This content release includes:

• Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
• Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.

Rules​

• [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
• [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
• [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
• [Updated] MATCH-S01000 Threat Intel - MD5 Match
• [Updated] MATCH-S01001 Threat Intel - PEHASH Match
• [Updated] MATCH-S01003 Threat Intel - SHA1 Match
• [Updated] MATCH-S01004 Threat Intel - SHA256 Match
• [Updated] MATCH-S01002 Threat Intel - SSDEEP Match

Log Mappers​

• [Updated] Microsoft Office 365 Active Directory Authentication Events
• [Updated] Microsoft Office 365 AzureActiveDirectory Events

Parsers​

• [Updated] /Parsers/System/Microsoft/Office 365

This content release includes:

• Additional data requirements for GitHub rules added to rule descriptions.
• Spelling corrections for AWS Lambda rules.
• New Slack Anomaly Event log mapper and supporting parsing changes:
  • Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
  • Requires parser be defined for passthrough detection.
• Updates to Sysdig parsing and mapping to support additional events.
• Support for Microsoft Windows Sysmon-29 event.
• Additional normalized field mappings for Microsoft Windows Sysmon events.
• New user_phoneNumber and targetUser_phoneNumber schema fields.

Rules​

• [Updated] MATCH-S00874 AWS Lambda Function Recon
• [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
• [Updated] MATCH-S00953 GitHub - Audit Logging Modification
• [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
• [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
• [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
• [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
• [Updated] MATCH-S00955 GitHub - Member Permissions Modification
• [Updated] MATCH-S00956 GitHub - OAuth Application Activity
• [Updated] MATCH-S00957 GitHub - Organization Transfer
• [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
• [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
• [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
• [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
• [Updated] MATCH-S00960 GitHub - Repository Transfer
• [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
• [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
• [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
• [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
• [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
• [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
• [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization

Log Mappers​

• [New] Slack Anomaly Event
• [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
• [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
• [New] Windows - Microsoft-Windows-Sysmon/Operational-29
• [Updated] Sysdig Secure Packages
• [Updated] Sysdig Secure Vulnerability
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27

Parsers​

• [New] /Parsers/System/Slack/Slack Enterprise Audit
• [Updated] /Parsers/System/Sysdig/Sysdig Secure

Schema​

• [New] targetUser_phoneNumber
• [New] user_phoneNumber

New Threat Intelligence Source​

We’re excited to announce a new default source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from Intel 471.

For more information, see our release note in the Service release notes section.

This content release includes new and updated log mappers and parsers for Bitwarden, CommScope, Mimecast, and Sysdig Secure. Updates to Mimecast mappers are to support additional fields and events with new log parser.

Log Mappers​

• [New] Bitwarden Authentication
• [New] Bitwarden Catch All
• [New] CommScope Authentication Event
• [New] CommScope STP and DHCPC Event
• [New] CommScope System|Security
• [New] Sysdig Secure Packages
• [New] Sysdig Secure Vulnerability
• [Updated] Mimecast AV Event
• [Updated] Mimecast Audit Authentication Logs
• [Updated] Mimecast Audit Hold Messages
• [Updated] Mimecast Audit Logs
• [Updated] Mimecast DLP Logs
• [Updated] Mimecast Email logs
• [Updated] Mimecast Impersonation Event
• [Updated] Mimecast Spam Event
• [Updated] Mimecast Targeted Threat Protection Logs

Parsers​

• [New] /Parsers/System/Bitwarden/Bitwarden
• [New] /Parsers/System/CommScope/CommScope
• [New] /Parsers/System/Mimecast/Mimecast
• [New] /Parsers/System/Sysdig/Sysdig Secure

This content release includes Threat Intelligence match rules that use the new hasThreatMatch operator to support both global and custom threat intelligence feeds.

To reduce initial signal volume, basic inbound and outbound IP address threat match rules with a low or medium confidence level are disabled by default (see below). We highly recommend tuning these rules before enabling them to reduce signal volume, and therefore entity risk assignment, to manageable levels.

Rules​

• MATCH-S00999 Threat Intel - IMPHASH Match
• MATCH-S01000 Threat Intel - MD5 Match
• MATCH-S01001 Threat Intel - PEHASH Match
• MATCH-S01002 Threat Intel - SSDEEP Match
• MATCH-S01003 Threat Intel - SHA1 Match
• MATCH-S01004 Threat Intel - SHA256 Match
• MATCH-S01005 Threat Intel - Source Hostname
• MATCH-S01006 Threat Intel - Device Hostname
• MATCH-S01007 Threat Intel - Destination Device Hostname
• MATCH-S01008 Threat Intel - HTTP Hostname
• MATCH-S01009 Threat Intel - HTTP Referrer Hostname
• MATCH-S01010 Threat Intel - DNS Query Domain
• MATCH-S01011 Threat Intel - DNS Reply Domain
• MATCH-S01012 Threat Intel - HTTP Referrer Domain
• MATCH-S01013 Threat Intel - HTTP URL Root Domain
• MATCH-S01014 Threat Intel - HTTP URL FQDN
• MATCH-S01015 Threat Intel - HTTP URL
• MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence) - Disabled By Default
• MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence) - Disabled By Default
• MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence) - Disabled By Default
• MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence) - Disabled By Default
• MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
• MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
• MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

This release includes::

• Updates to parsing and mapping for Airtable and Windows Defender to support additional events and field mappings.
• New parsing and mapping for VMware ESXi.
• Updates to Baracuda Firewall and System Event mapping for normalizedSeverity lookup translation.

Changes are enumerated below.

Log Mappers​

• [New] Airtable Audit C2C Authentication
• [New] VMware ESXi Authentication
• [New] VMware ESXi Catch All
• [New] Windows Defender Catch All
• [Updated] Airtable Audit C2C Catch All
• [Updated] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
• [Updated] Barracuda System Event
• [Updated] Windows Defender ATP Alert
  • Enables additional passthrough alerts.

Parsers​

• [New] /Parsers/System/VMware/VMware ESXi
• [Updated] /Parsers/System/Airtable/Airtable Audit C2C
• [Updated] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON

This release includes:

• New detection rules for Azure DevOps to identify suspicious or sensitive activity in CI/CD pipelines
• New support for Barracuda WAF and CloudGen Firewall
• Support for CyberArk Audit events
• Updates to 1Password mappers to realign field mappings to reflect proper directionality
• Fix for normalizedActions in AWS CloudTrail Policy Change mapper
• Additions to CrowdStrike Audit and UserActivity log mappers to map additional fields and add alternate values
• Support for additional events from Kubernetes and Linux OS logs

Rules​

• [New] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
  • This detection monitors for the creation and deletion of Agent Pools within 5 days by the same user, with the intent of finding Agent Pools active for short durations.
• [New] MATCH-S00997 Azure DevOps - Browser Observed in Personal Access Token (PAT) Use
  • This detection monitors for the use of a PAT for authentication from a User Agent String indicating a web browser.
• [New] MATCH-S00995 Azure DevOps - Change Made to Administrator Group
  • This detection monitors for additions to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrators, Project Collection Build Administrators
• [New] FIRST-S00098 Azure DevOps - First Seen Pull Request Policy Bypassed
  • This detection monitors for when a user performs a pull request bypass for the first time.
• [New] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
  • This detection monitors for new users creating an agent pool. This user has not been observed creating agent pools during the baseline period and may be a new admin or involved in suspicious account activity.
• [New] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
  • This detection monitors for users creating a release pipeline for the first time after the baseline period (by default, 90 days).
• [New] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
  • This detection monitors for a user modifying a variable group for the first time.
• [New] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
  • This detection monitors for users modifying a release pipeline for the first time after the baseline period (by default, 90 days).
• [New] MATCH-S00998 Azure DevOps - Known Malicious Tooling Detected ADOKit
  • This is a simple detection matching on “ADOKit” at the start of the HTTP User Agent String (UAS). This detection effectively catches basic ADOKit use. It is brittle to attackers changing the User Agent String to another more innocuous browser to mask the traffic.
• [New] MATCH-S00994 Azure DevOps - Member Added to Sensitive Group
  • This detection monitors for changes to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrator
• [New] FIRST-S00095 Azure DevOps - New Agent OS Added to Agent Pool
  • This detection monitors for the addition of an agent to an agent pool when the OS of the agent has not been observed in this pool during the baseline period.
• [New] FIRST-S00094 Azure DevOps - New Extension Installed
  • This detection monitors for new extensions installed organization-wide after a 30-day baseline, based on the user installing the new extension.
• [New] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
  • This detection identifies statistical outliers in user behavior for the number of pools deleted in an hourly window.
• [New] MATCH-S00996 Azure DevOps - Personal Access Token (PAT) Misuse Observed
  • This detection monitors for use of a Personal Access Token in conjunction with categories of action that aren’t normally associated with PAT authentication.
• [New] CHAIN-S00021 Azure DevOps - Pipeline Created and Deleted within a Short Period
  • This detection monitors for the creation and deletion of the same pipeline within a short period (by default, a day).
• [New] MATCH-S00993 Azure DevOps - Pipeline Retention Settings Reduced
  • This detection monitors for any reduction in the pipeline retention settings.

Log Mappers​

• [New] Barracuda Authentication
• [New] Barracuda Catch All
• [New] Barracuda CloudGen Auth Service dcclient and events
• [New] Barracuda CloudGen Firewall Activity
• [New] Barracuda CloudGen Settings DNS
• [New] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
• [New] Barracuda System Event
• [New] CyberArk Audit Authentication
• [New] CyberArk Audit Catch All
• [Updated] 1Password Item Audit Actions
• [Updated] 1Password Item Usage Actions
• [Updated] 1Password Item Usage C2C
• [Updated] 1Password Signin C2C
• [Updated] CloudTrail - iam.amazonaws.com - Policy Change
• [Updated] CrowdStrike Audit Logs
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
• [Updated] CrowdStrike UserActivity Logs
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
• [Updated] Linux OS Syslog - Process sshd - SSH Bind Listening and negotiate event

Parsers​

• [New] /Parsers/System/Barracuda/Barracuda CloudGen
• [New] /Parsers/System/Barracuda/Barracuda WAF
• [New] /Parsers/System/Cyber-Ark/CyberArk Audit
• [Updated] /Parsers/System/Kubernetes/Kubernetes
• [Updated] /Parsers/System/Linux/Linux OS Syslog

Strict signal configuration​

We're happy to announce that now when you create custom insights, you can select an option to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded. This allows you to generate insights for an immediate and targeted response.

Learn more.

Threat Intelligence​

We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.

For more information, see our release note in the Service release notes section.

This content release includes updates to mapping and parsing to support additional AWS CloudTrail, F5 Firewall, and modify behavior in Microsoft Office 365 login events.

Changes are enumerated below.

Log Mappers​

• [New] CloudTrail Batch get Partition
• [New] F5 Tmm Audit and APMD Audit - Custom Parser
• [New] F5 Session and adfs proxy - Custom Parser
• [Updated] F5 SSHD and Apmd - Custom Parser
  • Expands scope of existing mapper to include Apmd events.
• [Updated] Microsoft Office 365 Active Directory Authentication Events
  • Adds exclusion for invalid user ID 00000000-0000-0000-0000-000000000000.

Parsers​

• [Updated] /Parsers/System/F5/F5 Syslog

This content release includes updates to Netskope Security Cloud log parsers and mappers to ensure anomaly events are properly mapped by adjusting parser logic to map event IDs from varying locations depending on event type.

Log Mappers​

• [Updated] Netskope - Anomaly - Bulk Download
• [Updated] Netskope - Anomaly - User Shared Credentials
• [Updated] Netskope - nspolicy

Parsers​

• [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

This content release includes:

• New and updated mappers and parsers for Carbon Black, Cisco ISE, Cisco Umbrella, PAN Firewall CSV and LEEF, and Signal Science (Fastly) WAF.
• ❤️

Changes are enumerated below.

Log Mappers​

• [New] Carbon Black Cloud - alert event
• [Updated] Cisco ISE Radius Diagnostics
  • Supports additional Radius Diagnostic messages.
• [Updated] Cisco Umbrella DNS Logs
  • Adds dstDevice_ip, normalizedAction, and user_email.
• [Updated] Cisco Umbrella IP Logs
  • Adds alternate value for dstDevice_ip and adds user_email.
• [Updated] Cisco Umbrella Proxy Logs
  • Adds user_email.

Parsers​

• [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • Adds support for alert event event ID.
• [Updated] /Parsers/System/Cisco/Cisco ISE
  • Adds key value parsing for descriptions.
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
  • Adds a transform for capturing email addresses.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • Modifies parse_system_format_1 regular expression to support additional events.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
  • Normalizes parsing of subtype to have consistent case.
• [Updated] /Parsers/System/Signal Science/Signal Science WAF
  • Adds additional timestamp handling.

This content release includes:

• Removal and updates to Cloud SIEM rules.
• Parsing and mapping support for new products.
• Updates to existing parsing and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules​

• [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
• [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".
• [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".

Log Mappers​

• [New] Crowdstrike FileVantage Catch All
• [New] Dragos Communication
• [New] Dragos Indicator
• [New] Dragos System|Asset
• [New] Extrahop JSON Catch All
• [New] F5 TMM Http Request|TMM Network|TMM Connection error
• [New] F5 TMSH - Custom Parser
• [New] Zendesk - Login events

Updated Field Mappings​

• [Updated] Code42 Incydr Alerts C2C
• [Updated] Cyber Ark EPM AggregateEvent
• [Updated] Google G Suite - meet
• [Updated] Palo Alto GlobalProtect - Custom Parser
• [Updated] Palo Alto GlobalProtect Auth - Custom Parser
• [Updated] Zendesk Catch All

Parsers​

• [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
• [New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing​

• [Updated] /Parsers/System/Code42/Code42 Incydr
• [Updated] /Parsers/System/Dragos/Dragos
• [Updated] /Parsers/System/F5/F5 Syslog
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Microsoft/Office 365
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

This content release includes:

• Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
• Adds parsing and mapping support for additional OpenVPN events.
• Adds additional timestamp format handling to Azure JSON log parsing.

Log Mappers​

• [Updated] Azure DevOps Auditing Catch All
• [Updated] OpenVPN Audit Event
• [Updated] OpenVPN Network Event

Parsers​

• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

This content release includes:

• Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
• Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

Log Mappers​

• [New] Azure DevOps Auditing Catch All
• [New] Check Point Application Control URL Filtering
• [New] Cisco ISE Radius Diagnostics
• [New] Linux OS Syslog - KRB5 Child - Authentication Failure
• [New] Linux OS Syslog - Process systemd - Systemd Session
• [New] Linux OS Syslog - Process systemd - Systemd Session Scope
• [New] Linux OS Syslog - Process systemd - session logout
• [New] Pfsense Firewall filterlog
• [New] Pfsense Firewall nginx
• [New] Pfsense Firewall openvpn Authentication
• [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
• [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
• [Updated] Cisco ISE Authentication Failure
  • Adds normalizedSeverity mapping
• [Updated] Cisco ISE Authentication Success
  • Adds normalizedSeverity mapping
• [Updated] Cloudflare - Logpush
  • Adds mapping for dns_query, http_hostname, http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol.
• [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
  • Adds mapping for normalizedAction
• [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
  • Added support for additional events and mapping of file_path

Parsers​

• [New] /Parsers/System/Pfsense/Pfsense Firewall
• [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
• [Updated] /Parsers/System/Cisco/Cisco ISE
• [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
• [Updated] /Parsers/System/Linux/Linux OS Syslog
• [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
• [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

This is an archive of 2024 Cloud SIEM release notes. To view the full archive, click here.

This is an archive of 2023 Cloud SIEM release notes. To view the full archive, click here.

This is an archive of 2022 Cloud SIEM release notes. To view the full archive, click here.