
Log Mappers

  • [New] Azure Risky Users
  • [New] Azure User Risk Events
  • [New] CrowdStrike Falcon CustomerIOCEvent (CNC)
  • [New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
  • [New] CrowdStrike Falcon Identity Protection (CNC)
  • [New] Microsoft Office 365 RecordType 105
  • [New] Microsoft Office 365 RecordType 37
  • [New] Microsoft Office 365 RecordType 57
  • [New] Windows - Security - Default
  • [Updated] Azure Event Hub - Windows Defender Logs
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Microsoft Office 365 Events
  • [Updated] Windows - Security - 4740

Parsers

  • [New] /Parsers/System/Microsoft/Microsoft Azure Nested JSON
  • [New] /Parsers/System/Microsoft/Windows-JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Rules

  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process

Log Mappers

  • [Updated] Gigamon Threat Insight - Catch All
  • [Updated] Gigamon Threat Insight - Suricata
  • [Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

  • [New] /Parsers/System/Gigamon/GigamonTI
  • [Updated] /Parsers/System/Lacework/Lacework JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Schema

  • [Updated] baseImage
  • [Updated] commandLine
  • [Updated] file_basename
  • [Updated] file_hash_imphash
  • [Updated] file_hash_md5
  • [Updated] file_hash_pehash
  • [Updated] file_hash_sha1
  • [Updated] file_hash_sha256
  • [Updated] file_hash_ssdeep
  • [Updated] file_path
  • [Updated] http_referer_fqdn
  • [Updated] http_url
  • [Updated] http_url_fqdn
  • [Updated] http_userAgent
  • [Updated] parentBaseImage
  • [Updated] targetUser_email
  • [Updated] user_email

Log Mappers

  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7

Parsers

  • [Updated] /Parsers/System/Microsoft/Sysmon-JSON

Rules

  • [New] MATCH-S00822 Potential Microsoft Office In-Memory Token Theft
  • [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

  • [New] Cisco Meraki 8021x
  • [New] Cisco Meraki Client Association
  • [Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Meraki

Rules

  • [Updated] MATCH-S00582 Malicious Service Installs
  • [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking

Log Mappers

  • [New] BigQuery Gmail C2C - Catch All
  • [New] BigQuery Gmail C2C - Error in Delivery
  • [New] BigQuery Gmail C2C - Failed Delivery
  • [New] BigQuery Gmail C2C - Message was dropped by Gmail
  • [New] BigQuery Gmail C2C - Message was rejected by Google Groups
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] Azure Access Logs
  • [Updated] Azure Action Logs
  • [Updated] Azure Administrative logs
  • [Updated] Azure AuditEvent logs
  • [Updated] Azure ManagedIdentitySignInLogs
  • [Updated] Azure NonInteractiveUserSignInLogs
  • [Updated] Azure ServicePrincipalSignInLogs
  • [Updated] Azure Storage Analytics
  • [Updated] Azure Write and Delete Logs
  • [Updated] AzureActivityLog
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs
  • [Updated] AzureDevOpsAuditing
  • [Updated] AzureDiagnosticLog
  • [Updated] Cisco ASA 113039 JSON
  • [Updated] Cisco Ironport MID - Custom Parser
  • [Updated] Cisco Ironport SFIMS - Custom Parser
  • [Updated] Cisco Ironport WSA - Custom Parser
  • [Updated] GCP App Engine Logs
  • [Updated] GCP Audit Logs
  • [Updated] GCP Firewall
  • [Updated] GCP Parser - Load Balancer
  • [Updated] GCP VPC Flows
  • [Updated] Kubernetes
  • [Updated] Office 365 - Exchange Admin Events
  • [Updated] Windows - Security - 4697
  • [Updated] Windows - Security - 4820

Parsers

  • [New] /Parsers/System/Google/GCP BigQuery Gmail
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Infoblox/Infoblox

Schema

  • [New] device_k8s_normalizedDeploymentName
  • [New] device_k8s_normalizedReplicaSetName
  • [New] dstDevice_k8s_normalizedDeploymentName
  • [New] dstDevice_k8s_normalizedReplicaSetName
  • [New] srcDevice_k8s_normalizedDeploymentName
  • [New] srcDevice_k8s_normalizedReplicaSetName

Rules

  • [New] CHAIN-S00011 Potential InstallUtil Allow List Bypass
  • [Updated] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution

Log Mappers

  • [Updated] AWS - Application Load Balancer - ALB
  • [Updated] AWS - Application Load Balancer - JSON
  • [Updated] AWS API Gateway
  • [Updated] AWS CloudFront
  • [Updated] AWS EKS - Custom Parser
  • [Updated] AWS Elastic Load Balancer - Custom Parser
  • [Updated] AWS GuardDuty Alerts from Sumo CIP
  • [Updated] AWS Inspector - Custom Parser
  • [Updated] AWS Network Firewall Alerts
  • [Updated] AWS Network Firewall Flow
  • [Updated] AWS Network Firewall Netflow
  • [Updated] AWS Route 53 Logs
  • [Updated] AWS S3 Server Access Log - Custom Parser
  • [Updated] AWS Security Hub
  • [Updated] AWS Trusted Advisor
  • [Updated] AWS VPC Flow Logs - Default Format
  • [Updated] AWS VPC Flow Logs - JSON Format
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] AWSGuardDuty_Backdoor
  • [Updated] AWSGuardDuty_Behavior
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_CryptoCurrency
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] AWSGuardDuty_Exfiltration
  • [Updated] AWSGuardDuty_PenTest
  • [Updated] AWSGuardDuty_Persistence
  • [Updated] AWSGuardDuty_Policy
  • [Updated] AWSGuardDuty_ResourceConsumption
  • [Updated] AWSGuardDuty_Stealth
  • [Updated] AWSGuardDuty_Trojan
  • [Updated] AwsServiceEvent-AWS API Call via CloudTrail
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Falco Detection JSON
  • [Updated] Juniper SSG Series Firewall - Audit Messaging
  • [Updated] Juniper SSG Series Firewall - Traffic Messaging
  • [Updated] Microsoft IIS Parser - Catch All
  • [Updated] Recon_EC2_PortProbeUnprotectedPort
  • [Updated] Recon_EC2_Portscan
  • [Updated] Recon_IAMUser
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [Updated] UnauthorizedAccess_EC2_TorClient
  • [Updated] UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] UnauthorizedAccess_EC2_TorRelay
  • [Updated] UnauthorizedAccess_IAMUser

Parsers

  • [Renamed] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog -> /Parsers/System/Juniper/Juniper SSG Series Firewall Syslog
  • [New] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • [Updated] /Parsers/System/Falco/Falco JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

Support for Custom Inventory Sources

Cloud SIEM Enterprise now supports custom sources of inventory data. Now, if you want to ingest inventory data from a source that Sumo Logic does not provide a pre-built connector for, you can use this new feature. See the new document Configure a Custom Inventory Source for details.

Standard Match Lists

As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the previous announcement. This will continue until January 20, 2023, when the migration will be complete.

Minor Changes and Enhancements

  • [New] API endpoints have been created enabling users to upload attribute changes (such as tags or criticality) for multiple Entities in a single call, rather than having to do so one at a time. The new endpoints are /entities/bulk-add-tags, /entities/bulk-update-tags, /entities/bulk-remove-tags, /entities/bulk-update-suppressed, and /entities/bulk-update-criticality. Note that these API endpoints have a limit of 1000 entries per call. More details are available via the API Documentation link in Cloud SIEM Enterprise.
  • [Updated] Previously, a new feature was added to the Enrichments tab that enabled you to hide any attribute-value pair with an "empty" value for clarity. This included values like "0" or "N/A". However, some of those values are often useful to the analyst (for example, number_of_threat_reports="0"). Starting with this release, this feature will only hide attributes with truly empty values (i.e., attribute="").

Resolved Issues

  • The CSV file upload method for updating Entity attributes did not support sensor zones or normalized entity names properly.
  • CSE has switched providers of lists of public dynamic DNS domains, which has resolved an issue with rules utilizing these lists.

Rules

  • [Updated] MATCH-S00640 Kubernetes Pod Created in Kube Namespace
  • [Updated] MATCH-S00642 Kubernetes Service Account Created in Kube Namespace

Log Mappers

  • [New] Juniper SSC Series Firewall - Audit Messaging
  • [New] Juniper SSC Series Firewall - Traffic Messaging
  • [New] Linux-Sysmon/Operational - 1
  • [New] Linux-Sysmon/Operational - 10
  • [New] Linux-Sysmon/Operational - 11
  • [New] Linux-Sysmon/Operational - 15
  • [New] Linux-Sysmon/Operational - 16
  • [New] Linux-Sysmon/Operational - 17
  • [New] Linux-Sysmon/Operational - 18
  • [New] Linux-Sysmon/Operational - 2
  • [New] Linux-Sysmon/Operational - 23
  • [New] Linux-Sysmon/Operational - 3
  • [New] Linux-Sysmon/Operational - 4
  • [New] Linux-Sysmon/Operational - 5
  • [New] Linux-Sysmon/Operational - 6
  • [New] Linux-Sysmon/Operational - 7
  • [New] Linux-Sysmon/Operational - 8
  • [New] Linux-Sysmon/Operational - 9
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Azure Advanced Threat Protection
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Defender for Cloud Apps
  • [Updated] Kubernetes
  • [Updated] Microsoft Office 365 Threat Intelligence Events

Parsers

  • [New] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog
  • [New] /Parsers/System/Linux/Linux Sysmon XML

Schema

  • [New] device_k8s_deployment
  • [New] device_k8s_namespace
  • [New] device_k8s_normalizedPodName
  • [New] device_k8s_pod
  • [New] device_k8s_replicaSet
  • [New] dstDevice_k8s_deployment
  • [New] dstDevice_k8s_namespace
  • [New] dstDevice_k8s_normalizedPodName
  • [New] dstDevice_k8s_pod
  • [New] dstDevice_k8s_replicaSet
  • [New] srcDevice_k8s_deployment
  • [New] srcDevice_k8s_namespace
  • [New] srcDevice_k8s_normalizedPodName
  • [New] srcDevice_k8s_pod
  • [New] srcDevice_k8s_replicaSet
  • [Updated] device_container_runtime

Announcement: Standard Match Lists Migration to Entity Tags

Currently, CSE defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with CSE will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.

Next week, a new set of standard tag schemas will be introduced in CSE. These tag schemas will correspond to the existing standard Match Lists:

Key             Allowed Values         Equivalent Match List
_deviceGroup    admin                  admin_ips
                awsAdmin               AWS_admin_ips
                business               business_ips
                gcpAdmin               GCP_admin_ips
                googleWorkspaceAdmin   Google_Workspace_admin_ips
                salesforceAdmin        salesforce_admin_ips
                sandbox                sandbox_ips
                scanTarget             scanner_targets
_deviceService  dns                    dns_servers, dns_servers_dst, dns_servers_src
                ftp                    ftp_servers
                smtp                   smtp_servers
                sql                    sql_servers
                ssh                    ssh_servers
                telnet                 telnet_servers
_deviceType     authServer             auth_servers, auth_servers_dst, auth_servers_src
                lanScanner             lan_scanner_exception_ips
                nms                    nms_ips
                paloAltoSinkhole       palo_alto_sinkhole_ips
                proxyServer            proxy_servers, proxy_servers_dst, proxy_servers_src
                vpnServer              vpn_servers
                vulnerabilityScanner   vuln_scanners
                webServer              http_servers
_networkType    guest                  guest_networks
                nat                    nat_ips
                vpn                    vpn_networks
_userGroup      awsAdmin               AWS_admin_users
                dsReplication          ds_replication_authorized_users
                gcpAdmin               GCP_admin_users
                googleWorkspaceAdmin   Google_Workspace_admin_users
                kerberosDowngrade      downgrade_krb5_etype_authorized_users
                salesforceAdmin        salesforce_admin_users

(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)

Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity 1.2.3.4 is in match list sql_servers, a tag _deviceService:sql will be set on it. CSE will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and CSE will no longer automatically create these tags.

Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.

Note that you cannot extend the standard tag schemas (for example, you cannot add a value azureAdmin to _userGroup). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as customUserGroup) with such extended values.

You can refer to Entity tags in Rule expressions. For example, if you've attached the tag _deviceService:sql to an Entity, this statement will return "true" if that Entity is listed in a Record's srcDevice_ip field:

array_contains(fieldsTags["srcDevice_ip"], "_deviceService:sql")

Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.
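The migration and the rule expression above, as an added example that is not Sumo Logic's own code: the match list to tag mapping from the table, applied to constructed Entities, followed by the documented expression array_contains(fieldsTags["srcDevice_ip"], "_deviceService:sql") evaluated over a constructed Record. The function names, the fieldsTags layout and the sample IP addresses are assumptions of this example.

```python
# Added example (not Sumo Logic code): standard match list -> Entity tag
# migration from the table above, plus evaluation of the documented rule
# expression over a constructed Record. Function names, the fieldsTags layout
# and the sample values are assumptions of this example.
from typing import Dict, Iterable, List, Set

# Standard match list -> equivalent standard tag, as listed in the table.
MATCH_LIST_TO_TAG: Dict[str, str] = {
    "admin_ips": "_deviceGroup:admin",
    "AWS_admin_ips": "_deviceGroup:awsAdmin",
    "business_ips": "_deviceGroup:business",
    "GCP_admin_ips": "_deviceGroup:gcpAdmin",
    "Google_Workspace_admin_ips": "_deviceGroup:googleWorkspaceAdmin",
    "salesforce_admin_ips": "_deviceGroup:salesforceAdmin",
    "sandbox_ips": "_deviceGroup:sandbox",
    "scanner_targets": "_deviceGroup:scanTarget",
    "dns_servers": "_deviceService:dns",
    "ftp_servers": "_deviceService:ftp",
    "smtp_servers": "_deviceService:smtp",
    "sql_servers": "_deviceService:sql",
    "ssh_servers": "_deviceService:ssh",
    "telnet_servers": "_deviceService:telnet",
    "auth_servers": "_deviceType:authServer",
    "lan_scanner_exception_ips": "_deviceType:lanScanner",
    "nms_ips": "_deviceType:nms",
    "palo_alto_sinkhole_ips": "_deviceType:paloAltoSinkhole",
    "proxy_servers": "_deviceType:proxyServer",
    "vpn_servers": "_deviceType:vpnServer",
    "vuln_scanners": "_deviceType:vulnerabilityScanner",
    "http_servers": "_deviceType:webServer",
    "guest_networks": "_networkType:guest",
    "nat_ips": "_networkType:nat",
    "vpn_networks": "_networkType:vpn",
    "AWS_admin_users": "_userGroup:awsAdmin",
    "ds_replication_authorized_users": "_userGroup:dsReplication",
    "GCP_admin_users": "_userGroup:gcpAdmin",
    "Google_Workspace_admin_users": "_userGroup:googleWorkspaceAdmin",
    "downgrade_krb5_etype_authorized_users": "_userGroup:kerberosDowngrade",
    "salesforce_admin_users": "_userGroup:salesforceAdmin",
}
# The _dst and _src variants of these three lists map onto the same tag.
for _base in ("dns_servers", "auth_servers", "proxy_servers"):
    for _suffix in ("_dst", "_src"):
        MATCH_LIST_TO_TAG[_base + _suffix] = MATCH_LIST_TO_TAG[_base]

# Allowed values of each system (underscore-prefixed) schema, derived from the table.
STANDARD_SCHEMAS: Dict[str, Set[str]] = {}
for _tag in MATCH_LIST_TO_TAG.values():
    _key, _value = _tag.split(":", 1)
    STANDARD_SCHEMAS.setdefault(_key, set()).add(_value)


def is_allowed_tag(tag: str) -> bool:
    """System schemas cannot be extended; custom schemas (e.g. customUserGroup) can."""
    key, _, value = tag.partition(":")
    if key.startswith("_"):
        return value in STANDARD_SCHEMAS.get(key, set())
    return bool(key) and bool(value)


def migrate(memberships: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Turn {match list name: [entity values]} into {entity value: {tags}}."""
    entity_tags: Dict[str, Set[str]] = {}
    for list_name, entities in memberships.items():
        tag = MATCH_LIST_TO_TAG.get(list_name)
        if tag is None:
            continue  # e.g. business_domains holds no Entities, so it has no tag
        if not is_allowed_tag(tag):
            raise ValueError(f"{tag} is not a valid standard tag")
        for entity in entities:
            entity_tags.setdefault(entity, set()).add(tag)
    return entity_tags


def array_contains(values: Iterable[str], needle: str) -> bool:
    """Same contract as the array_contains() rule function used above."""
    return needle in list(values)


def fields_tags(record: Dict[str, str], entity_tags: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """fieldsTags as a Rule sees it: field name -> tags of the Entity in that field."""
    return {field: sorted(entity_tags.get(value, set())) for field, value in record.items()}


# Constructed sample data: 1.2.3.4 is a SQL server and an admin IP, 10.0.0.53 a DNS server.
SAMPLE_MEMBERSHIPS = {
    "sql_servers": ["1.2.3.4"],
    "admin_ips": ["1.2.3.4"],
    "dns_servers_src": ["10.0.0.53"],
    "dns_servers_dst": ["10.0.0.53"],
}
SAMPLE_RECORD = {"srcDevice_ip": "1.2.3.4", "dstDevice_ip": "10.0.0.53"}


def sql_rule_fires(record: Dict[str, str] = SAMPLE_RECORD) -> bool:
    """The documented expression: array_contains(fieldsTags["srcDevice_ip"], "_deviceService:sql")."""
    tags = fields_tags(record, migrate(SAMPLE_MEMBERSHIPS))
    return array_contains(tags.get("srcDevice_ip", []), "_deviceService:sql")
```

Reversing the Record's source and destination fields makes the same expression return false, since the DNS server carries only _deviceService:dns.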

Minor Changes and Enhancements

  • [New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that is part of that schema. For example, if you search for _networkType (from the note above), the list results will include any object that has a tag of _networkType:guest, _networkType:nat, and/or _networkType:vpn.

Resolved Issues

  • Entity relationships were not taking sensor zones into account properly.
  • Entity details pages were only briefly displaying the proper Criticality.
  • The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.

Welcome to the Sumo Logic Cloud SIEM Release Notes on our new docs site! We're now open source and encourage you to contribute. We welcome all contributions, from minor typo fixes to brand new docs. Your expertise and sharing can help fellow users learn and expand their knowledge of Sumo Logic.


Here you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM Enterprise.

To view Release Notes from previous years, check the archive.


Application Update: Minor Changes and Enhancements

  • [Updated] Dynamic severity in rules has been enhanced. Users can now specify ranges of values to match to a specific severity. There are now multiple options, and these options can be combined (the first rule that matches is used; if none match, the default is used):
    • Equal to: exact string or mathematical match ("Equal to 4" will match "4" and 4.0 but not 4.01)
    • Greater than and Less than: mathematical only, not inclusive ("Less than 5" will match 4.9 but not 5)
    • Between: mathematical only, inclusive ("Between 5 and 10" will match 5 or 7 but not 10.1)
    • Not in the record: matches when the attribute is not listed in the record (if there is no "bro_irc_value" attribute, this rule will match; if "bro_irc_value" exists but is empty/null, it does not match)
  • [New] Users can now filter the Signals list based on the type of Rule that generated the Signal (Match, Chain, Aggregation, etc.)
  • [New] Users can now perform negative keyword searches ("not:aws" would return all objects that do not include the keyword "aws")
  • [New] Entity domain normalization can now be managed via Terraform
  • [New] Users can now configure the Email Action to send emails in plain text in addition to the previously supported multipart HTML5/text format
  • [New] Changes to the Insight Threshold are now noted in the Audit Log
  • [Deleted] As previously announced, the IBM Resilient and Sensor actions have been removed from CSE
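The dynamic severity options described above, as an added example that is not Sumo Logic's own code: each option is evaluated with the edge cases the release note spells out (string versus numeric equality, exclusive versus inclusive bounds, absent versus empty attribute), and the first matching rule wins. The operator names, the rule tuple layout and the "score" attribute are assumptions of this example.

```python
# Added example (not Sumo Logic code): the dynamic severity matching semantics
# described in the list above, evaluated rule by rule with the first match
# winning and the default used otherwise. The operator names, the rule tuple
# layout and the sample attribute values are assumptions of this example.
from typing import Any, List, Optional, Tuple

# (operator, operand, severity); "between" takes a (low, high) pair as operand.
Rule = Tuple[str, Any, int]


def _as_number(value: Any) -> Optional[float]:
    """Numeric view of a record value, or None when it is not numeric."""
    if isinstance(value, bool):  # bool is an int subclass; do not treat it as a number
        return None
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        try:
            return float(value.strip())
        except ValueError:
            return None
    return None


def rule_matches(op: str, operand: Any, record: dict, attr: str) -> bool:
    """Evaluate one dynamic severity option against record[attr]."""
    if op == "not_in_record":
        # Only an absent attribute matches; present but empty/null does not.
        return attr not in record
    if attr not in record:
        return False
    value = record[attr]
    number = _as_number(value)
    if op == "equal_to":
        # Exact string match, or mathematical match when both sides are numeric:
        # "Equal to 4" matches "4" and 4.0 but not 4.01.
        if isinstance(value, str) and value == str(operand):
            return True
        target = _as_number(operand)
        return number is not None and target is not None and number == target
    if number is None:
        return False  # the remaining options are mathematical only
    if op == "greater_than":  # not inclusive
        return number > float(operand)
    if op == "less_than":  # not inclusive: "Less than 5" matches 4.9 but not 5
        return number < float(operand)
    if op == "between":  # inclusive: "Between 5 and 10" matches 5 and 7 but not 10.1
        low, high = operand
        return float(low) <= number <= float(high)
    raise ValueError(f"unknown dynamic severity operator {op!r}")


def dynamic_severity(rules: List[Rule], record: dict, attr: str, default: int) -> int:
    """Severity of the first rule that matches, or the default when none does."""
    for op, operand, severity in rules:
        if rule_matches(op, operand, record, attr):
            return severity
    return default


# Constructed sample: severity driven by a hypothetical numeric "score" attribute.
SAMPLE_RULES: List[Rule] = [
    ("not_in_record", None, 1),
    ("equal_to", 4, 4),
    ("between", (5, 10), 3),
    ("greater_than", 10, 4),
]


def sample_severities() -> List[int]:
    """Severities for constructed records: no score, "4", 7, 10.1 and a non-numeric score."""
    records = [{}, {"score": "4"}, {"score": 7}, {"score": 10.1}, {"score": "n/a"}]
    return [dynamic_severity(SAMPLE_RULES, r, "score", 2) for r in records]
```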

Resolved Issues

  • Match list items were not matching properly in some instances, such as after deletion
  • Keyword searches did not properly support values (such as hostnames) with embedded dashes
  • Changes to prototype state were not visible in the rule history
  • In some cases, the system was parsing domain names/TLDs incorrectly

Content Release

Log Mappers

  • [New] Azure Application Service Console Logs
  • [New] Google G Suite Alert Center - Sensitive Admin Action
  • [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents

Parsers

  • [Updated] /Parsers/System/Google/G Suite Alert Center

Legacy Parsers

  • [Updated] CISCO_MERAKI_SECURITY_FILTERING_FILE_SCANNED
  • [Updated] CISCO_MERAKI_URLS
  • [Updated] Twistlock_Logs

Rules

  • [Deleted] MATCH-S00070 Checkpoint Firewall

Log Mappers

  • [New] Cyber Ark EPM AggregateEvent
  • [New] Cyber Ark EPM AuditAdmin
  • [New] Cyber Ark EPM GetComputer
  • [New] Cyber Ark EPM Policy
  • [New] Cyber Ark EPM RawDetails
  • [New] Cyber Ark EPM RawEvents

Parsers

  • [New] /Parsers/System/Cyber-Ark/CyberArk EPM JSON
  • [Updated] /Parsers/System/Auth0/Auth0

Rules

  • [Deleted] CHAIN-S00009 Proofpoint TAP Click Permitted Followed by Successful Request

Log Mappers

  • [New] Wiz Catch All
  • [Updated] Orca Security Parser - Catch All

Schema

  • [New] cloud_provider
  • [New] cloud_region
  • [New] cloud_service
  • [New] cloud_zone
  • [New] device_container_id
  • [New] device_container_name
  • [New] device_container_runtime
  • [New] device_image
  • [New] device_type
  • [New] dstDevice_container_id
  • [New] dstDevice_container_name
  • [New] dstDevice_container_runtime
  • [New] dstDevice_image
  • [New] dstDevice_type
  • [New] resourceType
  • [New] srcDevice_container_id
  • [New] srcDevice_container_name
  • [New] srcDevice_container_runtime
  • [New] srcDevice_image
  • [New] srcDevice_type
  • [Updated] dstDevice_uniqueId

Insight Enrichment Server for Fed deployment

[Update] We’ve released a new version of the Insight Enrichment Server that runs on the Sumo Logic FedRAMP-compliant deployment. This makes Cloud SIEM Enterprise (CSE) on FedRAMP functionally equivalent to commercial deployments of CSE.

Minor Changes and Enhancements

  • [New] An API endpoint has been added which enables users to delete multiple entries in a match list in one operation: POST: /match-list-items/bulk-delete
  • [Updated] When inventory data for hosts includes both private and public IP addresses, that data will be attached to both Entities. Previously it was only attached to one of the IP address Entities.
  • [Updated] Previously we announced that the severity attribute for Insights in the Audit Logs would be switching from numbers (1-4) to text (LOW, MEDIUM, HIGH, etc). Instead, we have retained the existing numerical attribute and added a new attribute severityName containing the human-readable text.

Resolved Issues

  • In some Audit Log messages related to Insight comments, the insight_readable_id was not set correctly.
  • In some cases, manually adding or removing tags in an Insight was not being recorded in the Audit Logs properly.
  • For some customers, the bar chart on the Records list page was not rendering properly.
  • Time/date stamps were not being displayed consistently across the UI.
  • Some pages were returning intermittent 404 or internal errors.

In one week (2022-09-15), we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

  • [Updated] MATCH-S00819 Chromium Process Started With Debugging Port

Log Mappers

  • [Updated] Aruba ClearPass Syslog

Parsers

  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

Announcements

  • Starting October 1, 2022, suppressed Signals will be retained in CSE for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the CSE UI.
    • Note also that in the past, Signals attached to Insights were searchable from the CSE Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.)
  • As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from CSE by the end of this month.

Minor Changes and Enhancements

  • [New] In the Audit Log, when an Insight is created, the sum of the included Signals' severity is now included with the insight in the risk_score field (i.e. if there were three Signals each with a severity of 4, the sum of 12 will be included).
  • [Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. The Click action now brings up a "Copy Value" action instead.
  • [New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
  • [New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.

Resolved Issues

  • In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
  • Time stamps were missing from Records in some views.

Content Release

In 2 weeks (2022-09-15) we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

  • [New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
  • [New] MATCH-S00819 Chromium Process Started With Debugging Port
  • [New] MATCH-S00820 Cloud Credential File Accessed
  • [New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
  • [Updated] MATCH-S00235 Azure - Create User

Log Mappers

  • [New] Mimecast AV Event
  • [New] Mimecast Impersonation Event
  • [New] Mimecast Spam Event
  • [Updated] AzureActivityLog AuditLogs

Application Update

Cloud SIEM Enterprise App is now available

The CSE app gives you visibility into what's going on in Cloud SIEM Enterprise. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by CSE. You can also get insight into CSE rules, including rule management activity and which rules have fired.

This app is available to all licensed CSE customers in the Sumo Logic App Catalog. For more information, see CSE App.

Content Release

Rules

  • [Updated] MATCH-S00632 Okta Administrator Access Granted
  • [Updated] MATCH-S00683 Overly Permissive Chmod Command

Log Mappers

  • [New] Check Point Avanan
  • [New] Cisco ISE Authentication Failure
  • [New] Cisco ISE Authentication Success
  • [New] Cisco ISE Catch All
  • [New] FireEye Web MPS Event
  • [Updated] Microsoft Office 365 Threat Intelligence Events
  • [Updated] Windows Microsoft-Windows-Sysmon/Operational 3
  • [Updated] Windows Security 4688

Parsers

  • [New] /Parsers/System/Check Point/Check Point Avanan JSON
  • [New] /Parsers/System/Cisco/Cisco ISE
  • [New] /Parsers/System/FireEye/FireEye Web MPS JSON

Resolved Issues

  • Several issues were resolved related to the bulk upload of Entity attributes, including errors with CSV file parsing, editing uploaded attributes in the UI, and a lack of audit logging.
  • On the Entity details page, the criticality was not being displayed properly.
  • Labels were not being created properly based on Network Blocks for a small number of customers.
  • InsightCommentCreated audit events did not include the readableId attribute.
  • For some record types, the Actions field was not being displayed if selected as a favorite field.

Archive of July 2022 Cloud SIEM Release Notes.


July 28, 2022 - Application Update

Read-Only User Capabilities for CSE

New user capabilities (permissions) have been created enabling read-only access to content and configuration features in CSE.

These can be used when defining roles in the Sumo Logic platform (at Administration > Users and Roles > Roles).

[Screenshot: read-only roles]

(For those with CSE instances in the jask.ai domain, these capabilities are accessed via the Configuration > Roles page in CSE.)

Users with these capabilities (without the corresponding Manage capabilities) will be able to view the corresponding pages but will not be able to make changes on those pages. (Previously, users without the Manage capabilities could not see the corresponding pages.)

These permissions also apply to CSE APIs, so View (only) capabilities can now be assigned if desired.

Minor Changes and Enhancements

  • [Updated] When Threat Intelligence polling fails, the corresponding event will now include more information about the specific error that occurred.
  • [Updated] The API endpoints that return information about Signals (GET /signals, GET /signals/<id>, and GET /signals/all) now include the summary field (previously only accessible via the UI).
  • [New] The Sumo Logic audit logs will now include events when a user adds or removes a Signal to/from an Insight, and when a user adds a comment to an Insight.

Resolved Issues

  • The GET /rules and GET /rules/<id> API endpoints did not require role capabilities for access; they now require either View Rules or Manage Rules.
  • Favorite Fields were not always being displayed on Signals generated by Threshold Rules.

July 21 - Application Update

Entity Groups

Entity attributes - tags, criticality and suppression - provide value to users of Cloud SIEM Enterprise in a number of ways: for example, investigations can be completed faster with more context, Insights can be prioritized with the appropriate severity, and false-positive Signals from test instances can be prevented. However, setting those attributes has been a manual process, and keeping them in sync as new Entities are defined is difficult.

That's why we are pleased to announce a new feature called Entity Groups. By defining Entity Groups, attributes can be automatically applied (or removed) based on Entity value (name), IP address, or Inventory group membership. For example, all high-risk laptops will receive higher criticality -- even if such a laptop is added to your environment months later.

Entities can even be members of more than one Entity Group, so a high-risk laptop in the Austin office could both get a tag identifying its location and receive the higher criticality. And if you later reassigned it so that it was no longer in a high-risk group, the criticality would be automatically removed.

To create an Entity Group, a new configuration menu item has been added:

(Screenshot: entity groups menu)

On the Entity Groups page, click the Create button:

(Screenshot: entity groups list)

This will open the detail dialog:

(Screenshot: create entity group)

Here you can decide what attribute Group membership should be based on:

  • Group membership in your Inventory system (such as Active Directory)
  • Entity value (name) - prefix or suffix (such as "aus-" or "-public")
  • IP address range (for IP Address entities) defined using the CIDR format

Entity Groups also support sensor zones.

Then you can define what attribute(s) should be applied to member Entities - tags, criticality and/or suppression.

This release also includes API and Terraform support for Entity Groups.

More information about this exciting new feature and how to use it is in the documentation at Using Entity Groups.
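To make the membership and attribute behaviour described above concrete, here is an added Python model (not Cloud SIEM Enterprise code; the EntityGroup and Entity classes, the "highest criticality wins" conflict rule and the sample groups are assumptions). It evaluates an Entity against a set of groups by inventory group, name prefix or suffix, or CIDR range, and recomputes the attributes on every evaluation, so an attribute disappears as soon as the Entity stops matching the group that supplied it.

```python
"""Hypothetical model of Entity Group membership driving Entity attributes.

Added example, not Cloud SIEM Enterprise code. The data model, the matching
order and the "highest criticality wins" rule are assumptions made only to
illustrate the behaviour described in the release note.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EntityGroup:
    name: str
    # One matching criterion per group (hypothetical simplification).
    inventory_group: Optional[str] = None  # e.g. an Active Directory group
    name_prefix: Optional[str] = None      # e.g. "aus-"
    name_suffix: Optional[str] = None      # e.g. "-public"
    cidr: Optional[str] = None             # e.g. "10.99.0.0/16"; IP Address entities only
    # Attributes applied to member Entities.
    tags: frozenset = field(default_factory=frozenset)
    criticality: Optional[str] = None      # "LOW" / "MEDIUM" / "HIGH" / "CRITICAL"
    suppressed: bool = False


@dataclass
class Entity:
    value: str                              # Entity value: a name or an IP address
    entity_type: str                        # "hostname" or "ip" (hypothetical labels)
    inventory_groups: frozenset = field(default_factory=frozenset)


def matches(group: EntityGroup, entity: Entity) -> bool:
    """True if the Entity satisfies the group's single membership criterion."""
    if group.inventory_group is not None:
        return group.inventory_group in entity.inventory_groups
    if group.name_prefix is not None:
        return entity.value.startswith(group.name_prefix)
    if group.name_suffix is not None:
        return entity.value.endswith(group.name_suffix)
    if group.cidr is not None:
        if entity.entity_type != "ip":      # CIDR rules only apply to IP Address entities
            return False
        try:
            return ipaddress.ip_address(entity.value) in ipaddress.ip_network(group.cidr, strict=False)
        except ValueError:                  # malformed address never matches
            return False
    return False


CRITICALITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def evaluate_entity(entity: Entity, groups: list) -> dict:
    """Return the attributes an Entity gets from the groups it currently matches.

    Nothing is remembered between calls: attributes are rebuilt from the current
    matches, so an Entity that is reassigned out of a group loses that group's
    attributes automatically. Tags are unioned, suppression is OR-ed, and the
    highest criticality among matching groups wins (assumed conflict rule).
    """
    member_of = [g for g in groups if matches(g, entity)]
    tags, criticality, suppressed = set(), None, False
    for g in member_of:
        tags |= g.tags
        if g.criticality and (criticality is None
                              or CRITICALITY_RANK[g.criticality] > CRITICALITY_RANK[criticality]):
            criticality = g.criticality
        suppressed = suppressed or g.suppressed
    return {"groups": sorted(g.name for g in member_of), "tags": sorted(tags),
            "criticality": criticality, "suppressed": suppressed}


# Constructed sample groups mirroring the release note's scenarios.
DEMO_GROUPS = [
    EntityGroup("High-risk laptops", inventory_group="HighRiskLaptops", criticality="HIGH"),
    EntityGroup("Austin office", name_prefix="aus-", tags=frozenset({"location:austin"})),
    EntityGroup("Test range", cidr="10.99.0.0/16", suppressed=True),
]

if __name__ == "__main__":
    laptop = Entity("aus-lt-0042", "hostname", frozenset({"HighRiskLaptops"}))
    print(evaluate_entity(laptop, DEMO_GROUPS))            # HIGH criticality + Austin tag
    reassigned = Entity("aus-lt-0042", "hostname")         # dropped from the high-risk group
    print(evaluate_entity(reassigned, DEMO_GROUPS))        # criticality gone, tag stays
    print(evaluate_entity(Entity("10.99.4.7", "ip"), DEMO_GROUPS))  # suppressed test host
```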

Signal Index

Starting today, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signal index. This special partition is similar to the existing sec_record* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index is automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature will be deprecated on September 22, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before September 22.

Note that because the new index is a special partition, a single query cannot be used to search both the sec_signal index and older forwarded Signal data simultaneously.

More information about using the special security indices is in the documentation at Searching for CSE Data in Sumo Logic.

Minor Changes and Enhancements

  • [Updated] The page used to configure the detection window and Insight threshold has moved. Where previously it was accessed from a button on the Custom Insights list page, it is now accessed via a new Workflow > Detection option in the Configuration menu:

(Screenshot: threshold menu)

Note the URL has also changed as a result; please update any bookmarks.

Resolved Issues

When navigating to a CSE page (with sumologic.com in the domain name), if the user had to log in/authenticate first, they were not auto-forwarded to the appropriate CSE page after doing so (but were instead taken to the Continuous Intelligence Platform home page). This has now been resolved and users will be auto-forwarded correctly.


July 21, 2021 - Content Release

Rules

  • [Updated] MATCH-S00587 Empire PowerShell Launch Parameters
  • [Updated] MATCH-S00161 Malicious PowerShell Get Commands
  • [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
  • [Updated] MATCH-S00191 Suspicious PowerShell Keywords

Log Mappers

  • [New] OSSEC Alert

Parsers

  • [New] /Parsers/System/OSSEC/OSSEC JSON
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Kubernetes/Kubernetes
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

July 14, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The text size has been adjusted in some areas on the Rules details page to improve readability.

Resolved Issues

  • In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.

Announcement Update

The new Signal Index (previously announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.


July 14 - Content Release

Log Mappers

  • [New] Carbon Black Cloud Alert - Tuned Activity
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106002 JSON
  • [Updated] Cisco ASA 106006 JSON
  • [Updated] Cisco ASA 106007 JSON
  • [Updated] Cisco ASA 106010 JSON
  • [Updated] Cisco ASA 106012 JSON
  • [Updated] Cisco ASA 106014 JSON
  • [Updated] Cisco ASA 106015 JSON
  • [Updated] Cisco ASA 106021 JSON
  • [Updated] Cisco ASA 106027 JSON
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109005-8 JSON
  • [Updated] Cisco ASA 110002 JSON
  • [Updated] Cisco ASA 113004 JSON
  • [Updated] Cisco ASA 113005 JSON
  • [Updated] Cisco ASA 113012-17 JSON
  • [Updated] Cisco ASA 209004 JSON
  • [Updated] Cisco ASA 302020-1 JSON
  • [Updated] Cisco ASA 303002 JSON
  • [Updated] Cisco ASA 304001 JSON
  • [Updated] Cisco ASA 304002 JSON
  • [Updated] Cisco ASA 305011-12 JSON
  • [Updated] Cisco ASA 313001 JSON
  • [Updated] Cisco ASA 313004 JSON
  • [Updated] Cisco ASA 313005 JSON
  • [Updated] Cisco ASA 314003 JSON
  • [Updated] Cisco ASA 322001 JSON
  • [Updated] Cisco ASA 338001-8+338201-4 JSON
  • [Updated] Cisco ASA 4000nn JSON
  • [Updated] Cisco ASA 406001 JSON
  • [Updated] Cisco ASA 406002 JSON
  • [Updated] Cisco ASA 419001 JSON
  • [Updated] Cisco ASA 419002 JSON
  • [Updated] Cisco ASA 500004 JSON
  • [Updated] Cisco ASA 602303-4 JSON
  • [Updated] Cisco ASA 605004-5 JSON
  • [Updated] Cisco ASA 710002-3 JSON
  • [Updated] Cisco ASA 710005 JSON
  • [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON

Parsers

  • [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • [Updated] /Parsers/System/Cisco/Cisco ASA

July 8, 2022 - Application Update

Announcement

  • The built-in HipChat Action will be deprecated on August 25, 2022.

Minor Changes and Enhancements

  • [Updated] An option has been added to the Enrichments tab which allows the user to hide any empty fields in the results.

Resolved Issues

  • In some cases, changes to Rule Tuning Expressions were not being written to the Audit Logs properly.
  • Mapper field format_parameters was not populating.
  • Some of the links on the Related Entities tab of the Insight detail pages were malformed.

July 7, 2022 - Content Release

Rules

  • [New] MATCH-S00816 Interactive Logon to Domain Controller

Log Mappers

  • [Updated] Palo Alto GlobalProtect - Custom Parser
  • [Updated] Palo Alto GlobalProtect Auth - Custom Parser
  • [Updated] Windows - System - 7045
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Google/GCP

July 5, 2022 - Content Release

Rules

  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force
  • [Updated] MATCH-S00185 Windows - Remote System Discovery

Log Mappers

  • [Updated] McAfee Endpoint Security Custom Parser
  • [Updated] Microsoft SQL Server Parser - Authentication

Parsers

  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML
  • [Updated] /Parsers/System/Microsoft/Microsoft SQL Server
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Twistlock/Twistlock

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.


Archive of June 2022 Cloud SIEM Release Notes.


June 24, 2022 - Announcement

Beginning July 15, 2022, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing sec_record indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index will be automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature in CSE will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.

If you have any questions or concerns, please contact Sumo Logic customer support.


June 24, 2022 - Application Update

Minor Changes and Enhancements

  • [New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.

Resolved Issues

  • The /sec/v1/insights/{}/tags API endpoint was returning a 500/INTERNAL_SERVER_ERROR.

June 21, 2022 - Content Release

Log Mappers

  • [Updated] McAfee Avecto Defendpoint

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML

June 15, 2022 - Content Release

Rules

  • [Updated] MATCH-S00400 Web Download via Office Binaries

Log Mappers

  • [New] GCP Parser - Load Balancer

Parsers

  • [Updated] /Parsers/System/Google/GCP
  • [Updated] /Parsers/System/Orca Security/Orca Security
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

June 13, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). (Old bookmarks will continue to work.)
  • [Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
  • [Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.

Resolved Issues

  • CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
  • When filtering lists by date, the "include current" checkbox was not working consistently.

June 9, 2022 - Content Release

Rules

  • [New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [Updated] Cyber Ark Vault JSON

Parsers

  • [New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
  • [Updated] /Parsers/System/AWS/AWS ELB
  • [Updated] /Parsers/System/AWS/AWS WAF

June 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution

Log Mappers

  • [New] Bitdefender - avc
  • [New] Bitdefender - fw
  • [New] Bitdefender - hd
  • [New] Bitdefender - network-monitor
  • [New] Bitdefender - new-incident
  • [New] Linux OS Syslog - Cron - Generic
  • [New] Linux OS Syslog - sshd - session timeout
  • [Updated] Bitdefender Catch All
  • [Updated] SonicWall Firewall - Custom Parser

Parsers

  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

June 3, 2022 - Content Release

Rules

  • [New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
  • [New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
  • [Updated] THRESHOLD-S00080 Internal Port Scan
  • [Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190

Log Mappers

  • [New] Google G Suite - logout
  • [New] McAfee Mvision ENS incidents - Parser
  • [New] McAfee Mvision ENS threats - Parser
  • [New] Okta Authentication - auth_via_AD_agent
  • [New] Okta Authentication - auth_via_mfa
  • [New] Okta Authentication - auth_via_radius
  • [New] Okta Authentication - sso
  • [Updated] Google G Suite - login.login
  • [Updated] Okta Authentication Events
  • [Updated] Salesforce LoginAs Mapping

Parsers

  • [New] /Parsers/System/McAfee/McAfee Mvision ENS

Schema

  • [Updated] device_ip_asnNumber
  • [Updated] device_ip_asnOrg
  • [Updated] device_ip_city
  • [Updated] device_ip_countryCode
  • [Updated] device_ip_countryName
  • [Updated] device_ip_isp
  • [Updated] device_ip_latitude
  • [Updated] device_ip_longitude
  • [Updated] device_ip_region
  • [Updated] device_natIp_asnNumber
  • [Updated] device_natIp_asnOrg
  • [Updated] device_natIp_city
  • [Updated] device_natIp_countryCode
  • [Updated] device_natIp_countryName
  • [Updated] device_natIp_isp
  • [Updated] device_natIp_latitude
  • [Updated] device_natIp_longitude
  • [Updated] device_natIp_region
  • [Updated] dns_replyIp_asnNumber
  • [Updated] dns_replyIp_asnOrg
  • [Updated] dns_replyIp_city
  • [Updated] dns_replyIp_countryCode
  • [Updated] dns_replyIp_countryName
  • [Updated] dns_replyIp_isp
  • [Updated] dns_replyIp_latitude
  • [Updated] dns_replyIp_longitude
  • [Updated] dns_replyIp_region
  • [Updated] dstDevice_ip_asnNumber
  • [Updated] dstDevice_ip_asnOrg
  • [Updated] dstDevice_ip_city
  • [Updated] dstDevice_ip_countryCode
  • [Updated] dstDevice_ip_countryName
  • [Updated] dstDevice_ip_isp
  • [Updated] dstDevice_ip_latitude
  • [Updated] dstDevice_ip_longitude
  • [Updated] dstDevice_ip_region
  • [Updated] srcDevice_ip_asnNumber
  • [Updated] srcDevice_ip_asnOrg
  • [Updated] srcDevice_ip_city
  • [Updated] srcDevice_ip_countryCode
  • [Updated] srcDevice_ip_countryName
  • [Updated] srcDevice_ip_isp
  • [Updated] srcDevice_ip_latitude
  • [Updated] srcDevice_ip_longitude
  • [Updated] srcDevice_ip_region

June 1, 2022 - Announcement

Geographical Data for IP Addresses

  • As previously announced, CSE has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various _isp enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent _asnOrg fields (such as device_ip_asnOrg). If you have any rules that leverage the _isp fields, please switch to the _asnOrg fields as soon as possible.
  • Because these fields will no longer be populated, they will be removed on June 7, 2022:
    • device_ip_isp
    • device_natIp_isp
    • device_replyIp_isp
    • dstDevice_ip_isp
    • dstDevice_natIp_isp
    • srcDevice_ip_isp
    • srcDevice_natIp_isp


Archive of May 2022 Cloud SIEM Release Notes.


May 31, 2022 - Content Release

Rules

  • [New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] MATCH-S00766 Okta MFA Deactivated for User
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Aruba ClearPass User Authentication Failed
  • [New] Aruba ClearPass User Authentication Successful
  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] McAfee Network Security Parser - Catch All
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Orca Security Parser - Catch All
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Cloudflare - Logpush
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Windows - Security - 4688

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/McAfee/McAfee Network Security
  • [New] /Parsers/System/Orca Security/Orca Security
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Shared/Syslog Headers
  • [Updated] /Parsers/System/Twistlock/Twistlock

May 27, 2022 - Application Update

Upcoming Changes

  • [Updated] Starting later next week, the severity attribute in audit log records for Insights (such as InsightCreated) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
  • [Deleted] Later next week, the Content > Suppressed Entities page will be removed from the UI to simplify the application. Instead, users can use a filter on the Content > Entities page to retrieve the list of suppressed Entities.

Minor Changes and Enhancements

  • [Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
  • [New] When creating a copy of a Rule, users are now given the option to apply the Rule Tuning Expression(s) that are applied to the original Rule to the copy as well.
  • [New] In the CSE UI, timestamps now explicitly include the time zone.
  • [New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
  • [New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.

Resolved Issues

  • If a user had defined a high number of favorite fields, the system would show only the first 50.
  • When specifying tags, the auto-complete feature was not working properly in some instances.

May 26, 2022 - Content Release

Rules

  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

May 17, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The _sourceName and _sourceHost values in records ingested by CSE will now reflect the original values defined when ingested into the Sumo Logic platform.
  • [Updated] The "Board" list view for Insights has been updated to include the resolution:

(Screenshot: board-view)

Resolved Issues

  • In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
  • When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow.
  • When creating match list items via Terraform, the process was occasionally timing out.
  • Email-based actions were not functioning properly on instances with domains ending in jask.ai.

May 12, 2022 - Content Release

Rules

  • [Updated] LEGACY-S00078 SQL Injection Victim

Log Mappers

  • [New] Check Point Application Control
  • [New] Check Point SmartDefense
  • [New] Check Point URL Filtering
  • [Updated] Check Point Block

Parsers

  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

May 10, 2022 - Content Release

Rules

  • [Deleted] MATCH-S00258 Authentication Brute Force Attempt
  • [Updated] MATCH-S00176 RDP Login from Localhost

Log Mappers

  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • [Deleted] Windows - Security - 1100 - CIP
  • [Deleted] Windows - Security - 1102 - CIP
  • [Deleted] Windows - Security - 4624 - CIP
  • [Deleted] Windows - Security - 4625 - CIP
  • [Deleted] Windows - Security - 4634 - CIP
  • [Deleted] Windows - Security - 4648 - CIP
  • [Deleted] Windows - Security - 4649 - CIP
  • [Deleted] Windows - Security - 4656 - CIP
  • [Deleted] Windows - Security - 4658 - CIP
  • [Deleted] Windows - Security - 4661 - CIP
  • [Deleted] Windows - Security - 4662 - CIP
  • [Deleted] Windows - Security - 4663 - CIP
  • [Deleted] Windows - Security - 4672 - CIP
  • [Deleted] Windows - Security - 4674 - CIP
  • [Deleted] Windows - Security - 4688 - CIP
  • [Deleted] Windows - Security - 4689 - CIP
  • [Deleted] Windows - Security - 4697 - CIP
  • [Deleted] Windows - Security - 4698 - CIP
  • [Deleted] Windows - Security - 4702 - CIP
  • [Deleted] Windows - Security - 4704 - CIP
  • [Deleted] Windows - Security - 4720 - CIP
  • [Deleted] Windows - Security - 4726 - CIP
  • [Deleted] Windows - Security - 4728 - CIP
  • [Deleted] Windows - Security - 4732 - CIP
  • [Deleted] Windows - Security - 4740 - CIP
  • [Deleted] Windows - Security - 4742 - CIP
  • [Deleted] Windows - Security - 4754 - CIP
  • [Deleted] Windows - Security - 4755 - CIP
  • [Deleted] Windows - Security - 4756 - CIP
  • [Deleted] Windows - Security - 4768 - CIP
  • [Deleted] Windows - Security - 4769 - CIP
  • [Deleted] Windows - Security - 4770 - CIP
  • [Deleted] Windows - Security - 4771 - CIP
  • [Deleted] Windows - Security - 4776 - CIP
  • [Deleted] Windows - Security - 4778 - CIP
  • [Deleted] Windows - Security - 4779 - CIP
  • [Deleted] Windows - Security - 4780 - CIP
  • [Deleted] Windows - Security - 4793 - CIP
  • [Deleted] Windows - Security - 4798 - CIP
  • [Deleted] Windows - Security - 4799 - CIP
  • [Deleted] Windows - Security - 5038 - CIP
  • [Deleted] Windows - Security - 5058 - CIP
  • [Deleted] Windows - Security - 5059 - CIP
  • [Deleted] Windows - Security - 5061 - CIP
  • [Deleted] Windows - Security - 5140 - CIP
  • [Deleted] Windows - Security - 5379 - CIP
  • [Deleted] Windows - Security - 5805 - CIP
  • [Deleted] Windows - Security - 6272 - CIP
  • [Deleted] Windows - Security - 6273 - CIP
  • [Deleted] Windows - Security - 6275 - CIP
  • [Deleted] Windows - Security - 6278 - CIP
  • [Deleted] Windows - Security - 6416 - CIP
  • [Deleted] Windows - Security - 6423 - CIP
  • [Deleted] Windows - Security - 6424 - CIP
  • [Deleted] Windows - System - 5138 - CIP
  • [Deleted] Windows - System - 6005 - CIP
  • [Deleted] Windows - System - 6006 - CIP
  • [Deleted] Windows - System - 7045 - CIP
  • [New] BlueCat DNS Parser - Catch All
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] Firepower Catch All
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Success

Parsers

  • [Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
  • [New] /Parsers/System/Cisco/Cisco Firepower JSON
  • [Updated] /Parsers/System/AWS/AWS WAF
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.

To view release notes from previous years, check the archive.


Archive of April 2022 Cloud SIEM Release Notes.


April 29, 2022 - Application Update

[New] The Cloud SIEM Enterprise team is excited to announce a newly enhanced feature: Related Entities. Although Insights and the Signals they contain are focused on a single Entity (for example, a user or a host), the Records and Signals contained in the Insight often reference a number of additional Entities. In addition, CSE can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).

To provide an easy way for analysts to explore all of these Related Entities, a new tab has been added to the Insight Details page:

The Entities tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where CSE has determined a relationship between entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’).

Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals.

As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages).

This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information.

More information can be found in the online documentation.

Minor Changes and Enhancements

[Update] For Signals generated by Threshold, Aggregation and Chain Rules, there is a feature called Queried Records that enables users to find additional records that also apply to the Signal beyond those that were needed to meet the conditions for the Rule. The page that lists these Queried Records now explicitly shows the search query and the time window that is being checked. If a user clicks on the query, it opens a Log Search window with the query and time window pre-filled for deeper investigation.


April 29, 2022 - Content Release

Rules

  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
  • [Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
  • [Updated] THRESHOLD-S00031 RDP Brute Force Attempt
  • [Updated] THRESHOLD-S00034 SSH Authentication Failures

Log Mappers

  • [New] BlueCat DHCP Parser - Catch All
  • [New] Microsoft Exchange Catch All
  • [New] Microsoft Exchange HTTP Error
  • [New] Microsoft Exchange IIS
  • [New] Varonis DatAlert - Parser
  • [Updated] Varonis DatAdvantage - CEF

Parsers

  • [New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/Microsoft/Exchange
  • [New] /Parsers/System/Varonis/Varonis DatAlert Syslog
  • [Updated] /Parsers/System/F5/F5 Syslog

April 26, 2022 - Content Release

Rules

  • [New] MATCH-S00808 Azure - Container Instance Creation/Modification
  • [New] MATCH-S00809 Azure - Container Start
  • [New] MATCH-S00807 Azure - Image Created/Modified
  • [New] MATCH-S00810 Azure - Image Deleted

Log Mappers

  • [New] Darktrace Parser Events
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [New] /Parsers/System/Darktrace/Darktrace Syslog
  • [New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 20, 2022 - Content Release

Rules

  • [New] MATCH-S00798 Azure - Anonymous Blob Access
  • [New] MATCH-S00805 Azure - Bastion Host Created/Modified
  • [New] MATCH-S00806 Azure - Bastion Host Deleted
  • [New] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [New] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [New] MATCH-S00797 Azure - Event Hub Deleted
  • [New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
  • [New] MATCH-S00788 Azure - Key Deletion
  • [New] MATCH-S00789 Azure - Key Purged
  • [New] MATCH-S00792 Azure - Key Vault Deleted
  • [New] MATCH-S00787 Azure - Protected Item Deletion Attempt
  • [New] MATCH-S00794 Azure - Secret Backup
  • [New] MATCH-S00791 Azure - Secret Deleted
  • [New] MATCH-S00790 Azure - Secret Purged
  • [New] MATCH-S00800 Azure - Storage Deletion
  • [New] MATCH-S00799 Azure - Storage Modification
  • [New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
  • [New] MATCH-S00804 Azure - Virtual Machine Deleted
  • [New] MATCH-S00801 Azure - Virtual Machine Started
  • [New] MATCH-S00802 Azure - Virtual Machine Stopped
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
  • [Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] MATCH-S00445 Known Ransomware File Extensions

Log Mappers

  • [New] Dropbox - Authentication
  • [New] Dropbox - Catch All
  • [Updated] Azure AuditEvent logs

Parsers

  • [Updated] /Parsers/System/AWS/GuardDuty

April 19, 2022 - Announcement

We will be consolidating Authentication Brute Force Attempt MATCH-S00258 on Tuesday May 10 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.


April 18, 2022 - Application Update

Minor Changes and Enhancements

  • [New] API endpoints are now available to add or remove a given Signal to/from a given Insight: PUT "/insights/<insightId>/signals" and DELETE "/insights/<insightId>/signals" respectively. (For both endpoints, the request body is a list containing the signal ID(s) to add to or remove from the Insight, and the response is the updated Insight.)
  • [Update] The way CSE displays group membership in Active Directory inventory objects is changing. Previously, it was displayed in LDAP distinguished-name form (for example, cn=groupname,dc=something,dc=domain,dc=com); now it will just show the group name.

Resolved Issues

  • Signal and Insight timestamps in the Cloud SIEM Enterprise UI were not always displayed in the user’s preferred time zone.

April 15, 2022 - Announcements

  • Because it can now be connected via more standardized TAXII feeds, the integration between Cloud SIEM Enterprise and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali’s documentation for Setting up a TAXII feed for ThreatStream then Sumo Logic’s documentation for Integrating CSE with a TAXII Feed.
  • The Entity API has been updated to include a new field IsSuppressed. This field replaces IsWhitelisted which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted please ensure you have switched to the new field.

April 14, 2022 - Content Release

Rules

  • [New] MATCH-S00785 Azure - Blob Container Deletion
  • [New] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
  • [Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
  • [Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
  • [Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
  • [Updated] LEGACY-S00066 PowerShell Remote Administration
  • [Updated] LEGACY-S00105 Suspicious DC Logon
  • [Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)

Log Mappers

  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
  • [Updated] Microsoft Graph AD Reporting API C2C - Provisioning
  • [Updated] Microsoft Graph AD Reporting API C2C - Signin
  • [Updated] Trend Micro CEF logs

Parsers

  • [New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF

April 12, 2022 - Content Release

Rules

  • [New] MATCH-S00784 Linux Host Entered Promiscuous Mode

Log Mappers

  • [Deleted] AWS VPC Flow Logs - Custom Format 1
  • [Deleted] Adaxes Execute Event
  • [Deleted] Adaxes Modify Event
  • [Deleted] Adaxes Run PowerShell Event
  • [Deleted] Aruba Error Logs
  • [Deleted] Aruba ICMP Logs
  • [Deleted] Aruba LDAP Server Logs
  • [Deleted] Aruba PoniUnwired HTTPD CGID Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Error Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
  • [Deleted] Aruba PoniUnwired HTTPD ssl error Samples
  • [Deleted] Aruba PoniUnwired Warn Samples
  • [Deleted] BIND DNS Query
  • [Deleted] BIND DNS Update Zone
  • [Deleted] BIND DNS Update Zone Failed
  • [Deleted] BIOC Credential Access logs
  • [Deleted] BIOC Dropper logs
  • [Deleted] BIOC Evasion Variation 2 logs
  • [Deleted] BIOC Evasion logs
  • [Deleted] BIOC Infiltration logs
  • [Deleted] BIOC Persistence and Execution logs
  • [Deleted] BIOC Privilege logs
  • [Deleted] BIOC Reconnaissance logs
  • [Deleted] BIOC Reconnaissance logs Variation 2
  • [Deleted] BIOC Tampering logs
  • [Deleted] BIOC create and write logs
  • [Deleted] Bandura Domain Logs
  • [Deleted] Bandura Packet Logs
  • [Deleted] Barracuda Proxy
  • [Deleted] Bind DHCP Full
  • [Deleted] Bind DHCP On
  • [Deleted] Bind DHCP Short
  • [Deleted] Bind DNS log 1
  • [Deleted] Bind DNS log 10
  • [Deleted] Bind DNS log 2
  • [Deleted] Bind DNS log 3
  • [Deleted] Bind DNS log 4
  • [Deleted] Bind DNS log 5
  • [Deleted] Bind DNS log 6
  • [Deleted] Bind DNS log 7
  • [Deleted] Bind DNS log 8
  • [Deleted] Bind DNS log 9
  • [Deleted] Bind9 DNS
  • [Deleted] Blue Coat Proxy 2
  • [Deleted] Blue Coat Proxy 4
  • [Deleted] Blue Coat Proxy 5
  • [Deleted] Blue Coat Proxy 6
  • [Deleted] Blue Coat Proxy 7
  • [Deleted] Blue Coat Proxy Logs
  • [Deleted] BlueCat DHCP Bootrequest
  • [Deleted] BlueCat DHCP Decline
  • [Deleted] BlueCat DHCP INFORM Logs
  • [Deleted] BlueCat DHCP Offer Logs
  • [Deleted] BlueCat DHCP Reuse Lease
  • [Deleted] BlueCat DHCP failover
  • [Deleted] BlueCat DNS
  • [Deleted] BlueCat DNS with Key
  • [Deleted] CB Protection
  • [Deleted] CB Protection Username
  • [Deleted] CB Response Server 1
  • [Deleted] CB Response Server 10
  • [Deleted] CB Response Server 11
  • [Deleted] CB Response Server 13
  • [Deleted] CB Response Server 14
  • [Deleted] CB Response Server 15
  • [Deleted] CB Response Server 17
  • [Deleted] CB Response Server 2
  • [Deleted] CB Response Server 20
  • [Deleted] CB Response Server 3
  • [Deleted] CB Response Server 4
  • [Deleted] CB Response Server 5
  • [Deleted] CB Response Server 6
  • [Deleted] CB Response Server 7
  • [Deleted] CB Response Server 9
  • [Deleted] CB Response Severity 1
  • [Deleted] CB Response Severity 2
  • [Deleted] CB Response Severity 3
  • [Deleted] CICSCOFW434002
  • [Deleted] Check Point ACCEPT Grok
  • [Deleted] Check Point DROP
  • [Deleted] Check Point VPN
  • [Deleted] Check Point encrypt/decrypt
  • [Deleted] Check Point key install
  • [Deleted] Cisco ACS FAILED-ATTEMPT
  • [Deleted] Cisco ACS FAILED-AUTHENTICATION
  • [Deleted] Cisco ACS Passed-Authentication
  • [Deleted] Cisco ACS Tacacs-Accounting
  • [Deleted] Cisco ASA 106002
  • [Deleted] Cisco ASA 106012
  • [Deleted] Cisco ASA 106013
  • [Deleted] Cisco ASA 106018
  • [Deleted] Cisco ASA 106022
  • [Deleted] Cisco ASA 113039
  • [Deleted] Cisco ASA 716037
  • [Deleted] Cisco ASA 716038
  • [Deleted] Cisco ASA 716039
  • [Deleted] Cisco ASA 722056
  • [Deleted] Cisco ASA 725012
  • [Deleted] Cisco ASA 725017
  • [Deleted] Cisco ASA 734003
  • [Deleted] Cisco ASA 746012
  • [Deleted] Cisco AnyConnect NAT RULES Logs
  • [Deleted] Cisco Authentication Message 01
  • [Deleted] Cisco Authentication Message 02
  • [Deleted] Cisco Authentication Message 03
  • [Deleted] Cisco Authentication Message 04
  • [Deleted] Cisco Authentication Message 05
  • [Deleted] Cisco Authentication Message 06
  • [Deleted] Cisco Authentication Message 07
  • [Deleted] Cisco Authentication Message 08
  • [Deleted] Cisco Authentication Message 09
  • [Deleted] Cisco Authentication Message 10
  • [Deleted] Cisco Authentication Message 11
  • [Deleted] Cisco Authentication Message 12
  • [Deleted] Cisco Authentication Message 13
  • [Deleted] Cisco Authentication Message 14
  • [Deleted] Cisco Authentication Message 15
  • [Deleted] Cisco IOS Message
  • [Deleted] Cisco IOS Queue Full
  • [Deleted] Cisco Ironport WSA
  • [Deleted] Cisco Ironport WSA NOHD
  • [Deleted] Cisco Ironport WSA NOHD 01
  • [Deleted] Cisco Ironport WSA NOHD 03
  • [Deleted] Cisco Meraki IDS-Alerts
  • [Deleted] Cisco Meraki Security Event
  • [Deleted] Cisco Meraki Security Filtering Disposition Change
  • [Deleted] Cisco Umbrella IP Logs Custom
  • [Deleted] Citrix NetScaler AAA Message
  • [Deleted] Citrix NetScaler API CMD EXECUTED
  • [Deleted] Citrix NetScaler Delinked Message
  • [Deleted] Citrix NetScaler Delinked Message 01
  • [Deleted] Citrix NetScaler TCP Connection Terminated
  • [Deleted] DNS_Additions
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EXABEAM
  • [Deleted] F5 HTTPd Audit
  • [Deleted] F5 SSHD Samples
  • [Deleted] F5 SSL Request
  • [Deleted] Firepower Access Control
  • [Deleted] Firepower Access Control 2
  • [Deleted] Firepower Access Control 3
  • [Deleted] Firepower Access Control 4
  • [Deleted] Firepower Access Control 5
  • [Deleted] Firepower Alerts
  • [Deleted] Forcepoint NEW
  • [Deleted] Huawei SNMP LOGS
  • [Deleted] IBM WebSpheredatadevice error 1
  • [Deleted] IBM WebSpheredatadevice error 2
  • [Deleted] IBM WebSpheredatadevice error 3
  • [Deleted] IBM WebSpheredatadevice error 4
  • [Deleted] IBM WebSpheredatadevice error 5
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
  • [Deleted] Infoblox DHCP Updater 1
  • [Deleted] Infoblox DHCP Updater 2
  • [Deleted] Infoblox DHCP Updater 3
  • [Deleted] Infoblox DHCP Updater 4
  • [Deleted] Infoblox DHCP Updater 5
  • [Deleted] Infoblox DHCPACK RENEW Samples
  • [Deleted] Infoblox DHCPACK v2 Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples 2
  • [Deleted] Infoblox DHCPDISCOVER Unknown network Sample
  • [Deleted] Infoblox DHCPEXPIRE Samples
  • [Deleted] Infoblox DHCPNAK Samples
  • [Deleted] Infoblox DHCPOFFER UID Samples
  • [Deleted] Infoblox DHCPRELEASE Samples
  • [Deleted] Infoblox DNS Request AXRF Ended
  • [Deleted] Infoblox DNS Request AXRF Started
  • [Deleted] Infoblox DNS Response
  • [Deleted] Infoblox DNS Zone Update 1
  • [Deleted] Infoblox DNS Zone Update 2
  • [Deleted] Infoblox DNS Zone Update 3
  • [Deleted] Infoblox DNS Zone Update 4
  • [Deleted] Infoblox DNS Zone Update 5
  • [Deleted] Infoblox DNS Zone Update 6
  • [Deleted] Infoblox Domain Notified
  • [Deleted] Invalid Login
  • [Deleted] IronPort Quarantined MID
  • [Deleted] IronPort Quarantined TO
  • [Deleted] Ironport DCID Message
  • [Deleted] Ironport DKIM
  • [Deleted] Ironport ICID Message
  • [Deleted] Ironport Info IC
  • [Deleted] Ironport Info IC and Msg
  • [Deleted] Ironport Info ISQ or RPC
  • [Deleted] Ironport Info Message
  • [Deleted] Ironport Info Mid Info
  • [Deleted] Ironport WSA SFIMS Protocol 1
  • [Deleted] Ironport WSA SFIMS Protocol 2
  • [Deleted] Ironport WSA SFIMS Protocol 3
  • [Deleted] Ironport WSA SFIMS Protocol 4
  • [Deleted] Ironport Warn Message
  • [Deleted] Ironport Warning Connection Error
  • [Deleted] Ironport Warning Full
  • [Deleted] Ironport Warning Invalid DNS FULL
  • [Deleted] Ironport Warning LIMIT
  • [Deleted] Juniper Flow Reassemble Logs
  • [Deleted] Juniper Session Error Logs
  • [Deleted] LINUX User Auth with Hostname
  • [Deleted] Linux Laravel Activity Logs
  • [Deleted] Linux Laravel Activity Logs 01
  • [Deleted] Linux Laravel Login Logs
  • [Deleted] LinuxServer Audit Logs 01
  • [Deleted] LinuxServer Audit Logs 02
  • [Deleted] LinuxServer Log 1
  • [Deleted] LinuxServer Log 11
  • [Deleted] LinuxServer Log 2
  • [Deleted] LinuxServer Log 3
  • [Deleted] LinuxServer Log 4
  • [Deleted] LinuxServer Log 5
  • [Deleted] LinuxServer Log 6
  • [Deleted] LinuxServer Log 7
  • [Deleted] Mcafee MVISION CASB Log
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] Network Management Logs
  • [Deleted] Oauth Logs
  • [Deleted] Ossec Group Addition Logs
  • [Deleted] Ossec Insecure Connection Logs
  • [Deleted] Ossec Integrity checksum Logs
  • [Deleted] Ossec Root Login Refused Logs
  • [Deleted] Ossec ssh server Logs
  • [Deleted] Palo Alto Traps Analytics
  • [Deleted] Palo Alto Traps Analytics - Cloud
  • [Deleted] Palo Alto Traps Config - Cloud
  • [Deleted] Palo Alto Traps Event
  • [Deleted] Palo Alto Traps Events Updated
  • [Deleted] Palo Alto Traps Misc - Cloud
  • [Deleted] Palo Alto Traps System - Cloud
  • [Deleted] Pulse Secure Endpoint
  • [Deleted] Pulse Secure Logs
  • [Deleted] Renew Logs
  • [Deleted] Shibboleth DUO
  • [Deleted] Shibboleth HTTP Redirect EDU
  • [Deleted] Shibboleth HTTP Redirect Email
  • [Deleted] Shibboleth LDAP
  • [Deleted] Shibboleth LDAP Email
  • [Deleted] Snare AgentHeartBeat Logs
  • [Deleted] Snare Windows DHCP Logs
  • [Deleted] SonicWall Bad FTP Protocol
  • [Deleted] SonicWall Block Dropped Events
  • [Deleted] SonicWall Flood Attack
  • [Deleted] SonicWall IPS
  • [Deleted] SonicWall Port Scan
  • [Deleted] SonicWall URL Filter
  • [Deleted] Successful Login
  • [Deleted] Successful Logins
  • [Deleted] Successful SSH Login
  • [Deleted] Suricata HTTP Logs
  • [Deleted] Suricata LogStash
  • [Deleted] Suricata Logstash Custom
  • [Deleted] Suricata Threat Logs
  • [Deleted] Symantec SEP AntiVirus
  • [Deleted] Symantec SEP Potential Risk Found 01
  • [Deleted] Symantec SEP Potential Risk Found 2
  • [Deleted] Symantec SEP Potential Risk Found 3
  • [Deleted] Symantec SEP SONAR
  • [Deleted] Symantec SEP Security Risk Found
  • [Deleted] Symantec SEP Sonar Detection
  • [Deleted] Symantec SEP USB Drive
  • [Deleted] Tanium S24 Logs
  • [Deleted] VLT Vault Extra
  • [Deleted] VMware Logs 1
  • [Deleted] VMware Logs 2
  • [Deleted] VMware Logs 3
  • [Deleted] VMware Logs 4
  • [Deleted] VMware Logs 5
  • [Deleted] VMware Logs 6
  • [Deleted] VMware Logs 7
  • [Deleted] VMware Logs 8
  • [Deleted] VPN Messages
  • [Deleted] VPN Messages 2
  • [Deleted] VPN Messages 3
  • [Deleted] VPN Messages 4
  • [Deleted] VPN Messages 5
  • [Deleted] WatchGuard flow log
  • [Deleted] WatchGuard flow log 2
  • [Deleted] Windows DHCP
  • [Deleted] Windows Defender Unstructured
  • [Deleted] Windows QUICK FIX
  • [Deleted] Zscaler Firewall Grok
  • [Deleted] cisco17
  • [Deleted] cisco20
  • [Deleted] ePO Threat Event
  • [New] AWS EKS - Custom Parser
  • [New] Azure Storage Analytics
  • [New] Citrix NetScaler - SSL Handshake Success
  • [Updated] Azure Administrative logs
  • [Updated] Azure Write and Delete Logs
  • [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
  • [Updated] Citrix NetScaler - Command Executed
  • [Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
  • [Updated] Citrix NetScaler - SSLVPN-ICA Events
  • [Updated] Citrix NetScaler - SSLVPN-LOGIN
  • [Updated] Citrix NetScaler - SSLVPN-LOGOUT
  • [Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT

Parsers

  • [New] /Parsers/System/AWS/AWS EKS
  • [New] /Parsers/System/Microsoft/Azure Storage Analytics
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog

Legacy Parsers

  • [Deleted] 4624
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
  • [Deleted] ASA_106002
  • [Deleted] ASA_106013
  • [Deleted] ASA_106018
  • [Deleted] ASA_106022
  • [Deleted] ASA_113039
  • [Deleted] ASA_5_746012
  • [Deleted] ASA_6_106012
  • [Deleted] ASA_716037
  • [Deleted] ASA_716038
  • [Deleted] ASA_716039
  • [Deleted] ASA_722056
  • [Deleted] ASA_7_725012
  • [Deleted] ASA_7_725017
  • [Deleted] ASA_7_734003
  • [Deleted] AWS_VPC_FLOW_CUSTOM_1
  • [Deleted] Adaxes_Execute_Event
  • [Deleted] Adaxes_Modify_Event
  • [Deleted] Adaxes_Run_PowerShell_Event
  • [Deleted] Aruba_Error_Logs
  • [Deleted] Aruba_ICMP_Logs
  • [Deleted] Aruba_LDAP_Server_Logs
  • [Deleted] BANDURA_DOMAIN_LOGS
  • [Deleted] BANDURA_PACKET_LOGS
  • [Deleted] BARRACUDA_PROXY
  • [Deleted] BIND9
  • [Deleted] BIND_DHCP_FOR_FULL
  • [Deleted] BIND_DHCP_FOR_SHORT
  • [Deleted] BIND_DHCP_ON
  • [Deleted] BIND_Query
  • [Deleted] BIND_Update_Zone
  • [Deleted] BIND_Update_Zone_Failure
  • [Deleted] BIOC_CREATE_AND_WRITE
  • [Deleted] BIOC_CREDENTIAL_ACCESS
  • [Deleted] BIOC_DROPPER
  • [Deleted] BIOC_EVASION
  • [Deleted] BIOC_EVASION_VARIATION_2
  • [Deleted] BIOC_INFILTRATION
  • [Deleted] BIOC_PERSISTENCE_EXECUTION
  • [Deleted] BIOC_PRIVILEGE
  • [Deleted] BIOC_RECONNAISSANCE
  • [Deleted] BIOC_RECONNAISSANCE_VARIATION_2
  • [Deleted] BIOC_TAMPERING
  • [Deleted] BLUECAT_DHCP_BOOTREQUEST
  • [Deleted] BLUECAT_DHCP_DECLINE
  • [Deleted] BLUECAT_DHCP_INFORM
  • [Deleted] BLUECAT_DHCP_OFFER
  • [Deleted] BLUECAT_DHCP_failover
  • [Deleted] BLUECAT_DHCP_reuse_lease
  • [Deleted] BLUECAT_DNS_NO_KEY
  • [Deleted] BLUECAT_DNS_WITH_KEY
  • [Deleted] BLUECOAT_PROXY
  • [Deleted] BLUECOAT_PROXY_2
  • [Deleted] BLUECOAT_PROXY_4
  • [Deleted] BLUECOAT_PROXY_5
  • [Deleted] BLUECOAT_PROXY_6
  • [Deleted] BLUECOAT_PROXY_7
  • [Deleted] Bind_DNS_log_1
  • [Deleted] Bind_DNS_log_10
  • [Deleted] Bind_DNS_log_2
  • [Deleted] Bind_DNS_log_3
  • [Deleted] Bind_DNS_log_4
  • [Deleted] Bind_DNS_log_5
  • [Deleted] Bind_DNS_log_6
  • [Deleted] Bind_DNS_log_7
  • [Deleted] Bind_DNS_log_8
  • [Deleted] Bind_DNS_log_9
  • [Deleted] CB_PROTECT
  • [Deleted] CB_PROTECT_USERNAME
  • [Deleted] CB_RESPONSE_SERVER_1
  • [Deleted] CB_RESPONSE_SERVER_10
  • [Deleted] CB_RESPONSE_SERVER_11
  • [Deleted] CB_RESPONSE_SERVER_13
  • [Deleted] CB_RESPONSE_SERVER_14
  • [Deleted] CB_RESPONSE_SERVER_15
  • [Deleted] CB_RESPONSE_SERVER_17
  • [Deleted] CB_RESPONSE_SERVER_2
  • [Deleted] CB_RESPONSE_SERVER_20
  • [Deleted] CB_RESPONSE_SERVER_3
  • [Deleted] CB_RESPONSE_SERVER_4
  • [Deleted] CB_RESPONSE_SERVER_5
  • [Deleted] CB_RESPONSE_SERVER_6
  • [Deleted] CB_RESPONSE_SERVER_7
  • [Deleted] CB_RESPONSE_SERVER_9
  • [Deleted] CB_RESPONSE_SEVERITY_1
  • [Deleted] CB_RESPONSE_SEVERITY_2
  • [Deleted] CB_RESPONSE_SEVERITY_3
  • [Deleted] CHECKPOINT_ACCEPT
  • [Deleted] CHECKPOINT_CRYPT
  • [Deleted] CHECKPOINT_DROP
  • [Deleted] CHECKPOINT_KEY_INSTALL
  • [Deleted] CHECKPOINT_VPN_ROUTE
  • [Deleted] CICSCOFW434002
  • [Deleted] CISCOFW321001
  • [Deleted] CISCOFW419001
  • [Deleted] CISCO_ACS_FAILED_ATTEMPT
  • [Deleted] CISCO_ACS_FAILED_AUTHENTICATION
  • [Deleted] CISCO_ACS_PASSED_AUTHENTICATION
  • [Deleted] CISCO_ACS_TACACS_ACCOUNTING
  • [Deleted] CISCO_MERAKI_IDS_ALERTS
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
  • [Deleted] CRM_VODLOG
  • [Deleted] Cisco_Umbrella_IP_Logs
  • [Deleted] Dns_Update
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EPO_THREAT_EVENT
  • [Deleted] EXABEAM
  • [Deleted] F5_HTTPD_AUDIT
  • [Deleted] F5_SSHD_SAMPLES
  • [Deleted] F5_SSL_REQUEST
  • [Deleted] FLOW_REASSEMBLE
  • [Deleted] FORCEPOINT_NEW_AND_IMPROVED
  • [Deleted] Failed_Logon
  • [Deleted] Firepower_ALERT_IDS
  • [Deleted] Firepower_Access_Control
  • [Deleted] Firepower_Access_Control_2
  • [Deleted] Firepower_Access_Control_3
  • [Deleted] Firepower_Access_Control_4
  • [Deleted] Firepower_Access_Control_5
  • [Deleted] IBM_WebSpheredatadevice_error_1
  • [Deleted] IBM_WebSpheredatadevice_error_2
  • [Deleted] IBM_WebSpheredatadevice_error_3
  • [Deleted] IBM_WebSpheredatadevice_error_4
  • [Deleted] IBM_WebSpheredatadevice_error_5
  • [Deleted] INFLOBLOX_DNS_MESSAGE
  • [Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
  • [Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
  • [Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
  • [Deleted] INFOBLOX_DHCPNAK_SAMPLES
  • [Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
  • [Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
  • [Deleted] INFOBLOX_DHCP_UPDATER_1
  • [Deleted] INFOBLOX_DHCP_UPDATER_2
  • [Deleted] INFOBLOX_DHCP_UPDATER_3
  • [Deleted] INFOBLOX_DHCP_UPDATER_4
  • [Deleted] INFOBLOX_DHCP_UPDATER_5
  • [Deleted] INFOBLOX_DHCP_V2_SAMPLES
  • [Deleted] INFOBLOX_DNS_QUERIES
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
  • [Deleted] INFOBLOX_DNS_RESPONSE
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
  • [Deleted] INFOBLOX_DOMAIN_NOTIFIED
  • [Deleted] IRONPORT_QUARANTINE_MID
  • [Deleted] IRONPORT_QUARANTINE_TO
  • [Deleted] IRON_PORT_CONNECTION
  • [Deleted] IRON_PORT_DCID_MSG
  • [Deleted] IRON_PORT_DKIM
  • [Deleted] IRON_PORT_ICID_MSG
  • [Deleted] IRON_PORT_INFO_ICID
  • [Deleted] IRON_PORT_INFO_MID
  • [Deleted] IRON_PORT_INFO_MID_ICID
  • [Deleted] IRON_PORT_INFO_MSG
  • [Deleted] IRON_PORT_ISQ_RPC
  • [Deleted] IRON_PORT_WARN_FULL
  • [Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
  • [Deleted] IRON_PORT_WARN_LIMIT
  • [Deleted] IRON_PORT_WARN_MSG
  • [Deleted] IRON_PORT_WSA
  • [Deleted] IRON_PORT_WSA_NOHD
  • [Deleted] IRON_PORT_WSA_NOHD_01
  • [Deleted] IRON_PORT_WSA_NOHD_03
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
  • [Deleted] Internal_Auth_Logs
  • [Deleted] LINUXSERVER_AUDIT_LOGS_1
  • [Deleted] LINUXSERVER_AUDIT_LOGS_2
  • [Deleted] LINUXSERVER_LOG_1
  • [Deleted] LINUXSERVER_LOG_11
  • [Deleted] LINUXSERVER_LOG_2
  • [Deleted] LINUXSERVER_LOG_3
  • [Deleted] LINUXSERVER_LOG_4
  • [Deleted] LINUXSERVER_LOG_5
  • [Deleted] LINUXSERVER_LOG_6
  • [Deleted] LINUXSERVER_LOG_7
  • [Deleted] LINUX_USER_AND_HOSTNAME
  • [Deleted] Linux_Laravel_Logs1
  • [Deleted] Linux_Laravel_Logs2
  • [Deleted] Linux_Laravel_Logs3
  • [Deleted] MVISION_CASB
  • [Deleted] NAT_RULES_MATCH
  • [Deleted] NMS_LOGS
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] OAUTH_LOG
  • [Deleted] Ossec_Logs_01
  • [Deleted] Ossec_Logs_02
  • [Deleted] Ossec_Logs_03
  • [Deleted] Ossec_Logs_04
  • [Deleted] Ossec_Logs_06
  • [Deleted] PALO_ALTO_TRAPS
  • [Deleted] PALO_TRAPS_EXTRA
  • [Deleted] PAN_TRAPS_ANALYTICS
  • [Deleted] PAN_TRAPS_ANALYTICS_CLOUD
  • [Deleted] PAN_TRAPS_CONFIG_CLOUD
  • [Deleted] PAN_TRAPS_MISC_CLOUD
  • [Deleted] PAN_TRAPS_SYSTEM_CLOUD
  • [Deleted] PULSESECURE_LOGS
  • [Deleted] PULSESECURE_LOGS2
  • [Deleted] Renew_Logs
  • [Deleted] SESSION_ERROR
  • [Deleted] SHIBBOLETH_DUO
  • [Deleted] SHIBBOLETH_HTTP_EDU
  • [Deleted] SHIBBOLETH_HTTP_MAIL
  • [Deleted] SHIBBOLETH_LDAP
  • [Deleted] SHIBBOLETH_LDAP_EMAIL
  • [Deleted] SNARE_AGENTHEARTBEAT_LOGS
  • [Deleted] SNARE_WINDOWS_DHCP_LOGS
  • [Deleted] SNMP_LOGS
  • [Deleted] SURICATA_HTTP_LOGS
  • [Deleted] SURICATA_LOGSTASH
  • [Deleted] SURICATA_LOGSTASH_CUSTOM
  • [Deleted] SURICATA_THREAT_LOGS
  • [Deleted] SYMANTEC_SEP_Anti_Virus
  • [Deleted] SYMANTEC_SEP_PRF_01
  • [Deleted] SYMANTEC_SEP_PRF_02
  • [Deleted] SYMANTEC_SEP_PRF_03
  • [Deleted] SYMANTEC_SEP_SDN
  • [Deleted] SYMANTEC_SEP_SONAR
  • [Deleted] SYMANTEC_SEP_SRF
  • [Deleted] SYMANTEC_SEP_USB_1
  • [Deleted] SonicWall_Bad_FTP_Protocol
  • [Deleted] SonicWall_Block_Dropped_Events
  • [Deleted] SonicWall_Flood_Attack
  • [Deleted] SonicWall_IPS
  • [Deleted] SonicWall_Port_Scan
  • [Deleted] SonicWall_URL_Filter
  • [Deleted] Successful_Logon
  • [Deleted] TANIUM_S24_TYPE_LOGS
  • [Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
  • [Deleted] VDM_LOG_EXTRA
  • [Deleted] VDM_MESSAGES_CONNECT
  • [Deleted] VDM_MESSAGES_DIRECTORY
  • [Deleted] VDM_MESSAGES_FROM
  • [Deleted] VDM_MESSAGES_FTP
  • [Deleted] VDM_MESSAGES_WARN
  • [Deleted] VLT_VAULT_EXTRA
  • [Deleted] VPN_Message_2
  • [Deleted] VPN_Message_3
  • [Deleted] VPN_Message_4
  • [Deleted] VPN_Message_5
  • [Deleted] VPN_Messages
  • [Deleted] Vmware_Logs_1
  • [Deleted] Vmware_Logs_2
  • [Deleted] Vmware_Logs_3
  • [Deleted] Vmware_Logs_4
  • [Deleted] Vmware_Logs_5
  • [Deleted] Vmware_Logs_6
  • [Deleted] Vmware_Logs_7
  • [Deleted] Vmware_Logs_8
  • [Deleted] WATCHGUARD_FLOW_LOG
  • [Deleted] WATCHGUARD_FLOW_LOG_2
  • [Deleted] WINDOWS_DHCP_LOG
  • [Deleted] WINDOWS_QUICK_FIX
  • [Deleted] Zscaler_Firewall
  • [Deleted] cisco_authentication_01
  • [Deleted] cisco_authentication_02
  • [Deleted] cisco_authentication_03
  • [Deleted] cisco_authentication_04
  • [Deleted] cisco_authentication_05
  • [Deleted] cisco_authentication_06
  • [Deleted] cisco_authentication_07
  • [Deleted] cisco_authentication_08
  • [Deleted] cisco_authentication_09
  • [Deleted] cisco_authentication_10
  • [Deleted] cisco_authentication_11
  • [Deleted] cisco_authentication_12
  • [Deleted] cisco_authentication_13
  • [Deleted] cisco_authentication_14
  • [Deleted] cisco_authentication_15
  • [Deleted] cisco_ios_system_log_message
  • [Deleted] cisco_ios_system_log_message_queue_full
  • [Deleted] citrix_netscaler_AAA_Messsage
  • [Deleted] citrix_netscaler_API_CMD_EXECUTED
  • [Deleted] citrix_netscaler_TCP_connection_terminated
  • [Deleted] citrix_netscaler_delinked_message
  • [Deleted] citrix_netscaler_delinked_message_01
  • [Deleted] windows_defender

Schema

  • [New] _cipSourceHost
  • [New] _cipSourceName

April 7, 2022 - Announcement

On April 21, 2022, we will be removing the following legacy log mappers related to the CIP Windows collector from the CSE platform. These log mappers are in use by only a small portion of our customer base, and we are working with our technical account teams to reach out directly to those impacted and migrate them to our newer Sumo parsers.

No loss of out-of-the-box functionality will occur, and no out-of-the-box rules are impacted, because the Sumo parsers map all of the same information. Please be sure to check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.

  • Windows - Security - 1100 - CIP
  • Windows - Security - 1102 - CIP
  • Windows - Security - 4625 - CIP
  • Windows - Security - 4624 - CIP
  • Windows - Security - 4634 - CIP
  • Windows - Security - 4648 - CIP
  • Windows - Security - 4649 - CIP
  • Windows - Security - 4672 - CIP
  • Windows - Security - 4688 - CIP
  • Windows - Security - 4697 - CIP
  • Windows - Security - 4698 - CIP
  • Windows - Security - 4702 - CIP
  • Windows - Security - 4720 - CIP
  • Windows - Security - 4726 - CIP
  • Windows - Security - 4740 - CIP
  • Windows - Security - 4742 - CIP
  • Windows - Security - 5805 - CIP
  • Windows - Security - 4768 - CIP
  • Windows - Security - 4769 - CIP
  • Windows - Security - 4770 - CIP
  • Windows - Security - 4771 - CIP
  • Windows - Security - 4776 - CIP
  • Windows - Security - 4778 - CIP
  • Windows - Security - 4779 - CIP
  • Windows - Security - 5140 - CIP
  • Windows - Security - 4728 - CIP
  • Windows - Security - 4732 - CIP
  • Windows - Security - 4756 - CIP
  • Windows - Security - 4661 - CIP
  • Windows - Security - 4704 - CIP
  • Windows - Security - 4754 - CIP
  • Windows - Security - 4780 - CIP
  • Windows - Security - 4793 - CIP
  • Windows - Security - 5038 - CIP
  • Windows - Security - 6272 - CIP
  • Windows - Security - 6273 - CIP
  • Windows - Security - 6275 - CIP
  • Windows - Security - 6278 - CIP
  • Windows - Security - 4662 - CIP
  • Windows - Security - 4755 - CIP
  • Windows - Security - 4689 - CIP
  • Windows - Security - 4798 - CIP
  • Windows - Security - 6416 - CIP
  • Windows - Security - 6423 - CIP
  • Windows - Security - 6424 - CIP
  • Windows - Security - 4656 - CIP
  • Windows - Security - 4663 - CIP
  • Windows - Security - 4658 - CIP
  • Windows - Security - 4674 - CIP
  • Windows - Security - 4799 - CIP
  • Windows - Security - 5058 - CIP
  • Windows - Security - 5059 - CIP
  • Windows - Security - 5061 - CIP
  • Windows - Security - 5379 - CIP
  • Windows - System - 5138 - CIP
  • Windows - System - 6005 - CIP
  • Windows - System - 6006 - CIP
  • Windows - System - 7045 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP

April 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00599 Alibaba ActionTrail Root Login
  • [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
  • [Updated] MATCH-S00168 Windows - Local System executing whoami.exe

Log Mappers

  • [New] Cisco ASA 313004 JSON
  • [New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/SentinelOne/SentinelOne Syslog

April 6, 2022 - Announcement

Upcoming Removal of Unused Content

On Tuesday, April 12th, unused legacy grok parsers and their corresponding log mappers will be removed from CSE.

This update is part of a longer transition as we begin decommissioning legacy grok parsers in favor of our current parser set. Sumo Logic has confirmed customers are NOT actively using any of the legacy grok parsers or log mappers we plan to remove in this future update.

It's important to note that this future content update does NOT remove or change existing legacy grok parsers or associated log mappers still used by customers today. We do not expect this update to cause any operational changes.
April 1, 2022 - Content Release

Spring4Shell Exploitation

A new rule (MATCH-S00783) designed to detect attempts to exploit Spring4Shell is being deployed. A match on this rule does not by itself indicate whether the exploitation was successful, but CSE already includes a number of rules that provide extensive coverage of common post-exploitation activities, notably:

  • MATCH-S00348 Curl Start Combination
  • MATCH-S00362 Suspicious Curl File Upload
  • LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
  • MATCH-S00149 PowerShell File Download
  • MATCH-S00164 Suspicious Shells Spawned by Web Servers
  • MATCH-S00174 Web Services Executing Common Web Shell Commands

Rules

  • [New] MATCH-S00783 Spring4Shell Exploitation - URL
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [New] Netskope - WebTx Events
  • [New] Tenable.io Authentication
  • [New] Tenable.io Catch All
  • [Updated] AWS CloudFront
  • [Updated] AWS WAF Block Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events
  • [Updated] Tenable.io Vulnerability

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.

To view release notes from previous years, check the archive.

Copyright © 2022 by Sumo Logic, Inc.