Network and SentinelOne MGMT API.
Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.

Changes are enumerated below.

Rules

[New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
- [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
[New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
- [Disabled by Default] Detection of a user account's first enumeration of custom AWS Bedrock models via ListCustomModels API. Verify the user is authorized for AWS Bedrock access. The http_userAgent field indicates whether a browser or CLI tool was used. This rule is disabled by default due to potential high volume of alerts, particularly from service accounts. Before enabling, consider excluding authorized users and service accounts (such as CNAPP monitoring accounts with timestamp-based usernames) through rule tuning expressions.
[New] OUTLIER-S00032 Outlier in Data Transferred from an S3 Bucket by User
- [Disabled by Default] This rule detects an unusual amount of data transferred outbound from an S3 bucket (requires AWS Data events are required). Verify if the user, role and IP address associated with this activity are authorized. This rule is disabled by default due to potential signal volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
[New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
- [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
[Updated] MATCH-S00069 O365 - Users Password Reset
- Changed Entity and Summary, replacing user_username with targetUser_username.
[Updated] MATCH-S00449 Powershell Execution Policy Bypass
- Fixed camel case in commandLine field.

Log Mappers

[New] Azure Virtual Network Flow logs
[Updated] Abnormal Security Threats
[Updated] Cisco ASA 103001 JSON
[Updated] Cisco ASA 103004 JSON
[Updated] Cisco ASA 106001 JSON
[Updated] Cisco ASA 106002 JSON
[Updated] Cisco ASA 106006 JSON
[Updated] Cisco ASA 106007 JSON
[Updated] Cisco ASA 106010 JSON
[Updated] Cisco ASA 106012 JSON
[Updated] Cisco ASA 106014 JSON
[Updated] Cisco ASA 106015 JSON
[Updated] Cisco ASA 106021 JSON
[Updated] Cisco ASA 106023 JSON
[Updated] Cisco ASA 106027 JSON
[Updated] Cisco ASA 106100 JSON
[Updated] Cisco ASA 106102-3 JSON
[Updated] Cisco ASA 109005-8 JSON
[Updated] Cisco ASA 110002 JSON
[Updated] Cisco ASA 111008-9 JSON
[Updated] Cisco ASA 111010 JSON
[Updated] Cisco ASA 113003 JSON
[Updated] Cisco ASA 113004 JSON
[Updated] Cisco ASA 113005 JSON
[Updated] Cisco ASA 113006 JSON
[Updated] Cisco ASA 113007 JSON
[Updated] Cisco ASA 113008 JSON
[Updated] Cisco ASA 113009 JSON
[Updated] Cisco ASA 113012-17 JSON
[Updated] Cisco ASA 113019 JSON
[Updated] Cisco ASA 113021 JSON
[Updated] Cisco ASA 113039 JSON
[Updated] Cisco ASA 209004 JSON
[Updated] Cisco ASA 302010 JSON
[Updated] Cisco ASA 302020-1 JSON
[Updated] Cisco ASA 303002 JSON
[Updated] Cisco ASA 304001 JSON
[Updated] Cisco ASA 304002 JSON
[Updated] Cisco ASA 305011-12 JSON
[Updated] Cisco ASA 313001 JSON
[Updated] Cisco ASA 313004 JSON
[Updated] Cisco ASA 313005 JSON
[Updated] Cisco ASA 314003 JSON
[Updated] Cisco ASA 315011 JSON
[Updated] Cisco ASA 322001 JSON
[Updated] Cisco ASA 322003 JSON
[Updated] Cisco ASA 338001-8+338201-4 JSON
[Updated] Cisco ASA 4000nn JSON
[Updated] Cisco ASA 402117 JSON
[Updated] Cisco ASA 402119 JSON
[Updated] Cisco ASA 405001 JSON
[Updated] Cisco ASA 405002 JSON
[Updated] Cisco ASA 406001 JSON
[Updated] Cisco ASA 406002 JSON
[Updated] Cisco ASA 419001 JSON
[Updated] Cisco ASA 419002 JSON
[Updated] Cisco ASA 500004 JSON
[Updated] Cisco ASA 502101-2 JSON
[Updated] Cisco ASA 502103 JSON
[Updated] Cisco ASA 602303-4 JSON
[Updated] Cisco ASA 605004-5 JSON
[Updated] Cisco ASA 609002 JSON
[Updated] Cisco ASA 611101-2 JSON
[Updated] Cisco ASA 611103 JSON
[Updated] Cisco ASA 710002-3 JSON
[Updated] Cisco ASA 710005 JSON
[Updated] Cisco ASA 713052 JSON
[Updated] Cisco ASA 713172 JSON
[Updated] Cisco ASA 713228 JSON
[Updated] Cisco ASA 716014-7-8 JSON
[Updated] Cisco ASA 716038 JSON
[Updated] Cisco ASA 716039 JSON
[Updated] Cisco ASA 716059 JSON
[Updated] Cisco ASA 719022-3 JSON
[Updated] Cisco ASA 721016-8 JSON
[Updated] Cisco ASA 722034 JSON
[Updated] Cisco ASA 722051 JSON
[Updated] Cisco ASA 722055 JSON
[Updated] Cisco ASA 733100 JSON
[Updated] Cisco ASA 751011 JSON
[Updated] Cisco ASA 751023 JSON
[Updated] Cisco ASA 751025 JSON
[Updated] Cisco ASA tcp_udp_sctp_builds JSON
[Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
[Updated] Cisco Umbrella DNS Logs
[Updated] Cisco Umbrella IP Logs
[Updated] Cisco Umbrella Proxy Logs
[Updated] SentinelOne Logs - C2C activities
[Updated] SentinelOne Logs - C2C agents
[Updated] SentinelOne Logs - C2C alerts
[Updated] SentinelOne Logs - C2C threats
[Updated] SentinelOne Logs - C2C users
[Updated] SentinelOne Logs - Syslog Custom Parser

Parsers

[New] /Parsers/System/Microsoft/Azure Virtual Network
[New] /Parsers/System/SentinelOne/SentinelOne MGMT API
[Updated] /Parsers/System/Abnormal Security/Abnormal Security
- Updated the parser to support new events.
[Updated] /Parsers/System/Cisco/Cisco ASA
- Updated regex to fix ASA-6-721016 events.
[Updated] /Parsers/System/Cisco/Cisco ISE
- Updated parser to drop certain non-actionable logs.
[Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
- Updated parser to support additional event format variations.
[Updated] /Parsers/System/Cylance/Cylance Syslog
- Updated parser to support new events.
[Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
- Updated parser to drop phishing test events.

April 25, 2025 - Content Release

This content release includes:

Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.

Rules

[Updated] MATCH-S01009 Threat Intel - HTTP Referrer
[Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
[Updated] MATCH-S00999 Threat Intel - IMPHASH Match
[Updated] MATCH-S01000 Threat Intel - MD5 Match
[Updated] MATCH-S01001 Threat Intel - PEHASH Match
[Updated] MATCH-S01003 Threat Intel - SHA1 Match
[Updated] MATCH-S01004 Threat Intel - SHA256 Match
[Updated] MATCH-S01002 Threat Intel - SSDEEP Match

Log Mappers

[Updated] Microsoft Office 365 Active Directory Authentication Events
[Updated] Microsoft Office 365 AzureActiveDirectory Events

Parsers

[Updated] /Parsers/System/Microsoft/Office 365

April 14, 2025 - Content Release

This content release includes:

Additional data requirements for GitHub rules added to rule descriptions.
Spelling corrections for AWS Lambda rules.
New Slack Anomaly Event log mapper and supporting parsing changes:
- Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
- Requires parser be defined for passthrough detection.
Updates to Sysdig parsing and mapping to support additional events.
Support for Microsoft Windows Sysmon-29 event.
Additional normalized field mappings for Microsoft Windows Sysmon events.
New user_phoneNumber and targetUser_phoneNumber schema fields.

Rules

[Updated] MATCH-S00874 AWS Lambda Function Recon
[Updated] MATCH-S00952 GitHub - Administrator Added or Invited
[Updated] MATCH-S00953 GitHub - Audit Logging Modification
[Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
[Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
[Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
[Updated] MATCH-S00950 GitHub - Member Invitation or Addition
[Updated] MATCH-S00955 GitHub - Member Permissions Modification
[Updated] MATCH-S00956 GitHub - OAuth Application Activity
[Updated] MATCH-S00957 GitHub - Organization Transfer
[Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
[Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
[Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
[Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
[Updated] MATCH-S00960 GitHub - Repository Transfer
[Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
[Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
[Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
[Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
[Updated] MATCH-S00951 GitHub - Secret Scanning Alert
[Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
[Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization

Log Mappers

[New] Slack Anomaly Event
[New] Windows - Microsoft-Windows-Sysmon/Operational - 16
[New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
[New] Windows - Microsoft-Windows-Sysmon/Operational-29
[Updated] Sysdig Secure Packages
[Updated] Sysdig Secure Vulnerability
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27

Parsers

[New] /Parsers/System/Slack/Slack Enterprise Audit
[Updated] /Parsers/System/Sysdig/Sysdig Secure

Schema

[New] targetUser_phoneNumber
[New] user_phoneNumber

April 08, 2025 - Application Update

New Threat Intelligence Source

We’re excited to announce a new default source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from Intel 471.

For more information, see our release note in the Service release notes section.

April 03, 2025 - Content Release

This content release includes new and updated log mappers and parsers for Bitwarden, CommScope, Mimecast, and Sysdig Secure. Updates to Mimecast mappers are to support additional fields and events with new log parser.

Log Mappers

[New] Bitwarden Authentication
[New] Bitwarden Catch All
[New] CommScope Authentication Event
[New] CommScope STP and DHCPC Event
[New] CommScope System|Security
[New] Sysdig Secure Packages
[New] Sysdig Secure Vulnerability
[Updated] Mimecast AV Event
[Updated] Mimecast Audit Authentication Logs
[Updated] Mimecast Audit Hold Messages
[Updated] Mimecast Audit Logs
[Updated] Mimecast DLP Logs
[Updated] Mimecast Email logs
[Updated] Mimecast Impersonation Event
[Updated] Mimecast Spam Event
[Updated] Mimecast Targeted Threat Protection Logs

Parsers

[New] /Parsers/System/Bitwarden/Bitwarden
[New] /Parsers/System/CommScope/CommScope
[New] /Parsers/System/Mimecast/Mimecast
[New] /Parsers/System/Sysdig/Sysdig Secure

March 24, 2025 - Content Release

This content release includes Threat Intelligence match rules that use the new hasThreatMatch operator to support both global and custom threat intelligence feeds.

To reduce initial signal volume, basic inbound and outbound IP address threat match rules with a low or medium confidence level are disabled by default (see below). We highly recommend tuning these rules before enabling them to reduce signal volume, and therefore entity risk assignment, to manageable levels.

Rules

MATCH-S00999 Threat Intel - IMPHASH Match
MATCH-S01000 Threat Intel - MD5 Match
MATCH-S01001 Threat Intel - PEHASH Match
MATCH-S01002 Threat Intel - SSDEEP Match
MATCH-S01003 Threat Intel - SHA1 Match
MATCH-S01004 Threat Intel - SHA256 Match
MATCH-S01005 Threat Intel - Source Hostname
MATCH-S01006 Threat Intel - Device Hostname
MATCH-S01007 Threat Intel - Destination Device Hostname
MATCH-S01008 Threat Intel - HTTP Hostname
MATCH-S01009 Threat Intel - HTTP Referrer Hostname
MATCH-S01010 Threat Intel - DNS Query Domain
MATCH-S01011 Threat Intel - DNS Reply Domain
MATCH-S01012 Threat Intel - HTTP Referrer Domain
MATCH-S01013 Threat Intel - HTTP URL Root Domain
MATCH-S01014 Threat Intel - HTTP URL FQDN
MATCH-S01015 Threat Intel - HTTP URL
MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence) - Disabled By Default
MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence) - Disabled By Default
MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence) - Disabled By Default
MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence) - Disabled By Default
MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

March 18, 2025 - Content Release

This release includes::

Updates to parsing and mapping for Airtable and Windows Defender to support additional events and field mappings.
New parsing and mapping for VMware ESXi.
Updates to Baracuda Firewall and System Event mapping for normalizedSeverity lookup translation.

Changes are enumerated below.

Log Mappers

[New] Airtable Audit C2C Authentication
[New] VMware ESXi Authentication
[New] VMware ESXi Catch All
[New] Windows Defender Catch All
[Updated] Airtable Audit C2C Catch All
[Updated] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
[Updated] Barracuda System Event
[Updated] Windows Defender ATP Alert
- Enables additional passthrough alerts.

Parsers

[New] /Parsers/System/VMware/VMware ESXi
[Updated] /Parsers/System/Airtable/Airtable Audit C2C
[Updated] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON

March 13, 2025 - Content Release

This release includes:

New detection rules for Azure DevOps to identify suspicious or sensitive activity in CI/CD pipelines
New support for Barracuda WAF and CloudGen Firewall
Support for CyberArk Audit events
Updates to 1Password mappers to realign field mappings to reflect proper directionality
Fix for normalizedActions in AWS CloudTrail Policy Change mapper
Additions to CrowdStrike Audit and UserActivity log mappers to map additional fields and add alternate values
Support for additional events from Kubernetes and Linux OS logs

Rules

[New] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
- This detection monitors for the creation and deletion of Agent Pools within 5 days by the same user, with the intent of finding Agent Pools active for short durations.
[New] MATCH-S00997 Azure DevOps - Browser Observed in Personal Access Token (PAT) Use
- This detection monitors for the use of a PAT for authentication from a User Agent String indicating a web browser.
[New] MATCH-S00995 Azure DevOps - Change Made to Administrator Group
- This detection monitors for additions to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrators, Project Collection Build Administrators
[New] FIRST-S00098 Azure DevOps - First Seen Pull Request Policy Bypassed
- This detection monitors for when a user performs a pull request bypass for the first time.
[New] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
- This detection monitors for new users creating an agent pool. This user has not been observed creating agent pools during the baseline period and may be a new admin or involved in suspicious account activity.
[New] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
- This detection monitors for users creating a release pipeline for the first time after the baseline period (by default, 90 days).
[New] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
- This detection monitors for a user modifying a variable group for the first time.
[New] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
- This detection monitors for users modifying a release pipeline for the first time after the baseline period (by default, 90 days).
[New] MATCH-S00998 Azure DevOps - Known Malicious Tooling Detected ADOKit
- This is a simple detection matching on “ADOKit” at the start of the HTTP User Agent String (UAS). This detection effectively catches basic ADOKit use. It is brittle to attackers changing the User Agent String to another more innocuous browser to mask the traffic.
[New] MATCH-S00994 Azure DevOps - Member Added to Sensitive Group
- This detection monitors for changes to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrator
[New] FIRST-S00095 Azure DevOps - New Agent OS Added to Agent Pool
- This detection monitors for the addition of an agent to an agent pool when the OS of the agent has not been observed in this pool during the baseline period.
[New] FIRST-S00094 Azure DevOps - New Extension Installed
- This detection monitors for new extensions installed organization-wide after a 30-day baseline, based on the user installing the new extension.
[New] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
- This detection identifies statistical outliers in user behavior for the number of pools deleted in an hourly window.
[New] MATCH-S00996 Azure DevOps - Personal Access Token (PAT) Misuse Observed
- This detection monitors for use of a Personal Access Token in conjunction with categories of action that aren’t normally associated with PAT authentication.
[New] CHAIN-S00021 Azure DevOps - Pipeline Created and Deleted within a Short Period
- This detection monitors for the creation and deletion of the same pipeline within a short period (by default, a day).
[New] MATCH-S00993 Azure DevOps - Pipeline Retention Settings Reduced
- This detection monitors for any reduction in the pipeline retention settings.

Log Mappers

[New] Barracuda Authentication
[New] Barracuda Catch All
[New] Barracuda CloudGen Auth Service dcclient and events
[New] Barracuda CloudGen Firewall Activity
[New] Barracuda CloudGen Settings DNS
[New] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
[New] Barracuda System Event
[New] CyberArk Audit Authentication
[New] CyberArk Audit Catch All
[Updated] 1Password Item Audit Actions
[Updated] 1Password Item Usage Actions
[Updated] 1Password Item Usage C2C
[Updated] 1Password Signin C2C
[Updated] CloudTrail - iam.amazonaws.com - Policy Change
[Updated] CrowdStrike Audit Logs
[Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
[Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
[Updated] CrowdStrike UserActivity Logs
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
[Updated] Linux OS Syslog - Process sshd - SSH Bind Listening and negotiate event

Parsers

[New] /Parsers/System/Barracuda/Barracuda CloudGen
[New] /Parsers/System/Barracuda/Barracuda WAF
[New] /Parsers/System/Cyber-Ark/CyberArk Audit
[Updated] /Parsers/System/Kubernetes/Kubernetes
[Updated] /Parsers/System/Linux/Linux OS Syslog

March 10, 2025 - Application Update

Strict signal configuration

We're happy to announce that now when you create custom insights, you can select an option to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded. This allows you to generate insights for an immediate and targeted response.

Learn more.

March 03, 2025 - Application Update

Threat Intelligence

We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.

For more information, see our release note in the Service release notes section.

February 27, 2025 - Content Release

This content release includes updates to mapping and parsing to support additional AWS CloudTrail, F5 Firewall, and modify behavior in Microsoft Office 365 login events.

Changes are enumerated below.

Log Mappers

[New] CloudTrail Batch get Partition
[New] F5 Tmm Audit and APMD Audit - Custom Parser
[New] F5 Session and adfs proxy - Custom Parser
[Updated] F5 SSHD and Apmd - Custom Parser
- Expands scope of existing mapper to include Apmd events.
[Updated] Microsoft Office 365 Active Directory Authentication Events
- Adds exclusion for invalid user ID 00000000-0000-0000-0000-000000000000.

Parsers

[Updated] /Parsers/System/F5/F5 Syslog

February 20, 2025 - Content Release

This content release includes updates to Netskope Security Cloud log parsers and mappers to ensure anomaly events are properly mapped by adjusting parser logic to map event IDs from varying locations depending on event type.

Log Mappers

[Updated] Netskope - Anomaly - Bulk Download
[Updated] Netskope - Anomaly - User Shared Credentials
[Updated] Netskope - nspolicy

Parsers

[Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

February 14, 2025 - Content Release

This content release includes new and updated mappers and parsers for Carbon Black, Cisco ISE, Cisco Umbrella, PAN Firewall CSV and LEEF, and Signal Science (Fastly) WAF.

Changes are enumerated below.

Log Mappers

[New] Carbon Black Cloud - alert event
[Updated] Cisco ISE Radius Diagnostics
- Supports additional Radius Diagnostic messages.
[Updated] Cisco Umbrella DNS Logs
- Adds dstDevice_ip, normalizedAction, and user_email.
[Updated] Cisco Umbrella IP Logs
- Adds alternate value for dstDevice_ip and adds user_email.
[Updated] Cisco Umbrella Proxy Logs
- Adds user_email.

Parsers

[Updated] /Parsers/System/VMware/Carbon Black Cloud
- Adds support for alert event event ID.
[Updated] /Parsers/System/Cisco/Cisco ISE
- Adds key value parsing for descriptions.
[Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
- Adds a transform for capturing email addresses.
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- Modifies parse_system_format_1 regular expression to support additional events.
[Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
- Normalizes parsing of subtype to have consistent case.
[Updated] /Parsers/System/Signal Science/Signal Science WAF
- Adds additional timestamp handling.

January 31, 2025 - Content Release

This content release includes:

Removal and updates to Cloud SIEM rules.
Parsing and mapping support for new products.
Updates to existing parsing and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules

[Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
[Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
- Corrected typo in "MailItemsAccessed".
[Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
- Corrected typo in "MailItemsAccessed".

Log Mappers

[New] Crowdstrike FileVantage Catch All
[New] Dragos Communication
[New] Dragos Indicator
[New] Dragos System|Asset
[New] Extrahop JSON Catch All
[New] F5 TMM Http Request|TMM Network|TMM Connection error
[New] F5 TMSH - Custom Parser
[New] Zendesk - Login events

Updated Field Mappings

[Updated] Code42 Incydr Alerts C2C
[Updated] Cyber Ark EPM AggregateEvent
[Updated] Google G Suite - meet
[Updated] Palo Alto GlobalProtect - Custom Parser
[Updated] Palo Alto GlobalProtect Auth - Custom Parser
[Updated] Zendesk Catch All

Parsers

[New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
[New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing

[Updated] /Parsers/System/Code42/Code42 Incydr
[Updated] /Parsers/System/Dragos/Dragos
[Updated] /Parsers/System/F5/F5 Syslog
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Microsoft/Office 365
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

January 28, 2025 - Content Release

This content release includes:

Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
Adds parsing and mapping support for additional OpenVPN events.
Adds additional timestamp format handling to Azure JSON log parsing.

Log Mappers

[Updated] Azure DevOps Auditing Catch All
[Updated] OpenVPN Audit Event
[Updated] OpenVPN Network Event

Parsers

[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

January 14, 2025 - Content Release

This content release includes:

Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

note

In two weeks, MATCH-S00604 "OneLogin - API Credentials - Key Used from Untrusted Location" will be deleted from the out-of-the-box Cloud SIEM rules due to unmanageable deny list logic and low adoption. To retain this rule, a duplicate must be made prior to the deletion.

Log Mappers

[New] Azure DevOps Auditing Catch All
[New] Check Point Application Control URL Filtering
[New] Cisco ISE Radius Diagnostics
[New] Linux OS Syslog - KRB5 Child - Authentication Failure
[New] Linux OS Syslog - Process systemd - Systemd Session
[New] Linux OS Syslog - Process systemd - Systemd Session Scope
[New] Linux OS Syslog - Process systemd - session logout
[New] Pfsense Firewall filterlog
[New] Pfsense Firewall nginx
[New] Pfsense Firewall openvpn Authentication
[New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
[New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
[Updated] Cisco ISE Authentication Failure
- Adds normalizedSeverity mapping
[Updated] Cisco ISE Authentication Success
- Adds normalizedSeverity mapping
[Updated] Cloudflare - Logpush
- Adds mapping for dns_query, http_hostname, http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol.
[Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
- Adds mapping for normalizedAction
[Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
- Added support for additional events and mapping of file_path

Parsers

[New] /Parsers/System/Pfsense/Pfsense Firewall
[Updated] /Parsers/System/Check Point/Check Point Firewall JSON
[Updated] /Parsers/System/Cisco/Cisco ISE
[Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
[Updated] /Parsers/System/Linux/Linux OS Syslog
[Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
[Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

2024 Release Notes Archive - Cloud SIEM

Tue, 31 Dec 2024 00:00:00 GMT

This is an archive of 2024 Cloud SIEM release notes. To view the full archive, click here. Release notes are available on our website for a rolling multi-year period. For information about older releases, contact Support.

December 20, 2024 - Content Release

This content release includes:

New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management).
AWS Cloudtrail updates.
- Adds alternate mapping for user_userId in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see Important changes to CloudTrail events for AWS IAM Identity Center.
Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower.
Rule updates.

Changes are are enumerated below.

Rules

[Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
- Rule has been replaced by FIRST-S00065 as this version was not enabled by default.
[Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User
- Updated "First Seen" value from ClientInfoString to Client to reduce false positives.
[Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
- Replaces FIRST-S00029.

Log Mappers

[New] Dragos Catch All
[New] Mindpoint Group Keeper Authentication
[New] Mindpoint Group Keeper Catch All
[New] Trust Login Authentication
[New] Trust Login Catch All
[Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
[Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
[Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
[Updated] CloudTrail Default Mapping
[Updated] Firepower Catch All
- Additional new field mappings to support Firepower events and improve records classification.
[Updated] Palo Alto Config - Custom Parser
- Adds alternate field mappings.
[Updated] Palo Alto System - Custom Parser
- Adds alternate field mappings.
[Updated] Palo Alto System Auth - Custom Parser
- Support additional panorama-auth-success and alternate fields for mapped fields.

Parsers

[New] /Parsers/System/Dragos/Dragos
[New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
[New] /Parsers/System/Trust Login/Trust Login
[Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
- Adds support for FTD 430002 and 430003 events.
[Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
- Adds support for 'panorama-auth-success' events and improves timestamp handling.

December 6, 2024 - Content Release

This content release:

Introduces new Cloud SIEM detection rules for monitoring activity and alerts from GitHub Enterprise.
New and updated log parsing and mapping support for:
- AWS VPC Transit Gateways Flow Logs
- Alert Logic
- Google G Suite Alert Center
- Microsoft Defender Advanced Hunting
- Azure Provisioning, Alert, ResourceHealth, and ServiceHealth events

Changes are enumerated below.

note

First Seen Successful Authentication From Unexpected Country (FIRST-S00029), which is disabled by default, has been replaced by a rule of the same name (FIRST-S00065) which is enabled by default. FIRST-S00029 will be removed in a subsequent release in 2 weeks (week of December 16). Any tuning expressions applied to FIRST-S00029 will need to be migrated to FIRST-S00065 to continue functioning.

Rules

[New] MATCH-S00952 GitHub - Administrator Added or Invited
- Detects additions or invitations of GitHub Administrators. Illegitimate addition of administrative users could be an indication of privilege escalation or persistence by adversaries.
[New] MATCH-S00953 GitHub - Audit Logging Modification
- Detects modifications to the GitHub Enterprise Audit Log. Modifications and deletions have the potential to reduce visibility of malicious activity.
[New] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
- Observes for GitHub staff manually revoking copilot access for a user. This action is likely to be rare and may be indicative of a user violating the acceptable use policy for GitHub.
[New] FIRST-S00091 GitHub - First Seen Activity From Country for User
- Detects GitHub user activity from a new country. User account compromises can be detected through unusual geolocation in some cases. To lower possible false positives, a tuning expression for expected country names or codes can be added,.
[New] FIRST-S00090 GitHub - First Seen Application Interacting with API
- Detects new application usage of the GitHub API. New applications utilizing the API may be routine, however this may also reveal malicious applications utilizing the API.
[New] MATCH-S00950 GitHub - Member Invitation or Addition
- Detects new user additions or invitations to the business or organization GitHub. New user additions/invitations should be monitored as they could be a vector for malicious actors to establish access or persistence.
[New] MATCH-S00955 GitHub - Member Permissions Modification
- Detects modifications of GitHub user permissions. Added permissions for a user should be monitored for potential privilege escalation by an adversary.
[New] MATCH-S00956 GitHub - OAuth Application Activity
- Detects OAuth application activities within GitHub. OAuth application management and access activity should be monitored for potential abuse by potential malicious actors, either by creating malicious access paths within GitHub, or destruction of GitHub infrastructure.
[New] MATCH-S00957 GitHub - Organization Transfer
- Detects transfers of an organization to another enterprise This is a sensitive activity that should be monitored to ensure organizations and their repositories are not being transferred without proper authorization.
[New] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
- Detects an outlier in the number of distinct user agent strings for a GitHub user. Unusual user agent strings for a user account could indicate account takeover.
[New] OUTLIER-S00028 GitHub - Outlier in Removal Actions by User
- Detects a higher than usual number of removal actions undertaken by a user. This detection has a broad scope to detect any unusual number of destroy, delete, or remove actions undertaken by a user to help detect a range of different potential destructive activities in GitHub.
[New] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
- Detects an unusual number of repository clones for a user. Unusual repository cloning could indicate data exfiltration or discovery.
[New] MATCH-S00958 GitHub - PR Review Requirement Removed
- Detects GitHub pull request review requirements being removed from a repository either via branch protection rule or ruleset.
[New] MATCH-S00959 GitHub - Repository Public Key Deletion
- Detects deletions of SSH keys in GitHub. Unusual deletions could represent an adversary attempting to disrupt normal operations by denying access.
[New] MATCH-S00960 GitHub - Repository Transfer
- Detects transfers of a repository to another organization or user. This is a sensitive activity that GitHub places in the "Danger Zone" of repository setting and should be monitored to ensure no unauthorized transfers are taking place.
[New] MATCH-S00961 GitHub - Repository Visibility Changed to Public
- Detects a user making a repository public. This action should be closely monitored and mitigative actions taken even if the published repository is deleted, or reverted to private. Reference: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
[New] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
- Detects repository visibility permissions being changed to allow members of an organization to change the visibility of repositories. This activity introduces the potential for data leakage if a private or internal repository is changed to public and should be monitored to ensure no inadvertent or malicious publication of a repository.
[New] MATCH-S00963 GitHub - SSH Key Created for Private Repo
- Detects the creation of an SSH key for a private GitHub repository. Performed maliciously, creating an SSH key could create a parallel access path for an attacker.
[New] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
- Detects activities accessing SSO recovery codes. SSO recovery codes can enable a user to bypass normal more stringent authentication routes.
[New] MATCH-S00951 GitHub - Secret Scanning Alert
- Observes for secret scanning alerts from GitHub. Secrets detected by GitHub Enterprise Cloud undergo validation by GitHub automatically, to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection. For more information see Evaluating alerts from secret scanning.
[New] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
- Detects actions which disable or modify secret scanning policies for an organization or repository. Modifying or disabling secret scanning may lead to inadvertent leaking of credentials.
[New] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
- Observes for two-factor authentication being disabled for a GitHub organization. Removing two-factor authentication requirements significantly degrades the security of the GitHub organization by permitting password only authentication.
[Updated] THRESHOLD-S00095 Password Attack from Host
- Modified the rule expression to remove the srcDevice_ip entity selector and the isNull from the rule expression for entities from the existing rule, and creates a new rule for those entities so that there are 2 versions of the rule's intent.

Log Mappers

[New] AWS VPC Transit Gateways Flow Logs
[New] Alert Logic Catch All
[New] Azure ResourceHealth and ServiceHealth
[New] Google G Suite Alert Center - User Changes
[New] Microsoft Defender Advanced Hunting - Alert
[New] Microsoft Defender Advanced Hunting - Audit
[New] Microsoft Defender Advanced Hunting - Email events
[New] Microsoft Defender Advanced Hunting - Logon
[New] Microsoft Defender Advanced Hunting - Network
[Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
- Adds support for additional event types and field mappings.
[Updated] Trend Micro Vision One Custom Parser
- Supports additional field names.

Parsers

[New] /Parsers/System/AWS/AWS VPC Transit Gateways Flow Logs
[New] /Parsers/System/Alert Logic/Alert Logic
[New] /Parsers/System/Microsoft/Microsoft Defender Advanced Hunting
[Updated] /Parsers/System/Trend Micro/Trend Micro Vision One
- Parser updated to support additional event format.

November 22, 2024 - Content Release

This content release includes:

New mapping support for: Qumulo Core, and Teramind Teraserver.
Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta.
Updates to the existing Okta log mappings to support a new HTTP source log formatting.
Updates to Code42 Incydr Alerts C2C mapping to support new alert log format.

Changes are enumerated below.

Rules

[Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
- Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place.
[New] THRESHOLD-S00116 Password Attack from IP
- This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping.
[Updated] FIRST-S00095 Password Attack from Host
- Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity.
[Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application
- Baseline retention window size increased from 35 days to the standard 90 day retention.
- Modified the summary description to read as follows: "User: {{user_username}} has successfully accessed the Okta Admin Application".

Log Mappers

[New] Palo Alto Threat DLP non File - Custom Parser
- Mapping support added for event id pattern: threat-dlp-non-file.
[New] Qumulo Core - Catch All
[New] Qumulo Core - Login
[New] Teramind Authentication
[New] Teramind Catch All
[New] Teramind Email
[Updated] Code42 Incydr Alerts C2C
[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication - auth_via_radius
[Updated] Okta Authentication - sso
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events

Parsers

[New] /Parsers/System/Qumulo/Qumulo Core
[New] /Parsers/System/Salesforce/Salesforce
[New] /Parsers/System/Teramind/Teramind Teraserver
[Updated] /Parsers/System/Code42/Code42 Incydr
- Transform update for a new alert log format for tenantId.
[Updated] /Parsers/System/Okta/Okta
- Modified event_id from eventType to event_type.
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- Additional parsing support for a new Palo Alto Threat event format.

November 8, 2024 - Application Update

Cloud SIEM network sensor end-of-life

The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed Zeek network sensor as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.

Learn more here.

November 7, 2024 - Content Release

This content release includes:

New detection rules.
Updates to existing detection rules to correct rule logic and reduce false positives.
New parsing and mapping support for Automox, WatchGuard Firewall, and Digital Guardian ARC.
Update to existing AWS Application Load Balancer parsing and mapping to support Connection logs.
Update to MITRE ATT&CK tag schema to support ATT&CK v16.0.

Changes are enumerated below.

Rules

[New] CHAIN-S00018 Autorun file created after USB disk mount on host
- This signal looks for a USB drive being mounted on a Windows host followed by a file creation event with the file name of "autorun.inf" within a 5-minute time frame. This activity could be indicative of an attempt at lateral movement or initial access avenues through a USB device. Ensure that the machine in question is authorized to use USB devices and look for other file creation events from this host around the same time frame.
[New] FIRST-S00071 First Seen AWS ConsoleLogin by User
- First observance of a user logging on to the Amazon AWS console. This could be indicative of new administrator onboarding, or an unauthorized access to the AWS console. Recommended to investigate the nature of the user account and the login.
[New] FIRST-S00080 First Seen Azure Portal access by User
- First observance of a user logging on to the Microsoft Azure Portal. This could be indicative of new user onboarding, or an unauthorized access to the Azure portal. Recommended to investigate the nature of the user account and the login.
[New] FIRST-S00073 First Seen Get-ADDefaultDomainPasswordPolicy
- The first observed execution of the PowerShell CMDLet Get-ADDefaultDomainPasswordPolicy on this host. This CMDLet can be used in the discovery of Windows Domain Password Policies by threat actors. Investigating the host and active users for additional activity around the time of execution is recommended.
[New] FIRST-S00072 First Seen Group Policy Discovery Operation
- This detection is a first observed execution of Windows process or PowerShell commands that can be run by users or administrators in order to gather password policy and other types of system information in an enterprise environment. The detections in this signal are based off variations found in Atomic Red Team test cases. Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md. Look at the command line and parent process details of the signal in order to determine if this execution is legitimate or part of system provisioning or systems administration operations.
[New] FIRST-S00076 First Seen Net Command Use on Host
- Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the first observance of a Net related command on a system related to these discovery tactics. It is recommended to investigate the host and user to determine if this is authorized admin activity or needs further inspection.
[New] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
- First Seen rule which triggers when there are at least two successful logins from the same user with different country codes indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.)
[New] FIRST-S00074 First Seen driverquery execution on host
- First observed execution of the driverquery command on the following device host: {{device_hostname}}. Driverquery is a useful command for an attacker to enumerate local device drivers to determine next steps in the attack. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
[New] FIRST-S00079 First Seen gpresult execution on host
- This detection is first observed execution of gpresult on a host. This command may be used by attackers to access detailed password policy information in an enterprise environment. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
[New] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
- This signal looks for a new Client ID value ( mapped to the user_username field ) and ASN combination being issued an OIDC token, excluding the Okta Browser Plugin and Okta Dashboard. Use the Okta admin portal and look at the "Applications" section to cross-reference the Client ID value. Ensure that the IP address that is requesting the token is known and that this operation is expected and authorized.
[New] FIRST-S00068 Okta - First Seen User Accessing Admin Application
- A user not seen since the baseline period has accessed the Okta admin application. Ensure that this user is expected to perform Okta administrative activities. If this user is expected and authroized, consider adding the user to the "Okta_Admins" match list to exclude the user from this signal.
[New] FIRST-S00066 Okta - First Seen User Requesting Report
- This signal looks for a first seen user requesting an export of an Okta report. The various Okta report types can be found in the “Reports” section of the Okta administrative portal and can include various report types such as application password help, MFA usage, and reports around user access. During the October 2023 Okta incident, threat actors downloaded reports from Okta portals to extract information regarding user contact information. Ensure that the user that is requesting such reports is authorized and that this activity is expected. If a suspicious report generation event occurs, look at the “target” element within the event to gain more detailed information as to the type of report being generated and exported.
[New] OUTLIER-S00018 Okta - Outlier in ASNs Used to Access Applications
- This signal looks for an outlier in the number of distinct autonomous system numbers (ASNs) that a particular user utilizes to access Okta resources within an hour time period. This is designed to alert on various forms of token or credential theft as well as general Okta session anomalies.
[New] OUTLIER-S00017 Okta - Outlier in MFA Attempts Denied by User
- This signal builds an hourly baseline of MFA denied events per user and triggers when an outlier in the number of denied attempts is detected. This signal is designed to trigger on MFA-fatigue type attacks. If false positives are detected, consider excluding certain users from the alerting logic or raise the minimum count value within the rule configuration.
[New] OUTLIER-S00016 Okta - Outlier in OIDC token request failures
- This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. Use the Okta admin portal to correlate the Client ID (mapped to user_username) to determine what application is being targeted. Pivot off the Client ID and IP address values to examine the raw Okta events in order to ensure that this activity is planned and expected. This activity can occur during setup and development of Okta applications and integrations.
[New] OUTLIER-S00013 Outlier in Data Outbound Per Day by Admin or Sensitive Device
- A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
[New] OUTLIER-S00015 Outlier in Data Outbound Per Hour by Admin or Sensitive Device
- A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
[Updated] THRESHOLD-S00095 Password Attack
- Added NULL exclusion to rule expression to prevent false-positives stemming from NULL IP or hostnames.
[Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port
- Added missing parenthesis to match expression.

Log Mappers

[New] AWS - Application Load Balancer - Connection
[New] Automox - Audit logs
[New] Automox - Audit logs - Logon
[New] Automox - Event logs
[New] Digital Guardian ARC - Audit Events
[New] Digital Guardian ARC - Mail
[New] Digital Guardian ARC - Network
[New] Digital Guardian ARC - User Login|Logoff
[New] Watchguard Fireware - Firewall
[New] Watchguard Fireware - http/https-proxy

Parsers

[New] /Parsers/System/Automox/Automox
[New] /Parsers/System/Digital Guardian/Digital Guardian ARC
[New] /Parsers/System/WatchGuard/WatchGuard Fireware
[Updated] /Parsers/System/AWS/AWS ALB
- Updated parser to support AWS Application Load Balancer Connection logs

October 31, 2024 - Content Release

This content release includes:

New Detection rules for Github Enterprise Audit.
New Detection rules for Okta identity and access management.
Updated parser and mappers for Cisco Meraki firewall, and Cisco Meraki Flows:
- Updated the pattern lookup for: action, normalized action, and success.
Updated log mappers for Github Enterprise Audit:
- Updated the name of the product and the internal ID that corresponds to it.
Updated parser for Github Enterprise Audit time handling.
New parsers and mappers for Apache HTTP server and Kandji EDR.
Other changes enumerated below.

Please be advised that rule FIRST-S00031 (First Seen IP Address Associated with User for a Successful Azure AD Sign In Event) is not performing as intended and will be decommissioned in a forthcoming release. Please use FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) which provides an accurate and less sensitive detection point.

Rules

[New] MATCH-S00922 AWS Bedrock Agent Created.
- This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications.
[New] MATCH-S00924 AWS Bedrock Guardrail Deleted.
- AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change.
[New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User.
- A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock.
[New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed.
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized.
[New] OUTLIER-S00024 AWS DynamoDB Outlier in GetItem Events from User.
- An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances.
[New] OUTLIER-S00025 AWS S3 Outlier in PutObject Denied Events
- This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function.
[New] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe
- Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. Audit Object Access (success and failure) must be enabled for this rule to function.
[New] MATCH-S00896 Azure Authentication Policy Change
- Various authentication related policy configurations exist within Azure. These are tenant-wide policy changes that affect aspects such as enabling of number matching, changing of which authentication methods users are allowed to use, or the exclusion of certain groups from various authentication methods.
[New] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
- This rule detects credential dumping using copy command from a shadow copy.
[New] FIRST-S00084 First Seen AWS Bedrock API Call from User
- This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services.
[New] FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
- This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. This can be indictive of enumeration of certificate templates which can potentially lead to forged certificates and privilege escalation avenues.
[New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period.
[New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
- A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model.
[New] FIRST-S00088 First Seen NTLM Authentication to Host (User)
- A user has performed NTLM authentication to a host on the network for the first time since the baseline period has been established.
[New] FIRST-S00076 First Seen Net Command Use on Host
[New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
- An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation.
[New] FIRST-S00061 First Seen USB device in use on Windows host
- This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics.
[New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
- AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM.
[New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock.
[New] FIRST-S00059 First Seen esentutl command From User
- Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
[New] FIRST-S00058 First Seen vssadmin command From User
- Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
[New] FIRST-S00060 First Seen wbadmin command From User
- Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
[New] MATCH-S00429 LSASS Memory Dumping
- Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
[New] MATCH-S00161 Malicious PowerShell Get Commands
- This rule detects commandlets from common PowerShell exploitation frameworks.
[New] MATCH-S00895 NinjaCopy Usage Detected
- NinjaCopy is a legacy PowerShell tool that can copy files from an NTFS volume in a manner that bypasses SACL auditing as well as DACL controls such as only allowing SYSTEM to open a file.
[New] MATCH-S00906 Okta - Application Created
- This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications.
[New] MATCH-S00903 Okta - Device Added To User
- An Okta device was added to a user. This activity may occur as part of normal user operations such as lost device.
[New] MATCH-S00904 Okta - Device Removed From User
- An Okta device was removed from a user. It is recommended that the user performing the action be cross-referenced to a list of approved Okta administrators.
[New] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon
- This signal looks for a single user explicitly denying at least two (2) multi factor authentication prompts, followed by a successful Okta login via multi factor authentication within a twenty-five (25) minute window. This logic is designed to catch successful MFA fatigue type attacks.
[New] MATCH-S00908 Okta - MFA Request Denied by User
- This signal will trigger when a user denies an MFA request within the Okta authenticator application.
[New] MATCH-S00907 Okta - Policy Rule Added
- An Okta policy rule has been added through the Okta admin application.
[New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint
- This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta “users” API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks.
[New] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
- This rule detects when a user has utilized multiple distinct ASNs when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly.
[New] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
- This rule detects when a user has utilized multiple distinct User Agents when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly.
[New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
- An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts.
[New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
- An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts.
[New] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded
- This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows domain users full control over the certificate
[New] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration
- This alert looks for two events in a particular order, the first event involves a certificate template being loaded with a certificate request agent application policy.
[New] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded
- This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows all domain users the ability to enroll the template.
[New] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded
- This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows the enrolee to supply a subject and allows all domain users to enroll.
[New] MATCH-S00899 Suspicious Active Directory Certificate Modification
- This alert looks for an Active Directory certificate being modified with the "Any Purpose" OID.
[New] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent
- This alert looks for an Active Directory certificate being modified with an Enrollment Agent value that allows an Active Directory principal to enroll a certificate on behalf of another user.
[New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method
- This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates.
[New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution
- Detects the use of PowerShell for Applicaiton Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling.
[New] MATCH-S00918 Suspicious cat of PAM common-password policy
- The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users.
[New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call.
[New] MATCH-S00583 WCE wceaux.dll Access
- Obvserves for access of wceaux.dll, which may be indicative of credential access.
[New] MATCH-S00159 Windows - Permissions Group Discovery
- Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the use net.exe related commands on a system related to these discovery tactics.
[New] THRESHOLD-S00067 ZeroLogon Privilege Escalation Behavior
- An attack against CVE-2020-1472 may create thousands of NetrServerReqChallenge and NetrServerAuthenticate3 requests in a short amount of time.
[New] MATCH-S00919 chage command use on host
- The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user’s password or account is due to expire.

Log Mappers

[New] Apache HTTP Server - Access log
[New] Kandji EDR - catch all
[Updated] Cisco Meraki Firewall - Custom Parser
[Updated] Cisco Meraki Flows - Custom Parser
[Updated] GitHub Enterprise Audit - Access Events
[Updated] GitHub Enterprise Audit - Authentication Events
[Updated] GitHub Enterprise Audit - Create Events
[Updated] GitHub Enterprise Audit - Modify Events
[Updated] GitHub Enterprise Audit - Remove Events
[Updated] GitHub Enterprise Audit - Restore Events
[Updated] GitHub Enterprise Audit - Transfer Events
[Updated] GitHub Enterprise Audit Catch All

Parsers

[New] /Parsers/System/Apache/Apache HTTP Server
[New] /Parsers/System/Kandji/Kandji EDR
[Updated] /Parsers/System/Cisco/Cisco Meraki
- Corrected parser to address incorrect mapping leading to alert errors.
[Updated] /Parsers/System/Github/GitHub Enterprise Audit
- Parser modification to the MAPPER:product from Github Enterpries to Github Enterprise Audit
[Updated] /Parsers/System/Kemp/Kemp LoadMaster Syslog
- Corrected parser transform for the log-entry format of the Process_Syslog_Header
[Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
- Corrected the JSON parser for MAPPER:event_id to facilitiate proper mapping processing

October 4, 2024 - Content Release

This content release includes:

Detection rules centered around Amazon Bedrock activities.
Consolidation of AWS CloudTrail mappers to replicate current mapper behavior with fewer distinct mappers.
New support for GitHub Enterprise Audit (parsing and mapping).
New support for Honeywell Pro-Watch (parsing and mapping).
New support for Citrix Zendesk (parsing and mapping).
Further mapping updates to better employ Normalized Classification fields across data sources.
Removal of some duplicate mapped fields.
Other changes enumerated below.

Rules

[New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
[New] MATCH-S00922 AWS Bedrock Agent Created
- This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
[New] MATCH-S00924 AWS Bedrock Guardrail Deleted
- AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious.
[New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User
- A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field.
[New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
- A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions.
[New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
[New] FIRST-S00084 - First Seen AWS Bedrock API Call from User
- This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected.
[New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
- An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
[New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
[New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
- AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives.
[New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
- An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
[New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
- An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
[New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User
- An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function.
[New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events
- This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges.
[New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.

Log Mappers

New Event/Source Support

[New] Fortinet utm-ssl Logs
[New] GitHub Enterprise Audit - Access Events
[New] GitHub Enterprise Audit - Authentication Events
[New] GitHub Enterprise Audit - Create Events
[New] GitHub Enterprise Audit - Modify Events
[New] GitHub Enterprise Audit - Remove Events
[New] GitHub Enterprise Audit - Restore Events
[New] GitHub Enterprise Audit - Transfer Events
[New] GitHub Enterprise Audit Catch All
[New] Honeywell Pro-Watch Catch All
[New] Zendesk Catch All

Extended Normalized Classification Support

[Updated] Azure Event Hub - Windows Defender Logs
[Updated] Azure ManagedIdentitySignInLogs
[Updated] Azure NonInteractiveUserSignInLogs
[Updated] Azure ServicePrincipalSignInLogs
[Updated] Azure Write and Delete Logs
[Updated] AzureActivityLog 01
[Updated] Carbon Black Cloud - Observation event
[Updated] Carbon Black Cloud Script Load
[Updated] Cisco ASA 109005-8 JSON
[Updated] Cisco ASA 113005
[Updated] Cisco ASA 113005 JSON
[Updated] Cisco ASA 113012-17 JSON
[Updated] Cisco ASA 716039 JSON
[Updated] Cisco ASA 719022-3 JSON
[Updated] Cisco ASA 751011 JSON
[Updated] Citrix NetScaler - AAA-LOGIN_FAILED
[Updated] CrowdStrike FDR - CriticalFileAccessed
[Updated] CylancePROTECT Threats
[Updated] Fortinet Event Logs
[Updated] Fortinet Virus Logs
[Updated] Kaspersky Endpoint Security Catch All
[Updated] Lacework Alert
[Updated] Linux OS Syslog - Cron - Session Closed
[Updated] Linux OS Syslog - Cron - Session Opened
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
[Updated] Linux OS Syslog - Process sshd - SSH Public Key Not Allowed
[Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
[Updated] Linux OS Syslog - Process systemd - Systemd Session Start
[Updated] McAfee WebGateway - CEF - User Login Failed
[Updated] Microsoft Defender for Cloud - Security Alerts
[Updated] Microsoft Office 365 Active Directory Authentication Events
[Updated] Microsoft Office 365 Threat Intelligence Atp Content Events
[Updated] OSSEC Alert
[Updated] OpenVPN Authentication Attempt
[Updated] OpenVPN Logon Attempt
[Updated] Osquery Process Auditing
[Updated] Palo Alto Traps - Custom Parser
[Updated] RSA SecurID SinglePoint Authentication
[Updated] Snowflake Login
[Updated] Symantec Agent Behavior Logs
[Updated] Symantec Agent Risk Logs
[Updated] Symantec Agent Risk SONAR Logs
[Updated] Symantec Agent Scan Logs
[Updated] Sysdig Kubernetes JSON
[Updated] Tanium IOC Event - CEF Custom Parser
[Updated] Windows - Security - 4625

Added 'Cause' mapping and added 'null' as a skipped value

[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication - auth_via_radius
[Updated] Okta Authentication - sso
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events

Consolidated CloudTrail Mappings

[Deleted] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
[Deleted] CloudTrail - cloudtrail.amazonaws.com - StartLogging
[Deleted] CloudTrail - cloudtrail.amazonaws.com - StopLogging
[Deleted] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
[Deleted] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
[Deleted] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
[Deleted] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
[Deleted] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
[Deleted] CloudTrail - ec2.amazonaws.com - CreateKeyPair
[Deleted] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
[Deleted] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
[Deleted] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
[Deleted] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
[Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
[Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
[Deleted] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
[Deleted] CloudTrail - ec2.amazonaws.com - ImportKeyPair
[Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
[Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
[Deleted] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
[Deleted] CloudTrail - iam.amazonaws.com - AttachRolePolicy
[Deleted] CloudTrail - iam.amazonaws.com - AttachUserPolicy
[Deleted] CloudTrail - iam.amazonaws.com - CreateAccessKey
[Deleted] CloudTrail - iam.amazonaws.com - CreatePolicy
[Deleted] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
[Deleted] CloudTrail - iam.amazonaws.com - CreateUser
[Deleted] CloudTrail - iam.amazonaws.com - DeletePolicy
[Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
[Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
[Deleted] CloudTrail - iam.amazonaws.com - DeleteUser
[Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
[Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
[Deleted] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
[Deleted] CloudTrail - iam.amazonaws.com - DetachRolePolicy
[Deleted] CloudTrail - iam.amazonaws.com - DetachUserPolicy
[Deleted] CloudTrail - iam.amazonaws.com - PutGroupPolicy
[Deleted] CloudTrail - iam.amazonaws.com - PutRolePolicy
[Deleted] CloudTrail - iam.amazonaws.com - PutUserPolicy
[Deleted] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
[Deleted] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
[Deleted] CloudTrail - lambda.amazonaws.com - AddPermission
[Deleted] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping
[Deleted] CloudTrail - lambda.amazonaws.com - CreateFunction
[Deleted] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig
[Deleted] CloudTrail - lambda.amazonaws.com - DeleteFunction
[Deleted] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping
[Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration
[Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig
[Deleted] CloudTrail - lambda.amazonaws.com - PublishLayerVersion
[Deleted] CloudTrail - lambda.amazonaws.com - RemovePermission
[Deleted] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping
[Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode
[Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration
[Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig
[Deleted] CloudTrail - logs.amazonaws.com - DeleteLogGroup
[Deleted] CloudTrail - logs.amazonaws.com - DeleteLogStream
[Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketCors
[Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
[Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
[Deleted] CloudTrail - s3.amazonaws.com - PutBucketAcl
[Deleted] CloudTrail - s3.amazonaws.com - PutBucketCors
[Deleted] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
[Deleted] CloudTrail - s3.amazonaws.com - PutBucketPolicy
[Deleted] CloudTrail - s3.amazonaws.com - PutBucketReplication
[Deleted] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
[Deleted] CloudTrail - signin.amazonaws.com - CheckMfa
[Deleted] CloudTrail - signin.amazonaws.com - ExitRole
[Deleted] CloudTrail - signin.amazonaws.com - RenewRole
[Deleted] CloudTrail - signin.amazonaws.com - SwitchRole
[Deleted] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
[Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging
[Updated] CloudTrail - ec2.amazonaws.com - All Network Events
[Updated] CloudTrail - iam.amazonaws.com - Policy Change
[Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion
[Updated] CloudTrail - lambda.amazonaws.com - Audit Change
[Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction
[Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy
[Updated] CloudTrail - lambda.amazonaws.com - Resource Access
[Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream
[Updated] CloudTrail - s3.amazonaws.com - Bucket Change
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted
[Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
[Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication

Parsers

[New] /Parsers/System/Github/GitHub Enterprise Audit
[New] /Parsers/System/Honeywell/Honeywell Pro-Watch
[New] /Parsers/System/Zendesk/Zendesk
[Updated] /Parsers/System/AWS/AWS ALB
- Extends AWS ALB parser to handle additional conn_trace_id field
[Updated] /Parsers/System/Citrix/Citrix Cloud C2C
- Modifies time handling and drops logs without security value
[Updated] /Parsers/System/Dell/Dell SonicWall
- Minor regex fix for port and protocol handling
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- Additional TRAFFIC log format handling

September 19, 2024 - Content Release

This content release includes:

Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal).
Deletion of a low efficacy rule.
Mapping updates to better employ normalized classification fields across data sources.
Adds alternate case handling for Windows Security Event Log error codes.
Updates to LastPass parsing and mapping to support Reporting and Failed Logon events.
Adds support for Thinkst Canary JSON logging.
Adjusts time handling for Thinkst Canary Syslog.

Other changes are enumerated below.

Rules

[Deleted] LEGACY-S00180 DNS query for dynamic DNS provider
[Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
[Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
[Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
[Updated] MATCH-S00727 CPL File Executed from Temp Directory
[Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings
[Updated] MATCH-S00658 Container Management Utility in Container
[Updated] MATCH-S00410 Copy from Admin Share
[Updated] MATCH-S00443 Create Windows Share
[Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
[Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy
[Updated] MATCH-S00348 Curl Start Combination
[Updated] MATCH-S00385 DTRACK Process Creation
[Updated] MATCH-S00441 Delete Windows Share
[Updated] MATCH-S00543 Detect Psexec With Accepteula Flag
[Updated] MATCH-S00319 Dridex Process Pattern
[Updated] MATCH-S00590 Elise Backdoor
[Updated] MATCH-S00392 File or Folder Permissions Modifications
[Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
[Updated] FIRST-S00059 First Seen esentutl command From User
[Updated] FIRST-S00041 First Seen networksetup Usage from User
[Updated] FIRST-S00058 First Seen vssadmin command From User
[Updated] FIRST-S00060 First Seen wbadmin command From User
[Updated] FIRST-S00008 First Seen whoami command From User
[Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility
[Updated] MATCH-S00325 Greenbug Campaign Indicators
[Updated] MATCH-S00367 Impacket Lateralization Detection
[Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility
[Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility
[Updated] MATCH-S00322 Judgement Panda Credential Access Activity
[Updated] MATCH-S00334 Judgement Panda Exfil Activity
[Updated] MATCH-S00651 Kubernetes CreateCronjob
[Updated] MATCH-S00652 Kubernetes DeleteCronjob
[Updated] MATCH-S00650 Kubernetes ListCronjobs
[Updated] MATCH-S00648 Kubernetes ListSecrets
[Updated] MATCH-S00647 Kubernetes Pod Deletion
[Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed
[Updated] MATCH-S00461 LNKSmasher Utility Commands
[Updated] MATCH-S00746 Loadable Kernel Module Dependency Install
[Updated] MATCH-S00745 Loadable Kernel Module Enumeration
[Updated] MATCH-S00723 Loadable Kernel Module Modifications
[Updated] MATCH-S00352 MSHTA Suspicious Execution
[Updated] MATCH-S00534 MacOS - Re-Opened Applications
[Updated] MATCH-S00729 MacOS Gatekeeper Bypass
[Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
[Updated] MATCH-S00161 Malicious PowerShell Get Commands
[Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
[Updated] MATCH-S00198 Malicious PowerShell Keywords
[Updated] MATCH-S00331 MavInject Process Injection
[Updated] MATCH-S00466 MsiExec Web Install
[Updated] MATCH-S00288 NotPetya Ransomware Activity
[Updated] MATCH-S00698 PATH Set to Current Directory
[Updated] MATCH-S00659 Package Management Utility in Container
[Updated] MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034
[Updated] MATCH-S00149 PowerShell File Download
[Updated] MATCH-S00449 Powershell Execution Policy Bypass
[Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll
[Updated] MATCH-S00439 Psr.exe Capture Screenshots
[Updated] MATCH-S00167 Recon Using Common Windows Commands
[Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator
[Updated] MATCH-S00506 SC Exe Manipulating Windows Services
[Updated] MATCH-S00153 Scheduled Task Created via PowerShell
[Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System
[Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot
[Updated] MATCH-S00359 Suspicious Certutil Command
[Updated] MATCH-S00356 Suspicious Compression Tool Parameters
[Updated] MATCH-S00362 Suspicious Curl File Upload
[Updated] MATCH-S00476 Suspicious Execution of Search Indexer
[Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution
[Updated] MATCH-S00191 Suspicious PowerShell Keywords
[Updated] MATCH-S00431 Suspicious Use of Procdump
[Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution
[Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
[Updated] MATCH-S00279 TAIDOOR RAT DLL Load
[Updated] MATCH-S00531 Unload Sysmon Filter Driver
[Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions
[Updated] MATCH-S00761 Volume Shadow Copy Service Stopped
[Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
[Updated] MATCH-S00760 WMI Ping Sweep
[Updated] MATCH-S00146 WMI Process Call Create
[Updated] MATCH-S00151 WMI Process Get Brief
[Updated] MATCH-S00379 WMIExec VBS Script
[Updated] MATCH-S00400 Web Download via Office Binaries
[Updated] MATCH-S00539 Web Servers Executing Suspicious Processes
[Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands
[Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog
[Updated] MATCH-S00181 Windows - Domain Trust Discovery
[Updated] MATCH-S00168 Windows - Local System executing whoami.exe
[Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe
[Updated] MATCH-S00159 Windows - Permissions Group Discovery
[Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas
[Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed
[Updated] MATCH-S00281 Windows - PowerShell Process Discovery
[Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire
[Updated] MATCH-S00185 Windows - Remote System Discovery
[Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
[Updated] MATCH-S00170 Windows - Scheduled Task Creation
[Updated] MATCH-S00192 Windows - System Network Configuration Discovery
[Updated] MATCH-S00194 Windows - System Time Discovery
[Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh
[Updated] MATCH-S00532 Windows Adfind Exe
[Updated] MATCH-S00552 Windows Connhost Started Forcefully
[Updated] MATCH-S00398 Windows Defender Download Activity
[Updated] MATCH-S00179 Windows Network Sniffing
[Updated] MATCH-S00157 Windows Process Name Impersonation
[Updated] MATCH-S00178 Windows Query Registry
[Updated] MATCH-S00533 Windows Security Account Manager Stopped
[Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path
[Updated] MATCH-S00724 Windows Update Agent DLL Changed
[Updated] MATCH-S00382 Winnti Pipemon Characteristics
[Updated] MATCH-S00435 XSL Script Processing
[Updated] MATCH-S00726 macOS Kernel Extension Load

Log Mappers

[New] LastPass Failed Login Attempt
[New] LastPass Reporting
[Updated] Thinkst Canary Parser - Catch All
- Removed time handling from mapper to favor parser time handling
[Updated] 1Password Item Audit Actions
[Updated] 1Password Item Usage Actions
[Updated] AWS Config - Custom Parser
[Updated] AWS EKS - Custom Parser
[Updated] AWS Inspector - Custom Parser
[Updated] AWS Route 53 Logs
[Updated] AWS S3 Server Access Log - Custom Parser
[Updated] AWS Security Hub
[Updated] AWSGuardDuty - Audit Events
[Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
[Updated] AWSGuardDuty - Reconnaissance and malicious activity detection
[Updated] AWSGuardDuty - Tor Client and Relay
[Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
[Updated] AWSGuardDuty_Catch_All
[Updated] Adaxes - Custom Parser
[Updated] ApplicationGatewayAccessLog
[Updated] ApplicationGatewayFirewallLog
[Updated] Aqua Runtime Policy Match
[Updated] Azure Appplication Service Console Logs
[Updated] Azure AuditEvent logs
[Updated] Azure Event Hub - Windows Defender Logs
[Updated] Azure Firewall Application Rule
[Updated] Azure Firewall DNS Proxy
[Updated] Azure Firewall Network Rule
[Updated] Azure NSG Flows
[Updated] Azure Policy Logs
[Updated] AzureActivityLog
[Updated] AzureActivityLog 01
[Updated] AzureActivityLog AuditLogs
[Updated] AzureDevOpsAuditing
[Updated] Cato Networks Audits
[Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
[Updated] Cyber Ark EPM AggregateEvent
[Updated] Druva Cyber Resilience - Catch All
[Updated] GCP App Engine Logs
[Updated] GCP Audit Logs
[Updated] GCP IDS
[Updated] GCP Parser - Load Balancer
[Updated] Google Security Command Center
[Updated] JumpCloud IdP - Catch All
[Updated] Kaltura Audits
[Updated] Microsoft Defender for Cloud - Security Alerts
[Updated] Microsoft Office 365 AzureActiveDirectory Events
[Updated] Microsoft Office 365 MicrosoftStream Events
[Updated] Microsoft Office 365 PowerApps Events
[Updated] Microsoft Office 365 Sway Events
[Updated] Microsoft Office 365 Teams Events
[Updated] Microsoft Office 365 Yammer Events
[Updated] MicrosoftGraphActivityLogs
[Updated] Office 365 - MicrosoftFlow
[Updated] Office 365 - Security Compliance Alerts
[Updated] Osquery Catchall
[Updated] Osquery FIM
[Updated] Osquery Process Auditing
[Updated] Osquery Socket Events
[Updated] Osquery Startup Items
[Updated] Palo Alto Config - Custom Parser
[Updated] Palo Alto Threat Spyware - Custom Parser
[Updated] RSA SecurID Runtime Authn Logout
[Updated] RSA SecurID Runtime Catchall
[Updated] UnauthorizedAccess_EC2_SSHBruteForce
[Updated] Windows - Security - 4625
[Updated] Windows - Security - 4634

Parsers

[New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON
[Updated] /Parsers/System/LastPass/LastPass
[Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
- Updated time handling to use _messagetime metadata

August 27, 2024 - Content Release

This release reverts a change to our AWS CloudTrail default (catch all) mapper for how user_username is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some AssumedRole events.

AWS AssumedRole events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the August 5th, 2024 content release to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.

AWS best practices suggest defining sourceIdentity to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor sourceIdentity if it is present in CloudTrail logs. If it is not present, then userIdentity.arn will be used and the resource-id will be mapped to user_username, creating potential for false positives from dynamic session identifiers. See Viewing source identity in CloudTrail in the AWS documentation for more information.

Alternatively, known service accounts which generate dynamic sessions identifers can be tuned out from signals using rule tuning expressions, Field Extraction Rules (FERs), or at the CloudTrail parser to reduce potential for false positive signals.

Log Mappers

[Updated] CloudTrail Default Mapping

August 23, 2024 - Content Release

This content release includes:

Updates to rules to improve the user experience
Specific updates are enumerated and summarized below

note

Rule DNS query for dynamic DNS provider (LEGACY-S00180) is slated for removal the week of 2024-09-02. The rule is being removed from global content due to the untenable nature of maintaining the list of dynamic DNS providers within the rule expression. To retain this rule, it must be duplicated prior to the date of removal.

Rules

[Updated] MATCH-S00816 Interactive Logon to Domain Controller
- Updated expression match list to use new domain_controllers_hostnames instead of domain_controllers which was generating false positives due to IP dependency.
[Updated] LEGACY-S00105 Suspicious DC Logon
- Updated expression match list to use new domain_controllers_hostnames instead of domain_controllers which was generating false positives due to IP dependency.

srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid `null` values for the following rules:

[Updated] MATCH-S00874 AWS Lambda Function Recon
[Updated] MATCH-S00825 AWS Secrets Manager Enumeration
[Updated] MATCH-S00513 Critical Severity Intrusion Signature
[Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks
[Updated] MATCH-S00666 High Severity Intrusion Signature
[Updated] MATCH-S00669 Informational Severity Intrusion Signature
[Updated] MATCH-S00668 Low Severity Intrusion Signature
[Updated] MATCH-S00667 Medium Severity Intrusion Signature
[Updated] THRESHOLD-S00095 Password Attack

Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:

[Updated] MATCH-S00429 LSASS Memory Dumping +
[Updated] MATCH-S00161 Malicious PowerShell Get Commands +
[Updated] MATCH-S00190 Malicious PowerShell Invoke Commands +
[Updated] MATCH-S00198 Malicious PowerShell Keywords +
[Updated] MATCH-S00191 Suspicious PowerShell Keywords +
[Updated] MATCH-S00431 Suspicious Use of Procdump +
[Updated] MATCH-S00583 WCE wceaux.dll Access +
[Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected +
[Updated] MATCH-S00291 Windows Credential Editor (WCE) in use +

Added exclusion to match expression for `OneDrive` to reduce false positives and removed fields producing nulls in the signal summary for the following rules:

[Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
[Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User
[Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
[Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents

August 16, 2024 - Content Release

This content release includes:

Updates to Azure rules to reflect a name change in the Company Administrator role to Global Administrator.
New Linux OS Syslog mappers.
Addition of sessionId mapping to Okta mappers.

Individual changes are enumerated below.

Rules

[Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
[Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
[Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role
[Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User)

Log Mappers

[New] Linux OS Syslog - Process sudo - Authentication Failure
[New] Linux OS Syslog - Systemd-user Session Open|Closed
[New] Linux OS Syslog - sshd - Postponed publickey
[New] Linux OS Syslog - sshd - User not allowed
[New] MicrosoftGraphActivityLogs
[Updated] AWS Redshift - Authentication Log
- Added normalizedAction mapping for logon and a success boolean lookup on event_name
[Updated] Aruba ClearPass Guest Access
- Added normalizedAction mapping for logon and a success boolean lookup on error codes
[Updated] Check Point Failed Log In
- Updated record type to Authentication and adjusted normalizedAction mapping to logon
[Updated] CloudTrail - signin.amazonaws.com - CheckMfa
- Added logon normalizedAction and mapped success boolean to checkMfa
[Updated] Infoblox NIOS - DNS
- Updated mapping for dns_query to fix dns enrichments
[Updated] JumpCloud IdP Authentication
- Adds logon normalizedAction to mapper
[Updated] Linux OS Syslog - Cron - Session Opened
- Adds mappings for targetUser_username, targetUser_userId, user_userId
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
- Adds "check pass" to event ID pattern
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
- Added description mapping
[Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
- Updated mapper name, and added "sshd-disconnect" to event ID pattern. Adds mappings for srcDevice_ip, description, action.
[Updated] Linux OS Syslog - Process sshd - SSH Session Opened
- Adds mapping for srcDevice_ip
[Updated] Linux OS Syslog - Process sshd - SSH Session Starting
- Adds mappings for srcDevice_ip, srcPort
[Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
- Adds mapping for description
[Updated] PingFederate - Authentication Event
- Added logon normalizedAction to mapper
[Updated] Pulse Secure Custom Parser - AUT24326
- Added logon normalizedAction to mapper
[Updated] Windows - Security - 4648
- Adds logon normalizedAction mapping
[Updated] Okta Authentication - auth_via_AD_agent
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication - auth_via_radius
[Updated] Okta Authentication - sso
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events

Parsers

[Updated] /Parsers/System/Linux/Linux OS Syslog
- Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns.

Schema

[New] repository
- The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts.

August 5, 2024 - Content Release

This content release includes:

A new Cloud SIEM First Seen rule
Consolidation of AWSGuardDuty log mappers
CrowdStrike FDR mapping modifications by adding aid as a value for device_hostname as primary or alternate
Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format
Several new log mappers, parsers, and multiple updated parsers

Release specifics are enumerated below.

Rules

NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
- This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process.

Log Mappers

[Deleted] AWS GuardDuty Alerts from Sumo CIP
[Deleted] AWSGuardDuty_Backdoor
[Deleted] AWSGuardDuty_Behavior
[Deleted] AWSGuardDuty_Catch_All
[Deleted] AWSGuardDuty_CryptoCurrency
[Deleted] AWSGuardDuty_Discovery
[Deleted] AWSGuardDuty_Exfiltration
[Deleted] AWSGuardDuty_PenTest
[Deleted] AWSGuardDuty_Persistence
[Deleted] AWSGuardDuty_Policy
[Deleted] AWSGuardDuty_ResourceConsumption
[Deleted] AWSGuardDuty_Stealth
[Deleted] AWSGuardDuty_Trojan
[Retired] AwsServiceEvent-AWS API Call via CloudTrail
[Deleted] Recon_EC2_PortProbeUnprotectedPort
[Deleted] Recon_EC2_Portscan
[Deleted] Recon_IAMUser
[Deleted] UnauthorizedAccess_EC2_SSHBruteForce
[Deleted] UnauthorizedAccess_EC2_TorClient
[Deleted] UnauthorizedAccess_EC2_TorIPCaller
[Deleted] UnauthorizedAccess_EC2_TorRelay
[Deleted] UnauthorizedAccess_IAMUser
[Updated] AWS GuardDuty Alerts from Sumo CIP
[New] AWS Redshift - ACTIVITY_LOG
[New] AWS Redshift - Authentication Log
[New] AWS Redshift - Connection Log
[New] AWS Redshift - USER_LOG
[New] AWSGuardDuty - Audit Events
[Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
[New] AWSGuardDuty - Reconnaissance and malicious activity detection
[Updated] AWSGuardDuty - Tor Client and Relay
[Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
[Updated] AWSGuardDuty_Catch_All
[New] Forescout CounterACT - NAC Policy Log
[New] PingFederate - Authentication Event
[New] Symantec Endpoint Security - All
[Updated] UnauthorizedAccess_EC2_SSHBruteForce
[New] VMware NSX - Firewall
[Updated] CloudTrail Default Mapping
- Added alternate values for userIdentity.arn, and requestParameters.sourceIdentity applied to user_role. Additional mappings for bytesIn, and bytesOut.
[Updated] CrowdStrike FDR - Catch All
[Updated] CrowdStrike FDR - CriticalFileAccessed
[Updated] CrowdStrike FDR - NetworkConnectIP4
[Updated] CrowdStrike FDR - NetworkConnectIP6
[Updated] CrowdStrike FDR - ProcessRollup2
[Updated] CrowdStrike FDR - SuspiciousDnsRequest
[Updated] PingFederate Event
- Narrowed the lookup scope where success is true.
[Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105
- Updated keys for: user_userId, user_username, commandLine, baseImage, file_path, and severity.

Parsers

[New] /Parsers/System/AWS/AWS Redshift
[Updated] /Parsers/System/Forescout/Forescout CounterACT
- Updated the start time field.
[New] /Parsers/System/Symantec/Symantec Endpoint Security
[New] /Parsers/System/VMware/VMware NSX
[Updated] /Parsers/System/Cisco/Cisco Meraki
- Added support for URLS new format.
[Updated] /Parsers/System/PingIdentity/PingFederate
- Added support of new log format.
[Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
- Dropped the redundant message field.

July 16, 2024 - Content Release

This content release includes rule and parser bug fixes, and parsing and mapping support for new log sources. Changes are enumerated below.

Rules

[Updated] MATCH-S00419 Multiple File Extensions
- Fixed bug in summary expression causing baseImage to appear as null
[Updated] MATCH-S00755 Outlook Form Creation
- Fixed bug in rule expression where baseImage had incorrect case

Log mappers

[New] CrowdStrike Spotlight - Vulnerability
[New] JumpCloud IdP - Catch All
[New] JumpCloud IdP Authentication
[New] Kaspersky Endpoint Security Catch All
[New] Linux OS Syslog - sshd - Command Execution
[New] Linux OS Syslog - sshd - connection

Parsers

[New] /Parsers/System/CrowdStrike/CrowdStrike Spotlight
[New] /Parsers/System/JumpCloud/JumpCloud IdP
[New] /Parsers/System/Kaspersky/Kaspersky Endpoint Security
[Updated] /Parsers/System/Cisco/Cisco ISE
- Bug fix for variation in syslog headers
[Updated] /Parsers/System/Linux/Linux OS Syslog
- Added support for additional variations in SSHD and CRON logs

July 3, 2024 - Content Release

This content release includes new and updated rules, log mappers, and parsers. Details are enumerated below.

Rules

[Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
- Removed leading backslash from like matches

Log Mappers

[New] ApplicationGatewayAccessLog
[New] ApplicationGatewayFirewallLog
[New] Citrix NetScaler - TCP-CONN_TERMINATE
[New] Google G Suite - login - password_change/recovery_info_change
[New] Google G Suite - login-blocked_sender_change
[New] JFrog Artifactory - Access logs
[New] JFrog Artifactory - Login Access logs
[New] JFrog Artifactory - Request Logs
[New] Synergis Genetec - all
[Updated] AWS EKS - Custom Parser
- Keys updated: 'srcDevice_ip', 'http_response_statusCode', 'http_url', 'http_userAgent', 'user_username', 'user_userId', 'action', 'device_k8s_namespace'
[Updated] Abnormal Security Threats
- Keys updated: 'threat_referenceUrl', 'email_subject', 'resource', 'email_sender', 'user_email', 'user_username', 'targetUser_email', 'action', 'threat_identifier', 'user_authDomain', 'srcDevice_ip', 'email_messageId', 'srcDevice_hostname', 'threat_name', 'threat_category', 'timestamp'
[Updated] Cisco ASA 305011-12 JSON
- Keys updated: 'user_authDomain', 'user_username'
[Updated] GitHub JSON
- Keys updated: 'user_username', 'user_role', 'user_userId', 'description', 'http_url', 'device_hostname'
[Updated] SentinelOne Logs - Syslog Custom Parser
- Keys updated: 'srcDevice_osName'

Parsers

[New] /Parsers/System/Atlassian/Atlassian Jira
[New] /Parsers/System/Genetec/Genetec Synergis
[New] /Parsers/System/Github/Github
[New] /Parsers/System/JFrog/JFrog Artifactory
[Updated] /Parsers/System/AWS/AWS EKS
[Updated] /Parsers/System/Abnormal Security/Abnormal Security
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
[Updated] /Parsers/System/Cylance/Cylance Syslog
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Orca Security/Orca Security
[Updated] /Parsers/System/SentinelOne/SentinelOne CEF

May 30, 2024 - Content Release

This content release includes several new and multiple updated log mappers, plus several updated parsers. Details are enumerated below:

Log Mappers

[New] Cisco Meraki Firewall - Custom Parser
- Minor changes in cisco meraki mapper
[New] Jamf Parser - Alert
- Removed wrong field
[New] Jamf Parser - Network
- Removed wrong field
[Updated] AWS GuardDuty Alerts from Sumo CIP
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWS S3 Server Access Log - Custom Parser
- Map bytesIn/bytesOut in AWS CloudTrail Data Events
- Keys updated: bytesIn, bytesOut
[Updated] AWSGuardDuty_Backdoor
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Behavior
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Catch_All
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_CryptoCurrency
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Discovery
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Exfiltration
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_PenTest
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Persistence
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Policy
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_ResourceConsumption
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Stealth
- Added region field in all the events
- Keys updated: cloud_region
[Updated] AWSGuardDuty_Trojan
- Added region field in all the events
- Keys updated: cloud_region
Updated] AwsServiceEvent-AWS API Call via CloudTrail
- Added region field in all the events
- Keys updated: cloud_region
[Updated] BlueCat DHCP Parser - Catch All
- Changed mac address field in mapper
- Keys updated: device_mac, timestamp
[Updated] Code42 Incydr FileEvents C2C
- Mapper adjustments
- Keys updated: event_id_pattern, user_username, file_path, severity, normalizedSeverity, threat_name
[Updated] Recon_EC2_PortProbeUnprotectedPort
- Added region field in all the events
- Keys updated: cloud_region
[Updated] Recon_EC2_Portscan
- Added region field in all the events
- Keys updated: cloud_region
[Updated] Recon_IAMUser
- Added region field in all the events
- Keys updated: cloud_region
[Updated] UnauthorizedAccess_EC2_SSHBruteForce
- Added region field in all the events
- Keys updated: cloud_region
[Updated] UnauthorizedAccess_EC2_TorClient
- Added region field in all the events
- Keys updated: cloud_region
[Updated] UnauthorizedAccess_EC2_TorIPCaller
- Added region field in all the events
- Keys updated: cloud_region
[Updated] UnauthorizedAccess_EC2_TorRelay
- Added region field in all the events
- Keys updated: cloud_region
[Updated] UnauthorizedAccess_IAMUser
- Added region field in all the events
- Keys updated: cloud_region

Parsers

[Updated] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
[Updated] /Parsers/System/Cisco/Cisco Meraki
[Updated] /Parsers/System/Code42/Code42 Incydr
[Updated] /Parsers/System/Jamf/Jamf
[Updated] /Parsers/System/Microsoft/Shared/Syslog Headers Microsoft
[Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers
[Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security

May 30, 2024 - Application Update

Minor Changes and Enhancements

[New] To help facilitate investigations and audits, a list of the sourceMessageIds for each of the records that contributed to a Threshold, Chain, or Aggregation Signal are now included in that Signal's record in the sec_signal index, in the new aggregatedMessageIds field.

Bug Fixes

The Community view on the MITRE ATT&CK® Threat Coverage Explorer was not filtering by default properly.

May 23, 2024 - Content Release

This release includes new Cloud SIEM detection rules, and updates to existing rules to correct summary and description expressions. All changes are enumerated below.

Rules

[New] FIRST-S00061 First Seen USB device in use on Windows host
- This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. If the device name is unexpected and not authorized to be used in the environment, investigate the alert further and look for file creation events to the drive in question. The fields["EventData.DeviceDescription"] field contains the device name.
[New] FIRST-S00059 First Seen esentutl command From User
- Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. Esentutl can also be utilized to download files from a remote share or URL. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance.
[New] FIRST-S00058 First Seen vssadmin command From User
- Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. If this activity is performed as part of normal system maintenance, the rule can be tuned to exclude these groups of users.
[New] FIRST-S00060 First Seen wbadmin command From User
- Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance.
[New] MATCH-S00908 Okta - MFA Request Denied by User
- This signal will trigger when a user denies an MFA request within the Okta authenticator application. Examine other authentication attempts for this particular user, and undertake confirmation efforts to ensure that this activity is expected and valid.
[New] MATCH-S00907 Okta - Policy Rule Added
- This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. Check the Okta administrator portal for more details regarding the application in question such as scopes and access levels. The field fields["target.1.alternateId"] contains the name of the application that was created
[New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint
- This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta users API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. A full list of functionality for this endpoint can be found in the Okta documentation here. The \u201cSuccess\u201d field will indicate whether this API request was successful or not, and the \u201cDescription\u201d field will contain the event that was generated by the API request. Both failed and successful requests should be investigated. Ensure that this request was performed for legitimate purposes such as developer workflows or other automation mechanisms. Consider adding a match list exclusion with authorized accounts who perform requests to this Okta API endpoint via programmatic methods if this signal is triggering false positives.
[New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method
- This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. Investigation of the host is recommended to identify the behavior leading to and around the execution of this PowerShell process.
[New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution
- Detects the use of PowerShell for Application Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. Investigation into the host and user to identify the process executing the PowerShell function. See here for reference.
[New] MATCH-S00918 Suspicious cat of PAM common-password policy
- The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. The common-password file defines behavior of password use in Linux subsystems. This detection looks for use of cat to display the contents of the common-password file, which should not be a common occurrence on systems. It is recommended to investigate the host upon which this detection occurs to understand the exposure of the password policies for the system.
[New] MATCH-S00919 chage command use on host
- The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user's password or account is due to expire. It is recommended to investigate the system and account the command has been executed on, to assess the intent of this execution. Additionally, looking at the command line and parent process is helpful in identifying valid automated processes executing this command that would benefit from tuning out via Rule Tuning.
[Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
[Updated] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User
[Updated] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address
[Updated] FIRST-S00032 First Seen Kubectl Command From User
[Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
[Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP
[Updated] MATCH-S00906 Okta - Application Created
[Updated] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
[Updated] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
[Updated] MATCH-S00865 Potential Docker Escape via Command Line
[Updated] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
[Updated] MATCH-S00883 macOS - Keychain Enumeration

May 15, 2024 - Content Release

This content release includes an updated log mapper, and two updated parsers. Details are enumerated below.

Additionally, MATCH-S00408 has been decommissioned because it was not functioning as intended.

Rules

[Deleted] MATCH-S00408 Fake Windows Processes

Log Mappers

[Updated] SentinelOne Logs - C2C threats

Parsers

[Updated] /Parsers/System/Dell/Dell SonicWall
[Updated] /Parsers/System/Okta/Okta

May 15, 2024 - Application Update

Rule-Based Signal Suppression

We've added an advanced rule feature that allows users to override the global signal suppression period. This is most useful for individual rules that require much shorter (or no) suppression, such as rules that pass alerts through from external data sources such as endpoint detection systems.

This setting can be accessed from the rule details page:

The setting is in the "Show Advanced" section. You can specify a suppression period for the rule between 0 and 168 hours (if you set it to 0, suppression is completely disabled for the rule).

Minor Changes and Enhancements

Users can now view the MITRE ATT&CK® Threat Coverage Explorer with only the View Rules permission; previously users had to have the Manage Rules permission to access the Explorer.

Bug Fixes

Some system events that automatically occur after an Insight is created (such as enrichment, automation service calls, and so on) were not consistently executing.
Some system events that automatically occur just before rule processing (such as adding Geo IP and ASN data, checking match lists, and so on) were not consistently executing.
Users were unable to duplicate rules due to an internal error.

May 2, 2024 - Content Release

This content release includes seventeen new rules and two updated rules. Details are enumerated below.

Rules

[NEW] MATCH-S00896 Azure Authentication Policy Change
[NEW] MATCH-S00895 NinjaCopy Usage Detected
[NEW] MATCH-S00906 Okta - Application Created
[NEW] MATCH-S00903 Okta - Device Added To User
[NEW] MATCH-S00904 Okta - Device Removed From User
[NEW] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon
[NEW] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
[NEW] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
[NEW] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
[NEW] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded
[NEW] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration
[NEW] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded
[NEW] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded
[NEW] MATCH-S00706 Registry Modification - Time Providers
[NEW] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load
[NEW] MATCH-S00899 Suspicious Active Directory Certificate Modification
[NEW] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent
[Updated] MATCH-S00706 Registry Modification - Time Providers
- Improved logic expression
[Updated] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load
- Clarified Summary

April 11, 2024 - Application Update

MITRE ATT&CK® Coverage Enhancements

We're excited to announce multiple enhancements to our MITRE ATT&CK Threat Coverage Explorer.

Rules Filtering - You can now easily filter the coverage visualization based on rules, including out-of-the-box and user-created rules, as well as enabled, disabled, production and prototype rules.
All Community Activity - This view now defaults to show only the vendor and product logs that are being sent to Cloud SIEM from your data sources. This gives you a better comparison between what your theoretical and historical coverage shows and what other customers of Cloud SIEM using those same log sources are seeing. You can still change the filter to display other (or all) log sources.
Customizable Colors - You can now customize the tile colors to your own scheme.

For full details, see the MITRE ATT&CK Coverage documentation.

New UI Themes for Cloud SIEM

We are also excited to announce that Cloud SIEM now supports two different UI themes: the default "dark" theme, and a new "light" theme:

The theme is set per user, and can be changed on the Sumo Logic user preferences page:

Note that the setting currently only affects Cloud SIEM and the Automation Service, but in the future this setting will also affect other pages in the Sumo Logic UI.

Bug fixes

Terraform no longer times out while waiting for match lists to be updated.

April 5, 2024 - Content Release

This content release includes a corrective update to a match rule summary expression and a log mapping bug fix. Changes are enumerated below.

Rules
- [Updated] MATCH-S00137 Office Application or Browser Launching Shell
  - Fix typo in summary expression key
  - Keys updated: summary_expression, normalized_summary
Log Mappers
- [Updated] Microsoft Office 365 Active Directory Authentication Events
  - Office_365 Mapping Correction
  - Keys updated: user_userId

March 28, 2024 - Content Release

This content release includes updated log mappers for Windows Sysmon as enumerated below.

Log Mappers

[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9

March 22, 2024 - Application Update

Minor changes and enhancements

Two enhancements have been implemented for the MITRE ATT&CK® Threat Coverage Explorer:
- The current tactic, technique and sub-technique metrics for the (default) Theoretical and Historical views are now written to the sumologic_system_events audit logs daily. This data can be used in dashboards to track coverage and events over time.
- It is now possible, using the /mitre-attack/json endpoint, to extract the MITRE Explorer-formatted JSON via API. (This works the same as the Export button in the UI.)
On the Insight details page, on the Entities tab, the default view is now the Graph view instead of the List view.
Threat reputation icons/labels are now visible in a number of additional places throughout the UI. These can be set via enrichment.

Bug fixes

In some cases, events that are supposed to occur automatically after an Insight is opened were not executing, or were severely delayed.
If an Insight comment included a long URL, text wrapping was not behaving correctly and some text was being clipped from view. Also, newline characters were not always being honored properly in comments.

March 21, 2024 - Content Release

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules

[Updated] MATCH-S00610 PSExec Named Pipe Created by Non-PsExec Process
- Expression Key updated
[Updated] MATCH-S00159 Windows - Permissions Group Discovery
- Removed FirstSeen language in the match rule

Log Mappers

[New] Cato Networks Security Events - Catch All
[New] Windows - Security - 5156
[Updated] 1Password Item Audit Actions
- Updated event id pattern
[Updated] 1Password Item Usage Actions
- Updated event id pattern
[Updated] Azure Application Service Console Logs
- Azure Custom Parser Normalized Severity key update
[Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
- Azure Custom Parser Normalized Severity key update
[Updated] Azure Risky Users
- Azure Custom Parser Normalized Severity key update
[Updated] Azure User Risk Events
- Azure Custom Parser Normalized Severity key update
[Updated] Microsoft Defender for Cloud - Security Alerts
- Azure Custom Parser Normalized Severity key update
[Updated] Okta Authentication - sso
- Application key updated

March 11, 2024 - Content Release

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules

[Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
- Updated rule expression to reduce false positivity.
[Updated] FIRST-S00044 First Seen AppID Generating MailIItemsAccessed Event
- Updated Severity from 4 to 1.
[Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
- Fixed description and summary transposition and lowered severity from 3 to 1.

Log Mappers

Added userAgent mapping to Okta.

[New] Kaltura Audits
[Updated] Okta Authentication - auth_via_mfa
[Updated] Okta Authentication Events
[Updated] Okta Catch All

Parsers

[New] /Parsers/System/Kaltura/Kaltura

February 23, 2024 - Content Release

This content release includes modifications and additions to Citrix Cloud C2C to handle additional event types and bring existing event mapping into line with new events, support for Code42 Incydr via C2C, Abnormal Security via C2C, and JumpCloud Directory Insights via C2C.

Log Mappers

[Deleted] Citrix Cloud Client
- This mapping is replaced by new mappers for Citrix Cloud below
[New] Abnormal Security Threats
[New] Citrix Cloud Operation Logs
[New] Citrix Cloud System Logs
[New] Code42 Incydr Alerts C2C
[New] Code42 Incydr Audits C2C
[New] Code42 Incydr FileEvents C2C
[New] JumpCloud Directory Insights - Admin Logon
[New] JumpCloud Directory Insights - Catch All

Parsers

[New] /Parsers/System/Abnormal Security/Abnormal Security
[New] /Parsers/System/Code42/Code42 Incydr
[New] /Parsers/System/JumpCloud/JumpCloud Directory Insights
[Updated] /Parsers/System/Citrix/Citrix Cloud C2C

February 19, 2024 - Content Release

This release includes new log mapping and parsing content for Druva Cyber Resilience:

Log Mappers

[New] Druva Cyber Resilience - Admin Logon
[New] Druva Cyber Resilience - Catch All

Parsers

[New] /Parsers/System/Druva/Druva Cyber Resilience

Bug Fixes

Recently, two rules, FIRST-S00052 and FIRST-S00049, were released to customers erroneously. Soon after, these rules started generating false positive Signals and Insights. We have removed those rules from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights.

February 19, 2024 - Application Update

Minor changes and enhancements

[New] Continuing our work to better align the Cloud SIEM UI pages with Log Analytics UI pages to improve usability and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated.
[New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged).
[New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied.
[Updated] The Object Type attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed.
[New] A user-editable Description field has been added to Rule Tuning Expressions.

Bug fixes

Sorting by value was not working properly on the Entities list page.
Sometimes, if the target value was left blank (default), domain normalization would append a colon to the resulting value.
Customers were experiencing rate limiting with VirusTotal due to a change to their API and constant retries due to resultant errors in Cloud SIEM. This has been resolved, as has an issue with enrichments for file hashes.
Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly).
The MITRE ATT&CK® stage attribute was missing from some Signals in the audit logs.
Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration.
On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible.
The reputation indicator on the Entity Details page was being rendered, then hidden.

February 13, 2024 - Content Release

This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below.

Log Mappers

[New] Trellix mVision ePO Threats
[New] Zero Networks Segment Audit Activity
[New] Zero Networks Segment Network Activity
[Updated] AzureActivityLog 01
- Remapped Application from properties.clientAppUsed to properties.appDisplayName for consistency

Parsers

[New] /Parsers/System/Trellix/Trellix MVision EPO
[New] /Parsers/System/Zero Networks/Zero Networks Segment

February 2, 2024 - Content Release

This release includes minor mapping adjustments to Duo and MS Graph Identify Protection Risk logs. Specific changes are enumerated below.

Log Mappers

[Updated] Duo Security Admin API - Audit
- Added mappings for source host and source IP
[Updated] Duo Security Admin API - Authentication
- Added mappings for source host and source IP
[Updated] Duo Security Admin API - Non-User Audit Changes
- Added mappings for source host and source IP
[Updated] Duo Security Admin API - Targeted User Audit Changes
- Added mappings for source host and source IP
[Updated] Microsoft Graph Identity Protection API C2C - riskDetections
- Added principal as primary user_username key
[Updated] Microsoft Graph Identity Protection API C2C - riskyUsers
- Added principal as primary user_username key

tip

For all the up-to-date Cloud SIEM content, see the Cloud SIEM Content Catalog.

January 30, 2024 - Content Release

This content release includes updates to log mappers for Zeek fixing several bugs that were preventing fields from mapping properly.

Log Mappers

[Updated] Zeek DNS Activity
[Updated] Zeek HTTP Activity
[Updated] Zeek conn Activity

tip

For all the up-to-date Cloud SIEM content, see the Cloud SIEM Content Catalog.

January 12, 2024 - Content Release

This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&K® tactic and technique tags.

Rules

[Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
- Updated name expression to reduce insight false positivity
[Updated] MATCH-S00686 Base64 Decode in Command Line
[Updated] MATCH-S00373 BlueMashroom DLL Load
[Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
[Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
[Updated] FIRST-S00013 First Seen Driver Load - Global
[Updated] FIRST-S00014 First Seen Driver Load - Host
[Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
[Updated] MATCH-S00705 Registry Modification - Authentication Package
[Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
[Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
[Updated] MATCH-S00279 TAIDOOR RAT DLL Load
[Updated] MATCH-S00379 WMIExec VBS Script
[Updated] MATCH-S00570 WMIPRVSE Spawning Process
- Corrected expression to exclude OS SID from user_userId; prior expression was incorrectly referencing SubjectLogonID
[Updated] MATCH-S00724 Windows Update Agent DLL Changed
[Updated] MATCH-S00435 XSL Script Processing

Log Mappers

[New] 1Password Item Audit Actions
[New] 1Password Item Usage Actions
[New] Zeek DNS Activity
[New] Zeek HTTP Activity
[New] Zeek conn Activity

Parsers

[New] /Parsers/System/1Password/1Password
[New] /Parsers/System/1PasswordC2C/1PasswordC2C
[New] /Parsers/System/Zeek/Zeek

Schema

[New] metadata_sourceBlockId
- The _blockId of the original source log message (from Sumo Logic)

2023 Release Notes Archive - Cloud SIEM

Sun, 31 Dec 2023 00:00:00 GMT

This is an archive of 2023 Cloud SIEM release notes. To view the full archive, click here. Release notes are available on our website for a rolling multi-year period. For information about older releases, contact Support.

December 14, 2023 - Application Update

Minor changes and enhancements

[New] A new attribute section has been added to Signal and Insight details returned by the API endpoints GET /signals/{id} and GET /insights/{id}. The section will include the log search string (along with start and end times) that you can use to retrieve the queried records for a given Signal. The stanza looks like this:
```
"recordSearchDetails": {
  "query": "{string}",
  "queryStartTime": "{timestamp}",
  "queryEndTime": "{timestamp}"
},
```

Bug fixes

Some users were seeing duplicate schema tags (with an extra "s" at the end) in the UI.
In some scenarios, the UI would react slowly when users attempted to enter comments for Insights.
The UI was not properly enforcing the 100 character limit for rule names (and instead displaying an unknown error if the user attempted to set a rule name that was too long).

December 6, 2023 - Application Update

Automation Service Enhancements

The Automation Service has been updated to include several new enhancements:

Containment action types are now supported. Typically, these actions will perform some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall. Many integrations in App Central now include containment actions.
User Choice nodes (and manual steps) are now supported. When executing a playbook if a user choice node is encountered, the execution will pause until a user selects an option. For example, after enrichment, a user could be asked whether to proceed with a containment action or to perform additional enrichment first. When a playbook is paused at a user choice node, the status of that playbook will say Waiting user interaction.
In the initial release of the Automation Service, playbooks would not appear in the Create New Automation Cloud SIEM dialog unless they defined as type CSE. This restriction has been lifted; all playbooks will now appear in the dropdown.

For full details, see the Automation Service documentation.

Minor Changes and Enhancements

[New] Entity Groups now support second-level unnormalized attributes (fields..).
[New] Log Mappings can now be enabled or disabled via API using the PUT /log-mappings/{*id*}/enabled endpoint.
[New] The Record Count field on Sumo Logic-provided Chain Rules can now be overridden (like other Rule fields).

Bug Fixes

Users were unable to manually change the Criticality assigned to an Entity.
Users were getting a 500 error when attempting to duplicate a rule.

Rule Expression Validation

When writing Rules and Rule Tuning Expressions, it's possible to write an expression that is syntactically correct (and passes validation) but that will still fail when executed. There are two specific cases we have identified:

Using a non-normalized field that does not exist in the log records (schema fields will always exist)
Introducing a type mismatch (that is, matching a string to an integer value)

If you test a Rule (from the Rules Details page), an error will be displayed in these cases, but the error is not obvious and not clear, and the normal editor validation does not catch these kinds of errors.

In addition, while the Cloud SIEM Rules engine does not generate runtime errors in these cases (there just isn't a match), the Log Search engine does generate errors and refuses to return any results in these cases.

A few weeks ago, we made a change to Signal and Insight detail pages, where for multi-signal Rules (such as Chain Rules), where we would attach a subset of rules on the details page and the user would have to go to the Queried Records tab to view any other potentially related records, we combined those views and began showing both the attached and queried records on the main page. Unfortunately, the way the new design worked, no records were displayed if the queried record log search failed.

As a result of these issues, we have made two changes:

On the Rules Details page, if the test (a log search) returns an error, instead of saying "No Records Found," the screen will say, "Check the Rule/Tuning Expressions."
On the Signal and Insight Details pages, all attached record(s) will be displayed even if the log search query cannot be completed.

Note that fixing the rule expression(s) will not fix any Signals or Insights that have already been generated; you will have to use the View in Log Search feature and manually fix the log search string to see the log records.

Other tips:

A malformed tuning expression will affect any rule that it is associated with, whether provided by Sumo Logic or custom-written.
We highly recommend using only schema fields in your rule and tuning expressions.
- Sumo Logic's parsers and mappers are updated weekly, so please contact Support if you need to add a mapping from the raw log format to the normalized schema.
- Sumo Logic's schema is extensible, so please contact Support if there's a field you'd like to add.
- Links from the legend for the new Insights by Status panel on the HUD were not enabled properly.

November 13, 2023 - Content Release

This release includes the changes and enhancement enumerated below:

Rules

[New] MATCH-S00894 HAR file creation observed on host
- HAR files contain session telemetry and network traffic. These file types are typically generated using the "developer tools" options on modern browsers like Chrome, Edge, or Firefox. These files may contain various sensitive data such as session keys, tokens, or cookies which may be extracted by a threat actor in order to access systems which the keys, tokens, or cookies in the HAR files have access to. Ensure that this operation is expected and ensure to sanitize the HAR file of any sensitive credential material.

Log Mappers

[Updated] Microsoft Office 365 Exchange Mailbox Audit Events
- Maps client field to resource.

Parsers

[Updated] /Parsers/System/Microsoft/Office 365
- Enhanced user agent parsing.
[Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry
- Adds support for forthcoming format change and fixes event ID formulation breaking mapping.

November 2, 2023 - Content Release

This content release includes new out-of-the-box parsing and mapping support for Claroty xDome in CEF. Additionally, parser templates were updated to remove extraneous commenting in uncommented parser templates.

Log Mappers

[New] (Claroty xDome) Alert
[New] (Claroty xDome) Communications Events
[New] (Claroty xDome) Vulnerability

Parsers

[New] /Parsers/System/Claroty/Claroty xDome CEF
[Updated] /Parsers/System/Parser Templates/CEF Template Commented
[Updated] /Parsers/System/Parser Templates/JSON Template
[Updated] /Parsers/System/Parser Templates/Key Value Pair Template
[Updated] /Parsers/System/Parser Templates/Unstructured Template Commented
[Updated] /Parsers/System/Parser Templates/Windows XML Template
[Updated] /Parsers/System/Parser Templates/XML Template

November 1, 2023 - Application Update

Multi-Record Signal Changes

To improve the usability of the Signals user interface, we've changed the way that records are displayed on Signals generated by multi-record (Threshold, Chain, and Aggregation) Rules. Instead of attaching a sample set of records to the Signal and then providing a Queried Record tab to manually search for additional records, all records that were part of the Signal will be displayed in the UI. (As a result, the Queried Records tab has been removed from the UI.)

Behind the scenes, we will attach the first record directly to the Signal (in the API and sec_signal index, this is listed in the allRecords section). In the UI, the other records will be gathered via an automatic background log search. (In the API and shortly in the sec_signal index, any involved Entities - up to a maximum of 100 - will be included in a new involvedEntities section.)

In addition, the number of attached records has been removed from the Signals list view, since it will now always be 1.

This change will also bring an enhancement for Outlier Rule Signals. Previously those Signals would only show a single record, but with this change they will also show all related records as well.

This change has no effect on the Rules themselves; they will continue to operate as before.

Automation Service Audit Logging

The Automation Service has been updated to include support for Audit Logging. Events like updates to integrations and playbook execution will now be automatically logged to the standard Sumo Logic Audit Logging indices.

For full details, see the Cloud SOAR documentation (the Automation Service will log a subset of those events).

Bug Fixes

In some cases, Insights would appear to be open after they had been closed/resolved.

October 26, 2023 - Content Release

This content release includes templates for creating Cloud SIEM parsers. There are two versions of each, one with comments that explain the purpose of each parser component, and “clean” versions that you can use to start quickly creating custom parsers. Further documentation on using these parsers will be available on Sumo Logic Docs in the coming weeks. Other changes in this release are enumerated below.

Rules

[New] FIRST-S00047 First Seen ASN Associated with User for a Successful Azure AD Sign In Event
- This rule will trigger when a new ASN value is associated with a successful Entra ID sign-in event for a particular username since the baseline period. This may be suspicious activity as a user's IP address may change periodically, but typically users authenticate from a set of ASNs (one ASN value for their home network, another ASN value for their mobile device). A sign in with a new ASN not seen since the baseline period could be indicative of credential theft. Look at other events occurring for the user in question for the same time period to ascertain whether access was malicious or benign.
[New] FIRST-S00048 First Seen Azure Device Code Authentication from User
- Azure Device Code authentication can be utilized in phishing attacks. This specific rule looks for a user performing device code authentication to an Azure resource for the first time since the baseline period. If this action is not expected, it could be a sign of malicious activity. Examine the event for odd user agent values and look at what other actions the affected account is performing within the Azure estate.
[Updated] MATCH-S00891 Azure OAUTH Application Consent from User
- Fixed mismatched description and summary fields
[Updated] MATCH-S00832 Office 365 Inbox Rule Updated
- Added fix to exclude blank or null rules

Parsers

[New] /Parsers/System/Parser Templates/CEF Template
[New] /Parsers/System/Parser Templates/CEF Template Commented
[New] /Parsers/System/Parser Templates/CSV Template
[New] /Parsers/System/Parser Templates/CSV Template Commented
[New] /Parsers/System/Parser Templates/JSON Template
[New] /Parsers/System/Parser Templates/JSON Template Commented
[New] /Parsers/System/Parser Templates/Key Value Pair Template
[New] /Parsers/System/Parser Templates/Key Value Pair Template Commented
[New] /Parsers/System/Parser Templates/LEEF Template
[New] /Parsers/System/Parser Templates/LEEF Template Commented
[New] /Parsers/System/Parser Templates/Unstructured Template
[New] /Parsers/System/Parser Templates/Unstructured Template Commented
[New] /Parsers/System/Parser Templates/Windows XML Template
[New] /Parsers/System/Parser Templates/Windows XML Template Commented
[New] /Parsers/System/Parser Templates/XML Template
[New] /Parsers/System/Parser Templates/XML Template Commented

October 26, 2023 - Application Update

Enhanced Support for Custom Insight Statuses

Sumo Logic is pleased to announce two enhancements to Cloud SIEM related to custom Insight statuses.

First, the In Progress status can now be disabled (not deleted). Many customers create multiple statuses that all represent an "In Progress" state, so this option can help reduce confusion in those cases.

Second, while Cloud SIEM has long supported custom Insight statuses, Insights in any custom status have been reported together (as one group on the HUD or using the same color in other instances). To improve this experience, custom statuses can now be assigned a unique color:

This color will be used wherever an Insight is displayed with that status (such as in the Insight list and board views). For existing custom statuses, the color will remain white (as it has been) until the configuration is changed.

The HUD has been updated as well; for example, the Insights by Status widget has been updated to properly display each status instead of grouping custom statuses together:

A corresponding attribute (color) has also been added to the custom status API.

Minor Changes and Enhancements

[New] Searches in Cloud SIEM (from the top menu bar) are now case-insensitive.
[New] Custom match list columns now support unnormalized attributes (like fields.foo)
[New] The records search page in Cloud SIEM now includes a link to view the equivalent search in the Log Analytics Platform log search page.
[Updated] When a comment is added to an Insight by an Action from the Automation Service, it will be attributed to a system user called "Automation Service".

Bug Fixes

The Insight data forwarded to the Automation Service did not include the full set of attributes for attached Signals.
Some hostnames in CrowdStrike FDR inventory sources were not getting normalized properly.
Entity Groups were being applied to the wrong Entity types.
Duplicate audit log entries for Insights were being created. (Note that while this has been resolved, the duplicate entries have not been removed from customer audit logs.)
When entering closing an Insight, users can enter comments and the UI will suggest content based on comment history. These suggestions were broken and have been reset.
When configuring Entity Groups, the UI was not allowing users to specify unnormalized inventory attributes (like fields.foo).

October 18, 2023 - Application Update

Legacy Signal Forwarding Deprecation

Since July 2022, Signals generated by Cloud SIEM are automatically saved in a standardized sec_signal index. This special partition is similar to the existing sec_record indices in that, unlike data retained using the legacy Signal Forwarding feature, it is stored in a format that supports keyword search, nested attributes, and other standard log search features.

The new index is automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.

As a result, the optional legacy Signal Forwarding feature in Cloud SIEM will be deprecated on November 15, 2023. Existing data will not be deleted, but new Signals generated after that date will no longer be forwarded using that feature and the option will no longer be available. (Signals will continue to be forwarded automatically to sec_signal.) Customers leveraging data forwarded using the legacy feature to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before then. Note that the content of the sec_signal index is not identical to the content in data forwarded using the legacy option.

October 11, 2023 - Content Release

This content release contains rules mostly pertaining to Microsoft Azure OAUTH Application Registration, NSG, and Key Vault services. Pertinent to CVE-2023-38545 and CVE-2023-38546, this release also includes a new rule (FIRST-S00040 described below) to aid in detecting unusual cURL tool usage by a user as it may pertain to exploitation of these vulnerabilities.

Rules

[New] MATCH-S00891 Azure OAUTH Application Consent from User
- A user has consented to application permissions.
[New] CHAIN-S00017 Change of Azure MFA Method followed by Risky SignIn
- This alert looks for an Azure MFA authentication method change, followed by a risky sign in detected by Azure within a six hour time period for the same user account.
[New] FIRST-S00044 First Seen AppID Generating MailIItemsAccessed Event from User
- This alert looks at a first seen application ID accessing an Office 365/Exchange mail box item. The MailItemsAccessed may not always be enabled within an Entra/Azure/Office 365 tenant and is dependent on Microsoft licensing requirements. See the following guide from CISA for additional information on this event type and investigation steps: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.
[New] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User
- This alert looks at a First Seen client accessing an Office 365/Exchange mail box item. The MailItemsAccessed may not always be enabled within an Entra/Azure/Office 365 tenant and is dependent on Microsoft licensing requirements. See the following guide from CISA for additional information on this event type and investigation steps: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.
[New] FIRST-S00040 First Seen cURL execution from User
- First Seen execution of cURL by a user from a device. The cURL tool is designed to retrieve files using various internet protocols in a programmatic manner; it is often abused by threat actors to download various files as part of broader executions. If this usage of cURL comes from an unexpected user, it is recommended that the command line value be reviewed and the URL which was used as part of cURL command be investigated.
[New] MATCH-S00888 Microsoft Teams External Access Enabled
- Microsoft Teams External Access has been enabled; this setting allows any users that are external to your Teams/Office organization to message users that are within your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. Microsoft Teams provides administrators the ability to allow only specific external domains to message users within the organization. Look for Office 365 events with the MessageSent or MemberAdded event names in order to gain more detail as to what users were invited to which Teams channels, if any.
[New] MATCH-S00889 Microsoft Teams Guest Access Enabled
- Microsoft Teams Guest Access has been enabled globally; this setting allows any users that are external to your Teams/Office organization to be invited into your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. MIcrosoft Teams provides administrators the ability to allow only specific guest actions to take place within the Teams/Office organization.
[New] MATCH-S00890 Owner Added to Azure Service Principal
- An owner was added to an Azure service principal. Threat actors may add owners to Azure service principals for privilege escalation or persistence avenues. Ensure this action is expected and approved.
[New] MATCH-S00893 Secret Added to Azure Service Principal
- Secrets can be added to Azure Service Principals as a persistence mechanism. The properties.targetResources.1.modifiedProperties.1.newValue field will have details regarding the secret or certificate added.
[New] MATCH-S00892 Value Added to Azure NSG Group
- This alert looks for a value being added to an Azure Network Security Group (NSG) successfully. Depending on the environment, other Azure services such as Azure Firewall may provide egress and ingress controls. Ensure this activity is authorized and expected. The raw data for the event contains the exact values being modified.

October 2, 2023 - Application Update

MITRE ATT&CK® Threat Coverage Explorer

We are excited to announce a new feature in Cloud SIEM, the MITRE ATT&CK® Threat Coverage Explorer. This interactive tool gives you the ability to see how Rules, Signals, and log sources map to adversary actions using the MITRE ATT&CK® Matrix for Enterprise.

The MITRE Explorer can be used to identify gaps in coverage and understand the impact of specific log sources and Rules to the overall threat coverage and value of Cloud SIEM.

The tool can be accessed in the Content Menu. It supports three different views:

Recent Activity - Your environment's actual coverage (Rules that generated Signals) over the past six months
All Community Activity - All Cloud SIEM customers' anonymized and aggregated coverage over the past six months.
Theoretical Coverage - Potential coverage if all rules are enabled and all log sources are connected.

The MITRE Explorer uses the built-in MITRE tactic, technique, and sub-technique tags to track coverage, so if custom Rules are tagged appropriately, they will also be included.

Clicking on a technique will open a detailed view which describes the technique (and any included sub-techniques) and lists the Rules and Signals that match.

The view is filterable by tactic, technique, and sub-technique, as well as log source and coverage level. There are multiple view options so the display can be customized, and the data can be exported in MITRE's JSON format so it can be combined with data from other tools to view your total coverage. There is also an API to retrieve coverage data and the JSON content.

For more details on how to use the MITRE Explorer, check out the online documentation.

Minor Changes and Enhancements

[New] When viewing Insight details, users can now select multiple Signals and remove them from the Insight with a single click.
[New] When viewing Entity inventory data, unnormalized fields with millisecond-based timestamps are now automatically converted to human-readable format when possible.
[New] Tag schemas and context actions can now be managed via Terraform. See the API documentation for details.

Bug Fixes

The ability to add items to a Match List via Terraform was not working properly.
Timestamps on the Entity Timeline were using different time zones.
A UI error was preventing users from overriding some fields on First Seen and Outlier Rules.

September 22, 2023 - Content Release

This content release includes new parsing, mapping, and passthrough rule support for Qualys Vulnerability Data as well as changes enumerated below.

Rules

[New] MATCH-S00887 Port Forwarding Enabled via Visual Studio Code
- A local port has been forwarded and made available for external connectivity utilizing the Visual Studio Code port forwarding feature

Log Mappers

[New] Qualys Vulnerability Data
[Updated] Windows - Security - 4886
- Adds alternate fields for user_username and device_hostname
[Updated] Windows - Security - 4887
- Adds alternate fields for user_username and device_hostname

Parsers

[New] /Parsers/System/Qualys/Qualys Vulnerability Data

September 21, 2023 - Application Update

Entity Groups Inventory Enhancements

We are happy to announce some important enhancements to the Entity Group feature in Cloud SIEM.

With this release, Entity Groups can now use any attribute available in your inventory data - including non-normalized attributes. (Previously, only the group attribute was available.) Non-normalized attributes can be used by adding the fields. prefix.

In addition, the release introduces the ability to auto-set schema tag values on matching Entities based on the value of a given inventory attribute. In this example, any user Entity that has a value for location in inventory data will have that value set in a tag (such as Location:Austin).

When using dynamic schema tags, you can still set static tags, criticality, and suppression state.

These two enhancements will reduce the number of Entity Groups needed to properly configure your Entities automatically and will automate a more complete and accurate set of Entity attributes, improving Rule and Analyst efficiency.

There much more information about Entity Groups and these enhancements in the online documentation.

Bug Fixes

Multiple entries were being added to the audit log when some Insights were created.
Some Insights were not getting enriched with VirusTotal using the direct integration.
Time-to-live was temporarily considered a mandatory attribute for match lists.

September 11, 2023 - Application Update

Automation Service

Sumo Logic is excited to announce that the Automation Service for Cloud SIEM is now generally available for all Cloud SIEM customers. The Automation Service uses Cloud SOAR capabilities -- without needing Cloud SOAR itself -- to allow you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in Cloud SIEM, helping you to quickly investigate, understand, and react to potential security threats.

You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that could include parallel actions and logic steps. Actions are defined as part of integrations with specific internal and external applications. Sumo Logic provides hundreds of integrations, actions, and playbooks out of the box that you can use and customize. You can also create your own.

Automations are accessible through the Configuration menu, under Integrations. Automation results are accessible from Insight and Entity detail pages.

The Automation Service does not include the full capabilities of Cloud SOAR. For example, the Automation Service only supports enrichment, nofification, and custom action types, and Automation Service playbooks can only be triggered from Cloud SIEM. There is also a limit to the number of actions you can run per hour. However, if you do have Cloud SOAR, then once you have upgraded to the Fall 2023 release of Cloud SOAR (currently in Beta), Cloud SIEM will use it to run automations instead of the Automation Service, giving Cloud SIEM access to the full capabilities of Cloud SOAR.

Over time, the legacy Insight Actions and Cloud SIEM Enrichment Service features will be deprecated in favor of this new service. (The new service includes integrations and actions corresponding to the legacy Insight Actions and can run existing Enrichment Service PowerShell scripts. The online documentation has more information about migrating.) Note that the Automation Service is not yet available in the FedRAMP environment.

There is much more information about the Automation Service and how to use it in the online documentation.

Minor Changes and Enhancements

[New] Tag schemas and context actions can now be managed via API (/tag-schemas and /context-actions). See the API documentation for details.
[Updated] Threat indicator icons will now appear where appropriate in the Active Entities panel on the HUD.

Bug Fixes

Some records were not being auto-enriched with Network Block data.
Some internal IP addresses were being marked as external.
The HUD was not updating Insight status counts in a timely fashion.
Window size was not saving correctly when defining a new Outlier rule.

September 7, 2023 - Content Release

This release includes new detections for macOS systems and mapping support for Dataminr Alerts. It also includes fixes aimed to reduce false positivity and correct the transposition of description and summary on several rules. Other changes are enumerated below.

Rules

[New] CHAIN-S00016 macOS - Suspicious Osascript Execution and Network Activity
[New]* FIRST-S00039 First Seen mdfind Usage from User
[New]* FIRST-S00041 First Seen networksetup Usage from User
[New]* FIRST-S00042 First Seen Ioreg Usage from User
[New]* FIRST-S00043 First Seen pbpaste Usage from User
[New] MATCH-S00878 macOS - Suspicious Osascript Parent Execution
[New] MATCH-S00879 macOS - Suspicious Osascript Execution
[New] MATCH-S00880 macOS - Entitlement Enumeration via Xattr
[New]* MATCH-S00881 macOS - csrutil status Usage Detected
[New] MATCH-S00882 macOS - System Preference Enumeration via Security Binary
[New] MATCH-S00883 macOS - Keychain Enumeration
[New] MATCH-S00884 macOS - Suspicious Python PIP Execution
[New] MATCH-S00885 macOS - Screen Sharing Session Established
[New]* MATCH-S00886 Suspicious chmod Execution

* These rules were originally released September 1, but have been updated in this release.

Log Mappers

[New] Dataminr Alerts
[Updated] Squid Proxy - Parser
- Updated mapper to take advantage of additional parsed data (see parser updates)

Parsers

[Updated] /Parsers/System/Squid/Squid Proxy Syslog
- Updated parser to extract port and protocol information from URL when present

August 22, 2023 - Content Release

This release contains updates to MITRE tags used in several rules that have been deprecated, removed, or were otherwise invalid. Other changes are enumerated below.

Rules

[New] MATCH-S00886 Suspicious chmod Execution
- This alert looks for a "chmod" execution on a file that is found on the /tmp directory of a Linux or macOS host. Threat actors may download and copy files to this directory and add execution bits or change permissions on these files.
[Updated] MATCH-S00516 Antivirus Ransomware Detection
[Updated] MATCH-S00534 MacOS - Re-Opened Applications
[Updated] MATCH-S00149 PowerShell File Download
[Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher

Log Mappers

[Updated] Microsoft Defender for Cloud - Security Alerts
- Adds support for Security Alerts via Azure Activity Log
[Updated] Zscaler - Nanolog Streaming Service - JSON
- Adds alternate values for NSS mappers to ensure proper normalization
[Updated] Zscaler Firewall
- Adds alternate values for ZScaler Firewall mappers to ensure proper normalization

August 22, 2023 - Application Update

Deprecation Notice

After careful evaluation, we have deprecated Grok patterns immediately for customers who've not used the feature in the last 30 days. Our more robust and configurable solution is already available for customers in the Sumo Logic parsers. More details on how parsing works in Sumo Logic can be found in the Parsing Language Reference Guide.

For customers who are still using Grok, further communication along with a path to migrate to the Sumo Logic parsers will be provided in the coming weeks.

August 4, 2023 - Content Release

This release includes minor updates and a new log mapper for Microsoft Defender.

Rules

[Updated] MATCH-S00231 Azure - Member Added to Company Administrator Role
- Updated expression to account for parser and vendor schema changes
[Updated] THRESHOLD-S00097 Impossible Travel - Successful
- Removed vendor/product grouping
[Updated] THRESHOLD-S00098 Impossible Travel - Unsuccessful
- Removed vendor/product grouping
[Updated] MATCH-S00167 Recon Using Common Windows Commands
- Bug fix for Qualys path exclusion not working

Log Mappers

[New] Microsoft Defender for Cloud - Security Alerts
- Support for new log schema

Parsers

[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- Added additional time format

August 3, 2023 - Content Release

This release includes updated MITRE ATT&CK™ technique tags on several rules and added support for Microsoft Graph Security Alert API 1.0 via C2C.

Rules

[Deleted] OUTLIER-S00012 Spike in AWS New Service Creation or Port Connection from Source Address
- As advised in the advanced notice on July 14th, 2023 - this Outlier rule was deleted due to performance and efficacy findings.
[Updated] MATCH-S00679 AWS Route 53 Domain Registered
[Updated] FIRST-S00038 First Seen Wget Usage from User
[Updated] MATCH-S00830 Office 365 Forwarding Rule Created
[Updated] LEGACY-S00064 Potentially vulnerable software detected
[Updated] LEGACY-S00086 SSL Certificate Not Valid Yet
[Updated] LEGACY-S00087 SSL Heartbleed Attack
[Updated] LEGACY-S00089 SSL Heartbleed Many Requests
[Updated] LEGACY-S00090 SSL Heartbleed Odd Length
[Updated] LEGACY-S00091 SSL Invalid Server Cert
[Updated] LEGACY-S00096 Shellshock

Log Mappers

[New] Microsoft Graph Security Alert API C2C

Parsers

[New] /Parsers/System/Microsoft/Graph Security Alert API

July 21, 2023 - Content Release

This release includes:

Removal of unused legacy parsers and directly associated mappers and rule content.
Support for Windows Event Log JSON ingested via Open Telemetry collector. XML and JSON via OTel are now fully supported in Cloud SIEM.

Rules

[New] FIRST-S00038 First Seen Wget Usage from User
- Observes for execution of Wget from a user for the first time since the baseline period (14 days).
[Updated] LEGACY-S00009 Bluecoat Proxy - Suspicious or Malicious Categories
- Fix to account for minor difference from legacy parser to current parser.
[Updated] FIRST-S00016 First Seen Non-Network/Non-System Logon from User
- Excludes LogonTypes for System Startup, Batch, and Service to reduce volume of records matching.
[Deleted] MATCH-S00073 Palo Alto - Traps Templated Events

Log Mappers

[Updated] AWS Security Hub
- Lowered normalizedSeverity to reduce false positivity of passthrough signals.
[Updated] CrowdStrike Falcon Identity Protection (CNC)
- Adjusted IdentityProtectionEvent normalizedSeverity to use INFO, LOW, MEDIUM, and HIGH instead of numeric values to improve consistency.
[Updated] Windows - Security - 4627
- Added mapping for logonType '0' representing a system startup.
[Deleted] AD Audit DNS
[Deleted] AD Audit Comp
[Deleted] AD Audit LDAP
[Deleted] AD Audit Local Logon
[Deleted] AD Audit Server
[Deleted] AD Audit User
[Deleted] Blue Coat Proxy 1
[Deleted] Blue Coat Proxy 3
[Deleted] Cisco Firepower Malware Event 430005
[Deleted] Cisco Ironport WSA NOHD 02
[Deleted] Citrix Xenserver Auth Message
[Deleted] Cylance_Audit_1
[Deleted] Cylance_Audit_2
[Deleted] Ironport Cisco
[Deleted] LINUX Root Login
[Deleted] LINUX Root Login with Username
[Deleted] LINUX User Authenticated
[Deleted] LINUX User Authenticated no Username
[Deleted] LINUX User Session Open/Close
[Deleted] Palo Alto Traps Misc
[Deleted] Symantec SEP Compressed File
[Deleted] Symantec SEP MEM System
[Deleted] Symantec SEP Potential Risk Found 04
[Deleted] Symantec SEP Security Risk Found 2
[Deleted] Symantec SEP Sonar Detection Variation 2
[Deleted] Symantec SEP Virus Found
[Deleted] Tanium S05 Logs

Parsers

[New] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

Legacy Parsers

[Deleted] ADAUDIT_COMP
[Deleted] ADAUDIT_DNS
[Deleted] ADAUDIT_LDAP
[Deleted] ADAUDIT_LOCAL_LOGON
[Deleted] ADAUDIT_SERVER
[Deleted] ADAUDIT_USER
[Deleted] BLUECOAT_PROXY_1
[Deleted] BLUECOAT_PROXY_3
[Deleted] CYLANCE_AUDIT1
[Deleted] CYLANCE_AUDIT2
[Deleted] Firepower_Malware_Event_430005
[Deleted] IRON_PORT_CISCO
[Deleted] IRON_PORT_WSA_NOHD_02
[Deleted] LINUX_AUTH
[Deleted] LINUX_ROOT_GENERIC
[Deleted] LINUX_ROOT_LOGIN
[Deleted] LINUX_ROOT_NO_USER
[Deleted] LINUX_ROOT_USER
[Deleted] PAN_TRAPS_MISC
[Deleted] SYMANTEC_SEP_CF
[Deleted] SYMANTEC_SEP_MEMS
[Deleted] SYMANTEC_SEP_PRF_04
[Deleted] SYMANTEC_SEP_SDN_02
[Deleted] SYMANTEC_SEP_SRF_2
[Deleted] SYMANTEC_SEP_VF_01
[Deleted] TANIUM_S05_TYPE_LOGS
[Deleted] VDM_LOG_SECURE
[Deleted] citrix_xenserver_auth_message

July 21, 2023 - Application Update

Minor Changes and Enhancements

[Update] The Cloud SIEM UI has been updated with refreshed fonts and colors to better align with the core Sumo Logic pages. This is the first change in a greater series of updates designed to present a more unified user experience across Sumo Logic feature sets.
[New] The Signal Severity Total, an indication of the activity for an Entity, has been added to the Entity list and details views. The Signal Severity Total is calculated by adding up the severity value for each of the Signals generated against a given Entity during the current detection window (by default 14 days), not including duplicate or suppressed Signals.

Bug Fixes

With the recent changes to log mapping, some users were seeing an error when attempting to use custom input vendors and/or products.
Entity lookup normalization was taking place after Entity Groups were processed; normalization now happens first.

July 14, 2023 - Content Release

Starting with this release, the rule type for First Seen rules is now "Anomaly", and Outlier Rules have been promoted from prototype mode.

NOTE: Due to performance and efficacy findings, OUTLIER-S00012 will be deleted on July 28th. If you wish to retain this rule, it must be duplicated in the Cloud SIEM Rules UI.

Rules

[Updated] OUTLIER-S00001 Spike in login failures from a user
- Removed incorrect match list from expression.
- Will remain in prototype an additional week due to changes made to the rule expression.
[Updated] OUTLIER-S00002 Spike in Successful Distinct Share Access
[Updated] OUTLIER-S00003 Spike in Failed Share Access by User
[Updated] OUTLIER-S00004 Spike in Azure Firewall Deny Events from Source IP
[Updated] OUTLIER-S00005 Spike in AWS API Call from User
[Updated] OUTLIER-S00006 Spike in Data Transferred Outbound by User
[Updated] OUTLIER-S00007 Spike in Windows Administrative Privileges Granted for User
[Updated] OUTLIER-S00008 Spike in Failed Azure Sign In Attempts Due to Bad Password from IP Address
[Updated] OUTLIER-S00009 Spike in PowerShell Command Line Length From Host
[Updated] OUTLIER-S00010 Spike in URL Length from IP Address
[Updated] OUTLIER-S00011 Spike in AWS AccessDenied Events by assumedrole

Schema

[New] http_referer_queryParameters
- New queryParameters enrichment/mappable field
[New] http_url_queryParameters
- New queryParameters enrichment/mappable field
[New] objectClassification
- Allows objectClassification to be used in Cloud SIEM rule expressions.

July 13, 2023 - Application Update

New RBAC Capabilities

Reminder: Earlier this week, we introduced new RBAC capabilities for Cloud SIEM: View Entities and Manage Entities. Users with the built-in administrator role received these capabilities automatically, but admins must manually add these capabilities to other roles as appropriate. If a user does not have either role, they will not be able to see Entity details or interact with or manage Entities in any way.

Minor Changes and Enhancements

[Update] The Entity Timeline feature is now available for all Entity types, including custom types.
[New] When viewing an Entity's detail page, both Entity Groups that apply to that Entity and membership in a suppression list will now be listed.

Bug Fixes

Some customers were seeing non-blocking errors loading Insight detail pages, and links to Cloud SOAR, when they should not have.
The number of records ingested into Cloud SIEM was not being reported consistently on the HUD.

July 11, 2023 - Content Release

This content release includes parsing and mapping updates to Fortinet to account for variations in URL information present in the log sometimes leading to malformed URLs being normalized, adjustments to Jamf mappings to account for case variations in certain fields, as well as changes enumerated below.

Rules

[Updated] OUTLIER-S00010 Spike in URL Length from IP Address
- Narrowed rule expression to NetworkHTTP and NetworkProxy records

Log Mappers

[Updated] Fortinet App Control Logs
[Updated] Fortinet DLP Logs
[Updated] Fortinet Event Logs
[Updated] Fortinet IPS Logs
[Updated] Fortinet Traffic Logs
[Updated] Fortinet Virus Logs
[Updated] Fortinet Webfilter Logs
[Updated] Jamf Audit User - Audit
[Updated] Jamf Audit User - Authentication
[Updated] Jamf Audit User - Endpoint
[Updated] Jamf Audit User - Network
[Updated] SentinelOne Logs - C2C threats
- Adds alternate value for normalizedSeverity lookup

Parsers

[Updated] /Parsers/System/Cisco/Cisco Meraki
- Support for more variation in content filtering block logs and additional drops for events of limited to no security value.

June 29, 2023 - Content Release

This release includes parsing and mapping updates to Fortinet to account for variations in URL information present in the log sometimes leading to malformed URLs being normalized, adjustments to Jamf mappings to account for case variations in certain fields, as well as changes enumerated below.

Rules

[Updated] OUTLIER-S00010 Spike in URL Length from IP Address
- Narrowed rule expression to NetworkHTTP and NetworkProxy records

Log Mappers

[Updated] Fortinet App Control Logs
[Updated] Fortinet DLP Logs
[Updated] Fortinet Event Logs
[Updated] Fortinet IPS Logs
[Updated] Fortinet Traffic Logs
[Updated] Fortinet Virus Logs
[Updated] Fortinet Webfilter Logs
[Updated] Jamf Audit User - Audit
[Updated] Jamf Audit User - Authentication
[Updated] Jamf Audit User - Endpoint
[Updated] Jamf Audit User - Network
[Updated] SentinelOne Logs - C2C threats
- Adds alternate value for normalizedSeverity lookup

Parsers

[Updated] /Parsers/System/Cisco/Cisco Meraki
- Support for more variation in content filtering block logs and additional drops for events of limited to no security value.
[Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog

June 29, 2023 - Application Update

New RBAC Capabilities

Starting Thursday, July 6, we're introducing new RBAC capabilities for Cloud SIEM: View Entities and Manage Entities. Users with the built-in administrator role will receive these capabilities automatically, but admins must manually add these capabilities to other roles as appropriate. If a user does not have either role, they will not be able to see Entity details or interact with/manage Entities in any way.

Minor Changes and Enhancements

[New] Nodes can now be moved around individually on the Insight Related Entities Graph.
[Update] To align more closely with accepted industry definitions, we are changing the Dwell Time label on Insight metrics in the UI to Detection Time. Note that only the label is changing, not now the metric is calculated (i.e., the period of time between when the first record in an Insight was observed and when the Insight was created).
[Update] Match list update containing more than 1000 entries are now supported by our Terraform provider.
[Update] When a custom product or vendor is selected in log mapping, the string entered by the user is now indexed instead of the word "Custom", so that the custom entry can be searchable/filterable. This only applies to mappings configured going forward.
[New] Custom tag schemas can now be retrieved via API (GET /tag-schemas).
[New] When viewing Rule Tuning Expressions, if one applies to all rules, it will now say All instead of giving a numerical count.
[Update] The Cloud SIEM UI color palette has been updated to more closely align with the standard Sumo Logic "dark mode" color palette.

Bug Fixes

Insight sub-resolutions were not being passed to XSOAR correctly in some circumstances.
Some users were unable to override fields on some Sumo-provided rules.
When extracting fields in rule expressions, double quotes were not working ({{fields[""]}}).

June 22, 2023 - Content Release

This release includes additional parser and mappers for Aruba ClearPass Syslog events, minor bug fixes to several First Seen type rules, and other specifically enumerated changes below.

Rules

[Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
- Adds requirement that commandLine is present for a match
[Updated] FIRST-S00016 First Seen Non-Network Logon from User
[Updated] FIRST-S00008 First Seen whoami command From User
[Updated] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
- Adds dstDevice_ip to entity selection

Log Mappers

[New] Aruba ClearPass Guest Access
[New] Aruba ClearPass WiFi Access Tracker
[New] Aruba ClearPass Wifi Failed Tracker
[Updated] Aruba ClearPass Syslog
[Updated] Tenable.io Authentication
- Adds alternative key matches for vuln_cve and description fields

Parsers

[Updated] /Parsers/System/HP/Aruba ClearPass - Syslog

June 20, 2023 - Application Update

Outlier Rules

Sumo Logic is pleased to announce a new rule type for Cloud SIEM: Outlier Rules. This new rule type further enhances Cloud SIEM’s User and Entity Behavioral Analytics (UEBA) capabilities. With these rules, Cloud SIEM can detect events that deviate from the usual behavior of an Entity, such as a spike in login failures from a user, without having to define a static threshold. Once the rule is set, Cloud SIEM automatically builds a normal behavior baseline for each Entity based on the rule expression. It creates a signal only when a deviation from normal behavior is detected (in this case, too many login failures compared to their normal baseline behavior). Other examples include detecting a spike in Windows administrative privileges granted and a spike in AWS calls from a user.

Outlier Rules are defined like any other rule type through the Content menu in Cloud SIEM.

Outlier Rules operate based on a baseline. During this period - typically between 7 and 30 days - the system will learn what normal behavior looks like. After the baseline is established, Cloud SIEM will begin generating Signals when unusual behavior is detected compared to that baseline. (Note that the longer the baseline, the more accurate the model will be.)

Cloud SIEM will include a set of Outlier Rules out of the box. These rules can be tuned and customized like any other rule type, and custom Outlier Rules can also be created.

For more information about how to use Outlier Rules, see the online documentation. You can also see an introduction to the feature by navigating to the Rules page in Cloud SIEM.

Minor Changes and Enhancements

[New] Users can now customize the global Signal Suppression period. During this period, which is set to 72 hours by default, duplicate signals (with identical names and Entities) are suppressed (for example, they do not “count” towards Insights). With this new feature, this period can be lowered globally (for all rules) to as low as 24 hours. (Note that lowering this value can lead to a higher number of potentially duplicate Insights.) The setting is accessible via the Workflow > Detection option in the Configuration menu.
[Updated] Cloud SIEM application status will now be published on the main Sumo Logic status page, https://status.sumologic.com/. (Previously it was published on https://cse-status.sumologic.com/.) Existing email subscriptions and status notifications will be moved to the new page automatically.

June 12, 2023 - Application Update

Minor Changes and Enhancements

[New] The Entity Timeline now supports all Entity types (including custom types).
[New] The GetSignals API call now includes an attribute with a timestamp when each Signal was created.
[Updated] The log mapping UI has been updated so that if a standard vendor and product is selected, those values will be auto-filled on the record configuration, avoiding an issue where customers were accidentally creating 'custom' values.

Bug Fixes

An error would occur when sorting entity groups by entity type.
The control used to select schema tags for Entities was not working properly.
The "View in Log Search / Normalized Data" button was opening a log search window with an incorrect time frame.
Global search was not displaying previous searches, and was not returning some Entities.
The rule tuning expression editor would not scroll for very long expressions.
Importing a rule via the UI was not working in some scenarios.

June 2, 2023 - Content Release

Within this release, we made modifications to the Threat Intel MATCH-S00815 Rule to include the user_username associated with the 'src_Device_ip' to capture the account the threat IP authenticated with and to correlate on actions by the account. We also made a modification to the Azure Sign in Log mapper so that 'properties.userAgent' is mapped to the entity field 'http_userAgent'.

Rules

[Updated] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP

Log Mappers

[Updated] AzureActivityLog 01

May 26, 2023 - Content Release

This release changes Crowdstrike mapper record types from 'Endpoint' to 'Audit' logs to align with Crowdstrike documentation, fixes to Fortinet severity scoring, SentinelOne IP mappings, additional values for Windows mappers for Snare, Snare parser updates for Windows Event 4947, updates to TrendMicro Deep Security CEF parser to allow for additional timestamp formats, and a minor rule update.

Rules

[Updated] AGGREGATION-S00005 Suspicious System Enumeration Occurring in Quick Succession, Rule no longer in prototype

Log Mappers

[Updated] CrowdStrike Audit Logs
[Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
[Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
[Updated] CrowdStrike Falcon Identity Protection (CNC)
[Updated] CrowdStrike Remote Response Session (CNC)
[Updated] CrowdStrike UserActivity Logs
[Updated] Fortinet DLP Logs
[Updated] Fortinet IPS Logs
[Updated] SentinelOne Logs - C2C agents
[Updated] SentinelOne Logs - C2C threats
[Updated] Windows - Security - 4947
[Updated] Windows - Security - 4948

Parsers

[Updated] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF
[Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security

May 12, 2023 - Content Release

Across the latest content release, the Threat Labs team has made a series of new AWS specific detections and a set of improvements both to the mappers and parser to include proper inbound / outbound network connection directional flow, and port assignments for AWS GuardDuty. Additional context and minor corrections/improvements can found within the list below.

Rules

[New] MATCH-S00874 AWS Lambda Function Recon
[New] MATCH-S00875 AWS VPC FLow Log Deletion
[New] MATCH-S00876 Potential AWS Security Credential Access via curl
[Updated] MATCH-S00226 Azure - Add Member to Group, TLAB-542 Update Azure Group Add rule and mapper addition, Keys updated: summary_expression, normalized_summary

Log Mappers

[Updated] AWS GuardDuty Alerts from Sumo CIP
[Updated] AWSGuardDuty_Backdoor
[Updated] AWSGuardDuty_Behavior
[Updated] AWSGuardDuty_Catch_All
[Updated] AWSGuardDuty_CryptoCurrency
[Updated] AWSGuardDuty_Discovery
[Updated] AWSGuardDuty_Exfiltration
[Updated] AWSGuardDuty_PenTest
[Updated] AWSGuardDuty_Trojan
[Updated] AzureActivityLog AuditLogs
[Updated] Recon_EC2_PortProbeUnprotectedPort
[Updated] Recon_EC2_Portscan
[Updated] Recon_IAMUser
[Updated] UnauthorizedAccess_EC2_SSHBruteForce
[Updated] UnauthorizedAccess_EC2_TorClient
[Updated] UnauthorizedAccess_EC2_TorIPCaller
[Updated] UnauthorizedAccess_EC2_TorRelay
[Updated] UnauthorizedAccess_IAMUser

Parsers

[Updated] /Parsers/System/AWS/AWS S3 Server Access Logs, AWS S3 Server Access Logs Parser Fix Related to New Fields and Wrapper
[Updated] /Parsers/System/Cisco/Cisco ASA, Modifies ASA header parser to account for additional delimiter variant
[Updated] /Parsers/System/AWS/GuardDuty

May 5, 2023 - Content Release

The latest iteration of our content release include Office 365 changes that address Mapping, Parsing and Rule changes that better take into account fields that were previously encapsulated within the Parameters field. Additionally, we performed improvements to the Zscaler Nanolog mapping and parsing to more accurately present port data even when extracted from URLs.

Rules

[Updated] MATCH-S00830 Office 365 Forwarding Rule Created
[Updated] MATCH-S00831 Office 365 Unified Audit Logging Disabled

Log Mappers

[Updated] Microsoft Office 365 Exchange Mailbox Audit Events: Keys updated: 'targetUser_username'
[Updated] Office 365 - Exchange Admin Events: Keys updated: 'user_username', 'targetUser_username'
[Updated] Zscaler - Nanolog Streaming Service - JSON: Keys updated: 'dstPort'

Parsers

[Updated] /Parsers/System/Cisco/Cisco Firepower Syslog: REGEX modifications to parse the Firepower Event ID
[Updated] /Parsers/System/Microsoft/Office 365
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-CEF
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF

May 3, 2023 - Application Update

Cloud SIEM Insight Trainer

We are excited to announce the release of Cloud SIEM Insight Trainer, a dashboard packaged with the Cloud SIEM Application.

Many security teams spend time every week tuning their SIEM to improve detections and focus SOC analyst attention on the most serious threats. Insight Trainer utilizes machine learning to provide Rule tuning recommendations and severity adjustments to significantly reduce the burden of manual tuning. Insight Trainer learns Rule severity adjustments from your Insights' history that reduces false positive, and optionally, "No Action" Insights.

Some of the highlights of Insight Trainer include:

Customer-Specific Tuning Recommendations - Insight Trainer makes recommendations specific to each customer based on their unique set of Rules, Insight history, and analyst Insight resolutions.
Improved SOC Efficiency - Insight Trainer automates the manual process of identifying Rules that are candidates for tuning or severity adjustment and provides impact analysis of the changes.
Machine Learning/AI-Driven Analytics - Insight Trainer leverages machine learning and AI to deliver outcome-based recommendations geared towards the reduction of false positive and non-actionable Insights without compromising the actual detection value or true positive Insights in Cloud SIEM.
Easy Adoption - The dashboard is available as an update to our already existing Enterprise Audit Cloud SIEM application and can be set up to run with no additional configuration or data science knowledge.

Periodic application of the recommended changes will improve the quality of Insights generated by Cloud SIEM. For more information about the Insight Trainer, see our detailed online documentation.

Bug Fixes

On the Insight Related Entities list, some of the Signal counts were incorrect.
Whitespace, including new lines, were being stripped from some Enrichments formatted in JSON.
Indicators not using the proper case were being accepted but displaying as "NotFlagged" in the UI.

April 28, 2023 - Content Release

Rules

Updates several Azure based rules to account for modifications made to normalization mappers.

[New] MATCH-S00873 AWS EKS Cluster Configuration Updated: AWS EKS clusters contain various configuration options, including for which IP addresses can access the cluster API. Ensure that this change is authorized and expected.
[New] MATCH-S00872 AWS EKS Failed Curl Authentication Attempt: Failed instances of curl usage within a containerized environment should occur rarely. Investigate the source IP address used to ensure that it is legitimate.
[New] MATCH-S00871 AWS EKS Pod Shared Object Modification or Creation: A Kubernetes pod was either created, updated or patched with a shared process namespace.
[New] MATCH-S00870 AWS EKS Secrets Created: Kubernetes secrets may be created for legitimate purposes. Ensure that the secret created is from an IAM account that is expected to manage Kubernetes workloads on EKS.
[New] MATCH-S00869 AWS EKS Secrets Deleted: Kubernetes secrets may be deleted for legitimate purposes. Ensure that the secret created is from an IAM account that is expected to manage Kubernetes workloads on EKS.
[New] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User: The user user_username has performed an operation on an EKS cluster for the first time since the baseline period.
[New] FIRST-S00037 First Seen AWS EKS Admission Controller Created by IP Address: First Seen Admission Controllers (submit a new MutatingWebhookConfiguration or ValidatingWebhookConfiguration object via the Kubernetes API, or update an existing one.)
[New] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address: srcDevice_ip has enumerated secrets on an AWS EKS cluster for the first time since the baseline period.
[New] FIRST-S00034 First Seen Session Token Granted to User from New IP: An AWS Session token was issued for the first time since the baseline period to user_username using the IP address of srcDevice_ip.
[New] FIRST-S00033 First Seen Terminal-Attached Pod Deployed to EKS: A pod was deployed with an attached terminal (stdin=true,stdout=true,tty=true) for the first time since the baseline period.
[New] THRESHOLD-S00114 HTTP Response Error Spike to AWS EKS: HTTP web services provide response codes to client requests. The response code numbers in the 400s are used to indicate a client related error and response code numbers in the 500s represent server related errors. This rule looks for a AWS EKS cluster receiving a large frequency of web errors within a short period of time. It is unusual for a web client to cause this many errors in a short period of time. Common occurrences for this behavior is scanning/probing activity or scripted web clients which are now encountering errors due to a misconfiguration or recent change. This rule alerts when a host on the monitored network triggers the threshold.
[New] MATCH-S00868 New Binding Role Created on AWS EKS: A role binding grants a resource superuser or administrative access to a Kubernetes cluster. Ensure this action is expected and performed by known Kubernetes administrators.
[New] MATCH-S00867 New Cluster Admin Binding Role Created on AWS EKS: A cluster-admin role binding grants a resource superuser or administrative access to a Kubernetes cluster. Ensure this action is expected and performed by known Kubernetes administrators.
[New] MATCH-S00866 Privileged Pod Created on AWS EKS: Privileged containers have all capabilities of the host machine. These privileged containers may perform actions directly on the host that they are running on. Ensure that this event is expected and occurs from a user account or IP address that normally works with privileged containers within the cluster. Customers are encouraged to set up an exclusion list for spec.securitycontext.capabilities for pods that are frequently going to be managed with privileged escalation.
[Updated] MATCH-S00864 Azure Firewall Rule Modified
[Updated] MATCH-S00839 Azure Virtual Machine RunCommand Issued
[Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
[Updated] FIRST-S00032 First Seen Kubectl Command From User: Expanded record types considered to include Endpoint.
[Updated] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
[Updated] MATCH-S00167 Recon Using Common Windows Commands: Narrowed rule criteria to Windows executables to prevent erroneous matches from *nix based systems

Log Mappers

[New] Administrator Audit Trail: Modified CyberArk EPM mappers to include alternate field values.
[New] Administrator Logon
[New] Darktrace Parser - Anomalous Connection: Modifies Darktrace mappers to include alternate field values and supports additional events.
[New] Darktrace Parser - Brute Force Attempt
[New] DocuSign Monitor - Alert
[New] DocuSign Monitor - Catch All: Adds support for DocuSign Monitor events via C2C.
[New] Druva inSync - Catch All: Adds support for Druva events via C2C.
[New] Jamf Audit User - Authentication
[New] Jamf Audit User - Endpoint
[New] Jamf Audit User - Network
[New] Workday - Sign On: Expands mapping support for Workday logs ingested via C2C.
[Updated] Azure Administrative logs
[Updated] Cisco Meraki IDS Alert - C2C: Corrects typo in mapper for some IP/port fields
[Updated] Darktrace Parser - Catch All:
[Updated] Darktrace Parser - New Device
[Updated] Darktrace Parser Events
[Updated] Jamf Audit User - Audit
[Updated] Sysdig Benchmark JSON: Corrects bug in severity mapping for Sysdig mappers.
[Updated] Sysdig Policy Detection JSON: Corrects bug in severity mapping for Sysdig mappers.
[Updated] Sysdig Scanning JSON: Corrects bug in severity mapping for Sysdig mappers.
[Updated] Workday - Catch All: Expands mapping support for Workday logs ingested via C2C.
[Updated] Zscaler - Nanolog Streaming Service - JSON: Corrects NSS record type to NetworkProxy instead of NetworkFlow

Parsers

Adds support for DocuSign Monitor and Druva inSync Cloud, and additional support for Meraki, CyberArk, and Workday events.

[New] /Parsers/System/DocuSign/DocuSign Monitor
[New] /Parsers/System/Druva/Druva inSync Cloud
[Updated] /Parsers/System/Cisco/Cisco Meraki: Strip off extraneous … from URLs
[Updated] /Parsers/System/Cyber-Ark/CyberArk EPM JSON: Corrected time parsing
[Updated] /Parsers/System/Darktrace/Darktrace JSON
[Updated] /Parsers/System/Duo Security/Duo Multi-Factor Authentication: Duo Parser Fix for Setting Event ID Correctly
[Updated] /Parsers/System/Palo Alto/PAN Firewall CEF: Adds support for Network events ingested via a log forwarder or Cortex Data Lake.
[Updated] /Parsers/System/Workday/Workday

April 21, 2023 - Application Update

Automation Service

Sumo Logic is excited to announce a new feature that integrates functionality previously available only in our Cloud SOAR solution directly into Cloud SIEM. This new feature, the Automation Service, allows you to define and automate smart actions, including enrichments and notifications, enabling your security analysts to address potential security threats faster and more accurately.

You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that can include parallel actions and logic steps. Actions are defined as part of integrations.

The Automation Service includes over 350 integrations out of the box, each including several predefined actions:

Many playbooks are also included, providing instant value with practically no effort - simply connect the integration to the appropriate endpoint and enable the corresponding automation in Cloud SIEM. Playbooks can be automatically triggered when Insights are created or closed, or triggered manually.

You can also customize these objects or create entirely new ones. While the out of the box actions primarily execute directly from the Sumo Logic cloud, custom actions run through a proxy called a Bridge which runs on a system managed by you.

Automations (and other objects) are accessible through the Configuration menu, under Integrations:

Automation results are accessible from Insight and Entity detail pages.

The Insight Enrichment Server and the Actions functionality in Cloud SIEM, which is replaced by the Automation Service, will be deprecated on November 30, 2023. Until then, they will continue to be fully supported and operational. To aid in migration, all current Enrichment Server examples and Actions have equivalent actions and playbooks in the Automation Service. In addition, through the Bridge, customers can execute any existing PowerShell script currently connected to the Insight Enrichment Server.

note

The Automation Service currently has Limited Availability. This means that it is fully functional and supported in production environments, but not automatically deployed to every customer. If you would like it deployed to your environment, please contact Sumo Logic and we will enable it for you.

There is much more information about the Automation Service and how to use it in the online documentation.

Threat Indicators

The way enrichments are displayed in Cloud SIEM is also being enhanced to provide important information to security analysts when they need it, without having to look it up.

First, the Enrichment tabs have been reorganized by Entity (instead of by Enrichment) and additional filter controls have been added:

In addition, Entity enrichments will now persist outside of Insights. So, for example, if an Entity is enriched as part of an Insight, those enrichment details will be visible from that Entity’s details page.

This persistence can be controlled by setting an expiration date as part of the enrichment. In addition, URLs can be attached to enrichments (so that users can click on the link to see more detailed information about the enrichment by, for example, going to the VirusTotal web page for that indicator).

Finally, enrichments can now set reputation indicators. These indicators will be visible anywhere in the UI that the Entity is displayed. Where there is sufficient room, a color-coded text label will be displayed (as in the example above); in other situations, an icon will be displayed instead.

The reputation is not set automatically; the enrichment must pass a reputation to Cloud SIEM. More information about this, and the other new features, is available in online documentation.

Minor Changes and Enhancements

[Updated] The Entity Relationship Graph view on Insights has exited open Beta and is now fully supported.
[New] When using custom columns with Match Lists, CIDR block matches are now supported with IP address-related fields.
[New] When referring to Match Lists, specific columns can now be specified in rule conditions for all Match List types. (Previously this functionality was only available for Threat Intelligence lists.)

April 20, 2023 - Content Release

Summary

Within our latest content release we are introducing a new set of rules related to our 5th Threat Research Campaign structured around Docker, Azure, and Linux. We also made Mapper additions to support Cisco Meraki events ingested via C2C, Cyber Ark Mapper improvements, and new Jamf Audit User Event and Jamf Protect Mappers.

Rules

[New] MATCH-S00864 Azure Firewall Rule Modified Description: The Azure Firewall may provide egress and ingress controls for a variety of Azure services; unexpected or unplanned firewall modifications should be investigated.
[New] AGGREGATION-S00006 Docker Enumeration Detected on Host Description: Threat actors will aim to enumerate various permissions and settings on hosts with Docker installed; this enumeration can potentially lead to exploitation avenues.
[New] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event Description: User has successfully signed into an Azure resource with a first seen IP address since the baseline period.
[New] FIRST-S00032 First Seen Kubectl Command From User Description: User has issued a Kubectl command which was first seen since the baseline period on hostname.
[New] THRESHOLD-S00112 Multiple Azure Firewall Deny Events for IP Description: An Azure firewall has denied a large number of request from an IP address within a short time window.
[New] THRESHOLD-S00113 Multiple Azure Firewall Deny Events for URL Description: An Azure firewall has denied a large number of requests to a URL within a short time window.
[New] MATCH-S00865 Potential Docker Escape via Command Line Description: This rule looks for whether the raw Docker socket was used for container creation as well as a bind mount of /hostfs which could facilitate a container escape and allow command execution on the Docker host.
[New] CHAIN-S00014 Potential Docker container escape via Cgroups. Description: A Docker container running with the privileged flag may be exploited by threat actors, potentially resulting in an escape from the Docker container to the host that it is running on. This can result in various privilege escalation opportunities.
[New] CHAIN-S00015 Suspicious Linux Execution Chain Description: This alert looks for a number of search expressions that result in a suspicious Linux execution chain. Specifically, a file that is created in a users' home directory or in /tmp, followed by a chmod and file execution, as well as the process making a network connection.

Log Mappers

[New] Cisco Meraki File Scanned - C2C
[New] Cisco Meraki IDS Alert - C2C
[New] Cisco Meraki Organization Configuration Change - C2C
[New] Cisco Meraki Wireless Air Marshall - C2C
[New] Jamf Audit User - Events
[New] Jamf Protect Analytics - Events
[Updated] Cisco Meraki 8021x
[Updated] Cisco Meraki Catch All - Custom Parser
[Updated] Cisco Meraki Client Association
[Updated] Cisco Meraki Content Filtering Block - Custom Parser
[Updated] Cisco Meraki Flow Start_End - Custom Parser
[Updated] Cisco Meraki Flows - Custom Parser
[Updated] Cisco Meraki IDS - Custom Parser
[Updated] Cisco Meraki Security Filtering Disposition Change - Custom Parser
[Updated] Cisco Meraki Security Filtering File Scanned - Custom Parser
[Updated] Cisco Meraki URLS - Custom Parser
[Updated] Cisco Meraki WPA - Custom Parser
[Updated] Cyber Ark 01
[Updated] Cyber Ark EPM AggregateEvent
[Updated] Cyber Ark EPM AuditAdmin
[Updated] Cyber Ark EPM GetComputer
[Updated] Cyber Ark EPM Policy
[Updated] Cyber Ark EPM RawDetails
[Updated] Cyber Ark EPM RawEvents
[Updated] Cyber Ark Vault JSON
[Updated] Jamf Parser - Catch All

Parsers

[New] /Parsers/System/Cisco/Cisco Meraki C2C
[New] /Parsers/System/Sophos/Sophos Central C2C JSON
[Updated] /Parsers/System/Jamf/Jamf

April 13, 2023 - Content Release

Summary

Updated GuardDuty mappers to use detail.type instead of overly verbose detail.description.
Added parsing and mapping support for Citrix Cloud C2C.
Secondary update corrections around Matchlist fix for column specifc filters.
New Sophos C2C mapper expansion around Event and Alert normalization.
Net-new OOBB content for Zoom; eight-Match rules, six Mappers, one Parser.

Rules

[New] MATCH-S00856 Zoom - Account Created
[New] MATCH-S00857 Zoom - Account Deleted
[New] MATCH-S00858 Zoom - Group Admin Added
[New] MATCH-S00859 Zoom - Group Admin Deleted
[New] MATCH-S00860 Zoom - Group Changes
[New] MATCH-S00861 Zoom - Information Barrier Policy Changes
[New] MATCH-S00862 Zoom - Meeting Risk Alert
[New] MATCH-S00863 Zoom - Recording Modification
[Updated] THRESHOLD-S00096 Brute Force Attempt
[Updated] MATCH-S00565 Direct Outbound DNS Traffic
[Updated] THRESHOLD-S00103 Domain Brute Force Attempt
[Updated] THRESHOLD-S00102 Domain Password Attack
[Updated] THRESHOLD-S00095 Password Attack
[Updated] CHAIN-S00008 Successful Brute Force

Log Mappers

[New] Citrix Cloud Client Created or Deleted
[New] Sophos - C2C Alerts
[New] Sophos - C2C Event Threat Detections
[New] Zoom - Account Creations or Deletions
[New] Zoom - Catch All
[New] Zoom - Group Modifications
[New] Zoom - Information Barrier Policy Modifications
[New] Zoom - Meeting Risk Alert
[New] Zoom - Recording Deleted or Trashed
[Updated] AWSGuardDuty_PenTest
[Updated] AWSGuardDuty_Stealth
[Updated] Recon_EC2_PortProbeUnprotectedPort
[Updated] Recon_IAMUser

Parsers

[New] /Parsers/System/Citrix/Citrix Cloud C2C
[New] /Parsers/System/Zoom/Zoom

April 13, 2023 - Application Update

Minor Changes and Enhancements

[New] When logs fail to parse or map, a detailed error message will be logged in the sec_record_failure index, in the fields.reason attribute.
[New] Where possible, private domains are now automatically enriched by Cloud SIEM during record processing.
[Updated] Insight comments can now contain up to 1024 characters (up from 256).
[New] On the list of Rule Tuning Expressions, each Tuning Expression now lists the number of Rules to which it is currently applied.
[New] For First Seen Rules, the UI will display the baseline model status (i.e., building, with amount of progress, or complete). (Note it will only display the status on Rules that were created or updated after this feature became available.)

Bug Fixes

In some cases, inventory data from an AWS EC2 source was not being displayed in Cloud SIEM properly.
For Yara-based signals with file attachments, users were unable to download the file.
Occasionally, some related Entities were not visible in the Insight Related Entities graph but were included correctly on the list.
Entity suppression state was being reported incorrectly on several screens.
The Manage Entity Groups permission was required to view Entity Groups. Now only View Entity Groups is required.
Links to the Cloud SIEM API no longer require a trailing slash.

April 7, 2023 - Content Release

This release includes bug fixes for several rules using match lists using the "column" field in the rule expression.

Rules

[New] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address; External connections over the internet to port 445 could be indictative of hash leak attempts, including exploitation attempts for vulnerabilities such as CVE-2023-2397. This alert looks at a source IP address making a connection to a new external destination IP address since the baseline period.
[Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country; Added additional logic to help reduce false positives
[Updated] THRESHOLD-S00096 Brute Force Attempt
[Updated] MATCH-S00565 Direct Outbound DNS Traffic
[Updated] THRESHOLD-S00103 Domain Brute Force Attempt
[Updated] THRESHOLD-S00102 Domain Password Attack
[Updated] THRESHOLD-S00095 Password Attack
[Updated] CHAIN-S00008 Successful Brute Force

Log Mappers

[New] OpenVPN Logon Attempt
[New] OpenVPN Network Event
[New] Snowflake Catch All
[New] Snowflake Login
[New] Windows Defender ATP Alert
[Updated] Netskope - Audit Authentication Events - Logoff; Made eventID match more permissive

Parsers

[New] /Parsers/System/Snowflake/Snowflake
[New] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON
[Updated] /Parsers/System/Cisco/Cisco ASA; Build/Teardown parsing bug fix
[Updated] /Parsers/System/OpenVPN/OpenVPN Syslog; Added support for additional format

March 24, 2023 - Content Release

Overall improvements to OOTB First Seen rules include minor baseline tweaks and severity adjustments for the following rules. For corrections involving logic adjustment, additional context is included within the individual rule. This update also adds Alternative Values for ProofPoint TAP Mappers.

Rules

[Updated] FIRST-S00002 First Seen AWS API Call from User; General logic improvement to filter on valid Identity type
[Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User; General logic improvement to filter on valid application
[Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
[Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
[Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
[Updated] FIRST-S00004 First Seen Local Group Addition by User
[Updated] FIRST-S00009 First Seen RDP Logon From User
[Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
[Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
[Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
[Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global; Reconfigured to be disabled by default
[Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host; Reconfigured to be disabled by default
[Updated] FIRST-S00005 First Seen User Creation From User
[Updated] FIRST-S00008 First Seen whoami command From User

Log Mappers

[Updated] Proofpoint Targeted Attack Protection C2C - Click Blocked
[Updated] Proofpoint Targeted Attack Protection C2C - Click Permitted
[Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
[Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
[Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted

March 16, 2023 - Application Update

Minor Changes and Enhancements

[New] The Entity Timeline can now be filtered by record type:

Bug Fixes

When an Entity normalization lookup table was deleted and then re-created in the Sumo platform, the configuration in Cloud SIEM was not automatically updated, causing the normalization to fail.
Match lists with custom columns were not working properly during record processing.
The Network Blocks section was missing from the Entity details panel.
Links for schema tags were not displaying in the UI properly.

March 15, 2023 - Content Release

Rules

[New] CHAIN-S00013 GCP IDS Detection Followed by API Call; Detects a GCP IDS hit followed by an API call, indicating the source IP was able to gain access to GCP.
[Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking; Adjusts "Slack - Possible Session Hijacking" to use 'sessionId' schema field.

Log Mappers

[New] GCP IDS; Mapper for GCP IDS events
[New] Netskope - Catch All; Added 'Catch All' Mapper to account for unavailability of event identifier in all messages.
[New] Slack Login; Added mapping specific to logon success/failure events
[Updated] Slack Catch All; Adjusts mapper use new sessionIdschema field in place of sourceUid

Parsers

[Updated] /Parsers/System/Cisco/Cisco Firepower Syslog; Adjusts Cisco Firepower parser for some FTD events and corrected routing for Snort like and ASA messages which pass through the Firepower parser.
[Updated] /Parsers/System/Google/GCP; Adds additional time format handling

Schema

[New] sessionId; An ephemeral and at least semi-unique identifier of a connection between two systems (e.g., HTTP session, user logon session, TCP session identifiers)

March 10, 2023 - Content Release

This release contains a new set of mappers related to AWS CloudTrail Lambda functions, permissions, and sources and how changes related to them can align across our schema. In addition to that we have a correction to the parsing rerouted path 'System' in the parser path for Snort-like formatted messages.

Log Mappers

[New] CloudTrail - lambda.amazonaws.com - AddLayerVersionPermission
[New] CloudTrail - lambda.amazonaws.com - AddPermission
[New] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping
[New] CloudTrail - lambda.amazonaws.com - CreateFunction
[New] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig
[New] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping
[New] CloudTrail - lambda.amazonaws.com - DeleteFunction
[New] CloudTrail - lambda.amazonaws.com - DeleteFunctionUrlConfig
[New] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping
[New] CloudTrail - lambda.amazonaws.com - GetFunction
[New] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration
[New] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig
[New] CloudTrail - lambda.amazonaws.com - GetLayerVersionPolicy
[New] CloudTrail - lambda.amazonaws.com - GetPolicy
[New] CloudTrail - lambda.amazonaws.com - ListEventSourceMappings
[New] CloudTrail - lambda.amazonaws.com - ListFunctionUrlConfigs
[New] CloudTrail - lambda.amazonaws.com - ListFunctions
[New] CloudTrail - lambda.amazonaws.com - PublishLayerVersion
[New] CloudTrail - lambda.amazonaws.com - RemovePermission
[New] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping
[New] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode
[New] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration
[New] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig

Parsers

[Updated] /Parsers/System/Suricata/Suricata Syslog

March 7, 2023 Application Update

Entity Relationship Graph

We are excited to announce the new Entity Relationship Graph. With this feature, you can now see a graphical visualization of all related Entities in an Insight, as well as additional relationships beyond the Insight. This enables you to more quickly understand relationships among Entities and the larger context behind a potential security threat.

note

This feature is available to all customers but is currently in Beta. If you encounter any issues with this feature, report them to Sumo Logic Support. We appreciate your feedback.

The Entity Relationship Graph (and the Related Entities list) displays all Entities involved in the Insight (those referred to in a record in a Signal in the Insight) as well as additional Entity relationships (for example, if Cloud SIEM detects an IP address may also have had a specific hostname at the time the Insight was generated).

However, unlike the Related Entities list, the graph can visualize additional Entity relationships that existed outside of the Insight during a specified time frame.

Both the list and this new graph are available on the Entities tab of the Insight details page:

You can toggle between the list view and the graph view using the control in the upper-right corner of the main panel.

Each node in the graph represents a single Entity. The graph also displays the relationship types and any Indicators. Hovering over an Entity will highlight it and all of its relationships to other Entities, and when an Entity is selected, details about the Entity are displayed on the right.

The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.

For more information about how to use the Entity Relationship Graph, see the online documentation. You will also see an introduction to the feature the first time you visit an Insight details page.

Minor Changes and Enhancements

[New] First Seen Rules now support the use of non-normalized record fields.
[New] When a file is attached to a Signal, it is now available via API (previously it would only be available if part of a Yara Signal or Threat Intel match). The endpoint is /api/v1/extracted-file?filename=
[Update] The default time frame on the Entity Timeline is now 3 days instead of 24 hours.
[Update] The http v2 Insight Action payload now includes a numeric severity value (1-4) in addition to the human-readable severity name (LOW, MEDIUM, HIGH, CRITICAL).
[Update] On the new Active Entities panel on the HUD, if the Entity is a Username, you can now navigate directly to that Entity’s Timeline by hovering over the Entity name and clicking the link.

Bug Fixes

In some cases, Cloud SIEM was unable to properly extract the user name from an AWS ARN.
A recent change caused checkboxes to malfunction in Firefox.
On the Entity Timeline record details, the timestamp wasn’t displaying properly.

March 2, 2023 - Content Release

This release contains changes to how the Palo Alto Firewall CSV parser handles timestamps. Time parsing now relies on _messagetime metadata generated at collection time. This allows individual sources to set timezone information if it is not available in the raw message and as a result, reflect more accurate timestamps for records being created.

Rules

[New] MATCH-S00844 LastPass - Account Created
[New] MATCH-S00854 LastPass - Failed Login
[New] MATCH-S00846 LastPass - Folder Permissions Updated
[New] MATCH-S00855 LastPass - Login
[New] MATCH-S00847 LastPass - Master Password Changed
[New] MATCH-S00848 LastPass - Password Changed
[New] MATCH-S00849 LastPass - Personal Share
[New] MATCH-S00850 LastPass - Policy Added
[New] MATCH-S00851 LastPass - Policy Deleted
[New] MATCH-S00852 LastPass - Shared Folder Created
[New] MATCH-S00853 LastPass - Super Admin Password Reset

Log Mappers

[New] LastPass - Account Created
[New] LastPass - Failed Login
[New] LastPass - Folder Permissions Updated
[New] LastPass - Login
[New] LastPass - Master Password Changed
[New] LastPass - Password Changed
[New] LastPass - Personal Share
[New] LastPass - Policy Modifications
[New] LastPass - Shared Folder Created
[New] LastPass - Super Admin Password Reset
[New] LastPass Catch All
[New] Sysdig Audit Trail JSON
[New] Sysdig Benchmark JSON
[New] Sysdig Command JSON
[New] Sysdig Connection JSON
[New] Sysdig File Access JSON
[New] Sysdig Kubernetes JSON
[New] Sysdig Policy Detection JSON
[New] Sysdig Scanning JSON
[Updated] Azure Firewall Network Rule
[Updated] Mimecast Email logs

Parsers

[New] /Parsers/System/LastPass/LastPass
[New] /Parsers/System/Sysdig/Sysdig JSON
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
[Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers
[Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security
[Updated] /Parsers/System/Microsoft/Windows-Syslog Snare

February 24, 2023 - Content Release

This release includes small modifications to First Seen rule type baseline and retention periods, and switches rule status from Prototype state, allowing more of these rules to contribute to Cloud SIEM Insights. The Microsoft Office 365 Audit parser now formulates key value pairs from the 'OperationProperties' array included in some messages.

Rules

[Updated] FIRST-S00002 First Seen AWS API Call from User
[Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
[Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
[Updated] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
[Updated] FIRST-S00001 First Seen Administrative Privileges Granted for User
[Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
[Updated] FIRST-S00019 First Seen Azure Member Addition to Group from User
[Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
[Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
[Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
[Updated] FIRST-S00013 First Seen Driver Load - Global
[Updated] FIRST-S00014 First Seen Driver Load - Host
[Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
[Updated] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
[Updated] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
[Updated] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
[Updated] FIRST-S00004 First Seen Local Group Addition by User
[Updated] FIRST-S00015 First Seen Macro Execution from User
[Updated] FIRST-S00016 First Seen Non-Network Logon from User
[Updated] FIRST-S00010 First Seen PowerShell Execution from Computer
[Updated] FIRST-S00009 First Seen RDP Logon From User
[Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
[Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
[Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global
[Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host

Parsers

[Updated] /Parsers/System/Microsoft/Office 365

February 22, 2023 - Content Release

Rules

[New] FIRST-S00001 First Seen Administrative Privileges Granted for User
[New] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
[New] FIRST-S00004 First Seen Local Group Addition by User
[New] FIRST-S00005 First Seen User Creation From User
[New] FIRST-S00006 First Seen Weak Kerberos Encryption from User
[New] FIRST-S00007 First Seen DynamoDB Enumeration from User
[New] FIRST-S00008 First Seen whoami command From User
[New] FIRST-S00009 First Seen RDP From User
[New] FIRST-S00010 First Seen PowerShell Execution from Computer
[New] FIRST-S00011 First Seen Sysmon IMPHASH - Global
[New] FIRST-S00012 First Seen Sysmon IMPHASH - Host
[New] FIRST-S00013 First Seen Driver Load - Global
[New] FIRST-S00014 First Seen Driver Load - Host
[New] FIRST-S00015 First Seen Macro Execution from User
[New] FIRST-S00016 First Seen Non-Network Logon from User
[New] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
[New] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
[New] FIRST-S00019 First Seen Azure Member Addition to Group from User
[New] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
[New] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
[New] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
[New] FIRST-S00023 First Seen AWS API Gateway Enumeration By User
[New] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
[New] FIRST-S00025 First Seen SMB Allowed Traffic From IP
[New] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
[New] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
[New] FIRST-S00028 First Seen Common Windows Recon Commands From User
[Updated] MATCH-S00534 MacOS - Re-Opened Applications

Log Mappers

[New] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand

February 22, 2023 Application Update

First Seen Rules

Sumo Logic is pleased to announce new features in Cloud SIEM that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.

The first feature is called a First Seen Rule. With this new rule type, Cloud SIEM can detect events such as “the first time a user logs in from a new location” without having to define a rule expression that is unique to each user in your environment (and the location(s) from which he/she usually logs in). Other examples include detecting the unusual granting of administrative privileges, Windows recon command, AWS Secrets Manager API calls, API gateway enumeration, and more.

First Seen Rules are defined like any other rule type, through the Content menu in Cloud SIEM.

First Seen Rules operate based on a baseline. During this period of time - typically between 7 and 30 days - the system will learn what normal and expected behavior looks like. After the baseline is established, Cloud SIEM will begin generating Signals when unusual behavior is detected compared to that baseline. Baselines can be per-entity or global. (Note that the longer the baseline, the more accurate the model will be.)

Cloud SIEM will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.

For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the Cloud SIEM UI.

Entity Timeline

Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:

This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.

Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.

The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.

For more information about how to use the Entity Timeline, see the online documentation.

Minor Changes and Enhancements

[Updated] Entities listed in the Signals index (sec_signal) now include criticality and suppressed attributes (which reflect the state of those Entities when the Signal was generated).
[New] The Cloud SIEM API now supports searching the Threat Intelligence data by sourceName.
[Updated] The Threat Intelligence API GetThreatIntelIndicators endpoint now supports data sets of more than 10,000 indicators.
[Updated] The Insights API now supports searching (filtering) by confidence score.
[Updated] Cloud SIEM now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
[Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
[New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.

Bug Fixes

The consolidated Insight ‘board’ view was not displaying properly in some instances.
An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
The Insight creation source label was not positioned properly when scrolling an Insight Details page.
Entity notes could not be deleted.

February 17, 2023 - Content Release

Rules

[New] MATCH-S00842 Suspicious Azure CLI Keys Access on Linux Host
[New] MATCH-S00843 Suspicious GCP CLI Keys Access on Linux Host

Note that the following updates do not change detection capabilities and are only updates to descriptions and other metadata.

[Updated] MATCH-S00308 AWS CloudTrail - OpsWorks Describe Permissions Event
[Updated] MATCH-S00210 AWS CloudTrail - SQS List Queues Event
[Updated] MATCH-S00238 AWS CloudTrail - sensitive activity in KMS
[Updated] MATCH-S00594 Alibaba ActionTrail KMS Activity
[Updated] MATCH-S00417 Attrib.exe use to Hide Files and Folders
[Updated] MATCH-S00786 Azure - SQL Database Export
[Updated] MATCH-S00304 External Device Installation Denied
[Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
[Updated] MATCH-S00614 GCP Audit KMS Activity
[Updated] MATCH-S00466 MsiExec Web Install
[Updated] MATCH-S00288 NotPetya Ransomware Activity
[Updated] MATCH-S00634 Okta Admin App Access Attempt Failed
[Updated] MATCH-S00633 Okta Admin App Accessed
[Updated] MATCH-S00756 Outlook Homepage Modification
[Updated] MATCH-S00465 PXELoot Utility
[Updated] MATCH-S00200 Potential Pass the Hash Activity
[Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
[Updated] MATCH-S00265 QuarksPwDump Dump File Observed
[Updated] MATCH-S00747 Registry Modification - Active Setup
[Updated] MATCH-S00754 Registry Modification - Microsoft Office Test Function Registry Entry
[Updated] MATCH-S00422 Spaces Before File Extension
[Updated] MATCH-S00196 Successful Overpass the Hash Attempt
[Updated] MATCH-S00293 Suspicious External Device Installation
[Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
[Updated] MATCH-S00279 TAIDOOR RAT DLL Load

Log Mappers

[Deleted] Sysdig Monitor C2C
[New] CloudTrail - s3.amazonaws.com - GetBucketAcl
[Updated] CloudTrail - s3.amazonaws.com - CreateBucket
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
[Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
[Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
[Updated] Fortinet App Control Logs
[Updated] Fortinet DLP Logs
[Updated] Fortinet DNS Logs
[Updated] Fortinet Event Logs
[Updated] Fortinet IPS Logs
[Updated] Fortinet Traffic Logs
[Updated] Fortinet VOIP Logs
[Updated] Fortinet Virus Logs
[Updated] Fortinet Webfilter Logs

Parsers

[Deleted] /Parsers/System/Sysdig/Sysdig Monitor C2C
[Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
[Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance

February 13, 2023 - Application Update

Active Entities Panel

To assist analysts detect potential security issues as early as possible, a new panel has been added to the Heads Up Display (HUD):

This panel lists the top five most active entities, ranked by Signal Severity Total. This metric, which was introduced with the Related Entities enhancement last year, is the total sum of the severities of all unique Signals the Entity appears in during the current Insight detection window (typically, the past 14 days).

The count of Active Signals (Signals within the detection window that have not been included in an Insight) is also listed.

When hovering over the Entity value, the Entity’s type will be displayed. The Entity value is a link to that Entity’s details page.

Analysts can use this tool to investigate what appears to be risky activity and potentially proactively security issues before they are raised to the level of an Insight.

Minor Changes and Enhancements

[New] When looking at Signals in the new sec_signal index, attributes and values in array fields are now properly supported by auto-parsing, syntax like count by, and features like right-click > filter selected value*.
[New] An attribute attackStage has been added to the new sec_signal index. This attribute summarizes the Mitre attack stage represented by the rule which triggered the signal. The value is defined the same way as the attack_stage attribute included in the older Signal forwarding feature.
[Updated] The subResolution attribute is now included in the Insight payload for http v2 actions.
[Updated] The way Release Notes are listed in the Cloud SIEM UI is changing. There is no longer a “bell” item on the top menu; it has been replaced with a link to the Release Notes page in the Help menu. In addition, Release Notes are now directly visible in the UI when they are published.
[New] When executing a context action on a Signal, fields will now be passed to the context action if they are available based on the record(s) in context.

Bug Fixes

The “Radar” graph of records, Signals and Insights on the HUD has been updated so that the discontinuity at the top of the Signals section of the graph has been removed.
When viewing the raw log message corresponding to a normalized record, the wrong message was displayed.
The Network Block(s) associated with an Entity were not listed on the Entity details page.
When testing Rule expressions, sometimes the selected Tuning expression was not included.
Changes to entity tags or Criticality were not being listed on the History section of the Entity.
Entity Criticality was sometimes not displaying properly on the Insight details page.

February 8, 2023 - Content Release

Rules

[New] MATCH-S00838 Azure Active Directory Authentication Method Changed
[New] MATCH-S00836 Azure Conditional Access Policy Disabled
[New] MATCH-S00839 Azure Virtual Machine RunCommand Issued
[New] MATCH-S00837 Kubernetes Secrets Enumeration via Kubectl
[New] MATCH-S00835 Possible Dynamic URL Domain
[New] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
[New] MATCH-S00841 Suspicious AWS CLI Keys Access on Linux Host
[New] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
[Updated] THRESHOLD-S00074 Excessive Firewall Denies
[Updated] LEGACY-S00008 Possible Dynamic DNS Domain
[Updated] LEGACY-S00108 Threat Intel - Matched File Hash

Log Mappers

[New] Airtable Audit C2C
[New] Cisco Meraki Catch All - Custom Parser
[Updated] Linux OS Syslog - Process fw - iptables Events
[Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
[Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
[Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted
[Updated] Windows - Security - 4624

Parsers

[New] /Parsers/System/Airtable/Airtable Audit C2C
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Cisco/Cisco Meraki
[Updated] /Parsers/System/Google/G Suite Audit
[Updated] /Parsers/System/Linux/Linux OS Syslog
[Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
[Updated] /Parsers/System/Okta/Okta

January 20, 2023 - Content Release

Rules

[New] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
[New] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents
[Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User

January 19, 2023 Application Update

Minor Changes and Enhancements

[Updated] On the HUD, the Insight Activity widget has been updated. When selecting the Insight to display, the HUD will now choose based on this order of preference: In “New”, Unassigned, Highest GIS Confidence Score, Highest Severity, Newest. In addition, the design has been updated to improve readability.
[New] Users who wish to substitute custom Insight status(es) for the built-in “In Progress” status can now do so. After creating and organizing the custom statu(es), the user can now disable the “In Progress” status. (It cannot be deleted.) Note that it can be disabled only if there are no Insights currently set to “In Progress.”
Changes to Entity tags and criticality now appear in the Entity’s change history list.
The Sumo Terraform provider now includes support for custom columns in match lists.
Kubernetes (k8s) attribute fields are now normalized to include the namespace. The normalized fields are: normalizedPodName, normalizedDeploymentName, and normalizedReplicaSetName.

Resolved Issues

Some Insights could not be closed via the UI (though they could via API).
In the consolidated (parent/child) Insight view, in “Board” mode, scrolling was not working properly. In addition, links to other orgs had an error in the URL (a duplicate “/sec”).

January 13, 2023 - Content Release

Rules

[New] MATCH-S00825 AWS Secrets Manager Enumeration
[New] MATCH-S00827 Exposed AWS SNS Topic Created
[New] MATCH-S00823 Exposed AWS SQS Queue Created
[New] MATCH-S00828 Office 365 Exchange Transport Rule Created
[New] MATCH-S00829 Office 365 Exchange Transport Rule Enabled
[New] MATCH-S00830 Office 365 Forwarding Rule Created
[New] MATCH-S00833 Office 365 Inbox Rule Created
[New] MATCH-S00832 Office 365 Inbox Rule Updated
[New] MATCH-S00831 Office 365 Unified Audit Logging Disabled
[New] MATCH-S00824 Potential XMRig Execution with Traffic
[New] MATCH-S00826 SSH Keys Added to EC2 Instance
[New] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
[Updated] MATCH-S00480 Solarwinds Suspicious Child Processes
[Updated] MATCH-S00504 User Added to Local Administrators

Log Mappers

[New] Windows - Microsoft-Windows-Sysmon/Operational - 22
[New] Windows - Microsoft-Windows-Sysmon/Operational - 23
[New] Windows - Microsoft-Windows-Sysmon/Operational - 24
[New] Windows - Microsoft-Windows-Sysmon/Operational - 25
[New] Windows - Microsoft-Windows-Sysmon/Operational - 26
[New] Windows - Microsoft-Windows-Sysmon/Operational - 27
[New] Windows - Microsoft-Windows-Sysmon/Operational - 28
[Updated] Cloudflare - Logpush
[Updated] Microsoft Office 365 AzureActiveDirectory Events
[Updated] Microsoft Office 365 Exchange Mailbox Audit Events
[Updated] Microsoft Office 365 Exchange Mailbox Authentication Events
[Updated] Microsoft Office 365 ExchangeItem Events
[Updated] Microsoft Office 365 ExchangeItemGroup Events
[Updated] Microsoft Office 365 RecordType 105
[Updated] Microsoft Office 365 RecordType 37
[Updated] Microsoft Office 365 RecordType 57
[Updated] Office 365 - Exchange Admin Events

Parsers

[New] /Parsers/System/Microsoft/Windows-Syslog WinCollect

Schema

[Updated] device_k8s_normalizedDeploymentName
[Updated] device_k8s_normalizedPodName
[Updated] device_k8s_normalizedReplicaSetName
[Updated] dstDevice_k8s_normalizedDeploymentName
[Updated] dstDevice_k8s_normalizedPodName
[Updated] dstDevice_k8s_normalizedReplicaSetName
[Updated] srcDevice_k8s_normalizedDeploymentName
[Updated] srcDevice_k8s_normalizedPodName
[Updated] srcDevice_k8s_normalizedReplicaSetName

January 5, 2023 - Content Release

Rules

[Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

[New] Google G Suite - login-email_forwarding_change
[New] Laurel Linux Audit - Catch All
[New] Laurel Linux Audit - System Call
[New] Laurel Linux Audit - User Logon
[Updated] Lacework Alert

Parsers

[New] /Parsers/System/AWS/AWS Security Hub
[New] /Parsers/System/Laurel/Laurel Linux Audit
[New] /Parsers/System/Signal Science/Signal Science WAF
[New] /Parsers/System/Workday/Workday

Schema

[Updated] device_k8s_deployment
[Updated] device_k8s_pod
[Updated] device_k8s_replicaSet
[Updated] dstDevice_k8s_deployment
[Updated] dstDevice_k8s_pod
[Updated] dstDevice_k8s_replicaSet
[Updated] srcDevice_k8s_deployment
[Updated] srcDevice_k8s_pod
[Updated] srcDevice_k8s_replicaSet

2022 Release Notes Archive - Cloud SIEM

Sat, 31 Dec 2022 00:00:00 GMT

This is an archive of 2022 Cloud SIEM release notes. To view the full archive, click here. Release notes are available on our website for a rolling multi-year period. For information about older releases, contact Support.

December 21, 2022 - Content Release

Rules

[Updated] MATCH-S00547 Script Execution Via WMI
[Updated] MATCH-S00684 Wget Passed to Script Execution Command

Log Mappers

[New] Azure Firewall Application Rule
[New] Azure Firewall DNS Proxy
[New] Azure Firewall Network Rule
[New] Microsoft O365 Exchange Message Trace C2C

Parsers

[New] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C
[New] /Parsers/System/Microsoft/Windows XML from Azure
[Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON

Schema

[New] email_recipient

December 14, 2022 - Content Release

Log Mappers

[Updated] Cisco ASA 710002-3 JSON
[Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
[Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
[Updated] Windows - Security - 4732

Parsers

[New] /Parsers/System/Snort/Snort
[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
[Updated] /Parsers/System/Okta/Okta
[Updated] /Parsers/System/Suricata/Suricata Syslog
[Updated] /Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON

December 13, 2022 Application Update

New Entity Types

Eight new predefined Entity types have been added to Cloud SIEM. This will enable customers to more accurately associate Signals and Insights with security threats. They are listed below long with the related normalized record schema attributes (which can be specified in Rule definitions):

Entity Type	Schema Attributes
Command	`commandLine`
Domain	`http_referer_fqdn`, `http_url_fqdn`
Email	`targetUser_email`, `user_email`
File	`file_path`, `file_basename`
Hash	`file_hash_imphash`, `file_hash_md5`, `file_hash_pehash`, `file_hash_sha1`, `file_hash_sha256`, `file_hash_ssdeep`
Process	`baseImage`, `parentBaseImage`
URL	`http_url`
User Agent	`http_userAgent`

If you already had a custom Entity type with the same or similar name, it will not be affected and will not be automatically migrated to the corresponding standard Entity type.

Entity Notes

Similar to the functionality on Insights, users can now attach notes to Entities:

These notes are retained permanently on the associated Entity and are visible to all users who can view the Entity.

Custom Time Windows for Rules

Threshold, Aggregation and Chain Rules now support custom time windows. Previously, when writing a Rule, a time window had to be chosen from a list of predefined options. With this new enhancement, users can define any time window defined in minutes, hours, or days, with a minimum of 1 minute and a maximum of 5 days (120 hours):

Inventory Favorite Fields

Where inventory data is shown for an Entity, such as the Entity details page or the Insight details page, users can now “favorite” the inventory fields that should be shown in the summary list.

To do this, simply expand the Full Details view, hover to the left of the field, and click the star icon that appears. To remove the favorite selection, simply unclick the star icon. The field selections are applied across all users and retained across sessions. (This behavior is the same as for favorite fields on Records.)

Minor Changes and Enhancements

[Updated] The previously announced migration of our out-of-the-box rules from standard match lists to Entity tags has been postponed. New dates for this migration will be announced in the near future.
[New] Service providers using the Consolidated Insight List can now see Insights from client organizations across deployments.
[Updated] The usability of filters for list views when searching for an object that includes a specific tag schema has been enhanced.
[Removed] The link to download the Insight Enrichment Service has been removed from the Enrichment page. The link is specified in the installation instructions online.
[New] Users can now filter Records by Sensor Zone.

Resolved Issues

Importing data from CSV files via the UI was not working properly.
The http_url field was not being concatenated properly in some mapper scenarios.
Entity domain normalization was not working properly.
The Copy Expression feature in the UI did not copy Boolean values to the clipboard properly.
The Rule Tuning Expression list page was not auto-refreshing correctly.
Users were unable to filter the Signals list based on severity.
IP addresses in the 198.18.0.0/15 and 169.254.0.0/15 ranges were not being marked as private subnets per RFC1918.
Users without the proper permissions were able to add comments and Signals to Insights.
Regular expressions ending with an asterisk * were not working properly in search/list filters.

December 8, 2022 - Content Release

Rules

[Updated] MATCH-S00159 Windows - Permissions Group Discovery

Log Mappers

[Updated] Azure Administrative logs
[Updated] Azure NSG Flows
[Updated] Squid Proxy - Parser
[Updated] Windows - Security - 4624

Parsers

[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

December 1, 2022 - Content Release

Log Mappers

[New] Azure Risky Users
[New] Azure User Risk Events
[New] CrowdStrike Falcon CustomerIOCEvent (CNC)
[New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
[New] CrowdStrike Falcon Identity Protection (CNC)
[New] Microsoft Office 365 RecordType 105
[New] Microsoft Office 365 RecordType 37
[New] Microsoft Office 365 RecordType 57
[New] Windows - Security - Default
[Updated] Azure Event Hub - Windows Defender Logs
[Updated] Cisco ASA 106100 JSON
[Updated] Microsoft Office 365 Events
[Updated] Windows - Security - 4740

Parsers

[New] /Parsers/System/Microsoft/Microsoft Azure Nested JSON
[New] /Parsers/System/Microsoft/Windows-JSON
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

November 22, 2022 - Content Release

Rules

[Updated] MATCH-S00570 WMIPRVSE Spawning Process

Log Mappers

[Updated] Gigamon Threat Insight - Catch All
[Updated] Gigamon Threat Insight - Suricata
[Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

[New] /Parsers/System/Gigamon/GigamonTI
[Updated] /Parsers/System/Lacework/Lacework JSON
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Schema

[Updated] baseImage
[Updated] commandLine
[Updated] file_basename
[Updated] file_hash_imphash
[Updated] file_hash_md5
[Updated] file_hash_pehash
[Updated] file_hash_sha1
[Updated] file_hash_sha256
[Updated] file_hash_ssdeep
[Updated] file_path
[Updated] http_referer_fqdn
[Updated] http_url
[Updated] http_url_fqdn
[Updated] http_userAgent
[Updated] parentBaseImage
[Updated] targetUser_email
[Updated] user_email

November 17, 2022 - Content Release

Log Mappers

[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
[Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7

Parsers

[Updated] /Parsers/System/Microsoft/Sysmon-JSON

November 15, 2022 - Content Release

Rules

[New] MATCH-S00822 Potential Microsoft Office In-Memory Token Theft
[Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

[New] Cisco Meraki 8021x
[New] Cisco Meraki Client Association
[Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

[Updated] /Parsers/System/Cisco/Cisco Meraki

November 11, 2022 - Content Release

Rules

[Updated] MATCH-S00582 Malicious Service Installs
[Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking

Log Mappers

[New] BigQuery Gmail C2C - Catch All
[New] BigQuery Gmail C2C - Error in Delivery
[New] BigQuery Gmail C2C - Failed Delivery
[New] BigQuery Gmail C2C - Message was dropped by Gmail
[New] BigQuery Gmail C2C - Message was rejected by Google Groups
[Updated] AWSGuardDuty_Catch_All
[Updated] AWSGuardDuty_Discovery
[Updated] Azure Access Logs
[Updated] Azure Action Logs
[Updated] Azure Administrative logs
[Updated] Azure AuditEvent logs
[Updated] Azure ManagedIdentitySignInLogs
[Updated] Azure NonInteractiveUserSignInLogs
[Updated] Azure ServicePrincipalSignInLogs
[Updated] Azure Storage Analytics
[Updated] Azure Write and Delete Logs
[Updated] AzureActivityLog
[Updated] AzureActivityLog 01
[Updated] AzureActivityLog AuditLogs
[Updated] AzureDevOpsAuditing
[Updated] AzureDiagnosticLog
[Updated] Cisco ASA 113039 JSON
[Updated] Cisco Ironport MID - Custom Parser
[Updated] Cisco Ironport SFIMS - Custom Parser
[Updated] Cisco Ironport WSA - Custom Parser
[Updated] GCP App Engine Logs
[Updated] GCP Audit Logs
[Updated] GCP Firewall
[Updated] GCP Parser - Load Balancer
[Updated] GCP VPC Flows
[Updated] Kubernetes
[Updated] Office 365 - Exchange Admin Events
[Updated] Windows - Security - 4697
[Updated] Windows - Security - 4820

Parsers

[New] /Parsers/System/Google/GCP BigQuery Gmail
[Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
[Updated] /Parsers/System/Dell/Dell SonicWall
[Updated] /Parsers/System/Infoblox/Infoblox

Schema

[New] device_k8s_normalizedDeploymentName
[New] device_k8s_normalizedReplicaSetName
[New] dstDevice_k8s_normalizedDeploymentName
[New] dstDevice_k8s_normalizedReplicaSetName
[New] srcDevice_k8s_normalizedDeploymentName
[New] srcDevice_k8s_normalizedReplicaSetName

October 27, 2022 - Content Release

Rules

[New] CHAIN-S00011 Potential InstallUtil Allow List Bypass
[Updated] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
[Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution

Log Mappers

[Updated] AWS - Application Load Balancer - ALB
[Updated] AWS - Application Load Balancer - JSON
[Updated] AWS API Gateway
[Updated] AWS CloudFront
[Updated] AWS EKS - Custom Parser
[Updated] AWS Elastic Load Balancer - Custom Parser
[Updated] AWS GuardDuty Alerts from Sumo CIP
[Updated] AWS Inspector - Custom Parser
[Updated] AWS Network Firewall Alerts
[Updated] AWS Network Firewall Flow
[Updated] AWS Network Firewall Netflow
[Updated] AWS Route 53 Logs
[Updated] AWS S3 Server Access Log - Custom Parser
[Updated] AWS Security Hub
[Updated] AWS Trusted Advisor
[Updated] AWS VPC Flow Logs - Default Format
[Updated] AWS VPC Flow Logs - JSON Format
[Updated] AWS WAF Allow Logs
[Updated] AWS WAF Block Logs
[Updated] AWSGuardDuty_Backdoor
[Updated] AWSGuardDuty_Behavior
[Updated] AWSGuardDuty_Catch_All
[Updated] AWSGuardDuty_CryptoCurrency
[Updated] AWSGuardDuty_Discovery
[Updated] AWSGuardDuty_Exfiltration
[Updated] AWSGuardDuty_PenTest
[Updated] AWSGuardDuty_Persistence
[Updated] AWSGuardDuty_Policy
[Updated] AWSGuardDuty_ResourceConsumption
[Updated] AWSGuardDuty_Stealth
[Updated] AWSGuardDuty_Trojan
[Updated] AwsServiceEvent-AWS API Call via CloudTrail
[Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
[Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
[Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
[Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
[Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
[Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
[Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
[Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
[Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
[Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
[Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
[Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
[Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
[Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
[Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
[Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
[Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
[Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
[Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
[Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
[Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
[Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
[Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
[Updated] CloudTrail - iam.amazonaws.com - CreateUser
[Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
[Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
[Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - DeleteUser
[Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
[Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
[Updated] CloudTrail - kms.amazonaws.com - DisableKey
[Updated] CloudTrail - kms.amazonaws.com - RotateKey
[Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
[Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
[Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
[Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
[Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
[Updated] CloudTrail - s3.amazonaws.com - CreateBucket
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
[Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
[Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
[Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
[Updated] CloudTrail - signin.amazonaws.com - CheckMfa
[Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
[Updated] CloudTrail - signin.amazonaws.com - ExitRole
[Updated] CloudTrail - signin.amazonaws.com - RenewRole
[Updated] CloudTrail - signin.amazonaws.com - SwitchRole
[Updated] CloudTrail - sso.amazonaws.com - Federate
[Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
[Updated] CloudTrail Default Mapping
[Updated] Falco Detection JSON
[Updated] Juniper SSG Series Firewall - Audit Messaging
[Updated] Juniper SSG Series Firewall - Traffic Messaging
[Updated] Microsoft IIS Parser - Catch All
[Updated] Recon_EC2_PortProbeUnprotectedPort
[Updated] Recon_EC2_Portscan
[Updated] Recon_IAMUser
[Updated] UnauthorizedAccess_EC2_SSHBruteForce
[Updated] UnauthorizedAccess_EC2_TorClient
[Updated] UnauthorizedAccess_EC2_TorIPCaller
[Updated] UnauthorizedAccess_EC2_TorRelay
[Updated] UnauthorizedAccess_IAMUser

Parsers

[Renamed] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog -> /Parsers/System/Juniper/Juniper SSG Series Firewall Syslog
[New] /Parsers/System/Netskope/Netskope Security Cloud JSON
[Updated] /Parsers/System/Falco/Falco JSON
[Updated] /Parsers/System/Microsoft/Microsoft IIS

October 20, 2022 - Content Release

Rules

[Updated] MATCH-S00640 Kubernetes Pod Created in Kube Namespace
[Updated] MATCH-S00642 Kubernetes Service Account Created in Kube Namespace

Log Mappers

[New] Juniper SSC Series Firewall - Audit Messaging
[New] Juniper SSC Series Firewall - Traffic Messaging
[New] Linux-Sysmon/Operational - 1
[New] Linux-Sysmon/Operational - 10
[New] Linux-Sysmon/Operational - 11
[New] Linux-Sysmon/Operational - 15
[New] Linux-Sysmon/Operational - 16
[New] Linux-Sysmon/Operational - 17
[New] Linux-Sysmon/Operational - 18
[New] Linux-Sysmon/Operational - 2
[New] Linux-Sysmon/Operational - 23
[New] Linux-Sysmon/Operational - 3
[New] Linux-Sysmon/Operational - 4
[New] Linux-Sysmon/Operational - 5
[New] Linux-Sysmon/Operational - 6
[New] Linux-Sysmon/Operational - 7
[New] Linux-Sysmon/Operational - 8
[New] Linux-Sysmon/Operational - 9
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Azure Advanced Threat Protection
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Defender for Cloud Apps
[Updated] Kubernetes
[Updated] Microsoft Office 365 Threat Intelligence Events

Parsers

[New] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog
[New] /Parsers/System/Linux/Linux Sysmon XML

Schema

[New] device_k8s_deployment
[New] device_k8s_namespace
[New] device_k8s_normalizedPodName
[New] device_k8s_pod
[New] device_k8s_replicaSet
[New] dstDevice_k8s_deployment
[New] dstDevice_k8s_namespace
[New] dstDevice_k8s_normalizedPodName
[New] dstDevice_k8s_pod
[New] dstDevice_k8s_replicaSet
[New] srcDevice_k8s_deployment
[New] srcDevice_k8s_namespace
[New] srcDevice_k8s_normalizedPodName
[New] srcDevice_k8s_pod
[New] srcDevice_k8s_replicaSet
[Updated] device_container_runtime

October 20, 2022 - Application Update

Support for Custom Inventory Sources

Cloud SIEM now supports custom sources of inventory data. Now, if you want to ingest inventory data from a source that Sumo Logic does not provide a pre-built connnector for, you can use this new feature. See the new document Configure a Custom Inventory Source for details.

Standard Match Lists

As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the previous announcement. This will continue until January 20, 2023, when the migration will be complete.

Minor Changes and Enhancements

[New] API endpoints have been creeated enabling users to upload attribute changes (such as tags or criticality) for multiple Entities in a single call, rather than having to do so one at a time. The new endpoints are /entities/bulk-add-tags, /entities/bulk-update-tags, /entities/bulk-remove-tags, /entities/bulk-update-suppressed, and /entities/bulk-update-criticality. Note that these API endpoints have a limit of 1000 entries per call. More details are available via the API Documentation link in Cloud SIEM.
[Updated] Previously, a new feature was added to the Enrichments tab that enabled you to hide any attribute-value pair with an "empty" value for clarity. This included values like "0" or "N/A". However, some of those values are often useful to the analyst (for example, number_of_threat_reports="0"). Starting with this release, this feature will only hide attributes with truly empty values (i.e., attribute="").

Resolved Issues

The CSV file upload method for updating Entity attributes did not support sensor zones or normalized entity names properly.
Cloud SIEM has switched providers of lists of public dynamic DNS domains, which has resolved an issue with rules utilizing these lists.

October 13, 2022 - Application Update

Announcement: Standard Match Lists Migration to Entity Tags

Currently, Cloud SIEM defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with Cloud SIEM will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.

Next week, a new set of standard tag schemas will be introduced in Cloud SIEM. These tag schemas will correspond to the existing standard Match Lists:

Key	Allowed Values	Equivalent Match List
_deviceGroup	admin	admin_ips
	awsAdmin	AWS_admin_ips
	business	business_ips
	gcpAdmin	GCP_admin_ips
	googleWorkspaceAdmin	Google_Workspace_admin_ips
	salesforceAdmin	salesforce_admin_ips
	sandbox	sandbox_ips
	scanTarget	scanner_targets
_deviceService	dns	dns_servers dns_servers_dst dns_servers_src
	ftp	ftp_servers
	smtp	smtp_servers
	sql	sql_servers
	ssh	ssh_servers
	telnet	telnet_servers
_deviceType	authServer	auth_servers auth_servers_dst auth_servers_src
	lanScanner	lan_scanner_exception_ips
	nms	nms_ips
	paloAltoSinkhole	palo_alto_sinkhole_ips
	proxyServer	proxy_servers proxy_servers_dst proxy_servers_src
	vpnServer	vpn_servers
	vulnerabilityScanner	vuln_scanners
	webServer	http_servers
_networkType	guest	guest_networks
	nat	nat_ips
	vpn	vpn_networks
_userGroup	awsAdmin	AWS_admin_users
	dsReplication	ds_replication_authorized_users
	gcpAdmin	GCP_admin_users
	googleWorkspaceAdmin	Google_Workspace_admin_users
	kerberosDowngrade	downgrade_krb5_etype_authorized_users
	salesforceAdmin	salesforce_admin_users

(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)

Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity 1.2.3.4 is in match list sql_servers, a tag _deviceService:sql will be set on it. Cloud SIEM will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and Cloud SIEM will no longer automatically create these tags.

Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.

Note that you cannot extend the standard tag schemas (for example, you cannot add a value azureAdmin to _userGroup). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as customUserGroup) with such extended values.

You can refer to Entity tags in Rule expressions. For example, if you've attached the tag _deviceService:sql to an Entity, this statement will return "true" if that Entity is listed in a Record's srcDevice_ip field:

array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")

Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.

Minor Changes and Enhancements

[New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that are part of that schema. For example, if you search for _networkType (from the note above) the list results will include any object that has a tag of _networkType:guest, _networkType:nat, and/or _networkType:vpn.

Resolved Issues

Entity relationships were not taking sensor zones into account properly.
Entity details pages were only briefly displaying the proper Criticality.
The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.

October 12, 2022 - Introducing Sumo Logic Open Source Docs

Welcome to the Sumo Logic Cloud SIEM Release Notes on our new docs site! We're now open source and encourage you to contribute. We welcome all contributions, from minor typo fixes to brand new docs. Your expertise and sharing can help fellow users learn and expand their knowledge of Sumo Logic.

Here you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM.

To view Release Notes from previous years, check the archive.

October 6, 2022 - Application Update

Application Update: Minor Changes and Enhancements

[Updated] Dynamic severity in rules has been enhanced. Users can now specify ranges of values to match to a specific severity. There are now multiple options, and these options can be combined (the first rule that matches is used; if none match then the default is used):
- Equal to Exact string or mathematical match ("Equal to 4" will match "4" and 4.0 but not 4.01)
- Greater than and Less than Mathematical only, not inclusive ("Less than 5" will match 4.9 but not 5)
- Between Mathematical only, inclusive ("Between 5 and 10" will match 5 or 7 but not 10.1)
- Not in the record Will match when the attribute is not listed in the record. (if there is no "bro_irc_value" attribute then this rule will match; if "bro_irc_value" exists but is empty/null, this does not match)
[New] Users can now filter the Signals list based on the type of Rule that generated the Signal (Match, Chain, Aggregation, etc.)
[New] Users can now perform negative keyword searches ("not:aws" would return all objects that do not include the keyword "aws")
[New] Entity domain normalization can now be managed via Terraform
[New] Users can now configure the Email Action to send emails in plain text in addition to the previously supported multipart HTML5/text format
[New] Changes to the Insight Threshold are now noted in the Audit Log
[Deleted] As previously announced, the IBM Resilient and Sensor actions have been removed from Cloud SIEM

Resolved Issues

Match list items were not matching properly in some instances, such as after deletion
Keyword searches did not properly support values (such as hostnames) with embedded dashes
Changes to prototype state were not visible in the rule history
In some cases, the system was parsing domain names/TLDs incorrectly

Content Release

Log Mappers

[New] Azure Application Service Console Logs
[New] Google G Suite Alert Center - Sensitive Admin Action
[Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents

Parsers

[Updated] /Parsers/System/Google/G Suite Alert Center

Legacy Parsers

[Updated] CISCO_MERAKI_SECURITY_FILTERING_FILE_SCANNED
[Updated] CISCO_MERAKI_URLS
[Updated] Twistlock_Logs

September 29, 2022 - Content Release

Rules

[Deleted] MATCH-S00070 Checkpoint Firewall

Log Mappers

[New] Cyber Ark EPM AggregateEvent
[New] Cyber Ark EPM AuditAdmin
[New] Cyber Ark EPM GetComputer
[New] Cyber Ark EPM Policy
[New] Cyber Ark EPM RawDetails
[New] Cyber Ark EPM RawEvents

Parsers

[New] /Parsers/System/Cyber-Ark/CyberArk EPM JSON
[Updated] /Parsers/System/Auth0/Auth0

September 19, 2022 - Content Release

Rules

[Deleted] CHAIN-S00009 Proofpoint TAP Click Permitted Followed by Successful Request

Log Mappers

[New] Wiz Catch All
[Updated] Orca Security Parser - Catch All

Schema

[New] cloud_provider
[New] cloud_region
[New] cloud_service
[New] cloud_zone
[New] device_container_id
[New] device_container_name
[New] device_container_runtime
[New] device_image
[New] device_type
[New] dstDevice_container_id
[New] dstDevice_container_name
[New] dstDevice_container_runtime
[New] dstDevice_image
[New] dstDevice_type
[New] resourceType
[New] srcDevice_container_id
[New] srcDevice_container_name
[New] srcDevice_container_runtime
[New] srcDevice_image
[New] srcDevice_type
[Updated] dstDevice_uniqueId

September 12, 2022 - Application Update

Insight Enrichment Server for Fed deployment

[Update] We’ve released a new version of the Insight Enrichment Server that runs on the Sumo Logic FedRAMP-compliant deployment. This makes Cloud SIEM on FedRAMP functionally equivalent to commercial deployments of Cloud SIEM.

September 9, 2022 - Application Update

Minor Changes and Enhancements

[New] An API endpoint has been added which enables user to delete multiple entries in a match list in one operation: POST: /match-list-items/bulk-delete
[Updated] When inventory data for hosts includes both private and public IP addresses, that data will be attached to both Entities. Previously it was only attached to one of the IP address Entities.
[Updated] Previously we announced that the severity attribute for Insights in the Audit Logs would be switching from numbers (1-4) to text (LOW, MEDIUM, HIGH, etc). Instead, we have retained the existing numerical attribute and added a new attribute severityName containing the human-readable text.

Resolved Issues

In some Audit Log messages related to Insight comments, the insight_readable_id was not set correctly.
In some cases, manually adding or removing tags in an Insight was not being recorded in the Audit Logs properly.
For some customers, the bar chart on the Records list page was not rendering properly.
Time/date stamps were not being displayed consistently across the UI.
Some pages were returning intermittent 404 or internal errors.

September 8, 2022 - Content Release

In one week (2022-09-15), we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

[Updated] MATCH-S00819 Chromium Process Started With Debugging Port

Log Mappers

[Updated] Aruba ClearPass Syslog

Parsers

[Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/Microsoft/Microsoft IIS

September 1, 2022 - Application Update

Announcements

Starting October 1, 2022, _suppressed _Signals will be retained in Cloud SIEM for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the Cloud SIEM UI.
- Note also that in the past, Signals attached to Insights were searchable from the Cloud SIEM Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.)
As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from Cloud SIEM by the end of this month.

Minor Changes and Enhancements

[New] In the Audit Log, when an Insight is created, the sum of the included Signals' severity is now included with the insight in the risk_score field (i.e. if there were three Signals each with a severity of 4, the sum of 12 will be included).
[Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. The Click action now brings up a "Copy Value" action instead.
[New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
[New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.

Resolved Issues

In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
Time stamps were missing from Records in some views.

Content Release

In 2 weeks (2022-09-15) we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

[New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
[New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
[New] MATCH-S00819 Chromium Process Started With Debugging Port
[New] MATCH-S00820 Cloud Credential File Accessed
[New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
[Updated] MATCH-S00235 Azure - Create User

Log Mappers

[New] Mimecast AV Event
[New] Mimecast Impersonation Event
[New] Mimecast Spam Event
[Updated] AzureActivityLog AuditLogs

August 25, 2022 - Application Update

Application Update

Cloud SIEM App is now available

The Cloud SIEM app gives you visibility into what’s going on in Cloud SIEM. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by Cloud SIEM. You can also get insight in Cloud SIEM rules, including rule management activity, and which rules have fired.

This app is available to all licensed Cloud SIEM customers in the Sumo Logic App Catalog. For more information, see Cloud SIEM App.

Content Release

Rules

[Updated] MATCH-S00632 Okta Administrator Access Granted
[Updated] MATCH-S00683 Overly Permissive Chmod Command

Log Mappers

[New] Check Point Avanan
[New] Cisco ISE Authentication Failure
[New] Cisco ISE Authentication Success
[New] Cisco ISE Catch All
[New] FireEye Web MPS Event
[Updated] Microsoft Office 365 Threat Intelligence Events
[Updated] Windows Microsoft-Windows-Sysmon/Operational 3
[Updated] Windows Security 4688

Parsers

[New] /Parsers/System/Check Point/Check Point Avanan JSON
[New] /Parsers/System/Cisco/Cisco ISE
[New] /Parsers/System/FireEye/FireEye Web MPS JSON

August 18, 2022 - Application Update

Resolved Issues

Several issues were resolved related to the bulk upload of Entity attributes, including errors with CSV file parsing, editing uploaded attributes in the UI, and a lack of audit logging.
On the Entity details page, the criticality was not being displayed properly. Labels were not being created properly based on Network Blocks for a small number of customers.
InsightCommentCreated audit events did not include the readableId attribute.
For some record types, the Actions field was not being displayed if selected as a favorite field.

July 28, 2022 - Application Update

Read-Only User Capabilities for Cloud SIEM

New user capabilities (permissions) have been created enabling read-only access to content and configuration features in Cloud SIEM.

These can be used when defining roles in the Sumo Logic platform.

(For those with Cloud SIEM instances in the jask.ai domain, these capabilities are accessed via the Configuration > Roles page in Cloud SIEM.)

Users with these capabilities (without the corresponding Manage capabilities) will be able to view the corresponding pages but will not be able to make changes on those pages. (Previously, users without the Manage capabilities could not see the corresponding pages.)

These permissions also apply to Cloud SIEM APIs, so View (only) capabilities can now be assigned if desired.

Minor Changes and Enhancements

[Updated] When Threat Intelligence polling fails, the corresponding event will now include more information about the specific error that occurred.
[Updated] The API endpoints that return information about Signals (GET /signals, GET /signals/, and GET /signals/all) now include the summary field (previously only accessible via the UI).
[New] The Sumo Logic audit logs will now include events when a user adds or removes a Signal to/from an Insight, and when a user adds a comment to an Insight.

Resolved Issues

The GET /rules and GET /rules/ API endpoints did not require role capabilities for access; they now require either View Rules or Manage Rules.
Favorite Fields were not always being displayed on Signals generated by Threshold Rules.

July 14, 2022 - Application Update

Minor Changes and Enhancements

[Updated] The text size has been adjusted in some areas on the Rules details page to improve readability.

Resolved Issues

In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.

Announcement Update

The new Signal Index (recently announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.

July 21 - Application Update

Entity Groups

There are a number of ways that the use of Entity attributes - tags, criticality and suppression - provide value to users of Cloud SIEM: Investigations can be completed faster with more context, Insights can be better prioritized with the appropriate severity, and false positive signals from test instances can be prevented, for example. However, setting those attributes has been a manual process and keeping them in sync as new Entities are defined is difficult.

That's why we are pleased to announce a new feature called Entity Groups. By defining Entity Groups, attributes can be automatically applied (or removed) based on Entity value (name), IP address, or Inventory group membership. For example, all high-risk laptops will receive higher criticality -- even if such a laptop is added to your environment months later.

Entities can even be members of more than one Entity Group, so a high-risk laptop in the Austin office could both get a tag identifying its location and receive the higher criticality. And if you later reassigned it so that it was no longer in a high-risk group, the criticality would be automatically removed.

To create an Entity Group, a new configuration menu item has been added:

On the Entity Groups page, click the Create button:

This will open the detail dialog:

Here you can decide what attribute Group membership should be based on:

Group membership in your Inventory system (such as Active Directory)
Entity value (name) - prefix or suffix (such as "aus-" or "-public")
IP address range (for IP Address entities) defined using the CIDR format

Entity Groups also support sensor zones.

Then you can define what attribute(s) should be applied to member Entities - tags, criticality and/or suppression.

This release also includes API and Terraform support for Entity Groups.

More information about this exciting new feature and how to use it is in the documentation at Using Entity Groups.

Signal Index

Starting today, Signals generated by Cloud SIEM will be automatically saved in a new sec_signal index. This special partition is similar to the existing sec_record_* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index is automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.

As a result, the optional Signal Forwarding feature will be deprecated on September 22, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in Cloud SIEM.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before September 22.

Note that because the new index is a special partition, a single query cannot be used to search both the sec_signal index and older forwarded Signal data simultaneously.

More information about using the special security indices is in the documentation at Searching for Cloud SIEM Data in Sumo Logic.

Minor Changes and Enhancements

[Updated] The page used to configure the detection window and Insight threshold has moved. Where previously it was accessed from a button on the Custom Insights list page, it is now accessed via a new Workflow > Detection option in the Configuration menu:

Note the URL has also changed as a result; please update any bookmarks.

Resolved Issues

When navigating to a Cloud SIEM page (with sumologic.com in the domain name), if the user had to login/authenticate first, they were not auto-forwarded to the appropriate Cloud SIEM page after doing so (but instead was taken to the Continuous Intelligence Platform home page). This has now been resolved and users will be auto-forwarded correctly.

July 21, 2022 - Content Release

Rules

[Updated] MATCH-S00587 Empire PowerShell Launch Parameters
[Updated] MATCH-S00161 Malicious PowerShell Get Commands
[Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
[Updated] MATCH-S00191 Suspicious PowerShell Keywords

Log Mappers

[New] OSSEC Alert

Parsers

[New] /Parsers/System/OSSEC/OSSEC JSON
[Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
[Updated] /Parsers/System/Kubernetes/Kubernetes
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

July 14, 2022 - Application Update

Minor Changes and Enhancements

[Updated] The text size has been adjusted in some areas on the Rules details page to improve readability.

Resolved Issues

In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.

Announcement Update

The new Signal Index (recently announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.

July 14 - Content Release

Log Mappers

[New] Carbon Black Cloud Alert - Tuned Activity
[Updated] Cisco ASA 106001 JSON
[Updated] Cisco ASA 106002 JSON
[Updated] Cisco ASA 106006 JSON
[Updated] Cisco ASA 106007 JSON
[Updated] Cisco ASA 106010 JSON
[Updated] Cisco ASA 106012 JSON
[Updated] Cisco ASA 106014 JSON
[Updated] Cisco ASA 106015 JSON
[Updated] Cisco ASA 106021 JSON
[Updated] Cisco ASA 106027 JSON
[Updated] Cisco ASA 106100 JSON
[Updated] Cisco ASA 106102-3 JSON
[Updated] Cisco ASA 109005-8 JSON
[Updated] Cisco ASA 110002 JSON
[Updated] Cisco ASA 113004 JSON
[Updated] Cisco ASA 113005 JSON
[Updated] Cisco ASA 113012-17 JSON
[Updated] Cisco ASA 209004 JSON
[Updated] Cisco ASA 302020-1 JSON
[Updated] Cisco ASA 303002 JSON
[Updated] Cisco ASA 304001 JSON
[Updated] Cisco ASA 304002 JSON
[Updated] Cisco ASA 305011-12 JSON
[Updated] Cisco ASA 313001 JSON
[Updated] Cisco ASA 313004 JSON
[Updated] Cisco ASA 313005 JSON
[Updated] Cisco ASA 314003 JSON
[Updated] Cisco ASA 322001 JSON
[Updated] Cisco ASA 338001-8+338201-4 JSON
[Updated] Cisco ASA 4000nn JSON
[Updated] Cisco ASA 406001 JSON
[Updated] Cisco ASA 406002 JSON
[Updated] Cisco ASA 419001 JSON
[Updated] Cisco ASA 419002 JSON
[Updated] Cisco ASA 500004 JSON
[Updated] Cisco ASA 602303-4 JSON
[Updated] Cisco ASA 605004-5 JSON
[Updated] Cisco ASA 710002-3 JSON
[Updated] Cisco ASA 710005 JSON
[Updated] Cisco ASA tcp_udp_sctp_teardowns JSON

Parsers

[Updated] /Parsers/System/VMware/Carbon Black Cloud
[Updated] /Parsers/System/Cisco/Cisco ASA

July 8, 2022 - Application Update

Announcement

The built-in HipChat Action will be deprecated on August 25, 2022.

Minor Changes and Enhancements

[Updated] An option has been added to the Enrichments tab which allows the user to hide any empty fields in the results.

Resolved Issues

In some cases, changes to Rule Tuning Expressions were not being written to the Audit Logs properly.
Mapper field format_parameters was not populating.
Some of the links on the Related Entities tab of the Insight detail pages were malformed.

July 7, 2022 - Content Release

Rules

[New] MATCH-S00816 Interactive Logon to Domain Controller

Log Mappers

[Updated] Palo Alto GlobalProtect - Custom Parser
Updated] Palo Alto GlobalProtect Auth - Custom Parser
[Updated] Windows - System - 7045
[Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

[Updated] /Parsers/System/F5/F5 Syslog
[Updated] /Parsers/System/Google/GCP
[Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
[Updated] THRESHOLD-S00096 Brute Force Attempt
[Updated] MATCH-S00565 Direct Outbound DNS Traffic
[Updated] THRESHOLD-S00103 Domain Brute Force Attempt
[Updated] THRESHOLD-S00102 Domain Password Attack
[Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
[Updated] THRESHOLD-S00095 Password Attack
[Updated] CHAIN-S00008 Successful Brute Force
[Updated] MATCH-S00185 Windows - Remote System Discovery

July 5, 2022 - Content Release

Rules

[Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
[Updated] THRESHOLD-S00096 Brute Force Attempt
[Updated] MATCH-S00565 Direct Outbound DNS Traffic
[Updated] THRESHOLD-S00103 Domain Brute Force Attempt
[Updated] THRESHOLD-S00102 Domain Password Attack
[Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
[Updated] THRESHOLD-S00095 Password Attack
[Updated] CHAIN-S00008 Successful Brute Force
[Updated] MATCH-S00185 Windows - Remote System Discovery

Log Mappers

[Updated] McAfee Endpoint Security Custom Parser
[Updated] Microsoft SQL Server Parser - Authentication

Parsers

[Updated] /Parsers/System/Linux/Linux OS Syslog
[Updated] /Parsers/System/McAfee/McAfee EPO XML
[Updated] /Parsers/System/Microsoft/Microsoft SQL Server
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
[Updated] /Parsers/System/Twistlock/Twistlock

June 24, 2022 - Announcement

Beginning July 15, 2022, Signals generated by Cloud SIEM will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing sec_record_ indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index will be automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.

As a result, the optional Signal Forwarding feature in Cloud SIEM will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in Cloud SIEM.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.

If you have any questions or concerns, please contact Sumo Logic customer support.

June 24, 2022 - Application Update

Minor Changes and Enhancements

[New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.

Resolved Issues

The /sec/v1/insights/{}/tags API endpoint was returning a 500/INTERNAL_SERVER_ERROR.

June 21, 2022 - Content Release

Log Mappers

[Updated] McAfee Avecto Defendpoint

Parsers

[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/McAfee/McAfee EPO XML

June 15, 2022 - Content Release

Rules

[Updated] MATCH-S00400 Web Download via Office Binaries

Log Mappers

[New] GCP Parser - Load Balancer

Parsers

[Updated] /Parsers/System/Google/GCP
[Updated] /Parsers/System/Orca Security/Orca Security
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

June 13, 2022 Application Update

Minor Changes and Enhancements

[Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). (Old bookmark will continue to work.)
[Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
[Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.

Resolved Issues

CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
Then filtering lists by date, the "include current" checkbox was not working consistently.

June 9, 2022 - Content Release

Rules

[New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
[Updated] MATCH-S00687 Linux Security Tool Usage
[Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

[Updated] Cyber Ark Vault JSON

Parsers

[New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
[Updated] /Parsers/System/AWS/AWS ELB
[Updated] /Parsers/System/AWS/AWS WAF

June 7, 2022 - Content Release

Rules

[Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
[Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution

Log Mappers

[New] Bitdefender - avc
[New] Bitdefender - fw
[New] Bitdefender - hd
[New] Bitdefender - network-monitor
[New] Bitdefender - new-incident
[New] Linux OS Syslog - Cron - Generic
[New] Linux OS Syslog - sshd - session timeout
[Updated] Bitdefender Catch All
[Updated] SonicWall Firewall - Custom Parser

Parsers

[Updated] /Parsers/System/Dell/Dell SonicWall
[Updated] /Parsers/System/Linux/Linux OS Syslog

June 3, 2022 - Content Release

Rules

[New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
[New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
[New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
[Updated] THRESHOLD-S00080 Internal Port Scan
[Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190

Log Mappers

[New] Google G Suite - logout
[New] McAfee Mvision ENS incidents - Parser
[New] McAfee Mvision ENS threats - Parser
[New] Okta Authentication - auth_via_AD_agent
[New] Okta Authentication - auth_via_mfa
[New] Okta Authentication - auth_via_radius
[New] Okta Authentication - sso
[Updated] Google G Suite - login.login
[Updated] Okta Authentication Events
[Updated] Salesforce LoginAs Mapping

Parsers

[New] /Parsers/System/McAfee/McAfee Mvision ENS

Schema

[Updated] device_ip_asnNumber
[Updated] device_ip_asnOrg
[Updated] device_ip_city
[Updated] device_ip_countryCode
[Updated] device_ip_countryName
[Updated] device_ip_isp
[Updated] device_ip_latitude
[Updated] device_ip_longitude
[Updated] device_ip_region
[Updated] device_natIp_asnNumber
[Updated] device_natIp_asnOrg
[Updated] device_natIp_city
[Updated] device_natIp_countryCode
[Updated] device_natIp_countryName
[Updated] device_natIp_isp
[Updated] device_natIp_latitude
[Updated] device_natIp_longitude
[Updated] device_natIp_region
[Updated] dns_replyIp_asnNumber
[Updated] dns_replyIp_asnOrg
[Updated] dns_replyIp_city
[Updated] dns_replyIp_countryCode
[Updated] dns_replyIp_countryName
[Updated] dns_replyIp_isp
[Updated] dns_replyIp_latitude
[Updated] dns_replyIp_longitude
[Updated] dns_replyIp_region
[Updated] dstDevice_ip_asnNumber
[Updated] dstDevice_ip_asnOrg
[Updated] dstDevice_ip_city
[Updated] dstDevice_ip_countryCode
[Updated] dstDevice_ip_countryName
[Updated] dstDevice_ip_isp
[Updated] dstDevice_ip_latitude
[Updated] dstDevice_ip_longitude
[Updated] dstDevice_ip_region
[Updated] srcDevice_ip_asnNumber
[Updated] srcDevice_ip_asnOrg
[Updated] srcDevice_ip_city
[Updated] srcDevice_ip_countryCode
[Updated] srcDevice_ip_countryName
[Updated] srcDevice_ip_isp
[Updated] srcDevice_ip_latitude
[Updated] srcDevice_ip_longitude
[Updated] srcDevice_ip_region

June 1, 2022 - Announcement

Geographical Data for IP Addresses

As previously announced, Cloud SIEM has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various _isp enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent _asnOrg fields (such as device_ip_asnOrg). If you have any rules that leverage the _isp fields, please switch to the _asnOrg fields as soon as possible.
Because these fields will no longer be populated, they will be removed on June 7, 2022:
- device_ip_isp
- device_natIp_isp
- device_replyIp_isp
- dstDevice_ip_isp
- dstDevice_natIp_isp
- srcDevice_ip_isp
- srcDevice_natIp_isp

May 31, 2022 - Content Release

Rules

[New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
[Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
[Updated] MATCH-S00766 Okta MFA Deactivated for User
[Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
[Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

[New] Aruba ClearPass User Authentication Failed
[New] Aruba ClearPass User Authentication Successful
[New] Cisco Secure Email Parser - Catch All
[New] Exabeam Parser - Catch All
[New] Jamf Parser - Catch All
[New] Juniper SRX Series Firewall - Parser
[New] McAfee Network Security Parser - Catch All
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
[New] Orca Security Parser - Catch All
[New] Squid Proxy - Parser
[New] Thinkst Canary Parser - Catch All
[New] Zscaler Workload Segmentation Catch All - Parser
[Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
[Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
[Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
[Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
[Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
[Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
[Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
[Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
[Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
[Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
[Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
[Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
[Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
[Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
[Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
[Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
[Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
[Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
[Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
[Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
[Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
[Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
[Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
[Updated] CloudTrail - iam.amazonaws.com - CreateUser
[Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
[Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
[Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - DeleteUser
[Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
[Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
[Updated] CloudTrail - kms.amazonaws.com - DisableKey
[Updated] CloudTrail - kms.amazonaws.com - RotateKey
[Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
[Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
[Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
[Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
[Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
[Updated] CloudTrail - s3.amazonaws.com - CreateBucket
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
[Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
[Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
[Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
[Updated] CloudTrail - signin.amazonaws.com - CheckMfa
[Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
[Updated] CloudTrail - signin.amazonaws.com - ExitRole
[Updated] CloudTrail - signin.amazonaws.com - RenewRole
[Updated] CloudTrail - signin.amazonaws.com - SwitchRole
[Updated] CloudTrail - sso.amazonaws.com - Federate
[Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
[Updated] CloudTrail Default Mapping
[Updated] Cloudflare - Logpush
[Updated] Egnyte DLP Parser - Catch All
[Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
[Updated] Okta Authentication Events
[Updated] Okta Catch All
[Updated] Okta Security Threat Events
[Updated] Windows - Security - 4688

Parsers

[New] /Parsers/System/Cisco/Cisco Secure Email
[New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
[New] /Parsers/System/Jamf/Jamf
[New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
[New] /Parsers/System/McAfee/McAfee Network Security
[New] /Parsers/System/Orca Security/Orca Security
[New] /Parsers/System/Squid/Squid Proxy Syslog
[New] /Parsers/System/Thinkst Canary/Thinkst Canary
[New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
[Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
[Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
[Updated] /Parsers/System/Egnyte/Egnyte DLP
[Updated] /Parsers/System/F5/F5 Syslog
[Updated] /Parsers/System/Linux/Linux OS Syslog
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
[Updated] /Parsers/System/Shared/Syslog Headers
[Updated] /Parsers/System/Twistlock/Twistlock

May 27, 2022 - Application Update

Upcoming Changes

[Updated] Starting later next week, the severity attribute in audit log records for Insights (such as InsightCreated) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
[Deleted] Later next week, the Content > Suppressed Entities page will be removed from the UI to simplify the application. Instead, users can use a filter on the Content > Entities page to retrieve the list of suppressed Entities.

Minor Changes and Enhancements

[Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
[New] When creating a copy of a Rule, users are now given then option to apply the Rule Tuning Expression(s) that are applied on the original rule to the copy as well.
[New] In the Cloud SIEM UI, timestamps now explicitly include the time zone.
[New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
[New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.

Resolved Issues

If a user had defined a high number of favorite fields, the system would show the first 50.
When specifying tags, the auto-complete feature was not working properly in some instances.

May 26, 2022 - Content Release

Rules

[Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
[Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
[Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

[New] Cisco Secure Email Parser - Catch All
[New] Exabeam Parser - Catch All
[New] Jamf Parser - Catch All
[New] Juniper SRX Series Firewall - Parser
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
[New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
[New] Squid Proxy - Parser
[New] Thinkst Canary Parser - Catch All
[New] Zscaler Workload Segmentation Catch All - Parser
[Updated] Egnyte DLP Parser - Catch All
[Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change

Parsers

[New] /Parsers/System/Cisco/Cisco Secure Email
[New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
[New] /Parsers/System/Jamf/Jamf
[New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
[New] /Parsers/System/Squid/Squid Proxy Syslog
[New] /Parsers/System/Thinkst Canary/Thinkst Canary
[New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
[Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
[Updated] /Parsers/System/Egnyte/Egnyte DLP
[Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

May 17, 2022 - Application Update

Minor Changes and Enhancements

[Updated] The _sourceName and _sourceHost values in records ingested by Cloud SIEM will now reflect the original values defined when ingested into the Sumo Logic platform.
[Updated] The "Board" list view for Insights has been updated to include the resolution:

Resolved Issues

In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow.
When creating match list items via Terraform, the process was occasionally timing out.
Email-based actions were not functioning properly on instances with domains ending in jask.ai.

May 12, 2022 - Content Release

Rules

[Updated] LEGACY-S00078 SQL Injection Victim

Log Mappers

[New] Check Point Application Control
[New] Check Point SmartDefense
[New] Check Point URL Filtering
[Updated] Check Point Block

Parsers

[Updated] /Parsers/System/Check Point/Check Point Firewall JSON
[Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
[Updated] /Parsers/System/Microsoft/Office 365

May 10, 2022 - Content Release

Rules

[Deleted] MATCH-S00258 Authentication Brute Force Attempt
[Updated] MATCH-S00176 RDP Login from Localhost

Log Mappers

[Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
[Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
[Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
[Deleted] Windows - Security - 1100 - CIP
[Deleted] Windows - Security - 1102 - CIP
[Deleted] Windows - Security - 4624 - CIP
[Deleted] Windows - Security - 4625 - CIP
[Deleted] Windows - Security - 4634 - CIP
[Deleted] Windows - Security - 4648 - CIP
[Deleted] Windows - Security - 4649 - CIP
[Deleted] Windows - Security - 4656 - CIP
[Deleted] Windows - Security - 4658 - CIP
[Deleted] Windows - Security - 4661 - CIP
[Deleted] Windows - Security - 4662 - CIP
[Deleted] Windows - Security - 4663 - CIP
[Deleted] Windows - Security - 4672 - CIP
[Deleted] Windows - Security - 4674 - CIP
[Deleted] Windows - Security - 4688 - CIP
[Deleted] Windows - Security - 4689 - CIP
[Deleted] Windows - Security - 4697 - CIP
[Deleted] Windows - Security - 4698 - CIP
[Deleted] Windows - Security - 4702 - CIP
[Deleted] Windows - Security - 4704 - CIP
[Deleted] Windows - Security - 4720 - CIP
[Deleted] Windows - Security - 4726 - CIP
[Deleted] Windows - Security - 4728 - CIP
[Deleted] Windows - Security - 4732 - CIP
[Deleted] Windows - Security - 4740 - CIP
[Deleted] Windows - Security - 4742 - CIP
[Deleted] Windows - Security - 4754 - CIP
[Deleted] Windows - Security - 4755 - CIP
[Deleted] Windows - Security - 4756 - CIP
[Deleted] Windows - Security - 4768 - CIP
[Deleted] Windows - Security - 4769 - CIP
[Deleted] Windows - Security - 4770 - CIP
[Deleted] Windows - Security - 4771 - CIP
[Deleted] Windows - Security - 4776 - CIP
[Deleted] Windows - Security - 4778 - CIP
[Deleted] Windows - Security - 4779 - CIP
[Deleted] Windows - Security - 4780 - CIP
[Deleted] Windows - Security - 4793 - CIP
[Deleted] Windows - Security - 4798 - CIP
[Deleted] Windows - Security - 4799 - CIP
[Deleted] Windows - Security - 5038 - CIP
[Deleted] Windows - Security - 5058 - CIP
[Deleted] Windows - Security - 5059 - CIP
[Deleted] Windows - Security - 5061 - CIP
[Deleted] Windows - Security - 5140 - CIP
[Deleted] Windows - Security - 5379 - CIP
[Deleted] Windows - Security - 5805 - CIP
[Deleted] Windows - Security - 6272 - CIP
[Deleted] Windows - Security - 6273 - CIP
[Deleted] Windows - Security - 6275 - CIP
[Deleted] Windows - Security - 6278 - CIP
[Deleted] Windows - Security - 6416 - CIP
[Deleted] Windows - Security - 6423 - CIP
[Deleted] Windows - Security - 6424 - CIP
[Deleted] Windows - System - 5138 - CIP
[Deleted] Windows - System - 6005 - CIP
[Deleted] Windows - System - 6006 - CIP
[Deleted] Windows - System - 7045 - CIP
[New] BlueCat DNS Parser - Catch All
[Updated] AWS WAF Allow Logs
[Updated] AWS WAF Block Logs
[Updated] Firepower Catch All
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
[Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
[Updated] Linux OS Syslog - Process sshd - SSH Auth Success

Parsers

[Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
[New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
[New] /Parsers/System/Cisco/Cisco Firepower JSON
[Updated] /Parsers/System/AWS/AWS WAF
[Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 29, 2022 - Application Update

[New] The Cloud SIEM team is excited to announce a newly enhanced feature: Related Entities. Although Insights and the Signals they contain are focused on a single Entity (a user, or host for example), there are often a number of additional Entities referenced in the Records/Signals contained in the Insight. In addition, Cloud SIEM can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).

To provide an easy way for analysts to explore all of these Related Entities, a new tab has been added to the Insight Details page:

The Entities tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where Cloud SIEM has determined a relationship between entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’).

Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals.

As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages).

This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information.

More information can be found in the online documentation.

Minor Changes and Enhancements

[Update] For Signals generated by Threshold, Aggregation and Chain Rules, there is a feature called Queried Records that enables users to find additional records that also apply to the Signal beyond those that were needed to meet the conditions for the Rule.The page that lists these Queried Records now explicitly shows the search query and time window that is being checked. If a user clicks on the query, it will open a Log Search window with the query and time window pre-filled for deeper investigation.

April 29, 2022 - Content Release

Rules

[Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
[Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
[Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
[Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
[Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
[Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
[Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
[Updated] MATCH-S00687 Linux Security Tool Usage
[Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
[Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
[Updated] THRESHOLD-S00031 RDP Brute Force Attempt
[Updated] THRESHOLD-S00034 SSH Authentication Failures

Log Mappers

[New] BlueCat DHCP Parser - Catch All
[New] Microsoft Exchange Catch All
[New] Microsoft Exchange HTTP Error
[New] Microsoft Exchange IIS
[New] Varonis DatAlert - Parser
[Updated] Varonis DatAdvantage - CEF

Parsers

[New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
[New] /Parsers/System/Microsoft/Exchange
[New] /Parsers/System/Varonis/Varonis DatAlert Syslog
[Updated] /Parsers/System/F5/F5 Syslog

April 26, 2022 - Content Release

Rules

[New] MATCH-S00808 Azure - Container Instance Creation/Modification
[New] MATCH-S00809 Azure - Container Start
[New] MATCH-S00807 Azure - Image Created/Modified
[New] MATCH-S00810 Azure - Image Deleted

Log Mappers

[New] Darktrace Parser Events
[Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

[New] /Parsers/System/Darktrace/Darktrace Syslog
[New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 20, 2022 - Content Release

Rules

[New] MATCH-S00798 Azure - Anonymous Blob Access
[New] MATCH-S00805 Azure - Bastion Host Created/Modified
[New] MATCH-S00806 Azure - Bastion Host Deleted
[New] MATCH-S00795 Azure - Diagnostic Setting Deleted
[New] MATCH-S00796 Azure - Diagnostic Setting Modified
[New] MATCH-S00797 Azure - Event Hub Deleted
[New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
[New] MATCH-S00788 Azure - Key Deletion
[New] MATCH-S00789 Azure - Key Purged
[New] MATCH-S00792 Azure - Key Vault Deleted
[New] MATCH-S00787 Azure - Protected Item Deletion Attempt
[New] MATCH-S00794 Azure - Secret Backup
[New] MATCH-S00791 Azure - Secret Deleted
[New] MATCH-S00790 Azure - Secret Purged
[New] MATCH-S00800 Azure - Storage Deletion
[New] MATCH-S00799 Azure - Storage Modification
[New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
[New] MATCH-S00804 Azure - Virtual Machine Deleted
[New] MATCH-S00801 Azure - Virtual Machine Started
[New] MATCH-S00802 Azure - Virtual Machine Stopped
[Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
[Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
[Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
[Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
[Updated] MATCH-S00445 Known Ransomware File Extensions

Log Mappers

[New] Dropbox - Authentication
[New] Dropbox - Catch All
[Updated] Azure AuditEvent logs

Parsers

[Updated] /Parsers/System/AWS/GuardDuty

April 19, 2022 - Announcement

We will be consolidating Authentication Brute Force Attempt MATCH-S00258 on Tuesday May 10 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.

April 18, 2022 - Application Update

Minor Changes and Enhancements

[New] API endpoints are now available to add or remove a given Signal to/from a given Insight, PUT "/insights//signals" and DELETE "/insights//signals" respectively. (For both endpoints, the request body is a list containing signal ID(s) to add or remove from the insight as the request body, the response is the updated Insight.)
[Update] The way Cloud SIEM displays group membership in Active Directory inventory objects is changing. Previously, it was displayed in LDAP form (i.e., cn=groupname,dc=something,dc=domain,dc=com); now it will just show the group name.

Resolved Issues

Signal and Insight timestamps in the Cloud SIEM UI were not always displayed in the user’s preferred time zone.

April 15, 2022 - Announcements

Because it can now be connected via more standardized TAXII feeds, the integration between Cloud SIEM and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali’s documentation for Setting up a TAXII feed for ThreatStream then Sumo Logic’s documentation for Integrating Cloud SIEM with a TAXII Feed.
The Entity API has been updated to include a new field IsSuppressed. This field replaces IsWhitelisted which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted please ensure you have switched to the new field.

April 14, 2022 - Content Release

Rules

[New] MATCH-S00785 Azure - Blob Container Deletion
[New] MATCH-S00786 Azure - SQL Database Export
[Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
[Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
[Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
[Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
[Updated] LEGACY-S00066 PowerShell Remote Administration
[Updated] LEGACY-S00105 Suspicious DC Logon
[Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)

Log Mappers

[Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
[Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
[Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
[Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
[Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
[Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
[Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
[Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
[Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
[Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
[Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
[Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
[Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
[Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
[Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
[Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
[Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
[Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
[Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
[Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
[Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
[Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
[Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
[Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
[Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
[Updated] CloudTrail - iam.amazonaws.com - CreateUser
[Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
[Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
[Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - DeleteUser
[Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
[Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
[Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
[Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
[Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
[Updated] CloudTrail - kms.amazonaws.com - DisableKey
[Updated] CloudTrail - kms.amazonaws.com - RotateKey
[Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
[Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
[Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
[Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
[Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
[Updated] CloudTrail - s3.amazonaws.com - CreateBucket
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
[Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
[Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
[Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
[Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
[Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
[Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
[Updated] CloudTrail - signin.amazonaws.com - CheckMfa
[Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
[Updated] CloudTrail - signin.amazonaws.com - ExitRole
[Updated] CloudTrail - signin.amazonaws.com - RenewRole
[Updated] CloudTrail - signin.amazonaws.com - SwitchRole
[Updated] CloudTrail - sso.amazonaws.com - Federate
[Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
[Updated] CloudTrail Default Mapping
[Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
[Updated] Microsoft Graph AD Reporting API C2C - Provisioning
[Updated] Microsoft Graph AD Reporting API C2C - Signin
[Updated] Trend Micro CEF logs

Parsers

[New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF

April 12, 2022 - Content Release

Rules

[New] MATCH-S00784 Linux Host Entered Promiscuous Mode

Log Mappers

[Deleted] AWS VPC Flow Logs - Custom Format 1
[Deleted] Adaxes Execute Event
[Deleted] Adaxes Modify Event
[Deleted] Adaxes Run PowerShell Event
[Deleted] Aruba Error Logs
[Deleted] Aruba ICMP Logs
[Deleted] Aruba LDAP Server Logs
[Deleted] Aruba PoniUnwired HTTPD CGID Samples
[Deleted] Aruba PoniUnwired HTTPD Core Error Samples
[Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
[Deleted] Aruba PoniUnwired HTTPD ssl error Samples
[Deleted] Aruba PoniUnwired Warn Samples
[Deleted] BIND DNS Query
[Deleted] BIND DNS Update Zone
[Deleted] BIND DNS Update Zone Failed
[Deleted] BIOC Credential Access logs
[Deleted] BIOC Dropper logs
[Deleted] BIOC Evasion Variation 2 logs
[Deleted] BIOC Evasion logs
[Deleted] BIOC Infiltration logs
[Deleted] BIOC Persistence and Execution logs
[Deleted] BIOC Privilege logs
[Deleted] BIOC Reconnaissance logs
[Deleted] BIOC Reconnaissance logs Variation 2
[Deleted] BIOC Tampering logs
[Deleted] BIOC create and write logs
[Deleted] Bandura Domain Logs
[Deleted] Bandura Packet Logs
[Deleted] Barracuda Proxy
[Deleted] Bind DHCP Full
[Deleted] Bind DHCP On
[Deleted] Bind DHCP Short
[Deleted] Bind DNS log 1
[Deleted] Bind DNS log 10
[Deleted] Bind DNS log 2
[Deleted] Bind DNS log 3
[Deleted] Bind DNS log 4
[Deleted] Bind DNS log 5
[Deleted] Bind DNS log 6
[Deleted] Bind DNS log 7
[Deleted] Bind DNS log 8
[Deleted] Bind DNS log 9
[Deleted] Bind9 DNS
[Deleted] Blue Coat Proxy 2
[Deleted] Blue Coat Proxy 4
[Deleted] Blue Coat Proxy 5
[Deleted] Blue Coat Proxy 6
[Deleted] Blue Coat Proxy 7
[Deleted] Blue Coat Proxy Logs
[Deleted] BlueCat DHCP Bootrequest
[Deleted] BlueCat DHCP Decline
[Deleted] BlueCat DHCP INFORM Logs
[Deleted] BlueCat DHCP Offer Logs
[Deleted] BlueCat DHCP Reuse Lease
[Deleted] BlueCat DHCP failover
[Deleted] BlueCat DNS
[Deleted] BlueCat DNS with Key
[Deleted] CB Protection
[Deleted] CB Protection Username
[Deleted] CB Response Server 1
[Deleted] CB Response Server 10
[Deleted] CB Response Server 11
[Deleted] CB Response Server 13
[Deleted] CB Response Server 14
[Deleted] CB Response Server 15
[Deleted] CB Response Server 17
[Deleted] CB Response Server 2
[Deleted] CB Response Server 20
[Deleted] CB Response Server 3
[Deleted] CB Response Server 4
[Deleted] CB Response Server 5
[Deleted] CB Response Server 6
[Deleted] CB Response Server 7
[Deleted] CB Response Server 9
[Deleted] CB Response Severity 1
[Deleted] CB Response Severity 2
[Deleted] CB Response Severity 3
[Deleted] CICSCOFW434002
[Deleted] Check Point ACCEPT Grok
[Deleted] Check Point DROP
[Deleted] Check Point VPN
[Deleted] Check Point encrypt/decrypt
[Deleted] Check Point key install
[Deleted] Cisco ACS FAILED-ATTEMPT
[Deleted] Cisco ACS FAILED-AUTHENTICATION
[Deleted] Cisco ACS Passed-Authentication
[Deleted] Cisco ACS Tacacs-Accounting
[Deleted] Cisco ASA 106002
[Deleted] Cisco ASA 106012
[Deleted] Cisco ASA 106013
[Deleted] Cisco ASA 106018
[Deleted] Cisco ASA 106022
[Deleted] Cisco ASA 113039
[Deleted] Cisco ASA 716037
[Deleted] Cisco ASA 716038
[Deleted] Cisco ASA 716039
[Deleted] Cisco ASA 722056
[Deleted] Cisco ASA 725012
[Deleted] Cisco ASA 725017
[Deleted] Cisco ASA 734003
[Deleted] Cisco ASA 746012
[Deleted] Cisco AnyConnect NAT RULES Logs
[Deleted] Cisco Authentication Message 01
[Deleted] Cisco Authentication Message 02
[Deleted] Cisco Authentication Message 03
[Deleted] Cisco Authentication Message 04
[Deleted] Cisco Authentication Message 05
[Deleted] Cisco Authentication Message 06
[Deleted] Cisco Authentication Message 07
[Deleted] Cisco Authentication Message 08
[Deleted] Cisco Authentication Message 09
[Deleted] Cisco Authentication Message 10
[Deleted] Cisco Authentication Message 11
[Deleted] Cisco Authentication Message 12
[Deleted] Cisco Authentication Message 13
[Deleted] Cisco Authentication Message 14
[Deleted] Cisco Authentication Message 15
[Deleted] Cisco IOS Message
[Deleted] Cisco IOS Queue Full
[Deleted] Cisco Ironport WSA
[Deleted] Cisco Ironport WSA NOHD
[Deleted] Cisco Ironport WSA NOHD 01
[Deleted] Cisco Ironport WSA NOHD 03
[Deleted] Cisco Meraki IDS-Alerts
[Deleted] Cisco Meraki Security Event
[Deleted] Cisco Meraki Security Filtering Disposition Change
[Deleted] Cisco Umbrella IP Logs Custom
[Deleted] Citrix NetScaler AAA Message
[Deleted] Citrix NetScaler API CMD EXECUTED
[Deleted] Citrix NetScaler Delinked Message
[Deleted] Citrix NetScaler Delinked Message 01
[Deleted] Citrix NetScaler TCP Connection Terminated
[Deleted] DNS_Additions
[Deleted] EPO_THREATS_AV
[Deleted] EXABEAM
[Deleted] F5 HTTPd Audit
[Deleted] F5 SSHD Samples
[Deleted] F5 SSL Request
[Deleted] Firepower Access Control
[Deleted] Firepower Access Control 2
[Deleted] Firepower Access Control 3
[Deleted] Firepower Access Control 4
[Deleted] Firepower Access Control 5
[Deleted] Firepower Alerts
[Deleted] Forcepoint NEW
[Deleted] Huawei SNMP LOGS
[Deleted] IBM WebSpheredatadevice error 1
[Deleted] IBM WebSpheredatadevice error 2
[Deleted] IBM WebSpheredatadevice error 3
[Deleted] IBM WebSpheredatadevice error 4
[Deleted] IBM WebSpheredatadevice error 5
[Deleted] INFOBLOX_DNS_QUERIES LOGS
[Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
[Deleted] Infoblox DHCP Updater 1
[Deleted] Infoblox DHCP Updater 2
[Deleted] Infoblox DHCP Updater 3
[Deleted] Infoblox DHCP Updater 4
[Deleted] Infoblox DHCP Updater 5
[Deleted] Infoblox DHCPACK RENEW Samples
[Deleted] Infoblox DHCPACK v2 Samples
[Deleted] Infoblox DHCPDISCOVER Samples
[Deleted] Infoblox DHCPDISCOVER Samples 2
[Deleted] Infoblox DHCPDISCOVER Unknown network Sample
[Deleted] Infoblox DHCPEXPIRE Samples
[Deleted] Infoblox DHCPNAK Samples
[Deleted] Infoblox DHCPOFFER UID Samples
[Deleted] Infoblox DHCPRELEASE Samples
[Deleted] Infoblox DNS Request AXRF Ended
[Deleted] Infoblox DNS Request AXRF Started
[Deleted] Infoblox DNS Response
[Deleted] Infoblox DNS Zone Update 1
[Deleted] Infoblox DNS Zone Update 2
[Deleted] Infoblox DNS Zone Update 3
[Deleted] Infoblox DNS Zone Update 4
[Deleted] Infoblox DNS Zone Update 5
[Deleted] Infoblox DNS Zone Update 6
[Deleted] Infoblox Domain Notified
[Deleted] Invalid Login
[Deleted] IronPort Quarantined MID
[Deleted] IronPort Quarantined TO
[Deleted] Ironport DCID Message
[Deleted] Ironport DKIM
[Deleted] Ironport ICID Message
[Deleted] Ironport Info IC
[Deleted] Ironport Info IC and Msg
[Deleted] Ironport Info ISQ or RPC
[Deleted] Ironport Info Message
[Deleted] Ironport Info Mid Info
[Deleted] Ironport WSA SFIMS Protocol 1
[Deleted] Ironport WSA SFIMS Protocol 2
[Deleted] Ironport WSA SFIMS Protocol 3
[Deleted] Ironport WSA SFIMS Protocol 4
[Deleted] Ironport Warn Message
[Deleted] Ironport Warning Connection Error
[Deleted] Ironport Warning Full
[Deleted] Ironport Warning Invalid DNS FULL
[Deleted] Ironport Warning LIMIT
[Deleted] Juniper Flow Reassemble Logs
[Deleted] Juniper Session Error Logs
[Deleted] LINUX User Auth with Hostname
[Deleted] Linux Laravel Activity Logs
[Deleted] Linux Laravel Activity Logs 01
[Deleted] Linux Laravel Login Logs
[Deleted] LinuxServer Audit Logs 01
[Deleted] LinuxServer Audit Logs 02
[Deleted] LinuxServer Log 1
[Deleted] LinuxServer Log 11
[Deleted] LinuxServer Log 2
[Deleted] LinuxServer Log 3
[Deleted] LinuxServer Log 4
[Deleted] LinuxServer Log 5
[Deleted] LinuxServer Log 6
[Deleted] LinuxServer Log 7
[Deleted] Mcafee MVISION CASB Log
[Deleted] NSM_THREAT_IPS
[Deleted] Network Management Logs
[Deleted] Oauth Logs
[Deleted] Ossec Group Addition Logs
[Deleted] Ossec Insecure Connection Logs
[Deleted] Ossec Integrity checksum Logs
[Deleted] Ossec Root Login Refused Logs
[Deleted] Ossec ssh server Logs
[Deleted] Palo Alto Traps Analytics
[Deleted] Palo Alto Traps Analytics - Cloud
[Deleted] Palo Alto Traps Config - Cloud
[Deleted] Palo Alto Traps Event
[Deleted] Palo Alto Traps Events Updated
[Deleted] Palo Alto Traps Misc - Cloud
[Deleted] Palo Alto Traps System - Cloud
[Deleted] Pulse Secure Endpoint
[Deleted] Pulse Secure Logs
[Deleted] Renew Logs
[Deleted] Shibboleth DUO
[Deleted] Shibboleth HTTP Redirect EDU
[Deleted] Shibboleth HTTP Redirect Email
[Deleted] Shibboleth LDAP
[Deleted] Shibboleth LDAP Email
[Deleted] Snare AgentHeartBeat Logs
[Deleted] Snare Windows DHCP Logs
[Deleted] SonicWall Bad FTP Protocol
[Deleted] SonicWall Block Dropped Events
[Deleted] SonicWall Flood Attack
[Deleted] SonicWall IPS
[Deleted] SonicWall Port Scan
[Deleted] SonicWall URL Filter
[Deleted] Successful Login
[Deleted] Successful Logins
[Deleted] Successful SSH Login
[Deleted] Suricata HTTP Logs
[Deleted] Suricata LogStash
[Deleted] Suricata Logstash Custom
[Deleted] Suricata Threat Logs
[Deleted] Symantec SEP AntiVirus
[Deleted] Symantec SEP Potential Risk Found 01
[Deleted] Symantec SEP Potential Risk Found 2
[Deleted] Symantec SEP Potential Risk Found 3
[Deleted] Symantec SEP SONAR
[Deleted] Symantec SEP Security Risk Found
[Deleted] Symantec SEP Sonar Detection
[Deleted] Symantec SEP USB Drive
[Deleted] Tanium S24 Logs
[Deleted] VLT Vault Extra
[Deleted] VMware Logs 1
[Deleted] VMware Logs 2
[Deleted] VMware Logs 3
[Deleted] VMware Logs 4
[Deleted] VMware Logs 5
[Deleted] VMware Logs 6
[Deleted] VMware Logs 7
[Deleted] VMware Logs 8
[Deleted] VPN Messages
[Deleted] VPN Messages 2
[Deleted] VPN Messages 3
[Deleted] VPN Messages 4
[Deleted] VPN Messages 5
[Deleted] WatchGuard flow log
[Deleted] WatchGuard flow log 2
[Deleted] Windows DHCP
[Deleted] Windows Defender Unstructured
[Deleted] Windows QUICK FIX
[Deleted] Zscaler Firewall Grok
[Deleted] cisco17
[Deleted] cisco20
[Deleted] ePO Threat Event
[New] AWS EKS - Custom Parser
[New] Azure Storage Analytics
[New] Citrix NetScaler - SSL Handshake Success
[Updated] Azure Administrative logs
[Updated] Azure Write and Delete Logs
[Updated] Citrix NetScaler - AAA-LOGIN_FAILED
[Updated] Citrix NetScaler - Command Executed
[Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
[Updated] Citrix NetScaler - SSLVPN-ICA Events
[Updated] Citrix NetScaler - SSLVPN-LOGIN
[Updated] Citrix NetScaler - SSLVPN-LOGOUT
[Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT

Parsers

[New] /Parsers/System/AWS/AWS EKS
[New] /Parsers/System/Microsoft/Azure Storage Analytics
[Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog

Legacy Parsers

[Deleted] 4624
[Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
[Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
[Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
[Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
[Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
[Deleted] ASA_106002
[Deleted] ASA_106013
[Deleted] ASA_106018
[Deleted] ASA_106022
[Deleted] ASA_113039
[Deleted] ASA_5_746012
[Deleted] ASA_6_106012
[Deleted] ASA_716037
[Deleted] ASA_716038
[Deleted] ASA_716039
[Deleted] ASA_722056
[Deleted] ASA_7_725012
[Deleted] ASA_7_725017
[Deleted] ASA_7_734003
[Deleted] AWS_VPC_FLOW_CUSTOM_1
[Deleted] Adaxes_Execute_Event
[Deleted] Adaxes_Modify_Event
[Deleted] Adaxes_Run_PowerShell_Event
[Deleted] Aruba_Error_Logs
[Deleted] Aruba_ICMP_Logs
[Deleted] Aruba_LDAP_Server_Logs
[Deleted] BANDURA_DOMAIN_LOGS
[Deleted] BANDURA_PACKET_LOGS
[Deleted] BARRACUDA_PROXY
[Deleted] BIND9
[Deleted] BIND_DHCP_FOR_FULL
[Deleted] BIND_DHCP_FOR_SHORT
[Deleted] BIND_DHCP_ON
[Deleted] BIND_Query
[Deleted] BIND_Update_Zone
[Deleted] BIND_Update_Zone_Failure
[Deleted] BIOC_CREATE_AND_WRITE
[Deleted] BIOC_CREDENTIAL_ACCESS
[Deleted] BIOC_DROPPER
[Deleted] BIOC_EVASION
[Deleted] BIOC_EVASION_VARIATION_2
[Deleted] BIOC_INFILTRATION
[Deleted] BIOC_PERSISTENCE_EXECUTION
[Deleted] BIOC_PRIVILEGE
[Deleted] BIOC_RECONNAISSANCE
[Deleted] BIOC_RECONNAISSANCE_VARIATION_2
[Deleted] BIOC_TAMPERING
[Deleted] BLUECAT_DHCP_BOOTREQUEST
[Deleted] BLUECAT_DHCP_DECLINE
[Deleted] BLUECAT_DHCP_INFORM
[Deleted] BLUECAT_DHCP_OFFER
[Deleted] BLUECAT_DHCP_failover
[Deleted] BLUECAT_DHCP_reuse_lease
[Deleted] BLUECAT_DNS_NO_KEY
[Deleted] BLUECAT_DNS_WITH_KEY
[Deleted] BLUECOAT_PROXY
[Deleted] BLUECOAT_PROXY_2
[Deleted] BLUECOAT_PROXY_4
[Deleted] BLUECOAT_PROXY_5
[Deleted] BLUECOAT_PROXY_6
[Deleted] BLUECOAT_PROXY_7
[Deleted] Bind_DNS_log_1
[Deleted] Bind_DNS_log_10
[Deleted] Bind_DNS_log_2
[Deleted] Bind_DNS_log_3
[Deleted] Bind_DNS_log_4
[Deleted] Bind_DNS_log_5
[Deleted] Bind_DNS_log_6
[Deleted] Bind_DNS_log_7
[Deleted] Bind_DNS_log_8
[Deleted] Bind_DNS_log_9
[Deleted] CB_PROTECT
[Deleted] CB_PROTECT_USERNAME
[Deleted] CB_RESPONSE_SERVER_1
[Deleted] CB_RESPONSE_SERVER_10
[Deleted] CB_RESPONSE_SERVER_11
[Deleted] CB_RESPONSE_SERVER_13
[Deleted] CB_RESPONSE_SERVER_14
[Deleted] CB_RESPONSE_SERVER_15
[Deleted] CB_RESPONSE_SERVER_17
[Deleted] CB_RESPONSE_SERVER_2
[Deleted] CB_RESPONSE_SERVER_20
[Deleted] CB_RESPONSE_SERVER_3
[Deleted] CB_RESPONSE_SERVER_4
[Deleted] CB_RESPONSE_SERVER_5
[Deleted] CB_RESPONSE_SERVER_6
[Deleted] CB_RESPONSE_SERVER_7
[Deleted] CB_RESPONSE_SERVER_9
[Deleted] CB_RESPONSE_SEVERITY_1
[Deleted] CB_RESPONSE_SEVERITY_2
[Deleted] CB_RESPONSE_SEVERITY_3
[Deleted] CHECKPOINT_ACCEPT
[Deleted] CHECKPOINT_CRYPT
[Deleted] CHECKPOINT_DROP
[Deleted] CHECKPOINT_KEY_INSTALL
[Deleted] CHECKPOINT_VPN_ROUTE
[Deleted] CICSCOFW434002
[Deleted] CISCOFW321001
[Deleted] CISCOFW419001
[Deleted] CISCO_ACS_FAILED_ATTEMPT
[Deleted] CISCO_ACS_FAILED_AUTHENTICATION
[Deleted] CISCO_ACS_PASSED_AUTHENTICATION
[Deleted] CISCO_ACS_TACACS_ACCOUNTING
[Deleted] CISCO_MERAKI_IDS_ALERTS
[Deleted] CISCO_MERAKI_SECURITY_EVENT
[Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
[Deleted] CRM_VODLOG
[Deleted] Cisco_Umbrella_IP_Logs
[Deleted] Dns_Update
[Deleted] EPO_THREATS_AV
[Deleted] EPO_THREAT_EVENT
[Deleted] EXABEAM
[Deleted] F5_HTTPD_AUDIT
[Deleted] F5_SSHD_SAMPLES
[Deleted] F5_SSL_REQUEST
[Deleted] FLOW_REASSEMBLE
[Deleted] FORCEPOINT_NEW_AND_IMPROVED
[Deleted] Failed_Logon
[Deleted] Firepower_ALERT_IDS
[Deleted] Firepower_Access_Control
[Deleted] Firepower_Access_Control_2
[Deleted] Firepower_Access_Control_3
[Deleted] Firepower_Access_Control_4
[Deleted] Firepower_Access_Control_5
[Deleted] IBM_WebSpheredatadevice_error_1
[Deleted] IBM_WebSpheredatadevice_error_2
[Deleted] IBM_WebSpheredatadevice_error_3
[Deleted] IBM_WebSpheredatadevice_error_4
[Deleted] IBM_WebSpheredatadevice_error_5
[Deleted] INFLOBLOX_DNS_MESSAGE
[Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
[Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
[Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
[Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
[Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
[Deleted] INFOBLOX_DHCPNAK_SAMPLES
[Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
[Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
[Deleted] INFOBLOX_DHCP_UPDATER_1
[Deleted] INFOBLOX_DHCP_UPDATER_2
[Deleted] INFOBLOX_DHCP_UPDATER_3
[Deleted] INFOBLOX_DHCP_UPDATER_4
[Deleted] INFOBLOX_DHCP_UPDATER_5
[Deleted] INFOBLOX_DHCP_V2_SAMPLES
[Deleted] INFOBLOX_DNS_QUERIES
[Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
[Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
[Deleted] INFOBLOX_DNS_RESPONSE
[Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
[Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
[Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
[Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
[Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
[Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
[Deleted] INFOBLOX_DOMAIN_NOTIFIED
[Deleted] IRONPORT_QUARANTINE_MID
[Deleted] IRONPORT_QUARANTINE_TO
[Deleted] IRON_PORT_CONNECTION
[Deleted] IRON_PORT_DCID_MSG
[Deleted] IRON_PORT_DKIM
[Deleted] IRON_PORT_ICID_MSG
[Deleted] IRON_PORT_INFO_ICID
[Deleted] IRON_PORT_INFO_MID
[Deleted] IRON_PORT_INFO_MID_ICID
[Deleted] IRON_PORT_INFO_MSG
[Deleted] IRON_PORT_ISQ_RPC
[Deleted] IRON_PORT_WARN_FULL
[Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
[Deleted] IRON_PORT_WARN_LIMIT
[Deleted] IRON_PORT_WARN_MSG
[Deleted] IRON_PORT_WSA
[Deleted] IRON_PORT_WSA_NOHD
[Deleted] IRON_PORT_WSA_NOHD_01
[Deleted] IRON_PORT_WSA_NOHD_03
[Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
[Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
[Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
[Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
[Deleted] Internal_Auth_Logs
[Deleted] LINUXSERVER_AUDIT_LOGS_1
[Deleted] LINUXSERVER_AUDIT_LOGS_2
[Deleted] LINUXSERVER_LOG_1
[Deleted] LINUXSERVER_LOG_11
[Deleted] LINUXSERVER_LOG_2
[Deleted] LINUXSERVER_LOG_3
[Deleted] LINUXSERVER_LOG_4
[Deleted] LINUXSERVER_LOG_5
[Deleted] LINUXSERVER_LOG_6
[Deleted] LINUXSERVER_LOG_7
[Deleted] LINUX_USER_AND_HOSTNAME
[Deleted] Linux_Laravel_Logs1
[Deleted] Linux_Laravel_Logs2
[Deleted] Linux_Laravel_Logs3
[Deleted] MVISION_CASB
[Deleted] NAT_RULES_MATCH
[Deleted] NMS_LOGS
[Deleted] NSM_THREAT_IPS
[Deleted] OAUTH_LOG
[Deleted] Ossec_Logs_01
[Deleted] Ossec_Logs_02
[Deleted] Ossec_Logs_03
[Deleted] Ossec_Logs_04
[Deleted] Ossec_Logs_06
[Deleted] PALO_ALTO_TRAPS
[Deleted] PALO_TRAPS_EXTRA
[Deleted] PAN_TRAPS_ANALYTICS
[Deleted] PAN_TRAPS_ANALYTICS_CLOUD
[Deleted] PAN_TRAPS_CONFIG_CLOUD
[Deleted] PAN_TRAPS_MISC_CLOUD
[Deleted] PAN_TRAPS_SYSTEM_CLOUD
[Deleted] PULSESECURE_LOGS
[Deleted] PULSESECURE_LOGS2
[Deleted] Renew_Logs
[Deleted] SESSION_ERROR
[Deleted] SHIBBOLETH_DUO
[Deleted] SHIBBOLETH_HTTP_EDU
[Deleted] SHIBBOLETH_HTTP_MAIL
[Deleted] SHIBBOLETH_LDAP
[Deleted] SHIBBOLETH_LDAP_EMAIL
[Deleted] SNARE_AGENTHEARTBEAT_LOGS
[Deleted] SNARE_WINDOWS_DHCP_LOGS
[Deleted] SNMP_LOGS
[Deleted] SURICATA_HTTP_LOGS
[Deleted] SURICATA_LOGSTASH
[Deleted] SURICATA_LOGSTASH_CUSTOM
[Deleted] SURICATA_THREAT_LOGS
[Deleted] SYMANTEC_SEP_Anti_Virus
[Deleted] SYMANTEC_SEP_PRF_01
[Deleted] SYMANTEC_SEP_PRF_02
[Deleted] SYMANTEC_SEP_PRF_03
[Deleted] SYMANTEC_SEP_SDN
[Deleted] SYMANTEC_SEP_SONAR
[Deleted] SYMANTEC_SEP_SRF
[Deleted] SYMANTEC_SEP_USB_1
[Deleted] SonicWall_Bad_FTP_Protocol
[Deleted] SonicWall_Block_Dropped_Events
[Deleted] SonicWall_Flood_Attack
[Deleted] SonicWall_IPS
[Deleted] SonicWall_Port_Scan
[Deleted] SonicWall_URL_Filter
[Deleted] Successful_Logon
[Deleted] TANIUM_S24_TYPE_LOGS
[Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
[Deleted] VDM_LOG_EXTRA
[Deleted] VDM_MESSAGES_CONNECT
[Deleted] VDM_MESSAGES_DIRECTORY
[Deleted] VDM_MESSAGES_FROM
[Deleted] VDM_MESSAGES_FTP
[Deleted] VDM_MESSAGES_WARN
[Deleted] VLT_VAULT_EXTRA
[Deleted] VPN_Message_2
[Deleted] VPN_Message_3
[Deleted] VPN_Message_4
[Deleted] VPN_Message_5
[Deleted] VPN_Messages
[Deleted] Vmware_Logs_1
[Deleted] Vmware_Logs_2
[Deleted] Vmware_Logs_3
[Deleted] Vmware_Logs_4
[Deleted] Vmware_Logs_5
[Deleted] Vmware_Logs_6
[Deleted] Vmware_Logs_7
[Deleted] Vmware_Logs_8
[Deleted] WATCHGUARD_FLOW_LOG
[Deleted] WATCHGUARD_FLOW_LOG_2
[Deleted] WINDOWS_DHCP_LOG
[Deleted] WINDOWS_QUICK_FIX
[Deleted] Zscaler_Firewall
[Deleted] cisco_authentication_01
[Deleted] cisco_authentication_02
[Deleted] cisco_authentication_03
[Deleted] cisco_authentication_04
[Deleted] cisco_authentication_05
[Deleted] cisco_authentication_06
[Deleted] cisco_authentication_07
[Deleted] cisco_authentication_08
[Deleted] cisco_authentication_09
[Deleted] cisco_authentication_10
[Deleted] cisco_authentication_11
[Deleted] cisco_authentication_12
[Deleted] cisco_authentication_13
[Deleted] cisco_authentication_14
[Deleted] cisco_authentication_15
[Deleted] cisco_ios_system_log_message
[Deleted] cisco_ios_system_log_message_queue_full
[Deleted] citrix_netscaler_AAA_Messsage
[Deleted] citrix_netscaler_API_CMD_EXECUTED
[Deleted] citrix_netscaler_TCP_connection_terminated
[Deleted] citrix_netscaler_delinked_message
[Deleted] citrix_netscaler_delinked_message_01
[Deleted] windows_defender

Schema

[New] _cipSourceHost
[New] _cipSourceName

April 7, 2022 - Announcement

On April 21, 2022 we will be removing the following legacy log mappers related to the CIP Windows collector from the Cloud SIEM platform. These log mappers are in use with only a small portion of our customer base and we are working with our technical account teams to reach out directly to those impacted and migrate to our newer Sumo parsers.

No loss of out-of-the-box functionality will occur and no out-of-the-box rules are impacted as the Sumo parsers map all of the same information. Please be sure to check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.

Windows - Security - 1100 - CIP
Windows - Security - 1102 - CIP
Windows - Security - 4625 - CIP
Windows - Security - 4624 - CIP
Windows - Security - 4634 - CIP
Windows - Security - 4648 - CIP
Windows - Security - 4649 - CIP
Windows - Security - 4672 - CIP
Windows - Security - 4688 - CIP
Windows - Security - 4697 - CIP
Windows - Security - 4698 - CIP
Windows - Security - 4702 - CIP
Windows - Security - 4720 - CIP
Windows - Security - 4726 - CIP
Windows - Security - 4740 - CIP
Windows - Security - 4742 - CIP
Windows - Security - 5805 - CIP
Windows - Security - 4768 - CIP
Windows - Security - 4769 - CIP
Windows - Security - 4770 - CIP
Windows - Security - 4771 - CIP
Windows - Security - 4776 - CIP
Windows - Security - 4778 - CIP
Windows - Security - 4779 - CIP
Windows - Security - 5140 - CIP
Windows - Security - 4728 - CIP
Windows - Security - 4732 - CIP
Windows - Security - 4756 - CIP
Windows - Security - 4661 - CIP
Windows - Security - 4704 - CIP
Windows - Security - 4754 - CIP
Windows - Security - 4780 - CIP
Windows - Security - 4793 - CIP
Windows - Security - 5038 - CIP
Windows - Security - 6272 - CIP
Windows - Security - 6273 - CIP
Windows - Security - 6275 - CIP
Windows - Security - 6278 - CIP
Windows - Security - 4662 - CIP
Windows - Security - 4755 - CIP
Windows - Security - 4689 - CIP
Windows - Security - 4798 - CIP
Windows - Security - 6416 - CIP
Windows - Security - 6423 - CIP
Windows - Security - 6424 - CIP
Windows - Security - 4656 - CIP
Windows - Security - 4663 - CIP
Windows - Security - 4658 - CIP
Windows - Security - 4674 - CIP
Windows - Security - 4799 - CIP
Windows - Security - 5058 - CIP
Windows - Security - 5059 - CIP
Windows - Security - 5061 - CIP
Windows - Security - 5379 - CIP
Windows - System - 5138 - CIP
Windows - System - 6005 - CIP
Windows - System - 6006 - CIP
Windows - System - 7045 - CIP
Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP

April 7, 2022 - Content Release

Rules

[Updated] MATCH-S00599 Alibaba ActionTrail Root Login
[Updated] MATCH-S00476 Suspicious Execution of Search Indexer
[Updated] MATCH-S00570 WMIPRVSE Spawning Process
[Updated] MATCH-S00168 Windows - Local System executing whoami.exe

Log Mappers

[New] Cisco ASA 313004 JSON
[New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
[Updated] AzureActivityLog 01
[Updated] AzureActivityLog AuditLogs

Parsers

[Updated] /Parsers/System/Cisco/Cisco ASA
[Updated] /Parsers/System/Linux/Linux OS Syslog
[Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
[Updated] /Parsers/System/SentinelOne/SentinelOne Syslog

April 6, 2022 - Announcement

Upcoming Removal of Unused Content

On Tuesday, April 12th, unused legacy grok parsers and their corresponding log mappers will be removed from Cloud SIEM.

This update is part of a longer transition as we begin decommissioning legacy grok parsers in favor of our current parser set. Sumo Logic has confirmed customers are NOT actively using any of the legacy grok parsers or log mappers we plan to remove in this future update.

It's important to note that this future content update does NOT remove or change existing legacy grok parsers or associated log mappers still used by customers today. We do not expect this update to cause any operational changes.

April 1, 2022 - Content Release

Spring4Shell Exploitation

A new Rule is being deployed designed to detect attempts to exploit Spring4Shell (MATCH-S00783). This Rule does not necessarily indicate whether the exploitation was successful, but Cloud SIEM already includes a number of Rules that provide extensive coverage of common post exploitation activities, notably:

MATCH-S00348 Curl Start Combination
MATCH-S00362 Suspicious Curl File Upload
LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
MATCH-S00149 PowerShell File Download
MATCH-S00164 Suspicious Shells Spawned by Web Servers
MATCH-S00174 Web Services Executing Common Web Shell Commands

Rules

[New] MATCH-S00783 Spring4Shell Exploitation - URL
[Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

[New] Netskope - WebTx Events
[New] Tenable.io Authentication
[New] Tenable.io Catch All
[Updated] AWS CloudFront
[Updated] AWS WAF Block Logs
[Updated] Microsoft Office 365 Active Directory Authentication Events
[Updated] Tenable.io Vulnerability

Sumo Logic Cloud SIEM Release Notes

March 12th, 2026 - Content Release

Rules​

Log Mappers​

Parsers​

February 24th, 2026 - Content Release

Log Mappers​

Parsers​

February 18, 2026 - Application Update

Bulk update insights​

February 9th, 2026 - Content Release

Rules​

Log Mappers​

Parsers​

January 23rd, 2026 - Content Release

Log Mappers​

Parsers​

January 15th, 2026 - Content Release

Rules​

Log Mappers​

Parsers​

January 9th, 2026 - Content Release

Rules​

Log Mappers​

Parsers​

2025 Release Notes Archive - Cloud SIEM

December 15, 2025 - Application Update​

Threat Intel 471 update​

December 10, 2025 - Application Update​

New look for list pages​

December 05, 2025 - Content Release​

Rules​

Log Mappers​

Parsers​

November 14, 2025 - Content Release​

Rules​

Log Mappers​

Parsers​

November 06, 2025 - Content Release​

Rules​

Log Mappers​

Parsers​

October 29, 2025 - Content Release​

Log Mappers​

Parsers​

October 28, 2025 - Content Release​

Log Mappers​

Parsers​

October 10, 2025 - Content Release​

Rules​

Log Mappers​

October 01, 2025 - Content Release​

Log Mappers​

Parsers​

September 22, 2025 - Application Update​

Insight summary​

September 19, 2025 - Content Release​

Rules​

Log Mappers​

Parsers​

August 27, 2025 - Content Release​

Log Mappers​

Parsers​

August 20, 2025 - Content Release​

Log Mappers​

August 19, 2025 - Application Update​

New TAXII 2 Threat Intelligence Sources​

August 15, 2025 - Content Release​

Log Mappers​

Parsers​

August 01, 2025 - Content Release​

Rules​

Log Mappers​

Parsers​

Schema​

July 09, 2025 - Content Release​

Rules​

Log Mappers​

Parsers​

June 26, 2025 - Content Release​

Rules

Log Mappers

Parsers

Log Mappers

Parsers

Bulk update insights

Rules

Log Mappers

Parsers

Log Mappers

Parsers

Rules

Log Mappers

Parsers

Rules

Log Mappers

Parsers

December 15, 2025 - Application Update

Threat Intel 471 update

December 10, 2025 - Application Update

New look for list pages

December 05, 2025 - Content Release

Rules

Log Mappers

Parsers

November 14, 2025 - Content Release

Rules

Log Mappers

Parsers

November 06, 2025 - Content Release

Rules

Log Mappers

Parsers

October 29, 2025 - Content Release

Log Mappers

Parsers

October 28, 2025 - Content Release

Log Mappers

Parsers

October 10, 2025 - Content Release

Rules

Log Mappers

October 01, 2025 - Content Release

Log Mappers

Parsers

September 22, 2025 - Application Update

Insight summary

September 19, 2025 - Content Release

Rules

Log Mappers

Parsers

August 27, 2025 - Content Release

Log Mappers

Parsers

August 20, 2025 - Content Release

Log Mappers

August 19, 2025 - Application Update

New TAXII 2 Threat Intelligence Sources

August 15, 2025 - Content Release

Log Mappers

Parsers

August 01, 2025 - Content Release

Rules

Log Mappers

Parsers

Schema

July 09, 2025 - Content Release

Rules

Log Mappers

Parsers

June 26, 2025 - Content Release

Log Mappers

Parsers

June 12, 2025 - Content Release

Rules

Log Mappers

Parsers

June 02, 2025 - Application Update

New method for building baselines

May 30, 2025 - Content Release