Skip to main content

September 19, 2024 - Content Release

icon

This content release includes:

  • Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal).
  • Deletion of a low efficacy rule.
  • Mapping updates to better employ normalized classification fields across data sources.
  • Adds alternate case handling for Windows Security Event Log error codes.
  • Updates to LastPass parsing and mapping to support Reporting and Failed Logon events.
  • Adds support for Thinkst Canary JSON logging.
  • Adjusts time handling for Thinkst Canary Syslog.

Other changes are enumerated below.

Rules​

  • [Deleted] LEGACY-S00180 DNS query for dynamic DNS provider
  • [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
  • [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
  • [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
  • [Updated] MATCH-S00727 CPL File Executed from Temp Directory
  • [Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings
  • [Updated] MATCH-S00658 Container Management Utility in Container
  • [Updated] MATCH-S00410 Copy from Admin Share
  • [Updated] MATCH-S00443 Create Windows Share
  • [Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
  • [Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy
  • [Updated] MATCH-S00348 Curl Start Combination
  • [Updated] MATCH-S00385 DTRACK Process Creation
  • [Updated] MATCH-S00441 Delete Windows Share
  • [Updated] MATCH-S00543 Detect Psexec With Accepteula Flag
  • [Updated] MATCH-S00319 Dridex Process Pattern
  • [Updated] MATCH-S00590 Elise Backdoor
  • [Updated] MATCH-S00392 File or Folder Permissions Modifications
  • [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] FIRST-S00059 First Seen esentutl command From User
  • [Updated] FIRST-S00041 First Seen networksetup Usage from User
  • [Updated] FIRST-S00058 First Seen vssadmin command From User
  • [Updated] FIRST-S00060 First Seen wbadmin command From User
  • [Updated] FIRST-S00008 First Seen whoami command From User
  • [Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility
  • [Updated] MATCH-S00325 Greenbug Campaign Indicators
  • [Updated] MATCH-S00367 Impacket Lateralization Detection
  • [Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility
  • [Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility
  • [Updated] MATCH-S00322 Judgement Panda Credential Access Activity
  • [Updated] MATCH-S00334 Judgement Panda Exfil Activity
  • [Updated] MATCH-S00651 Kubernetes CreateCronjob
  • [Updated] MATCH-S00652 Kubernetes DeleteCronjob
  • [Updated] MATCH-S00650 Kubernetes ListCronjobs
  • [Updated] MATCH-S00648 Kubernetes ListSecrets
  • [Updated] MATCH-S00647 Kubernetes Pod Deletion
  • [Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed
  • [Updated] MATCH-S00461 LNKSmasher Utility Commands
  • [Updated] MATCH-S00746 Loadable Kernel Module Dependency Install
  • [Updated] MATCH-S00745 Loadable Kernel Module Enumeration
  • [Updated] MATCH-S00723 Loadable Kernel Module Modifications
  • [Updated] MATCH-S00352 MSHTA Suspicious Execution
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications
  • [Updated] MATCH-S00729 MacOS Gatekeeper Bypass
  • [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
  • [Updated] MATCH-S00161 Malicious PowerShell Get Commands
  • [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
  • [Updated] MATCH-S00198 Malicious PowerShell Keywords
  • [Updated] MATCH-S00331 MavInject Process Injection
  • [Updated] MATCH-S00466 MsiExec Web Install
  • [Updated] MATCH-S00288 NotPetya Ransomware Activity
  • [Updated] MATCH-S00698 PATH Set to Current Directory
  • [Updated] MATCH-S00659 Package Management Utility in Container
  • [Updated] MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034
  • [Updated] MATCH-S00149 PowerShell File Download
  • [Updated] MATCH-S00449 Powershell Execution Policy Bypass
  • [Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll
  • [Updated] MATCH-S00439 Psr.exe Capture Screenshots
  • [Updated] MATCH-S00167 Recon Using Common Windows Commands
  • [Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator
  • [Updated] MATCH-S00506 SC Exe Manipulating Windows Services
  • [Updated] MATCH-S00153 Scheduled Task Created via PowerShell
  • [Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System
  • [Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot
  • [Updated] MATCH-S00359 Suspicious Certutil Command
  • [Updated] MATCH-S00356 Suspicious Compression Tool Parameters
  • [Updated] MATCH-S00362 Suspicious Curl File Upload
  • [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
  • [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution
  • [Updated] MATCH-S00191 Suspicious PowerShell Keywords
  • [Updated] MATCH-S00431 Suspicious Use of Procdump
  • [Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution
  • [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
  • [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
  • [Updated] MATCH-S00531 Unload Sysmon Filter Driver
  • [Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions
  • [Updated] MATCH-S00761 Volume Shadow Copy Service Stopped
  • [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
  • [Updated] MATCH-S00760 WMI Ping Sweep
  • [Updated] MATCH-S00146 WMI Process Call Create
  • [Updated] MATCH-S00151 WMI Process Get Brief
  • [Updated] MATCH-S00379 WMIExec VBS Script
  • [Updated] MATCH-S00400 Web Download via Office Binaries
  • [Updated] MATCH-S00539 Web Servers Executing Suspicious Processes
  • [Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands
  • [Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog
  • [Updated] MATCH-S00181 Windows - Domain Trust Discovery
  • [Updated] MATCH-S00168 Windows - Local System executing whoami.exe
  • [Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe
  • [Updated] MATCH-S00159 Windows - Permissions Group Discovery
  • [Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas
  • [Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed
  • [Updated] MATCH-S00281 Windows - PowerShell Process Discovery
  • [Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire
  • [Updated] MATCH-S00185 Windows - Remote System Discovery
  • [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
  • [Updated] MATCH-S00170 Windows - Scheduled Task Creation
  • [Updated] MATCH-S00192 Windows - System Network Configuration Discovery
  • [Updated] MATCH-S00194 Windows - System Time Discovery
  • [Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh
  • [Updated] MATCH-S00532 Windows Adfind Exe
  • [Updated] MATCH-S00552 Windows Connhost Started Forcefully
  • [Updated] MATCH-S00398 Windows Defender Download Activity
  • [Updated] MATCH-S00179 Windows Network Sniffing
  • [Updated] MATCH-S00157 Windows Process Name Impersonation
  • [Updated] MATCH-S00178 Windows Query Registry
  • [Updated] MATCH-S00533 Windows Security Account Manager Stopped
  • [Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path
  • [Updated] MATCH-S00724 Windows Update Agent DLL Changed
  • [Updated] MATCH-S00382 Winnti Pipemon Characteristics
  • [Updated] MATCH-S00435 XSL Script Processing
  • [Updated] MATCH-S00726 macOS Kernel Extension Load

Log Mappers​

  • [New] LastPass Failed Login Attempt
  • [New] LastPass Reporting
  • [Updated] Thinkst Canary Parser - Catch All
    • Removed time handling from mapper to favor parser time handling
  • [Updated] 1Password Item Audit Actions
  • [Updated] 1Password Item Usage Actions
  • [Updated] AWS Config - Custom Parser
  • [Updated] AWS EKS - Custom Parser
  • [Updated] AWS Inspector - Custom Parser
  • [Updated] AWS Route 53 Logs
  • [Updated] AWS S3 Server Access Log - Custom Parser
  • [Updated] AWS Security Hub
  • [Updated] AWSGuardDuty - Audit Events
  • [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
  • [Updated] AWSGuardDuty - Reconnaissance and malicious activity detection
  • [Updated] AWSGuardDuty - Tor Client and Relay
  • [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
  • [Updated] AWSGuardDuty_Catch_All
  • [Updated] Adaxes - Custom Parser
  • [Updated] ApplicationGatewayAccessLog
  • [Updated] ApplicationGatewayFirewallLog
  • [Updated] Aqua Runtime Policy Match
  • [Updated] Azure Appplication Service Console Logs
  • [Updated] Azure AuditEvent logs
  • [Updated] Azure Event Hub - Windows Defender Logs
  • [Updated] Azure Firewall Application Rule
  • [Updated] Azure Firewall DNS Proxy
  • [Updated] Azure Firewall Network Rule
  • [Updated] Azure NSG Flows
  • [Updated] Azure Policy Logs
  • [Updated] AzureActivityLog
  • [Updated] AzureActivityLog 01
  • [Updated] AzureActivityLog AuditLogs
  • [Updated] AzureDevOpsAuditing
  • [Updated] Cato Networks Audits
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] Cyber Ark EPM AggregateEvent
  • [Updated] Druva Cyber Resilience - Catch All
  • [Updated] GCP App Engine Logs
  • [Updated] GCP Audit Logs
  • [Updated] GCP IDS
  • [Updated] GCP Parser - Load Balancer
  • [Updated] Google Security Command Center
  • [Updated] JumpCloud IdP - Catch All
  • [Updated] Kaltura Audits
  • [Updated] Microsoft Defender for Cloud - Security Alerts
  • [Updated] Microsoft Office 365 AzureActiveDirectory Events
  • [Updated] Microsoft Office 365 MicrosoftStream Events
  • [Updated] Microsoft Office 365 PowerApps Events
  • [Updated] Microsoft Office 365 Sway Events
  • [Updated] Microsoft Office 365 Teams Events
  • [Updated] Microsoft Office 365 Yammer Events
  • [Updated] MicrosoftGraphActivityLogs
  • [Updated] Office 365 - MicrosoftFlow
  • [Updated] Office 365 - Security Compliance Alerts
  • [Updated] Osquery Catchall
  • [Updated] Osquery FIM
  • [Updated] Osquery Process Auditing
  • [Updated] Osquery Socket Events
  • [Updated] Osquery Startup Items
  • [Updated] Palo Alto Config - Custom Parser
  • [Updated] Palo Alto Threat Spyware - Custom Parser
  • [Updated] RSA SecurID Runtime Authn Logout
  • [Updated] RSA SecurID Runtime Catchall
  • [Updated] UnauthorizedAccess_EC2_SSHBruteForce
  • [Updated] Windows - Security - 4625
  • [Updated] Windows - Security - 4634

Parsers​

  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON
  • [Updated] /Parsers/System/LastPass/LastPass
  • [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
    • Updated time handling to use _messagetime metadata
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.