Skip to main content

February 17, 2023 - Content Release

Rules

  • [New] MATCH-S00842 Suspicious Azure CLI Keys Access on Linux Host
  • [New] MATCH-S00843 Suspicious GCP CLI Keys Access on Linux Host

Note that the following updates do not change detection capabilities and are only updates to descriptions and other metadata.

  • [Updated] MATCH-S00308 AWS CloudTrail - OpsWorks Describe Permissions Event
  • [Updated] MATCH-S00210 AWS CloudTrail - SQS List Queues Event
  • [Updated] MATCH-S00238 AWS CloudTrail - sensitive activity in KMS
  • [Updated] MATCH-S00594 Alibaba ActionTrail KMS Activity
  • [Updated] MATCH-S00417 Attrib.exe use to Hide Files and Folders
  • [Updated] MATCH-S00786 Azure - SQL Database Export
  • [Updated] MATCH-S00304 External Device Installation Denied
  • [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [Updated] MATCH-S00614 GCP Audit KMS Activity
  • [Updated] MATCH-S00466 MsiExec Web Install
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00634 Okta Admin App Access Attempt Failed
  • [Updated] MATCH-S00633 Okta Admin App Accessed
  • [Updated] MATCH-S00756 Outlook Homepage Modification
  • [Updated] MATCH-S00465 PXELoot Utility
  • [Updated] MATCH-S00200 Potential Pass the Hash Activity
  • [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
  • [Updated] MATCH-S00265 QuarksPwDump Dump File Observed
  • [Updated] MATCH-S00747 Registry Modification - Active Setup
  • [Updated] MATCH-S00754 Registry Modification - Microsoft Office Test Function Registry Entry
  • [Updated] MATCH-S00422 Spaces Before File Extension
  • [Updated] MATCH-S00196 Successful Overpass the Hash Attempt
  • [Updated] MATCH-S00293 Suspicious External Device Installation
  • [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load

Log Mappers

  • [Deleted] Sysdig Monitor C2C
  • [New] CloudTrail - s3.amazonaws.com - GetBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] Fortinet App Control Logs
  • [Updated] Fortinet DLP Logs
  • [Updated] Fortinet DNS Logs
  • [Updated] Fortinet Event Logs
  • [Updated] Fortinet IPS Logs
  • [Updated] Fortinet Traffic Logs
  • [Updated] Fortinet VOIP Logs
  • [Updated] Fortinet Virus Logs
  • [Updated] Fortinet Webfilter Logs

Parsers

  • [Deleted] /Parsers/System/Sysdig/Sysdig Monitor C2C
  • [Updated] /Parsers/System/Fortinet/Fortigate/Fortigate-Syslog
  • [Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.