August 16, 2024 - Content Release

This content release includes:

  • Updates to Azure rules to reflect the rename of the Company Administrator role to Global Administrator.
  • New Linux OS Syslog mappers.
  • Addition of sessionId mapping to Okta mappers.

Individual changes are enumerated below.

Rules

  • [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
  • [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
  • [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role
  • [Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User)

Log Mappers

  • [New] Linux OS Syslog - Process sudo - Authentication Failure
  • [New] Linux OS Syslog - Systemd-user Session Open|Closed
  • [New] Linux OS Syslog - sshd - Postponed publickey
  • [New] Linux OS Syslog - sshd - User not allowed
  • [New] MicrosoftGraphActivityLogs
  • [Updated] AWS Redshift - Authentication Log
    • Added normalizedAction mapping for logon and a success boolean lookup on event_name
  • [Updated] Aruba ClearPass Guest Access
    • Added normalizedAction mapping for logon and a success boolean lookup on error codes
  • [Updated] Check Point Failed Log In
    • Updated record type to Authentication and adjusted normalizedAction mapping to logon
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
    • Added logon normalizedAction and mapped success boolean to checkMfa
  • [Updated] Infoblox NIOS - DNS
    • Updated mapping for dns_query to fix DNS enrichments
  • [Updated] JumpCloud IdP Authentication
    • Adds logon normalizedAction to mapper
  • [Updated] Linux OS Syslog - Cron - Session Opened
    • Adds mappings for targetUser_username, targetUser_userId, user_userId
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
    • Adds "check pass" to event ID pattern
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
    • Added description mapping
  • [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
    • Updated mapper name and added "sshd-disconnect" to the event ID pattern. Adds mappings for srcDevice_ip, description, and action.
  • [Updated] Linux OS Syslog - Process sshd - SSH Session Opened
    • Adds mapping for srcDevice_ip
  • [Updated] Linux OS Syslog - Process sshd - SSH Session Starting
    • Adds mappings for srcDevice_ip, srcPort
  • [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
    • Adds mapping for description
  • [Updated] PingFederate - Authentication Event
    • Added logon normalizedAction to mapper
  • [Updated] Pulse Secure Custom Parser - AUT24326
    • Added logon normalizedAction to mapper
  • [Updated] Windows - Security - 4648
    • Adds logon normalizedAction mapping
  • [Updated] Okta Authentication - auth_via_AD_agent
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication - auth_via_radius
  • [Updated] Okta Authentication - sso
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events

Parsers

  • [Updated] /Parsers/System/Linux/Linux OS Syslog
    • Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns.
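
The Linux OS Syslog mapper and parser changes above all serve one purpose: a process-specific syslog message (an sshd "Postponed publickey", a "User not allowed", a PAM "check pass" failure, a sudo authentication failure, an sshd disconnect) is turned into the normalized fields that rules key on, so a rule can match on normalizedAction and success instead of on each raw string. The Python below is an added example, not Sumo Logic's parser or mapper code, and runs over a handful of constructed syslog lines in the shape sshd, PAM and sudo actually emit. The field names (normalizedAction, success, srcDevice_ip, srcPort, user_username, targetUser_username, description) are the schema names used in these notes; the event IDs, regexes and success verdicts are this example's own assumptions, not the product's mappers.

```python
import re
from typing import Optional

# Constructed sample lines (not taken from the release notes), in the shape
# sshd, PAM and sudo write to syslog.
SAMPLE_LINES = [
    "Aug 16 10:01:02 host1 sshd[1201]: Postponed publickey for alice from 10.0.0.5 port 51234 ssh2 [preauth]",
    "Aug 16 10:01:03 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc",
    "Aug 16 10:02:10 host1 sshd[1300]: User mallory from 10.0.0.9 not allowed because not listed in AllowUsers",
    "Aug 16 10:02:11 host1 sshd[1300]: pam_unix(sshd:auth): check pass; user unknown",
    "Aug 16 10:02:12 host1 sshd[1300]: Failed password for invalid user mallory from 10.0.0.9 port 40000 ssh2",
    "Aug 16 10:05:00 host1 sshd[1201]: Disconnected from user alice 10.0.0.5 port 51234",
    "Aug 16 10:06:00 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob",
]

# Classic BSD syslog header: timestamp, host, process[pid]: message.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (event_id, message pattern, normalizedAction, success). Event IDs and the
# success verdicts are this example's own choices, not the product's mapper.
# success is None where the message is not a verdict (in-progress or logoff).
PATTERNS = [
    ("sshd-postponed-publickey",
     re.compile(r"^Postponed publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
     "logon", None),
    ("sshd-accepted",
     re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
     "logon", True),
    ("sshd-user-not-allowed",
     re.compile(r"^User (?P<user>\S+) from (?P<ip>\S+) not allowed because .+$"),
     "logon", False),
    ("sshd-pam-check-pass",
     re.compile(r"^pam_unix\(sshd:auth\): check pass; user unknown"),
     "logon", False),
    ("sshd-failed-password",
     re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
     "logon", False),
    ("sshd-disconnect",
     re.compile(r"^Disconnected from (?:authenticating )?(?:user )?(?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)"),
     "logoff", None),
    ("sudo-auth-failure",
     re.compile(r"^pam_unix\(sudo:auth\): authentication failure;.*\bruser=(?P<user>\S*).*\buser=(?P<target>\S+)"),
     "logon", False),
]


def map_line(line: str) -> Optional[dict]:
    """Parse one syslog line into a normalized record; None if no pattern matches."""
    head = SYSLOG_HEADER.match(line)
    if not head:
        return None
    msg = head.group("msg")
    for event_id, pattern, action, success in PATTERNS:
        m = pattern.search(msg)
        if not m:
            continue
        fields = m.groupdict()
        rec = {
            "event_id": event_id,
            "device_hostname": head.group("host"),
            "normalizedAction": action,
            "success": success,
            "description": msg,
            # Fields absent from the message stay None rather than being guessed.
            "user_username": fields.get("user") or None,
            "srcDevice_ip": fields.get("ip"),
            "srcPort": int(fields["port"]) if fields.get("port") else None,
        }
        if fields.get("target"):
            rec["targetUser_username"] = fields["target"]
        return rec
    return None


def map_lines(lines):
    """Normalize a batch of lines, dropping those no pattern recognises."""
    return [r for r in (map_line(l) for l in lines) if r is not None]


def failed_logons(records):
    """What a rule keyed on normalized fields sees: every failed logon,
    regardless of which raw pattern produced it."""
    return [(r["event_id"], r["user_username"], r["srcDevice_ip"])
            for r in records
            if r["normalizedAction"] == "logon" and r["success"] is False]


if __name__ == "__main__":
    for rec in map_lines(SAMPLE_LINES):
        print(rec["event_id"], rec["normalizedAction"], rec["success"],
              rec["user_username"], rec["srcDevice_ip"], rec["srcPort"])
    print(failed_logons(map_lines(SAMPLE_LINES)))
```

Two things the run makes visible. The PAM "check pass; user unknown" line carries neither a username nor a source address, so a rule that fires on that event alone has nothing to attribute; the surrounding "Failed password" line from the same sshd PID is what supplies user and srcDevice_ip. And "Postponed publickey" is an in-progress preauth message, not a verdict, which is why it is left with success unset rather than counted as either a failure or a success.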

Schema

  • [New] repository
    • The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts.

Copyright © 2024 by Sumo Logic, Inc.