
April 14, 2025 - Content Release

This content release includes:

  • Additional data requirements for GitHub rules added to rule descriptions.
  • Spelling corrections for AWS Lambda rules.
  • New Slack Anomaly Event log mapper and supporting parsing changes:
    • Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
    • Requires a parser to be defined for passthrough detection.
  • Updates to Sysdig parsing and mapping to support additional events.
  • Support for Microsoft Windows Sysmon-29 event.
  • Additional normalized field mappings for Microsoft Windows Sysmon events.
  • New user_phoneNumber and targetUser_phoneNumber schema fields.

Rules

  • [Updated] MATCH-S00874 AWS Lambda Function Recon
  • [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
  • [Updated] MATCH-S00953 GitHub - Audit Logging Modification
  • [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
  • [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
  • [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
  • [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
  • [Updated] MATCH-S00955 GitHub - Member Permissions Modification
  • [Updated] MATCH-S00956 GitHub - OAuth Application Activity
  • [Updated] MATCH-S00957 GitHub - Organization Transfer
  • [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
  • [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
  • [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
  • [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
  • [Updated] MATCH-S00960 GitHub - Repository Transfer
  • [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
  • [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
  • [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
  • [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
  • [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
  • [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
  • [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization

Log Mappers

  • [New] Slack Anomaly Event
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
  • [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
  • [New] Windows - Microsoft-Windows-Sysmon/Operational-29
  • [Updated] Sysdig Secure Packages
  • [Updated] Sysdig Secure Vulnerability
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
  • [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27

Parsers

  • [New] /Parsers/System/Slack/Slack Enterprise Audit
  • [Updated] /Parsers/System/Sysdig/Sysdig Secure

Schema

  • [New] targetUser_phoneNumber
  • [New] user_phoneNumber

Copyright © 2025 by Sumo Logic, Inc.