SumoLogic · jc-sumo · Jun 4, 2026 · kimsauce · Jun 5, 2026 · kimsauce
@@ -0,0 +1,106 @@
+---
+title: June 4th, 2026 - Content Release
+hide_table_of_contents: true
+keywords:
+  - log mappers
+  - parsers
+  - schema
-  - log mappers
-  - parsers
-  - schema
+  - rules
-  - log mappers
-  - parsers
-  - schema
+  - rules
+image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+* This content release includes:
+    - Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
+    - Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
+    - Additional changes are enumerated below
-* This content release includes:
-    - Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
-    - Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
-    - Additional changes are enumerated below
+This content release includes:
+- Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
+- Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
+- Additional changes are enumerated below
-* This content release includes:
-    - Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
-    - Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
-    - Additional changes are enumerated below
+This content release includes:
+- Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
+- Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
+- Additional changes are enumerated below
+
+## Rules
+- [Updated] MATCH-S00307 AWS - Excessive OAuth Application Permissions Scope
+- [Updated] MATCH-S00306 AWS - New UserPoolClient Created
+- [Updated] MATCH-S00261 AWS CloudTrail - Database Snapshot Created
+- [Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
+- [Updated] MATCH-S00654 AWS ECS Cluster Deleted
+- [Updated] MATCH-S00719 AWS Instance Creation
+- [Updated] MATCH-S00720 AWS Instance Deletion
+- [Updated] MATCH-S00721 AWS Instance Modification
+- [Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
+- [Updated] MATCH-S00516 Antivirus Ransomware Detection
+- [Updated] MATCH-S00510 Attempt to Add Certificate to Store
+- [Updated] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe
+- [Updated] MATCH-S00805 Azure - Bastion Host Created/Modified
+- [Updated] MATCH-S00806 Azure - Bastion Host Deleted
+- [Updated] MATCH-S00808 Azure - Container Instance Creation/Modification
+- [Updated] MATCH-S00809 Azure - Container Start
+- [Updated] MATCH-S00786 Azure - SQL Database Export
+- [Updated] MATCH-S00303 Azure - Unauthorized OAuth Application
+- [Updated] MATCH-S00803 Azure - Virtual Machine Creation/Modification
+- [Updated] MATCH-S00804 Azure - Virtual Machine Deleted
+- [Updated] MATCH-S00801 Azure - Virtual Machine Started
+- [Updated] MATCH-S00802 Azure - Virtual Machine Stopped
+- [Updated] MATCH-S00896 Azure Authentication Policy Change
+- [Updated] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
+- [Updated] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
+- [Updated] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
+- [Updated] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
+- [Updated] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
+- [Updated] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
+- [Updated] MATCH-S00891 Azure OAUTH Application Consent from User
+- [Updated] MATCH-S00373 BlueMashroom DLL Load
+- [Updated] MATCH-S01155 Claude Compliance API Logging Disabled
+- [Updated] MATCH-S01157 Claude Organization IP Restriction Deleted
+- [Updated] MATCH-S00758 CrashControl Registry Modification
+- [Updated] MATCH-S00544 Disabling Remote User Account Control
+- [Updated] MATCH-S00319 Dridex Process Pattern
+- [Updated] MATCH-S00392 File or Folder Permissions Modifications
+- [Updated] FIRST-S00037 First Seen AWS EKS Admission Controller Created by IP Address
+- [Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
+- [Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
+- [Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP
+- [Updated] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
+- [Updated] MATCH-S00712 GCP Instance Creation
+- [Updated] MATCH-S00713 GCP Instance Deletion
+- [Updated] MATCH-S00714 GCP Instance Modification
+- [Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
+- [Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
+- [Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
+- [Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
+- [Updated] MATCH-S00301 Google Workspace - Excessive OAuth Application Permissions Scope
+- [Updated] MATCH-S00227 Google Workspace - Unauthorized OAuth Application
+- [Updated] MATCH-S00894 HAR file creation observed on host
+- [Updated] MATCH-S00850 LastPass - Policy Added
+- [Updated] MATCH-S00851 LastPass - Policy Deleted
+- [Updated] MATCH-S00852 LastPass - Shared Folder Created
+- [Updated] MATCH-S00578 Lsass Registry Key Modified
+- [Updated] MATCH-S00534 MacOS - Re-Opened Applications
+- [Updated] MATCH-S00729 MacOS Gatekeeper Bypass
+- [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
+- [Updated] MATCH-S00397 Mimikatz Loaded Images Detected
+- [Updated] MATCH-S00404 Mimikatz via Powershell and EventID 4703
+- [Updated] MATCH-S00655 New Container Uploaded to AWS ECR
+- [Updated] MATCH-S00906 Okta - Application Created
+- [Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
+- [Updated] MATCH-S00683 Overly Permissive Chmod Command
+- [Updated] MATCH-S00698 PATH Set to Current Directory
+- [Updated] MATCH-S00704 Persistence Registry Key Modification
+- [Updated] MATCH-S00200 Potential Pass the Hash Activity
+- [Updated] MATCH-S00545 Registry Keys For Creating Shim Databases
+- [Updated] MATCH-S00705 Registry Modification - Authentication Package
+- [Updated] MATCH-S00730 Registry Modification - Code Signing
+- [Updated] MATCH-S00735 Registry Modification - SIP or Trust Provider
+- [Updated] MATCH-S00569 Registry Persistence Mechanisms
+- [Updated] MATCH-S00328 Rubeus Hack Tool
+- [Updated] MATCH-S00498 Rubeus Hack Tool Logon Process Name
+- [Updated] LEGACY-S00094 Self-signed Certificates
+- [Updated] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
+- [Updated] MATCH-S00196 Successful Overpass the Hash Attempt
+- [Updated] LEGACY-S00182 Suspicious HTTP User-Agent
+- [Updated] MATCH-S00135 Suspicious Registry Key Modification
+- [Updated] MATCH-S00886 Suspicious chmod Execution
+- [Updated] MATCH-S00567 Ursnif Malware Registry Key
+- [Updated] MATCH-S00316 WannaCry Ransomware
+- [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
+- [Updated] MATCH-S00107 Windows - User Adds Self to Security Group
+- [Updated] LEGACY-S00169 Windows Account Added To Privileged Security Group
+- [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected
+- [Updated] MATCH-S00880 macOS - Entitlement Enumeration via Xattr