35 changes: 35 additions & 0 deletions blog-cse/2025-10-10-content.md
@@ -0,0 +1,35 @@
---
title: October 10, 2025 - Content Release
image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
keywords:
- log mappers
hide_table_of_contents: true
---

This content release includes:
- New and updated rules.
- Updated Threat Intelligence rules with match lists which can be populated with exclusions to prevent the generation of undesired signals.
- Mapping update.

Changes are enumerated below.

## Rules
- [New] CHAIN-S00023 Administrative Remote Interactive Brute Force Login
<br/>This rule correlates a high number of failed authentication attempts with a successful remote interactive login (such as via RDP) coming from the same source IP address and user account.
- [New] CHAIN-S00024 RDP Brute Force Login Attempt
<br/>This rule correlates a high number of failed authentication attempts with repeated inbound connections over port 3389 (the default RDP port).
- [New] MATCH-S01056 Administrative Remote Interactive Login
<br/>This rule triggers on a successful remote interactive login (such as via RDP) of a privileged user.
- [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
<br/>Updated to reduce false positive matches for certain parent-child process combinations.
- [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
- [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
- [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
- [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
- [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
- [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
- [Updated] MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP

## Log Mappers
- [Updated] Slack Anomaly Event
<br/>Updated to include `threat_name` mapping for improved context in alerts.
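Review bot: The seven [Updated] Threat Intel entries (MATCH-S01024 through MATCH-S01018) are the only list items without a `<br/>` description line, even though the summary at the top says these rules were updated with match lists for exclusions; add a one-line description under each, in the same style as the other entries, for example `<br/>Updated to support a match list of exclusions to suppress undesired signals.` so a reader scanning the Rules section sees what changed. Minor: the front matter `keywords` lists only `log mappers`, while most of this release is rule changes; consider adding a `rules` keyword (or whatever the other release posts use) so the post is found under both topics.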