Skip to main content

July 14, 2023 - Content Release

Starting with this release, the rule type for First Seen rules is now "Anomaly", and Outlier Rules have been promoted from prototype mode.

NOTE: Due to performance and efficacy findings, OUTLIER-S00012 will be deleted on July 28th. If you wish to retain this rule, it must be duplicated in the CSE Rules UI.


  • [Updated] OUTLIER-S00001 Spike in login failures from a user
    • Removed incorrect match list from expression.
    • Will remain in prototype an additional week due to changes made to the rule expression.
  • [Updated] OUTLIER-S00002 Spike in Successful Distinct Share Access
  • [Updated] OUTLIER-S00003 Spike in Failed Share Access by User
  • [Updated] OUTLIER-S00004 Spike in Azure Firewall Deny Events from Source IP
  • [Updated] OUTLIER-S00005 Spike in AWS API Call from User
  • [Updated] OUTLIER-S00006 Spike in Data Transferred Outbound by User
  • [Updated] OUTLIER-S00007 Spike in Windows Administrative Privileges Granted for User
  • [Updated] OUTLIER-S00008 Spike in Failed Azure Sign In Attempts Due to Bad Password from IP Address
  • [Updated] OUTLIER-S00009 Spike in PowerShell Command Line Length From Host
  • [Updated] OUTLIER-S00010 Spike in URL Length from IP Address
  • [Updated] OUTLIER-S00011 Spike in AWS AccessDenied Events by assumedrole


  • [New] http_referer_queryParameters
    • New queryParameters enrichment/mappable field
  • [New] http_url_queryParameters
    • New queryParameters enrichment/mappable field
  • [New] objectClassification
    • Allows objectClassification to be used in CSE rule expressions.
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.