This content release includes:

• Rule update
• New support for CommScope Ruckus SmartZone
• Additional mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
• Updates for existing mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
  • Added normalizedAction and action fields to Windows PowerShell mappers
• Changes to Windows PowerShell JSON parsing to support additional log formats

Changes are enumerated below.

Rules​

• [Updated] MATCH-S00068 O365 - Users Password Changed
  • Updated to use targetUser_username

Log mappers​

• [New] CommScope Ruckus SmartZone Default
• [New] CrowdStrike FDR - DNSRequest
• [New] Google G Suite - login - risky_sensitive_action_allowed
• [New] Google G Suite - login challange
• [New] Windows - Windows PowerShell
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
  • Added alternate field for threat_name
• [Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
  • Added alternate field for threat_name
• [Updated] Google G Suite - login - password_change/recovery_info_change
  • Added additional mapped fields
• [Updated] Google G Suite - login.login
  • Added additional mapped fields
• [Updated] Google G Suite - logout
  • Added additional mapped fields
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4103
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4106

Parsers​

• [New] /Parsers/System/CommScope/CommScope Ruckus SmartZone
• [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON

This release includes:

• New rules for monitoring AWS services (see below for tuning guidance).
• Updated rules for Microsoft O365 and Powershell.
• Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
• Updates to Cisco Umbrella mappers to add user_username.
• Updates to SentinelOne mappers to drop null values.
• New parsers for Azure Virtual Network and SentinelOne MGMT API.
• Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.

Changes are enumerated below.

Rules​

• [New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
  • [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
• [New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
  • [Disabled by Default] Detection of a user account's first enumeration of custom AWS Bedrock models via ListCustomModels API. Verify the user is authorized for AWS Bedrock access. The http_userAgent field indicates whether a browser or CLI tool was used. This rule is disabled by default due to potential high volume of alerts, particularly from service accounts. Before enabling, consider excluding authorized users and service accounts (such as CNAPP monitoring accounts with timestamp-based usernames) through rule tuning expressions.
• [New] OUTLIER-S00032 Outlier in Data Transferred from an S3 Bucket by User
  • [Disabled by Default] This rule detects an unusual amount of data transferred outbound from an S3 bucket (requires AWS Data events are required). Verify if the user, role and IP address associated with this activity are authorized. This rule is disabled by default due to potential signal volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
• [New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
  • [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
• [Updated] MATCH-S00069 O365 - Users Password Reset
  • Changed Entity and Summary, replacing user_username with targetUser_username.
• [Updated] MATCH-S00449 Powershell Execution Policy Bypass
  • Fixed camel case in commandLine field.

Log Mappers​

• [New] Azure Virtual Network Flow logs
• [Updated] Abnormal Security Threats
• [Updated] Cisco ASA 103001 JSON
• [Updated] Cisco ASA 103004 JSON
• [Updated] Cisco ASA 106001 JSON
• [Updated] Cisco ASA 106002 JSON
• [Updated] Cisco ASA 106006 JSON
• [Updated] Cisco ASA 106007 JSON
• [Updated] Cisco ASA 106010 JSON
• [Updated] Cisco ASA 106012 JSON
• [Updated] Cisco ASA 106014 JSON
• [Updated] Cisco ASA 106015 JSON
• [Updated] Cisco ASA 106021 JSON
• [Updated] Cisco ASA 106023 JSON
• [Updated] Cisco ASA 106027 JSON
• [Updated] Cisco ASA 106100 JSON
• [Updated] Cisco ASA 106102-3 JSON
• [Updated] Cisco ASA 109005-8 JSON
• [Updated] Cisco ASA 110002 JSON
• [Updated] Cisco ASA 111008-9 JSON
• [Updated] Cisco ASA 111010 JSON
• [Updated] Cisco ASA 113003 JSON
• [Updated] Cisco ASA 113004 JSON
• [Updated] Cisco ASA 113005 JSON
• [Updated] Cisco ASA 113006 JSON
• [Updated] Cisco ASA 113007 JSON
• [Updated] Cisco ASA 113008 JSON
• [Updated] Cisco ASA 113009 JSON
• [Updated] Cisco ASA 113012-17 JSON
• [Updated] Cisco ASA 113019 JSON
• [Updated] Cisco ASA 113021 JSON
• [Updated] Cisco ASA 113039 JSON
• [Updated] Cisco ASA 209004 JSON
• [Updated] Cisco ASA 302010 JSON
• [Updated] Cisco ASA 302020-1 JSON
• [Updated] Cisco ASA 303002 JSON
• [Updated] Cisco ASA 304001 JSON
• [Updated] Cisco ASA 304002 JSON
• [Updated] Cisco ASA 305011-12 JSON
• [Updated] Cisco ASA 313001 JSON
• [Updated] Cisco ASA 313004 JSON
• [Updated] Cisco ASA 313005 JSON
• [Updated] Cisco ASA 314003 JSON
• [Updated] Cisco ASA 315011 JSON
• [Updated] Cisco ASA 322001 JSON
• [Updated] Cisco ASA 322003 JSON
• [Updated] Cisco ASA 338001-8+338201-4 JSON
• [Updated] Cisco ASA 4000nn JSON
• [Updated] Cisco ASA 402117 JSON
• [Updated] Cisco ASA 402119 JSON
• [Updated] Cisco ASA 405001 JSON
• [Updated] Cisco ASA 405002 JSON
• [Updated] Cisco ASA 406001 JSON
• [Updated] Cisco ASA 406002 JSON
• [Updated] Cisco ASA 419001 JSON
• [Updated] Cisco ASA 419002 JSON
• [Updated] Cisco ASA 500004 JSON
• [Updated] Cisco ASA 502101-2 JSON
• [Updated] Cisco ASA 502103 JSON
• [Updated] Cisco ASA 602303-4 JSON
• [Updated] Cisco ASA 605004-5 JSON
• [Updated] Cisco ASA 609002 JSON
• [Updated] Cisco ASA 611101-2 JSON
• [Updated] Cisco ASA 611103 JSON
• [Updated] Cisco ASA 710002-3 JSON
• [Updated] Cisco ASA 710005 JSON
• [Updated] Cisco ASA 713052 JSON
• [Updated] Cisco ASA 713172 JSON
• [Updated] Cisco ASA 713228 JSON
• [Updated] Cisco ASA 716014-7-8 JSON
• [Updated] Cisco ASA 716038 JSON
• [Updated] Cisco ASA 716039 JSON
• [Updated] Cisco ASA 716059 JSON
• [Updated] Cisco ASA 719022-3 JSON
• [Updated] Cisco ASA 721016-8 JSON
• [Updated] Cisco ASA 722034 JSON
• [Updated] Cisco ASA 722051 JSON
• [Updated] Cisco ASA 722055 JSON
• [Updated] Cisco ASA 733100 JSON
• [Updated] Cisco ASA 751011 JSON
• [Updated] Cisco ASA 751023 JSON
• [Updated] Cisco ASA 751025 JSON
• [Updated] Cisco ASA tcp_udp_sctp_builds JSON
• [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
• [Updated] Cisco Umbrella DNS Logs
• [Updated] Cisco Umbrella IP Logs
• [Updated] Cisco Umbrella Proxy Logs
• [Updated] SentinelOne Logs - C2C activities
• [Updated] SentinelOne Logs - C2C agents
• [Updated] SentinelOne Logs - C2C alerts
• [Updated] SentinelOne Logs - C2C threats
• [Updated] SentinelOne Logs - C2C users
• [Updated] SentinelOne Logs - Syslog Custom Parser

Parsers​

• [New] /Parsers/System/Microsoft/Azure Virtual Network
• [New] /Parsers/System/SentinelOne/SentinelOne MGMT API
• [Updated] /Parsers/System/Abnormal Security/Abnormal Security
  • Updated the parser to support new events.
• [Updated] /Parsers/System/Cisco/Cisco ASA
  • Updated regex to fix ASA-6-721016 events.
• [Updated] /Parsers/System/Cisco/Cisco ISE
  • Updated parser to drop certain non-actionable logs.
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
  • Updated parser to support additional event format variations.
• [Updated] /Parsers/System/Cylance/Cylance Syslog
  • Updated parser to support new events.
• [Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
  • Updated parser to drop phishing test events.

This content release includes:

• Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
• Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.

Rules​

• [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
• [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
• [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
• [Updated] MATCH-S01000 Threat Intel - MD5 Match
• [Updated] MATCH-S01001 Threat Intel - PEHASH Match
• [Updated] MATCH-S01003 Threat Intel - SHA1 Match
• [Updated] MATCH-S01004 Threat Intel - SHA256 Match
• [Updated] MATCH-S01002 Threat Intel - SSDEEP Match

Log Mappers​

• [Updated] Microsoft Office 365 Active Directory Authentication Events
• [Updated] Microsoft Office 365 AzureActiveDirectory Events

Parsers​

• [Updated] /Parsers/System/Microsoft/Office 365

This content release includes:

• Additional data requirements for GitHub rules added to rule descriptions.
• Spelling corrections for AWS Lambda rules.
• New Slack Anomaly Event log mapper and supporting parsing changes:
  • Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
  • Requires parser be defined for passthrough detection.
• Updates to Sysdig parsing and mapping to support additional events.
• Support for Microsoft Windows Sysmon-29 event.
• Additional normalized field mappings for Microsoft Windows Sysmon events.
• New user_phoneNumber and targetUser_phoneNumber schema fields.

Rules​

• [Updated] MATCH-S00874 AWS Lambda Function Recon
• [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
• [Updated] MATCH-S00953 GitHub - Audit Logging Modification
• [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
• [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
• [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
• [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
• [Updated] MATCH-S00955 GitHub - Member Permissions Modification
• [Updated] MATCH-S00956 GitHub - OAuth Application Activity
• [Updated] MATCH-S00957 GitHub - Organization Transfer
• [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
• [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
• [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
• [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
• [Updated] MATCH-S00960 GitHub - Repository Transfer
• [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
• [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
• [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
• [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
• [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
• [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
• [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization

Log Mappers​

• [New] Slack Anomaly Event
• [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
• [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
• [New] Windows - Microsoft-Windows-Sysmon/Operational-29
• [Updated] Sysdig Secure Packages
• [Updated] Sysdig Secure Vulnerability
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27

Parsers​

• [New] /Parsers/System/Slack/Slack Enterprise Audit
• [Updated] /Parsers/System/Sysdig/Sysdig Secure

Schema​

• [New] targetUser_phoneNumber
• [New] user_phoneNumber

New Threat Intelligence Source​

We’re excited to announce a new default source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from Intel 471.

For more information, see our release note in the Service release notes section.

This content release includes new and updated log mappers and parsers for Bitwarden, CommScope, Mimecast, and Sysdig Secure. Updates to Mimecast mappers are to support additional fields and events with new log parser.

Log Mappers​

• [New] Bitwarden Authentication
• [New] Bitwarden Catch All
• [New] CommScope Authentication Event
• [New] CommScope STP and DHCPC Event
• [New] CommScope System|Security
• [New] Sysdig Secure Packages
• [New] Sysdig Secure Vulnerability
• [Updated] Mimecast AV Event
• [Updated] Mimecast Audit Authentication Logs
• [Updated] Mimecast Audit Hold Messages
• [Updated] Mimecast Audit Logs
• [Updated] Mimecast DLP Logs
• [Updated] Mimecast Email logs
• [Updated] Mimecast Impersonation Event
• [Updated] Mimecast Spam Event
• [Updated] Mimecast Targeted Threat Protection Logs

Parsers​

• [New] /Parsers/System/Bitwarden/Bitwarden
• [New] /Parsers/System/CommScope/CommScope
• [New] /Parsers/System/Mimecast/Mimecast
• [New] /Parsers/System/Sysdig/Sysdig Secure

This content release includes Threat Intelligence match rules that use the new hasThreatMatch operator to support both global and custom threat intelligence feeds.

To reduce initial signal volume, basic inbound and outbound IP address threat match rules with a low or medium confidence level are disabled by default (see below). We highly recommend tuning these rules before enabling them to reduce signal volume, and therefore entity risk assignment, to manageable levels.

Rules​

• MATCH-S00999 Threat Intel - IMPHASH Match
• MATCH-S01000 Threat Intel - MD5 Match
• MATCH-S01001 Threat Intel - PEHASH Match
• MATCH-S01002 Threat Intel - SSDEEP Match
• MATCH-S01003 Threat Intel - SHA1 Match
• MATCH-S01004 Threat Intel - SHA256 Match
• MATCH-S01005 Threat Intel - Source Hostname
• MATCH-S01006 Threat Intel - Device Hostname
• MATCH-S01007 Threat Intel - Destination Device Hostname
• MATCH-S01008 Threat Intel - HTTP Hostname
• MATCH-S01009 Threat Intel - HTTP Referrer Hostname
• MATCH-S01010 Threat Intel - DNS Query Domain
• MATCH-S01011 Threat Intel - DNS Reply Domain
• MATCH-S01012 Threat Intel - HTTP Referrer Domain
• MATCH-S01013 Threat Intel - HTTP URL Root Domain
• MATCH-S01014 Threat Intel - HTTP URL FQDN
• MATCH-S01015 Threat Intel - HTTP URL
• MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence) - Disabled By Default
• MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence) - Disabled By Default
• MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence) - Disabled By Default
• MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence) - Disabled By Default
• MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
• MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
• MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

This release includes::

• Updates to parsing and mapping for Airtable and Windows Defender to support additional events and field mappings.
• New parsing and mapping for VMware ESXi.
• Updates to Baracuda Firewall and System Event mapping for normalizedSeverity lookup translation.

Changes are enumerated below.

Log Mappers​

• [New] Airtable Audit C2C Authentication
• [New] VMware ESXi Authentication
• [New] VMware ESXi Catch All
• [New] Windows Defender Catch All
• [Updated] Airtable Audit C2C Catch All
• [Updated] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
• [Updated] Barracuda System Event
• [Updated] Windows Defender ATP Alert
  • Enables additional passthrough alerts.

Parsers​

• [New] /Parsers/System/VMware/VMware ESXi
• [Updated] /Parsers/System/Airtable/Airtable Audit C2C
• [Updated] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON

This release includes:

• New detection rules for Azure DevOps to identify suspicious or sensitive activity in CI/CD pipelines
• New support for Barracuda WAF and CloudGen Firewall
• Support for CyberArk Audit events
• Updates to 1Password mappers to realign field mappings to reflect proper directionality
• Fix for normalizedActions in AWS CloudTrail Policy Change mapper
• Additions to CrowdStrike Audit and UserActivity log mappers to map additional fields and add alternate values
• Support for additional events from Kubernetes and Linux OS logs

Rules​

• [New] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
  • This detection monitors for the creation and deletion of Agent Pools within 5 days by the same user, with the intent of finding Agent Pools active for short durations.
• [New] MATCH-S00997 Azure DevOps - Browser Observed in Personal Access Token (PAT) Use
  • This detection monitors for the use of a PAT for authentication from a User Agent String indicating a web browser.
• [New] MATCH-S00995 Azure DevOps - Change Made to Administrator Group
  • This detection monitors for additions to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrators, Project Collection Build Administrators
• [New] FIRST-S00098 Azure DevOps - First Seen Pull Request Policy Bypassed
  • This detection monitors for when a user performs a pull request bypass for the first time.
• [New] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
  • This detection monitors for new users creating an agent pool. This user has not been observed creating agent pools during the baseline period and may be a new admin or involved in suspicious account activity.
• [New] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
  • This detection monitors for users creating a release pipeline for the first time after the baseline period (by default, 90 days).
• [New] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
  • This detection monitors for a user modifying a variable group for the first time.
• [New] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
  • This detection monitors for users modifying a release pipeline for the first time after the baseline period (by default, 90 days).
• [New] MATCH-S00998 Azure DevOps - Known Malicious Tooling Detected ADOKit
  • This is a simple detection matching on “ADOKit” at the start of the HTTP User Agent String (UAS). This detection effectively catches basic ADOKit use. It is brittle to attackers changing the User Agent String to another more innocuous browser to mask the traffic.
• [New] MATCH-S00994 Azure DevOps - Member Added to Sensitive Group
  • This detection monitors for changes to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrator
• [New] FIRST-S00095 Azure DevOps - New Agent OS Added to Agent Pool
  • This detection monitors for the addition of an agent to an agent pool when the OS of the agent has not been observed in this pool during the baseline period.
• [New] FIRST-S00094 Azure DevOps - New Extension Installed
  • This detection monitors for new extensions installed organization-wide after a 30-day baseline, based on the user installing the new extension.
• [New] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
  • This detection identifies statistical outliers in user behavior for the number of pools deleted in an hourly window.
• [New] MATCH-S00996 Azure DevOps - Personal Access Token (PAT) Misuse Observed
  • This detection monitors for use of a Personal Access Token in conjunction with categories of action that aren’t normally associated with PAT authentication.
• [New] CHAIN-S00021 Azure DevOps - Pipeline Created and Deleted within a Short Period
  • This detection monitors for the creation and deletion of the same pipeline within a short period (by default, a day).
• [New] MATCH-S00993 Azure DevOps - Pipeline Retention Settings Reduced
  • This detection monitors for any reduction in the pipeline retention settings.

Log Mappers​

• [New] Barracuda Authentication
• [New] Barracuda Catch All
• [New] Barracuda CloudGen Auth Service dcclient and events
• [New] Barracuda CloudGen Firewall Activity
• [New] Barracuda CloudGen Settings DNS
• [New] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
• [New] Barracuda System Event
• [New] CyberArk Audit Authentication
• [New] CyberArk Audit Catch All
• [Updated] 1Password Item Audit Actions
• [Updated] 1Password Item Usage Actions
• [Updated] 1Password Item Usage C2C
• [Updated] 1Password Signin C2C
• [Updated] CloudTrail - iam.amazonaws.com - Policy Change
• [Updated] CrowdStrike Audit Logs
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
• [Updated] CrowdStrike UserActivity Logs
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
• [Updated] Linux OS Syslog - Process sshd - SSH Bind Listening and negotiate event

Parsers​

• [New] /Parsers/System/Barracuda/Barracuda CloudGen
• [New] /Parsers/System/Barracuda/Barracuda WAF
• [New] /Parsers/System/Cyber-Ark/CyberArk Audit
• [Updated] /Parsers/System/Kubernetes/Kubernetes
• [Updated] /Parsers/System/Linux/Linux OS Syslog

Strict signal configuration​

We're happy to announce that now when you create custom insights, you can select an option to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded. This allows you to generate insights for an immediate and targeted response.

Learn more.

Threat Intelligence​

We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.

For more information, see our release note in the Service release notes section.

This content release includes updates to mapping and parsing to support additional AWS CloudTrail, F5 Firewall, and modify behavior in Microsoft Office 365 login events.

Changes are enumerated below.

Log Mappers​

• [New] CloudTrail Batch get Partition
• [New] F5 Tmm Audit and APMD Audit - Custom Parser
• [New] F5 Session and adfs proxy - Custom Parser
• [Updated] F5 SSHD and Apmd - Custom Parser
  • Expands scope of existing mapper to include Apmd events.
• [Updated] Microsoft Office 365 Active Directory Authentication Events
  • Adds exclusion for invalid user ID 00000000-0000-0000-0000-000000000000.

Parsers​

• [Updated] /Parsers/System/F5/F5 Syslog

This content release includes updates to Netskope Security Cloud log parsers and mappers to ensure anomaly events are properly mapped by adjusting parser logic to map event IDs from varying locations depending on event type.

Log Mappers​

• [Updated] Netskope - Anomaly - Bulk Download
• [Updated] Netskope - Anomaly - User Shared Credentials
• [Updated] Netskope - nspolicy

Parsers​

• [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

This content release includes:

• New and updated mappers and parsers for Carbon Black, Cisco ISE, Cisco Umbrella, PAN Firewall CSV and LEEF, and Signal Science (Fastly) WAF.
• ❤️

Changes are enumerated below.

Log Mappers​

• [New] Carbon Black Cloud - alert event
• [Updated] Cisco ISE Radius Diagnostics
  • Supports additional Radius Diagnostic messages.
• [Updated] Cisco Umbrella DNS Logs
  • Adds dstDevice_ip, normalizedAction, and user_email.
• [Updated] Cisco Umbrella IP Logs
  • Adds alternate value for dstDevice_ip and adds user_email.
• [Updated] Cisco Umbrella Proxy Logs
  • Adds user_email.

Parsers​

• [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • Adds support for alert event event ID.
• [Updated] /Parsers/System/Cisco/Cisco ISE
  • Adds key value parsing for descriptions.
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
  • Adds a transform for capturing email addresses.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • Modifies parse_system_format_1 regular expression to support additional events.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
  • Normalizes parsing of subtype to have consistent case.
• [Updated] /Parsers/System/Signal Science/Signal Science WAF
  • Adds additional timestamp handling.

This content release includes:

• Removal and updates to Cloud SIEM rules.
• Parsing and mapping support for new products.
• Updates to existing parsing and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules​

• [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
• [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".
• [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".

Log Mappers​

• [New] Crowdstrike FileVantage Catch All
• [New] Dragos Communication
• [New] Dragos Indicator
• [New] Dragos System|Asset
• [New] Extrahop JSON Catch All
• [New] F5 TMM Http Request|TMM Network|TMM Connection error
• [New] F5 TMSH - Custom Parser
• [New] Zendesk - Login events

Updated Field Mappings​

• [Updated] Code42 Incydr Alerts C2C
• [Updated] Cyber Ark EPM AggregateEvent
• [Updated] Google G Suite - meet
• [Updated] Palo Alto GlobalProtect - Custom Parser
• [Updated] Palo Alto GlobalProtect Auth - Custom Parser
• [Updated] Zendesk Catch All

Parsers​

• [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
• [New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing​

• [Updated] /Parsers/System/Code42/Code42 Incydr
• [Updated] /Parsers/System/Dragos/Dragos
• [Updated] /Parsers/System/F5/F5 Syslog
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Microsoft/Office 365
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

This content release includes:

• Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
• Adds parsing and mapping support for additional OpenVPN events.
• Adds additional timestamp format handling to Azure JSON log parsing.

Log Mappers​

• [Updated] Azure DevOps Auditing Catch All
• [Updated] OpenVPN Audit Event
• [Updated] OpenVPN Network Event

Parsers​

• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

This content release includes:

• Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
• Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

Log Mappers​

• [New] Azure DevOps Auditing Catch All
• [New] Check Point Application Control URL Filtering
• [New] Cisco ISE Radius Diagnostics
• [New] Linux OS Syslog - KRB5 Child - Authentication Failure
• [New] Linux OS Syslog - Process systemd - Systemd Session
• [New] Linux OS Syslog - Process systemd - Systemd Session Scope
• [New] Linux OS Syslog - Process systemd - session logout
• [New] Pfsense Firewall filterlog
• [New] Pfsense Firewall nginx
• [New] Pfsense Firewall openvpn Authentication
• [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
• [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
• [Updated] Cisco ISE Authentication Failure
  • Adds normalizedSeverity mapping
• [Updated] Cisco ISE Authentication Success
  • Adds normalizedSeverity mapping
• [Updated] Cloudflare - Logpush
  • Adds mapping for dns_query, http_hostname, http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol.
• [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
  • Adds mapping for normalizedAction
• [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
  • Added support for additional events and mapping of file_path

Parsers​

• [New] /Parsers/System/Pfsense/Pfsense Firewall
• [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
• [Updated] /Parsers/System/Cisco/Cisco ISE
• [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
• [Updated] /Parsers/System/Linux/Linux OS Syslog
• [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
• [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

This is an archive of 2024 Cloud SIEM release notes. To view the full archive, click here.

This is an archive of 2023 Cloud SIEM release notes. To view the full archive, click here.

This is an archive of 2022 Cloud SIEM release notes. To view the full archive, click here.