January 13, 2023 - Content Release

Rules

  • [New] MATCH-S00825 AWS Secrets Manager Enumeration
  • [New] MATCH-S00827 Exposed AWS SNS Topic Created
  • [New] MATCH-S00823 Exposed AWS SQS Queue Created
  • [New] MATCH-S00828 Office 365 Exchange Transport Rule Created
  • [New] MATCH-S00829 Office 365 Exchange Transport Rule Enabled
  • [New] MATCH-S00830 Office 365 Forwarding Rule Created
  • [New] MATCH-S00833 Office 365 Inbox Rule Created
  • [New] MATCH-S00832 Office 365 Inbox Rule Updated
  • [New] MATCH-S00831 Office 365 Unified Audit Logging Disabled
  • [New] MATCH-S00824 Potential XMRig Execution with Traffic
  • [New] MATCH-S00826 SSH Keys Added to EC2 Instance
  • [New] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
  • [Updated] MATCH-S00480 Solarwinds Suspicious Child Processes
  • [Updated] MATCH-S00504 User Added to Local Administrators

Log Mappers

  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 22
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 25
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 27
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 28
  • [Updated] Cloudflare - Logpush
  • [Updated] Microsoft Office 365 AzureActiveDirectory Events
  • [Updated] Microsoft Office 365 Exchange Mailbox Audit Events
  • [Updated] Microsoft Office 365 Exchange Mailbox Authentication Events
  • [Updated] Microsoft Office 365 ExchangeItem Events
  • [Updated] Microsoft Office 365 ExchangeItemGroup Events
  • [Updated] Microsoft Office 365 RecordType 105
  • [Updated] Microsoft Office 365 RecordType 37
  • [Updated] Microsoft Office 365 RecordType 57
  • [Updated] Office 365 - Exchange Admin Events

Parsers

  • [New] /Parsers/System/Microsoft/Windows-Syslog WinCollect

Schema

  • [Updated] device_k8s_normalizedDeploymentName
  • [Updated] device_k8s_normalizedPodName
  • [Updated] device_k8s_normalizedReplicaSetName
  • [Updated] dstDevice_k8s_normalizedDeploymentName
  • [Updated] dstDevice_k8s_normalizedPodName
  • [Updated] dstDevice_k8s_normalizedReplicaSetName
  • [Updated] srcDevice_k8s_normalizedDeploymentName
  • [Updated] srcDevice_k8s_normalizedPodName
  • [Updated] srcDevice_k8s_normalizedReplicaSetName

Copyright © 2023 by Sumo Logic, Inc.