SumoLogic · jc-sumo · May 5, 2026 · May 4, 2026 · May 5, 2026 · May 5, 2026
@@ -0,0 +1,154 @@
+  ---
+title: May 4th, 2026 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - parsers
+  - schema
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+* This content release includes:
+    - Enhanced Fortinet field mappings with standardized severity normalization, session tracking, and device identification across 27 log mappers, plus removal of 3 redundant mappers
+    - Windows and Linux Sysmon mapper improvements ensuring normalizedAction and normalizedResource fields are consistently populated across all 44 event types for better query performance and standardization
+    - Citrix Cloud C2C parser and mapper updates adding session log support for monitoring user authentication, connection lifecycle, and session state transitions
+    - MITRE ATT&CK Tactics & Techniques updated to v19
+        - Rule updates corresponding to new and deprecated Tactics & Techniques.
+    - Changes are enumerated below
+
+## Rules
+- [Updated] MATCH-S00924 AWS Bedrock Guardrail Deleted
+- [Updated] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
+- [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
+- [Updated] MATCH-S00540 AWS CloudTrail Network Access Control List Deleted
+- [Updated] MATCH-S00664 AWS CloudWatch Alarm Actions Disabled
+- [Updated] MATCH-S00663 AWS CloudWatch Alarm Deletion
+- [Updated] MATCH-S00662 AWS CloudWatch Anomaly Detector Deletion
+- [Updated] MATCH-S00665 AWS CloudWatch Log Group Deletion
+- [Updated] MATCH-S00661 AWS CloudWatch Log Stream Deletion
+- [Updated] MATCH-S00671 AWS Config Recorder Deletion
+- [Updated] MATCH-S00672 AWS Config Recorder Stopped
+- [Updated] MATCH-S00670 AWS Config Service Tampering
+- [Updated] MATCH-S00677 AWS Route 53 Service Tampering
+- [Updated] MATCH-S00674 AWS WAF Access Control List Updated
+- [Updated] MATCH-S00676 AWS WAF Rule Group Updated
+- [Updated] MATCH-S00675 AWS WAF Rule Updated
+- [Updated] MATCH-S00673 AWS WAF Service Tampering
+- [Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
+- [Updated] MATCH-S00589 Alibaba ActionTrail Network Access Control List Deleted
+- [Updated] MATCH-S00516 Antivirus Ransomware Detection
+- [Updated] MATCH-S00415 Attempt to Clear Windows Event Logs Using Wevtutil
+- [Updated] MATCH-S00795 Azure - Diagnostic Setting Deleted
+- [Updated] MATCH-S00796 Azure - Diagnostic Setting Modified
+- [Updated] MATCH-S00797 Azure - Event Hub Deleted
+- [Updated] MATCH-S00864 Azure Firewall Rule Modified
+- [Updated] MATCH-S00373 BlueMashroom DLL Load
+- [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
+- [Updated] LEGACY-S00037 Fortinet Critical App-Risk
+- [Updated] LEGACY-S00038 Fortinet High App-Risk
+- [Updated] MATCH-S00620 GCP Audit Cloud SQL Database Modified
+- [Updated] MATCH-S00621 GCP Audit GCE Firewall Rule Modified
+- [Updated] MATCH-S00622 GCP Audit GCE Network Route Created or Modified
+- [Updated] MATCH-S00623 GCP Audit GCE VPC Network Modified
+- [Updated] MATCH-S00626 GCP Audit Logging Sink Modified
+- [Updated] MATCH-S00627 GCP Audit Pub/Sub Subscriber Modified
+- [Updated] MATCH-S00628 GCP Audit Pub/Sub Topic Deleted
+- [Updated] MATCH-S00953 GitHub - Audit Logging Modification
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00288 NotPetya Ransomware Activity
+- [Updated] MATCH-S00831 Office 365 Unified Audit Logging Disabled
+- [Updated] THRESHOLD-S00048 Outbound Traffic to Countries Outside the United States
+- [Updated] MATCH-S00546 Potential Reconnaissance Obfuscation
+- [Updated] LEGACY-S00080 SSH Interesting Hostname Login
+- [Updated] LEGACY-S00170 The Audit Log was Cleared - 1102
+- [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
+- [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
+- [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
+- [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
+- [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
+- [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
+- [Updated] MATCH-S00531 Unload Sysmon Filter Driver
+- [Updated] MATCH-S00892 Value Added to Azure NSG Group
+- [Updated] MATCH-S00521 Windows - Critical Service Disabled via Command Line
+- [Updated] MATCH-S00549 Windows Disable Antispyware Registry
+- [Updated] MATCH-S00538 Windows Firewall Rule Added
+- [Updated] MATCH-S00537 Windows Firewall Rule Deleted
+- [Updated] MATCH-S00536 Windows Firewall Rule Modified
+- [Updated] MATCH-S00533 Windows Security Account Manager Stopped
+
+## Log Mappers
+- [Deleted] Fortinet DNS Query
+- [Deleted] Fortinet Traffic2
+- [Deleted] Fortinet dns Logs
+- [New] Citrix Cloud Session Logs
+- [Updated] Fortinet Anomaly Logs
+- [Updated] Fortinet Appctrl1
+- [Updated] Fortinet Appctrl2
+- [Updated] Fortinet Authentication
+- [Updated] Fortinet DLP Logs
+- [Updated] Fortinet DNS
+- [Updated] Fortinet Endpoint
+- [Updated] Fortinet Event Logs
+- [Updated] Fortinet FortiGate-200D Auth CEF
+- [Updated] Fortinet FortiGate-200D Endpoint CEF
+- [Updated] Fortinet FortiGate-200D Flow CEF
+- [Updated] Fortinet Traffic
+- [Updated] Fortinet UTM IDS1
+- [Updated] Fortinet VPN
+- [Updated] Fortinet Virus
+- [Updated] Fortinet ha Logs
+- [Updated] Fortinet perf-stats pba-close Systems Logs
+- [Updated] Fortinet security-rating Logs
+- [Updated] Fortinet ssl Logs
+- [Updated] Fortinet voip Logs
+- [Updated] Fortinet wad Logs
+- [Updated] Fortinet waf Logs
+- [Updated] Fortinet wireless Logs
+- [Updated] Linux-Sysmon/Operational - 1
+- [Updated] Linux-Sysmon/Operational - 10
+- [Updated] Linux-Sysmon/Operational - 15
+- [Updated] Linux-Sysmon/Operational - 16
+- [Updated] Linux-Sysmon/Operational - 17
+- [Updated] Linux-Sysmon/Operational - 18
+- [Updated] Linux-Sysmon/Operational - 2
+- [Updated] Linux-Sysmon/Operational - 23
+- [Updated] Linux-Sysmon/Operational - 3
+- [Updated] Linux-Sysmon/Operational - 4
+- [Updated] Linux-Sysmon/Operational - 5
+- [Updated] Linux-Sysmon/Operational - 6
+- [Updated] Linux-Sysmon/Operational - 7
+- [Updated] Linux-Sysmon/Operational - 8
+- [Updated] Linux-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 1
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 10
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 12, 13, and 14
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 15
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 16
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 17
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 18
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 19|20
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 2
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 21
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 22
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 23
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 24
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 25
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 26
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 27
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 28
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 3
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 4
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 5
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 6
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 7
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 8
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational - 9
+- [Updated] Windows - Microsoft-Windows-Sysmon/Operational-29
+
+## Parsers
+- [Updated] /Parsers/System/Citrix/Citrix Cloud C2C
+
+## Schema
+Updated MITRE ATT&CK Tactics & Techniques to v19