This content release includes:

• New log mappers for Crowdstrike Falcon to support eppDetectionSummary events from multiple ingest methods.
• New parsers and log mappers for Databricks Audit logs and Varonis Alerts.

Log Mappers​

• [New] CrowdStrike Falcon - EppDetectionSummaryEvents (CNC)
• [New] DataBricks Audit Catch All
• [New] DataBricks Authentication
• [New] Varonis Alerts Catch All

Parsers​

• [New] /Parsers/System/Databricks/Databricks Audit
• [New] /Parsers/System/Varonis/Varonis Alert JSON

This content release includes:

• New mappers for Crowdstrike Falcon events.
• Updates to existing mappers for Crowdstrike Falcon, F5, and Okta events to support additional fields and events.
• Updates to F5 Networks and Okta SSO parsers.

This new and updated content is effective as of October 22, 2025. Changes are enumerated below.

Log Mappers​

• [New] CrowdStrike Falcon Host API IdpDetectionSummaryEvent
• [New] CrowdStrike Falcon Identity Protection
• [Updated] CrowdStrike UserActivity Logs
• [Updated] F5 Authentication Catch All
• [Updated] F5 HTTPd Audit - Custom Parser
• [Updated] F5 Session and adfs proxy - Custom Parser
• [Updated] Okta Authentication - auth_via_AD_agent
• [Updated] Okta Authentication - auth_via_mfa
• [Updated] Okta Authentication - auth_via_radius
• [Updated] Okta Authentication - sso
• [Updated] Okta Authentication Events
• [Updated] Okta Catch All
• [Updated] Okta Security Threat Events

Parsers​

• [Updated] /Parsers/System/F5/F5 Syslog
• [Updated] /Parsers/System/Okta/Okta

This content release includes:

• New and updated rules.
• Updated Threat Intelligence rules with match lists which can be populated with exclusions to prevent the generation of undesired signals.
• Mapping update.

Changes are enumerated below.

Rules​

• [New] CHAIN-S00023 Administrative Remote Interactive Brute Force Login
  This rule correlates a high number of failed authentication attempts with a successful remote interactive login (such as via RDP) coming from the same source IP address and user account.
• [New] CHAIN-S00024 RDP Brute Force Login Attempt
  This rule correlates a high number of failed authentication attempts with repeated inbound connections over port 3389 (the default RDP port).
• [New] MATCH-S01056 Administrative Remote Interactive Login
  This rule triggers on a successful remote interactive login (such as via RDP) of a privileged user.
• [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
  Updated to reduce false positive matches for certain parent-child process combinations.
• [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
• [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
• [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
• [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
• [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
• [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
• [Updated] MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

Log Mappers​

• [Updated] Slack Anomaly Event
  Updated to include threat_name mapping for improved context in alerts.

This content release includes:

• Support for CrowdStrike Falcon EppDetectionSummaryEvents.
• Updates to Barracuda CloudGen log mappers and parser to fix unmatching logs and expand coverage.
• Enhancements to Check Point Avanan log mapper to support passthrough signals.
• Updates to Sophos Masters log mappers for improved IP address mapping.

Log Mappers​

• [New] CrowdStrike Falcon - EppDetectionSummaryEvents
• [Updated] Barracuda CloudGen Authenticaton Events
• [Updated] Barracuda CloudGen Network Events
• [Updated] Check Point Avanan
• [Updated] Sophos - Masters
• [Updated] Sophos - Masters - Threat Events

Parsers​

• [Updated] /Parsers/System/Barracuda/Barracuda CloudGen

Insight summary​

We’re excited to announce the new insight summary pane, an AI-generated synopsis for each insight that describes the threat incidents that led to its creation. This helps security teams understand incidents faster and accelerate response time. The summary is generated by Sumo Logic's Summary Agent, an agentic AI tool.

Learn more.

This content release includes:

• New rules for passing through OCSF Findings, such as those generated by AWS Security Hub.
• Updates to rules for impossible travel to exclude local system accounts.
• New log mappers for Cisco Meraki Traffic Events, OCI Authentication Events, and TippingPoint TPS Cloud.
• Updates to existing log mappers to support new event IDs and enhance functionality.
• New parser for TippingPoint TPS Cloud.
• Updates to existing parsers for Cisco ASA, Cisco Meraki C2C, Kaspersky Endpoint Security, and Oracle Cloud Infrastructure to support new events.
• Schema update to include ocsf as an enforced value for threat_ruleType.

Changes are enumerated below.

Rules​

• [New] MATCH-S01053 OCSF Compliance Finding
  Passes through compliance findings from OCSF sources.
• [New] MATCH-S01054 OCSF Detection Finding
  Passes through detection findings from OCSF sources.
• [New] MATCH-S01055 OCSF Vulnerability Finding
  Passes through vulnerability findings from OCSF sources.
• [Updated] THRESHOLD-S00097 Impossible Travel - Successful
  Exclude local system accounts from the rule.
• [Updated] THRESHOLD-S00098 Impossible Travel - Unsuccessful
  Exclude local system accounts from the rule.

Log Mappers​

• [New] Cisco Meraki Traffic Events
• [New] OCI Catch Authentication events
• [New] TippingPoint TPS Cloud Catch All
• [Updated] AWS GuardDuty - OCSF Finding Events
  Modified to support dedicated OCSF finding rules.
• [Updated] AWS Inspector - OCSF Finding Events
  Modified to support dedicated OCSF finding rules.
• [Updated] AWS Security Hub - OCSF Finding Events
  Modified to support dedicated OCSF finding rules.
• [Updated] AWS Security Hub Coverage - OCSF Finding Events
  Modified to support dedicated OCSF finding rules.
• [Updated] AWS Security Hub Exposure Detection - OCSF Finding Events
  Modified to support dedicated OCSF finding rules.
• [Updated] Cisco ASA 109201|109207|113022
• [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041|722011
• [Updated] Kaspersky Endpoint Security Catch All
• [Updated] Oracle Cloud Infrastructure Audit Catch All
• [Updated] Windows - Security - 4624
  Added user_role field to identify admin users
• [Updated] Windows - Security - 4648
  Added user_role field to identify admin users.

Parsers​

• [New] /Parsers/System/TippingPoint/TippingPoint TPS Cloud
• [Updated] /Parsers/System/Cisco/Cisco ASA
• [Updated] /Parsers/System/Cisco/Cisco Meraki C2C
• [Updated] /Parsers/System/Kaspersky/Kaspersky Endpoint Security
• [Updated] /Parsers/System/Oracle/Oracle Cloud Infrastructure Schema
• [Updated] threat_ruleType
  Updated enforced values to include ocsf as an option for mappers representing Findings records as categorized in the Open Cybersecurity Schema Framework (OCSF).

This content release includes:

• New mappers and parsing support for additional Cisco ASA events and updates to existing Cisco ASA mappers to support additional fields.
• Updates to AWS Security Hub OCSF Findings mappers to handle username alternate mappings.
• Updates to McAfee Web Gateway CSV parser and mapper to support additional fields.
• Fix to Sysdig Policy Detection JSON mapper to correctly map threat signal name and summary.

Changes are enumerated below.

Log Mappers​

• [New] Cisco ASA 109201|109207|113022
• [New] Cisco ASA 317077|317078
• [New] Cisco ASA 725016|771002
• [Updated] AWS GuardDuty - OCSF Finding Events
• [Updated] AWS Inspector - OCSF Finding Events
• [Updated] AWS Security Hub - OCSF Finding Events
• [Updated] AWS Security Hub Coverage - OCSF Finding Events
• [Updated] AWS Security Hub Exposure Detection - OCSF Finding Events
• [Updated] Cisco ASA 113008 JSON
• [Updated] Cisco ASA 302010 JSON
• [Updated] Cisco ASA 303002 JSON
• [Updated] Cisco ASA 313001 JSON
• [Updated] Cisco ASA 50000(4|3) JSON
• [Updated] Cisco ASA 602303-4|602101
• [Updated] Cisco ASA 710005|716058
• [Updated] Cisco ASA 713nnn JSON
• [Updated] Cisco ASA 722034
• [Updated] Cisco ASA 722051|722022|722023|722028|722032|722033|722036|722037|722041 JSON
• [Updated] Cisco ASA 733100|734001|737005|737017|737036|737029|746014|746015|746016 JSON
• [Updated] Cisco ASA 751023|725001|725002|725003|725006|725007|750001|750003|750006|750007|751022 JSON
• [Updated] Cisco ASA Network events
• [Updated] McAfee WebGateway - Parser
• [Updated] Sysdig Policy Detection JSON

Parsers​

• [Updated] /Parsers/System/Cisco/Cisco ASA
• [Updated] /Parsers/System/McAfee/McAfee Web Gateway CSV

This content release includes new log mappers to cover additional security finding sources collected via AWS Security Hub.

Log Mappers​

• [New] AWS GuardDuty - OCSF Finding Events
• [New] AWS Inspector - OCSF Finding Events
• [New] AWS Security Hub Coverage - OCSF Finding Events
• [New] AWS Security Hub Exposure Detection - OCSF Finding Events

New TAXII 2 Threat Intelligence Sources​

We're excited to announce the following new threat intelligence sources that allow you to collect TAXII feeds with greater ease. These sources are based on the underlying code of our STIX/TAXII 2 Client Source, but are tailored for each of the vendors to facilitate setup:

• CISA TAXII Client
• Dragos TAXII Client
• Nozomi TAXII Client
• Recorded Future TAXII Client
• Unit42 TAXII Client

When you set up a source, search for "taxii" and select the tile for the source you want to install:

Learn more.

This content release includes:

• New product support for Vectra AI.
• Updated parsers and log mappers for Azure Event Hub, Barracuda CloudGen Firewall, Microsoft IIS, and Surepass.
• Updated Surepass to the correct vendor name.

Changes are enumerated below.

Log Mappers​

• [New] Vectra AI Catch All
• [New] Vectra AI User Login
• [Updated] Azure Event Hub - Windows Defender Logs
  • Updated field mappings to include new fields.
• [Updated] Barracuda CloudGen Firewall Activity
  • Updated event_id criteria to handle abridged event types in some logs.
• [Updated] Microsoft IIS Parser - Catch All
  • Updated to support http_url and downstream enrichment.
• [Updated] Surepass Authentication
• [Updated] Surepass Catch All
• [Updated] Surepass Network Event

Parsers​

• [New] /Parsers/System/Vectra/Vectra AI
• [Updated] /Parsers/System/Barracuda/Barracuda CloudGen
  • Updated event_id criteria to handle abridged event types in some logs and to support additional log formats.
• [Updated] /Parsers/System/Cylance/Cylance Syslog
  • Updated timestamp parsing.
• [Updated] /Parsers/System/DocuSign/DocuSign Monitor
  • Updated timestamp parsing.
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
  • Updated parser to parse additional nested fields.
• [Updated] /Parsers/System/Microsoft/Microsoft IIS
  • Updated to form http_url for downstream enrichment.

This content release includes:

• New rules to assist in detection of the ToolShell exploit against Microsoft SharePoint Server (CVE-2025-53770, CVE-2025-53771) and other web shell attack activity.
• Updates to rules.
• Parsing support for Open Cybersecurity Schema Framework (OCSF) logging.
  • Designed to support AWS Security Hub Findings via OCSF, but broadly compatible with other OCSF data sources.
• Mapping support for AWS Security Hub Findings via OCSF.
  • AWS Security Hub via OCSF mapping support includes mappers which can be easily cloned and repurposed to support additional sources of data which use OCSF. Not all OCSF categories and classes are necessarily pertinent to AWS Security Hub data produced at this time.
  • Additional mappers for OCSF data sources will be added in future releases.
• Updates to AWS Security Hub (non-OCSF) mapper to reduce signal volume by using a less granular field for threat_signalName and to map general resources into resource field.
• New mappers for Citrix NetScaler and Palo Alto Firewall events.
• Updates to existing mappers/parsers for AWS, Azure, Citrix NetScaler, Linux Sysmon, Windows Sysmon, and Zscaler to support additional events and field mappings.
• Allows resource to be used as an entity in rules.

Other changes are enumerated below.

Rules​

• [New] MATCH-S01050 IIS - Executable File Added to Directory
  • Executable files added to Microsoft Internet Information Server (IIS) directories can indicate the installation of a web shell by an attacker. For example, the ToolShell exploit (CVE-2025-53770, CVE-2025-53771) included the installation of spinstall10.aspx in an executable directory.
• [New] MATCH-S01051 SharePoint Server ToolShell Exploitation (CVE-2025-53770, CVE-2025-53771)
  • Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
• [New] MATCH-S01052 SharePoint Server ToolShell Web Shell Interaction (CVE-2025-53771)
  • Exploits against two vulnerabilities in Microsoft SharePoint server, CVE-2025-53770 and CVE-2025-53771, are combined to execute code on Microsoft SharePoint without authentication. This attack has been nicknamed "ToolShell".
• [Updated] MATCH-S00402 Normalized Security Signal
  • Adjusted summary to remove {{device_hostname}} to avoid null values for blank hostnames.
  • Added resource to entity selector
• [Updated] MATCH-S00061 Zscaler - Allowed Elevated Risk Score Events
  • Updated rule expression and severity score to use normalized fields.

Log Mappers​

• [New] AWS Security Hub - OCSF Finding Events
• [New] AWS Security Hub - Application Activity *
• [New] AWS Security Hub - Authentication Event*
• [New] AWS Security Hub - DHCP Activity*
• [New] AWS Security Hub - DNS Activity*
• [New] AWS Security Hub - Discovery Event*
• [New] AWS Security Hub - Email Activity*
• [New] AWS Security Hub - File System events*
• [New] AWS Security Hub - HTTP Activity*
• [New] AWS Security Hub - IAM Account change|Authorize Session|Entity Management|User Access Management|Group Management*
• [New] AWS Security Hub - Kernel Extension Activity|Kernel Activity|Memory Activity|Module Activity|Scheduled Job Activity|Process Activity|Event Log Activity|Script Activity*
• [New] AWS Security Hub - Network Activity|RDP Activity|SMB Activity|SMB Activity|SSH Activity|FTP Activity|NTP Activity|Tunnel Activity|Network Remediation Activity*
• [New] AWS Security Hub - Remediation Activity|Process Remediation Activity*
• [New] AWS Security Hub - Unmanned Systems*
• [New] Citrix NetScaler - AAA-AUTH-REQ
• [New] Palo Alto Audit Authentication logs
• [New] Palo Alto Audit Catch All
• [Updated] AWS Security Hub
• [Updated] Azure Event Hub - Windows Defender Audit file events
• [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
• [Updated] Citrix NetScaler - Command Executed
• [Updated] Citrix NetScaler - MESSAGE
• [Updated] Citrix NetScaler - SSL Handshake Success
• [Updated] Citrix NetScaler - SSLVPN-LOGIN
• [Updated] Keeper Authentication
• [Updated] Keeper Catch All
• [Updated] Mimecast AV Event
• [Updated] Mimecast Email logs
• [Updated] Linux-Sysmon/Operational - 11
  • Added more normalized fields
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
  • Added more normalized fields.
• [Updated] Zscaler - Nanolog Streaming Service - JSON
  • Added normalizedAction for allow/deny actions and alternate values for IPs.

* Security Hub via OCSF is currently limited to the OCSF Findings category. Additional mappers are in place to support potential future Security Hub events that utilize other OCSF categories and classes. These can be cloned and repurposed to support additional sources of data which use OCSF.

Parsers​

• [Deleted] /Parsers/System/Mindpoint Group/Mindpoint SurePass
  • Updated erroneous vendor name in parser.
  • Any existing references to this parser path will need to be updated to the new parser path.
• [New] /Parsers/System/Keeper/Keeper
  • New parser for Keeper with correct vendor name.
• [New] /Parsers/System/OCSF/OCSF
• [New] /Parsers/System/SurePass/SurePass
  • New parser path for Surepass to reflect correct vendor name.
• [Updated] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper
  • Updated parser to point to new parser path with correct vendor name.
• [Updated] /Parsers/System/Microsoft/Office 365
  • Updated to fix issue with normalizedLogon field not being populated correctly.
• [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
  • Updated header regex, added support for new events, and added new time format.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • Updated to handle new log formats and fields.

Schema​

• [Updated] resource
  • Enables resource as an entity.

This release includes:

• Rule bug fix.
• New device support for Aruba WAP, Oracle Cloud Infrastructure, and Mindpoint SurePass.
• Updated mapper alternate values for Cloudflare Logpush.

Rules​

• [Updated] LEGACY-S00005 Possible Black Energy Command and Control
  • Corrected rule expression for rootDomain to use correct schema field name.

Log Mappers​

• [New] Aruba WAP
• [New] Oracle Cloud Infrastructure Audit Catch All
• [New] Surepass Authentication
• [New] Surepass Cath All
• [New] Surepass Network Event
• [Updated] Cloudflare - Logpush

Parsers​

• [New] /Parsers/System/HP/Aruba WAP
• [New] /Parsers/System/Mindpoint Group/Mindpoint SurePass
• [New] /Parsers/System/Oracle/Oracle Cloud Infrastructure

This content release includes:

• Device support for AWS VPN and VMware Avi Load Balancer.
• Updates to Cisco ASA and Umbrella parsers to support additional log pattern variations.
• Bug fix for year timestamp parsing with the potential of creating incorrect timestamps around the new year for records.

Log Mappers​

• [New] AWS VPN
• [New] VMware Avi Load Balancer Catch All

Parsers​

• [New] /Parsers/System/AWS/AWS VPN
• [New] /Parsers/System/VMware/VMware Avi Load Balancer
• [Updated] /Parsers/System/Atlassian/Atlassian Audit Events
• [Updated] /Parsers/System/Microsoft/Azure Storage Analytics
• [Updated] /Parsers/System/Cisco/Cisco ASA
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
• [Updated] /Parsers/System/Cylance/Cylance Syslog
• [Updated] /Parsers/System/Cylance/Cylance Threat JSON
• [Updated] /Parsers/System/JumpCloud/JumpCloud Directory Insights
• [Updated] /Parsers/System/Miro/Miro Audit C2C
• [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
• [Updated] /Parsers/System/Pulse Secure/Pulse Secure Appliance
• [Updated] /Parsers/System/RSA/RSA SecurID SinglePoint
• [Updated] /Parsers/System/Symantec/Symantec Endpoint Protection/Symantec Endpoint Protection-Syslog
• [Updated] /Parsers/System/Tanium/Tanium CEF
• [Updated] /Parsers/System/Trellix/Trellix MVision EPO
• [Updated] /Parsers/System/Twistlock/Twistlock
• [Updated] /Parsers/System/Zeek/Zeek
• [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-CEF
• [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON
• [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-LEEF

This content release includes:

• New detection rules for browser extension persistence, Kerberos certificate authentication, GitHub vulnerability alerts, Okta application access monitoring, and threat intelligence email matching.
• New product support for Atlassian audit and login events.
• Enhanced Azure Event Hub Windows Defender integration with new threat event mapping for passthrough alerts.
• Cisco ASA updates with new network event support and NAT IP handling improvements.
• Citrix NetScaler mapping updates to support additional events.
• Update to Auth0 successful/unsuccessful login mappings to properly classify each.
• CrowdStrike NextGen SIEM Alert event support.
• Mimecast security event mapping improvements across several event types.
• AWS CloudTrail network event enhancements with event success/failure handling and protocol support.
• Parser updates to support additional event formats for multiple platforms.

Changes are enumerated below.

Rules​

• [New] MATCH-S00897 Chromium Extension Installed
  • Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values: file_path and/or changeTarget depending on the source of the telemetry. This rule logic utilizes Sysmon file creation events, which need to be enabled and configured on relevant assets.
• [New] FIRST-S00064 First Seen Certificate Thumbprint in Successful Kerberos Authentication
  • This alert looks for a first seen certificate thumbprint being used to authenticate to an Active Directory environment, resulting in a Kerberos ticket being successfully issued. This alert is designed to catch Active Directory Certificate Services related attacks, ensure the certificate thumprint is valid, correlate the thumbprint ID with other Certificate Services events, particularly looking for recently issued templates.
• [New] MATCH-S00949 GitHub - Vulnerability Alerts
  • Detects vulnerability alerts created for a GitHub repository.
• [New] FIRST-S00070 Okta - First Seen Application Accessed by User
  • This signal looks for a user that is accessing an application behind Okta SSO that is first seen since the baseline period. Ensure that access of this application is expected and authorized, look for other Okta events around the user account in question to determine whether access to this application is expected and authorized.
• [New] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
  • This rule detects when a user has utilized multiple distinct operating systems when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression or a match list.
• [New] MATCH-S01020 Threat Intel - Matched Target Email
  • Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
• [New] MATCH-S01019 Threat Intel - Matched User Email
  • Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
• [Updated] MATCH-S00170 Windows - Scheduled Task Creation
  • Fixed spelling error.

Log Mappers​

• [New] Altassian audit events
• [New] Altassian login events
• [New] Azure Event Hub - Windows Defender Azure Alert
• [New] Cisco ASA 4180(18|19|44)
• [New] Cisco ASA 713nnn JSON
• [New] Cisco ASA Network events
• [New] Citrix NetScaler - SSL Handshake Failure
• [New] CrowdStrike NextGen SIEM
• [Updated] Auth0 Failed Authentication
• [Updated] Auth0 Successful Authentication
• [Updated] Azure Event Hub - Windows Defender Logs
• [Updated] Cisco ASA 106010 JSON
• [Updated] Cisco ASA 20900(4|5) JSON
• [Updated] Cisco ASA 50000(4|3) JSON
• [Updated] Citrix NetScaler - TCP Connection
• [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
• [Updated] F5 HTTP Request
• [Updated] Mimecast AV Event
• [Updated] Mimecast Audit Authentication Logs
• [Updated] Mimecast Audit Hold Messages
• [Updated] Mimecast Audit Logs
• [Updated] Mimecast DLP Logs
• [Updated] Mimecast Email logs
• [Updated] Mimecast Impersonation Event
• [Updated] Mimecast Spam Event
• [Updated] Mimecast Targeted Threat Protection Logs

Parsers​

• [New] /Parsers/System/Atlassian/Atlassian Audit Events
• [Updated] /Parsers/System/Cisco/Cisco ASA
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
• [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
• [Updated] /Parsers/System/AWS/CloudTrail
• [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
• [Updated] /Parsers/System/F5/F5 Syslog
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

New method for building baselines​

We're happy to announce that now when you create or update a first seen or outlier rule, the baseline starts building immediately using existing system data. Typically, the baseline is ready within minutes. You no longer need to wait days for a baseline learning period to complete before it becomes usable. This change enables you to gain insights faster and iterate on your first seen and outlier rules rapidly, reducing tuning time from weeks to minutes.

To learn more, see our information about baselines for first seen rules and outlier rules.

This content release includes:

• Rule updates.
• New log parsers and mappers to support Akamai CPC and Contrast Security ADR.
• New and updated log mappers for Azure Event Hub - Windows Defender logs, Cisco ISE, Microsoft Office 365, and Snowflake.
• Modifications to existing parsers for Microsoft Azure JSON, Nginx Syslog, and Snowflake to support additional formats and events.

Changes are enumerated below.

Rules​

• [Updated] MATCH-S00068 O365 - Users Password Changed
  • Updated entity selectors to include both user_username and targetUser_username
• [Updated] MATCH-S00069 O365 - Users Password Reset
  • Updated entity selectors to include both user_username and targetUser_username

Log Mappers​

• [New] Akamai CPC
• [New] Azure Event Hub - Windows Defender Audit events
• [New] Azure Event Hub - Windows Defender Audit file events
• [New] Azure Event Hub - Windows Defender Authentication events
• [New] Azure Event Hub - Windows Defender Email events
• [New] Azure Event Hub - Windows Defender Endpoint Process events
• [New] Azure Event Hub - Windows Defender Network events
• [New] Contrast Security ADR Default Mapping
• [New] Snowflake Query History
• [New] Snowflake Session
• [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
• [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
• [Updated] Cisco ISE Catch All
• [Updated] Microsoft Office 365 Active Directory Authentication Events
• [Updated] Snowflake Catch All
• [Updated] Snowflake Login

Parsers​

• [New] /Parsers/System/Akamai/Akamai CPC
• [New] /Parsers/System/Contrast Security/Contrast ADR
• [Updated] /Parsers/System/Cisco/Cisco ISE
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Nginx/Nginx Syslog
• [Updated] /Parsers/System/Microsoft/Office 365
• [Updated] /Parsers/System/Snowflake/Snowflake
• [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
• [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry

This content release includes:

• Rule update
• New support for CommScope Ruckus SmartZone
• Additional mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
• Updates for existing mappers for CrowdStrike FDR, Google G Suite (Workspace), and Windows PowerShell
  • Added normalizedAction and action fields to Windows PowerShell mappers
• Changes to Windows PowerShell JSON parsing to support additional log formats

Changes are enumerated below.

Rules​

• [Updated] MATCH-S00068 O365 - Users Password Changed
  • Updated to use targetUser_username

Log mappers​

• [New] CommScope Ruckus SmartZone Default
• [New] CrowdStrike FDR - DNSRequest
• [New] Google G Suite - login - risky_sensitive_action_allowed
• [New] Google G Suite - login challange
• [New] Windows - Windows PowerShell
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
  • Added alternate field for threat_name
• [Updated] CrowdStrike Falcon Host API IdpDetectionSummaryEvent (CNC)
  • Added alternate field for threat_name
• [Updated] Google G Suite - login - password_change/recovery_info_change
  • Added additional mapped fields
• [Updated] Google G Suite - login.login
  • Added additional mapped fields
• [Updated] Google G Suite - logout
  • Added additional mapped fields
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4103
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4104
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4105
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational - 4106

Parsers​

• [New] /Parsers/System/CommScope/CommScope Ruckus SmartZone
• [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON

This release includes:

• New rules for monitoring AWS services (see below for tuning guidance).
• Updated rules for Microsoft O365 and Powershell.
• Updates to Cisco ASA mappers to add normalizedAction and normalizedSeverity.
• Updates to Cisco Umbrella mappers to add user_username.
• Updates to SentinelOne mappers to drop null values.
• New parsers for Azure Virtual Network and SentinelOne MGMT API.
• Updates to existing parsers for Abnormal Security, Cisco ASA, Cisco ISE, Cisco Umbrella CSV, Cylance Syslog, and KnowBe4 KMSAT C2C.

Changes are enumerated below.

Rules​

• [New] OUTLIER-S00033 AWS DynamoDB Outlier in PutItem Events from User
  • [Disabled by Default] This rule detects an unusual amount of PutItem events to a DynamoDB resource within an hour time period (DynamoDB data events are required). Verify the user is authorized to modify the DynamoDB tables and instances. This rule is disabled by default due to potential volume of signals, before enabling consider excluding authorized users via match lists, and adjust floor value and model sensitivity as needed.
• [New] FIRST-S00100 First Seen User Enumerating Custom AWS Bedrock Models
  • [Disabled by Default] Detection of a user account's first enumeration of custom AWS Bedrock models via ListCustomModels API. Verify the user is authorized for AWS Bedrock access. The http_userAgent field indicates whether a browser or CLI tool was used. This rule is disabled by default due to potential high volume of alerts, particularly from service accounts. Before enabling, consider excluding authorized users and service accounts (such as CNAPP monitoring accounts with timestamp-based usernames) through rule tuning expressions.
• [New] OUTLIER-S00032 Outlier in Data Transferred from an S3 Bucket by User
  • [Disabled by Default] This rule detects an unusual amount of data transferred outbound from an S3 bucket (requires AWS Data events are required). Verify if the user, role and IP address associated with this activity are authorized. This rule is disabled by default due to potential signal volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
• [New] OUTLIER-S00031 Outlier in Data Transferred into an S3 Bucket by User
  • [Disabled by Default] Detects unusual amounts of inbound data transfers to S3 buckets (requires AWS Data events). Verify if the user, role, and IP address associated with this activity are authorized. This rule is disabled by default due to potential alert volume. Before enabling, consider excluding authorized users with regular large transfers via match lists, and adjust floor value and model sensitivity as needed.
• [Updated] MATCH-S00069 O365 - Users Password Reset
  • Changed Entity and Summary, replacing user_username with targetUser_username.
• [Updated] MATCH-S00449 Powershell Execution Policy Bypass
  • Fixed camel case in commandLine field.

Log Mappers​

• [New] Azure Virtual Network Flow logs
• [Updated] Abnormal Security Threats
• [Updated] Cisco ASA 103001 JSON
• [Updated] Cisco ASA 103004 JSON
• [Updated] Cisco ASA 106001 JSON
• [Updated] Cisco ASA 106002 JSON
• [Updated] Cisco ASA 106006 JSON
• [Updated] Cisco ASA 106007 JSON
• [Updated] Cisco ASA 106010 JSON
• [Updated] Cisco ASA 106012 JSON
• [Updated] Cisco ASA 106014 JSON
• [Updated] Cisco ASA 106015 JSON
• [Updated] Cisco ASA 106021 JSON
• [Updated] Cisco ASA 106023 JSON
• [Updated] Cisco ASA 106027 JSON
• [Updated] Cisco ASA 106100 JSON
• [Updated] Cisco ASA 106102-3 JSON
• [Updated] Cisco ASA 109005-8 JSON
• [Updated] Cisco ASA 110002 JSON
• [Updated] Cisco ASA 111008-9 JSON
• [Updated] Cisco ASA 111010 JSON
• [Updated] Cisco ASA 113003 JSON
• [Updated] Cisco ASA 113004 JSON
• [Updated] Cisco ASA 113005 JSON
• [Updated] Cisco ASA 113006 JSON
• [Updated] Cisco ASA 113007 JSON
• [Updated] Cisco ASA 113008 JSON
• [Updated] Cisco ASA 113009 JSON
• [Updated] Cisco ASA 113012-17 JSON
• [Updated] Cisco ASA 113019 JSON
• [Updated] Cisco ASA 113021 JSON
• [Updated] Cisco ASA 113039 JSON
• [Updated] Cisco ASA 209004 JSON
• [Updated] Cisco ASA 302010 JSON
• [Updated] Cisco ASA 302020-1 JSON
• [Updated] Cisco ASA 303002 JSON
• [Updated] Cisco ASA 304001 JSON
• [Updated] Cisco ASA 304002 JSON
• [Updated] Cisco ASA 305011-12 JSON
• [Updated] Cisco ASA 313001 JSON
• [Updated] Cisco ASA 313004 JSON
• [Updated] Cisco ASA 313005 JSON
• [Updated] Cisco ASA 314003 JSON
• [Updated] Cisco ASA 315011 JSON
• [Updated] Cisco ASA 322001 JSON
• [Updated] Cisco ASA 322003 JSON
• [Updated] Cisco ASA 338001-8+338201-4 JSON
• [Updated] Cisco ASA 4000nn JSON
• [Updated] Cisco ASA 402117 JSON
• [Updated] Cisco ASA 402119 JSON
• [Updated] Cisco ASA 405001 JSON
• [Updated] Cisco ASA 405002 JSON
• [Updated] Cisco ASA 406001 JSON
• [Updated] Cisco ASA 406002 JSON
• [Updated] Cisco ASA 419001 JSON
• [Updated] Cisco ASA 419002 JSON
• [Updated] Cisco ASA 500004 JSON
• [Updated] Cisco ASA 502101-2 JSON
• [Updated] Cisco ASA 502103 JSON
• [Updated] Cisco ASA 602303-4 JSON
• [Updated] Cisco ASA 605004-5 JSON
• [Updated] Cisco ASA 609002 JSON
• [Updated] Cisco ASA 611101-2 JSON
• [Updated] Cisco ASA 611103 JSON
• [Updated] Cisco ASA 710002-3 JSON
• [Updated] Cisco ASA 710005 JSON
• [Updated] Cisco ASA 713052 JSON
• [Updated] Cisco ASA 713172 JSON
• [Updated] Cisco ASA 713228 JSON
• [Updated] Cisco ASA 716014-7-8 JSON
• [Updated] Cisco ASA 716038 JSON
• [Updated] Cisco ASA 716039 JSON
• [Updated] Cisco ASA 716059 JSON
• [Updated] Cisco ASA 719022-3 JSON
• [Updated] Cisco ASA 721016-8 JSON
• [Updated] Cisco ASA 722034 JSON
• [Updated] Cisco ASA 722051 JSON
• [Updated] Cisco ASA 722055 JSON
• [Updated] Cisco ASA 733100 JSON
• [Updated] Cisco ASA 751011 JSON
• [Updated] Cisco ASA 751023 JSON
• [Updated] Cisco ASA 751025 JSON
• [Updated] Cisco ASA tcp_udp_sctp_builds JSON
• [Updated] Cisco ASA tcp_udp_sctp_teardowns JSON
• [Updated] Cisco Umbrella DNS Logs
• [Updated] Cisco Umbrella IP Logs
• [Updated] Cisco Umbrella Proxy Logs
• [Updated] SentinelOne Logs - C2C activities
• [Updated] SentinelOne Logs - C2C agents
• [Updated] SentinelOne Logs - C2C alerts
• [Updated] SentinelOne Logs - C2C threats
• [Updated] SentinelOne Logs - C2C users
• [Updated] SentinelOne Logs - Syslog Custom Parser

Parsers​

• [New] /Parsers/System/Microsoft/Azure Virtual Network
• [New] /Parsers/System/SentinelOne/SentinelOne MGMT API
• [Updated] /Parsers/System/Abnormal Security/Abnormal Security
  • Updated the parser to support new events.
• [Updated] /Parsers/System/Cisco/Cisco ASA
  • Updated regex to fix ASA-6-721016 events.
• [Updated] /Parsers/System/Cisco/Cisco ISE
  • Updated parser to drop certain non-actionable logs.
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
  • Updated parser to support additional event format variations.
• [Updated] /Parsers/System/Cylance/Cylance Syslog
  • Updated parser to support new events.
• [Updated] /Parsers/System/KnowBe4/KnowBe4 KMSAT C2C
  • Updated parser to drop phishing test events.

This content release includes:

• Fixes for Threat Intelligence rules to correct match expression syntax for hash and HTTP referrer.
• Parsing and mapping updates for Microsoft Office 365 to improve target user visibility.

Rules​

• [Updated] MATCH-S01009 Threat Intel - HTTP Referrer
• [Updated] MATCH-S01012 Threat Intel - HTTP Referrer Root Domain
• [Updated] MATCH-S00999 Threat Intel - IMPHASH Match
• [Updated] MATCH-S01000 Threat Intel - MD5 Match
• [Updated] MATCH-S01001 Threat Intel - PEHASH Match
• [Updated] MATCH-S01003 Threat Intel - SHA1 Match
• [Updated] MATCH-S01004 Threat Intel - SHA256 Match
• [Updated] MATCH-S01002 Threat Intel - SSDEEP Match

Log Mappers​

• [Updated] Microsoft Office 365 Active Directory Authentication Events
• [Updated] Microsoft Office 365 AzureActiveDirectory Events

Parsers​

• [Updated] /Parsers/System/Microsoft/Office 365

This content release includes:

• Additional data requirements for GitHub rules added to rule descriptions.
• Spelling corrections for AWS Lambda rules.
• New Slack Anomaly Event log mapper and supporting parsing changes:
  • Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
  • Requires parser be defined for passthrough detection.
• Updates to Sysdig parsing and mapping to support additional events.
• Support for Microsoft Windows Sysmon-29 event.
• Additional normalized field mappings for Microsoft Windows Sysmon events.
• New user_phoneNumber and targetUser_phoneNumber schema fields.

Rules​

• [Updated] MATCH-S00874 AWS Lambda Function Recon
• [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
• [Updated] MATCH-S00953 GitHub - Audit Logging Modification
• [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
• [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
• [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
• [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
• [Updated] MATCH-S00955 GitHub - Member Permissions Modification
• [Updated] MATCH-S00956 GitHub - OAuth Application Activity
• [Updated] MATCH-S00957 GitHub - Organization Transfer
• [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
• [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
• [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
• [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
• [Updated] MATCH-S00960 GitHub - Repository Transfer
• [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
• [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
• [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
• [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
• [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
• [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
• [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization

Log Mappers​

• [New] Slack Anomaly Event
• [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
• [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
• [New] Windows - Microsoft-Windows-Sysmon/Operational-29
• [Updated] Sysdig Secure Packages
• [Updated] Sysdig Secure Vulnerability
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27

Parsers​

• [New] /Parsers/System/Slack/Slack Enterprise Audit
• [Updated] /Parsers/System/Sysdig/Sysdig Secure

Schema​

• [New] targetUser_phoneNumber
• [New] user_phoneNumber

New Threat Intelligence Source​

We’re excited to announce a new default source for Sumo Logic Threat Intelligence incorporating Indicators of Compromise (IoC) from Intel 471.

For more information, see our release note in the Service release notes section.

This content release includes new and updated log mappers and parsers for Bitwarden, CommScope, Mimecast, and Sysdig Secure. Updates to Mimecast mappers are to support additional fields and events with new log parser.

Log Mappers​

• [New] Bitwarden Authentication
• [New] Bitwarden Catch All
• [New] CommScope Authentication Event
• [New] CommScope STP and DHCPC Event
• [New] CommScope System|Security
• [New] Sysdig Secure Packages
• [New] Sysdig Secure Vulnerability
• [Updated] Mimecast AV Event
• [Updated] Mimecast Audit Authentication Logs
• [Updated] Mimecast Audit Hold Messages
• [Updated] Mimecast Audit Logs
• [Updated] Mimecast DLP Logs
• [Updated] Mimecast Email logs
• [Updated] Mimecast Impersonation Event
• [Updated] Mimecast Spam Event
• [Updated] Mimecast Targeted Threat Protection Logs

Parsers​

• [New] /Parsers/System/Bitwarden/Bitwarden
• [New] /Parsers/System/CommScope/CommScope
• [New] /Parsers/System/Mimecast/Mimecast
• [New] /Parsers/System/Sysdig/Sysdig Secure

This content release includes Threat Intelligence match rules that use the new hasThreatMatch operator to support both global and custom threat intelligence feeds.

To reduce initial signal volume, basic inbound and outbound IP address threat match rules with a low or medium confidence level are disabled by default (see below). We highly recommend tuning these rules before enabling them to reduce signal volume, and therefore entity risk assignment, to manageable levels.

Rules​

• MATCH-S00999 Threat Intel - IMPHASH Match
• MATCH-S01000 Threat Intel - MD5 Match
• MATCH-S01001 Threat Intel - PEHASH Match
• MATCH-S01002 Threat Intel - SSDEEP Match
• MATCH-S01003 Threat Intel - SHA1 Match
• MATCH-S01004 Threat Intel - SHA256 Match
• MATCH-S01005 Threat Intel - Source Hostname
• MATCH-S01006 Threat Intel - Device Hostname
• MATCH-S01007 Threat Intel - Destination Device Hostname
• MATCH-S01008 Threat Intel - HTTP Hostname
• MATCH-S01009 Threat Intel - HTTP Referrer Hostname
• MATCH-S01010 Threat Intel - DNS Query Domain
• MATCH-S01011 Threat Intel - DNS Reply Domain
• MATCH-S01012 Threat Intel - HTTP Referrer Domain
• MATCH-S01013 Threat Intel - HTTP URL Root Domain
• MATCH-S01014 Threat Intel - HTTP URL FQDN
• MATCH-S01015 Threat Intel - HTTP URL
• MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence) - Disabled By Default
• MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence) - Disabled By Default
• MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence) - Disabled By Default
• MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence) - Disabled By Default
• MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
• MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
• MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

This release includes::

• Updates to parsing and mapping for Airtable and Windows Defender to support additional events and field mappings.
• New parsing and mapping for VMware ESXi.
• Updates to Baracuda Firewall and System Event mapping for normalizedSeverity lookup translation.

Changes are enumerated below.

Log Mappers​

• [New] Airtable Audit C2C Authentication
• [New] VMware ESXi Authentication
• [New] VMware ESXi Catch All
• [New] Windows Defender Catch All
• [Updated] Airtable Audit C2C Catch All
• [Updated] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
• [Updated] Barracuda System Event
• [Updated] Windows Defender ATP Alert
  • Enables additional passthrough alerts.

Parsers​

• [New] /Parsers/System/VMware/VMware ESXi
• [Updated] /Parsers/System/Airtable/Airtable Audit C2C
• [Updated] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON

This release includes:

• New detection rules for Azure DevOps to identify suspicious or sensitive activity in CI/CD pipelines
• New support for Barracuda WAF and CloudGen Firewall
• Support for CyberArk Audit events
• Updates to 1Password mappers to realign field mappings to reflect proper directionality
• Fix for normalizedActions in AWS CloudTrail Policy Change mapper
• Additions to CrowdStrike Audit and UserActivity log mappers to map additional fields and add alternate values
• Support for additional events from Kubernetes and Linux OS logs

Rules​

• [New] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
  • This detection monitors for the creation and deletion of Agent Pools within 5 days by the same user, with the intent of finding Agent Pools active for short durations.
• [New] MATCH-S00997 Azure DevOps - Browser Observed in Personal Access Token (PAT) Use
  • This detection monitors for the use of a PAT for authentication from a User Agent String indicating a web browser.
• [New] MATCH-S00995 Azure DevOps - Change Made to Administrator Group
  • This detection monitors for additions to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrators, Project Collection Build Administrators
• [New] FIRST-S00098 Azure DevOps - First Seen Pull Request Policy Bypassed
  • This detection monitors for when a user performs a pull request bypass for the first time.
• [New] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
  • This detection monitors for new users creating an agent pool. This user has not been observed creating agent pools during the baseline period and may be a new admin or involved in suspicious account activity.
• [New] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
  • This detection monitors for users creating a release pipeline for the first time after the baseline period (by default, 90 days).
• [New] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
  • This detection monitors for a user modifying a variable group for the first time.
• [New] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
  • This detection monitors for users modifying a release pipeline for the first time after the baseline period (by default, 90 days).
• [New] MATCH-S00998 Azure DevOps - Known Malicious Tooling Detected ADOKit
  • This is a simple detection matching on “ADOKit” at the start of the HTTP User Agent String (UAS). This detection effectively catches basic ADOKit use. It is brittle to attackers changing the User Agent String to another more innocuous browser to mask the traffic.
• [New] MATCH-S00994 Azure DevOps - Member Added to Sensitive Group
  • This detection monitors for changes to the following groups: Project Administrators, Project Collection Administrators, Project Collection Service Accounts, Build Administrator
• [New] FIRST-S00095 Azure DevOps - New Agent OS Added to Agent Pool
  • This detection monitors for the addition of an agent to an agent pool when the OS of the agent has not been observed in this pool during the baseline period.
• [New] FIRST-S00094 Azure DevOps - New Extension Installed
  • This detection monitors for new extensions installed organization-wide after a 30-day baseline, based on the user installing the new extension.
• [New] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
  • This detection identifies statistical outliers in user behavior for the number of pools deleted in an hourly window.
• [New] MATCH-S00996 Azure DevOps - Personal Access Token (PAT) Misuse Observed
  • This detection monitors for use of a Personal Access Token in conjunction with categories of action that aren’t normally associated with PAT authentication.
• [New] CHAIN-S00021 Azure DevOps - Pipeline Created and Deleted within a Short Period
  • This detection monitors for the creation and deletion of the same pipeline within a short period (by default, a day).
• [New] MATCH-S00993 Azure DevOps - Pipeline Retention Settings Reduced
  • This detection monitors for any reduction in the pipeline retention settings.

Log Mappers​

• [New] Barracuda Authentication
• [New] Barracuda Catch All
• [New] Barracuda CloudGen Auth Service dcclient and events
• [New] Barracuda CloudGen Firewall Activity
• [New] Barracuda CloudGen Settings DNS
• [New] Barracuda Network Firewall Event|Web Firewall Event|Access Firewall Event
• [New] Barracuda System Event
• [New] CyberArk Audit Authentication
• [New] CyberArk Audit Catch All
• [Updated] 1Password Item Audit Actions
• [Updated] 1Password Item Usage Actions
• [Updated] 1Password Item Usage C2C
• [Updated] 1Password Signin C2C
• [Updated] CloudTrail - iam.amazonaws.com - Policy Change
• [Updated] CrowdStrike Audit Logs
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent
• [Updated] CrowdStrike Falcon Host API DetectionSummaryEvent (CNC)
• [Updated] CrowdStrike UserActivity Logs
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
• [Updated] Linux OS Syslog - Process sshd - SSH Bind Listening and negotiate event

Parsers​

• [New] /Parsers/System/Barracuda/Barracuda CloudGen
• [New] /Parsers/System/Barracuda/Barracuda WAF
• [New] /Parsers/System/Cyber-Ark/CyberArk Audit
• [Updated] /Parsers/System/Kubernetes/Kubernetes
• [Updated] /Parsers/System/Linux/Linux OS Syslog

Strict signal configuration​

We're happy to announce that now when you create custom insights, you can select an option to generate insights only on those signals defined in your custom insight. Any additional signals related to the applicable entity are excluded. This allows you to generate insights for an immediate and targeted response.

Learn more.

Threat Intelligence​

We’re excited to introduce Sumo Logic Threat Intelligence, a powerful feature set that enables Cloud SIEM administrators to seamlessly import indicators of Compromise (IoC) files and feeds directly into Sumo Logic to aid in security analysis.

For more information, see our release note in the Service release notes section.

This content release includes updates to mapping and parsing to support additional AWS CloudTrail, F5 Firewall, and modify behavior in Microsoft Office 365 login events.

Changes are enumerated below.

Log Mappers​

• [New] CloudTrail Batch get Partition
• [New] F5 Tmm Audit and APMD Audit - Custom Parser
• [New] F5 Session and adfs proxy - Custom Parser
• [Updated] F5 SSHD and Apmd - Custom Parser
  • Expands scope of existing mapper to include Apmd events.
• [Updated] Microsoft Office 365 Active Directory Authentication Events
  • Adds exclusion for invalid user ID 00000000-0000-0000-0000-000000000000.

Parsers​

• [Updated] /Parsers/System/F5/F5 Syslog

This content release includes updates to Netskope Security Cloud log parsers and mappers to ensure anomaly events are properly mapped by adjusting parser logic to map event IDs from varying locations depending on event type.

Log Mappers​

• [Updated] Netskope - Anomaly - Bulk Download
• [Updated] Netskope - Anomaly - User Shared Credentials
• [Updated] Netskope - nspolicy

Parsers​

• [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON

This content release includes:

• New and updated mappers and parsers for Carbon Black, Cisco ISE, Cisco Umbrella, PAN Firewall CSV and LEEF, and Signal Science (Fastly) WAF.
• ❤️

Changes are enumerated below.

Log Mappers​

• [New] Carbon Black Cloud - alert event
• [Updated] Cisco ISE Radius Diagnostics
  • Supports additional Radius Diagnostic messages.
• [Updated] Cisco Umbrella DNS Logs
  • Adds dstDevice_ip, normalizedAction, and user_email.
• [Updated] Cisco Umbrella IP Logs
  • Adds alternate value for dstDevice_ip and adds user_email.
• [Updated] Cisco Umbrella Proxy Logs
  • Adds user_email.

Parsers​

• [Updated] /Parsers/System/VMware/Carbon Black Cloud
  • Adds support for alert event event ID.
• [Updated] /Parsers/System/Cisco/Cisco ISE
  • Adds key value parsing for descriptions.
• [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
  • Adds a transform for capturing email addresses.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • Modifies parse_system_format_1 regular expression to support additional events.
• [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF
  • Normalizes parsing of subtype to have consistent case.
• [Updated] /Parsers/System/Signal Science/Signal Science WAF
  • Adds additional timestamp handling.

This content release includes:

• Removal and updates to Cloud SIEM rules.
• Parsing and mapping support for new products.
• Updates to existing parsing and mappers to support additional events and field mappings.

Changes are enumerated below.

Rules​

• [Deleted] MATCH-S00604 OneLogin - API Credentials - Key Used from Untrusted Location
• [Updated] FIRST-S00044 First Seen AppID Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".
• [Updated] FIRST-S00046 First Seen Client Generating MailItemsAccessed Event from User
  • Corrected typo in "MailItemsAccessed".

Log Mappers​

• [New] Crowdstrike FileVantage Catch All
• [New] Dragos Communication
• [New] Dragos Indicator
• [New] Dragos System|Asset
• [New] Extrahop JSON Catch All
• [New] F5 TMM Http Request|TMM Network|TMM Connection error
• [New] F5 TMSH - Custom Parser
• [New] Zendesk - Login events

Updated Field Mappings​

• [Updated] Code42 Incydr Alerts C2C
• [Updated] Cyber Ark EPM AggregateEvent
• [Updated] Google G Suite - meet
• [Updated] Palo Alto GlobalProtect - Custom Parser
• [Updated] Palo Alto GlobalProtect Auth - Custom Parser
• [Updated] Zendesk Catch All

Parsers​

• [New] /Parsers/System/CrowdStrike/CrowdStrike Filevantage
• [New] /Parsers/System/Extrahop/Extrahop JSON

Updated parsers to handle additional events and field parsing​

• [Updated] /Parsers/System/Code42/Code42 Incydr
• [Updated] /Parsers/System/Dragos/Dragos
• [Updated] /Parsers/System/F5/F5 Syslog
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Microsoft/Office 365
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

This content release includes:

• Fix to Azure DevOps Auditing mapper to ensure only Azure DevOps logs are mapped by it when ingested via Event Hubs C2C.
• Adds parsing and mapping support for additional OpenVPN events.
• Adds additional timestamp format handling to Azure JSON log parsing.

Log Mappers​

• [Updated] Azure DevOps Auditing Catch All
• [Updated] OpenVPN Audit Event
• [Updated] OpenVPN Network Event

Parsers​

• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog

This content release includes:

• Parsing and mapping support for Azure DevOps Auditing via EventHubs, and Pfsense Firewall.
• Parsing and mapping additions and updates for Cisco ISE, Cloudflare, Check Point Firewall, and Linux OS Syslog.

Log Mappers​

• [New] Azure DevOps Auditing Catch All
• [New] Check Point Application Control URL Filtering
• [New] Cisco ISE Radius Diagnostics
• [New] Linux OS Syslog - KRB5 Child - Authentication Failure
• [New] Linux OS Syslog - Process systemd - Systemd Session
• [New] Linux OS Syslog - Process systemd - Systemd Session Scope
• [New] Linux OS Syslog - Process systemd - session logout
• [New] Pfsense Firewall filterlog
• [New] Pfsense Firewall nginx
• [New] Pfsense Firewall openvpn Authentication
• [New] Pfsense Firewall openvpn_peer_info|openvpn_error|php_log|sshguard|sshd_log
• [New] Pfsense Firewall openvpn_server_connected|openvpn_server_disconnected|cron_log
• [Updated] Cisco ISE Authentication Failure
  • Adds normalizedSeverity mapping
• [Updated] Cisco ISE Authentication Success
  • Adds normalizedSeverity mapping
• [Updated] Cloudflare - Logpush
  • Adds mapping for dns_query, http_hostname, http_response_contentLength, http_response_contentType, and an alternative value for ipProtocol.
• [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
  • Adds mapping for normalizedAction
• [Updated] Linux OS Syslog - Process systemd - Systemd Session Start and Systemd File Configuration
  • Added support for additional events and mapping of file_path

Parsers​

• [New] /Parsers/System/Pfsense/Pfsense Firewall
• [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
• [Updated] /Parsers/System/Cisco/Cisco ISE
• [Updated] /Parsers/System/Cloudflare/Cloudflare Logpush
• [Updated] /Parsers/System/Linux/Linux OS Syslog
• [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
• [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers

This is an archive of 2024 Cloud SIEM release notes. To view the full archive, click here.

This is an archive of 2023 Cloud SIEM release notes. To view the full archive, click here.

This is an archive of 2022 Cloud SIEM release notes. To view the full archive, click here.