Skip to main content

October 26, 2023 - Content Release

This content release includes templates for creating Cloud SIEM parsers. There are two versions of each, one with comments that explain the purpose of each parser component, and “clean” versions that you can use to start quickly creating custom parsers. Further documentation on using these parsers will be available on Sumo Logic Docs in the coming weeks. Other changes in this release are enumerated below.

Rules

  • [New] FIRST-S00047 First Seen ASN Associated with User for a Successful Azure AD Sign In Event
    • This rule will trigger when a new ASN value is associated with a successful Entra ID sign-in event for a particular username since the baseline period. This may be suspicious activity as a user's IP address may change periodically, but typically users authenticate from a set of ASNs (one ASN value for their home network, another ASN value for their mobile device). A sign in with a new ASN not seen since the baseline period could be indicative of credential theft. Look at other events occurring for the user in question for the same time period to ascertain whether access was malicious or benign.
  • [New] FIRST-S00048 First Seen Azure Device Code Authentication from User
    • Azure Device Code authentication can be utilized in phishing attacks. This specific rule looks for a user performing device code authentication to an Azure resource for the first time since the baseline period. If this action is not expected, it could be a sign of malicious activity. Examine the event for odd user agent values and look at what other actions the affected account is performing within the Azure estate.
  • [Updated] MATCH-S00891 Azure OAUTH Application Consent from User
    • Fixed mismatched description and summary fields
  • [Updated] MATCH-S00832 Office 365 Inbox Rule Updated
    • Added fix to exclude blank or null rules

Parsers

  • [New] /Parsers/System/Parser Templates/CEF Template
  • [New] /Parsers/System/Parser Templates/CEF Template Commented
  • [New] /Parsers/System/Parser Templates/CSV Template
  • [New] /Parsers/System/Parser Templates/CSV Template Commented
  • [New] /Parsers/System/Parser Templates/JSON Template
  • [New] /Parsers/System/Parser Templates/JSON Template Commented
  • [New] /Parsers/System/Parser Templates/Key Value Pair Template
  • [New] /Parsers/System/Parser Templates/Key Value Pair Template Commented
  • [New] /Parsers/System/Parser Templates/LEEF Template
  • [New] /Parsers/System/Parser Templates/LEEF Template Commented
  • [New] /Parsers/System/Parser Templates/Unstructured Template
  • [New] /Parsers/System/Parser Templates/Unstructured Template Commented
  • [New] /Parsers/System/Parser Templates/Windows XML Template
  • [New] /Parsers/System/Parser Templates/Windows XML Template Commented
  • [New] /Parsers/System/Parser Templates/XML Template
  • [New] /Parsers/System/Parser Templates/XML Template Commented
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.