Skip to main content

January 12, 2024 - Content Release

This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&K® tactic and technique tags.


  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
    • Updated name expression to reduce insight false positivity
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
  • [Updated] MATCH-S00705 Registry Modification - Authentication Package
  • [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
  • [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
  • [Updated] MATCH-S00379 WMIExec VBS Script
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
    • Corrected expression to exclude OS SID from user_userId; prior expression was incorrectly referencing SubjectLogonID
  • [Updated] MATCH-S00724 Windows Update Agent DLL Changed
  • [Updated] MATCH-S00435 XSL Script Processing

Log Mappers

  • [New] 1Password Item Audit Actions
  • [New] 1Password Item Usage Actions
  • [New] Zeek DNS Activity
  • [New] Zeek HTTP Activity
  • [New] Zeek conn Activity


  • [New] /Parsers/System/1Password/1Password
  • [New] /Parsers/System/1PasswordC2C/1PasswordC2C
  • [New] /Parsers/System/Zeek/Zeek


  • [New] metadata_sourceBlockId
    • The _blockId of the original source log message (from Sumo Logic)
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.