diff --git a/blog-cse/2025-04-14-content.md b/blog-cse/2025-04-14-content.md new file mode 100644 index 0000000000..3ec2e823dc --- /dev/null +++ b/blog-cse/2025-04-14-content.md @@ -0,0 +1,81 @@ +--- +title: April 14, 2025 - Content Release +image: https://help.sumologic.com/img/sumo-square.png +keywords: + - log mappers + - parsers + - rules +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +This content release includes: +- Additional data requirements for GitHub rules added to rule descriptions. +- Spelling corrections for AWS Lambda rules. +- New Slack Anomaly Event log mapper and supporting parsing changes: + - Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402). + - Requires parser be defined for passthrough detection. +- Updates to Sysdig parsing and mapping to support additional events. +- Support for Microsoft Windows Sysmon-29 event. +- Additional normalized field mappings for Microsoft Windows Sysmon events. +- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields. + + +### Rules +- [Updated] MATCH-S00874 AWS Lambda Function Recon +- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited +- [Updated] MATCH-S00953 GitHub - Audit Logging Modification +- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub +- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User +- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API +- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition +- [Updated] MATCH-S00955 GitHub - Member Permissions Modification +- [Updated] MATCH-S00956 GitHub - OAuth Application Activity +- [Updated] MATCH-S00957 GitHub - Organization Transfer +- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User +- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads +- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed +- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion +- [Updated] MATCH-S00960 GitHub - Repository Transfer +- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public +- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed +- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo +- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity +- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert +- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled +- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization + +### Log Mappers +- [New] Slack Anomaly Event +- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16 +- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20 +- [New] Windows - Microsoft-Windows-Sysmon/Operational-29 +- [Updated] Sysdig Secure Packages +- [Updated] Sysdig Secure Vulnerability +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26 +- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27 + +### Parsers +- [New] /Parsers/System/Slack/Slack Enterprise Audit +- [Updated] /Parsers/System/Sysdig/Sysdig Secure + +### Schema +- [New] `targetUser_phoneNumber` +- [New] `user_phoneNumber` \ No newline at end of file