
January 12, 2024 - Content Release


This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&CK® tactic and technique tags.

Rules

  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
    • Updated name expression to reduce Insight false positives
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
  • [Updated] MATCH-S00705 Registry Modification - Authentication Package
  • [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
  • [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
  • [Updated] MATCH-S00379 WMIExec VBS Script
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
    • Corrected expression to exclude the OS SID from user_userId; the prior expression incorrectly referenced SubjectLogonID
  • [Updated] MATCH-S00724 Windows Update Agent DLL Changed
  • [Updated] MATCH-S00435 XSL Script Processing

Log Mappers

  • [New] 1Password Item Audit Actions
  • [New] 1Password Item Usage Actions
  • [New] Zeek DNS Activity
  • [New] Zeek HTTP Activity
  • [New] Zeek conn Activity

Parsers

  • [New] /Parsers/System/1Password/1Password
  • [New] /Parsers/System/1PasswordC2C/1PasswordC2C
  • [New] /Parsers/System/Zeek/Zeek

Schema

  • [New] metadata_sourceBlockId
    • The _blockId of the original source log message (from Sumo Logic)

Copyright © 2024 by Sumo Logic, Inc.