SNYPR 6.4
Release Notes
Date Published: 8/12/2021
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.
Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.
Copyright © 2021 Securonix. All rights reserved.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649
SNYPR Release Notes 2
Table of Contents
Introduction 4
What's New in this Release 5
Improvements 12
Bug Fixes 22
New and Improved Content 32
New Content 32
Improved Content 58
Decommissioned Content 71
Known Issues 148
Introduction
The Release Notes include the new features, improvements, bug fixes, and content updates for the SNYPR Jupiter release (6.4).
Note: You can check if your ticket is fixed in this release by referring to the
Summary section. The Summary section includes a description and customer logged
ticket number, if applicable.
Access to SNYPR 6.4
The Securonix team provides access to the SNYPR 6.4 application. You have to install the RIN application from https://downloads.securonix.com for data ingestion.
Note: For information on how to install RIN, refer to the RIN Installation Guide.
What's New in this Release
This section offers a brief summary of the following new and improved features for the SNYPR 6.4 release:
SNYPR Services New and Improved Features
Analytics
- Content Management
- Data Dictionary
- Phishing Analyzer
- Publish Content Updates to Tenants (Multi-tenant)
- Policy Enhancements
Detection and Response
- EDR Playbook Response Actions
- Response Management
- Incident Assignee Chain
- On-Demand Incident
- Sandbox Widget
Hunting
- Live Channel
- Tabular View
- Timedifference Function
Ingestion
- Autodiscovery of Datasources
- Ingestion Improvements
Shared
- Activity Monitor
- Data Masking for Multi-Tenant
For more information about each feature, see the SNYPR 6.4 What's New Guide.
Content Management
The Content Management feature introduces the ability to seamlessly deploy and manage content maintained by the Securonix content team. This feature gives you access to the most up-to-date threat content so you can maintain the highest level of security detection.
For more details about this feature, see the Content Management section in the
What's New Guide.
Data Dictionary
The Data Dictionary feature provides the ability to create your own labels for data ingested by SNYPR from datasources. These labels simplify the ingestion, analytics, and hunting processes by providing consistent and easy-to-understand labels for data.
Content developers can use these mapped labels to perform data ingestion and create policies, and security analysts can use these labels to search Spotter.
For more details about this feature, see the Data Dictionary section in the What's
New Guide.
Phishing Analyzer Technique
The Phishing Analyzer detection technique allows the customer's content team and security analyst team to create policies to detect phishing attacks. Using this policy, you can check email senders against comparators and detect emails pretending to be from reputable companies.
For more details about this feature, see the Phishing Analyzer section in the What's
New Guide.
Publish Content Updates to Tenants
A new capability has been added that allows detection engineers to publish parsers and enrichment changes to other tenants instantly. This capability provides scalability and saves detection engineers time by avoiding manual updates for each tenant.
For more details about this feature, see the Publish Content Updates to Tenants
section in the What's New Guide.
Policy Enhancements
The release includes the following key enhancements to analytics:
- Policy Labels: Includes the capability to tag policies so that security analysts can build reports, create dashboards, and search violations using specific labels.
- Risk Score Aggregation for all Entities: Provides aggregate risk scores for all entities so that security analysts can have a unified view and a better risk profile for each entity.
For more details about this feature, see the Policy Enhancements section in the
What's New Guide.
EDR Playbook Response Actions
CrowdStrike playbook response actions are now offered as part of the SNYPR native response actions. The CrowdStrike and Cylance playbook response actions are configured and run from the SNYPR user interface for single or multiple Remote Ingestion Nodes (RINs).
For more details about this feature, see the CrowdStrike Playbook Response Actions
section in the What's New Guide.
Response Management
The Response Management feature provides a new, centralized user interface (UI) to configure third-party automated response connections and manage playbook access per tenant. In addition to the new centralized UI configurations, administrators have the flexibility to manage separate connections for each tenant, while isolating playbooks per tenant.
For more details about this feature, see the Response Management section in the
What's New Guide.
Incident Assignee Chain
The Incident Assignee Chain controls incident visibility across specific users. Only users listed on the Incident Assignee Chain have access to discuss, contribute, coordinate, and download incident information. This is especially helpful for larger enterprises and multi-tenant deployments that manage multiple incidents across different teams.
For more details about this feature, see the Incident Assignee Chain section in the
What's New Guide.
On-Demand Incident
The On-Demand Incident feature allows analysts and threat hunters to create new incidents and add context around those incidents from various locations in the SNYPR UI. Analysts and threat hunters can now create a new incident using a new global UI icon, add events to new or existing incidents from the Spotter Search Results view, and manage activity from the Incident Management dashboard to better manage emerging threats that might previously have gone unnoticed.
For more details about this feature, see the On-Demand Incident section in the
What's New Guide.
Sandbox Widget
The Sandbox widget enables security analysts to test policy violations in an isolated environment to identify issues before making them public. With the ability to run threat models in Sandbox at scale, the Sandbox widget significantly reduces alert noise, improving detection time and enabling more focus for analysts.
For more details about this feature, see the Sandbox Widget section in the What's
New Guide.
Live Channel
Live Channel is a new detection mechanism that enables search and detection of new threats, and provides the ability to search via regex across data sources and channels.
For more details about this feature, see the Live Channel section in the What's New
Guide.
Tabular View
Tabular View provides an easy-to-use UI for arranging and viewing event attributes, improving investigation and search efficiency.
For more details about this feature, see the Tabular View section in the What's New
Guide.
Timedifference Function
The Timedifference function calculates the difference between two time fields in a human-readable format. With this new feature, you simply provide two time fields in Spotter, and the Timedifference function quickly calculates and returns the result as a time value.
For more details about this feature, see the Timedifference section in the What's
New Guide.
Autodiscovery of Datasources
SNYPR 6.4 provides auto-discovery of syslog-based datasources, which simplifies and automates the onboarding process. This new workflow improves the time to value for onboarding datasources. Once you have configured your datasource to send events to the RIN, SNYPR discovers those events and suggests a parser for them.
For more details about this feature, see the Ingestion 2.0 section in the What's New
Guide.
Ingestion Improvements
The release includes the following key enhancements to ingestion:
- Improved Activity Import: Provides an improved and intuitive user interface (UI). The new visual layout of Activity Import consists of an updated color palette, grid view, font, and information design.
- Simplified Lookup Table Management for Multi-Tenant: Allows content developers to create a single policy that can be applied to all tenants without the need to duplicate the policy and customize it for each tenant.
For more details on other improvements, see the Ingestion Improvements section in the What's New Guide.
Activity Monitor
The Activity Monitor tool provides a crucial, real-time view of events ingested by SNYPR. Administrators can see ingestion trends by datasource to identify sudden increases in the number of events or ingestion delays.
For more details on other improvements, see the Activity Monitor section in the What's New Guide.
Data Masking for Multi-Tenant
The Data Masking feature allows MSSPs to secure Personally Identifiable Information (PII) for users and entities. You can mask all activity account names, IP addresses, resource names, and event attributes for all datasources available for a tenant.
For more details on other improvements, see the Activity Monitor section in the What's New Guide.
Improvements
The following table describes the improvements that were made in this release:
Note: An INC number represents a ticket that was previously logged by a customer,
and is now improved in the current release.
Component Summary
Activity Import: Improved the performance of data enrichment for event categorization.
Algorithm: Implemented a new Domain Generation Algorithm (DGA) algorithm.
Analytics: Added support for static baselines and daily threshold to Enumeration Behavior and Volume Spike Behavior.
Analytics: Added a new analytic technique called Phishing Analyzer.
Analytics: Included a list of enabled or disabled policies and threats for policies. (INC-223929)
Analytics: Updated the default values for the BEACONING_DELETE_CONFIG configuration.
Analytics: Improved the Landspeed analytics to increase the accuracy of detection.
Analytics: Optimized the policy deletion process.
Analytics: Added additional criteria for threat intelligence checks.
Analytics: Added an option to filter policies based on the policy category from the Policy Management screen.
Analytics: Updated the Policy Name field to include square brackets. (INC-228027)
Analytics: Enhanced the Threat Model screen to allow users to add violators to an active list.
Analytics: Improved the Behavior Profile screen by:
- Adding a search box to search behavior profiles.
- Displaying the profile names in alphabetical order.
Analytics: Added the ability to provide labels for policies. These labels allow analysts to build reports, dashboards, and search violations using specific labels.
Analytics: Added a warning message to alert users when any violation entity attribute (accountname, resourcename, ipaddress) is not mapped. Risk scores are not calculated correctly when violation entities are not mapped.
Analytics: Added the ability to provide aggregate risk scores for a machine (resource) across datasources.
Analytics: Improved the tooltip message for Violation Entity on the Policy Violations screen.
Analytics: Improved Event Attributes on the Create a Rule screen to display attributes alphabetically.
Analytics: Added data validation to check for special characters in attributes to fix an error that occurred while configuring violations.
Analytics: Added a description for the Amount of Data field for creating AEE-based policies.
Analytics: Improved user experience by sorting the values in the Edit filter dropdown on the Policy Configuration screen.
Analytics for Multi-Tenant: Enabled threat models for all tenants. (INC-229117)
Analytics for Multi-Tenant: Added an option to select tenants for functionality-based policies.
Auditing: Enhanced auditing to include SAML assertion fields in audit logs when a user logs in using SAML.
Authentication: Added a check to restrict users from using any of their last five passwords as the new password.
Authentication/Access Control: Implemented checks to validate the email addresses of users and groups.
Authorization/RBAC: Added the ability to restrict an analyst's access to Users or TPI Spotter indexes based on tenant or user.
Authorization/RBAC for Multi-Tenant: Improved the Available Tenant filtering on the Security Command Center to only display information for the selected tenant.
Authorization/RBAC for Multi-Tenant: Restricted the group view by tenant. (INC-229347)
Authentication/Single Sign-On (SSO): Added two new flags in the SAML Assertion for the following scenarios:
- New users logging in to the SNYPR application for the first time: Assign the default group when the group information is not in the SAML assertion.
- Existing users logging in to the SNYPR application: Retain the group already assigned to the user. For example, if a user is a member of any group other than the default group, the group information will not change. (INC-229021)
Authentication/SSO: Added a message to indicate that the user has successfully logged off from the SNYPR application. (INC-226076)
Authentication/SSO: Included an option to set the time period after which the SNYPR application logs off the user automatically. This option must be set to automatically log off the user after the specified time period. (INC-223283)
Authentication/SSO: Included an option to set the number of concurrent SNYPR sessions a user can have. (INC-226779)
Authentication/SSO: Included a check for users to change their temporary passwords when they log in to SNYPR for the first time.
Authentication/SSO: Implemented user authorization using SAML/Single Sign-On (SSO) when SSO is enabled.
Authentication/SSO: Added support for NTLM authentication for SMTP.
Automated Response: Added an error message to the Connection Type drop-down that displays when a connection already exists for a particular connection type for a tenant.
Behavior/Activity Outlier: Improved the clustering algorithm and performance for peer behavior and all account behavior policies.
Case Management: Added a Violation Summary tab to the Incident Management screen that includes a Threat Model violation view by stages and a list of policies.
Case Management/Incident Management: Improved the alert email to include a link to access the incident once the incident is created.
Connector: Updated the AWS SQS S3 connector to send data from multiple accounts to a single account.
Connector: Updated the parsing technique for the Azure Storage connector.
Connector: Improved the AWS CloudWatch connector to support authentication for cross-account access to CloudWatch resources.
Connector: Updated the AWS GuardDuty connector to support authentication for cross-account access to GuardDuty detectors.
Connector: Added functionality to support the ingestion of raw event data for the CrowdStrike Falcon Data Replicator module.
Connector: Enhanced the Proofpoint connector to extract file extensions separately.
Data Import: Enhanced the conditional enrichment process to support Classless Inter-Domain Routing (CIDR) ranges.
Encryption/Masking: Improved the GDPR unmasking approval workflow:
- Sec_users in different sec_groups can belong to a single-step or zero-step unmasking workflow.
- Workflows are configured according to the roles assigned to sec_groups.
Event Enrichment: Added a new Spark job called Pipeline Orchestration that prioritizes event data collections and manages congestion during the ingestion process.
Event Parsing: Added a Windows XML parser to parse native Windows data in XML format.
Incident Management: Added a table view on the Incident Management screen that displays contextual information about all the events that are added to an existing case from Spotter.
Incident Management: Improved the archival/data retention policy in Incident Management to ensure that events attached from Spotter remain available during investigation, even if the data is archived or deleted.
Incident Management: Added an option to edit the criticality of an incident.
Incident Management: Modified the location of the Playbook button for better user experience.
Incident Management: Added functionality to run playbooks from the Incident Management screen.
Incident Management: Improved user experience by adding a notification message at the top of the screen.
Ingestion: Improved parsing for CrowdStrike.
Ingestion: Improved parsing for Microsoft O365 Azure.
Ingestion: Modified the Activity Import screen to use the Data Dictionary feature.
Ingestion: Enhanced SNYPR to manage multiple RINs from the SNYPR user interface.
Ingestion - Activity Import: Added the ability for users to assign custom names to action filters.
Ingestion - Events: Improved the lookup data import process from AWS S3 to support filtering by the folder path available in AWS S3.
Ingestion - Geolocation: Improved the geolocation import by adding enrichment for destination address and source address attributes.
Ingestion - Geolocation: Improved the geolocation import by supporting enrichment of IPv6 addresses with geolocation details. (INC-235616)
Ingestion - Third-Party Intelligence: Added an option to concatenate two or more attributes that are separated by a delimiter into one field.
Ingestion - TPI: Improved the enrichment process for activity data by including the context for hash, URL, IP, vulnerability, and hash type attributes for Recorded Future TPI. (INC-229276)
Lookup Data: Added RBAC controls for individual Watchlists and Lookup tables.
Notification Framework: Improved the Notification module so that analysts can filter notifications by type, date range, or both. Role-based access control makes it easy for an analyst to configure the notifications they see by default.
Notification Framework: Implemented an option to send notification emails to end users using the REST API.
Policy Configuration: Improved the user experience by displaying the number of times a particular condition is added for Risk Boosters while creating a policy.
Policy Configuration: Added a new option to view all enabled and disabled policies on the Policy Management screen.
Policy Configuration: Added a check to remove white space before and after the policy name. (CLOUD-2112)
Policy Engine: Enhanced the policy creation process for functionalities by allowing users to create policies that can apply to multiple functionalities.
Policy Engine: Added an option for users to save and commit the policy to the content repository from the Policy Creation screen.
Policy Engine: Improved the performance of the policy engine.
Policy Engine: Added a warning note when the account name is blank while creating a policy.
Policy Engine: Added the Check Against Named List option to create a new rule by checking values against named lists.
Reporting: Added the ability to email a Data Insights dashboard as a report.
Reporting: Added the ability to sort on the DateTime field for the TABLE operator.
Reporting: Created a new report template with predefined attributes selected by default.
Reporting Framework/Spotter Console: Added the ability to quickly select attributes in the Run Spotter Report view of Spotter to reduce the time spent on exporting data from Spotter or creating reports.
Response/Notification: Added functionality to integrate with Cherwell.
Response Orchestration: Enhanced integration with ServiceNow by adding more metadata during incident creation (threat indicator and category).
Response Orchestration: Modified the connector to integrate with a Phantom multi-tenant environment for case management. (INC-212561)
Response Orchestration: Added playbook information for an incident in Action History for added context.
Response Orchestration/SOAR: Added the ability to enable or disable the visibility of the playbook action button according to the role provided to the user.
Response Orchestration/SOAR: Added the ability for users to select one or multiple RINs while taking response actions for a playbook.
Response Orchestration/SOAR: Removed the ability to configure ingesters for RSA playbooks on the Policy Violations and Threat Modeler screens, as RSA playbooks are not supported.
REST API: Improved the Watchlist REST API:
- The listWatchlist web service now provides the name and count of entities in a Watchlist.
- Each Watchlist name includes a list of existing entities in that Watchlist.
- When given a list of entities, the service returns a list stating which Watchlist each entity belongs to.
- The Check if an entity exists in a watchlist web service now accepts watchlistname as an optional parameter.
- The Add entity to a single watchlist web service now allows you to add up to five entities per API call.
By default, entities in a Watchlist are sorted by the day the entity was created.
REST API: Added the ability to pull activity information from cases in Incident Management.
REST API: Added information on the parent case for REST APIs within the Incident Management category.
REST API: Improved platform security by implementing:
- Token-based authentication for all web services.
- Session timeout for web services after a user-specified time period.
REST API for Multi-Tenant: Improved Incident Management REST APIs to include the tenant name when querying SNYPR for activity and violations. If the user has not specified the tenant name, the REST API retrieves information only for the tenant the user has access to.
RIN: Improved the RIN installation process by providing a silent installer and a prerequisite validation framework.
RIN: Improved the RIN monitoring capabilities to provide alerts for disk usage and certificate expiration.
Role-based Access Control: The ability to enable or disable policies can be controlled by a new role privilege.
Security Command Center: Added the ability to launch Spotter for top violators from Entity Data in SCC.
Security Command Center: Improved the calculation of the risk score by consolidating anomalies for the Resource and IP address entity types, regardless of which data feed generates the anomaly.
Security Command Center/Views: Added filter and sort functionality for custom widgets created using SNYPR.
Spotter: Added the OrderBy filter to sort the Spotter search results.
Spotter: Improved the performance of IN and NOT IN queries when there are more than 10 values for a parameter.
Spotter: Added a message on the Search Results view of Spotter to inform users that the results are not ordered by eventtime when a query is executed for an archival event.
Spotter: Improved the WHERE operator to filter based on range, aggregation, and fields created at the time of search.
Spotter: Added the option to select all or multiple attributes at once when you export Spotter results, rather than individually selecting the attributes you want included in your Spotter report.
Spotter: Improved the Spotter search to query archived data using resource group, resource type, or rg_functionality. In addition, the Spotter search uses the tenant name to query archived data in a multi-tenant deployment.
Third-Party Intelligence: Added the ability to perform TPI enrichment on multiple attributes from the same event.
Third-Party Intelligence: Added the ability to import TPI data from the RIN file.
Threat Modeler: Added a Do you want to generate incident for threat model violators? toggle on the Threat Model screen.
User Preferences: Added the ability to sort by the Enabled column when searching for a threat model.
Workflow: Added an option to whitelist while creating a new workflow.
Bug Fixes
The following table describes the bug fixes that are included in this release:
Component Summary
Activity Import: Fixed the Sync Content button on the last step of the Activity Import screen to properly sync information.
Activity Import: Fixed an issue on the last step of the Activity Import screen so that policies save when the Save Template button is clicked.
Activity Import: Fixed the naming convention for the correlation rule to ensure the rule name remains the same when the user has not edited the rule. (INC-228743)
Activity Import: Fixed an issue so that correct values are generated for the lookup and watchlist action filters during Activity Import.
Analytics: Fixed an issue so that incidents are automatically deleted when the corresponding violations are deleted. (INC-212318)
Analytics: Fixed an issue where policies were not getting created when the Response Bot was enabled.
Analytics: Fixed an issue for TPI-based policies where the violation summary attributes displayed blank values.
Analytics: Fixed the DGA algorithm to correctly calculate the prediction score.
Analytics: Fixed an issue where the violation events query was removing double spacing from a policy name, resulting in an incorrect query.
Analytics: Fixed the last step of Activity Import to allow users to enable or disable policies. (INC-229409)
Analytics: Fixed an issue where users were unable to delete threat models.
Analytics: Fixed the Create New Watchlist screen to display only one drop-down list for the Watch List Criticality and Select Tenant fields.
Analytics: Fixed an issue where the check against TPI was not flagging violations.
Analytics for Multi-tenant: Fixed the Check Against TPI (Third Party Intelligence) policy to flag the correct violators from the same tenant.
Analytics: Fixed an issue where the check against lookup did not flag event rarity policies.
Analytics: Fixed an issue where the conditions for filtering criteria were not displaying on the UI.
Analytics: Fixed an issue so that Risk Boosters are saved for a policy. (INC-229089)
Analytics: Fixed an issue so that users can whitelist accounts. (INC-229114)
Analytics: Fixed the violation summary to display the correct number of violations. (INC-229046)
Analytics: Fixed the loading issue for the policy screen.
Analytics: Fixed an issue where the violation summary used default values for any out-of-the-box policies.
Analytics: Fixed an issue with policy configurations where a condition was created even though no conditions were provided.
Analytics: Fixed the issue of violations not displaying in the Top Violations widget. (INC-228867)
Analytics: Fixed the UI to choose a single RIN as the default (from a list of multiple RINs) for a policy so that the auto-playbook actions for a Threat Model can be enabled and used.
Analytics: Fixed the Activity Import Summary screen to display policies with multiple functionalities.
Analytics: Fixed an issue so that a validation message is displayed when a normal category is added with the Sandbox category.
Analytics: Fixed an issue so that the correct risk score is calculated for phishing-based policies.
Analytics: Fixed the Cluster Information section so that it displays the correct text message.
Analytics: Fixed an issue so that all threat model stages are deleted when a user deletes the last configured stage.
Analytics: Fixed the Threat Model for Threat screen so that it displays the selected watchlists under Add watchlist Filter.
Analytics: Improved performance for threshold detection use cases.
Analytics: Fixed an issue where new policies were disabled by default while onboarding.
Analytics: Fixed Role Based Access Control (RBAC) to show the correct threat models on the Activity Import screen.
Analytics: Fixed an issue so that the correct count of enabled and disabled threat models is displayed when RBAC is applied for threat models.
Analytics: Fixed the Send Notification toggle button on the Policy Configuration screen. (INC-235266)
Analytics: Fixed an issue so that filter criteria conditions are saved while editing IEE policies.
Analytics: Fixed Views > Users to display behavior profiles.
Analytics: Fixed an issue so that threat models are saved correctly.
Analytics: Fixed an issue where the Check Against Lookup Table did not flag event rarity policies.
Analytics Service/Response Service: Fixed the Edit Threat Indicator pop-up accessed from Policy Violations and Threat Model to display tenants and playbooks based on the Role Based Access Control (RBAC) of the analyst.
Analytics/Hunting: Fixed the Do you want to re-calculate entity score based on Sandbox violations toggle to include a validation message when set to NO. This message informs the user that the violations and incidents associated with the policy will be removed.
Analytics/Hunting: Fixed the parameter for URL Visited by Visitors. (INC-228706)
Analytics/Spotter: Fixed an issue so that the violation events query returns the correct results for policies with double spaces. (INC-229409)
Auditing: Fixed the Token Generated audit message.
Authorization/RBAC: Fixed the Password Change Required setting so that when it is enabled, the application requires users to change their passwords when they log in for the first time.
Authorization/RBAC: Fixed the Access Control screen to display the Minimum Reuse Count setting for passwords.
Authorization/RBAC: Fixed an issue so that the Kill Chain Analysis widget displays all violations when the Show only Correlated Data flag is enabled in Granular Access Control.
Authentication/SSO: The context file does not save the login URL when you enter the Single Sign On login details from the Application Settings screen.
Behavior/Activity Outliers: Fixed an issue to display the correct baseline graph for historical violations.
Behavior/Activity Outliers: Fixed the behavior-based policies to display outlier and violation events in the same time zone.
Case Management: Fixed the status of an On-Demand Incident to display in the Incidents by Status graph within Incident Management.
Case Management/Security Command Center: Fixed Activity Stream on the Security Command Center to display only the incidents that are assigned to the logged-in analyst.
Data Insights: Fixed the Data Insights drop-down option to fully display when you save a Spotter query as a dashboard.
Data Insights: Fixed an issue with the Data Insights dashboard when tenant access is revoked from a non-admin user.
Incident Management: Fixed an issue on the Security Command Center that caused incident IDs to not populate when incidents were created through Auto Incident.
Incident Management: Fixed an issue during workflow creation that caused the Show input form toggle to only be set to enabled.
Ingestion - Entity Metadata: Fixed the Job Monitor screen to display the number of records ingested during entity metadata import using a database.
Ingestion - Save Template: Fixed the Save Template feature to publish changes made in the action filter.
Lookup Table: Fixed the preview of the lookup table for AWS S3. (INC-230847)
Multi-Tenant - Settings: Increased the length of the Customer ID field accessed from Admin > Settings > Hadoop.
Multi-Tenant - Threat Modeller: Added an option to assign a tenant while importing threat models.
Policy Configuration: Fixed the cloning issue of Sandbox policies.
Policy Engine: Fixed an issue to allow users to add policy violators to an active list.
Policy Engine | Fixed the graph for the rare behavior policy to display correct information from Views > Users.
Policy Engine | Fixed an issue that caused the signatureid to replicate when a use case was cloned.
Policy Engine | Fixed the Policy Category drop-down list to display the correct categories.
Policy Engine | Fixed the data deletion feature for the event rarity policy.
Policy Engine | Resolved an issue to display the correct TPI source name in the Violation Summary screen.
Policy Engine | Removed the extra icon for the rare behavior policies from the Violation Summary screen.
Policy Engine | Removed the Would you like to Aggregate Risk Score on Each Run? flag from the default identity policies packaged with the SNYPR application.
Policy Engine | Fixed the traffic analyzer job for the event rarity policy.
Policy Engine | Resolved an issue where NULL conditions were saved for IEE policies.
Policy Engine | Removed unused operators such as greater than and less than from the risk booster lookup table.
Policy Engine | The account name for the lookup table is no longer duplicated.
Policy Engine | The SCC screen displays the correct date for watchlists.
Policy Engine | When the Sandbox policy is published to production and the recalculate risk score is set to no, the corresponding incidents are deleted.
Policy Engine | Resolved an issue to display the Move to Production option for all Sandbox policies.
Policy Engine | Fixed the message to display the time when auto run is enabled for a playbook.
Policy Engine/Behavior and Activity Outlier | Fixed the user screen to display behavior profiles when a user with non-admin rights accesses the SNYPR application.
Policy Violation Notifications | Fixed an issue where Landspeed violations were not saving violation information as expected.
Reports | Fixed the header and footer of the KPI, SOC, Top Violator, and Incident reports to display the correct date and time.
REST API | Fixed an issue where the Threat Model details were not displayed in the reason section of the GET response.
Response Orchestration | Fixed an issue so that playbooks are executed correctly for threat models.
Response Orchestration | Updated the payload format for Demisto.
RIN | The Remote Ingester works as expected when the proxy is configured to communicate with the SNYPR console. (INC-230017)
Security Command Center | Fixed a user interface issue in the Top Violators widget that caused text to appear close together when the policy name was too long.
Security Command Center | Fixed an issue on the Security Command Center that caused violations to not load on the Violation Summary screen for a policy or threat.
Security Command Center | Fixed an issue on the Violation Summary screen that caused icons to display inconsistently.
Security Command Center | Fixed the search filter for the Top Violator widget in the Violation Summary screen.
Security Command Center | Fixed an issue so that the incident number and Take Action button for auto created incidents are now visible.
Spotter | Fixed an issue in the Search Results view of Spotter that caused no results to be returned when the STATS query was used. (INC-238031)
Spotter | Fixed an issue for queries with not equal to (!=) and parentheses. (INC-229647)
Spotter | Fixed an issue to ensure that the violation events query returns the correct results for policies with double spaces. (INC-229538)
Spotter | Fixed Spotter to run queries successfully when there are more than 27 values with the NOT IN operator. (INC-212549)
Spotter | Fixed an issue in Spotter that caused the Search Results to fail when the ORDERBY operator was used with any visual operator, such as charts and graphs.
Spotter | Fixed an issue that caused the following ORDERBY queries to run, even though they are not supported: Geolink, Geomap, Heatmap, timechart.
Spotter | Fixed the Show Raw Events option in Spotter to display the correct value when raw events are retrieved by the query.
Spotter | Fixed an issue that caused queries with a wild card to only work with the activity and violation index.
Spotter | Fixed the total record count beside the page navigation when a query is run for an archived datasource and a time period is selected from the timeline.
Spotter | Fixed the Producer - Consumer Ratio (PCR) operator to work as expected.
Spotter | Fixed an issue that caused SNYPR to not send an email when you export a CSV report with more than 70,000 records in Spotter.
Spotter | Fixed the Data Insight report to display correct data when you select a filter for any widget and generate the report.
Spotter | Fixed the total record count when a Spotter query is run with aggregation operators (such as stats and table) and a user navigates between pages.
Spotter | Fixed an issue where the CONTAINS and NOT CONTAINS operators were not working on raw event attributes when raw event indexing was enabled. (INC-229689)
Threat Hunting | Fixed an issue in the Search Results view of Spotter that caused the search results to fail when quotation marks were not present in the index = archive query.
Threat Hunting | Fixed an issue that caused the SNYPR application to only be accessible when the Tomcat application server was restarted.
Threat Hunting | Fixed an issue in the configuration settings for Data Insights that prevented the widget from loading when the REX operator was used in a custom query.
Threat Management | Fixed an issue to display the Action History for policies and threat models when the violator is a user.
Threat Modeler | Fixed an issue so that users can enable the Add Watchlist Filters setting from the Threat Modeler screen.
Threat Modeler | Fixed an issue with the exponential risk scoring scheme to display a message when the weight value is set to zero.
Watchlist | Fixed the edit functionality to edit the watchlist name correctly.
Whitelist | Fixed an issue so that globally whitelisted entities cannot be flagged by any policy.
Whitelist | Fixed an issue that caused a default expiry date to display when the Expiry Date setting was disabled. (INC-229079)
Whitelist | Fixed the search filter to display the whitelist correctly in Views > Whitelist.
Whitelist | Fixed an issue to recalculate the risk score when an entity is globally whitelisted.
New and Improved Content
SNYPR 6.4 includes new content and updates to existing content. This section includes the following information:
- New Content
- Improved Content
- Decommissioned Content
New Content
This section contains all the new parsers, connectors, and threat detection content included in this release.
New Connectors and Parsers
The following table contains the connectors and parsers that were added in this release:
Vendor | Functionality | Device Type | Collection Method | Format
ActivIdentity / HID Global | Physical Security / Badging | ActivIdentity HID Global | Syslog | JSON
Amazon Inc | Cloud Services / Applications | AWS CloudTrail | awssqss3 | JSON
Amazon Inc | Cloud Services / Applications | AWS Cloudwatch | awssqss3 | REGEX
Anaplan | Cloud Application Audit | Anaplan Audit | anaplan | JSON
Atlassian Corporation Plc | IT Service Management | Jira | Jira | JSON
Bitglass | Cloud Application Security Broker | Bitglass CASB - Admin | bitglass | JSON
Bitglass | Cloud Application Security Broker | Bitglass CASB - Access | bitglass | JSON
Bitglass | Cloud Application Security Broker | Bitglass CASB Audit | bitglass | JSON
Brivo | Physical Security / Badging | Brivo OnAir - Access | brivoonair | JSON
Carbon Black, Inc | Endpoint Management Systems | Carbon Black Defense - V2 | carbonblack | JSON
Carbon Black, Inc | Endpoint Management Systems | Carbon Black Defence - Alert | carbonblack | JSON
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine - ISE | ciscoise | Key Value Pair
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine | ciscoise | Key Value Pair
Cloudflare | Firewall | Cloudflare | cloudflarefirewall | JSON
CloudKnox | Access / Identity Management | CloudKnox Alerts | cloudknox | JSON
CloudKnox | Access / Privileged User | CloudKnox Activities | cloudknox | JSON
Code 42 | Data Loss Prevention / Endpoint DLP | Code 42 - File Events | code42 | JSON
 | Cloud Application Security Broker | Google GCP | googlereport2 | JSON
Google | Identity Access Management | Users Accounts | googlereport2 | JSON
Google | Business Collaboration Platforms | Google Chat | googlereport2 | JSON
 | Authentication / SSO / Single Sign-On | Google Token | googlereport2 | JSON
Google | Access / Privileged User | Access Transparency | googlereport2 | JSON
Google | Mobile Device Management | Google Mobile | googlereport2 | JSON
Google | Business Collaboration Platforms | Google Calendar | googlereport2 | JSON
Google | Access / Identity Management | Google Groups Enterprise | googlereport2 | JSON
Google | Access / Identity Management | Google Groups | googlereport2 | JSON
Google | Business Collaboration Platforms | Google G-Plus | googlereport2 | JSON
 | Cloud Authentication / SSO / Single Sign-On | Google SAML | googlereport2 | JSON
Google | Data Loss Prevention / Network DLP | Google rules | googlereport2 | JSON
Informatica | Authentication / SSO / Single Sign-On | Informatica Authentication | informatica | JSON
Microsoft Corporation | Cloud Services / Applications | Azure Active Directory Sign In | azurereport | Key Value Pair
OS Query | Endpoint Management Systems | OS Query Logs | Syslog | JSON
Pager Duty | IT Infrastructure Monitoring | Pager Duty | pagerdutyincidents | JSON
Palo Alto Networks | Prisma Cloud Security | Prisma Access | prismacloud | JSON
Proofpoint Inc. | Email / Email Security | Proofpoint TRAP | proofpointtrap | JSON
Proofpoint Inc. | Cloud Email / Email Security | Proofpoint Email Isolation | proofpointisolation | JSON
Proofpoint Inc. | Application Audit | Proofpoint Security Awareness Training | proofpointsat | JSON
SecurityScorecard, Inc. | Security Analytics Platform | SecurityScorecard - Company Grade | securityscorecard | JSON
SecurityScorecard, Inc. | Security Analytics Platform | SecurityScorecard - Company risk category score | securityscorecard | JSON
Symantec / Blue Coat Systems | Web Proxy | Web Security Service | symantecwss | REGEX
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | symantecendpoint | JSON
Tenable | Vulnerability Scanners | Tenable Response | tenable | JSON
Threat Stack | Cloud IPS / IDS / UTM / Threat Detection | Threat Stack - Alerts | threadstack | JSON
Trend Micro Inc. | Data Loss Prevention / Endpoint DLP | Trend Micro Security Risk | trendmicrocas | JSON
Workday Inc. | Cloud Authentication / SSO / Single Sign-On | Work Account Sign-on | workdayidentitymanagement | JSON
Workday Inc. | Cloud Authentication / SSO / Single Sign-On | Unidentified Sign-on | workdayidentitymanagement | JSON
Workday Inc. | Access / Identity Management | Workday Audit | workday | Key Value Pair
New Threat Detection Content
The following table contains the threat detection content that was added in this release:
Functionality | Signature ID | Policy Name
Access / Identity Management | ACI-ALL-800-ERR | User changing Job detection
Access / Identity Management | ACI-ALL-801-BP | Abnormal number of inactivate Organization activity
Access / Identity Management | ACI-ALL-802-ERR | Business Process definition Edited
Access / Identity Management | ACI-ALL-803-ERR | Rare User assigning roles
Access / Identity Management | ACI-ALL-804-PO | Rare User assigning roles compared to peers
Access / Identity Management | ACI-ALL-805-ERR | Rare user assigning user-based security groups for person
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-747-TA | Successful logon of admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-RU | Successful login following a spike in failed logins for an Admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-752-LS | Landspeed anomaly detected for an account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-BP | Abnormal number of failed logons from Admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-745-TA | Successful logon detected for a Non-admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-848-BP | Abnormal number of logon failures from Non-admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-751-DB | Account logging in from multiple countries in a day
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-755-ERR | Rare application accessing SalesForceCom API
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-886-BP | Abnormal number of login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-887-BP | Abnormal number of Admin Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-888-DB | Password spraying attempt from an IP on multiple accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-789-TA | Robotic pattern observed from an IP - failed login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-790-ERR | Successful logon detected from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-792-ERR | Successful logon detected for an admin account in a rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-893-LS | Landspeed anomaly detected for an admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-794-RU | User changing email to non-business email
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-795-DB | Recently activated account deactivated within a short duration of time
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-726-BP | Abnormal number of Account Lockout events
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-723-TA | Robotic pattern observed - failed login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-847-BA | Abnormal volume of file downloads from Salesforce
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-727-ERR | Rare User Agent Used For Log In
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-725-ER | Authentication from rare geolocation
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-748-BA | Abnormal volume of data egressed using REST API requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-728-BP | Possible User Enumeration Observed from an IP Address
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-724-DB-SIEM | High number of failed login attempts - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-749-BA | Abnormal volume of data egressed via Visualforce requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-734-BP | Anomalous number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-DB | Large number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-722-LS | Landspeed Anomaly
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-719-DB | High Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-729-DB-SIEM | Multiple number of Failure followed by Success - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-754-BP | Abnormal number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-845-ERR | Rare user performing delegated logon
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-ERR | Installation of rare unmanaged package detected across organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-721-RU | Login as activity was observed with access of other User
Cloud Application Audit | CAAU-SF-740-RU | Account Impersonation
Cloud Application Audit | CAAU-SF-741-DB | Huge Number Of Password Change
Cloud Application Audit | CAAU-SF-738-RU | Account activated tracking policy
Cloud Application Audit | CAAU-SF-739-RU | Recently activated account de-activated within a short duration of time
Cloud Application Audit | CAAU-SF-744-RU | User changing email to personal email
Cloud Application Audit | CAAU-SF-743-RU | User changing email to non-business email
Cloud Application Audit | CAAU-SF-759-RU | User changing email to non-internal email
Cloud Application Audit | CAAU-SF-746-RU | User changing email to a disposable email address
Cloud Application Audit | CAAU-SF-792-BP | Abnormal frequency of target accounts logged in as
Cloud Application Audit | CAAU-SF-742-RU | Non admin account logging in as admin account
Cloud Application Audit | CAAU-SF-791-TA | Phone number registered for multiple users
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-852-ERR | Rare combination of Country and State observed for user authenticating to multifactor device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-808-DB | Abnormal amount of login attempt detected on Duo MFA
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-812-RU | Authentication anomaly - Country Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-811-RU | Authentication anomaly - State Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-851-ERR | Rare combination of Country and State observed for user authenticating to access device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-809-LS | Landspeed Anomaly detected
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-827-ERR | Logon from a rare country
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-853-ERR | Authentication to access device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-854-ERR | Authentication to MFA device observed from rare country for user
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-855-ERR | Authentication to MFA device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-856-RU | Successful inline enrollment on Duo by uncorrelated account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-857-ERR | User performing inline enrollment on Duo from rare country compared to entire organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-858-TA | Successful inline enrollment of multiple accounts on a single device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-859-ERR | Successful login using bypass code from rare location compared to rest of organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-860-RU | Failed authentication attempt marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-861-DB | Multiple failed Authentication attempts marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-850-RU | User enrolling from a country different from work location
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-885-BP | Password spraying attempts for one account on multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-831-RU | Successful password spraying attempt from one account to multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-776-RU | Successful login following a spike in failed logins for a Non-admin account
Endpoint Management Systems | EDR-ALL-29-ER | Potential WMI Lateral Movement - Rare process spawned
Endpoint Management Systems | EDR-ALL-161-RU | Possible Egregor Ransomware Rclone To Svchost LOL Rename Analytic
Endpoint Management Systems | EDR-ALL-162-RU | Possible Malicious Certificate Export Analytic
Endpoint Management Systems | EDR-ALL-163-RU | Possible SUNSPOT Variant Dropped Artifact Analytic
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Esentutl Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-87-RU | Potential evasion attempt through disabling of Event Trace monitoring in dotnet
Microsoft Windows Powershell | PSH-ALL-115-RU | Possible GoldenSAML Certificate Export Events Analytic
Microsoft Windows | WEL-ALL-850-DB | Possible Hexacorn-style Shellcode Execution Analytic
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Microsoft Windows Powershell | PSH-ALL-106-RU | Use of Powershell encodedcommand parameter on host
Microsoft Windows Powershell | PSH-ALL-108-RU | Use of Powershell Invoke-Expression cmdlet on host
Microsoft Windows Powershell | PSH-ALL-109-RU | Powershell Execution Policy modified on host
Microsoft Windows | WEL-ALL-905-RU | Suspicious Account Activity - Potential pass-the-hash - Key Length Analytic
Microsoft Windows | WEL-ALL-711-ER | Rare regsvr32 process and command execution
Microsoft Windows | WOS-202-BP | Abnormal number of logon failures
Microsoft Windows | WOS-290-BP | Abnormal number of kerberos pre authentication failures
Network Traffic Analytics | NTA-ALL-880-BA | Abnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics | NTA-ALL-881-BA | Abnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics | NTA-ALL-882-BA | Abnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics | NTA-ALL-883-BA | Abnormal amount of data transmitted over covert channels - NTA
Network Traffic Analytics | NTA-ALL-884-BP | Possible host enumeration over system ports - Internal - NTA
Network Traffic Analytics | NTA-ALL-885-DB | Possible host enumeration over system ports - External - NTA
Network Traffic Analytics | NTA-ALL-886-DB | Possible port scan from external IP Address - NTA
Network Traffic Analytics | NTA-ALL-887-DB | Possible port scan from internal IP Address - NTA
Web Application Firewall | IFW-ALL-820-ER | Possible LFI Detection
Web Application Firewall | IFW-ALL-821-DB | Unusual URL Redirection
Web Application Firewall | IFW-ALL-822-RU | Suspicious process Observed Over URL
Web Application Firewall | IFW-ALL-823-RU | Remote Command Execution
Web Application Firewall | IFW-ALL-824-RU | Communication to Malware OR Trojan Suspicious Port
Web Application Firewall | IFW-ALL-825-ER | Rare Content Type Observed
Web Application Firewall | IFW-ALL-826-DB | Circumvention over URL Response Code
Web Application Firewall | IFW-ALL-827-ER | Unusual web requests
Web Application Firewall | IFW-ALL-828-DB | Possible Server Outage by Multiple Request
Web Application Firewall | IFW-ALL-829-DB | Multiple Allowed Attack Detection Over Insecure HTTP Version
New Policy/Threat Content
The following table contains the policy and threat content added in this release:
Functionality | Signature ID | Policy Name
Access / Privileged User | ACP-ALL-808-ERR | Google Initiated Review - Access detected from a rare geolocation
Access / Privileged User | ACP-ALL-807-RU | Google Initiated Service Detected - Google Access Transparency
Access / Privileged User | ACP-ALL-806-RU | Customer initiated access by Google to respond to a third party data request - Google Access Transparency
Access / Privileged User | ACP-ALL-809-BP | Google Initiated Review - Account accessing multiple resources
Authentication / WiFi | AWI-AMN-802-ERR | Usage of switchport mode access detected
Authentication / WiFi | AWI-AMN-801-ERR | SSH Connection Detected from a Rare Account
Business Collaboration Platforms | BCP-ALL-802-DB | Abnormal number of files uploaded to the chat - Gsuite
Business Collaboration Platforms | BCP-ALL-801-DB | Abnormal number of files downloaded from the chat - Gsuite
Cloud Application Audit | CAAU-ALL-818-ERR | Rare account adding a new connection
Cloud Application Audit | CAAU-ALL-817-DB | Role creation followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-814-ERR | Rare account disabling audit log streaming
Cloud Application Audit | CAAU-ALL-823-ERR | Rare account updating delegated admin password
Cloud Application Audit | CAAU-ALL-813-ERR | Rare account deleting API policy
Cloud Application Audit | CAAU-ALL-820-ERR | Rare account updating pub Sub topic
Cloud Application Audit | CAAU-ALL-812-RU | Account was observed disabling multifactor authentication
Cloud Application Audit | CAAU-ALL-810-BP | Abnormal number of distinct recipes stopped by an account
Cloud Application Audit | CAAU-ALL-815-LS | Impossible Travel Alert Detected
Cloud Application Audit | CAAU-ALL-809-ERR | Login from a Rare geolocation
Cloud Application Audit | CAAU-ALL-824-ERR | Connection Disconnected by a Rare Account
Cloud Application Audit | CAAU-ALL-808-BP | Abnormal number of login failures detected
Cloud Application Audit | CAAU-ALL-816-ERR | Rare account delegating admin account access
Cloud Application Audit | CAAU-ALL-822-DB | Delegated admin addition followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-819-DB | Account deleting multiple folders within a short period
Cloud Application Audit | CAAU-ALL-821-ERR | Rare account creating pub Sub topic
Cloud Application Audit | CAAU-ALL-811-BP | Abnormal number of distinct recipe deleted by an account
Cloud Services / Applications | CSA-ALL-860-ERR | Unusual number of Key Vault operations
Cloud Services / Applications | CSA-AWS-712-DB | Recon Activity Detected on Cloud Computing Resource
Cloud Services / Applications | CSA-ALL-861-ERR | Rare country for SAML Token authentication
Cloud Services / Applications | CSA-ALL-863-ERR | Resource launched with rare Instance type or Image ID
Cloud Services / Applications | CSA-ALL-859-RU | Customer master keys Disabled or Scheduled for Deletion
Cloud Services / Applications | CSA-ALL-884-ERR | Critical Key vault Operation performed by account
Cloud Services / Applications | CSA-ALL-883-ERR | Rare account list all Cloud accounts in the region
Cloud Services / Applications | CSA-ALL-882-ERR | Rare account attempting to update role permissions
Cloud Services / Applications | CSA-ALL-864-ERR | Cloud storage accessed from Rare Geolocation
Cloud Services / Applications | CSA-ALL-865-ERR | Rare cloud storage discovery activity from Account
Cloud Services / Applications | CSA-ALL-880-ER | IAM Role deleted by rare account
Cloud Services / Applications | CSA-ALL-848-BP | Abnormal number of distinct Pods accessed - Kubernetes
Cloud Services / Applications | CSA-ALL-877-BP | Spike in denied transactions on cloud resources by account
Cloud Services / Applications | CSA-ALL-879-ERR | Rare implant or list container image by account
Cloud Services / Applications | CSA-ALL-878-ERR | Rare identity deleted cloud compute resources
Cloud Services / Applications | CSA-ALL-870-RU | SSH or RDP or DB port authorized on security group
Cloud Services / Applications | CSA-ALL-875-ERR | Rare account deleted cloud storage resources
Cloud Services / Applications | CSA-ALL-866-ERR | Rare IAM policy activity from account
Cloud Services / Applications | CSA-ALL-867-ERR | Cloud storage operation from rare Role
Cloud Services / Applications | CSA-ALL-876-ERR | Rare account creating Snapshot or Volume
Cloud Services / Applications | CSA-ALL-869-ERR | Rare account creating Security group or compute Firewall
Cloud Services / Applications | CSA-ALL-881-ER | IAM Role Created by rare account
Cloud Services / Applications | CSA-ALL-868-ERR | Rare account generating Key Pair
Cloud Services / Applications | CSA-ALL-755-RU | New Account Creation Detected
Cloud Services / Applications | CSA-ALL-871-ERR | Rare security group changes on cloud infrastructure by account
Cloud Services / Applications | CSA-ALL-872-ERR | Rare privilege escalation through IAM instance profile
Cloud Services / Applications | CSA-ALL-873-ERR | Rare Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-ALL-874-ERR | Rare Credential Harvesting Activity on Cloud Infrastructure by account
Cloud Services / Applications | CSA-ALL-862-RU | Cloud Storage observed with public access
Content Management System | CMS-ALL-831-BP | Abnormal number of files downloaded - CMS
Endpoint Management Systems | EDR-ALL-226-RU | Hijack Execution Flow msmpeng executable DLL Sideload File Creation Analytic
Endpoint Management Systems | EDR-ALL-64-ERR | Rare Unsigned DLL Load For Process Potential DLL Hijacking Side-Loading Analytic
Endpoint Management Systems | EDR-ALL-105-ERR | Possible Process Hollowing Herpaderping Rare Image Tampering Analytic
Endpoint Management Systems | EDR-ALL-221-ERR | Possible CVE-2021-34527 Exploitation Attempt Unusual Child Process Analytic
Endpoint Management Systems | EDR-ALL-114-RU | Possible TEARDROP Malicious Payload Variant Analytic
Endpoint Management Systems | EDR-ALL-179-RU | Potential DarkSide Shadow Copy Deletion Analytic
Endpoint Management Systems | EDR-ALL-40-BP | Possible token enumeration - Peak process token access analytic
Endpoint Management Systems | EDR-ALL-183-RU | Potential Exfiltration MegaSync Process Analytic
Endpoint Management Systems | EDR-ALL-182-RU | Potential MegaSync or MegaCmd Exfiltration DNS Query Analytic
Endpoint Management Systems | EDR-ALL-101-BP | Possible Meterpreter Process Enumeration Analytic
Endpoint Management Systems | EDR-ALL-01-RU | Decoding PE or DLL From b64 Via Certutil Analytic
Endpoint Management Systems | EDR-ALL-61-RU | Malicious Named Pipes Analytic
Endpoint Management Systems | EDR-ALL-118-ERR | Possible Cobalt Strike Beacon Named Pipe Use Artifact Analytic
Endpoint Management Systems | EDR-ALL-42-ERR | Internet Explorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-114-ERR | Possible ADFSDump Malicious Certificate Extraction Named Pipe Analytic
Endpoint Management Systems | EDR-ALL-230-RU | Hijack Execution Flow msmpeng executable DLL Sideload Analytic
Endpoint Management Systems | EDR-ALL-116-RU | Possible SUNBURST Implant Activity Analytic
Endpoint Management Systems | EDR-ALL-91-ERR | Potential CLR injection Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-119-ERR | Watching the Watchers - Possible Trojaned Vendor Executable Named Pipe Discrepancy Analytic
Endpoint Management Systems | EDR-ALL-117-ERR | Possible RAINDROP Variant Artifact Analytic
SNYPR Release Notes 53
New and Improved Content
Functionality Signature ID Policy Name
EndpointManagement Systems
EDR-ALL-65-ERR
Rare Signed DLL LoadFor Process Potential DLLHijacking Side LoadingAnalytic
EndpointManagement Systems
EDR-ALL-124-RUPotential Usage OfArchiving SoftwareCommand Line Analytics
EndpointManagement Systems
EDR-ALL-184-RUPotentialExfiltration MEGAcmdShellProcess Analytic
EndpointManagement Systems
EDR-ALL-115-RURule InternetExplorer Application DLLLoading Injection Analytic
IdentityAccess Management
IAM-ALL-801-DBPassword sprayingattempts from an IP
IdentityAccess Management
IAM-ALL-810-RUAdvance protectiondisabled for an account
IdentityAccess Management
IAM-ALL-811-DBAbnormal number ofpassword change attempts
IdentityAccess Management
IAM-ALL-802-RUSuccessful Passwordspraying attack from an IP
IdentityAccess Management
IAM-ALL-807-RU
Successfulauthentication following anabnormal frequency ofauthentication failures
IdentityAccess Management
IAM-ALL-806-ERRAccountauthenticating to Azure ADfrom rare country
IdentityAccess Management
IAM-ALL-809-RUAccount RecoveryInformation Changed
SNYPR Release Notes 54
New and Improved Content
Functionality Signature ID Policy Name
IdentityAccess Management
IAM-ALL-803-BPAbnormal frequency ofauthentication failures foran account
IdentityAccess Management
IAM-ALL-808-RUMulti FactorAuthentication Disabled
IdentityAccess Management
IAM-ALL-804-ERR
Accountauthenticating to Azure ADfrom rare country acrossthe organization
IdentityAccess Management
IAM-ALL-805-LSLandspeed anomalydetected on Azure AD
MicrosoftWindows
WEL-ALL-859-BPPossible remoteinteractive logonenumeration
MicrosoftWindows
WEL-ALL-862-RUPossible Zerologonattack using tools
MicrosoftWindows
WEL-ALL-13-DBTicket Encryption andTicket Options Analytic
MicrosoftWindows
WEL-ALL-221-ERR
PossibleCVE-2021-34527Exploitation AttemptUnusual Child ProcessAnalytic - Windows
MicrosoftWindows
WEL-ALL-15-BPPeak Distinct AccountChange For Source UserAnalytic
MicrosoftWindows
WEL-ALL-976-ERR
Use of explicitcredentials by a rareaccount - Account sharing orPassword misuse
MicrosoftWindows
WEL-ALL-298-ERPotential Metasploitor Hash Passing Analytic
SNYPR Release Notes 55
New and Improved Content
Functionality Signature ID Policy Name
MicrosoftWindows
WEL-ALL-299-BPAbnormal frequency ofNetlogon access errors
MicrosoftWindows
WEL-ALL-30-BPPeakLsaRegisterLogonProcessIncrease Analytic
MicrosoftWindows Powershell
PSH-ALL-25-RU
PotentialPrintNightmare MaliciousPowershell ImplantExploitation AttemptAnalytic
MicrosoftWindows Powershell
PSH-ALL-7-RUPossible ReflectionAssembly WeaponizationActivity Analytic
NetworkTraffic Analytics
NTA-ALL-853-LSLandspeed anomaly onVPN - NTA
PhysicalSecurity / Badging
PHY-ALL-810-ERRRare account makingchanges to the physicalsecurity device
PhysicalSecurity / Badging
PHY-ALL-808-RUFailed access attemptdetected from an user tothe facility
PhysicalSecurity / Badging
PHY-ALL-809-RUHigh number of failedentry attempts detectedfrom the user
PhysicalSecurity / Badging
PHY-ALL-803-BPMultiple physicalaccess within short time
PhysicalSecurity / Badging
PHY-ALL-811-RUBoard CommunicationFailure Cleared
PhysicalSecurity / Badging
PHY-ALL-812-DBUser had unauthorizedattempts across multiplelocations
SNYPR Release Notes 56
New and Improved Content
Functionality Signature ID Policy Name
Unix / Linux/ AIX
UNX-ALL-825-BPAbnormal use ofprivileged super usercommand
Virtualization/ Containers
VIR-ALL-803-DBHigh CPU usage onESXi hosts during Non-Business hours - vCenter
Virtualization/ Containers
VIR-ALL-804-DBHigh number ofSnapshots created -vCenter
Virtualization/ Containers
VIR-ALL-811-BPHost enumerationattempt detected from anaccount
Virtualization/ Containers
VIR-ALL-810-BPAbnormal number ofvirtual machines deleted -vCenter
Virtualization/ Containers
VIR-ALL-808-ERRNew account createdon virtual machine
Virtualization/ Containers
VIR-ALL-807-DBHigh number ofVirtual Machines cloned -vCenter
Virtualization/ Containers
VIR-ALL-809-BP
Multiple VirtualMachine ImagesDownloaded by an Account- vCenter
Virtualization/ Containers
VIR-ALL-806-DB
VM Snapshot creationfollowed by SnapshotMemory file or State filedownload - vCenter
Virtualization/ Containers
VIR-ALL-805-DBBruteForce attemptson user account of VM orESxi or vCenter
SNYPR Release Notes 57
New and Improved Content
Functionality Signature ID Policy Name
Virtualization/ Containers
VIR-ALL-802-DBHigh number ofvirtual machines deleted -vCenter
Virtualization/ Containers
VIR-ALL-801-DBMultiple virtualmachines shutdown -vCenter
Improved Content
This section lists all improved parsers, connectors, and threat content.
Updated Connectors
Vendor | Functionality | Device Type | Collection Method
Amazon Inc | Database Audit | AWS Redshift | Collection Method: splunkraw; Format: Regex
Amazon Inc | IDS / IPS / UTM / Threat Detection | AWS GuardDuty | Collection Method: splunkraw; Format: JSON
BIND DNS | DNS / DHCP | BIND DNS | Collection Method: syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: syslog; Format: CEF
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: syslog; Format: Regex
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine | Collection Method: syslog; Format: Regex
Cisco Systems | Web Proxy | Cisco ScanSafe | Collection Method: syslog; Format: Regex
Cisco Systems | Network Access Control / NAC | Cisco Router and Switch | Collection Method: syslog; Format: Regex
Cisco Systems | Network Access Control / NAC | Cisco Router | Collection Method: file; Format: JSON
Cisco Systems | Network Access Control / NAC | Cisco Wireless LAN Controller TRAP | Collection Method: syslog; Format: Regex
Cisco Systems | Web Proxy | IronPort Web Security Appliance | Collection Method: syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: splunkraw; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco FTD | Collection Method: syslog; Format: Regex
Cisco Systems | DNS / DHCP | Cisco Umbrella | Collection Method: syslog; Format: JSON
Cisco Systems | DNS / DHCP | Cisco Umbrella | Collection Method: splunkraw; Format: JSON
Cisco Systems | DNS / DHCP | Cisco Umbrella | Collection Method: ciscoumbrella; Format: JSON
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | Collection Method: syslog; Format: Regex
Cisco Systems | IP Telephony | Cisco Unified Communications | Collection Method: syslog; Format: Regex
Cofense | Email / Email Security | O365 Cofense | Collection Method: office365phishingmailbox; Format: JSON
CrowdStrike | Cloud Antivirus / Malware / EDR | Crowdstrike Alerts Query | Collection Method: crowdstrikequery; Format: JSON
CrowdStrike | Endpoint Management Systems | Crowdstrike Falcon | Collection Method: awssqss3; Format: JSON
Dell / SonicWall Inc. | Next Generation Firewall | SonicWall Global Management System | Collection Method: syslog; Format: Key Value Pair
Diamond IP / BT | DNS / DHCP | Diamond IPAM | Collection Method: syslog; Format: Regex
F5 Networks | Traffic Manager | F5 BigIP Load Balancer | Collection Method: syslog; Format: Regex
Fortinet | Next Generation Firewall | Fortigate | Collection Method: syslog; Format: Key Value Pair
HAProxy | Web Proxy | HA Proxy | Collection Method: syslog; Format: Delimited-space
Infoblox | DNS / DHCP | Infoblox | Collection Method: syslog; Format: Regex
Intel Security / McAfee Inc. | Web Proxy | McAfee Web Gateway | Collection Method: syslog; Format: CEF
Juniper Networks | Authentication / VPN | Juniper Junos Pulse VPN | Collection Method: syslog; Format: Regex
Juniper Networks | Authentication / VPN | Juniper Secure Access VPN | Collection Method: syslog; Format: Regex
Juniper Networks | Firewall | Juniper Junos Pulse Firewall | Collection Method: syslog; Format: Regex
Juniper Networks | Authentication / VPN | Juniper Netscreen HVD VPN | Collection Method: syslog; Format: Regex
Microsoft Corporation | Email / Email Security | Microsoft Exchange Server | Collection Method: syslog; Format: Regex
Microsoft Corporation | Microsoft Windows | Microsoft Windows SNARE | Collection Method: syslog; Format: snare
Microsoft Corporation | Microsoft Windows | Microsoft Windows PSLOGLIST | Collection Method: syslog; Format: PSLOGLIST
Microsoft Corporation | Microsoft Windows | Microsoft Windows WINEVENT | Collection Method: syslog; Format: WINEVENT
Microsoft Corporation | Microsoft Windows | Microsoft Windows | Collection Method: syslog; Format: WINDOWSRSA
Microsoft Corporation | DNS / DHCP | Microsoft DHCP | Collection Method: syslog; Format: Delimited-comma
Microsoft Corporation | Microsoft Windows | Microsoft Windows SNARE | Collection Method: splunkraw; Format: snare
Microsoft Corporation | Microsoft Windows | Microsoft Windows WINEVENT | Collection Method: splunkraw; Format: WINEVENT
Oracle Corporation | Database Audit | Oracle SysDB | Collection Method: syslog; Format: CEF
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Collection Method: splunkraw; Format: Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Collection Method: syslog; Format: Regex
Palo Alto Networks | Cloud Antivirus / Malware / EDR | PA Cortex | Collection Method: syslog; Format: CEF
Rapid 7 | Vulnerability Scanners | Nexpose Vulnerability Scanner | Collection Method: syslog; Format: Regex
RSA Solutions | Authentication / SSO / Single Sign-On | RSA SecurID Authentication Manager | Collection Method: file; Format: Regex
RSA Solutions | Authentication / SSO / Single Sign-On | RSA SecurID Authentication Manager | Collection Method: splunkraw; Format: Regex
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | Collection Method: syslog; Format: Regex
Tenable | Vulnerability Scanners | Nessus Vulnerability Scanner | Collection Method: syslog; Format: JSON
Trend Micro Inc. | IDS / IPS / UTM / Threat Detection | TippingPoint IPS | Collection Method: syslog; Format: Regex
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | Unix | Collection Method: syslog; Format: Regex
VMware | Virtualization / Containers | VMware NSX-T | Collection Method: syslog; Format: Regex
Zoom | Business Collaboration Platforms | Zoom API | Collection Method: zoom; Format: JSON
Zscaler | Web Proxy | Zscaler Proxy | Collection Method: syslog; Format: CEF
Updated Functionality
The following table contains the functionality that was updated in this release:
Resource Type | Previous Functionality | New Functionality
Aruba Clear Pass | Network Access Control | Network Access Control / NAC
AWS CloudTrail | AWS - Cloud Services / Applications | Cloud Services / Applications
AWS EKS Audit | AWS Kubernetes | Cloud Services / Applications
AWS EKS Authenticator | AWS Kubernetes | Cloud Services / Applications
AWS EKS Controller Manager | AWS Kubernetes | Cloud Services / Applications
AWS foundry | AWS - Cloud Services / Applications | Cloud Services / Applications
Bro Network Security | Netflow / Sinkhole | Flow
Cisco NXOS | Operating Systems | Network Access Control / NAC
Cisco Umbrella | Next Generation Firewall | DNS / DHCP
DAM | Database Access Monitoring | Database Monitoring
Gigya | Audit | Application Audit
Imperva | Database Security | Database Audit
Mcafee Web Gateway | Web Gateway Proxy | Web Proxy
RedHat OpenShift CaaS | Containers As A Service | Virtualization / Containers
SVN | Application Audit | Source Code Repository
Tanium | Tanium/ WorkStation Management Systems | Endpoint Management Systems
Tanium Detect | Endpoint Management Systems | Antivirus / Malware / EDR
Tanium Endpoint | Tanium/ WorkStation Management Systems | Endpoint Management Systems
Improved Threat Detection Content
The following table contains the threat detection content that was improved in this release:
Functionality | Signature ID | Policy Name
Antivirus / Malware / EDR | EDR-ALL-729-ER | Potential WMI Lateral Movement - Rare process spawnned - AVEDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-29-ER | Potential WMI Lateral Movement - Rare process spawnned - Cloud EDR
Cloud Application Security Broker | CASB-ALL-818-RU | User visting stegnography sites - SIEM - CASB
Cloud Application Audit | CAAU-ALL-800-RU | Potential account compromise - Exchange
Cloud Content Management System | CCMS-ALL-805-BP | Abnormal number of files shared with Competitor email address
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Cloud Content Management System | CCMS-ALL-802-ERR | Account Activity detected from Rare Country
Cloud Content Management System | CCMS-ALL-804-BP | Abnormal number of files shared with personal account
Cloud Content Management System | CCMS-ALL-810-BP | Abnormal number of files downloaded by an account
Cloud Content Management System | CCMS-ALL-807-RU | File activity performed by terminated user
Cloud Content Management System | CCMS-ALL-801-ER | Suspicious Modification of Privileges for Documents
Cloud Content Management System | CCMS-ALL-816-BP | Abnormal number of files deleted by an account
Cloud Content Management System | CCMS-ALL-812-ER | Rare Operation performed by an User
Cloud Content Management System | CCMS-ALL-814-BP | Abnormal Number of files Printed compared to past behavior
Cloud Content Management System | CCMS-ALL-815-DB | Recovering Files along with Data Egress
Cloud Content Management System | CCMS-ALL-809-ERR | Account accessing file path never accessed before
Cloud Content Management System | CCMS-ALL-806-BP | Abnormal number of files shared with Non Business account
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-811-LS | Landspeed Anomaly - Cloud Content Management System
Cloud Content Management System | CCMS-ALL-813-RU | File shared with Non business account
Cloud Content Management System | CCMS-ALL-835-BP | Abnormal number of files downloaded compared to peers
Cloud Content Management System | CCMS-ALL-836-BP | Abnormal number of files uploaded
Cloud Content Management System | CCMS-ALL-820-DB | Multiple Files shared with Non Business Accounts
Cloud Content Management System | CCMS-ALL-837-RU | File shared with personal account
Cloud Content Management System | CCMS-ALL-821-DB | Multiple Files shared with Account having competitor domain
Cloud Content Management System | CCMS-ALL-822-RU | Critical files shared with external Account
Cloud Content Management System | CCMS-ALL-823-RU | Corporate documents made public
Cloud Content Management System | CCMS-ALL-838-BP | Abnormal Number of Corporate documents made public
Cloud Content Management System | CCMS-ALL-824-DB | External account accessing multiple critical files
Cloud Content Management System | CCMS-ALL-825-DB | External account downloading high number of files
Cloud Content Management System | CCMS-ALL-839-BP | External account downloading abnormally high number of files
Cloud Content Management System | CCMS-ALL-826-RU | Activity from personal account belonging to company employee
Cloud Content Management System | CCMS-ALL-827-DB | Account activity from multiple countries in a day
Cloud Content Management System | CCMS-ALL-828-ERR | Account activity from a country rare to the organization
Cloud Content Management System | CCMS-ALL-829-ERR | Account activity from a country rare for the user
Cloud Content Management System | CCMS-ALL-830-LS | Landspeed anomaly detected for account
Cloud Content Management System | CCMS-ALL-831-RU | Activity from suspicious IP
Cloud Content Management System | CCMS-ALL-832-RU | User Changing Document Visibility to Anyone with a link-240
Cloud Content Management System | CCMS-ALL-808-ER | User performing unusual activity compared to peers
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Email / Email Security | EML-ALL-816-RU | Flight Risk Behavior Exhibited In Emails
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-79-ER | Suspicious use of cradle - rare child process spawned from script interpreter
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-109-RU | Possible use of renamed LOL helper tool payload by malware - executable and hash tracking
Endpoint Management Systems | EDR-ALL-110-RU | Possible use of renamed LOL helper tool payload by malware - renamed payload executed
Endpoint Management Systems | EDR-ALL-111-ER | Proxied execution of potentially suspicious process via binaries signed by trusted entities
Microsoft Windows | WOS-214-BP | Abnormal number of network share object access
Microsoft Windows | WOS-290-BP | Abnormal number of kerberos pre authentication failures
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B
Microsoft Windows | WEL-ALL-906-BP | Suspicious Account Activity - Peak Credential Validation Failure Increase For Host Analytic
Next Generation Firewall | IFW-ALL-904-RU | RDP Access allowed from the internet - SIEM
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | IFW-ALL-905-TP | Inbound Traffic from C2 Domains and IP addresses - SIEM
Next Generation Firewall | IFW-ALL-901-TP | Outbound Traffic to C2 Domains and IP addresses - SIEM
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | NGF-768 | Possible host enumeration over system ports - Internal - Next Gen Firewall
Unix / Linux / AIX | UNX-ALL-801-DB | Brute Force Followed By a Successful Login from internal - SIEM
Unix / Linux / AIX | UNX-ALL-814-DB | Account was created and acted suspiciously - SIEM
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B
Vulnerability Scanners | SCN-ALL-803-RU | Unpatched Vulnerability
Vulnerability Scanners | SCN-ALL-802-RU | Target Attack on vulnerable asset
Web Proxy | PXY-ALL-864-TA | Traffic to randomly generated domains
Decommissioned Content
The following table contains the formats that are no longer supported in this release:
Vendor | Functionality | Device Type | Collection Method
Amazon Inc | AWS - Cloud Services / Applications | AWS CloudTrail | Collection Method: awssqss3; Format: JSON
Amazon Inc | Firewall | AWS VPC Flow | Collection Method: awscloudwatch; Format: Delimited-space
DUO Security | Cloud Authentication / SSO / Single Sign-On | Duo Security Authentication | Collection Method: duo; Format: JSON
Intel Security / McAfee Inc. / IronMail | Email / Email Security | Mcafee IronMail Email Gateway | Collection Method: file; Format: Regex
Raytheon / Websense / ForcePoint Inc | Web Proxy | Websense Proxy | Collection Method: syslog; Format: CEF
Tanium | Antivirus / Malware / EDR | Tanium Detect | Collection Method: syslog; Format: CEF
Functionality | Policy Name | Signature ID | Signature Comments
Access / Privileged User | Possible sabotage - Rare action performed by account | N/A | Removed the policy as it flagged low level events.
Access / Privileged User | Abnormal number of distinct accounts accessed compared to past behavior | N/A | Removed the policy as it flagged low level events.
Access / Privileged User | Possible sabotage - Abnormal number of Cyberark files deleted | N/A | Removed the policy as it flagged low level events.
Access / Privileged User | Rare action performed on safe not performed by peers | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal amount of data copied to removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal number of failed login attempts - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal number of files transferred to removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal number of files with High Value Extensions via removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal Number of Processes Terminated - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Admin user logging in via clear text - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Beaconing traffic to rare domains on web activity - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Flight risk behavior via removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Flight risk behavior via removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | IOS Buffer Overflow - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Job exiting behavior exhibited in removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Malicious Outbound Redirect - Allowed - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Malicious Outbound Redirect - Blocked - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Malicious Software Detected - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Network connections to rare systems - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare dll process and path on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare dll used by a process on the network - Cloud EDR - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare function used by a dll on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare parent process spawning a child process on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare process and path detected on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare process and path for high severity endpoint alerts - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare use of critical keywords in commandline for Linux - EDR - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Network Activity - Peak Powershell LDAP Connection For Host Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Explorer - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSAAS - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSM - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Rundll32 - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Services - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SMSS - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SVCHost - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - WinInit - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Injection - Unusual Crossproc Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - WMI Lateral Movement - Unusual WMI Child Process Analytic -A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Known Threat Intel Malicious Process Execution Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Peak Rare Process Spike For Organization Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Rare Office Child Process Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Targeted - Suspicious Office Child Process Executable Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Rare CreateRemoteThread Invocation Potential BYOL-C Execute-Assembly Analytics-A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare DLL Invocation Via Rundll32 For Host Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Parent-Child Relationship For User Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Process For Host Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Mimikatz CommandLine Usage Analytic - A2B - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Shadow Copy-Backup Deletion Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Boot Recover Disable Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Command Line Arguments Analytic - A2B - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Common Escalation of Privilege AppInit DLL Registry Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Keyloggers Abusing Nirsoft Tools Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Possible Enum File Creation Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Command Line Admin Share Access Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence I Clicking Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence II Malicious Payload Open Browser Modality Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Scripting File Types Created Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Shim Database Registration Changes Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Squiblydoo Attack Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu Startup Modification Analytic -A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu_Startup Modification Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - MS EquationEditor Spawning a Child Process Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Autorun Changes Analytic -A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Internal Monologue Attack - NetNTLM Version Update Analytics-A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Usage of Credential Dumpers - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Virus and Malicious Code Outbreak - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Vulnerable Endpoint monitoring - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Repeat Attack-Network Intrusion Prevention System | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Repeat Attack-Host Intrusion Prevention System | N/A | Removed the policy as it flagged low level events.
Application / Enterprise / SaaS | Abnormal amount of data uploaded to cloud storage | N/A | Removed the policy as it flagged low level events.
Application / Enterprise / SaaS | Abnormal number of files uploaded to cloud storage | N/A | Removed the policy as it flagged low level events.
Authentication / SSO / Single Sign-On | Rare Okta Application Access | N/A | Removed the policy as it flagged low level events.
Authentication / SSO / Single Sign-On | Rare IP address - successful Okta login | N/A | Removed the policy as it flagged low level events.
Authentication / SSO / Single Sign-On | Successful Login From Suspicious IP Address | N/A | These are replaced with CRP policy
Authentication / SSO / Single Sign-On | Robotic Pattern Observed from an IP - Failed Login | N/A | These are replaced with CRP policy
Authentication / VPN | Account Authenticating from Rare Geolocation | N/A | Duplicate - Threat scenario covered as part of another policy
Authentication / VPN | Brute Force Access - SIEM | N/A | Duplicate - Threat scenario covered as part of another policy
Authentication / WiFi | Abnormal number of High severity alerts from an entity | N/A | Removed the policy as it flagged low level events.
Authentication / WiFi | Abnormal number of User Authentication Failure | N/A | Duplicate - Threat scenario covered as part of another policy
AWS / Cloud Services / Applications | Cloud storage resource accessed from a rare IP address | N/A | Very Noisy
Cloud Antivirus / Malware / EDR | Abnormal number of files transferred to removable media - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Abnormal number of failed login attempts - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Abnormal Number of Processes Terminated - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud
Antivirus /
Malware /
EDR
Admin user logging in
via clear text - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Beaconing traffic to
rare domains on web
activity - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
DNS traffic to
randomly generated
domains - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Flight risk behaviour
via removable media -
Cloud EDR
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 84
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Infected Endpoint
monitoring - Cloud EDRN/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
IOS Buffer Overflow -
Cloud EDRN/A
Removed the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Job exiting behavior
exhibited in removable
media - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Malicious Outbound
Redirect - Allowed -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Malicious Outbound
Redirect - Blocked -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Malicious Software
Detected - Cloud EDRN/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Network connections to
rare systems - Cloud
EDR
N/A Low fidelity
SNYPR Release Notes 85
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Rare dll process and
path on the network -
Cloud EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Rare dll used by a
process on the network
- Cloud EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Rare function used by a
dll on the network -
Cloud EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Rare parent process
spawning a child
process on the network
- Cloud EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Rare process and path
detected on the
network - Cloud EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Rare process and path
for high severity
endpoint alerts - Cloud
EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Rare use of critical
keywords in
commandline for Linux
- Cloud EDR
N/A Low fidelity
SNYPR Release Notes 86
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious Network
Activity - Peak
Powershell LDAP
Connection For Host
Analytic - A2B - Cloud
EDR
N/A Low fidelity
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- Explorer - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- LSAAS - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- LSM - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- Rundll32 - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- Services - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- SMSS - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 87
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- SVCHost - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious path of
execution for known
processes on Windows
- WinInit - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Potential
Injection - Unusual
Crossproc Analytic -
Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - WMI Lateral
Movement - Unusual
WMI Child Process
Analytic -A2B - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Known
Threat Intel Malicious
Process Execution
Analytic - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Peak Rare
Process Spike For
Organization Analytic -
Cloud EDR
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 88
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Potential
Phishing Sequence III -
Rare Office Child
Process Analytic -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Potential
Phishing Sequence III -
Targeted - Suspicious
Office Child Process
Executable Analytic -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Rare
CreateRemoteThread
Invocation Potential
BYOL-C Execute-
Assembly Analytics-
A2B - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Rare DLL
Invocation Via
Rundll32 For Host
Analytic - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Rare Parent-
Child Relationship For
User Analytic - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 89
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Rare Process
For Host Analytic -
Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Rule -
Potential Attack Tool
PWDUMP or Mimikatz
Usage File Creation
Analytic - A2B - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Rule -
Potential Mimikatz
CommandLine Usage
Analytic - A2B - Cloud
EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Shadow
Copy-Backup Deletion
Analytic - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Boot Recover Disable
Analytic - Cloud EDR
N/A
Removed the policy as
it flagged low level
events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Command Line
Arguments Analytic -
A2B - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 90
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Common Escalation of
Privilege AppInit DLL
Registry Analytic -
Cloud EDR
N/A
Removed the policy as
it flagged low level
events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Keyloggers Abusing
Nirsoft Tools Analytic -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Possible Enum File
Creation Analytic - A2B
- Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Potential Command
Line Admin Share
Access Analytic - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Potential Phishing
Sequence I Clicking
Analytic - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 91
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Potential Phishing
Sequence II Malicious
Payload Open Browser
Modality Analytic -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Potential Powershell
Phanthom Event Log
Thread Termination
Covertness Analytic -
A2B - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Scripting File Types
Created Analytic - A2B
- Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Shim Database
Registration Changes
Analytic - A2B - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity - Targeted -
Squiblydoo Attack
Analytic - Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 92
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity- Targeted -
Malicious Start Menu
Startup Modification
Analytic -A2B - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity- Targeted -
Malicious Start Menu_
Startup Modification
Analytic - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Process
Activity- Targeted - MS
EquationEditor
Spawning a Child
Process Analytic -
Cloud EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Suspicious Registry
Activity - Targeted -
Autorun Changes
Analytic -A2B - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Suspicious Registry
Activity - Targeted -
Internal Monologue
Attack - NetNTLM
Version Update
Analytics-A2B - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 93
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Antivirus /
Malware /
EDR
Usage of Credential
Dumpers - Cloud EDRN/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Virus and Malicious
Code Outbreak - Cloud
EDR
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Vulnerable Endpoint
monitoring - Cloud EDRN/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Antivirus /
Malware /
EDR
Low Severity Endpoint
Alert Detected - Cloud
EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Antivirus /
Malware /
EDR
Medium Severity
Endpoint Alert
Detected - Cloud EDR
N/ARemoved the policy as itflagged low level events.
Cloud
Authentication
/ SSO / Single
Sign-On
Brute Force Attack to
the same host - SIEM -
SSO
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Authentication
/ SSO / Single
Sign-On
Repeat Failure
Authentication - SIEM -
SSO
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 94
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Authentication
/ SSO / Single
Sign-On
Password Spraying
Attack Detected - SIEM
- SSO
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Authentication
/ SSO / Single
Sign-On
High Failed Logins to
Domain Admin Account
- SIEM - SSO
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Authentication
/ SSO / Single
Sign-On
Concurrent console
logon - SIEM - SSON/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Authentication
/ SSO / Single
Sign-On
Multiple Lockouts -
SIEM - SSON/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Authentication
/ SSO / Single
Sign-On
Login failure to
Disabled User Account
- SIEM - SSO
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Authentication
/ SSO / Single
Sign-On
Probable Successful
Brute Force Attack -
SIEM - SSO
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Application
Audit
Account authenticating
from rare geolocation -
Exchange
N/ARemoved the policy as itflagged low level events.
Cloud
Application
Audit
Abnormal Number of
Distinct Emails
Archived - Exchange
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 95
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud
Application
Security
Broker
Account performing
activity from a
suspicious location -
SIEM - CASB
N/ARemoved the policy as itflagged low level events.
Cloud
Application
Security
Broker
Uploads to personal
GitHub repository -
SIEM - CASB
N/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud
Application
Security
Broker
Downloads with
multiple filename but
same filehash - SIEM -
CASB
N/A
Removed the policy as
it flagged low level
events.
Cloud
Authentication
/ SSO / Single
Sign-On
Phone verification mfa
anomalyN/A
Removed the policy as itflagged low level events.
Cloud
Authentication
/ SSO / Single
Sign-On
User Account
Unlocking VIP User
accounts - SSO
N/ARemoved the policy as itflagged low level events.
Cloud
Authentication
/ SSO / Single
Sign-On
Use of Any Default
Credentials - SIEM -
SSO
N/ARemoved the policy as itflagged low level events.
Cloud
Authentication
/ SSO / Single
Sign-On
Activity seen from rare
cityN/A
Removed the policy as itflagged low level events.
Cloud Content
Management
System
Landspeed anomaly
detected for accountN/A
Removed the policy as
it flagged low level
events.
SNYPR Release Notes 96
New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Content
Management
System
File manipulation
followed by egressN/A
Removed the policy as itflagged low level events.
Cloud Content
Management
System
Suspicious Modification
of Privileges for
Documents
N/ARemoved the policy as itflagged low level events.
Cloud Content
Management
System
Abnormal number of
document permission
changes observed
N/ARemoved the policy as itflagged low level events.
Cloud Content
Management
System
Rare Operation
performed by an UserN/A
Removed the policy as itflagged low level events.
Cloud Content
Management
System
Recovering Files along
with Data EgressN/A
Removed the policy as itflagged low level events.
Cloud Content
Management
System
Abnormal number of
files downloaded by an
account
N/A
Duplicate - Threat
scenario covered as
part of another policy
Replaced with new
policy: Abnormal
number of files
downloaded
Content
Management
System
Abnormal amount of
files downloaded
compared to past
behavior
N/A
Duplicate - Threat
scenario covered as
part of another policy
Content
Management
System
Abnormal number of
file deletions compared
to past behavior
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 97
New and Improved Content
Policy Name Signature ID Signature Comments
Content
Management
System
Abnormal number of
files downloadedN/A
Duplicate - Threat
scenario covered as
part of another policy
Content
Management
System
Abnormal number of
files shared to
Competitor Domains
N/ARemoved the policy as itflagged low level events.
Content
Management
System
Abnormal number of
files shared to Non
Business domains
N/ARemoved the policy as itflagged low level events.
Content
Management
System
Abnormal number of
files shared with
personal accounts
N/ARemoved the policy as itflagged low level events.
Content
Management
System
Account accessing a file
share never accessed
before
N/ARemoved the policy as itflagged low level events.
Content
Management
System
Authentication from
rare geolocationN/A
Removed the policy as itflagged low level events.
Content
Management
System
File activity by
terminated userN/A
Duplicate - Threat
scenario covered as
part of another policy
Content
Management
System
File manipulation
followed by egress-129N/A
Removed the policy as itflagged low level events.
Content
Management
System
User performing
unusual activity
compared to peers
N/ARemoved the policy as itflagged low level events.
Content
Management
System
Account accessing file
never accessed beforeN/A
Removed the policy as itflagged low level events.
SNYPR Release Notes 98
New and Improved Content
Policy Name Signature ID Signature Comments
Content
Management
System
Abnormal number of
files downloaded by an
account -CMS
N/A
Duplicate - Threat
scenario covered as
part of another policy
Replaced with new
policy: Abnormal
number of files
downloaded -CMS
Cloud PrintUnauthorized printer
usage - Cloud PrintN/A
Duplicate - Threat
scenario covered as
part of another policy
Cloud Print
Abnormal number of
pages printed compared
to peer - Cloud Print
N/A
Duplicate - Threat
scenario covered as
part of another policy
Database
Audit
Rare DCL command
executed not
performed by peers
N/ARemoved the policy as itflagged low level events.
Database
Audit
Rare DB application
accessed by account
compared to peers
N/ARemoved the policy as itflagged low level events.
Database
Audit
Rare DML command
executed not
performed by peers
N/ARemoved the policy as itflagged low level events.
Database
Audit
Rare DDL command
executed not
performed by peers
N/ARemoved the policy as itflagged low level events.
Database
Audit
Rare TCL command
executed not
performed by peers
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 99
New and Improved Content
Policy Name Signature ID Signature Comments
Database
Audit
Abnormal number of
concurrent sessions in a
day
N/ARemoved the policy as itflagged low level events.
Data Loss
Prevention /
Endpoint DLP
Abnormal number of
pages printed compared
to peer - Endpoint DLP
N/A
Duplicate - Threat
scenario covered as
part of another policy
Data Loss
Prevention /
Endpoint DLP
Abnormal number of
pages printed compared
to peer
N/A
Duplicate - Threat
scenario covered as
part of another policy
Data Loss
Prevention /
Endpoint DLP
Abnormal number of
files printed compared
to peer
N/A
Duplicate - Threat
scenario covered as
part of another policy
Database
Monitoring
Account accessing
critical PII database -
SIEM
N/ARemoved the policy as itflagged low level events.
Database
Monitoring
Rare Database
Accessed by an
Account
N/ARemoved the policy as itflagged low level events.
Database
Monitoring
Potential Account
Compromise on
Database Server
N/ARemoved the policy as itflagged low level events.
Database
Monitoring
Password Spraying
Attack Detected - SIEMN/A
Removed the policy as itflagged low level events.
Database
Monitoring
Attempted use of
disabled account -
SIEM
N/ARemoved the policy as itflagged low level events.
Database
Monitoring
Audit Log Tampering -
SIEMN/A
Removed the policy as itflagged low level events.
SNYPR Release Notes 100
New and Improved Content
Policy Name Signature ID Signature Comments
Database
Monitoring
concurrent console
logon - SIEMN/A
Removed the policy as itflagged low level events.
Database
Monitoring
Spike in Failed Logins
to a Database Server-
143
N/A
Duplicate - Threat
scenario covered as
part of another policy
Database
Security
Multiple Failed
Followed by Successful
Login to a Database
Server-143
N/ARemoved the policy as itflagged low level events.
Database
Security
Potential Account
Compromise on
Database Server-143
N/ARemoved the policy as itflagged low level events.
Database
Security
Rare Critical
Commands Executed on
a Database Server
N/A
Duplicate - Threat
scenario covered as
part of another policy
Database
Security
Rare Database
Accessed by an
Account
N/ARemoved the policy as itflagged low level events.
Database
Security
Spike in frequency of
DDL or DML
Commands Executed
N/ARemoved the policy as itflagged low level events.
Database
Security
Spike in Failed Logins
to a Database Server-
143
N/ARemoved the policy as itflagged low level events.
DNS / DHCPPossible fast flux
domain detected-123N/A
Duplicate - Threat
scenario covered as
part of another policy
DNS / DHCP Rare dns host resolved N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 101
New and Improved Content
Policy Name Signature ID Signature Comments
Email / Email
Security
Emails Sent with
Source Code - SIEM -
DLP
N/ARemoved the policy as itflagged low level events.
Email / Email
Security
Emails to Non-Business
Domains - SIEM - DLPN/A
Removed the policy as itflagged low level events.
Email / Email
Security
Emails Sent to Personal
Email - SIEM - DLPN/A
Removed the policy as itflagged low level events.
Email / Email
Security
Emails to Competitor
Domains - SIEM - DLPN/A
Removed the policy as itflagged low level events.
Email / Email
Security
Compressed Files in
Emails - SIEM - DLPN/A
Removed the policy as itflagged low level events.
Endpoint
Management
Systems
Suspicious Process
Activity - Targeted -
Potential ETW Disable
Attempt Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Rare USB device
activityN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Rare ports used by a
process for high
severity endpoint alerts
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Rarity on system
hardening monitorN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Suspicious Process
Activity - Targeted -
Executable File
Creation Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 102
New and Improved Content
Policy Name Signature ID Signature Comments
Endpoint
Management
Systems
Abnormal number of
file shares createdN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Rare Executive Host
AccessedN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Rare CD or DVD
burning activityN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Abnormal number of
file shares deletedN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Abnormal number of
share folder creation
on system
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Abnormal number of
failed logonsN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Abnormal number of
low severity alertsN/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Rare login geo location N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Executable or Script
file created by ProcessN/A
Removed the policy as itflagged low level events.
Endpoint
Management
Systems
Rare child process
spawned from
WMIPRVSE
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 103
New and Improved Content
Policy Name Signature ID Signature Comments
Endpoint
Management
Systems
Rare combination of
parent and child
process found for user
N/ARemoved the policy as itflagged low level events.
Endpoint
Management
Systems
Suspicious Process
Activity - Peak File RW
Process Terminations
For Host Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Suspicious Process
Activity - Rare DLL
Creation in SYSTEM
Directory Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Suspicious Process
Activity - Rare Egress
Destination Port For
LOLBIN App Potential
Malicious Stager
Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Suspicious Process
Activity - Rare High-
Integrity Process For
User Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Suspicious Process
Activity - Targeted -
Potential Stego
Embedding Tool
Agnostic Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
SNYPR Release Notes 104
New and Improved Content
Policy Name Signature ID Signature Comments
Endpoint
Management
Systems
Suspicious Process
Activity - Targeted -
Potential UACBypass
csc Spawning Temp
Directory Payload
Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Use of invoke Phant0m
powershell tool to
disable endpoint
logging
N/A Misconfig
Endpoint
Management
Systems
Suspicious Process
Activity - Targeted -
Potential ETW Disable
Attempt Analytic
N/A
Duplicate - Threat
scenario covered as
part of another policy
Endpoint
Management
Systems
Potential WMI Lateral
Movement Rare
WmiPrvSe Subprocess
N/A
Duplicate - Threat
scenario covered as
part of another policy
Firewall
Firewall traffic to
randomly generated
domains - Firewall
N/ARemoved the policy as itflagged low level events.
FirewallRepeat Attack on
firewall-ForeignN/A
Duplicate - Threat
scenario covered as
part of another policy
Firewall
SmartDefense IPS
Rules - High Severity -
Firewall
N/ARemoved the policy as itflagged low level events.
Firewall
SmartDefense IPS
Rules - Malicious
address - Firewall
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 105
New and Improved Content
Policy Name Signature ID Signature Comments
Firewall
SmartDefense IPS
Rules - Medium
Severity - Firewall
N/ARemoved the policy as itflagged low level events.
FirewallTraffic to rare domain
on DNS ports - FirewallN/A
Removed the policy as itflagged low level events.
Flow
Abnormal amount of
data aggregated from
FTP ports - Flow
N/ARemoved the policy as itflagged low level events.
Flow
Abnormal amount of
data aggregated from
SMB ports - Flow
N/ARemoved the policy as itflagged low level events.
Flow
Abnormal amount of
data uploads to external
sites-FLOW
N/ARemoved the policy as itflagged low level events.
Flow
Abnormal amount of
data uploads to storage
sites over firewall -
FLOW
N/ARemoved the policy as itflagged low level events.
Flow
Abnormal amount of
data uploads to storage
sites-FLOW
N/ARemoved the policy as itflagged low level events.
Flow
Abnormal number of
DHCP requests -
FLOW
N/ARemoved the policy as itflagged low level events.
FlowAbnormal time for dhcp
lease-FlowN/A
Removed the policy as itflagged low level events.
Flow
Abnormal upload
attempts to distinct
storage sites-FLOW
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 106
New and Improved Content
Policy Name Signature ID Signature Comments
Flow
Account authenticating
from rare geolocation
on VPN - FLOW
N/ARemoved the policy as itflagged low level events.
Flow
Activity from known
malicious addresses
detected on VPN -
FLOW
N/ARemoved the policy as itflagged low level events.
FlowBeaconing traffic to
malicious sites-FLOWN/A
Removed the policy as itflagged low level events.
Flow
Beaconing traffic to
rare domains over dns-
flow
N/ARemoved the policy as itflagged low level events.
FlowBeaconing traffic to
rare domains-FLOWN/A
Removed the policy as itflagged low level events.
Flow
Data exfiltration over
known data transfer
services - Flow
N/ARemoved the policy as itflagged low level events.
FlowDHCP request from
rare device-FlowN/A
Removed the policy as itflagged low level events.
Flow
Firewall traffic to
randomly generated
domains - Flow
N/ARemoved the policy as itflagged low level events.
FlowLandspeed anomaly on
VPN - FLOWN/A
Removed the policy as itflagged low level events.
Flow
Persistent traffic to
rare non resolvable
domain dns responses-
Flow
N/ARemoved the policy as itflagged low level events.
SNYPR Release Notes 107
New and Improved Content
Functionality | Policy Name | Signature ID | Signature Comments
Flow | Possible host enumeration over critical access ports - Internal - Flow | N/A | Duplicate - Threat scenario covered as part of another policy
Flow | Possible port scan over system ports - Flow | N/A | Duplicate - Threat scenario covered as part of another policy
Flow | Potential lateral movement | N/A | Duplicate - Threat scenario covered as part of another policy
Flow | Randomly generated domain detected on dns response - flow | N/A | Removed the policy as it flagged low level events.
Flow | Rare dns host resolved flow | N/A | Removed the policy as it flagged low level events.
Flow | Rare dns host resolved - Flow | N/A | Removed the policy as it flagged low level events.
Flow | Traffic to rare domain on DNS ports - Flow | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | Possible password spraying from a windows resource | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | High number of accounts using the same ipaddress for authentication failures or lockout events | N/A | Duplicate - Threat scenario covered as part of another policy
Microsoft Windows | High number of failed login attempts from an IP - SIEM | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | High number of accounts using the same ipaddress for authentication failures or lockout events | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | Usage of potential scriptable executable to run or access malicious payload | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | High number of failed login attempts from an account - SIEM | WEL-ALL-942-DB | Removed the policy as it flagged low level events.
Microsoft Windows | Repeat Failure Authentication - SIEM | WEL-ALL-949-DB | Removed the policy as it flagged low level events.
Microsoft Windows | High number of service tickets requested - SIEM | WEL-ALL-923-BP | Removed the policy as it flagged low level events.
Microsoft Windows | Detection of Brute Force Attack To The Same Host - SIEM | WEL-ALL-938-DB | Removed the policy as it flagged low level events.
Microsoft Windows | Use of explicit credentials for a possible Account sharing or Password misuse | WOS-203-RU | Policy is replaced with "Use of explicit credentials by a rare account - Account sharing or Password misuse".
Microsoft Windows | High number of host accessed - SIEM | WEL-ALL-931-BP | Removed the policy as it flagged low level events.
Microsoft Windows | Rare privileged level for a windows authentication | WOS-244-ER | Removed the policy as it flagged low level events.
Microsoft Windows Powershell | Use of Powershell encode command by an account | N/A | Duplicate - Threat scenario covered as part of another policy
Microsoft Windows Powershell | Powershell execution policy changed by Account | N/A | Duplicate - Threat scenario covered as part of another policy
Microsoft Windows Powershell | Use of Powershell Invoke Expression Command by Account | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Abnormal number of connections on DNS ports - NGFW | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Bruteforce on Critical Service from an IP Observed Performing Network Recon | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Internal System running port scan Internally - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Monitoring Inbound malicious IP addresses - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Network Connection from a rare Geolocation | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Possible host enumeration observed - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Rare domain visited by account - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Rare Filetype Observed - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Rare operating system detected for an account on VPN - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Repeat Attack-Login Source on VPN - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | SMB traffic to and from Internet | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Successful Network Connection Observed from an IP Performing Network Recon | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | System running external scan - SIEM | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Traffic to rare domain on DNS ports - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Undocumented account activity on VPN - Next Gen Firewall | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Zone Transfer from External to Internal - SIEM | N/A | Low - Removed the policy as it flagged low level events.
Next Generation Firewall | Internal system running port scan - horizontal SIEM | N/A | Legacy SIEM content - Low fidelity
Next Generation Firewall | Non Mail server trying to send mails outside - SIEM | N/A | Legacy SIEM content - Low fidelity
Next Generation Firewall | Possible port scan from internal IP Address - Next Gen Firewall | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Inbound Traffic from C2 Domains and IP addresses - SIEM | IFW-ALL-905-TP | Removed the policy as it flagged low level events.
Next Generation Firewall | Outbound Traffic to C2 Domains and IP addresses - SIEM | IFW-ALL-901-TP | Removed the policy as it flagged low level events.
Next Generation Firewall | Abnormal amount of data uploads to storage sites over firewall | IFW-CAF-870-BA | Removed the policy as it flagged low level events.
Network Traffic Analytics | Rare dns host resolved - NTA (NTA-ALL-801-TA) | NTA-ALL-801-TA | Removed the policy as it flagged low level events.
 | Abnormal number of pages printed compared to peer | N/A | Duplicate - Threat scenario covered as part of another policy
Unix / Linux / AIX | Undocumented accounts performing activity | N/A | Removed the policy as it flagged low level events.
Unix / Linux / AIX | Use of any default credentials on Unix | N/A | Removed the policy as it flagged low level events.
Web Application Firewall | Abnormal number of high severity WAF alerts | N/A | Removed the policy as it flagged low level events.
Web Application Firewall | Possible directory traversal | N/A | Removed the policy as it flagged low level events.
Web Application Firewall | DNS amplification by frequency of packets - Firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Possible external host enumeration over system ports - Firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Possible external port scan over system ports - Firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Traffic to Known Attacker on firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Repeat Attack on firewall-Foreign-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Beaconing Traffic Detected | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Detection of possible proxy circumvention-125 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Detection of possible proxy circumvention-134 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Detection of possible proxy circumvention-135 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Rare domain visited by account | N/A | Removed the policy as it flagged low level events.
Web Proxy | Uploads to news or media websites | N/A | Removed the policy as it flagged low level events.
Web Server | Circumvention of URL Controls | N/A | Removed the policy as it flagged low level events.
Web Server | Rare User Agent Used | N/A | Removed the policy as it flagged low level events.
Web Server | Circumvention of Directory Controls | N/A | Removed the policy as it flagged low level events.
Web Server | Circumvention of Directory Controls-124 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Server | Possible Web Crawling Detected | N/A | Removed the policy as it flagged low level events.
Web Server | Possible Web Crawling Detected-124 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Server | Rare HTTP Request Method Used | N/A | Removed the policy as it flagged low level events.
Decommissioned Policy/Threat Content
The following table contains the decommissioned policy and threat content in this release:
Functionality Signature ID Policy Name
Access /Privileged User
ACP-CAP-804-BPAbnormal number ofpassword retrievalcompared to past behavior
Access /Privileged User
ALT-028Repeat Attack-WebContent Filter
Antivirus / Malware / EDR EDR-FNX-930-DBVirus or Spyware Detectedbut Failedto Clean
Antivirus /Malware / EDR
EDR-MEV-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-MEV-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-MEV-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-FNX-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-FNX-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-FNX-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-FNX-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-TMC-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-TMC-932-DBRepeat IPS or IDSAttack-Foreign
SNYPR Release Notes 115
New and Improved Content
Functionality Signature ID Policy Name
Antivirus /Malware / EDR
EDR-MEV-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-TMC-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-TMC-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-FHX-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-III-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-III-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-FHX-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-III-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-FEX-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-TMC-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-SIS-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-MEV-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-SEP-927-DBPossible Outbreak-Multiple Infected Hosts-313
SNYPR Release Notes 116
New and Improved Content
Functionality Signature ID Policy Name
Antivirus /Malware / EDR
EDR-ALL-840-ERRRare file hashes forhigh severity endpointalerts - EDR
Antivirus /Malware / EDR
EDR-ALL-829-ERRRare file hashdetected on network - EDR
Antivirus /Malware / EDR
EDR-ALL-820-ERRRare usage ofPsRemoting - EDR
Antivirus /Malware / EDR
EDR-ALL-842-BP
Abnormal number ofconnections to WS-Management or PowershellPorts - EDR
Antivirus /Malware / EDR
EDR-ALL-838-BPAbnormal number ofhigh severity endpointalerts - EDR
Antivirus /Malware / EDR
EDR-ALL-886-BPAbnormal number ofssh connections - EDR
Antivirus /Malware / EDR
EDR-ALL-885-BPAbnormal number oftelnet connections - EDR
Antivirus /Malware / EDR
EDR-SNI-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-MEH-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-MEH-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-MEH-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-ALL-726-RUPotential use ofRubeus attack tool detectedvia command line - AVEDR
SNYPR Release Notes 117
New and Improved Content
Functionality Signature ID Policy Name
Antivirus /Malware / EDR
EDR-MEH-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-MEH-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-SNI-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-SNI-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-SNI-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-SNI-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-SEP-930-DBVirus or SpywareDetected but Failed toClean-313
Antivirus /Malware / EDR
EDR-SEP-923-DB Repeat IDS Events-313
Antivirus /Malware / EDR
EDR-SEP-932-DBRepeat IPS or IDSAttack-Foreign-313
Antivirus /Malware / EDR
EDR-SEP-929-RUTraffic to KnownAttacker on IPS or IDS-313
Antivirus /Malware / EDR
EDR-SIS-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-ALL-821-ERRRare critical filemodified by an user - EDR
Antivirus /Malware / EDR
EDR-SIS-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-FHX-930-DBVirus or SpywareDetected but Failed toClean
SNYPR Release Notes 118
New and Improved Content
Functionality Signature ID Policy Name
Antivirus /Malware / EDR
EDR-FHX-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-FHX-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-III-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-III-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-TMC-814-RUResemblance BasedPhishing Attempts - PLDanalysis
Antivirus /Malware / EDR
EDR-TMC-813-RUResemblance BasedPhishing Attempts - TLDanalysis
Antivirus /Malware / EDR
EDR-FEX-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-SIS-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-FEX-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-PSE-930-DBVirus or SpywareDetected but Failed toClean
Antivirus /Malware / EDR
EDR-FEX-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-MNP-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-MNP-929-RUTraffic to KnownAttacker on IPS or IDS
SNYPR Release Notes 119
New and Improved Content
Functionality Signature ID Policy Name
Antivirus /Malware / EDR
EDR-FEX-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-PSE-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-SIS-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-MNP-932-DBRepeat IPS or IDSAttack-Foreign
Antivirus /Malware / EDR
EDR-MNP-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-PSE-927-DBPossible Outbreak-Multiple Infected Hosts
Antivirus /Malware / EDR
EDR-PSE-929-RUTraffic to KnownAttacker on IPS or IDS
Antivirus /Malware / EDR
EDR-PSE-923-DB Repeat IDS Events
Antivirus /Malware / EDR
EDR-MNP-930-DBVirus or SpywareDetected but Failed toClean
Application /Enterprise / SaaS
SAS-ALL-808-BAAbnormal amount ofdata uploaded to GitHub
Application /Enterprise / SaaS
SAS-ALL-810-ERFile accessed from arare geolocation - Netskope
Application /Enterprise / SaaS
SAS-ALL-807-BPAbnormal number offiles downloaded fromGitHub
Application /Enterprise / SaaS
SAS-ALL-811-ERUser downloadingfiles from a suspiciousgeolocation - Netskope
SNYPR Release Notes 120
New and Improved Content
Functionality Signature ID Policy Name
Application /Enterprise / SaaS
SAS-ALL-801-BAAbnormal volume ofdownloads from HIPAAsanctioned apps - Netskope
Application /Enterprise / SaaS
SAS-ALL-813-BPAbnormal number offiles uploaded to cloud
ATMMonitoring
ATM-ALL-804-TARare Buffer overflowdetection
ATMMonitoring
ATM-ALL-803-RUDisabling ofProtection
ATMMonitoring
ATM-ALL-811-BPAbnormal number ofSMB or NETBIOSconnections
ATMMonitoring
ATM-ALL-813-BPAbnormal number offile access attempts
ATMMonitoring
ATM-ALL-800-ERRare weekendtransaction by account
ATMMonitoring
ATM-ALL-806-TARare path for dllsaccessed
ATMMonitoring
ATM-ALL-807-ERRare timeslot for ATMactivity by account
ATMMonitoring
ATM-ALL-808-ERUnusual time of daydevice configuration
ATMMonitoring
ATM-ALL-809-ERSuspicious attemptsto modify registry
ATMMonitoring
ATM-ALL-810-ERUnusual passwordchange attempts
ATMMonitoring
ATM-ALL-805-BPAbnormal number ofdlls accessed
ATMMonitoring
ATM-ALL-801-ERUse of unauthorizeddevices
SNYPR Release Notes 121
New and Improved Content
Functionality Signature ID Policy Name
ATMMonitoring
ATM-ALL-802-ERAttempt to executesuspicious OS calls
Audit AAU-FAA-826-BPAbnormal number ofAuthentication Failures - F5
Authentication/ SSO / Single Sign-On
SSO-ALL-846-ERRare User Agent -successful Okta login
Authentication/ SSO / Single Sign-On
SSO-ALL-821-TAAscending MonotonicPattern Detected
Authentication/ VPN
VPN-ALL-808-DB Brute Force Access
Authentication/ VPN
VPN-ALL-851-RUVPN activity byUndocumented Accounts
Authentication/ VPN
VPN-ALL-805-DBSuccessful Loginafter Repeat Failed logins
Authentication/ VPN
VPN-ALL-804-DBPossible AccountSharing
Authentication/ VPN
VPN-ALL-800-RUVPN Activity fromKnown Malicious Addresses
Authentication/ VPN
VPN-ALL-811-ERVPN AuthenticationUsing a Rare OperatingSystem for an Account
Authentication/ VPN
VPN-ALL-852-BPAbnormal Number ofFailed Authentication for anAccount
Authentication/ VPN
VPN-ALL-809-RUVPN activity byTerminated Users
Authentication/ WiFi
AWI-AMN-8115-DBEvil twin detectionacross multiple locationwith short span of time
Authentication/ WiFi
AWI-AMN-8116-ERRare location eviltwin detected
SNYPR Release Notes 122
New and Improved Content
Functionality Signature ID Policy Name
Authentication/ WiFi
AWI-AMN-817-ERRare location rogueAP detected
Authentication/ WiFi
AWI-AMN-822-DBMultiple Rogue APdetected within samelocation
Authentication/ WiFi
AWI-AMN-823-DBMultiple Evil Twindetected within samelocation
Aviation /Onboard Network System
AVI-ALL-818-BPAbnormal number of SUlogin failures by usingTarget user enumeration
Aviation /Onboard Network System
AVI-ALL-802-BPAbnormal number ofdistinct destination hostsaccessed by an IP Address
Aviation /Onboard Network System
AVI-ALL-812-BPAbnormal high numberof login failure by a'Remote Address
Aviation /Onboard Network System
AVI-ALL-814-BP
Abnormal number ofdistinct destination hostsaccessed by an Activityaccount
Aviation /Onboard Network System
AVI-ALL-815-BPSpike in number of SUauthentication failures
Aviation /Onboard Network System
AVI-ALL-807-BPAbnormal number offailed ssh authenticationattempts by an IP Address
Aviation /Onboard Network System
AVI-ALL-805-RUDetection of passwordretrievals from a non-secure file
Aviation /Onboard Network System
AVI-ALL-800-BPSpike In number ofFailed SSHD Logs
SNYPR Release Notes 123
New and Improved Content
Functionality Signature ID Policy Name
Aviation /Onboard Network System
AVI-ALL-808-ERActivity towards arare hostname which wasnever connected before
Cloud ContentManagement System
CCMS-ALL-804-BPAbnormal number offiles shared with personalaccount
Cloud ContentManagement System
CCMS-ALL-809-ERRAccount accessingfile path never accessedbefore
Cloud ContentManagement System
CCMS-ALL-828-ERRAccount activity froma country rare to theorganization
Cloud ContentManagement System
CCMS-ALL-829-ERRAccount activity froma country rare for the user
Cloud ContentManagement System
CCMS-ALL-805-BPAbnormal number offiles shared withCompetitor email address
Cloud ContentManagement System
CCMS-ALL-802-ERAccount Activitydetected from RareGeolocation
Cloud ContentManagement System
CCMS-ALL-813-RUFile shared with Nonbusiness account
Cloud ContentManagement System
CCMS-ALL-802-ERRAccount Activitydetected from RareCountry
Cloud ContentManagement System
CCMS-ALL-809-ERAccount accessingfile share never accessedbefore
Cloud ContentManagement System
CCMS-ALL-839-BPExternal accountdownloading abnormallyhigh number of files
SNYPR Release Notes 124
New and Improved Content
Functionality Signature ID Policy Name
Cloud ContentManagement System
CCMS-ALL-816-BPAbnormal number offiles deleted by an account
Cloud ContentManagement System
CCMS-ALL-814-BPAbnormal Number offiles Printed compared topast behavior
Cloud ContentManagement System
CCMS-ALL-806-BPAbnormal number offiles shared with NonBusiness account
Cloud Email /Email Security
CEML-ALL-805-BAAbnormal Amount ofData Emailed to PersonalEmail - Cloud Email
Cloud Email /Email Security
CEML-ALL-802-BPAbnormal Number ofSource Code Emailed -Cloud Email
Cloud Email /Email Security
CEML-ALL-808-BPAbnormal Number ofEmail Forwards - CloudEmail
Cloud Email /Email Security
CEML-ALL-818-BA
Abnormal amount ofdata egressed to non-business domains comparedto peer behavior - CloudEmail
Cloud Email /Email Security
CEML-ALL-828-BP
Abnormal number ofemails sent to competitordomains compared to peerbehavior - Cloud Email
Cloud Email /Email Security
CEML-ALL-830-BPAbnormal Number ofEmails to Personal Email -Cloud Email
Cloud Email /Email Security
CEML-ALL-826-BP
Abnormal number ofemails to non businessdomains compared to peerbehavior - Cloud Email
SNYPR Release Notes 125
New and Improved Content
Functionality Signature ID Policy Name
Cloud Email /Email Security
CEML-ALL-829-BA
Abnormal Amount ofData Emailed toNonbusiness Domain -Cloud Email
Cloud Email /Email Security
CEML-ALL-801-BPAbnormal Number ofCompressed Files Emailed -Cloud Email
Cloud Email /Email Security
CEML-ALL-803-BPAbnormal Number ofEmails to Competitor -Cloud Email
Cloud Email /Email Security
CEML-ALL-823-BPAbnormal Number ofEmails to NonbusinessDomains - Cloud Email
Cloud Email /Email Security
CEML-ALL-824-RUEmails from Newlyregistered domains - CloudEmail
Cloud Print CPRN-ALL-837-RUUnauthorized printerusage
Cloud Print CPRN-ALL-838-BPAbnormal number offiles printed compared to apeer group
Cloud Print CPRN-ALL-839-BPAbnormal number ofpages printed compared toa peer group
CloudAntivirus / Malware / EDR
CEDR-ALL-839-BPAbnormal number ofhigh severity endpointalerts - Cloud EDR
CloudAntivirus / Malware / EDR
CEDR-ALL-26-RU
Potential use ofRubeus attack tool detectedvia command line - CloudEDR
SNYPR Release Notes 126
New and Improved Content
Functionality Signature ID Policy Name
CloudAntivirus / Malware / EDR
CEDR-ALL-820-ERRRare usage ofPsRemoting - Cloud EDR
CloudAntivirus / Malware / EDR
CEDR-ALL-858-BPAbnormal number ofCritical severity endpointalerts - Cloud EDR
CloudAntivirus / Malware / EDR
CEDR-ALL-871-BPAbnormal number ofMedium severity endpointalerts - Cloud EDR
CloudAntivirus / Malware / EDR
CEDR-ALL-19-RUPotential MimikatzCommandLine Usage -Cloud EDR
CloudAntivirus / Malware / EDR
CEDR-ALL-829-ERRRare file hashdetected on network -Cloud EDR
CloudAntivirus / Malware / EDR
CEDR-ALL-903-ERRRare file typedetected from an endpoint
CloudAntivirus / Malware / EDR
CEDR-ALL-821-ERRRare critical filemodified by an user - CloudEDR
CloudApplication Audit
CAAU-ALL-805-ERAccountAuthenticating from rarecountry - Exchange
CloudApplication Audit
CAAU-ALL-807-BPAbnormal Number ofDistinct Emails Created -Exchange
CloudApplication Audit
CAAU-ALL-804-ERRare clientapplication detected for theuser - Exchange
CloudApplication SecurityBroker
CASB-ALL-805-RUFiles upload tounauthorized cloud storage- SIEM - CASB
SNYPR Release Notes 127
New and Improved Content
Functionality Signature ID Policy Name
CloudApplication SecurityBroker
CASB-ALL-802-DBSuccessful Loginafter Repeat Failed logins -SIEM - CASB
CloudApplication SecurityBroker
CASB-ALL-810-RUDownloads greaterthan 10MB from externaladdress - SIEM - CASB
CloudApplication SecurityBroker
CASB-ALL-800-RUUser uploadingsensitive files - SIEM -CASB
CloudApplication SecurityBroker
CASB-ALL-809-DBHigh number ofdownloads from externaladdress - SIEM - CASB
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-842-BPAbnormal number ofmfa bypass
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-813-ERRare applicationaccessed by account
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-820-BPSpike in number ofaccount lockout events
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-818-ERAccount activity seenfrom a rare country
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-832-BPPossible userenumeration observedfrom an account
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-814-BPAbnormal number ofdevice alerts observed
SNYPR Release Notes 128
New and Improved Content
Functionality Signature ID Policy Name
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-833-ER
Logon from a rarecountry compared to entireorganization -DUOAuthentication
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-838-BPAbnormal number ofunauthorized attempts toan application
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-834-BPPossible passwordspraying observed from anIP
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-829-BP
Password sprayingattempts from one accountto multiple applications_enumeration -DuoAuthentication
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-815-BPAbnormal number ofsign on failures
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-827-ERLogon from a rarecountry -DUOAuthentication
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-807-RUAttempted use ofdisabled account - SIEM -SSO
CloudAuthentication / SSO /Single Sign-On
CSSO-ALL-841-ERRare logon to adminconsole
CloudServices / Applications
CSA-ALL-714-BPAbnormal Number ofsnapshots created
CloudServices / Applications
CSA-AWS-733-BP
Failed attemptsdetected from an userattempting to attach todifferent roles
SNYPR Release Notes 129
New and Improved Content
Functionality Signature ID Policy Name
ContentManagement System
CMS-ALL-830-ERAccount accessingfile path never accessedbefore -CMS
ContentManagement System
CMS-ALL-846-BPAbnormal number offiles shared with NonBusiness account -CMS
DatabaseAudit
DBS-ALL-821-BAAbnormal frequency ofdata aggregated fromdatabase
Data LossPrevention / Endpoint DLP
EDLP-ALL-819-BPAbnormal Number ofCompressed Files Emailed -DLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-802-BP
Abnormal number ofemails to non businessdomains compared to peerbehavior - Endpoint DLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-824-BPAbnormal number offiles egressed to removablemedia
Data LossPrevention / Endpoint DLP
EDLP-ALL-801-ERUnauthorized printerusage detected
Data LossPrevention / Endpoint DLP
EDLP-ALL-810-BPAbnormal number ofendpoint DLP match countviolations
Data LossPrevention / Endpoint DLP
EDLP-ALL-830-BAAbnormal amount ofendpoint DLP match countviolations
Data LossPrevention / Endpoint DLP
EDLP-ALL-827-BA
Abnormal amount ofdata egressed to competitordomains compared to peerbehavior - Endpoint DLP
SNYPR Release Notes 130
New and Improved Content
Functionality Signature ID Policy Name
Data LossPrevention / Endpoint DLP
EDLP-ALL-826-BAAbnormal amount ofdata egress to NonBusinessdomains - DLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-814-RUMisuse of serviceaccounts to exfiltrate data -SIEM - DLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-805-BAAbnormal amount ofdata egressed to removablemedia
Data LossPrevention / Endpoint DLP
EDLP-ALL-822-BAAbnormal amount ofendpoint DLP match countviolation compared to peer
Data LossPrevention / Endpoint DLP
EDLP-ALL-821-BA
Abnormal amount ofdata egressed to non-business domains comparedto peer behavior - EndpointDLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-812-BAAbnormal amount ofdata egress to Competitor -DLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-828-BP
Abnormal number ofemails sent to competitordomains compared to peerbehavior - Endpoint DLP
Data LossPrevention / Endpoint DLP
EDLP-ALL-823-BAAbnormal amount ofdata egress to Personalemail - DLP
DataWarehouse
DWH-ALL-802-ER
Login from a rarecountry compared to theentire organization -Authentication
DataWarehouse
DWH-ALL-801-ERLogin from a rarecountry - Authentication
SNYPR Release Notes 131
New and Improved Content
Functionality Signature ID Policy Name
DataWarehouse
DWH-ALL-808-RUSuccessful passwordspraying attack from an IP -Authentication
DataWarehouse
DWH-ALL-803-LSLandspeed anomalydetected for account -Authentication
DatabaseMonitoring
DBM-ALL-811-RU
Abnormal frequency ofselect commands executedon Database -DatabaseMonitoring
DNS / DHCP DNS-010Excessive number offailed DNS zone transfers
DNS / DHCP DNS-023Excessive number ofDNS NXDOMAINresponses
DNS / DHCP DNS-024Excessive number ofDNS SERVFAIL responses
DNS / DHCP DNS-ALL-810-TA Rare dns server used
DNS / DHCP DNS-ALL-808-BPAbnormal time fordhcp lease
DNS / DHCP DNS-ALL-801-ERRDHCP request fromrare device
DNS / DHCP DNS-ALL-804-BPAbnormal number ofDHCP requests
EndpointManagement Systems
EDR-ALL-49-ER
Suspicious ProcessActivity - PotentialInjection - UnusualCrossproc Analytic
EndpointManagement Systems
EDR-ALL-28-RUPotential PhishingURL received over anemail
SNYPR Release Notes 132
New and Improved Content
Functionality Signature ID Policy Name
EndpointManagement Systems
EDR-ALL-62-ERPotential attempt tobypass UAC usingEventvwr
EndpointManagement Systems
EDR-ALL-59-RUPossible PayloadAttack Via ParameterlessRundll32 Command
EndpointManagement Systems
EDR-ALL-19-RUPotential MimikatzCommandLine Usage
EndpointManagement Systems
EDR-ALL-889-RU
Possible ReverseShell connectionestablished via Invoke-PowerShellTcpOneLinescript
EndpointManagement Systems
EDR-ALL-815-RUUse of credentialdumpers - endpointmonitoring
EndpointManagement Systems
EDR-ALL-58-ERRDP communicationinitiated from a rareprocess
EndpointManagement Systems
EDR-ALL-38-ERRare source andtarget images forCreateRemoteThread event
EndpointManagement Systems
EDR-ALL-89-RUPotential UAC bypass- CSC executing payloadfrom temp directory on host
EndpointManagement Systems
EDR-ALL-12-ERSuspicious CommandLine Arguments
EndpointManagement Systems
EDR-ALL-102-RUUse of Steganographytools to encode or decodemedia files
SNYPR Release Notes 133
New and Improved Content
Functionality Signature ID Policy Name
EndpointManagement Systems
EDR-ALL-71-BP
Possible Ransomwareinfection involving use ofstaging commands onabnormally large number ofhosts
EndpointManagement Systems
EDR-ALL-886-RU
MS Exchange unifiedmessaging service spawningpotentially suspicious childprocess
EndpointManagement Systems
EDR-ALL-81-ER
Possible WebshellActivity - Rare processspawned from Web serverworker process
EndpointManagement Systems
EDR-ALL-24-ER
Escalation ofprivilege via modificationof AppInit DLL registrydetected on host
EndpointManagement Systems
EDR-ALL-55-ERRare processcommunicating overKerberos port
EndpointManagement Systems
EDR-ALL-53-ER
PotentialSysvol-Netlogon LateralMovement - Rare fileexecuted from Netlogonshare
EndpointManagement Systems
EDR-ALL-69-BPSpike in number ofDiscovery Tactic CommandActivity For Host Analytic
EndpointManagement Systems
EDR-ALL-54-ERRare Self WorkerProcess Execution
EndpointManagement Systems
EMS-002Rare file hashdetected on the network -endpoint monitoring
SNYPR Release Notes 134
New and Improved Content
Functionality Signature ID Policy Name
EndpointManagement Systems
EMS-001Rare function used bya dll on the network -endpoint monitoring
EndpointManagement Systems
EDR-ALL-48-ERUnusual processadding a file in StartupMenu
EndpointManagement Systems
EDR-ALL-19-ERRare DLL InvocationVia Rundll32 Command
EndpointManagement Systems
EDR-ALL-26-RUPotential use ofRubeus attack tool detectedvia command line
Firewall IFW-CPS-873-BPPossible externalport scan over system ports- Firewall
Firewall IFW-JSF-874-BPPossible externalhost enumeration oversystem ports - Firewall
Firewall IFW-ALL-711-BPAbnormal number ofconnections on LDAP ports- Firewall
Firewall IFW-FTF-871-DBDNS amplification byfrequency of packets -Firewall
Firewall IFW-JPF-873-BPPossible externalport scan over system ports- Firewall
Firewall IFW-JPF-874-BPPossible externalhost enumeration oversystem ports - Firewall
Firewall IFW-JPF-871-DBDNS amplification byfrequency of packets -Firewall
SNYPR Release Notes 135
New and Improved Content
Functionality Signature ID Policy Name
Firewall IFW-CAF-807-ERRare file typedetected over firewalltraffic
Firewall IFW-CAF-873-BPPossible externalport scan over system ports
Firewall IFW-CAF-872-ERRare dns hostresolved over firewall
Firewall IFW-CPS-874-BPPossible externalhost enumeration oversystem ports - Firewall
Firewall IFW-CAF-928-DB Repeat Attack-Foreign
Firewall IFW-CAF-868-TABeaconing traffic tomalicious sites over firewall
Firewall IFW-CAF-929-RUTraffic to KnownAttacker
Firewall IFW-CAF-905-BPBrute Force Access onVPN
Firewall IFW-CAF-910-DBProbable SuccessfulBrute Force Attack on VPN
Firewall IFW-CAF-922-DB Repeat firewall drops
Firewall IFW-JSF-929-RUTraffic to KnownAttacker on firewall
Firewall IFW-JPF-929-RUTraffic to KnownAttacker on firewall
Firewall IFW-JSF-873-BPPossible externalport scan over system ports- Firewall
Firewall IFW-CAF-871-DBDNS amplification byfrequency of packets
SNYPR Release Notes 136
New and Improved Content
Functionality Signature ID Policy Name
Firewall IFW-CPS-871-DB DNS amplification by frequency of packets - Firewall
Firewall IFW-JSF-871-DB DNS amplification by frequency of packets - Firewall
Firewall IFW-CPF-873-BP Possible external port scan over system ports - Firewall
Firewall IFW-CPS-929-RU Traffic to Known Attacker on firewall
Firewall IFW-ALL-710-ERR Rare application for known protocols on network traffic - Firewall
Firewall IFW-FTF-874-BP Possible external host enumeration over system ports - Firewall
Firewall IFW-FTF-873-BP Possible external port scan over system ports - Firewall
Firewall IFW-FTF-929-RU Traffic to Known Attacker on firewall
Firewall IFW-ALL-929-RU Traffic to Known Attacker on Firewall
Firewall IFW-ALL-713-ERR Rare port used by applications on network traffic - Firewall
Firewall IFW-CPF-929-RU Traffic to Known Attacker on firewall
Firewall IFW-ALL-708-BP Abnormal number of connections on SMB or NETBIOS ports - Firewall
Firewall IFW-ALL-706-BP Abnormal number of DNS zone transfers - Firewall
Firewall IFW-ALL-714-DB Traffic to Known Attacker on Firewall
Firewall IFW-ALL-875-DB DNS Amplification by Frequency of Packets - Firewall
Firewall IFW-ALL-928-DB Multiple Exploit Types Against Single Destination - SIEM
Firewall IFW-CPF-874-BP Possible external host enumeration over system ports - Firewall
Firewall IFW-ALL-717-BP Possible host enumeration over system ports - Firewall
Firewall IFW-CAF-874-BP Possible external host enumeration over system ports
Flow FLW-ALL-872-TA Possible lateral movement over network traffic - Flow
Flow FLW-ALL-803-BP Possible port scan from internal IP - Flow
Flow FLW-ALL-861-ERR Rare application for known protocols on network traffic - Flow
IDS / IPS / UTM / Threat Detection IDS-ALL-800-BP Abnormal number of alerts observed
IDS / IPS / UTM / Threat Detection IDS-ALL-802-RU Medium severity alert observed
IDS / IPS / UTM / Threat Detection IDS-ALL-803-RU High severity alert observed
Mainframe MNF-ASO-811-BP Abnormal Number of distinct jobs on Mainframe systems
Mainframe MNF-ASO-809-ER Rare audit Journal Value for a host
Mainframe MNF-ASO-810-BP Abnormal number of mainframe audit failures from an account
Microsoft Windows WEL-ALL-967-ER Explicit login to high privileged account
Microsoft Windows WOS-317-ER Rare local account created
Microsoft Windows WOS-277-BP Abnormal number of remote logons
Microsoft Windows WOS-222-ER Rare audit log clearing on Host
Microsoft Windows WEL-ALL-711-ER Rare execution of Regsvr32 process
Microsoft Windows WOS-316-ER Rare admin group member additions by user compared to peer
Microsoft Windows WOS-221-ER Rare privileged events performed by user compared to peer
Microsoft Windows WOS-318-RU Use of credential dumpers
Microsoft Windows WOS-236-ER Rare logon type detected for an account
Microsoft Windows WEL-ALL-714-RU Potential use of MSHTA executable to download malicious payload
Microsoft Windows WOS-211-ER Rare process creation on endpoint
Microsoft Windows WEL-ALL-710-ER Rare scripting executables spawned from known processes
Microsoft Windows WOS-293-BP Abnormal number of hosts accessed - Logon Success
Microsoft Windows WOS-276-ER Rare interactive logon by service account
Microsoft Windows WEL-ALL-860-BP Password spraying attempts from an IP - Microsoft Windows
Microsoft Windows WOS-228-BP Spike in number of password resets
Microsoft Windows WOS-281-ER Rare privilege enumeration event detected
Microsoft Windows WEL-ALL-709-ER Rare usage of netview commands
Microsoft Windows WOS-240-BP Spike in administrative shares accessed
Microsoft Windows WEL-ALL-713-ER Rare child or parent process involving MSHTA executable detected
Microsoft Windows WOS-231-ER Rare regedit usage compared to peer
Microsoft Windows WOS-210-ER Detection of a new admin account
Microsoft Windows WEL-ALL-708-RU Suspicious interactions on lsass process - Potential credential dumping
Microsoft Windows WOS-229-ER Rare registry modification by account
Microsoft Windows Powershell PSH-ALL-1-RU Suspicious Powershell Activity Function - Targeted - Possible Bloodhound Attack Analytic
Microsoft Windows Powershell PSH-ALL-112-ER Rare usage of remote management tools
Microsoft Windows Powershell PSH-ALL-110-ER Rare powershell privilege misuse
Microsoft Windows Powershell PSH-ALL-113-ER Rare encoded Powershell Command
Network Security ACR-CIS-896-RU Possible audit log tampering detected - ISE
Network Security ACR-CIS-822-BP Abnormal number of password changes compared to past behavior - ISE
Network Security ACR-CIS-804-BP Abnormal number of failed authentications compared to past behavior - ISE
Network Security ACR-CIS-810-RU Detection of new admin account authentication - ISE
Network Security ACR-CIS-805-BP Abnormal number of authorization failures compared to past behavior - ISE
Network Security ACR-CIS-823-BP Abnormal number of audit file deletions - ISE
Network Security ACR-CIS-811-BP Abnormal number of failed admin authentications compared to past behavior - ISE
Network Traffic Analytics NTA-ALL-868-BP Abnormal number of files downloaded - NTA
Network Traffic Analytics NTA-ALL-833-BA Abnormal Amount of Data Emailed to Competitor - NTA
Network Traffic Analytics NTA-ALL-805-ER Rare user-agent Detected - NTA
Network Traffic Analytics NTA-ALL-843-BA Abnormal amount of data egressed to competitor domains compared to peer behavior - NTA
Network Traffic Analytics NTA-ALL-838-BP Abnormal number of files shared to Competitor Domains - NTA
Network Traffic Analytics NTA-ALL-859-BP Abnormal Number of Compressed Files Emailed - NTA
Network Traffic Analytics NTA-ALL-801-TA Rare dns host resolved - NTA
Network Traffic Analytics NTA-ALL-825-BP Abnormal Number of Emails to Personal Email - NTA
Network Traffic Analytics NTA-ALL-845-BP Abnormal number of DNS record type ANY queries observed - NTA
Network Traffic Analytics NTA-ALL-840-BA Abnormal Amount of Data Emailed to Nonbusiness Domain - NTA
Network Traffic Analytics NTA-ALL-804-BA Abnormal amount of data aggregated from FTP ports - NTA
Network Traffic Analytics NTA-ALL-814-BA Abnormal amount of files downloaded compared to past behavior - NTA
Network Traffic Analytics NTA-ALL-808-BA Abnormal amount of data uploads to external sites - NTA
Network Traffic Analytics NTA-ALL-854-BA Abnormal amount of data egressed to non-business domains compared to peer behavior - NTA
Network Traffic Analytics NTA-ALL-827-BP Abnormal Number of Source Code Emailed - NTA
Network Traffic Analytics NTA-ALL-800-BP Abnormal Number of Emails to Competitor - NTA
Network Traffic Analytics NTA-ALL-860-BP Abnormal number of files shared to Non Business domains - NTA
Network Traffic Analytics NTA-ALL-818-BP Abnormal upload attempts to distinct storage sites - NTA
Network Traffic Analytics NTA-ALL-828-BP Abnormal number of file deletions compared to past behavior - NTA
Network Traffic Analytics NTA-ALL-865-BA Abnormal amount of data transmitted from known file transfer ports - NTA
Network Traffic Analytics NTA-ALL-819-BA Abnormal amount of data uploads to storage sites - NTA
Network Traffic Analytics NTA-ALL-809-ER DHCP request from rare device - NTA
Network Traffic Analytics NTA-ALL-866-BP Abnormal number of DHCP requests - NTA
Network Traffic Analytics NTA-ALL-841-ER Account accessing a file share never accessed before - NTA
Network Traffic Analytics NTA-ALL-831-BP Abnormal number of emails sent to competitor domains compared to peer behavior - NTA
Network Traffic Analytics NTA-ALL-867-BP Abnormal Number of Email Forwards - NTA
Network Traffic Analytics NTA-ALL-851-ER Only member in the peer group to access a file share - NTA
Network Traffic Analytics NTA-ALL-846-BA Abnormal Amount of Data Emailed to Personal Email - NTA
Network Traffic Analytics NTA-ALL-857-RU Uploads to text storage websites - NTA
Network Traffic Analytics NTA-ALL-836-ER Account authenticating from rare geolocation on VPN - NTA
Network Traffic Analytics NTA-ALL-812-BP Abnormal Number of Emails to Nonbusiness Domains - NTA
Network Traffic Analytics NTA-ALL-858-BP Abnormal number of emails to non business domains compared to peer behavior - NTA
Network Traffic Analytics NTA-ALL-821-ER Rare File Share Detected - NTA
Next Generation Firewall IFW-ALL-1151-ER Account authenticating from rare geolocation on VPN - Next Gen Firewall
Next Generation Firewall NGF-760-ERR Rare port used by applications on network traffic - Next Gen Firewall
Next Generation Firewall IFW-ALL-881-RU VPN Activity from Known Malicious Addresses - Next Gen Firewall
Next Generation Firewall IFW-ALL-919-BP Remote Database Scanner - SIEM
Next Generation Firewall NGF-710 Abnormal number of DNS zone transfers - Next Gen Firewall
Next Generation Firewall IFW-ALL-805-RU Possible Account Sharing - Next Gen Firewall
Next Generation Firewall IFW-ALL-913-DB Possible Enumeration over LDAP Port - SIEM
Next Generation Firewall NGF-761-ERR Rare application for known protocols on network traffic - Next Gen Firewall
Next Generation Firewall IFW-ALL-910-RU Activity by terminated user on Firewall - SIEM
Print PRN-ALL-837-RU Unauthorized printer usage
TestCaseGroup3 TST-CDA-803-BP SxTestCase1 - Account enumeration from a host
TestCaseGroup4 TST-CDA-804-BP SxTestCase2 - Host enumeration from an account
Unix / Linux / AIX UNX-ALL-818-BP Spike in SU authentication failures - Behavior
Unix / Linux / AIX UNX-ALL-810-ER Activity towards a rare hostname never connected before
Unix / Linux / AIX UNX-ALL-815-BP Abnormal high number of login failure - Remote Address
Unix / Linux / AIX UNX-ALL-821-BP Abnormal number of SU login failures - Target user enumeration
Unix / Linux / AIX UNX-ALL-802-BP Spike In Failed SSHD Logs - Behavior
Web Proxy PXY-ALL-830-RU Beaconing Traffic to proxy anonymizing websites
Web Proxy PXY-ALL-869-RU Detection of possible proxy circumvention
Web Proxy PXY-ALL-920-TA-SIEM Beaconing traffic to known black list site
Web Proxy PXY-ALL-882-ERR-SIEM Rare teleconferencing application accessed by an account
Web Server WEB-ALL-809-ER Possible SolarWinds SUPERNOVA i18n Malicious Activity Analytic
Web Server WEB-ALL-810-RU Possible SolarWinds SUPERNOVA Auth Bypass Exploitation Analytic
Web Application Firewall IFW-ALL-729-BP High number of attack signatures across the resource
Web Application Firewall IFW-ALL-726-ERR Rare geolocation for WAF host accessed
Web Application Firewall IFW-ALL-727-ERR Rare port and protocol combination
Web Application Firewall IFW-ALL-728-BP Abnormal number of distinct attack signatures detected on a host
Web Application Firewall IFW-ALL-730-ERR Rare attack signature detected
Known Issues
The following table describes the known issues that exist in this release:
Component Summary
Analytics Service The Spotter query does not return any result when you create a policy with the Batched Analytics technique.
Analytics Service The custom-analyzer spark job fails while reading data from archive storage (HDFS).
Analytics Service Scheduling does not work for Spotter based policies.
Analytics Service When you delete datasource and activity data, the application does not delete the associated threat models.
Analytics Service The Violation Summary screen displays incorrect information for the Check Against Lookup Table policy type when the policy has Not Equal and Does Not Contain operators.
Analytics Service By default, the Violation Summary screen for AEE policies only displays 5 values irrespective of the threshold value.
Analytics Service When you upgrade to SNYPR 6.4, the risk score for a few violators might reduce to zero.
Analytics Service When you access a policy in the edit mode after upgrading to SNYPR 6.4, tier-2 checks created for a tenant are not displayed. However, this does not affect policy detection.
Hunting Service After you upgrade to SNYPR 6.4, newly ingested data may not be visible in the Search Results view from Spotter. If your data is not visible, you must manually update the Spotter Cache to view your ingested data.
Hunting Service The validation message is not displayed when the following queries are used in Spotter: index = activity and policyname not null.
Hunting Service For index = geolocation queries, the pause job icon does not display the updated status when the query is paused from Spotter > View Jobs.
Hunting Service The Eval from_unixtime function displays an incorrect date and time.
Hunting Service When you run a query with the Where operator to specify a range, the records returned are outside the specified range.
Hunting Service The Delete operator does not work for archived queries.
Hunting Service When you run a query with Stats Distinct and Filter together, the query does not display the result. However, it displays the number of matched records in SNYPR. For example: index= violation | FILTER index = riskscore and employeeid = employeeid and doctype = entity_threatmodel | STATS DISTINCT(accountname) department
Hunting Service When you export and import a Data Insight dashboard, the original exported dashboard is overwritten by the imported dashboard.
Ingestion Service When you modify the name of the RIN server, the data import stops working.
Ingestion Service There are instances where the Parser Management screen of Activity Import takes time to load.
Ingestion Service In Derived Fields, the File Name Extractor operator does not work when the value contains a special character other than a backslash or forward slash.
Ingestion Service Action Filter to enrich using Persona information fails when multiple Persona Builder actions are applied.
Ingestion Service The length of the tenant name can be up to 40 characters only.
Ingestion Service When the size of the lookup import file is more than 5 MB, the system takes a long time to preview the data in the file.
Ingestion Service The Whitelisting feature does not support comparison operators for date and time attributes during User Import.
Response Service
- You cannot have duplicate events within a single case.
- Only the initial events that were added to an incident display in the Events view within the Incident Management screen, regardless of any additional events you add.
- Only the first 1,000 events are added to an incident from Spotter.
- When the incident data expires, the incident no longer has events in it.
- The status of an incident does not display in the Graphical Analysis view within Incident Management.
Response Service The Created By field in the Incidents panel displays as Admin when an incident is created during playbook execution by a non-admin user.
Response Service When "Do you wish to stop action propagation for sub-incidents?" is enabled and an analyst updates the workflow for an incident with multiple threats, the workflow for the child incidents is updated. However, the Activity Stream of the child incidents does not record the workflow update.
Response Service The Action History button is not displayed for a policy that has auto incident enabled.
Response Service The watchlist widget displays the incorrect policy name for an entity when that entity is watchlisted in two different policies.
Response Service When you perform an action from the Other Policy tab of the Security Command Center, the screen displays the message "Action taken in progress and may take some time." When the waiting period is complete, you can perform the action again.
Response Service The system takes some time to retrieve the records based on the filter criteria specified while adding an attribute from Views > Whitelist.
Response Service For an On-Demand Incident, the Tabular view does not display properly in Incident Management when events from different datasources are added to an incident.
Response Service While assigning an incident, admin users and groups are not listed.
Response Service The Incident Management screen does not display an entity's name when the entity is white-listed and an incident is created for the entity.
Response Service When an incident is white-listed, the incident status does not update to Incident Status: Completed.
Response Service The playbook status does not display when a user runs a playbook manually.
Response Service The Take Action button is not visible on the Security Command Center when an auto incident is generated for a network address or uncorrelated account.
Response Service The HTTP status code for the Anomali playbook is not shown in the displayed message.
Response Service Correlated accounts are not included in the watchlist widget and are saved as uncorrelated accounts in View > Watchlist.
Response Service When Securonix SOAR is enabled in SNYPR and you create a threat indicator for a new policy, the Create New Threat Indicator screen displays the list of child playbooks. Additionally, the screen displays as undefined when you enable auto playbook.
Shared Service The Audit framework does not record when threat models are deleted.
Shared Service The Auditing Report's file size differs based on the file format. The file size for DOC and RTF is larger than for other formats such as PDF, CSV, and XLS.
Shared Service The Auditing screen displays an incorrect group name when entity metadata is deleted from the Job monitor.
Shared Service The scheduled categorized report jobs are not listed in the Scheduled Report Jobs screen.
Shared Service (Multi-tenant) In some scenarios, a null pointer exception error occurs when an admin user accesses Add Data modules.