Merge branch 'main' into threat-intel-ga

Author: jpipkin1

blog-cse/2024-09-19-content.md

@@ -0,0 +1,214 @@
+---
+title: September 19, 2024 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - log parsers
+  - detection rules
+image: https://help.sumologic.com/img/sumo-square.png  
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+This content release includes:
+* Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal).
+* Deletion of a low efficacy rule.
+* Mapping updates to better employ [normalized classification](/docs/cse/schema/cse-normalized-classification/) fields across data sources.
+* Adds alternate case handling for Windows Security Event Log error codes.
+* Updates to LastPass parsing and mapping to support Reporting and Failed Logon events.
+* Adds support for Thinkst Canary JSON logging.
+* Adjusts time handling for Thinkst Canary Syslog.
+
+Other changes are enumerated below.
+
+
+### Rules
+- [Deleted] LEGACY-S00180 DNS query for dynamic DNS provider
+- [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
+- [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
+- [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
+- [Updated] MATCH-S00727 CPL File Executed from Temp Directory
+- [Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings
+- [Updated] MATCH-S00658 Container Management Utility in Container
+- [Updated] MATCH-S00410 Copy from Admin Share
+- [Updated] MATCH-S00443 Create Windows Share
+- [Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
+- [Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy
+- [Updated] MATCH-S00348 Curl Start Combination
+- [Updated] MATCH-S00385 DTRACK Process Creation
+- [Updated] MATCH-S00441 Delete Windows Share
+- [Updated] MATCH-S00543 Detect Psexec With Accepteula Flag
+- [Updated] MATCH-S00319 Dridex Process Pattern
+- [Updated] MATCH-S00590 Elise Backdoor
+- [Updated] MATCH-S00392 File or Folder Permissions Modifications
+- [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
+- [Updated] FIRST-S00059 First Seen esentutl command From User
+- [Updated] FIRST-S00041 First Seen networksetup Usage from User
+- [Updated] FIRST-S00058 First Seen vssadmin command From User
+- [Updated] FIRST-S00060 First Seen wbadmin command From User
+- [Updated] FIRST-S00008 First Seen whoami command From User
+- [Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility
+- [Updated] MATCH-S00325 Greenbug Campaign Indicators
+- [Updated] MATCH-S00367 Impacket Lateralization Detection
+- [Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility
+- [Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility
+- [Updated] MATCH-S00322 Judgement Panda Credential Access Activity
+- [Updated] MATCH-S00334 Judgement Panda Exfil Activity
+- [Updated] MATCH-S00651 Kubernetes CreateCronjob
+- [Updated] MATCH-S00652 Kubernetes DeleteCronjob
+- [Updated] MATCH-S00650 Kubernetes ListCronjobs
+- [Updated] MATCH-S00648 Kubernetes ListSecrets
+- [Updated] MATCH-S00647 Kubernetes Pod Deletion
+- [Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed
+- [Updated] MATCH-S00461 LNKSmasher Utility Commands
+- [Updated] MATCH-S00746 Loadable Kernel Module Dependency Install
+- [Updated] MATCH-S00745 Loadable Kernel Module Enumeration
+- [Updated] MATCH-S00723 Loadable Kernel Module Modifications
+- [Updated] MATCH-S00352 MSHTA Suspicious Execution
+- [Updated] MATCH-S00534 MacOS - Re-Opened Applications
+- [Updated] MATCH-S00729 MacOS Gatekeeper Bypass
+- [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
+- [Updated] MATCH-S00161 Malicious PowerShell Get Commands
+- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
+- [Updated] MATCH-S00198 Malicious PowerShell Keywords
+- [Updated] MATCH-S00331 MavInject Process Injection
+- [Updated] MATCH-S00466 MsiExec Web Install
+- [Updated] MATCH-S00288 NotPetya Ransomware Activity
+- [Updated] MATCH-S00698 PATH Set to Current Directory
+- [Updated] MATCH-S00659 Package Management Utility in Container
+- [Updated] MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034
+- [Updated] MATCH-S00149 PowerShell File Download
+- [Updated] MATCH-S00449 Powershell Execution Policy Bypass
+- [Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll
+- [Updated] MATCH-S00439 Psr.exe Capture Screenshots
+- [Updated] MATCH-S00167 Recon Using Common Windows Commands
+- [Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator
+- [Updated] MATCH-S00506 SC Exe Manipulating Windows Services
+- [Updated] MATCH-S00153 Scheduled Task Created via PowerShell
+- [Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System
+- [Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot
+- [Updated] MATCH-S00359 Suspicious Certutil Command
+- [Updated] MATCH-S00356 Suspicious Compression Tool Parameters
+- [Updated] MATCH-S00362 Suspicious Curl File Upload
+- [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
+- [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution
+- [Updated] MATCH-S00191 Suspicious PowerShell Keywords
+- [Updated] MATCH-S00431 Suspicious Use of Procdump
+- [Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution
+- [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
+- [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
+- [Updated] MATCH-S00531 Unload Sysmon Filter Driver
+- [Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions
+- [Updated] MATCH-S00761 Volume Shadow Copy Service Stopped
+- [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
+- [Updated] MATCH-S00760 WMI Ping Sweep
+- [Updated] MATCH-S00146 WMI Process Call Create
+- [Updated] MATCH-S00151 WMI Process Get Brief
+- [Updated] MATCH-S00379 WMIExec VBS Script
+- [Updated] MATCH-S00400 Web Download via Office Binaries
+- [Updated] MATCH-S00539 Web Servers Executing Suspicious Processes
+- [Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands
+- [Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog
+- [Updated] MATCH-S00181 Windows - Domain Trust Discovery
+- [Updated] MATCH-S00168 Windows - Local System executing whoami.exe
+- [Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe
+- [Updated] MATCH-S00159 Windows - Permissions Group Discovery
+- [Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas
+- [Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed
+- [Updated] MATCH-S00281 Windows - PowerShell Process Discovery
+- [Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire
+- [Updated] MATCH-S00185 Windows - Remote System Discovery
+- [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
+- [Updated] MATCH-S00170 Windows - Scheduled Task Creation
+- [Updated] MATCH-S00192 Windows - System Network Configuration Discovery
+- [Updated] MATCH-S00194 Windows - System Time Discovery
+- [Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh
+- [Updated] MATCH-S00532 Windows Adfind Exe
+- [Updated] MATCH-S00552 Windows Connhost Started Forcefully
+- [Updated] MATCH-S00398 Windows Defender Download Activity
+- [Updated] MATCH-S00179 Windows Network Sniffing
+- [Updated] MATCH-S00157 Windows Process Name Impersonation
+- [Updated] MATCH-S00178 Windows Query Registry
+- [Updated] MATCH-S00533 Windows Security Account Manager Stopped
+- [Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path
+- [Updated] MATCH-S00724 Windows Update Agent DLL Changed
+- [Updated] MATCH-S00382 Winnti Pipemon Characteristics
+- [Updated] MATCH-S00435 XSL Script Processing
+- [Updated] MATCH-S00726 macOS Kernel Extension Load
+
+### Log Mappers
+- [New] LastPass Failed Login Attempt
+- [New] LastPass Reporting
+- [Updated] Thinkst Canary Parser - Catch All
+    - Removed time handling from mapper to favor parser time handling
+- [Updated] 1Password Item Audit Actions
+- [Updated] 1Password Item Usage Actions
+- [Updated] AWS Config - Custom Parser
+- [Updated] AWS EKS - Custom Parser
+- [Updated] AWS Inspector - Custom Parser
+- [Updated] AWS Route 53 Logs
+- [Updated] AWS S3 Server Access Log - Custom Parser
+- [Updated] AWS Security Hub
+- [Updated] AWSGuardDuty - Audit Events
+- [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
+- [Updated] AWSGuardDuty - Reconnaissance and malicious activity detection
+- [Updated] AWSGuardDuty - Tor Client and Relay
+- [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
+- [Updated] AWSGuardDuty_Catch_All
+- [Updated] Adaxes - Custom Parser
+- [Updated] ApplicationGatewayAccessLog
+- [Updated] ApplicationGatewayFirewallLog
+- [Updated] Aqua Runtime Policy Match
+- [Updated] Azure Appplication Service Console Logs
+- [Updated] Azure AuditEvent logs
+- [Updated] Azure Event Hub - Windows Defender Logs
+- [Updated] Azure Firewall Application Rule
+- [Updated] Azure Firewall DNS Proxy
+- [Updated] Azure Firewall Network Rule
+- [Updated] Azure NSG Flows
+- [Updated] Azure Policy Logs
+- [Updated] AzureActivityLog
+- [Updated] AzureActivityLog 01
+- [Updated] AzureActivityLog AuditLogs
+- [Updated] AzureDevOpsAuditing
+- [Updated] Cato Networks Audits
+- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
+- [Updated] Cyber Ark EPM AggregateEvent
+- [Updated] Druva Cyber Resilience - Catch All
+- [Updated] GCP App Engine Logs
+- [Updated] GCP Audit Logs
+- [Updated] GCP IDS
+- [Updated] GCP Parser - Load Balancer
+- [Updated] Google Security Command Center
+- [Updated] JumpCloud IdP - Catch All
+- [Updated] Kaltura Audits
+- [Updated] Microsoft Defender for Cloud - Security Alerts
+- [Updated] Microsoft Office 365 AzureActiveDirectory Events
+- [Updated] Microsoft Office 365 MicrosoftStream Events
+- [Updated] Microsoft Office 365 PowerApps Events
+- [Updated] Microsoft Office 365 Sway Events
+- [Updated] Microsoft Office 365 Teams Events
+- [Updated] Microsoft Office 365 Yammer Events
+- [Updated] MicrosoftGraphActivityLogs
+- [Updated] Office 365 - MicrosoftFlow
+- [Updated] Office 365 - Security Compliance Alerts
+- [Updated] Osquery Catchall
+- [Updated] Osquery FIM
+- [Updated] Osquery Process Auditing
+- [Updated] Osquery Socket Events
+- [Updated] Osquery Startup Items
+- [Updated] Palo Alto Config - Custom Parser
+- [Updated] Palo Alto Threat Spyware - Custom Parser
+- [Updated] RSA SecurID Runtime Authn Logout
+- [Updated] RSA SecurID Runtime Catchall
+- [Updated] UnauthorizedAccess_EC2_SSHBruteForce
+- [Updated] Windows - Security - 4625
+- [Updated] Windows - Security - 4634
+
+### Parsers
+- [New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON
+- [Updated] /Parsers/System/LastPass/LastPass
+- [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
+    - Updated time handling to use `_messagetime` metadata

blog-service/2016/12-31.md

@@ -55,7 +55,7 @@ This is an archive of the 2016 Sumo Logic Service Release Notes. To view the ful
 
 **Sumo Logic App for Amazon RDS Metrics (Preview).** The Sumo Logic App for Amazon RDS Metrics provides visibility into your Amazon Relational Database Service (RDS) Metrics collected via a CloudWatch Metrics Source. The App’s Dashboards provide preconfigured searches and filters that allow you to monitor your RDS system's overview, CPU, memory, storage, network transmit and receive throughput, read and write operations, database connection count, disk queue depth, and more. For details, see [Amazon RDS Metrics](/docs/integrations/amazon-aws/rds). This is a Preview App.
 
-**Pause and Resume an S3 Source.** You can pause an S3 Source at any time to stop the Source from sending data from the Source to Sumo Logic. Locate the Source on the **Manage > Collection** page, and click **Pause**.** **Click the **Resume** link when you are ready for the Source to start sending data again. For details, see [Pause and Resume an S3 Source](/docs/send-data/collection/pause-resume-source).
+**Pause and Resume an S3 Source.** You can pause an S3 Source at any time to stop the Source from sending data from the Source to Sumo Logic. Locate the Source on the **Manage > Collection** page, and click **Pause**.Click the **Resume** link when you are ready for the Source to start sending data again. For details, see [Pause and Resume an S3 Source](/docs/send-data/collection/pause-resume-source).
 
 
 ### November 10, 2016
@@ -238,7 +238,7 @@ Downloading the configuration allows you to create scripts to configure multiple
 
 ### July 19, 2016
 
-**New UI for Users and Roles.** As the first step in introducing advanced Role Based Access Control (RBAC) to Sumo Logic, the UI for the **Manage > User **and **Manage > Roles** pages has been updated.  The new UI provides Sumo Logic administrators with an easy and intuitive way to create new roles based on business needs, define the capabilities the roles can access, assign users to roles, and manage the settings for users, roles, and capabilities. For complete details, see [Users and Roles](/docs/manage/users-roles).
+**New UI for Users and Roles.** As the first step in introducing advanced Role Based Access Control (RBAC) to Sumo Logic, the UI for the **Manage > User** and **Manage > Roles** pages has been updated.  The new UI provides Sumo Logic administrators with an easy and intuitive way to create new roles based on business needs, define the capabilities the roles can access, assign users to roles, and manage the settings for users, roles, and capabilities. For complete details, see [Users and Roles](/docs/manage/users-roles).
 
 
 ### July 15, 2016

blog-service/2017/12-31.md

@@ -373,7 +373,7 @@ The ability to save LogReduce results to a baseline has been deprecated.
 ---
 ## June 23, 2017
 
-**PCI Compliance for Amazon VPC Flow Log App. **The Sumo Logic App for [Payment Card Industry (PCI) Compliance for Amazon VPC Flow App](/docs/integrations/amazon-aws/vpc-flow-logs-pci-compliance) is now available. This app offers dashboards to help you monitor that network traffic, network activities, and network security are within your expected ranges. The PCI Compliance for Amazon VPC Flow App covers PCI requirements 01, 02 and 04.
+**PCI Compliance for Amazon VPC Flow Log App**. The Sumo Logic App for [Payment Card Industry (PCI) Compliance for Amazon VPC Flow App](/docs/integrations/amazon-aws/vpc-flow-logs-pci-compliance) is now available. This app offers dashboards to help you monitor that network traffic, network activities, and network security are within your expected ranges. The PCI Compliance for Amazon VPC Flow App covers PCI requirements 01, 02 and 04.
 
 <img src={useBaseUrl('img/release-notes/service/archive/6-23-17.png')} alt="releasenotes" />
 
@@ -391,8 +391,8 @@ Be aware of the following changes that come with these enhancements:
 * **Field counts may still be loading.**  Field counts load asynchronously, and may still be loading after the histogram renders.
 * **Receipt time still has 100k pause.** If your search uses receipt time, you will still see the 100k message limit.
 * **Oldest message sorts first when you reach 100k messages.** Although you can have more than 100k messages in the histogram, the oldest message that will be shown is the 100k message. To get around this issue and see the range you want on the histogram, you can:
-    ** Reduce the timerange and return the search.
-    ** Shift+click on the histogram bar to drilldown into a specific timerange.
+    * Reduce the timerange and return the search.
+    * Shift+click on the histogram bar to drilldown into a specific timerange.
 
 ---
 ## June 19, 2017
@@ -431,10 +431,10 @@ The Threat Intel for AWS App scans your AWS CloudTrail, AWS Elastic Load Balanci
 ---
 ## June 16, 2017
 
-**Custom timestamp formats. **You can now specify multiple custom timestamp formats per source, where to locate them in your log lines with regex, and test them to see if we can parse that format. We will still auto detect timestamps for you if your custom formats do not parse. See [Timestamps, Time Zones, Time Ranges, and Date Formats](/docs/send-data/reference-information/time-reference) and [Use JSON to Configure Sources](/docs/send-data/use-json-configure-sources)
+**Custom timestamp formats**. You can now specify multiple custom timestamp formats per source, where to locate them in your log lines with regex, and test them to see if we can parse that format. We will still auto detect timestamps for you if your custom formats do not parse. See [Timestamps, Time Zones, Time Ranges, and Date Formats](/docs/send-data/reference-information/time-reference) and [Use JSON to Configure Sources](/docs/send-data/use-json-configure-sources)
 
 
-**More epoch timestamp support. **You can now specify the epoch timestamp token, which will match against 10, 13, 16, or 19-digit epoch timestamps, with or without decimal points. See [Timestamps, Time Zones, Time Ranges, and Date Formats](/docs/send-data/reference-information/time-reference).
+**More epoch timestamp support**. You can now specify the epoch timestamp token, which will match against 10, 13, 16, or 19-digit epoch timestamps, with or without decimal points. See [Timestamps, Time Zones, Time Ranges, and Date Formats](/docs/send-data/reference-information/time-reference).
 
 ---
 ## June 12, 2017
@@ -459,7 +459,7 @@ If you're a current Sumo Logic user, you'll find that the navigation and some me
 
 **Apps**. The App Catalog has a new preview option. If you’re not sure what dashboards you’ll get with an app, you can click the
 
-**Preview Dashboards **link in the App Catalog to see a preview of the dashboards included with the app.
+**Preview Dashboards**. Link in the App Catalog to see a preview of the dashboards included with the app.
 
 **New tutorials**. We’ve updated our Quick Start tutorials to better reflect the different getting started experiences for setting up Sumo Logic and using Sumo Logic.
 
@@ -607,4 +607,4 @@ This capability is called quantization. The quantization interval aligns your ti
 
 **Webhook Connection for Microsoft Azure Functions**. You can trigger an Azure function directly from a Scheduled Search or metrics monitor by configuring a Webhook connection in Sumo Logic. For details, see [Webhook Connection for Microsoft Azure Functions](/docs/alerts/webhook-connections/microsoft-azure-functions).
 
-**Webhook Connection for AWS Lambda. **You can trigger an AWS Lambda function directly from a Scheduled Search or metrics monitor by configuring a Webhook connection in Sumo Logic. For details, see [Webhook Connection for AWS Lambda](/docs/alerts/webhook-connections/aws-lambda).
+**Webhook Connection for AWS Lambda**. You can trigger an AWS Lambda function directly from a Scheduled Search or metrics monitor by configuring a Webhook connection in Sumo Logic. For details, see [Webhook Connection for AWS Lambda](/docs/alerts/webhook-connections/aws-lambda).