Skip to main content

May 2022 Archive

Archive of May 2022 Cloud SIEM Release Notes.


May 31, 2022 - Content Release

Rules

  • [New] MATCH-S00811 MS Office Product Spawning Msdt.exe - CVE-2022-30190
  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] MATCH-S00766 Okta MFA Deactivated for User
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Aruba ClearPass User Authentication Failed
  • [New] Aruba ClearPass User Authentication Successful
  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] McAfee Network Security Parser - Catch All
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Orca Security Parser - Catch All
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] CloudTrail - application-insights.amazonaws.com - ListApplications
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StartLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - StopLogging
  • [Updated] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
  • [Updated] CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient
  • [Updated] CloudTrail - controltower.amazonaws.com - CreateManagedAccount
  • [Updated] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
  • [Updated] CloudTrail - ec2.amazonaws.com - BidEvictedEvent
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
  • [Updated] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
  • [Updated] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
  • [Updated] CloudTrail - ec2.amazonaws.com - ImportKeyPair
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
  • [Updated] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
  • [Updated] CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent
  • [Updated] CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection
  • [Updated] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - AttachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreateAccessKey
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
  • [Updated] CloudTrail - iam.amazonaws.com - CreateUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeletePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUser
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
  • [Updated] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - DetachUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutGroupPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutRolePolicy
  • [Updated] CloudTrail - iam.amazonaws.com - PutUserPolicy
  • [Updated] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
  • [Updated] CloudTrail - kms.amazonaws.com - DisableKey
  • [Updated] CloudTrail - kms.amazonaws.com - RotateKey
  • [Updated] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogGroup
  • [Updated] CloudTrail - logs.amazonaws.com - DeleteLogStream
  • [Updated] CloudTrail - organizations.amazonaws.com - CreateAccountResult
  • [Updated] CloudTrail - s3.amazonaws.com - CreateBucket
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketAcl
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketCors
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketPolicy
  • [Updated] CloudTrail - s3.amazonaws.com - PutBucketReplication
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded
  • [Updated] CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion
  • [Updated] CloudTrail - signin.amazonaws.com - CheckMfa
  • [Updated] CloudTrail - signin.amazonaws.com - ConsoleLogin
  • [Updated] CloudTrail - signin.amazonaws.com - ExitRole
  • [Updated] CloudTrail - signin.amazonaws.com - RenewRole
  • [Updated] CloudTrail - signin.amazonaws.com - SwitchRole
  • [Updated] CloudTrail - sso.amazonaws.com - Federate
  • [Updated] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
  • [Updated] CloudTrail Default Mapping
  • [Updated] Cloudflare - Logpush
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change
  • [Updated] Okta Authentication Events
  • [Updated] Okta Catch All
  • [Updated] Okta Security Threat Events
  • [Updated] Windows - Security - 4688

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/McAfee/McAfee Network Security
  • [New] /Parsers/System/Orca Security/Orca Security
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/HP/Aruba ClearPass - Syslog
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/F5/F5 Syslog
  • [Updated] /Parsers/System/Linux/Linux OS Syslog
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
  • [Updated] /Parsers/System/Shared/Syslog Headers
  • [Updated] /Parsers/System/Twistlock/Twistlock

May 27, 2022 - Application Update

Upcoming Changes

  • [Updated] Starting later next week, the severity attribute in audit log records for Insights (such as InsightCreated) will be changing. Instead of a number (represented as a string) from 1 to 4, the value will be a human-readable string matching the values in the UI (LOW, MEDIUM, HIGH, CRITICAL). Please update any dashboards or other consumers of this data.
  • [Deleted] Later next week, the Content > Suppressed Entities page will be removed from the UI to simplify the application. Instead, users can use a filter on the Content > Entities page to retrieve the list of suppressed Entities.

Minor Changes and Enhancements

  • [Updated] On the Insight Details pages, Signals are now sorted in order of the most recent Signal first by default. (As always, the user can change the sort order.)
  • [New] When creating a copy of a Rule, users are now given then option to apply the Rule Tuning Expression(s) that are applied on the original rule to the copy as well.
  • [New] In the CSE UI, timestamps now explicitly include the time zone.
  • [New] Users can now specify a maximum look-back window (in days) for TAXII feeds.
  • [New] The current status (enabled/disabled) for each feed is now displayed on the Threat Intelligence list page.

Resolved Issues

  • If a user had defined a high number of favorite fields, the system would show the first 50.
  • When specifying tags, the auto-complete feature was not working properly in some instances.

May 26, 2022 - Content Release

Rules

  • [Updated] MATCH-S00612 GCP Audit Secrets Manager Activity
  • [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed
  • [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded

Log Mappers

  • [New] Cisco Secure Email Parser - Catch All
  • [New] Exabeam Parser - Catch All
  • [New] Jamf Parser - Catch All
  • [New] Juniper SRX Series Firewall - Parser
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft 365 Defender
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft IPC
  • [New] Microsoft Graph Security API C2C - Dynamic Vendor/Product - Microsoft Office 365 Security and Compliance
  • [New] Squid Proxy - Parser
  • [New] Thinkst Canary Parser - Catch All
  • [New] Zscaler Workload Segmentation Catch All - Parser
  • [Updated] Egnyte DLP Parser - Catch All
  • [Updated] Linux OS Syslog - Process kernel - Promiscuous Mode Change

Parsers

  • [New] /Parsers/System/Cisco/Cisco Secure Email
  • [New] /Parsers/System/Exabeam/Exabeam Security Management Platform (SMP) Syslog
  • [New] /Parsers/System/Jamf/Jamf
  • [New] /Parsers/System/Juniper/Juniper SRX Series Firewall Syslog
  • [New] /Parsers/System/Squid/Squid Proxy Syslog
  • [New] /Parsers/System/Thinkst Canary/Thinkst Canary
  • [New] /Parsers/System/Zscaler/Zscaler Workload Segmentation/Zscaler Workload Segmentation JSON
  • [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
  • [Updated] /Parsers/System/Egnyte/Egnyte DLP
  • [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV

May 17, 2022 - Application Update

Minor Changes and Enhancements

  • [Updated] The _sourceName and _sourceHost values in records ingested by CSE will now reflect the original values defined when ingested into the Sumo Logic platform.
  • [Updated] The "Board" list view for Insights has been updated to include the resolution:board-view

Resolved Issues

  • In the new Entities tab in Insights, duplicate Entities were sometimes listed if the raw and normalized names didn't match. Also, the cards will now respond better to very low screen/browser widths.
  • When viewing some verbose content (like Record properties), mousing over the content would cause it to reflow.
  • When creating match list items via Terraform, the process was occasionally timing out.
  • Email-based actions were not functioning properly on instances with domains ending in jask.ai.

May 12, 2022 - Content Release

Rules

  • [Updated] LEGACY-S00078 SQL Injection Victim

Log Mappers

  • [New] Check Point Application Control
  • [New] Check Point SmartDefense
  • [New] Check Point URL Filtering
  • [Updated] Check Point Block

Parsers

  • [Updated] /Parsers/System/Check Point/Check Point Firewall JSON
  • [Updated] /Parsers/System/Check Point/Check Point Firewall Syslog
  • [Updated] /Parsers/System/Microsoft/Office 365

May 10, 2022 - Content Release

Rules

  • [Deleted] MATCH-S00258 Authentication Brute Force Attempt
  • [Updated] MATCH-S00176 RDP Login from Localhost

Log Mappers

  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4103 - CIP
  • [Deleted] Windows - Microsoft-Windows-PowerShell/Operational - 4104 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 1 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 10 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 11 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 15 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 2 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 3 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 4 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 5 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 6 - CIP
  • [Deleted] Windows - Microsoft-Windows-Sysmon/Operational - 8 - CIP
  • [Deleted] Windows - Security - 1100 - CIP
  • [Deleted] Windows - Security - 1102 - CIP
  • [Deleted] Windows - Security - 4624 - CIP
  • [Deleted] Windows - Security - 4625 - CIP
  • [Deleted] Windows - Security - 4634 - CIP
  • [Deleted] Windows - Security - 4648 - CIP
  • [Deleted] Windows - Security - 4649 - CIP
  • [Deleted] Windows - Security - 4656 - CIP
  • [Deleted] Windows - Security - 4658 - CIP
  • [Deleted] Windows - Security - 4661 - CIP
  • [Deleted] Windows - Security - 4662 - CIP
  • [Deleted] Windows - Security - 4663 - CIP
  • [Deleted] Windows - Security - 4672 - CIP
  • [Deleted] Windows - Security - 4674 - CIP
  • [Deleted] Windows - Security - 4688 - CIP
  • [Deleted] Windows - Security - 4689 - CIP
  • [Deleted] Windows - Security - 4697 - CIP
  • [Deleted] Windows - Security - 4698 - CIP
  • [Deleted] Windows - Security - 4702 - CIP
  • [Deleted] Windows - Security - 4704 - CIP
  • [Deleted] Windows - Security - 4720 - CIP
  • [Deleted] Windows - Security - 4726 - CIP
  • [Deleted] Windows - Security - 4728 - CIP
  • [Deleted] Windows - Security - 4732 - CIP
  • [Deleted] Windows - Security - 4740 - CIP
  • [Deleted] Windows - Security - 4742 - CIP
  • [Deleted] Windows - Security - 4754 - CIP
  • [Deleted] Windows - Security - 4755 - CIP
  • [Deleted] Windows - Security - 4756 - CIP
  • [Deleted] Windows - Security - 4768 - CIP
  • [Deleted] Windows - Security - 4769 - CIP
  • [Deleted] Windows - Security - 4770 - CIP
  • [Deleted] Windows - Security - 4771 - CIP
  • [Deleted] Windows - Security - 4776 - CIP
  • [Deleted] Windows - Security - 4778 - CIP
  • [Deleted] Windows - Security - 4779 - CIP
  • [Deleted] Windows - Security - 4780 - CIP
  • [Deleted] Windows - Security - 4793 - CIP
  • [Deleted] Windows - Security - 4798 - CIP
  • [Deleted] Windows - Security - 4799 - CIP
  • [Deleted] Windows - Security - 5038 - CIP
  • [Deleted] Windows - Security - 5058 - CIP
  • [Deleted] Windows - Security - 5059 - CIP
  • [Deleted] Windows - Security - 5061 - CIP
  • [Deleted] Windows - Security - 5140 - CIP
  • [Deleted] Windows - Security - 5379 - CIP
  • [Deleted] Windows - Security - 5805 - CIP
  • [Deleted] Windows - Security - 6272 - CIP
  • [Deleted] Windows - Security - 6273 - CIP
  • [Deleted] Windows - Security - 6275 - CIP
  • [Deleted] Windows - Security - 6278 - CIP
  • [Deleted] Windows - Security - 6416 - CIP
  • [Deleted] Windows - Security - 6423 - CIP
  • [Deleted] Windows - Security - 6424 - CIP
  • [Deleted] Windows - System - 5138 - CIP
  • [Deleted] Windows - System - 6005 - CIP
  • [Deleted] Windows - System - 6006 - CIP
  • [Deleted] Windows - System - 7045 - CIP
  • [New] BlueCat DNS Parser - Catch All
  • [Updated] AWS WAF Allow Logs
  • [Updated] AWS WAF Block Logs
  • [Updated] Firepower Catch All
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Preauth
  • [Updated] Linux OS Syslog - Process sshd - SSH Auth Success

Parsers

  • [Deleted] /Parsers/System/BlueCat/BlueCat DHCP Syslog
  • [New] /Parsers/System/BlueCat/BlueCat DHCP-DNS Syslog
  • [New] /Parsers/System/Cisco/Cisco Firepower JSON
  • [Updated] /Parsers/System/AWS/AWS WAF
  • [Updated] /Parsers/System/Zscaler/Zscaler Nanolog Streaming Service/Zscaler Nanolog Streaming Service-JSON

In the Cloud SIEM Enterprise release notes, you'll find information about new and enhanced features, updated content (like rules, log mappers and parsers), bug fixes, and other important announcements.

To view release notes from previous years, check the archive.

RSS Feed
Sumo Logic YouTubeSumo Logic Twitter
Legal
Privacy Statement
Terms of Use

Copyright © 2022 by Sumo Logic, Inc.