
10 posts tagged with "content update"


This content release includes a corrective update to a match rule summary expression and a log mapping bug fix. Changes are enumerated below.

  • Rules
    • [Updated] MATCH-S00137 Office Application or Browser Launching Shell
      • Fixed a typo in the summary expression key
      • Keys updated: summary_expression, normalized_summary
  • Log Mappers
    • [Updated] Microsoft Office 365 Active Directory Authentication Events
      • Office_365 Mapping Correction
      • Keys updated: user_userId

This content release includes updated log mappers for Windows Sysmon as enumerated below.

Log Mappers

  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules

  • [Updated] MATCH-S00610 PSExec Named Pipe Created by Non-PsExec Process
    • Expression Key updated
  • [Updated] MATCH-S00159 Windows - Permissions Group Discovery
    • Removed First Seen language from the match rule

Log Mappers

  • [New] Cato Networks Security Events - Catch All
  • [New] Windows - Security - 5156
  • [Updated] 1Password Item Audit Actions
    • Updated event id pattern
  • [Updated] 1Password Item Usage Actions
    • Updated event id pattern
  • [Updated] Azure Application Service Console Logs
    • Azure Custom Parser Normalized Severity key update
  • [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
    • Azure Custom Parser Normalized Severity key update
  • [Updated] Azure Risky Users
    • Azure Custom Parser Normalized Severity key update
  • [Updated] Azure User Risk Events
    • Azure Custom Parser Normalized Severity key update
  • [Updated] Microsoft Defender for Cloud - Security Alerts
    • Azure Custom Parser Normalized Severity key update
  • [Updated] Okta Authentication - sso
    • Application key updated

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules

  • [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
    • Updated rule expression to reduce false positives.
  • [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event
    • Updated Severity from 4 to 1.
  • [Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
    • Fixed description and summary transposition and lowered severity from 3 to 1.

Log Mappers

Added a userAgent mapping to the Okta mappers listed below.

  • [New] Kaltura Audits
  • [Updated] Okta Authentication - auth_via_mfa
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All

Parsers

  • [New] /Parsers/System/Kaltura/Kaltura

This content release modifies and extends the Citrix Cloud C2C mappers to handle additional event types and to bring the existing event mapping into line with the new events. It also adds support for Code42 Incydr, Abnormal Security, and JumpCloud Directory Insights via C2C.

Log Mappers

  • [Deleted] Citrix Cloud Client
    • This mapping is replaced by new mappers for Citrix Cloud below
  • [New] Abnormal Security Threats
  • [New] Citrix Cloud Operation Logs
  • [New] Citrix Cloud System Logs
  • [New] Code42 Incydr Alerts C2C
  • [New] Code42 Incydr Audits C2C
  • [New] Code42 Incydr FileEvents C2C
  • [New] JumpCloud Directory Insights - Admin Logon
  • [New] JumpCloud Directory Insights - Catch All

Parsers

  • [New] /Parsers/System/Abnormal Security/Abnormal Security
  • [New] /Parsers/System/Code42/Code42 Incydr
  • [New] /Parsers/System/JumpCloud/JumpCloud Directory Insights
  • [Updated] /Parsers/System/Citrix/Citrix Cloud C2C

This release includes new log mapping and parsing content for Druva Cyber Resilience:

Log Mappers

  • [New] Druva Cyber Resilience - Admin Logon
  • [New] Druva Cyber Resilience - Catch All

Parsers

  • [New] /Parsers/System/Druva/Druva Cyber Resilience

Bug Fixes

  • Two rules, FIRST-S00052 and FIRST-S00049, were recently released to customers in error and soon began generating false positive Signals and Insights. These rules have been removed from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights.

This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below.

Log Mappers

  • [New] Trellix mVision ePO Threats
  • [New] Zero Networks Segment Audit Activity
  • [New] Zero Networks Segment Network Activity
  • [Updated] AzureActivityLog 01
    • Remapped Application from properties.clientAppUsed to properties.appDisplayName for consistency

Parsers

  • [New] /Parsers/System/Trellix/Trellix MVision EPO
  • [New] /Parsers/System/Zero Networks/Zero Networks Segment

This release includes minor mapping adjustments to Duo and Microsoft Graph Identity Protection risk logs. Specific changes are enumerated below.

Log Mappers

  • [Updated] Duo Security Admin API - Audit
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Authentication
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Non-User Audit Changes
    • Added mappings for source host and source IP
  • [Updated] Duo Security Admin API - Targeted User Audit Changes
    • Added mappings for source host and source IP
  • [Updated] Microsoft Graph Identity Protection API C2C - riskDetections
    • Added principal as primary user_username key
  • [Updated] Microsoft Graph Identity Protection API C2C - riskyUsers
    • Added principal as primary user_username key

Tip: For all the up-to-date Cloud SIEM content, see the Cloud SIEM Content Catalog.

This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&CK® tactic and technique tags.

Rules

  • [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
    • Updated name expression to reduce Insight false positives
  • [Updated] MATCH-S00686 Base64 Decode in Command Line
  • [Updated] MATCH-S00373 BlueMashroom DLL Load
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
  • [Updated] MATCH-S00705 Registry Modification - Authentication Package
  • [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
  • [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
  • [Updated] MATCH-S00379 WMIExec VBS Script
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
    • Corrected expression to exclude OS SID from user_userId; prior expression was incorrectly referencing SubjectLogonID
  • [Updated] MATCH-S00724 Windows Update Agent DLL Changed
  • [Updated] MATCH-S00435 XSL Script Processing
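The MATCH-S00570 correction above is the kind of bug that silently turns an exclusion into dead code. The following added example (not Sumo Logic's rule code) models it: the prior expression tested the OS SID against SubjectLogonID, a hex logon-session id that can never equal a SID, so the NOT clause was always true and SYSTEM-owned WmiPrvSE children still matched. Field names (user_userId, parentBaseImage, baseImage, and the made-up raw field fields_SubjectLogonId) follow the normalized schema as an assumption, the records are constructed, and the set of excluded SIDs is our choice, since the notes say only "OS SID".

```python
"""Added example (not Sumo Logic rule code): why the prior MATCH-S00570
expression fired on SYSTEM-owned spawns and what the corrected exclusion
looks like. Field names and records are assumptions for illustration."""

# Well-known Windows service SIDs under which WmiPrvSE normally spawns
# children. S-1-5-18 is SYSTEM; including LOCAL SERVICE and NETWORK
# SERVICE is an assumption (the notes say only "OS SID").
OS_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Constructed normalized process-creation records (not real telemetry).
# SubjectLogonId is a hex logon-session id (0x3e7 is SYSTEM's), never a SID.
SAMPLE_RECORDS = [
    {"parentBaseImage": "wmiprvse.exe", "baseImage": "powershell.exe",
     "user_userId": "S-1-5-18", "fields_SubjectLogonId": "0x3e7"},
    {"parentBaseImage": "wmiprvse.exe", "baseImage": "cmd.exe",
     "user_userId": "S-1-5-21-1004336348-1177238915-682003330-1001",
     "fields_SubjectLogonId": "0x5a1b2"},
    {"parentBaseImage": "explorer.exe", "baseImage": "cmd.exe",
     "user_userId": "S-1-5-21-1004336348-1177238915-682003330-1001",
     "fields_SubjectLogonId": "0x5a1b2"},
]


def rule_before(rec: dict) -> bool:
    """Prior expression: the parent check is right, but the exclusion is
    evaluated against the logon id, which never equals a SID, so the NOT
    clause is always true and the SYSTEM-owned spawn still fires."""
    return (rec.get("parentBaseImage", "").lower() == "wmiprvse.exe"
            and rec.get("fields_SubjectLogonId") not in OS_SIDS)


def rule_after(rec: dict) -> bool:
    """Corrected expression: exclude on the SID actually carried in user_userId."""
    return (rec.get("parentBaseImage", "").lower() == "wmiprvse.exe"
            and rec.get("user_userId") not in OS_SIDS)


def matching_indices(rule, records) -> list:
    """Indices of the records the given rule would turn into Signals."""
    return [i for i, rec in enumerate(records) if rule(rec)]


if __name__ == "__main__":
    # The SYSTEM-owned spawn (index 0) only disappears with the corrected rule.
    print("before:", matching_indices(rule_before, SAMPLE_RECORDS))
    print("after: ", matching_indices(rule_after, SAMPLE_RECORDS))
```

When reviewing a rule expression, check each exclusion against the field it actually reads: an exclusion that compares a value of one type (a logon id) with a constant of another (a SID) can never be true and will not show up as a syntax error.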

Log Mappers

  • [New] 1Password Item Audit Actions
  • [New] 1Password Item Usage Actions
  • [New] Zeek DNS Activity
  • [New] Zeek HTTP Activity
  • [New] Zeek conn Activity

Parsers

  • [New] /Parsers/System/1Password/1Password
  • [New] /Parsers/System/1PasswordC2C/1PasswordC2C
  • [New] /Parsers/System/Zeek/Zeek

Schema

  • [New] metadata_sourceBlockId
    • The _blockId of the original source log message (from Sumo Logic)
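Two of the mapper changes in these notes are easier to see side by side: the AzureActivityLog 01 remap of Application from properties.clientAppUsed to properties.appDisplayName, and the new metadata_sourceBlockId field that carries the source message's _blockId into the normalized record. The following is an added example, not Sumo Logic's mapper implementation; the mapper-table format, the normalized key names, the field paths and the sample message are assumptions, and the message is constructed.

```python
"""Added example (not Sumo Logic mapper code): a minimal path-based log
mapper showing the Application remap and the metadata_sourceBlockId field.
Mapper format, key names and the sample record are assumptions."""
import json


def lookup(doc, dotted_path):
    """Resolve a dotted path such as 'properties.appDisplayName'; None if absent."""
    cur = doc
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def apply_mapper(raw_json, mapper):
    """Build a normalized record from raw JSON; keys whose path is absent are dropped."""
    doc = json.loads(raw_json)
    normalized = {}
    for norm_key, path in mapper.items():
        value = lookup(doc, path)
        if value is not None:
            normalized[norm_key] = value
    return normalized


# Constructed Azure sign-in style message (not a real log). clientAppUsed
# describes the client type; appDisplayName names the target application.
SAMPLE_AZURE_LOG = json.dumps({
    "_blockId": "-7001234567890123456",
    "category": "SignInLogs",
    "properties": {
        "clientAppUsed": "Browser",
        "appDisplayName": "Azure Portal",
        "userPrincipalName": "alice@example.com",
        "ipAddress": "203.0.113.10",
    },
})

# Before: Application carried the client type, so every browser sign-in
# normalized to the same value regardless of the application reached.
MAPPER_BEFORE = {
    "user_username": "properties.userPrincipalName",
    "srcDevice_ip": "properties.ipAddress",
    "application": "properties.clientAppUsed",
}

# After: Application carries the application name, consistent with the other
# Azure mappers, and the source _blockId is preserved for pivoting back.
MAPPER_AFTER = {
    "user_username": "properties.userPrincipalName",
    "srcDevice_ip": "properties.ipAddress",
    "application": "properties.appDisplayName",
    "metadata_sourceBlockId": "_blockId",
}


def normalize_before():
    return apply_mapper(SAMPLE_AZURE_LOG, MAPPER_BEFORE)


def normalize_after():
    return apply_mapper(SAMPLE_AZURE_LOG, MAPPER_AFTER)


if __name__ == "__main__":
    print("before:", normalize_before())
    print("after: ", normalize_after())
```

The practical consequence of the remap is that rules and First Seen baselines keyed on Application now group by the application name rather than by client type; expect First Seen rules that use that field to re-baseline after the change.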

Copyright © 2024 by Sumo Logic, Inc.