2022 Archive
This is an archive of 2022 Cloud SIEM Release Notes.
December 21, 2022 - Content Release
Rules
- [Updated] MATCH-S00547 Script Execution Via WMI
- [Updated] MATCH-S00684 Wget Passed to Script Execution Command
Log Mappers
- [New] Azure Firewall Application Rule
- [New] Azure Firewall DNS Proxy
- [New] Azure Firewall Network Rule
- [New] Microsoft O365 Exchange Message Trace C2C
Parsers
- [New] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C
- [New] /Parsers/System/Microsoft/Windows XML from Azure
- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
Schema
- [New] email_recipient
December 14, 2022 - Content Release
Log Mappers
- [Updated] Cisco ASA 710002-3 JSON
- [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
- [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
- [Updated] Windows - Security - 4732
Parsers
- [New] /Parsers/System/Snort/Snort
- [Updated] /Parsers/System/Cisco/Cisco ASA
- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
- [Updated] /Parsers/System/Okta/Okta
- [Updated] /Parsers/System/Suricata/Suricata Syslog
- [Updated] /Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON
December 13, 2022 - Application Update
New Entity Types
Eight new predefined Entity types have been added to Cloud SIEM. This will enable customers to more accurately associate Signals and Insights with security threats. They are listed below along with the related normalized record schema attributes (which can be specified in Rule definitions):
| Entity Type | Schema Attributes |
|---|---|
| Command | commandLine |
| Domain | http_referer_fqdn, http_url_fqdn |
|  | targetUser_email, user_email |
| File | file_path, file_basename |
| Hash | file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_sha1, file_hash_sha256, file_hash_ssdeep |
| Process | baseImage, parentBaseImage |
| URL | http_url |
| User Agent | http_userAgent |
If you already had a custom Entity type with the same or similar name, it will not be affected and will not be automatically migrated to the corresponding standard Entity type.
Entity Notes
Similar to the functionality on Insights, users can now attach notes to Entities.
These notes are retained permanently on the associated Entity and are visible to all users who can view the Entity.
Custom Time Windows for Rules
Threshold, Aggregation and Chain Rules now support custom time windows. Previously, when writing a Rule, a time window had to be chosen from a list of predefined options. With this new enhancement, users can define any time window in minutes, hours, or days, with a minimum of 1 minute and a maximum of 5 days (120 hours).
Inventory Favorite Fields
Where inventory data is shown for an Entity, such as the Entity details page or the Insight details page, users can now “favorite” the inventory fields that should be shown in the summary list.
To do this, simply expand the Full Details view, hover to the left of the field, and click the star icon that appears. To remove the favorite selection, simply unclick the star icon. The field selections are applied across all users and retained across sessions. (This behavior is the same as for favorite fields on Records.)
Minor Changes and Enhancements
- [Updated] The previously announced migration of our out-of-the-box rules from standard match lists to Entity tags has been postponed. New dates for this migration will be announced in the near future.
- [New] Service providers using the Consolidated Insight List can now see Insights from client organizations across deployments.
- [Updated] The usability of filters for list views when searching for an object that includes a specific tag schema has been enhanced.
- [Removed] The link to download the Insight Enrichment Service has been removed from the Enrichment page. The link is specified in the installation instructions online.
- [New] Users can now filter Records by Sensor Zone.
Resolved Issues
- Importing data from CSV files via the UI was not working properly.
- The `http_url` field was not being concatenated properly in some mapper scenarios.
- Entity domain normalization was not working properly.
- The Copy Expression feature in the UI did not copy Boolean values to the clipboard properly.
- The Rule Tuning Expression list page was not auto-refreshing correctly.
- Users were unable to filter the Signals list based on severity.
- IP addresses in the 198.18.0.0/15 and 169.254.0.0/15 ranges were not being marked as private subnets per RFC1918.
- Users without the proper permissions were able to add comments and Signals to Insights.
- Regular expressions ending with an asterisk (`*`) were not working properly in search/list filters.
December 8, 2022 - Content Release
Rules
- [Updated] MATCH-S00159 Windows - Permissions Group Discovery
Log Mappers
- [Updated] Azure Administrative logs
- [Updated] Azure NSG Flows
- [Updated] Squid Proxy - Parser
- [Updated] Windows - Security - 4624
Parsers
- [Updated] /Parsers/System/Cisco/Cisco ASA
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
December 1, 2022 - Content Release
Log Mappers
- [New] Azure Risky Users
- [New] Azure User Risk Events
- [New] CrowdStrike Falcon CustomerIOCEvent (CNC)
- [New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
- [New] CrowdStrike Falcon Identity Protection (CNC)
- [New] Microsoft Office 365 RecordType 105
- [New] Microsoft Office 365 RecordType 37
- [New] Microsoft Office 365 RecordType 57
- [New] Windows - Security - Default
- [Updated] Azure Event Hub - Windows Defender Logs
- [Updated] Cisco ASA 106100 JSON
- [Updated] Microsoft Office 365 Events
- [Updated] Windows - Security - 4740
Parsers
- [New] /Parsers/System/Microsoft/Microsoft Azure Nested JSON
- [New] /Parsers/System/Microsoft/Windows-JSON
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
November 22, 2022 - Content Release
Rules
- [Updated] MATCH-S00570 WMIPRVSE Spawning Process
Log Mappers
- [Updated] Gigamon Threat Insight - Catch All
- [Updated] Gigamon Threat Insight - Suricata
- [Updated] Microsoft Office 365 Threat Intelligence Url Events
Parsers
- [New] /Parsers/System/Gigamon/GigamonTI
- [Updated] /Parsers/System/Lacework/Lacework JSON
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
Schema
- [Updated] baseImage
- [Updated] commandLine
- [Updated] file_basename
- [Updated] file_hash_imphash
- [Updated] file_hash_md5
- [Updated] file_hash_pehash
- [Updated] file_hash_sha1
- [Updated] file_hash_sha256
- [Updated] file_hash_ssdeep
- [Updated] file_path
- [Updated] http_referer_fqdn
- [Updated] http_url
- [Updated] http_url_fqdn
- [Updated] http_userAgent
- [Updated] parentBaseImage
- [Updated] targetUser_email
- [Updated] user_email
November 17, 2022 - Content Release
Log Mappers
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
Parsers
- [Updated] /Parsers/System/Microsoft/Sysmon-JSON
November 15, 2022 - Content Release
Rules
- [New] MATCH-S00822 Potential Microsoft Office In-Memory Token Theft
- [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port
Log Mappers
- [New] Cisco Meraki 8021x
- [New] Cisco Meraki Client Association
- [Updated] Microsoft Office 365 Threat Intelligence Url Events
Parsers
- [Updated] /Parsers/System/Cisco/Cisco Meraki
November 11, 2022 - Content Release
Rules
- [Updated] MATCH-S00582 Malicious Service Installs
- [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking
Log Mappers
- [New] BigQuery Gmail C2C - Catch All
- [New] BigQuery Gmail C2C - Error in Delivery
- [New] BigQuery Gmail C2C - Failed Delivery
- [New] BigQuery Gmail C2C - Message was dropped by Gmail
- [New] BigQuery Gmail C2C - Message was rejected by Google Groups
- [Updated] AWSGuardDuty_Catch_All
- [Updated] AWSGuardDuty_Discovery
- [Updated] Azure Access Logs
- [Updated] Azure Action Logs
- [Updated] Azure Administrative logs
- [Updated] Azure AuditEvent logs
- [Updated] Azure ManagedIdentitySignInLogs
- [Updated] Azure NonInteractiveUserSignInLogs
- [Updated] Azure ServicePrincipalSignInLogs
- [Updated] Azure Storage Analytics
- [Updated] Azure Write and Delete Logs
- [Updated] AzureActivityLog
- [Updated] AzureActivityLog 01
- [Updated] AzureActivityLog AuditLogs
- [Updated] AzureDevOpsAuditing
- [Updated] AzureDiagnosticLog
- [Updated] Cisco ASA 113039 JSON
- [Updated] Cisco Ironport MID - Custom Parser
- [Updated] Cisco Ironport SFIMS - Custom Parser
- [Updated] Cisco Ironport WSA - Custom Parser
- [Updated] GCP App Engine Logs
- [Updated] GCP Audit Logs
- [Updated] GCP Firewall
- [Updated] GCP Parser - Load Balancer
- [Updated] GCP VPC Flows
- [Updated] Kubernetes
- [Updated] Office 365 - Exchange Admin Events
- [Updated] Windows - Security - 4697
- [Updated] Windows - Security - 4820
Parsers
- [New] /Parsers/System/Google/GCP BigQuery Gmail
- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
- [Updated] /Parsers/System/Dell/Dell SonicWall
- [Updated] /Parsers/System/Infoblox/Infoblox
Schema
- [New] device_k8s_normalizedDeploymentName
- [New] device_k8s_normalizedReplicaSetName
- [New] dstDevice_k8s_normalizedDeploymentName
- [New] dstDevice_k8s_normalizedReplicaSetName
- [New] srcDevice_k8s_normalizedDeploymentName
- [New] srcDevice_k8s_normalizedReplicaSetName
October 27, 2022 - Content Release
Rules
- [New] CHAIN-S00011 Potential InstallUtil Allow List Bypass
- [Updated] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
- [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution
Log Mappers
- [Updated] AWS - Application Load Balancer - ALB
- [Updated] AWS - Application Load Balancer - JSON
- [Updated] AWS API Gateway
- [Updated] AWS CloudFront
- [Updated] AWS EKS - Custom Parser
- [Updated] AWS Elastic Load Balancer - Custom Parser
- [Updated] AWS GuardDuty Alerts from Sumo CIP
- [Updated] AWS Inspector - Custom Parser
- [Updated] AWS Network Firewall Alerts
- [Updated] AWS Network Firewall Flow
- [Updated] AWS Network Firewall Netflow
- [Updated] AWS Route 53 Logs
- [Updated] AWS S3 Server Access Log - Custom Parser
- [Updated] AWS Security Hub
- [Updated] AWS Trusted Advisor
- [Updated] AWS VPC Flow Logs - Default Format
- [Updated] AWS VPC Flow Logs - JSON Format
- [Updated] AWS WAF Allow Logs
- [Updated] AWS WAF Block Logs
- [Updated] AWSGuardDuty_Backdoor
- [Updated] AWSGuardDuty_Behavior
- [Updated] AWSGuardDuty_Catch_All
- [Updated] AWSGuardDuty_CryptoCurrency
- [Updated] AWSGuardDuty_Discovery
- [Updated] AWSGuardDuty_Exfiltration
- [Updated] AWSGuardDuty_PenTest
- [Updated] AWSGuardDuty_Persistence
- [Updated] AWSGuardDuty_Policy
- [Updated] AWSGuardDuty_ResourceConsumption
- [Updated] AWSGuardDuty_Stealth
- [Updated] AWSGuardDuty_Trojan
- [Updated] AwsServiceEvent-AWS API Call via CloudTrail
- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
- [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
- [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
- [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
- [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
- [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
- [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
- [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
- [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
- [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
- [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
- [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
- [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
- [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
- [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
- [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
- [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
- [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
- [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
- [Updated] CloudTrail - iam.amazonaws.com - CreateUser
- [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
- [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
- [Updated] CloudTrail - kms.amazonaws.com - DisableKey
- [Updated] CloudTrail - kms.amazonaws.com - RotateKey
- [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
- [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
- [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
- [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
- [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
- [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
- [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
- [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
- [Updated] CloudTrail - signin.amazonaws.com - ExitRole
- [Updated] CloudTrail - signin.amazonaws.com - RenewRole
- [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
- [Updated] CloudTrail - sso.amazonaws.com - Federate
- [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
- [Updated] CloudTrail Default Mapping
- [Updated] Falco Detection JSON
- [Updated] Juniper SSG Series Firewall - Audit Messaging
- [Updated] Juniper SSG Series Firewall - Traffic Messaging
- [Updated] Microsoft IIS Parser - Catch All
- [Updated] Recon_EC2_PortProbeUnprotectedPort
- [Updated] Recon_EC2_Portscan
- [Updated] Recon_IAMUser
- [Updated] UnauthorizedAccess_EC2_SSHBruteForce
- [Updated] UnauthorizedAccess_EC2_TorClient
- [Updated] UnauthorizedAccess_EC2_TorIPCaller
- [Updated] UnauthorizedAccess_EC2_TorRelay
- [Updated] UnauthorizedAccess_IAMUser
Parsers
- [Renamed] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog -> /Parsers/System/Juniper/Juniper SSG Series Firewall Syslog
- [New] /Parsers/System/Netskope/Netskope Security Cloud JSON
- [Updated] /Parsers/System/Falco/Falco JSON
- [Updated] /Parsers/System/Microsoft/Microsoft IIS
October 20, 2022 - Content Release
Rules
- [Updated] MATCH-S00640 Kubernetes Pod Created in Kube Namespace
- [Updated] MATCH-S00642 Kubernetes Service Account Created in Kube Namespace
Log Mappers
- [New] Juniper SSC Series Firewall - Audit Messaging
- [New] Juniper SSC Series Firewall - Traffic Messaging
- [New] Linux-Sysmon/Operational - 1
- [New] Linux-Sysmon/Operational - 10
- [New] Linux-Sysmon/Operational - 11
- [New] Linux-Sysmon/Operational - 15
- [New] Linux-Sysmon/Operational - 16
- [New] Linux-Sysmon/Operational - 17
- [New] Linux-Sysmon/Operational - 18
- [New] Linux-Sysmon/Operational - 2
- [New] Linux-Sysmon/Operational - 23
- [New] Linux-Sysmon/Operational - 3
- [New] Linux-Sysmon/Operational - 4
- [New] Linux-Sysmon/Operational - 5
- [New] Linux-Sysmon/Operational - 6
- [New] Linux-Sysmon/Operational - 7
- [New] Linux-Sysmon/Operational - 8
- [New] Linux-Sysmon/Operational - 9
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Azure Advanced Threat Protection
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Defender for Cloud Apps
- [Updated] Kubernetes
- [Updated] Microsoft Office 365 Threat Intelligence Events
Parsers
- [New] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog
- [New] /Parsers/System/Linux/Linux Sysmon XML
Schema
- [New] device_k8s_deployment
- [New] device_k8s_namespace
- [New] device_k8s_normalizedPodName
- [New] device_k8s_pod
- [New] device_k8s_replicaSet
- [New] dstDevice_k8s_deployment
- [New] dstDevice_k8s_namespace
- [New] dstDevice_k8s_normalizedPodName
- [New] dstDevice_k8s_pod
- [New] dstDevice_k8s_replicaSet
- [New] srcDevice_k8s_deployment
- [New] srcDevice_k8s_namespace
- [New] srcDevice_k8s_normalizedPodName
- [New] srcDevice_k8s_pod
- [New] srcDevice_k8s_replicaSet
- [Updated] device_container_runtime
October 20, 2022 - Application Update
Support for Custom Inventory Sources
Cloud SIEM now supports custom sources of inventory data. If you want to ingest inventory data from a source that Sumo Logic does not provide a pre-built connector for, you can use this new feature. See the new document Configure a Custom Inventory Source for details.
Standard Match Lists
As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the previous announcement. This will continue until January 20, 2023, when the migration will be complete.
Minor Changes and Enhancements
- [New] API endpoints have been created enabling users to upload attribute changes (such as tags or criticality) for multiple Entities in a single call, rather than having to do so one at a time. The new endpoints are `/entities/bulk-add-tags`, `/entities/bulk-update-tags`, `/entities/bulk-remove-tags`, `/entities/bulk-update-suppressed`, and `/entities/bulk-update-criticality`. Note that these API endpoints have a limit of 1000 entries per call. More details are available via the API Documentation link in Cloud SIEM.
- [Updated] Previously, a new feature was added to the Enrichments tab that enabled you to hide any attribute-value pair with an "empty" value for clarity. This included values like "0" or "N/A". However, some of those values are often useful to the analyst (for example, `number_of_threat_reports="0"`). Starting with this release, this feature will only hide attributes with truly empty values (i.e., `attribute=""`).
Resolved Issues
- The CSV file upload method for updating Entity attributes did not support sensor zones or normalized entity names properly.
- Cloud SIEM has switched providers of lists of public dynamic DNS domains, which has resolved an issue with rules utilizing these lists.
October 13, 2022 - Application Update
Announcement: Standard Match Lists Migration to Entity Tags
Currently, Cloud SIEM defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with Cloud SIEM will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.
Next week, a new set of standard tag schemas will be introduced in Cloud SIEM. These tag schemas will correspond to the existing standard Match Lists:
| Key | Allowed Values | Equivalent Match List |
|---|---|---|
| _deviceGroup | admin | admin_ips |
| _deviceGroup | awsAdmin | AWS_admin_ips |
| _deviceGroup | business | business_ips |
| _deviceGroup | gcpAdmin | GCP_admin_ips |
| _deviceGroup | googleWorkspaceAdmin | Google_Workspace_admin_ips |
| _deviceGroup | salesforceAdmin | salesforce_admin_ips |
| _deviceGroup | sandbox | sandbox_ips |
| _deviceGroup | scanTarget | scanner_targets |
| _deviceService | dns | dns_servers, dns_servers_dst, dns_servers_src |
| _deviceService | ftp | ftp_servers |
| _deviceService | smtp | smtp_servers |
| _deviceService | sql | sql_servers |
| _deviceService | ssh | ssh_servers |
| _deviceService | telnet | telnet_servers |
| _deviceType | authServer | auth_servers, auth_servers_dst, auth_servers_src |
| _deviceType | lanScanner | lan_scanner_exception_ips |
| _deviceType | nms | nms_ips |
| _deviceType | paloAltoSinkhole | palo_alto_sinkhole_ips |
| _deviceType | proxyServer | proxy_servers, proxy_servers_dst, proxy_servers_src |
| _deviceType | vpnServer | vpn_servers |
| _deviceType | vulnerabilityScanner | vuln_scanners |
| _deviceType | webServer | http_servers |
| _networkType | guest | guest_networks |
| _networkType | nat | nat_ips |
| _networkType | vpn | vpn_networks |
| _userGroup | awsAdmin | AWS_admin_users |
| _userGroup | dsReplication | ds_replication_authorized_users |
| _userGroup | gcpAdmin | GCP_admin_users |
| _userGroup | googleWorkspaceAdmin | Google_Workspace_admin_users |
| _userGroup | kerberosDowngrade | downgrade_krb5_etype_authorized_users |
| _userGroup | salesforceAdmin | salesforce_admin_users |
(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)
Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity `1.2.3.4` is in match list `sql_servers`, a tag `_deviceService:sql` will be set on it. Cloud SIEM will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and Cloud SIEM will no longer automatically create these tags.
Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.
Note that you cannot extend the standard tag schemas (for example, you cannot add a value `azureAdmin` to `_userGroup`). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as `customUserGroup`) with such extended values.
You can refer to Entity tags in Rule expressions. For example, if you've attached the tag `_deviceService:sql` to an Entity, this statement will return "true" if that Entity is listed in a Record's `srcDevice_ip` field:
`array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")`
Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.
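The migration and the rule expression described above, as an added example (not Sumo Logic code): the standard tag schemas from the table are used to derive the match-list-to-tag mapping, a constructed set of match lists is migrated to per-Entity tags, a `fieldTags` map is modelled for a constructed Record, and `array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")` is evaluated against it. The `is_valid_tag` check enforces the caveat that system-defined (`_`-prefixed) schemas cannot be extended while a custom schema such as `customUserGroup` can. How Cloud SIEM stores tags internally is not on the page; the data structures here are assumptions.

```python
from collections import defaultdict

# Standard tag schemas and the match lists each value replaces (from the table above).
STANDARD_TAG_SCHEMAS = {
    "_deviceGroup": {
        "admin": ["admin_ips"], "awsAdmin": ["AWS_admin_ips"], "business": ["business_ips"],
        "gcpAdmin": ["GCP_admin_ips"], "googleWorkspaceAdmin": ["Google_Workspace_admin_ips"],
        "salesforceAdmin": ["salesforce_admin_ips"], "sandbox": ["sandbox_ips"],
        "scanTarget": ["scanner_targets"],
    },
    "_deviceService": {
        "dns": ["dns_servers", "dns_servers_dst", "dns_servers_src"], "ftp": ["ftp_servers"],
        "smtp": ["smtp_servers"], "sql": ["sql_servers"], "ssh": ["ssh_servers"],
        "telnet": ["telnet_servers"],
    },
    "_deviceType": {
        "authServer": ["auth_servers", "auth_servers_dst", "auth_servers_src"],
        "lanScanner": ["lan_scanner_exception_ips"], "nms": ["nms_ips"],
        "paloAltoSinkhole": ["palo_alto_sinkhole_ips"],
        "proxyServer": ["proxy_servers", "proxy_servers_dst", "proxy_servers_src"],
        "vpnServer": ["vpn_servers"], "vulnerabilityScanner": ["vuln_scanners"],
        "webServer": ["http_servers"],
    },
    "_networkType": {"guest": ["guest_networks"], "nat": ["nat_ips"], "vpn": ["vpn_networks"]},
    "_userGroup": {
        "awsAdmin": ["AWS_admin_users"], "dsReplication": ["ds_replication_authorized_users"],
        "gcpAdmin": ["GCP_admin_users"], "googleWorkspaceAdmin": ["Google_Workspace_admin_users"],
        "kerberosDowngrade": ["downgrade_krb5_etype_authorized_users"],
        "salesforceAdmin": ["salesforce_admin_users"],
    },
}

# Reverse index: match list name -> "key:value" tag it migrates to.
MATCH_LIST_TO_TAG = {
    lst: f"{key}:{value}"
    for key, values in STANDARD_TAG_SCHEMAS.items()
    for value, lists in values.items()
    for lst in lists
}


def is_valid_tag(tag):
    """System schemas (underscore prefix) accept only their predefined values;
    any other schema name is treated as a custom schema and accepts any value."""
    key, _, value = tag.partition(":")
    if not key or not value:
        return False
    if key.startswith("_"):
        return value in STANDARD_TAG_SCHEMAS.get(key, {})
    return True


def migrate_match_lists(match_lists):
    """Return entity -> set of standard tags, as the automatic migration sets them.
    Lists with no tag equivalent (business_domains, threat, ...) are left alone."""
    entity_tags = defaultdict(set)
    for list_name, members in match_lists.items():
        tag = MATCH_LIST_TO_TAG.get(list_name)
        if tag is None:
            continue
        for entity in members:
            entity_tags[entity].add(tag)
    return dict(entity_tags)


def field_tags(record, entity_tags):
    """Assumed model of fieldTags: record field -> tags of the Entity in that field."""
    return {field: sorted(entity_tags.get(value, ())) for field, value in record.items()}


def array_contains(values, needle):
    return needle in values


def rule_matches(record, entity_tags, field="srcDevice_ip", tag="_deviceService:sql"):
    """Equivalent of array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")."""
    return array_contains(field_tags(record, entity_tags).get(field, []), tag)


# Constructed sample data (not real match list contents or a real Record).
SAMPLE_MATCH_LISTS = {
    "sql_servers": {"1.2.3.4"},
    "dns_servers_src": {"10.0.0.53"},
    "business_domains": {"example.com"},  # no Entity tag equivalent; stays a match list
}
SAMPLE_RECORD = {"srcDevice_ip": "1.2.3.4", "dstDevice_ip": "10.0.0.53"}

if __name__ == "__main__":
    tags = migrate_match_lists(SAMPLE_MATCH_LISTS)
    print(tags)
    print(rule_matches(SAMPLE_RECORD, tags))
```

Because `dns_servers`, `dns_servers_dst` and `dns_servers_src` all collapse to the single tag `_deviceService:dns`, a rule that previously distinguished source from destination DNS servers by match list has to make that distinction through the field it inspects (`srcDevice_ip` versus `dstDevice_ip`) once it is rewritten against tags.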
Minor Changes and Enhancements
- [New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that is part of that schema. For example, if you search for `_networkType` (from the note above) the list results will include any object that has a tag of `_networkType:guest`, `_networkType:nat`, and/or `_networkType:vpn`.
Resolved Issues
- Entity relationships were not taking sensor zones into account properly.
- Entity details pages were only briefly displaying the proper Criticality.
- The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.
October 12, 2022 - Introducing Sumo Logic Open Source Docs
Welcome to the Sumo Logic Cloud SIEM Release Notes on our new docs site! We're now open source and encourage you to contribute. We welcome all contributions, from minor typo fixes to brand new docs. Your expertise and sharing can help fellow users learn and expand their knowledge of Sumo Logic.
Here you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM.
To view Release Notes from previous years, check the archive.
October 6, 2022 - Application Update
Application Update: Minor Changes and Enhancements
- [Updated] Dynamic severity in rules has been enhanced. Users can now specify ranges of values to match to a specific severity. There are now multiple options, and these options can be combined (the first rule that matches is used; if none match then the default is used):
  - Equal to: exact string or mathematical match ("Equal to 4" will match "4" and 4.0 but not 4.01)
  - Greater than and Less than: mathematical only, not inclusive ("Less than 5" will match 4.9 but not 5)
  - Between: mathematical only, inclusive ("Between 5 and 10" will match 5 or 7 but not 10.1)
  - Not in the record: will match when the attribute is not listed in the record (if there is no "bro_irc_value" attribute then this rule will match; if "bro_irc_value" exists but is empty/null, this does not match)
- [New] Users can now filter the Signals list based on the type of Rule that generated the Signal (Match, Chain, Aggregation, etc.)
- [New] Users can now perform negative keyword searches ("not:aws" would return all objects that do not include the keyword "aws")
- [New] Entity domain normalization can now be managed via Terraform
- [New] Users can now configure the Email Action to send emails in plain text in addition to the previously supported multipart HTML5/text format
- [New] Changes to the Insight Threshold are now noted in the Audit Log
- [Deleted] As previously announced, the IBM Resilient and Sensor actions have been removed from Cloud SIEM
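The dynamic severity options listed in the first item above, as an added example that is not Sumo Logic's code: a small evaluator implementing the four matching modes with the semantics the notes state (string-or-numeric equality, exclusive greater/less than, inclusive between, and "not in the record" matching only when the attribute is absent), applied first-match-wins with a default. The rule configuration and the `bro_irc_value` records are constructed; the `SeverityRule` structure is an assumption, not the product's configuration format.

```python
"""Dynamic rule severity evaluation modelled on the October 6, 2022 release notes.
Added example; not Sumo Logic code."""
from dataclasses import dataclass
from typing import Any, Optional


def _as_number(value: Any) -> Optional[float]:
    """Numeric value of a record attribute, or None if it is not numeric."""
    if value is None or isinstance(value, bool):
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


@dataclass
class SeverityRule:
    """One row of an (assumed) dynamic severity configuration."""
    op: str                      # equal | greater_than | less_than | between | not_in_record
    severity: int
    value: Any = None            # operand for equal / greater_than / less_than
    low: Optional[float] = None  # inclusive bounds for between
    high: Optional[float] = None

    def matches(self, record: dict, attr: str) -> bool:
        if self.op == "not_in_record":
            # Only a missing attribute matches; present-but-empty/null does not.
            return attr not in record
        if attr not in record:
            return False
        actual = record[attr]
        if self.op == "equal":
            # Exact string match first, then mathematical equality ("4" == 4.0).
            if str(actual) == str(self.value):
                return True
            a, b = _as_number(actual), _as_number(self.value)
            return a is not None and b is not None and a == b
        a = _as_number(actual)
        if a is None:
            return False  # non-numeric values never satisfy a numeric comparison
        if self.op == "greater_than":
            return a > float(self.value)
        if self.op == "less_than":
            return a < float(self.value)
        if self.op == "between":
            return self.low <= a <= self.high
        raise ValueError(f"unknown operator {self.op!r}")


def dynamic_severity(record: dict, attr: str, rules: list, default: int) -> int:
    """First matching rule wins; otherwise fall back to the default severity."""
    for rule in rules:
        if rule.matches(record, attr):
            return rule.severity
    return default


# Constructed sample configuration for the attribute used in the notes' example.
RULES = [
    SeverityRule("not_in_record", severity=1),
    SeverityRule("equal", severity=4, value=4),
    SeverityRule("less_than", severity=2, value=5),
    SeverityRule("between", severity=3, low=5, high=10),
]


def classify(record: dict) -> int:
    """Severity for a constructed record, with 0 as the default (no rule matched)."""
    return dynamic_severity(record, "bro_irc_value", RULES, default=0)


if __name__ == "__main__":
    for sample in ({}, {"bro_irc_value": ""}, {"bro_irc_value": "4"},
                   {"bro_irc_value": 4.01}, {"bro_irc_value": 7}, {"bro_irc_value": 10.1}):
        print(sample, "->", classify(sample))
```

The order of the rules matters: because the "not in the record" rule is listed first, it claims absent attributes before any numeric comparison is attempted, and an attribute that is present but empty falls through every rule to the default rather than being treated as missing.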
Resolved Issues
- Match list items were not matching properly in some instances, such as after deletion
- Keyword searches did not properly support values (such as hostnames) with embedded dashes
- Changes to prototype state were not visible in the rule history
- In some cases, the system was parsing domain names/TLDs incorrectly
Content Release
Log Mappers
- [New] Azure Application Service Console Logs
- [New] Google G Suite Alert Center - Sensitive Admin Action
- [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
Parsers
- [Updated] /Parsers/System/Google/G Suite Alert Center
Legacy Parsers
- [Updated] CISCO_MERAKI_SECURITY_FILTERING_FILE_SCANNED
- [Updated] CISCO_MERAKI_URLS
- [Updated] Twistlock_Logs
September 29, 2022 - Content Release
Rules
- [Deleted] MATCH-S00070 Checkpoint Firewall
Log Mappers
- [New] Cyber Ark EPM AggregateEvent
- [New] Cyber Ark EPM AuditAdmin
- [New] Cyber Ark EPM GetComputer
- [New] Cyber Ark EPM Policy
- [New] Cyber Ark EPM RawDetails
- [New] Cyber Ark EPM RawEvents
Parsers
- [New] /Parsers/System/Cyber-Ark/CyberArk EPM JSON
- [Updated] /Parsers/System/Auth0/Auth0
September 19, 2022 - Content Release
Rules
- [Deleted] CHAIN-S00009 Proofpoint TAP Click Permitted Followed by Successful Request
Log Mappers
- [New] Wiz Catch All
- [Updated] Orca Security Parser - Catch All
Schema
- [New] cloud_provider
- [New] cloud_region
- [New] cloud_service
- [New] cloud_zone
- [New] device_container_id
- [New] device_container_name
- [New] device_container_runtime
- [New] device_image
- [New] device_type
- [New] dstDevice_container_id
- [New] dstDevice_container_name
- [New] dstDevice_container_runtime
- [New] dstDevice_image
- [New] dstDevice_type
- [New] resourceType
- [New] srcDevice_container_id
- [New] srcDevice_container_name
- [New] srcDevice_container_runtime
- [New] srcDevice_image
- [New] srcDevice_type
- [Updated] dstDevice_uniqueId
September 12, 2022 - Application Update
Insight Enrichment Server for Fed deployment
[Update] We’ve released a new version of the Insight Enrichment Server that runs on the Sumo Logic FedRAMP-compliant deployment. This makes Cloud SIEM on FedRAMP functionally equivalent to commercial deployments of Cloud SIEM.
September 9, 2022 - Application Update
Minor Changes and Enhancements
- [New] An API endpoint has been added which enables users to delete multiple entries in a match list in one operation: `POST /match-list-items/bulk-delete`
- [Updated] When inventory data for hosts includes both private and public IP addresses, that data will be attached to both Entities. Previously it was only attached to one of the IP address Entities.
- [Updated] Previously we announced that the severity attribute for Insights in the Audit Logs would be switching from numbers (1-4) to text (LOW, MEDIUM, HIGH, etc). Instead, we have retained the existing numerical attribute and added a new attribute `severityName` containing the human-readable text.
Resolved Issues
- In some Audit Log messages related to Insight comments, the `insight_readable_id` was not set correctly.
- In some cases, manually adding or removing tags in an Insight was not being recorded in the Audit Logs properly.
- For some customers, the bar chart on the Records list page was not rendering properly.
- Time/date stamps were not being displayed consistently across the UI.
- Some pages were returning intermittent 404 or internal errors.
September 8, 2022 - Content Release
In one week (2022-09-15), we will be removing the CHAIN-S00009 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.
Rules
- [Updated] MATCH-S00819 Chromium Process Started With Debugging Port
Log Mappers
- [Updated] Aruba ClearPass Syslog
Parsers
- [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/Microsoft/Microsoft IIS
September 1, 2022 - Application Update
Announcements
- Starting October 1, 2022, suppressed Signals will be retained in Cloud SIEM for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the Cloud SIEM UI.
- Note also that in the past, Signals attached to Insights were searchable from the Cloud SIEM Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.)
- As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from Cloud SIEM by the end of this month.
Minor Changes and Enhancements
- [New] In the Audit Log, when an Insight is created, the sum of the included Signals' severities is now included with the Insight in the `risk_score` field (for example, three Signals each with a severity of 4 yield a `risk_score` of 12).
- [Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. A plain click now brings up a "Copy Value" action instead.
- [New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
- [New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.
Resolved Issues
- In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
- Time stamps were missing from Records in some views.
Content Release
In 2 weeks (2022-09-15) we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.
Rules
- [New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
- [New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
- [New] MATCH-S00819 Chromium Process Started With Debugging Port
- [New] MATCH-S00820 Cloud Credential File Accessed
- [New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
- [Updated] MATCH-S00235 Azure - Create User
Log Mappers
- [New] Mimecast AV Event
- [New] Mimecast Impersonation Event
- [New] Mimecast Spam Event
- [Updated] AzureActivityLog AuditLogs
August 25, 2022 - Application Update
Application Update
Cloud SIEM App is now available
The Cloud SIEM app gives you visibility into what's going on in Cloud SIEM. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by Cloud SIEM. You can also get insight into Cloud SIEM rules, including rule management activity and which rules have fired.
This app is available to all licensed Cloud SIEM customers in the Sumo Logic App Catalog. For more information, see Cloud SIEM App.
Content Release
Rules
- [Updated] MATCH-S00632 Okta Administrator Access Granted
- [Updated] MATCH-S00683 Overly Permissive Chmod Command
Log Mappers
- [New] Check Point Avanan
- [New] Cisco ISE Authentication Failure
- [New] Cisco ISE Authentication Success
- [New] Cisco ISE Catch All
- [New] FireEye Web MPS Event
- [Updated] Microsoft Office 365 Threat Intelligence Events
- [Updated] Windows Microsoft-Windows-Sysmon/Operational 3
- [Updated] Windows Security 4688
Parsers
- [New] /Parsers/System/Check Point/Check Point Avanan JSON
- [New] /Parsers/System/Cisco/Cisco ISE
- [New] /Parsers/System/FireEye/FireEye Web MPS JSON
August 18, 2022 - Application Update
Resolved Issues
- Several issues were resolved related to the bulk upload of Entity attributes, including errors with CSV file parsing, editing uploaded attributes in the UI, and a lack of audit logging.
- On the Entity details page, the criticality was not being displayed properly.
- Labels were not being created properly based on Network Blocks for a small number of customers.
- InsightCommentCreated audit events did not include the `readableId` attribute.
- For some record types, the `Actions` field was not being displayed if selected as a favorite field.
July 28, 2022 - Application Update
Read-Only User Capabilities for Cloud SIEM
New user capabilities (permissions) have been created enabling read-only access to content and configuration features in Cloud SIEM.
These can be used when defining roles in the Sumo Logic platform (at Administration > Users and Roles > Roles).
(For those with Cloud SIEM instances in the `jask.ai` domain, these capabilities are accessed via the Configuration > Roles page in Cloud SIEM.)
Users with these capabilities (without the corresponding Manage capabilities) will be able to view the corresponding pages but will not be able to make changes on those pages. (Previously, users without the Manage capabilities could not see the corresponding pages.)
These permissions also apply to Cloud SIEM APIs, so View (only) capabilities can now be assigned if desired.
Minor Changes and Enhancements
- [Updated] When Threat Intelligence polling fails, the corresponding event will now include more information about the specific error that occurred.
- [Updated] The API endpoints that return information about Signals (`GET /signals`, `GET /signals/<id>`, and `GET /signals/all`) now include the summary field (previously only accessible via the UI).
- [New] The Sumo Logic audit logs will now include events when a user adds or removes a Signal to/from an Insight, and when a user adds a comment to an Insight.
Resolved Issues
- The `GET /rules` and `GET /rules/<id>` API endpoints did not enforce role capabilities, so any authenticated API user could read rule definitions; they now require either View Rules or Manage Rules.
- Favorite Fields were not always being displayed on Signals generated by Threshold Rules.
July 21, 2022 - Application Update
Entity Groups
Entity attributes (tags, criticality and suppression) provide value to Cloud SIEM users in a number of ways: for example, investigations can be completed faster with more context, Insights can be prioritized better with the appropriate severity, and false-positive Signals from test instances can be prevented. However, setting those attributes has been a manual process, and keeping them in sync as new Entities are defined is difficult.
That's why we are pleased to announce a new feature called Entity Groups. By defining Entity Groups, attributes can be automatically applied (or removed) based on Entity value (name), IP address, or Inventory group membership. For example, all high-risk laptops will receive higher criticality -- even if such a laptop is added to your environment months later.
Entities can even be members of more than one Entity Group, so a high-risk laptop in the Austin office could both get a tag identifying its location and receive the higher criticality. And if you later reassigned it so that it was no longer in a high-risk group, the criticality would be automatically removed.
To create an Entity Group, use the new Entity Groups item that has been added to the Configuration menu. On the Entity Groups page, click the Create button to open the detail dialog.
Here you can decide what attribute Group membership should be based on:
- Group membership in your Inventory system (such as Active Directory)
- Entity value (name) - prefix or suffix (such as "aus-" or "-public")
- IP address range (for IP Address entities) defined using the CIDR format
Entity Groups also support sensor zones.
Then you can define what attribute(s) should be applied to member Entities - tags, criticality and/or suppression.
This release also includes API and Terraform support for Entity Groups.
More information about this exciting new feature and how to use it is in the documentation at Using Entity Groups.
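As an added illustration (not Sumo Logic's code, and not how the product implements the feature), the following Python model captures the membership and attribute semantics just described: one criterion per group (inventory group, name prefix or suffix, or CIDR range), tags, criticality and suppression applied to members, multiple memberships combined, and attributes dropping away automatically once an Entity no longer matches. The `Entity` and `EntityGroup` classes, the `evaluate` function, the criticality name "High" and the sample groups are all assumptions made for the example; where several groups set a criticality, the first one listed wins, which is the example's own tie-break rather than documented product behaviour.

```python
# Added example (not Sumo Logic's code): a minimal model of the Entity Group
# semantics described above. Assumed: an entity carries a name, an optional IP
# and the inventory (e.g. AD) groups it belongs to; each group has one
# membership criterion and applies tags, a criticality and/or suppression.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Entity:
    name: str
    ip: Optional[str] = None                        # set for IP Address entities
    inventory_groups: FrozenSet[str] = frozenset()  # from the inventory source


@dataclass(frozen=True)
class EntityGroup:
    name: str
    # membership criterion: exactly one of the four should be set
    inventory_group: Optional[str] = None  # e.g. an Active Directory group
    prefix: Optional[str] = None           # entity name prefix, e.g. "aus-"
    suffix: Optional[str] = None           # entity name suffix, e.g. "-public"
    cidr: Optional[str] = None             # IP range in CIDR form
    # attributes applied to members
    tags: FrozenSet[str] = frozenset()
    criticality: Optional[str] = None      # hypothetical criticality name
    suppressed: bool = False

    def matches(self, e: Entity) -> bool:
        if self.inventory_group is not None:
            return self.inventory_group in e.inventory_groups
        if self.prefix is not None:
            return e.name.startswith(self.prefix)
        if self.suffix is not None:
            return e.name.endswith(self.suffix)
        if self.cidr is not None and e.ip is not None:
            net = ipaddress.ip_network(self.cidr, strict=False)
            return ipaddress.ip_address(e.ip) in net
        return False


def evaluate(entity: Entity, groups: List[EntityGroup]) -> dict:
    """Recompute the group-managed attributes of one entity from scratch.

    Tags from every matching group are unioned and suppression is set if any
    matching group sets it. When several groups set a criticality, the first
    one in `groups` wins; that tie-break is an assumption, the page does not
    say how the product resolves it. Because the result is derived only from
    current membership, an attribute disappears as soon as the entity stops
    matching the group that granted it.
    """
    members, tags, criticality, suppressed = [], set(), None, False
    for g in groups:
        if not g.matches(entity):
            continue
        members.append(g.name)
        tags |= g.tags
        suppressed = suppressed or g.suppressed
        if criticality is None and g.criticality is not None:
            criticality = g.criticality
    return {"groups": members, "tags": tags,
            "criticality": criticality, "suppressed": suppressed}


# Constructed sample groups for the example.
GROUPS = [
    EntityGroup("High-risk laptops", inventory_group="HighRiskLaptops",
                criticality="High"),
    EntityGroup("Austin office", prefix="aus-",
                tags=frozenset({"location:austin"})),
    EntityGroup("Lab network", cidr="10.99.0.0/16",
                tags=frozenset({"lab"}), suppressed=True),
]


def demo() -> tuple:
    """A laptop in two groups, then the same laptop after leaving the high-risk group."""
    laptop = Entity("aus-lt-0042",
                    inventory_groups=frozenset({"HighRiskLaptops"}))
    before = evaluate(laptop, GROUPS)
    moved = Entity("aus-lt-0042")  # no longer in HighRiskLaptops in the inventory
    after = evaluate(moved, GROUPS)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

Running the script shows the laptop first carrying both the Austin tag and the High criticality, and then only the tag once the inventory no longer places it in the high-risk group; IP Address entities inside the lab range pick up the suppression flag the same way.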
Signal Index
Starting today, Signals generated by Cloud SIEM will be automatically saved in a new sec_signal index. This special partition is similar to the existing sec_record_* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.
The new index is automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.
As a result, the optional Signal Forwarding feature will be deprecated on September 22, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in Cloud SIEM.
Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before September 22.
Note that because the new index is a special partition, a single query cannot be used to search both the sec_signal index and older forwarded Signal data simultaneously.
More information about using the special security indices is in the documentation at Searching for Cloud SIEM Data in Sumo Logic.
Minor Changes and Enhancements
- [Updated] The page used to configure the detection window and Insight threshold has moved. Where previously it was accessed from a button on the Custom Insights list page, it is now accessed via a new Workflow > Detection option in the Configuration menu. Note that the URL has also changed as a result; please update any bookmarks.
Resolved Issues
- When navigating to a Cloud SIEM page (with `sumologic.com` in the domain name), if the user had to log in/authenticate first, they were not auto-forwarded to the appropriate Cloud SIEM page afterwards (but were instead taken to the Continuous Intelligence Platform home page). This has now been resolved and users are auto-forwarded correctly.
July 21, 2022 - Content Release
Rules
- [Updated] MATCH-S00587 Empire PowerShell Launch Parameters
- [Updated] MATCH-S00161 Malicious PowerShell Get Commands
- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
- [Updated] MATCH-S00191 Suspicious PowerShell Keywords
Log Mappers
- [New] OSSEC Alert
Parsers
- [New] /Parsers/System/OSSEC/OSSEC JSON
- [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
- [Updated] /Parsers/System/Kubernetes/Kubernetes
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
July 14, 2022 - Application Update
Minor Changes and Enhancements
- [Updated] The text size has been adjusted in some areas on the Rules details page to improve readability.
Resolved Issues
- In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.
Announcement Update
- The new Signal Index (recently announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.
July 14, 2022 - Content Release
Log Mappers
- [New] Carbon Black Cloud Alert - Tuned Activity
- [Updated] Cisco ASA 106001 JSON
- [Updated] Cisco ASA 106002 JSON
- [Updated] Cisco ASA 106006 JSON
- [Updated] Cisco ASA 106007 JSON
- [Updated] Cisco ASA 106010 JSON
- [Updated] Cisco ASA 106012 JSON
- [Updated] Cisco ASA 106014 JSON
- [Updated] Cisco ASA 106015 JSON
- [Updated] Cisco ASA 106021 JSON
- [Updated] Cisco ASA 106027 JSON
- [Updated] Cisco ASA 106100 JSON
- [Updated] Cisco ASA 106102-3 JSON
- [Updated] Cisco ASA 109005-8 JSON
- [Updated] Cisco ASA 110002 JSON
- [Updated] Cisco ASA 113004 JSON
- [Updated] Cisco ASA 113005 JSON
- [Updated] Cisco ASA 113012-17 JSON
- [Updated] Cisco ASA 209004 JSON
- [Updated] Cisco ASA 302020-1 JSON
- [Updated] Cisco ASA 303002 JSON
- [Updated] Cisco ASA 304001 JSON
- [Updated] Cisco ASA 304002 JSON
- [Updated] Cisco ASA 305011-12 JSON
- [Updated] Cisco ASA 313001 JSON
- [Updated] Cisco ASA 313004 JSON
- [Updated] Cisco ASA 313005 JSON
- [Updated] Cisco ASA 314003 JSON
- [Updated] Cisco ASA 322001 JSON
- [Updated] Cisco ASA 338001-8+338201-4 JSON
- [Updated] Cisco ASA 4000nn JSON
- [Updated] Cisco ASA 406001 JSON
- [Updated] Cisco ASA 406002 JSON
- [Updated] Cisco ASA 419001 JSON
- [Updated] Cisco ASA 419002 JSON
- [Updated] Cisco ASA 500004 JSON
- [Updated] Cisco ASA 602303-4 JSON
- [Updated] Cisco ASA 605004-5 JSON
- [Updated] Cisco ASA 710002-3 JSON
- [Updated] Cisco ASA 710005 JSON
- [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
Parsers
- [Updated] /Parsers/System/VMware/Carbon Black Cloud
- [Updated] /Parsers/System/Cisco/Cisco ASA
July 8, 2022 - Application Update
Announcement
- The built-in HipChat Action will be deprecated on August 25, 2022.
Minor Changes and Enhancements
- [Updated] An option has been added to the Enrichments tab which allows the user to hide any empty fields in the results.
Resolved Issues
- In some cases, changes to Rule Tuning Expressions were not being written to the Audit Logs properly.
- Mapper field format_parameters was not populating.
- Some of the links on the Related Entities tab of the Insight detail pages were malformed.
July 7, 2022 - Content Release
Rules
- [New] MATCH-S00816 Interactive Logon to Domain Controller
Log Mappers
- [Updated] Palo Alto GlobalProtect - Custom Parser
- [Updated] Palo Alto GlobalProtect Auth - Custom Parser
- [Updated] Windows - System - 7045
- [Updated] Zscaler - Nanolog Streaming Service - JSON
Parsers
- [Updated] /Parsers/System/F5/F5 Syslog
- [Updated] /Parsers/System/Google/GCP
July 5, 2022 - Content Release
Rules
- [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
- [Updated] THRESHOLD-S00096 Brute Force Attempt
- [Updated] MATCH-S00565 Direct Outbound DNS Traffic
- [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
- [Updated] THRESHOLD-S00102 Domain Password Attack
- [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
- [Updated] THRESHOLD-S00095 Password Attack
- [Updated] CHAIN-S00008 Successful Brute Force
- [Updated] MATCH-S00185 Windows - Remote System Discovery
Log Mappers
- [Updated] McAfee Endpoint Security Custom Parser
- [Updated] Microsoft SQL Server Parser - Authentication
Parsers
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- [Updated] /Parsers/System/McAfee/McAfee EPO XML
- [Updated] /Parsers/System/Microsoft/Microsoft SQL Server
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- [Updated] /Parsers/System/Twistlock/Twistlock
June 24, 2022 - Announcement
Beginning July 15, 2022, Signals generated by Cloud SIEM will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing sec_record_* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.
The new index will be automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.
As a result, the optional Signal Forwarding feature in Cloud SIEM will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in Cloud SIEM.
Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.
If you have any questions or concerns, please contact Sumo Logic customer support.
June 24, 2022 - Application Update
Minor Changes and Enhancements
- [New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.
Resolved Issues
- The `/sec/v1/insights/{}/tags` API endpoint was returning a 500/INTERNAL_SERVER_ERROR.
June 21, 2022 - Content Release
Log Mappers
- [Updated] McAfee Avecto Defendpoint
Parsers
- [Updated] /Parsers/System/Cisco/Cisco ASA
- [Updated] /Parsers/System/McAfee/McAfee EPO XML
June 15, 2022 - Content Release
Rules
- [Updated] MATCH-S00400 Web Download via Office Binaries
Log Mappers
- [New] GCP Parser - Load Balancer
Parsers
- [Updated] /Parsers/System/Google/GCP
- [Updated] /Parsers/System/Orca Security/Orca Security
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
June 13, 2022 Application Update
Minor Changes and Enhancements
- [Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). (Old bookmarks will continue to work.)
- [Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
- [Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.
Resolved Issues
- CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
- When filtering lists by date, the "include current" checkbox was not working consistently.
June 9, 2022 - Content Release
Rules
- [New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
- [Updated] MATCH-S00687 Linux Security Tool Usage
- [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context
Log Mappers
- [Updated] Cyber Ark Vault JSON
Parsers
- [New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
- [Updated] /Parsers/System/AWS/AWS ELB
- [Updated] /Parsers/System/AWS/AWS WAF
June 7, 2022 - Content Release
Rules
- [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
- [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
Log Mappers
- [New] Bitdefender - avc
- [New] Bitdefender - fw
- [New] Bitdefender - hd
- [New] Bitdefender - network-monitor
- [New] Bitdefender - new-incident
- [New] Linux OS Syslog - Cron - Generic
- [New] Linux OS Syslog - sshd - session timeout
- [Updated] Bitdefender Catch All
- [Updated] SonicWall Firewall - Custom Parser
Parsers
- [Updated] /Parsers/System/Dell/Dell SonicWall
- [Updated] /Parsers/System/Linux/Linux OS Syslog
June 3, 2022 - Content Release
Rules
- [New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
- [New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
- [New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
- [Updated] THRESHOLD-S00080 Internal Port Scan
- [Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
Log Mappers
- [New] Google G Suite - logout
- [New] McAfee Mvision ENS incidents - Parser
- [New] McAfee Mvision ENS threats - Parser
- [New] Okta Authentication - auth_via_AD_agent
- [New] Okta Authentication - auth_via_mfa
- [New] Okta Authentication - auth_via_radius
- [New] Okta Authentication - sso
- [Updated] Google G Suite - login.login
- [Updated] Okta Authentication Events
- [Updated] Salesforce LoginAs Mapping
Parsers
- [New] /Parsers/System/McAfee/McAfee Mvision ENS
Schema
- [Updated] device_ip_asnNumber
- [Updated] device_ip_asnOrg
- [Updated] device_ip_city
- [Updated] device_ip_countryCode
- [Updated] device_ip_countryName
- [Updated] device_ip_isp
- [Updated] device_ip_latitude
- [Updated] device_ip_longitude
- [Updated] device_ip_region
- [Updated] device_natIp_asnNumber
- [Updated] device_natIp_asnOrg
- [Updated] device_natIp_city
- [Updated] device_natIp_countryCode
- [Updated] device_natIp_countryName
- [Updated] device_natIp_isp
- [Updated] device_natIp_latitude
- [Updated] device_natIp_longitude
- [Updated] device_natIp_region
- [Updated] dns_replyIp_asnNumber
- [Updated] dns_replyIp_asnOrg
- [Updated] dns_replyIp_city
- [Updated] dns_replyIp_countryCode
- [Updated] dns_replyIp_countryName
- [Updated] dns_replyIp_isp
- [Updated] dns_replyIp_latitude
- [Updated] dns_replyIp_longitude
- [Updated] dns_replyIp_region
- [Updated] dstDevice_ip_asnNumber
- [Updated] dstDevice_ip_asnOrg
- [Updated] dstDevice_ip_city
- [Updated] dstDevice_ip_countryCode
- [Updated] dstDevice_ip_countryName
- [Updated] dstDevice_ip_isp
- [Updated] dstDevice_ip_latitude
- [Updated] dstDevice_ip_longitude
- [Updated] dstDevice_ip_region
- [Updated] srcDevice_ip_asnNumber
- [Updated] srcDevice_ip_asnOrg
- [Updated] srcDevice_ip_city
- [Updated] srcDevice_ip_countryCode
- [Updated] srcDevice_ip_countryName
- [Updated] srcDevice_ip_isp
- [Updated] srcDevice_ip_latitude
- [Updated] srcDevice_ip_longitude
- [Updated] srcDevice_ip_region
June 1, 2022 - Announcement
Geographical Data for IP Addresses
- As previously announced, Cloud SIEM has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various `_isp` enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent `_asnOrg` fields (such as `device_ip_asnOrg`). If you have any rules that leverage the `_isp` fields, please switch to the `_asnOrg` fields as soon as possible.
- Because these fields will no longer be populated, they will be removed on June 7, 2022:
  - `device_ip_isp`
  - `device_natIp_isp`
  - `device_replyIp_isp`
  - `dstDevice_ip_isp`
  - `dstDevice_natIp_isp`
  - `srcDevice_ip_isp`
  - `srcDevice_natIp_isp`
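For the migration just described, here is an added Python check (example code, not Sumo Logic's) that scans rule expressions for the deprecated `_isp` fields and produces the `_asnOrg` rewrite. The regular expression generalizes over every `<prefix>_ip_isp`, `<prefix>_natIp_isp` and `<prefix>_replyIp_isp` name rather than listing the fields one by one; the rule records, their ids and expressions are constructed sample data, and `find_isp_references`, `migrate_expression` and `audit_rules` are the example's own helpers. It also reports the string literals each affected expression compares against, because the `_asnOrg` value is an ASN organization name that need not be spelled the way the old ISP value was.

```python
# Added example (not Sumo Logic's code): audit rule expressions for the
# deprecated *_isp enrichment fields and propose the *_asnOrg replacement.
# The rule records are constructed sample data with the id/name/expression
# shape of a rule listing; fetching real ones from the rules API is left out
# so the script runs offline.
import re
from typing import Dict, List

# Matches any enrichment field of the form <prefix>_ip_isp, <prefix>_natIp_isp
# or <prefix>_replyIp_isp, capturing everything before the trailing "_isp".
ISP_FIELD = re.compile(r"\b([A-Za-z]+_(?:natIp|replyIp|ip))_isp\b")


def find_isp_references(expression: str) -> List[str]:
    """Return the deprecated *_isp field names used in a rule expression, in order."""
    return [m.group(0) for m in ISP_FIELD.finditer(expression)]


def migrate_expression(expression: str) -> str:
    """Rewrite *_isp references to the equivalent *_asnOrg field."""
    return ISP_FIELD.sub(r"\g<1>_asnOrg", expression)


def audit_rules(rules: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """List the rules that still reference an *_isp field, with the proposed rewrite.

    The double-quoted literals in each affected expression are reported as
    well: _asnOrg carries the ASN organisation name, which need not match the
    old ISP string, so each literal should be re-checked against live records
    before the rewritten rule is saved.
    """
    findings = []
    for rule in rules:
        fields = find_isp_references(rule["expression"])
        if not fields:
            continue
        literals = re.findall(r'"([^"]*)"', rule["expression"])
        findings.append({
            "id": rule["id"],
            "name": rule["name"],
            "fields": fields,
            "literals_to_verify": literals,
            "expression": migrate_expression(rule["expression"]),
        })
    return findings


# Constructed sample rules (the custom rule ids are made up for the example).
SAMPLE_RULES = [
    {"id": "MATCH-C00001", "name": "Login from unexpected ISP",
     "expression": 'metadata_deviceEventId = "login" AND srcDevice_ip_isp = "ExampleNet"'},
    {"id": "MATCH-C00002", "name": "Already migrated",
     "expression": 'srcDevice_ip_asnOrg = "ExampleNet"'},
    {"id": "MATCH-C00003", "name": "DNS reply from hosting provider",
     "expression": 'dns_replyIp_isp = "HostCo" AND device_natIp_isp != "Corp"'},
]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["id"], finding["fields"], "->", finding["expression"])
```

Running it prints the two affected sample rules with their rewritten expressions; in practice, feed it the expressions from a rule export and re-test each rewritten rule against recent records before saving it.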
May 31, 2022 - Content Release
Rules
- [New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
- [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
- [Updated] MATCH-S00766 Okta MFA Deactivated for User
- [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
- [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
Log Mappers
- [New] Aruba ClearPass User Authentication Failed
- [New] Aruba ClearPass User Authentication Successful
- [New] Cisco Secure Email Parser - Catch All
- [New] Exabeam Parser - Catch All
- [New] Jamf Parser - Catch All
- [New] Juniper SRX Series Firewall - Parser
- [New] McAfee Network Security Parser - Catch All
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
- [New] Orca Security Parser - Catch All
- [New] Squid Proxy - Parser
- [New] Thinkst Canary Parser - Catch All
- [New] Zscaler Workload Segmentation Catch All - Parser
- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
- [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
- [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
- [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
- [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
- [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
- [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
- [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
- [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
- [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
- [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
- [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
- [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
- [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
- [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
- [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
- [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
- [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
- [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
- [Updated] CloudTrail - iam.amazonaws.com - CreateUser
- [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
- [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
- [Updated] CloudTrail - kms.amazonaws.com - DisableKey
- [Updated] CloudTrail - kms.amazonaws.com - RotateKey
- [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
- [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
- [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
- [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
- [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
- [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
- [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
- [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
- [Updated] CloudTrail - signin.amazonaws.com - ExitRole
- [Updated] CloudTrail - signin.amazonaws.com - RenewRole
- [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
- [Updated] CloudTrail - sso.amazonaws.com - Federate
- [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
- [Updated] CloudTrail Default Mapping
- [Updated] Cloudflare - Logpush
- [Updated] Egnyte DLP Parser - Catch All
- [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
- [Updated] Okta Authentication Events
- [Updated] Okta Catch All
- [Updated] Okta Security Threat Events
- [Updated] Windows - Security - 4688
Parsers
- [New] /Parsers/System/Cisco/Cisco Secure Email
- [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
- [New] /Parsers/System/Jamf/Jamf
- [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
- [New] /Parsers/System/McAfee/McAfee Network Security
- [New] /Parsers/System/Orca Security/Orca Security
- [New] /Parsers/System/Squid/Squid Proxy Syslog
- [New] /Parsers/System/Thinkst Canary/Thinkst Canary
- [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
- [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
- [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
- [Updated] /Parsers/System/Egnyte/Egnyte DLP
- [Updated] /Parsers/System/F5/F5 Syslog
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- [Updated] /Parsers/System/Shared/Syslog Headers
- [Updated] /Parsers/System/Twistlock/Twistlock
May 27, 2022 - Application Update
Upcoming Changes
- [Updated] Starting later next week, the `severity` attribute in audit log records for Insights (such as `InsightCreated`) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
- [Deleted] Later next week, the Content > Suppressed Entities page will be removed from the UI to simplify the application. Instead, users can use a filter on the Content > Entities page to retrieve the list of suppressed Entities.
Minor Changes and Enhancements
- [Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
- [New] When creating a copy of a Rule, users are now given the option to apply the Rule Tuning Expression(s) from the original rule to the copy as well.
- [New] In the Cloud SIEM UI, timestamps now explicitly include the time zone.
- [New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
- [New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.
Resolved Issues
- If a user had defined a high number of favorite fields, the system would show only the first 50.
- When specifying tags, the auto-complete feature was not working properly in some instances.
May 26, 2022 - Content Release
Rules
- [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
- [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
- [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
Log Mappers
- [New] Cisco Secure Email Parser - Catch All
- [New] Exabeam Parser - Catch All
- [New] Jamf Parser - Catch All
- [New] Juniper SRX Series Firewall - Parser
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
- [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
- [New] Squid Proxy - Parser
- [New] Thinkst Canary Parser - Catch All
- [New] Zscaler Workload Segmentation Catch All - Parser
- [Updated] Egnyte DLP Parser - Catch All
- [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
Parsers
- [New] /Parsers/System/Cisco/Cisco Secure Email
- [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
- [New] /Parsers/System/Jamf/Jamf
- [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
- [New] /Parsers/System/Squid/Squid Proxy Syslog
- [New] /Parsers/System/Thinkst Canary/Thinkst Canary
- [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
- [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
- [Updated] /Parsers/System/Egnyte/Egnyte DLP
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
May 17, 2022 - Application Update
Minor Changes and Enhancements
- [Updated] The `_sourceName` and `_sourceHost` values in records ingested by Cloud SIEM will now reflect the original values defined when ingested into the Sumo Logic platform.
- [Updated] The "Board" list view for Insights has been updated to include the resolution.
Resolved Issues
- In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
- When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow.
- When creating match list items via Terraform, the process was occasionally timing out.
- Email-based actions were not functioning properly on instances with domains ending in jask.ai.
May 12, 2022 - Content Release
Rules
- [Updated] LEGACY-S00078 SQL Injection Victim
Log Mappers
- [New] Check Point Application Control
- [New] Check Point SmartDefense
- [New] Check Point URL Filtering
- [Updated] Check Point Block
Parsers
- [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
- [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
- [Updated] /Parsers/System/Microsoft/Office 365
May 10, 2022 - Content Release
Rules
- [Deleted] MATCH-S00258 Authentication Brute Force Attempt
- [Updated] MATCH-S00176 RDP Login from Localhost
Log Mappers
- [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
- [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
- [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
- [Deleted] Windows - Security - 1100 - CIP
- [Deleted] Windows - Security - 1102 - CIP
- [Deleted] Windows - Security - 4624 - CIP
- [Deleted] Windows - Security - 4625 - CIP
- [Deleted] Windows - Security - 4634 - CIP
- [Deleted] Windows - Security - 4648 - CIP
- [Deleted] Windows - Security - 4649 - CIP
- [Deleted] Windows - Security - 4656 - CIP
- [Deleted] Windows - Security - 4658 - CIP
- [Deleted] Windows - Security - 4661 - CIP
- [Deleted] Windows - Security - 4662 - CIP
- [Deleted] Windows - Security - 4663 - CIP
- [Deleted] Windows - Security - 4672 - CIP
- [Deleted] Windows - Security - 4674 - CIP
- [Deleted] Windows - Security - 4688 - CIP
- [Deleted] Windows - Security - 4689 - CIP
- [Deleted] Windows - Security - 4697 - CIP
- [Deleted] Windows - Security - 4698 - CIP
- [Deleted] Windows - Security - 4702 - CIP
- [Deleted] Windows - Security - 4704 - CIP
- [Deleted] Windows - Security - 4720 - CIP
- [Deleted] Windows - Security - 4726 - CIP
- [Deleted] Windows - Security - 4728 - CIP
- [Deleted] Windows - Security - 4732 - CIP
- [Deleted] Windows - Security - 4740 - CIP
- [Deleted] Windows - Security - 4742 - CIP
- [Deleted] Windows - Security - 4754 - CIP
- [Deleted] Windows - Security - 4755 - CIP
- [Deleted] Windows - Security - 4756 - CIP
- [Deleted] Windows - Security - 4768 - CIP
- [Deleted] Windows - Security - 4769 - CIP
- [Deleted] Windows - Security - 4770 - CIP
- [Deleted] Windows - Security - 4771 - CIP
- [Deleted] Windows - Security - 4776 - CIP
- [Deleted] Windows - Security - 4778 - CIP
- [Deleted] Windows - Security - 4779 - CIP
- [Deleted] Windows - Security - 4780 - CIP
- [Deleted] Windows - Security - 4793 - CIP
- [Deleted] Windows - Security - 4798 - CIP
- [Deleted] Windows - Security - 4799 - CIP
- [Deleted] Windows - Security - 5038 - CIP
- [Deleted] Windows - Security - 5058 - CIP
- [Deleted] Windows - Security - 5059 - CIP
- [Deleted] Windows - Security - 5061 - CIP
- [Deleted] Windows - Security - 5140 - CIP
- [Deleted] Windows - Security - 5379 - CIP
- [Deleted] Windows - Security - 5805 - CIP
- [Deleted] Windows - Security - 6272 - CIP
- [Deleted] Windows - Security - 6273 - CIP
- [Deleted] Windows - Security - 6275 - CIP
- [Deleted] Windows - Security - 6278 - CIP
- [Deleted] Windows - Security - 6416 - CIP
- [Deleted] Windows - Security - 6423 - CIP
- [Deleted] Windows - Security - 6424 - CIP
- [Deleted] Windows - System - 5138 - CIP
- [Deleted] Windows - System - 6005 - CIP
- [Deleted] Windows - System - 6006 - CIP
- [Deleted] Windows - System - 7045 - CIP
- [New] BlueCat DNS Parser - Catch All
- [Updated] AWS WAF Allow Logs
- [Updated] AWS WAF Block Logs
- [Updated] Firepower Catch All
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Success
Parsers
- [Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
- [New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
- [New] /Parsers/System/Cisco/Cisco Firepower JSON
- [Updated] /Parsers/System/AWS/AWS WAF
- [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
April 29, 2022 - Application Update
Related Entities
[New] The Cloud SIEM team is excited to announce a newly enhanced feature: Related Entities. Although Insights and the Signals they contain are focused on a single Entity (a user, or host for example), there are often a number of additional Entities referenced in the Records/Signals contained in the Insight. In addition, Cloud SIEM can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).
To provide an easy way for analysts to explore all of these Related Entities, a new tab has been added to the Insight Details page:
The Entities tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where Cloud SIEM has determined a relationship between entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’).
Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals.
As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages).
This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information.
More information can be found in the online documentation.
Minor Changes and Enhancements
[Update] For Signals generated by Threshold, Aggregation and Chain Rules, there is a feature called Queried Records that enables users to find additional records that also apply to the Signal beyond those that were needed to meet the conditions for the Rule. The page that lists these Queried Records now explicitly shows the search query and time window that is being checked. If a user clicks on the query, it will open a Log Search window with the query and time window pre-filled for deeper investigation.
April 29, 2022 - Content Release
Rules
- [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
- [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
- [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
- [Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
- [Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
- [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
- [Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
- [Updated] MATCH-S00687 Linux Security Tool Usage
- [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
- [Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
- [Updated] THRESHOLD-S00031 RDP Brute Force Attempt
- [Updated] THRESHOLD-S00034 SSH Authentication Failures
Log Mappers
- [New] BlueCat DHCP Parser - Catch All
- [New] Microsoft Exchange Catch All
- [New] Microsoft Exchange HTTP Error
- [New] Microsoft Exchange IIS
- [New] Varonis DatAlert - Parser
- [Updated] Varonis DatAdvantage - CEF
Parsers
- [New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
- [New] /Parsers/System/Microsoft/Exchange
- [New] /Parsers/System/Varonis/Varonis DatAlert Syslog
- [Updated] /Parsers/System/F5/F5 Syslog
April 26, 2022 - Content Release
Rules
- [New] MATCH-S00808 Azure - Container Instance Creation/Modification
- [New] MATCH-S00809 Azure - Container Start
- [New] MATCH-S00807 Azure - Image Created/Modified
- [New] MATCH-S00810 Azure - Image Deleted
Log Mappers
- [New] Darktrace Parser Events
- [Updated] Zscaler - Nanolog Streaming Service - JSON
Parsers
- [New] /Parsers/System/Darktrace/Darktrace Syslog
- [New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
April 20, 2022 - Content Release
Rules
- [New] MATCH-S00798 Azure - Anonymous Blob Access
- [New] MATCH-S00805 Azure - Bastion Host Created/Modified
- [New] MATCH-S00806 Azure - Bastion Host Deleted
- [New] MATCH-S00795 Azure - Diagnostic Setting Deleted
- [New] MATCH-S00796 Azure - Diagnostic Setting Modified
- [New] MATCH-S00797 Azure - Event Hub Deleted
- [New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
- [New] MATCH-S00788 Azure - Key Deletion
- [New] MATCH-S00789 Azure - Key Purged
- [New] MATCH-S00792 Azure - Key Vault Deleted
- [New] MATCH-S00787 Azure - Protected Item Deletion Attempt
- [New] MATCH-S00794 Azure - Secret Backup
- [New] MATCH-S00791 Azure - Secret Deleted
- [New] MATCH-S00790 Azure - Secret Purged
- [New] MATCH-S00800 Azure - Storage Deletion
- [New] MATCH-S00799 Azure - Storage Modification
- [New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
- [New] MATCH-S00804 Azure - Virtual Machine Deleted
- [New] MATCH-S00801 Azure - Virtual Machine Started
- [New] MATCH-S00802 Azure - Virtual Machine Stopped
- [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
- [Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
- [Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
- [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
- [Updated] MATCH-S00445 Known Ransomware File Extensions
Log Mappers
- [New] Dropbox - Authentication
- [New] Dropbox - Catch All
- [Updated] Azure AuditEvent logs
Parsers
- [Updated] /Parsers/System/AWS/GuardDuty
April 19, 2022 - Announcement
We will be consolidating Authentication Brute Force Attempt MATCH-S00258 on Tuesday May 10 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.
April 18, 2022 - Application Update
Minor Changes and Enhancements
- [New] API endpoints are now available to add or remove a given Signal to/from a given Insight: PUT "/insights/<insightId>/signals" and DELETE "/insights/<insightId>/signals" respectively. (For both endpoints, the request body is a list containing the signal ID(s) to add to or remove from the Insight; the response is the updated Insight.)
- [Update] The way Cloud SIEM displays group membership in Active Directory inventory objects is changing. Previously, it was displayed in LDAP form (i.e., cn=groupname,dc=something,dc=domain,dc=com); now it will just show the group name.
Resolved Issues
- Signal and Insight timestamps in the Cloud SIEM UI were not always displayed in the user’s preferred time zone.
April 15, 2022 - Announcements
- Because it can now be connected via more standardized TAXII feeds, the integration between Cloud SIEM and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali’s documentation for Setting up a TAXII feed for ThreatStream then Sumo Logic’s documentation for Integrating Cloud SIEM with a TAXII Feed.
- The Entity API has been updated to include a new field, IsSuppressed. This field replaces IsWhitelisted, which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted, please ensure you have switched to the new field.
April 14, 2022 - Content Release
Rules
- [New] MATCH-S00785 Azure - Blob Container Deletion
- [New] MATCH-S00786 Azure - SQL Database Export
- [Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
- [Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
- [Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
- [Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
- [Updated] LEGACY-S00066 PowerShell Remote Administration
- [Updated] LEGACY-S00105 Suspicious DC Logon
- [Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)
Log Mappers
- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
- [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
- [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
- [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
- [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
- [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
- [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
- [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
- [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
- [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
- [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
- [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
- [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
- [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
- [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
- [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
- [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
- [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
- [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
- [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
- [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
- [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
- [Updated] CloudTrail - iam.amazonaws.com - CreateUser
- [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
- [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
- [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
- [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
- [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
- [Updated] CloudTrail - kms.amazonaws.com - DisableKey
- [Updated] CloudTrail - kms.amazonaws.com - RotateKey
- [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
- [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
- [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
- [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
- [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
- [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
- [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
- [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
- [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
- [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
- [Updated] CloudTrail - signin.amazonaws.com - ExitRole
- [Updated] CloudTrail - signin.amazonaws.com - RenewRole
- [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
- [Updated] CloudTrail - sso.amazonaws.com - Federate
- [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
- [Updated] CloudTrail Default Mapping
- [Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
- [Updated] Microsoft Graph AD Reporting API C2C - Provisioning
- [Updated] Microsoft Graph AD Reporting API C2C - Signin
- [Updated] Trend Micro CEF logs
Parsers
- [New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF
April 12, 2022 - Content Release
Rules
- [New] MATCH-S00784 Linux Host Entered Promiscuous Mode
Log Mappers
- [Deleted] AWS VPC Flow Logs - Custom Format 1
- [Deleted] Adaxes Execute Event
- [Deleted] Adaxes Modify Event
- [Deleted] Adaxes Run PowerShell Event
- [Deleted] Aruba Error Logs
- [Deleted] Aruba ICMP Logs
- [Deleted] Aruba LDAP Server Logs
- [Deleted] Aruba PoniUnwired HTTPD CGID Samples
- [Deleted] Aruba PoniUnwired HTTPD Core Error Samples
- [Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
- [Deleted] Aruba PoniUnwired HTTPD ssl error Samples
- [Deleted] Aruba PoniUnwired Warn Samples
- [Deleted] BIND DNS Query
- [Deleted] BIND DNS Update Zone
- [Deleted] BIND DNS Update Zone Failed
- [Deleted] BIOC Credential Access logs
- [Deleted] BIOC Dropper logs
- [Deleted] BIOC Evasion Variation 2 logs
- [Deleted] BIOC Evasion logs
- [Deleted] BIOC Infiltration logs
- [Deleted] BIOC Persistence and Execution logs
- [Deleted] BIOC Privilege logs
- [Deleted] BIOC Reconnaissance logs
- [Deleted] BIOC Reconnaissance logs Variation 2
- [Deleted] BIOC Tampering logs
- [Deleted] BIOC create and write logs
- [Deleted] Bandura Domain Logs
- [Deleted] Bandura Packet Logs
- [Deleted] Barracuda Proxy
- [Deleted] Bind DHCP Full
- [Deleted] Bind DHCP On
- [Deleted] Bind DHCP Short
- [Deleted] Bind DNS log 1
- [Deleted] Bind DNS log 10
- [Deleted] Bind DNS log 2
- [Deleted] Bind DNS log 3
- [Deleted] Bind DNS log 4
- [Deleted] Bind DNS log 5
- [Deleted] Bind DNS log 6
- [Deleted] Bind DNS log 7
- [Deleted] Bind DNS log 8
- [Deleted] Bind DNS log 9
- [Deleted] Bind9 DNS
- [Deleted] Blue Coat Proxy 2
- [Deleted] Blue Coat Proxy 4
- [Deleted] Blue Coat Proxy 5
- [Deleted] Blue Coat Proxy 6
- [Deleted] Blue Coat Proxy 7
- [Deleted] Blue Coat Proxy Logs
- [Deleted] BlueCat DHCP Bootrequest
- [Deleted] BlueCat DHCP Decline
- [Deleted] BlueCat DHCP INFORM Logs
- [Deleted] BlueCat DHCP Offer Logs
- [Deleted] BlueCat DHCP Reuse Lease
- [Deleted] BlueCat DHCP failover
- [Deleted] BlueCat DNS
- [Deleted] BlueCat DNS with Key
- [Deleted] CB Protection
- [Deleted] CB Protection Username
- [Deleted] CB Response Server 1
- [Deleted] CB Response Server 10
- [Deleted] CB Response Server 11
- [Deleted] CB Response Server 13
- [Deleted] CB Response Server 14
- [Deleted] CB Response Server 15
- [Deleted] CB Response Server 17
- [Deleted] CB Response Server 2
- [Deleted] CB Response Server 20
- [Deleted] CB Response Server 3
- [Deleted] CB Response Server 4
- [Deleted] CB Response Server 5
- [Deleted] CB Response Server 6
- [Deleted] CB Response Server 7
- [Deleted] CB Response Server 9
- [Deleted] CB Response Severity 1
- [Deleted] CB Response Severity 2
- [Deleted] CB Response Severity 3
- [Deleted] CICSCOFW434002
- [Deleted] Check Point ACCEPT Grok
- [Deleted] Check Point DROP
- [Deleted] Check Point VPN
- [Deleted] Check Point encrypt/decrypt
- [Deleted] Check Point key install
- [Deleted] Cisco ACS FAILED-ATTEMPT
- [Deleted] Cisco ACS FAILED-AUTHENTICATION
- [Deleted] Cisco ACS Passed-Authentication
- [Deleted] Cisco ACS Tacacs-Accounting
- [Deleted] Cisco ASA 106002
- [Deleted] Cisco ASA 106012
- [Deleted] Cisco ASA 106013
- [Deleted] Cisco ASA 106018
- [Deleted] Cisco ASA 106022
- [Deleted] Cisco ASA 113039
- [Deleted] Cisco ASA 716037
- [Deleted] Cisco ASA 716038
- [Deleted] Cisco ASA 716039
- [Deleted] Cisco ASA 722056
- [Deleted] Cisco ASA 725012
- [Deleted] Cisco ASA 725017
- [Deleted] Cisco ASA 734003
- [Deleted] Cisco ASA 746012
- [Deleted] Cisco AnyConnect NAT RULES Logs
- [Deleted] Cisco Authentication Message 01
- [Deleted] Cisco Authentication Message 02
- [Deleted] Cisco Authentication Message 03
- [Deleted] Cisco Authentication Message 04
- [Deleted] Cisco Authentication Message 05
- [Deleted] Cisco Authentication Message 06
- [Deleted] Cisco Authentication Message 07
- [Deleted] Cisco Authentication Message 08
- [Deleted] Cisco Authentication Message 09
- [Deleted] Cisco Authentication Message 10
- [Deleted] Cisco Authentication Message 11
- [Deleted] Cisco Authentication Message 12
- [Deleted] Cisco Authentication Message 13
- [Deleted] Cisco Authentication Message 14
- [Deleted] Cisco Authentication Message 15
- [Deleted] Cisco IOS Message
- [Deleted] Cisco IOS Queue Full
- [Deleted] Cisco Ironport WSA
- [Deleted] Cisco Ironport WSA NOHD
- [Deleted] Cisco Ironport WSA NOHD 01
- [Deleted] Cisco Ironport WSA NOHD 03
- [Deleted] Cisco Meraki IDS-Alerts
- [Deleted] Cisco Meraki Security Event
- [Deleted] Cisco Meraki Security Filtering Disposition Change
- [Deleted] Cisco Umbrella IP Logs Custom
- [Deleted] Citrix NetScaler AAA Message
- [Deleted] Citrix NetScaler API CMD EXECUTED
- [Deleted] Citrix NetScaler Delinked Message
- [Deleted] Citrix NetScaler Delinked Message 01
- [Deleted] Citrix NetScaler TCP Connection Terminated
- [Deleted] DNS_Additions
- [Deleted] EPO_THREATS_AV
- [Deleted] EXABEAM
- [Deleted] F5 HTTPd Audit
- [Deleted] F5 SSHD Samples
- [Deleted] F5 SSL Request
- [Deleted] Firepower Access Control
- [Deleted] Firepower Access Control 2
- [Deleted] Firepower Access Control 3
- [Deleted] Firepower Access Control 4
- [Deleted] Firepower Access Control 5
- [Deleted] Firepower Alerts
- [Deleted] Forcepoint NEW
- [Deleted] Huawei SNMP LOGS
- [Deleted] IBM WebSpheredatadevice error 1
- [Deleted] IBM WebSpheredatadevice error 2
- [Deleted] IBM WebSpheredatadevice error 3
- [Deleted] IBM WebSpheredatadevice error 4
- [Deleted] IBM WebSpheredatadevice error 5
- [Deleted] INFOBLOX_DNS_QUERIES LOGS
- [Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
- [Deleted] Infoblox DHCP Updater 1
- [Deleted] Infoblox DHCP Updater 2
- [Deleted] Infoblox DHCP Updater 3
- [Deleted] Infoblox DHCP Updater 4
- [Deleted] Infoblox DHCP Updater 5
- [Deleted] Infoblox DHCPACK RENEW Samples
- [Deleted] Infoblox DHCPACK v2 Samples
- [Deleted] Infoblox DHCPDISCOVER Samples
- [Deleted] Infoblox DHCPDISCOVER Samples 2
- [Deleted] Infoblox DHCPDISCOVER Unknown network Sample
- [Deleted] Infoblox DHCPEXPIRE Samples
- [Deleted] Infoblox DHCPNAK Samples
- [Deleted] Infoblox DHCPOFFER UID Samples
- [Deleted] Infoblox DHCPRELEASE Samples
- [Deleted] Infoblox DNS Request AXRF Ended
- [Deleted] Infoblox DNS Request AXRF Started
- [Deleted] Infoblox DNS Response
- [Deleted] Infoblox DNS Zone Update 1
- [Deleted] Infoblox DNS Zone Update 2
- [Deleted] Infoblox DNS Zone Update 3
- [Deleted] Infoblox DNS Zone Update 4
- [Deleted] Infoblox DNS Zone Update 5
- [Deleted] Infoblox DNS Zone Update 6
- [Deleted] Infoblox Domain Notified
- [Deleted] Invalid Login
- [Deleted] IronPort Quarantined MID
- [Deleted] IronPort Quarantined TO
- [Deleted] Ironport DCID Message
- [Deleted] Ironport DKIM
- [Deleted] Ironport ICID Message
- [Deleted] Ironport Info IC
- [Deleted] Ironport Info IC and Msg
- [Deleted] Ironport Info ISQ or RPC
- [Deleted] Ironport Info Message
- [Deleted] Ironport Info Mid Info
- [Deleted] Ironport WSA SFIMS Protocol 1
- [Deleted] Ironport WSA SFIMS Protocol 2
- [Deleted] Ironport WSA SFIMS Protocol 3
- [Deleted] Ironport WSA SFIMS Protocol 4
- [Deleted] Ironport Warn Message
- [Deleted] Ironport Warning Connection Error
- [Deleted] Ironport Warning Full
- [Deleted] Ironport Warning Invalid DNS FULL
- [Deleted] Ironport Warning LIMIT
- [Deleted] Juniper Flow Reassemble Logs
- [Deleted] Juniper Session Error Logs
- [Deleted] LINUX User Auth with Hostname
- [Deleted] Linux Laravel Activity Logs
- [Deleted] Linux Laravel Activity Logs 01
- [Deleted] Linux Laravel Login Logs
- [Deleted] LinuxServer Audit Logs 01
- [Deleted] LinuxServer Audit Logs 02
- [Deleted] LinuxServer Log 1
- [Deleted] LinuxServer Log 11
- [Deleted] LinuxServer Log 2
- [Deleted] LinuxServer Log 3
- [Deleted] LinuxServer Log 4
- [Deleted] LinuxServer Log 5
- [Deleted] LinuxServer Log 6
- [Deleted] LinuxServer Log 7
- [Deleted] Mcafee MVISION CASB Log
- [Deleted] NSM_THREAT_IPS
- [Deleted] Network Management Logs
- [Deleted] Oauth Logs
- [Deleted] Ossec Group Addition Logs
- [Deleted] Ossec Insecure Connection Logs
- [Deleted] Ossec Integrity checksum Logs
- [Deleted] Ossec Root Login Refused Logs
- [Deleted] Ossec ssh server Logs
- [Deleted] Palo Alto Traps Analytics
- [Deleted] Palo Alto Traps Analytics - Cloud
- [Deleted] Palo Alto Traps Config - Cloud
- [Deleted] Palo Alto Traps Event
- [Deleted] Palo Alto Traps Events Updated
- [Deleted] Palo Alto Traps Misc - Cloud
- [Deleted] Palo Alto Traps System - Cloud
- [Deleted] Pulse Secure Endpoint
- [Deleted] Pulse Secure Logs
- [Deleted] Renew Logs
- [Deleted] Shibboleth DUO
- [Deleted] Shibboleth HTTP Redirect EDU
- [Deleted] Shibboleth HTTP Redirect Email
- [Deleted] Shibboleth LDAP
- [Deleted] Shibboleth LDAP Email
- [Deleted] Snare AgentHeartBeat Logs
- [Deleted] Snare Windows DHCP Logs
- [Deleted] SonicWall Bad FTP Protocol
- [Deleted] SonicWall Block Dropped Events
- [Deleted] SonicWall Flood Attack
- [Deleted] SonicWall IPS
- [Deleted] SonicWall Port Scan
- [Deleted] SonicWall URL Filter
- [Deleted] Successful Login
- [Deleted] Successful Logins
- [Deleted] Successful SSH Login
- [Deleted] Suricata HTTP Logs
- [Deleted] Suricata LogStash
- [Deleted] Suricata Logstash Custom
- [Deleted] Suricata Threat Logs
- [Deleted] Symantec SEP AntiVirus
- [Deleted] Symantec SEP Potential Risk Found 01
- [Deleted] Symantec SEP Potential Risk Found 2
- [Deleted] Symantec SEP Potential Risk Found 3
- [Deleted] Symantec SEP SONAR
- [Deleted] Symantec SEP Security Risk Found
- [Deleted] Symantec SEP Sonar Detection
- [Deleted] Symantec SEP USB Drive
- [Deleted] Tanium S24 Logs
- [Deleted] VLT Vault Extra
- [Deleted] VMware Logs 1
- [Deleted] VMware Logs 2
- [Deleted] VMware Logs 3
- [Deleted] VMware Logs 4
- [Deleted] VMware Logs 5
- [Deleted] VMware Logs 6
- [Deleted] VMware Logs 7
- [Deleted] VMware Logs 8
- [Deleted] VPN Messages
- [Deleted] VPN Messages 2
- [Deleted] VPN Messages 3
- [Deleted] VPN Messages 4
- [Deleted] VPN Messages 5
- [Deleted] WatchGuard flow log
- [Deleted] WatchGuard flow log 2
- [Deleted] Windows DHCP
- [Deleted] Windows Defender Unstructured
- [Deleted] Windows QUICK FIX
- [Deleted] Zscaler Firewall Grok
- [Deleted] cisco17
- [Deleted] cisco20
- [Deleted] ePO Threat Event
- [New] AWS EKS - Custom Parser
- [New] Azure Storage Analytics
- [New] Citrix NetScaler - SSL Handshake Success
- [Updated] Azure Administrative logs
- [Updated] Azure Write and Delete Logs
- [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
- [Updated] Citrix NetScaler - Command Executed
- [Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
- [Updated] Citrix NetScaler - SSLVPN-ICA Events
- [Updated] Citrix NetScaler - SSLVPN-LOGIN
- [Updated] Citrix NetScaler - SSLVPN-LOGOUT
- [Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT
Parsers
- [New] /Parsers/System/AWS/AWS EKS
- [New] /Parsers/System/Microsoft/Azure Storage Analytics
- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
Legacy Parsers
- [Deleted] 4624
- [Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
- [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
- [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
- [Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
- [Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
- [Deleted] ASA_106002
- [Deleted] ASA_106013
- [Deleted] ASA_106018
- [Deleted] ASA_106022
- [Deleted] ASA_113039
- [Deleted] ASA_5_746012
- [Deleted] ASA_6_106012
- [Deleted] ASA_716037
- [Deleted] ASA_716038
- [Deleted] ASA_716039
- [Deleted] ASA_722056
- [Deleted] ASA_7_725012
- [Deleted] ASA_7_725017
- [Deleted] ASA_7_734003
- [Deleted] AWS_VPC_FLOW_CUSTOM_1
- [Deleted] Adaxes_Execute_Event
- [Deleted] Adaxes_Modify_Event
- [Deleted] Adaxes_Run_PowerShell_Event
- [Deleted] Aruba_Error_Logs
- [Deleted] Aruba_ICMP_Logs
- [Deleted] Aruba_LDAP_Server_Logs
- [Deleted] BANDURA_DOMAIN_LOGS
- [Deleted] BANDURA_PACKET_LOGS
- [Deleted] BARRACUDA_PROXY
- [Deleted] BIND9
- [Deleted] BIND_DHCP_FOR_FULL
- [Deleted] BIND_DHCP_FOR_SHORT
- [Deleted] BIND_DHCP_ON
- [Deleted] BIND_Query
- [Deleted] BIND_Update_Zone
- [Deleted] BIND_Update_Zone_Failure
- [Deleted] BIOC_CREATE_AND_WRITE
- [Deleted] BIOC_CREDENTIAL_ACCESS
- [Deleted] BIOC_DROPPER
- [Deleted] BIOC_EVASION
- [Deleted] BIOC_EVASION_VARIATION_2
- [Deleted] BIOC_INFILTRATION
- [Deleted] BIOC_PERSISTENCE_EXECUTION
- [Deleted] BIOC_PRIVILEGE
- [Deleted] BIOC_RECONNAISSANCE
- [Deleted] BIOC_RECONNAISSANCE_VARIATION_2
- [Deleted] BIOC_TAMPERING
- [Deleted] BLUECAT_DHCP_BOOTREQUEST
- [Deleted] BLUECAT_DHCP_DECLINE
- [Deleted] BLUECAT_DHCP_INFORM
- [Deleted] BLUECAT_DHCP_OFFER
- [Deleted] BLUECAT_DHCP_failover
- [Deleted] BLUECAT_DHCP_reuse_lease
- [Deleted] BLUECAT_DNS_NO_KEY
- [Deleted] BLUECAT_DNS_WITH_KEY
- [Deleted] BLUECOAT_PROXY
- [Deleted] BLUECOAT_PROXY_2
- [Deleted] BLUECOAT_PROXY_4
- [Deleted] BLUECOAT_PROXY_5
- [Deleted] BLUECOAT_PROXY_6
- [Deleted] BLUECOAT_PROXY_7
- [Deleted] Bind_DNS_log_1
- [Deleted] Bind_DNS_log_10
- [Deleted] Bind_DNS_log_2
- [Deleted] Bind_DNS_log_3
- [Deleted] Bind_DNS_log_4
- [Deleted] Bind_DNS_log_5
- [Deleted] Bind_DNS_log_6
- [Deleted] Bind_DNS_log_7
- [Deleted] Bind_DNS_log_8
- [Deleted] Bind_DNS_log_9
- [Deleted] CB_PROTECT
- [Deleted] CB_PROTECT_USERNAME
- [Deleted] CB_RESPONSE_SERVER_1
- [Deleted] CB_RESPONSE_SERVER_10
- [Deleted] CB_RESPONSE_SERVER_11
- [Deleted] CB_RESPONSE_SERVER_13
- [Deleted] CB_RESPONSE_SERVER_14
- [Deleted] CB_RESPONSE_SERVER_15
- [Deleted] CB_RESPONSE_SERVER_17
- [Deleted] CB_RESPONSE_SERVER_2
- [Deleted] CB_RESPONSE_SERVER_20
- [Deleted] CB_RESPONSE_SERVER_3
- [Deleted] CB_RESPONSE_SERVER_4
- [Deleted] CB_RESPONSE_SERVER_5
- [Deleted] CB_RESPONSE_SERVER_6
- [Deleted] CB_RESPONSE_SERVER_7
- [Deleted] CB_RESPONSE_SERVER_9
- [Deleted] CB_RESPONSE_SEVERITY_1
- [Deleted] CB_RESPONSE_SEVERITY_2
- [Deleted] CB_RESPONSE_SEVERITY_3
- [Deleted] CHECKPOINT_ACCEPT
- [Deleted] CHECKPOINT_CRYPT
- [Deleted] CHECKPOINT_DROP
- [Deleted] CHECKPOINT_KEY_INSTALL
- [Deleted] CHECKPOINT_VPN_ROUTE
- [Deleted] CICSCOFW434002
- [Deleted] CISCOFW321001
- [Deleted] CISCOFW419001
- [Deleted] CISCO_ACS_FAILED_ATTEMPT
- [Deleted] CISCO_ACS_FAILED_AUTHENTICATION
- [Deleted] CISCO_ACS_PASSED_AUTHENTICATION
- [Deleted] CISCO_ACS_TACACS_ACCOUNTING
- [Deleted] CISCO_MERAKI_IDS_ALERTS
- [Deleted] CISCO_MERAKI_SECURITY_EVENT
- [Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
- [Deleted] CRM_VODLOG
- [Deleted] Cisco_Umbrella_IP_Logs
- [Deleted] Dns_Update
- [Deleted] EPO_THREATS_AV
- [Deleted] EPO_THREAT_EVENT
- [Deleted] EXABEAM
- [Deleted] F5_HTTPD_AUDIT
- [Deleted] F5_SSHD_SAMPLES
- [Deleted] F5_SSL_REQUEST
- [Deleted] FLOW_REASSEMBLE
- [Deleted] FORCEPOINT_NEW_AND_IMPROVED
- [Deleted] Failed_Logon
- [Deleted] Firepower_ALERT_IDS
- [Deleted] Firepower_Access_Control
- [Deleted] Firepower_Access_Control_2
- [Deleted] Firepower_Access_Control_3
- [Deleted] Firepower_Access_Control_4
- [Deleted] Firepower_Access_Control_5
- [Deleted] IBM_WebSpheredatadevice_error_1
- [Deleted] IBM_WebSpheredatadevice_error_2
- [Deleted] IBM_WebSpheredatadevice_error_3
- [Deleted] IBM_WebSpheredatadevice_error_4
- [Deleted] IBM_WebSpheredatadevice_error_5
- [Deleted] INFLOBLOX_DNS_MESSAGE
- [Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
- [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
- [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
- [Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
- [Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
- [Deleted] INFOBLOX_DHCPNAK_SAMPLES
- [Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
- [Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
- [Deleted] INFOBLOX_DHCP_UPDATER_1
- [Deleted] INFOBLOX_DHCP_UPDATER_2
- [Deleted] INFOBLOX_DHCP_UPDATER_3
- [Deleted] INFOBLOX_DHCP_UPDATER_4
- [Deleted] INFOBLOX_DHCP_UPDATER_5
- [Deleted] INFOBLOX_DHCP_V2_SAMPLES
- [Deleted] INFOBLOX_DNS_QUERIES
- [Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
- [Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
- [Deleted] INFOBLOX_DNS_RESPONSE
- [Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
- [Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
- [Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
- [Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
- [Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
- [Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
- [Deleted] INFOBLOX_DOMAIN_NOTIFIED
- [Deleted] IRONPORT_QUARANTINE_MID
- [Deleted] IRONPORT_QUARANTINE_TO
- [Deleted] IRON_PORT_CONNECTION
- [Deleted] IRON_PORT_DCID_MSG
- [Deleted] IRON_PORT_DKIM
- [Deleted] IRON_PORT_ICID_MSG
- [Deleted] IRON_PORT_INFO_ICID
- [Deleted] IRON_PORT_INFO_MID
- [Deleted] IRON_PORT_INFO_MID_ICID
- [Deleted] IRON_PORT_INFO_MSG
- [Deleted] IRON_PORT_ISQ_RPC
- [Deleted] IRON_PORT_WARN_FULL
- [Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
- [Deleted] IRON_PORT_WARN_LIMIT
- [Deleted] IRON_PORT_WARN_MSG
- [Deleted] IRON_PORT_WSA
- [Deleted] IRON_PORT_WSA_NOHD
- [Deleted] IRON_PORT_WSA_NOHD_01
- [Deleted] IRON_PORT_WSA_NOHD_03
- [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
- [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
- [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
- [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
- [Deleted] Internal_Auth_Logs
- [Deleted] LINUXSERVER_AUDIT_LOGS_1
- [Deleted] LINUXSERVER_AUDIT_LOGS_2
- [Deleted] LINUXSERVER_LOG_1
- [Deleted] LINUXSERVER_LOG_11
- [Deleted] LINUXSERVER_LOG_2
- [Deleted] LINUXSERVER_LOG_3
- [Deleted] LINUXSERVER_LOG_4
- [Deleted] LINUXSERVER_LOG_5
- [Deleted] LINUXSERVER_LOG_6
- [Deleted] LINUXSERVER_LOG_7
- [Deleted] LINUX_USER_AND_HOSTNAME
- [Deleted] Linux_Laravel_Logs1
- [Deleted] Linux_Laravel_Logs2
- [Deleted] Linux_Laravel_Logs3
- [Deleted] MVISION_CASB
- [Deleted] NAT_RULES_MATCH
- [Deleted] NMS_LOGS
- [Deleted] NSM_THREAT_IPS
- [Deleted] OAUTH_LOG
- [Deleted] Ossec_Logs_01
- [Deleted] Ossec_Logs_02
- [Deleted] Ossec_Logs_03
- [Deleted] Ossec_Logs_04
- [Deleted] Ossec_Logs_06
- [Deleted] PALO_ALTO_TRAPS
- [Deleted] PALO_TRAPS_EXTRA
- [Deleted] PAN_TRAPS_ANALYTICS
- [Deleted] PAN_TRAPS_ANALYTICS_CLOUD
- [Deleted] PAN_TRAPS_CONFIG_CLOUD
- [Deleted] PAN_TRAPS_MISC_CLOUD
- [Deleted] PAN_TRAPS_SYSTEM_CLOUD
- [Deleted] PULSESECURE_LOGS
- [Deleted] PULSESECURE_LOGS2
- [Deleted] Renew_Logs
- [Deleted] SESSION_ERROR
- [Deleted] SHIBBOLETH_DUO
- [Deleted] SHIBBOLETH_HTTP_EDU
- [Deleted] SHIBBOLETH_HTTP_MAIL
- [Deleted] SHIBBOLETH_LDAP
- [Deleted] SHIBBOLETH_LDAP_EMAIL
- [Deleted] SNARE_AGENTHEARTBEAT_LOGS
- [Deleted] SNARE_WINDOWS_DHCP_LOGS
- [Deleted] SNMP_LOGS
- [Deleted] SURICATA_HTTP_LOGS
- [Deleted] SURICATA_LOGSTASH
- [Deleted] SURICATA_LOGSTASH_CUSTOM
- [Deleted] SURICATA_THREAT_LOGS
- [Deleted] SYMANTEC_SEP_Anti_Virus
- [Deleted] SYMANTEC_SEP_PRF_01
- [Deleted] SYMANTEC_SEP_PRF_02
- [Deleted] SYMANTEC_SEP_PRF_03
- [Deleted] SYMANTEC_SEP_SDN
- [Deleted] SYMANTEC_SEP_SONAR
- [Deleted] SYMANTEC_SEP_SRF
- [Deleted] SYMANTEC_SEP_USB_1
- [Deleted] SonicWall_Bad_FTP_Protocol
- [Deleted] SonicWall_Block_Dropped_Events
- [Deleted] SonicWall_Flood_Attack
- [Deleted] SonicWall_IPS
- [Deleted] SonicWall_Port_Scan
- [Deleted] SonicWall_URL_Filter
- [Deleted] Successful_Logon
- [Deleted] TANIUM_S24_TYPE_LOGS
- [Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
- [Deleted] VDM_LOG_EXTRA
- [Deleted] VDM_MESSAGES_CONNECT
- [Deleted] VDM_MESSAGES_DIRECTORY
- [Deleted] VDM_MESSAGES_FROM
- [Deleted] VDM_MESSAGES_FTP
- [Deleted] VDM_MESSAGES_WARN
- [Deleted] VLT_VAULT_EXTRA
- [Deleted] VPN_Message_2
- [Deleted] VPN_Message_3
- [Deleted] VPN_Message_4
- [Deleted] VPN_Message_5
- [Deleted] VPN_Messages
- [Deleted] Vmware_Logs_1
- [Deleted] Vmware_Logs_2
- [Deleted] Vmware_Logs_3
- [Deleted] Vmware_Logs_4
- [Deleted] Vmware_Logs_5
- [Deleted] Vmware_Logs_6
- [Deleted] Vmware_Logs_7
- [Deleted] Vmware_Logs_8
- [Deleted] WATCHGUARD_FLOW_LOG
- [Deleted] WATCHGUARD_FLOW_LOG_2
- [Deleted] WINDOWS_DHCP_LOG
- [Deleted] WINDOWS_QUICK_FIX
- [Deleted] Zscaler_Firewall
- [Deleted] cisco_authentication_01
- [Deleted] cisco_authentication_02
- [Deleted] cisco_authentication_03
- [Deleted] cisco_authentication_04
- [Deleted] cisco_authentication_05
- [Deleted] cisco_authentication_06
- [Deleted] cisco_authentication_07
- [Deleted] cisco_authentication_08
- [Deleted] cisco_authentication_09
- [Deleted] cisco_authentication_10
- [Deleted] cisco_authentication_11
- [Deleted] cisco_authentication_12
- [Deleted] cisco_authentication_13
- [Deleted] cisco_authentication_14
- [Deleted] cisco_authentication_15
- [Deleted] cisco_ios_system_log_message
- [Deleted] cisco_ios_system_log_message_queue_full
- [Deleted] citrix_netscaler_AAA_Messsage
- [Deleted] citrix_netscaler_API_CMD_EXECUTED
- [Deleted] citrix_netscaler_TCP_connection_terminated
- [Deleted] citrix_netscaler_delinked_message
- [Deleted] citrix_netscaler_delinked_message_01
- [Deleted] windows_defender
Schema
- [New] _cipSourceHost
- [New] _cipSourceName
April 7, 2022 - Announcement
On April 21, 2022, we will be removing the following legacy log mappers related to the CIP Windows collector from the Cloud SIEM platform. These log mappers are in use by only a small portion of our customer base, and we are working with our technical account teams to reach out directly to those impacted and migrate them to our newer Sumo parsers.
No loss of out-of-the-box functionality will occur and no out-of-the-box rules are impacted as the Sumo parsers map all of the same information. Please be sure to check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.
- Windows - Security - 1100 - CIP
- Windows - Security - 1102 - CIP
- Windows - Security - 4625 - CIP
- Windows - Security - 4624 - CIP
- Windows - Security - 4634 - CIP
- Windows - Security - 4648 - CIP
- Windows - Security - 4649 - CIP
- Windows - Security - 4672 - CIP
- Windows - Security - 4688 - CIP
- Windows - Security - 4697 - CIP
- Windows - Security - 4698 - CIP
- Windows - Security - 4702 - CIP
- Windows - Security - 4720 - CIP
- Windows - Security - 4726 - CIP
- Windows - Security - 4740 - CIP
- Windows - Security - 4742 - CIP
- Windows - Security - 5805 - CIP
- Windows - Security - 4768 - CIP
- Windows - Security - 4769 - CIP
- Windows - Security - 4770 - CIP
- Windows - Security - 4771 - CIP
- Windows - Security - 4776 - CIP
- Windows - Security - 4778 - CIP
- Windows - Security - 4779 - CIP
- Windows - Security - 5140 - CIP
- Windows - Security - 4728 - CIP
- Windows - Security - 4732 - CIP
- Windows - Security - 4756 - CIP
- Windows - Security - 4661 - CIP
- Windows - Security - 4704 - CIP
- Windows - Security - 4754 - CIP
- Windows - Security - 4780 - CIP
- Windows - Security - 4793 - CIP
- Windows - Security - 5038 - CIP
- Windows - Security - 6272 - CIP
- Windows - Security - 6273 - CIP
- Windows - Security - 6275 - CIP
- Windows - Security - 6278 - CIP
- Windows - Security - 4662 - CIP
- Windows - Security - 4755 - CIP
- Windows - Security - 4689 - CIP
- Windows - Security - 4798 - CIP
- Windows - Security - 6416 - CIP
- Windows - Security - 6423 - CIP
- Windows - Security - 6424 - CIP
- Windows - Security - 4656 - CIP
- Windows - Security - 4663 - CIP
- Windows - Security - 4658 - CIP
- Windows - Security - 4674 - CIP
- Windows - Security - 4799 - CIP
- Windows - Security - 5058 - CIP
- Windows - Security - 5059 - CIP
- Windows - Security - 5061 - CIP
- Windows - Security - 5379 - CIP
- Windows - System - 5138 - CIP
- Windows - System - 6005 - CIP
- Windows - System - 6006 - CIP
- Windows - System - 7045 - CIP
- Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
- Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
- Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
April 7, 2022 - Content Release
Rules
- [Updated] MATCH-S00599 Alibaba ActionTrail Root Login
- [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
- [Updated] MATCH-S00570 WMIPRVSE Spawning Process
- [Updated] MATCH-S00168 Windows - Local System executing whoami.exe
Log Mappers
- [New] Cisco ASA 313004 JSON
- [New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
- [Updated] AzureActivityLog 01
- [Updated] AzureActivityLog AuditLogs
Parsers
- [Updated] /Parsers/System/Cisco/Cisco ASA
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/SentinelOne/SentinelOne Syslog
April 6, 2022 - Announcement
Upcoming Removal of Unused Content
On Tuesday, April 12th, unused legacy grok parsers and their corresponding log mappers will be removed from Cloud SIEM.
This update is part of a longer transition as we begin decommissioning legacy grok parsers in favor of our current parser set. Sumo Logic has confirmed customers are NOT actively using any of the legacy grok parsers or log mappers we plan to remove in this future update.
It's important to note that this future content update does NOT remove or change existing legacy grok parsers or associated log mappers still used by customers today. We do not expect this update to cause any operational changes.
April 1, 2022 - Content Release
Spring4Shell Exploitation
A new Rule (MATCH-S00783) is being deployed to detect attempts to exploit Spring4Shell. This Rule does not by itself indicate whether the exploitation attempt was successful, but Cloud SIEM already includes a number of Rules that provide extensive coverage of common post-exploitation activities, notably:
- MATCH-S00348 Curl Start Combination
- MATCH-S00362 Suspicious Curl File Upload
- LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
- MATCH-S00149 PowerShell File Download
- MATCH-S00164 Suspicious Shells Spawned by Web Servers
- MATCH-S00174 Web Services Executing Common Web Shell Commands
Rules
- [New] MATCH-S00783 Spring4Shell Exploitation - URL
- [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context
Log Mappers
- [New] Netskope - WebTx Events
- [New] Tenable.io Authentication
- [New] Tenable.io Catch All
- [Updated] AWS CloudFront
- [Updated] AWS WAF Block Logs
- [Updated] Microsoft Office 365 Active Directory Authentication Events
- [Updated] Tenable.io Vulnerability