
5 posts tagged with "cloud siem release notes"


Entity Relationship Graph

We are excited to announce the new Entity Relationship Graph. With this feature, you can now see a graphical visualization of all related Entities in an Insight, as well as additional relationships beyond the Insight. This enables you to more quickly understand relationships among Entities and the larger context behind a potential security threat.

note

This feature is available to all customers but is currently in Beta. If you encounter any issues with this feature, report them to Sumo Logic Support. We appreciate your feedback.

The Entity Relationship Graph (and the Related Entities list) displays all Entities involved in the Insight (those referred to in a record in a Signal in the Insight) as well as additional Entity relationships (for example, if Cloud SIEM determines that an IP address also had a specific hostname at the time the Insight was generated).

However, unlike the Related Entities list, the graph can visualize additional Entity relationships that existed outside of the Insight during a specified time frame.

Both the list and this new graph are available on the Entities tab of the Insight details page:

The Entity Relationship Graph UI

You can toggle between the list view and the graph view using the control in the upper-right corner of the main panel.

Each node in the graph represents a single Entity. The graph also displays the relationship types and any Indicators. Hovering over an Entity will highlight it and all of its relationships to other Entities, and when an Entity is selected, details about the Entity are displayed on the right.

The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.
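To make the difference between the Related Entities list and the graph concrete, the following is an added example in Python; it is not Cloud SIEM code, and the record layout, the field-to-Entity-type mapping (ENTITY_FIELDS), the IP-to-hostname observation feed and all sample values are constructed assumptions. It resolves the hostname an IP carried at the time the Insight was generated (the list view), then widens to records outside the Insight that fall inside a chosen time frame and share an Entity with it (the graph view).

```python
from datetime import datetime


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample data (not Cloud SIEM data). Field names are assumptions.
INSIGHT_TIME = _t("2023-03-10T02:10:00")
INSIGHT_RECORDS = [  # records referenced by the Signals in the Insight
    {"time": "2023-03-10T02:00:00", "user": "alice", "srcIp": "10.0.0.5"},
    {"time": "2023-03-10T02:05:00", "user": "alice", "srcIp": "10.0.0.5", "dstHost": "dc01"},
]
OTHER_RECORDS = [  # records that are not part of the Insight
    {"time": "2023-03-09T20:00:00", "user": "bob", "srcIp": "10.0.0.5"},
    {"time": "2023-01-15T20:00:00", "user": "mallory", "srcIp": "10.0.0.5"},
]
# (ip, hostname, observed-at): a hypothetical feed of which hostname an IP had when.
IP_HOSTNAME_OBS = [
    ("10.0.0.5", "ws-guest", "2023-02-01T00:00:00"),
    ("10.0.0.5", "ws-alice", "2023-03-09T23:00:00"),
]
ENTITY_FIELDS = {"user": "username", "srcIp": "ip", "dstHost": "hostname"}


def entities_in(record):
    """Entities referenced by one record, as (type, value) pairs."""
    return {(ENTITY_FIELDS[f], v) for f, v in record.items() if f in ENTITY_FIELDS}


def hostname_at(ip, when, obs=IP_HOSTNAME_OBS):
    """Most recent hostname observed for `ip` at or before `when`, else None."""
    cands = [(_t(t), h) for i, h, t in obs if i == ip and _t(t) <= when]
    return max(cands)[1] if cands else None


def related_entities(insight_records=INSIGHT_RECORDS, insight_time=INSIGHT_TIME):
    """What the Related Entities list shows: Entities in the Insight's records,
    plus the hostname each IP Entity carried when the Insight was generated."""
    ents = set().union(*(entities_in(r) for r in insight_records))
    for kind, val in list(ents):
        if kind == "ip":
            host = hostname_at(val, insight_time)
            if host:
                ents.add(("hostname", host))
    return ents


def relationship_graph(start, end, insight_records=INSIGHT_RECORDS,
                       other_records=OTHER_RECORDS, insight_time=INSIGHT_TIME):
    """What the graph can show in addition: relationships from records outside
    the Insight, limited to the [start, end] time frame. Returns (nodes, edges)."""
    nodes = related_entities(insight_records, insight_time)
    edges = set()

    def link(ents, rel):
        for a in ents:
            for b in ents:
                if a < b:  # undirected co-occurrence, stored once
                    edges.add((a, rel, b))

    for r in insight_records:
        link(entities_in(r), "co-occurs (insight)")
    for r in other_records:
        if not (start <= _t(r["time"]) <= end):
            continue  # outside the selected time frame
        ents = entities_in(r)
        if ents & nodes:  # only records that touch an Entity already in the graph
            nodes |= ents
            link(ents, "co-occurs (outside insight)")
    for kind, val in list(nodes):
        if kind == "ip":
            host = hostname_at(val, insight_time)
            if host:
                edges.add(((kind, val), "had hostname", ("hostname", host)))
    return nodes, edges
```

With a two-day frame around the Insight, bob (who used 10.0.0.5 the evening before) joins the graph while mallory (January) does not; widening the frame to include January pulls mallory in. The hostname edge always resolves to the name the IP had at Insight time, not the most recent one in the feed.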

For more information about how to use the Entity Relationship Graph, see the online documentation. You will also see an introduction to the feature the first time you visit an Insight details page.

Minor Changes and Enhancements

  • [New] First Seen Rules now support the use of non-normalized record fields.
  • [New] When a file is attached to a Signal, it is now available via the API (previously it was available only if it was part of a YARA Signal or a Threat Intel match). The endpoint is /api/v1/extracted-file?filename=
  • [Update] The default time frame on the Entity Timeline is now 3 days instead of 24 hours.
  • [Update] The http v2 Insight Action payload now includes a numeric severity value (1-4) in addition to the human-readable severity name (LOW, MEDIUM, HIGH, CRITICAL).
  • [Update] On the new Active Entities panel on the HUD, if the Entity is a Username, you can now navigate directly to that Entity’s Timeline by hovering over the Entity name and clicking the link.

Bug Fixes

  • In some cases, Cloud SIEM was unable to properly extract the user name from an AWS ARN.
  • A recent change caused checkboxes to malfunction in Firefox.
  • On the Entity Timeline record details, the timestamp wasn’t displaying properly.

First Seen Rules

Sumo Logic is pleased to announce new features in Cloud SIEM that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.

The first feature is called a First Seen Rule. With this new rule type, Cloud SIEM can detect events such as "the first time a user logs in from a new location" without a rule expression that is unique to each user in your environment and the location(s) from which that user usually logs in. Other examples include detecting the unusual granting of administrative privileges, Windows reconnaissance commands, AWS Secrets Manager API calls, API Gateway enumeration, and more.

First Seen Rules are defined like any other rule type, through the Content menu in Cloud SIEM.

A First Seen Rule definition

First Seen Rules operate on a baseline. During this learning period, typically between 7 and 30 days, the system records what normal, expected behavior looks like. Once the baseline is established, Cloud SIEM generates a Signal when it observes behavior that does not match the baseline. Baselines can be per-entity or global. A longer baseline captures more of the legitimate but infrequent behavior (a monthly administrative task, for example) and therefore produces fewer false-positive Signals; the trade-off is that anything that happens during the baseline is learned as normal, so the baseline should cover a period you are confident was clean.

Cloud SIEM will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.
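To show what a baseline does in practice, here is an added example in Python that emulates a First Seen Rule over a few constructed login records; it is not Cloud SIEM code and does not reproduce its rule syntax. The FirstSeenRule class, the GLOBAL sentinel, the record layout and the sample values are assumptions for illustration. Values are learned for the length of the baseline (measured from the first observation of the entity, or of anything at all for a global rule) and a Signal fires only when a value that was never learned appears afterwards. The scope switch shows why a per-entity baseline fires for bob's first login from BR while a global one does not, because alice had already been seen from BR.

```python
from datetime import datetime, timedelta

# Constructed sample records (not Cloud SIEM data): (user, login country, UTC time).
RECORDS = [
    ("alice", "US", "2023-03-01T09:00:00"),
    ("alice", "US", "2023-03-03T09:00:00"),
    ("bob",   "DE", "2023-03-02T10:00:00"),
    ("alice", "US", "2023-03-09T09:00:00"),  # baseline over, value already learned
    ("alice", "BR", "2023-03-10T02:00:00"),  # new for alice, and new globally
    ("bob",   "BR", "2023-03-11T02:00:00"),  # new for bob, already known globally
    ("carol", "US", "2023-03-12T08:00:00"),  # carol's baseline has only just begun
]

GLOBAL = "__global__"  # assumed key used for global-scope baselines


class FirstSeenRule:
    """Learn values during a baseline window, then emit a Signal the first
    time a value that was never learned appears after the window."""

    def __init__(self, name, baseline_days, scope="entity"):
        self.name = name
        self.baseline = timedelta(days=baseline_days)
        self.scope = scope            # "entity" (per-entity) or "global"
        self.seen = {}                # key -> set of values already observed
        self.baseline_start = {}      # key -> time the key was first observed

    def _key(self, entity):
        return entity if self.scope == "entity" else GLOBAL

    def process(self, entity, value, ts):
        """Return a Signal dict for a first-seen value, or None."""
        key = self._key(entity)
        start = self.baseline_start.setdefault(key, ts)
        known = self.seen.setdefault(key, set())
        in_baseline = ts - start < self.baseline
        is_new = value not in known
        known.add(value)              # every observation extends the model
        if in_baseline or not is_new:
            return None
        return {"rule": self.name, "entity": entity, "value": value,
                "time": ts.isoformat()}


def run(rule, records=RECORDS):
    """Feed records in time order; return (entity, value) of each Signal."""
    signals = []
    for entity, value, ts in sorted(records, key=lambda r: r[2]):
        sig = rule.process(entity, value, datetime.fromisoformat(ts))
        if sig:
            signals.append((sig["entity"], sig["value"]))
    return signals
```

Records must be fed in time order, which `run` enforces by sorting; out-of-order delivery would otherwise move the baseline start and change which values count as learned. Raising the baseline to 30 days on the same data produces no Signals at all, since every record then falls inside the learning period.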

For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the Cloud SIEM UI.

Entity Timeline

Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:

The Entity Timeline

This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.

Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.

The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.

For more information about how to use the Entity Timeline, see the online documentation.

Minor Changes and Enhancements

  • [Updated] Entities listed in the Signals index (sec_signal) now include criticality and suppressed attributes (which reflect the state of those Entities when the Signal was generated).
  • [New] The Cloud SIEM API now supports searching the Threat Intelligence data by sourceName.
  • [Updated] The Threat Intelligence API GetThreatIntelIndicators endpoint now supports data sets of more than 10,000 indicators.
  • [Updated] The Insights API now supports searching (filtering) by confidence score.
  • [Updated] Cloud SIEM now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
  • [Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
  • [New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.

Bug Fixes

  • The consolidated Insight ‘board’ view was not displaying properly in some instances.
  • An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
  • The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
  • The Insight creation source label was not positioned properly when scrolling an Insight Details page.
  • Entity notes could not be deleted.

Rules

  • [New] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [New] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [New] FIRST-S00004 First Seen Local Group Addition by User
  • [New] FIRST-S00005 First Seen User Creation From User
  • [New] FIRST-S00006 First Seen Weak Kerberos Encryption from User
  • [New] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [New] FIRST-S00008 First Seen whoami command From User
  • [New] FIRST-S00009 First Seen RDP From User
  • [New] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [New] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [New] FIRST-S00012 First Seen Sysmon IMPHASH - Host
  • [New] FIRST-S00013 First Seen Driver Load - Global
  • [New] FIRST-S00014 First Seen Driver Load - Host
  • [New] FIRST-S00015 First Seen Macro Execution from User
  • [New] FIRST-S00016 First Seen Non-Network Logon from User
  • [New] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [New] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [New] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [New] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [New] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [New] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [New] FIRST-S00023 First Seen AWS API Gateway Enumeration By User
  • [New] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [New] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [New] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [New] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [New] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications

Log Mappers

  • [New] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand

Active Entities Panel

To help analysts detect potential security issues as early as possible, a new panel has been added to the Heads Up Display (HUD):

Screenshot of the new Active Entities panel in Cloud SIEM

This panel lists the five most active Entities, ranked by Signal Severity Total. This metric, introduced with the Related Entities enhancement last year, is the sum of the severities of all unique Signals the Entity appears in during the current Insight detection window (typically the past 14 days).

The count of Active Signals (Signals within the detection window that have not been included in an Insight) is also listed.

When hovering over the Entity value, the Entity’s type will be displayed. The Entity value is a link to that Entity’s details page.

Analysts can use this panel to investigate what appears to be risky activity and, where warranted, to act on security issues proactively before they rise to the level of an Insight.
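The following added Python example computes the two numbers the panel shows, Signal Severity Total and the Active Signals count, over a handful of constructed Signals; it is not Cloud SIEM code, and the Signal layout ("id", "severity", "time", "in_insight", "entities"), the NOW constant and the sample values are assumptions. It shows the two details that matter when reproducing the metric: a Signal counts once per Entity no matter how many of its records name that Entity (and a duplicate delivery of the same Signal id is ignored), and Signals older than the detection window contribute nothing.

```python
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2023-06-15T00:00:00")
DETECTION_WINDOW = timedelta(days=14)

# Constructed sample Signals (not Cloud SIEM data). Severity is the 1-4 scale
# (LOW=1 ... CRITICAL=4); "in_insight" marks Signals already grouped into an Insight.
SIGNALS = [
    {"id": "s1", "severity": 4, "time": "2023-06-14T10:00:00", "in_insight": True,
     "entities": ["alice", "10.0.0.5"]},
    {"id": "s2", "severity": 2, "time": "2023-06-13T10:00:00", "in_insight": False,
     "entities": ["alice", "alice"]},          # same Entity named by two records
    {"id": "s2", "severity": 2, "time": "2023-06-13T10:00:00", "in_insight": False,
     "entities": ["alice"]},                   # duplicate delivery of s2
    {"id": "s3", "severity": 3, "time": "2023-05-20T10:00:00", "in_insight": False,
     "entities": ["alice"]},                   # older than the 14-day window
    {"id": "s4", "severity": 1, "time": "2023-06-12T10:00:00", "in_insight": False,
     "entities": ["10.0.0.5"]},
    {"id": "s5", "severity": 3, "time": "2023-06-10T10:00:00", "in_insight": False,
     "entities": ["bob"]},
]


def active_entities(signals=SIGNALS, now=NOW, window=DETECTION_WINDOW, top=5):
    """Return (entity, signal_severity_total, active_signals) for the top N
    Entities, ordered by severity total (ties broken by Entity value)."""
    window_start = now - window
    totals, active, counted = {}, {}, set()
    for sig in signals:
        ts = datetime.fromisoformat(sig["time"])
        if sig["id"] in counted or not (window_start <= ts <= now):
            continue  # duplicate Signal ids and stale Signals do not count
        counted.add(sig["id"])
        for entity in set(sig["entities"]):  # each Signal counts once per Entity
            totals[entity] = totals.get(entity, 0) + sig["severity"]
            if not sig["in_insight"]:  # active = not yet part of an Insight
                active[entity] = active.get(entity, 0) + 1
    ranked = sorted(totals, key=lambda e: (-totals[e], e))
    return [(e, totals[e], active.get(e, 0)) for e in ranked[:top]]
```

On the sample data alice ranks first with a total of 6 (s1 plus s2, with s3 excluded by the window) but only one Active Signal, because s1 is already in an Insight; this is the situation the panel is meant to surface, an Entity accumulating severity that has not yet produced a new Insight.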

Minor Changes and Enhancements

  • [New] When looking at Signals in the new sec_signal index, attributes and values in array fields are now properly supported by auto-parsing, syntax like count by, and features like right-click > filter selected value.
  • [New] An attribute attackStage has been added to the new sec_signal index. This attribute summarizes the MITRE ATT&CK stage represented by the rule that triggered the Signal. The value is defined the same way as the attack_stage attribute included in the older Signal forwarding feature.
  • [Updated] The subResolution attribute is now included in the Insight payload for http v2 actions.
  • [Updated] The way Release Notes are listed in the Cloud SIEM UI is changing. There is no longer a “bell” item on the top menu; it has been replaced with a link to the Release Notes page in the Help menu. In addition, Release Notes are now directly visible in the UI when they are published.
  • [New] When executing a context action on a Signal, fields will now be passed to the context action if they are available based on the record(s) in context.

Bug Fixes

  • The “Radar” graph of records, Signals and Insights on the HUD has been updated so that the discontinuity at the top of the Signals section of the graph has been removed.
  • When viewing the raw log message corresponding to a normalized record, the wrong message was displayed.
  • The Network Block(s) associated with an Entity were not listed on the Entity details page.
  • When testing Rule expressions, sometimes the selected Tuning expression was not included.
  • Changes to entity tags or Criticality were not being listed on the History section of the Entity.
  • Entity Criticality was sometimes not displaying properly on the Insight details page.

Minor Changes and Enhancements

  • [Updated] On the HUD, the Insight Activity widget has been updated. When selecting the Insight to display, the HUD will now choose based on this order of preference: In “New”, Unassigned, Highest GIS Confidence Score, Highest Severity, Newest. In addition, the design has been updated to improve readability.
  • [New] Users who wish to substitute custom Insight status(es) for the built-in "In Progress" status can now do so. After creating and organizing the custom status(es), the user can disable the "In Progress" status. (It cannot be deleted.) Note that it can be disabled only if no Insights are currently set to "In Progress."
  • Changes to Entity tags and criticality now appear in the Entity’s change history list.
  • The Sumo Terraform provider now includes support for custom columns in match lists.
  • Kubernetes (k8s) attribute fields are now normalized to include the namespace. The normalized fields are: normalizedPodName, normalizedDeploymentName, and normalizedReplicaSetName.

Resolved Issues

  • Some Insights could not be closed via the UI (though they could via API).
  • In the consolidated (parent/child) Insight view, in “Board” mode, scrolling was not working properly. In addition, links to other orgs had an error in the URL (a duplicate “/sec”).

Copyright © 2023 by Sumo Logic, Inc.