Skip to content

Create 2025-04-14-content.md #5281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jpipkin1 merged 3 commits into from
Apr 15, 2025
Merged

Create 2025-04-14-content.md #5281

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ee5cb37
Create 2025-04-14-content.md
jc-sumo Apr 15, 2025
06f1bea
Update blog-cse/2025-04-14-content.md
jpipkin1 Apr 15, 2025
8b37b87
Updates from review
jpipkin1 Apr 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 81 additions & 0 deletions blog-cse/2025-04-14-content.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
---
title: April 14, 2025 - Content Release
image: https://help.sumologic.com/img/sumo-square.png
keywords:
- log mappers
- parsers
- rules
hide_table_of_contents: true
---

import useBaseUrl from '@docusaurus/useBaseUrl';

This content release includes:
- Additional data requirements for GitHub rules added to rule descriptions.
- Spelling corrections for AWS Lambda rules.
- New Slack Anomaly Event log mapper and supporting parsing changes:
- Enables passthrough detection of Slack Anomaly Events using Normalized Security Signal (MATCH-S00402).
- Requires parser be defined for passthrough detection.
- Updates to Sysdig parsing and mapping to support additional events.
- Support for Microsoft Windows Sysmon-29 event.
- Additional normalized field mappings for Microsoft Windows Sysmon events.
- New `user_phoneNumber` and `targetUser_phoneNumber` schema fields.


### Rules
- [Updated] MATCH-S00874 AWS Lambda Function Recon
- [Updated] MATCH-S00952 GitHub - Administrator Added or Invited
- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
- [Updated] MATCH-S00954 GitHub - Copilot Seat Cancelled by GitHub
- [Updated] FIRST-S00091 GitHub - First Seen Activity From Country for User
- [Updated] FIRST-S00090 GitHub - First Seen Application Interacting with API
- [Updated] MATCH-S00950 GitHub - Member Invitation or Addition
- [Updated] MATCH-S00955 GitHub - Member Permissions Modification
- [Updated] MATCH-S00956 GitHub - OAuth Application Activity
- [Updated] MATCH-S00957 GitHub - Organization Transfer
- [Updated] OUTLIER-S00026 GitHub - Outlier in Distinct User Agent Strings by User
- [Updated] OUTLIER-S00027 GitHub - Outlier in Repository Cloning or Downloads
- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
- [Updated] MATCH-S00959 GitHub - Repository Public Key Deletion
- [Updated] MATCH-S00960 GitHub - Repository Transfer
- [Updated] MATCH-S00961 GitHub - Repository Visibility Changed to Public
- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
- [Updated] MATCH-S00963 GitHub - SSH Key Created for Private Repo
- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
- [Updated] MATCH-S00951 GitHub - Secret Scanning Alert
- [Updated] MATCH-S00965 GitHub - Secret Scanning Potentially Disabled
- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization

### Log Mappers
- [New] Slack Anomaly Event
- [New] Windows - Microsoft-Windows-Sysmon/Operational - 16
- [New] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
- [New] Windows - Microsoft-Windows-Sysmon/Operational-29
- [Updated] Sysdig Secure Packages
- [Updated] Sysdig Secure Vulnerability
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 11
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27

### Parsers
- [New] /Parsers/System/Slack/Slack Enterprise Audit
- [Updated] /Parsers/System/Sysdig/Sysdig Secure

### Schema
- [New] `targetUser_phoneNumber`
- [New] `user_phoneNumber`