Cloud SIEM network sensor end-of-life​

The Sumo Logic Product Team is discontinuing our on-premise network sensor feature for Sumo Logic Cloud SIEM. The feature will no longer receive updates as of November 8, 2024, and support ends as of April 30, 2025. We fully support a customer or partner managed Zeek network sensor as a data source for our Cloud SIEM product that will provide equivalent monitoring of your network.

Learn more here.

This content release includes:

• New detection rules.
• Updates to existing detection rules to correct rule logic and reduce false positives.
• New parsing and mapping support for Automox, WatchGuard Firewall, and Digital Guardian ARC.
• Update to existing AWS Application Load Balancer parsing and mapping to support Connection logs.
• Update to MITRE ATT&CK tag schema to support ATT&CK v16.0.

Changes are enumerated below.

Rules​

• [New] CHAIN-S00018 Autorun file created after USB disk mount on host
  • This signal looks for a USB drive being mounted on a Windows host followed by a file creation event with the file name of "autorun.inf" within a 5-minute time frame. This activity could be indicative of an attempt at lateral movement or initial access avenues through a USB device. Ensure that the machine in question is authorized to use USB devices and look for other file creation events from this host around the same time frame.
• [New] FIRST-S00071 First Seen AWS ConsoleLogin by User
  • First observance of a user logging on to the Amazon AWS console. This could be indicative of new administrator onboarding, or an unauthorized access to the AWS console. Recommended to investigate the nature of the user account and the login.
• [New] FIRST-S00080 First Seen Azure Portal access by User
  • First observance of a user logging on to the Microsoft Azure Portal. This could be indicative of new user onboarding, or an unauthorized access to the Azure portal. Recommended to investigate the nature of the user account and the login.
• [New] FIRST-S00073 First Seen Get-ADDefaultDomainPasswordPolicy
  • The first observed execution of the PowerShell CMDLet Get-ADDefaultDomainPasswordPolicy on this host. This CMDLet can be used in the discovery of Windows Domain Password Policies by threat actors. Investigating the host and active users for additional activity around the time of execution is recommended.
• [New] FIRST-S00072 First Seen Group Policy Discovery Operation
  • This detection is a first observed execution of Windows process or PowerShell commands that can be run by users or administrators in order to gather password policy and other types of system information in an enterprise environment. The detections in this signal are based off variations found in Atomic Red Team test cases. Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md. Look at the command line and parent process details of the signal in order to determine if this execution is legitimate or part of system provisioning or systems administration operations.
• [New] FIRST-S00076 First Seen Net Command Use on Host
  • Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the first observance of a Net related command on a system related to these discovery tactics. It is recommended to investigate the host and user to determine if this is authorized admin activity or needs further inspection.
• [New] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
  • First Seen rule which triggers when there are at least two successful logins from the same user with different country codes indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.)
• [New] FIRST-S00074 First Seen driverquery execution on host
  • First observed execution of the driverquery command on the following device host: {{device_hostname}}. Driverquery is a useful command for an attacker to enumerate local device drivers to determine next steps in the attack. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
• [New] FIRST-S00079 First Seen gpresult execution on host
  • This detection is first observed execution of gpresult on a host. This command may be used by attackers to access detailed password policy information in an enterprise environment. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
• [New] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
  • This signal looks for a new Client ID value ( mapped to the user_username field ) and ASN combination being issued an OIDC token, excluding the Okta Browser Plugin and Okta Dashboard. Use the Okta admin portal and look at the "Applications" section to cross-reference the Client ID value. Ensure that the IP address that is requesting the token is known and that this operation is expected and authorized.
• [New] FIRST-S00068 Okta - First Seen User Accessing Admin Application
  • A user not seen since the baseline period has accessed the Okta admin application. Ensure that this user is expected to perform Okta administrative activities. If this user is expected and authroized, consider adding the user to the "Okta_Admins" match list to exclude the user from this signal.
• [New] FIRST-S00066 Okta - First Seen User Requesting Report
  • This signal looks for a first seen user requesting an export of an Okta report. The various Okta report types can be found in the “Reports” section of the Okta administrative portal and can include various report types such as application password help, MFA usage, and reports around user access. During the October 2023 Okta incident, threat actors downloaded reports from Okta portals to extract information regarding user contact information. Ensure that the user that is requesting such reports is authorized and that this activity is expected. If a suspicious report generation event occurs, look at the “target” element within the event to gain more detailed information as to the type of report being generated and exported.
• [New] OUTLIER-S00018 Okta - Outlier in ASNs Used to Access Applications
  • This signal looks for an outlier in the number of distinct autonomous system numbers (ASNs) that a particular user utilizes to access Okta resources within an hour time period. This is designed to alert on various forms of token or credential theft as well as general Okta session anomalies.
• [New] OUTLIER-S00017 Okta - Outlier in MFA Attempts Denied by User
  • This signal builds an hourly baseline of MFA denied events per user and triggers when an outlier in the number of denied attempts is detected. This signal is designed to trigger on MFA-fatigue type attacks. If false positives are detected, consider excluding certain users from the alerting logic or raise the minimum count value within the rule configuration.
• [New] OUTLIER-S00016 Okta - Outlier in OIDC token request failures
  • This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. Use the Okta admin portal to correlate the Client ID (mapped to user_username) to determine what application is being targeted. Pivot off the Client ID and IP address values to examine the raw Okta events in order to ensure that this activity is planned and expected. This activity can occur during setup and development of Okta applications and integrations.
• [New] OUTLIER-S00013 Outlier in Data Outbound Per Day by Admin or Sensitive Device
  • A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
• [New] OUTLIER-S00015 Outlier in Data Outbound Per Hour by Admin or Sensitive Device
  • A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
• [Updated] THRESHOLD-S00095 Password Attack
  • Added NULL exclusion to rule expression to prevent false-positives stemming from NULL IP or hostnames.
• [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port
  • Added missing parenthesis to match expression.

Log Mappers​

• [New] AWS - Application Load Balancer - Connection
• [New] Automox - Audit logs
• [New] Automox - Audit logs - Logon
• [New] Automox - Event logs
• [New] Digital Guardian ARC - Audit Events
• [New] Digital Guardian ARC - Mail
• [New] Digital Guardian ARC - Network
• [New] Digital Guardian ARC - User Login|Logoff
• [New] Watchguard Fireware - Firewall
• [New] Watchguard Fireware - http/https-proxy

Parsers​

• [New] /Parsers/System/Automox/Automox
• [New] /Parsers/System/Digital Guardian/Digital Guardian ARC
• [New] /Parsers/System/WatchGuard/WatchGuard Fireware
• [Updated] /Parsers/System/AWS/AWS ALB
  • Updated parser to support AWS Application Load Balancer Connection logs

This content release includes:

• New Detection rules for Github Enterprise Audit.
• New Detection rules for Okta identity and access management.
• Updated parser and mappers for Cisco Meraki firewall, and Cisco Meraki Flows:
  • Updated the pattern lookup for: action, normalized action, and success.
• Updated log mappers for Github Enterprise Audit:
  • Updated the name of the product and the internal ID that corresponds to it.
• Updated parser for Github Enterprise Audit time handling.
• New parsers and mappers for Apache HTTP server and Kandji EDR.
• Other changes enumerated below.

Please be advised that rule FIRST-S00031 (First Seen IP Address Associated with User for a Successful Azure AD Sign In Event) is not performing as intended and will be decommissioned in a forthcoming release. Please use FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) which provides an accurate and less sensitive detection point.

Rules​

• [New] MATCH-S00922 AWS Bedrock Agent Created.
  • This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications.
• [New] MATCH-S00924 AWS Bedrock Guardrail Deleted.
  • AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change.
• [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User.
  • A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock.
• [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed.
  • An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized.
• [New] OUTLIER-S00024 AWS DynamoDB Outlier in GetItem Events from User.
  • An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances.
• [New] OUTLIER-S00025 AWS S3 Outlier in PutObject Denied Events
  • This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function.
• [New] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe
  • Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. Audit Object Access (success and failure) must be enabled for this rule to function.
• [New] MATCH-S00896 Azure Authentication Policy Change
  • Various authentication related policy configurations exist within Azure. These are tenant-wide policy changes that affect aspects such as enabling of number matching, changing of which authentication methods users are allowed to use, or the exclusion of certain groups from various authentication methods.
• [New] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
  • This rule detects credential dumping using copy command from a shadow copy.
• [New] FIRST-S00084 First Seen AWS Bedrock API Call from User
  • This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services.
• [New] FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
  • This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. This can be indictive of enumeration of certificate templates which can potentially lead to forged certificates and privilege escalation avenues.
• [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
  • Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period.
• [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
  • A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model.
• [New] FIRST-S00088 First Seen NTLM Authentication to Host (User)
  • A user has performed NTLM authentication to a host on the network for the first time since the baseline period has been established.
• [New] FIRST-S00076 First Seen Net Command Use on Host
• [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
  • An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation.
• [New] FIRST-S00061 First Seen USB device in use on Windows host
  • This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics.
• [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
  • AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM.
• [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
  • A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock.
• [New] FIRST-S00059 First Seen esentutl command From User
  • Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
• [New] FIRST-S00058 First Seen vssadmin command From User
  • Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
• [New] FIRST-S00060 First Seen wbadmin command From User
  • Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
• [New] MATCH-S00429 LSASS Memory Dumping
  • Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
• [New] MATCH-S00161 Malicious PowerShell Get Commands
  • This rule detects commandlets from common PowerShell exploitation frameworks.
• [New] MATCH-S00895 NinjaCopy Usage Detected
  • NinjaCopy is a legacy PowerShell tool that can copy files from an NTFS volume in a manner that bypasses SACL auditing as well as DACL controls such as only allowing SYSTEM to open a file.
• [New] MATCH-S00906 Okta - Application Created
  • This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications.
• [New] MATCH-S00903 Okta - Device Added To User
  • An Okta device was added to a user. This activity may occur as part of normal user operations such as lost device.
• [New] MATCH-S00904 Okta - Device Removed From User
  • An Okta device was removed from a user. It is recommended that the user performing the action be cross-referenced to a list of approved Okta administrators.
• [New] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon
  • This signal looks for a single user explicitly denying at least two (2) multi factor authentication prompts, followed by a successful Okta login via multi factor authentication within a twenty-five (25) minute window. This logic is designed to catch successful MFA fatigue type attacks.
• [New] MATCH-S00908 Okta - MFA Request Denied by User
  • This signal will trigger when a user denies an MFA request within the Okta authenticator application.
• [New] MATCH-S00907 Okta - Policy Rule Added
  • An Okta policy rule has been added through the Okta admin application.
• [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint
  • This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta “users” API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks.
• [New] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
  • This rule detects when a user has utilized multiple distinct ASNs when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly.
• [New] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
  • This rule detects when a user has utilized multiple distinct User Agents when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly.
• [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
  • An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts.
• [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
  • An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts.
• [New] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded
  • This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows domain users full control over the certificate
• [New] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration
  • This alert looks for two events in a particular order, the first event involves a certificate template being loaded with a certificate request agent application policy.
• [New] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded
  • This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows all domain users the ability to enroll the template.
• [New] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded
  • This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows the enrolee to supply a subject and allows all domain users to enroll.
• [New] MATCH-S00899 Suspicious Active Directory Certificate Modification
  • This alert looks for an Active Directory certificate being modified with the "Any Purpose" OID.
• [New] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent
  • This alert looks for an Active Directory certificate being modified with an Enrollment Agent value that allows an Active Directory principal to enroll a certificate on behalf of another user.
• [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method
  • This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates.
• [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution
  • Detects the use of PowerShell for Applicaiton Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling.
• [New] MATCH-S00918 Suspicious cat of PAM common-password policy
  • The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users.
• [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
  • Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call.
• [New] MATCH-S00583 WCE wceaux.dll Access
  • Obvserves for access of wceaux.dll, which may be indicative of credential access.
• [New] MATCH-S00159 Windows - Permissions Group Discovery
  • Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the use net.exe related commands on a system related to these discovery tactics.
• [New] THRESHOLD-S00067 ZeroLogon Privilege Escalation Behavior
  • An attack against CVE-2020-1472 may create thousands of NetrServerReqChallenge and NetrServerAuthenticate3 requests in a short amount of time.
• [New] MATCH-S00919 chage command use on host
  • The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user’s password or account is due to expire.

Log Mappers​

• [New] Apache HTTP Server - Access log
• [New] Kandji EDR - catch all
• [Updated] Cisco Meraki Firewall - Custom Parser
• [Updated] Cisco Meraki Flows - Custom Parser
• [Updated] GitHub Enterprise Audit - Access Events
• [Updated] GitHub Enterprise Audit - Authentication Events
• [Updated] GitHub Enterprise Audit - Create Events
• [Updated] GitHub Enterprise Audit - Modify Events
• [Updated] GitHub Enterprise Audit - Remove Events
• [Updated] GitHub Enterprise Audit - Restore Events
• [Updated] GitHub Enterprise Audit - Transfer Events
• [Updated] GitHub Enterprise Audit Catch All

Parsers​

• [New] /Parsers/System/Apache/Apache HTTP Server
• [New] /Parsers/System/Kandji/Kandji EDR
• [Updated] /Parsers/System/Cisco/Cisco Meraki
  • Corrected parser to address incorrect mapping leading to alert errors.
• [Updated] /Parsers/System/Github/GitHub Enterprise Audit
  • Parser modification to the MAPPER:product from Github Enterpries to Github Enterprise Audit
• [Updated] /Parsers/System/Kemp/Kemp LoadMaster Syslog
  • Corrected parser transform for the log-entry format of the Process_Syslog_Header
• [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
  • Corrected the JSON parser for MAPPER:event_id to facilitiate proper mapping processing

This content release includes:

• Detection rules centered around Amazon Bedrock activities.
• Consolidation of AWS CloudTrail mappers to replicate current mapper behavior with fewer distinct mappers.
• New support for GitHub Enterprise Audit (parsing and mapping).
• New support for Honeywell Pro-Watch (parsing and mapping).
• New support for Citrix Zendesk (parsing and mapping).
• Further mapping updates to better employ Normalized Classification fields across data sources.
• Removal of some duplicate mapped fields.
• Other changes enumerated below.

Rules​

• [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
  • An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
• [New] MATCH-S00922 AWS Bedrock Agent Created
  • This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
• [New] MATCH-S00924 AWS Bedrock Guardrail Deleted
  • AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious.
• [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User
  • A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field.
• [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
  • A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions.
• [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
  • A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
• [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User
  • This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected.
• [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
  • An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
• [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
  • Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
• [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
  • AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives.
• [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
  • An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
• [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
  • An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
• [New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User
  • An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function.
• [New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events
  • This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges.
• [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
  • Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.

Log Mappers​

New Event/Source Support​

• [New] Fortinet utm-ssl Logs
• [New] GitHub Enterprise Audit - Access Events
• [New] GitHub Enterprise Audit - Authentication Events
• [New] GitHub Enterprise Audit - Create Events
• [New] GitHub Enterprise Audit - Modify Events
• [New] GitHub Enterprise Audit - Remove Events
• [New] GitHub Enterprise Audit - Restore Events
• [New] GitHub Enterprise Audit - Transfer Events
• [New] GitHub Enterprise Audit Catch All
• [New] Honeywell Pro-Watch Catch All
• [New] Zendesk Catch All

Extended Normalized Classification Support​

• [Updated] Azure Event Hub - Windows Defender Logs
• [Updated] Azure ManagedIdentitySignInLogs
• [Updated] Azure NonInteractiveUserSignInLogs
• [Updated] Azure ServicePrincipalSignInLogs
• [Updated] Azure Write and Delete Logs
• [Updated] AzureActivityLog 01
• [Updated] Carbon Black Cloud - Observation event
• [Updated] Carbon Black Cloud Script Load
• [Updated] Cisco ASA 109005-8 JSON
• [Updated] Cisco ASA 113005
• [Updated] Cisco ASA 113005 JSON
• [Updated] Cisco ASA 113012-17 JSON
• [Updated] Cisco ASA 716039 JSON
• [Updated] Cisco ASA 719022-3 JSON
• [Updated] Cisco ASA 751011 JSON
• [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
• [Updated] CrowdStrike FDR - CriticalFileAccessed
• [Updated] CylancePROTECT Threats
• [Updated] Fortinet Event Logs
• [Updated] Fortinet Virus Logs
• [Updated] Kaspersky Endpoint Security Catch All
• [Updated] Lacework Alert
• [Updated] Linux OS Syslog - Cron - Session Closed
• [Updated] Linux OS Syslog - Cron - Session Opened
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
• [Updated] Linux OS Syslog - Process sshd - SSH Public Key Not Allowed
• [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
• [Updated] Linux OS Syslog - Process systemd - Systemd Session Start
• [Updated] McAfee WebGateway - CEF - User Login Failed
• [Updated] Microsoft Defender for Cloud - Security Alerts
• [Updated] Microsoft Office 365 Active Directory Authentication Events
• [Updated] Microsoft Office 365 Threat Intelligence Atp Content Events
• [Updated] OSSEC Alert
• [Updated] OpenVPN Authentication Attempt
• [Updated] OpenVPN Logon Attempt
• [Updated] Osquery Process Auditing
• [Updated] Palo Alto Traps - Custom Parser
• [Updated] RSA SecurID SinglePoint Authentication
• [Updated] Snowflake Login
• [Updated] Symantec Agent Behavior Logs
• [Updated] Symantec Agent Risk Logs
• [Updated] Symantec Agent Risk SONAR Logs
• [Updated] Symantec Agent Scan Logs
• [Updated] Sysdig Kubernetes JSON
• [Updated] Tanium IOC Event - CEF Custom Parser
• [Updated] Windows - Security - 4625

Added 'Cause' mapping and added 'null' as a skipped value​

• [Updated] Okta Authentication - auth_via_AD_agent
• [Updated] Okta Authentication - auth_via_mfa
• [Updated] Okta Authentication - auth_via_radius
• [Updated] Okta Authentication - sso
• [Updated] Okta Authentication Events
• [Updated] Okta Catch All
• [Updated] Okta Security Threat Events

Consolidated CloudTrail Mappings​

• [Deleted] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
• [Deleted] CloudTrail - cloudtrail.amazonaws.com - StartLogging
• [Deleted] CloudTrail - cloudtrail.amazonaws.com - StopLogging
• [Deleted] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
• [Deleted] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
• [Deleted] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
• [Deleted] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
• [Deleted] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
• [Deleted] CloudTrail - ec2.amazonaws.com - CreateKeyPair
• [Deleted] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
• [Deleted] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
• [Deleted] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
• [Deleted] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
• [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
• [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
• [Deleted] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
• [Deleted] CloudTrail - ec2.amazonaws.com - ImportKeyPair
• [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
• [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
• [Deleted] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - AttachRolePolicy
• [Deleted] CloudTrail - iam.amazonaws.com - AttachUserPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - CreateAccessKey
• [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicy
• [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
• [Deleted] CloudTrail - iam.amazonaws.com - CreateUser
• [Deleted] CloudTrail - iam.amazonaws.com - DeletePolicy
• [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
• [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
• [Deleted] CloudTrail - iam.amazonaws.com - DeleteUser
• [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
• [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - DetachRolePolicy
• [Deleted] CloudTrail - iam.amazonaws.com - DetachUserPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - PutGroupPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - PutRolePolicy
• [Deleted] CloudTrail - iam.amazonaws.com - PutUserPolicy
• [Deleted] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
• [Deleted] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
• [Deleted] CloudTrail - lambda.amazonaws.com - AddPermission
• [Deleted] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping
• [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunction
• [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig
• [Deleted] CloudTrail - lambda.amazonaws.com - DeleteFunction
• [Deleted] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping
• [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration
• [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig
• [Deleted] CloudTrail - lambda.amazonaws.com - PublishLayerVersion
• [Deleted] CloudTrail - lambda.amazonaws.com - RemovePermission
• [Deleted] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping
• [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode
• [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration
• [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig
• [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogGroup
• [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogStream
• [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketCors
• [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
• [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
• [Deleted] CloudTrail - s3.amazonaws.com - PutBucketAcl
• [Deleted] CloudTrail - s3.amazonaws.com - PutBucketCors
• [Deleted] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
• [Deleted] CloudTrail - s3.amazonaws.com - PutBucketPolicy
• [Deleted] CloudTrail - s3.amazonaws.com - PutBucketReplication
• [Deleted] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
• [Deleted] CloudTrail - signin.amazonaws.com - CheckMfa
• [Deleted] CloudTrail - signin.amazonaws.com - ExitRole
• [Deleted] CloudTrail - signin.amazonaws.com - RenewRole
• [Deleted] CloudTrail - signin.amazonaws.com - SwitchRole
• [Deleted] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
• [Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging
• [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
• [Updated] CloudTrail - iam.amazonaws.com - Policy Change
• [Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion
• [Updated] CloudTrail - lambda.amazonaws.com - Audit Change
• [Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction
• [Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy
• [Updated] CloudTrail - lambda.amazonaws.com - Resource Access
• [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream
• [Updated] CloudTrail - s3.amazonaws.com - Bucket Change
• [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted
• [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
• [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication

Parsers​

• [New] /Parsers/System/Github/GitHub Enterprise Audit
• [New] /Parsers/System/Honeywell/Honeywell Pro-Watch
• [New] /Parsers/System/Zendesk/Zendesk
• [Updated] /Parsers/System/AWS/AWS ALB
  • Extends AWS ALB parser to handle additional conn_trace_id field
• [Updated] /Parsers/System/Citrix/Citrix Cloud C2C
  • Modifies time handling and drops logs without security value
• [Updated] /Parsers/System/Dell/Dell SonicWall
  • Minor regex fix for port and protocol handling
• [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • Additional TRAFFIC log format handling

This content release includes:

• Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal).
• Deletion of a low efficacy rule.
• Mapping updates to better employ normalized classification fields across data sources.
• Adds alternate case handling for Windows Security Event Log error codes.
• Updates to LastPass parsing and mapping to support Reporting and Failed Logon events.
• Adds support for Thinkst Canary JSON logging.
• Adjusts time handling for Thinkst Canary Syslog.

Other changes are enumerated below.

Rules​

• [Deleted] LEGACY-S00180 DNS query for dynamic DNS provider
• [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
• [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
• [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
• [Updated] MATCH-S00727 CPL File Executed from Temp Directory
• [Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings
• [Updated] MATCH-S00658 Container Management Utility in Container
• [Updated] MATCH-S00410 Copy from Admin Share
• [Updated] MATCH-S00443 Create Windows Share
• [Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
• [Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy
• [Updated] MATCH-S00348 Curl Start Combination
• [Updated] MATCH-S00385 DTRACK Process Creation
• [Updated] MATCH-S00441 Delete Windows Share
• [Updated] MATCH-S00543 Detect Psexec With Accepteula Flag
• [Updated] MATCH-S00319 Dridex Process Pattern
• [Updated] MATCH-S00590 Elise Backdoor
• [Updated] MATCH-S00392 File or Folder Permissions Modifications
• [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
• [Updated] FIRST-S00059 First Seen esentutl command From User
• [Updated] FIRST-S00041 First Seen networksetup Usage from User
• [Updated] FIRST-S00058 First Seen vssadmin command From User
• [Updated] FIRST-S00060 First Seen wbadmin command From User
• [Updated] FIRST-S00008 First Seen whoami command From User
• [Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility
• [Updated] MATCH-S00325 Greenbug Campaign Indicators
• [Updated] MATCH-S00367 Impacket Lateralization Detection
• [Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility
• [Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility
• [Updated] MATCH-S00322 Judgement Panda Credential Access Activity
• [Updated] MATCH-S00334 Judgement Panda Exfil Activity
• [Updated] MATCH-S00651 Kubernetes CreateCronjob
• [Updated] MATCH-S00652 Kubernetes DeleteCronjob
• [Updated] MATCH-S00650 Kubernetes ListCronjobs
• [Updated] MATCH-S00648 Kubernetes ListSecrets
• [Updated] MATCH-S00647 Kubernetes Pod Deletion
• [Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed
• [Updated] MATCH-S00461 LNKSmasher Utility Commands
• [Updated] MATCH-S00746 Loadable Kernel Module Dependency Install
• [Updated] MATCH-S00745 Loadable Kernel Module Enumeration
• [Updated] MATCH-S00723 Loadable Kernel Module Modifications
• [Updated] MATCH-S00352 MSHTA Suspicious Execution
• [Updated] MATCH-S00534 MacOS - Re-Opened Applications
• [Updated] MATCH-S00729 MacOS Gatekeeper Bypass
• [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
• [Updated] MATCH-S00161 Malicious PowerShell Get Commands
• [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
• [Updated] MATCH-S00198 Malicious PowerShell Keywords
• [Updated] MATCH-S00331 MavInject Process Injection
• [Updated] MATCH-S00466 MsiExec Web Install
• [Updated] MATCH-S00288 NotPetya Ransomware Activity
• [Updated] MATCH-S00698 PATH Set to Current Directory
• [Updated] MATCH-S00659 Package Management Utility in Container
• [Updated] MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034
• [Updated] MATCH-S00149 PowerShell File Download
• [Updated] MATCH-S00449 Powershell Execution Policy Bypass
• [Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll
• [Updated] MATCH-S00439 Psr.exe Capture Screenshots
• [Updated] MATCH-S00167 Recon Using Common Windows Commands
• [Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator
• [Updated] MATCH-S00506 SC Exe Manipulating Windows Services
• [Updated] MATCH-S00153 Scheduled Task Created via PowerShell
• [Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System
• [Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot
• [Updated] MATCH-S00359 Suspicious Certutil Command
• [Updated] MATCH-S00356 Suspicious Compression Tool Parameters
• [Updated] MATCH-S00362 Suspicious Curl File Upload
• [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
• [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution
• [Updated] MATCH-S00191 Suspicious PowerShell Keywords
• [Updated] MATCH-S00431 Suspicious Use of Procdump
• [Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution
• [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
• [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
• [Updated] MATCH-S00531 Unload Sysmon Filter Driver
• [Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions
• [Updated] MATCH-S00761 Volume Shadow Copy Service Stopped
• [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
• [Updated] MATCH-S00760 WMI Ping Sweep
• [Updated] MATCH-S00146 WMI Process Call Create
• [Updated] MATCH-S00151 WMI Process Get Brief
• [Updated] MATCH-S00379 WMIExec VBS Script
• [Updated] MATCH-S00400 Web Download via Office Binaries
• [Updated] MATCH-S00539 Web Servers Executing Suspicious Processes
• [Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands
• [Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog
• [Updated] MATCH-S00181 Windows - Domain Trust Discovery
• [Updated] MATCH-S00168 Windows - Local System executing whoami.exe
• [Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe
• [Updated] MATCH-S00159 Windows - Permissions Group Discovery
• [Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas
• [Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed
• [Updated] MATCH-S00281 Windows - PowerShell Process Discovery
• [Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire
• [Updated] MATCH-S00185 Windows - Remote System Discovery
• [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
• [Updated] MATCH-S00170 Windows - Scheduled Task Creation
• [Updated] MATCH-S00192 Windows - System Network Configuration Discovery
• [Updated] MATCH-S00194 Windows - System Time Discovery
• [Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh
• [Updated] MATCH-S00532 Windows Adfind Exe
• [Updated] MATCH-S00552 Windows Connhost Started Forcefully
• [Updated] MATCH-S00398 Windows Defender Download Activity
• [Updated] MATCH-S00179 Windows Network Sniffing
• [Updated] MATCH-S00157 Windows Process Name Impersonation
• [Updated] MATCH-S00178 Windows Query Registry
• [Updated] MATCH-S00533 Windows Security Account Manager Stopped
• [Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path
• [Updated] MATCH-S00724 Windows Update Agent DLL Changed
• [Updated] MATCH-S00382 Winnti Pipemon Characteristics
• [Updated] MATCH-S00435 XSL Script Processing
• [Updated] MATCH-S00726 macOS Kernel Extension Load

Log Mappers​

• [New] LastPass Failed Login Attempt
• [New] LastPass Reporting
• [Updated] Thinkst Canary Parser - Catch All
  • Removed time handling from mapper to favor parser time handling
• [Updated] 1Password Item Audit Actions
• [Updated] 1Password Item Usage Actions
• [Updated] AWS Config - Custom Parser
• [Updated] AWS EKS - Custom Parser
• [Updated] AWS Inspector - Custom Parser
• [Updated] AWS Route 53 Logs
• [Updated] AWS S3 Server Access Log - Custom Parser
• [Updated] AWS Security Hub
• [Updated] AWSGuardDuty - Audit Events
• [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
• [Updated] AWSGuardDuty - Reconnaissance and malicious activity detection
• [Updated] AWSGuardDuty - Tor Client and Relay
• [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
• [Updated] AWSGuardDuty_Catch_All
• [Updated] Adaxes - Custom Parser
• [Updated] ApplicationGatewayAccessLog
• [Updated] ApplicationGatewayFirewallLog
• [Updated] Aqua Runtime Policy Match
• [Updated] Azure Appplication Service Console Logs
• [Updated] Azure AuditEvent logs
• [Updated] Azure Event Hub - Windows Defender Logs
• [Updated] Azure Firewall Application Rule
• [Updated] Azure Firewall DNS Proxy
• [Updated] Azure Firewall Network Rule
• [Updated] Azure NSG Flows
• [Updated] Azure Policy Logs
• [Updated] AzureActivityLog
• [Updated] AzureActivityLog 01
• [Updated] AzureActivityLog AuditLogs
• [Updated] AzureDevOpsAuditing
• [Updated] Cato Networks Audits
• [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
• [Updated] Cyber Ark EPM AggregateEvent
• [Updated] Druva Cyber Resilience - Catch All
• [Updated] GCP App Engine Logs
• [Updated] GCP Audit Logs
• [Updated] GCP IDS
• [Updated] GCP Parser - Load Balancer
• [Updated] Google Security Command Center
• [Updated] JumpCloud IdP - Catch All
• [Updated] Kaltura Audits
• [Updated] Microsoft Defender for Cloud - Security Alerts
• [Updated] Microsoft Office 365 AzureActiveDirectory Events
• [Updated] Microsoft Office 365 MicrosoftStream Events
• [Updated] Microsoft Office 365 PowerApps Events
• [Updated] Microsoft Office 365 Sway Events
• [Updated] Microsoft Office 365 Teams Events
• [Updated] Microsoft Office 365 Yammer Events
• [Updated] MicrosoftGraphActivityLogs
• [Updated] Office 365 - MicrosoftFlow
• [Updated] Office 365 - Security Compliance Alerts
• [Updated] Osquery Catchall
• [Updated] Osquery FIM
• [Updated] Osquery Process Auditing
• [Updated] Osquery Socket Events
• [Updated] Osquery Startup Items
• [Updated] Palo Alto Config - Custom Parser
• [Updated] Palo Alto Threat Spyware - Custom Parser
• [Updated] RSA SecurID Runtime Authn Logout
• [Updated] RSA SecurID Runtime Catchall
• [Updated] UnauthorizedAccess_EC2_SSHBruteForce
• [Updated] Windows - Security - 4625
• [Updated] Windows - Security - 4634

Parsers​

• [New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON
• [Updated] /Parsers/System/LastPass/LastPass
• [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
  • Updated time handling to use _messagetime metadata

This release reverts a change to our AWS CloudTrail default (catch all) mapper for how user_username is mapped. This is being reverted due to reports of breaking rule tuning and missing user context for some AssumedRole events.

AWS AssumedRole events can contain service and user role assumptions. Oftentimes service role assumptions will contain a dynamic session identifier instead of a static user identifer which contains the originating identity. Prior to the change we are now reverting, this was causing certain services to generate user entities from these sessions, creating false positives. This behavior changed with the August 5th, 2024 content release to handle role assumptions to instead map the role as user to prevent false positives from dynamic service sessions. While this decreased the number of false positives from dynamic service sessions, it also eliminated visibility into user role assumptions, creating potential for false negatives.

AWS best practices suggest defining sourceIdentity to allow for the originating user for a role assumption to be identifiable. This is the best path to avoid false positive generation, as our mapper will favor sourceIdentity if it is present in CloudTrail logs. If it is not present, then userIdentity.arn will be used and the resource-id will be mapped to user_username, creating potential for false positives from dynamic session identifiers. See Viewing source identity in CloudTrail in the AWS documentation for more information.

Alternatively, known service accounts which generate dynamic sessions identifers can be tuned out from signals using rule tuning expressions, Field Extraction Rules (FERs), or at the CloudTrail parser to reduce potential for false positive signals.

Log Mappers​

• [Updated] CloudTrail Default Mapping

This content release includes:

• Updates to rules to improve the user experience
• Specific updates are enumerated and summarized below

Rules​

• [Updated] MATCH-S00816 Interactive Logon to Domain Controller
  • Updated expression match list to use new domain_controllers_hostnames instead of domain_controllers which was generating false positives due to IP dependency.
• [Updated] LEGACY-S00105 Suspicious DC Logon
  • Updated expression match list to use new domain_controllers_hostnames instead of domain_controllers which was generating false positives due to IP dependency.

srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid null values for the following rules:​

• [Updated] MATCH-S00874 AWS Lambda Function Recon
• [Updated] MATCH-S00825 AWS Secrets Manager Enumeration
• [Updated] MATCH-S00513 Critical Severity Intrusion Signature
• [Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks
• [Updated] MATCH-S00666 High Severity Intrusion Signature
• [Updated] MATCH-S00669 Informational Severity Intrusion Signature
• [Updated] MATCH-S00668 Low Severity Intrusion Signature
• [Updated] MATCH-S00667 Medium Severity Intrusion Signature
• [Updated] THRESHOLD-S00095 Password Attack

Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:​

• [Updated] MATCH-S00429 LSASS Memory Dumping +
• [Updated] MATCH-S00161 Malicious PowerShell Get Commands +
• [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands +
• [Updated] MATCH-S00198 Malicious PowerShell Keywords +
• [Updated] MATCH-S00191 Suspicious PowerShell Keywords +
• [Updated] MATCH-S00431 Suspicious Use of Procdump +
• [Updated] MATCH-S00583 WCE wceaux.dll Access +
• [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected +
• [Updated] MATCH-S00291 Windows Credential Editor (WCE) in use +

Added exclusion to match expression for OneDrive to reduce false positives and removed fields producing nulls in the signal summary for the following rules:​

• [Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
• [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User
• [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
• [Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents

This content release includes:

• Updates to Azure rules to reflect a name change in the Company Administrator role to Global Administrator.
• New Linux OS Syslog mappers.
• Addition of sessionId mapping to Okta mappers.

Individual changes are enumerated below.

Rules​

• [Updated] MATCH-S00231 Azure - Member Added to Global Administrator Role
• [Updated] MATCH-S00233 Azure - Member Added to Global Administrator Role Non-PIM
• [Updated] MATCH-S00229 Azure - Member Added to Non-Global Administrator Role
• [Renamed] FIRST-S00088 First Seen User Performing NTLM Authentication to Host -> First Seen NTLM Authentication to Host (User)

Log Mappers​

• [New] Linux OS Syslog - Process sudo - Authentication Failure
• [New] Linux OS Syslog - Systemd-user Session Open|Closed
• [New] Linux OS Syslog - sshd - Postponed publickey
• [New] Linux OS Syslog - sshd - User not allowed
• [New] MicrosoftGraphActivityLogs
• [Updated] AWS Redshift - Authentication Log
  • Added normalizedAction mapping for logon and a success boolean lookup on event_name
• [Updated] Aruba ClearPass Guest Access
  • Added normalizedAction mapping for logon and a success boolean lookup on error codes
• [Updated] Check Point Failed Log In
  • Updated record type to Authentication and adjusted normalizedAction mapping to logon
• [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • Added logon normalizedAction and mapped success boolean to checkMfa
• [Updated] Infoblox NIOS - DNS
  • Updated mapping for dns_query to fix dns enrichments
• [Updated] JumpCloud IdP Authentication
  • Adds logon normalizedAction to mapper
• [Updated] Linux OS Syslog - Cron - Session Opened
  • Adds mappings for targetUser_username, targetUser_userId, user_userId
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
  • Adds "check pass" to event ID pattern
• [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
  • Added description mapping
• [Updated] Linux OS Syslog - Process sshd - SSH Session Closed|disconnect
  • Updated mapper name, and added "sshd-disconnect" to event ID pattern. Adds mappings for srcDevice_ip, description, action.
• [Updated] Linux OS Syslog - Process sshd - SSH Session Opened
  • Adds mapping for srcDevice_ip
• [Updated] Linux OS Syslog - Process sshd - SSH Session Starting
  • Adds mappings for srcDevice_ip, srcPort
• [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
  • Adds mapping for description
• [Updated] PingFederate - Authentication Event
  • Added logon normalizedAction to mapper
• [Updated] Pulse Secure Custom Parser - AUT24326
  • Added logon normalizedAction to mapper
• [Updated] Windows - Security - 4648
  • Adds logon normalizedAction mapping
• [Updated] Okta Authentication - auth_via_AD_agent
• [Updated] Okta Authentication - auth_via_mfa
• [Updated] Okta Authentication - auth_via_radius
• [Updated] Okta Authentication - sso
• [Updated] Okta Authentication Events
• [Updated] Okta Catch All
• [Updated] Okta Security Threat Events

Parsers​

• [Updated] /Parsers/System/Linux/Linux OS Syslog
  • Adds new parsing patterns for cron, sshd, sudo, and systemd. Adjusts existing sshd parsing patterns.

Schema​

• [New] repository
  • The name or path of a centrally managed object storage location, such as a Git repository, a container repository, or similar concepts.

This content release includes:

• A new Cloud SIEM First Seen rule
• Consolidation of AWSGuardDuty log mappers
• CrowdStrike FDR mapping modifications by adding aid as a value for device_hostname as primary or alternate
• Mapping update to Windows PowerShell operational events to facilitate a JSON data set from the legacy Windows format
• Several new log mappers, parsers, and multiple updated parsers

Release specifics are enumerated below.

Rules​

• NEW FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
  • This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process.

Log Mappers​

• [Deleted] AWS GuardDuty Alerts from Sumo CIP
• [Deleted] AWSGuardDuty_Backdoor
• [Deleted] AWSGuardDuty_Behavior
• [Deleted] AWSGuardDuty_Catch_All
• [Deleted] AWSGuardDuty_CryptoCurrency
• [Deleted] AWSGuardDuty_Discovery
• [Deleted] AWSGuardDuty_Exfiltration
• [Deleted] AWSGuardDuty_PenTest
• [Deleted] AWSGuardDuty_Persistence
• [Deleted] AWSGuardDuty_Policy
• [Deleted] AWSGuardDuty_ResourceConsumption
• [Deleted] AWSGuardDuty_Stealth
• [Deleted] AWSGuardDuty_Trojan
• [Retired] AwsServiceEvent-AWS API Call via CloudTrail
• [Deleted] Recon_EC2_PortProbeUnprotectedPort
• [Deleted] Recon_EC2_Portscan
• [Deleted] Recon_IAMUser
• [Deleted] UnauthorizedAccess_EC2_SSHBruteForce
• [Deleted] UnauthorizedAccess_EC2_TorClient
• [Deleted] UnauthorizedAccess_EC2_TorIPCaller
• [Deleted] UnauthorizedAccess_EC2_TorRelay
• [Deleted] UnauthorizedAccess_IAMUser
• [Updated] AWS GuardDuty Alerts from Sumo CIP
• [New] AWS Redshift - ACTIVITY_LOG
• [New] AWS Redshift - Authentication Log
• [New] AWS Redshift - Connection Log
• [New] AWS Redshift - USER_LOG
• [New] AWSGuardDuty - Audit Events
• [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
• [New] AWSGuardDuty - Reconnaissance and malicious activity detection
• [Updated] AWSGuardDuty - Tor Client and Relay
• [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
• [Updated] AWSGuardDuty_Catch_All
• [New] Forescout CounterACT - NAC Policy Log
• [New] PingFederate - Authentication Event
• [New] Symantec Endpoint Security - All
• [Updated] UnauthorizedAccess_EC2_SSHBruteForce
• [New] VMware NSX - Firewall
• [Updated] CloudTrail Default Mapping
  • Added alternate values for userIdentity.arn, and requestParameters.sourceIdentity applied to user_role. Additional mappings for bytesIn, and bytesOut.
• [Updated] CrowdStrike FDR - Catch All
• [Updated] CrowdStrike FDR - CriticalFileAccessed
• [Updated] CrowdStrike FDR - NetworkConnectIP4
• [Updated] CrowdStrike FDR - NetworkConnectIP6
• [Updated] CrowdStrike FDR - ProcessRollup2
• [Updated] CrowdStrike FDR - SuspiciousDnsRequest
• [Updated] PingFederate Event
  • Narrowed the lookup scope where success is true.
• [Updated] Windows - Microsoft-Windows-PowerShell/Operational Events - 4103 through 4105
  • Updated keys for: user_userId, user_username, commandLine, baseImage, file_path, and severity.

Parsers​

• [New] /Parsers/System/AWS/AWS Redshift
• [Updated] /Parsers/System/Forescout/Forescout CounterACT
  • Updated the start time field.
• [New] /Parsers/System/Symantec/Symantec Endpoint Security
• [New] /Parsers/System/VMware/VMware NSX
• [Updated] /Parsers/System/Cisco/Cisco Meraki
  • Added support for URLS new format.
• [Updated] /Parsers/System/PingIdentity/PingFederate
  • Added support of new log format.
• [Updated] /Parsers/System/Microsoft/Windows PowerShell-JSON
  • Dropped the redundant message field.

This content release includes rule and parser bug fixes, and parsing and mapping support for new log sources. Changes are enumerated below.

Rules​

• [Updated] MATCH-S00419 Multiple File Extensions
  • Fixed bug in summary expression causing baseImage to appear as null
• [Updated] MATCH-S00755 Outlook Form Creation
  • Fixed bug in rule expression where baseImage had incorrect case

Log mappers​

• [New] CrowdStrike Spotlight - Vulnerability
• [New] JumpCloud IdP - Catch All
• [New] JumpCloud IdP Authentication
• [New] Kaspersky Endpoint Security Catch All
• [New] Linux OS Syslog - sshd - Command Execution
• [New] Linux OS Syslog - sshd - connection

Parsers​

• [New] /Parsers/System/CrowdStrike/CrowdStrike Spotlight
• [New] /Parsers/System/JumpCloud/JumpCloud IdP
• [New] /Parsers/System/Kaspersky/Kaspersky Endpoint Security
• [Updated] /Parsers/System/Cisco/Cisco ISE
  • Bug fix for variation in syslog headers
• [Updated] /Parsers/System/Linux/Linux OS Syslog
  • Added support for additional variations in SSHD and CRON logs

This content release includes new and updated rules, log mappers, and parsers. Details are enumerated below.

Rules​

• [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
  • Removed leading backslash from like matches

Log Mappers​

• [New] ApplicationGatewayAccessLog
• [New] ApplicationGatewayFirewallLog
• [New] Citrix NetScaler - TCP-CONN_TERMINATE
• [New] Google G Suite - login - password_change/recovery_info_change
• [New] Google G Suite - login-blocked_sender_change
• [New] JFrog Artifactory - Access logs
• [New] JFrog Artifactory - Login Access logs
• [New] JFrog Artifactory - Request Logs
• [New] Synergis Genetec - all
• [Updated] AWS EKS - Custom Parser
  • Keys updated: 'srcDevice_ip', 'http_response_statusCode', 'http_url', 'http_userAgent', 'user_username', 'user_userId', 'action', 'device_k8s_namespace'
• [Updated] Abnormal Security Threats
  • Keys updated: 'threat_referenceUrl', 'email_subject', 'resource', 'email_sender', 'user_email', 'user_username', 'targetUser_email', 'action', 'threat_identifier', 'user_authDomain', 'srcDevice_ip', 'email_messageId', 'srcDevice_hostname', 'threat_name', 'threat_category', 'timestamp'
• [Updated] Cisco ASA 305011-12 JSON
  • Keys updated: 'user_authDomain', 'user_username'
• [Updated] GitHub JSON
  • Keys updated: 'user_username', 'user_role', 'user_userId', 'description', 'http_url', 'device_hostname'
• [Updated] SentinelOne Logs - Syslog Custom Parser
  • Keys updated: 'srcDevice_osName'

Parsers​

• [New] /Parsers/System/Atlassian/Atlassian Jira
• [New] /Parsers/System/Genetec/Genetec Synergis
• [New] /Parsers/System/Github/Github
• [New] /Parsers/System/JFrog/JFrog Artifactory
• [Updated] /Parsers/System/AWS/AWS EKS
• [Updated] /Parsers/System/Abnormal Security/Abnormal Security
• [Updated] /Parsers/System/Cisco/Cisco ASA
• [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
• [Updated] /Parsers/System/Cylance/Cylance Syslog
• [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
• [Updated] /Parsers/System/Orca Security/Orca Security
• [Updated] /Parsers/System/SentinelOne/SentinelOne CEF

Minor Changes and Enhancements​

• [New] To help facilitate investigations and audits, a list of the sourceMessageIds for each of the records that contributed to a Threshold, Chain, or Aggregation Signal are now included in that Signal's record in the sec_signal index, in the new aggregatedMessageIds field.

Bug Fixes​

• The Community view on the MITRE ATT&CK® Threat Coverage Explorer was not filtering by default properly.

This content release includes several new and multiple updated log mappers, plus several updated parsers. Details are enumerated below:

Log Mappers​

• [New] Cisco Meraki Firewall - Custom Parser
  • Minor changes in cisco meraki mapper
• [New] Jamf Parser - Alert
  • Removed wrong field
• [New] Jamf Parser - Network
  • Removed wrong field
• [Updated] AWS GuardDuty Alerts from Sumo CIP
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWS S3 Server Access Log - Custom Parser
  • Map bytesIn/bytesOut in AWS CloudTrail Data Events
  • Keys updated: bytesIn, bytesOut
• [Updated] AWSGuardDuty_Backdoor
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Behavior
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Catch_All
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_CryptoCurrency
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Discovery
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Exfiltration
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_PenTest
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Persistence
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Policy
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_ResourceConsumption
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Stealth
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] AWSGuardDuty_Trojan
  • Added region field in all the events
  • Keys updated: cloud_region
• Updated] AwsServiceEvent-AWS API Call via CloudTrail
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] BlueCat DHCP Parser - Catch All
  • Changed mac address field in mapper
  • Keys updated: device_mac, timestamp
• [Updated] Code42 Incydr FileEvents C2C
  • Mapper adjustments
  • Keys updated: event_id_pattern, user_username, file_path, severity, normalizedSeverity, threat_name
• [Updated] Recon_EC2_PortProbeUnprotectedPort
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] Recon_EC2_Portscan
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] Recon_IAMUser
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] UnauthorizedAccess_EC2_TorClient
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] UnauthorizedAccess_EC2_TorIPCaller
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] UnauthorizedAccess_EC2_TorRelay
  • Added region field in all the events
  • Keys updated: cloud_region
• [Updated] UnauthorizedAccess_IAMUser
  • Added region field in all the events
  • Keys updated: cloud_region

Parsers​

• [Updated] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
• [Updated] /Parsers/System/Cisco/Cisco Meraki
• [Updated] /Parsers/System/Code42/Code42 Incydr
• [Updated] /Parsers/System/Jamf/Jamf
• [Updated] /Parsers/System/Microsoft/Shared/Syslog Headers Microsoft
• [Updated] /Parsers/System/Microsoft/Shared/Windows Forwarding Headers
• [Updated] /Parsers/System/Microsoft/Shared/Windows Text Transforms - Security

This release includes new Cloud SIEM detection rules, and updates to existing rules to correct summary and description expressions. All changes are enumerated below.

Rules​

• [New] FIRST-S00061 First Seen USB device in use on Windows host
  • This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. If the device name is unexpected and not authorized to be used in the environment, investigate the alert further and look for file creation events to the drive in question. The fields["EventData.DeviceDescription"] field contains the device name.
• [New] FIRST-S00059 First Seen esentutl command From User
  • Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. Esentutl can also be utilized to download files from a remote share or URL. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance.
• [New] FIRST-S00058 First Seen vssadmin command From User
  • Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. If this activity is performed as part of normal system maintenance, the rule can be tuned to exclude these groups of users.
• [New] FIRST-S00060 First Seen wbadmin command From User
  • Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance.
• [New] MATCH-S00908 Okta - MFA Request Denied by User
  • This signal will trigger when a user denies an MFA request within the Okta authenticator application. Examine other authentication attempts for this particular user, and undertake confirmation efforts to ensure that this activity is expected and valid.
• [New] MATCH-S00907 Okta - Policy Rule Added
  • This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. Check the Okta administrator portal for more details regarding the application in question such as scopes and access levels. The field fields["target.1.alternateId"] contains the name of the application that was created
• [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint
  • This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta users API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. A full list of functionality for this endpoint can be found in the Okta documentation here. The \u201cSuccess\u201d field will indicate whether this API request was successful or not, and the \u201cDescription\u201d field will contain the event that was generated by the API request. Both failed and successful requests should be investigated. Ensure that this request was performed for legitimate purposes such as developer workflows or other automation mechanisms. Consider adding a match list exclusion with authorized accounts who perform requests to this Okta API endpoint via programmatic methods if this signal is triggering false positives.
• [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method
  • This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. Investigation of the host is recommended to identify the behavior leading to and around the execution of this PowerShell process.
• [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution
  • Detects the use of PowerShell for Application Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. Investigation into the host and user to identify the process executing the PowerShell function. See here for reference.
• [New] MATCH-S00918 Suspicious cat of PAM common-password policy
  • The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. The common-password file defines behavior of password use in Linux subsystems. This detection looks for use of cat to display the contents of the common-password file, which should not be a common occurrence on systems. It is recommended to investigate the host upon which this detection occurs to understand the exposure of the password policies for the system.
• [New] MATCH-S00919 chage command use on host
  • The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user's password or account is due to expire. It is recommended to investigate the system and account the command has been executed on, to assess the intent of this execution. Additionally, looking at the command line and parent process is helpful in identifying valid automated processes executing this command that would benefit from tuning out via Rule Tuning.
• [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
• [Updated] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User
• [Updated] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address
• [Updated] FIRST-S00032 First Seen Kubectl Command From User
• [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
• [Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP
• [Updated] MATCH-S00906 Okta - Application Created
• [Updated] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
• [Updated] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
• [Updated] MATCH-S00865 Potential Docker Escape via Command Line
• [Updated] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
• [Updated] MATCH-S00883 macOS - Keychain Enumeration

Rule-Based Signal Suppression​

We've added an advanced rule feature that allows users to override the global signal suppression period. This is most useful for individual rules that require much shorter (or no) suppression, such as rules that pass alerts through from external data sources such as endpoint detection systems.

This setting can be accessed from the rule details page:

The setting is in the "Show Advanced" section. You can specify a suppression period for the rule between 0 and 168 hours (if you set it to 0, suppression is completely disabled for the rule).

Minor Changes and Enhancements​

• Users can now view the MITRE ATT&CK® Threat Coverage Explorer with only the View Rules permission; previously users had to have the Manage Rules permission to access the Explorer.

Bug Fixes​

• Some system events that automatically occur after an Insight is created (such as enrichment, automation service calls, and so on) were not consistently executing.
• Some system events that automatically occur just before rule processing (such as adding Geo IP and ASN data, checking match lists, and so on) were not consistently executing.
• Users were unable to duplicate rules due to an internal error.

This content release includes an updated log mapper, and two updated parsers. Details are enumerated below.

Additionally, MATCH-S00408 has been decommissioned because it was not functioning as intended.

Rules​

• [Deleted] MATCH-S00408 Fake Windows Processes

Log Mappers​

• [Updated] SentinelOne Logs - C2C threats

Parsers​

• [Updated] /Parsers/System/Dell/Dell SonicWall
• [Updated] /Parsers/System/Okta/Okta

This content release includes seventeen new rules and two updated rules. Details are enumerated below.

• Rules
  • [NEW] MATCH-S00896 Azure Authentication Policy Change
  • [NEW] MATCH-S00895 NinjaCopy Usage Detected
  • [NEW] MATCH-S00906 Okta - Application Created
  • [NEW] MATCH-S00903 Okta - Device Added To User
  • [NEW] MATCH-S00904 Okta - Device Removed From User
  • [NEW] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon
  • [NEW] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
  • [NEW] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
  • [NEW] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
  • [NEW] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded
  • [NEW] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration
  • [NEW] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded
  • [NEW] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded
  • [NEW] MATCH-S00706 Registry Modification - Time Providers
  • [NEW] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load
  • [NEW] MATCH-S00899 Suspicious Active Directory Certificate Modification
  • [NEW] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent
  • [Updated] MATCH-S00706 Registry Modification - Time Providers
    • Improved logic expression
  • [Updated] MATCH-S00690 Rundll32.exe Load from TEMP Directory with By Ordinal Load
    • Clarified Summary

MITRE ATT&CK® Coverage Enhancements​

We're excited to announce multiple enhancements to our MITRE ATT&CK Threat Coverage Explorer.

• Rules Filtering - You can now easily filter the coverage visualization based on rules, including out-of-the-box and user-created rules, as well as enabled, disabled, production and prototype rules.
• All Community Activity - This view now defaults to show only the vendor and product logs that are being sent to Cloud SIEM from your data sources. This gives you a better comparison between what your theoretical and historical coverage shows and what other customers of Cloud SIEM using those same log sources are seeing. You can still change the filter to display other (or all) log sources.
• Customizable Colors - You can now customize the tile colors to your own scheme.
  

For full details, see the MITRE ATT&CK Coverage documentation.

New UI Themes for Cloud SIEM​

We are also excited to announce that Cloud SIEM now supports two different UI themes: the default "dark" theme, and a new "light" theme:

The theme is set per user, and can be changed on the Sumo Logic user preferences page:

Note that the setting currently only affects Cloud SIEM and the Automation Service, but in the future this setting will also affect other pages in the Sumo Logic UI.

Bug fixes​

• Terraform no longer times out while waiting for match lists to be updated.

This content release includes a corrective update to a match rule summary expression and a log mapping bug fix. Changes are enumerated below.

• Rules
  • [Updated] MATCH-S00137 Office Application or Browser Launching Shell
    • Fix typo in summary expression key
    • Keys updated: summary_expression, normalized_summary
• Log Mappers
  • [Updated] Microsoft Office 365 Active Directory Authentication Events
    • Office_365 Mapping Correction
    • Keys updated: user_userId

This content release includes updated log mappers for Windows Sysmon as enumerated below.

Log Mappers​

• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
• [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9

Minor changes and enhancements​

• Two enhancements have been implemented for the MITRE ATT&CK® Threat Coverage Explorer:
  • The current tactic, technique and sub-technique metrics for the (default) Theoretical and Historical views are now written to the sumologic_system_events audit logs daily. This data can be used in dashboards to track coverage and events over time.
  • It is now possible, using the /mitre-attack/json endpoint, to extract the MITRE Explorer-formatted JSON via API. (This works the same as the Export button in the UI.)
• On the Insight details page, on the Entities tab, the default view is now the Graph view instead of the List view.
• Threat reputation icons/labels are now visible in a number of additional places throughout the UI. These can be set via enrichment.

Bug fixes​

• In some cases, events that are supposed to occur automatically after an Insight is opened were not executing, or were severely delayed.
• If an Insight comment included a long URL, text wrapping was not behaving correctly and some text was being clipped from view. Also, newline characters were not always being honored properly in comments.

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules​

• [Updated] MATCH-S00610 PSExec Named Pipe Created by Non-PsExec Process
  • Expression Key updated
• [Updated] MATCH-S00159 Windows - Permissions Group Discovery
  • Removed FirstSeen language in the match rule

Log Mappers​

• [New] Cato Networks Security Events - Catch All
• [New] Windows - Security - 5156
• [Updated] 1Password Item Audit Actions
  • Updated event id pattern
• [Updated] 1Password Item Usage Actions
  • Updated event id pattern
• [Updated] Azure Application Service Console Logs
  • Azure Custom Parser Normalized Severity key update
• [Updated] Azure Event Hub - Windows Defender Logs - DeviceAlertEvents
  • Azure Custom Parser Normalized Severity key update
• [Updated] Azure Risky Users
  • Azure Custom Parser Normalized Severity key update
• [Updated] Azure User Risk Events
  • Azure Custom Parser Normalized Severity key update
• [Updated] Microsoft Defender for Cloud - Security Alerts
  • Azure Custom Parser Normalized Severity key update
• [Updated] Okta Authentication - sso
  • Application key updated

This release includes new rule, mapping, parsing, and content updates. Changes are enumerated below.

Rules​

• [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
  • Updated rule expression to reduce false positivity.
• [Updated] FIRST-S00044 First Seen AppID Generating MailIItemsAccessed Event
  • Updated Severity from 4 to 1.
• [Updated] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event
  • Fixed description and summary transposition and lowered severity from 3 to 1.

Log Mappers​

Added userAgent mapping to Okta.

• [New] Kaltura Audits
• [Updated] Okta Authentication - auth_via_mfa
• [Updated] Okta Authentication Events
• [Updated] Okta Catch All

Parsers​

• [New] /Parsers/System/Kaltura/Kaltura

This content release includes modifications and additions to Citrix Cloud C2C to handle additional event types and bring existing event mapping into line with new events, support for Code42 Incydr via C2C, Abnormal Security via C2C, and JumpCloud Directory Insights via C2C.

Log Mappers​

• [Deleted] Citrix Cloud Client
  • This mapping is replaced by new mappers for Citrix Cloud below
• [New] Abnormal Security Threats
• [New] Citrix Cloud Operation Logs
• [New] Citrix Cloud System Logs
• [New] Code42 Incydr Alerts C2C
• [New] Code42 Incydr Audits C2C
• [New] Code42 Incydr FileEvents C2C
• [New] JumpCloud Directory Insights - Admin Logon
• [New] JumpCloud Directory Insights - Catch All

Parsers​

• [New] /Parsers/System/Abnormal Security/Abnormal Security
• [New] /Parsers/System/Code42/Code42 Incydr
• [New] /Parsers/System/JumpCloud/JumpCloud Directory Insights
• [Updated] /Parsers/System/Citrix/Citrix Cloud C2C

Minor changes and enhancements​

• [New] Continuing our work to better align the Cloud SIEM UI pages with Log Analytics UI pages to improve usability and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated.
• [New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged).
• [New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied.
• [Updated] The Object Type attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed.
• [New] A user-editable Description field has been added to Rule Tuning Expressions.

Bug fixes​

• Sorting by value was not working properly on the Entities list page.
• Sometimes, if the target value was left blank (default), domain normalization would append a colon to the resulting value.
• Customers were experiencing rate limiting with VirusTotal due to a change to their API and constant retries due to resultant errors in Cloud SIEM. This has been resolved, as has an issue with enrichments for file hashes.
• Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly).
• The MITRE ATT&CK® stage attribute was missing from some Signals in the audit logs.
• Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration.
• On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible.
• The reputation indicator on the Entity Details page was being rendered, then hidden.

This release includes new log mapping and parsing content for Druva Cyber Resilience:

Log Mappers​

• [New] Druva Cyber Resilience - Admin Logon
• [New] Druva Cyber Resilience - Catch All

Parsers​

• [New] /Parsers/System/Druva/Druva Cyber Resilience

Bug Fixes​

• Recently, two rules, FIRST-S00052 and FIRST-S00049, were released to customers erroneously. Soon after, these rules started generating false positive Signals and Insights. We have removed those rules from all customer environments so they can be tuned properly and re-released after comprehensive testing. The process error that led to the release has been identified and corrected. Sumo Logic apologizes for the inadvertent Signals and Insights this error generated. If needed, please contact Support for assistance in closing the Insights.

This release includes new parsing and mapping support for C2C sources and mapping changes enumerated below.

Log Mappers​

• [New] Trellix mVision ePO Threats
• [New] Zero Networks Segment Audit Activity
• [New] Zero Networks Segment Network Activity
• [Updated] AzureActivityLog 01
  • Remapped Application from properties.clientAppUsed to properties.appDisplayName for consistency

Parsers​

• [New] /Parsers/System/Trellix/Trellix MVision EPO
• [New] /Parsers/System/Zero Networks/Zero Networks Segment

This release includes minor mapping adjustments to Duo and MS Graph Identify Protection Risk logs. Specific changes are enumerated below.

Log Mappers​

• [Updated] Duo Security Admin API - Audit
  • Added mappings for source host and source IP
• [Updated] Duo Security Admin API - Authentication
  • Added mappings for source host and source IP
• [Updated] Duo Security Admin API - Non-User Audit Changes
  • Added mappings for source host and source IP
• [Updated] Duo Security Admin API - Targeted User Audit Changes
  • Added mappings for source host and source IP
• [Updated] Microsoft Graph Identity Protection API C2C - riskDetections
  • Added principal as primary user_username key
• [Updated] Microsoft Graph Identity Protection API C2C - riskyUsers
  • Added principal as primary user_username key

This content release includes updates to log mappers for Zeek fixing several bugs that were preventing fields from mapping properly.

Log Mappers​

• [Updated] Zeek DNS Activity
• [Updated] Zeek HTTP Activity
• [Updated] Zeek conn Activity

This content release includes updates to Cloud SIEM rules, new log mappers, new parsers, and the addition of normalization schema metadata. Specific updates are enumerated below. In addition, a number of rules were updated to include more accurate MITRE ATT&K® tactic and technique tags.

Rules​

• [Updated] MATCH-S00213 AWS CloudTrail - Reconnaissance related event
  • Updated name expression to reduce insight false positivity
• [Updated] MATCH-S00686 Base64 Decode in Command Line
• [Updated] MATCH-S00373 BlueMashroom DLL Load
• [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
• [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
• [Updated] FIRST-S00013 First Seen Driver Load - Global
• [Updated] FIRST-S00014 First Seen Driver Load - Host
• [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
• [Updated] MATCH-S00705 Registry Modification - Authentication Package
• [Updated] MATCH-S00707 Registry Modification - Winlogon Helper DLL
• [Updated] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
• [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
• [Updated] MATCH-S00379 WMIExec VBS Script
• [Updated] MATCH-S00570 WMIPRVSE Spawning Process
  • Corrected expression to exclude OS SID from user_userId; prior expression was incorrectly referencing SubjectLogonID
• [Updated] MATCH-S00724 Windows Update Agent DLL Changed
• [Updated] MATCH-S00435 XSL Script Processing

Log Mappers​

• [New] 1Password Item Audit Actions
• [New] 1Password Item Usage Actions
• [New] Zeek DNS Activity
• [New] Zeek HTTP Activity
• [New] Zeek conn Activity

Parsers​

• [New] /Parsers/System/1Password/1Password
• [New] /Parsers/System/1PasswordC2C/1PasswordC2C
• [New] /Parsers/System/Zeek/Zeek

Schema​

• [New] metadata_sourceBlockId
  • The _blockId of the original source log message (from Sumo Logic)

This is an archive of 2023 Cloud SIEM Release Notes.

This is an archive of 2022 Cloud SIEM Release Notes.