
This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules

  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
    • Updated rule expression to reduce false positives.
  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event
    • Updated Severity from 4 to 1.
  • [Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
    • Corrected the transposed description and summary, and lowered Severity from 3 to 1.

Log Mappers

Added userAgent mapping to Okta.

  • [New] Kaltura Audits
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All

Parsers

  • [New] /Parsers/System/Kaltura/Kaltura

This content release adds and modifies Citrix Cloud C2C content to handle additional event types and to bring the existing event mapping into line with the new events. It also adds support for Code42 Incydr, Abnormal Security, and JumpCloud Directory Insights via C2C.

Log Mappers

  • [Deleted] Citrix Cloud Client
    • This mapping is replaced by the new Citrix Cloud mappers listed below.
  • [New] Abnormal Security Threats
  • [New] Citrix Cloud Operation Logs
  • [New] Citrix Cloud System Logs
  • [New] Code42 Incydr Alerts C2C
  • [New] Code42 Incydr Audits C2C
  • [New] Code42 Incydr FileEvents C2C
  • [New] JumpCloud Directory Insights - Admin Logon
  • [New] JumpCloud Directory Insights - Catch All

Parsers

  • [New] /Parsers/System/Abnormal Security/Abnormal Security
  • [New] /Parsers/System/Code42/Code42 Incydr
  • [New] /Parsers/System/JumpCloud/JumpCloud Directory Insights
  • [Updated] /Parsers/System/Citrix/Citrix Cloud C2C

Minor changes and enhancements

  • [New] Continuing our work to better align the Cloud SIEM UI pages with Log Analytics UI pages to improve usability and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated.
  • [New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged).
  • [New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied.
  • [Updated] The Object Type attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed.
  • [New] A user-editable Description field has been added to Rule Tuning Expressions.

Bug fixes

  • Sorting by value was not working properly on the Entities list page.
  • Sometimes, if the target value was left blank (default), domain normalization would append a colon to the resulting value.
  • Customers were being rate limited by VirusTotal: a change to the VirusTotal API caused errors in Cloud SIEM, and the resulting constant retries triggered the rate limiting. This has been resolved, as has an issue with enrichments for file hashes.
  • Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly).
  • The MITRE ATT&CK® stage attribute was missing from some Signals in the audit logs.
  • Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration.
  • On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible.
  • The reputation indicator on the Entity Details page was being rendered, then hidden.

This release includes new log mapping and parsing content for Druva Cyber Resilience:

Log Mappers

  • [New] Druva Cyber Resilience - Admin Logon
  • [New] Druva Cyber Resilience - Catch All

Parsers

  • [New] /Parsers/System/Druva/Druva Cyber Resilience

Bug Fixes

  • Recently, two rules, FIRST-S00052 and FIRST-S00049, were released to customers erroneously. Soon after, these rules started generating false positive Signals and Insights. We have removed those rules from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights.

This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below.

Log Mappers

  • [New] Trellix mVision ePO Threats
  • [New] Zero Networks Segment Audit Activity
  • [New] Zero Networks Segment Network Activity
  • [Updated] AzureActivityLog 01
    • Remapped Application from properties.clientAppUsed to properties.appDisplayName for consistency

Parsers

  • [New] /Parsers/System/Trellix/Trellix MVision EPO
  • [New] /Parsers/System/Zero Networks/Zero Networks Segment

This release includes minor mapping adjustments to Duo and MS Graph Identity Protection Risk logs. Specific changes are enumerated below.

Log Mappers

  • [Updated] Duo Security Admin API - Audit
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Authentication
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Non-User Audit Changes
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Targeted User Audit Changes
    • Added mappings for source host and source IP
  • [Updated] Microsoft Graph Identity Protection API C2C - riskDetections
    • Added principal as primary user_username key
  • [Updated] Microsoft Graph Identity Protection API C2C - riskyUsers
    • Added principal as primary user_username key
Tip: For all the up-to-date Cloud SIEM content, see the Cloud SIEM Content Catalog.

This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&CK® tactic and technique tags.

Rules

  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
    • Updated name expression to reduce Insight false positives
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
  • [Updated] MATCH-S00705 Registry Modification - Authentication Package
  • [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
  • [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
  • [Updated] MATCH-S00379 WMIExec VBS Script
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
    • Corrected expression to exclude OS SIDs from user_userId; the prior expression incorrectly applied the exclusion to SubjectLogonID
  • [Updated] MATCH-S00724 Windows Update Agent DLL Changed
  • [Updated] MATCH-S00435 XSL Script Processing
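The correction to MATCH-S00570 above, shown as an added example that is not part of the original release notes or of Sumo Logic's rule content. It re-implements the core of a "WmiPrvSE.exe spawning a process" rule in Python over constructed, already-normalized process-creation records, once the way the prior expression behaved (testing the OS SID exclusion against SubjectLogonId, which holds a logon ID and can never equal a SID) and once against user_userId. The field names, the sample records, and the exclusion set of well-known service SIDs (S-1-5-18, S-1-5-19, S-1-5-20) are assumptions, not the actual rule expression.

```python
"""Added example: detection logic in the spirit of MATCH-S00570 (WMIPRVSE Spawning
Process), evaluated two ways over constructed records to show why the field the
OS SID exclusion is applied to matters. Not Sumo Logic's rule expression."""

# Assumed exclusion set: LocalSystem, LocalService, NetworkService.
OS_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Constructed sample records. Top-level keys mimic Cloud SIEM-style normalized
# field names (assumed); 'fields' holds raw Windows 4688 attributes.
SAMPLE_RECORDS = [
    {   # interactive user: WmiPrvSE.exe spawning cmd.exe (classic WMI remote exec)
        "id": "r1",
        "parentBaseImage": "WmiPrvSE.exe",
        "baseImage": "cmd.exe",
        "commandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\out.txt",
        "user_userId": "S-1-5-21-1004336348-1177238915-682003330-1001",
        "fields": {"SubjectLogonId": "0x5a3b1"},
    },
    {   # LocalSystem: WmiPrvSE.exe spawning a child during routine WMI work (noise)
        "id": "r2",
        "parentBaseImage": "WmiPrvSE.exe",
        "baseImage": "WerFault.exe",
        "commandLine": "WerFault.exe -u -p 4120 -s 1234",
        "user_userId": "S-1-5-18",
        "fields": {"SubjectLogonId": "0x3e7"},
    },
    {   # unrelated parent; must never match either version
        "id": "r3",
        "parentBaseImage": "svchost.exe",
        "baseImage": "powershell.exe",
        "commandLine": "powershell.exe -nop -w hidden",
        "user_userId": "S-1-5-18",
        "fields": {"SubjectLogonId": "0x3e7"},
    },
]


def _parent_is_wmiprvse(rec):
    # Compare the basename case-insensitively so path and casing differences don't matter.
    return rec.get("parentBaseImage", "").lower() == "wmiprvse.exe"


def prior_expression(rec):
    """Reproduces the defect the release note describes: the exclusion is tested
    against SubjectLogonId (a logon ID such as 0x3e7), which never equals a SID,
    so the exclusion is dead code and SYSTEM-owned children still fire."""
    logon_id = rec.get("fields", {}).get("SubjectLogonId", "")
    return _parent_is_wmiprvse(rec) and logon_id.upper() not in OS_SIDS


def corrected_expression(rec):
    """Exclusion tested against user_userId, the normalized SID field. A record
    with no SID at all is still reported rather than silently suppressed."""
    sid = rec.get("user_userId", "")
    return _parent_is_wmiprvse(rec) and sid.upper() not in OS_SIDS


def evaluate(rule, records):
    """Return the ids of the records the rule fires on, in input order."""
    return [rec["id"] for rec in records if rule(rec)]


if __name__ == "__main__":
    print("prior    :", evaluate(prior_expression, SAMPLE_RECORDS))
    print("corrected:", evaluate(corrected_expression, SAMPLE_RECORDS))
```

Run as a script, the prior version fires on both WmiPrvSE records (r1 and r2), including the LocalSystem one that the exclusion was meant to drop; the corrected version fires only on r1, the user-context spawn worth a Signal.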

Log Mappers

  • [New] 1Password Item Audit Actions
  • [New] 1Password Item Usage Actions
  • [New] Zeek DNS Activity
  • [New] Zeek HTTP Activity
  • [New] Zeek conn Activity

Parsers

  • [New] /Parsers/System/1Password/1Password
  • [New] /Parsers/System/1PasswordC2C/1PasswordC2C
  • [New] /Parsers/System/Zeek/Zeek

Schema

  • [New] metadata_sourceBlockId
    • The _blockId of the original source log message (from Sumo Logic)

This is an archive of 2023 Cloud SIEM Release Notes. The current Cloud SIEM Release Notes are here.


This is an archive of 2022 Cloud SIEM Release Notes. The current Cloud SIEM Release Notes are here.



Copyright © 2024 by Sumo Logic, Inc.