January 12, 2024 - Content Release
This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&K® tactic and technique tags.
Rules
- [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
- Updated name expression to reduce insight false positivity
- [Updated] MATCH-S00686 Base64 Decode in Command Line
- [Updated] MATCH-S00373 BlueMashroom DLL Load
- [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
- [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
- [Updated] FIRST-S00013 First Seen Driver Load - Global
- [Updated] FIRST-S00014 First Seen Driver Load - Host
- [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
- [Updated] MATCH-S00705 Registry Modification - Authentication Package
- [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
- [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
- [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
- [Updated] MATCH-S00379 WMIExec VBS Script
- [Updated] MATCH-S00570 WMIPRVSE Spawning Process
- Corrected expression to exclude OS SID from
user_userId
; prior expression was incorrectly referencingSubjectLogonID
- Corrected expression to exclude OS SID from
- [Updated] MATCH-S00724 Windows Update Agent DLL Changed
- [Updated] MATCH-S00435 XSL Script Processing
Log Mappers
- [New] 1Password Item Audit Actions
- [New] 1Password Item Usage Actions
- [New] Zeek DNS Activity
- [New] Zeek HTTP Activity
- [New] Zeek conn Activity
Parsers
- [New] /Parsers/System/1Password/1Password
- [New] /Parsers/System/1PasswordC2C/1PasswordC2C
- [New] /Parsers/System/Zeek/Zeek
Schema
- [New] metadata_sourceBlockId
- The _blockId of the original source log message (from Sumo Logic)