Commit 59d04e6

Merge branch 'main' into kandji-app-docs
2 parents 4c3bc23 + 49d6b31 commit 59d04e6

42 files changed

+539
-184
lines changed

blog-cse/2024-11-07-content.md

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
---
2+
title: November 7, 2024 - Content Release
3+
hide_table_of_contents: true
4+
keywords:
5+
- log mappers
6+
- log parsers
7+
- detection rules
8+
- tag schemas
9+
image: https://help.sumologic.com/img/sumo-square.png
10+
---
11+
12+
import useBaseUrl from '@docusaurus/useBaseUrl';
13+
14+
<a href="https://help.sumologic.com/release-notes-cse/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
15+
16+
This content release includes:
17+
- New detection rules.
18+
- Updates to existing detection rules to correct rule logic and reduce false positives.
19+
- New parsing and mapping support for Automox, WatchGuard Firewall, and Digital Guardian ARC.
20+
- Update to existing AWS Application Load Balancer parsing and mapping to support Connection logs.
21+
- Update to MITRE ATT&CK tag schema to support ATT&CK v16.0.
22+
23+
Changes are enumerated below.
24+
25+
### Rules
26+
- [New] CHAIN-S00018 Autorun file created after USB disk mount on host
27+
- This signal looks for a USB drive being mounted on a Windows host followed by a file creation event with the file name of "autorun.inf" within a 5-minute time frame. This activity could be indicative of an attempt at lateral movement or initial access avenues through a USB device. Ensure that the machine in question is authorized to use USB devices and look for other file creation events from this host around the same time frame.
28+
- [New] FIRST-S00071 First Seen AWS ConsoleLogin by User
29+
- First observance of a user logging on to the Amazon AWS console. This could be indicative of new administrator onboarding, or an unauthorized access to the AWS console. Recommended to investigate the nature of the user account and the login.
30+
- [New] FIRST-S00080 First Seen Azure Portal access by User
31+
- First observance of a user logging on to the Microsoft Azure Portal. This could be indicative of new user onboarding, or an unauthorized access to the Azure portal. Recommended to investigate the nature of the user account and the login.
32+
- [New] FIRST-S00073 First Seen Get-ADDefaultDomainPasswordPolicy
33+
- The first observed execution of the PowerShell CMDLet Get-ADDefaultDomainPasswordPolicy on this host. This CMDLet can be used in the discovery of Windows Domain Password Policies by threat actors. Investigating the host and active users for additional activity around the time of execution is recommended.
34+
- [New] FIRST-S00072 First Seen Group Policy Discovery Operation
35+
- This detection is a first observed execution of Windows process or PowerShell commands that can be run by users or administrators in order to gather password policy and other types of system information in an enterprise environment. The detections in this signal are based off variations found in Atomic Red Team test cases. Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md. Look at the command line and parent process details of the signal in order to determine if this execution is legitimate or part of system provisioning or systems administration operations.
36+
- [New] FIRST-S00076 First Seen Net Command Use on Host
37+
- Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the first observance of a Net related command on a system related to these discovery tactics. It is recommended to investigate the host and user to determine if this is authorized admin activity or needs further inspection.
38+
- [New] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
39+
- First Seen rule which triggers when there are at least two successful logins from the same user with different country codes indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.)
40+
- [New] FIRST-S00074 First Seen driverquery execution on host
41+
- First observed execution of the driverquery command on the following device host: `{{device_hostname}}`. Driverquery is a useful command for an attacker to enumerate local device drivers to determine next steps in the attack. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
42+
- [New] FIRST-S00079 First Seen gpresult execution on host
43+
- This detection is first observed execution of gpresult on a host. This command may be used by attackers to access detailed password policy information in an enterprise environment. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
44+
- [New] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
45+
- This signal looks for a new Client ID value ( mapped to the `user_username` field ) and ASN combination being issued an OIDC token, excluding the Okta Browser Plugin and Okta Dashboard. Use the Okta admin portal and look at the "Applications" section to cross-reference the Client ID value. Ensure that the IP address that is requesting the token is known and that this operation is expected and authorized.
46+
- [New] FIRST-S00068 Okta - First Seen User Accessing Admin Application
47+
- A user not seen since the baseline period has accessed the Okta admin application. Ensure that this user is expected to perform Okta administrative activities. If this user is expected and authroized, consider adding the user to the "Okta_Admins" match list to exclude the user from this signal.
48+
- [New] FIRST-S00066 Okta - First Seen User Requesting Report
49+
- This signal looks for a first seen user requesting an export of an Okta report. The various Okta report types can be found in the “Reports” section of the Okta administrative portal and can include various report types such as application password help, MFA usage, and reports around user access. During the October 2023 Okta incident, threat actors downloaded reports from Okta portals to extract information regarding user contact information. Ensure that the user that is requesting such reports is authorized and that this activity is expected. If a suspicious report generation event occurs, look at the “target” element within the event to gain more detailed information as to the type of report being generated and exported.
50+
- [New] OUTLIER-S00018 Okta - Outlier in ASNs Used to Access Applications
51+
- This signal looks for an outlier in the number of distinct autonomous system numbers (ASNs) that a particular user utilizes to access Okta resources within an hour time period. This is designed to alert on various forms of token or credential theft as well as general Okta session anomalies.
52+
- [New] OUTLIER-S00017 Okta - Outlier in MFA Attempts Denied by User
53+
- This signal builds an hourly baseline of MFA denied events per user and triggers when an outlier in the number of denied attempts is detected. This signal is designed to trigger on MFA-fatigue type attacks. If false positives are detected, consider excluding certain users from the alerting logic or raise the minimum count value within the rule configuration.
54+
- [New] OUTLIER-S00016 Okta - Outlier in OIDC token request failures
55+
- This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. Use the Okta admin portal to correlate the Client ID (mapped to `user_username`) to determine what application is being targeted. Pivot off the Client ID and IP address values to examine the raw Okta events in order to ensure that this activity is planned and expected. This activity can occur during setup and development of Okta applications and integrations.
56+
- [New] OUTLIER-S00013 Outlier in Data Outbound Per Day by Admin or Sensitive Device
57+
- A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
58+
- [New] OUTLIER-S00015 Outlier in Data Outbound Per Hour by Admin or Sensitive Device
59+
- A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
60+
- [Updated] THRESHOLD-S00095 Password Attack
61+
- Added NULL exclusion to rule expression to prevent false-positives stemming from NULL IP or hostnames.
62+
- [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port
63+
- Added missing parenthesis to match expression.
64+
65+
### Log Mappers
66+
- [New] AWS - Application Load Balancer - Connection
67+
- [New] Automox - Audit logs
68+
- [New] Automox - Audit logs - Logon
69+
- [New] Automox - Event logs
70+
- [New] Digital Guardian ARC - Audit Events
71+
- [New] Digital Guardian ARC - Mail
72+
- [New] Digital Guardian ARC - Network
73+
- [New] Digital Guardian ARC - User Login|Logoff
74+
- [New] Watchguard Fireware - Firewall
75+
- [New] Watchguard Fireware - http/https-proxy
76+
77+
### Parsers
78+
- [New] /Parsers/System/Automox/Automox
79+
- [New] /Parsers/System/Digital Guardian/Digital Guardian ARC
80+
- [New] /Parsers/System/WatchGuard/WatchGuard Fireware
81+
- [Updated] /Parsers/System/AWS/AWS ALB
82+
- Updated parser to support AWS Application Load Balancer Connection logs
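
Review bot: several copy issues in the new rule descriptions. In FIRST-S00068, "authroized" should be "authorized". In FIRST-S00065 the closing sentence is ungrammatical and runs into the previous one: "such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.)" reads better as "such as known VPN addresses. (If degradation issues occur, we recommend tuning around your expected network.)". In FIRST-S00074 the rule template variable `{{device_hostname}}` has been copied into the release note, where nothing substitutes it; drop the "on the following device host" clause in this context. FIRST-S00072 says "based off variations"; "based on" is the standard form. The vendor name is also inconsistent within the file: the summary says "WatchGuard Firewall", the mappers say "Watchguard Fireware", and the parser path says "WatchGuard Fireware"; settle on one spelling (the parser path suggests "WatchGuard Fireware").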
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
---
2+
title: November 8, 2024 - Application Update
3+
keywords:
4+
- cloud siem
5+
image: https://help.sumologic.com/img/sumo-square.png
6+
hide_table_of_contents: true
7+
---
8+
9+
### Cloud SIEM network sensor end-of-life
10+
11+
The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.
12+
13+
Learn more [here](/docs/cse/sensors/network-sensor-end-of-life/).
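
Review bot: this hunk has no file path above it in the rendered diff, so the new post's filename cannot be checked against the other release notes in this commit; unlike those posts it also omits the `import useBaseUrl` line and the RSS icon link, so add both if application-update posts are meant to carry them. Wording: "on-premise" should be "on-premises", and "customer or partner managed" should be "customer- or partner-managed". The link text "here" in "Learn more [here](...)" is not descriptive; prefer something like "See [Cloud SIEM network sensor end-of-life](/docs/cse/sensors/network-sensor-end-of-life/)".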

blog-service/2024-11-08-search.md

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
---
2+
title: Deprecation of Classic Visualization (Search)
3+
image: https://help.sumologic.com/img/sumo-square.png
4+
keywords:
5+
- classic-visualization
6+
- search
7+
hide_table_of_contents: true
8+
---
9+
10+
import useBaseUrl from '@docusaurus/useBaseUrl';
11+
12+
<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
13+
14+
In May 2024, we introduced [new visualization charts](/docs/search/get-started-with-search/search-basics/chart-search-results/#new-visualization) for all the Log Search queries, with which you can customize each chart by modifying the available settings and obtain a unified experience across the Sumo Logic platforms.
15+
16+
**Effective November 22, 2024**, the **Switch to Classic Visualization** button will be removed, and the Classic Visualization view will no longer be available. By default, all your charts will automatically display in the New Visualization style.
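
Review bot: the first paragraph is a single run-on sentence; "for all the Log Search queries, with which you can customize each chart by modifying the available settings and obtain a unified experience across the Sumo Logic platforms" reads more cleanly as "for all Log Search queries. These charts let you customize each chart through its settings and give a unified experience across Sumo Logic platforms." The second paragraph gives the removal date but does not say whether saved searches or dashboards that currently use Classic Visualization need any action from the user; one sentence stating that no migration step is required (or what the step is) would pre-empt support questions.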

docs/api/getting-started.md

Lines changed: 4 additions & 0 deletions
@@ -38,6 +38,10 @@ Sumo Logic supports the following options for API authentication:
3838

3939
See [Access Keys](/docs/manage/security/access-keys) to learn how to generate an access key. Make sure to copy the key you create, because it is displayed only once.
4040

41+
:::info
42+
Because access keys use the permissions of the user running the key, ensure that the user utilizing a key has the [role capabilities](/docs/manage/users-roles/roles/role-capabilities) needed to execute the tasks the key is needed for.
43+
:::
44+
4145
### Access ID and Access Key
4246

4347
When you have an `accessId` and `accessKey`, you can execute requests like the following:
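
Review bot: "the user running the key" in the new admonition is imprecise; what determines the key's permissions is which user the key belongs to, not who presents it. Suggest: "Because an access key inherits the permissions of the user who created it, make sure that user has the [role capabilities](/docs/manage/users-roles/roles/role-capabilities) needed for the tasks the key will be used for." Since this is the point where readers decide which account to create a key under, it is also worth stating the least-privilege guidance explicitly: create keys under an account whose role carries only the capabilities the integration needs, rather than under an administrator account, so that a leaked key cannot do more than the task requires.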

docs/cse/administration/save-inventory-data-lookup-table.md

Lines changed: 8 additions & 8 deletions
@@ -18,7 +18,7 @@ Although the Scheduled Search feature does support an **Alert Type** of “Save
1818

1919
## Prerequisites 
2020

21-
In order to create an inventory Lookup Table you need to have one or more sources of inventory data. One of the most common sources of inventory data in Sumo Logic is the Windows Active Directory Inventory source running on an Installed Collector. We recommend you collect AD logs every 12 hours, and that you do not collect logs more frequently than every 8 hours.
21+
In order to create an inventory Lookup Table, you need to have one or more sources of inventory data. One of the most common sources of inventory data in Sumo Logic is the [Windows Active Directory Inventory source](/docs/send-data/installed-collectors/sources/windows-active-directory-inventory-source/) running on an Installed Collector. We recommend you collect AD logs every 12 hours, and that you do not collect logs more frequently than every 8 hours.
2222

2323
Any inventory source–or any log source, for that matter–can be used to populate Lookup Tables. Sumo Logic also has a variety of inventory sources that run on Hosted Collectors, including the Okta and Carbon Black sources.
2424

@@ -39,14 +39,14 @@ To create the Lookup Table schema:
3939

4040
1. Go to the Sumo Logic Library.
4141
1. Navigate to the folder where you want to create the Lookup Table.
42-
1. Click **Add New** and then select **New Lookup**. <br/><img src={useBaseUrl('img/cse/new-lookup.png')} alt="New lookup link" width="600"/>
43-
1. The **Create Lookup Table** page appears. <br/><img src={useBaseUrl('img/cse/create-in-cip.png')} alt="Create lookup table" width="600"/>
42+
1. Click **Add New** and then select **New Lookup**. <br/><img src={useBaseUrl('img/cse/new-lookup.png')} alt="New lookup link" style={{border: '1px solid gray'}} width="600"/>
43+
1. The **Create Lookup Table** page appears. <br/><img src={useBaseUrl('img/cse/create-in-cip.png')} alt="Create lookup table" style={{border: '1px solid gray'}} width="600"/>
4444
1. **Name**. Enter a name for the Lookup Table.
4545
1. **Description**. (Optional)
4646
1. **Set a TTL (Time to Live) for table entries**? Click **No**.
4747
1. **Choose a size limit handling option**. This option controls how additions to the Lookup table will be handled when it reaches its size limit (100 MB). Click **Delete Old Data.**
4848
1. **Create Lookup Table** Click **Create Schema only**.
49-
1. The page displays a **Schema** section. (The screenshot below shows the schema settings for our example filled in.) <br/><img src={useBaseUrl('img/cse/schema.png')} alt="Schema settings" width="600"/>
49+
1. The page displays a **Schema** section. (The screenshot below shows the schema settings for our example filled in.) <br/><img src={useBaseUrl('img/cse/schema.png')} alt="Schema settings" style={{border: '1px solid gray'}} width="600"/>
5050
1. For the first column, enter:
5151
* **Fields**. Enter *mail*.
5252
* **Value Type**. Leave the default, *string*, selected.
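
Review bot: the same inline `style={{border: '1px solid gray'}}` is repeated on every `<img>` in this file (and in the later hunks); a shared CSS class for bordered screenshots would keep the MDX shorter and let the border be changed in one place. Two unchanged context lines could be tidied in the same pass: "**Set a TTL (Time to Live) for table entries**? Click **No**." puts the question mark outside the bold label, and "**Create Lookup Table** Click **Create Schema only**." is missing the period after the bold label that the other steps use.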
@@ -75,7 +75,7 @@ Where:
7575
* `_collector` identifies the collector where the Active Directory source runs. 
7676
* `PATH` is the path of the lookup table, in this format: `path://"/Library/Admin Recommended/userIdToUsername"` You can copy the path to the Lookup Table in the Sumo Logic Library. Hover over the row for the table in the Library, and select **Copy path to clipboard** from the three-dot kebab menu.
7777

78-
<img src={useBaseUrl('img/cse/tree-dot.png')} alt="Kebab menu button" width="600"/>
78+
<img src={useBaseUrl('img/cse/tree-dot.png')} alt="Kebab menu button" style={{border: '1px solid gray'}} width="600"/>
7979

8080
## Step 3: Save and schedule the search
8181

@@ -85,21 +85,21 @@ Be sure to choose “Email” as the **Alert type**. (*Don’t* select **Save to
8585

8686
To save and schedule the search:
8787

88-
1. In the log search tab where you’ve run your query, choose **Save as** from the three-dot kebab menu in the query area. <br/><img src={useBaseUrl('img/cse/save-as.png')} alt="Save as on dropdown list" width="600"/>
88+
1. In the log search tab where you’ve run your query, choose **Save as** from the three-dot kebab menu in the query area. <br/><img src={useBaseUrl('img/cse/save-as.png')} alt="Save as on dropdown list" style={{border: '1px solid gray'}} width="600"/>
8989
1. On the **Save Item** popup:
9090
* **Name**. Enter a name for the query.
9191
* **Time range**. Select a time range for the query.
9292
* **Search By**. Select *Receipt Time*.  
9393
* **Location to save to**. Choose a folder location.
94-
* Click **Schedule this search**. <br/><img src={useBaseUrl('img/cse/save-item.png')} alt="Save item dialog" width="400"/>
94+
* Click **Schedule this search**. <br/><img src={useBaseUrl('img/cse/save-item.png')} alt="Save item dialog" style={{border: '1px solid gray'}} width="400"/>
9595
1. On the **Save Item** popup:
9696
* **Run frequency**. Select *Daily*, unless you have another preference.
9797
* **Send Notification**. Choose *If the following condition is met*.
9898
* **Alert condition**. Select *Less than \<*.
9999
* **Alert type**. Select *Email*.
100100
* **Number of results**. Enter *5*, or another value if you prefer.
101101
* **Recipients.** Enter the email addresses of one or more users to receive email alerts.
102-
* **Include in email**. Select *Search Query* and *Histogram*, unless you have another preference. <br/><img src={useBaseUrl('img/cse/save-item-2.png')} alt="Save item dialog" width="400"/>
102+
* **Include in email**. Select *Search Query* and *Histogram*, unless you have another preference. <br/><img src={useBaseUrl('img/cse/save-item-2.png')} alt="Save item dialog" style={{border: '1px solid gray'}} width="400"/>
103103
1. Click **Save.**
104104

105105
## Step 4: Configure the Lookup Table in Cloud SIEM
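
Review bot: the step "On the **Save Item** popup:" appears twice in this hunk, once for the save settings and once for the schedule settings that follow "Click **Schedule this search**"; giving the second occurrence its own wording (for example "On the schedule settings of the **Save Item** popup:") would stop readers thinking the step is duplicated. The alt text "Save item dialog" is also reused for two different screenshots (save-item.png and save-item-2.png); make the second describe the schedule settings it shows.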

docs/cse/ingestion/ingestion-sources-for-cloud-siem/corelight-zeek.md

Lines changed: 0 additions & 5 deletions
@@ -11,11 +11,6 @@ This section has instructions for collecting Corelight Zeek log messages and sen
1111

1212
These instructions are for Corelight Zeek logs sent as JSON over syslog.
1313

14-
:::note
15-
The [Cloud SIEM Network Sensor](/docs/cse/sensors/network-sensor-deployment-guide/) also utilizes Zeek, so If you're using the sensor, using Corelight Zeek would be redundant.
16-
:::
17-
18-
1914
## Step 1: Configure collection
2015

2116
In this step, you configure a Syslog Source to collect Corelight Zeek log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to [Configure a Syslog Source](#configure-a-syslog-source) below. Otherwise, create a new collector as described in [Configure an Installed Collector](#configure-an-installed-collector) below, and then create the Syslog Source on the collector.
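
Review bot: removing the network-sensor note is consistent with the end-of-life announcement added elsewhere in this commit, but readers who relied on that note lose the pointer to what replaced it. Consider a one-line replacement linking to /docs/cse/sensors/network-sensor-end-of-life/ so the reason the sensor is no longer mentioned here stays discoverable.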
