
This release includes bug fixes for several rules using match lists using the "column" field in the rule expression.

Rules

  • [New] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address; External connections over the internet to port 445 could be indicative of hash leak attempts, including exploitation attempts for vulnerabilities such as CVE-2023-2397. This alert looks for a source IP address making a connection to an external destination IP address it has not connected to since the baseline period.
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country; Added additional logic to help reduce false positives
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force

Log Mappers

  • [New] OpenVPN Logon Attempt
  • [New] OpenVPN Network Event
  • [New] Snowflake Catch All
  • [New] Snowflake Login
  • [New] Windows Defender ATP Alert
  • [Updated] Netskope - Audit Authentication Events - Logoff; Made eventID match more permissive

Parsers

  • [New] /Parsers/System/Snowflake/Snowflake
  • [New] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON
  • [Updated] /Parsers/System/Cisco/Cisco ASA; Build/Teardown parsing bug fix
  • [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog; Added support for additional format

Within this content release, we have deprecated two of our First Seen rules due to low fidelity while we continue internal testing of similar detections. Additionally, we are releasing a new set of Carbon Black mappers, expanding on our existing normalization for the product.

Rules

  • [Deleted] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [Deleted] FIRST-S00012 First Seen Sysmon IMPHASH - Host

Log Mappers

  • [New] Carbon Black C2C Alert - DEVICE_CONTROL
  • [New] Carbon Black Cloud C2C API Call
  • [New] Carbon Black Cloud C2C Cross Process Event
  • [New] Carbon Black Cloud C2C File Modification
  • [New] Carbon Black Cloud C2C Module Load
  • [New] Carbon Black Cloud C2C Network Connection
  • [New] Carbon Black Cloud C2C Process Auditing
  • [New] Carbon Black Cloud C2C Registry Modification
  • [New] Carbon Black Cloud C2C Script Load
  • [New] Carbon Black Cloud C2C Watchlist Hit
  • [Updated] AWS Security Hub; Remaps the Action field to the more consistently present actionType field; maps cloud region, description, and accountId; and adjusts the mapper to use the collapsed single-item array field names.
  • [Updated] Squid Proxy - Parser; Made minor additions to allow for Bytes In and Out normalization

Parsers

  • [Updated] /Parsers/System/AWS/AWS Security Hub; Changes eventID to 'Title', which appears more consistently. Concatenates ResourceType and ID into a single strongly typed field. Collapses single-item arrays.
  • [Updated] /Parsers/System/Squid/Squid Proxy Syslog; Made minor additions to allow for Bytes In and Out parsing

Overall improvements to OOTB First Seen rules include minor baseline tweaks and severity adjustments for the following rules. For corrections involving logic adjustment, additional context is included within the individual rule. This update also adds Alternative Values for ProofPoint TAP Mappers.

Rules

  • [Updated] FIRST-S00002 First Seen AWS API Call from User; General logic improvement to filter on valid Identity type
  • [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User; General logic improvement to filter on valid application
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [Updated] FIRST-S00004 First Seen Local Group Addition by User
  • [Updated] FIRST-S00009 First Seen RDP Logon From User
  • [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
  • [Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global; Reconfigured to be disabled by default
  • [Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host; Reconfigured to be disabled by default
  • [Updated] FIRST-S00005 First Seen User Creation From User
  • [Updated] FIRST-S00008 First Seen whoami command From User

Log Mappers

  • [Updated] Proofpoint Targeted Attack Protection C2C - Click Blocked
  • [Updated] Proofpoint Targeted Attack Protection C2C - Click Permitted
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted

Minor Changes and Enhancements

  • [New] The Entity Timeline can now be filtered by record type:
Entity Timeline Filter

Bug Fixes

  • When an Entity normalization lookup table was deleted and then re-created in the Sumo platform, the configuration in CSE was not automatically updated, causing the normalization to fail.
  • Match lists with custom columns were not working properly during record processing.
  • The Network Blocks section was missing from the Entity details panel.
  • Links for schema tags were not displaying in the UI properly.

Rules

  • [New] CHAIN-S00013 GCP IDS Detection Followed by API Call; Detects a GCP IDS hit followed by an API call, indicating the source IP was able to gain access to GCP.
  • [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking; Adjusts "Slack - Possible Session Hijacking" to use 'sessionId' schema field.

Log Mappers

  • [New] GCP IDS; Mapper for GCP IDS events
  • [New] Netskope - Catch All; Added a 'Catch All' mapper for messages in which the event identifier is not available.
  • [New] Slack Login; Added mapping specific to logon success/failure events
  • [Updated] Slack Catch All; Adjusts the mapper to use the new sessionId schema field in place of sourceUid

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog; Adjusts the Cisco Firepower parser for some FTD events and corrects routing for Snort-like and ASA messages that pass through the Firepower parser.
  • [Updated] /Parsers/System/Google/GCP; Adds additional time format handling

Schema

  • [New] sessionId; An ephemeral and at least semi-unique identifier of a connection between two systems (e.g., HTTP session, user logon session, TCP session identifiers)

This release contains a new set of mappers for AWS CloudTrail Lambda function, permission, and event source changes, aligning those changes with our schema. In addition, it corrects the rerouted 'System' parser path for Snort-like formatted messages.

Log Mappers

  • [New] CloudTrail - lambda.amazonaws.com - AddLayerVersionPermission
  • [New] CloudTrail - lambda.amazonaws.com - AddPermission
  • [New] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - CreateFunction
  • [New] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig
  • [New] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - DeleteFunction
  • [New] CloudTrail - lambda.amazonaws.com - DeleteFunctionUrlConfig
  • [New] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - GetFunction
  • [New] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration
  • [New] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig
  • [New] CloudTrail - lambda.amazonaws.com - GetLayerVersionPolicy
  • [New] CloudTrail - lambda.amazonaws.com - GetPolicy
  • [New] CloudTrail - lambda.amazonaws.com - ListEventSourceMappings
  • [New] CloudTrail - lambda.amazonaws.com - ListFunctionUrlConfigs
  • [New] CloudTrail - lambda.amazonaws.com - ListFunctions
  • [New] CloudTrail - lambda.amazonaws.com - PublishLayerVersion
  • [New] CloudTrail - lambda.amazonaws.com - RemovePermission
  • [New] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping
  • [New] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode
  • [New] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration
  • [New] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig

Parsers

  • [Updated] /Parsers/System/Suricata/Suricata Syslog

Entity Relationship Graph

We are excited to announce the new Entity Relationship Graph. With this feature, you can now see a graphical visualization of all related Entities in an Insight, as well as additional relationships beyond the Insight. This enables you to more quickly understand relationships among Entities and the larger context behind a potential security threat.

Note: This feature is available to all customers but is currently in Beta. If you encounter any issues with this feature, report them to Sumo Logic Support. We appreciate your feedback.

The Entity Relationship Graph (and the Related Entities list) displays all Entities involved in the Insight (those referred to in a record in a Signal in the Insight) as well as additional Entity relationships (for example, if CSE detects an IP address may also have had a specific hostname at the time the Insight was generated).

However, unlike the Related Entities list, the graph can visualize additional Entity relationships that existed outside of the Insight during a specified time frame.

Both the list and this new graph are available on the Entities tab of the Insight details page:

The Entity Relationship Graph UI

You can toggle between the list view and the graph view using the control in the upper-right corner of the main panel.

Each node in the graph represents a single Entity. The graph also displays the relationship types and any Indicators. Hovering over an Entity will highlight it and all of its relationships to other Entities, and when an Entity is selected, details about the Entity are displayed on the right.

The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.

For more information about how to use the Entity Relationship Graph, see the online documentation. You will also see an introduction to the feature the first time you visit an Insight details page.

Minor Changes and Enhancements

  • [New] First Seen Rules now support the use of non-normalized record fields.
  • [New] When a file is attached to a Signal, it is now available via API (previously it would only be available if part of a Yara Signal or Threat Intel match). The endpoint is /api/v1/extracted-file?filename=
  • [Update] The default time frame on the Entity Timeline is now 3 days instead of 24 hours.
  • [Update] The http v2 Insight Action payload now includes a numeric severity value (1-4) in addition to the human-readable severity name (LOW, MEDIUM, HIGH, CRITICAL).
  • [Update] On the new Active Entities panel on the HUD, if the Entity is a Username, you can now navigate directly to that Entity’s Timeline by hovering over the Entity name and clicking the link.

Bug Fixes

  • In some cases, CSE was unable to properly extract the user name from an AWS ARN.
  • A recent change caused checkboxes to malfunction in Firefox.
  • On the Entity Timeline record details, the timestamp wasn’t displaying properly.

This release contains changes to how the Palo Alto Firewall CSV parser handles timestamps. Time parsing now relies on _messagetime metadata generated at collection time. This allows individual sources to set timezone information if it is not available in the raw message and as a result, reflect more accurate timestamps for records being created.

Rules

  • [New] MATCH-S00844 LastPass - Account Created
  • [New] MATCH-S00854 LastPass - Failed Login
  • [New] MATCH-S00846 LastPass - Folder Permissions Updated
  • [New] MATCH-S00855 LastPass - Login
  • [New] MATCH-S00847 LastPass - Master Password Changed
  • [New] MATCH-S00848 LastPass - Password Changed
  • [New] MATCH-S00849 LastPass - Personal Share
  • [New] MATCH-S00850 LastPass - Policy Added
  • [New] MATCH-S00851 LastPass - Policy Deleted
  • [New] MATCH-S00852 LastPass - Shared Folder Created
  • [New] MATCH-S00853 LastPass - Super Admin Password Reset

Log Mappers

  • [New] LastPass - Account Created
  • [New] LastPass - Failed Login
  • [New] LastPass - Folder Permissions Updated
  • [New] LastPass - Login
  • [New] LastPass - Master Password Changed
  • [New] LastPass - Password Changed
  • [New] LastPass - Personal Share
  • [New] LastPass - Policy Modifications
  • [New] LastPass - Shared Folder Created
  • [New] LastPass - Super Admin Password Reset
  • [New] LastPass Catch All
  • [New] Sysdig Audit Trail JSON
  • [New] Sysdig Benchmark JSON
  • [New] Sysdig Command JSON
  • [New] Sysdig Connection JSON
  • [New] Sysdig File Access JSON
  • [New] Sysdig Kubernetes JSON
  • [New] Sysdig Policy Detection JSON
  • [New] Sysdig Scanning JSON
  • [Updated] Azure Firewall Network Rule
  • [Updated] Mimecast Email logs

Parsers

  • [New] /Parsers/System/LastPass/LastPass
  • [New] /Parsers/System/Sysdig/Sysdig JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers
  • [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security
  • [Updated] /Parsers/System/Microsoft/Windows-Syslog Snare

This release includes small modifications to the First Seen rule type's baseline and retention periods, and moves these rules out of Prototype status, allowing more of them to contribute to CSE Insights. The Microsoft Office 365 Audit parser now builds key-value pairs from the 'OperationProperties' array included in some messages.

Rules

  • [Updated] FIRST-S00002 First Seen AWS API Call from User
  • [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
  • [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [Updated] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [Updated] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [Updated] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] FIRST-S00013 First Seen Driver Load - Global
  • [Updated] FIRST-S00014 First Seen Driver Load - Host
  • [Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [Updated] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [Updated] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [Updated] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [Updated] FIRST-S00004 First Seen Local Group Addition by User
  • [Updated] FIRST-S00015 First Seen Macro Execution from User
  • [Updated] FIRST-S00016 First Seen Non-Network Logon from User
  • [Updated] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [Updated] FIRST-S00009 First Seen RDP Logon From User
  • [Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
  • [Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host

Parsers

  • [Updated] /Parsers/System/Microsoft/Office 365

First Seen Rules

Sumo Logic is pleased to announce new features in Cloud SIEM Enterprise (CSE) that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.

The first feature is called a First Seen Rule. With this new rule type, CSE can detect events such as "the first time a user logs in from a new location" without having to define a rule expression that is unique to each user in your environment (and the location(s) from which he/she usually logs in). Other examples include detecting the unusual granting of administrative privileges, Windows recon commands, AWS Secrets Manager API calls, API gateway enumeration, and more.

First Seen Rules are defined like any other rule type, through the Content menu in CSE.

A First Seen Rule definition

First Seen Rules operate based on a baseline. During this period of time - typically between 7 and 30 days - the system will learn what normal and expected behavior looks like. After the baseline is established, CSE will begin generating Signals when unusual behavior is detected compared to that baseline. Baselines can be per-entity or global. (Note that the longer the baseline, the more accurate the model will be.)

CSE will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.

For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the CSE UI.
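The baseline mechanism described above, applied to the FIRST-S00030 case (a source IP connecting to an external IP on port 445 it has not connected to before), as an added simulation that is not Sumo Logic's own rule engine code. It assumes the baseline starts at the earliest record, that "external" means outside a hard-coded internal range list (CSE would use its Network Blocks configuration), and that a value seen after the baseline is added to the learned set so it fires only once; the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: internal ranges (CSE derives these from Network Blocks instead).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample connection records; timestamps are ISO 8601 so they sort as strings.
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T08:00:00", "srcIp": "10.0.0.5", "dstIp": "203.0.113.10", "dstPort": 445},
    {"ts": "2024-01-03T09:15:00", "srcIp": "10.0.0.5", "dstIp": "203.0.113.10", "dstPort": 445},
    {"ts": "2024-01-04T10:00:00", "srcIp": "10.0.0.7", "dstIp": "198.51.100.4", "dstPort": 445},
    {"ts": "2024-01-05T11:00:00", "srcIp": "10.0.0.5", "dstIp": "10.0.0.20", "dstPort": 445},   # internal, not in scope
    # A 7-day baseline ends 2024-01-08T08:00:00; everything below is evaluated against it.
    {"ts": "2024-01-09T12:00:00", "srcIp": "10.0.0.5", "dstIp": "203.0.113.10", "dstPort": 445},  # already seen
    {"ts": "2024-01-09T12:30:00", "srcIp": "10.0.0.5", "dstIp": "198.51.100.4", "dstPort": 445},  # new for this host only
    {"ts": "2024-01-10T13:00:00", "srcIp": "10.0.0.7", "dstIp": "192.0.2.77", "dstPort": 445},    # new for host and globally
    {"ts": "2024-01-10T13:05:00", "srcIp": "10.0.0.7", "dstIp": "192.0.2.77", "dstPort": 445},    # repeat, no second Signal
    {"ts": "2024-01-10T14:00:00", "srcIp": "10.0.0.7", "dstIp": "192.0.2.99", "dstPort": 443},    # wrong port, not in scope
]


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def outbound_smb(record: dict) -> bool:
    """Stand-in for the FIRST-S00030 rule expression: port 445 to an external IP."""
    return record["dstPort"] == 445 and is_external(record["dstIp"])


def first_seen_signals(records, entity_field, value_field, baseline_days,
                       scope="entity", matches=lambda r: True):
    """Replay records through a First Seen baseline.

    Records inside the baseline window only teach the model. After the window,
    a record whose value has not been seen for its entity (scope="entity") or
    for anyone (scope="global") produces a Signal and is then remembered.
    """
    ordered = sorted(records, key=lambda r: r["ts"])
    if not ordered:
        return []
    baseline_end = datetime.fromisoformat(ordered[0]["ts"]) + timedelta(days=baseline_days)
    seen = defaultdict(set)   # entity key -> values observed so far
    signals = []
    for rec in ordered:
        if not matches(rec):
            continue
        key = rec[entity_field] if scope == "entity" else "*"
        value = rec[value_field]
        if datetime.fromisoformat(rec["ts"]) < baseline_end:
            seen[key].add(value)            # learning phase: never alerts
            continue
        if value not in seen[key]:
            signals.append({"ts": rec["ts"], "entity": key, "value": value, "scope": scope})
            seen[key].add(value)            # "first seen" fires once per value
    return signals


if __name__ == "__main__":
    for scope in ("entity", "global"):
        for s in first_seen_signals(SAMPLE_RECORDS, "srcIp", "dstIp", 7, scope, outbound_smb):
            print(scope, s["ts"], s["entity"], "->", s["value"])
```

Re-running with `baseline_days=3` yields an extra Signal for 10.0.0.7 on 2024-01-04, which is the noise a too-short baseline produces.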

Entity Timeline

Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:

The Entity Timeline

This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.

Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.

The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.

For more information about how to use the Entity Timeline, see the online documentation.

Minor Changes and Enhancements

  • [Updated] Entities listed in the Signals index (sec_signal) now include criticality and suppressed attributes (which reflect the state of those Entities when the Signal was generated).
  • [New] The CSE API now supports searching the Threat Intelligence data by sourceName.
  • [Updated] The Threat Intelligence API GetThreatIntelIndicators endpoint now supports data sets of more than 10,000 indicators.
  • [Updated] The Insights API now supports searching (filtering) by confidence score.
  • [Updated] CSE now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
  • [Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
  • [New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.

Bug Fixes

  • The consolidated Insight ‘board’ view was not displaying properly in some instances.
  • An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
  • The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
  • The Insight creation source label was not positioned properly when scrolling an Insight Details page.
  • Entity notes could not be deleted.

Rules

  • [New] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [New] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [New] FIRST-S00004 First Seen Local Group Addition by User
  • [New] FIRST-S00005 First Seen User Creation From User
  • [New] FIRST-S00006 First Seen Weak Kerberos Encryption from User
  • [New] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [New] FIRST-S00008 First Seen whoami command From User
  • [New] FIRST-S00009 First Seen RDP From User
  • [New] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [New] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [New] FIRST-S00012 First Seen Sysmon IMPHASH - Host
  • [New] FIRST-S00013 First Seen Driver Load - Global
  • [New] FIRST-S00014 First Seen Driver Load - Host
  • [New] FIRST-S00015 First Seen Macro Execution from User
  • [New] FIRST-S00016 First Seen Non-Network Logon from User
  • [New] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [New] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [New] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [New] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [New] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [New] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [New] FIRST-S00023 First Seen AWS API Gateway Enumeration By User
  • [New] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [New] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [New] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [New] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [New] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications

Log Mappers

  • [New] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand

Rules

  • [New] MATCH-S00842 Suspicious Azure CLI Keys Access on Linux Host
  • [New] MATCH-S00843 Suspicious GCP CLI Keys Access on Linux Host

Note that the following updates do not change detection capabilities and are only updates to descriptions and other metadata.

  • [Updated] MATCH-S00308 AWS CloudTrail - OpsWorks Describe Permissions Event
  • [Updated] MATCH-S00210 AWS CloudTrail - SQS List Queues Event
  • [Updated] MATCH-S00238 AWS CloudTrail - sensitive activity in KMS
  • [Updated] MATCH-S00594 Alibaba ActionTrail KMS Activity
  • [Updated] MATCH-S00417 Attrib.exe use to Hide Files and Folders
  • [Updated] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00304 External Device Installation Denied
  • [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [Updated] MATCH-S00614 GCP Audit KMS Activity
  • [Updated] MATCH-S00466 MsiExec Web Install
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00634 Okta Admin App Access Attempt Failed
  • [Updated] MATCH-S00633 Okta Admin App Accessed
  • [Updated] MATCH-S00756 Outlook Homepage Modification
  • [Updated] MATCH-S00465 PXELoot Utility
  • [Updated] MATCH-S00200 Potential Pass the Hash Activity
  • [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
  • [Updated] MATCH-S00265 QuarksPwDump Dump File Observed
  • [Updated] MATCH-S00747 Registry Modification - Active Setup
  • [Updated] MATCH-S00754 Registry Modification - Microsoft Office Test Function Registry Entry
  • [Updated] MATCH-S00422 Spaces Before File Extension
  • [Updated] MATCH-S00196 Successful Overpass the Hash Attempt
  • [Updated] MATCH-S00293 Suspicious External Device Installation
  • [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load

Log Mappers

  • [Deleted] Sysdig Monitor C2C
  • [New] CloudTrail - s3.amazonaws.com - GetBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] Fortinet App Control Logs
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet DNS Logs
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet IPS Logs
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet VOIP Logs
  • [Updated] Fortinet Virus Logs
  • [Updated] Fortinet Webfilter Logs

Parsers

  • [Deleted] /Parsers/System/Sysdig/Sysdig Monitor C2C
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance

Active Entities Panel

To help analysts detect potential security issues as early as possible, a new panel has been added to the Heads Up Display (HUD):

Screenshot of the new Active Entities panel in CSE

This panel lists the top five most active entities, ranked by Signal Severity Total. This metric, which was introduced with the Related Entities enhancement last year, is the total sum of the severities of all unique Signals the Entity appears in during the current Insight detection window (typically, the past 14 days).

The count of Active Signals (Signals within the detection window that have not been included in an Insight) is also listed.

When hovering over the Entity value, the Entity’s type will be displayed. The Entity value is a link to that Entity’s details page.

Analysts can use this tool to investigate what appears to be risky activity and potentially address security issues proactively, before they are raised to the level of an Insight.

Minor Changes and Enhancements

  • [New] When looking at Signals in the new sec_signal index, attributes and values in array fields are now properly supported by auto-parsing, syntax like count by, and features like right-click > filter selected value.
  • [New] An attribute attackStage has been added to the new sec_signal index. This attribute summarizes the Mitre attack stage represented by the rule which triggered the signal. The value is defined the same way as the attack_stage attribute included in the older Signal forwarding feature.
  • [Updated] The subResolution attribute is now included in the Insight payload for http v2 actions.
  • [Updated] The way Release Notes are listed in the CSE UI is changing. There is no longer a “bell” item on the top menu; it has been replaced with a link to the Release Notes page in the Help menu. In addition, Release Notes are now directly visible in the UI when they are published.
  • [New] When executing a context action on a Signal, fields will now be passed to the context action if they are available based on the record(s) in context.

Bug Fixes

  • The “Radar” graph of records, Signals and Insights on the HUD has been updated so that the discontinuity at the top of the Signals section of the graph has been removed.
  • When viewing the raw log message corresponding to a normalized record, the wrong message was displayed.
  • The Network Block(s) associated with an Entity were not listed on the Entity details page.
  • When testing Rule expressions, sometimes the selected Tuning expression was not included.
  • Changes to entity tags or Criticality were not being listed on the History section of the Entity.
  • Entity Criticality was sometimes not displaying properly on the Insight details page.

Rules

  • [New] MATCH-S00838 Azure Active Directory Authentication Method Changed
  • [New] MATCH-S00836 Azure Conditional Access Policy Disabled
  • [New] MATCH-S00839 Azure Virtual Machine RunCommand Issued
  • [New] MATCH-S00837 Kubernetes Secrets Enumeration via Kubectl
  • [New] MATCH-S00835 Possible Dynamic URL Domain
  • [New] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
  • [New] MATCH-S00841 Suspicious AWS CLI Keys Access on Linux Host
  • [New] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
  • [Updated] THRESHOLD-S00074 Excessive Firewall Denies
  • [Updated] LEGACY-S00008 Possible Dynamic DNS Domain
  • [Updated] LEGACY-S00108 Threat Intel - Matched File Hash

Log Mappers

  • [New] Airtable Audit C2C
  • [New] Cisco Meraki Catch All - Custom Parser
  • [Updated] Linux OS Syslog - Process fw - iptables Events
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
  • [Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted
  • [Updated] Windows - Security - 4624

Parsers

  • [New] /Parsers/System/Airtable/Airtable Audit C2C
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cisco/Cisco Meraki
  • [Updated] /Parsers/System/Google/G Suite Audit
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
  • [Updated] /Parsers/System/Okta/Okta

Rules

  • [New] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
  • [New] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User

Minor Changes and Enhancements

  • [Updated] On the HUD, the Insight Activity widget has been updated. When selecting the Insight to display, the HUD will now choose based on this order of preference: In “New”, Unassigned, Highest GIS Confidence Score, Highest Severity, Newest. In addition, the design has been updated to improve readability.
  • [New] Users who wish to substitute custom Insight status(es) for the built-in "In Progress" status can now do so. After creating and organizing the custom status(es), the user can disable the "In Progress" status. (It cannot be deleted.) Note that it can be disabled only if there are no Insights currently set to "In Progress."
  • Changes to Entity tags and criticality now appear in the Entity’s change history list.
  • The Sumo Terraform provider now includes support for custom columns in match lists.
  • Kubernetes (k8s) attribute fields are now normalized to include the namespace. The normalized fields are: normalizedPodName, normalizedDeploymentName, and normalizedReplicaSetName.

Resolved Issues

  • Some Insights could not be closed via the UI (though they could via API).
  • In the consolidated (parent/child) Insight view, in “Board” mode, scrolling was not working properly. In addition, links to other orgs had an error in the URL (a duplicate “/sec”).

Rules

  • [New] MATCH-S00825 AWS Secrets Manager Enumeration
  • [New] MATCH-S00827 Exposed AWS SNS Topic Created
  • [New] MATCH-S00823 Exposed AWS SQS Queue Created
  • [New] MATCH-S00828 Office 365 Exchange Transport Rule Created
  • [New] MATCH-S00829 Office 365 Exchange Transport Rule Enabled
  • [New] MATCH-S00830 Office 365 Forwarding Rule Created
  • [New] MATCH-S00833 Office 365 Inbox Rule Created
  • [New] MATCH-S00832 Office 365 Inbox Rule Updated
  • [New] MATCH-S00831 Office 365 Unified Audit Logging Disabled
  • [New] MATCH-S00824 Potential XMRig Execution with Traffic
  • [New] MATCH-S00826 SSH Keys Added to EC2 Instance
  • [New] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
  • [Updated] MATCH-S00480 Solarwinds Suspicious Child Processes
  • [Updated] MATCH-S00504 User Added to Local Administrators

Log Mappers

  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Cloudflare - Logpush
  • [Updated] Microsoft Office 365 AzureActiveDirectory Events
  • [Updated] Microsoft Office 365 Exchange Mailbox Audit Events
  • [Updated] Microsoft Office 365 Exchange Mailbox Authentication Events
  • [Updated] Microsoft Office 365 ExchangeItem Events
  • [Updated] Microsoft Office 365 ExchangeItemGroup Events
  • [Updated] Microsoft Office 365 RecordType 105
  • [Updated] Microsoft Office 365 RecordType 37
  • [Updated] Microsoft Office 365 RecordType 57
  • [Updated] Office 365 - Exchange Admin Events

Parsers

  • [New] /Parsers/System/Microsoft/Windows-Syslog WinCollect

Schema

  • [Updated] device_k8s_normalizedDeploymentName
  • [Updated] device_k8s_normalizedPodName
  • [Updated] device_k8s_normalizedReplicaSetName
  • [Updated] dstDevice_k8s_normalizedDeploymentName
  • [Updated] dstDevice_k8s_normalizedPodName
  • [Updated] dstDevice_k8s_normalizedReplicaSetName
  • [Updated] srcDevice_k8s_normalizedDeploymentName
  • [Updated] srcDevice_k8s_normalizedPodName
  • [Updated] srcDevice_k8s_normalizedReplicaSetName

Rules

  • [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

  • [New] Google G Suite - login-email_forwarding_change
  • [New] Laurel Linux Audit - Catch All
  • [New] Laurel Linux Audit - System Call
  • [New] Laurel Linux Audit - User Logon
  • [Updated] Lacework Alert

Parsers

  • [New] /Parsers/System/AWS/AWS Security Hub
  • [New] /Parsers/System/Laurel/Laurel Linux Audit
  • [New] /Parsers/System/Signal Science/Signal Science WAF
  • [New] /Parsers/System/Workday/Workday

Schema

  • [Updated] device_k8s_deployment
  • [Updated] device_k8s_pod
  • [Updated] device_k8s_replicaSet
  • [Updated] dstDevice_k8s_deployment
  • [Updated] dstDevice_k8s_pod
  • [Updated] dstDevice_k8s_replicaSet
  • [Updated] srcDevice_k8s_deployment
  • [Updated] srcDevice_k8s_pod
  • [Updated] srcDevice_k8s_replicaSet

Rules

  • [Updated] MATCH-S00547 Script Execution Via WMI
  • [Updated] MATCH-S00684 Wget Passed to Script Execution Command

Log Mappers

  • [New] Azure Firewall Application Rule
  • [New] Azure Firewall DNS Proxy
  • [New] Azure Firewall Network Rule
  • [New] Microsoft O365 Exchange Message Trace C2C

Parsers

  • [New] /Parsers/System/Microsoft/O365 Exchange Message Trace C2C
  • [New] /Parsers/System/Microsoft/Windows XML from Azure
  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON

Schema

  • [New] email_recipient

Log Mappers

  • [Updated] Cisco ASA 710002-3 JSON
  • [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
  • [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
  • [Updated] Windows - Security - 4732

Parsers

  • [New] /Parsers/System/Snort/Snort
  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog
  • [Updated] /Parsers/System/Okta/Okta
  • [Updated] /Parsers/System/Suricata/Suricata Syslog
  • [Updated] /Parsers/System/Zscaler/Zscaler Private Access/Zscaler Private Access-JSON

New Entity Types

Eight new predefined Entity types have been added to CSE. This will enable customers to more accurately associate Signals and Insights with security threats. They are listed below along with the related normalized record schema attributes (which can be specified in Rule definitions):

Entity Type    Schema Attributes
Command        commandLine
Domain         http_referer_fqdn, http_url_fqdn
Email          targetUser_email, user_email
File           file_path, file_basename
Hash           file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_sha1, file_hash_sha256, file_hash_ssdeep
Process        baseImage, parentBaseImage
URL            http_url
User Agent     http_userAgent

If you already had a custom Entity type with the same or similar name, it will not be affected and will not be automatically migrated to the corresponding standard Entity type.

Entity Notes

Similar to the functionality on Insights, users can now attach notes to Entities:

Screenshot of Entity Notes user interface

These notes are retained permanently on the associated Entity and are visible to all users who can view the Entity.

Custom Time Windows for Rules

Threshold, Aggregation and Chain Rules now support custom time windows. Previously, when writing a Rule, a time window had to be chosen from a list of predefined options. With this enhancement, users can define any time window in minutes, hours, or days, with a minimum of 1 minute and a maximum of 5 days (120 hours):

Screenshot of Custom Time Window for Rules user interface

Inventory Favorite Fields

Where inventory data is shown for an Entity, such as the Entity details page or the Insight details page, users can now “favorite” the inventory fields that should be shown in the summary list.

To do this, expand the Full Details view, hover to the left of the field, and click the star icon that appears. To remove the favorite selection, click the star icon again. The field selections are applied across all users and retained across sessions. (This behavior is the same as for favorite fields on Records.)

Screenshot of Inventory Favorite Fields user interface

Minor Changes and Enhancements

  • [Updated] The previously announced migration of our out-of-the-box rules from standard match lists to Entity tags has been postponed. New dates for this migration will be announced in the near future.
  • [New] Service providers using the Consolidated Insight List can now see Insights from client organizations across deployments.
  • [Updated] The usability of filters for list views when searching for an object that includes a specific tag schema has been enhanced.
  • [Removed] The link to download the Insight Enrichment Service has been removed from the Enrichment page. The link is specified in the installation instructions online.
  • [New] Users can now filter Records by Sensor Zone.

Resolved Issues

  • Importing data from CSV files via the UI was not working properly.
  • The http_url field was not being concatenated properly in some mapper scenarios.
  • Entity domain normalization was not working properly.
  • The Copy Expression feature in the UI did not copy Boolean values to the clipboard properly.
  • The Rule Tuning Expression list page was not auto-refreshing correctly.
  • Users were unable to filter the Signals list based on severity.
  • IP addresses in the 198.18.0.0/15 and 169.254.0.0/15 ranges were not being marked as private subnets per RFC1918.
  • Users without the proper permissions were able to add comments and Signals to Insights.
  • Regular expressions ending with an asterisk * were not working properly in search/list filters.

Rules

  • [Updated] MATCH-S00159 Windows - Permissions Group Discovery

Log Mappers

  • [Updated] Azure Administrative logs
  • [Updated] Azure NSG Flows
  • [Updated] Squid Proxy - Parser
  • [Updated] Windows - Security - 4624

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Log Mappers

  • [New] Azure Risky Users
  • [New] Azure User Risk Events
  • [New] CrowdStrike Falcon CustomerIOCEvent (CNC)
  • [New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
  • [New] CrowdStrike Falcon Identity Protection (CNC)
  • [New] Microsoft Office 365 RecordType 105
  • [New] Microsoft Office 365 RecordType 37
  • [New] Microsoft Office 365 RecordType 57
  • [New] Windows - Security - Default
  • [Updated] Azure Event Hub - Windows Defender Logs
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Microsoft Office 365 Events
  • [Updated] Windows - Security - 4740

Parsers

  • [New] /Parsers/System/Microsoft/Microsoft Azure Nested JSON
  • [New] /Parsers/System/Microsoft/Windows-JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Rules

  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process

Log Mappers

  • [Updated] Gigamon Threat Insight - Catch All
  • [Updated] Gigamon Threat Insight - Suricata
  • [Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

  • [New] /Parsers/System/Gigamon/GigamonTI
  • [Updated] /Parsers/System/Lacework/Lacework JSON
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

Schema

  • [Updated] baseImage
  • [Updated] commandLine
  • [Updated] file_basename
  • [Updated] file_hash_imphash
  • [Updated] file_hash_md5
  • [Updated] file_hash_pehash
  • [Updated] file_hash_sha1
  • [Updated] file_hash_sha256
  • [Updated] file_hash_ssdeep
  • [Updated] file_path
  • [Updated] http_referer_fqdn
  • [Updated] http_url
  • [Updated] http_url_fqdn
  • [Updated] http_userAgent
  • [Updated] parentBaseImage
  • [Updated] targetUser_email
  • [Updated] user_email

Log Mappers

  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7

Parsers

  • [Updated] /Parsers/System/Microsoft/Sysmon-JSON

Rules

  • [New] MATCH-S00822 Potential Microsoft Office In-Memory Token Theft
  • [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port

Log Mappers

  • [New] Cisco Meraki 8021x
  • [New] Cisco Meraki Client Association
  • [Updated] Microsoft Office 365 Threat Intelligence Url Events

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco Meraki

Rules

  • [Updated] MATCH-S00582 Malicious Service Installs
  • [Updated] THRESHOLD-S00087 Slack - Possible Session Hijacking

Log Mappers

  • [New] BigQuery Gmail C2C - Catch All
  • [New] BigQuery Gmail C2C - Error in Delivery
  • [New] BigQuery Gmail C2C - Failed Delivery
  • [New] BigQuery Gmail C2C - Message was dropped by Gmail
  • [New] BigQuery Gmail C2C - Message was rejected by Google Groups
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] Azure Access Logs
  • [Updated] Azure Action Logs
  • [Updated] Azure Administrative logs
  • [Updated] Azure AuditEvent logs
  • [Updated] Azure ManagedIdentitySignInLogs
  • [Updated] Azure NonInteractiveUserSignInLogs
  • [Updated] Azure ServicePrincipalSignInLogs
  • [Updated] Azure Storage Analytics
  • [Updated] Azure Write and Delete Logs
  • [Updated] AzureActivityLog
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs
  • [Updated] AzureDevOpsAuditing
  • [Updated] AzureDiagnosticLog
  • [Updated] Cisco ASA 113039 JSON
  • [Updated] Cisco Ironport MID - Custom Parser
  • [Updated] Cisco Ironport SFIMS - Custom Parser
  • [Updated] Cisco Ironport WSA - Custom Parser
  • [Updated] GCP App Engine Logs
  • [Updated] GCP Audit Logs
  • [Updated] GCP Firewall
  • [Updated] GCP Parser - Load Balancer
  • [Updated] GCP VPC Flows
  • [Updated] Kubernetes
  • [Updated] Office 365 - Exchange Admin Events
  • [Updated] Windows - Security - 4697
  • [Updated] Windows - Security - 4820

Parsers

  • [New] /Parsers/System/Google/GCP BigQuery Gmail
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Infoblox/Infoblox

Schema

  • [New] device_k8s_normalizedDeploymentName
  • [New] device_k8s_normalizedReplicaSetName
  • [New] dstDevice_k8s_normalizedDeploymentName
  • [New] dstDevice_k8s_normalizedReplicaSetName
  • [New] srcDevice_k8s_normalizedDeploymentName
  • [New] srcDevice_k8s_normalizedReplicaSetName

Rules

  • [New] CHAIN-S00011 Potential InstallUtil Allow List Bypass
  • [Updated] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution

Log Mappers

  • [Updated] AWS - Application Load Balancer - ALB
  • [Updated] AWS - Application Load Balancer - JSON
  • [Updated] AWS API Gateway
  • [Updated] AWS CloudFront
  • [Updated] AWS EKS - Custom Parser
  • [Updated] AWS Elastic Load Balancer - Custom Parser
  • [Updated] AWS GuardDuty Alerts from Sumo CIP
  • [Updated] AWS Inspector - Custom Parser
  • [Updated] AWS Network Firewall Alerts
  • [Updated] AWS Network Firewall Flow
  • [Updated] AWS Network Firewall Netflow
  • [Updated] AWS Route 53 Logs
  • [Updated] AWS S3 Server Access Log - Custom Parser
  • [Updated] AWS Security Hub
  • [Updated] AWS Trusted Advisor
  • [Updated] AWS VPC Flow Logs - Default Format
  • [Updated] AWS VPC Flow Logs - JSON Format
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] AWSGuardDuty_Backdoor
  • [Updated] AWSGuardDuty_Behavior
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] AWSGuardDuty_CryptoCurrency
  • [Updated] AWSGuardDuty_Discovery
  • [Updated] AWSGuardDuty_Exfiltration
  • [Updated] AWSGuardDuty_PenTest
  • [Updated] AWSGuardDuty_Persistence
  • [Updated] AWSGuardDuty_Policy
  • [Updated] AWSGuardDuty_ResourceConsumption
  • [Updated] AWSGuardDuty_Stealth
  • [Updated] AWSGuardDuty_Trojan
  • [Updated] AwsServiceEvent-AWS API Call via CloudTrail
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Falco Detection JSON
  • [Updated] Juniper SSG Series Firewall - Audit Messaging
  • [Updated] Juniper SSG Series Firewall - Traffic Messaging
  • [Updated] Microsoft IIS Parser - Catch All
  • [Updated] Recon_EC2_PortProbeUnprotectedPort
  • [Updated] Recon_EC2_Portscan
  • [Updated] Recon_IAMUser
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [Updated] UnauthorizedAccess_EC2_TorClient
  • [Updated] UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] UnauthorizedAccess_EC2_TorRelay
  • [Updated] UnauthorizedAccess_IAMUser

Parsers

  • [Renamed] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog -> /Parsers/System/Juniper/Juniper SSG Series Firewall Syslog
  • [New] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • [Updated] /Parsers/System/Falco/Falco JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

Support for Custom Inventory Sources

Cloud SIEM Enterprise now supports custom sources of inventory data. If you want to ingest inventory data from a source that Sumo Logic does not provide a pre-built connector for, you can use this new feature. See the new document Configure a Custom Inventory Source for details.

Standard Match Lists

As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the previous announcement. This will continue until January 20, 2023, when the migration will be complete.

Minor Changes and Enhancements

  • [New] API endpoints have been created enabling users to upload attribute changes (such as tags or criticality) for multiple Entities in a single call, rather than having to do so one at a time. The new endpoints are /entities/bulk-add-tags, /entities/bulk-update-tags, /entities/bulk-remove-tags, /entities/bulk-update-suppressed, and /entities/bulk-update-criticality. Note that these API endpoints have a limit of 1000 entries per call. More details are available via the API Documentation link in Cloud SIEM Enterprise.
  • [Updated] Previously, a new feature was added to the Enrichments tab that enabled you to hide any attribute-value pair with an "empty" value for clarity. This included values like "0" or "N/A". However, some of those values are often useful to the analyst (for example, number_of_threat_reports="0"). Starting with this release, this feature will only hide attributes with truly empty values (i.e., attribute="").

Resolved Issues

  • The CSV file upload method for updating Entity attributes did not support sensor zones or normalized entity names properly.
  • CSE has switched providers of lists of public dynamic DNS domains, which has resolved an issue with rules utilizing these lists.

Rules

  • [Updated] MATCH-S00640 Kubernetes Pod Created in Kube Namespace
  • [Updated] MATCH-S00642 Kubernetes Service Account Created in Kube Namespace

Log Mappers

  • [New] Juniper SSC Series Firewall - Audit Messaging
  • [New] Juniper SSC Series Firewall - Traffic Messaging
  • [New] Linux-Sysmon/Operational - 1
  • [New] Linux-Sysmon/Operational - 10
  • [New] Linux-Sysmon/Operational - 11
  • [New] Linux-Sysmon/Operational - 15
  • [New] Linux-Sysmon/Operational - 16
  • [New] Linux-Sysmon/Operational - 17
  • [New] Linux-Sysmon/Operational - 18
  • [New] Linux-Sysmon/Operational - 2
  • [New] Linux-Sysmon/Operational - 23
  • [New] Linux-Sysmon/Operational - 3
  • [New] Linux-Sysmon/Operational - 4
  • [New] Linux-Sysmon/Operational - 5
  • [New] Linux-Sysmon/Operational - 6
  • [New] Linux-Sysmon/Operational - 7
  • [New] Linux-Sysmon/Operational - 8
  • [New] Linux-Sysmon/Operational - 9
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Azure Advanced Threat Protection
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Defender for Cloud Apps
  • [Updated] Kubernetes
  • [Updated] Microsoft Office 365 Threat Intelligence Events

Parsers

  • [New] /Parsers/System/Juniper/Juniper SSC Series Firewall Syslog
  • [New] /Parsers/System/Linux/Linux Sysmon XML

Schema

  • [New] device_k8s_deployment
  • [New] device_k8s_namespace
  • [New] device_k8s_normalizedPodName
  • [New] device_k8s_pod
  • [New] device_k8s_replicaSet
  • [New] dstDevice_k8s_deployment
  • [New] dstDevice_k8s_namespace
  • [New] dstDevice_k8s_normalizedPodName
  • [New] dstDevice_k8s_pod
  • [New] dstDevice_k8s_replicaSet
  • [New] srcDevice_k8s_deployment
  • [New] srcDevice_k8s_namespace
  • [New] srcDevice_k8s_normalizedPodName
  • [New] srcDevice_k8s_pod
  • [New] srcDevice_k8s_replicaSet
  • [Updated] device_container_runtime

Announcement: Standard Match Lists Migration to Entity Tags

Currently, CSE defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with CSE will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.

Next week, a new set of standard tag schemas will be introduced in CSE. These tag schemas will correspond to the existing standard Match Lists:

Key               Allowed Values          Equivalent Match List
_deviceGroup      admin                   admin_ips
                  awsAdmin                AWS_admin_ips
                  business                business_ips
                  gcpAdmin                GCP_admin_ips
                  googleWorkspaceAdmin    Google_Workspace_admin_ips
                  salesforceAdmin         salesforce_admin_ips
                  sandbox                 sandbox_ips
                  scanTarget              scanner_targets
_deviceService    dns                     dns_servers
                                          dns_servers_dst
                                          dns_servers_src
                  ftp                     ftp_servers
                  smtp                    smtp_servers
                  sql                     sql_servers
                  ssh                     ssh_servers
                  telnet                  telnet_servers
_deviceType       authServer              auth_servers
                                          auth_servers_dst
                                          auth_servers_src
                  lanScanner              lan_scanner_exception_ips
                  nms                     nms_ips
                  paloAltoSinkhole        palo_alto_sinkhole_ips
                  proxyServer             proxy_servers
                                          proxy_servers_dst
                                          proxy_servers_src
                  vpnServer               vpn_servers
                  vulnerabilityScanner    vuln_scanners
                  webServer               http_servers
_networkType      guest                   guest_networks
                  nat                     nat_ips
                  vpn                     vpn_networks
_userGroup        awsAdmin                AWS_admin_users
                  dsReplication           ds_replication_authorized_users
                  gcpAdmin                GCP_admin_users
                  googleWorkspaceAdmin    Google_Workspace_admin_users
                  kerberosDowngrade       downgrade_krb5_etype_authorized_users
                  salesforceAdmin         salesforce_admin_users

(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)

Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity 1.2.3.4 is in match list sql_servers, a tag _deviceService:sql will be set on it. CSE will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and CSE will no longer automatically create these tags.

Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.

Note that you cannot extend the standard tag schemas (for example, you cannot add a value azureAdmin to _userGroup). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as customUserGroup) with such extended values.

You can refer to Entity tags in Rule expressions. For example, if you've attached the tag _deviceService:sql to an Entity, this statement will return "true" if that Entity is listed in a Record's srcDevice_ip field:

array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")
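The following is an added example, not Sumo Logic's code: it simulates the match-list-to-tag migration described in this announcement (using the table above) and evaluates the array_contains check with the same semantics. The simplified Record and Entity structures, and the function names, are assumptions for illustration.

```python
"""Added example (not Sumo Logic's code): simulate the migration of standard
match lists to Entity tags and evaluate the rule expression
array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")."""
from typing import Dict, List, Set

# Standard match list -> tag, transcribed from the announcement table.
MATCH_LIST_TO_TAG: Dict[str, str] = {
    "admin_ips": "_deviceGroup:admin",
    "AWS_admin_ips": "_deviceGroup:awsAdmin",
    "business_ips": "_deviceGroup:business",
    "GCP_admin_ips": "_deviceGroup:gcpAdmin",
    "Google_Workspace_admin_ips": "_deviceGroup:googleWorkspaceAdmin",
    "salesforce_admin_ips": "_deviceGroup:salesforceAdmin",
    "sandbox_ips": "_deviceGroup:sandbox",
    "scanner_targets": "_deviceGroup:scanTarget",
    "dns_servers": "_deviceService:dns",
    "dns_servers_dst": "_deviceService:dns",
    "dns_servers_src": "_deviceService:dns",
    "ftp_servers": "_deviceService:ftp",
    "smtp_servers": "_deviceService:smtp",
    "sql_servers": "_deviceService:sql",
    "ssh_servers": "_deviceService:ssh",
    "telnet_servers": "_deviceService:telnet",
    "auth_servers": "_deviceType:authServer",
    "auth_servers_dst": "_deviceType:authServer",
    "auth_servers_src": "_deviceType:authServer",
    "lan_scanner_exception_ips": "_deviceType:lanScanner",
    "nms_ips": "_deviceType:nms",
    "palo_alto_sinkhole_ips": "_deviceType:paloAltoSinkhole",
    "proxy_servers": "_deviceType:proxyServer",
    "proxy_servers_dst": "_deviceType:proxyServer",
    "proxy_servers_src": "_deviceType:proxyServer",
    "vpn_servers": "_deviceType:vpnServer",
    "vuln_scanners": "_deviceType:vulnerabilityScanner",
    "http_servers": "_deviceType:webServer",
    "guest_networks": "_networkType:guest",
    "nat_ips": "_networkType:nat",
    "vpn_networks": "_networkType:vpn",
    "AWS_admin_users": "_userGroup:awsAdmin",
    "ds_replication_authorized_users": "_userGroup:dsReplication",
    "GCP_admin_users": "_userGroup:gcpAdmin",
    "Google_Workspace_admin_users": "_userGroup:googleWorkspaceAdmin",
    "downgrade_krb5_etype_authorized_users": "_userGroup:kerberosDowngrade",
    "salesforce_admin_users": "_userGroup:salesforceAdmin",
}

# Allowed values of each system-defined (underscore-prefixed) schema.
STANDARD_SCHEMAS: Dict[str, Set[str]] = {}
for _tag in MATCH_LIST_TO_TAG.values():
    _schema, _value = _tag.split(":", 1)
    STANDARD_SCHEMAS.setdefault(_schema, set()).add(_value)


def tags_for_entity(entity: str, match_lists: Dict[str, Set[str]]) -> Set[str]:
    """Tags the migration would set on `entity`, given
    match_lists = {list_name: {member, ...}} (assumed shape).
    Lists with no Entity mapping (e.g. business_domains) are ignored."""
    return {
        MATCH_LIST_TO_TAG[name]
        for name, members in match_lists.items()
        if entity in members and name in MATCH_LIST_TO_TAG
    }


def validate_tag(tag: str) -> bool:
    """System schemas cannot be extended: a value outside the table is
    rejected (e.g. _userGroup:azureAdmin). Custom schemas accept any value."""
    schema, _, value = tag.partition(":")
    if not schema or not value:
        return False
    if schema.startswith("_"):
        return value in STANDARD_SCHEMAS.get(schema, set())
    return True


def array_contains(values: List[str], wanted: str) -> bool:
    """Semantics of array_contains in the rule expression."""
    return wanted in values


def rule_matches(record: Dict[str, str], entity_tags: Dict[str, Set[str]]) -> bool:
    """Evaluate array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql").
    fieldTags maps each Record field to the tags of the Entity it names;
    entity_tags = {entity_value: {tag, ...}} is an assumed lookup."""
    field_tags = {f: sorted(entity_tags.get(v, set())) for f, v in record.items()}
    return array_contains(field_tags.get("srcDevice_ip", []), "_deviceService:sql")
```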

Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.

Minor Changes and Enhancements

  • [New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that is part of that schema. For example, if you search for _networkType (from the note above) the list results will include any object that has a tag of _networkType:guest, _networkType:nat, and/or _networkType:vpn.

Resolved Issues

  • Entity relationships were not taking sensor zones into account properly.
  • Entity details pages were only briefly displaying the proper Criticality.
  • The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.

Welcome to the Sumo Logic Cloud SIEM Release Notes on our new docs site! We're now open source and encourage you to contribute. We welcome all contributions, from minor typo fixes to brand new docs. Your expertise and sharing can help fellow users learn and expand their knowledge of Sumo Logic.


Here you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM Enterprise.

To view Release Notes from previous years, check the archive.

Application Update: Minor Changes and Enhancements

  • [Updated] Dynamic severity in rules has been enhanced. Users can now specify ranges of values to match to a specific severity. There are now multiple options, and these options can be combined (the first rule that matches is used; if none match then the default is used):
    • Equal to: exact string or mathematical match ("Equal to 4" will match "4" and 4.0 but not 4.01)
    • Greater than and Less than: mathematical only, not inclusive ("Less than 5" will match 4.9 but not 5)
    • Between: mathematical only, inclusive ("Between 5 and 10" will match 5 or 7 but not 10.1)
    • Not in the record: matches when the attribute is not present in the record (if there is no "bro_irc_value" attribute then this rule will match; if "bro_irc_value" exists but is empty/null, it does not match)
  • [New] Users can now filter the Signals list based on the type of Rule that generated the Signal (Match, Chain, Aggregation, etc.)
  • [New] Users can now perform negative keyword searches ("not:aws" would return all objects that do not include the keyword "aws")
  • [New] Entity domain normalization can now be managed via Terraform
  • [New] Users can now configure the Email Action to send emails in plain text in addition to the previously supported multipart HTML5/text format
  • [New] Changes to the Insight Threshold are now noted in the Audit Log
  • [Deleted] As previously announced, the IBM Resilient and Sensor actions have been removed from CSE
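An added example, not Sumo Logic's code, of the dynamic-severity matching options listed above, including the first-match-wins ordering and the empty-versus-absent distinction for "Not in the record". The rule tuple shape, the operator names and the default_severity parameter are assumptions for illustration.

```python
"""Added example (not Sumo Logic's code): evaluator for the dynamic
severity options described in the release notes."""
from typing import Any, Dict, List, Optional, Tuple

# Assumed rule shape: (operator, argument, severity). The argument is a
# number for equal_to/greater_than/less_than, a (low, high) pair for
# between, and ignored for not_in_record.
SeverityRule = Tuple[str, Any, int]


def _as_number(value: Any) -> Optional[float]:
    """Numeric view of a record value, or None if it is not numeric."""
    if value is None or isinstance(value, bool):
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def rule_applies(record: Dict[str, Any], attribute: str, op: str, arg: Any) -> bool:
    """Does one severity rule match the record's attribute?"""
    if op == "not_in_record":
        # Only an absent attribute matches; present-but-empty/null does not.
        return attribute not in record
    if attribute not in record:
        return False
    value = record[attribute]
    num = _as_number(value)
    if op == "equal_to":
        # Exact string match OR mathematical match: "4" and 4.0 match
        # "Equal to 4", 4.01 does not.
        if isinstance(value, str) and value == str(arg):
            return True
        target = _as_number(arg)
        return num is not None and target is not None and num == target
    if num is None:
        return False  # the remaining operators are mathematical only
    if op == "greater_than":
        return num > float(arg)  # not inclusive
    if op == "less_than":
        return num < float(arg)  # not inclusive
    if op == "between":
        low, high = arg
        return float(low) <= num <= float(high)  # inclusive at both ends
    raise ValueError(f"unknown operator: {op}")


def dynamic_severity(record: Dict[str, Any], attribute: str,
                     rules: List[SeverityRule], default_severity: int) -> int:
    """First matching rule wins; if none match, the default is used."""
    for op, arg, severity in rules:
        if rule_applies(record, attribute, op, arg):
            return severity
    return default_severity
```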

Resolved Issues

  • Match list items were not matching properly in some instances, such as after deletion
  • Keyword searches did not properly support values (such as hostnames) with embedded dashes
  • Changes to prototype state were not visible in the rule history
  • In some cases, the system was parsing domain names/TLDs incorrectly

Content Release

Log Mappers

  • [New] Azure Application Service Console Logs
  • [New] Google G Suite Alert Center - Sensitive Admin Action
  • [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents

Parsers

  • [Updated] /Parsers/System/Google/G Suite Alert Center

Legacy Parsers

  • [Updated] CISCO_MERAKI_SECURITY_FILTERING_FILE_SCANNED
  • [Updated] CISCO_MERAKI_URLS
  • [Updated] Twistlock_Logs

Rules

  • [Deleted] MATCH-S00070 Checkpoint Firewall

Log Mappers

  • [New] Cyber Ark EPM AggregateEvent
  • [New] Cyber Ark EPM AuditAdmin
  • [New] Cyber Ark EPM GetComputer
  • [New] Cyber Ark EPM Policy
  • [New] Cyber Ark EPM RawDetails
  • [New] Cyber Ark EPM RawEvents

Parsers

  • [New] /Parsers/System/Cyber-Ark/CyberArk EPM JSON
  • [Updated] /Parsers/System/Auth0/Auth0

Rules

  • [Deleted] CHAIN-S00009 Proofpoint TAP Click Permitted Followed by Successful Request

Log Mappers

  • [New] Wiz Catch All
  • [Updated] Orca Security Parser - Catch All

Schema

  • [New] cloud_provider
  • [New] cloud_region
  • [New] cloud_service
  • [New] cloud_zone
  • [New] device_container_id
  • [New] device_container_name
  • [New] device_container_runtime
  • [New] device_image
  • [New] device_type
  • [New] dstDevice_container_id
  • [New] dstDevice_container_name
  • [New] dstDevice_container_runtime
  • [New] dstDevice_image
  • [New] dstDevice_type
  • [New] resourceType
  • [New] srcDevice_container_id
  • [New] srcDevice_container_name
  • [New] srcDevice_container_runtime
  • [New] srcDevice_image
  • [New] srcDevice_type
  • [Updated] dstDevice_uniqueId

Insight Enrichment Server for Fed deployment

[Update] We’ve released a new version of the Insight Enrichment Server that runs on the Sumo Logic FedRAMP-compliant deployment. This makes Cloud SIEM Enterprise (CSE) on FedRAMP functionally equivalent to commercial deployments of CSE.

Minor Changes and Enhancements

  • [New] An API endpoint has been added which enables users to delete multiple entries in a match list in one operation: POST: /match-list-items/bulk-delete
  • [Updated] When inventory data for hosts includes both private and public IP addresses, that data will be attached to both Entities. Previously it was only attached to one of the IP address Entities.
  • [Updated] Previously we announced that the severity attribute for Insights in the Audit Logs would be switching from numbers (1-4) to text (LOW, MEDIUM, HIGH, etc). Instead, we have retained the existing numerical attribute and added a new attribute severityName containing the human-readable text.

Resolved Issues

  • In some Audit Log messages related to Insight comments, the insight_readable_id was not set correctly.
  • In some cases, manually adding or removing tags in an Insight was not being recorded in the Audit Logs properly.
  • For some customers, the bar chart on the Records list page was not rendering properly.
  • Time/date stamps were not being displayed consistently across the UI.
  • Some pages were returning intermittent 404 or internal errors.

In one week (2022-09-15), we will be removing the CHAIN-S00009 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

  • [Updated] MATCH-S00819 Chromium Process Started With Debugging Port

Log Mappers

  • [Updated] Aruba ClearPass Syslog

Parsers

  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/Microsoft/Microsoft IIS

Announcements

  • Starting October 1, 2022, suppressed Signals will be retained in CSE for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the CSE UI.
    • Note also that in the past, Signals attached to Insights were searchable from the CSE Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.)
  • As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from CSE by the end of this month.

Minor Changes and Enhancements

  • [New] In the Audit Log, when an Insight is created, the sum of the included Signals' severity is now included with the insight in the risk_score field (i.e. if there were three Signals each with a severity of 4, the sum of 12 will be included).
  • [Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. The Click action now brings up a "Copy Value" action instead.
  • [New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
  • [New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.

Resolved Issues

  • In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
  • Time stamps were missing from Records in some views.

Content Release

In 2 weeks (2022-09-15), we will be removing the CHAIN-S00009 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.

Rules

  • [New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
  • [New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
  • [New] MATCH-S00819 Chromium Process Started With Debugging Port
  • [New] MATCH-S00820 Cloud Credential File Accessed
  • [New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
  • [Updated] MATCH-S00235 Azure - Create User

Log Mappers

  • [New] Mimecast AV Event
  • [New] Mimecast Impersonation Event
  • [New] Mimecast Spam Event
  • [Updated] AzureActivityLog AuditLogs

Application Update

Cloud SIEM Enterprise App is now available

The CSE app gives you visibility into what's going on in Cloud SIEM Enterprise. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by CSE. You can also get insight into CSE rules, including rule management activity and which rules have fired.

This app is available to all licensed CSE customers in the Sumo Logic App Catalog. For more information, see CSE App.

Content Release

Rules

  • [Updated] MATCH-S00632 Okta Administrator Access Granted
  • [Updated] MATCH-S00683 Overly Permissive Chmod Command

Log Mappers

  • [New] Check Point Avanan
  • [New] Cisco ISE Authentication Failure
  • [New] Cisco ISE Authentication Success
  • [New] Cisco ISE Catch All
  • [New] FireEye Web MPS Event
  • [Updated] Microsoft Office 365 Threat Intelligence Events
  • [Updated] Windows Microsoft-Windows-Sysmon/Operational 3
  • [Updated] Windows Security 4688

Parsers

  • [New] /Parsers/System/Check Point/Check Point Avanan JSON
  • [New] /Parsers/System/Cisco/Cisco ISE
  • [New] /Parsers/System/FireEye/FireEye Web MPS JSON

Resolved Issues

  • Several issues were resolved related to the bulk upload of Entity attributes, including errors with CSV file parsing, editing uploaded attributes in the UI, and a lack of audit logging.
  • On the Entity details page, the criticality was not being displayed properly.
  • Labels were not being created properly based on Network Blocks for a small number of customers.
  • InsightCommentCreated audit events did not include the readableId attribute.
  • For some record types, the Actions field was not being displayed if selected as a favorite field.

Archive of July 2022 Cloud SIEM Release Notes.


July 28, 2022 - Application Update

Read-Only User Capabilities for CSE

New user capabilities (permissions) have been created enabling read-only access to content and configuration features in CSE.

These can be used when defining roles in the Sumo Logic platform (at Administration > Users and Roles > Roles).

read-only roles

(For those with CSE instances in the jask.ai domain, these capabilities are accessed via the Configuration > Roles page in CSE.)

Users with these capabilities (without the corresponding Manage capabilities) will be able to view the corresponding pages but will not be able to make changes on those pages. (Previously, users without the Manage capabilities could not see the corresponding pages.)

These permissions also apply to CSE APIs, so View (only) capabilities can now be assigned if desired.

Minor Changes and Enhancements

  • [Updated] When Threat Intelligence polling fails, the corresponding event will now include more information about the specific error that occurred.
  • [Updated] The API endpoints that return information about Signals (GET /signals, GET /signals/<id>, and GET /signals/all) now include the summary field (previously only accessible via the UI).
  • [New] The Sumo Logic audit logs will now include events when a user adds or removes a Signal to/from an Insight, and when a user adds a comment to an Insight.

Resolved Issues

  • The GET /rules and GET /rules/<id> API endpoints did not require role capabilities for access; they now require either View Rules or Manage Rules.
  • Favorite Fields were not always being displayed on Signals generated by Threshold Rules.

July 14, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The text size has been adjusted in some areas on the Rules details page to improve readability.

Resolved Issues

  • In some instances, after uploading Network Blocks via .csv file, they would fail to appear in the UI.

Announcement Update

  • The new Signal Index (recently announced) has been delayed, and will be available starting next week. As a result, the deprecation of the old Signal Forwarding feature will be delayed until September 22, 2022.

July 21 - Application Update

Entity Groups

Entity attributes (tags, criticality and suppression) provide value to users of Cloud SIEM Enterprise in a number of ways: for example, Investigations can be completed faster with more context, Insights can be prioritized with the appropriate severity, and false positive Signals from test instances can be prevented. However, setting those attributes has been a manual process, and keeping them in sync as new Entities are defined is difficult.

That's why we are pleased to announce a new feature called Entity Groups. By defining Entity Groups, attributes can be automatically applied (or removed) based on Entity value (name), IP address, or Inventory group membership. For example, all high-risk laptops will receive higher criticality, even if such a laptop is added to your environment months later.

Entities can even be members of more than one Entity Group, so a high-risk laptop in the Austin office could both get a tag identifying its location and receive the higher criticality. And if you later reassigned it so that it was no longer in a high-risk group, the criticality would be automatically removed.

To create an Entity Group, a new configuration menu item has been added:

entity groups menu

On the Entity Groups page, click the Create button:

entity groups list

This will open the detail dialog:

create entity group

Here you can decide what attribute Group membership should be based on:

  • Group membership in your Inventory system (such as Active Directory)
  • Entity value (name) - prefix or suffix (such as "aus-" or "-public")
  • IP address range (for IP Address entities) defined using the CIDR format

Entity Groups also support sensor zones.

Then you can define what attribute(s) should be applied to member Entities - tags, criticality and/or suppression.

This release also includes API and Terraform support for Entity Groups.

More information about this exciting new feature and how to use it is in the documentation at Using Entity Groups.

Signal Index

Starting today, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signal index. This special partition is similar to the existing sec_record* indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index is automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature will be deprecated on September 22, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before September 22.

Note that because the new index is a special partition, a single query cannot be used to search both the sec_signal index and older forwarded Signal data simultaneously.

More information about using the special security indices is in the documentation at Searching for CSE Data in Sumo Logic.

Minor Changes and Enhancements

  • [Updated] The page used to configure the detection window and Insight threshold has moved. Where previously it was accessed from a button on the Custom Insights list page, it is now accessed via a new Workflow > Detection option in the Configuration menu:
threshold menu

Note the URL has also changed as a result; please update any bookmarks.

Resolved Issues

  • When navigating to a CSE page (with sumologic.com in the domain name), if the user had to log in/authenticate first, they were not auto-forwarded to the appropriate CSE page afterwards but were instead taken to the Continuous Intelligence Platform home page. This has now been resolved and users are auto-forwarded correctly.


July 21, 2021 - Content Release

Rules

  • [Updated] MATCH-S00587 Empire PowerShell Launch Parameters
  • [Updated] MATCH-S00161 Malicious PowerShell Get Commands
  • [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
  • [Updated] MATCH-S00191 Suspicious PowerShell Keywords

Log Mappers

  • [New] OSSEC Alert

Parsers

  • [New] /Parsers/System/OSSEC/OSSEC JSON
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Kubernetes/Kubernetes
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV


July 14 - Content Release

Log Mappers

  • [New] Carbon Black Cloud Alert - Tuned Activity
  • [Updated] Cisco ASA 106001 JSON
  • [Updated] Cisco ASA 106002 JSON
  • [Updated] Cisco ASA 106006 JSON
  • [Updated] Cisco ASA 106007 JSON
  • [Updated] Cisco ASA 106010 JSON
  • [Updated] Cisco ASA 106012 JSON
  • [Updated] Cisco ASA 106014 JSON
  • [Updated] Cisco ASA 106015 JSON
  • [Updated] Cisco ASA 106021 JSON
  • [Updated] Cisco ASA 106027 JSON
  • [Updated] Cisco ASA 106100 JSON
  • [Updated] Cisco ASA 106102-3 JSON
  • [Updated] Cisco ASA 109005-8 JSON
  • [Updated] Cisco ASA 110002 JSON
  • [Updated] Cisco ASA 113004 JSON
  • [Updated] Cisco ASA 113005 JSON
  • [Updated] Cisco ASA 113012-17 JSON
  • [Updated] Cisco ASA 209004 JSON
  • [Updated] Cisco ASA 302020-1 JSON
  • [Updated] Cisco ASA 303002 JSON
  • [Updated] Cisco ASA 304001 JSON
  • [Updated] Cisco ASA 304002 JSON
  • [Updated] Cisco ASA 305011-12 JSON
  • [Updated] Cisco ASA 313001 JSON
  • [Updated] Cisco ASA 313004 JSON
  • [Updated] Cisco ASA 313005 JSON
  • [Updated] Cisco ASA 314003 JSON
  • [Updated] Cisco ASA 322001 JSON
  • [Updated] Cisco ASA 338001-8+338201-4 JSON
  • [Updated] Cisco ASA 4000nn JSON
  • [Updated] Cisco ASA 406001 JSON
  • [Updated] Cisco ASA 406002 JSON
  • [Updated] Cisco ASA 419001 JSON
  • [Updated] Cisco ASA 419002 JSON
  • [Updated] Cisco ASA 500004 JSON
  • [Updated] Cisco ASA 602303-4 JSON
  • [Updated] Cisco ASA 605004-5 JSON
  • [Updated] Cisco ASA 710002-3 JSON
  • [Updated] Cisco ASA 710005 JSON
  • [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON

Parsers

  • [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • [Updated] /Parsers/System/Cisco/Cisco ASA

July 8, 2022 - Application Update

Announcement

  • The built-in HipChat Action will be deprecated on August 25, 2022.

Minor Changes and Enhancements

  • [Updated] An option has been added to the Enrichments tab which allows the user to hide any empty fields in the results.

Resolved Issues

  • In some cases, changes to Rule Tuning Expressions were not being written to the Audit Logs properly.
  • Mapper field format_parameters was not populating.
  • Some of the links on the Related Entities tab of the Insight detail pages were malformed.


July 7, 2022 - Content Release

Rules

  • [New] MATCH-S00816 Interactive Logon to Domain Controller

Log Mappers

  • [Updated] Palo Alto GlobalProtect - Custom Parser
  • [Updated] Palo Alto GlobalProtect Auth - Custom Parser
  • [Updated] Windows - System - 7045
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Google/GCP

July 5, 2022 - Content Release

Rules

  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00099 Long URL Containing SQL Commands
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force
  • [Updated] MATCH-S00185 Windows - Remote System Discovery

Log Mappers

  • [Updated] McAfee Endpoint Security Custom Parser
  • [Updated] Microsoft SQL Server Parser - Authentication

Parsers

  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML
  • [Updated] /Parsers/System/Microsoft/Microsoft SQL Server
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Twistlock/Twistlock

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.

To view release notes from previous years, check the archive.

RSS Feed

Archive of June 2022 Cloud SIEM Release Notes.


June 24, 2022 - Announcement

Beginning July 15, 2022, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing sec_record indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index will be automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature in CSE will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.

If you have any questions or concerns, please contact Sumo Logic customer support.


June 24, 2022 - Application Update

Minor Changes and Enhancements

  • [New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.

Resolved Issues

  • The /sec/v1/insights/{}/tags API endpoint was returning a 500/INTERNAL_SERVER_ERROR.

June 21, 2022 - Content Release

Log Mappers

  • [Updated] McAfee Avecto Defendpoint

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML

June 15, 2022 - Content Release

Rules

  • [Updated] MATCH-S00400 Web Download via Office Binaries

Log Mappers

  • [New] GCP Parser - Load Balancer

Parsers

  • [Updated] /Parsers/System/Google/GCP
  • [Updated] /Parsers/System/Orca Security/Orca Security
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

June 13, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). Old bookmarks will continue to work.
  • [Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
  • [Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.

Resolved Issues

  • CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
  • When filtering lists by date, the "include current" checkbox was not working consistently.

June 9, 2022 - Content Release

Rules

  • [New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [Updated] Cyber Ark Vault JSON

Parsers

  • [New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
  • [Updated] /Parsers/System/AWS/AWS ELB
  • [Updated] /Parsers/System/AWS/AWS WAF

June 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution

Log Mappers

  • [New] Bitdefender - avc
  • [New] Bitdefender - fw
  • [New] Bitdefender - hd
  • [New] Bitdefender - network-monitor
  • [New] Bitdefender - new-incident
  • [New] Linux OS Syslog - Cron - Generic
  • [New] Linux OS Syslog - sshd - session timeout
  • [Updated] Bitdefender Catch All
  • [Updated] SonicWall Firewall - Custom Parser

Parsers

  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

June 3, 2022 - Content Release

Rules

  • [New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
  • [New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
  • [Updated] THRESHOLD-S00080 Internal Port Scan
  • [Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190

Log Mappers

  • [New] Google G Suite - logout
  • [New] McAfee Mvision ENS incidents - Parser
  • [New] McAfee Mvision ENS threats - Parser
  • [New] Okta Authentication - auth_via_AD_agent
  • [New] Okta Authentication - auth_via_mfa
  • [New] Okta Authentication - auth_via_radius
  • [New] Okta Authentication - sso
  • [Updated] Google G Suite - login.login
  • [Updated] Okta Authentication Events
  • [Updated] Salesforce LoginAs Mapping

Parsers

  • [New] /Parsers/System/McAfee/McAfee Mvision ENS

Schema

  • [Updated] device_ip_asnNumber
  • [Updated] device_ip_asnOrg
  • [Updated] device_ip_city
  • [Updated] device_ip_countryCode
  • [Updated] device_ip_countryName
  • [Updated] device_ip_isp
  • [Updated] device_ip_latitude
  • [Updated] device_ip_longitude
  • [Updated] device_ip_region
  • [Updated] device_natIp_asnNumber
  • [Updated] device_natIp_asnOrg
  • [Updated] device_natIp_city
  • [Updated] device_natIp_countryCode
  • [Updated] device_natIp_countryName
  • [Updated] device_natIp_isp
  • [Updated] device_natIp_latitude
  • [Updated] device_natIp_longitude
  • [Updated] device_natIp_region
  • [Updated] dns_replyIp_asnNumber
  • [Updated] dns_replyIp_asnOrg
  • [Updated] dns_replyIp_city
  • [Updated] dns_replyIp_countryCode
  • [Updated] dns_replyIp_countryName
  • [Updated] dns_replyIp_isp
  • [Updated] dns_replyIp_latitude
  • [Updated] dns_replyIp_longitude
  • [Updated] dns_replyIp_region
  • [Updated] dstDevice_ip_asnNumber
  • [Updated] dstDevice_ip_asnOrg
  • [Updated] dstDevice_ip_city
  • [Updated] dstDevice_ip_countryCode
  • [Updated] dstDevice_ip_countryName
  • [Updated] dstDevice_ip_isp
  • [Updated] dstDevice_ip_latitude
  • [Updated] dstDevice_ip_longitude
  • [Updated] dstDevice_ip_region
  • [Updated] srcDevice_ip_asnNumber
  • [Updated] srcDevice_ip_asnOrg
  • [Updated] srcDevice_ip_city
  • [Updated] srcDevice_ip_countryCode
  • [Updated] srcDevice_ip_countryName
  • [Updated] srcDevice_ip_isp
  • [Updated] srcDevice_ip_latitude
  • [Updated] srcDevice_ip_longitude
  • [Updated] srcDevice_ip_region

June 1, 2022 - Announcement

Geographical Data for IP Addresses

  • As previously announced, CSE has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various _isp enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent _asnOrg fields (such as device_ip_asnOrg). If you have any rules that leverage the _isp fields, please switch to the _asnOrg fields as soon as possible.
  • Because these fields will no longer be populated, they will be removed on June 7, 2022:
    • device_ip_isp
    • device_natIp_isp
    • device_replyIp_isp
    • dstDevice_ip_isp
    • dstDevice_natIp_isp
    • srcDevice_ip_isp
    • srcDevice_natIp_isp


Archive of May 2022 Cloud SIEM Release Notes.


May 31, 2022 - Content Release

Rules

  • [New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] MATCH-S00766 Okta MFA Deactivated for User
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Aruba ClearPass User Authentication Failed
  • [New] Aruba ClearPass User Authentication Successful
  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] McAfee Network Security Parser - Catch All
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Orca Security Parser - Catch All
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Cloudflare - Logpush
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Windows - Security - 4688

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/McAfee/McAfee Network Security
  • [New] /Parsers/System/Orca Security/Orca Security
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Shared/Syslog Headers
  • [Updated] /Parsers/System/Twistlock/Twistlock

May 27, 2022 - Application Update

Upcoming Changes

  • [Updated] Starting later next week, the severity attribute in audit log records for Insights (such as InsightCreated) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
  • [Deleted] Later next week, the Content > Suppressed Entities page will be removed from the UI to simplify the application. Instead, users can use a filter on the Content > Entities page to retrieve the list of suppressed Entities.

Minor Changes and Enhancements

  • [Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
  • [New] When creating a copy of a Rule, users are now given the option to apply the Rule Tuning Expression(s) that are applied to the original Rule to the copy as well.
  • [New] In the CSE UI, timestamps now explicitly include the time zone.
  • [New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
  • [New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.

Resolved Issues

  • If a user had defined a high number of favorite fields, the system would show the first 50.
  • When specifying tags, the auto-complete feature was not working properly in some instances.

May 26, 2022 - Content Release

Rules

  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

May 17, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The _sourceName and _sourceHost values in records ingested by CSE will now reflect the original values defined when ingested into the Sumo Logic platform.
  • [Updated] The "Board" list view for Insights has been updated to include the resolution:board-view

Resolved Issues

  • In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
  • When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow.
  • When creating match list items via Terraform, the process was occasionally timing out.
  • Email-based actions were not functioning properly on instances with domains ending in jask.ai.

May 12, 2022 - Content Release

Rules

  • [Updated] LEGACY-S00078 SQL Injection Victim

Log Mappers

  • [New] Check Point Application Control
  • [New] Check Point SmartDefense
  • [New] Check Point URL Filtering
  • [Updated] Check Point Block

Parsers

  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

May 10, 2022 - Content Release

Rules

  • [Deleted] MATCH-S00258 Authentication Brute Force Attempt
  • [Updated] MATCH-S00176 RDP Login from Localhost

Log Mappers

  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • [Deleted] Windows - Security - 1100 - CIP
  • [Deleted] Windows - Security - 1102 - CIP
  • [Deleted] Windows - Security - 4624 - CIP
  • [Deleted] Windows - Security - 4625 - CIP
  • [Deleted] Windows - Security - 4634 - CIP
  • [Deleted] Windows - Security - 4648 - CIP
  • [Deleted] Windows - Security - 4649 - CIP
  • [Deleted] Windows - Security - 4656 - CIP
  • [Deleted] Windows - Security - 4658 - CIP
  • [Deleted] Windows - Security - 4661 - CIP
  • [Deleted] Windows - Security - 4662 - CIP
  • [Deleted] Windows - Security - 4663 - CIP
  • [Deleted] Windows - Security - 4672 - CIP
  • [Deleted] Windows - Security - 4674 - CIP
  • [Deleted] Windows - Security - 4688 - CIP
  • [Deleted] Windows - Security - 4689 - CIP
  • [Deleted] Windows - Security - 4697 - CIP
  • [Deleted] Windows - Security - 4698 - CIP
  • [Deleted] Windows - Security - 4702 - CIP
  • [Deleted] Windows - Security - 4704 - CIP
  • [Deleted] Windows - Security - 4720 - CIP
  • [Deleted] Windows - Security - 4726 - CIP
  • [Deleted] Windows - Security - 4728 - CIP
  • [Deleted] Windows - Security - 4732 - CIP
  • [Deleted] Windows - Security - 4740 - CIP
  • [Deleted] Windows - Security - 4742 - CIP
  • [Deleted] Windows - Security - 4754 - CIP
  • [Deleted] Windows - Security - 4755 - CIP
  • [Deleted] Windows - Security - 4756 - CIP
  • [Deleted] Windows - Security - 4768 - CIP
  • [Deleted] Windows - Security - 4769 - CIP
  • [Deleted] Windows - Security - 4770 - CIP
  • [Deleted] Windows - Security - 4771 - CIP
  • [Deleted] Windows - Security - 4776 - CIP
  • [Deleted] Windows - Security - 4778 - CIP
  • [Deleted] Windows - Security - 4779 - CIP
  • [Deleted] Windows - Security - 4780 - CIP
  • [Deleted] Windows - Security - 4793 - CIP
  • [Deleted] Windows - Security - 4798 - CIP
  • [Deleted] Windows - Security - 4799 - CIP
  • [Deleted] Windows - Security - 5038 - CIP
  • [Deleted] Windows - Security - 5058 - CIP
  • [Deleted] Windows - Security - 5059 - CIP
  • [Deleted] Windows - Security - 5061 - CIP
  • [Deleted] Windows - Security - 5140 - CIP
  • [Deleted] Windows - Security - 5379 - CIP
  • [Deleted] Windows - Security - 5805 - CIP
  • [Deleted] Windows - Security - 6272 - CIP
  • [Deleted] Windows - Security - 6273 - CIP
  • [Deleted] Windows - Security - 6275 - CIP
  • [Deleted] Windows - Security - 6278 - CIP
  • [Deleted] Windows - Security - 6416 - CIP
  • [Deleted] Windows - Security - 6423 - CIP
  • [Deleted] Windows - Security - 6424 - CIP
  • [Deleted] Windows - System - 5138 - CIP
  • [Deleted] Windows - System - 6005 - CIP
  • [Deleted] Windows - System - 6006 - CIP
  • [Deleted] Windows - System - 7045 - CIP
  • [New] BlueCat DNS Parser - Catch All
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] Firepower Catch All
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Success

Parsers

  • [Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
  • [New] /Parsers/System/Cisco/Cisco Firepower JSON
  • [Updated] /Parsers/System/AWS/AWS WAF
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.

Archive of April 2022 Cloud SIEM Release Notes.

April 29, 2022 - Application Update

[New] The Cloud SIEM Enterprise team is excited to announce a newly enhanced feature: Related Entities. Although Insights and the Signals they contain are focused on a single Entity (a user or host, for example), there are often a number of additional Entities referenced in the Records/Signals contained in the Insight. In addition, CSE can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).

To provide an easy way for analysts to explore all of these Related Entities, a new tab has been added to the Insight Details page.

The Entities tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where CSE has determined a relationship between entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’).

Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals.

As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages).

This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information.

More information can be found in the online documentation.

Minor Changes and Enhancements

  • [Updated] For Signals generated by Threshold, Aggregation and Chain Rules, there is a feature called Queried Records that enables users to find additional Records that also apply to the Signal beyond those that were needed to meet the conditions of the Rule. The page that lists these Queried Records now explicitly shows the search query and time window that is being checked. If a user clicks on the query, it will open a Log Search window with the query and time window pre-filled for deeper investigation.

April 29, 2022 - Content Release

Rules

  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
  • [Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
  • [Updated] THRESHOLD-S00031 RDP Brute Force Attempt
  • [Updated] THRESHOLD-S00034 SSH Authentication Failures

Log Mappers

  • [New] BlueCat DHCP Parser - Catch All
  • [New] Microsoft Exchange Catch All
  • [New] Microsoft Exchange HTTP Error
  • [New] Microsoft Exchange IIS
  • [New] Varonis DatAlert - Parser
  • [Updated] Varonis DatAdvantage - CEF

Parsers

  • [New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/Microsoft/Exchange
  • [New] /Parsers/System/Varonis/Varonis DatAlert Syslog
  • [Updated] /Parsers/System/F5/F5 Syslog

April 26, 2022 - Content Release

Rules

  • [New] MATCH-S00808 Azure - Container Instance Creation/Modification
  • [New] MATCH-S00809 Azure - Container Start
  • [New] MATCH-S00807 Azure - Image Created/Modified
  • [New] MATCH-S00810 Azure - Image Deleted

Log Mappers

  • [New] Darktrace Parser Events
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [New] /Parsers/System/Darktrace/Darktrace Syslog
  • [New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 20, 2022 - Content Release

Rules

  • [New] MATCH-S00798 Azure - Anonymous Blob Access
  • [New] MATCH-S00805 Azure - Bastion Host Created/Modified
  • [New] MATCH-S00806 Azure - Bastion Host Deleted
  • [New] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [New] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [New] MATCH-S00797 Azure - Event Hub Deleted
  • [New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
  • [New] MATCH-S00788 Azure - Key Deletion
  • [New] MATCH-S00789 Azure - Key Purged
  • [New] MATCH-S00792 Azure - Key Vault Deleted
  • [New] MATCH-S00787 Azure - Protected Item Deletion Attempt
  • [New] MATCH-S00794 Azure - Secret Backup
  • [New] MATCH-S00791 Azure - Secret Deleted
  • [New] MATCH-S00790 Azure - Secret Purged
  • [New] MATCH-S00800 Azure - Storage Deletion
  • [New] MATCH-S00799 Azure - Storage Modification
  • [New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
  • [New] MATCH-S00804 Azure - Virtual Machine Deleted
  • [New] MATCH-S00801 Azure - Virtual Machine Started
  • [New] MATCH-S00802 Azure - Virtual Machine Stopped
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
  • [Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] MATCH-S00445 Known Ransomware File Extensions

Log Mappers

  • [New] Dropbox - Authentication
  • [New] Dropbox - Catch All
  • [Updated] Azure AuditEvent logs

Parsers

  • [Updated] /Parsers/System/AWS/GuardDuty

April 19, 2022 - Announcement

We will be consolidating Authentication Brute Force Attempt MATCH-S00258 on Tuesday May 10 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.

April 18, 2022 - Application Update

Minor Changes and Enhancements

  • [New] API endpoints are now available to add or remove a given Signal to/from a given Insight: PUT "/insights/<insightId>/signals" and DELETE "/insights/<insightId>/signals" respectively. (For both endpoints, the request body is a list of the Signal ID(s) to add to or remove from the Insight; the response is the updated Insight.)
  • [Updated] The way CSE displays group membership in Active Directory inventory objects is changing. Previously, it was displayed in LDAP form (i.e., cn=groupname,dc=something,dc=domain,dc=com); now it will just show the group name.

Resolved Issues

  • Signal and Insight timestamps in the Cloud SIEM Enterprise UI were not always displayed in the user’s preferred time zone.

April 15, 2022 - Announcements

  • Because it can now be connected via more standardized TAXII feeds, the integration between Cloud SIEM Enterprise and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali’s documentation for Setting up a TAXII feed for ThreatStream then Sumo Logic’s documentation for Integrating CSE with a TAXII Feed.
  • The Entity API has been updated to include a new field IsSuppressed. This field replaces IsWhitelisted which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted please ensure you have switched to the new field.

April 14, 2022 - Content Release

Rules

  • [New] MATCH-S00785 Azure - Blob Container Deletion
  • [New] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
  • [Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
  • [Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
  • [Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
  • [Updated] LEGACY-S00066 PowerShell Remote Administration
  • [Updated] LEGACY-S00105 Suspicious DC Logon
  • [Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)

Log Mappers

  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
  • [Updated] Microsoft Graph AD Reporting API C2C - Provisioning
  • [Updated] Microsoft Graph AD Reporting API C2C - Signin
  • [Updated] Trend Micro CEF logs

Parsers

  • [New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF

April 12, 2022 - Content Release

Rules

  • [New] MATCH-S00784 Linux Host Entered Promiscuous Mode

Log Mappers

  • [Deleted] AWS VPC Flow Logs - Custom Format 1
  • [Deleted] Adaxes Execute Event
  • [Deleted] Adaxes Modify Event
  • [Deleted] Adaxes Run PowerShell Event
  • [Deleted] Aruba Error Logs
  • [Deleted] Aruba ICMP Logs
  • [Deleted] Aruba LDAP Server Logs
  • [Deleted] Aruba PoniUnwired HTTPD CGID Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Error Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
  • [Deleted] Aruba PoniUnwired HTTPD ssl error Samples
  • [Deleted] Aruba PoniUnwired Warn Samples
  • [Deleted] BIND DNS Query
  • [Deleted] BIND DNS Update Zone
  • [Deleted] BIND DNS Update Zone Failed
  • [Deleted] BIOC Credential Access logs
  • [Deleted] BIOC Dropper logs
  • [Deleted] BIOC Evasion Variation 2 logs
  • [Deleted] BIOC Evasion logs
  • [Deleted] BIOC Infiltration logs
  • [Deleted] BIOC Persistence and Execution logs
  • [Deleted] BIOC Privilege logs
  • [Deleted] BIOC Reconnaissance logs
  • [Deleted] BIOC Reconnaissance logs Variation 2
  • [Deleted] BIOC Tampering logs
  • [Deleted] BIOC create and write logs
  • [Deleted] Bandura Domain Logs
  • [Deleted] Bandura Packet Logs
  • [Deleted] Barracuda Proxy
  • [Deleted] Bind DHCP Full
  • [Deleted] Bind DHCP On
  • [Deleted] Bind DHCP Short
  • [Deleted] Bind DNS log 1
  • [Deleted] Bind DNS log 10
  • [Deleted] Bind DNS log 2
  • [Deleted] Bind DNS log 3
  • [Deleted] Bind DNS log 4
  • [Deleted] Bind DNS log 5
  • [Deleted] Bind DNS log 6
  • [Deleted] Bind DNS log 7
  • [Deleted] Bind DNS log 8
  • [Deleted] Bind DNS log 9
  • [Deleted] Bind9 DNS
  • [Deleted] Blue Coat Proxy 2
  • [Deleted] Blue Coat Proxy 4
  • [Deleted] Blue Coat Proxy 5
  • [Deleted] Blue Coat Proxy 6
  • [Deleted] Blue Coat Proxy 7
  • [Deleted] Blue Coat Proxy Logs
  • [Deleted] BlueCat DHCP Bootrequest
  • [Deleted] BlueCat DHCP Decline
  • [Deleted] BlueCat DHCP INFORM Logs
  • [Deleted] BlueCat DHCP Offer Logs
  • [Deleted] BlueCat DHCP Reuse Lease
  • [Deleted] BlueCat DHCP failover
  • [Deleted] BlueCat DNS
  • [Deleted] BlueCat DNS with Key
  • [Deleted] CB Protection
  • [Deleted] CB Protection Username
  • [Deleted] CB Response Server 1
  • [Deleted] CB Response Server 10
  • [Deleted] CB Response Server 11
  • [Deleted] CB Response Server 13
  • [Deleted] CB Response Server 14
  • [Deleted] CB Response Server 15
  • [Deleted] CB Response Server 17
  • [Deleted] CB Response Server 2
  • [Deleted] CB Response Server 20
  • [Deleted] CB Response Server 3
  • [Deleted] CB Response Server 4
  • [Deleted] CB Response Server 5
  • [Deleted] CB Response Server 6
  • [Deleted] CB Response Server 7
  • [Deleted] CB Response Server 9
  • [Deleted] CB Response Severity 1
  • [Deleted] CB Response Severity 2
  • [Deleted] CB Response Severity 3
  • [Deleted] CICSCOFW434002
  • [Deleted] Check Point ACCEPT Grok
  • [Deleted] Check Point DROP
  • [Deleted] Check Point VPN
  • [Deleted] Check Point encrypt/decrypt
  • [Deleted] Check Point key install
  • [Deleted] Cisco ACS FAILED-ATTEMPT
  • [Deleted] Cisco ACS FAILED-AUTHENTICATION
  • [Deleted] Cisco ACS Passed-Authentication
  • [Deleted] Cisco ACS Tacacs-Accounting
  • [Deleted] Cisco ASA 106002
  • [Deleted] Cisco ASA 106012
  • [Deleted] Cisco ASA 106013
  • [Deleted] Cisco ASA 106018
  • [Deleted] Cisco ASA 106022
  • [Deleted] Cisco ASA 113039
  • [Deleted] Cisco ASA 716037
  • [Deleted] Cisco ASA 716038
  • [Deleted] Cisco ASA 716039
  • [Deleted] Cisco ASA 722056
  • [Deleted] Cisco ASA 725012
  • [Deleted] Cisco ASA 725017
  • [Deleted] Cisco ASA 734003
  • [Deleted] Cisco ASA 746012
  • [Deleted] Cisco AnyConnect NAT RULES Logs
  • [Deleted] Cisco Authentication Message 01
  • [Deleted] Cisco Authentication Message 02
  • [Deleted] Cisco Authentication Message 03
  • [Deleted] Cisco Authentication Message 04
  • [Deleted] Cisco Authentication Message 05
  • [Deleted] Cisco Authentication Message 06
  • [Deleted] Cisco Authentication Message 07
  • [Deleted] Cisco Authentication Message 08
  • [Deleted] Cisco Authentication Message 09
  • [Deleted] Cisco Authentication Message 10
  • [Deleted] Cisco Authentication Message 11
  • [Deleted] Cisco Authentication Message 12
  • [Deleted] Cisco Authentication Message 13
  • [Deleted] Cisco Authentication Message 14
  • [Deleted] Cisco Authentication Message 15
  • [Deleted] Cisco IOS Message
  • [Deleted] Cisco IOS Queue Full
  • [Deleted] Cisco Ironport WSA
  • [Deleted] Cisco Ironport WSA NOHD
  • [Deleted] Cisco Ironport WSA NOHD 01
  • [Deleted] Cisco Ironport WSA NOHD 03
  • [Deleted] Cisco Meraki IDS-Alerts
  • [Deleted] Cisco Meraki Security Event
  • [Deleted] Cisco Meraki Security Filtering Disposition Change
  • [Deleted] Cisco Umbrella IP Logs Custom
  • [Deleted] Citrix NetScaler AAA Message
  • [Deleted] Citrix NetScaler API CMD EXECUTED
  • [Deleted] Citrix NetScaler Delinked Message
  • [Deleted] Citrix NetScaler Delinked Message 01
  • [Deleted] Citrix NetScaler TCP Connection Terminated
  • [Deleted] DNS_Additions
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EXABEAM
  • [Deleted] F5 HTTPd Audit
  • [Deleted] F5 SSHD Samples
  • [Deleted] F5 SSL Request
  • [Deleted] Firepower Access Control
  • [Deleted] Firepower Access Control 2
  • [Deleted] Firepower Access Control 3
  • [Deleted] Firepower Access Control 4
  • [Deleted] Firepower Access Control 5
  • [Deleted] Firepower Alerts
  • [Deleted] Forcepoint NEW
  • [Deleted] Huawei SNMP LOGS
  • [Deleted] IBM WebSpheredatadevice error 1
  • [Deleted] IBM WebSpheredatadevice error 2
  • [Deleted] IBM WebSpheredatadevice error 3
  • [Deleted] IBM WebSpheredatadevice error 4
  • [Deleted] IBM WebSpheredatadevice error 5
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
  • [Deleted] Infoblox DHCP Updater 1
  • [Deleted] Infoblox DHCP Updater 2
  • [Deleted] Infoblox DHCP Updater 3
  • [Deleted] Infoblox DHCP Updater 4
  • [Deleted] Infoblox DHCP Updater 5
  • [Deleted] Infoblox DHCPACK RENEW Samples
  • [Deleted] Infoblox DHCPACK v2 Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples 2
  • [Deleted] Infoblox DHCPDISCOVER Unknown network Sample
  • [Deleted] Infoblox DHCPEXPIRE Samples
  • [Deleted] Infoblox DHCPNAK Samples
  • [Deleted] Infoblox DHCPOFFER UID Samples
  • [Deleted] Infoblox DHCPRELEASE Samples
  • [Deleted] Infoblox DNS Request AXRF Ended
  • [Deleted] Infoblox DNS Request AXRF Started
  • [Deleted] Infoblox DNS Response
  • [Deleted] Infoblox DNS Zone Update 1
  • [Deleted] Infoblox DNS Zone Update 2
  • [Deleted] Infoblox DNS Zone Update 3
  • [Deleted] Infoblox DNS Zone Update 4
  • [Deleted] Infoblox DNS Zone Update 5
  • [Deleted] Infoblox DNS Zone Update 6
  • [Deleted] Infoblox Domain Notified
  • [Deleted] Invalid Login
  • [Deleted] IronPort Quarantined MID
  • [Deleted] IronPort Quarantined TO
  • [Deleted] Ironport DCID Message
  • [Deleted] Ironport DKIM
  • [Deleted] Ironport ICID Message
  • [Deleted] Ironport Info IC
  • [Deleted] Ironport Info IC and Msg
  • [Deleted] Ironport Info ISQ or RPC
  • [Deleted] Ironport Info Message
  • [Deleted] Ironport Info Mid Info
  • [Deleted] Ironport WSA SFIMS Protocol 1
  • [Deleted] Ironport WSA SFIMS Protocol 2
  • [Deleted] Ironport WSA SFIMS Protocol 3
  • [Deleted] Ironport WSA SFIMS Protocol 4
  • [Deleted] Ironport Warn Message
  • [Deleted] Ironport Warning Connection Error
  • [Deleted] Ironport Warning Full
  • [Deleted] Ironport Warning Invalid DNS FULL
  • [Deleted] Ironport Warning LIMIT
  • [Deleted] Juniper Flow Reassemble Logs
  • [Deleted] Juniper Session Error Logs
  • [Deleted] LINUX User Auth with Hostname
  • [Deleted] Linux Laravel Activity Logs
  • [Deleted] Linux Laravel Activity Logs 01
  • [Deleted] Linux Laravel Login Logs
  • [Deleted] LinuxServer Audit Logs 01
  • [Deleted] LinuxServer Audit Logs 02
  • [Deleted] LinuxServer Log 1
  • [Deleted] LinuxServer Log 11
  • [Deleted] LinuxServer Log 2
  • [Deleted] LinuxServer Log 3
  • [Deleted] LinuxServer Log 4
  • [Deleted] LinuxServer Log 5
  • [Deleted] LinuxServer Log 6
  • [Deleted] LinuxServer Log 7
  • [Deleted] Mcafee MVISION CASB Log
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] Network Management Logs
  • [Deleted] Oauth Logs
  • [Deleted] Ossec Group Addition Logs
  • [Deleted] Ossec Insecure Connection Logs
  • [Deleted] Ossec Integrity checksum Logs
  • [Deleted] Ossec Root Login Refused Logs
  • [Deleted] Ossec ssh server Logs
  • [Deleted] Palo Alto Traps Analytics
  • [Deleted] Palo Alto Traps Analytics - Cloud
  • [Deleted] Palo Alto Traps Config - Cloud
  • [Deleted] Palo Alto Traps Event
  • [Deleted] Palo Alto Traps Events Updated
  • [Deleted] Palo Alto Traps Misc - Cloud
  • [Deleted] Palo Alto Traps System - Cloud
  • [Deleted] Pulse Secure Endpoint
  • [Deleted] Pulse Secure Logs
  • [Deleted] Renew Logs
  • [Deleted] Shibboleth DUO
  • [Deleted] Shibboleth HTTP Redirect EDU
  • [Deleted] Shibboleth HTTP Redirect Email
  • [Deleted] Shibboleth LDAP
  • [Deleted] Shibboleth LDAP Email
  • [Deleted] Snare AgentHeartBeat Logs
  • [Deleted] Snare Windows DHCP Logs
  • [Deleted] SonicWall Bad FTP Protocol
  • [Deleted] SonicWall Block Dropped Events
  • [Deleted] SonicWall Flood Attack
  • [Deleted] SonicWall IPS
  • [Deleted] SonicWall Port Scan
  • [Deleted] SonicWall URL Filter
  • [Deleted] Successful Login
  • [Deleted] Successful Logins
  • [Deleted] Successful SSH Login
  • [Deleted] Suricata HTTP Logs
  • [Deleted] Suricata LogStash
  • [Deleted] Suricata Logstash Custom
  • [Deleted] Suricata Threat Logs
  • [Deleted] Symantec SEP AntiVirus
  • [Deleted] Symantec SEP Potential Risk Found 01
  • [Deleted] Symantec SEP Potential Risk Found 2
  • [Deleted] Symantec SEP Potential Risk Found 3
  • [Deleted] Symantec SEP SONAR
  • [Deleted] Symantec SEP Security Risk Found
  • [Deleted] Symantec SEP Sonar Detection
  • [Deleted] Symantec SEP USB Drive
  • [Deleted] Tanium S24 Logs
  • [Deleted] VLT Vault Extra
  • [Deleted] VMware Logs 1
  • [Deleted] VMware Logs 2
  • [Deleted] VMware Logs 3
  • [Deleted] VMware Logs 4
  • [Deleted] VMware Logs 5
  • [Deleted] VMware Logs 6
  • [Deleted] VMware Logs 7
  • [Deleted] VMware Logs 8
  • [Deleted] VPN Messages
  • [Deleted] VPN Messages 2
  • [Deleted] VPN Messages 3
  • [Deleted] VPN Messages 4
  • [Deleted] VPN Messages 5
  • [Deleted] WatchGuard flow log
  • [Deleted] WatchGuard flow log 2
  • [Deleted] Windows DHCP
  • [Deleted] Windows Defender Unstructured
  • [Deleted] Windows QUICK FIX
  • [Deleted] Zscaler Firewall Grok
  • [Deleted] cisco17
  • [Deleted] cisco20
  • [Deleted] ePO Threat Event
  • [New] AWS EKS - Custom Parser
  • [New] Azure Storage Analytics
  • [New] Citrix NetScaler - SSL Handshake Success
  • [Updated] Azure Administrative logs
  • [Updated] Azure Write and Delete Logs
  • [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
  • [Updated] Citrix NetScaler - Command Executed
  • [Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
  • [Updated] Citrix NetScaler - SSLVPN-ICA Events
  • [Updated] Citrix NetScaler - SSLVPN-LOGIN
  • [Updated] Citrix NetScaler - SSLVPN-LOGOUT
  • [Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT

Parsers

  • [New] /Parsers/System/AWS/AWS EKS
  • [New] /Parsers/System/Microsoft/Azure Storage Analytics
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog

Legacy Parsers

  • [Deleted] 4624
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
  • [Deleted] ASA_106002
  • [Deleted] ASA_106013
  • [Deleted] ASA_106018
  • [Deleted] ASA_106022
  • [Deleted] ASA_113039
  • [Deleted] ASA_5_746012
  • [Deleted] ASA_6_106012
  • [Deleted] ASA_716037
  • [Deleted] ASA_716038
  • [Deleted] ASA_716039
  • [Deleted] ASA_722056
  • [Deleted] ASA_7_725012
  • [Deleted] ASA_7_725017
  • [Deleted] ASA_7_734003
  • [Deleted] AWS_VPC_FLOW_CUSTOM_1
  • [Deleted] Adaxes_Execute_Event
  • [Deleted] Adaxes_Modify_Event
  • [Deleted] Adaxes_Run_PowerShell_Event
  • [Deleted] Aruba_Error_Logs
  • [Deleted] Aruba_ICMP_Logs
  • [Deleted] Aruba_LDAP_Server_Logs
  • [Deleted] BANDURA_DOMAIN_LOGS
  • [Deleted] BANDURA_PACKET_LOGS
  • [Deleted] BARRACUDA_PROXY
  • [Deleted] BIND9
  • [Deleted] BIND_DHCP_FOR_FULL
  • [Deleted] BIND_DHCP_FOR_SHORT
  • [Deleted] BIND_DHCP_ON
  • [Deleted] BIND_Query
  • [Deleted] BIND_Update_Zone
  • [Deleted] BIND_Update_Zone_Failure
  • [Deleted] BIOC_CREATE_AND_WRITE
  • [Deleted] BIOC_CREDENTIAL_ACCESS
  • [Deleted] BIOC_DROPPER
  • [Deleted] BIOC_EVASION
  • [Deleted] BIOC_EVASION_VARIATION_2
  • [Deleted] BIOC_INFILTRATION
  • [Deleted] BIOC_PERSISTENCE_EXECUTION
  • [Deleted] BIOC_PRIVILEGE
  • [Deleted] BIOC_RECONNAISSANCE
  • [Deleted] BIOC_RECONNAISSANCE_VARIATION_2
  • [Deleted] BIOC_TAMPERING
  • [Deleted] BLUECAT_DHCP_BOOTREQUEST
  • [Deleted] BLUECAT_DHCP_DECLINE
  • [Deleted] BLUECAT_DHCP_INFORM
  • [Deleted] BLUECAT_DHCP_OFFER
  • [Deleted] BLUECAT_DHCP_failover
  • [Deleted] BLUECAT_DHCP_reuse_lease
  • [Deleted] BLUECAT_DNS_NO_KEY
  • [Deleted] BLUECAT_DNS_WITH_KEY
  • [Deleted] BLUECOAT_PROXY
  • [Deleted] BLUECOAT_PROXY_2
  • [Deleted] BLUECOAT_PROXY_4
  • [Deleted] BLUECOAT_PROXY_5
  • [Deleted] BLUECOAT_PROXY_6
  • [Deleted] BLUECOAT_PROXY_7
  • [Deleted] Bind_DNS_log_1
  • [Deleted] Bind_DNS_log_10
  • [Deleted] Bind_DNS_log_2
  • [Deleted] Bind_DNS_log_3
  • [Deleted] Bind_DNS_log_4
  • [Deleted] Bind_DNS_log_5
  • [Deleted] Bind_DNS_log_6
  • [Deleted] Bind_DNS_log_7
  • [Deleted] Bind_DNS_log_8
  • [Deleted] Bind_DNS_log_9
  • [Deleted] CB_PROTECT
  • [Deleted] CB_PROTECT_USERNAME
  • [Deleted] CB_RESPONSE_SERVER_1
  • [Deleted] CB_RESPONSE_SERVER_10
  • [Deleted] CB_RESPONSE_SERVER_11
  • [Deleted] CB_RESPONSE_SERVER_13
  • [Deleted] CB_RESPONSE_SERVER_14
  • [Deleted] CB_RESPONSE_SERVER_15
  • [Deleted] CB_RESPONSE_SERVER_17
  • [Deleted] CB_RESPONSE_SERVER_2
  • [Deleted] CB_RESPONSE_SERVER_20
  • [Deleted] CB_RESPONSE_SERVER_3
  • [Deleted] CB_RESPONSE_SERVER_4
  • [Deleted] CB_RESPONSE_SERVER_5
  • [Deleted] CB_RESPONSE_SERVER_6
  • [Deleted] CB_RESPONSE_SERVER_7
  • [Deleted] CB_RESPONSE_SERVER_9
  • [Deleted] CB_RESPONSE_SEVERITY_1
  • [Deleted] CB_RESPONSE_SEVERITY_2
  • [Deleted] CB_RESPONSE_SEVERITY_3
  • [Deleted] CHECKPOINT_ACCEPT
  • [Deleted] CHECKPOINT_CRYPT
  • [Deleted] CHECKPOINT_DROP
  • [Deleted] CHECKPOINT_KEY_INSTALL
  • [Deleted] CHECKPOINT_VPN_ROUTE
  • [Deleted] CICSCOFW434002
  • [Deleted] CISCOFW321001
  • [Deleted] CISCOFW419001
  • [Deleted] CISCO_ACS_FAILED_ATTEMPT
  • [Deleted] CISCO_ACS_FAILED_AUTHENTICATION
  • [Deleted] CISCO_ACS_PASSED_AUTHENTICATION
  • [Deleted] CISCO_ACS_TACACS_ACCOUNTING
  • [Deleted] CISCO_MERAKI_IDS_ALERTS
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
  • [Deleted] CRM_VODLOG
  • [Deleted] Cisco_Umbrella_IP_Logs
  • [Deleted] Dns_Update
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EPO_THREAT_EVENT
  • [Deleted] EXABEAM
  • [Deleted] F5_HTTPD_AUDIT
  • [Deleted] F5_SSHD_SAMPLES
  • [Deleted] F5_SSL_REQUEST
  • [Deleted] FLOW_REASSEMBLE
  • [Deleted] FORCEPOINT_NEW_AND_IMPROVED
  • [Deleted] Failed_Logon
  • [Deleted] Firepower_ALERT_IDS
  • [Deleted] Firepower_Access_Control
  • [Deleted] Firepower_Access_Control_2
  • [Deleted] Firepower_Access_Control_3
  • [Deleted] Firepower_Access_Control_4
  • [Deleted] Firepower_Access_Control_5
  • [Deleted] IBM_WebSpheredatadevice_error_1
  • [Deleted] IBM_WebSpheredatadevice_error_2
  • [Deleted] IBM_WebSpheredatadevice_error_3
  • [Deleted] IBM_WebSpheredatadevice_error_4
  • [Deleted] IBM_WebSpheredatadevice_error_5
  • [Deleted] INFLOBLOX_DNS_MESSAGE
  • [Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
  • [Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
  • [Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
  • [Deleted] INFOBLOX_DHCPNAK_SAMPLES
  • [Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
  • [Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
  • [Deleted] INFOBLOX_DHCP_UPDATER_1
  • [Deleted] INFOBLOX_DHCP_UPDATER_2
  • [Deleted] INFOBLOX_DHCP_UPDATER_3
  • [Deleted] INFOBLOX_DHCP_UPDATER_4
  • [Deleted] INFOBLOX_DHCP_UPDATER_5
  • [Deleted] INFOBLOX_DHCP_V2_SAMPLES
  • [Deleted] INFOBLOX_DNS_QUERIES
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
  • [Deleted] INFOBLOX_DNS_RESPONSE
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
  • [Deleted] INFOBLOX_DOMAIN_NOTIFIED
  • [Deleted] IRONPORT_QUARANTINE_MID
  • [Deleted] IRONPORT_QUARANTINE_TO
  • [Deleted] IRON_PORT_CONNECTION
  • [Deleted] IRON_PORT_DCID_MSG
  • [Deleted] IRON_PORT_DKIM
  • [Deleted] IRON_PORT_ICID_MSG
  • [Deleted] IRON_PORT_INFO_ICID
  • [Deleted] IRON_PORT_INFO_MID
  • [Deleted] IRON_PORT_INFO_MID_ICID
  • [Deleted] IRON_PORT_INFO_MSG
  • [Deleted] IRON_PORT_ISQ_RPC
  • [Deleted] IRON_PORT_WARN_FULL
  • [Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
  • [Deleted] IRON_PORT_WARN_LIMIT
  • [Deleted] IRON_PORT_WARN_MSG
  • [Deleted] IRON_PORT_WSA
  • [Deleted] IRON_PORT_WSA_NOHD
  • [Deleted] IRON_PORT_WSA_NOHD_01
  • [Deleted] IRON_PORT_WSA_NOHD_03
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
  • [Deleted] Internal_Auth_Logs
  • [Deleted] LINUXSERVER_AUDIT_LOGS_1
  • [Deleted] LINUXSERVER_AUDIT_LOGS_2
  • [Deleted] LINUXSERVER_LOG_1
  • [Deleted] LINUXSERVER_LOG_11
  • [Deleted] LINUXSERVER_LOG_2
  • [Deleted] LINUXSERVER_LOG_3
  • [Deleted] LINUXSERVER_LOG_4
  • [Deleted] LINUXSERVER_LOG_5
  • [Deleted] LINUXSERVER_LOG_6
  • [Deleted] LINUXSERVER_LOG_7
  • [Deleted] LINUX_USER_AND_HOSTNAME
  • [Deleted] Linux_Laravel_Logs1
  • [Deleted] Linux_Laravel_Logs2
  • [Deleted] Linux_Laravel_Logs3
  • [Deleted] MVISION_CASB
  • [Deleted] NAT_RULES_MATCH
  • [Deleted] NMS_LOGS
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] OAUTH_LOG
  • [Deleted] Ossec_Logs_01
  • [Deleted] Ossec_Logs_02
  • [Deleted] Ossec_Logs_03
  • [Deleted] Ossec_Logs_04
  • [Deleted] Ossec_Logs_06
  • [Deleted] PALO_ALTO_TRAPS
  • [Deleted] PALO_TRAPS_EXTRA
  • [Deleted] PAN_TRAPS_ANALYTICS
  • [Deleted] PAN_TRAPS_ANALYTICS_CLOUD
  • [Deleted] PAN_TRAPS_CONFIG_CLOUD
  • [Deleted] PAN_TRAPS_MISC_CLOUD
  • [Deleted] PAN_TRAPS_SYSTEM_CLOUD
  • [Deleted] PULSESECURE_LOGS
  • [Deleted] PULSESECURE_LOGS2
  • [Deleted] Renew_Logs
  • [Deleted] SESSION_ERROR
  • [Deleted] SHIBBOLETH_DUO
  • [Deleted] SHIBBOLETH_HTTP_EDU
  • [Deleted] SHIBBOLETH_HTTP_MAIL
  • [Deleted] SHIBBOLETH_LDAP
  • [Deleted] SHIBBOLETH_LDAP_EMAIL
  • [Deleted] SNARE_AGENTHEARTBEAT_LOGS
  • [Deleted] SNARE_WINDOWS_DHCP_LOGS
  • [Deleted] SNMP_LOGS
  • [Deleted] SURICATA_HTTP_LOGS
  • [Deleted] SURICATA_LOGSTASH
  • [Deleted] SURICATA_LOGSTASH_CUSTOM
  • [Deleted] SURICATA_THREAT_LOGS
  • [Deleted] SYMANTEC_SEP_Anti_Virus
  • [Deleted] SYMANTEC_SEP_PRF_01
  • [Deleted] SYMANTEC_SEP_PRF_02
  • [Deleted] SYMANTEC_SEP_PRF_03
  • [Deleted] SYMANTEC_SEP_SDN
  • [Deleted] SYMANTEC_SEP_SONAR
  • [Deleted] SYMANTEC_SEP_SRF
  • [Deleted] SYMANTEC_SEP_USB_1
  • [Deleted] SonicWall_Bad_FTP_Protocol
  • [Deleted] SonicWall_Block_Dropped_Events
  • [Deleted] SonicWall_Flood_Attack
  • [Deleted] SonicWall_IPS
  • [Deleted] SonicWall_Port_Scan
  • [Deleted] SonicWall_URL_Filter
  • [Deleted] Successful_Logon
  • [Deleted] TANIUM_S24_TYPE_LOGS
  • [Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
  • [Deleted] VDM_LOG_EXTRA
  • [Deleted] VDM_MESSAGES_CONNECT
  • [Deleted] VDM_MESSAGES_DIRECTORY
  • [Deleted] VDM_MESSAGES_FROM
  • [Deleted] VDM_MESSAGES_FTP
  • [Deleted] VDM_MESSAGES_WARN
  • [Deleted] VLT_VAULT_EXTRA
  • [Deleted] VPN_Message_2
  • [Deleted] VPN_Message_3
  • [Deleted] VPN_Message_4
  • [Deleted] VPN_Message_5
  • [Deleted] VPN_Messages
  • [Deleted] Vmware_Logs_1
  • [Deleted] Vmware_Logs_2
  • [Deleted] Vmware_Logs_3
  • [Deleted] Vmware_Logs_4
  • [Deleted] Vmware_Logs_5
  • [Deleted] Vmware_Logs_6
  • [Deleted] Vmware_Logs_7
  • [Deleted] Vmware_Logs_8
  • [Deleted] WATCHGUARD_FLOW_LOG
  • [Deleted] WATCHGUARD_FLOW_LOG_2
  • [Deleted] WINDOWS_DHCP_LOG
  • [Deleted] WINDOWS_QUICK_FIX
  • [Deleted] Zscaler_Firewall
  • [Deleted] cisco_authentication_01
  • [Deleted] cisco_authentication_02
  • [Deleted] cisco_authentication_03
  • [Deleted] cisco_authentication_04
  • [Deleted] cisco_authentication_05
  • [Deleted] cisco_authentication_06
  • [Deleted] cisco_authentication_07
  • [Deleted] cisco_authentication_08
  • [Deleted] cisco_authentication_09
  • [Deleted] cisco_authentication_10
  • [Deleted] cisco_authentication_11
  • [Deleted] cisco_authentication_12
  • [Deleted] cisco_authentication_13
  • [Deleted] cisco_authentication_14
  • [Deleted] cisco_authentication_15
  • [Deleted] cisco_ios_system_log_message
  • [Deleted] cisco_ios_system_log_message_queue_full
  • [Deleted] citrix_netscaler_AAA_Messsage
  • [Deleted] citrix_netscaler_API_CMD_EXECUTED
  • [Deleted] citrix_netscaler_TCP_connection_terminated
  • [Deleted] citrix_netscaler_delinked_message
  • [Deleted] citrix_netscaler_delinked_message_01
  • [Deleted] windows_defender

Schema

  • [New] _cipSourceHost
  • [New] _cipSourceName

April 7, 2022 - Announcement

On April 21, 2022 we will be removing the following legacy log mappers related to the CIP Windows collector from the CSE platform. These log mappers are in use by only a small portion of our customer base, and we are working with our technical account teams to reach out directly to those impacted and migrate them to our newer Sumo parsers.

No loss of out-of-the-box functionality will occur and no out-of-the-box rules are impacted as the Sumo parsers map all of the same information. Please be sure to check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.

  • Windows - Security - 1100 - CIP
  • Windows - Security - 1102 - CIP
  • Windows - Security - 4625 - CIP
  • Windows - Security - 4624 - CIP
  • Windows - Security - 4634 - CIP
  • Windows - Security - 4648 - CIP
  • Windows - Security - 4649 - CIP
  • Windows - Security - 4672 - CIP
  • Windows - Security - 4688 - CIP
  • Windows - Security - 4697 - CIP
  • Windows - Security - 4698 - CIP
  • Windows - Security - 4702 - CIP
  • Windows - Security - 4720 - CIP
  • Windows - Security - 4726 - CIP
  • Windows - Security - 4740 - CIP
  • Windows - Security - 4742 - CIP
  • Windows - Security - 5805 - CIP
  • Windows - Security - 4768 - CIP
  • Windows - Security - 4769 - CIP
  • Windows - Security - 4770 - CIP
  • Windows - Security - 4771 - CIP
  • Windows - Security - 4776 - CIP
  • Windows - Security - 4778 - CIP
  • Windows - Security - 4779 - CIP
  • Windows - Security - 5140 - CIP
  • Windows - Security - 4728 - CIP
  • Windows - Security - 4732 - CIP
  • Windows - Security - 4756 - CIP
  • Windows - Security - 4661 - CIP
  • Windows - Security - 4704 - CIP
  • Windows - Security - 4754 - CIP
  • Windows - Security - 4780 - CIP
  • Windows - Security - 4793 - CIP
  • Windows - Security - 5038 - CIP
  • Windows - Security - 6272 - CIP
  • Windows - Security - 6273 - CIP
  • Windows - Security - 6275 - CIP
  • Windows - Security - 6278 - CIP
  • Windows - Security - 4662 - CIP
  • Windows - Security - 4755 - CIP
  • Windows - Security - 4689 - CIP
  • Windows - Security - 4798 - CIP
  • Windows - Security - 6416 - CIP
  • Windows - Security - 6423 - CIP
  • Windows - Security - 6424 - CIP
  • Windows - Security - 4656 - CIP
  • Windows - Security - 4663 - CIP
  • Windows - Security - 4658 - CIP
  • Windows - Security - 4674 - CIP
  • Windows - Security - 4799 - CIP
  • Windows - Security - 5058 - CIP
  • Windows - Security - 5059 - CIP
  • Windows - Security - 5061 - CIP
  • Windows - Security - 5379 - CIP
  • Windows - System - 5138 - CIP
  • Windows - System - 6005 - CIP
  • Windows - System - 6006 - CIP
  • Windows - System - 7045 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP

April 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00599 Alibaba ActionTrail Root Login
  • [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
  • [Updated] MATCH-S00168 Windows - Local System executing whoami.exe

Log Mappers

  • [New] Cisco ASA 313004 JSON
  • [New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/SentinelOne/SentinelOne Syslog

April 6, 2022 - Announcement

Upcoming Removal of Unused Content

On Tuesday, April 12th, unused legacy grok parsers and their corresponding log mappers will be removed from CSE.

This update is part of a longer transition as we begin decommissioning legacy grok parsers in favor of our current parser set. Sumo Logic has confirmed customers are NOT actively using any of the legacy grok parsers or log mappers we plan to remove in this future update.

It's important to note that this future content update does NOT remove or change existing legacy grok parsers or associated log mappers still used by customers today. We do not expect this update to cause any operational changes.

April 1, 2022 - Content Release

Spring4Shell Exploitation

A new Rule (MATCH-S00783) is being deployed that is designed to detect attempts to exploit Spring4Shell. This Rule does not necessarily indicate whether the exploitation was successful, but CSE already includes a number of Rules that provide extensive coverage of common post-exploitation activities, notably:

  • MATCH-S00348 Curl Start Combination
  • MATCH-S00362 Suspicious Curl File Upload
  • LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
  • MATCH-S00149 PowerShell File Download
  • MATCH-S00164 Suspicious Shells Spawned by Web Servers
  • MATCH-S00174 Web Services Executing Common Web Shell Commands

Rules

  • [New] MATCH-S00783 Spring4Shell Exploitation - URL
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [New] Netskope - WebTx Events
  • [New] Tenable.io Authentication
  • [New] Tenable.io Catch All
  • [Updated] AWS CloudFront
  • [Updated] AWS WAF Block Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events
  • [Updated] Tenable.io Vulnerability

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.


Copyright © 2023 by Sumo Logic, Inc.