Skip to main content

June 2022 Archive

Archive of June 2022 Cloud SIEM Release Notes.

June 24, 2022 Announcement

Beginning July 15, 2022, Signals generated by Cloud SIEM Enterprise will be automatically saved in a new sec_signals index. This index/special partition will be similar to the existing secrecord indices in that, unlike data retained using the older Signal Forwarding feature, it will be saved in proper JSON supporting keyword search and nested attributes.

The new index will be automatically generated and retained for a period of 2 years at no additional cost for all CSE customers.

As a result, the optional Signal Forwarding feature in CSE will be deprecated on September 15, 2022. Existing data will not be deleted but new Signals generated after that date will no longer be forwarded and the option will no longer be available in CSE.

Customers leveraging Signal Forwarding data to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signals index before September 15.

If you have any questions or concerns, please contact Sumo Logic customer support.

June 24, 2022 - Application Update

Minor Changes and Enhancements

  • [New] On the Insight details pages, if the user has selected the Show Related Signals option, the related Signals will appear on the Signals Timeline graph.

Resolved Issues

  • The /sec/v1/insights/{}/tags API endpoint was returning a 500/INTERNAL_SERVER_ERROR.

June 21, 2022 - Content Release

Log Mappers

  • [Updated] McAfee Avecto Defendpoint

Parsers

  • [Updated] /Parsers/System/Cisco/Cisco ASA
  • [Updated] /Parsers/System/McAfee/McAfee EPO XML

June 15, 2022 - Content Release

Rules

  • [Updated] MATCH-S00400 Web Download via Office Binaries

Log Mappers

  • [New] GCP Parser - Load Balancer

Parsers

  • [Updated] /Parsers/System/Google/GCP
  • [Updated] /Parsers/System/Orca Security/Orca Security
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

June 13, 2022 Application Update

Minor Changes and Enhancements

  • [Updated] List filters have been updated to better support custom Entity types; users no longer have to specify the Entity type in order to filter by Entity value (i.e. name). (Old bookmark will continue to work.)
  • [Updated] On the Insight Details pages, the sort order for Signals has been reverted to oldest first. As always, the user can change the sort order and in an upcoming release, the UI will be updated to retain the user's selected sort order across sessions.
  • [Deleted] The standalone Suppressed Entities list page has been removed from the UI as it was confusing to users. To retrieve a list of suppressed Entities, users should filter the Entities list page.

Resolved Issues

  • CSV upload for Network Blocks was not working unless the (optional) "label" field was provided.
  • Then filtering lists by date, the "include current" checkbox was not working consistently.

June 9, 2022 - Content Release

Rules

  • [New] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
  • [Updated] MATCH-S00687 Linux Security Tool Usage
  • [Updated] MATCH-S00555 Threat Intel - Inbound Traffic Context

Log Mappers

  • [Updated] Cyber Ark Vault JSON

Parsers

  • [New] /Parsers/System/Cyber-Ark/Cyber-Ark Vault - CEF
  • [Updated] /Parsers/System/AWS/AWS ELB
  • [Updated] /Parsers/System/AWS/AWS WAF

June 7, 2022 - Content Release 2022-06-07

Rules

  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution

Log Mappers

  • [New] Bitdefender - avc
  • [New] Bitdefender - fw
  • [New] Bitdefender - hd
  • [New] Bitdefender - network-monitor
  • [New] Bitdefender - new-incident
  • [New] Linux OS Syslog - Cron - Generic
  • [New] Linux OS Syslog - sshd - session timeout
  • [Updated] Bitdefender Catch All
  • [Updated] SonicWall Firewall - Custom Parser

Parsers

  • [Updated] /Parsers/System/Dell/Dell SonicWall
  • [Updated] /Parsers/System/Linux/Linux OS Syslog

June 3, 2022 - Content Release

Rules

  • [New] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [New] MATCH-S00813 Microsoft Support Diagnostic Tool Invoking PowerShell - CVE-2022-30190
  • [New] MATCH-S00812 Microsoft Support Diagnostic Tool with BrowseForFile - CVE-2022-30190
  • [Updated] THRESHOLD-S00080 Internal Port Scan
  • [Updated] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190

Log Mappers

  • [New] Google G Suite - logout
  • [New] McAfee Mvision ENS incidents - Parser
  • [New] McAfee Mvision ENS threats - Parser
  • [New] Okta Authentication - auth_via_AD_agent
  • [New] Okta Authentication - auth_via_mfa
  • [New] Okta Authentication - auth_via_radius
  • [New] Okta Authentication - sso
  • [Updated] Google G Suite - login.login
  • [Updated] Okta Authentication Events
  • [Updated] Salesforce LoginAs Mapping

Parsers

  • [New] /Parsers/System/McAfee/McAfee Mvision ENS

Schema

  • [Updated] device_ip_asnNumber
  • [Updated] device_ip_asnOrg
  • [Updated] device_ip_city
  • [Updated] device_ip_countryCode
  • [Updated] device_ip_countryName
  • [Updated] device_ip_isp
  • [Updated] device_ip_latitude
  • [Updated] device_ip_longitude
  • [Updated] device_ip_region
  • [Updated] device_natIp_asnNumber
  • [Updated] device_natIp_asnOrg
  • [Updated] device_natIp_city
  • [Updated] device_natIp_countryCode
  • [Updated] device_natIp_countryName
  • [Updated] device_natIp_isp
  • [Updated] device_natIp_latitude
  • [Updated] device_natIp_longitude
  • [Updated] device_natIp_region
  • [Updated] dns_replyIp_asnNumber
  • [Updated] dns_replyIp_asnOrg
  • [Updated] dns_replyIp_city
  • [Updated] dns_replyIp_countryCode
  • [Updated] dns_replyIp_countryName
  • [Updated] dns_replyIp_isp
  • [Updated] dns_replyIp_latitude
  • [Updated] dns_replyIp_longitude
  • [Updated] dns_replyIp_region
  • [Updated] dstDevice_ip_asnNumber
  • [Updated] dstDevice_ip_asnOrg
  • [Updated] dstDevice_ip_city
  • [Updated] dstDevice_ip_countryCode
  • [Updated] dstDevice_ip_countryName
  • [Updated] dstDevice_ip_isp
  • [Updated] dstDevice_ip_latitude
  • [Updated] dstDevice_ip_longitude
  • [Updated] dstDevice_ip_region
  • [Updated] srcDevice_ip_asnNumber
  • [Updated] srcDevice_ip_asnOrg
  • [Updated] srcDevice_ip_city
  • [Updated] srcDevice_ip_countryCode
  • [Updated] srcDevice_ip_countryName
  • [Updated] srcDevice_ip_isp
  • [Updated] srcDevice_ip_latitude
  • [Updated] srcDevice_ip_longitude
  • [Updated] srcDevice_ip_region

June 1, 2022 - Announcement

Geographical Data for IP Addresses

  • As previously announced, CSE has switched to a new provider for geographical data for IP addresses. One consequence of this change is that the various _isp enrichment fields (listed below) are no longer being populated. However, that data is available in the equivalent _asnOrg fields (such as device_ip_asnOrg). If you have any rules that leverage the _isp fields, please switch to the _asnOrg fields as soon as possible.
  • Because these fields will no longer be populated, they will be removed on June 7, 2022:
    • device_ip_isp
    • device_natIp_isp
    • device_replyIp_isp
    • dstDevice_ip_isp
    • dstDevice_natIp_isp
    • srcDevice_ip_isp
    • srcDevice_natIp_isp

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.

To view release notes from previous years, check the archive.

RSS Feed
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.