Skip to main content

April 7, 2023 - Content Release

This release includes bug fixes for several rules using match lists using the "column" field in the rule expression.


  • [New] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address; External connections over the internet to port 445 could be indictative of hash leak attempts, including exploitation attempts for vulnerabilities such as CVE-2023-2397. This alert looks at a source IP address making a connection to a new external destination IP address since the baseline period.
  • [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country; Added additional logic to help reduce false positives
  • [Updated] THRESHOLD-S00096 Brute Force Attempt
  • [Updated] MATCH-S00565 Direct Outbound DNS Traffic
  • [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
  • [Updated] THRESHOLD-S00102 Domain Password Attack
  • [Updated] THRESHOLD-S00095 Password Attack
  • [Updated] CHAIN-S00008 Successful Brute Force

Log Mappers

  • [New] OpenVPN Logon Attempt
  • [New] OpenVPN Network Event
  • [New] Snowflake Catch All
  • [New] Snowflake Login
  • [New] Windows Defender ATP Alert
  • [Updated] Netskope - Audit Authentication Events - Logoff; Made eventID match more permissive


  • [New] /Parsers/System/Snowflake/Snowflake
  • [New] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON
  • [Updated] /Parsers/System/Cisco/Cisco ASA; Build/Teardown parsing bug fix
  • [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog; Added support for additional format
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.