
Commit 369e0bf

Merge branch 'main' into CrowdStrike-Falcon-FileVantage-App
2 parents 4ddc28c + 9df4587 commit 369e0bf

6 files changed

+119
-21
lines changed


blog-cse/2024-12-06-content.md

Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
---
2+
title: December 6, 2024 - Content Release
3+
hide_table_of_contents: true
4+
keywords:
5+
- log mappers
6+
- log parsers
7+
- detection rules
8+
- tag schemas
9+
image: https://help.sumologic.com/img/sumo-square.png
10+
---
11+
12+
import useBaseUrl from '@docusaurus/useBaseUrl';
13+
14+
<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
15+
16+
This content release:
17+
- Introduces new Cloud SIEM detection rules for monitoring activity and alerts from GitHub Enterprise.
18+
- New and updated log parsing and mapping support for:
19+
- AWS VPC Transit Gateways Flow Logs
20+
- Alert Logic
21+
- Google G Suite Alert Center
22+
- Microsoft Defender Advanced Hunting
23+
- Azure Provisioning, Alert, ResourceHealth, and ServiceHealth events
24+
25+
Changes are enumerated below.
26+
27+
:::note
28+
First Seen Successful Authentication From Unexpected Country (FIRST-S00029), which is disabled by default, has been replaced by a rule of the same name (FIRST-S00065) which is enabled by default. FIRST-S00029 will be removed in a subsequent release in 2 weeks (week of December 16). Any tuning expressions applied to FIRST-S00029 will need to be migrated to FIRST-S00065 to continue functioning.
29+
:::
30+
31+
### Rules
32+
- [New] MATCH-S00952 GitHub - Administrator Added or Invited
33+
- Detects additions or invitations of GitHub Administrators. Illegitimate addition of administrative users could be an indication of privilege escalation or persistence by adversaries.
34+
- [New] MATCH-S00953 GitHub - Audit Logging Modification
35+
- Detects modifications to the GitHub Enterprise Audit Log. Modifications and deletions have the potential to reduce visibility of malicious activity.
36+
- [New] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
37+
- Observes for GitHub staff manually revoking copilot access for a user. This action is likely to be rare and may be indicative of a user violating the [acceptable use policy for GitHub](https://docs.github.com/en/site-policy/acceptable-use-policies).
38+
- [New] FIRST-S00091 GitHub - First Seen Activity From Country for User
39+
- Detects GitHub user activity from a new country. User account compromises can be detected through unusual geolocation in some cases. To lower possible false positives, a tuning expression for expected country names or codes can be added,.
40+
- [New] FIRST-S00090 GitHub - First Seen Application Interacting with API
41+
- Detects new application usage of the GitHub API. New applications utilizing the API may be routine, however this may also reveal malicious applications utilizing the API.
42+
- [New] MATCH-S00950 GitHub - Member Invitation or Addition
43+
- Detects new user additions or invitations to the business or organization GitHub. New user additions/invitations should be monitored as they could be a vector for malicious actors to establish access or persistence.
44+
- [New] MATCH-S00955 GitHub - Member Permissions Modification
45+
- Detects modifications of GitHub user permissions. Added permissions for a user should be monitored for potential privilege escalation by an adversary.
46+
- [New] MATCH-S00956 GitHub - OAuth Application Activity
47+
- Detects OAuth application activities within GitHub. OAuth application management and access activity should be monitored for potential abuse by potential malicious actors, either by creating malicious access paths within GitHub, or destruction of GitHub infrastructure.
48+
- [New] MATCH-S00957 GitHub - Organization Transfer
49+
- Detects transfers of an organization to another enterprise This is a sensitive activity that should be monitored to ensure organizations and their repositories are not being transferred without proper authorization.
50+
- [New] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
51+
- Detects an outlier in the number of distinct user agent strings for a GitHub user. Unusual user agent strings for a user account could indicate account takeover.
52+
- [New] OUTLIER-S00028 GitHub - Outlier in Removal Actions by User
53+
- Detects a higher than usual number of removal actions undertaken by a user. This detection has a broad scope to detect any unusual number of destroy, delete, or remove actions undertaken by a user to help detect a range of different potential destructive activities in GitHub.
54+
- [New] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
55+
- Detects an unusual number of repository clones for a user. Unusual repository cloning could indicate data exfiltration or discovery.
56+
- [New] MATCH-S00958 GitHub - PR Review Requirement Removed
57+
- Detects GitHub pull request review requirements being removed from a repository either via branch protection rule or ruleset.
58+
- [New] MATCH-S00959 GitHub - Repository Public Key Deletion
59+
- Detects deletions of SSH keys in GitHub. Unusual deletions could represent an adversary attempting to disrupt normal operations by denying access.
60+
- [New] MATCH-S00960 GitHub - Repository Transfer
61+
- Detects transfers of a repository to another organization or user. This is a sensitive activity that GitHub places in the "Danger Zone" of repository setting and should be monitored to ensure no unauthorized transfers are taking place.
62+
- [New] MATCH-S00961 GitHub - Repository Visibility Changed to Public
63+
- Detects a user making a repository public. This action should be closely monitored and mitigative actions taken even if the published repository is deleted, or reverted to private. Reference: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
64+
- [New] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
65+
- Detects repository visibility permissions being changed to allow members of an organization to change the visibility of repositories. This activity introduces the potential for data leakage if a private or internal repository is changed to public and should be monitored to ensure no inadvertent or malicious publication of a repository.
66+
- [New] MATCH-S00963 GitHub - SSH Key Created for Private Repo
67+
- Detects the creation of an SSH key for a private GitHub repository. Performed maliciously, creating an SSH key could create a parallel access path for an attacker.
68+
- [New] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
69+
- Detects activities accessing SSO recovery codes. SSO recovery codes can enable a user to bypass normal more stringent authentication routes.
70+
- [New] MATCH-S00951 GitHub - Secret Scanning Alert
71+
- Observes for secret scanning alerts from GitHub. Secrets detected by GitHub Enterprise Cloud undergo validation by GitHub automatically, to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection. For more information see [Evaluating alerts from secret scanning](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts).
72+
- [New] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
73+
- Detects actions which disable or modify secret scanning policies for an organization or repository. Modifying or disabling secret scanning may lead to inadvertent leaking of credentials.
74+
- [New] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
75+
- Observes for two-factor authentication being disabled for a GitHub organization. Removing two-factor authentication requirements significantly degrades the security of the GitHub organization by permitting password only authentication.
76+
- [Updated] THRESHOLD-S00095 Password Attack from Host
77+
- Modified the rule expression to remove the `srcDevice_ip` entity selector and the `isNull` from the rule expression for entities from the existing rule, and creates a new rule for those entities so that there are 2 versions of the rule's intent.
78+
79+
### Log Mappers
80+
- [New] AWS VPC Transit Gateways Flow Logs
81+
- [New] Alert Logic Catch All
82+
- [New] Azure ResourceHealth and ServiceHealth
83+
- [New] Google G Suite Alert Center - User Changes
84+
- [New] Microsoft Defender Advanced Hunting - Alert
85+
- [New] Microsoft Defender Advanced Hunting - Audit
86+
- [New] Microsoft Defender Advanced Hunting - Email events
87+
- [New] Microsoft Defender Advanced Hunting - Logon
88+
- [New] Microsoft Defender Advanced Hunting - Network
89+
- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert
90+
- Adds support for additional event types and field mappings.
91+
- [Updated] Trend Micro Vision One Custom Parser
92+
- Supports additional field names.
93+
94+
### Parsers
95+
- [New] /Parsers/System/AWS/AWS VPC Transit Gateways Flow Logs
96+
- [New] /Parsers/System/Alert Logic/Alert Logic
97+
- [New] /Parsers/System/Microsoft/Microsoft Defender Advanced Hunting
98+
- [Updated] /Parsers/System/Trend Micro/Trend Micro Vision One
99+
- Parser updated to support additional event format.
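Review bot: the [Updated] entry for THRESHOLD-S00095 Password Attack from Host (line `77+`) says the change "creates a new rule for those entities so that there are 2 versions of the rule's intent" but never names the new rule's ID; anyone who has tuning or suppression on the `srcDevice_ip` variant needs that identifier to migrate it, so add the ID here or list the new rule as its own [New] bullet. In the same hunk the `:::note` block says FIRST-S00029 is replaced by FIRST-S00065, yet FIRST-S00065 does not appear in the Rules list as [New] or [Updated]; either add it or say it shipped in an earlier release. Text fixes while this file is open: "can be added,." has a stray comma (FIRST-S00091); "another enterprise This is" is missing a period (MATCH-S00957); "repository setting" should be "settings" (MATCH-S00960); "potential abuse by potential malicious actors" repeats "potential" (MATCH-S00956); "bypass normal more stringent authentication routes" reads better as "bypass the normal, more stringent authentication path" (MATCH-S00964); and the MATCH-S00951 description joins three clauses with commas, so end the sentence after "actively in use" and start a new one with "This validation result is not surfaced in the audit log".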

blog-service/2024-12-09-search.md

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
---
2+
title: compareCIDRPrefix and getCIDRPrefix Operators Behavior Change (Search)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- compareCIDRPrefix
6+
- getCIDRPrefix
7+
- search-operator
8+
- log-search
9+
hide_table_of_contents: true
10+
---
11+
12+
import useBaseUrl from '@docusaurus/useBaseUrl';
13+
14+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
15+
16+
We are happy to announce the behavioural change for the [`compareCIDRPrefix`](/docs/search/search-query-language/search-operators/cidr/#comparecidrprefix) and [`getCIDRPrefix`](/docs/search/search-query-language/search-operators/cidr/#getcidrprefix) operators. Previously, these operators would fail if there were trailing or leading spaces around the IP address. With this update, the `compareCIDRPrefix` and `getCIDRPrefix` operators have become more flexible and can do trimming, which means the operators will not fail even if there are trailing or leading spaces around the IP address.
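Review bot: the text says the operators previously "would fail" on padded IP addresses without saying what that failure looked like (a query error, or a silent non-match); state it, because an operator that used to error out and now silently matches changes what a saved search or scheduled alert returns on padded data, and people auditing IP-based searches need to know which case applied. Also say exactly what is trimmed (leading and trailing whitespace only, nothing inside the address) so readers do not assume broader normalization. Spelling and tone: the title and the rest of the docs use "behavior", the body has "behavioural", and "We are happy to announce the behavioural change" is an odd opening for a compatibility note; "This release changes the behavior of the `compareCIDRPrefix` and `getCIDRPrefix` operators." is plainer.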

docs/integrations/sumo-apps/data-volume.md

Lines changed: 0 additions & 18 deletions
@@ -11,24 +11,6 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
1111

1212
The Data Volume App provides you with a summary and detailed views of your account's data usage volume by data type, tier, category, collector, source name, and hosts via predefined searches and dashboards.
1313

14-
Before you can install and use the Data Volume app, an administrator must first enable the feature. For more information, see [Enable the Data Volume Index](#enable-the-data-volume-index) below.
15-
16-
The Data Volume Index gathers volume data as soon as it is enabled. It will not gather data from legacy versions or backfill data.
17-
18-
19-
## Enable the Data Volume Index
20-
21-
The Data Volume Index must be enabled by an administrator.
22-
23-
To enable the Data Volume Index:
24-
25-
1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Account > Data Management**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account** select **Data Management**. You can also click the **Go To...** menu at the top of the screen and select **Data Management**.
26-
1. Under **Data Volume**, select **Enable**.
27-
28-
<img src={useBaseUrl('img/manage/ingestion-volume/data_volume_check_box.png')} alt="Enable Data Volume Index" style={{border: '1px solid gray'}} width="800"/>
29-
30-
A message confirms that the feature is enabled.
31-
3214
## Installing the Data Volume app
3315

3416
import AppInstallNoDataSourceV2 from '../../reuse/apps/app-install-index-apps-v2.md';
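Review bot: deleting the "Enable the Data Volume Index" section removes the only statement that an administrator must enable the index before the app has data, and the only description of where that switch lives, without saying why. If the index is now enabled by default, add one sentence saying so after the app description; if it still has to be enabled, keep a pointer to wherever the procedure now lives. Also check for remaining links to the `#enable-the-data-volume-index` anchor elsewhere in the docs, and whether `img/manage/ingestion-volume/data_volume_check_box.png` is still referenced anywhere; if not, it is now an orphaned asset.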

docs/manage/security/audit-indexes/search-audit-index.md

Lines changed: 2 additions & 1 deletion
@@ -59,7 +59,7 @@ The following table provides details on the fields returned by the index:
5959
| `content_identifier` | The ID of the content item that triggered the search query. |
6060
| `content_name` | The name of the content item that triggered the search query. |
6161
| `data_retreived_bytes` | Amount of data retrieved by the search query. This represents the approximate size of messages that match the source expression of the query and are retrieved from scanning. |
62-
| `data_scanned_bytes` | Amount of data scanned by the search query. This value is an approximation, as the scanned message bytes are captured at intermittent time intervals and then averaged over the query time range. It is important to note that this value may be less than the retrieved bytes in some cases due to the approximation. Additionally, if a query contains a `timecompare` or `subquery` operator, the `data_scanned_byte` attribute in the audit log will include the sum of both the parent and child queries. |
62+
| `data_scanned_bytes` | Displays the total sum of scanned bytes for charged (Flex and Infrequent bytes) and non-charged metering types (Continuous and Frequent bytes). This value can be different from what users see in scan estimates on UI. Additionally, if a query contains a `timecompare` or `subquery` operator, the `data_scanned_byte` attribute in the audit log will include the sum of both the parent and child queries. |
6363
| `execution_duration_ms` | Time taken to complete the search. |
6464
| `is_aggregate` | The boolean variable that indicates if the corresponding search query was an aggregate query. The aggregate operator’s list can be found in [Group or Aggregate Operators](/docs/search/search-query-language/group-aggregate-operators). |
6565
| `query` | The query text string run by the user. |
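Review bot: the new `data_scanned_bytes` description carries forward the typo `data_scanned_byte` in its last sentence (the field is `data_scanned_bytes`); fix it while the line is being rewritten. The parentheticals also read unevenly: "charged (Flex and Infrequent bytes) and non-charged metering types (Continuous and Frequent bytes)" attaches "metering types" only to the second group; "charged metering types (Flex and Infrequent bytes) and non-charged metering types (Continuous and Frequent bytes)" is unambiguous. The rewrite drops the old caveat that the value is an approximation and may be lower than the retrieved bytes; if that is still true it should stay, since teams using this index to flag unexpectedly large scans need to know the number is not exact, and if it is no longer true the note should say the value is now exact. Adjacent but unchanged: the context line names the field `data_retreived_bytes`; confirm that misspelling is the real field name rather than a doc typo.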
@@ -74,6 +74,7 @@ The following table provides details on the fields returned by the index:
7474
| `session_id` | An identifier for every search run within the account. This is the same SESSION number displayed in the UI in the search tab. |
7575
| `status_message` | Gives the status of the search. The values include: **Finished successfully**, **Query failed**, and **Query canceled**. |
7676
| `user_name` | The email of the user that ran the search. |
77+
| `scanned_bytes_breakdown_by_metering_type` | Displays breakdown of the total amount of data scanned by a search query based on the metering type. It includes both charged metering types (Flex and Infrequent bytes) and non-charged metering types (Continuous and Frequent bytes). |
7778

7879
## Query type field values 
7980

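Review bot: the new `scanned_bytes_breakdown_by_metering_type` row is appended after `user_name`, but the table is otherwise in alphabetical order (`query`, ..., `session_id`, `status_message`, `user_name`); place it before `session_id` so it can be found by name. The description also gives no hint of the value's shape (one string, or a map keyed by metering type such as Flex, Infrequent, Continuous and Frequent), which anyone writing a query over the audit index needs; add a short example value.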
docs/metrics/metrics-dpm.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ description: Metrics Data Ingestion allows you to view metrics ingest volumes ac
77

88
import useBaseUrl from '@docusaurus/useBaseUrl';
99

10-
You can view your metrics data ingestion volume on the **Metrics Data Ingestion** page. This page provides a granular breakdown of your metrics ingestion and credits used. You can track consumption by individual metric names, or by specific dimensions and sources. With this data, you can see which sources and metrics contribute most to your credit consumption, and take necessary action. 
10+
You can view your metrics data ingestion volume on the **Metrics Data Ingestion** page. This page provides a granular breakdown of your metrics ingestion. You can track consumption by individual metric names, or by specific dimensions and sources. With this data, you can see which sources and metrics contribute most to your credit consumption, and take necessary action. 
1111

1212
Understanding the volume of metrics that you are ingesting is important because when you exceed the credit limit, data is cached on the host and the source is throttled, reducing query performance and accuracy. For more information, see [Data Limits for Metrics](/docs/metrics/manage-metric-volume/data-limits-for-metrics/).
1313

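Review bot: removing "and credits used" from the first sentence leaves the rest of the paragraph contradicting it: the third sentence still says the page shows "which sources and metrics contribute most to your credit consumption", and the next paragraph still describes what happens when you exceed the credit limit. If the page no longer shows credit usage, rewrite the third sentence as well; if it still does, the deletion should be reverted.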
docs/search/search-query-language/search-operators/cidr.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ title: cidr Search Operator
44
sidebar_label: CIDR
55
---
66

7-
Sumo Logic's three CIDR operators work with CIDR (Classless Inter-Domain Routing, sometimes pronounced "cider") notation to narrow the analysis of IPv4 networks to specific subnets. CIDR notations specify the routing prefix of IP addresses.
7+
Sumo Logic's three CIDR operators work with CIDR (Classless Inter-Domain Routing, sometimes pronounced "cider") notation to narrow the analysis of IPv4 networks to specific subnets. CIDR notations specify the routing prefix of IP addresses. Input data will be trimmed, making these operators more flexible, which allows you to set your expectations accordingly.
88

99
Using the CIDR operators, you can determine the amount of traffic between network segments, review events from hosts within a specified network segment, or even use a not operator to find addresses that didn't originate from a particular network segment. CIDR operators can be used to compare the network segment of two IPv4 addresses, or just identify the network segment involved in particular messages.
1010

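Review bot: the added sentence "Input data will be trimmed, making these operators more flexible, which allows you to set your expectations accordingly." does not say what is trimmed or from which input, and "set your expectations accordingly" carries no information. The release note in this same commit says only `compareCIDRPrefix` and `getCIDRPrefix` now tolerate leading and trailing spaces around the IP address, while this paragraph introduces "three CIDR operators"; say which operators trim and what they trim, e.g. "The `compareCIDRPrefix` and `getCIDRPrefix` operators trim leading and trailing whitespace from the IP address before evaluating it." If the third operator trims as well, state that explicitly rather than leaving readers to guess.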