First Seen Rules
Sumo Logic is pleased to announce new features in Cloud SIEM Enterprise (CSE) that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.
The first feature is called a First Seen Rule. With this new rule type, CSE can detect events such as “the first time a user logs in from a new location” without having to define a rule expression that is unique to each user in your environment (and the location(s) from which he/she usually logs in). Other examples include detecting the unusual granting of administrative privileges, Windows recon command, AWS Secrets Manager API calls, API gateway enumeration, and more.
First Seen Rules are defined like any other rule type, through the Content menu in CSE.
First Seen Rules operate based on a baseline. During this period of time - typically between 7 and 30 days - the system will learn what normal and expected behavior looks like. After the baseline is established, CSE will begin generating Signals when unusual behavior is detected compared to that baseline. Baselines can be per-entity or global. (Note that the longer the baseline, the more accurate the model will be.)
CSE will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.
For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the CSE UI.
Entity Timeline
Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:
This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.
Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.
The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.
For more information about how to use the Entity Timeline, see the online documentation.
Minor Changes and Enhancements
- [Updated] Entities listed in the Signals index (
sec_signal) now includecriticalityandsuppressedattributes (which reflect the state of those Entities when the Signal was generated). - [New] The CSE API now supports searching the Threat Intelligence data by
sourceName. - [Updated] The Threat Intelligence API
GetThreatIntelIndicatorsendpoint now supports data sets of more than 10,000 indicators. - [Updated] The Insights API now supports searching (filtering) by confidence score.
- [Updated] CSE now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
- [Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
- [New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.
Bug Fixes
- The consolidated Insight ‘board’ view was not displaying properly in some instances.
- An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
- The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
- The Insight creation source label was not positioned properly when scrolling an Insight Details page.
- Entity notes could not be deleted.