Skip to main content

May 12, 2023 - Content Release

Across the latest content release, the Threat Labs team has made a series of new AWS specific detections and a set of improvements both to the mappers and parser to include proper inbound / outbound network connection directional flow, and port assignments for AWS GuardDuty. Additional context and minor corrections/improvements can found within the list below.

Rules

  • [New] MATCH-S00874 AWS Lambda Function Recon
  • [New] MATCH-S00875 AWS VPC FLow Log Deletion
  • [New] MATCH-S00876 Potential AWS Security Credential Access via curl
  • [Updated] MATCH-S00226 Azure - Add Member to Group, TLAB-542 Update Azure Group Add rule and mapper addition, Keys updated: summary_expression, normalized_summary

Log Mappers

  • [Updated] AWS GuardDuty Alerts from Sumo CIP
  • [Updated] AWSGuardDuty_Backdoor
  • [Updated] AWSGuardDuty_Behavior
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_CryptoCurrency
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] AWSGuardDuty_Exfiltration
  • [Updated] AWSGuardDuty_PenTest
  • [Updated] AWSGuardDuty_Trojan
  • [Updated] AzureActivityLog AuditLogs
  • [Updated] Recon_EC2_PortProbeUnprotectedPort
  • [Updated] Recon_EC2_Portscan
  • [Updated] Recon_IAMUser
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [Updated] UnauthorizedAccess_EC2_TorClient
  • [Updated] UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] UnauthorizedAccess_EC2_TorRelay
  • [Updated] UnauthorizedAccess_IAMUser

Parsers

  • [Updated] /Parsers/System/AWS/AWS S3 Server Access Logs, AWS S3 Server Access Logs Parser Fix Related to New Fields and Wrapper
  • [Updated] /Parsers/System/Cisco/Cisco ASA, Modifies ASA header parser to account for additional delimiter variant
  • [Updated] /Parsers/System/AWS/GuardDuty
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.