
Commit dba5f10

jc-sumo and jpipkin1 authored
Create 2025-10-10-content.md (#5909)
* Create 2025-10-10-content.md
* Updates from review

Co-authored-by: John Pipkin <[email protected]>
1 parent b4df5cb commit dba5f10

1 file changed

+35
-0
lines changed

blog-cse/2025-10-10-content.md

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
---
2+
title: October 10, 2025 - Content Release
3+
image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
4+
keywords:
5+
- log mappers
6+
hide_table_of_contents: true
7+
---
8+
9+
This content release includes:
10+
- New and updated rules.
11+
- Updated Threat Intelligence rules with match lists which can be populated with exclusions to prevent the generation of undesired signals.
12+
- Mapping update.
13+
14+
Changes are enumerated below.
15+
16+
## Rules
17+
- [New] CHAIN-S00023 Administrative Remote Interactive Brute Force Login
18+
<br/>This rule correlates a high number of failed authentication attempts with a successful remote interactive login (such as via RDP) coming from the same source IP address and user account.
19+
- [New] CHAIN-S00024 RDP Brute Force Login Attempt
20+
<br/>This rule correlates a high number of failed authentication attempts with repeated inbound connections over port 3389 (the default RDP port).
21+
- [New] MATCH-S01056 Administrative Remote Interactive Login
22+
<br/>This rule triggers on a successful remote interactive login (such as via RDP) of a privileged user.
23+
- [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
24+
<br/>Updated to reduce false positive matches for certain parent-child process combinations.
25+
- [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
26+
- [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
27+
- [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
28+
- [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
29+
- [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
30+
- [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
31+
- [Updated] MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP
32+
33+
## Log Mappers
34+
- [Updated] Slack Anomaly Event
35+
<br/>Updated to include `threat_name` mapping for improved context in alerts.
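Review bot: The seven [Updated] Threat Intel entries (MATCH-S01024 through MATCH-S01018) have no per-rule `<br/>` description, unlike the other [Updated] entries in this file, so a reader cannot tell from the Rules section which match list each rule now consults or what to populate it with. The intro bullet says "Updated Threat Intelligence rules with match lists which can be populated with exclusions", so each entry should carry the same detail, e.g. `<br/>Updated to reference a match list that can be populated with exclusions to suppress undesired signals.`, ideally naming the match list. Two smaller points: the intro bullet "- Mapping update." is vaguer than the section it summarizes (consider "- Log mapper update (Slack Anomaly Event)."), and the front-matter `keywords:` lists only `log mappers` even though the bulk of the release is rules, so adding `rules` would keep the page discoverable alongside the other content releases.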
