Skip to main content

March 13, 2025 - Content Release

icon

This release includes:

  • New detection rules for Azure DevOps to identify suspicious or sensitive activity in CI/CD pipelines
  • New support for Barracuda WAF and CloudGen Firewall
  • Support for CyberArk Audit events
  • Updates to 1Password mappers to realign field mappings to reflect proper directionality
  • Fix for normalizedActions in AWS CloudTrail Policy Change mapper
  • Additions to CrowdStrike Audit and UserActivity log mappers to map additional fields and add alternate values
  • Support for additional events from Kubernetes and Linux OS logs

Rules​

  • [New] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
    • This detection monitors for the creation and deletion of Agent Pools within 5 days by the same user, with the intent of finding Agent Pools active for short durations.
  • [New] MATCH-S00997 Azure DevOps - Browser Observed in Personal Access Token (PAT) Use
    • This detection monitors for the use of a PAT for authentication from a User Agent String indicating a web browser.
  • [New] MATCH-S00995 Azure DevOps - Change Made to Administrator Group
    • This detection monitors for additions to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrators, Project Collection Build Administrators
  • [New] FIRST-S00098 Azure DevOps - First Seen Pull Request Policy Bypassed
    • This detection monitors for when a user performs a pull request bypass for the first time.
  • [New] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
    • This detection monitors for new users creating an agent pool. This user has not been observed creating agent pools during the baseline period and may be a new admin or involved in suspicious account activity.
  • [New] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
    • This detection monitors for users creating a release pipeline for the first time after the baseline period (by default, 90 days).
  • [New] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
    • This detection monitors for a user modifying a variable group for the first time.
  • [New] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
    • This detection monitors for users modifying a release pipeline for the first time after the baseline period (by default, 90 days).
  • [New] MATCH-S00998 Azure DevOps - Known Malicious Tooling Detected ADOKit
    • This is a simple detection matching on “ADOKit” at the start of the HTTP User Agent String (UAS). This detection effectively catches basic ADOKit use. It is brittle to attackers changing the User Agent String to another more innocuous browser to mask the traffic.
  • [New] MATCH-S00994 Azure DevOps - Member Added to Sensitive Group
    • This detection monitors for changes to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrator
  • [New] FIRST-S00095 Azure DevOps - New Agent OS Added to Agent Pool
    • This detection monitors for the addition of an agent to an agent pool when the OS of the agent has not been observed in this pool during the baseline period.
  • [New] FIRST-S00094 Azure DevOps - New Extension Installed
    • This detection monitors for new extensions installed organization-wide after a 30-day baseline, based on the user installing the new extension.
  • [New] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
    • This detection identifies statistical outliers in user behavior for the number of pools deleted in an hourly window.
  • [New] MATCH-S00996 Azure DevOps - Personal Access Token (PAT) Misuse Observed
    • This detection monitors for use of a Personal Access Token in conjunction with categories of action that aren’t normally associated with PAT authentication.
  • [New] CHAIN-S00021 Azure DevOps - Pipeline Created and Deleted within a Short Period
    • This detection monitors for the creation and deletion of the same pipeline within a short period (by default, a day).
  • [New] MATCH-S00993 Azure DevOps - Pipeline Retention Settings Reduced
    • This detection monitors for any reduction in the pipeline retention settings.

Log Mappers​

  • [New] Barracuda Authentication
  • [New] Barracuda Catch All
  • [New] Barracuda CloudGen Auth Service dcclient and events
  • [New] Barracuda CloudGen Firewall Activity
  • [New] Barracuda CloudGen Settings DNS
  • [New] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
  • [New] Barracuda System Event
  • [New] CyberArk Audit Authentication
  • [New] CyberArk Audit Catch All
  • [Updated] 1Password Item Audit Actions
  • [Updated] 1Password Item Usage Actions
  • [Updated] 1Password Item Usage C2C
  • [Updated] 1Password Signin C2C
  • [Updated] CloudTrail - iam.amazonaws.com - Policy Change
  • [Updated] CrowdStrike Audit Logs
  • [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
  • [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
  • [Updated] CrowdStrike UserActivity Logs
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
  • [Updated] Linux OS Syslog - Process sshd - SSH Bind Listening and negotiate event

Parsers​

  • [New] /Parsers/System/Barracuda/Barracuda CloudGen
  • [New] /Parsers/System/Barracuda/Barracuda WAF
  • [New] /Parsers/System/Cyber-Ark/CyberArk Audit
  • [Updated] /Parsers/System/Kubernetes/Kubernetes
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.