
April 2022 Archive

Archive of April 2022 Cloud SIEM Release Notes.


April 29, 2022 - Application Update

[New] The Cloud SIEM Enterprise team is excited to announce a newly enhanced feature: Related Entities. Although an Insight and the Signals it contains are focused on a single Entity (a user or a host, for example), the Records and Signals in that Insight often reference a number of additional Entities. In addition, CSE can detect relationships between Entities (for example, determining that an IP address was associated with a given hostname during the Insight detection window).

To give analysts an easy way to explore all of these Related Entities, a new Entities tab has been added to the Insight Details page.

The Entities tab contains a list of all of the Entities detected in the Insight’s Signals and Records. The Primary Entity is listed first, and then the other Related Entities are listed in descending order of appearance. Where CSE has determined a relationship between entities, that is called out (for example, 192.168.1.101 may also be hostname ‘na’).

Details listed with each entity include tags, the number of Signals the Entity was seen in, the number of recent Insights and Signals that featured that Entity, and the total sum of the Severities for those Signals.

As each Entity is selected by the user, the right column changes to show more details, such as a link to the full Entity Details page, inventory and other metadata, a Signal timeline, and a list of the recent Signals and Insights (containing links to those individual details pages).

This new feature should help users understand the context of security events more quickly by providing this data at a glance, reducing the amount of time it would have previously taken to gather that same information.

More information can be found in the online documentation.

Minor Changes and Enhancements

[Update] For Signals generated by Threshold, Aggregation and Chain Rules, the Queried Records feature lets users find additional Records that match the Signal beyond those that were needed to meet the Rule's conditions. The page that lists these Queried Records now explicitly shows the search query and the time window being checked. Clicking the query opens a Log Search window with the query and time window pre-filled for deeper investigation.


April 29, 2022 - Content Release

Rules

  • [Updated] THRESHOLD-S00051 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions
  • [Updated] THRESHOLD-S00093 AWS Route 53 Reconnaissance
  • [Updated] THRESHOLD-S00092 AWS WAF Reconnaissance
  • [Updated] THRESHOLD-S00044 DNS DGA Lookup Behavior - NXDOMAIN Responses
  • [Updated] THRESHOLD-S00088 GCP Audit Reconnaissance Activity
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] CHAIN-S00004 Lateral Movement Using the Windows Hidden Admin Share
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
  • [Updated] THRESHOLD-S00040 Possible DNS over TLS (DoT) Activity
  • [Updated] THRESHOLD-S00031 RDP Brute Force Attempt
  • [Updated] THRESHOLD-S00034 SSH Authentication Failures

Log Mappers

  • [New] BlueCat DHCP Parser - Catch All
  • [New] Microsoft Exchange Catch All
  • [New] Microsoft Exchange HTTP Error
  • [New] Microsoft Exchange IIS
  • [New] Varonis DatAlert - Parser
  • [Updated] Varonis DatAdvantage - CEF

Parsers

  • [New] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/Microsoft/Exchange
  • [New] /Parsers/System/Varonis/Varonis DatAlert Syslog
  • [Updated] /Parsers/System/F5/F5 Syslog

April 26, 2022 - Content Release

Rules

  • [New] MATCH-S00808 Azure - Container Instance Creation/Modification
  • [New] MATCH-S00809 Azure - Container Start
  • [New] MATCH-S00807 Azure - Image Created/Modified
  • [New] MATCH-S00810 Azure - Image Deleted

Log Mappers

  • [New] Darktrace Parser Events
  • [Updated] Zscaler - Nanolog Streaming Service - JSON

Parsers

  • [New] /Parsers/System/Darktrace/Darktrace Syslog
  • [New] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

April 20, 2022 - Content Release

Rules

  • [New] MATCH-S00798 Azure - Anonymous Blob Access
  • [New] MATCH-S00805 Azure - Bastion Host Created/Modified
  • [New] MATCH-S00806 Azure - Bastion Host Deleted
  • [New] MATCH-S00795 Azure - Diagnostic Setting Deleted
  • [New] MATCH-S00796 Azure - Diagnostic Setting Modified
  • [New] MATCH-S00797 Azure - Event Hub Deleted
  • [New] THRESHOLD-S00109 Azure - Excessive Key Vault Get Requests
  • [New] MATCH-S00788 Azure - Key Deletion
  • [New] MATCH-S00789 Azure - Key Purged
  • [New] MATCH-S00792 Azure - Key Vault Deleted
  • [New] MATCH-S00787 Azure - Protected Item Deletion Attempt
  • [New] MATCH-S00794 Azure - Secret Backup
  • [New] MATCH-S00791 Azure - Secret Deleted
  • [New] MATCH-S00790 Azure - Secret Purged
  • [New] MATCH-S00800 Azure - Storage Deletion
  • [New] MATCH-S00799 Azure - Storage Modification
  • [New] MATCH-S00803 Azure - Virtual Machine Creation/Modification
  • [New] MATCH-S00804 Azure - Virtual Machine Deleted
  • [New] MATCH-S00801 Azure - Virtual Machine Started
  • [New] MATCH-S00802 Azure - Virtual Machine Stopped
  • [Updated] MATCH-S00246 AWS CloudTrail - GetSecretValue from non Amazon IP
  • [Updated] MATCH-S00494 Backdoor.HTTP.BEACON.[Yelp Request]
  • [Updated] MATCH-S00492 Backdoor.HTTP.GORAT.[SID1]
  • [Updated] LEGACY-S00047 High risk file extension download without hostname and referrer
  • [Updated] MATCH-S00445 Known Ransomware File Extensions

Log Mappers

  • [New] Dropbox - Authentication
  • [New] Dropbox - Catch All
  • [Updated] Azure AuditEvent logs

Parsers

  • [Updated] /Parsers/System/AWS/GuardDuty

April 19, 2022 - Announcement

On Tuesday, May 10, we will be consolidating Authentication Brute Force Attempt MATCH-S00258 into the normalized intrusion rule set. For more information on the normalized intrusion rule set, please visit the help page.


April 18, 2022 - Application Update

Minor Changes and Enhancements

  • [New] API endpoints are now available to add a given Signal to, or remove it from, a given Insight: PUT "/insights/<insightId>/signals" and DELETE "/insights/<insightId>/signals" respectively. For both endpoints, the request body is a list of the Signal ID(s) to add to or remove from the Insight, and the response is the updated Insight.
  • [Update] The way CSE displays group membership in Active Directory inventory objects is changing. Previously, it was displayed as an LDAP distinguished name (for example, cn=groupname,dc=something,dc=domain,dc=com); now it will show just the group name.
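The PUT/DELETE endpoints described above, as an added example that is not Sumo Logic's own code: a small Python client that builds the requests exactly as the note describes (a JSON list of Signal IDs in the body, the updated Insight in the response), plus an in-memory stand-in for the service so it runs offline. The base URL, the Bearer-token Authorization header and the response JSON shape are assumptions, not taken from the page.

```python
"""Client for adding/removing Signals on an Insight via the new endpoints.

Assumptions (not on the release-notes page): BASE_URL, the Authorization
header scheme, and the response shape {"data": {"id": ..., "signals": [...]}}.
"""
import io
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

BASE_URL = "https://api.example.invalid/sec/v1"  # placeholder, assumption


class InsightSignalsClient:
    """PUT /insights/<insightId>/signals adds Signals; DELETE removes them."""

    def __init__(self, base_url=BASE_URL, token="PLACEHOLDER_TOKEN", opener=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        # An injectable opener lets tests substitute an offline fake service.
        self.opener = opener or urllib.request.build_opener()

    def _call(self, method, insight_id, signal_ids):
        # Validate before building the request: an id containing "/" would
        # change the path, and an empty body is a no-op the server may reject.
        if not insight_id or "/" in insight_id:
            raise ValueError("insight_id must be a single non-empty path segment")
        if not signal_ids or not all(isinstance(s, str) and s for s in signal_ids):
            raise ValueError("signal_ids must be a non-empty list of id strings")
        body = json.dumps(list(signal_ids)).encode()  # body is a list of Signal IDs
        url = f"{self.base_url}/insights/{urllib.parse.quote(insight_id, safe='')}/signals"
        req = urllib.request.Request(
            url, data=body, method=method,
            headers={"Content-Type": "application/json",
                     "Accept": "application/json",
                     "Authorization": f"Bearer {self.token}"},  # assumed scheme
        )
        with self.opener.open(req, timeout=30) as resp:
            return json.loads(resp.read().decode())  # the updated Insight

    def add_signals(self, insight_id, signal_ids):
        return self._call("PUT", insight_id, signal_ids)

    def remove_signals(self, insight_id, signal_ids):
        return self._call("DELETE", insight_id, signal_ids)


class FakeInsightService:
    """Constructed in-memory stand-in for the server so the example runs offline."""

    def __init__(self, insights):
        self.insights = {k: set(v) for k, v in insights.items()}
        self.calls = []  # (method, insight_id, signal_ids) seen, for inspection

    def open(self, req, timeout=None):
        parts = req.full_url.split("/")
        if len(parts) < 3 or parts[-1] != "signals" or parts[-3] != "insights":
            raise HTTPError(req.full_url, 404, "Not Found", {}, None)
        insight_id = urllib.parse.unquote(parts[-2])
        if insight_id not in self.insights:
            raise HTTPError(req.full_url, 404, "Unknown Insight", {}, None)
        ids = json.loads(req.data.decode())
        method = req.get_method()
        self.calls.append((method, insight_id, ids))
        if method == "PUT":
            self.insights[insight_id].update(ids)
        elif method == "DELETE":
            self.insights[insight_id].difference_update(ids)
        else:
            raise HTTPError(req.full_url, 405, "Method Not Allowed", {}, None)
        payload = {"data": {"id": insight_id,
                            "signals": [{"id": s} for s in sorted(self.insights[insight_id])]}}
        return io.BytesIO(json.dumps(payload).encode())  # BytesIO is a context manager


def demo():
    """Add one Signal, then remove another; return both updated Insights and the calls made."""
    service = FakeInsightService({"INSIGHT-123": {"SIG-1", "SIG-2"}})  # constructed data
    client = InsightSignalsClient(opener=service)
    added = client.add_signals("INSIGHT-123", ["SIG-3"])
    removed = client.remove_signals("INSIGHT-123", ["SIG-1"])
    return added, removed, service.calls


if __name__ == "__main__":
    for insight in demo()[:2]:
        print(json.dumps(insight))
```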

Resolved Issues

  • Signal and Insight timestamps in the Cloud SIEM Enterprise UI were not always displayed in the user’s preferred time zone.

April 15, 2022 - Announcements

  • Because Anomali ThreatStream can now be connected via standardized TAXII feeds, the direct integration between Cloud SIEM Enterprise and Anomali ThreatStream has been deprecated as of April 15, 2022. If you are using this integration, be sure to convert to a TAXII feed. To set up a feed, first follow Anomali's documentation for Setting up a TAXII feed for ThreatStream, then Sumo Logic's documentation for Integrating CSE with a TAXII Feed.
  • The Entity API has been updated to include a new field, IsSuppressed. This field replaces IsWhitelisted, which has been deprecated as of April 15, 2022. If you were previously using IsWhitelisted, please ensure you have switched to the new field.

April 14, 2022 - Content Release

Rules

  • [New] MATCH-S00785 Azure - Blob Container Deletion
  • [New] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00243 Azure - High Risk Sign-In (Aggregate)
  • [Updated] MATCH-S00245 Azure - High Risk Sign-In (Real Time)
  • [Updated] MATCH-S00224 Azure - Risky User State : User Confirmed Compromised
  • [Updated] MATCH-S00250 Azure - Suspicious User Risk State Associated with Login
  • [Updated] LEGACY-S00066 PowerShell Remote Administration
  • [Updated] LEGACY-S00105 Suspicious DC Logon
  • [Updated] THRESHOLD-S00075 Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)

Log Mappers

  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Microsoft Graph AD Reporting API C2C - DirectoryAudits
  • [Updated] Microsoft Graph AD Reporting API C2C - Provisioning
  • [Updated] Microsoft Graph AD Reporting API C2C - Signin
  • [Updated] Trend Micro CEF logs

Parsers

  • [New] /Parsers/System/Trend Micro/Trend Micro Deep Security - CEF

April 12, 2022 - Content Release

Rules

  • [New] MATCH-S00784 Linux Host Entered Promiscuous Mode

Log Mappers

  • [Deleted] AWS VPC Flow Logs - Custom Format 1
  • [Deleted] Adaxes Execute Event
  • [Deleted] Adaxes Modify Event
  • [Deleted] Adaxes Run PowerShell Event
  • [Deleted] Aruba Error Logs
  • [Deleted] Aruba ICMP Logs
  • [Deleted] Aruba LDAP Server Logs
  • [Deleted] Aruba PoniUnwired HTTPD CGID Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Error Samples
  • [Deleted] Aruba PoniUnwired HTTPD Core Warn Samples
  • [Deleted] Aruba PoniUnwired HTTPD ssl error Samples
  • [Deleted] Aruba PoniUnwired Warn Samples
  • [Deleted] BIND DNS Query
  • [Deleted] BIND DNS Update Zone
  • [Deleted] BIND DNS Update Zone Failed
  • [Deleted] BIOC Credential Access logs
  • [Deleted] BIOC Dropper logs
  • [Deleted] BIOC Evasion Variation 2 logs
  • [Deleted] BIOC Evasion logs
  • [Deleted] BIOC Infiltration logs
  • [Deleted] BIOC Persistence and Execution logs
  • [Deleted] BIOC Privilege logs
  • [Deleted] BIOC Reconnaissance logs
  • [Deleted] BIOC Reconnaissance logs Variation 2
  • [Deleted] BIOC Tampering logs
  • [Deleted] BIOC create and write logs
  • [Deleted] Bandura Domain Logs
  • [Deleted] Bandura Packet Logs
  • [Deleted] Barracuda Proxy
  • [Deleted] Bind DHCP Full
  • [Deleted] Bind DHCP On
  • [Deleted] Bind DHCP Short
  • [Deleted] Bind DNS log 1
  • [Deleted] Bind DNS log 10
  • [Deleted] Bind DNS log 2
  • [Deleted] Bind DNS log 3
  • [Deleted] Bind DNS log 4
  • [Deleted] Bind DNS log 5
  • [Deleted] Bind DNS log 6
  • [Deleted] Bind DNS log 7
  • [Deleted] Bind DNS log 8
  • [Deleted] Bind DNS log 9
  • [Deleted] Bind9 DNS
  • [Deleted] Blue Coat Proxy 2
  • [Deleted] Blue Coat Proxy 4
  • [Deleted] Blue Coat Proxy 5
  • [Deleted] Blue Coat Proxy 6
  • [Deleted] Blue Coat Proxy 7
  • [Deleted] Blue Coat Proxy Logs
  • [Deleted] BlueCat DHCP Bootrequest
  • [Deleted] BlueCat DHCP Decline
  • [Deleted] BlueCat DHCP INFORM Logs
  • [Deleted] BlueCat DHCP Offer Logs
  • [Deleted] BlueCat DHCP Reuse Lease
  • [Deleted] BlueCat DHCP failover
  • [Deleted] BlueCat DNS
  • [Deleted] BlueCat DNS with Key
  • [Deleted] CB Protection
  • [Deleted] CB Protection Username
  • [Deleted] CB Response Server 1
  • [Deleted] CB Response Server 10
  • [Deleted] CB Response Server 11
  • [Deleted] CB Response Server 13
  • [Deleted] CB Response Server 14
  • [Deleted] CB Response Server 15
  • [Deleted] CB Response Server 17
  • [Deleted] CB Response Server 2
  • [Deleted] CB Response Server 20
  • [Deleted] CB Response Server 3
  • [Deleted] CB Response Server 4
  • [Deleted] CB Response Server 5
  • [Deleted] CB Response Server 6
  • [Deleted] CB Response Server 7
  • [Deleted] CB Response Server 9
  • [Deleted] CB Response Severity 1
  • [Deleted] CB Response Severity 2
  • [Deleted] CB Response Severity 3
  • [Deleted] CICSCOFW434002
  • [Deleted] Check Point ACCEPT Grok
  • [Deleted] Check Point DROP
  • [Deleted] Check Point VPN
  • [Deleted] Check Point encrypt/decrypt
  • [Deleted] Check Point key install
  • [Deleted] Cisco ACS FAILED-ATTEMPT
  • [Deleted] Cisco ACS FAILED-AUTHENTICATION
  • [Deleted] Cisco ACS Passed-Authentication
  • [Deleted] Cisco ACS Tacacs-Accounting
  • [Deleted] Cisco ASA 106002
  • [Deleted] Cisco ASA 106012
  • [Deleted] Cisco ASA 106013
  • [Deleted] Cisco ASA 106018
  • [Deleted] Cisco ASA 106022
  • [Deleted] Cisco ASA 113039
  • [Deleted] Cisco ASA 716037
  • [Deleted] Cisco ASA 716038
  • [Deleted] Cisco ASA 716039
  • [Deleted] Cisco ASA 722056
  • [Deleted] Cisco ASA 725012
  • [Deleted] Cisco ASA 725017
  • [Deleted] Cisco ASA 734003
  • [Deleted] Cisco ASA 746012
  • [Deleted] Cisco AnyConnect NAT RULES Logs
  • [Deleted] Cisco Authentication Message 01
  • [Deleted] Cisco Authentication Message 02
  • [Deleted] Cisco Authentication Message 03
  • [Deleted] Cisco Authentication Message 04
  • [Deleted] Cisco Authentication Message 05
  • [Deleted] Cisco Authentication Message 06
  • [Deleted] Cisco Authentication Message 07
  • [Deleted] Cisco Authentication Message 08
  • [Deleted] Cisco Authentication Message 09
  • [Deleted] Cisco Authentication Message 10
  • [Deleted] Cisco Authentication Message 11
  • [Deleted] Cisco Authentication Message 12
  • [Deleted] Cisco Authentication Message 13
  • [Deleted] Cisco Authentication Message 14
  • [Deleted] Cisco Authentication Message 15
  • [Deleted] Cisco IOS Message
  • [Deleted] Cisco IOS Queue Full
  • [Deleted] Cisco Ironport WSA
  • [Deleted] Cisco Ironport WSA NOHD
  • [Deleted] Cisco Ironport WSA NOHD 01
  • [Deleted] Cisco Ironport WSA NOHD 03
  • [Deleted] Cisco Meraki IDS-Alerts
  • [Deleted] Cisco Meraki Security Event
  • [Deleted] Cisco Meraki Security Filtering Disposition Change
  • [Deleted] Cisco Umbrella IP Logs Custom
  • [Deleted] Citrix NetScaler AAA Message
  • [Deleted] Citrix NetScaler API CMD EXECUTED
  • [Deleted] Citrix NetScaler Delinked Message
  • [Deleted] Citrix NetScaler Delinked Message 01
  • [Deleted] Citrix NetScaler TCP Connection Terminated
  • [Deleted] DNS_Additions
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EXABEAM
  • [Deleted] F5 HTTPd Audit
  • [Deleted] F5 SSHD Samples
  • [Deleted] F5 SSL Request
  • [Deleted] Firepower Access Control
  • [Deleted] Firepower Access Control 2
  • [Deleted] Firepower Access Control 3
  • [Deleted] Firepower Access Control 4
  • [Deleted] Firepower Access Control 5
  • [Deleted] Firepower Alerts
  • [Deleted] Forcepoint NEW
  • [Deleted] Huawei SNMP LOGS
  • [Deleted] IBM WebSpheredatadevice error 1
  • [Deleted] IBM WebSpheredatadevice error 2
  • [Deleted] IBM WebSpheredatadevice error 3
  • [Deleted] IBM WebSpheredatadevice error 4
  • [Deleted] IBM WebSpheredatadevice error 5
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS
  • [Deleted] INFOBLOX_DNS_QUERIES LOGS - NIOS
  • [Deleted] Infoblox DHCP Updater 1
  • [Deleted] Infoblox DHCP Updater 2
  • [Deleted] Infoblox DHCP Updater 3
  • [Deleted] Infoblox DHCP Updater 4
  • [Deleted] Infoblox DHCP Updater 5
  • [Deleted] Infoblox DHCPACK RENEW Samples
  • [Deleted] Infoblox DHCPACK v2 Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples
  • [Deleted] Infoblox DHCPDISCOVER Samples 2
  • [Deleted] Infoblox DHCPDISCOVER Unknown network Sample
  • [Deleted] Infoblox DHCPEXPIRE Samples
  • [Deleted] Infoblox DHCPNAK Samples
  • [Deleted] Infoblox DHCPOFFER UID Samples
  • [Deleted] Infoblox DHCPRELEASE Samples
  • [Deleted] Infoblox DNS Request AXRF Ended
  • [Deleted] Infoblox DNS Request AXRF Started
  • [Deleted] Infoblox DNS Response
  • [Deleted] Infoblox DNS Zone Update 1
  • [Deleted] Infoblox DNS Zone Update 2
  • [Deleted] Infoblox DNS Zone Update 3
  • [Deleted] Infoblox DNS Zone Update 4
  • [Deleted] Infoblox DNS Zone Update 5
  • [Deleted] Infoblox DNS Zone Update 6
  • [Deleted] Infoblox Domain Notified
  • [Deleted] Invalid Login
  • [Deleted] IronPort Quarantined MID
  • [Deleted] IronPort Quarantined TO
  • [Deleted] Ironport DCID Message
  • [Deleted] Ironport DKIM
  • [Deleted] Ironport ICID Message
  • [Deleted] Ironport Info IC
  • [Deleted] Ironport Info IC and Msg
  • [Deleted] Ironport Info ISQ or RPC
  • [Deleted] Ironport Info Message
  • [Deleted] Ironport Info Mid Info
  • [Deleted] Ironport WSA SFIMS Protocol 1
  • [Deleted] Ironport WSA SFIMS Protocol 2
  • [Deleted] Ironport WSA SFIMS Protocol 3
  • [Deleted] Ironport WSA SFIMS Protocol 4
  • [Deleted] Ironport Warn Message
  • [Deleted] Ironport Warning Connection Error
  • [Deleted] Ironport Warning Full
  • [Deleted] Ironport Warning Invalid DNS FULL
  • [Deleted] Ironport Warning LIMIT
  • [Deleted] Juniper Flow Reassemble Logs
  • [Deleted] Juniper Session Error Logs
  • [Deleted] LINUX User Auth with Hostname
  • [Deleted] Linux Laravel Activity Logs
  • [Deleted] Linux Laravel Activity Logs 01
  • [Deleted] Linux Laravel Login Logs
  • [Deleted] LinuxServer Audit Logs 01
  • [Deleted] LinuxServer Audit Logs 02
  • [Deleted] LinuxServer Log 1
  • [Deleted] LinuxServer Log 11
  • [Deleted] LinuxServer Log 2
  • [Deleted] LinuxServer Log 3
  • [Deleted] LinuxServer Log 4
  • [Deleted] LinuxServer Log 5
  • [Deleted] LinuxServer Log 6
  • [Deleted] LinuxServer Log 7
  • [Deleted] Mcafee MVISION CASB Log
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] Network Management Logs
  • [Deleted] Oauth Logs
  • [Deleted] Ossec Group Addition Logs
  • [Deleted] Ossec Insecure Connection Logs
  • [Deleted] Ossec Integrity checksum Logs
  • [Deleted] Ossec Root Login Refused Logs
  • [Deleted] Ossec ssh server Logs
  • [Deleted] Palo Alto Traps Analytics
  • [Deleted] Palo Alto Traps Analytics - Cloud
  • [Deleted] Palo Alto Traps Config - Cloud
  • [Deleted] Palo Alto Traps Event
  • [Deleted] Palo Alto Traps Events Updated
  • [Deleted] Palo Alto Traps Misc - Cloud
  • [Deleted] Palo Alto Traps System - Cloud
  • [Deleted] Pulse Secure Endpoint
  • [Deleted] Pulse Secure Logs
  • [Deleted] Renew Logs
  • [Deleted] Shibboleth DUO
  • [Deleted] Shibboleth HTTP Redirect EDU
  • [Deleted] Shibboleth HTTP Redirect Email
  • [Deleted] Shibboleth LDAP
  • [Deleted] Shibboleth LDAP Email
  • [Deleted] Snare AgentHeartBeat Logs
  • [Deleted] Snare Windows DHCP Logs
  • [Deleted] SonicWall Bad FTP Protocol
  • [Deleted] SonicWall Block Dropped Events
  • [Deleted] SonicWall Flood Attack
  • [Deleted] SonicWall IPS
  • [Deleted] SonicWall Port Scan
  • [Deleted] SonicWall URL Filter
  • [Deleted] Successful Login
  • [Deleted] Successful Logins
  • [Deleted] Successful SSH Login
  • [Deleted] Suricata HTTP Logs
  • [Deleted] Suricata LogStash
  • [Deleted] Suricata Logstash Custom
  • [Deleted] Suricata Threat Logs
  • [Deleted] Symantec SEP AntiVirus
  • [Deleted] Symantec SEP Potential Risk Found 01
  • [Deleted] Symantec SEP Potential Risk Found 2
  • [Deleted] Symantec SEP Potential Risk Found 3
  • [Deleted] Symantec SEP SONAR
  • [Deleted] Symantec SEP Security Risk Found
  • [Deleted] Symantec SEP Sonar Detection
  • [Deleted] Symantec SEP USB Drive
  • [Deleted] Tanium S24 Logs
  • [Deleted] VLT Vault Extra
  • [Deleted] VMware Logs 1
  • [Deleted] VMware Logs 2
  • [Deleted] VMware Logs 3
  • [Deleted] VMware Logs 4
  • [Deleted] VMware Logs 5
  • [Deleted] VMware Logs 6
  • [Deleted] VMware Logs 7
  • [Deleted] VMware Logs 8
  • [Deleted] VPN Messages
  • [Deleted] VPN Messages 2
  • [Deleted] VPN Messages 3
  • [Deleted] VPN Messages 4
  • [Deleted] VPN Messages 5
  • [Deleted] WatchGuard flow log
  • [Deleted] WatchGuard flow log 2
  • [Deleted] Windows DHCP
  • [Deleted] Windows Defender Unstructured
  • [Deleted] Windows QUICK FIX
  • [Deleted] Zscaler Firewall Grok
  • [Deleted] cisco17
  • [Deleted] cisco20
  • [Deleted] ePO Threat Event
  • [New] AWS EKS - Custom Parser
  • [New] Azure Storage Analytics
  • [New] Citrix NetScaler - SSL Handshake Success
  • [Updated] Azure Administrative logs
  • [Updated] Azure Write and Delete Logs
  • [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
  • [Updated] Citrix NetScaler - Command Executed
  • [Updated] Citrix NetScaler - SSLVPN-HTTPREQUEST
  • [Updated] Citrix NetScaler - SSLVPN-ICA Events
  • [Updated] Citrix NetScaler - SSLVPN-LOGIN
  • [Updated] Citrix NetScaler - SSLVPN-LOGOUT
  • [Updated] Citrix NetScaler - SSLVPN-TCPCONNSTAT

Parsers

  • [New] /Parsers/System/AWS/AWS EKS
  • [New] /Parsers/System/Microsoft/Azure Storage Analytics
  • [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog

Legacy Parsers

  • [Deleted] 4624
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CGID_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_CORE_WARN_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_HTTPD_SSL_ERROR_SAMPLES
  • [Deleted] ARUBA_PONIUNWIRED_WARN_SAMPLES
  • [Deleted] ASA_106002
  • [Deleted] ASA_106013
  • [Deleted] ASA_106018
  • [Deleted] ASA_106022
  • [Deleted] ASA_113039
  • [Deleted] ASA_5_746012
  • [Deleted] ASA_6_106012
  • [Deleted] ASA_716037
  • [Deleted] ASA_716038
  • [Deleted] ASA_716039
  • [Deleted] ASA_722056
  • [Deleted] ASA_7_725012
  • [Deleted] ASA_7_725017
  • [Deleted] ASA_7_734003
  • [Deleted] AWS_VPC_FLOW_CUSTOM_1
  • [Deleted] Adaxes_Execute_Event
  • [Deleted] Adaxes_Modify_Event
  • [Deleted] Adaxes_Run_PowerShell_Event
  • [Deleted] Aruba_Error_Logs
  • [Deleted] Aruba_ICMP_Logs
  • [Deleted] Aruba_LDAP_Server_Logs
  • [Deleted] BANDURA_DOMAIN_LOGS
  • [Deleted] BANDURA_PACKET_LOGS
  • [Deleted] BARRACUDA_PROXY
  • [Deleted] BIND9
  • [Deleted] BIND_DHCP_FOR_FULL
  • [Deleted] BIND_DHCP_FOR_SHORT
  • [Deleted] BIND_DHCP_ON
  • [Deleted] BIND_Query
  • [Deleted] BIND_Update_Zone
  • [Deleted] BIND_Update_Zone_Failure
  • [Deleted] BIOC_CREATE_AND_WRITE
  • [Deleted] BIOC_CREDENTIAL_ACCESS
  • [Deleted] BIOC_DROPPER
  • [Deleted] BIOC_EVASION
  • [Deleted] BIOC_EVASION_VARIATION_2
  • [Deleted] BIOC_INFILTRATION
  • [Deleted] BIOC_PERSISTENCE_EXECUTION
  • [Deleted] BIOC_PRIVILEGE
  • [Deleted] BIOC_RECONNAISSANCE
  • [Deleted] BIOC_RECONNAISSANCE_VARIATION_2
  • [Deleted] BIOC_TAMPERING
  • [Deleted] BLUECAT_DHCP_BOOTREQUEST
  • [Deleted] BLUECAT_DHCP_DECLINE
  • [Deleted] BLUECAT_DHCP_INFORM
  • [Deleted] BLUECAT_DHCP_OFFER
  • [Deleted] BLUECAT_DHCP_failover
  • [Deleted] BLUECAT_DHCP_reuse_lease
  • [Deleted] BLUECAT_DNS_NO_KEY
  • [Deleted] BLUECAT_DNS_WITH_KEY
  • [Deleted] BLUECOAT_PROXY
  • [Deleted] BLUECOAT_PROXY_2
  • [Deleted] BLUECOAT_PROXY_4
  • [Deleted] BLUECOAT_PROXY_5
  • [Deleted] BLUECOAT_PROXY_6
  • [Deleted] BLUECOAT_PROXY_7
  • [Deleted] Bind_DNS_log_1
  • [Deleted] Bind_DNS_log_10
  • [Deleted] Bind_DNS_log_2
  • [Deleted] Bind_DNS_log_3
  • [Deleted] Bind_DNS_log_4
  • [Deleted] Bind_DNS_log_5
  • [Deleted] Bind_DNS_log_6
  • [Deleted] Bind_DNS_log_7
  • [Deleted] Bind_DNS_log_8
  • [Deleted] Bind_DNS_log_9
  • [Deleted] CB_PROTECT
  • [Deleted] CB_PROTECT_USERNAME
  • [Deleted] CB_RESPONSE_SERVER_1
  • [Deleted] CB_RESPONSE_SERVER_10
  • [Deleted] CB_RESPONSE_SERVER_11
  • [Deleted] CB_RESPONSE_SERVER_13
  • [Deleted] CB_RESPONSE_SERVER_14
  • [Deleted] CB_RESPONSE_SERVER_15
  • [Deleted] CB_RESPONSE_SERVER_17
  • [Deleted] CB_RESPONSE_SERVER_2
  • [Deleted] CB_RESPONSE_SERVER_20
  • [Deleted] CB_RESPONSE_SERVER_3
  • [Deleted] CB_RESPONSE_SERVER_4
  • [Deleted] CB_RESPONSE_SERVER_5
  • [Deleted] CB_RESPONSE_SERVER_6
  • [Deleted] CB_RESPONSE_SERVER_7
  • [Deleted] CB_RESPONSE_SERVER_9
  • [Deleted] CB_RESPONSE_SEVERITY_1
  • [Deleted] CB_RESPONSE_SEVERITY_2
  • [Deleted] CB_RESPONSE_SEVERITY_3
  • [Deleted] CHECKPOINT_ACCEPT
  • [Deleted] CHECKPOINT_CRYPT
  • [Deleted] CHECKPOINT_DROP
  • [Deleted] CHECKPOINT_KEY_INSTALL
  • [Deleted] CHECKPOINT_VPN_ROUTE
  • [Deleted] CICSCOFW434002
  • [Deleted] CISCOFW321001
  • [Deleted] CISCOFW419001
  • [Deleted] CISCO_ACS_FAILED_ATTEMPT
  • [Deleted] CISCO_ACS_FAILED_AUTHENTICATION
  • [Deleted] CISCO_ACS_PASSED_AUTHENTICATION
  • [Deleted] CISCO_ACS_TACACS_ACCOUNTING
  • [Deleted] CISCO_MERAKI_IDS_ALERTS
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT
  • [Deleted] CISCO_MERAKI_SECURITY_EVENT_SECURITY_FILTERING_DISPOSITION_CHANGE
  • [Deleted] CRM_VODLOG
  • [Deleted] Cisco_Umbrella_IP_Logs
  • [Deleted] Dns_Update
  • [Deleted] EPO_THREATS_AV
  • [Deleted] EPO_THREAT_EVENT
  • [Deleted] EXABEAM
  • [Deleted] F5_HTTPD_AUDIT
  • [Deleted] F5_SSHD_SAMPLES
  • [Deleted] F5_SSL_REQUEST
  • [Deleted] FLOW_REASSEMBLE
  • [Deleted] FORCEPOINT_NEW_AND_IMPROVED
  • [Deleted] Failed_Logon
  • [Deleted] Firepower_ALERT_IDS
  • [Deleted] Firepower_Access_Control
  • [Deleted] Firepower_Access_Control_2
  • [Deleted] Firepower_Access_Control_3
  • [Deleted] Firepower_Access_Control_4
  • [Deleted] Firepower_Access_Control_5
  • [Deleted] IBM_WebSpheredatadevice_error_1
  • [Deleted] IBM_WebSpheredatadevice_error_2
  • [Deleted] IBM_WebSpheredatadevice_error_3
  • [Deleted] IBM_WebSpheredatadevice_error_4
  • [Deleted] IBM_WebSpheredatadevice_error_5
  • [Deleted] INFLOBLOX_DNS_MESSAGE
  • [Deleted] INFOBLOX_DHCPACK_RENEW_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES
  • [Deleted] INFOBLOX_DHCPDISCOVER_SAMPLES_2
  • [Deleted] INFOBLOX_DHCPDISCOVER_UNKNOWN_NETWORK_SAMPLE
  • [Deleted] INFOBLOX_DHCPEXPIRE_SAMPLES
  • [Deleted] INFOBLOX_DHCPNAK_SAMPLES
  • [Deleted] INFOBLOX_DHCPOFFER_UID_SAMPLES
  • [Deleted] INFOBLOX_DHCPRELEASE_SAMPLES
  • [Deleted] INFOBLOX_DHCP_UPDATER_1
  • [Deleted] INFOBLOX_DHCP_UPDATER_2
  • [Deleted] INFOBLOX_DHCP_UPDATER_3
  • [Deleted] INFOBLOX_DHCP_UPDATER_4
  • [Deleted] INFOBLOX_DHCP_UPDATER_5
  • [Deleted] INFOBLOX_DHCP_V2_SAMPLES
  • [Deleted] INFOBLOX_DNS_QUERIES
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_ENDED
  • [Deleted] INFOBLOX_DNS_REQUEST_AXFR_STARTED
  • [Deleted] INFOBLOX_DNS_RESPONSE
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_1
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_2
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_3
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_4
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_5
  • [Deleted] INFOBLOX_DNS_ZONE_UPDATE_6
  • [Deleted] INFOBLOX_DOMAIN_NOTIFIED
  • [Deleted] IRONPORT_QUARANTINE_MID
  • [Deleted] IRONPORT_QUARANTINE_TO
  • [Deleted] IRON_PORT_CONNECTION
  • [Deleted] IRON_PORT_DCID_MSG
  • [Deleted] IRON_PORT_DKIM
  • [Deleted] IRON_PORT_ICID_MSG
  • [Deleted] IRON_PORT_INFO_ICID
  • [Deleted] IRON_PORT_INFO_MID
  • [Deleted] IRON_PORT_INFO_MID_ICID
  • [Deleted] IRON_PORT_INFO_MSG
  • [Deleted] IRON_PORT_ISQ_RPC
  • [Deleted] IRON_PORT_WARN_FULL
  • [Deleted] IRON_PORT_WARN_INVALID_DNS_FULL
  • [Deleted] IRON_PORT_WARN_LIMIT
  • [Deleted] IRON_PORT_WARN_MSG
  • [Deleted] IRON_PORT_WSA
  • [Deleted] IRON_PORT_WSA_NOHD
  • [Deleted] IRON_PORT_WSA_NOHD_01
  • [Deleted] IRON_PORT_WSA_NOHD_03
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_1
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_2
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_3
  • [Deleted] IRON_PORT_WSA_SFIMS_PROTOCOL_4
  • [Deleted] Internal_Auth_Logs
  • [Deleted] LINUXSERVER_AUDIT_LOGS_1
  • [Deleted] LINUXSERVER_AUDIT_LOGS_2
  • [Deleted] LINUXSERVER_LOG_1
  • [Deleted] LINUXSERVER_LOG_11
  • [Deleted] LINUXSERVER_LOG_2
  • [Deleted] LINUXSERVER_LOG_3
  • [Deleted] LINUXSERVER_LOG_4
  • [Deleted] LINUXSERVER_LOG_5
  • [Deleted] LINUXSERVER_LOG_6
  • [Deleted] LINUXSERVER_LOG_7
  • [Deleted] LINUX_USER_AND_HOSTNAME
  • [Deleted] Linux_Laravel_Logs1
  • [Deleted] Linux_Laravel_Logs2
  • [Deleted] Linux_Laravel_Logs3
  • [Deleted] MVISION_CASB
  • [Deleted] NAT_RULES_MATCH
  • [Deleted] NMS_LOGS
  • [Deleted] NSM_THREAT_IPS
  • [Deleted] OAUTH_LOG
  • [Deleted] Ossec_Logs_01
  • [Deleted] Ossec_Logs_02
  • [Deleted] Ossec_Logs_03
  • [Deleted] Ossec_Logs_04
  • [Deleted] Ossec_Logs_06
  • [Deleted] PALO_ALTO_TRAPS
  • [Deleted] PALO_TRAPS_EXTRA
  • [Deleted] PAN_TRAPS_ANALYTICS
  • [Deleted] PAN_TRAPS_ANALYTICS_CLOUD
  • [Deleted] PAN_TRAPS_CONFIG_CLOUD
  • [Deleted] PAN_TRAPS_MISC_CLOUD
  • [Deleted] PAN_TRAPS_SYSTEM_CLOUD
  • [Deleted] PULSESECURE_LOGS
  • [Deleted] PULSESECURE_LOGS2
  • [Deleted] Renew_Logs
  • [Deleted] SESSION_ERROR
  • [Deleted] SHIBBOLETH_DUO
  • [Deleted] SHIBBOLETH_HTTP_EDU
  • [Deleted] SHIBBOLETH_HTTP_MAIL
  • [Deleted] SHIBBOLETH_LDAP
  • [Deleted] SHIBBOLETH_LDAP_EMAIL
  • [Deleted] SNARE_AGENTHEARTBEAT_LOGS
  • [Deleted] SNARE_WINDOWS_DHCP_LOGS
  • [Deleted] SNMP_LOGS
  • [Deleted] SURICATA_HTTP_LOGS
  • [Deleted] SURICATA_LOGSTASH
  • [Deleted] SURICATA_LOGSTASH_CUSTOM
  • [Deleted] SURICATA_THREAT_LOGS
  • [Deleted] SYMANTEC_SEP_Anti_Virus
  • [Deleted] SYMANTEC_SEP_PRF_01
  • [Deleted] SYMANTEC_SEP_PRF_02
  • [Deleted] SYMANTEC_SEP_PRF_03
  • [Deleted] SYMANTEC_SEP_SDN
  • [Deleted] SYMANTEC_SEP_SONAR
  • [Deleted] SYMANTEC_SEP_SRF
  • [Deleted] SYMANTEC_SEP_USB_1
  • [Deleted] SonicWall_Bad_FTP_Protocol
  • [Deleted] SonicWall_Block_Dropped_Events
  • [Deleted] SonicWall_Flood_Attack
  • [Deleted] SonicWall_IPS
  • [Deleted] SonicWall_Port_Scan
  • [Deleted] SonicWall_URL_Filter
  • [Deleted] Successful_Logon
  • [Deleted] TANIUM_S24_TYPE_LOGS
  • [Deleted] VAR_LOG_SECURE_SUCCESSFUL_LOGIN
  • [Deleted] VDM_LOG_EXTRA
  • [Deleted] VDM_MESSAGES_CONNECT
  • [Deleted] VDM_MESSAGES_DIRECTORY
  • [Deleted] VDM_MESSAGES_FROM
  • [Deleted] VDM_MESSAGES_FTP
  • [Deleted] VDM_MESSAGES_WARN
  • [Deleted] VLT_VAULT_EXTRA
  • [Deleted] VPN_Message_2
  • [Deleted] VPN_Message_3
  • [Deleted] VPN_Message_4
  • [Deleted] VPN_Message_5
  • [Deleted] VPN_Messages
  • [Deleted] Vmware_Logs_1
  • [Deleted] Vmware_Logs_2
  • [Deleted] Vmware_Logs_3
  • [Deleted] Vmware_Logs_4
  • [Deleted] Vmware_Logs_5
  • [Deleted] Vmware_Logs_6
  • [Deleted] Vmware_Logs_7
  • [Deleted] Vmware_Logs_8
  • [Deleted] WATCHGUARD_FLOW_LOG
  • [Deleted] WATCHGUARD_FLOW_LOG_2
  • [Deleted] WINDOWS_DHCP_LOG
  • [Deleted] WINDOWS_QUICK_FIX
  • [Deleted] Zscaler_Firewall
  • [Deleted] cisco_authentication_01
  • [Deleted] cisco_authentication_02
  • [Deleted] cisco_authentication_03
  • [Deleted] cisco_authentication_04
  • [Deleted] cisco_authentication_05
  • [Deleted] cisco_authentication_06
  • [Deleted] cisco_authentication_07
  • [Deleted] cisco_authentication_08
  • [Deleted] cisco_authentication_09
  • [Deleted] cisco_authentication_10
  • [Deleted] cisco_authentication_11
  • [Deleted] cisco_authentication_12
  • [Deleted] cisco_authentication_13
  • [Deleted] cisco_authentication_14
  • [Deleted] cisco_authentication_15
  • [Deleted] cisco_ios_system_log_message
  • [Deleted] cisco_ios_system_log_message_queue_full
  • [Deleted] citrix_netscaler_AAA_Messsage
  • [Deleted] citrix_netscaler_API_CMD_EXECUTED
  • [Deleted] citrix_netscaler_TCP_connection_terminated
  • [Deleted] citrix_netscaler_delinked_message
  • [Deleted] citrix_netscaler_delinked_message_01
  • [Deleted] windows_defender

Schema

  • [New] _cipSourceHost
  • [New] _cipSourceName

April 7, 2022 - Announcement

On April 21, 2022, we will remove the following legacy log mappers related to the CIP Windows collector from the CSE platform. These log mappers are in use by only a small portion of our customer base, and we are working with our technical account teams to reach out directly to those impacted and migrate them to our newer Sumo parsers.

No loss of out-of-the-box functionality will occur and no out-of-the-box rules are impacted, as the Sumo parsers map all of the same information. Please check any custom rules that leverage Windows logging for compatibility with the new parsing and mapping, particularly where the "fields" field is referenced.

  • Windows - Security - 1100 - CIP
  • Windows - Security - 1102 - CIP
  • Windows - Security - 4625 - CIP
  • Windows - Security - 4624 - CIP
  • Windows - Security - 4634 - CIP
  • Windows - Security - 4648 - CIP
  • Windows - Security - 4649 - CIP
  • Windows - Security - 4672 - CIP
  • Windows - Security - 4688 - CIP
  • Windows - Security - 4697 - CIP
  • Windows - Security - 4698 - CIP
  • Windows - Security - 4702 - CIP
  • Windows - Security - 4720 - CIP
  • Windows - Security - 4726 - CIP
  • Windows - Security - 4740 - CIP
  • Windows - Security - 4742 - CIP
  • Windows - Security - 5805 - CIP
  • Windows - Security - 4768 - CIP
  • Windows - Security - 4769 - CIP
  • Windows - Security - 4770 - CIP
  • Windows - Security - 4771 - CIP
  • Windows - Security - 4776 - CIP
  • Windows - Security - 4778 - CIP
  • Windows - Security - 4779 - CIP
  • Windows - Security - 5140 - CIP
  • Windows - Security - 4728 - CIP
  • Windows - Security - 4732 - CIP
  • Windows - Security - 4756 - CIP
  • Windows - Security - 4661 - CIP
  • Windows - Security - 4704 - CIP
  • Windows - Security - 4754 - CIP
  • Windows - Security - 4780 - CIP
  • Windows - Security - 4793 - CIP
  • Windows - Security - 5038 - CIP
  • Windows - Security - 6272 - CIP
  • Windows - Security - 6273 - CIP
  • Windows - Security - 6275 - CIP
  • Windows - Security - 6278 - CIP
  • Windows - Security - 4662 - CIP
  • Windows - Security - 4755 - CIP
  • Windows - Security - 4689 - CIP
  • Windows - Security - 4798 - CIP
  • Windows - Security - 6416 - CIP
  • Windows - Security - 6423 - CIP
  • Windows - Security - 6424 - CIP
  • Windows - Security - 4656 - CIP
  • Windows - Security - 4663 - CIP
  • Windows - Security - 4658 - CIP
  • Windows - Security - 4674 - CIP
  • Windows - Security - 4799 - CIP
  • Windows - Security - 5058 - CIP
  • Windows - Security - 5059 - CIP
  • Windows - Security - 5061 - CIP
  • Windows - Security - 5379 - CIP
  • Windows - System - 5138 - CIP
  • Windows - System - 6005 - CIP
  • Windows - System - 6006 - CIP
  • Windows - System - 7045 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP

April 7, 2022 - Content Release

Rules

  • [Updated] MATCH-S00599 Alibaba ActionTrail Root Login
  • [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
  • [Updated] MATCH-S00570 WMIPRVSE Spawning Process
  • [Updated] MATCH-S00168 Windows - Local System executing whoami.exe

Log Mappers

  • [New] Cisco ASA 313004 JSON
  • [New] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • [Updated] /Parsers/System/SentinelOne/SentinelOne Syslog

April 6, 2022 - Announcement

Upcoming Removal of Unused Content

On Tuesday, April 12th, unused legacy grok parsers and their corresponding log mappers will be removed from CSE.

This update is part of a longer transition as we begin decommissioning legacy grok parsers in favor of our current parser set. Sumo Logic has confirmed that customers are NOT actively using any of the legacy grok parsers or log mappers we plan to remove in this future update.

It's important to note that this future content update does NOT remove or change existing legacy grok parsers or associated log mappers still used by customers today. We do not expect this update to cause any operational changes.


April 1, 2022 - Content Release

Spring4Shell Exploitation

A new Rule (MATCH-S00783) is being deployed to detect attempts to exploit Spring4Shell. This Rule does not necessarily indicate whether the exploitation was successful, but CSE already includes a number of Rules that provide extensive coverage of common post-exploitation activities, notably:

  • MATCH-S00348 Curl Start Combination
  • MATCH-S00362 Suspicious Curl File Upload
  • LEGACY-S00044 HTTP Shell Script Download Disguised as a Common Web File
  • MATCH-S00149 PowerShell File Download
  • MATCH-S00164 Suspicious Shells Spawned by Web Servers
  • MATCH-S00174 Web Services Executing Common Web Shell Commands

Rules

  • [New] MATCH-S00783 Spring4Shell Exploitation - URL
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [New] Netskope - WebTx Events
  • [New] Tenable.io Authentication
  • [New] Tenable.io Catch All
  • [Updated] AWS CloudFront
  • [Updated] AWS WAF Block Logs
  • [Updated] Microsoft Office 365 Active Directory Authentication Events
  • [Updated] Tenable.io Vulnerability

Copyright © 2023 by Sumo Logic, Inc.