Skip to main content

July 21, 2023 - Content Release

This release includes:

  • Removal of unused legacy parsers and directly associated mappers and rule content.
  • Support for Windows Event Log JSON ingested via Open Telemetry collector. XML and JSON via OTel are now fully supported in CSE.

Rules

  • [New] FIRST-S00038 First Seen Wget Usage from User
    • Observes for execution of Wget from a user for the first time since the baseline period (14 days).
  • [Updated] LEGACY-S00009 Bluecoat Proxy - Suspicious or Malicious Categories
    • Fix to account for minor difference from legacy parser to current parser.
  • [Updated] FIRST-S00016 First Seen Non-Network/Non-System Logon from User
    • Excludes LogonTypes for System Startup, Batch, and Service to reduce volume of records matching.
  • [Deleted] MATCH-S00073 Palo Alto - Traps Templated Events

Log Mappers

  • [Updated] AWS Security Hub
    • Lowered normalizedSeverity to reduce false positivity of passthrough signals.
  • [Updated] CrowdStrike Falcon Identity Protection (CNC)
    • Adjusted IdentityProtectionEvent normalizedSeverity to use INFO, LOW, MEDIUM, and HIGH instead of numeric values to improve consistency.
  • [Updated] Windows - Security - 4627
    • Added mapping for logonType '0' representing a system startup.
  • [Deleted] AD Audit DNS
  • [Deleted] AD Audit Comp
  • [Deleted] AD Audit LDAP
  • [Deleted] AD Audit Local Logon
  • [Deleted] AD Audit Server
  • [Deleted] AD Audit User
  • [Deleted] Blue Coat Proxy 1
  • [Deleted] Blue Coat Proxy 3
  • [Deleted] Cisco Firepower Malware Event 430005
  • [Deleted] Cisco Ironport WSA NOHD 02
  • [Deleted] Citrix Xenserver Auth Message
  • [Deleted] Cylance_Audit_1
  • [Deleted] Cylance_Audit_2
  • [Deleted] Ironport Cisco
  • [Deleted] LINUX Root Login
  • [Deleted] LINUX Root Login with Username
  • [Deleted] LINUX User Authenticated
  • [Deleted] LINUX User Authenticated no Username
  • [Deleted] LINUX User Session Open/Close
  • [Deleted] Palo Alto Traps Misc
  • [Deleted] Symantec SEP Compressed File
  • [Deleted] Symantec SEP MEM System
  • [Deleted] Symantec SEP Potential Risk Found 04
  • [Deleted] Symantec SEP Security Risk Found 2
  • [Deleted] Symantec SEP Sonar Detection Variation 2
  • [Deleted] Symantec SEP Virus Found
  • [Deleted] Tanium S05 Logs

Parsers

  • [New] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

Legacy Parsers

  • [Deleted] ADAUDIT_COMP
  • [Deleted] ADAUDIT_DNS
  • [Deleted] ADAUDIT_LDAP
  • [Deleted] ADAUDIT_LOCAL_LOGON
  • [Deleted] ADAUDIT_SERVER
  • [Deleted] ADAUDIT_USER
  • [Deleted] BLUECOAT_PROXY_1
  • [Deleted] BLUECOAT_PROXY_3
  • [Deleted] CYLANCE_AUDIT1
  • [Deleted] CYLANCE_AUDIT2
  • [Deleted] Firepower_Malware_Event_430005
  • [Deleted] IRON_PORT_CISCO
  • [Deleted] IRON_PORT_WSA_NOHD_02
  • [Deleted] LINUX_AUTH
  • [Deleted] LINUX_ROOT_GENERIC
  • [Deleted] LINUX_ROOT_LOGIN
  • [Deleted] LINUX_ROOT_NO_USER
  • [Deleted] LINUX_ROOT_USER
  • [Deleted] PAN_TRAPS_MISC
  • [Deleted] SYMANTEC_SEP_CF
  • [Deleted] SYMANTEC_SEP_MEMS
  • [Deleted] SYMANTEC_SEP_PRF_04
  • [Deleted] SYMANTEC_SEP_SDN_02
  • [Deleted] SYMANTEC_SEP_SRF_2
  • [Deleted] SYMANTEC_SEP_VF_01
  • [Deleted] TANIUM_S05_TYPE_LOGS
  • [Deleted] VDM_LOG_SECURE
  • [Deleted] citrix_xenserver_auth_message
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.