Announcements
- Starting October 1, 2022, _suppressed _Signals will be retained in CSE for 30 days (previously, they were retained for 90 days). All Signals are automatically stored in the Sumo sec_signals index for 2 years, so users searching for suppressed Signals more than 30 days old should search in that index instead of in the CSE UI.
- Note also that in the past, Signals attached to Insights were searchable from the CSE Signals list page indefinitely. Starting on October 1, they will only be searchable for 365 days. (They will still be visible from the Insight details page beyond that period.)
- As previously announced, the Sensor and IBM Resilient actions are no longer supported. They will be removed from CSE by the end of this month.
Minor Changes and Enhancements
- [New] In the Audit Log, when an Insight is created, the sum of the included Signals' severity is now included with the insight in the
risk_score
field (i.e. if there were three Signals each with a severity of 4, the sum of 12 will be included). - [Updated] The "Copy Expression" mouse action for record fields can now be activated using Shift+Click. The Click action now brings up a "Copy Value" action instead.
- [New] Users can now delete Match Lists from the list view (i.e. users no longer have to go into the details).
- [New] On the Criticality list page, the number of Entity Groups associated with each Criticality is now listed on the cards.
Resolved Issues
- In some cases where the Signals were relatively old, the Signals that contributed to an Insight were no longer visible in the Insight in the UI.
- Time stamps were missing from Records in some views.
Content Release
In 2 weeks (2022-09-15) we will be removing CHAIN-S00009 - 'Proofpoint TAP Click Permitted Followed by Successful Request' rule to consolidate Proofpoint TAP rules while providing equivalent detection value.
Rules
- [New] MATCH-S00818 Azure PRT Token Issued via Non Interactive Login
- [New] MATCH-S00821 Chromium Browser History Access by Non-Browser Process
- [New] MATCH-S00819 Chromium Process Started With Debugging Port
- [New] MATCH-S00820 Cloud Credential File Accessed
- [New] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
- [Updated] MATCH-S00235 Azure - Create User
Log Mappers
- [New] Mimecast AV Event
- [New] Mimecast Impersonation Event
- [New] Mimecast Spam Event
- [Updated] AzureActivityLog AuditLogs