9 posts tagged with "cloud siem release notes"

Entity Relationship Graph

We are excited to announce the new Entity Relationship Graph. With this feature, you can now see a graphical visualization of all related Entities in an Insight, as well as additional relationships beyond the Insight. This enables you to more quickly understand relationships among Entities and the larger context behind a potential security threat.

Note: This feature is available to all customers but is currently in Beta. If you encounter any issues with this feature, report them to Sumo Logic Support. We appreciate your feedback.

The Entity Relationship Graph (and the Related Entities list) displays all Entities involved in the Insight (those referred to in a record in a Signal in the Insight), as well as additional Entity relationships (for example, if CSE detects that an IP address may also have had a specific hostname at the time the Insight was generated).

However, unlike the Related Entities list, the graph can visualize additional Entity relationships that existed outside of the Insight during a specified time frame.

Both the list and this new graph are available on the Entities tab of the Insight details page:

The Entity Relationship Graph UI

You can toggle between the list view and the graph view using the control in the upper-right corner of the main panel.

Each node in the graph represents a single Entity. The graph also displays the relationship types and any Indicators. Hovering over an Entity will highlight it and all of its relationships to other Entities, and when an Entity is selected, details about the Entity are displayed on the right.

The graph also includes a number of controls for zoom, full screen mode, filtering by Entity type, and adjusting the time frame for relationship detection.

For more information about how to use the Entity Relationship Graph, see the online documentation. You will also see an introduction to the feature the first time you visit an Insight details page.

Minor Changes and Enhancements

  • [New] First Seen Rules now support the use of non-normalized record fields.
  • [New] When a file is attached to a Signal, it is now available via API (previously it would only be available if part of a Yara Signal or Threat Intel match). The endpoint is /api/v1/extracted-file?filename=
  • [Update] The default time frame on the Entity Timeline is now 3 days instead of 24 hours.
  • [Update] The http v2 Insight Action payload now includes a numeric severity value (1-4) in addition to the human-readable severity name (LOW, MEDIUM, HIGH, CRITICAL).
  • [Update] On the new Active Entities panel on the HUD, if the Entity is a Username, you can now navigate directly to that Entity’s Timeline by hovering over the Entity name and clicking the link.

Bug Fixes

  • In some cases, CSE was unable to properly extract the user name from an AWS ARN.
  • A recent change caused checkboxes to malfunction in Firefox.
  • On the Entity Timeline record details, the timestamp wasn’t displaying properly.

First Seen Rules

Sumo Logic is pleased to announce new features in Cloud SIEM Enterprise (CSE) that deliver enhanced User and Entity Behavioral Analytics (UEBA) capabilities. These new UEBA capabilities enable additional methods to detect and investigate anomalous or unexpected behavior that may signify a security threat.

The first feature is called a First Seen Rule. With this new rule type, CSE can detect events such as “the first time a user logs in from a new location” without having to define a rule expression that is unique to each user in your environment (and the location(s) from which that user usually logs in). Other examples include detecting the unusual granting of administrative privileges, Windows recon commands, AWS Secrets Manager API calls, API gateway enumeration, and more.

First Seen Rules are defined like any other rule type, through the Content menu in CSE.

A First Seen Rule definition

First Seen Rules operate on a baseline. During this baseline period (typically between 7 and 30 days) the system learns what normal and expected behavior looks like. After the baseline is established, CSE begins generating Signals when behavior is detected that is unusual compared to that baseline. Baselines can be per-entity or global. (Note that the longer the baseline, the more accurate the model will be.)

CSE will include a set of more than twenty First Seen Rules out of the box. These rules can be tuned and customized like any other rule type, and custom First Seen Rules can also be created.
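The baseline mechanism described above, as an added illustration (not Sumo Logic's implementation): a constructed first-seen detector that learns values per Entity or globally during the baseline window and emits a Signal only for a value first observed after it. The rule names, logon records and 7-day baseline are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed model of a First Seen Rule (not Sumo Logic's implementation).
# Values observed during the baseline window are learned silently; after the
# baseline, a value not seen before for the key produces a Signal. The key is
# the Entity (per-entity baseline) or one shared key (global baseline).

class FirstSeenRule:
    def __init__(self, name, baseline_days, per_entity=True):
        self.name = name
        self.baseline = timedelta(days=baseline_days)
        self.per_entity = per_entity
        self.start = None              # set by the first record processed
        self.seen = defaultdict(set)   # key -> values observed so far

    def _key(self, entity):
        return entity if self.per_entity else "*"

    def process(self, ts, entity, value):
        """Return a Signal dict if value is first seen after the baseline, else None."""
        if self.start is None:
            self.start = ts
        seen = self.seen[self._key(entity)]
        is_new = value not in seen
        seen.add(value)                # learned either way
        in_baseline = ts < self.start + self.baseline
        if is_new and not in_baseline:
            return {"rule": self.name, "entity": entity, "value": value,
                    "timestamp": ts.isoformat()}
        return None

def run(rule, records):
    """Feed (timestamp, entity, value) records in time order; return emitted Signals."""
    return [s for s in (rule.process(ts, e, v) for ts, e, v in records) if s]

# Constructed logon records: (timestamp, user, source country); 7-day baseline.
T0 = datetime(2023, 1, 1)
RECORDS = [
    (T0 + timedelta(days=1), "alice", "US"),
    (T0 + timedelta(days=2), "bob", "DE"),
    (T0 + timedelta(days=3), "alice", "CA"),   # baseline: learned, no Signal
    (T0 + timedelta(days=8), "alice", "US"),   # already known for alice: no Signal
    (T0 + timedelta(days=9), "alice", "DE"),   # new for alice -> Signal (per-entity)
    (T0 + timedelta(days=9), "bob", "US"),     # new for bob   -> Signal (per-entity)
]

def demo_per_entity():
    rule = FirstSeenRule("First Seen Logon Location from User", 7, per_entity=True)
    return run(rule, RECORDS)

def demo_global():
    # Globally, US and DE were both seen during the baseline, so no Signals fire.
    rule = FirstSeenRule("First Seen Logon Location - Global", 7, per_entity=False)
    return run(rule, RECORDS)
```

Running the same records through the per-entity and global variants shows why the scope matters: a country that is new for one user is not new for the organization. A baseline shorter than the real cadence of legitimate activity would turn ordinary but infrequent values into Signals, which is the reason the note above favors longer baselines.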

For more information about how to use First Seen Rules, see the online documentation. You can also see an introduction to the feature by navigating to a new First Seen Rule in the CSE UI.

Entity Timeline

Another new feature that will help analysts investigate unusual activity with user accounts is the Entity Timeline:

The Entity Timeline

This feature visualizes all activity for a user – including all normalized records – in an easy-to-read timeline, eliminating the need to perform manual record searches.

Related actions are grouped together and Signals and Insights generated on that user are also displayed in the timeline with the relevant record(s). Actions can be clicked on to see a more detailed set of information, and full details can be easily opened in a new tab.

The feature can be found on the new Timeline tab on each Username Entity’s Detail page with quick links from Signal and Insight detail pages (located with the Entity summaries). It is only available for the Username Entity type at this time.

For more information about how to use the Entity Timeline, see the online documentation.

Minor Changes and Enhancements

  • [Updated] Entities listed in the Signals index (sec_signal) now include criticality and suppressed attributes (which reflect the state of those Entities when the Signal was generated).
  • [New] The CSE API now supports searching the Threat Intelligence data by sourceName.
  • [Updated] The Threat Intelligence API GetThreatIntelIndicators endpoint now supports data sets of more than 10,000 indicators.
  • [Updated] The Insights API now supports searching (filtering) by confidence score.
  • [Updated] CSE now supports up to 1000 inventory-based Entity Groups (the previous limit was 50).
  • [Updated] When viewing an Insight, a label is displayed that indicates the source. When an Insight is generated by a Custom Insight, it will now say Custom Insight (Rule) (instead of Rule) and Custom Insight (Signal) (instead of Signal) to reduce confusion with Insights generated by the Insight Algorithm through standard Rules and Signals.
  • [New] Entity Groups can now be managed in bulk by uploading CSV files from the Entity Groups list page.

Bug Fixes

  • The consolidated Insight ‘board’ view was not displaying properly in some instances.
  • An improper error message was displayed when attempting to create a rule with the same name as one that already existed.
  • The Insight Updates section on the HUD was displaying incorrectly if there were no recent updates.
  • The Insight creation source label was not positioned properly when scrolling an Insight Details page.
  • Entity notes could not be deleted.

Rules

  • [New] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [New] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [New] FIRST-S00004 First Seen Local Group Addition by User
  • [New] FIRST-S00005 First Seen User Creation From User
  • [New] FIRST-S00006 First Seen Weak Kerberos Encryption from User
  • [New] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [New] FIRST-S00008 First Seen whoami command From User
  • [New] FIRST-S00009 First Seen RDP From User
  • [New] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [New] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [New] FIRST-S00012 First Seen Sysmon IMPHASH - Host
  • [New] FIRST-S00013 First Seen Driver Load - Global
  • [New] FIRST-S00014 First Seen Driver Load - Host
  • [New] FIRST-S00015 First Seen Macro Execution from User
  • [New] FIRST-S00016 First Seen Non-Network Logon from User
  • [New] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [New] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [New] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [New] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [New] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [New] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [New] FIRST-S00023 First Seen AWS API Gateway Enumeration By User
  • [New] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [New] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [New] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [New] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [New] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications

Log Mappers

  • [New] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand

Active Entities Panel

To help analysts detect potential security issues as early as possible, a new panel has been added to the Heads Up Display (HUD):

Screenshot of the new Active Entities panel in CSE

This panel lists the top five most active entities, ranked by Signal Severity Total. This metric, which was introduced with the Related Entities enhancement last year, is the total sum of the severities of all unique Signals the Entity appears in during the current Insight detection window (typically, the past 14 days).

The count of Active Signals (Signals within the detection window that have not been included in an Insight) is also listed.

When hovering over the Entity value, the Entity’s type will be displayed. The Entity value is a link to that Entity’s details page.

Analysts can use this tool to investigate what appears to be risky activity and potentially address security issues proactively, before they are raised to the level of an Insight.

Minor Changes and Enhancements

  • [New] When looking at Signals in the new sec_signal index, attributes and values in array fields are now properly supported by auto-parsing, syntax like count by, and features like right-click > filter selected value.
  • [New] An attribute attackStage has been added to the new sec_signal index. This attribute summarizes the MITRE ATT&CK stage represented by the rule that triggered the Signal. The value is defined the same way as the attack_stage attribute included in the older Signal forwarding feature.
  • [Updated] The subResolution attribute is now included in the Insight payload for http v2 actions.
  • [Updated] The way Release Notes are listed in the CSE UI is changing. There is no longer a “bell” item on the top menu; it has been replaced with a link to the Release Notes page in the Help menu. In addition, Release Notes are now directly visible in the UI when they are published.
  • [New] When executing a context action on a Signal, fields will now be passed to the context action if they are available based on the record(s) in context.

Bug Fixes

  • The “Radar” graph of records, Signals and Insights on the HUD has been updated so that the discontinuity at the top of the Signals section of the graph has been removed.
  • When viewing the raw log message corresponding to a normalized record, the wrong message was displayed.
  • The Network Block(s) associated with an Entity were not listed on the Entity details page.
  • When testing Rule expressions, sometimes the selected Tuning expression was not included.
  • Changes to entity tags or Criticality were not being listed on the History section of the Entity.
  • Entity Criticality was sometimes not displaying properly on the Insight details page.

Minor Changes and Enhancements

  • [Updated] On the HUD, the Insight Activity widget has been updated. When selecting the Insight to display, the HUD will now choose based on this order of preference: In “New”, Unassigned, Highest GIS Confidence Score, Highest Severity, Newest. In addition, the design has been updated to improve readability.
  • [New] Users who wish to substitute custom Insight status(es) for the built-in “In Progress” status can now do so. After creating and organizing the custom status(es), the user can now disable the “In Progress” status. (It cannot be deleted.) Note that it can be disabled only if there are no Insights currently set to “In Progress.”
  • Changes to Entity tags and criticality now appear in the Entity’s change history list.
  • The Sumo Terraform provider now includes support for custom columns in match lists.
  • Kubernetes (k8s) attribute fields are now normalized to include the namespace. The normalized fields are: normalizedPodName, normalizedDeploymentName, and normalizedReplicaSetName.

Resolved Issues

  • Some Insights could not be closed via the UI (though they could via API).
  • In the consolidated (parent/child) Insight view, in “Board” mode, scrolling was not working properly. In addition, links to other orgs had an error in the URL (a duplicate “/sec”).

New Entity Types

Eight new predefined Entity types have been added to CSE. This will enable customers to more accurately associate Signals and Insights with security threats. They are listed below along with the related normalized record schema attributes (which can be specified in Rule definitions):

| Entity Type | Schema Attributes |
| --- | --- |
| Command | commandLine |
| Domain | http_referer_fqdn, http_url_fqdn |
| Email | targetUser_email, user_email |
| File | file_path, file_basename |
| Hash | file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_sha1, file_hash_sha256, file_hash_ssdeep |
| Process | baseImage, parentBaseImage |
| URL | http_url |
| User Agent | http_userAgent |

If you already had a custom Entity type with the same or similar name, it will not be affected and will not be automatically migrated to the corresponding standard Entity type.

Entity Notes

Similar to the functionality on Insights, users can now attach notes to Entities:

Screenshot of Entity Notes user interface

These notes are retained permanently on the associated Entity and are visible to all users who can view the Entity.

Custom Time Windows for Rules

Threshold, Aggregation and Chain Rules now support custom time windows. Previously, when writing a Rule, a time window had to be chosen from a list of predefined options. With this enhancement, users can define any time window in minutes, hours, or days, from a minimum of 1 minute to a maximum of 5 days (120 hours):

Screenshot of Custom Time Window for Rules user interface

Inventory Favorite Fields

Where inventory data is shown for an Entity, such as the Entity details page or the Insight details page, users can now “favorite” the inventory fields that should be shown in the summary list.

To do this, expand the Full Details view, hover to the left of the field, and click the star icon that appears. To remove a favorite, click the star icon again. The field selections are applied across all users and retained across sessions. (This behavior is the same as for favorite fields on Records.)

Screenshot of Inventory Favorite Fields user interface

Minor Changes and Enhancements

  • [Updated] The previously announced migration of our out-of-the-box rules from standard match lists to Entity tags has been postponed. New dates for this migration will be announced in the near future.
  • [New] Service providers using the Consolidated Insight List can now see Insights from client organizations across deployments.
  • [Updated] The usability of filters for list views when searching for an object that includes a specific tag schema has been enhanced.
  • [Removed] The link to download the Insight Enrichment Service has been removed from the Enrichment page. The link is specified in the installation instructions online.
  • [New] Users can now filter Records by Sensor Zone.

Resolved Issues

  • Importing data from CSV files via the UI was not working properly.
  • The http_url field was not being concatenated properly in some mapper scenarios.
  • Entity domain normalization was not working properly.
  • The Copy Expression feature in the UI did not copy Boolean values to the clipboard properly.
  • The Rule Tuning Expression list page was not auto-refreshing correctly.
  • Users were unable to filter the Signals list based on severity.
  • IP addresses in the 198.18.0.0/15 and 169.254.0.0/15 ranges were not being marked as private subnets per RFC1918.
  • Users without the proper permissions were able to add comments and Signals to Insights.
  • Regular expressions ending with an asterisk * were not working properly in search/list filters.

Support for Custom Inventory Sources

Cloud SIEM Enterprise now supports custom sources of inventory data. Now, if you want to ingest inventory data from a source that Sumo Logic does not provide a pre-built connector for, you can use this new feature. See the new document Configure a Custom Inventory Source for details.

Standard Match Lists

As a reminder, the migration for our out-of-the-box rules content from standard match lists to tags for Entities has begun. The system is now automatically setting the appropriate tags for any Entities appearing in any of the standard match lists called out in the previous announcement. This will continue until January 20, 2023, when the migration will be complete.

Minor Changes and Enhancements

  • [New] API endpoints have been created enabling users to upload attribute changes (such as tags or criticality) for multiple Entities in a single call, rather than having to do so one at a time. The new endpoints are /entities/bulk-add-tags, /entities/bulk-update-tags, /entities/bulk-remove-tags, /entities/bulk-update-suppressed, and /entities/bulk-update-criticality. Note that these API endpoints have a limit of 1000 entries per call. More details are available via the API Documentation link in Cloud SIEM Enterprise.
  • [Updated] Previously, a new feature was added to the Enrichments tab that enabled you to hide any attribute-value pair with an "empty" value for clarity. This included values like "0" or "N/A". However, some of those values are often useful to the analyst (for example, number_of_threat_reports="0"). Starting with this release, this feature will only hide attributes with truly empty values (i.e., attribute="").

Resolved Issues

  • The CSV file upload method for updating Entity attributes did not support sensor zones or normalized entity names properly.
  • CSE has switched providers of lists of public dynamic DNS domains, which has resolved an issue with rules utilizing these lists.

Announcement: Standard Match Lists Migration to Entity Tags

Currently, CSE defines a set of standard Match Lists as a way to allow users to specify lists of Entities and other indicators that should affect whether or not Rules create Signals. However, starting next week, the Rules included with CSE will begin transitioning to leverage Entity tags for this purpose instead. Tags on Entities are more flexible and can also provide context to analysts during the investigation phase.

Next week, a new set of standard tag schemas will be introduced in CSE. These tag schemas will correspond to the existing standard Match Lists:

| Key | Allowed Values | Equivalent Match List |
| --- | --- | --- |
| _deviceGroup | admin | admin_ips |
| _deviceGroup | awsAdmin | AWS_admin_ips |
| _deviceGroup | business | business_ips |
| _deviceGroup | gcpAdmin | GCP_admin_ips |
| _deviceGroup | googleWorkspaceAdmin | Google_Workspace_admin_ips |
| _deviceGroup | salesforceAdmin | salesforce_admin_ips |
| _deviceGroup | sandbox | sandbox_ips |
| _deviceGroup | scanTarget | scanner_targets |
| _deviceService | dns | dns_servers, dns_servers_dst, dns_servers_src |
| _deviceService | ftp | ftp_servers |
| _deviceService | smtp | smtp_servers |
| _deviceService | sql | sql_servers |
| _deviceService | ssh | ssh_servers |
| _deviceService | telnet | telnet_servers |
| _deviceType | authServer | auth_servers, auth_servers_dst, auth_servers_src |
| _deviceType | lanScanner | lan_scanner_exception_ips |
| _deviceType | nms | nms_ips |
| _deviceType | paloAltoSinkhole | palo_alto_sinkhole_ips |
| _deviceType | proxyServer | proxy_servers, proxy_servers_dst, proxy_servers_src |
| _deviceType | vpnServer | vpn_servers |
| _deviceType | vulnerabilityScanner | vuln_scanners |
| _deviceType | webServer | http_servers |
| _networkType | guest | guest_networks |
| _networkType | nat | nat_ips |
| _networkType | vpn | vpn_networks |
| _userGroup | awsAdmin | AWS_admin_users |
| _userGroup | dsReplication | ds_replication_authorized_users |
| _userGroup | gcpAdmin | GCP_admin_users |
| _userGroup | googleWorkspaceAdmin | Google_Workspace_admin_users |
| _userGroup | kerberosDowngrade | downgrade_krb5_etype_authorized_users |
| _userGroup | salesforceAdmin | salesforce_admin_users |

(There are five standard match lists not affected by this change, as they do not contain Entities. These include: business_asns, business_domains, business_hostnames, threat, and verified_uri_paths.)

Beginning Thursday, October 20, the contents of the standard match lists listed above will automatically be copied to tags set on the individual entities. So, for example, if an Entity 1.2.3.4 is in match list sql_servers, a tag _deviceService:sql will be set on it. CSE will continue to automatically create these tags from the standard match lists for a period of 3 months, until January 20, 2023. During this period, pre-defined rules will be updated to reference these tags instead of the standard match lists, so by the end of this period all rules will be updated and CSE will no longer automatically create these tags.

Please update any process you use to maintain the members of standard match lists by January 20, 2023 to maintain standard Entity tags instead (or in addition). We highly recommend you take advantage of Entity Groups to set Entity tags rather than individually setting tags. Entity Groups enable the automatic application of attributes like tags based on the Entity's value, IP address range, or inventory group.

Note that you cannot extend the standard tag schemas (for example, you cannot add a value azureAdmin to _userGroup). (The underscore prefix in the schema name means it's a system-defined schema.) Instead, create a different tag schema (such as customUserGroup) with such extended values.

You can refer to Entity tags in Rule expressions. For example, if you've attached the tag _deviceService:sql to an Entity, this statement will return "true" if that Entity is listed in a Record's srcDevice_ip field:

array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql")
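To make the migration and the fieldTags lookup concrete, here is an added example (not Sumo Logic's code) that maps a subset of the standard match lists to the tags in the table above, folds the _dst/_src list variants onto the same tag, rejects extensions of a standard schema such as _userGroup:azureAdmin, and evaluates the array_contains expression over a constructed record. The match list members and the record are made up.

```python
# Constructed example of the match-list-to-tag migration and the fieldTags lookup
# in Rule expressions. Not Sumo Logic's code: a subset of the table is used and
# the match list members and record below are made up.

# Allowed values per standard ("_"-prefixed, system-defined) tag schema.
STANDARD_TAGS = {
    "_deviceGroup": {"admin", "awsAdmin", "business", "gcpAdmin", "googleWorkspaceAdmin",
                     "salesforceAdmin", "sandbox", "scanTarget"},
    "_deviceService": {"dns", "ftp", "smtp", "sql", "ssh", "telnet"},
    "_deviceType": {"authServer", "lanScanner", "nms", "paloAltoSinkhole", "proxyServer",
                    "vpnServer", "vulnerabilityScanner", "webServer"},
    "_networkType": {"guest", "nat", "vpn"},
    "_userGroup": {"awsAdmin", "dsReplication", "gcpAdmin", "googleWorkspaceAdmin",
                   "kerberosDowngrade", "salesforceAdmin"},
}

# Subset of the "Equivalent Match List" column; the _dst/_src variants share the
# base list's tag (see tag_for_matchlist).
MATCHLIST_TO_TAG = {
    "admin_ips": "_deviceGroup:admin",
    "dns_servers": "_deviceService:dns",
    "sql_servers": "_deviceService:sql",
    "auth_servers": "_deviceType:authServer",
    "guest_networks": "_networkType:guest",
    "AWS_admin_users": "_userGroup:awsAdmin",
}

def tag_for_matchlist(name):
    """Tag equivalent of a standard match list, or None for lists without Entities."""
    base = name[:-4] if name.endswith(("_dst", "_src")) else name
    return MATCHLIST_TO_TAG.get(base)

def validate_tag(tag):
    """Standard schemas cannot be extended; custom schemas accept any value."""
    schema, _, value = tag.partition(":")
    if schema.startswith("_"):
        return value in STANDARD_TAGS.get(schema, set())
    return True

def migrate(matchlists):
    """{match list name: [entity values]} -> {entity: sorted tags}, as the migration does."""
    tags = {}
    for list_name, members in matchlists.items():
        tag = tag_for_matchlist(list_name)
        if tag is None:
            continue  # business_domains, threat, ... contain no Entities and stay lists
        for entity in members:
            tags.setdefault(entity, set()).add(tag)
    return {e: sorted(t) for e, t in tags.items()}

def field_tags(record, entity_tags):
    """The fieldTags map a Rule sees: record field -> tags of the Entity in that field."""
    return {field: entity_tags.get(value, []) for field, value in record.items()}

def array_contains(arr, value):
    return value in arr

# Constructed match lists and a constructed normalized record.
MATCHLISTS = {
    "sql_servers": ["1.2.3.4"],
    "dns_servers_dst": ["10.0.0.53"],
    "AWS_admin_users": ["alice"],
    "business_domains": ["example.com"],   # no Entities: not migrated
}
RECORD = {"srcDevice_ip": "1.2.3.4", "dstDevice_ip": "10.0.0.53", "user_username": "alice"}

def evaluate_rule(record=RECORD, field="srcDevice_ip", tag="_deviceService:sql"):
    """Same as array_contains(fieldTags["srcDevice_ip"], "_deviceService:sql") in a Rule."""
    return array_contains(field_tags(record, migrate(MATCHLISTS))[field], tag)
```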

Additional information about the standard tag schema, match lists, Entity groups, and using these features with Rules is available in the Cloud SIEM Documentation.

Minor Changes and Enhancements

  • [New] Users can now filter object lists based on tag schema. The list results will include all objects that have a tag that is part of that schema. For example, if you search for _networkType (from the note above), the list results will include any object that has a tag of _networkType:guest, _networkType:nat, and/or _networkType:vpn.

Resolved Issues

  • Entity relationships were not taking sensor zones into account properly.
  • Entity details pages were only briefly displaying the proper Criticality.
  • The Entities Count links on the Entity Criticality list pages were pointing at the wrong URLs.

Welcome to the Sumo Logic Cloud SIEM Release Notes on our new docs site! We're now open source and encourage you to contribute. We welcome all contributions, from minor typo fixes to brand new docs. Your expertise and sharing can help fellow users learn and expand their knowledge of Sumo Logic.


Here you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements for Cloud SIEM Enterprise.

To view Release Notes from previous years, check the archive.

Copyright © 2023 by Sumo Logic, Inc.