
3 posts tagged with "application update"


MITRE ATT&CK® Coverage Enhancements

We're excited to announce multiple enhancements to our MITRE ATT&CK Threat Coverage Explorer.

  • Rules Filtering - You can now easily filter the coverage visualization based on rules, including out-of-the-box and user-created rules, as well as enabled, disabled, production and prototype rules.
  • All Community Activity - This view now defaults to showing only the vendor and product logs that your data sources are actually sending to Cloud SIEM. This gives a like-for-like comparison between your Theoretical and Historical coverage and what other Cloud SIEM customers using those same log sources are seeing. You can still change the filter to display other (or all) log sources.
  • Customizable Colors - You can now customize the tile colors to your own scheme.
    Custom MITRE ATT&CK Explorer Color Palette

For full details, see the MITRE ATT&CK Coverage documentation.

New UI Themes for Cloud SIEM

We are also excited to announce that Cloud SIEM now supports two different UI themes: the default "dark" theme, and a new "light" theme:

Light and Dark theme examples in Cloud SIEM

The theme is set per user, and can be changed on the Sumo Logic user preferences page:

Option to change UI theme

Note that the setting currently only affects Cloud SIEM and the Automation Service, but in the future this setting will also affect other pages in the Sumo Logic UI.

Bug fixes

  • Terraform no longer times out while waiting for match lists to be updated.

Minor changes and enhancements

  • Two enhancements have been implemented for the MITRE ATT&CK® Threat Coverage Explorer:
    • The current tactic, technique and sub-technique metrics for the (default) Theoretical and Historical views are now written daily to the sumologic_system_events audit logs. This data can be used in dashboards to track coverage and events over time.
    • The MITRE Explorer-formatted JSON can now be retrieved via the API using the /mitre-attack/json endpoint. This returns the same data as the Export button in the UI.
  • On the Insight details page, on the Entities tab, the default view is now the Graph view instead of the List view.
  • Threat reputation icons/labels are now visible in a number of additional places throughout the UI. These can be set via enrichment.

Bug fixes

  • In some cases, events that are supposed to occur automatically after an Insight is opened were not executing, or were severely delayed.
  • If an Insight comment included a long URL, text wrapping was not behaving correctly and some text was being clipped from view. Also, newline characters were not always being honored properly in comments.

Minor changes and enhancements

  • [New] As part of ongoing work to align the Cloud SIEM UI pages with the Log Analytics UI pages and provide a consistent user experience, the color palette has been adjusted slightly, some page decoration has been removed or altered, and some controls have been updated.
  • [New] On the Entity list page, you can now filter by reputation indicator (i.e. Malicious, Suspicious or NotFlagged).
  • [New] Users can now navigate directly from the Entity Activity panel on the HUD to the Entity List page, with the proper filter pre-applied.
  • [Updated] The Object Type attribute has been added back to the Signal summary section, next to the timestamp, so that it is visible whether the Signal details are expanded or collapsed.
  • [New] A user-editable Description field has been added to Rule Tuning Expressions.

Bug fixes

  • Sorting by value was not working properly on the Entities list page.
  • If the target value was left blank (the default), domain normalization would sometimes append a trailing colon to the resulting value.
  • Customers were being rate limited by VirusTotal: a change to the VirusTotal API caused enrichment errors in Cloud SIEM, and the resulting constant retries exhausted the API quota. This has been resolved, along with an issue affecting enrichment of file hashes.
  • Some Entities were not showing as being included in Entity Groups properly (even though attributes had been set correctly).
  • The MITRE ATT&CK® stage attribute was missing from some Signals in the audit logs.
  • Custom inventory sources were not included in the appropriate dropdown in Entity Group configuration.
  • On the Entity Details page, if the only Signals that existed were in Prototype mode, they would not be visible.
  • The reputation indicator on the Entity Details page was being rendered, then hidden.
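The VirusTotal fix above is an instance of a general failure mode: when an upstream API starts returning errors, an enrichment pipeline that retries every failure immediately turns one broken call into a flood of calls and gets itself rate limited. The example below is added here to illustrate that pattern and a safer retry policy; it is not Sumo Logic code and does not reflect how Cloud SIEM enrichment is implemented. The response shape, the `FakeService` stand-in and all function names are assumptions made for the example.

```python
"""Retry policy for a third-party enrichment API (added example, not Cloud SIEM code).

Shows the anti-pattern (retry every non-2xx immediately) next to a policy that:
  * never retries errors that cannot succeed on retry (e.g. 400/401/403 after an API change),
  * retries only transient statuses (429 and 5xx),
  * honours Retry-After when the service sends it,
  * otherwise backs off exponentially with jitter, capped at max_delay.
"""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Assumed response shape for the example: (status_code, headers, parsed_body)
Response = Tuple[int, Dict[str, str], Optional[dict]]

RETRYABLE_STATUSES = {429, 500, 502, 503, 504}


@dataclass
class RetryPolicy:
    max_attempts: int = 4
    base_delay: float = 1.0          # seconds
    max_delay: float = 60.0          # ceiling for both Retry-After and backoff
    rng: random.Random = field(default_factory=random.Random)

    def delay_for(self, attempt: int, headers: Dict[str, str]) -> float:
        """Seconds to wait before retry number `attempt` (0-based)."""
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            try:
                return min(float(retry_after), self.max_delay)
            except ValueError:
                pass  # non-numeric Retry-After: fall through to backoff
        exp = min(self.base_delay * (2 ** attempt), self.max_delay)
        return exp * (0.5 + self.rng.random() / 2)  # jitter: 50-100% of the exponential delay


def lookup_with_backoff(send: Callable[[str], Response], indicator: str,
                        policy: RetryPolicy,
                        sleep: Callable[[float], None] = time.sleep) -> Tuple[str, Optional[dict], int]:
    """Returns (outcome, body, requests_made).

    outcome is one of: "ok", "unknown" (404), "non_retryable", "exhausted".
    """
    for attempt in range(policy.max_attempts):
        status, headers, body = send(indicator)
        if 200 <= status < 300:
            return "ok", body, attempt + 1
        if status == 404:
            return "unknown", None, attempt + 1     # not an error: never retry
        if status not in RETRYABLE_STATUSES:
            return "non_retryable", None, attempt + 1   # retrying cannot help
        sleep(policy.delay_for(attempt, headers))
    return "exhausted", None, policy.max_attempts


def naive_lookup(send: Callable[[str], Response], indicator: str,
                 max_attempts: int = 4) -> Tuple[Optional[dict], int]:
    """The anti-pattern: retry every non-2xx at once, whatever the status."""
    requests_made = 0
    for _ in range(max_attempts):
        requests_made += 1
        status, _headers, body = send(indicator)
        if 200 <= status < 300:
            return body, requests_made
    return None, requests_made


class FakeService:
    """Constructed stand-in for the remote API: replays a scripted list of responses,
    then answers 200 with a constructed verdict. Counts every call it receives."""

    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def __call__(self, indicator: str) -> Response:
        self.calls += 1
        if self.script:
            return self.script.pop(0)
        return 200, {}, {"indicator": indicator, "malicious": 3}


if __name__ == "__main__":
    # API change: every call now fails with 400. Naive code hammers the service.
    broken = FakeService([(400, {}, None)] * 4)
    print("naive:", naive_lookup(broken, "evil.example"))
    # The policy gives up after one request instead.
    broken = FakeService([(400, {}, None)])
    print("policy:", lookup_with_backoff(broken, "evil.example", RetryPolicy(), sleep=lambda s: None))
```

The important distinction is that a 429 is a signal to slow down, while a 4xx caused by a contract change is a signal to stop; treating both as "retry now" is what converts an API change into a self-inflicted quota exhaustion.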

Copyright © 2024 by Sumo Logic, Inc.