Skip to main content

One post tagged with "announcement"

View All Tags

Announcement: Standard Match Lists Migration to Entity Tags

Currently, CSE defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with CSE will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.

Next week, a new set of standard tag schemas will be introduced in CSE. These tag schemas will correspond to the existing standard Match Lists:

KeyAllowed ValuesEquivalent Match List
_deviceGroupadminadmin_ips
awsAdminAWS_admin_ips
businessbusiness_ips
gcpAdminGCP_admin_ips
googleWorkspaceAdminGoogle_Workspace_admin_ips
salesforceAdminsalesforce_admin_ips
sandboxsandbox_ips
scanTargetscanner_targets
_deviceServicednsdns_servers
dns_servers_dst
dns_servers_src
ftpftp_servers
smtpsmtp_servers
sqlsql_servers
sshssh_servers
telnettelnet_servers
_deviceTypeauthServerauth_servers
auth_servers_dst
auth_servers_src
lanScannerlan_scanner_exception_ips
nmsnms_ips
paloAltoSinkholepalo_alto_sinkhole_ips
proxyServerproxy_servers
proxy_servers_dst
proxy_servers_src
vpnServervpn_servers
vulnerabilityScannervuln_scanners
webServerhttp_servers
_networkTypeguestguest_networks
natnat_ips
vpnvpn_networks
_userGroupawsAdminAWS_admin_users
dsReplicationds_replication_authorized_users
gcpAdminGCP_admin_users
googleWorkspaceAdminGoogle_Workspace_admin_users
kerberosDowngradedowngrade_krb5_etype_authorized_users
salesforceAdminsalesforce_admin_users

(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)

Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity 1.2.3.4 is in match list sql_servers, a tag _deviceService:sql will be set on it. CSE will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and CSE will no longer automatically create these tags.

Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.

Note that you cannot extend the standard tag schemas (for example, you cannot add a value azureAdmin to _userGroup). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as customUserGroup) with such extended values.

You can refer to Entity tags in Rule expressions. For example, if you've attached the tag _deviceService:sql to an Entity, this statement will return "true" if that Entity is listed in a Record's srcDevice_ip field:

array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")

Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.

Minor Changes and Enhancements

  • [New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that are part of that schema. For example, if you search for _networkType (from the note above) the list results will include any object that has a tag of _networkType:guest, _networkType:nat, and/or _networkType:vpn.

Resolved Issues

  • Entity relationships were not taking sensor zones into account properly.
  • Entity details pages were only briefly displaying the proper Criticality.
  • The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.