From e995205d2ac90fa1780a9d2af3471040c9ca364f Mon Sep 17 00:00:00 2001 
From: John Pipkin Date: Thu, 2 Jan 2025 15:56:15 -0600 Subject: [PATCH 1/5] Archive 2024 Cloud SOAR release notes --- blog-csoar/2024-01-03-application-update.md | 35 -- blog-csoar/2024-01-08-content.md | 44 -- blog-csoar/2024-01-25-content.md | 41 -- blog-csoar/2024-01-30-application-update.md | 39 -- blog-csoar/2024-02-06-application-update.md | 27 - blog-csoar/2024-02-19-application-update.md | 35 -- blog-csoar/2024-02-27-content.md | 67 --- blog-csoar/2024-03-12-application-update.md | 29 - blog-csoar/2024-03-12-content.md | 66 --- blog-csoar/2024-03-21-content.md | 30 - blog-csoar/2024-03-26-application-update.md | 28 - blog-csoar/2024-04-09-application-update.md | 30 - blog-csoar/2024-04-18-content.md | 73 --- blog-csoar/2024-04-23-application-update.md | 30 - blog-csoar/2024-06-05-application-update.md | 38 -- blog-csoar/2024-06-05-content.md | 41 -- blog-csoar/2024-07-17-application-update.md | 27 - blog-csoar/2024-11-15-application-update.md | 39 -- blog-csoar/2024-11-20-content.md | 46 -- blog-csoar/2024-12-31-application-update.md | 20 - blog-csoar/2024/12-31.md | 605 ++++++++++++++++++++ 21 files changed, 605 insertions(+), 785 deletions(-) delete mode 100644 blog-csoar/2024-01-03-application-update.md delete mode 100644 blog-csoar/2024-01-08-content.md delete mode 100644 blog-csoar/2024-01-25-content.md delete mode 100644 blog-csoar/2024-01-30-application-update.md delete mode 100644 blog-csoar/2024-02-06-application-update.md delete mode 100644 blog-csoar/2024-02-19-application-update.md delete mode 100644 blog-csoar/2024-02-27-content.md delete mode 100644 blog-csoar/2024-03-12-application-update.md delete mode 100644 blog-csoar/2024-03-12-content.md delete mode 100644 blog-csoar/2024-03-21-content.md delete mode 100644 blog-csoar/2024-03-26-application-update.md delete mode 100644 blog-csoar/2024-04-09-application-update.md delete mode 100644 blog-csoar/2024-04-18-content.md delete mode 100644 blog-csoar/2024-04-23-application-update.md delete mode 
100644 blog-csoar/2024-06-05-application-update.md delete mode 100644 blog-csoar/2024-06-05-content.md delete mode 100644 blog-csoar/2024-07-17-application-update.md delete mode 100644 blog-csoar/2024-11-15-application-update.md delete mode 100644 blog-csoar/2024-11-20-content.md delete mode 100644 blog-csoar/2024-12-31-application-update.md create mode 100644 blog-csoar/2024/12-31.md diff --git a/blog-csoar/2024-01-03-application-update.md b/blog-csoar/2024-01-03-application-update.md deleted file mode 100644 index b31a7bb9c9..0000000000 --- a/blog-csoar/2024-01-03-application-update.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -title: January 03, 2024 - Application Update -hide_table_of_contents: true -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Playbooks: UserChoice nodes can be handled now from Slack workspace (see [documentation](/docs/cloud-soar/automation#configure-slack-for-cloud-soar)). - -#### Cloud SOAR -* New privilege "Api Admin": Enabling this privilege in Log Analytics Platform will allow user to handle incident operations without being involved directly as investigator. - -### Bug fixes -* Fixed black screen when opening a Cloud SOAR or Automation Service URL with invalid session. -* Playbooks: - * Fixed: Parameters not being passed to nested playbooks. - * Fixed: Configuration loss after being installed from App Central. - * Placeholder TextArea with `<` and `>` that were converted in "spaces" in HTML. - -#### Cloud SOAR -* Groups: Fixed member removal that could result in broken requests. -* Playbooks: - * TextArea fixed placeholder view for Artifacts fields. - * Incident ID placeholder available in node configuration. - -#### Automation Service -* Playbooks: Start node parameters fixed by using a “.” or a "space" in parameter names that were converted into `_`. 
diff --git a/blog-csoar/2024-01-08-content.md b/blog-csoar/2024-01-08-content.md deleted file mode 100644 index a3f16ddc98..0000000000 --- a/blog-csoar/2024-01-08-content.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: January 8, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -This release introduces two new integrations, **ipdata** and **Google Alert Center**, as well as several updates. - -### Integrations - -* [New] ipdata -* [New] Google Alert Center -* [Updated] PowerShell Tools - * Updated the integration to address hostname resolution in Docker -* [Updated] Panda EDR - * Fixed Token Issue -* [Updated] IPinfo - * Enabled Incident Artifacts for IP Address field -* [Updated] CSE Tools - * Extended output mapping for Get Signal action -* [Updated] Sumo Logic - * Updated Search Sumo Logic Action -* [Updated] Have I Been Pwned - * Added new action: Get Latest Breach -* [Updated] Sumo Logic CSE - * Added new Action: Create Insight From Signals - * Updated Add Enrichment Insight, Add Enrichment Entity, and Add Enrichment Signal actions -* [Updated] Incident Tools - * Added new action: Get Incident -* [Updated] Lacework - * Added new action: Close Alert -* [Updated] Active Directory V2 - * Updated action: User Attributes -* [Updated] Active Directory - * Updated action: User Attributes V2 diff --git a/blog-csoar/2024-01-25-content.md b/blog-csoar/2024-01-25-content.md deleted file mode 100644 index e7d779cf8b..0000000000 --- a/blog-csoar/2024-01-25-content.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: January 25, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -This release introduces new integrations, as well as new Playbooks related to Cloud Infrastructure Security for AWS. - -### Integrations - -* [New] Axonius -* [New] OneTrust -* [New] AWS Network Firewall -* [Updated] Azure AD - * Added New Action: Get Member Groups -* [Updated] AWS IAM - * Added New Action: Update Access Key -* [Updated] Slack - * Updated action: Ask Question -* [Updated] AWS EC2 - * Updated action: Stop Instance -* [Updated] Atlassian Jira* - * Several changes have been made. This update introduces BREAKING CHANGES: both the Output Mapping and Input fields have been revised and updated. This version is specific to Jira Server and Data Center. - -* These integrations have been migrated and are now available in this release. - -### Playbooks - -* [New] 540 - EC2 instance accessed from malicious IP -* [New] 539 - Amazon GuardDuty InstanceCredentialExfiltration finding -* [New] 538 - Admin Privileges Granted -* [New] 537 - Amazon GuardDuty BruteForce finding diff --git a/blog-csoar/2024-01-30-application-update.md b/blog-csoar/2024-01-30-application-update.md deleted file mode 100644 index 04e5dfc186..0000000000 --- a/blog-csoar/2024-01-30-application-update.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: January 30, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Added public help document for supported integrations. See [Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/). -* Integrations: Added possibility to rename an integration keeping original reference in YAML. -* Playbooks: - * List view set as default. View changes are saved in user preferences. - * Deprecated Nested attribute. - * Added possibility to dynamically reference a resource in actions. -* Automation now tracks failed actions executions. - -#### Cloud SOAR -* Playbooks: Fixed insight execution for nested playbooks with more than 2 nesting levels. -* Rules: Added ability to change the Daemon Name or Integration Resource within an existing automation rule. - -### Bug fixes -* Email encoding a character to UTF8 for literal string fixed. -* Playbooks: - * Unable to use variable fields with quotes in text area fixed. - * Fixed playbook inputs not visible in TextArea placeholder. - * Resolved scheduled action execution issue with playbook status. - -#### Cloud SOAR -* Incidents: - * Fixed war room export for updated tasks. - * Fixed possibility to copy table contents in Notes description field. - * Incident creation: Fixed infinite spinner in Automation tab. diff --git a/blog-csoar/2024-02-06-application-update.md b/blog-csoar/2024-02-06-application-update.md deleted file mode 100644 index 84d3697d0c..0000000000 --- a/blog-csoar/2024-02-06-application-update.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: February 6, 2024 - Application Update -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### New Documentation for the Cloud SOAR SaaS version​ - -We are excited to announce the following new documentation for features in our Cloud SOAR SaaS version: -* Features: - * [Dashboards](/docs/cloud-soar/incidents-triage/#create-a-dashboard) - * [Create widgets for dashboards](/docs/cloud-soar/incidents-triage/#create-widgets) - * Directly manage User Choice actions within the playbooks from your [Slack workspace](/docs/cloud-soar/automation/#configure-slack-for-cloud-soar). - * Open Integration Framework: - * [Integration Builder](/docs/platform-services/automation-service/automation-service-integrations/#create-a-new-integration) allows you to build integrations without needing to provide code - * Integrations, and related action execution, can be done [in the cloud or through the Bridge](/docs/platform-services/automation-service/automation-service-integrations/#cloud-or-bridge-execution). Only certified integrations can be executed in the cloud. - * Certified integrations allow you to customize JSON and table output schema - * Actions configuration during playbook design is rearranged for easier use -* Architecture: - * Fully-functional in the Cloud (the Bridge is only required for custom integrations) - * User and profile management is in Sumo Logic core platform instead of Cloud SOAR - * Automatic scalability based on server load - * [Cloud SOAR APIs](/docs/api/cloud-soar/) are standardized to use the same infrastructure as APIs in the Sumo Logic core platform diff --git a/blog-csoar/2024-02-19-application-update.md b/blog-csoar/2024-02-19-application-update.md deleted file mode 100644 index 72a1ff74a9..0000000000 --- a/blog-csoar/2024-02-19-application-update.md +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -title: February 19, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Playbooks: - * Enabled [playbook testing](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook). With this improvement it is now possible to test a playbook configuration before publishing it, using Insight, Incident or custom JSON as input. - * Action configuration: Integration fields configuration now suggests default values, if present. - * UserChoice, answer by Email: Fixed Authorizer usage from previous nodes. -* AppCentral: Within the Integrations section, each integration card now contains a hyperlink to the related public documentation page [Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/). -* Integrations: It is now possible to send custom commands when an integration docker image is created. This feature is available for Not Certified integration only. - -#### Cloud SOAR -* Enabled a new reporting feature for case management and dashboards. - -### Bug fixes -* Integrations: - * Fixed Resource test issue. -* AppCentral: Fixed playbook preview when maximized view is used. - -#### Cloud SOAR -* Rules: Fixed scheduled execution. -* Tasks: Fixed creation if a required field is dismissed. -* Incidents: Fixed full screen view buttons for widgets. -* Notes: Fixed CSV export. diff --git a/blog-csoar/2024-02-27-content.md b/blog-csoar/2024-02-27-content.md deleted file mode 100644 index 07d3c05cf4..0000000000 --- a/blog-csoar/2024-02-27-content.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -title: February 27, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release contains several updates, including the introduction of new actions and the resolution of some issues. - -### Integrations - -* [Updated] Lacework - * New actions - * Get Alert Details - * Search Alerts - * Fixed endpoint in Close Alert action -* [Updated] Darktrace - * Resolved bug related to integration resource -* [Updated] IP Quality Score - * New actions - * Email Reputation - * URL Reputation - * Renamed action from "Get Credit Usage API" to "Get Credit Usage" - * Refined labels and hints - * Extended output mapping with examples -* [Updated] OneTrust - * New action: Create Organization -* [Updated] Sumo Logic CSE - * Fixed issue in the "Add Comment To Insight" action where line breaks in the "Insight Comment" field were removed upon submission -* [Updated] AWS IAM - * New action: Get Access Key Last Used - * Fixed bug in some actions -* [Updated] Incident Tools - * Fixed Typo -* [Updated] Atlassian Jira - * Enhanced "Create Issue" and "Update Issue" actions to support Jira custom fields -* [Updated] Screenshot Machine - * Screenshot Webpage Action: Updated with new Cloud SOAR API -* [Updated] Chronicle - * New actions: - * Get Event - * Get Events - * Get Log - * List Alerts - * UDM Search - * Fixed a bug related to the PageSize field in the List Alerts action - * Updated Alerts Daemon Chronicle - * Fixed a bug related to Last execution time - * Updated Output mappings -* [Updated] Zscaler - * Fixed an issue that prevented some actions from being executed -* [Updated] Mail Tools - * Updated Analyze MSG EML action with new Cloud SOAR API -* [Updated] Recorded Future - * Refactored Recorded Future Alerts Daemon - * Refactored Vulnerability Search Daemon - * Enabled Incident 
Artifacts feature flag for Get Alert Details action -* [Updated] GreyNoise - * New action: Context IP Lookup Community - * Other minor fixes diff --git a/blog-csoar/2024-03-12-application-update.md b/blog-csoar/2024-03-12-application-update.md deleted file mode 100644 index 0db59ed8d0..0000000000 --- a/blog-csoar/2024-03-12-application-update.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: March 12, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Python version updated. If you experience any issues, refer to our [content release note](/release-notes-csoar/2024/03/12/content/). - -#### Cloud SOAR -* Playbooks: Test feature now permits you to use internal Incident ID. - -### Bug fixes -* Playbooks: - * Fixed test playbook broken functionality. - * Fixed scheduled actions issue. -* Integrations: Fixed Docker Image build issue that resulted in an internal error. - -#### Cloud SOAR -* Incidents: Fixed column reordering causing the table to disappear. -* Triage: Fixed possibility to execute the same playbook more than two times. diff --git a/blog-csoar/2024-03-12-content.md b/blog-csoar/2024-03-12-content.md deleted file mode 100644 index e21b340dbb..0000000000 --- a/blog-csoar/2024-03-12-content.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: March 12, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -Our Cloud SOAR [application update](/release-notes-csoar/2024/03/12/application-update/) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards. - -The Python upgrade impacts a total of 38 integrations. These integrations will require updates to ensure compatibility with the new Python version. - -Please be aware that with this update, the output from certain actions may no longer be displayed as expected if they were customized in your current setup. This is an important consideration for your workflows, and we recommend reviewing any customizations you have in place. - -To facilitate a smooth transition, we have prepared a straightforward guide to assist you in updating your integrations. This guide outlines the steps you need to take to ensure your integrations work seamlessly with Python 3.12. Click here for the "Updating App Central Integrations" guide. - -Below is the full list of integrations that will be affected by the Python upgrade. Please review this list to determine which integrations in your environment will require attention. 
- -### Integrations - -* [Updated] AWS Security Hub -* [Updated] AlienVault USM Anywhere -* [Updated] Arbor -* [Updated] Arcsight ESM -* [Updated] Chronicle -* [Updated] Coralogix - Send Logs -* [Updated] Cortex XDR -* [Updated] CrowdStrike Falcon -* [Updated] CrowdStrike Falcon Intelligence -* [Updated] CylanceProtect -* [Updated] DarkOwl -* [Updated] Darktrace -* [Updated] Devo -* [Updated] Elastic Security -* [Updated] FortiAnalyzer -* [Updated] IMAP -* [Updated] Incident Tools -* [Updated] KnowBe4 PhishER -* [Updated] LogRhythm -* [Updated] MISP -* [Updated] Microsoft 365 Defender -* [Updated] Microsoft EWS -* [Updated] Microsoft EWS Daemon -* [Updated] Microsoft Teams -* [Updated] Mimecast -* [Updated] Netskope -* [Updated] ProtectOnce -* [Updated] RSA NetWitness -* [Updated] Recorded Future -* [Updated] SentinelOne -* [Updated] Sophos Central V3 -* [Updated] Sumo Logic -* [Updated] Sumo Logic CSE -* [Updated] Sumo Logic Notifications -* [Updated] VMware Carbon Black Cloud Endpoint Standard V2 -* [Updated] VMware Carbon Black Cloud Platform -* [Updated] VirusTotal -* [Updated] WithSecure Elements - -We strongly encourage all users to review the provided documentation and prepare for the upcoming changes. Our support team is available to assist with any questions or concerns regarding this release. diff --git a/blog-csoar/2024-03-21-content.md b/blog-csoar/2024-03-21-content.md deleted file mode 100644 index 6ee43f5236..0000000000 --- a/blog-csoar/2024-03-21-content.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: March 21, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release introduces three new integrations, as well as several updates. - -### Integrations - -* [New] [AWS Private Certificate Authority](/docs/platform-services/automation-service/app-central/integrations/aws-private-certificate-authority/) -* [New] [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip/) -* [New] [Datto RMM](/docs/platform-services/automation-service/app-central/integrations/datto-rmm/) -* [Updated] [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam/) -* [Updated] [Joe Sandbox](/docs/platform-services/automation-service/app-central/integrations/joe-sandbox/)* -* [Updated] [Malwarebytes Nebula](/docs/platform-services/automation-service/app-central/integrations/malwarebytes-nebula/) -* [Updated] [OneLogin](/docs/platform-services/automation-service/app-central/integrations/onelogin/) -* [Updated] [SMTP V3](/docs/platform-services/automation-service/app-central/integrations/smtp-v3/) -* [Updated] [Zendesk](/docs/platform-services/automation-service/app-central/integrations/zendesk/) -* [Updated] [Zscaler](/docs/platform-services/automation-service/app-central/integrations/zscaler/) - -* These integrations have been migrated and are now available in this release. diff --git a/blog-csoar/2024-03-26-application-update.md b/blog-csoar/2024-03-26-application-update.md deleted file mode 100644 index af14513eb9..0000000000 --- a/blog-csoar/2024-03-26-application-update.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: March 26, 2024 - Application Update -keywords: - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Bug fixes -* Playbooks: - * Fixed execution with cartesian product disabled. - * Fixed condition node not working as expected when evaluating value `0 == any string`. -* Fixed date-time format settings. - -#### Cloud SOAR -* Triage: Fixed playbook graph view errors. -* Incidents: - * Fixed incidents navigation button disabled when inside an incident. - * Fixed modal to add user as investigator that returned an error. - * Fixed fields with '0' value displayed as empty in GUI. - * Fixed issue related to 'Prohibit duplicate naming' that was not enforced properly in case of incidents created from automation rule. - * Fixed duplicate incidents issue when created from webhooks (LAP scheduled search). - * Fixed incidents list with empty rows. diff --git a/blog-csoar/2024-04-09-application-update.md b/blog-csoar/2024-04-09-application-update.md deleted file mode 100644 index 5e20cc8153..0000000000 --- a/blog-csoar/2024-04-09-application-update.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: April 9, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Text area editor: HTML mode is disabled by default. -* Automation: In playbook list view now results are loaded after the user opens each action card. - -### Bug fixes -* App Central: Now when an integration is updated, user custom YAML output is automatically handled by the system and merged during the update process. -* Automation: Users can now contact Sumo support asking from which public IPs automations will be generated. -* Playbooks: - * Fixed playbook saving action that caused playbooks to be empty. - * Fixed issue related to multiple manual action execution in the same playbook. - * Fixed import issue. - -#### Cloud SOAR -* Entities: Fixed issue when creating new entity of type FILE. -* Rules: Now it is not possible to create two rules with the same name. -* Incidents: Fixed issue related to incident privileges. diff --git a/blog-csoar/2024-04-18-content.md b/blog-csoar/2024-04-18-content.md deleted file mode 100644 index fd15a516de..0000000000 --- a/blog-csoar/2024-04-18-content.md +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -title: April 18, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release introduces two new integrations and several updates to integrations and related playbooks. - -### Integrations - -* [New] [Atlassian Opsgenie](/docs/platform-services/automation-service/app-central/integrations/atlassian-opsgenie/) -* [New] [Druva](/docs/platform-services/automation-service/app-central/integrations/druva/) -* [Updated] [Atlassian Jira](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira/) -* [Updated] [Basic Tools](/docs/platform-services/automation-service/app-central/integrations/basic-tools/) -* [Updated] [Microsoft EWS Daemon](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews-daemon/) -* [Updated] [ServiceNow V2](/docs/platform-services/automation-service/app-central/integrations/servicenow-v2/) -* [Updated] [Slack](/docs/platform-services/automation-service/app-central/integrations/slack/) -* [Updated] [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/) -* [Updated] [Sumo Logic Cloud SIEM Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem-internal/) -* [Updated] [Sumo Logic Log Analytics](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics/) -* [Updated] [Sumo Logic Log Analytics Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics-internal/) -* [Updated] [VirusTotal](/docs/platform-services/automation-service/app-central/integrations/virustotal/) - -### Playbooks - -* [Updated] 501 - Send Insight AWS SNS Notification -* [Updated] 502 - Send Insight Email Notification -* [Updated] 503 - Enrich Entity 
with CrowdStrike Falcon Intelligence -* [Updated] 504 - Enrich Entity with DomainTools -* [Updated] 505 - Enrich IP with Geolocation from MaxMind -* [Updated] 506 - Recommend Insight Response -* [Updated] 507 - Create PagerDuty Incident for Insight -* [Updated] 508 - Enrich Entity with PowerShell GreyNoise -* [Updated] 509 - Enrich Entity with PowerShell SentinelOne -* [Updated] 510 - Enrich Entity with PowerShell User Query -* [Updated] 511 - Enrich Entity with PowerShell CrowdStrike -* [Updated] 512 - Enrich Entity with PowerShell CarbonBlack -* [Updated] 513 - Enrich Entity with PowerShell Whois -* [Updated] 514 - Enrich Entity with PowerShell nslookup -* [Updated] 515 - Enrich Entity with Recorded Future -* [Updated] 516 - Enrich Hash with SentinelOne -* [Updated] 517 - Create ServiceNow Ticket for Insight -* [Updated] 518 - Update ServiceNow Ticket for Insight -* [Updated] 519 - Send Insight Slack Notification -* [Updated] 520 - Enrich Entity with Log Search -* [Updated] 521 - Update Match List -* [Updated] 522 - Create Jira Issue for Insight -* [Updated] 523 - Update Jira Issue for Insight -* [Updated] 524 - Enrich IP Address with GreyNoise -* [Updated] 525 - Enrich Entity with Jamf -* [Updated] 526 - Send Insight Teams Notification -* [Updated] 527 - Enrich Entity with VirusTotal -* [Updated] 528 - Create ZenDesk Ticket for Insight -* [Updated] 529 - Update ZenDesk Ticket for Insight -* [Updated] 530 - Get Mitre Mitigations for Insight -* [Updated] 531 - Example Insight full Enrichment -* [Updated] 532 - Example Entity full Enrichment -* [Updated] 533 - Example Involved Entities full Enrichment -* [Updated] 534 - Enrich Entity with AlienVault OTX -* [Updated] 535 - Application Latency Playbook -* [Updated] 536 - Unresolved Alert Notification -* [Updated] 537 - Amazon GuardDuty BruteForce finding -* [Updated] 538 - Admin Privileges Granted -* [Updated] 539 - Amazon GuardDuty InstanceCredentialExfiltration finding -* [Updated] 540 - EC2 instance accessed from 
malicious IP diff --git a/blog-csoar/2024-04-23-application-update.md b/blog-csoar/2024-04-23-application-update.md deleted file mode 100644 index 681389d51b..0000000000 --- a/blog-csoar/2024-04-23-application-update.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: April 23, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Integrations: Basic Tools added CC in Send Mail Action. - -### Bug fixes -* Integrations: - * Fixed resource testing. - * Fixed internal integration update process. - * Fixed output fields containing a value of numerical "0" logged blanks instead of the actual number. -* Playbooks: - * Fixed playbook condition logic with AND, OR operators. - * Fixed textarea and regex parsing when HTML tags are enabled. - * Fixed issue related to multiple playbook revisions and user choice execution. - -#### Cloud SOAR -* Incident: Fixed issue with war room large content loading. -* API documentation updated. diff --git a/blog-csoar/2024-06-05-application-update.md b/blog-csoar/2024-06-05-application-update.md deleted file mode 100644 index f74911003c..0000000000 --- a/blog-csoar/2024-06-05-application-update.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: June 5, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -#### Cloud SOAR -* Incident list: Restored all bulk operations for select all option. - -### Bug fixes -* Playbooks: - * Fixed start node configuration issue. - * Fixed Input values not displayed correctly in Condition node. - * Fixed issue related to send email action when cc field is not populated. - * Fixed issue related to "Playbooks suddenly failing because of missing parameters". - * Fixed issue with unsupported special characters. -* Integrations: - * Fixed issue related to Internal Integration and output edit. - * Fixed issue related to Join and unique operator. -* Entities: Fixed table loading issue. -* Fixed issue related to trigger action, when APIs are involved. - -#### Cloud SOAR -* SecOps: Fixed issue when filtering cards with large number of Incidents or Triage events. -* Incidents: - * Fixed closing note permission. - * Fixed issue with old SOAR Incidents not loading. - * Fixed issue related to mandatory Incident closing note. -* Fixed issue with Trigger action Incident Close. diff --git a/blog-csoar/2024-06-05-content.md b/blog-csoar/2024-06-05-content.md deleted file mode 100644 index 5e790a4f98..0000000000 --- a/blog-csoar/2024-06-05-content.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: June 5, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release introduces new integrations, new playbooks, and several updates. - -### Integrations - -* [New] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf) -* [New] [AWS EKS](/docs/platform-services/automation-service/app-central/integrations/aws-eks) -* [New] [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint) -* [Updated] [Okta](/docs/platform-services/automation-service/app-central/integrations/okta) -* [Updated] [Lacework](/docs/platform-services/automation-service/app-central/integrations/lacework) -* [Updated] [Microsoft EWS Daemon](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews-daemon) -* [Updated] [GreyNoise](/docs/platform-services/automation-service/app-central/integrations/greynoise) -* [Updated] [Chronicle](/docs/platform-services/automation-service/app-central/integrations/chronicle) -* [Updated] [Atlassian Jira V2](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-v2) -* [Updated] [AbuseIPDB](/docs/platform-services/automation-service/app-central/integrations/abuseipdb) -* [Updated] [Palo Alto Networks NGFW](/docs/platform-services/automation-service/app-central/integrations/palo-alto-networks-ngfw) -* [Updated] [Palo Alto Networks Panorama V2](/docs/platform-services/automation-service/app-central/integrations/palo-alto-networks-panorama-v2) -* [Updated] [ServiceNow V2](/docs/platform-services/automation-service/app-central/integrations/servicenow-v2) -* [Updated] [Incident Tools](/docs/platform-services/automation-service/app-central/integrations/incident-tools) - -### Playbooks - -* [New] 541 - Management of AWS EKS Insights -* [New] 542 - 
Resolution of AWS EKS Insights -* [New] 543 - Alert and Vulnerability detection with Sysdig Secure -* [New] 544 - Vulnerability Alert processing with Sysdig Secure -* [New] 545 - Resolution of Sysdig Alerts -* [New] 546 - Resolution of Sysdig Alerts - AWS EKS and AWS Nodes diff --git a/blog-csoar/2024-07-17-application-update.md b/blog-csoar/2024-07-17-application-update.md deleted file mode 100644 index f5cee42a68..0000000000 --- a/blog-csoar/2024-07-17-application-update.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: July 17, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements -* Automation Audit: Logs now contain information about action and section detail (for playbooks, rules, observables, triage, incidents, and so on). -* Playbooks: Added option “Split By” for Filter node. - -#### Cloud SOAR -* Playbooks: - * Added option to hide trigger action modal. - * Added option to remove additional information from the Slack message in User Choice node. - -### Bug fixes -* Playbooks: - * Fixed send mail action error with Unicode characters. - * Fixed export. diff --git a/blog-csoar/2024-11-15-application-update.md b/blog-csoar/2024-11-15-application-update.md deleted file mode 100644 index 4c273b948e..0000000000 --- a/blog-csoar/2024-11-15-application-update.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: November 15, 2024 - Application Update -keywords: - - sumo logic - - cloud soar - - automation service -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Changes and Enhancements - -#### Platform - -* Playbooks - * Improvement - Disabled Cartesian Product flag on all new nodes by default. - -#### Automation Bridge - -We are happy to announce a beta version of the [Automation Bridge](/docs/platform-services/automation-service/automation-service-bridge/) that includes the following: -* Support for new CentOS version - * The CentOS docker image version has been upgraded from CentOS 7 to CentOS 8. -* Security fixes - -### Bug Fixes - -* Playbooks - * Fixed Playbook nodes rendering issue on Safari browser. - * Fixed issue related to use of underscore within playbooks input fields. - * Fixed issue with using authorizer value from playbook input variables in user choice node. -* Integrations - * Resolved an issue where the 'Close Insight' trigger action was not functioning as expected. -* Incidents - * Improved Incident templates page load time. - * Fixed issues while trying to update Incident templates. \ No newline at end of file diff --git a/blog-csoar/2024-11-20-content.md b/blog-csoar/2024-11-20-content.md deleted file mode 100644 index cf718b82ae..0000000000 --- a/blog-csoar/2024-11-20-content.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: November 20, 2024 - Content Release -hide_table_of_contents: true -image: https://help.sumologic.com/img/sumo-square.png -keywords: - - automation service - - cloud soar - - soar ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release introduces new integrations, new playbooks, and several updates. - -### Integrations - -* [New] [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat) -* [New] [Malwarebytes Oneview](/docs/platform-services/automation-service/app-central/integrations/malwarebytes-oneview) -* [New] [Silent Push](/docs/platform-services/automation-service/app-central/integrations/silent-push) -* [New] [Sumo Logic Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools) -* [New] [VirusTotal V3](/docs/platform-services/automation-service/app-central/integrations/virustotal-v3) -* [Updated] [APIVoid](/docs/platform-services/automation-service/app-central/integrations/apivoid) -* [Updated] [Atlassian Jira V2](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-v2) -* [Updated] [Atlassian Opsgenie](/docs/platform-services/automation-service/app-central/integrations/atlassian-opsgenie) -* [Updated] [AWS EC2](/docs/platform-services/automation-service/app-central/integrations/aws-ec2) -* [Updated] [AWS EKS](/docs/platform-services/automation-service/app-central/integrations/aws-eks) -* [Updated] [Azure AD](/docs/platform-services/automation-service/app-central/integrations/azure-ad) -* [Updated] [Cloudflare](/docs/platform-services/automation-service/app-central/integrations/cloudflare) -* [Updated] [ConnectWise Manage](/docs/platform-services/automation-service/app-central/integrations/connectwise-manage) -* [Updated] [Cortex XDR](/docs/platform-services/automation-service/app-central/integrations/cortex-xdr) -* [Updated] [CrowdStrike 
Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon) -* [Updated] [Freshservice](/docs/platform-services/automation-service/app-central/integrations/freshservice) -* [Updated] [Gmail](/docs/platform-services/automation-service/app-central/integrations/gmail) -* [Updated] [HTTP Tools](/docs/platform-services/automation-service/app-central/integrations/http-tools) -* [Updated] [IBM X-Force Exchange](/docs/platform-services/automation-service/app-central/integrations/ibm-x-force-exchange) -* [Updated] [Microsoft EWS](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews) -* [Updated] [Microsoft OneDrive](/docs/platform-services/automation-service/app-central/integrations/microsoft-onedrive) -* [Updated] [Microsoft Sentinel](/docs/platform-services/automation-service/app-central/integrations/microsoft-sentinel) -* [Updated] [Netskope V2](/docs/platform-services/automation-service/app-central/integrations/netskope-v2) -* [Updated] [Slack](/docs/platform-services/automation-service/app-central/integrations/slack) -* [Updated] [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem) -* [Updated] [Sumo Logic Notifications by Gmail](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-gmail) -* [Updated] [URLScan.io](/docs/platform-services/automation-service/app-central/integrations/urlscan.io) -* [Updated] [VirusTotal](/docs/platform-services/automation-service/app-central/integrations/virustotal) diff --git a/blog-csoar/2024-12-31-application-update.md b/blog-csoar/2024-12-31-application-update.md deleted file mode 100644 index 1cb0ce5413..0000000000 --- a/blog-csoar/2024-12-31-application-update.md +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -title: December 31, 2024 - Application Update -keywords: - - sumo logic - - cloud soar -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -### Sumo Logic On-Premises SOAR Solution End-of-Life - -Effective today, **December 31, 2024**, Sumo Logic’s on-premises SOAR solution has reached end-of-life and is obsolete. Beginning today, it no longer receives applicable support entitled by active support contracts or by applicable warranty terms and conditions. - -We [previously announced](/release-notes-csoar/2023/12/31/#november-1-2023---application-update) that as of November 15, 2023, Sumo Logic's on-premises SOAR solution no longer received updates, and Sumo Logic Engineering no longer developed, repaired, maintained, or tested the software as of that date. - -To upgrade to Sumo Logic’s [Cloud SOAR](https://help.sumologic.com/docs/cloud-soar/) offering, reach out to your Sumo Logic representative. \ No newline at end of file diff --git a/blog-csoar/2024/12-31.md b/blog-csoar/2024/12-31.md new file mode 100644 index 0000000000..6a910c4990 --- /dev/null +++ b/blog-csoar/2024/12-31.md 
@@ -0,0 +1,605 @@ +--- +title: 2024 Archive +keywords: + - sumo logic + - cloud soar + - automation service + - csoar +image: https://help.sumologic.com/img/sumo-square.png +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +This is an archive of 2024 Cloud SOAR Release Notes. To view the full archive, [click here](/release-notes-csoar/archive). + +--- +### December 31, 2024 - Application Update + +#### Sumo Logic On-Premises SOAR Solution End-of-Life + +Effective today, **December 31, 2024**, Sumo Logic’s on-premises SOAR solution has reached end-of-life and is obsolete. Beginning today, it no longer receives applicable support entitled by active support contracts or by applicable warranty terms and conditions. + +We [previously announced](/release-notes-csoar/2023/12/31/#november-1-2023---application-update) that as of November 15, 2023, Sumo Logic's on-premises SOAR solution no longer received updates, and Sumo Logic Engineering no longer developed, repaired, maintained, or tested the software as of that date. + +To upgrade to Sumo Logic’s [Cloud SOAR](https://help.sumologic.com/docs/cloud-soar/) offering, reach out to your Sumo Logic representative. + +--- +### November 20, 2024 - Content Release + +This release introduces new integrations, new playbooks, and several updates. 
+ +#### Integrations + +* [New] [Google Chat](/docs/platform-services/automation-service/app-central/integrations/google-chat) +* [New] [Malwarebytes Oneview](/docs/platform-services/automation-service/app-central/integrations/malwarebytes-oneview) +* [New] [Silent Push](/docs/platform-services/automation-service/app-central/integrations/silent-push) +* [New] [Sumo Logic Automation Tools](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-automation-tools) +* [New] [VirusTotal V3](/docs/platform-services/automation-service/app-central/integrations/virustotal-v3) +* [Updated] [APIVoid](/docs/platform-services/automation-service/app-central/integrations/apivoid) +* [Updated] [Atlassian Jira V2](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-v2) +* [Updated] [Atlassian Opsgenie](/docs/platform-services/automation-service/app-central/integrations/atlassian-opsgenie) +* [Updated] [AWS EC2](/docs/platform-services/automation-service/app-central/integrations/aws-ec2) +* [Updated] [AWS EKS](/docs/platform-services/automation-service/app-central/integrations/aws-eks) +* [Updated] [Azure AD](/docs/platform-services/automation-service/app-central/integrations/azure-ad) +* [Updated] [Cloudflare](/docs/platform-services/automation-service/app-central/integrations/cloudflare) +* [Updated] [ConnectWise Manage](/docs/platform-services/automation-service/app-central/integrations/connectwise-manage) +* [Updated] [Cortex XDR](/docs/platform-services/automation-service/app-central/integrations/cortex-xdr) +* [Updated] [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon) +* [Updated] [Freshservice](/docs/platform-services/automation-service/app-central/integrations/freshservice) +* [Updated] [Gmail](/docs/platform-services/automation-service/app-central/integrations/gmail) +* [Updated] [HTTP 
Tools](/docs/platform-services/automation-service/app-central/integrations/http-tools) +* [Updated] [IBM X-Force Exchange](/docs/platform-services/automation-service/app-central/integrations/ibm-x-force-exchange) +* [Updated] [Microsoft EWS](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews) +* [Updated] [Microsoft OneDrive](/docs/platform-services/automation-service/app-central/integrations/microsoft-onedrive) +* [Updated] [Microsoft Sentinel](/docs/platform-services/automation-service/app-central/integrations/microsoft-sentinel) +* [Updated] [Netskope V2](/docs/platform-services/automation-service/app-central/integrations/netskope-v2) +* [Updated] [Slack](/docs/platform-services/automation-service/app-central/integrations/slack) +* [Updated] [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem) +* [Updated] [Sumo Logic Notifications by Gmail](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-notifications-by-gmail) +* [Updated] [URLScan.io](/docs/platform-services/automation-service/app-central/integrations/urlscan.io) +* [Updated] [VirusTotal](/docs/platform-services/automation-service/app-central/integrations/virustotal) + +--- +### November 15, 2024 - Application Update + +#### Changes and Enhancements + +##### Platform + +* Playbooks + * Improvement - Disabled Cartesian Product flag on all new nodes by default. + +##### Automation Bridge + +We are happy to announce a beta version of the [Automation Bridge](/docs/platform-services/automation-service/automation-service-bridge/) that includes the following: +* Support for new CentOS version + * The CentOS docker image version has been upgraded from CentOS 7 to CentOS 8. +* Security fixes + +#### Bug Fixes + +* Playbooks + * Fixed Playbook nodes rendering issue on Safari browser. + * Fixed issue related to use of underscore within playbooks input fields. 
+ * Fixed issue with using authorizer value from playbook input variables in user choice node. +* Integrations + * Resolved an issue where the 'Close Insight' trigger action was not functioning as expected. +* Incidents + * Improved Incident templates page load time. + * Fixed issues while trying to update Incident templates. + +--- +### July 17, 2024 - Application Update + +#### Changes and Enhancements +* Automation Audit: Logs now contain information about action and section detail (for playbooks, rules, observables, triage, incidents, and so on). +* Playbooks: Added option “Split By” for Filter node. + +##### Cloud SOAR +* Playbooks: + * Added option to hide trigger action modal. + * Added option to remove additional information from the Slack message in User Choice node. + +#### Bug fixes +* Playbooks: + * Fixed send mail action error with Unicode characters. + * Fixed export. + +--- +### June 5, 2024 - Content Release + +This release introduces new integrations, new playbooks, and several updates. 
+ +#### Integrations + +* [New] [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf) +* [New] [AWS EKS](/docs/platform-services/automation-service/app-central/integrations/aws-eks) +* [New] [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint) +* [Updated] [Okta](/docs/platform-services/automation-service/app-central/integrations/okta) +* [Updated] [Lacework](/docs/platform-services/automation-service/app-central/integrations/lacework) +* [Updated] [Microsoft EWS Daemon](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews-daemon) +* [Updated] [GreyNoise](/docs/platform-services/automation-service/app-central/integrations/greynoise) +* [Updated] [Chronicle](/docs/platform-services/automation-service/app-central/integrations/chronicle) +* [Updated] [Atlassian Jira V2](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira-v2) +* [Updated] [AbuseIPDB](/docs/platform-services/automation-service/app-central/integrations/abuseipdb) +* [Updated] [Palo Alto Networks NGFW](/docs/platform-services/automation-service/app-central/integrations/palo-alto-networks-ngfw) +* [Updated] [Palo Alto Networks Panorama V2](/docs/platform-services/automation-service/app-central/integrations/palo-alto-networks-panorama-v2) +* [Updated] [ServiceNow V2](/docs/platform-services/automation-service/app-central/integrations/servicenow-v2) +* [Updated] [Incident Tools](/docs/platform-services/automation-service/app-central/integrations/incident-tools) + +#### Playbooks + +* [New] 541 - Management of AWS EKS Insights +* [New] 542 - Resolution of AWS EKS Insights +* [New] 543 - Alert and Vulnerability detection with Sysdig Secure +* [New] 544 - Vulnerability Alert processing with Sysdig Secure +* [New] 545 - Resolution of Sysdig Alerts +* [New] 546 - Resolution of Sysdig Alerts - AWS EKS and AWS Nodes + +--- +### June 5, 2024 - Application Update + +#### Changes and 
Enhancements + +##### Cloud SOAR +* Incident list: Restored all bulk operations for select all option. + +#### Bug fixes +* Playbooks: + * Fixed start node configuration issue. + * Fixed Input values not displayed correctly in Condition node. + * Fixed issue related to send email action when cc field is not populated. + * Fixed issue related to "Playbooks suddenly failing because of missing parameters". + * Fixed issue with unsupported special characters. +* Integrations: + * Fixed issue related to Internal Integration and output edit. + * Fixed issue related to Join and unique operator. +* Entities: Fixed table loading issue. +* Fixed issue related to trigger action, when APIs are involved. + +##### Cloud SOAR +* SecOps: Fixed issue when filtering cards with large number of Incidents or Triage events. +* Incidents: + * Fixed closing note permission. + * Fixed issue with old SOAR Incidents not loading. + * Fixed issue related to mandatory Incident closing note. +* Fixed issue with Trigger action Incident Close. + +--- +### April 23, 2024 - Application Update + +#### Changes and Enhancements +* Integrations: Basic Tools added CC in Send Mail Action. + +#### Bug fixes +* Integrations: + * Fixed resource testing. + * Fixed internal integration update process. + * Fixed output fields containing a value of numerical "0" logged blanks instead of the actual number. +* Playbooks: + * Fixed playbook condition logic with AND, OR operators. + * Fixed textarea and regex parsing when HTML tags are enabled. + * Fixed issue related to multiple playbook revisions and user choice execution. + +##### Cloud SOAR +* Incident: Fixed issue with war room large content loading. +* API documentation updated. + +--- +### April 18, 2024 - Content Release + +This release introduces two new integrations and several updates to integrations and related playbooks. 
+ +#### Integrations + +* [New] [Atlassian Opsgenie](/docs/platform-services/automation-service/app-central/integrations/atlassian-opsgenie/) +* [New] [Druva](/docs/platform-services/automation-service/app-central/integrations/druva/) +* [Updated] [Atlassian Jira](/docs/platform-services/automation-service/app-central/integrations/atlassian-jira/) +* [Updated] [Basic Tools](/docs/platform-services/automation-service/app-central/integrations/basic-tools/) +* [Updated] [Microsoft EWS Daemon](/docs/platform-services/automation-service/app-central/integrations/microsoft-ews-daemon/) +* [Updated] [ServiceNow V2](/docs/platform-services/automation-service/app-central/integrations/servicenow-v2/) +* [Updated] [Slack](/docs/platform-services/automation-service/app-central/integrations/slack/) +* [Updated] [Sumo Logic Cloud SIEM](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem/) +* [Updated] [Sumo Logic Cloud SIEM Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-cloud-siem-internal/) +* [Updated] [Sumo Logic Log Analytics](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics/) +* [Updated] [Sumo Logic Log Analytics Internal](/docs/platform-services/automation-service/app-central/integrations/sumo-logic-log-analytics-internal/) +* [Updated] [VirusTotal](/docs/platform-services/automation-service/app-central/integrations/virustotal/) + +#### Playbooks + +* [Updated] 501 - Send Insight AWS SNS Notification +* [Updated] 502 - Send Insight Email Notification +* [Updated] 503 - Enrich Entity with CrowdStrike Falcon Intelligence +* [Updated] 504 - Enrich Entity with DomainTools +* [Updated] 505 - Enrich IP with Geolocation from MaxMind +* [Updated] 506 - Recommend Insight Response +* [Updated] 507 - Create PagerDuty Incident for Insight +* [Updated] 508 - Enrich Entity with PowerShell GreyNoise +* [Updated] 509 - Enrich Entity with PowerShell SentinelOne +* 
[Updated] 510 - Enrich Entity with PowerShell User Query +* [Updated] 511 - Enrich Entity with PowerShell CrowdStrike +* [Updated] 512 - Enrich Entity with PowerShell CarbonBlack +* [Updated] 513 - Enrich Entity with PowerShell Whois +* [Updated] 514 - Enrich Entity with PowerShell nslookup +* [Updated] 515 - Enrich Entity with Recorded Future +* [Updated] 516 - Enrich Hash with SentinelOne +* [Updated] 517 - Create ServiceNow Ticket for Insight +* [Updated] 518 - Update ServiceNow Ticket for Insight +* [Updated] 519 - Send Insight Slack Notification +* [Updated] 520 - Enrich Entity with Log Search +* [Updated] 521 - Update Match List +* [Updated] 522 - Create Jira Issue for Insight +* [Updated] 523 - Update Jira Issue for Insight +* [Updated] 524 - Enrich IP Address with GreyNoise +* [Updated] 525 - Enrich Entity with Jamf +* [Updated] 526 - Send Insight Teams Notification +* [Updated] 527 - Enrich Entity with VirusTotal +* [Updated] 528 - Create ZenDesk Ticket for Insight +* [Updated] 529 - Update ZenDesk Ticket for Insight +* [Updated] 530 - Get Mitre Mitigations for Insight +* [Updated] 531 - Example Insight full Enrichment +* [Updated] 532 - Example Entity full Enrichment +* [Updated] 533 - Example Involved Entities full Enrichment +* [Updated] 534 - Enrich Entity with AlienVault OTX +* [Updated] 535 - Application Latency Playbook +* [Updated] 536 - Unresolved Alert Notification +* [Updated] 537 - Amazon GuardDuty BruteForce finding +* [Updated] 538 - Admin Privileges Granted +* [Updated] 539 - Amazon GuardDuty InstanceCredentialExfiltration finding +* [Updated] 540 - EC2 instance accessed from malicious IP + +--- +### April 9, 2024 - Application Update + +#### Changes and Enhancements +* Text area editor: HTML mode is disabled by default. +* Automation: In playbook list view now results are loaded after the user opens each action card. 
+ +#### Bug fixes +* App Central: Now when an integration is updated, user custom YAML output is automatically handled by the system and merged during the update process. +* Automation: Users can now contact Sumo support asking from which public IPs automations will be generated. +* Playbooks: + * Fixed playbook saving action that caused playbooks to be empty. + * Fixed issue related to multiple manual action execution in the same playbook. + * Fixed import issue. + +##### Cloud SOAR +* Entities: Fixed issue when creating new entity of type FILE. +* Rules: Now it is not possible to create two rules with the same name. +* Incidents: Fixed issue related to incident privileges. + +--- +### March 26, 2024 - Application Update + +#### Bug fixes +* Playbooks: + * Fixed execution with cartesian product disabled. + * Fixed condition node not working as expected when evaluating value `0 == any string`. +* Fixed date-time format settings. + +##### Cloud SOAR +* Triage: Fixed playbook graph view errors. +* Incidents: + * Fixed incidents navigation button disabled when inside an incident. + * Fixed modal to add user as investigator that returned an error. + * Fixed fields with '0' value displayed as empty in GUI. + * Fixed issue related to 'Prohibit duplicate naming' that was not enforced properly in case of incidents created from automation rule. + * Fixed duplicate incidents issue when created from webhooks (LAP scheduled search). + * Fixed incidents list with empty rows. + +--- +### March 21, 2024 - Content Release + +This release introduces three new integrations, as well as several updates. 
+ +#### Integrations + +* [New] [AWS Private Certificate Authority](/docs/platform-services/automation-service/app-central/integrations/aws-private-certificate-authority/) +* [New] [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip/) +* [New] [Datto RMM](/docs/platform-services/automation-service/app-central/integrations/datto-rmm/) +* [Updated] [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam/) +* [Updated] [Joe Sandbox](/docs/platform-services/automation-service/app-central/integrations/joe-sandbox/)* +* [Updated] [Malwarebytes Nebula](/docs/platform-services/automation-service/app-central/integrations/malwarebytes-nebula/) +* [Updated] [OneLogin](/docs/platform-services/automation-service/app-central/integrations/onelogin/) +* [Updated] [SMTP V3](/docs/platform-services/automation-service/app-central/integrations/smtp-v3/) +* [Updated] [Zendesk](/docs/platform-services/automation-service/app-central/integrations/zendesk/) +* [Updated] [Zscaler](/docs/platform-services/automation-service/app-central/integrations/zscaler/) + +* These integrations have been migrated and are now available in this release. + +--- +### March 12, 2024 - Content Release + +Our Cloud SOAR [application update](/release-notes-csoar/2024/03/12/application-update/) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards. + +The Python upgrade impacts a total of 38 integrations. These integrations will require updates to ensure compatibility with the new Python version. + +Please be aware that with this update, the output from certain actions may no longer be displayed as expected if they were customized in your current setup. This is an important consideration for your workflows, and we recommend reviewing any customizations you have in place. 
+ +To facilitate a smooth transition, we have prepared a straightforward guide to assist you in updating your integrations. This guide outlines the steps you need to take to ensure your integrations work seamlessly with Python 3.12. Click here for the "Updating App Central Integrations" guide. + +Below is the full list of integrations that will be affected by the Python upgrade. Please review this list to determine which integrations in your environment will require attention. + +#### Integrations + +* [Updated] AWS Security Hub +* [Updated] AlienVault USM Anywhere +* [Updated] Arbor +* [Updated] Arcsight ESM +* [Updated] Chronicle +* [Updated] Coralogix - Send Logs +* [Updated] Cortex XDR +* [Updated] CrowdStrike Falcon +* [Updated] CrowdStrike Falcon Intelligence +* [Updated] CylanceProtect +* [Updated] DarkOwl +* [Updated] Darktrace +* [Updated] Devo +* [Updated] Elastic Security +* [Updated] FortiAnalyzer +* [Updated] IMAP +* [Updated] Incident Tools +* [Updated] KnowBe4 PhishER +* [Updated] LogRhythm +* [Updated] MISP +* [Updated] Microsoft 365 Defender +* [Updated] Microsoft EWS +* [Updated] Microsoft EWS Daemon +* [Updated] Microsoft Teams +* [Updated] Mimecast +* [Updated] Netskope +* [Updated] ProtectOnce +* [Updated] RSA NetWitness +* [Updated] Recorded Future +* [Updated] SentinelOne +* [Updated] Sophos Central V3 +* [Updated] Sumo Logic +* [Updated] Sumo Logic CSE +* [Updated] Sumo Logic Notifications +* [Updated] VMware Carbon Black Cloud Endpoint Standard V2 +* [Updated] VMware Carbon Black Cloud Platform +* [Updated] VirusTotal +* [Updated] WithSecure Elements + +We strongly encourage all users to review the provided documentation and prepare for the upcoming changes. Our support team is available to assist with any questions or concerns regarding this release. + +--- +### March 12, 2024 - Application Update + +#### Changes and Enhancements +* Python version updated. 
If you experience any issues, refer to our [content release note](/release-notes-csoar/2024/03/12/content/). + +##### Cloud SOAR +* Playbooks: Test feature now permits you to use internal Incident ID. + +#### Bug fixes +* Playbooks: + * Fixed test playbook broken functionality. + * Fixed scheduled actions issue. +* Integrations: Fixed Docker Image build issue that resulted in an internal error. + +##### Cloud SOAR +* Incidents: Fixed column reordering causing the table to disappear. +* Triage: Fixed possibility to execute the same playbook more than two times. + +--- +### February 27, 2024 - Content Release + +This release contains several updates, including the introduction of new actions and the resolution of some issues. + +#### Integrations + +* [Updated] Lacework + * New actions + * Get Alert Details + * Search Alerts + * Fixed endpoint in Close Alert action +* [Updated] Darktrace + * Resolved bug related to integration resource +* [Updated] IP Quality Score + * New actions + * Email Reputation + * URL Reputation + * Renamed action from "Get Credit Usage API" to "Get Credit Usage" + * Refined labels and hints + * Extended output mapping with examples +* [Updated] OneTrust + * New action: Create Organization +* [Updated] Sumo Logic CSE + * Fixed issue in the "Add Comment To Insight" action where line breaks in the "Insight Comment" field were removed upon submission +* [Updated] AWS IAM + * New action: Get Access Key Last Used + * Fixed bug in some actions +* [Updated] Incident Tools + * Fixed Typo +* [Updated] Atlassian Jira + * Enhanced "Create Issue" and "Update Issue" actions to support Jira custom fields +* [Updated] Screenshot Machine + * Screenshot Webpage Action: Updated with new Cloud SOAR API +* [Updated] Chronicle + * New actions: + * Get Event + * Get Events + * Get Log + * List Alerts + * UDM Search + * Fixed a bug related to the PageSize field in the List Alerts action + * Updated Alerts Daemon Chronicle + * Fixed a bug related to Last execution 
time + * Updated Output mappings +* [Updated] Zscaler + * Fixed an issue that prevented some actions from being executed +* [Updated] Mail Tools + * Updated Analyze MSG EML action with new Cloud SOAR API +* [Updated] Recorded Future + * Refactored Recorded Future Alerts Daemon + * Refactored Vulnerability Search Daemon + * Enabled Incident Artifacts feature flag for Get Alert Details action +* [Updated] GreyNoise + * New action: Context IP Lookup Community + * Other minor fixes + +--- +### February 19, 2024 - Application Update + +#### Changes and Enhancements +* Playbooks: + * Enabled [playbook testing](/docs/platform-services/automation-service/automation-service-playbooks/#test-a-playbook). With this improvement it is now possible to test a playbook configuration before publishing it, using Insight, Incident or custom JSON as input. + * Action configuration: Integration fields configuration now suggests default values, if present. + * UserChoice, answer by Email: Fixed Authorizer usage from previous nodes. +* AppCentral: Within the Integrations section, each integration card now contains a hyperlink to the related public documentation page [Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/). +* Integrations: It is now possible to send custom commands when an integration docker image is created. This feature is available for Not Certified integration only. + +##### Cloud SOAR +* Enabled a new reporting feature for case management and dashboards. + +#### Bug fixes +* Integrations: + * Fixed Resource test issue. +* AppCentral: Fixed playbook preview when maximized view is used. + +##### Cloud SOAR +* Rules: Fixed scheduled execution. +* Tasks: Fixed creation if a required field is dismissed. +* Incidents: Fixed full screen view buttons for widgets. +* Notes: Fixed CSV export. 
+ +--- +### February 6, 2024 - Application Update + +#### New Documentation for the Cloud SOAR SaaS version​ + +We are excited to announce the following new documentation for features in our Cloud SOAR SaaS version: +* Features: + * [Dashboards](/docs/cloud-soar/incidents-triage/#create-a-dashboard) + * [Create widgets for dashboards](/docs/cloud-soar/incidents-triage/#create-widgets) + * Directly manage User Choice actions within the playbooks from your [Slack workspace](/docs/cloud-soar/automation/#configure-slack-for-cloud-soar). + * Open Integration Framework: + * [Integration Builder](/docs/platform-services/automation-service/automation-service-integrations/#create-a-new-integration) allows you to build integrations without needing to provide code + * Integrations, and related action execution, can be done [in the cloud or through the Bridge](/docs/platform-services/automation-service/automation-service-integrations/#cloud-or-bridge-execution). Only certified integrations can be executed in the cloud. + * Certified integrations allow you to customize JSON and table output schema + * Actions configuration during playbook design is rearranged for easier use +* Architecture: + * Fully-functional in the Cloud (the Bridge is only required for custom integrations) + * User and profile management is in Sumo Logic core platform instead of Cloud SOAR + * Automatic scalability based on server load + * [Cloud SOAR APIs](/docs/api/cloud-soar/) are standardized to use the same infrastructure as APIs in the Sumo Logic core platform + +--- +### January 30, 2024 - Application Update + +#### Changes and Enhancements +* Added public help document for supported integrations. See [Integrations in App Central](/docs/platform-services/automation-service/app-central/integrations/). +* Integrations: Added possibility to rename an integration keeping original reference in YAML. +* Playbooks: + * List view set as default. View changes are saved in user preferences. 
+ * Deprecated Nested attribute. + * Added possibility to dynamically reference a resource in actions. +* Automation now tracks failed actions executions. + +##### Cloud SOAR +* Playbooks: Fixed insight execution for nested playbooks with more than 2 nesting levels. +* Rules: Added ability to change the Daemon Name or Integration Resource within an existing automation rule. + +#### Bug fixes +* Email encoding a character to UTF8 for literal string fixed. +* Playbooks: + * Unable to use variable fields with quotes in text area fixed. + * Fixed playbook inputs not visible in TextArea placeholder. + * Resolved scheduled action execution issue with playbook status. + +##### Cloud SOAR +* Incidents: + * Fixed war room export for updated tasks. + * Fixed possibility to copy table contents in Notes description field. + * Incident creation: Fixed infinite spinner in Automation tab. + +--- +### January 25, 2024 - Content Release + +This release introduces new integrations, as well as new Playbooks related to Cloud Infrastructure Security for AWS. + +#### Integrations + +* [New] Axonius +* [New] OneTrust +* [New] AWS Network Firewall +* [Updated] Azure AD + * Added New Action: Get Member Groups +* [Updated] AWS IAM + * Added New Action: Update Access Key +* [Updated] Slack + * Updated action: Ask Question +* [Updated] AWS EC2 + * Updated action: Stop Instance +* [Updated] Atlassian Jira* + * Several changes have been made. This update introduces BREAKING CHANGES: both the Output Mapping and Input fields have been revised and updated. This version is specific to Jira Server and Data Center. + +* These integrations have been migrated and are now available in this release. 
+ +#### Playbooks + +* [New] 540 - EC2 instance accessed from malicious IP +* [New] 539 - Amazon GuardDuty InstanceCredentialExfiltration finding +* [New] 538 - Admin Privileges Granted +* [New] 537 - Amazon GuardDuty BruteForce finding + +--- +### January 8, 2024 - Content Release + +This release introduces two new integrations, **ipdata** and **Google Alert Center**, as well as several updates. + +#### Integrations + +* [New] ipdata +* [New] Google Alert Center +* [Updated] PowerShell Tools + * Updated the integration to address hostname resolution in Docker +* [Updated] Panda EDR + * Fixed Token Issue +* [Updated] IPinfo + * Enabled Incident Artifacts for IP Address field +* [Updated] CSE Tools + * Extended output mapping for Get Signal action +* [Updated] Sumo Logic + * Updated Search Sumo Logic Action +* [Updated] Have I Been Pwned + * Added new action: Get Latest Breach +* [Updated] Sumo Logic CSE + * Added new Action: Create Insight From Signals + * Updated Add Enrichment Insight, Add Enrichment Entity, and Add Enrichment Signal actions +* [Updated] Incident Tools + * Added new action: Get Incident +* [Updated] Lacework + * Added new action: Close Alert +* [Updated] Active Directory V2 + * Updated action: User Attributes +* [Updated] Active Directory + * Updated action: User Attributes V2 + +--- +### January 03, 2024 - Application Update + +#### Changes and Enhancements +* Playbooks: UserChoice nodes can be handled now from Slack workspace (see [documentation](/docs/cloud-soar/automation#configure-slack-for-cloud-soar)). + +##### Cloud SOAR +* New privilege "Api Admin": Enabling this privilege in Log Analytics Platform will allow user to handle incident operations without being involved directly as investigator. + +#### Bug fixes +* Fixed black screen when opening a Cloud SOAR or Automation Service URL with invalid session. +* Playbooks: + * Fixed: Parameters not being passed to nested playbooks. 
+ * Fixed: Configuration loss after being installed from App Central. + * Placeholder TextArea with `<` and `>` that were converted in "spaces" in HTML. + +##### Cloud SOAR +* Groups: Fixed member removal that could result in broken requests. +* Playbooks: + * TextArea fixed placeholder view for Artifacts fields. + * Incident ID placeholder available in node configuration. + +##### Automation Service +* Playbooks: Start node parameters fixed by using a “.” or a "space" in parameter names that were converted into `_`. From 8de6bb26d44b0aad7482ee9f6b57adeee904e616 Mon Sep 17 00:00:00 2001 
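Review bot: the footnote on `+* [Updated] Atlassian Jira*` in the January 25, 2024 section of the new `blog-csoar/2024/12-31.md` does not survive Markdown rendering: its explanation, `+* These integrations have been migrated and are now available in this release.`, begins with `* `, so it renders as an unrelated top-level bullet rather than as a note attached to the Jira item that carries the BREAKING CHANGES warning for Jira Server and Data Center. Escape the marker as `\*` on both lines, or use a Markdown footnote (`[^1]`), so the two stay linked. Two consistency points in the same region: the heading `### January 03, 2024 - Application Update` zero-pads the day while every other heading in the file (`January 8, 2024`, `February 6, 2024`) does not, which also changes the generated anchor, and the bullet `Start node parameters fixed by using a “.” or a "space"` mixes curly and straight quotes.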
From: John Pipkin Date: Thu, 2 Jan 2025 16:42:37 -0600 Subject: [PATCH 2/5] Archive Cloud SIEM release notes --- blog-cse/2022/12-31.md | 2 +- blog-cse/2023/12-31.md | 2 +- blog-cse/2024-01-12-content.md | 55 - blog-cse/2024-01-30-content.md | 23 - blog-cse/2024-02-02-content.md | 32 - blog-cse/2024-02-13-content.md | 27 - blog-cse/2024-02-19-application-update.md | 30 - blog-cse/2024-02-19-content.md | 27 - blog-cse/2024-02-23-content.md | 34 - blog-cse/2024-03-11-content.md | 36 - blog-cse/2024-03-21-content.md | 43 - blog-cse/2024-03-22-application-update.md | 26 - blog-cse/2024-03-28-content.md | 39 - blog-cse/2024-04-05-content.md | 23 - blog-cse/2024-04-11-application-update.md | 41 - blog-cse/2024-05-02-content.md | 37 - blog-cse/2024-05-15-application-update.md | 34 - blog-cse/2024-05-15-content.md | 30 - blog-cse/2024-05-23-content.md | 50 - blog-cse/2024-05-30-application-update.md | 20 - blog-cse/2024-05-30-content.md | 106 -- blog-cse/2024-07-03-content.md | 57 - blog-cse/2024-07-16-content.md | 41 - blog-cse/2024-08-05-content.md | 94 -- blog-cse/2024-08-16-content.md | 80 - blog-cse/2024-08-23-content.md | 55 - blog-cse/2024-08-27-content.md | 22 - blog-cse/2024-09-19-content.md | 214 --- blog-cse/2024-10-04-content.md | 227 --- blog-cse/2024-10-31-content.md | 157 -- blog-cse/2024-11-07-content.md | 82 - blog-cse/2024-11-08-application-update.md | 13 - blog-cse/2024-11-22-content.md | 61 - blog-cse/2024-12-06-content.md | 99 -- blog-cse/2024-12-20-content.md | 58 - blog-cse/2024/12-31.md | 1680 +++++++++++++++++++++ blog-csoar/2023/12-31.md | 2 +- blog-csoar/2024/12-31.md | 2 +- 38 files changed, 1684 insertions(+), 1977 deletions(-) delete mode 100644 blog-cse/2024-01-12-content.md delete mode 100644 blog-cse/2024-01-30-content.md delete mode 100644 blog-cse/2024-02-02-content.md delete mode 100644 blog-cse/2024-02-13-content.md delete mode 100644 blog-cse/2024-02-19-application-update.md delete mode 100644 blog-cse/2024-02-19-content.md delete mode 
100644 blog-cse/2024-02-23-content.md delete mode 100644 blog-cse/2024-03-11-content.md delete mode 100644 blog-cse/2024-03-21-content.md delete mode 100644 blog-cse/2024-03-22-application-update.md delete mode 100644 blog-cse/2024-03-28-content.md delete mode 100644 blog-cse/2024-04-05-content.md delete mode 100644 blog-cse/2024-04-11-application-update.md delete mode 100644 blog-cse/2024-05-02-content.md delete mode 100644 blog-cse/2024-05-15-application-update.md delete mode 100644 blog-cse/2024-05-15-content.md delete mode 100644 blog-cse/2024-05-23-content.md delete mode 100644 blog-cse/2024-05-30-application-update.md delete mode 100644 blog-cse/2024-05-30-content.md delete mode 100644 blog-cse/2024-07-03-content.md delete mode 100644 blog-cse/2024-07-16-content.md delete mode 100644 blog-cse/2024-08-05-content.md delete mode 100644 blog-cse/2024-08-16-content.md delete mode 100644 blog-cse/2024-08-23-content.md delete mode 100644 blog-cse/2024-08-27-content.md delete mode 100644 blog-cse/2024-09-19-content.md delete mode 100644 blog-cse/2024-10-04-content.md delete mode 100644 blog-cse/2024-10-31-content.md delete mode 100644 blog-cse/2024-11-07-content.md delete mode 100644 blog-cse/2024-11-08-application-update.md delete mode 100644 blog-cse/2024-11-22-content.md delete mode 100644 blog-cse/2024-12-06-content.md delete mode 100644 blog-cse/2024-12-20-content.md create mode 100644 blog-cse/2024/12-31.md diff --git a/blog-cse/2022/12-31.md b/blog-cse/2022/12-31.md index 7f267d4c30..b41c73ffd0 100644 --- a/blog-cse/2022/12-31.md +++ b/blog-cse/2022/12-31.md @@ -7,7 +7,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon -This is an archive of 2022 Cloud SIEM Release Notes. +This is an archive of 2022 Cloud SIEM release notes. To view the full archive, [click here](/release-notes-cse/archive). diff --git a/blog-cse/2023/12-31.md b/blog-cse/2023/12-31.md index ae43fc37c1..a458b74899 100644 --- a/blog-cse/2023/12-31.md +++ b/blog-cse/2023/12-31.md 
@@ -14,7 +14,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon -This is an archive of 2023 Cloud SIEM Release Notes. +This is an archive of 2023 Cloud SIEM release notes. To view the full archive, [click here](/release-notes-cse/archive). diff --git a/blog-cse/2024-01-12-content.md b/blog-cse/2024-01-12-content.md deleted file mode 100644 index 1bbfb3e20b..0000000000 --- a/blog-cse/2024-01-12-content.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: January 12, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers - - normalization schema -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&K® tactic and technique tags. - -#### Rules - -* [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event - * Updated name expression to reduce insight false positivity -* [Updated] MATCH-S00686 Base64 Decode in Command Line -* [Updated] MATCH-S00373 BlueMashroom DLL Load -* [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User -* [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User -* [Updated] FIRST-S00013 First Seen Driver Load - Global -* [Updated] FIRST-S00014 First Seen Driver Load - Host -* [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address -* [Updated] MATCH-S00705 Registry Modification - Authentication Package -* [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL -* [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached -* [Updated] MATCH-S00279 TAIDOOR RAT DLL Load -* [Updated] MATCH-S00379 WMIExec VBS Script -* [Updated] MATCH-S00570 WMIPRVSE Spawning Process - * Corrected expression to exclude OS SID from `user_userId`; prior expression was incorrectly referencing `SubjectLogonID` -* [Updated] MATCH-S00724 Windows Update Agent DLL Changed -* [Updated] MATCH-S00435 XSL Script Processing - -#### Log Mappers - -* [New] 1Password Item Audit Actions -* [New] 1Password Item Usage Actions -* [New] Zeek DNS Activity -* [New] Zeek HTTP Activity -* [New] Zeek conn Activity 
- -#### Parsers - -* [New] /Parsers/System/1Password/1Password -* [New] /Parsers/System/1PasswordC2C/1PasswordC2C -* [New] /Parsers/System/Zeek/Zeek - -#### Schema -* [New] metadata_sourceBlockId - * The \_blockId of the original source log message (from Sumo Logic) diff --git a/blog-cse/2024-01-30-content.md b/blog-cse/2024-01-30-content.md deleted file mode 100644 index d3c3ded17d..0000000000 --- a/blog-cse/2024-01-30-content.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: January 30, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes updates to log mappers for Zeek fixing several bugs that were preventing fields from mapping properly. - -#### Log Mappers - -* [Updated] Zeek DNS Activity -* [Updated] Zeek HTTP Activity -* [Updated] Zeek conn Activity - -:::tip -For all the up-to-date Cloud SIEM content, see the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog). -::: diff --git a/blog-cse/2024-02-02-content.md b/blog-cse/2024-02-02-content.md deleted file mode 100644 index 1e19c97237..0000000000 --- a/blog-cse/2024-02-02-content.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: February 2, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release includes minor mapping adjustments to Duo and MS Graph Identify Protection Risk logs. Specific changes are enumerated below. - -#### Log Mappers - -* [Updated] Duo Security Admin API - Audit - * Added mappings for source host and source IP -* [Updated] Duo Security Admin API - Authentication - * Added mappings for source host and source IP -* [Updated] Duo Security Admin API - Non-User Audit Changes - * Added mappings for source host and source IP -* [Updated] Duo Security Admin API - Targeted User Audit Changes - * Added mappings for source host and source IP -* [Updated] Microsoft Graph Identity Protection API C2C - riskDetections - * Added principal as primary `user_username` key -* [Updated] Microsoft Graph Identity Protection API C2C - riskyUsers - * Added principal as primary `user_username` key - -:::tip -For all the up-to-date Cloud SIEM content, see the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog). -::: diff --git a/blog-cse/2024-02-13-content.md b/blog-cse/2024-02-13-content.md deleted file mode 100644 index 0355358d8e..0000000000 --- a/blog-cse/2024-02-13-content.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: February 13, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below. - -#### Log Mappers - -* [New] Trellix mVision ePO Threats -* [New] Zero Networks Segment Audit Activity -* [New] Zero Networks Segment Network Activity -* [Updated] AzureActivityLog 01 - * Remapped `Application` from `properties.clientAppUsed` to `properties.appDisplayName` for consistency - -#### Parsers - -* [New] /Parsers/System/Trellix/Trellix MVision EPO -* [New] /Parsers/System/Zero Networks/Zero Networks Segment diff --git a/blog-cse/2024-02-19-application-update.md b/blog-cse/2024-02-19-application-update.md deleted file mode 100644 index c3d7ea8598..0000000000 --- a/blog-cse/2024-02-19-application-update.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: February 19, 2024 - Application Update -keywords: - - cloud siem -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -### Minor changes and enhancements - -* [New] Continuing our work to better align the Cloud SIEM UI pages with Log Analytics UI pages to improve usability and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated. -* [New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged). -* [New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied. -* [Updated] The `Object Type` attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed. -* [New] A user-editable **Description** field has been added to Rule Tuning Expressions. - -### Bug fixes - -* Sorting by value was not working properly on the Entities list page. -* Sometimes, if the target value was left blank (default), domain normalization would append a colon to the resulting value. -* Customers were experiencing rate limiting with VirusTotal due to a change to their API and constant retries due to resultant errors in Cloud SIEM. This has been resolved, as has an issue with enrichments for file hashes. -* Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly). -* The MITRE ATT&CK® `stage` attribute was missing from some Signals in the audit logs. -* Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration. -* On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible. 
-* The reputation indicator on the Entity Details page was being rendered, then hidden. diff --git a/blog-cse/2024-02-19-content.md b/blog-cse/2024-02-19-content.md deleted file mode 100644 index ad25d35e06..0000000000 --- a/blog-cse/2024-02-19-content.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: February 19, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release includes new log mapping and parsing content for Druva Cyber Resilience: - -#### Log Mappers - -* [New] Druva Cyber Resilience - Admin Logon -* [New] Druva Cyber Resilience - Catch All - -#### Parsers - -* [New] /Parsers/System/Druva/Druva Cyber Resilience - -#### Bug Fixes - -* Recently, two rules, FIRST-S00052 and FIRST-S00049, were released to customers erroneously. Soon after, these rules started generating false positive Signals and Insights. We have removed those rules from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights. diff --git a/blog-cse/2024-02-23-content.md b/blog-cse/2024-02-23-content.md deleted file mode 100644 index e0a5afb12f..0000000000 --- a/blog-cse/2024-02-23-content.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: February 23, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - parsers - - C2C support ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes modifications and additions to Citrix Cloud C2C to handle additional event types and bring existing event mapping into line with new events, support for Code42 Incydr via C2C, Abnormal Security via C2C, and JumpCloud Directory Insights via C2C. - -#### Log Mappers - -* [Deleted] Citrix Cloud Client - * This mapping is replaced by new mappers for Citrix Cloud below -* [New] Abnormal Security Threats -* [New] Citrix Cloud Operation Logs -* [New] Citrix Cloud System Logs -* [New] Code42 Incydr Alerts C2C -* [New] Code42 Incydr Audits C2C -* [New] Code42 Incydr FileEvents C2C -* [New] JumpCloud Directory Insights - Admin Logon -* [New] JumpCloud Directory Insights - Catch All - -#### Parsers - -* [New] /Parsers/System/Abnormal Security/Abnormal Security -* [New] /Parsers/System/Code42/Code42 Incydr -* [New] /Parsers/System/JumpCloud/JumpCloud Directory Insights -* [Updated] /Parsers/System/Citrix/Citrix Cloud C2C diff --git a/blog-cse/2024-03-11-content.md b/blog-cse/2024-03-11-content.md deleted file mode 100644 index 63e0fd0c39..0000000000 --- a/blog-cse/2024-03-11-content.md +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: March 11, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below. - -#### Rules - -* [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line - * Updated rule expression to reduce false positivity. -* [Updated] FIRST-S00044 First Seen AppID Generating MailIItemsAccessed Event - * Updated Severity from 4 to 1. -* [Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event - * Fixed description and summary transposition and lowered severity from 3 to 1. - -#### Log Mappers - -Added userAgent mapping to Okta. -* [New] Kaltura Audits -* [Updated] Okta Authentication - auth_via_mfa -* [Updated] Okta Authentication Events -* [Updated] Okta Catch All - -#### Parsers - -* [New] /Parsers/System/Kaltura/Kaltura diff --git a/blog-cse/2024-03-21-content.md b/blog-cse/2024-03-21-content.md deleted file mode 100644 index 930f68d67c..0000000000 --- a/blog-cse/2024-03-21-content.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: March 21, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below. - -#### Rules - -* [Updated] MATCH-S00610 PSExec Named Pipe Created by Non-PsExec Process - * Expression Key updated -* [Updated] MATCH-S00159 Windows - Permissions Group Discovery - * Removed FirstSeen language in the match rule - -#### Log Mappers - -* [New] Cato Networks Security Events - Catch All -* [New] Windows - Security - 5156 -* [Updated] 1Password Item Audit Actions - * Updated event id pattern -* [Updated] 1Password Item Usage Actions - * Updated event id pattern -* [Updated] Azure Application Service Console Logs - * Azure Custom Parser Normalized Severity key update -* [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents - * Azure Custom Parser Normalized Severity key update -* [Updated] Azure Risky Users - * Azure Custom Parser Normalized Severity key update -* [Updated] Azure User Risk Events - * Azure Custom Parser Normalized Severity key update -* [Updated] Microsoft Defender for Cloud - Security Alerts - * Azure Custom Parser Normalized Severity key update -* [Updated] Okta Authentication - sso - * Application key updated diff --git a/blog-cse/2024-03-22-application-update.md b/blog-cse/2024-03-22-application-update.md deleted file mode 100644 index b016ac7183..0000000000 --- a/blog-cse/2024-03-22-application-update.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: March 22, 2024 - Application Update -keywords: - - cloud siem - - MITRE -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -### Minor changes and enhancements - -* Two enhancements have been implemented for the MITRE ATT&CK® Threat Coverage Explorer: - * The current tactic, technique and sub-technique metrics for the (default) Theoretical and Historical views are now written to the `sumologic_system_events` audit logs daily. This data can be used in dashboards to track coverage and events over time. - * It is now possible, using the `/mitre-attack/json` endpoint, to extract the MITRE Explorer-formatted JSON via API. (This works the same as the **Export** button in the UI.) -* On the Insight details page, on the Entities tab, the default view is now the Graph view instead of the List view. -* Threat reputation icons/labels are now visible in a number of additional places throughout the UI. These can be set via enrichment. - -### Bug fixes - -* In some cases, events that are supposed to occur automatically after an Insight is opened were not executing, or were severely delayed. -* If an Insight comment included a long URL, text wrapping was not behaving correctly and some text was being clipped from view. Also, newline characters were not always being honored properly in comments. diff --git a/blog-cse/2024-03-28-content.md b/blog-cse/2024-03-28-content.md deleted file mode 100644 index f9998e273e..0000000000 --- a/blog-cse/2024-03-28-content.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: March 28, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes updated log mappers for Windows Sysmon as enumerated below. - -#### Log Mappers - -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8 -* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9 diff --git a/blog-cse/2024-04-05-content.md b/blog-cse/2024-04-05-content.md deleted file mode 100644 index 1fa345c156..0000000000 
--- a/blog-cse/2024-04-05-content.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: April 5, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes a corrective update to a match rule summary expression and a log mapping bug fix. Changes are enumerated below. - -* Rules - * [Updated] MATCH-S00137 Office Application or Browser Launching Shell - * Fix typo in summary expression key - * Keys updated: `summary_expression`, `normalized_summary` -* Log Mappers - * [Updated] Microsoft Office 365 Active Directory Authentication Events - * Office_365 Mapping Correction - * Keys updated: `user_userId` diff --git a/blog-cse/2024-04-11-application-update.md b/blog-cse/2024-04-11-application-update.md deleted file mode 100644 index d7cc744469..0000000000 --- a/blog-cse/2024-04-11-application-update.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: April 11, 2024 - Application Update -keywords: - - cloud siem - - mitre - - light mode - - dark mode -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -### MITRE ATT&CK® Coverage Enhancements - -We're excited to announce multiple enhancements to our MITRE ATT&CK Threat Coverage Explorer. - -* **Rules Filtering** - You can now easily filter the coverage visualization based on rules, including out-of-the-box and user-created rules, as well as enabled, disabled, production and prototype rules. -* **All Community Activity** - This view now defaults to show only the vendor and product logs that are being sent to Cloud SIEM from your data sources. This gives you a better comparison between what your theoretical and historical coverage shows and what other customers of Cloud SIEM using those same log sources are seeing. You can still change the filter to display other (or all) log sources. -* **Customizable Colors** - You can now customize the tile colors to your own scheme.
Custom MITRE ATT&CK Explorer Color Palette - -For full details, see the [MITRE ATT&CK Coverage documentation](/docs/cse/administration/mitre-coverage/). - -### New UI Themes for Cloud SIEM - -We are also excited to announce that Cloud SIEM now supports two different UI themes: the default "dark" theme, and a new "light" theme: - -Light and Dark theme examples in Cloud SIEM - -The theme is set per user, and can be changed on the Sumo Logic user preferences page: - -Option to change UI theme - -Note that the setting currently only affects Cloud SIEM and the Automation Service, but in the future this setting will also affect other pages in the Sumo Logic UI. - -### Bug fixes - -* Terraform no longer times out while waiting for match lists to be updated. diff --git a/blog-cse/2024-05-02-content.md b/blog-cse/2024-05-02-content.md deleted file mode 100644 index 279069bdb5..0000000000 --- a/blog-cse/2024-05-02-content.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: May 2, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes seventeen new rules and two updated rules. Details are enumerated below. - -* Rules - * [NEW] MATCH-S00896 Azure Authentication Policy Change - * [NEW] MATCH-S00895 NinjaCopy Usage Detected - * [NEW] MATCH-S00906 Okta - Application Created - * [NEW] MATCH-S00903 Okta - Device Added To User - * [NEW] MATCH-S00904 Okta - Device Removed From User - * [NEW] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon - * [NEW] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs) - * [NEW] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems) - * [NEW] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents) - * [NEW] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded - * [NEW] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration - * [NEW] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded - * [NEW] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded - * [NEW] MATCH-S00706 Registry Modification - Time Providers - * [NEW] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load - * [NEW] MATCH-S00899 Suspicious Active Directory Certificate Modification - * [NEW] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent - * [Updated] MATCH-S00706 Registry Modification - Time Providers - * Improved logic expression - * [Updated] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load - * Clarified Summary diff --git a/blog-cse/2024-05-15-application-update.md b/blog-cse/2024-05-15-application-update.md deleted file mode 100644 index d4af30df3d..0000000000 
--- a/blog-cse/2024-05-15-application-update.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: May 15, 2024 - Application Update -keywords: - - cloud siem - - rule level signal suppression - - MITRE explorer -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -#### Rule-Based Signal Suppression - -We've added an advanced rule feature that allows users to override the global signal suppression period. This is most useful for individual rules that require much shorter (or no) suppression, such as rules that pass alerts through from external data sources such as endpoint detection systems. - -This setting can be accessed from the rule details page: - -Rule-Level Signal Suppression Settings in Cloud SIEM - -The setting is in the "Show Advanced" section. You can specify a suppression period for the rule between 0 and 168 hours (if you set it to 0, suppression is completely disabled for the rule). - -#### Minor Changes and Enhancements - -* Users can now view the MITRE ATT&CK® Threat Coverage Explorer with only the View Rules permission; previously users had to have the Manage Rules permission to access the Explorer. - -#### Bug Fixes - -* Some system events that automatically occur after an Insight is created (such as enrichment, automation service calls, and so on) were not consistently executing. -* Some system events that automatically occur just before rule processing (such as adding Geo IP and ASN data, checking match lists, and so on) were not consistently executing. -* Users were unable to duplicate rules due to an internal error. diff --git a/blog-cse/2024-05-15-content.md b/blog-cse/2024-05-15-content.md deleted file mode 100644 index 4894b3f7cf..0000000000 --- a/blog-cse/2024-05-15-content.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: May 15, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes an updated log mapper, and two updated parsers. Details are enumerated below. - -Additionally, MATCH-S00408 has been decommissioned because it was not functioning as intended. - -#### Rules - -* [Deleted] MATCH-S00408 Fake Windows Processes - -#### Log Mappers - -* [Updated] SentinelOne Logs - C2C threats - -#### Parsers - -* [Updated] /Parsers/System/Dell/Dell SonicWall -* [Updated] /Parsers/System/Okta/Okta diff --git a/blog-cse/2024-05-23-content.md b/blog-cse/2024-05-23-content.md deleted file mode 100644 index 7705c151ec..0000000000 --- a/blog-cse/2024-05-23-content.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: May 23, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release includes new Cloud SIEM detection rules, and updates to existing rules to correct summary and description expressions. All changes are enumerated below. - -#### Rules - -* [New] FIRST-S00061 First Seen USB device in use on Windows host - * This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. If the device name is unexpected and not authorized to be used in the environment, investigate the alert further and look for file creation events to the drive in question. The `fields["EventData.DeviceDescription"]` field contains the device name. -* [New] FIRST-S00059 First Seen esentutl command From User - * Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. Esentutl can also be utilized to download files from a remote share or URL. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. -* [New] FIRST-S00058 First Seen vssadmin command From User - * Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. 
If this activity is performed as part of normal system maintenance, the rule can be tuned to exclude these groups of users. -* [New] FIRST-S00060 First Seen wbadmin command From User - * Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. -* [New] MATCH-S00908 Okta - MFA Request Denied by User - * This signal will trigger when a user denies an MFA request within the Okta authenticator application. Examine other authentication attempts for this particular user, and undertake confirmation efforts to ensure that this activity is expected and valid. -* [New] MATCH-S00907 Okta - Policy Rule Added - * This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. Check the Okta administrator portal for more details regarding the application in question such as scopes and access levels. The field `fields["target.1.alternateId"]` contains the name of the application that was created -* [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint - * This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta users API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. A full list of functionality for this endpoint can be found in the Okta documentation [here](https://developer.okta.com/docs/reference/api/users/). The `\u201cSuccess\u201d` field will indicate whether this API request was successful or not, and the `\u201cDescription\u201d` field will contain the event that was generated by the API request. 
Both failed and successful requests should be investigated. Ensure that this request was performed for legitimate purposes such as developer workflows or other automation mechanisms. Consider adding a match list exclusion with authorized accounts who perform requests to this Okta API endpoint via programmatic methods if this signal is triggering false positives. -* [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method - * This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. Investigation of the host is recommended to identify the behavior leading to and around the execution of this PowerShell process. -* [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution - * Detects the use of PowerShell for Application Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. Investigation into the host and user to identify the process executing the PowerShell function. See [here](https://www.ired.team/offensive-security/enumeration-and-discovery/t1010-application-window-discovery) for reference. -* [New] MATCH-S00918 Suspicious cat of PAM common-password policy - * The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. The common-password file defines behavior of password use in Linux subsystems. This detection looks for use of cat to display the contents of the common-password file, which should not be a common occurrence on systems. It is recommended to investigate the host upon which this detection occurs to understand the exposure of the password policies for the system. -* [New] MATCH-S00919 chage command use on host - * The chage command on Linux allows for the changing of user password expiry information. 
The chage command is restricted to the root user; however, non-root/unprivileged users may use the `-l` flag to determine when the user's password or account is due to expire. It is recommended to investigate the system and account the command has been executed on, to assess the intent of this execution. Additionally, looking at the command line and parent process is helpful in identifying valid automated processes executing this command that would benefit from tuning out via Rule Tuning. -* [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User -* [Updated] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User -* [Updated] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address -* [Updated] FIRST-S00032 First Seen Kubectl Command From User -* [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User -* [Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP -* [Updated] MATCH-S00906 Okta - Application Created -* [Updated] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs) -* [Updated] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents) -* [Updated] MATCH-S00865 Potential Docker Escape via Command Line -* [Updated] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication -* [Updated] MATCH-S00883 macOS - Keychain Enumeration diff --git a/blog-cse/2024-05-30-application-update.md b/blog-cse/2024-05-30-application-update.md deleted file mode 100644 index 3b4316e71e..0000000000 --- a/blog-cse/2024-05-30-application-update.md +++ /dev/null 
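Review bot: the MATCH-S00905 Okta - Programmatic Access to Users API Endpoint description in this hunk contains literal `\u201cSuccess\u201d` and `\u201cDescription\u201d` escape sequences where quotation marks were intended, and the MATCH-S00907 Okta - Policy Rule Added entry carries a description about an Okta application being created (the MATCH-S00906 text) rather than a policy rule being added. Both defects are visible in the text being archived, so fix them in the consolidated copy (plain quotes around Success and Description, and the correct description for S00907) instead of carrying them forward.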
@@ -1,20 +0,0 @@ ---- -title: May 30, 2024 - Application Update -keywords: - - cloud siem -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - - -#### Minor Changes and Enhancements - -* [New] To help facilitate investigations and audits, a list of the sourceMessageIds for each of the records that contributed to a Threshold, Chain, or Aggregation Signal are now included in that Signal's record in the `sec_signal` index, in the new `aggregatedMessageIds` field. - -#### Bug Fixes - -* The Community view on the MITRE ATT&CK® Threat Coverage Explorer was not filtering by default properly. diff --git a/blog-cse/2024-05-30-content.md b/blog-cse/2024-05-30-content.md deleted file mode 100644 index 6bb0c860fb..0000000000 --- a/blog-cse/2024-05-30-content.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: May 30, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes several new and multiple updated log mappers, plus several updated parsers. Details are enumerated below: - -#### Log Mappers -* [New] Cisco Meraki Firewall - Custom Parser - * Minor changes in cisco meraki mapper -* [New] Jamf Parser - Alert - * Removed wrong field -* [New] Jamf Parser - Network - * Removed wrong field -* [Updated] AWS GuardDuty Alerts from Sumo CIP - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWS S3 Server Access Log - Custom Parser - * Map bytesIn/bytesOut in AWS CloudTrail Data Events - * Keys updated: bytesIn, bytesOut -* [Updated] AWSGuardDuty_Backdoor - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Behavior - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Catch_All - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_CryptoCurrency - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Discovery - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Exfiltration - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_PenTest - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Persistence - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Policy - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_ResourceConsumption - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Stealth - 
* Added region field in all the events - * Keys updated: cloud_region -* [Updated] AWSGuardDuty_Trojan - * Added region field in all the events - * Keys updated: cloud_region -* Updated] AwsServiceEvent-AWS API Call via CloudTrail - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] BlueCat DHCP Parser - Catch All - * Changed mac address field in mapper - * Keys updated: device_mac, timestamp -* [Updated] Code42 Incydr FileEvents C2C - * Mapper adjustments - * Keys updated: event_id_pattern, user_username, file_path, severity, normalizedSeverity, threat_name -* [Updated] Recon_EC2_PortProbeUnprotectedPort - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] Recon_EC2_Portscan - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] Recon_IAMUser - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] UnauthorizedAccess_EC2_SSHBruteForce - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] UnauthorizedAccess_EC2_TorClient - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] UnauthorizedAccess_EC2_TorIPCaller - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] UnauthorizedAccess_EC2_TorRelay - * Added region field in all the events - * Keys updated: cloud_region -* [Updated] UnauthorizedAccess_IAMUser - * Added region field in all the events - * Keys updated: cloud_region - -#### Parsers -* [Updated] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog -* [Updated] /Parsers/System/Cisco/Cisco Meraki -* [Updated] /Parsers/System/Code42/Code42 Incydr -* [Updated] /Parsers/System/Jamf/Jamf -* [Updated] /Parsers/System/Microsoft/Shared/Syslog Headers Microsoft -* [Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers -* [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security 
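Review bot: the entry `* Updated] AwsServiceEvent-AWS API Call via CloudTrail` in this hunk is missing its opening bracket, so it renders differently from the surrounding `[Updated]` items and should be corrected in the archived version. In the same hunk the three `[New]` log mapper entries (Cisco Meraki Firewall - Custom Parser, Jamf Parser - Alert, Jamf Parser - Network) carry change notes such as "Removed wrong field" that describe modifications to an existing mapper, so their `[New]` status looks mistaken and is worth checking against the actual content change.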
diff --git a/blog-cse/2024-07-03-content.md b/blog-cse/2024-07-03-content.md deleted file mode 100644 index 48e8a796d9..0000000000 --- a/blog-cse/2024-07-03-content.md +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -title: July 3, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes new and updated rules, log mappers, and parsers. Details are enumerated below. - -#### Rules - -* [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination - * Removed leading backslash from like matches - -#### Log Mappers - -* [New] ApplicationGatewayAccessLog -* [New] ApplicationGatewayFirewallLog -* [New] Citrix NetScaler - TCP-CONN_TERMINATE -* [New] Google G Suite - login - password_change/recovery_info_change -* [New] Google G Suite - login-blocked_sender_change -* [New] JFrog Artifactory - Access logs -* [New] JFrog Artifactory - Login Access logs -* [New] JFrog Artifactory - Request Logs -* [New] Synergis Genetec - all -* [Updated] AWS EKS - Custom Parser - * Keys updated: `'srcDevice_ip'`, `'http_response_statusCode'`, `'http_url'`, `'http_userAgent'`, `'user_username'`, `'user_userId'`, `'action'`, `'device_k8s_namespace'` -* [Updated] Abnormal Security Threats - * Keys updated: `'threat_referenceUrl'`, `'email_subject'`, `'resource'`, `'email_sender'`, `'user_email'`, `'user_username'`, `'targetUser_email'`, `'action'`, `'threat_identifier'`, `'user_authDomain'`, `'srcDevice_ip'`, `'email_messageId'`, `'srcDevice_hostname'`, `'threat_name'`, `'threat_category'`, `'timestamp'` -* [Updated] Cisco ASA 305011-12 JSON - * Keys updated: `'user_authDomain'`, `'user_username'` -* [Updated] GitHub JSON - * Keys updated: `'user_username'`, `'user_role'`, `'user_userId'`, `'description'`, `'http_url'`, `'device_hostname'` -* [Updated] SentinelOne Logs - Syslog Custom Parser - * Keys updated: `'srcDevice_osName'` - -#### Parsers - -* [New] /Parsers/System/Atlassian/Atlassian Jira -* [New] /Parsers/System/Genetec/Genetec Synergis -* [New] /Parsers/System/Github/Github -* 
[New] /Parsers/System/JFrog/JFrog Artifactory -* [Updated] /Parsers/System/AWS/AWS EKS -* [Updated] /Parsers/System/Abnormal Security/Abnormal Security -* [Updated] /Parsers/System/Cisco/Cisco ASA -* [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog -* [Updated] /Parsers/System/Cylance/Cylance Syslog -* [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON -* [Updated] /Parsers/System/Orca Security/Orca Security -* [Updated] /Parsers/System/SentinelOne/SentinelOne CEF diff --git a/blog-cse/2024-07-16-content.md b/blog-cse/2024-07-16-content.md deleted file mode 100644 index 416d321e53..0000000000 --- a/blog-cse/2024-07-16-content.md +++ /dev/null 
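Review bot: the "Keys updated" lists in this hunk wrap each key in both backticks and single quotes (`'srcDevice_ip'`, `'http_url'`, ...), while the other release notes in this patch list keys bare (for example `Keys updated: cloud_region` in the May 30 note); since all of these notes are being merged into one archive page, normalize to a single form, preferably backticks without the inner quotes.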
@@ -1,41 +0,0 @@ ---- -title: July 16, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes rule and parser bug fixes, and parsing and mapping support for new log sources. Changes are enumerated below. - -#### Rules - -* [Updated] MATCH-S00419 Multiple File Extensions - * Fixed bug in summary expression causing baseImage to appear as null -* [Updated] MATCH-S00755 Outlook Form Creation - * Fixed bug in rule expression where baseImage had incorrect case - -#### Log mappers - -* [New] CrowdStrike Spotlight - Vulnerability -* [New] JumpCloud IdP - Catch All -* [New] JumpCloud IdP Authentication -* [New] Kaspersky Endpoint Security Catch All -* [New] Linux OS Syslog - sshd - Command Execution -* [New] Linux OS Syslog - sshd - connection - -#### Parsers - -* [New] /Parsers/System/CrowdStrike/CrowdStrike Spotlight -* [New] /Parsers/System/JumpCloud/JumpCloud IdP -* [New] /Parsers/System/Kaspersky/Kaspersky Endpoint Security -* [Updated] /Parsers/System/Cisco/Cisco ISE - * Bug fix for variation in syslog headers -* [Updated] /Parsers/System/Linux/Linux OS Syslog - * Added support for additional variations in SSHD and CRON logs diff --git a/blog-cse/2024-08-05-content.md b/blog-cse/2024-08-05-content.md deleted file mode 100644 index a756871294..0000000000 --- a/blog-cse/2024-08-05-content.md +++ /dev/null 
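Review bot: the section heading in this hunk is `#### Log mappers` (lowercase m) while every other release note in the patch uses `#### Log Mappers`; align the casing when the text lands in the consolidated page so the archive's section headings are uniform.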
@@ -1,94 +0,0 @@ ---- -title: August 05, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -* A new Cloud SIEM First Seen rule -* Consolidation of AWSGuardDuty log mappers -* CrowdStrike FDR mapping modifications by adding `aid` as a value for `device_hostname` as primary or alternate -* Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format -* Several new log mappers, parsers, and multiple updated parsers - -Release specifics are enumerated below. - -#### Rules - -* NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process - * This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. - -#### Log Mappers - -* [Deleted] AWS GuardDuty Alerts from Sumo CIP -* [Deleted] AWSGuardDuty_Backdoor -* [Deleted] AWSGuardDuty_Behavior -* [Deleted] AWSGuardDuty_Catch_All -* [Deleted] AWSGuardDuty_CryptoCurrency -* [Deleted] AWSGuardDuty_Discovery -* [Deleted] AWSGuardDuty_Exfiltration -* [Deleted] AWSGuardDuty_PenTest -* [Deleted] AWSGuardDuty_Persistence -* [Deleted] AWSGuardDuty_Policy -* [Deleted] AWSGuardDuty_ResourceConsumption -* [Deleted] AWSGuardDuty_Stealth -* [Deleted] AWSGuardDuty_Trojan -* [Retired] AwsServiceEvent-AWS API Call via CloudTrail -* [Deleted] Recon_EC2_PortProbeUnprotectedPort -* [Deleted] Recon_EC2_Portscan -* [Deleted] Recon_IAMUser -* [Deleted] UnauthorizedAccess_EC2_SSHBruteForce -* [Deleted] UnauthorizedAccess_EC2_TorClient -* [Deleted] UnauthorizedAccess_EC2_TorIPCaller -* [Deleted] UnauthorizedAccess_EC2_TorRelay -* [Deleted] UnauthorizedAccess_IAMUser -* [Updated] AWS GuardDuty Alerts from Sumo CIP -* [New] AWS Redshift - ACTIVITY_LOG -* [New] AWS Redshift - 
Authentication Log -* [New] AWS Redshift - Connection Log -* [New] AWS Redshift - USER_LOG -* [New] AWSGuardDuty - Audit Events -* [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail -* [New] AWSGuardDuty - Reconnaissance and malicious activity detection -* [Updated] AWSGuardDuty - Tor Client and Relay -* [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller -* [Updated] AWSGuardDuty_Catch_All -* [New] Forescout CounterACT - NAC Policy Log -* [New] PingFederate - Authentication Event -* [New] Symantec Endpoint Security - All -* [Updated] UnauthorizedAccess_EC2_SSHBruteForce -* [New] VMware NSX - Firewall -* [Updated] CloudTrail Default Mapping - * Added alternate values for `userIdentity.arn`, and `requestParameters.sourceIdentity` applied to `user_role`. Additional mappings for `bytesIn`, and `bytesOut`. -* [Updated] CrowdStrike FDR - Catch All -* [Updated] CrowdStrike FDR - CriticalFileAccessed -* [Updated] CrowdStrike FDR - NetworkConnectIP4 -* [Updated] CrowdStrike FDR - NetworkConnectIP6 -* [Updated] CrowdStrike FDR - ProcessRollup2 -* [Updated] CrowdStrike FDR - SuspiciousDnsRequest -* [Updated] PingFederate Event - * Narrowed the lookup scope where success is true. -* [Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105 - * Updated keys for: `user_userId`, `user_username`, `commandLine`, `baseImage`, `file_path`, and `severity`. - -#### Parsers - -* [New] /Parsers/System/AWS/AWS Redshift -* [Updated] /Parsers/System/Forescout/Forescout CounterACT - * Updated the start time field. -* [New] /Parsers/System/Symantec/Symantec Endpoint Security -* [New] /Parsers/System/VMware/VMware NSX -* [Updated] /Parsers/System/Cisco/Cisco Meraki - * Added support for URLS new format. -* [Updated] /Parsers/System/PingIdentity/PingFederate - * Added support of new log format. -* [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON - * Dropped the redundant message field. 
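Review bot: this hunk lists AWS GuardDuty Alerts from Sumo CIP, AWSGuardDuty_Catch_All and UnauthorizedAccess_EC2_SSHBruteForce both as `[Deleted]` and as `[Updated]` in the same release, which cannot both be true; reconcile these before archiving. Smaller points in the same hunk: the rule entry `NEW FIRST-S00062 ...` lacks the bracketed `[New]` tag used everywhere else, and "Added support for URLS new format." under the Cisco Meraki parser should read "Added support for the new URL format." or similar.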
diff --git a/blog-cse/2024-08-16-content.md b/blog-cse/2024-08-16-content.md deleted file mode 100644 index d9d4fbf6e2..0000000000 --- a/blog-cse/2024-08-16-content.md +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -title: August 16, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -* Updates to Azure rules to reflect a name change in the Company Administrator role to Global Administrator. -* New Linux OS Syslog mappers. -* Addition of sessionId mapping to Okta mappers. - -Individual changes are enumerated below. - -#### Rules -- [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role -- [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM -- [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role -- [Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User) - -#### Log Mappers -- [New] Linux OS Syslog - Process sudo - Authentication Failure -- [New] Linux OS Syslog - Systemd-user Session Open|Closed -- [New] Linux OS Syslog - sshd - Postponed publickey -- [New] Linux OS Syslog - sshd - User not allowed -- [New] MicrosoftGraphActivityLogs -- [Updated] AWS Redshift - Authentication Log - - Added normalizedAction mapping for logon and a success boolean lookup on event_name -- [Updated] Aruba ClearPass Guest Access - - Added normalizedAction mapping for logon and a success boolean lookup on error codes -- [Updated] Check Point Failed Log In - - Updated record type to Authentication and adjusted normalizedAction mapping to logon -- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa - - Added logon normalizedAction and mapped success boolean to checkMfa -- [Updated] Infoblox NIOS - DNS - - Updated mapping for dns_query to fix dns enrichments -- [Updated] JumpCloud IdP Authentication - - Adds logon normalizedAction to mapper -- [Updated] Linux OS Syslog - Cron - Session Opened - - Adds mappings for targetUser_username, 
targetUser_userId, user_userId -- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password - - Adds "check pass" to event ID pattern -- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth - - Added description mapping -- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect - - Updated mapper name, and added "sshd-disconnect" to event ID pattern. Adds mappings for srcDevice_ip, description, action. -- [Updated] Linux OS Syslog - Process sshd - SSH Session Opened - - Adds mapping for srcDevice_ip -- [Updated] Linux OS Syslog - Process sshd - SSH Session Starting - - Adds mappings for srcDevice_ip, srcPort -- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution - - Adds mapping for description -- [Updated] PingFederate - Authentication Event - - Added logon normalizedAction to mapper -- [Updated] Pulse Secure Custom Parser - AUT24326 - - Added logon normalizedAction to mapper -- [Updated] Windows - Security - 4648 - - Adds logon normalizedAction mapping -- [Updated] Okta Authentication - auth_via_AD_agent -- [Updated] Okta Authentication - auth_via_mfa -- [Updated] Okta Authentication - auth_via_radius -- [Updated] Okta Authentication - sso -- [Updated] Okta Authentication Events -- [Updated] Okta Catch All -- [Updated] Okta Security Threat Events - -#### Parsers -- [Updated] /Parsers/System/Linux/Linux OS Syslog - - Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns. - -#### Schema -- [New] repository - - The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts. diff --git a/blog-cse/2024-08-23-content.md b/blog-cse/2024-08-23-content.md deleted file mode 100644 index 47f59502e8..0000000000 --- a/blog-cse/2024-08-23-content.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: August 23, 2024 - Content Release -hide_table_of_contents: true -keywords: - - rules - - log mappers - - parsers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -* Updates to rules to improve the user experience -* Specific updates are enumerated and summarized below - -:::note -Rule DNS query for dynamic DNS provider (LEGACY-S00180) is slated for removal the week of 2024-09-02. The rule is being removed from global content due to the untenable nature of maintaining the list of dynamic DNS providers within the rule expression. To retain this rule, it must be duplicated prior to the date of removal. -::: - -### Rules -- [Updated] MATCH-S00816 Interactive Logon to Domain Controller - - Updated expression match list to use new `domain_controllers_hostnames` instead of `domain_controllers` which was generating false positives due to IP dependency. -- [Updated] LEGACY-S00105 Suspicious DC Logon - - Updated expression match list to use new `domain_controllers_hostnames` instead of `domain_controllers` which was generating false positives due to IP dependency. 
- -#### srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid `null` values for the following rules: -- [Updated] MATCH-S00874 AWS Lambda Function Recon -- [Updated] MATCH-S00825 AWS Secrets Manager Enumeration -- [Updated] MATCH-S00513 Critical Severity Intrusion Signature -- [Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks -- [Updated] MATCH-S00666 High Severity Intrusion Signature -- [Updated] MATCH-S00669 Informational Severity Intrusion Signature -- [Updated] MATCH-S00668 Low Severity Intrusion Signature -- [Updated] MATCH-S00667 Medium Severity Intrusion Signature -- [Updated] THRESHOLD-S00095 Password Attack - -#### Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules: -- [Updated] MATCH-S00429 LSASS Memory Dumping + -- [Updated] MATCH-S00161 Malicious PowerShell Get Commands + -- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands + -- [Updated] MATCH-S00198 Malicious PowerShell Keywords + -- [Updated] MATCH-S00191 Suspicious PowerShell Keywords + -- [Updated] MATCH-S00431 Suspicious Use of Procdump + -- [Updated] MATCH-S00583 WCE wceaux.dll Access + -- [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected + -- [Updated] MATCH-S00291 Windows Credential Editor (WCE) in use + - -#### Added exclusion to match expression for `OneDrive` to reduce false positives and removed fields producing nulls in the signal summary for the following rules: -- [Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP -- [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User -- [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded -- [Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents diff --git a/blog-cse/2024-08-27-content.md b/blog-cse/2024-08-27-content.md deleted file mode 100644 index 464c9e01d9..0000000000 
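Review bot: the nine `[Updated]` entries under "Removed MITRE ATT&CK Subtechnique T1003.007" end with a stray trailing `+` (for example `MATCH-S00429 LSASS Memory Dumping +`), which renders as a literal plus sign; strip them in the archived copy. In the same hunk the grouped change descriptions are written as `####` headings that are full sentences beneath a `### Rules` heading, whereas the other release notes in this patch use `####` for the Rules, Log Mappers and Parsers sections; consider turning these into plain lead-in lines so heading levels stay consistent across the consolidated page.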
--- a/blog-cse/2024-08-27-content.md +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -title: August 27, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This release reverts a change to our AWS CloudTrail default (catch all) mapper for how `user_username` is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some `AssumedRole` events. - -AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/2024/08/05/content/) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives. - -AWS best practices suggest defining `sourceIdentity` to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor `sourceIdentity` if it is present in CloudTrail logs. If it is not present, then `userIdentity.arn` will be used and the `resource-id` will be mapped to `user_username`, creating potential for false positives from dynamic session identifiers. See [Viewing source identity in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct) in the AWS documentation for more information. 
- -Alternatively, known service accounts which generate dynamic sessions identifers can be tuned out from signals using rule tuning expressions, Field Extraction Rules (FERs), or at the CloudTrail parser to reduce potential for false positive signals. - -### Log Mappers -- [Updated] CloudTrail Default Mapping diff --git a/blog-cse/2024-09-19-content.md b/blog-cse/2024-09-19-content.md deleted file mode 100644 index 5b0dffc2b6..0000000000 --- a/blog-cse/2024-09-19-content.md +++ /dev/null 
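Review bot: the reverted-mapper explanation in this hunk links to `/release-notes-cse/2024/08/05/content/`, which is the August 5 release note that this same patch deletes (`blog-cse/2024-08-05-content.md`); when the text is moved into the consolidated archive the link has to point at the new location of that note, or a redirect must exist, otherwise the archived page ships with a dead internal link. Also "identifer" and "identifers" in this hunk should be "identifier" and "identifiers" in the archived copy.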
@@ -1,214 +0,0 @@ ---- -title: September 19, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -* Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal). -* Deletion of a low efficacy rule. -* Mapping updates to better employ [normalized classification](/docs/cse/schema/cse-normalized-classification/) fields across data sources. -* Adds alternate case handling for Windows Security Event Log error codes. -* Updates to LastPass parsing and mapping to support Reporting and Failed Logon events. -* Adds support for Thinkst Canary JSON logging. -* Adjusts time handling for Thinkst Canary Syslog. - -Other changes are enumerated below. - - -### Rules -- [Deleted] LEGACY-S00180 DNS query for dynamic DNS provider -- [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190 -- [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container -- [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments -- [Updated] MATCH-S00727 CPL File Executed from Temp Directory -- [Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings -- [Updated] MATCH-S00658 Container Management Utility in Container -- [Updated] MATCH-S00410 Copy from Admin Share -- [Updated] MATCH-S00443 Create Windows Share -- [Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy -- [Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy -- [Updated] MATCH-S00348 Curl Start Combination -- [Updated] MATCH-S00385 DTRACK Process Creation -- [Updated] MATCH-S00441 Delete Windows Share -- [Updated] MATCH-S00543 Detect Psexec With Accepteula Flag -- [Updated] MATCH-S00319 Dridex Process Pattern -- [Updated] 
MATCH-S00590 Elise Backdoor -- [Updated] MATCH-S00392 File or Folder Permissions Modifications -- [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User -- [Updated] FIRST-S00059 First Seen esentutl command From User -- [Updated] FIRST-S00041 First Seen networksetup Usage from User -- [Updated] FIRST-S00058 First Seen vssadmin command From User -- [Updated] FIRST-S00060 First Seen wbadmin command From User -- [Updated] FIRST-S00008 First Seen whoami command From User -- [Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility -- [Updated] MATCH-S00325 Greenbug Campaign Indicators -- [Updated] MATCH-S00367 Impacket Lateralization Detection -- [Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility -- [Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility -- [Updated] MATCH-S00322 Judgement Panda Credential Access Activity -- [Updated] MATCH-S00334 Judgement Panda Exfil Activity -- [Updated] MATCH-S00651 Kubernetes CreateCronjob -- [Updated] MATCH-S00652 Kubernetes DeleteCronjob -- [Updated] MATCH-S00650 Kubernetes ListCronjobs -- [Updated] MATCH-S00648 Kubernetes ListSecrets -- [Updated] MATCH-S00647 Kubernetes Pod Deletion -- [Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed -- [Updated] MATCH-S00461 LNKSmasher Utility Commands -- [Updated] MATCH-S00746 Loadable Kernel Module Dependency Install -- [Updated] MATCH-S00745 Loadable Kernel Module Enumeration -- [Updated] MATCH-S00723 Loadable Kernel Module Modifications -- [Updated] MATCH-S00352 MSHTA Suspicious Execution -- [Updated] MATCH-S00534 MacOS - Re-Opened Applications -- [Updated] MATCH-S00729 MacOS Gatekeeper Bypass -- [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled -- [Updated] MATCH-S00161 Malicious PowerShell Get Commands -- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands -- [Updated] MATCH-S00198 Malicious PowerShell Keywords -- [Updated] MATCH-S00331 MavInject Process Injection -- [Updated] MATCH-S00466 MsiExec Web 
Install -- [Updated] MATCH-S00288 NotPetya Ransomware Activity -- [Updated] MATCH-S00698 PATH Set to Current Directory -- [Updated] MATCH-S00659 Package Management Utility in Container -- [Updated] MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034 -- [Updated] MATCH-S00149 PowerShell File Download -- [Updated] MATCH-S00449 Powershell Execution Policy Bypass -- [Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll -- [Updated] MATCH-S00439 Psr.exe Capture Screenshots -- [Updated] MATCH-S00167 Recon Using Common Windows Commands -- [Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator -- [Updated] MATCH-S00506 SC Exe Manipulating Windows Services -- [Updated] MATCH-S00153 Scheduled Task Created via PowerShell -- [Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System -- [Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot -- [Updated] MATCH-S00359 Suspicious Certutil Command -- [Updated] MATCH-S00356 Suspicious Compression Tool Parameters -- [Updated] MATCH-S00362 Suspicious Curl File Upload -- [Updated] MATCH-S00476 Suspicious Execution of Search Indexer -- [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution -- [Updated] MATCH-S00191 Suspicious PowerShell Keywords -- [Updated] MATCH-S00431 Suspicious Use of Procdump -- [Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution -- [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher -- [Updated] MATCH-S00279 TAIDOOR RAT DLL Load -- [Updated] MATCH-S00531 Unload Sysmon Filter Driver -- [Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions -- [Updated] MATCH-S00761 Volume Shadow Copy Service Stopped -- [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution -- [Updated] MATCH-S00760 WMI Ping Sweep -- [Updated] MATCH-S00146 WMI Process Call Create -- [Updated] MATCH-S00151 WMI Process Get Brief -- [Updated] MATCH-S00379 WMIExec VBS Script -- [Updated] MATCH-S00400 Web Download via Office Binaries -- [Updated] 
MATCH-S00539 Web Servers Executing Suspicious Processes -- [Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands -- [Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog -- [Updated] MATCH-S00181 Windows - Domain Trust Discovery -- [Updated] MATCH-S00168 Windows - Local System executing whoami.exe -- [Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe -- [Updated] MATCH-S00159 Windows - Permissions Group Discovery -- [Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas -- [Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed -- [Updated] MATCH-S00281 Windows - PowerShell Process Discovery -- [Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire -- [Updated] MATCH-S00185 Windows - Remote System Discovery -- [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow -- [Updated] MATCH-S00170 Windows - Scheduled Task Creation -- [Updated] MATCH-S00192 Windows - System Network Configuration Discovery -- [Updated] MATCH-S00194 Windows - System Time Discovery -- [Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh -- [Updated] MATCH-S00532 Windows Adfind Exe -- [Updated] MATCH-S00552 Windows Connhost Started Forcefully -- [Updated] MATCH-S00398 Windows Defender Download Activity -- [Updated] MATCH-S00179 Windows Network Sniffing -- [Updated] MATCH-S00157 Windows Process Name Impersonation -- [Updated] MATCH-S00178 Windows Query Registry -- [Updated] MATCH-S00533 Windows Security Account Manager Stopped -- [Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path -- [Updated] MATCH-S00724 Windows Update Agent DLL Changed -- [Updated] MATCH-S00382 Winnti Pipemon Characteristics -- [Updated] MATCH-S00435 XSL Script Processing -- [Updated] MATCH-S00726 macOS Kernel Extension Load - -### Log Mappers -- [New] LastPass Failed Login Attempt -- [New] LastPass Reporting -- [Updated] Thinkst Canary 
Parser - Catch All - - Removed time handling from mapper to favor parser time handling -- [Updated] 1Password Item Audit Actions -- [Updated] 1Password Item Usage Actions -- [Updated] AWS Config - Custom Parser -- [Updated] AWS EKS - Custom Parser -- [Updated] AWS Inspector - Custom Parser -- [Updated] AWS Route 53 Logs -- [Updated] AWS S3 Server Access Log - Custom Parser -- [Updated] AWS Security Hub -- [Updated] AWSGuardDuty - Audit Events -- [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail -- [Updated] AWSGuardDuty - Reconnaissance and malicious activity detection -- [Updated] AWSGuardDuty - Tor Client and Relay -- [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller -- [Updated] AWSGuardDuty_Catch_All -- [Updated] Adaxes - Custom Parser -- [Updated] ApplicationGatewayAccessLog -- [Updated] ApplicationGatewayFirewallLog -- [Updated] Aqua Runtime Policy Match -- [Updated] Azure Appplication Service Console Logs -- [Updated] Azure AuditEvent logs -- [Updated] Azure Event Hub - Windows Defender Logs -- [Updated] Azure Firewall Application Rule -- [Updated] Azure Firewall DNS Proxy -- [Updated] Azure Firewall Network Rule -- [Updated] Azure NSG Flows -- [Updated] Azure Policy Logs -- [Updated] AzureActivityLog -- [Updated] AzureActivityLog 01 -- [Updated] AzureActivityLog AuditLogs -- [Updated] AzureDevOpsAuditing -- [Updated] Cato Networks Audits -- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail -- [Updated] Cyber Ark EPM AggregateEvent -- [Updated] Druva Cyber Resilience - Catch All -- [Updated] GCP App Engine Logs -- [Updated] GCP Audit Logs -- [Updated] GCP IDS -- [Updated] GCP Parser - Load Balancer -- [Updated] Google Security Command Center -- [Updated] JumpCloud IdP - Catch All -- [Updated] Kaltura Audits -- [Updated] Microsoft Defender for Cloud - Security Alerts -- [Updated] Microsoft Office 365 AzureActiveDirectory Events -- [Updated] Microsoft Office 365 MicrosoftStream Events -- [Updated] Microsoft Office 365 
PowerApps Events -- [Updated] Microsoft Office 365 Sway Events -- [Updated] Microsoft Office 365 Teams Events -- [Updated] Microsoft Office 365 Yammer Events -- [Updated] MicrosoftGraphActivityLogs -- [Updated] Office 365 - MicrosoftFlow -- [Updated] Office 365 - Security Compliance Alerts -- [Updated] Osquery Catchall -- [Updated] Osquery FIM -- [Updated] Osquery Process Auditing -- [Updated] Osquery Socket Events -- [Updated] Osquery Startup Items -- [Updated] Palo Alto Config - Custom Parser -- [Updated] Palo Alto Threat Spyware - Custom Parser -- [Updated] RSA SecurID Runtime Authn Logout -- [Updated] RSA SecurID Runtime Catchall -- [Updated] UnauthorizedAccess_EC2_SSHBruteForce -- [Updated] Windows - Security - 4625 -- [Updated] Windows - Security - 4634 - -### Parsers -- [New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON -- [Updated] /Parsers/System/LastPass/LastPass -- [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary - - Updated time handling to use `_messagetime` metadata \ No newline at end of file diff --git a/blog-cse/2024-10-04-content.md b/blog-cse/2024-10-04-content.md deleted file mode 100644 index 25cfbe033b..0000000000 --- a/blog-cse/2024-10-04-content.md +++ /dev/null 
@@ -1,227 +0,0 @@ ---- -title: October 04, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -* Detection rules centered around Amazon Bedrock activities. -* Consolidation of AWS CloudTrail mappers to replicate current mapper behavior with fewer distinct mappers. -* New support for GitHub Enterprise Audit (parsing and mapping). -* New support for Honeywell Pro-Watch (parsing and mapping). -* New support for Citrix Zendesk (parsing and mapping). -* Further mapping updates to better employ [Normalized Classification](/docs/cse/schema/cse-normalized-classification) fields across data sources. -* Removal of some duplicate mapped fields. -* Other changes enumerated below. - -## Rules -- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed - - An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment. -- [New] MATCH-S00922 AWS Bedrock Agent Created - - This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment. 
-- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted - - AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious. -- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User - - A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field. -- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User - - A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions. -- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models - - A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. 
Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed. -- [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User - - This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected. -- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent - - An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment. -- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification - - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. 
Look for any potential areas that may have contained keys or secrets for the user_username value. -- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template - - AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives. -- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User - - An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression. -- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User - - An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression. 
-- [New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User - - An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function. -- [New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events - - This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges. -- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected - - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value. 
- - -### Log Mappers -### New Event/Source Support -- [New] Fortinet utm-ssl Logs -- [New] GitHub Enterprise Audit - Access Events -- [New] GitHub Enterprise Audit - Authentication Events -- [New] GitHub Enterprise Audit - Create Events -- [New] GitHub Enterprise Audit - Modify Events -- [New] GitHub Enterprise Audit - Remove Events -- [New] GitHub Enterprise Audit - Restore Events -- [New] GitHub Enterprise Audit - Transfer Events -- [New] GitHub Enterprise Audit Catch All -- [New] Honeywell Pro-Watch Catch All -- [New] Zendesk Catch All - -### Extended Normalized Classification Support -- [Updated] Azure Event Hub - Windows Defender Logs -- [Updated] Azure ManagedIdentitySignInLogs -- [Updated] Azure NonInteractiveUserSignInLogs -- [Updated] Azure ServicePrincipalSignInLogs -- [Updated] Azure Write and Delete Logs -- [Updated] AzureActivityLog 01 -- [Updated] Carbon Black Cloud - Observation event -- [Updated] Carbon Black Cloud Script Load -- [Updated] Cisco ASA 109005-8 JSON -- [Updated] Cisco ASA 113005 -- [Updated] Cisco ASA 113005 JSON -- [Updated] Cisco ASA 113012-17 JSON -- [Updated] Cisco ASA 716039 JSON -- [Updated] Cisco ASA 719022-3 JSON -- [Updated] Cisco ASA 751011 JSON -- [Updated] Citrix NetScaler - AAA-LOGIN_FAILED -- [Updated] CrowdStrike FDR - CriticalFileAccessed -- [Updated] CylancePROTECT Threats -- [Updated] Fortinet Event Logs -- [Updated] Fortinet Virus Logs -- [Updated] Kaspersky Endpoint Security Catch All -- [Updated] Lacework Alert -- [Updated] Linux OS Syslog - Cron - Session Closed -- [Updated] Linux OS Syslog - Cron - Session Opened -- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password -- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User -- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String -- [Updated] Linux OS Syslog - Process sshd - SSH Public Key Not Allowed -- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution -- [Updated] Linux OS 
Syslog - Process systemd - Systemd Session Start -- [Updated] McAfee WebGateway - CEF - User Login Failed -- [Updated] Microsoft Defender for Cloud - Security Alerts -- [Updated] Microsoft Office 365 Active Directory Authentication Events -- [Updated] Microsoft Office 365 Threat Intelligence Atp Content Events -- [Updated] OSSEC Alert -- [Updated] OpenVPN Authentication Attempt -- [Updated] OpenVPN Logon Attempt -- [Updated] Osquery Process Auditing -- [Updated] Palo Alto Traps - Custom Parser -- [Updated] RSA SecurID SinglePoint Authentication -- [Updated] Snowflake Login -- [Updated] Symantec Agent Behavior Logs -- [Updated] Symantec Agent Risk Logs -- [Updated] Symantec Agent Risk SONAR Logs -- [Updated] Symantec Agent Scan Logs -- [Updated] Sysdig Kubernetes JSON -- [Updated] Tanium IOC Event - CEF Custom Parser -- [Updated] Windows - Security - 4625 -### Added 'Cause' mapping and added 'null' as a skipped value -- [Updated] Okta Authentication - auth_via_AD_agent -- [Updated] Okta Authentication - auth_via_mfa -- [Updated] Okta Authentication - auth_via_radius -- [Updated] Okta Authentication - sso -- [Updated] Okta Authentication Events -- [Updated] Okta Catch All -- [Updated] Okta Security Threat Events - -### Consolidated CloudTrail Mappings -- [Deleted] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail -- [Deleted] CloudTrail - cloudtrail.amazonaws.com - StartLogging -- [Deleted] CloudTrail - cloudtrail.amazonaws.com - StopLogging -- [Deleted] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail -- [Deleted] CloudTrail - ec2.amazonaws.com - AttachInternetGateway -- [Deleted] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress -- [Deleted] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway -- [Deleted] CloudTrail - ec2.amazonaws.com - CreateInternetGateway -- [Deleted] CloudTrail - ec2.amazonaws.com - CreateKeyPair -- [Deleted] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry -- [Deleted] CloudTrail - ec2.amazonaws.com - 
DeleteCustomerGateway -- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway -- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteKeyPair -- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl -- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry -- [Deleted] CloudTrail - ec2.amazonaws.com - DetachInternetGateway -- [Deleted] CloudTrail - ec2.amazonaws.com - ImportKeyPair -- [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation -- [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry -- [Deleted] CloudTrail - iam.amazonaws.com - AttachGroupPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - AttachRolePolicy -- [Deleted] CloudTrail - iam.amazonaws.com - AttachUserPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - CreateAccessKey -- [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicy -- [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicyVersion -- [Deleted] CloudTrail - iam.amazonaws.com - CreateUser -- [Deleted] CloudTrail - iam.amazonaws.com - DeletePolicy -- [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary -- [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePolicy -- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUser -- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary -- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - DetachGroupPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - DetachRolePolicy -- [Deleted] CloudTrail - iam.amazonaws.com - DetachUserPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - PutGroupPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - PutRolePolicy -- [Deleted] CloudTrail - iam.amazonaws.com - PutUserPolicy -- [Deleted] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy -- [Deleted] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion -- [Deleted] CloudTrail - lambda.amazonaws.com - AddPermission -- [Deleted] CloudTrail - lambda.amazonaws.com - 
CreateEventSourceMapping -- [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunction -- [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig -- [Deleted] CloudTrail - lambda.amazonaws.com - DeleteFunction -- [Deleted] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping -- [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration -- [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig -- [Deleted] CloudTrail - lambda.amazonaws.com - PublishLayerVersion -- [Deleted] CloudTrail - lambda.amazonaws.com - RemovePermission -- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping -- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode -- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration -- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig -- [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogGroup -- [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogStream -- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketCors -- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle -- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy -- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketAcl -- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketCors -- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketLifecycle -- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketPolicy -- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketReplication -- [Deleted] CloudTrail - secretsmanager.amazonaws.com - RotationStarted -- [Deleted] CloudTrail - signin.amazonaws.com - CheckMfa -- [Deleted] CloudTrail - signin.amazonaws.com - ExitRole -- [Deleted] CloudTrail - signin.amazonaws.com - RenewRole -- [Deleted] CloudTrail - signin.amazonaws.com - SwitchRole -- [Deleted] CloudTrail - sso.amazonaws.com - ListProfilesForApplication -- [Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging -- [Updated] CloudTrail - ec2.amazonaws.com - All 
Network Events -- [Updated] CloudTrail - iam.amazonaws.com - Policy Change -- [Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion -- [Updated] CloudTrail - lambda.amazonaws.com - Audit Change -- [Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction -- [Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy -- [Updated] CloudTrail - lambda.amazonaws.com - Resource Access -- [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream -- [Updated] CloudTrail - s3.amazonaws.com - Bucket Change -- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted -- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events -- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication - - -## Parsers -- [New] /Parsers/System/Github/GitHub Enterprise Audit -- [New] /Parsers/System/Honeywell/Honeywell Pro-Watch -- [New] /Parsers/System/Zendesk/Zendesk -- [Updated] /Parsers/System/AWS/AWS ALB - - Extends AWS ALB parser to handle additional `conn_trace_id` field -- [Updated] /Parsers/System/Citrix/Citrix Cloud C2C - - Modifies time handling and drops logs without security value -- [Updated] /Parsers/System/Dell/Dell SonicWall - - Minor regex fix for port and protocol handling -- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV - - Additional TRAFFIC log format handling diff --git a/blog-cse/2024-10-31-content.md b/blog-cse/2024-10-31-content.md deleted file mode 100644 index 3e2e7e42b7..0000000000 --- a/blog-cse/2024-10-31-content.md +++ /dev/null 
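Review bot: in the deleted blog-cse/2024-10-04-content.md, the `### Log Mappers` heading is empty and immediately followed by `### New Event/Source Support` at the same level, so the mapper sub-sections (`### Extended Normalized Classification Support`, `### Added 'Cause' mapping and added 'null' as a skipped value`, `### Consolidated CloudTrail Mappings`) do not nest under it, and `Log Mappers` sits one level deeper than the sibling `## Rules` and `## Parsers`; the archived copy should use `## Log Mappers` with `###` children, and the `Added 'Cause' mapping ...` heading needs a blank line before it. Two content points to carry into the archive as well: the OUTLIER-S00024 description asks the analyst to confirm business justification for "modifying DynamoDB tables and instances", but GetItem is a read operation, so the guidance should refer to reading from DynamoDB resources; and the summary bullet says "New support for Citrix Zendesk" while the mapper and parser entries are `Zendesk Catch All` and `/Parsers/System/Zendesk/Zendesk`, so the product name should be made consistent. Minor style: `FIRST-S00084 - First Seen ...`, `OUTLIER-S00024 - AWS ...` and `OUTLIER-S00025 - AWS ...` carry a stray ` - ` between the rule ID and the rule name that the other entries do not.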
@@ -1,157 +0,0 @@ ---- -title: October 31, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -- New Detection rules for Github Enterprise Audit. -- New Detection rules for Okta identity and access management. -- Updated parser and mappers for Cisco Meraki firewall, and Cisco Meraki Flows: - - Updated the pattern lookup for: action, normalized action, and success. -- Updated log mappers for Github Enterprise Audit: - - Updated the name of the product and the internal ID that corresponds to it. -- Updated parser for Github Enterprise Audit time handling. -- New parsers and mappers for Apache HTTP server and Kandji EDR. -- Other changes enumerated below. - -Please be advised that rule FIRST-S00031 (First Seen IP Address Associated with User for a Successful Azure AD Sign In Event) is not performing as intended and will be decommissioned in a forthcoming release. Please use FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) which provides an accurate and less sensitive detection point. - -## Rules - -- [New] MATCH-S00922 AWS Bedrock Agent Created. - - This rule detects when an AWS Bedrock Agent has been created in the environment. - Bedrock Agents can be configured with various parameters to build AI applications. -- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted. - - AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. -- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User. 
- - A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. -- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed. - - An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. -- [New] OUTLIER-S00024 AWS DynamoDB Outlier in GetItem Events from User. - - An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. -- [New] OUTLIER-S00025 AWS S3 Outlier in PutObject Denied Events - - This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. -- [New] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe - - Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. -Audit Object Access (success and failure) must be enabled for this rule to function. -- [New] MATCH-S00896 Azure Authentication Policy Change - - Various authentication related policy configurations exist within Azure. These are tenant-wide policy changes that affect aspects such as enabling of number matching, changing of which authentication methods users are allowed to use, or the exclusion of certain groups from various authentication methods. -- [New] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy - - This rule detects credential dumping using copy command from a shadow copy. -- [New] FIRST-S00084 First Seen AWS Bedrock API Call from User - - This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. 
Ensure the user in question is authorized to utilize AWS Bedrock services. -- [New] FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process - - This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. This can be indictive of enumeration of certificate templates which can potentially lead to forged certificates and privilege escalation avenues. -- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification - - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. -- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User - - A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. -- [New] FIRST-S00088 First Seen NTLM Authentication to Host (User) - - A user has performed NTLM authentication to a host on the network for the first time since the baseline period has been established. -- [New] FIRST-S00076 First Seen Net Command Use on Host -- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent - - An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. -- [New] FIRST-S00061 First Seen USB device in use on Windows host - - This signal looks for a new removable USB device name being used by a host not seen since the baseline period. 
This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. -- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template - - AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. -- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models - - A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. -- [New] FIRST-S00059 First Seen esentutl command From User - - Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. -- [New] FIRST-S00058 First Seen vssadmin command From User - - Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. -- [New] FIRST-S00060 First Seen wbadmin command From User - - Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. -- [New] MATCH-S00429 LSASS Memory Dumping - - Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. 
-- [New] MATCH-S00161 Malicious PowerShell Get Commands - - This rule detects commandlets from common PowerShell exploitation frameworks. -- [New] MATCH-S00895 NinjaCopy Usage Detected - - NinjaCopy is a legacy PowerShell tool that can copy files from an NTFS volume in a manner that bypasses SACL auditing as well as DACL controls such as only allowing SYSTEM to open a file. -- [New] MATCH-S00906 Okta - Application Created - - This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. -- [New] MATCH-S00903 Okta - Device Added To User - - An Okta device was added to a user. This activity may occur as part of normal user operations such as lost device. -- [New] MATCH-S00904 Okta - Device Removed From User - - An Okta device was removed from a user. It is recommended that the user performing the action be cross-referenced to a list of approved Okta administrators. -- [New] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon - - This signal looks for a single user explicitly denying at least two (2) multi factor authentication prompts, followed by a successful Okta login via multi factor authentication within a twenty-five (25) minute window. This logic is designed to catch successful MFA fatigue type attacks. -- [New] MATCH-S00908 Okta - MFA Request Denied by User - - This signal will trigger when a user denies an MFA request within the Okta authenticator application. -- [New] MATCH-S00907 Okta - Policy Rule Added - - An Okta policy rule has been added through the Okta admin application. -- [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint - - This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta “users” API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. 
-- [New] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs) - - This rule detects when a user has utilized multiple distinct ASNs when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. -- [New] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents) - - This rule detects when a user has utilized multiple distinct User Agents when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. -- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User - - An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. -- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User - - An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. -- [New] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded - - This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows domain users full control over the certificate -- [New] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration - - This alert looks for two events in a particular order, the first event involves a certificate template being loaded with a certificate request agent application policy. -- [New] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded - - This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows all domain users the ability to enroll the template. 
-- [New] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded - - This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows the enrolee to supply a subject and allows all domain users to enroll. -- [New] MATCH-S00899 Suspicious Active Directory Certificate Modification - - This alert looks for an Active Directory certificate being modified with the "Any Purpose" OID. -- [New] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent - - This alert looks for an Active Directory certificate being modified with an Enrollment Agent value that allows an Active Directory principal to enroll a certificate on behalf of another user. -- [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method - - This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. -- [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution - - Detects the use of PowerShell for Applicaiton Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. -- [New] MATCH-S00918 Suspicious cat of PAM common-password policy - - The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. -- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected - - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. -- [New] MATCH-S00583 WCE wceaux.dll Access - - Obvserves for access of wceaux.dll, which may be indicative of credential access. 
-- [New] MATCH-S00159 Windows - Permissions Group Discovery - - Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the use net.exe related commands on a system related to these discovery tactics. -- [New] THRESHOLD-S00067 ZeroLogon Privilege Escalation Behavior - - An attack against CVE-2020-1472 may create thousands of NetrServerReqChallenge and NetrServerAuthenticate3 requests in a short amount of time. -- [New] MATCH-S00919 chage command use on host - - The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user’s password or account is due to expire. - - -## Log Mappers -- [New] Apache HTTP Server - Access log -- [New] Kandji EDR - catch all -- [Updated] Cisco Meraki Firewall - Custom Parser -- [Updated] Cisco Meraki Flows - Custom Parser -- [Updated] GitHub Enterprise Audit - Access Events -- [Updated] GitHub Enterprise Audit - Authentication Events -- [Updated] GitHub Enterprise Audit - Create Events -- [Updated] GitHub Enterprise Audit - Modify Events -- [Updated] GitHub Enterprise Audit - Remove Events -- [Updated] GitHub Enterprise Audit - Restore Events -- [Updated] GitHub Enterprise Audit - Transfer Events -- [Updated] GitHub Enterprise Audit Catch All - -## Parsers -- [New] /Parsers/System/Apache/Apache HTTP Server -- [New] /Parsers/System/Kandji/Kandji EDR -- [Updated] /Parsers/System/Cisco/Cisco Meraki - - Corrected parser to address incorrect mapping leading to alert errors. 
-- [Updated] /Parsers/System/Github/GitHub Enterprise Audit - - Parser modification to the MAPPER:product from Github Enterpries to Github Enterprise Audit -- [Updated] /Parsers/System/Kemp/Kemp LoadMaster Syslog - - Corrected parser transform for the log-entry format of the Process_Syslog_Header -- [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON - - Corrected the JSON parser for MAPPER:event_id to facilitiate proper mapping processing \ No newline at end of file diff --git a/blog-cse/2024-11-07-content.md b/blog-cse/2024-11-07-content.md deleted file mode 100644 index 2f912b8e17..0000000000 --- a/blog-cse/2024-11-07-content.md +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -title: November 7, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules - - tag schemas -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -- New detection rules. -- Updates to existing detection rules to correct rule logic and reduce false positives. -- New parsing and mapping support for Automox, WatchGuard Firewall, and Digital Guardian ARC. -- Update to existing AWS Application Load Balancer parsing and mapping to support Connection logs. -- Update to MITRE ATT&CK tag schema to support ATT&CK v16.0. - -Changes are enumerated below. - -### Rules -- [New] CHAIN-S00018 Autorun file created after USB disk mount on host - - This signal looks for a USB drive being mounted on a Windows host followed by a file creation event with the file name of "autorun.inf" within a 5-minute time frame. This activity could be indicative of an attempt at lateral movement or initial access avenues through a USB device. Ensure that the machine in question is authorized to use USB devices and look for other file creation events from this host around the same time frame. -- [New] FIRST-S00071 First Seen AWS ConsoleLogin by User - - First observance of a user logging on to the Amazon AWS console. This could be indicative of new administrator onboarding, or an unauthorized access to the AWS console. Recommended to investigate the nature of the user account and the login. -- [New] FIRST-S00080 First Seen Azure Portal access by User - - First observance of a user logging on to the Microsoft Azure Portal. This could be indicative of new user onboarding, or an unauthorized access to the Azure portal. Recommended to investigate the nature of the user account and the login. 
-- [New] FIRST-S00073 First Seen Get-ADDefaultDomainPasswordPolicy - - The first observed execution of the PowerShell CMDLet Get-ADDefaultDomainPasswordPolicy on this host. This CMDLet can be used in the discovery of Windows Domain Password Policies by threat actors. Investigating the host and active users for additional activity around the time of execution is recommended. -- [New] FIRST-S00072 First Seen Group Policy Discovery Operation - - This detection is a first observed execution of Windows process or PowerShell commands that can be run by users or administrators in order to gather password policy and other types of system information in an enterprise environment. The detections in this signal are based off variations found in Atomic Red Team test cases. Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md. Look at the command line and parent process details of the signal in order to determine if this execution is legitimate or part of system provisioning or systems administration operations. -- [New] FIRST-S00076 First Seen Net Command Use on Host - - Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the first observance of a Net related command on a system related to these discovery tactics. It is recommended to investigate the host and user to determine if this is authorized admin activity or needs further inspection. -- [New] FIRST-S00065 First Seen Successful Authentication From Unexpected Country - - First Seen rule which triggers when there are at least two successful logins from the same user with different country codes indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.) 
-- [New] FIRST-S00074 First Seen driverquery execution on host - - First observed execution of the driverquery command on the following device host: `{{device_hostname}}`. Driverquery is a useful command for an attacker to enumerate local device drivers to determine next steps in the attack. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution. -- [New] FIRST-S00079 First Seen gpresult execution on host - - This detection is first observed execution of gpresult on a host. This command may be used by attackers to access detailed password policy information in an enterprise environment. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution. -- [New] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant - - This signal looks for a new Client ID value ( mapped to the `user_username` field ) and ASN combination being issued an OIDC token, excluding the Okta Browser Plugin and Okta Dashboard. Use the Okta admin portal and look at the "Applications" section to cross-reference the Client ID value. Ensure that the IP address that is requesting the token is known and that this operation is expected and authorized. -- [New] FIRST-S00068 Okta - First Seen User Accessing Admin Application - - A user not seen since the baseline period has accessed the Okta admin application. Ensure that this user is expected to perform Okta administrative activities. 
If this user is expected and authroized, consider adding the user to the "Okta_Admins" match list to exclude the user from this signal. -- [New] FIRST-S00066 Okta - First Seen User Requesting Report - - This signal looks for a first seen user requesting an export of an Okta report. The various Okta report types can be found in the “Reports” section of the Okta administrative portal and can include various report types such as application password help, MFA usage, and reports around user access. During the October 2023 Okta incident, threat actors downloaded reports from Okta portals to extract information regarding user contact information. Ensure that the user that is requesting such reports is authorized and that this activity is expected. If a suspicious report generation event occurs, look at the “target” element within the event to gain more detailed information as to the type of report being generated and exported. -- [New] OUTLIER-S00018 Okta - Outlier in ASNs Used to Access Applications - - This signal looks for an outlier in the number of distinct autonomous system numbers (ASNs) that a particular user utilizes to access Okta resources within an hour time period. This is designed to alert on various forms of token or credential theft as well as general Okta session anomalies. -- [New] OUTLIER-S00017 Okta - Outlier in MFA Attempts Denied by User - - This signal builds an hourly baseline of MFA denied events per user and triggers when an outlier in the number of denied attempts is detected. This signal is designed to trigger on MFA-fatigue type attacks. If false positives are detected, consider excluding certain users from the alerting logic or raise the minimum count value within the rule configuration. -- [New] OUTLIER-S00016 Okta - Outlier in OIDC token request failures - - This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. 
Use the Okta admin portal to correlate the Client ID (mapped to `user_username`) to determine what application is being targeted. Pivot off the Client ID and IP address values to examine the raw Okta events in order to ensure that this activity is planned and expected. This activity can occur during setup and development of Okta applications and integrations. -- [New] OUTLIER-S00013 Outlier in Data Outbound Per Day by Admin or Sensitive Device - - A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule. -- [New] OUTLIER-S00015 Outlier in Data Outbound Per Hour by Admin or Sensitive Device - - A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. 
This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule. -- [Updated] THRESHOLD-S00095 Password Attack - - Added NULL exclusion to rule expression to prevent false-positives stemming from NULL IP or hostnames. -- [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port - - Added missing parenthesis to match expression. - -### Log Mappers -- [New] AWS - Application Load Balancer - Connection -- [New] Automox - Audit logs -- [New] Automox - Audit logs - Logon -- [New] Automox - Event logs -- [New] Digital Guardian ARC - Audit Events -- [New] Digital Guardian ARC - Mail -- [New] Digital Guardian ARC - Network -- [New] Digital Guardian ARC - User Login|Logoff -- [New] Watchguard Fireware - Firewall -- [New] Watchguard Fireware - http/https-proxy - -### Parsers -- [New] /Parsers/System/Automox/Automox -- [New] /Parsers/System/Digital Guardian/Digital Guardian ARC -- [New] /Parsers/System/WatchGuard/WatchGuard Fireware -- [Updated] /Parsers/System/AWS/AWS ALB - - Updated parser to support AWS Application Load Balancer Connection logs diff --git a/blog-cse/2024-11-08-application-update.md b/blog-cse/2024-11-08-application-update.md deleted file mode 100644 index 1096ee5a65..0000000000 --- a/blog-cse/2024-11-08-application-update.md +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -title: November 8, 2024 - Application Update -keywords: - - cloud siem -image: https://help.sumologic.com/img/sumo-square.png -hide_table_of_contents: true ---- - -### Cloud SIEM network sensor end-of-life - -The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network. - -Learn more [here](/docs/cse/sensors/network-sensor-end-of-life/). \ No newline at end of file diff --git a/blog-cse/2024-11-22-content.md b/blog-cse/2024-11-22-content.md deleted file mode 100644 index 23073e59db..0000000000 --- a/blog-cse/2024-11-22-content.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -title: November 22, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules - - tag schemas -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -* New mapping support for: Qumulo Core, and Teramind Teraserver. -* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta. -* Updates to the existing Okta log mappings to support a new HTTP source log formatting. -* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format. - -Changes are enumerated below. - -### Rules -* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event - * Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place. -* [New] THRESHOLD-S00116 Password Attack from IP - * This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping. -* [Updated] FIRST-S00095 Password Attack from Host - * Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity. -* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application - * Baseline retention window size increased from 35 days to the standard 90 day retention. - * Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application". - -### Log Mappers -* [New] Palo Alto Threat DLP non File - Custom Parser - * Mapping support added for event id pattern: threat-dlp-non-file. 
-* [New] Qumulo Core - Catch All -* [New] Qumulo Core - Login -* [New] Teramind Authentication -* [New] Teramind Catch All -* [New] Teramind Email -* [Updated] Code42 Incydr Alerts C2C -* [Updated] Okta Authentication - auth_via_AD_agent -* [Updated] Okta Authentication - auth_via_mfa -* [Updated] Okta Authentication - auth_via_radius -* [Updated] Okta Authentication - sso -* [Updated] Okta Authentication Events -* [Updated] Okta Catch All -* [Updated] Okta Security Threat Events - -### Parsers -* [New] /Parsers/System/Qumulo/Qumulo Core -* [New] /Parsers/System/Salesforce/Salesforce -* [New] /Parsers/System/Teramind/Teramind Teraserver -* [Updated] /Parsers/System/Code42/Code42 Incydr - * Transform update for a new alert log format for tenantId. -* [Updated] /Parsers/System/Okta/Okta - * Modified event_id from eventType to event_type. -* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV - * Additional parsing support for a new Palo Alto Threat event format. \ No newline at end of file diff --git a/blog-cse/2024-12-06-content.md b/blog-cse/2024-12-06-content.md deleted file mode 100644 index a6088d3afd..0000000000 --- a/blog-cse/2024-12-06-content.md +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -title: December 6, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules - - tag schemas -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release: -- Introduces new Cloud SIEM detection rules for monitoring activity and alerts from GitHub Enterprise. -- New and updated log parsing and mapping support for: - - AWS VPC Transit Gateways Flow Logs - - Alert Logic - - Google G Suite Alert Center - - Microsoft Defender Advanced Hunting - - Azure Provisioning, Alert, ResourceHealth, and ServiceHealth events - -Changes are enumerated below. - -:::note -First Seen Successful Authentication From Unexpected Country (FIRST-S00029), which is disabled by default, has been replaced by a rule of the same name (FIRST-S00065) which is enabled by default. FIRST-S00029 will be removed in a subsequent release in 2 weeks (week of December 16). Any tuning expressions applied to FIRST-S00029 will need to be migrated to FIRST-S00065 to continue functioning. -::: - -### Rules -- [New] MATCH-S00952 GitHub - Administrator Added or Invited - - Detects additions or invitations of GitHub Administrators. Illegitimate addition of administrative users could be an indication of privilege escalation or persistence by adversaries. -- [New] MATCH-S00953 GitHub - Audit Logging Modification - - Detects modifications to the GitHub Enterprise Audit Log. Modifications and deletions have the potential to reduce visibility of malicious activity. -- [New] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub - - Observes for GitHub staff manually revoking copilot access for a user. This action is likely to be rare and may be indicative of a user violating the [acceptable use policy for GitHub](https://docs.github.com/en/site-policy/acceptable-use-policies). 
-- [New] FIRST-S00091 GitHub - First Seen Activity From Country for User - - Detects GitHub user activity from a new country. User account compromises can be detected through unusual geolocation in some cases. To lower possible false positives, a tuning expression for expected country names or codes can be added,. -- [New] FIRST-S00090 GitHub - First Seen Application Interacting with API - - Detects new application usage of the GitHub API. New applications utilizing the API may be routine, however this may also reveal malicious applications utilizing the API. -- [New] MATCH-S00950 GitHub - Member Invitation or Addition - - Detects new user additions or invitations to the business or organization GitHub. New user additions/invitations should be monitored as they could be a vector for malicious actors to establish access or persistence. -- [New] MATCH-S00955 GitHub - Member Permissions Modification - - Detects modifications of GitHub user permissions. Added permissions for a user should be monitored for potential privilege escalation by an adversary. -- [New] MATCH-S00956 GitHub - OAuth Application Activity - - Detects OAuth application activities within GitHub. OAuth application management and access activity should be monitored for potential abuse by potential malicious actors, either by creating malicious access paths within GitHub, or destruction of GitHub infrastructure. -- [New] MATCH-S00957 GitHub - Organization Transfer - - Detects transfers of an organization to another enterprise This is a sensitive activity that should be monitored to ensure organizations and their repositories are not being transferred without proper authorization. -- [New] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User - - Detects an outlier in the number of distinct user agent strings for a GitHub user. Unusual user agent strings for a user account could indicate account takeover. 
-- [New] OUTLIER-S00028 GitHub - Outlier in Removal Actions by User - - Detects a higher than usual number of removal actions undertaken by a user. This detection has a broad scope to detect any unusual number of destroy, delete, or remove actions undertaken by a user to help detect a range of different potential destructive activities in GitHub. -- [New] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads - - Detects an unusual number of repository clones for a user. Unusual repository cloning could indicate data exfiltration or discovery. -- [New] MATCH-S00958 GitHub - PR Review Requirement Removed - - Detects GitHub pull request review requirements being removed from a repository either via branch protection rule or ruleset. -- [New] MATCH-S00959 GitHub - Repository Public Key Deletion - - Detects deletions of SSH keys in GitHub. Unusual deletions could represent an adversary attempting to disrupt normal operations by denying access. -- [New] MATCH-S00960 GitHub - Repository Transfer - - Detects transfers of a repository to another organization or user. This is a sensitive activity that GitHub places in the "Danger Zone" of repository setting and should be monitored to ensure no unauthorized transfers are taking place. -- [New] MATCH-S00961 GitHub - Repository Visibility Changed to Public - - Detects a user making a repository public. This action should be closely monitored and mitigative actions taken even if the published repository is deleted, or reverted to private. Reference: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github -- [New] MATCH-S00962 GitHub - Repository Visibility Permissions Changed - - Detects repository visibility permissions being changed to allow members of an organization to change the visibility of repositories. 
This activity introduces the potential for data leakage if a private or internal repository is changed to public and should be monitored to ensure no inadvertent or malicious publication of a repository. -- [New] MATCH-S00963 GitHub - SSH Key Created for Private Repo - - Detects the creation of an SSH key for a private GitHub repository. Performed maliciously, creating an SSH key could create a parallel access path for an attacker. -- [New] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity - - Detects activities accessing SSO recovery codes. SSO recovery codes can enable a user to bypass normal more stringent authentication routes. -- [New] MATCH-S00951 GitHub - Secret Scanning Alert - - Observes for secret scanning alerts from GitHub. Secrets detected by GitHub Enterprise Cloud undergo validation by GitHub automatically, to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection. For more information see [Evaluating alerts from secret scanning](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts). -- [New] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled - - Detects actions which disable or modify secret scanning policies for an organization or repository. Modifying or disabling secret scanning may lead to inadvertent leaking of credentials. -- [New] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization - - Observes for two-factor authentication being disabled for a GitHub organization. Removing two-factor authentication requirements significantly degrades the security of the GitHub organization by permitting password only authentication. 
-- [Updated] THRESHOLD-S00095 Password Attack from Host - - Modified the rule expression to remove the `srcDevice_ip` entity selector and the `isNull` from the rule expression for entities from the existing rule, and creates a new rule for those entities so that there are 2 versions of the rule's intent. - -### Log Mappers -- [New] AWS VPC Transit Gateways Flow Logs -- [New] Alert Logic Catch All -- [New] Azure ResourceHealth and ServiceHealth -- [New] Google G Suite Alert Center - User Changes -- [New] Microsoft Defender Advanced Hunting - Alert -- [New] Microsoft Defender Advanced Hunting - Audit -- [New] Microsoft Defender Advanced Hunting - Email events -- [New] Microsoft Defender Advanced Hunting - Logon -- [New] Microsoft Defender Advanced Hunting - Network -- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert - - Adds support for additional event types and field mappings. -- [Updated] Trend Micro Vision One Custom Parser - - Supports additional field names. - -### Parsers -- [New] /Parsers/System/AWS/AWS VPC Transit Gateways Flow Logs -- [New] /Parsers/System/Alert Logic/Alert Logic -- [New] /Parsers/System/Microsoft/Microsoft Defender Advanced Hunting -- [Updated] /Parsers/System/Trend Micro/Trend Micro Vision One - - Parser updated to support additional event format. diff --git a/blog-cse/2024-12-20-content.md b/blog-cse/2024-12-20-content.md deleted file mode 100644 index 932c83074e..0000000000 --- a/blog-cse/2024-12-20-content.md +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -title: December 20, 2024 - Content Release -hide_table_of_contents: true -keywords: - - log mappers - - log parsers - - detection rules -image: https://help.sumologic.com/img/sumo-square.png ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -icon - -This content release includes: -- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management). -- AWS Cloudtrail updates. - - Adds alternate mapping for `user_userId` in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/). -- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower. -- Rule updates. - -Changes are are enumerated below. - -## Rules -- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country - - Rule has been replaced by FIRST-S00065 as this version was not enabled by default. -- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User - - Updated "First Seen" value from ClientInfoString to Client to reduce false positives. -- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country - - Replaces FIRST-S00029. 
- -## Log Mappers -- [New] Dragos Catch All -- [New] Mindpoint Group Keeper Authentication -- [New] Mindpoint Group Keeper Catch All -- [New] Trust Login Authentication -- [New] Trust Login Catch All -- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications -- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events -- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication -- [Updated] CloudTrail Default Mapping -- [Updated] Firepower Catch All - - Additional new field mappings to support Firepower events and improve records classification. -- [Updated] Palo Alto Config - Custom Parser - - Adds alternate field mappings. -- [Updated] Palo Alto System - Custom Parser - - Adds alternate field mappings. -- [Updated] Palo Alto System Auth - Custom Parser - - Support additional panorama-auth-success and alternate fields for mapped fields. - -## Parsers -- [New] /Parsers/System/Dragos/Dragos -- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper -- [New] /Parsers/System/Trust Login/Trust Login -- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog - - Adds support for FTD 430002 and 430003 events. -- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF - - Adds support for 'panorama-auth-success' events and improves timestamp handling. \ No newline at end of file diff --git a/blog-cse/2024/12-31.md b/blog-cse/2024/12-31.md new file mode 100644 index 0000000000..4fa900d2e2 --- /dev/null +++ b/blog-cse/2024/12-31.md 
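Review bot: deleting blog-cse/2024-12-20-content.md (and the other per-release posts in this series) removes their standalone URLs, and the new archive page only links back to /release-notes-cse/archive, so confirm redirects exist or inbound links are updated before merging. The deleted post also set `hide_table_of_contents: true`, which the 1680-line archive file does not; that is probably intended (a TOC helps on a page this long), but worth confirming it was a deliberate choice rather than a dropped front-matter key.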
@@ -0,0 +1,1680 @@ +--- +title: 2024 Archive +keywords: + - rules + - signals + - schema + - log mappers + - parsers + - cloud siem +image: https://help.sumologic.com/img/sumo-square.png +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +This is an archive of 2024 Cloud SIEM release notes. To view the full archive, [click here](/release-notes-cse/archive). + +--- +### December 20, 2024 - Content Release + +This content release includes: +- New product support for Dragos WorldView Threat Intelligence, Mindpoint Proactive Security Services, and Trust IAM (Identity and Access Management). +- AWS Cloudtrail updates. + - Adds alternate mapping for `user_userId` in anticipation of AWS Identity Center CloudTrail logging change. For more information on the change, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/). +- Parsing and mapping updates for Palo Alto Firewall and Cisco Firepower. +- Rule updates. + +Changes are are enumerated below. + +#### Rules +- [Deleted] FIRST-S00029 First Seen Successful Authentication From Unexpected Country + - Rule has been replaced by FIRST-S00065 as this version was not enabled by default. +- [Updated] FIRST-S00046 First Seen Client Generating MailIItemsAccessed Event from User + - Updated "First Seen" value from ClientInfoString to Client to reduce false positives. +- [Updated] FIRST-S00065 First Seen Successful Authentication From Unexpected Country + - Replaces FIRST-S00029. 
+ +#### Log Mappers +- [New] Dragos Catch All +- [New] Mindpoint Group Keeper Authentication +- [New] Mindpoint Group Keeper Catch All +- [New] Trust Login Authentication +- [New] Trust Login Catch All +- [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications +- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events +- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication +- [Updated] CloudTrail Default Mapping +- [Updated] Firepower Catch All + - Additional new field mappings to support Firepower events and improve records classification. +- [Updated] Palo Alto Config - Custom Parser + - Adds alternate field mappings. +- [Updated] Palo Alto System - Custom Parser + - Adds alternate field mappings. +- [Updated] Palo Alto System Auth - Custom Parser + - Support additional panorama-auth-success and alternate fields for mapped fields. + +#### Parsers +- [New] /Parsers/System/Dragos/Dragos +- [New] /Parsers/System/Mindpoint Group/Mindpoint Group Keeper +- [New] /Parsers/System/Trust Login/Trust Login +- [Updated] /Parsers/System/Cisco/Cisco Firepower Syslog + - Adds support for FTD 430002 and 430003 events. +- [Updated] /Parsers/System/Palo Alto/PAN Firewall LEEF + - Adds support for 'panorama-auth-success' events and improves timestamp handling. + +--- +### December 6, 2024 - Content Release + +This content release: +- Introduces new Cloud SIEM detection rules for monitoring activity and alerts from GitHub Enterprise. +- New and updated log parsing and mapping support for: + - AWS VPC Transit Gateways Flow Logs + - Alert Logic + - Google G Suite Alert Center + - Microsoft Defender Advanced Hunting + - Azure Provisioning, Alert, ResourceHealth, and ServiceHealth events + +Changes are enumerated below. 
+ +:::note +First Seen Successful Authentication From Unexpected Country (FIRST-S00029), which is disabled by default, has been replaced by a rule of the same name (FIRST-S00065) which is enabled by default. FIRST-S00029 will be removed in a subsequent release in 2 weeks (week of December 16). Any tuning expressions applied to FIRST-S00029 will need to be migrated to FIRST-S00065 to continue functioning. +::: + +#### Rules +- [New] MATCH-S00952 GitHub - Administrator Added or Invited + - Detects additions or invitations of GitHub Administrators. Illegitimate addition of administrative users could be an indication of privilege escalation or persistence by adversaries. +- [New] MATCH-S00953 GitHub - Audit Logging Modification + - Detects modifications to the GitHub Enterprise Audit Log. Modifications and deletions have the potential to reduce visibility of malicious activity. +- [New] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub + - Observes for GitHub staff manually revoking copilot access for a user. This action is likely to be rare and may be indicative of a user violating the [acceptable use policy for GitHub](https://docs.github.com/en/site-policy/acceptable-use-policies). +- [New] FIRST-S00091 GitHub - First Seen Activity From Country for User + - Detects GitHub user activity from a new country. User account compromises can be detected through unusual geolocation in some cases. To lower possible false positives, a tuning expression for expected country names or codes can be added,. +- [New] FIRST-S00090 GitHub - First Seen Application Interacting with API + - Detects new application usage of the GitHub API. New applications utilizing the API may be routine, however this may also reveal malicious applications utilizing the API. +- [New] MATCH-S00950 GitHub - Member Invitation or Addition + - Detects new user additions or invitations to the business or organization GitHub. 
New user additions/invitations should be monitored as they could be a vector for malicious actors to establish access or persistence. +- [New] MATCH-S00955 GitHub - Member Permissions Modification + - Detects modifications of GitHub user permissions. Added permissions for a user should be monitored for potential privilege escalation by an adversary. +- [New] MATCH-S00956 GitHub - OAuth Application Activity + - Detects OAuth application activities within GitHub. OAuth application management and access activity should be monitored for potential abuse by potential malicious actors, either by creating malicious access paths within GitHub, or destruction of GitHub infrastructure. +- [New] MATCH-S00957 GitHub - Organization Transfer + - Detects transfers of an organization to another enterprise This is a sensitive activity that should be monitored to ensure organizations and their repositories are not being transferred without proper authorization. +- [New] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User + - Detects an outlier in the number of distinct user agent strings for a GitHub user. Unusual user agent strings for a user account could indicate account takeover. +- [New] OUTLIER-S00028 GitHub - Outlier in Removal Actions by User + - Detects a higher than usual number of removal actions undertaken by a user. This detection has a broad scope to detect any unusual number of destroy, delete, or remove actions undertaken by a user to help detect a range of different potential destructive activities in GitHub. +- [New] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads + - Detects an unusual number of repository clones for a user. Unusual repository cloning could indicate data exfiltration or discovery. +- [New] MATCH-S00958 GitHub - PR Review Requirement Removed + - Detects GitHub pull request review requirements being removed from a repository either via branch protection rule or ruleset. 
+- [New] MATCH-S00959 GitHub - Repository Public Key Deletion + - Detects deletions of SSH keys in GitHub. Unusual deletions could represent an adversary attempting to disrupt normal operations by denying access. +- [New] MATCH-S00960 GitHub - Repository Transfer + - Detects transfers of a repository to another organization or user. This is a sensitive activity that GitHub places in the "Danger Zone" of repository setting and should be monitored to ensure no unauthorized transfers are taking place. +- [New] MATCH-S00961 GitHub - Repository Visibility Changed to Public + - Detects a user making a repository public. This action should be closely monitored and mitigative actions taken even if the published repository is deleted, or reverted to private. Reference: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github +- [New] MATCH-S00962 GitHub - Repository Visibility Permissions Changed + - Detects repository visibility permissions being changed to allow members of an organization to change the visibility of repositories. This activity introduces the potential for data leakage if a private or internal repository is changed to public and should be monitored to ensure no inadvertent or malicious publication of a repository. +- [New] MATCH-S00963 GitHub - SSH Key Created for Private Repo + - Detects the creation of an SSH key for a private GitHub repository. Performed maliciously, creating an SSH key could create a parallel access path for an attacker. +- [New] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity + - Detects activities accessing SSO recovery codes. SSO recovery codes can enable a user to bypass normal more stringent authentication routes. +- [New] MATCH-S00951 GitHub - Secret Scanning Alert + - Observes for secret scanning alerts from GitHub. 
Secrets detected by GitHub Enterprise Cloud undergo validation by GitHub automatically, to determine whether they are actively in use, this is not surfaced in the audit log, and will require separate inspection. For more information see [Evaluating alerts from secret scanning](https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning/evaluating-alerts). +- [New] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled + - Detects actions which disable or modify secret scanning policies for an organization or repository. Modifying or disabling secret scanning may lead to inadvertent leaking of credentials. +- [New] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization + - Observes for two-factor authentication being disabled for a GitHub organization. Removing two-factor authentication requirements significantly degrades the security of the GitHub organization by permitting password only authentication. +- [Updated] THRESHOLD-S00095 Password Attack from Host + - Modified the rule expression to remove the `srcDevice_ip` entity selector and the `isNull` from the rule expression for entities from the existing rule, and creates a new rule for those entities so that there are 2 versions of the rule's intent. + +#### Log Mappers +- [New] AWS VPC Transit Gateways Flow Logs +- [New] Alert Logic Catch All +- [New] Azure ResourceHealth and ServiceHealth +- [New] Google G Suite Alert Center - User Changes +- [New] Microsoft Defender Advanced Hunting - Alert +- [New] Microsoft Defender Advanced Hunting - Audit +- [New] Microsoft Defender Advanced Hunting - Email events +- [New] Microsoft Defender Advanced Hunting - Logon +- [New] Microsoft Defender Advanced Hunting - Network +- [Updated] Azure Event Hub - Windows Defender Logs and Azure Alert + - Adds support for additional event types and field mappings. +- [Updated] Trend Micro Vision One Custom Parser + - Supports additional field names. 
+ +#### Parsers +- [New] /Parsers/System/AWS/AWS VPC Transit Gateways Flow Logs +- [New] /Parsers/System/Alert Logic/Alert Logic +- [New] /Parsers/System/Microsoft/Microsoft Defender Advanced Hunting +- [Updated] /Parsers/System/Trend Micro/Trend Micro Vision One + - Parser updated to support additional event format. + +--- +### November 22, 2024 - Content Release + +This content release includes: +* New mapping support for: Qumulo Core, and Teramind Teraserver. +* Updates to existing parsers for: Code42 Incydr, Palo Alto, and Okta. +* Updates to the existing Okta log mappings to support a new HTTP source log formatting. +* Updates to Code42 Incydr Alerts C2C mapping to support new alert log format. + +Changes are enumerated below. + +#### Rules +* [Deleted] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event + * Consider using FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) in its place. +* [New] THRESHOLD-S00116 Password Attack from IP + * This is a fork of THRESHOLD-S00095 Password Attack to address a bug with null values causing backend issues with detection rules. Rule has been forked to ensure no null values are considered in the entity grouping. +* [Updated] FIRST-S00095 Password Attack from Host + * Updates rule to remove IP entity (now handled in THRESHOLD-S00116) and ensure no null values are considered for the host entity. +* [Updated] FIRST-S00068 Okta - First Seen User Accessing Admin Application + * Baseline retention window size increased from 35 days to the standard 90 day retention. + * Modified the summary description to read as follows: "User: `{{user_username}}` has successfully accessed the Okta Admin Application". + +#### Log Mappers +* [New] Palo Alto Threat DLP non File - Custom Parser + * Mapping support added for event id pattern: threat-dlp-non-file. 
+* [New] Qumulo Core - Catch All +* [New] Qumulo Core - Login +* [New] Teramind Authentication +* [New] Teramind Catch All +* [New] Teramind Email +* [Updated] Code42 Incydr Alerts C2C +* [Updated] Okta Authentication - auth_via_AD_agent +* [Updated] Okta Authentication - auth_via_mfa +* [Updated] Okta Authentication - auth_via_radius +* [Updated] Okta Authentication - sso +* [Updated] Okta Authentication Events +* [Updated] Okta Catch All +* [Updated] Okta Security Threat Events + +#### Parsers +* [New] /Parsers/System/Qumulo/Qumulo Core +* [New] /Parsers/System/Salesforce/Salesforce +* [New] /Parsers/System/Teramind/Teramind Teraserver +* [Updated] /Parsers/System/Code42/Code42 Incydr + * Transform update for a new alert log format for tenantId. +* [Updated] /Parsers/System/Okta/Okta + * Modified event_id from eventType to event_type. +* [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV + * Additional parsing support for a new Palo Alto Threat event format. + +--- +### November 8, 2024 - Application Update + +#### Cloud SIEM network sensor end-of-life + +The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed [Zeek network sensor](/docs/cse/sensors/ingest-zeek-logs/) as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network. + +Learn more [here](/docs/cse/sensors/network-sensor-end-of-life/). + +--- +### November 7, 2024 - Content Release + +This content release includes: +- New detection rules. +- Updates to existing detection rules to correct rule logic and reduce false positives. +- New parsing and mapping support for Automox, WatchGuard Firewall, and Digital Guardian ARC. +- Update to existing AWS Application Load Balancer parsing and mapping to support Connection logs. 
+- Update to MITRE ATT&CK tag schema to support ATT&CK v16.0. + +Changes are enumerated below. + +#### Rules +- [New] CHAIN-S00018 Autorun file created after USB disk mount on host + - This signal looks for a USB drive being mounted on a Windows host followed by a file creation event with the file name of "autorun.inf" within a 5-minute time frame. This activity could be indicative of an attempt at lateral movement or initial access avenues through a USB device. Ensure that the machine in question is authorized to use USB devices and look for other file creation events from this host around the same time frame. +- [New] FIRST-S00071 First Seen AWS ConsoleLogin by User + - First observance of a user logging on to the Amazon AWS console. This could be indicative of new administrator onboarding, or an unauthorized access to the AWS console. Recommended to investigate the nature of the user account and the login. +- [New] FIRST-S00080 First Seen Azure Portal access by User + - First observance of a user logging on to the Microsoft Azure Portal. This could be indicative of new user onboarding, or an unauthorized access to the Azure portal. Recommended to investigate the nature of the user account and the login. +- [New] FIRST-S00073 First Seen Get-ADDefaultDomainPasswordPolicy + - The first observed execution of the PowerShell CMDLet Get-ADDefaultDomainPasswordPolicy on this host. This CMDLet can be used in the discovery of Windows Domain Password Policies by threat actors. Investigating the host and active users for additional activity around the time of execution is recommended. +- [New] FIRST-S00072 First Seen Group Policy Discovery Operation + - This detection is a first observed execution of Windows process or PowerShell commands that can be run by users or administrators in order to gather password policy and other types of system information in an enterprise environment. The detections in this signal are based off variations found in Atomic Red Team test cases. 
Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md. Look at the command line and parent process details of the signal in order to determine if this execution is legitimate or part of system provisioning or systems administration operations. +- [New] FIRST-S00076 First Seen Net Command Use on Host + - Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the first observance of a Net related command on a system related to these discovery tactics. It is recommended to investigate the host and user to determine if this is authorized admin activity or needs further inspection. +- [New] FIRST-S00065 First Seen Successful Authentication From Unexpected Country + - First Seen rule which triggers when there are at least two successful logins from the same user with different country codes indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.) +- [New] FIRST-S00074 First Seen driverquery execution on host + - First observed execution of the driverquery command on the following device host: `{{device_hostname}}`. Driverquery is a useful command for an attacker to enumerate local device drivers to determine next steps in the attack. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution. +- [New] FIRST-S00079 First Seen gpresult execution on host + - This detection is first observed execution of gpresult on a host. 
This command may be used by attackers to access detailed password policy information in an enterprise environment. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution. +- [New] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant + - This signal looks for a new Client ID value ( mapped to the `user_username` field ) and ASN combination being issued an OIDC token, excluding the Okta Browser Plugin and Okta Dashboard. Use the Okta admin portal and look at the "Applications" section to cross-reference the Client ID value. Ensure that the IP address that is requesting the token is known and that this operation is expected and authorized. +- [New] FIRST-S00068 Okta - First Seen User Accessing Admin Application + - A user not seen since the baseline period has accessed the Okta admin application. Ensure that this user is expected to perform Okta administrative activities. If this user is expected and authroized, consider adding the user to the "Okta_Admins" match list to exclude the user from this signal. +- [New] FIRST-S00066 Okta - First Seen User Requesting Report + - This signal looks for a first seen user requesting an export of an Okta report. The various Okta report types can be found in the “Reports” section of the Okta administrative portal and can include various report types such as application password help, MFA usage, and reports around user access. During the October 2023 Okta incident, threat actors downloaded reports from Okta portals to extract information regarding user contact information. Ensure that the user that is requesting such reports is authorized and that this activity is expected. 
If a suspicious report generation event occurs, look at the “target” element within the event to gain more detailed information as to the type of report being generated and exported. +- [New] OUTLIER-S00018 Okta - Outlier in ASNs Used to Access Applications + - This signal looks for an outlier in the number of distinct autonomous system numbers (ASNs) that a particular user utilizes to access Okta resources within an hour time period. This is designed to alert on various forms of token or credential theft as well as general Okta session anomalies. +- [New] OUTLIER-S00017 Okta - Outlier in MFA Attempts Denied by User + - This signal builds an hourly baseline of MFA denied events per user and triggers when an outlier in the number of denied attempts is detected. This signal is designed to trigger on MFA-fatigue type attacks. If false positives are detected, consider excluding certain users from the alerting logic or raise the minimum count value within the rule configuration. +- [New] OUTLIER-S00016 Okta - Outlier in OIDC token request failures + - This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. Use the Okta admin portal to correlate the Client ID (mapped to `user_username`) to determine what application is being targeted. Pivot off the Client ID and IP address values to examine the raw Okta events in order to ensure that this activity is planned and expected. This activity can occur during setup and development of Okta applications and integrations. +- [New] OUTLIER-S00013 Outlier in Data Outbound Per Day by Admin or Sensitive Device + - A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. 
A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule. +- [New] OUTLIER-S00015 Outlier in Data Outbound Per Hour by Admin or Sensitive Device + - A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule. +- [Updated] THRESHOLD-S00095 Password Attack + - Added NULL exclusion to rule expression to prevent false-positives stemming from NULL IP or hostnames. +- [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port + - Added missing parenthesis to match expression. 
+ +#### Log Mappers +- [New] AWS - Application Load Balancer - Connection +- [New] Automox - Audit logs +- [New] Automox - Audit logs - Logon +- [New] Automox - Event logs +- [New] Digital Guardian ARC - Audit Events +- [New] Digital Guardian ARC - Mail +- [New] Digital Guardian ARC - Network +- [New] Digital Guardian ARC - User Login|Logoff +- [New] Watchguard Fireware - Firewall +- [New] Watchguard Fireware - http/https-proxy + +#### Parsers +- [New] /Parsers/System/Automox/Automox +- [New] /Parsers/System/Digital Guardian/Digital Guardian ARC +- [New] /Parsers/System/WatchGuard/WatchGuard Fireware +- [Updated] /Parsers/System/AWS/AWS ALB + - Updated parser to support AWS Application Load Balancer Connection logs + +--- +### October 31, 2024 - Content Release + +This content release includes: +- New Detection rules for Github Enterprise Audit. +- New Detection rules for Okta identity and access management. +- Updated parser and mappers for Cisco Meraki firewall, and Cisco Meraki Flows: + - Updated the pattern lookup for: action, normalized action, and success. +- Updated log mappers for Github Enterprise Audit: + - Updated the name of the product and the internal ID that corresponds to it. +- Updated parser for Github Enterprise Audit time handling. +- New parsers and mappers for Apache HTTP server and Kandji EDR. +- Other changes enumerated below. + +Please be advised that rule FIRST-S00031 (First Seen IP Address Associated with User for a Successful Azure AD Sign In Event) is not performing as intended and will be decommissioned in a forthcoming release. Please use FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) which provides an accurate and less sensitive detection point. + +#### Rules + +- [New] MATCH-S00922 AWS Bedrock Agent Created. + - This rule detects when an AWS Bedrock Agent has been created in the environment. + Bedrock Agents can be configured with various parameters to build AI applications. 
+- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted. + - AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. +- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User. + - A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. +- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed. + - An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. +- [New] OUTLIER-S00024 AWS DynamoDB Outlier in GetItem Events from User. + - An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. +- [New] OUTLIER-S00025 AWS S3 Outlier in PutObject Denied Events + - This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. +- [New] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe + - Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. +Audit Object Access (success and failure) must be enabled for this rule to function. +- [New] MATCH-S00896 Azure Authentication Policy Change + - Various authentication related policy configurations exist within Azure. 
These are tenant-wide policy changes that affect aspects such as enabling of number matching, changing of which authentication methods users are allowed to use, or the exclusion of certain groups from various authentication methods. +- [New] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy + - This rule detects credential dumping using copy command from a shadow copy. +- [New] FIRST-S00084 First Seen AWS Bedrock API Call from User + - This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. +- [New] FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process + - This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. This can be indictive of enumeration of certificate templates which can potentially lead to forged certificates and privilege escalation avenues. +- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification + - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. +- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User + - A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. +- [New] FIRST-S00088 First Seen NTLM Authentication to Host (User) + - A user has performed NTLM authentication to a host on the network for the first time since the baseline period has been established. 
+- [New] FIRST-S00076 First Seen Net Command Use on Host +- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent + - An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. +- [New] FIRST-S00061 First Seen USB device in use on Windows host + - This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. +- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template + - AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. +- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models + - A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. +- [New] FIRST-S00059 First Seen esentutl command From User + - Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. +- [New] FIRST-S00058 First Seen vssadmin command From User + - Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. 
+- [New] FIRST-S00060 First Seen wbadmin command From User + - Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. +- [New] MATCH-S00429 LSASS Memory Dumping + - Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. +- [New] MATCH-S00161 Malicious PowerShell Get Commands + - This rule detects commandlets from common PowerShell exploitation frameworks. +- [New] MATCH-S00895 NinjaCopy Usage Detected + - NinjaCopy is a legacy PowerShell tool that can copy files from an NTFS volume in a manner that bypasses SACL auditing as well as DACL controls such as only allowing SYSTEM to open a file. +- [New] MATCH-S00906 Okta - Application Created + - This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. +- [New] MATCH-S00903 Okta - Device Added To User + - An Okta device was added to a user. This activity may occur as part of normal user operations such as lost device. +- [New] MATCH-S00904 Okta - Device Removed From User + - An Okta device was removed from a user. It is recommended that the user performing the action be cross-referenced to a list of approved Okta administrators. +- [New] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon + - This signal looks for a single user explicitly denying at least two (2) multi factor authentication prompts, followed by a successful Okta login via multi factor authentication within a twenty-five (25) minute window. This logic is designed to catch successful MFA fatigue type attacks. 
+- [New] MATCH-S00908 Okta - MFA Request Denied by User + - This signal will trigger when a user denies an MFA request within the Okta authenticator application. +- [New] MATCH-S00907 Okta - Policy Rule Added + - An Okta policy rule has been added through the Okta admin application. +- [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint + - This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta “users” API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. +- [New] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs) + - This rule detects when a user has utilized multiple distinct ASNs when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. +- [New] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents) + - This rule detects when a user has utilized multiple distinct User Agents when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. +- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User + - An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. +- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User + - An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. 
+- [New] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded + - This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows domain users full control over the certificate +- [New] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration + - This alert looks for two events in a particular order, the first event involves a certificate template being loaded with a certificate request agent application policy. +- [New] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded + - This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows all domain users the ability to enroll the template. +- [New] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded + - This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows the enrolee to supply a subject and allows all domain users to enroll. +- [New] MATCH-S00899 Suspicious Active Directory Certificate Modification + - This alert looks for an Active Directory certificate being modified with the "Any Purpose" OID. +- [New] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent + - This alert looks for an Active Directory certificate being modified with an Enrollment Agent value that allows an Active Directory principal to enroll a certificate on behalf of another user. +- [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method + - This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. 
+- [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution + - Detects the use of PowerShell for Applicaiton Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. +- [New] MATCH-S00918 Suspicious cat of PAM common-password policy + - The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. +- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected + - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. +- [New] MATCH-S00583 WCE wceaux.dll Access + - Obvserves for access of wceaux.dll, which may be indicative of credential access. +- [New] MATCH-S00159 Windows - Permissions Group Discovery + - Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the use net.exe related commands on a system related to these discovery tactics. +- [New] THRESHOLD-S00067 ZeroLogon Privilege Escalation Behavior + - An attack against CVE-2020-1472 may create thousands of NetrServerReqChallenge and NetrServerAuthenticate3 requests in a short amount of time. +- [New] MATCH-S00919 chage command use on host + - The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user’s password or account is due to expire. 
+ +#### Log Mappers +- [New] Apache HTTP Server - Access log +- [New] Kandji EDR - catch all +- [Updated] Cisco Meraki Firewall - Custom Parser +- [Updated] Cisco Meraki Flows - Custom Parser +- [Updated] GitHub Enterprise Audit - Access Events +- [Updated] GitHub Enterprise Audit - Authentication Events +- [Updated] GitHub Enterprise Audit - Create Events +- [Updated] GitHub Enterprise Audit - Modify Events +- [Updated] GitHub Enterprise Audit - Remove Events +- [Updated] GitHub Enterprise Audit - Restore Events +- [Updated] GitHub Enterprise Audit - Transfer Events +- [Updated] GitHub Enterprise Audit Catch All + +#### Parsers +- [New] /Parsers/System/Apache/Apache HTTP Server +- [New] /Parsers/System/Kandji/Kandji EDR +- [Updated] /Parsers/System/Cisco/Cisco Meraki + - Corrected parser to address incorrect mapping leading to alert errors. +- [Updated] /Parsers/System/Github/GitHub Enterprise Audit + - Parser modification to the MAPPER:product from Github Enterpries to Github Enterprise Audit +- [Updated] /Parsers/System/Kemp/Kemp LoadMaster Syslog + - Corrected parser transform for the log-entry format of the Process_Syslog_Header +- [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON + - Corrected the JSON parser for MAPPER:event_id to facilitiate proper mapping processing + +--- +### October 04, 2024 - Content Release + +This content release includes: +* Detection rules centered around Amazon Bedrock activities. +* Consolidation of AWS CloudTrail mappers to replicate current mapper behavior with fewer distinct mappers. +* New support for GitHub Enterprise Audit (parsing and mapping). +* New support for Honeywell Pro-Watch (parsing and mapping). +* New support for Citrix Zendesk (parsing and mapping). +* Further mapping updates to better employ [Normalized Classification](/docs/cse/schema/cse-normalized-classification) fields across data sources. +* Removal of some duplicate mapped fields. +* Other changes enumerated below. 
+ +#### Rules +- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed + - An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment. +- [New] MATCH-S00922 AWS Bedrock Agent Created + - This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment. +- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted + - AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious. +- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User + - A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field. 
+- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User + - A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions. +- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models + - A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed. +- [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User + - This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected. +- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent + - An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment. 
+- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification + - Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value. +- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template + - AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives. +- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User + - An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. 
Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression. +- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User + - An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression. +- [New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User + - An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function. +- [New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events + - This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges. +- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected + - Trufflehog is a tool that can be utilized to find and verify secrets. 
When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value. + +#### Log Mappers +##### New Event/Source Support +- [New] Fortinet utm-ssl Logs +- [New] GitHub Enterprise Audit - Access Events +- [New] GitHub Enterprise Audit - Authentication Events +- [New] GitHub Enterprise Audit - Create Events +- [New] GitHub Enterprise Audit - Modify Events +- [New] GitHub Enterprise Audit - Remove Events +- [New] GitHub Enterprise Audit - Restore Events +- [New] GitHub Enterprise Audit - Transfer Events +- [New] GitHub Enterprise Audit Catch All +- [New] Honeywell Pro-Watch Catch All +- [New] Zendesk Catch All + +##### Extended Normalized Classification Support +- [Updated] Azure Event Hub - Windows Defender Logs +- [Updated] Azure ManagedIdentitySignInLogs +- [Updated] Azure NonInteractiveUserSignInLogs +- [Updated] Azure ServicePrincipalSignInLogs +- [Updated] Azure Write and Delete Logs +- [Updated] AzureActivityLog 01 +- [Updated] Carbon Black Cloud - Observation event +- [Updated] Carbon Black Cloud Script Load +- [Updated] Cisco ASA 109005-8 JSON +- [Updated] Cisco ASA 113005 +- [Updated] Cisco ASA 113005 JSON +- [Updated] Cisco ASA 113012-17 JSON +- [Updated] Cisco ASA 716039 JSON +- [Updated] Cisco ASA 719022-3 JSON +- [Updated] Cisco ASA 751011 JSON +- [Updated] Citrix NetScaler - AAA-LOGIN_FAILED +- [Updated] CrowdStrike FDR - CriticalFileAccessed +- [Updated] CylancePROTECT Threats +- [Updated] Fortinet Event Logs +- [Updated] Fortinet Virus Logs +- [Updated] 
Kaspersky Endpoint Security Catch All +- [Updated] Lacework Alert +- [Updated] Linux OS Syslog - Cron - Session Closed +- [Updated] Linux OS Syslog - Cron - Session Opened +- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password +- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User +- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String +- [Updated] Linux OS Syslog - Process sshd - SSH Public Key Not Allowed +- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution +- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start +- [Updated] McAfee WebGateway - CEF - User Login Failed +- [Updated] Microsoft Defender for Cloud - Security Alerts +- [Updated] Microsoft Office 365 Active Directory Authentication Events +- [Updated] Microsoft Office 365 Threat Intelligence Atp Content Events +- [Updated] OSSEC Alert +- [Updated] OpenVPN Authentication Attempt +- [Updated] OpenVPN Logon Attempt +- [Updated] Osquery Process Auditing +- [Updated] Palo Alto Traps - Custom Parser +- [Updated] RSA SecurID SinglePoint Authentication +- [Updated] Snowflake Login +- [Updated] Symantec Agent Behavior Logs +- [Updated] Symantec Agent Risk Logs +- [Updated] Symantec Agent Risk SONAR Logs +- [Updated] Symantec Agent Scan Logs +- [Updated] Sysdig Kubernetes JSON +- [Updated] Tanium IOC Event - CEF Custom Parser +- [Updated] Windows - Security - 4625 +##### Added 'Cause' mapping and added 'null' as a skipped value +- [Updated] Okta Authentication - auth_via_AD_agent +- [Updated] Okta Authentication - auth_via_mfa +- [Updated] Okta Authentication - auth_via_radius +- [Updated] Okta Authentication - sso +- [Updated] Okta Authentication Events +- [Updated] Okta Catch All +- [Updated] Okta Security Threat Events + +##### Consolidated CloudTrail Mappings +- [Deleted] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail +- [Deleted] CloudTrail - cloudtrail.amazonaws.com - StartLogging +- [Deleted] 
CloudTrail - cloudtrail.amazonaws.com - StopLogging +- [Deleted] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail +- [Deleted] CloudTrail - ec2.amazonaws.com - AttachInternetGateway +- [Deleted] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress +- [Deleted] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway +- [Deleted] CloudTrail - ec2.amazonaws.com - CreateInternetGateway +- [Deleted] CloudTrail - ec2.amazonaws.com - CreateKeyPair +- [Deleted] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry +- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway +- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway +- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteKeyPair +- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl +- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry +- [Deleted] CloudTrail - ec2.amazonaws.com - DetachInternetGateway +- [Deleted] CloudTrail - ec2.amazonaws.com - ImportKeyPair +- [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation +- [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry +- [Deleted] CloudTrail - iam.amazonaws.com - AttachGroupPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - AttachRolePolicy +- [Deleted] CloudTrail - iam.amazonaws.com - AttachUserPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - CreateAccessKey +- [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicy +- [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicyVersion +- [Deleted] CloudTrail - iam.amazonaws.com - CreateUser +- [Deleted] CloudTrail - iam.amazonaws.com - DeletePolicy +- [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary +- [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePolicy +- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUser +- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary +- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - 
DetachGroupPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - DetachRolePolicy +- [Deleted] CloudTrail - iam.amazonaws.com - DetachUserPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - PutGroupPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - PutRolePolicy +- [Deleted] CloudTrail - iam.amazonaws.com - PutUserPolicy +- [Deleted] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy +- [Deleted] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion +- [Deleted] CloudTrail - lambda.amazonaws.com - AddPermission +- [Deleted] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping +- [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunction +- [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig +- [Deleted] CloudTrail - lambda.amazonaws.com - DeleteFunction +- [Deleted] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping +- [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration +- [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig +- [Deleted] CloudTrail - lambda.amazonaws.com - PublishLayerVersion +- [Deleted] CloudTrail - lambda.amazonaws.com - RemovePermission +- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping +- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode +- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration +- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig +- [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogGroup +- [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogStream +- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketCors +- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle +- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy +- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketAcl +- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketCors +- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketLifecycle +- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketPolicy 
+- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketReplication +- [Deleted] CloudTrail - secretsmanager.amazonaws.com - RotationStarted +- [Deleted] CloudTrail - signin.amazonaws.com - CheckMfa +- [Deleted] CloudTrail - signin.amazonaws.com - ExitRole +- [Deleted] CloudTrail - signin.amazonaws.com - RenewRole +- [Deleted] CloudTrail - signin.amazonaws.com - SwitchRole +- [Deleted] CloudTrail - sso.amazonaws.com - ListProfilesForApplication +- [Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging +- [Updated] CloudTrail - ec2.amazonaws.com - All Network Events +- [Updated] CloudTrail - iam.amazonaws.com - Policy Change +- [Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion +- [Updated] CloudTrail - lambda.amazonaws.com - Audit Change +- [Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction +- [Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy +- [Updated] CloudTrail - lambda.amazonaws.com - Resource Access +- [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream +- [Updated] CloudTrail - s3.amazonaws.com - Bucket Change +- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted +- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events +- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication + +#### Parsers +- [New] /Parsers/System/Github/GitHub Enterprise Audit +- [New] /Parsers/System/Honeywell/Honeywell Pro-Watch +- [New] /Parsers/System/Zendesk/Zendesk +- [Updated] /Parsers/System/AWS/AWS ALB + - Extends AWS ALB parser to handle additional `conn_trace_id` field +- [Updated] /Parsers/System/Citrix/Citrix Cloud C2C + - Modifies time handling and drops logs without security value +- [Updated] /Parsers/System/Dell/Dell SonicWall + - Minor regex fix for port and protocol handling +- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV + - Additional 
TRAFFIC log format handling + +--- +### September 19, 2024 - Content Release + +This content release includes: +* Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal). +* Deletion of a low efficacy rule. +* Mapping updates to better employ [normalized classification](/docs/cse/schema/cse-normalized-classification/) fields across data sources. +* Adds alternate case handling for Windows Security Event Log error codes. +* Updates to LastPass parsing and mapping to support Reporting and Failed Logon events. +* Adds support for Thinkst Canary JSON logging. +* Adjusts time handling for Thinkst Canary Syslog. + +Other changes are enumerated below. + + +#### Rules +- [Deleted] LEGACY-S00180 DNS query for dynamic DNS provider +- [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190 +- [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container +- [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments +- [Updated] MATCH-S00727 CPL File Executed from Temp Directory +- [Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings +- [Updated] MATCH-S00658 Container Management Utility in Container +- [Updated] MATCH-S00410 Copy from Admin Share +- [Updated] MATCH-S00443 Create Windows Share +- [Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy +- [Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy +- [Updated] MATCH-S00348 Curl Start Combination +- [Updated] MATCH-S00385 DTRACK Process Creation +- [Updated] MATCH-S00441 Delete Windows Share +- [Updated] MATCH-S00543 Detect Psexec With Accepteula Flag +- [Updated] MATCH-S00319 Dridex Process Pattern +- [Updated] MATCH-S00590 Elise Backdoor +- [Updated] MATCH-S00392 File or Folder Permissions Modifications +- [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User +- [Updated] FIRST-S00059 
First Seen esentutl command From User +- [Updated] FIRST-S00041 First Seen networksetup Usage from User +- [Updated] FIRST-S00058 First Seen vssadmin command From User +- [Updated] FIRST-S00060 First Seen wbadmin command From User +- [Updated] FIRST-S00008 First Seen whoami command From User +- [Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility +- [Updated] MATCH-S00325 Greenbug Campaign Indicators +- [Updated] MATCH-S00367 Impacket Lateralization Detection +- [Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility +- [Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility +- [Updated] MATCH-S00322 Judgement Panda Credential Access Activity +- [Updated] MATCH-S00334 Judgement Panda Exfil Activity +- [Updated] MATCH-S00651 Kubernetes CreateCronjob +- [Updated] MATCH-S00652 Kubernetes DeleteCronjob +- [Updated] MATCH-S00650 Kubernetes ListCronjobs +- [Updated] MATCH-S00648 Kubernetes ListSecrets +- [Updated] MATCH-S00647 Kubernetes Pod Deletion +- [Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed +- [Updated] MATCH-S00461 LNKSmasher Utility Commands +- [Updated] MATCH-S00746 Loadable Kernel Module Dependency Install +- [Updated] MATCH-S00745 Loadable Kernel Module Enumeration +- [Updated] MATCH-S00723 Loadable Kernel Module Modifications +- [Updated] MATCH-S00352 MSHTA Suspicious Execution +- [Updated] MATCH-S00534 MacOS - Re-Opened Applications +- [Updated] MATCH-S00729 MacOS Gatekeeper Bypass +- [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled +- [Updated] MATCH-S00161 Malicious PowerShell Get Commands +- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands +- [Updated] MATCH-S00198 Malicious PowerShell Keywords +- [Updated] MATCH-S00331 MavInject Process Injection +- [Updated] MATCH-S00466 MsiExec Web Install +- [Updated] MATCH-S00288 NotPetya Ransomware Activity +- [Updated] MATCH-S00698 PATH Set to Current Directory +- [Updated] MATCH-S00659 Package Management Utility in Container +- [Updated] 
MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034 +- [Updated] MATCH-S00149 PowerShell File Download +- [Updated] MATCH-S00449 Powershell Execution Policy Bypass +- [Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll +- [Updated] MATCH-S00439 Psr.exe Capture Screenshots +- [Updated] MATCH-S00167 Recon Using Common Windows Commands +- [Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator +- [Updated] MATCH-S00506 SC Exe Manipulating Windows Services +- [Updated] MATCH-S00153 Scheduled Task Created via PowerShell +- [Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System +- [Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot +- [Updated] MATCH-S00359 Suspicious Certutil Command +- [Updated] MATCH-S00356 Suspicious Compression Tool Parameters +- [Updated] MATCH-S00362 Suspicious Curl File Upload +- [Updated] MATCH-S00476 Suspicious Execution of Search Indexer +- [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution +- [Updated] MATCH-S00191 Suspicious PowerShell Keywords +- [Updated] MATCH-S00431 Suspicious Use of Procdump +- [Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution +- [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher +- [Updated] MATCH-S00279 TAIDOOR RAT DLL Load +- [Updated] MATCH-S00531 Unload Sysmon Filter Driver +- [Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions +- [Updated] MATCH-S00761 Volume Shadow Copy Service Stopped +- [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution +- [Updated] MATCH-S00760 WMI Ping Sweep +- [Updated] MATCH-S00146 WMI Process Call Create +- [Updated] MATCH-S00151 WMI Process Get Brief +- [Updated] MATCH-S00379 WMIExec VBS Script +- [Updated] MATCH-S00400 Web Download via Office Binaries +- [Updated] MATCH-S00539 Web Servers Executing Suspicious Processes +- [Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands +- [Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog 
+- [Updated] MATCH-S00181 Windows - Domain Trust Discovery +- [Updated] MATCH-S00168 Windows - Local System executing whoami.exe +- [Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe +- [Updated] MATCH-S00159 Windows - Permissions Group Discovery +- [Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas +- [Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed +- [Updated] MATCH-S00281 Windows - PowerShell Process Discovery +- [Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire +- [Updated] MATCH-S00185 Windows - Remote System Discovery +- [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow +- [Updated] MATCH-S00170 Windows - Scheduled Task Creation +- [Updated] MATCH-S00192 Windows - System Network Configuration Discovery +- [Updated] MATCH-S00194 Windows - System Time Discovery +- [Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh +- [Updated] MATCH-S00532 Windows Adfind Exe +- [Updated] MATCH-S00552 Windows Connhost Started Forcefully +- [Updated] MATCH-S00398 Windows Defender Download Activity +- [Updated] MATCH-S00179 Windows Network Sniffing +- [Updated] MATCH-S00157 Windows Process Name Impersonation +- [Updated] MATCH-S00178 Windows Query Registry +- [Updated] MATCH-S00533 Windows Security Account Manager Stopped +- [Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path +- [Updated] MATCH-S00724 Windows Update Agent DLL Changed +- [Updated] MATCH-S00382 Winnti Pipemon Characteristics +- [Updated] MATCH-S00435 XSL Script Processing +- [Updated] MATCH-S00726 macOS Kernel Extension Load + +#### Log Mappers +- [New] LastPass Failed Login Attempt +- [New] LastPass Reporting +- [Updated] Thinkst Canary Parser - Catch All + - Removed time handling from mapper to favor parser time handling +- [Updated] 1Password Item Audit Actions +- [Updated] 1Password Item Usage Actions +- [Updated] AWS Config - 
Custom Parser +- [Updated] AWS EKS - Custom Parser +- [Updated] AWS Inspector - Custom Parser +- [Updated] AWS Route 53 Logs +- [Updated] AWS S3 Server Access Log - Custom Parser +- [Updated] AWS Security Hub +- [Updated] AWSGuardDuty - Audit Events +- [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail +- [Updated] AWSGuardDuty - Reconnaissance and malicious activity detection +- [Updated] AWSGuardDuty - Tor Client and Relay +- [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller +- [Updated] AWSGuardDuty_Catch_All +- [Updated] Adaxes - Custom Parser +- [Updated] ApplicationGatewayAccessLog +- [Updated] ApplicationGatewayFirewallLog +- [Updated] Aqua Runtime Policy Match +- [Updated] Azure Appplication Service Console Logs +- [Updated] Azure AuditEvent logs +- [Updated] Azure Event Hub - Windows Defender Logs +- [Updated] Azure Firewall Application Rule +- [Updated] Azure Firewall DNS Proxy +- [Updated] Azure Firewall Network Rule +- [Updated] Azure NSG Flows +- [Updated] Azure Policy Logs +- [Updated] AzureActivityLog +- [Updated] AzureActivityLog 01 +- [Updated] AzureActivityLog AuditLogs +- [Updated] AzureDevOpsAuditing +- [Updated] Cato Networks Audits +- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail +- [Updated] Cyber Ark EPM AggregateEvent +- [Updated] Druva Cyber Resilience - Catch All +- [Updated] GCP App Engine Logs +- [Updated] GCP Audit Logs +- [Updated] GCP IDS +- [Updated] GCP Parser - Load Balancer +- [Updated] Google Security Command Center +- [Updated] JumpCloud IdP - Catch All +- [Updated] Kaltura Audits +- [Updated] Microsoft Defender for Cloud - Security Alerts +- [Updated] Microsoft Office 365 AzureActiveDirectory Events +- [Updated] Microsoft Office 365 MicrosoftStream Events +- [Updated] Microsoft Office 365 PowerApps Events +- [Updated] Microsoft Office 365 Sway Events +- [Updated] Microsoft Office 365 Teams Events +- [Updated] Microsoft Office 365 Yammer Events +- [Updated] MicrosoftGraphActivityLogs 
+- [Updated] Office 365 - MicrosoftFlow +- [Updated] Office 365 - Security Compliance Alerts +- [Updated] Osquery Catchall +- [Updated] Osquery FIM +- [Updated] Osquery Process Auditing +- [Updated] Osquery Socket Events +- [Updated] Osquery Startup Items +- [Updated] Palo Alto Config - Custom Parser +- [Updated] Palo Alto Threat Spyware - Custom Parser +- [Updated] RSA SecurID Runtime Authn Logout +- [Updated] RSA SecurID Runtime Catchall +- [Updated] UnauthorizedAccess_EC2_SSHBruteForce +- [Updated] Windows - Security - 4625 +- [Updated] Windows - Security - 4634 + +#### Parsers +- [New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON +- [Updated] /Parsers/System/LastPass/LastPass +- [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary + - Updated time handling to use `_messagetime` metadata + +--- +### August 27, 2024 - Content Release + +This release reverts a change to our AWS CloudTrail default (catch all) mapper for how `user_username` is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some `AssumedRole` events. + +AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/2024/08/05/content/) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives. 
+ +AWS best practices suggest defining `sourceIdentity` to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor `sourceIdentity` if it is present in CloudTrail logs. If it is not present, then `userIdentity.arn` will be used and the `resource-id` will be mapped to `user_username`, creating potential for false positives from dynamic session identifiers. See [Viewing source identity in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct) in the AWS documentation for more information. + +Alternatively, known service accounts which generate dynamic sessions identifers can be tuned out from signals using rule tuning expressions, Field Extraction Rules (FERs), or at the CloudTrail parser to reduce potential for false positive signals. + +#### Log Mappers +- [Updated] CloudTrail Default Mapping + +--- +### August 23, 2024 - Content Release + +This content release includes: +* Updates to rules to improve the user experience +* Specific updates are enumerated and summarized below + +:::note +Rule DNS query for dynamic DNS provider (LEGACY-S00180) is slated for removal the week of 2024-09-02. The rule is being removed from global content due to the untenable nature of maintaining the list of dynamic DNS providers within the rule expression. To retain this rule, it must be duplicated prior to the date of removal. +::: + +#### Rules +- [Updated] MATCH-S00816 Interactive Logon to Domain Controller + - Updated expression match list to use new `domain_controllers_hostnames` instead of `domain_controllers` which was generating false positives due to IP dependency. +- [Updated] LEGACY-S00105 Suspicious DC Logon + - Updated expression match list to use new `domain_controllers_hostnames` instead of `domain_controllers` which was generating false positives due to IP dependency. 
+ +##### srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid `null` values for the following rules: +- [Updated] MATCH-S00874 AWS Lambda Function Recon +- [Updated] MATCH-S00825 AWS Secrets Manager Enumeration +- [Updated] MATCH-S00513 Critical Severity Intrusion Signature +- [Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks +- [Updated] MATCH-S00666 High Severity Intrusion Signature +- [Updated] MATCH-S00669 Informational Severity Intrusion Signature +- [Updated] MATCH-S00668 Low Severity Intrusion Signature +- [Updated] MATCH-S00667 Medium Severity Intrusion Signature +- [Updated] THRESHOLD-S00095 Password Attack + +##### Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules: +- [Updated] MATCH-S00429 LSASS Memory Dumping + +- [Updated] MATCH-S00161 Malicious PowerShell Get Commands + +- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands + +- [Updated] MATCH-S00198 Malicious PowerShell Keywords + +- [Updated] MATCH-S00191 Suspicious PowerShell Keywords + +- [Updated] MATCH-S00431 Suspicious Use of Procdump + +- [Updated] MATCH-S00583 WCE wceaux.dll Access + +- [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected + +- [Updated] MATCH-S00291 Windows Credential Editor (WCE) in use + + +##### Added exclusion to match expression for `OneDrive` to reduce false positives and removed fields producing nulls in the signal summary for the following rules: +- [Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP +- [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User +- [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded +- [Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents + +--- +### August 16, 2024 - Content Release + +This content release includes: +* Updates to Azure rules to reflect a name change in the Company Administrator role to Global 
Administrator. +* New Linux OS Syslog mappers. +* Addition of sessionId mapping to Okta mappers. + +Individual changes are enumerated below. + +#### Rules +- [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role +- [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM +- [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role +- [Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User) + +#### Log Mappers +- [New] Linux OS Syslog - Process sudo - Authentication Failure +- [New] Linux OS Syslog - Systemd-user Session Open|Closed +- [New] Linux OS Syslog - sshd - Postponed publickey +- [New] Linux OS Syslog - sshd - User not allowed +- [New] MicrosoftGraphActivityLogs +- [Updated] AWS Redshift - Authentication Log + - Added normalizedAction mapping for logon and a success boolean lookup on event_name +- [Updated] Aruba ClearPass Guest Access + - Added normalizedAction mapping for logon and a success boolean lookup on error codes +- [Updated] Check Point Failed Log In + - Updated record type to Authentication and adjusted normalizedAction mapping to logon +- [Updated] CloudTrail - signin.amazonaws.com - CheckMfa + - Added logon normalizedAction and mapped success boolean to checkMfa +- [Updated] Infoblox NIOS - DNS + - Updated mapping for dns_query to fix dns enrichments +- [Updated] JumpCloud IdP Authentication + - Adds logon normalizedAction to mapper +- [Updated] Linux OS Syslog - Cron - Session Opened + - Adds mappings for targetUser_username, targetUser_userId, user_userId +- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password + - Adds "check pass" to event ID pattern +- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth + - Added description mapping +- [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect + - Updated mapper name, and added "sshd-disconnect" to event ID 
pattern. Adds mappings for srcDevice_ip, description, action. +- [Updated] Linux OS Syslog - Process sshd - SSH Session Opened + - Adds mapping for srcDevice_ip +- [Updated] Linux OS Syslog - Process sshd - SSH Session Starting + - Adds mappings for srcDevice_ip, srcPort +- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution + - Adds mapping for description +- [Updated] PingFederate - Authentication Event + - Added logon normalizedAction to mapper +- [Updated] Pulse Secure Custom Parser - AUT24326 + - Added logon normalizedAction to mapper +- [Updated] Windows - Security - 4648 + - Adds logon normalizedAction mapping +- [Updated] Okta Authentication - auth_via_AD_agent +- [Updated] Okta Authentication - auth_via_mfa +- [Updated] Okta Authentication - auth_via_radius +- [Updated] Okta Authentication - sso +- [Updated] Okta Authentication Events +- [Updated] Okta Catch All +- [Updated] Okta Security Threat Events + +#### Parsers +- [Updated] /Parsers/System/Linux/Linux OS Syslog + - Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns. + +#### Schema +- [New] repository + - The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts. + +--- +### August 05, 2024 - Content Release + +This content release includes: +* A new Cloud SIEM First Seen rule +* Consolidation of AWSGuardDuty log mappers +* CrowdStrike FDR mapping modifications by adding `aid` as a value for `device_hostname` as primary or alternate +* Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format +* Several new log mappers, parsers, and multiple updated parsers + +Release specifics are enumerated below. 
+ +#### Rules + +* NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process + * This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. + +#### Log Mappers + +* [Deleted] AWS GuardDuty Alerts from Sumo CIP +* [Deleted] AWSGuardDuty_Backdoor +* [Deleted] AWSGuardDuty_Behavior +* [Deleted] AWSGuardDuty_Catch_All +* [Deleted] AWSGuardDuty_CryptoCurrency +* [Deleted] AWSGuardDuty_Discovery +* [Deleted] AWSGuardDuty_Exfiltration +* [Deleted] AWSGuardDuty_PenTest +* [Deleted] AWSGuardDuty_Persistence +* [Deleted] AWSGuardDuty_Policy +* [Deleted] AWSGuardDuty_ResourceConsumption +* [Deleted] AWSGuardDuty_Stealth +* [Deleted] AWSGuardDuty_Trojan +* [Retired] AwsServiceEvent-AWS API Call via CloudTrail +* [Deleted] Recon_EC2_PortProbeUnprotectedPort +* [Deleted] Recon_EC2_Portscan +* [Deleted] Recon_IAMUser +* [Deleted] UnauthorizedAccess_EC2_SSHBruteForce +* [Deleted] UnauthorizedAccess_EC2_TorClient +* [Deleted] UnauthorizedAccess_EC2_TorIPCaller +* [Deleted] UnauthorizedAccess_EC2_TorRelay +* [Deleted] UnauthorizedAccess_IAMUser +* [Updated] AWS GuardDuty Alerts from Sumo CIP +* [New] AWS Redshift - ACTIVITY_LOG +* [New] AWS Redshift - Authentication Log +* [New] AWS Redshift - Connection Log +* [New] AWS Redshift - USER_LOG +* [New] AWSGuardDuty - Audit Events +* [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail +* [New] AWSGuardDuty - Reconnaissance and malicious activity detection +* [Updated] AWSGuardDuty - Tor Client and Relay +* [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller +* [Updated] AWSGuardDuty_Catch_All +* [New] Forescout CounterACT - NAC Policy Log +* [New] PingFederate - Authentication Event +* [New] Symantec Endpoint Security - All +* [Updated] UnauthorizedAccess_EC2_SSHBruteForce +* [New] VMware NSX - Firewall +* [Updated] CloudTrail Default Mapping + * Added alternate values for `userIdentity.arn`, 
and `requestParameters.sourceIdentity` applied to `user_role`. Additional mappings for `bytesIn`, and `bytesOut`. +* [Updated] CrowdStrike FDR - Catch All +* [Updated] CrowdStrike FDR - CriticalFileAccessed +* [Updated] CrowdStrike FDR - NetworkConnectIP4 +* [Updated] CrowdStrike FDR - NetworkConnectIP6 +* [Updated] CrowdStrike FDR - ProcessRollup2 +* [Updated] CrowdStrike FDR - SuspiciousDnsRequest +* [Updated] PingFederate Event + * Narrowed the lookup scope where success is true. +* [Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105 + * Updated keys for: `user_userId`, `user_username`, `commandLine`, `baseImage`, `file_path`, and `severity`. + +#### Parsers + +* [New] /Parsers/System/AWS/AWS Redshift +* [Updated] /Parsers/System/Forescout/Forescout CounterACT + * Updated the start time field. +* [New] /Parsers/System/Symantec/Symantec Endpoint Security +* [New] /Parsers/System/VMware/VMware NSX +* [Updated] /Parsers/System/Cisco/Cisco Meraki + * Added support for URLS new format. +* [Updated] /Parsers/System/PingIdentity/PingFederate + * Added support of new log format. +* [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON + * Dropped the redundant message field. + +--- +### July 16, 2024 - Content Release + +This content release includes rule and parser bug fixes, and parsing and mapping support for new log sources. Changes are enumerated below. 
+ +#### Rules + +* [Updated] MATCH-S00419 Multiple File Extensions + * Fixed bug in summary expression causing baseImage to appear as null +* [Updated] MATCH-S00755 Outlook Form Creation + * Fixed bug in rule expression where baseImage had incorrect case + +#### Log mappers + +* [New] CrowdStrike Spotlight - Vulnerability +* [New] JumpCloud IdP - Catch All +* [New] JumpCloud IdP Authentication +* [New] Kaspersky Endpoint Security Catch All +* [New] Linux OS Syslog - sshd - Command Execution +* [New] Linux OS Syslog - sshd - connection + +#### Parsers + +* [New] /Parsers/System/CrowdStrike/CrowdStrike Spotlight +* [New] /Parsers/System/JumpCloud/JumpCloud IdP +* [New] /Parsers/System/Kaspersky/Kaspersky Endpoint Security +* [Updated] /Parsers/System/Cisco/Cisco ISE + * Bug fix for variation in syslog headers +* [Updated] /Parsers/System/Linux/Linux OS Syslog + * Added support for additional variations in SSHD and CRON logs + +--- +### July 3, 2024 - Content Release + +This content release includes new and updated rules, log mappers, and parsers. Details are enumerated below. 
+ +#### Rules + +* [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination + * Removed leading backslash from like matches + +#### Log Mappers + +* [New] ApplicationGatewayAccessLog +* [New] ApplicationGatewayFirewallLog +* [New] Citrix NetScaler - TCP-CONN_TERMINATE +* [New] Google G Suite - login - password_change/recovery_info_change +* [New] Google G Suite - login-blocked_sender_change +* [New] JFrog Artifactory - Access logs +* [New] JFrog Artifactory - Login Access logs +* [New] JFrog Artifactory - Request Logs +* [New] Synergis Genetec - all +* [Updated] AWS EKS - Custom Parser + * Keys updated: `'srcDevice_ip'`, `'http_response_statusCode'`, `'http_url'`, `'http_userAgent'`, `'user_username'`, `'user_userId'`, `'action'`, `'device_k8s_namespace'` +* [Updated] Abnormal Security Threats + * Keys updated: `'threat_referenceUrl'`, `'email_subject'`, `'resource'`, `'email_sender'`, `'user_email'`, `'user_username'`, `'targetUser_email'`, `'action'`, `'threat_identifier'`, `'user_authDomain'`, `'srcDevice_ip'`, `'email_messageId'`, `'srcDevice_hostname'`, `'threat_name'`, `'threat_category'`, `'timestamp'` +* [Updated] Cisco ASA 305011-12 JSON + * Keys updated: `'user_authDomain'`, `'user_username'` +* [Updated] GitHub JSON + * Keys updated: `'user_username'`, `'user_role'`, `'user_userId'`, `'description'`, `'http_url'`, `'device_hostname'` +* [Updated] SentinelOne Logs - Syslog Custom Parser + * Keys updated: `'srcDevice_osName'` + +#### Parsers + +* [New] /Parsers/System/Atlassian/Atlassian Jira +* [New] /Parsers/System/Genetec/Genetec Synergis +* [New] /Parsers/System/Github/Github +* [New] /Parsers/System/JFrog/JFrog Artifactory +* [Updated] /Parsers/System/AWS/AWS EKS +* [Updated] /Parsers/System/Abnormal Security/Abnormal Security +* [Updated] /Parsers/System/Cisco/Cisco ASA +* [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog +* [Updated] /Parsers/System/Cylance/Cylance Syslog +* [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON +* 
[Updated] /Parsers/System/Orca Security/Orca Security +* [Updated] /Parsers/System/SentinelOne/SentinelOne CEF + +--- +### May 30, 2024 - Content Release + +This content release includes several new and multiple updated log mappers, plus several updated parsers. Details are enumerated below: + +#### Log Mappers +* [New] Cisco Meraki Firewall - Custom Parser + * Minor changes in cisco meraki mapper +* [New] Jamf Parser - Alert + * Removed wrong field +* [New] Jamf Parser - Network + * Removed wrong field +* [Updated] AWS GuardDuty Alerts from Sumo CIP + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWS S3 Server Access Log - Custom Parser + * Map bytesIn/bytesOut in AWS CloudTrail Data Events + * Keys updated: bytesIn, bytesOut +* [Updated] AWSGuardDuty_Backdoor + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Behavior + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Catch_All + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_CryptoCurrency + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Discovery + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Exfiltration + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_PenTest + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Persistence + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Policy + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_ResourceConsumption + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] AWSGuardDuty_Stealth + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] 
AWSGuardDuty_Trojan + * Added region field in all the events + * Keys updated: cloud_region +* Updated] AwsServiceEvent-AWS API Call via CloudTrail + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] BlueCat DHCP Parser - Catch All + * Changed mac address field in mapper + * Keys updated: device_mac, timestamp +* [Updated] Code42 Incydr FileEvents C2C + * Mapper adjustments + * Keys updated: event_id_pattern, user_username, file_path, severity, normalizedSeverity, threat_name +* [Updated] Recon_EC2_PortProbeUnprotectedPort + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] Recon_EC2_Portscan + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] Recon_IAMUser + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] UnauthorizedAccess_EC2_SSHBruteForce + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] UnauthorizedAccess_EC2_TorClient + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] UnauthorizedAccess_EC2_TorIPCaller + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] UnauthorizedAccess_EC2_TorRelay + * Added region field in all the events + * Keys updated: cloud_region +* [Updated] UnauthorizedAccess_IAMUser + * Added region field in all the events + * Keys updated: cloud_region + +#### Parsers +* [Updated] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog +* [Updated] /Parsers/System/Cisco/Cisco Meraki +* [Updated] /Parsers/System/Code42/Code42 Incydr +* [Updated] /Parsers/System/Jamf/Jamf +* [Updated] /Parsers/System/Microsoft/Shared/Syslog Headers Microsoft +* [Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers +* [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security + +--- +### May 30, 2024 - Application Update + + +#### Minor Changes and Enhancements + +* [New] To help facilitate investigations 
and audits, a list of the sourceMessageIds for each of the records that contributed to a Threshold, Chain, or Aggregation Signal are now included in that Signal's record in the `sec_signal` index, in the new `aggregatedMessageIds` field. + +#### Bug Fixes + +* The Community view on the MITRE ATT&CK® Threat Coverage Explorer was not filtering by default properly. + +--- +### May 23, 2024 - Content Release + +This release includes new Cloud SIEM detection rules, and updates to existing rules to correct summary and description expressions. All changes are enumerated below. + +#### Rules + +* [New] FIRST-S00061 First Seen USB device in use on Windows host + * This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. If the device name is unexpected and not authorized to be used in the environment, investigate the alert further and look for file creation events to the drive in question. The `fields["EventData.DeviceDescription"]` field contains the device name. +* [New] FIRST-S00059 First Seen esentutl command From User + * Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. Esentutl can also be utilized to download files from a remote share or URL. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. +* [New] FIRST-S00058 First Seen vssadmin command From User + * Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. 
This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. If this activity is performed as part of normal system maintenance, the rule can be tuned to exclude these groups of users. +* [New] FIRST-S00060 First Seen wbadmin command From User + * Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. +* [New] MATCH-S00908 Okta - MFA Request Denied by User + * This signal will trigger when a user denies an MFA request within the Okta authenticator application. Examine other authentication attempts for this particular user, and undertake confirmation efforts to ensure that this activity is expected and valid. +* [New] MATCH-S00907 Okta - Policy Rule Added + * This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. Check the Okta administrator portal for more details regarding the application in question such as scopes and access levels. The field `fields["target.1.alternateId"]` contains the name of the application that was created +* [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint + * This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta users API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. A full list of functionality for this endpoint can be found in the Okta documentation [here](https://developer.okta.com/docs/reference/api/users/). 
The `\u201cSuccess\u201d` field will indicate whether this API request was successful or not, and the `\u201cDescription\u201d` field will contain the event that was generated by the API request. Both failed and successful requests should be investigated. Ensure that this request was performed for legitimate purposes such as developer workflows or other automation mechanisms. Consider adding a match list exclusion with authorized accounts who perform requests to this Okta API endpoint via programmatic methods if this signal is triggering false positives. +* [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method + * This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. Investigation of the host is recommended to identify the behavior leading to and around the execution of this PowerShell process. +* [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution + * Detects the use of PowerShell for Application Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. Investigation into the host and user to identify the process executing the PowerShell function. See [here](https://www.ired.team/offensive-security/enumeration-and-discovery/t1010-application-window-discovery) for reference. +* [New] MATCH-S00918 Suspicious cat of PAM common-password policy + * The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. The common-password file defines behavior of password use in Linux subsystems. This detection looks for use of cat to display the contents of the common-password file, which should not be a common occurrence on systems. It is recommended to investigate the host upon which this detection occurs to understand the exposure of the password policies for the system. 
+* [New] MATCH-S00919 chage command use on host + * The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the `-l` flag to determine when the user's password or account is due to expire. It is recommended to investigate the system and account the command has been executed on, to assess the intent of this execution. Additionally, looking at the command line and parent process is helpful in identifying valid automated processes executing this command that would benefit from tuning out via Rule Tuning. +* [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User +* [Updated] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User +* [Updated] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address +* [Updated] FIRST-S00032 First Seen Kubectl Command From User +* [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User +* [Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP +* [Updated] MATCH-S00906 Okta - Application Created +* [Updated] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs) +* [Updated] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents) +* [Updated] MATCH-S00865 Potential Docker Escape via Command Line +* [Updated] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication +* [Updated] MATCH-S00883 macOS - Keychain Enumeration + +--- +### May 15, 2024 - Content Release + +This content release includes an updated log mapper, and two updated parsers. Details are enumerated below. + +Additionally, MATCH-S00408 has been decommissioned because it was not functioning as intended. 
+ +#### Rules + +* [Deleted] MATCH-S00408 Fake Windows Processes + +#### Log Mappers + +* [Updated] SentinelOne Logs - C2C threats + +#### Parsers + +* [Updated] /Parsers/System/Dell/Dell SonicWall +* [Updated] /Parsers/System/Okta/Okta + +--- +### May 15, 2024 - Application Update + +#### Rule-Based Signal Suppression + +We've added an advanced rule feature that allows users to override the global signal suppression period. This is most useful for individual rules that require much shorter (or no) suppression, such as rules that pass alerts through from external data sources such as endpoint detection systems. + +This setting can be accessed from the rule details page: + +Rule-Level Signal Suppression Settings in Cloud SIEM + +The setting is in the "Show Advanced" section. You can specify a suppression period for the rule between 0 and 168 hours (if you set it to 0, suppression is completely disabled for the rule). + +#### Minor Changes and Enhancements + +* Users can now view the MITRE ATT&CK® Threat Coverage Explorer with only the View Rules permission; previously users had to have the Manage Rules permission to access the Explorer. + +#### Bug Fixes + +* Some system events that automatically occur after an Insight is created (such as enrichment, automation service calls, and so on) were not consistently executing. +* Some system events that automatically occur just before rule processing (such as adding Geo IP and ASN data, checking match lists, and so on) were not consistently executing. +* Users were unable to duplicate rules due to an internal error. + +--- +### May 2, 2024 - Content Release + +This content release includes seventeen new rules and two updated rules. Details are enumerated below. 
+ +#### Rules + * [NEW] MATCH-S00896 Azure Authentication Policy Change + * [NEW] MATCH-S00895 NinjaCopy Usage Detected + * [NEW] MATCH-S00906 Okta - Application Created + * [NEW] MATCH-S00903 Okta - Device Added To User + * [NEW] MATCH-S00904 Okta - Device Removed From User + * [NEW] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon + * [NEW] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs) + * [NEW] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems) + * [NEW] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents) + * [NEW] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded + * [NEW] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration + * [NEW] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded + * [NEW] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded + * [NEW] MATCH-S00706 Registry Modification - Time Providers + * [NEW] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load + * [NEW] MATCH-S00899 Suspicious Active Directory Certificate Modification + * [NEW] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent + * [Updated] MATCH-S00706 Registry Modification - Time Providers + * Improved logic expression + * [Updated] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load + * Clarified Summary + +--- +### April 11, 2024 - Application Update + +#### MITRE ATT&CK® Coverage Enhancements + +We're excited to announce multiple enhancements to our MITRE ATT&CK Threat Coverage Explorer. + +* **Rules Filtering** - You can now easily filter the coverage visualization based on rules, including out-of-the-box and user-created rules, as well as enabled, disabled, production and prototype rules. 
+* **All Community Activity** - This view now defaults to show only the vendor and product logs that are being sent to Cloud SIEM from your data sources. This gives you a better comparison between what your theoretical and historical coverage shows and what other customers of Cloud SIEM using those same log sources are seeing. You can still change the filter to display other (or all) log sources. +* **Customizable Colors** - You can now customize the tile colors to your own scheme.
Custom MITRE ATT&CK Explorer Color Palette + +For full details, see the [MITRE ATT&CK Coverage documentation](/docs/cse/administration/mitre-coverage/). + +#### New UI Themes for Cloud SIEM + +We are also excited to announce that Cloud SIEM now supports two different UI themes: the default "dark" theme, and a new "light" theme: + +Light and Dark theme examples in Cloud SIEM + +The theme is set per user, and can be changed on the Sumo Logic user preferences page: + +Option to change UI theme + +Note that the setting currently only affects Cloud SIEM and the Automation Service, but in the future this setting will also affect other pages in the Sumo Logic UI. + +#### Bug fixes + +* Terraform no longer times out while waiting for match lists to be updated. + +--- +### April 5, 2024 - Content Release + +This content release includes a corrective update to a match rule summary expression and a log mapping bug fix. Changes are enumerated below. + +* Rules + * [Updated] MATCH-S00137 Office Application or Browser Launching Shell + * Fix typo in summary expression key + * Keys updated: `summary_expression`, `normalized_summary` +* Log Mappers + * [Updated] Microsoft Office 365 Active Directory Authentication Events + * Office_365 Mapping Correction + * Keys updated: `user_userId` + + +--- +### March 28, 2024 - Content Release + +This content release includes updated log mappers for Windows Sysmon as enumerated below. 
+ +#### Log Mappers + +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8 +* [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9 + +--- +### March 22, 2024 - Application Update + + +#### Minor changes and enhancements + +* Two enhancements have been implemented for the MITRE ATT&CK® Threat Coverage Explorer: + * The current tactic, technique and sub-technique metrics for the (default) Theoretical and Historical views are now written to the `sumologic_system_events` audit logs daily. This data can be used in dashboards to track coverage and events over time. 
+ * It is now possible, using the `/mitre-attack/json` endpoint, to extract the MITRE Explorer-formatted JSON via API. (This works the same as the **Export** button in the UI.) +* On the Insight details page, on the Entities tab, the default view is now the Graph view instead of the List view. +* Threat reputation icons/labels are now visible in a number of additional places throughout the UI. These can be set via enrichment. + +#### Bug fixes + +* In some cases, events that are supposed to occur automatically after an Insight is opened were not executing, or were severely delayed. +* If an Insight comment included a long URL, text wrapping was not behaving correctly and some text was being clipped from view. Also, newline characters were not always being honored properly in comments. + +--- +### March 21, 2024 - Content Release + +This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below. + +#### Rules + +* [Updated] MATCH-S00610 PSExec Named Pipe Created by Non-PsExec Process + * Expression Key updated +* [Updated] MATCH-S00159 Windows - Permissions Group Discovery + * Removed FirstSeen language in the match rule + +#### Log Mappers + +* [New] Cato Networks Security Events - Catch All +* [New] Windows - Security - 5156 +* [Updated] 1Password Item Audit Actions + * Updated event id pattern +* [Updated] 1Password Item Usage Actions + * Updated event id pattern +* [Updated] Azure Application Service Console Logs + * Azure Custom Parser Normalized Severity key update +* [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents + * Azure Custom Parser Normalized Severity key update +* [Updated] Azure Risky Users + * Azure Custom Parser Normalized Severity key update +* [Updated] Azure User Risk Events + * Azure Custom Parser Normalized Severity key update +* [Updated] Microsoft Defender for Cloud - Security Alerts + * Azure Custom Parser Normalized Severity key update +* [Updated] Okta Authentication - sso + * 
Application key updated + +--- +### March 11, 2024 - Content Release + +This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below. + +#### Rules + +* [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line + * Updated rule expression to reduce false positivity. +* [Updated] FIRST-S00044 First Seen AppID Generating MailIItemsAccessed Event + * Updated Severity from 4 to 1. +* [Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event + * Fixed description and summary transposition and lowered severity from 3 to 1. + +#### Log Mappers + +Added userAgent mapping to Okta. +* [New] Kaltura Audits +* [Updated] Okta Authentication - auth_via_mfa +* [Updated] Okta Authentication Events +* [Updated] Okta Catch All + +#### Parsers + +* [New] /Parsers/System/Kaltura/Kaltura + +--- +### February 23, 2024 - Content Release + +This content release includes modifications and additions to Citrix Cloud C2C to handle additional event types and bring existing event mapping into line with new events, support for Code42 Incydr via C2C, Abnormal Security via C2C, and JumpCloud Directory Insights via C2C. 
+ +#### Log Mappers + +* [Deleted] Citrix Cloud Client + * This mapping is replaced by new mappers for Citrix Cloud below +* [New] Abnormal Security Threats +* [New] Citrix Cloud Operation Logs +* [New] Citrix Cloud System Logs +* [New] Code42 Incydr Alerts C2C +* [New] Code42 Incydr Audits C2C +* [New] Code42 Incydr FileEvents C2C +* [New] JumpCloud Directory Insights - Admin Logon +* [New] JumpCloud Directory Insights - Catch All + +#### Parsers + +* [New] /Parsers/System/Abnormal Security/Abnormal Security +* [New] /Parsers/System/Code42/Code42 Incydr +* [New] /Parsers/System/JumpCloud/JumpCloud Directory Insights +* [Updated] /Parsers/System/Citrix/Citrix Cloud C2C + +--- +### February 19, 2024 - Content Release + +This release includes new log mapping and parsing content for Druva Cyber Resilience: + +#### Log Mappers + +* [New] Druva Cyber Resilience - Admin Logon +* [New] Druva Cyber Resilience - Catch All + +#### Parsers + +* [New] /Parsers/System/Druva/Druva Cyber Resilience + +#### Bug Fixes + +* Recently, two rules, FIRST-S00052 and FIRST-S00049, were released to customers erroneously. Soon after, these rules started generating false positive Signals and Insights. We have removed those rules from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights. + +--- +### February 19, 2024 - Application Update + +#### Minor changes and enhancements + +* [New] Continuing our work to better align the Cloud SIEM UI pages with Log Analytics UI pages to improve usability and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated. 
+* [New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged). +* [New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied. +* [Updated] The `Object Type` attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed. +* [New] A user-editable **Description** field has been added to Rule Tuning Expressions. + +#### Bug fixes + +* Sorting by value was not working properly on the Entities list page. +* Sometimes, if the target value was left blank (default), domain normalization would append a colon to the resulting value. +* Customers were experiencing rate limiting with VirusTotal due to a change to their API and constant retries due to resultant errors in Cloud SIEM. This has been resolved, as has an issue with enrichments for file hashes. +* Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly). +* The MITRE ATT&CK® `stage` attribute was missing from some Signals in the audit logs. +* Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration. +* On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible. +* The reputation indicator on the Entity Details page was being rendered, then hidden. + +--- +### February 13, 2024 - Content Release + +This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below. 
+ +#### Log Mappers + +* [New] Trellix mVision ePO Threats +* [New] Zero Networks Segment Audit Activity +* [New] Zero Networks Segment Network Activity +* [Updated] AzureActivityLog 01 + * Remapped `Application` from `properties.clientAppUsed` to `properties.appDisplayName` for consistency + +#### Parsers + +* [New] /Parsers/System/Trellix/Trellix MVision EPO +* [New] /Parsers/System/Zero Networks/Zero Networks Segment + +--- +### February 2, 2024 - Content Release + +This release includes minor mapping adjustments to Duo and MS Graph Identify Protection Risk logs. Specific changes are enumerated below. + +#### Log Mappers + +* [Updated] Duo Security Admin API - Audit + * Added mappings for source host and source IP +* [Updated] Duo Security Admin API - Authentication + * Added mappings for source host and source IP +* [Updated] Duo Security Admin API - Non-User Audit Changes + * Added mappings for source host and source IP +* [Updated] Duo Security Admin API - Targeted User Audit Changes + * Added mappings for source host and source IP +* [Updated] Microsoft Graph Identity Protection API C2C - riskDetections + * Added principal as primary `user_username` key +* [Updated] Microsoft Graph Identity Protection API C2C - riskyUsers + * Added principal as primary `user_username` key + +:::tip +For all the up-to-date Cloud SIEM content, see the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog). +::: + + +--- +### January 30, 2024 - Content Release + +This content release includes updates to log mappers for Zeek fixing several bugs that were preventing fields from mapping properly. + +#### Log Mappers + +* [Updated] Zeek DNS Activity +* [Updated] Zeek HTTP Activity +* [Updated] Zeek conn Activity + +:::tip +For all the up-to-date Cloud SIEM content, see the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog). 
+::: + + +--- +### January 12, 2024 - Content Release + +This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&K® tactic and technique tags. + +#### Rules + +* [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event + * Updated name expression to reduce insight false positivity +* [Updated] MATCH-S00686 Base64 Decode in Command Line +* [Updated] MATCH-S00373 BlueMashroom DLL Load +* [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User +* [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User +* [Updated] FIRST-S00013 First Seen Driver Load - Global +* [Updated] FIRST-S00014 First Seen Driver Load - Host +* [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address +* [Updated] MATCH-S00705 Registry Modification - Authentication Package +* [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL +* [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached +* [Updated] MATCH-S00279 TAIDOOR RAT DLL Load +* [Updated] MATCH-S00379 WMIExec VBS Script +* [Updated] MATCH-S00570 WMIPRVSE Spawning Process + * Corrected expression to exclude OS SID from `user_userId`; prior expression was incorrectly referencing `SubjectLogonID` +* [Updated] MATCH-S00724 Windows Update Agent DLL Changed +* [Updated] MATCH-S00435 XSL Script Processing + +#### Log Mappers + +* [New] 1Password Item Audit Actions +* [New] 1Password Item Usage Actions +* [New] Zeek DNS Activity +* [New] Zeek HTTP Activity +* [New] Zeek conn Activity + +#### Parsers + +* [New] /Parsers/System/1Password/1Password +* [New] /Parsers/System/1PasswordC2C/1PasswordC2C +* [New] /Parsers/System/Zeek/Zeek + +#### Schema +* [New] metadata_sourceBlockId + * The \_blockId of the original 
source log message (from Sumo Logic) diff --git a/blog-csoar/2023/12-31.md b/blog-csoar/2023/12-31.md index 91a29ebb10..e2dd6836b7 100644 --- a/blog-csoar/2023/12-31.md +++ b/blog-csoar/2023/12-31.md @@ -12,7 +12,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon -This is an archive of 2023 Cloud SOAR Release Notes. To view the full archive, [click here](/release-notes-csoar/archive). +This is an archive of 2023 Cloud SOAR release notes. To view the full archive, [click here](/release-notes-csoar/archive). diff --git a/blog-csoar/2024/12-31.md b/blog-csoar/2024/12-31.md index 6a910c4990..523e3bf1fa 100644 --- a/blog-csoar/2024/12-31.md +++ b/blog-csoar/2024/12-31.md @@ -12,7 +12,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; icon -This is an archive of 2024 Cloud SOAR Release Notes. To view the full archive, [click here](/release-notes-csoar/archive). +This is an archive of 2024 Cloud SOAR release notes. To view the full archive, [click here](/release-notes-csoar/archive). --- ### December 31, 2024 - Application Update From 9434693ed4e48983c7e69579ff564f82cb47f1b9 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 2 Jan 2025 17:01:59 -0600 Subject: [PATCH 3/5] Fix broken links --- blog-cse/2024/12-31.md | 4 ++-- blog-csoar/2024/12-31.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/blog-cse/2024/12-31.md b/blog-cse/2024/12-31.md index 4fa900d2e2..f021709160 100644 --- a/blog-cse/2024/12-31.md +++ b/blog-cse/2024/12-31.md 
@@ -852,7 +852,7 @@ Other changes are enumerated below. This release reverts a change to our AWS CloudTrail default (catch all) mapper for how `user_username` is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some `AssumedRole` events. -AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/2024/08/05/content/) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives. +AWS `AssumedRole` events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the [August 5th, 2024 content release](/release-notes-cse/#august-5-2024---content-release) to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives. AWS best practices suggest defining `sourceIdentity` to allow for the originating user for a role assumption to be identifiable. 
This is the best path to avoid false positive generation, as our mapper will favor `sourceIdentity` if it is present in CloudTrail logs. If it is not present, then `userIdentity.arn` will be used and the `resource-id` will be mapped to `user_username`, creating potential for false positives from dynamic session identifiers. See [Viewing source identity in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct) in the AWS documentation for more information. @@ -977,7 +977,7 @@ Individual changes are enumerated below. - The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts. --- -### August 05, 2024 - Content Release +### August 5, 2024 - Content Release This content release includes: * A new Cloud SIEM First Seen rule diff --git a/blog-csoar/2024/12-31.md b/blog-csoar/2024/12-31.md index 523e3bf1fa..ba273b40b7 100644 --- a/blog-csoar/2024/12-31.md +++ b/blog-csoar/2024/12-31.md @@ -312,7 +312,7 @@ This release introduces three new integrations, as well as several updates. --- ### March 12, 2024 - Content Release -Our Cloud SOAR [application update](/release-notes-csoar/2024/03/12/application-update/) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards. +Our Cloud SOAR [application update](/release-notes-csoar/#march-12-2024---application-update) features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards. The Python upgrade impacts a total of 38 integrations. These integrations will require updates to ensure compatibility with the new Python version. 
@@ -369,7 +369,7 @@ We strongly encourage all users to review the provided documentation and prepare ### March 12, 2024 - Application Update #### Changes and Enhancements -* Python version updated. If you experience any issues, refer to our [content release note](/release-notes-csoar/2024/03/12/content/). +* Python version updated. If you experience any issues, refer to our [content release note](/release-notes-csoar/#march-12-2024---content-release). ##### Cloud SOAR * Playbooks: Test feature now permits you to use internal Incident ID. From 735e8a8d73f287eb6b87c333092205e060a7ba88 Mon Sep 17 00:00:00 2001 From: "John Pipkin (Sumo Logic)" Date: Fri, 3 Jan 2025 09:10:04 -0600 Subject: [PATCH 4/5] Update blog-cse/2024/12-31.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- blog-cse/2024/12-31.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-cse/2024/12-31.md b/blog-cse/2024/12-31.md index f021709160..abfcabdab0 100644 --- a/blog-cse/2024/12-31.md +++ b/blog-cse/2024/12-31.md @@ -429,7 +429,7 @@ Audit Object Access (success and failure) must be enabled for this rule to funct - Corrected the JSON parser for MAPPER:event_id to facilitiate proper mapping processing --- -### October 04, 2024 - Content Release +### October 4, 2024 - Content Release This content release includes: * Detection rules centered around Amazon Bedrock activities. From 81b42caf1d16a94448efe76bd1cfe060935d017d Mon Sep 17 00:00:00 2001 From: "John Pipkin (Sumo Logic)" Date: Fri, 3 Jan 2025 09:10:13 -0600 Subject: [PATCH 5/5] Update blog-csoar/2024/12-31.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- blog-csoar/2024/12-31.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-csoar/2024/12-31.md b/blog-csoar/2024/12-31.md index ba273b40b7..9f04962f67 100644 --- a/blog-csoar/2024/12-31.md +++ b/blog-csoar/2024/12-31.md 
@@ -580,7 +580,7 @@ This release introduces two new integrations, **ipdata** and **Google Alert Cent * Updated action: User Attributes V2 --- -### January 03, 2024 - Application Update +### January 3, 2024 - Application Update #### Changes and Enhancements * Playbooks: UserChoice nodes can be handled now from Slack workspace (see [documentation](/docs/cloud-soar/automation#configure-slack-for-cloud-soar)).
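Review bot: in the archived `blog-cse/2024/12-31.md` hunk, the description under `MATCH-S00907 Okta - Policy Rule Added` (May 23, 2024 Content Release) is the text for an application-created rule (`This rule looks for an Okta application being created...` and `fields["target.1.alternateId"] contains the name of the application that was created`), which matches the neighbouring MATCH-S00906 Okta - Application Created entry; the Policy Rule Added bullet needs its own description before this is archived. While the text is being moved, a few other defects in the same hunk are worth fixing: the MATCH-S00905 description contains literal `\u201cSuccess\u201d` / `\u201cDescription\u201d` escape sequences where quotation marks were intended; the May 2, 2024 list marks MATCH-S00706 and MATCH-S00690 as both `[NEW]` and `[Updated]` in the same release and uses the `[NEW]` tag where every other section uses `[New]`; and there are probable typos in `MailIItemsAccessed` (March 11), `MS Graph Identify Protection Risk logs` (February 2) and `MITRE ATT&K®` (January 12). In the March 11 section the sentence `Added userAgent mapping to Okta.` sits between the Log Mappers heading and the list rather than under the Okta entries it applies to.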
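Review bot: in the `@@ -852` hunk of `blog-cse/2024/12-31.md`, the new target `/release-notes-cse/#august-5-2024---content-release` only resolves if the August 5 heading still renders on the top-level `/release-notes-cse/` page; this file is the 2024 archive, and the `@@ -977` hunk of the same patch renames that heading inside this same file, so if the 2024 entries no longer appear on the main page the anchor should point at the archive page, or simply use an in-page `#august-5-2024---content-release` link since source and target live in one document. Also, since this line is being touched anyway, `static user identifer` should read `identifier`.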
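Review bot: the `@@ -312` hunk of `blog-csoar/2024/12-31.md` (and its mirror in the `@@ -369` hunk) replaces a dead per-post URL with `/release-notes-csoar/#march-12-2024---application-update`, but both the linking text and the `March 12, 2024 - Application Update` heading it points to are in this same archive file, so a bare in-page `#march-12-2024---application-update` / `#march-12-2024---content-release` link would not depend on the 2024 notes still being rendered on the top-level `/release-notes-csoar/` page. Whichever form is kept, confirm the slug against the rendered heading: the generated anchor keeps the three consecutive hyphens from ` - ` in the title, which is easy to get wrong by hand.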
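Review bot: the heading renames in the `@@ -429` hunk (`October 04, 2024` to `October 4, 2024`) and the `@@ -580` hunk (`January 03, 2024` to `January 3, 2024`) change the generated anchors from `#october-04-2024---content-release` and `#january-03-2024---application-update` to the un-padded forms, which is exactly the link style PATCH 3/5 just introduced; grep both the cse and csoar docs for the old zero-padded slugs before merging so no link is left pointing at the previous anchor. The new forms do match the date style used by the other headings in these files (`April 5, 2024`, `May 2, 2024`, `August 5, 2024`), so the change itself is consistent.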