Skip to main content

August 05, 2024 - Content Release

icon

This content release includes:

  • A new Cloud SIEM First Seen rule
  • Consolidation of AWSGuardDuty log mappers
  • CrowdStrike FDR mapping modifications by adding aid as a value for device_hostname as primary or alternate
  • Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format
  • Several new log mappers, parsers, and multiple updated parsers

Release specifics are enumerated below.

Rules

  • NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
    • This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process.

Log Mappers

  • [Deleted] AWS GuardDuty Alerts from Sumo CIP
  • [Deleted] AWSGuardDuty_Backdoor
  • [Deleted] AWSGuardDuty_Behavior
  • [Deleted] AWSGuardDuty_Catch_All
  • [Deleted] AWSGuardDuty_CryptoCurrency
  • [Deleted] AWSGuardDuty_Discovery
  • [Deleted] AWSGuardDuty_Exfiltration
  • [Deleted] AWSGuardDuty_PenTest
  • [Deleted] AWSGuardDuty_Persistence
  • [Deleted] AWSGuardDuty_Policy
  • [Deleted] AWSGuardDuty_ResourceConsumption
  • [Deleted] AWSGuardDuty_Stealth
  • [Deleted] AWSGuardDuty_Trojan
  • [Retired] AwsServiceEvent-AWS API Call via CloudTrail
  • [Deleted] Recon_EC2_PortProbeUnprotectedPort
  • [Deleted] Recon_EC2_Portscan
  • [Deleted] Recon_IAMUser
  • [Deleted] UnauthorizedAccess_EC2_SSHBruteForce
  • [Deleted] UnauthorizedAccess_EC2_TorClient
  • [Deleted] UnauthorizedAccess_EC2_TorIPCaller
  • [Deleted] UnauthorizedAccess_EC2_TorRelay
  • [Deleted] UnauthorizedAccess_IAMUser
  • [Updated] AWS GuardDuty Alerts from Sumo CIP
  • [New] AWS Redshift - ACTIVITY_LOG
  • [New] AWS Redshift - Authentication Log
  • [New] AWS Redshift - Connection Log
  • [New] AWS Redshift - USER_LOG
  • [New] AWSGuardDuty - Audit Events
  • [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
  • [New] AWSGuardDuty - Reconnaissance and malicious activity detection
  • [Updated] AWSGuardDuty - Tor Client and Relay
  • [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] AWSGuardDuty_Catch_All
  • [New] Forescout CounterACT - NAC Policy Log
  • [New] PingFederate - Authentication Event
  • [New] Symantec Endpoint Security - All
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [New] VMware NSX - Firewall
  • [Updated] CloudTrail Default Mapping
    • Added alternate values for userIdentity.arn, and requestParameters.sourceIdentity applied to user_role. Additional mappings for bytesIn, and bytesOut.
  • [Updated] CrowdStrike FDR - Catch All
  • [Updated] CrowdStrike FDR - CriticalFileAccessed
  • [Updated] CrowdStrike FDR - NetworkConnectIP4
  • [Updated] CrowdStrike FDR - NetworkConnectIP6
  • [Updated] CrowdStrike FDR - ProcessRollup2
  • [Updated] CrowdStrike FDR - SuspiciousDnsRequest
  • [Updated] PingFederate Event
    • Narrowed the lookup scope where success is true.
  • [Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105
    • Updated keys for: user_userId, user_username, commandLine, baseImage, file_path, and severity.

Parsers

  • [New] /Parsers/System/AWS/AWS Redshift
  • [Updated] /Parsers/System/Forescout/Forescout CounterACT
    • Updated the start time field.
  • [New] /Parsers/System/Symantec/Symantec Endpoint Security
  • [New] /Parsers/System/VMware/VMware NSX
  • [Updated] /Parsers/System/Cisco/Cisco Meraki
    • Added support for URLS new format.
  • [Updated] /Parsers/System/PingIdentity/PingFederate
    • Added support of new log format.
  • [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
    • Dropped the redundant message field.
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.