
16 posts tagged with "application update"


Entity Groups Inventory Enhancements

We are happy to announce some important enhancements to the Entity Group feature in Cloud SIEM Enterprise (CSE).

With this release, Entity Groups can now use any attribute available in your inventory data - including non-normalized attributes. (Previously, only the group attribute was available.) Non-normalized attributes can be used by adding the fields. prefix.

In addition, the release introduces the ability to auto-set schema tag values on matching Entities based on the value of a given inventory attribute. For example, any user Entity that has a value for location in inventory data will have that value set in a tag (such as Location:Austin).

Entity Group Details Panel

When using dynamic schema tags, you can still set static tags, criticality, and suppression state.

These two enhancements will reduce the number of Entity Groups needed to configure your Entities automatically and will populate a more complete and accurate set of Entity attributes, improving Rule and Analyst efficiency.

There is much more information about Entity Groups and these enhancements in the online documentation.

Bug Fixes

  • Multiple entries were being added to the audit log when some Insights were created.
  • Some Insights were not getting enriched with VirusTotal using the direct integration.
  • Time-to-live was temporarily considered a mandatory attribute for match lists.

Automation Service

Sumo Logic is excited to announce that the Automation Service for Cloud SIEM Enterprise (CSE) is now generally available for all CSE customers. The Automation Service uses Cloud SOAR capabilities -- without needing Cloud SOAR itself -- to allow you to define and automate smart actions, including enrichments and notifications. These actions can be automatically triggered when certain events occur in CSE, helping you to quickly investigate, understand, and react to potential security threats.

You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that could include parallel actions and logic steps. Actions are defined as part of integrations with specific internal and external applications. Sumo Logic provides hundreds of integrations, actions, and playbooks out of the box that you can use and customize. You can also create your own.

Automation Service

Automations are accessible through the Configuration menu, under Integrations. Automation results are accessible from Insight and Entity detail pages.

The Automation Service does not include the full capabilities of Cloud SOAR. For example, the Automation Service only supports enrichment, notification, and custom action types, and Automation Service playbooks can only be triggered from CSE. There is also a limit to the number of actions you can run per hour. However, if you do have Cloud SOAR, then once you have upgraded to the Fall 2023 release of Cloud SOAR (currently in Beta), CSE will use it to run automations instead of the Automation Service, giving CSE access to the full capabilities of Cloud SOAR.

Over time, the legacy Insight Actions and CSE Enrichment Service features will be deprecated in favor of this new service. (The new service includes integrations and actions corresponding to the legacy Insight Actions and can run existing Enrichment Service PowerShell scripts. The online documentation has more information about migrating.) Note that the Automation Service is not yet available in the FedRAMP environment.

There is much more information about the Automation Service and how to use it in the online documentation.

Minor Changes and Enhancements

  • [New] Tag schemas and context actions can now be managed via API (/tag-schemas and /context-actions). See the API documentation for details.
  • [Updated] Threat indicator icons will now appear where appropriate in the Active Entities panel on the HUD.

Bug Fixes

  • Some records were not being auto-enriched with Network Block data.
  • Some internal IP addresses were being marked as external.
  • The HUD was not updating Insight status counts in a timely fashion.
  • Window size was not saving correctly when defining a new Outlier rule.

Deprecation Notice

After careful evaluation, we have deprecated Grok patterns immediately for customers who've not used the feature in the last 30 days. Our more robust and configurable solution is already available for customers in the Sumo Logic parsers. More details on how parsing works in Sumo Logic can be found in the Parsing Language Reference Guide.

For customers who are still using Grok, further communication along with a path to migrate to the Sumo Logic parsers will be provided in the coming weeks.

Minor Changes and Enhancements

  • [Update] The Cloud SIEM UI has been updated with refreshed fonts and colors to better align with the core Sumo Logic pages. This is the first change in a greater series of updates designed to present a more unified user experience across Sumo Logic feature sets.
  • [New] The Signal Severity Total, an indication of the activity for an Entity, has been added to the Entity list and details views. The Signal Severity Total is calculated by adding up the severity value for each of the Signals generated against a given Entity during the current detection window (by default 14 days), not including duplicate or suppressed Signals.

Bug Fixes

  • With the recent changes to log mapping, some users were seeing an error when attempting to use custom input vendors and/or products.
  • Entity lookup normalization was taking place after Entity Groups were processed; normalization now happens first.

New RBAC Capabilities

Reminder: Earlier this week, we introduced new RBAC capabilities for Cloud SIEM Enterprise (CSE): View Entities and Manage Entities. Users with the built-in administrator role received these capabilities automatically, but admins must manually add these capabilities to other roles as appropriate. If a user has neither capability, they will not be able to see Entity details or interact with or manage Entities in any way.

Minor Changes and Enhancements

  • [Update] The Entity Timeline feature is now available for all Entity types, including custom types.
  • [New] When viewing an Entity's detail page, both Entity Groups that apply to that Entity and membership in a suppression list will now be listed.

Bug Fixes

  • Some customers were seeing non-blocking errors loading Insight detail pages, and links to Cloud SOAR, when they should not have.
  • The number of records ingested into CSE was not being reported consistently on the HUD.

New RBAC Capabilities

Starting Thursday, July 6, we're introducing new RBAC capabilities for Cloud SIEM Enterprise (CSE): View Entities and Manage Entities. Users with the built-in administrator role will receive these capabilities automatically, but admins must manually add these capabilities to other roles as appropriate. If a user has neither capability, they will not be able to see Entity details or interact with or manage Entities in any way.

Minor Changes and Enhancements

  • [New] Nodes can now be moved around individually on the Insight Related Entities Graph.
  • [Update] To align more closely with accepted industry definitions, we are changing the Dwell Time label on Insight metrics in the UI to Detection Time. Note that only the label is changing, not how the metric is calculated (i.e., the period of time between when the first record in an Insight was observed and when the Insight was created).
  • [Update] Match list updates containing more than 1000 entries are now supported by our Terraform provider.
  • [Update] When a custom product or vendor is selected in log mapping, the string entered by the user is now indexed instead of the word "Custom", so that the custom entry can be searchable/filterable. This only applies to mappings configured going forward.
  • [New] Custom tag schemas can now be retrieved via API (GET /tag-schemas).
  • [New] When viewing Rule Tuning Expressions, if one applies to all rules, it will now say All instead of giving a numerical count.
  • [Update] The CSE UI color palette has been updated to more closely align with the standard Sumo Logic "dark mode" color palette.

Bug Fixes

  • Insight sub-resolutions were not being passed to XSOAR correctly in some circumstances.
  • Some users were unable to override fields on some Sumo-provided rules.
  • When extracting fields in rule expressions, double quotes were not working ({{fields["<field_name>"]}}).

Outlier Rules

Sumo Logic is pleased to announce a new rule type for Cloud SIEM Enterprise (CSE): Outlier Rules. This new rule type further enhances CSE’s User and Entity Behavioral Analytics (UEBA) capabilities. With these rules, CSE can detect events that deviate from the usual behavior of an Entity, such as a spike in login failures from a user, without having to define a static threshold. Once the rule is set, CSE automatically builds a normal behavior baseline for each Entity based on the rule expression. It creates a signal only when a deviation from normal behavior is detected (in this case, too many login failures compared to their normal baseline behavior). Other examples include detecting a spike in Windows administrative privileges granted and a spike in AWS calls from a user.

Outlier Rules are defined like any other rule type through the Content menu in CSE.

Example Signal from Outlier Rule

Outlier Rules operate based on a baseline. During this period - typically between 7 and 30 days - the system will learn what normal behavior looks like. After the baseline is established, CSE will begin generating Signals when unusual behavior is detected compared to that baseline. (Note that the longer the baseline, the more accurate the model will be.)

CSE will include a set of Outlier Rules out of the box. These rules can be tuned and customized like any other rule type, and custom Outlier Rules can also be created.
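The following is an added illustration, not Sumo Logic's code: a simplified outlier detector in the spirit of the Outlier Rules described above. It learns a per-Entity baseline of daily login failures over a baseline window and emits a Signal only when a later day's count deviates from that baseline. The scoring method (mean plus k standard deviations, with a minimum absolute excess) and the sample data are assumptions; CSE's actual model is not documented on this page.

```python
"""Added example (not Sumo Logic code): per-Entity baseline + deviation detection.
The scoring rule (mean + k*stdev, min_excess guard) is an assumption for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Signal:
    entity: str
    day: date
    count: int
    baseline_mean: float
    threshold: float


def daily_counts(events):
    """Aggregate (user, day) login-failure events into per-user daily counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day in events:
        counts[user][day] += 1
    return counts


def build_baseline(day_counts, start, end):
    """Mean and population stdev of daily counts over [start, end).
    Days with no events count as zero, so quiet days lower the baseline."""
    values = []
    d = start
    while d < end:
        values.append(day_counts.get(d, 0))
        d += timedelta(days=1)
    return mean(values), pstdev(values)


def detect_outliers(events, baseline_start, baseline_days=7, k=3.0, min_excess=5):
    """Evaluate every day after the baseline window for each Entity.
    A Signal fires when the day's count exceeds mean + k*stdev AND exceeds the mean
    by at least min_excess. The second guard matters for a flat baseline (stdev 0),
    where a single extra failure would otherwise be an 'outlier'."""
    baseline_end = baseline_start + timedelta(days=baseline_days)
    signals = []
    for user, day_counts in sorted(daily_counts(events).items()):
        mu, sigma = build_baseline(day_counts, baseline_start, baseline_end)
        threshold = max(mu + k * sigma, mu + min_excess)
        for day in sorted(d for d in day_counts if d >= baseline_end):
            if day_counts[day] > threshold:
                signals.append(Signal(user, day, day_counts[day], mu, threshold))
    return signals


# Constructed sample data: a 7-day baseline followed by two evaluation days.
START = date(2023, 6, 1)


def sample_events():
    events = []
    # alice: a steady 2 failures/day in the baseline, then a spike of 40 on day 8
    for i in range(7):
        events += [("alice", START + timedelta(days=i))] * 2
    events += [("alice", START + timedelta(days=7))] * 40
    events += [("alice", START + timedelta(days=8))] * 3
    # bob: bursty by nature (0,10,0,10,0,10,0); 12 on day 8 is within his own norm
    for i in range(7):
        if i % 2 == 1:
            events += [("bob", START + timedelta(days=i))] * 10
    events += [("bob", START + timedelta(days=7))] * 12
    return events


if __name__ == "__main__":
    for s in detect_outliers(sample_events(), START):
        print(f"{s.entity} {s.day}: {s.count} failures "
              f"(baseline mean {s.baseline_mean:.1f}, threshold {s.threshold:.1f})")
```

Note that bob's burst of 12 does not fire because his baseline is itself bursty; that is the point of a per-Entity baseline compared with a single static threshold.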

For more information about how to use Outlier Rules, see the online documentation. You can also see an introduction to the feature by navigating to the Rules page in CSE.

Minor Changes and Enhancements

  • [New] Users can now customize the global Signal Suppression period. During this period, which is set to 72 hours by default, duplicate signals (with identical names and Entities) are suppressed (for example, they do not “count” towards Insights). With this new feature, this period can be lowered globally (for all rules) to as low as 24 hours. (Note that lowering this value can lead to a higher number of potentially duplicate Insights.) The setting is accessible via the Workflow > Detection option in the Configuration menu.
  • [Updated] CSE application status will now be published on the main Sumo Logic status page, https://status.sumologic.com/. (Previously it was published on https://cse-status.sumologic.com/.) Existing email subscriptions and status notifications will be moved to the new page automatically.

Minor Changes and Enhancements

  • [New] The Entity Timeline now supports all Entity types (including custom types).
  • [New] The GetSignals API call now includes an attribute with a timestamp when each Signal was created.
  • [Updated] The log mapping UI has been updated so that if a standard vendor and product is selected, those values will be auto-filled on the record configuration, avoiding an issue where customers were accidentally creating 'custom' values.

Bug Fixes

  • An error would occur when sorting entity groups by entity type.
  • The control used to select schema tags for Entities was not working properly.
  • The "View in Log Search / Normalized Data" button was opening a log search window with an incorrect time frame.
  • Global search was not displaying previous searches, and was not returning some Entities.
  • The rule tuning expression editor would not scroll for very long expressions.
  • Importing a rule via the UI was not working in some scenarios.

Cloud SIEM Insight Trainer

We are excited to announce the release of Cloud SIEM Insight Trainer, a dashboard packaged with the CSE Application.

Many security teams spend time every week tuning their SIEM to improve detections and focus SOC analyst attention on the most serious threats. Insight Trainer uses machine learning to provide Rule tuning recommendations and severity adjustments that significantly reduce the burden of manual tuning. Insight Trainer learns Rule severity adjustments from your Insight history that reduce false-positive and, optionally, "No Action" Insights.

Cloud SIEM Insight Trainer

Some of the highlights of Insight Trainer include:

  • Customer-Specific Tuning Recommendations - Insight Trainer makes recommendations specific to each customer based on their unique set of Rules, Insight history, and analyst Insight resolutions.
  • Improved SOC Efficiency - Insight Trainer automates the manual process of identifying Rules that are candidates for tuning or severity adjustment and provides impact analysis of the changes.
  • Machine Learning/AI-Driven Analytics - Insight Trainer leverages machine learning and AI to deliver outcome-based recommendations geared towards the reduction of false positive and non-actionable Insights without compromising the actual detection value or true positive Insights in Cloud SIEM.
  • Easy Adoption - The dashboard is available as an update to our already existing Enterprise Audit Cloud SIEM application and can be set up to run with no additional configuration or data science knowledge.

Periodic application of the recommended changes will improve the quality of Insights generated by Cloud SIEM. For more information about the Insight Trainer, see our detailed online documentation.

Bug Fixes

  • On the Insight Related Entities list, some of the Signal counts were incorrect.
  • Whitespace, including new lines, was being stripped from some Enrichments formatted in JSON.
  • Indicators not using the proper case were being accepted but displaying as "NotFlagged" in the UI.

Automation Service

Sumo Logic is excited to announce a new feature that integrates functionality previously available only in our Cloud SOAR solution directly into Cloud SIEM Enterprise (CSE). This new feature, the Automation Service, allows you to define and automate smart actions, including enrichments and notifications, enabling your security analysts to address potential security threats faster and more accurately.

You can interact with the service through automations, which execute playbooks. Playbooks are composed of one or more actions with a workflow that can include parallel actions and logic steps. Actions are defined as part of integrations.

The Automation Service includes over 350 integrations out of the box, each including several predefined actions:

Automation Service Integrations

Many playbooks are also included, providing instant value with practically no effort - simply connect the integration to the appropriate endpoint and enable the corresponding automation in CSE. Playbooks can be automatically triggered when Insights are created or closed, or triggered manually.

Automation Service Playbook Example

You can also customize these objects or create entirely new ones. While the out-of-the-box actions primarily execute directly from the Sumo Logic cloud, custom actions run through a proxy called a Bridge, which runs on a system managed by you.

Automations (and other objects) are accessible through the Configuration menu, under Integrations:

Automation Service Menu

Automation results are accessible from Insight and Entity detail pages.

The Insight Enrichment Server and the Actions functionality in CSE, which are replaced by the Automation Service, will be deprecated on November 30, 2023. Until then, they will continue to be fully supported and operational. To aid in migration, all current Enrichment Server examples and Actions have equivalent actions and playbooks in the Automation Service. In addition, through the Bridge, customers can execute any existing PowerShell script currently connected to the Insight Enrichment Server.

note

The Automation Service currently has Limited Availability. This means that it is fully functional and supported in production environments, but not automatically deployed to every customer. If you would like it deployed to your environment, please contact Sumo Logic and we will enable it for you.

There is much more information about the Automation Service and how to use it in the online documentation.

Threat Indicators

The way enrichments are displayed in CSE is also being enhanced to provide important information to security analysts when they need it, without having to look it up.

First, the Enrichment tabs have been reorganized by Entity (instead of by Enrichment) and additional filter controls have been added:

Enrichments Tab

In addition, Entity enrichments will now persist outside of Insights. So, for example, if an Entity is enriched as part of an Insight, those enrichment details will be visible from that Entity’s details page.

This persistence can be controlled by setting an expiration date as part of the enrichment. In addition, URLs can be attached to enrichments (so that users can click on the link to see more detailed information about the enrichment by, for example, going to the VirusTotal web page for that indicator).

Finally, enrichments can now set reputation indicators. These indicators will be visible anywhere in the UI that the Entity is displayed. Where there is sufficient room, a color-coded text label will be displayed (as in the example above); in other situations, an icon will be displayed instead.

The reputation is not set automatically; the enrichment must pass a reputation to CSE. More information about this, and the other new features, is available in online documentation.

Minor Changes and Enhancements

  • [Updated] The Entity Relationship Graph view on Insights has exited open Beta and is now fully supported.
  • [New] When using custom columns with Match Lists, CIDR block matches are now supported with IP address-related fields.
  • [New] When referring to Match Lists, specific columns can now be specified in rule conditions for all Match List types. (Previously this functionality was only available for Threat Intelligence lists.)

Minor Changes and Enhancements

  • [New] When logs fail to parse or map, a detailed error message will be logged in the sec_record_failure index, in the fields.reason attribute.
  • [New] Where possible, private domains are now automatically enriched by CSE during record processing.
  • [Updated] Insight comments can now contain up to 1024 characters (up from 256).
  • [New] On the list of Rule Tuning Expressions, each Tuning Expression now lists the number of Rules to which it is currently applied.
  • [New] For First Seen Rules, the UI will display the baseline model status (i.e., building, with amount of progress, or complete). (Note it will only display the status on Rules that were created or updated after this feature became available.)

Bug Fixes

  • In some cases, inventory data from an AWS EC2 source was not being displayed in CSE properly.
  • For Yara-based signals with file attachments, users were unable to download the file.
  • Occasionally, some related Entities were not visible in the Insight Related Entities graph but were included correctly on the list.
  • Entity suppression state was being reported incorrectly on several screens.
  • The Manage Entity Groups permission was required to view Entity Groups. Now only View Entity Groups is required.
  • Links to the CSE API no longer require a trailing slash.

Minor Changes and Enhancements

  • [New] The Entity Timeline can now be filtered by record type:

Entity Timeline Filter

Bug Fixes

  • When an Entity normalization lookup table was deleted and then re-created in the Sumo platform, the configuration in CSE was not automatically updated, causing the normalization to fail.
  • Match lists with custom columns were not working properly during record processing.
  • The Network Blocks section was missing from the Entity details panel.
  • Links for schema tags were not displaying in the UI properly.

Entity Relationship Graph

We are excited to announce the new Entity Relationship Graph. With this feature, you can now see a graphical visualization of all related Entities in an Insight, as well as additional relationships beyond the Insight. This enables you to more quickly understand relationships among Entities and the larger context behind a potential security threat.

note

This feature is available to all customers but is currently in Beta. If you encounter any issues with this feature, report them to Sumo Logic Support. We appreciate your feedback.

The Entity Relationship Graph (and the Related Entities list) displays all Entities involved in the Insight (those referred to in a record in a Signal in the Insight) as well as additional Entity relationships (for example, if CSE detects an IP address may also have had a specific hostname at the time the Insight was generated).

However, unlike the Related Entities list, the graph can visualize additional Entity relationships that existed outside of the Insight during a specified time frame.

Both the list and this new graph are available on the Entities tab of the Insight details page:

The Entity Relationship Graph UI

You can toggle between the list view and the graph view using the control in the upper-right corner of the main panel.

Each node in the graph represents a single Entity. The graph also displays the relationship types and any Indicators. Hovering over an Entity will highlight it and all of its relationships to other Entities, and when an Entity is selected, details about the Entity are displayed on the right.

The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.

For more information about how to use the Entity Relationship Graph, see the online documentation. You will also see an introduction to the feature the first time you visit an Insight details page.

Minor Changes and Enhancements

  • [New] First Seen Rules now support the use of non-normalized record fields.
  • [New] When a file is attached to a Signal, it is now available via API (previously it would only be available if part of a Yara Signal or Threat Intel match). The endpoint is /api/v1/extracted-file?filename=
  • [Update] The default time frame on the Entity Timeline is now 3 days instead of 24 hours.
  • [Update] The http v2 Insight Action payload now includes a numeric severity value (1-4) in addition to the human-readable severity name (LOW, MEDIUM, HIGH, CRITICAL).
  • [Update] On the new Active Entities panel on the HUD, if the Entity is a Username, you can now navigate directly to that Entity’s Timeline by hovering over the Entity name and clicking the link.

Bug Fixes

  • In some cases, CSE was unable to properly extract the user name from an AWS ARN.
  • A recent change caused checkboxes to malfunction in Firefox.
  • On the Entity Timeline record details, the timestamp wasn’t displaying properly.

First Seen Rules

Sumo Logic is pleased to announce new features in Cloud SIEM Enterprise (CSE) that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.

The first feature is called a First Seen Rule. With this new rule type, CSE can detect events such as "the first time a user logs in from a new location" without having to define a rule expression that is unique to each user in your environment (and the location(s) from which they usually log in). Other examples include detecting the unusual granting of administrative privileges, Windows recon commands, AWS Secrets Manager API calls, API gateway enumeration, and more.

First Seen Rules are defined like any other rule type, through the Content menu in CSE.

A First Seen Rule definition

First Seen Rules operate based on a baseline. During this period of time - typically between 7 and 30 days - the system will learn what normal and expected behavior looks like. After the baseline is established, CSE will begin generating Signals when unusual behavior is detected compared to that baseline. Baselines can be per-entity or global. (Note that the longer the baseline, the more accurate the model will be.)

CSE will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.

For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the CSE UI.
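The following is an added illustration, not Sumo Logic's code: a minimal First Seen detector for the "first login from a new location" case described above. During the baseline window it records the values seen; afterwards it emits a Signal the first time a value appears that is not in the learned set. Both baseline scopes mentioned above are shown: per-entity (new for this user) and global (new for the whole org). The class, sample records and timestamps are constructed for illustration; CSE's actual implementation is not documented on this page.

```python
"""Added example (not Sumo Logic code): First Seen detection with per-entity
or global baselines. The logic and sample data are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FirstSeenSignal:
    entity: str
    value: str
    scope: str          # "entity" or "global"
    seen_at: datetime


class FirstSeenRule:
    def __init__(self, baseline_start, baseline_days, scope="entity"):
        if scope not in ("entity", "global"):
            raise ValueError("scope must be 'entity' or 'global'")
        self.baseline_end = baseline_start + timedelta(days=baseline_days)
        self.scope = scope
        # per-entity: one set of values per entity; global: a single shared set
        self._seen = defaultdict(set)

    def _key(self, entity):
        return entity if self.scope == "entity" else "*"

    def observe(self, entity, value, ts):
        """Feed one record. Returns a Signal if the value is new for the scope and the
        baseline period is over, else None. Every value (baseline or signalled) is added
        to the learned set, so a given value is signalled at most once per scope key."""
        seen = self._seen[self._key(entity)]
        is_new = value not in seen
        seen.add(value)
        if is_new and ts >= self.baseline_end:
            return FirstSeenSignal(entity, value, self.scope, ts)
        return None


def run_rule(records, rule):
    """Replay (entity, value, timestamp) records in order and collect Signals."""
    return [s for s in (rule.observe(e, v, t) for e, v, t in records) if s]


# Constructed sample records: (user, login location, timestamp). 7-day baseline.
T0 = datetime(2023, 4, 1)
RECORDS = [
    ("alice", "Austin", T0 + timedelta(days=1)),
    ("bob", "Denver", T0 + timedelta(days=2)),
    ("alice", "Austin", T0 + timedelta(days=3)),
    # baseline ends at T0 + 7 days; everything below is evaluated
    ("alice", "Denver", T0 + timedelta(days=8)),   # new for alice, already seen globally
    ("alice", "Denver", T0 + timedelta(days=9)),   # repeat: no signal in either scope
    ("carol", "Denver", T0 + timedelta(days=9)),   # carol has no baseline history at all
    ("bob", "Lagos", T0 + timedelta(days=10)),     # new for bob and new for the org
]

if __name__ == "__main__":
    for scope in ("entity", "global"):
        for s in run_rule(RECORDS, FirstSeenRule(T0, 7, scope)):
            print(f"[{s.scope}] {s.entity} first seen at {s.value} on {s.seen_at:%Y-%m-%d}")
```

The carol record shows a caveat of per-entity baselines: an Entity that first appears after the baseline window produces a Signal on its very first record, which a global baseline would not.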

Entity Timeline

Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:

The Entity Timeline

This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.

Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.

The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.

For more information about how to use the Entity Timeline, see the online documentation.

Minor Changes and Enhancements

  • [Updated] Entities listed in the Signals index (sec_signal) now include criticality and suppressed attributes (which reflect the state of those Entities when the Signal was generated).
  • [New] The CSE API now supports searching the Threat Intelligence data by sourceName.
  • [Updated] The Threat Intelligence API GetThreatIntelIndicators endpoint now supports data sets of more than 10,000 indicators.
  • [Updated] The Insights API now supports searching (filtering) by confidence score.
  • [Updated] CSE now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
  • [Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
  • [New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.

Bug Fixes

  • The consolidated Insight ‘board’ view was not displaying properly in some instances.
  • An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
  • The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
  • The Insight creation source label was not positioned properly when scrolling an Insight Details page.
  • Entity notes could not be deleted.

Active Entities Panel

To help analysts detect potential security issues as early as possible, a new panel has been added to the Heads Up Display (HUD):

Screenshot of the new Active Entities panel in CSE

This panel lists the top five most active entities, ranked by Signal Severity Total. This metric, which was introduced with the Related Entities enhancement last year, is the total sum of the severities of all unique Signals the Entity appears in during the current Insight detection window (typically, the past 14 days).

The count of Active Signals (Signals within the detection window that have not been included in an Insight) is also listed.

When hovering over the Entity value, the Entity’s type will be displayed. The Entity value is a link to that Entity’s details page.

Analysts can use this tool to investigate what appears to be risky activity and proactively address potential security issues before they are raised to the level of an Insight.
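The following is an added illustration, not Sumo Logic's code, of how a Signal Severity Total as described above (and in the Signal Severity Total and global Signal Suppression notes earlier on this page) can be computed from a list of Signals. Assumptions: a duplicate is a Signal with the same name and Entity within the suppression period (72 hours by default) after an earlier counted Signal; the detection window is the trailing 14 days; severities map to 1-4 as in the numeric scale mentioned for http v2 Insight Action payloads. The sample Signals are constructed.

```python
"""Added example (not Sumo Logic code): Signal Severity Total per Entity over the
detection window, excluding suppressed Signals and duplicates inside the suppression
period. Duplicate semantics and sample data are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class SignalRec:
    name: str            # rule name that generated the Signal
    entity: str
    severity: str        # LOW / MEDIUM / HIGH / CRITICAL
    created: datetime
    suppressed: bool = False   # e.g. the Entity was on a suppression list


def severity_totals(signals, now, detection_days=14, suppression_hours=72):
    """Sum severities of unique, non-suppressed Signals per Entity within the window.
    A Signal with the same (name, entity) as a Signal counted less than
    suppression_hours earlier is treated as a duplicate and does not count."""
    window_start = now - timedelta(days=detection_days)
    suppression = timedelta(hours=suppression_hours)
    totals = defaultdict(int)
    last_counted = {}    # (name, entity) -> created time of the last counted Signal
    for s in sorted(signals, key=lambda s: s.created):
        if s.suppressed or s.created < window_start or s.created > now:
            continue
        key = (s.name, s.entity)
        prev = last_counted.get(key)
        if prev is not None and s.created - prev < suppression:
            continue     # duplicate inside the suppression period
        last_counted[key] = s.created
        totals[s.entity] += SEVERITY[s.severity]
    return dict(totals)


def top_active(signals, now, n=5, **kwargs):
    """Rank Entities by Signal Severity Total, highest first (ties by name)."""
    totals = severity_totals(signals, now, **kwargs)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample Signals relative to a fixed "now".
NOW = datetime(2023, 7, 15, 12, 0)


def sample_signals():
    d, h = timedelta(days=1), timedelta(hours=1)
    return [
        SignalRec("Brute Force Login", "alice", "HIGH", NOW - 5 * d),        # counts: 3
        SignalRec("Brute Force Login", "alice", "HIGH", NOW - 1 * d),        # 4 days later: 3
        SignalRec("Brute Force Login", "alice", "HIGH", NOW - 1 * d + h),    # duplicate: 0
        SignalRec("Suspicious Process", "alice", "LOW", NOW - 2 * d),        # counts: 1
        SignalRec("Brute Force Login", "bob", "CRITICAL", NOW - 3 * d),      # counts: 4
        SignalRec("Brute Force Login", "bob", "CRITICAL", NOW - 20 * d),     # outside window
        SignalRec("Port Scan", "10.0.0.5", "MEDIUM", NOW - 10 * d),          # counts: 2
        SignalRec("Port Scan", "10.0.0.5", "MEDIUM", NOW - 1 * d, True),     # suppressed
    ]


if __name__ == "__main__":
    for entity, total in top_active(sample_signals(), NOW):
        print(f"{entity}: Signal Severity Total {total}")
```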

Minor Changes and Enhancements

  • [New] When looking at Signals in the new sec_signal index, attributes and values in array fields are now properly supported by auto-parsing, syntax like count by, and features like right-click > filter selected value.
  • [New] An attribute attackStage has been added to the new sec_signal index. This attribute summarizes the MITRE attack stage represented by the rule which triggered the signal. The value is defined the same way as the attack_stage attribute included in the older Signal forwarding feature.
  • [Updated] The subResolution attribute is now included in the Insight payload for http v2 actions.
  • [Updated] The way Release Notes are listed in the CSE UI is changing. There is no longer a “bell” item on the top menu; it has been replaced with a link to the Release Notes page in the Help menu. In addition, Release Notes are now directly visible in the UI when they are published.
  • [New] When executing a context action on a Signal, fields will now be passed to the context action if they are available based on the record(s) in context.

Bug Fixes

  • The “Radar” graph of records, Signals and Insights on the HUD has been updated so that the discontinuity at the top of the Signals section of the graph has been removed.
  • When viewing the raw log message corresponding to a normalized record, the wrong message was displayed.
  • The Network Block(s) associated with an Entity were not listed on the Entity details page.
  • When testing Rule expressions, sometimes the selected Tuning expression was not included.
  • Changes to entity tags or Criticality were not being listed on the History section of the Entity.
  • Entity Criticality was sometimes not displaying properly on the Insight details page.

Minor Changes and Enhancements

  • [Updated] On the HUD, the Insight Activity widget has been updated. When selecting the Insight to display, the HUD will now choose based on this order of preference: In “New”, Unassigned, Highest GIS Confidence Score, Highest Severity, Newest. In addition, the design has been updated to improve readability.
  • [New] Users who wish to substitute custom Insight status(es) for the built-in “In Progress” status can now do so. After creating and organizing the custom status(es), the user can disable the “In Progress” status. (It cannot be deleted.) Note that it can be disabled only if there are no Insights currently set to “In Progress.”
  • Changes to Entity tags and criticality now appear in the Entity’s change history list.
  • The Sumo Terraform provider now includes support for custom columns in match lists.
  • Kubernetes (k8s) attribute fields are now normalized to include the namespace. The normalized fields are: normalizedPodName, normalizedDeploymentName, and normalizedReplicaSetName.

Resolved Issues

  • Some Insights could not be closed via the UI (though they could via API).
  • In the consolidated (parent/child) Insight view, in “Board” mode, scrolling was not working properly. In addition, links to other orgs had an error in the URL (a duplicate “/sec”).

Copyright © 2023 by Sumo Logic, Inc.