SNYPR 6.4 Release Notes

Date Published: 8/12/2021


Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649


Table of Contents

Introduction 4
What's New in this Release 5
Improvements 12
Bug Fixes 22
New and Improved Content 32
  New Content 32
  Improved Content 58
  Decommissioned Content 71
Known Issues 148


Introduction

The Release Notes include the new features, improvements, bug fixes, and content updates for the SNYPR Jupiter release (6.4).

Note: You can check if your ticket is fixed in this release by referring to the Summary section. The Summary section includes a description and the customer-logged ticket number, if applicable.

Access to SNYPR 6.4

The Securonix team provides access to the SNYPR 6.4 application. You have to install the RIN application from https://downloads.securonix.com for data ingestion.

Note: For information on how to install RIN, refer to the RIN Installation Guide.


What's New in this Release

This section offers a brief summary of the following new and improved features for the SNYPR 6.4 release:

SNYPR Services | New and Improved Features

Analytics
- Content Management
- Data Dictionary
- Phishing Analyzer
- Publish Content Updates to Tenants (Multi-tenant)
- Policy Enhancements

Detection and Response
- EDR Playbook Response Actions
- Response Management
- Incident Assignee Chain
- On-Demand Incident
- Sandbox Widget

Hunting
- Live Channel
- Tabular View
- Timedifference Function

Ingestion
- Autodiscovery of Datasources
- Ingestion Improvements

Shared
- Activity Monitor
- Data Masking for Multi-Tenant

For more information about each feature, see the SNYPR 6.4 What's New Guide.


Content Management

The Content Management feature introduces the ability to seamlessly deploy and manage content maintained by the Securonix content team. This feature gives you access to the most up-to-date threat content so you can maintain the highest level of security detection.

For more details about this feature, see the Content Management section in the What's New Guide.

Data Dictionary

The Data Dictionary feature provides the ability to create your own labels for data ingested by SNYPR from datasources. These labels simplify the ingestion, analytics, and hunting processes by providing consistent and easy-to-understand labels for data.

Content developers can use these mapped labels to perform data ingestion and create policies, and security analysts can use these labels to search Spotter.

For more details about this feature, see the Data Dictionary section in the What's New Guide.

Phishing Analyzer Technique

The Phishing Analyzer detection technique allows the customer's content team and security analysts to create policies to detect phishing attacks. Using this policy, you can check email senders against comparators and detect emails pretending to be from reputable companies.

For more details about this feature, see the Phishing Analyzer section in the What's New Guide.


Publish Content Updates to Tenants

A new capability has been added that allows detection engineers to publish parser and enrichment changes to other tenants instantly. This capability provides scalability and saves detection engineers time by avoiding manual updates for each tenant.

For more details about this feature, see the Publish Content Updates to Tenants section in the What's New Guide.

Policy Enhancements

The release includes the following key enhancements to analytics:

- Policy Labels: Includes the capability to tag policies so that security analysts can build reports, create dashboards, and search violations using specific labels.
- Risk Score Aggregation for all Entities: Provides aggregate risk scores for all entities so that security analysts can have a unified view and a better risk profile for each entity.

For more details about this feature, see the Policy Enhancements section in the What's New Guide.

EDR Playbook Response Actions

CrowdStrike playbook response actions are now offered as part of the SNYPR native response actions. The CrowdStrike and Cylance playbook response actions are configured and run from the SNYPR user interface for single or multiple Remote Ingestion Nodes (RINs).

For more details about this feature, see the CrowdStrike Playbook Response Actions section in the What's New Guide.


Response Management

The Response Management feature provides a new, centralized user interface (UI) to configure third-party automated response connections and manage playbook access per tenant. In addition to the new centralized UI configurations, administrators have the flexibility to manage separate connections for each tenant, while isolating playbooks per tenant.

For more details about this feature, see the Response Management section in the What's New Guide.

Incident Assignee Chain

The Incident Assignee Chain controls incident visibility across specific users. Only users listed on the Incident Assignee Chain have access to discuss, contribute, coordinate, and download incident information. This is especially helpful for larger enterprises and multi-tenant deployments that manage multiple incidents across different teams.

For more details about this feature, see the Incident Assignee Chain section in the What's New Guide.

On-Demand Incident

The On-Demand Incident feature allows analysts and threat hunters to create new incidents and add context around those incidents from various locations in the SNYPR UI. Analysts and threat hunters can now create a new incident using a new global UI icon, add events to new or existing incidents from the Spotter Search Results view, and manage activity from the Incident Management dashboard to better manage emerging threats that might previously have gone unnoticed.

For more details about this feature, see the On-Demand Incident section in the What's New Guide.


Sandbox Widget

The Sandbox widget enables security analysts to test policy violations in an isolated environment to identify issues before making them public. With the ability to run threat models in Sandbox at scale, the Sandbox widget significantly reduces alert noise, improving detection time and enabling more focus for analysts.

For more details about this feature, see the Sandbox Widget section in the What's New Guide.

Live Channel

Live Channel is a new detection mechanism that enables search and detection of new threats, and provides the ability to search via regex across data sources and channels.

For more details about this feature, see the Live Channel section in the What's New Guide.

Tabular View

Tabular View provides an easy-to-use UI for arranging and viewing event attributes, improving investigation and search efficiency.

For more details about this feature, see the Tabular View section in the What's New Guide.

Timedifference Function

The Timedifference function calculates the difference between two time fields in a human-readable format. With this new feature, you simply provide two time fields in Spotter, and the Timedifference function calculates and returns the result as a time value.

For more details about this feature, see the Timedifference section in the What's New Guide.


Autodiscovery of Datasources

SNYPR 6.4 provides auto-discovery of syslog-based datasources that simplifies and automates the onboarding process. This new workflow improves the time to value for onboarding datasources. Once you have configured your datasource to send events to the RIN, SNYPR discovers those events and suggests a parser for them.

For more details about this feature, see the Ingestion 2.0 section in the What's New Guide.

Ingestion Improvements

The release includes the following key enhancements to ingestion:

- Improved Activity Import: Provides an improved and intuitive user interface (UI). The new visual layout of Activity Import consists of an updated color palette, grid view, font, and information design.
- Simplified Lookup Table Management for Multi-Tenant: Allows content developers to create a single policy that can be applied to all tenants without the need to duplicate the policy and customize it for each tenant.

For more details on other improvements, see the Ingestion Improvements section in the What's New Guide.

Activity Monitor

The Activity Monitor tool provides a crucial, real-time view of events ingested by SNYPR. Administrators can see ingestion trends by datasource to identify sudden increases in the number of events or ingestion delays.

For more details on other improvements, see the Activity Monitor section in the What's New Guide.


Data Masking for Multi-Tenant

The Data Masking feature allows MSSPs to secure Personally Identifiable Information (PII) for users and entities. You can mask all activity account names, IP addresses, resource names, and event attributes for all datasources available for a tenant.

For more details on other improvements, see the Activity Monitor section in the What's New Guide.


Improvements

The following table describes the improvements that were made in this release:

Note: An INC number represents a ticket that was previously logged by a customer and is now improved in the current release.

Component | Summary
Activity Import | Improved the performance of data enrichment for event categorization.
Algorithm | Implemented a new Domain Generation Algorithm (DGA) algorithm.
Analytics | Added support for static baselines and daily threshold to Enumeration Behavior and Volume Spike Behavior.
Analytics | Added a new analytic technique called Phishing Analyzer.
Analytics | Included a list of enabled or disabled policies and threats for policies. (INC-223929)
Analytics | Updated the default values for the BEACONING_DELETE_CONFIG configuration.
Analytics | Improved the Landspeed analytics to increase the accuracy of detection.
Analytics | Optimized the policy deletion process.
Analytics | Added additional criteria for threat intelligence checks.
Analytics | Added an option to filter policies based on the policy category from the Policy Management screen.
Analytics | Updated the Policy Name field to include square brackets. (INC-228027)
Analytics | Enhanced the Threat Model screen to allow users to add violators to an active list.


Analytics | Improved the Behavior Profile screen by:
  - Adding a search box to search behavior profiles.
  - Displaying the profile names in alphabetical order.
Analytics | Added the ability to provide labels for policies. These labels allow analysts to build reports, dashboards, and search violations using specific labels.
Analytics | Added a warning message to alert users when any violation entity attribute (accountname, resourcename, ipaddress) is not mapped. The risk scores are not calculated correctly when violation entities are not mapped.
Analytics | Added the ability to provide aggregate risk scores for a machine (resource) across datasources.
Analytics | Improved the tooltip message for Violation Entity on the Policy Violations screen.
Analytics | Improved Event Attributes on the Create a Rule screen to display attributes alphabetically.
Analytics | Added data validation to check for special characters in attributes to fix an error that occurs while configuring violations.
Analytics | Added a description for the Amount of Data field for creating AEE-based policies.
Analytics | Improved user experience by sorting the values for the Edit filter dropdown in the Policy Configuration screen.
Analytics for Multi-Tenant | Enabled threat models for all tenants. (INC-229117)
Analytics for Multi-Tenant | Added an option to select tenants for functionality-based policies.
Auditing | Enhanced auditing to include SAML assertion fields in auditing logs when a user logs in using SAML.


Authentication | Added a check to restrict users from using any of the last five passwords as the new password.
Authentication/Access Control | Implemented checks to validate the email addresses of users and groups.
Authorization/RBAC | Added the ability to restrict an analyst's access to Users or TPI Spotter indexes based on tenant or user.
Authorization/RBAC for Multi-Tenant | Improved the Available Tenant filtering on the Security Command Center to only display information for the selected tenant.
Authorization/RBAC for Multi-Tenant | Restricted the group view by tenant. (INC-229347)
Authentication/Single Sign-On (SSO) | Added two new flags in the SAML Assertion for the following scenarios:
  - New users logging in to the SNYPR application for the first time: Assign the default group when the group information is not in the SAML assertion.
  - Existing users logging in to the SNYPR application: Retain the group already assigned to the user. For example, if a user is a member of any group other than the default group, the group information will not change. (INC-229021)
Authentication/SSO | Added a message to indicate that the user has successfully logged off from the SNYPR application. (INC-226076)
Authentication/SSO | Included an option to set the time period after which the SNYPR application logs off the user automatically. This option must be set to automatically log off the user after the specified time period. (INC-223283)
Authentication/SSO | Included an option to set the number of concurrent SNYPR sessions a user can have. (INC-226779)
Authentication/SSO | Included a check for users to change their temporary passwords when they log in to SNYPR for the first time.


Authentication/SSO | Implemented user authorization using SAML/Single Sign-On (SSO) when SSO is enabled.
Authentication/SSO | Added support for NTLM authentication for SMTP.
Automated Response | Added an error message to the Connection Type drop-down that displays when a connection already exists for a particular connection type for a tenant.
Behavior/Activity Outlier | Improved the clustering algorithm and performance for peer behavior and all account behavior policies.
Case Management | Added a Violation Summary tab to the Incident Management screen that includes a Threat Model violation view by stages and a list of policies.
Case Management/Incident Management | Improved the alert email to include a link to access the incident once the incident is created.
Connector | Updated the AWS SQS S3 connector to send data from multiple accounts to a single account.
Connector | Updated the parsing technique for the Azure Storage connector.
Connector | Improved the AWS CloudWatch connector to support authentication for cross-account access to CloudWatch resources.
Connector | Updated the AWS GuardDuty connector to support authentication for cross-account access to GuardDuty detectors.
Connector | Added functionality to support the ingestion of raw event data for the CrowdStrike Falcon Data Replicator module.
Connectors | Enhanced the Proofpoint connector to extract file extensions separately.


Data Import | Enhanced the conditional enrichment process to support Classless Inter-Domain Routing (CIDR) ranges.
Encryption/Masking | Improved the GDPR unmasking approval workflow:
  - Sec_users in different sec_groups can belong to a single-step or zero-step unmasking workflow.
  - Workflows are configured according to the roles assigned to sec_groups.
Event Enrichment | Added a new Spark job called Pipeline Orchestration that prioritizes event data collections and manages congestion during the ingestion process.
Event Parsing | Added a Windows XML parser to parse native Windows data in XML format.
Incident Management | Added a table view on the Incident Management screen that displays contextual information about all the events that are added to an existing case from Spotter.
Incident Management | Improved the archival/data retention policy in Incident Management to ensure that events attached from Spotter remain available during investigation, even if the data is archived or deleted.
Incident Management | Added an option to edit the criticality of an incident.
Incident Management | Modified the location of the Playbook button for better user experience.
Incident Management | Added functionality to run playbooks from the Incident Management screen.
Incident Management | Improved user experience by adding a notification message at the top of the screen.
Ingestion | Improved parsing for CrowdStrike.
Ingestion | Improved parsing for Microsoft O365 Azure.


Ingestion | Modified the Activity Import screen to use the Data Dictionary feature.
Ingestion | Enhanced SNYPR to manage multiple RINs from the SNYPR user interface.
Ingestion - Activity Import | Added the ability for users to assign custom names to action filters.
Ingestion - Events | Improved the lookup data import process from AWS S3 to support filtering by the folder path available in AWS S3.
Ingestion - Geolocation | Improved the geolocation import by adding enrichment for destination address and source address attributes.
Ingestion - Geolocation | Improved the geolocation import by supporting enrichment of IPv6 addresses with geolocation details. (INC-235616)
Ingestion - Third-Party Intelligence | Added an option to concatenate two or more attributes that are separated by a delimiter into one field.
Ingestion - TPI | Improved the enrichment process for activity data by including the context for hash, URL, IP, vulnerability, and hash type attributes for Recorded Future TPI. (INC-229276)
Lookup Data | Added RBAC controls for individual Watchlists and Lookup tables.
Notification Framework | Improved the Notification module so that analysts can filter notifications by type, date range, or both. Role-based access control makes it easy for an analyst to configure the notifications they can see by default.
Notification Framework | Implemented an option to send notification emails to end users using the REST API.


Policy Configuration | Improved the user experience by displaying the number of times a particular condition is added for Risk Boosters while creating a policy.
Policy Configuration | Added a new option to view all enabled and disabled policies in the Policy Management screen.
Policy Configuration | Added a check to remove white space before and after the policy name. (CLOUD-2112)
Policy Engine | Enhanced the policy creation process for functionalities by allowing users to create policies that can apply to multiple functionalities.
Policy Engine | Added an option for users to save and commit the policy to the content repository from the Policy Creation screen.
Policy Engine | Improved the performance of the policy engine.
Policy Engine | Added a warning note when the account name is blank while creating a policy.
Policy Engine | Added the Check Against Named List option to create a new rule by checking values against named lists.
Reporting | Added the ability to email a Data Insights dashboard as a report.
Reporting | Added the ability to sort on the DateTime field for the TABLE operator.
Reporting | Created a new report template with predefined attributes selected by default.
Reporting Framework/Spotter Console | Added the ability to quickly select attributes in the Run Spotter Report view of Spotter to reduce the time spent on exporting data from Spotter or creating reports.
Response/Notification | Added functionality to integrate with Cherwell.
Response Orchestration | Enhanced integration with ServiceNow by adding more metadata during incident creation (threat indicator and category).


Response Orchestration | Modified the connector to integrate with a Phantom multi-tenant environment for case management. (INC-212561)
Response Orchestration | Added playbook information for an incident in Action History for added context.
Response Orchestration/SOAR | Added the ability to enable/disable the visibility of the playbook action button according to the role provided to the user.
Response Orchestration/SOAR | Added the ability for users to select one or multiple RINs while taking response actions for a playbook.
Response Orchestration/SOAR | Removed the ability to configure ingesters for RSA playbooks on the Policy Violations and Threat Modeler screens, as RSA playbooks are not supported.
REST API | Improved the Watchlist REST API:
  - The listWatchlist web service now provides the name and count of entities in a Watchlist.
  - Each Watchlist name includes a list of existing entities in that Watchlist.
  - When given a list of entities, a list is returned stating which Watchlist each entity belongs to.
  - The Check if an entity exists in a watchlist web service now accepts watchlistname as an optional parameter.
  - The Add entity to a single watchlist web service now allows you to add up to five entities per API call.
  By default, entities in a Watchlist are sorted by the day the entity was created.
REST API | Added the ability to pull activity information from cases in Incident Management.


REST API | Added information on the parent case for REST APIs within the Incident Management category.
REST API | Improved the platform security by implementing:
  - Token-based authentication for all web services.
  - Session timeout for web services after a user-specified time period.
REST API for Multi-Tenant | Improved Incident Management REST APIs to include the tenant name when querying SNYPR for activity and violations. If the user has not specified the tenant name, the REST API retrieves information only for the tenant the user has access to.
RIN | Improved the RIN installation process by providing a silent installer and a prerequisite validation framework.
RIN | Improved the RIN monitoring capabilities to provide alerts for disk usage and certificate expiration.
Role-based Access Control | The ability to enable or disable policies can be controlled by a new role privilege.
Security Command Center | Added the ability to launch Spotter for top violators from Entity Data in SCC.
Security Command Center | Improved the calculation of risk score by consolidating anomalies for the Resource and IP address entity types, regardless of which data feed generates the anomaly.
Security Command Center/Views | Added filter and sort functionalities for custom widgets created using SNYPR.
Spotter | Added the OrderBy filter to sort the Spotter search results.
Spotter | Improved the performance of the IN and NOT IN queries when there are more than 10 values for a parameter.


Spotter | Added a message on the Search Results view of Spotter to inform users that the results are not ordered by eventtime when a query is executed for an archival event.
Spotter | Improved the WHERE operator to filter based on range, aggregation, and fields created at the time of search.
Spotter | Added the option to select all or multiple attributes at once when you export Spotter results, rather than individually selecting the attributes you want to be included in your Spotter report.
Spotter | Improved the Spotter search to query archived data using resource group, resource type, or rg_functionality. In addition, the Spotter search uses the tenant name to query archived data for a multi-tenant deployment.
Third-Party Intelligence | Added the ability to perform TPI enrichment on multiple attributes from the same event.
Third-Party Intelligence | Added the ability to import TPI data from the RIN file.
Threat Modeler | Added a "Do you want to generate incident for threat model violators?" toggle on the Threat Model screen.
User Preferences | Added the ability to sort by the Enabled column when searching for a threat model.
Workflow | Added an option to whitelist while creating a new workflow.


Bug Fixes

The following table describes the bug fixes that are included in this release:

Component | Summary
Activity Import | Fixed the Sync Content button on the last step of the Activity Import screen to properly sync information.
Activity Import | Fixed an issue on the last step of the Activity Import screen so that policies save when the Save Template button is clicked.
Activity Import | Fixed the naming convention for the correlation rule to ensure the rule name remains the same when the user has not edited the rule. (INC-228743)
Activity Import | Fixed an issue so that correct values are generated for the lookup and watchlist action filters during Activity Import.
Analytics | Fixed the issue to automatically delete incidents when corresponding violations are deleted. (INC-212318)
Analytics | Fixed an issue where policies were not getting created when the Response Bot was enabled.
Analytics | Fixed an issue for TPI-based policies where the violation summary attributes displayed blank values.
Analytics | Fixed the DGA algorithm to correctly calculate the prediction score.
Analytics | Fixed an issue where the violation events query was removing double spacing from a policy name, resulting in an incorrect query.
Analytics | Fixed the last step of Activity Import to allow users to enable or disable policies. (INC-229409)
Analytics | Fixed an issue where users were unable to delete threat models.


Analytics | Fixed the Create New Watchlist screen to display only one drop-down list for the Watch List Criticality and Select Tenant fields.
Analytics | Fixed an issue where the check against TPI was not flagging violations.
Analytics for Multi-tenant | Fixed the Check Against TPI (Third Party Intelligence) policy to flag the correct violators from the same tenant.
Analytics | Fixed an issue where the check against lookup did not flag event rarity policies.
Analytics | Fixed an issue where the conditions for filtering criteria were not displaying on the UI.
Analytics | Fixed an issue so that Risk Boosters are saved for a policy. (INC-229089)
Analytics | Fixed an issue so that users can whitelist accounts. (INC-229114)
Analytics | Fixed the violation summary to display the correct number of violations. (INC-229046)
Analytics | Fixed the loading issue for the policy screen.
Analytics | Fixed an issue where the violation summary used default values for any out-of-the-box policies.
Analytics | Fixed an issue with policy configurations where a condition was created even though no conditions were provided.
Analytics | Fixed the issue of violations not displaying in the Top Violations widget. (INC-228867)
Analytics | Fixed the UI to choose a single RIN as a default (from a list of multiple RINs) for a policy so that the auto-playbook actions for a Threat Model can be enabled and used.


Analytics | Fixed the Activity Import Summary screen to display policies with multiple functionalities.
Analytics | Fixed an issue so that a validation message is displayed when a normal category is added with the Sandbox category.
Analytics | Fixed an issue so that the correct risk score is calculated for phishing-based policies.
Analytics | Fixed the Cluster Information section so that it displays the correct text message.
Analytics | Fixed an issue so that all threat model stages are deleted when a user deletes the last configured stage.
Analytics | Fixed the Threat Model for Threat screen so that it displays selected watchlists under Add watchlist Filter.
Analytics | Improved performance for threshold detection use cases.
Analytics | Fixed an issue where new policies were disabled by default while onboarding.
Analytics | Fixed Role Based Access Control (RBAC) to show the correct threat models on the Activity Import screen.
Analytics | Fixed an issue so that the correct count of enabled and disabled threat models is displayed when RBAC is applied for threat models.
Analytics | Fixed the Send Notification toggle button of the Policy Configuration screen. (INC-235266)
Analytics | Fixed an issue so that filter criteria conditions are saved while editing IEE policies.
Analytics | Fixed Views > Users to display behavior profiles.
Analytics | Fixed an issue so that threat models are saved correctly.
Analytics | Fixed an issue where the Check Against Lookup Table did not flag event rarity policies.


Analytics Service/Response Service | Fixed the Edit Threat Indicator pop-up accessed from Policy Violations and Threat Model to display tenants and playbooks based on the Role Based Access Control (RBAC) of the analyst.
Analytics/Hunting | Fixed the "Do you want to re-calculate entity score based on Sandbox violations" toggle to include a validation message when set to NO. This message informs the user that the violations and incidents associated with the policy will be removed.
Analytics/Hunting | Fixed the parameter for URL Visited by Visitors. (INC-228706)
Analytics/Spotter | Fixed an issue so that the violation events query returns the correct results for policies with double spaces. (INC-229409)
Auditing | Fixed the Token Generated audit message.
Authorization/RBAC | Fixed the Password Change Required setting so that when it is enabled, the application requires users to change their passwords when they log in for the first time.
Authorization/RBAC | Fixed the Access Control screen to display the Minimum Reuse Count setting for passwords.
Authorization/RBAC | Fixed an issue so that the Kill Chain Analysis widget displays all violations when the Show only Correlated Data flag is enabled in Granular Access Control.
Authentication/SSO | Fixed an issue where the context file did not save the login URL when you enter the Single Sign On login details from the Application Settings screen.
Behavior/Activity Outliers | Fixed an issue to display the correct baseline graph for historical violations.
Behavior/Activity Outliers | Fixed the behavior-based policies to display outlier and violation events in the same time zone.

SNYPR Release Notes 25

Page 26: SNYPR 6.4 Release Notes

Bug Fixes

Component Summary

Case ManagementFixed the status of an On-Demand Incident to display in the

Incidents by Status graph within Incident Management.

Case

Management/Security

Command Center

Fixed Activity Stream on the Security Command Center to

display only the incidents that are assigned to the logged in

analyst.

Data InsightsFixed the Data Insights drop-down option to fully display whenyou save a Spotter query as dashboard.

Data InsightsFixed an issue with the Data Insights dashboard when tenant

access is revoked from a non-admin user.

Incident Management

Fixed an issue on the Security Command Center that caused

incident IDs to not populate when incidents were created

through Auto Incident.

Incident ManagementFixed an issue during workflow creation that caused the

Show input form toggle to only be set to enabled.

Ingestion - EntityMetadata

Fixed the Job Monitor screen to display the number of recordsingested during entity metadata import using database.

Ingestion - SaveTemplate

Fixed the Save Template feature to publish changes made in

action filter.

Lookup TableFixed the preview of the look up table for AWS S3. (INC-230847)

Multi-Tenant - SettingsIncreased the length of the Customer ID field accessed fromAdmin > Settings > Hadoop.

Multi-Tenant - ThreatModeller

Added an option to assign tenant while importing threat models.

Policy Configuration Fixed the cloning issue of Sandbox policies.

Policy EngineFixed an issue to allow users to add policy violators to an

active list.

SNYPR Release Notes 26

Page 27: SNYPR 6.4 Release Notes

Bug Fixes

Component Summary

Policy EngineFixed the graph for rare behavior policy to display correct

information from Views > Users.

Policy EngineFixed an issue that caused the signatureid to replicate when

a use case was cloned.

Policy EngineFixed the Policy Category drop-down list to display the correctcategories.

Policy Engine Fixed the data deletion feature for the event rarity policy.

Policy EngineResolved an issue to display the correct TPI source name in theViolation Summary screen.

Policy EngineRemoved the extra icon for the rare behavior policies from theViolation Summary screen.

Policy EngineRemoved the Would you like to Aggregate Risk Score on EachRun? flag from the default identitypolicies packaged with the SNYPR application.

Policy Engine Fixed the traffic analyzer job for the event rarity policy.

Policy EngineResolved an issue where NULL conditions are saved for IEEpolicies.

Policy EngineRemoved unused operators such as greater than and less thanfrom the risk booster lookup table.

Policy Engine The account name for the lookup table is no longer duplicated.

Policy Engine The SCC screen displays the correct date for watchlists.

Policy Engine

When the Sandbox policy is published to production and the

recalculate risk score is set to no, the corresponding

incidents are deleted.

Policy EngineResolved an issue to display the Move to Production option forall Sandbox policies.

Policy EngineFixed the message to display the time when auto run is enabledfor a playbook.

SNYPR Release Notes 27

Page 28: SNYPR 6.4 Release Notes

Bug Fixes

Component Summary

Policy Engine/Behaviorand Activity Outlier

Fixed the user screen to display behavior profiles when a userwith non-admin rights accesses the SNYPR application.

Policy Violation

Notifications

Fixed an issue where Landspeed violations were not saving

violation information as expected.

ReportsFixed the header and footer of the KPI, SOC, Top Violator, andIncident reports to display the correct date and time.

REST APIFixed an issue where the Threat Model details were not

displaying in the reason section of the GET response.

Response OrchestrationFixed an issue so that playbooks are executed correctly for

threat models.

Response Orchestration Updated the payload format for Demisto.

RINThe Remote Ingester works as expected when the proxy isconfigured to communicate with SNYPR console. (INC 230017)

Security Command

Center

Fixed a user interface issue in the Top Violators widget that

caused text to appear close together when the policy name

was too long.

Security Command

Center

Fixed an issue on the Security Command Center that caused

violations to not load on the Violation Summary screen for a

policy or threat.

Security Command

Center

Fixed an issue on the Violation Summary screen that caused

icons to display inconsistently.

Security CommandCenter

Fixed the search filter for the Top Violator widget in theViolation Summary screen.

Security CommandCenter

Fixed an issue so that the incident number and Take Actionbutton for auto created incidents are now visible.

Spotter

Fixed an issue in the Search Results view of Spotter that

caused no returned results when the STATS query was used.

(INC-238031)

SNYPR Release Notes 28

Page 29: SNYPR 6.4 Release Notes

Bug Fixes

Component Summary

SpotterFixed an issue for queries with not equal to (!=) and

parenthesis. (INC-229647)

Spotter

Fixed an issue to ensure that violation events query returns

the correct results for policies with double spaces. (INC-

229538)

Spotter

Fixed Spotter to run the queries successfully when there are

more than 27 values with the NOT IN operator. (INC-

212549)

Spotter

Fixed an issue in Spotter that caused the Search Results to

fail when the ORDERBY operator was used with any visual

operator, such as charts and graphs.

Spotter

Fixed in issue that caused the following ORDERBY queries to

run, even though they are not supported:

l Geolink

l Geomap

l Heatmap

l timechart

SpotterFixed the Show Raw Events option in Spotter to display thecorrect value when raw events are retrieved by the query.

SpotterFixed an issue that caused queries with a wild card to only workwith the activity and violation index.

SpotterFixed the total record count beside the page navigation when aquery is run for an archived datasource and a time period isselected from the timeline.

SpotterFixed the Producer - Consumer Ratio (PCR) operator to work asexpected.

SNYPR Release Notes 29

Page 30: SNYPR 6.4 Release Notes

Bug Fixes

Component Summary

Spotter

Fixed an issue that caused SNYPR to not send an email when

you export the CSV report with more than 70,000 records in

Spotter.

SpotterFixed the Data Insight report to display correct data when youselect a filter for any widget and generate the report.

SpotterFixed the total record count when a Spotter query is run withaggregation operators (such as stats and table) and when a usernavigates between pages.

Spotter

Fixed an issue where the CONTAINS and NOT CONTAINS

operators were not working on raw event attributes when

the raw event indexing was enabled. (INC-229689 )

Threat Hunting

Fixed an issue in the Search Results view of Spotter that

caused the search results to fail when quotation marks were

not present in the index = archive query.

Threat HuntingFixed an issue that caused the SNYPR application to only be

accessible when the Tomcat application server was restarted.

Threat Hunting

Fixed an issue in the configuration settings for Data Insights

that prevented the widget from loading when the REX

operator was used in a custom query.

Threat ManagementFixed an issue to display the Action History for policies andthreat models when the violator is a user.

Threat ModelerFixed an issue so that users can enable the Add WatchlistFilters setting from the Threat Modeler screen.

Threat ModelerFixed an issue with the exponential risk scoring scheme todisplay a message when the weight value is set to zero.

Watchlist Fixed the edit functionality to edit the watchlist name correctly.

WhitelistFixed an issue so that the global whitelisted entities can not beflagged by any policy.

SNYPR Release Notes 30

Page 31: SNYPR 6.4 Release Notes

Bug Fixes

Component Summary

WhitelistFixed an issue that caused a default expiry date to display

when the Expiry Date setting was disabled. (INC-229079)

WhitelistFixed the search filter to display the whitelist correctly inViews > Whitelist.

WhitelistFixed an issue to recalculate the risk score when an entity isglobally whitelisted.


New and Improved Content

SNYPR 6.4 includes new and updated content. This section includes the following information:

- New Content

- Improved Content

- Decommissioned Content

New Content

This section contains all the new parsers, connectors, and threat detection content included in this release.

New Connectors and Parsers

The following table contains the connectors and parsers that were added in this release:

Vendor | Functionality | Device Type | Collection Method | Format
ActivIdentity / HID Global | Physical Security / Badging | ActivIdentity HID Global | Syslog | JSON
Amazon Inc | Cloud Services / Applications | AWS CloudTrail | awssqss3 | JSON
Amazon Inc | Cloud Services / Applications | AWS Cloudwatch | awssqss3 | REGEX
Anaplan | Cloud Application Audit | Anaplan Audit | anaplan | JSON
Atlassian Corporation Plc | IT Service Management | Jira | Jira | JSON
Bitglass | Cloud Application Security Broker | Bitglass CASB - Admin | bitglass | JSON
Bitglass | Cloud Application Security Broker | Bitglass CASB - Access | bitglass | JSON
Bitglass | Cloud Application Security Broker | Bitglass CASB Audit | bitglass | JSON
Brivo | Physical Security / Badging | Brivo OnAir - Access | brivoonair | JSON
Carbon Black, Inc | Endpoint Management Systems | Carbon Black Defense - V2 | carbonblack | JSON
Carbon Black, Inc | Endpoint Management Systems | Carbon Black Defence - Alert | carbonblack | JSON
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine - ISE | ciscoise | Key Value Pair
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine | ciscoise | Key Value Pair
Cloudflare | Firewall | Cloudflare | cloudflarefirewall | JSON
CloudKnox | Access / Identity Management | CloudKnox Alerts | cloudknox | JSON
CloudKnox | Access / Privileged User | CloudKnox Activities | cloudknox | JSON
Code 42 | Data Loss Prevention / Endpoint DLP | Code 42 - File Events | code42 | JSON
Google | Cloud Application Security Broker | Google GCP | googlereport2 | JSON
Google | Identity Access Management | Users Accounts | googlereport2 | JSON
Google | Business Collaboration Platforms | Google Chat | googlereport2 | JSON
Google | Authentication / SSO / Single Sign-On | Google Token | googlereport2 | JSON
Google | Access / Privileged User | Access Transparency | googlereport2 | JSON
Google | Mobile Device Management | Google Mobile | googlereport2 | JSON
Google | Business Collaboration Platforms | Google Calendar | googlereport2 | JSON
Google | Access / Identity Management | Google Groups Enterprise | googlereport2 | JSON
Google | Access / Identity Management | Google Groups | googlereport2 | JSON
Google | Business Collaboration Platforms | Google G-Plus | googlereport2 | JSON
Google | Cloud Authentication / SSO / Single Sign-On | Google SAML | googlereport2 | JSON
Google | Data Loss Prevention / Network DLP | Google rules | googlereport2 | JSON
Informatica | Authentication / SSO / Single Sign-On | Informatica Authentication | informatica | JSON
Microsoft Corporation | Cloud Services / Applications | Azure Active Directory Sign In | azurereport | Key Value Pair
OS Query | Endpoint Management Systems | OS Query Logs | Syslog | JSON
Pager Duty | IT Infrastructure Monitoring | Pager Duty | pagerdutyincidents | JSON
Palo Alto Networks | Prisma Cloud Security | Prisma Access | prismacloud | JSON
Proofpoint Inc. | Email / Email Security | Proofpoint TRAP | proofpointtrap | JSON
Proofpoint Inc. | Cloud Email / Email Security | Proofpoint Email Isolation | proofpointisolation | JSON
Proofpoint Inc. | Application Audit | Proofpoint Security Awareness Training | proofpointsat | JSON
SecurityScorecard, Inc. | Security Analytics Platform | SecurityScorecard - Company Grade | securityscorecard | JSON
SecurityScorecard, Inc. | Security Analytics Platform | SecurityScorecard - Company risk category score | securityscorecard | JSON
Symantec / Blue Coat Systems | Web Proxy | Web Security Service | symantecwss | REGEX
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | symantecendpoint | JSON
Tenable | Vulnerability Scanners | Tenable Response | tenable | JSON
Threat Stack | Cloud IPS / IDS / UTM / Threat Detection | Threat Stack - Alerts | threadstack | JSON
Trend Micro Inc. | Data Loss Prevention / Endpoint DLP | TrendMicro Security Risk | trendmicrocas | JSON
Workday Inc. | Cloud Authentication / SSO / Single Sign-On | Work Account Sign-on | workdayidentitymanagement | JSON
Workday Inc. | Cloud Authentication / SSO / Single Sign-On | Unidentified Sign-on | workdayidentitymanagement | JSON
Workday Inc. | Access / Identity Management | Workday Audit | workday | Key Value Pair


New Threat Detection Content

The following table contains the threat detection content that was added in this release:

Functionality | Signature ID | Policy Name
Access / Identity Management | ACI-ALL-800-ERR | User changing Job detection
Access / Identity Management | ACI-ALL-801-BP | Abnormal number of inactivate Organization activity
Access / Identity Management | ACI-ALL-802-ERR | Business Process definition Edited
Access / Identity Management | ACI-ALL-803-ERR | Rare User assigning roles
Access / Identity Management | ACI-ALL-804-PO | Rare User assigning roles compared to peers
Access / Identity Management | ACI-ALL-805-ERR | Rare user assigning user-based security groups for person
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-747-TA | Successful logon of admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-RU | Successful login following a spike in failed logins for an Admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-752-LS | Landspeed anomaly detected for an account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-BP | Abnormal number of failed logons from Admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-745-TA | Successful logon detected for a Non-admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-848-BP | Abnormal number of logon failures from Non-admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-751-DB | Account logging in from multiple countries in a day
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-755-ERR | Rare application accessing SalesForceCom API
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-886-BP | Abnormal number of login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-887-BP | Abnormal number of Admin Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-888-DB | Password spraying attempt from an IP on multiple accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-789-TA | Robotic pattern observed from an IP - failed login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-790-ERR | Successful logon detected from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-792-ERR | Successful logon detected from for an admin account in a rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-893-LS | Landspeed anomaly detected for an admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-794-RU | User changing email to non-business email
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-795-DB | Recently activated account deactivated within a short duration of time
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-726-BP | Abnormal number of Account Lockout events
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-723-TA | Robotic pattern observed - failed login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-847-BA | Abnormal volume of file downloads from Salesforce
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-727-ERR | Rare User Agent Used For Log In
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-725-ER | Authentication from rare geolocation
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-748-BA | Abnormal volume of data egressed using REST API requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-728-BP | Possible User Enumeration Observed from an IP Address
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-724-DB-SIEM | High number of failed login attempts - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-749-BA | Abnormal volume of data egressed via Visualforce requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-734-BP | Anomalous number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-DB | Large number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-722-LS | Landspeed Anomaly
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-719-DB | High Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-729-DB-SIEM | Multiple number of Failure followed by Success - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-754-BP | Abnormal number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-845-ERR | Rare user performing delegated logon
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-ERR | Installation of rare unmanaged package detected across organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-721-RU | Login as activity was observed with access of other User
Cloud Application Audit | CAAU-SF-740-RU | Account Impersonation
Cloud Application Audit | CAAU-SF-741-DB | Huge Number Of Password Change
Cloud Application Audit | CAAU-SF-738-RU | Account activated tracking policy
Cloud Application Audit | CAAU-SF-739-RU | Recently activated account de-activated within a short duration of time
Cloud Application Audit | CAAU-SF-744-RU | User changing email to personal email
Cloud Application Audit | CAAU-SF-743-RU | User changing email to non-business email
Cloud Application Audit | CAAU-SF-759-RU | User changing email to non-internal email
Cloud Application Audit | CAAU-SF-746-RU | User changing email to a disposable email address
Cloud Application Audit | CAAU-SF-792-BP | Abnormal frequency of target accounts logged in as
Cloud Application Audit | CAAU-SF-742-RU | Non admin account logging in as admin account
Cloud Application Audit | CAAU-SF-791-TA | Phone number registered for multiple users
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-852-ERR | Rare combination of Country and State observed for user authenticating to multifactor device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-808-DB | Abnormal amount of login attempt detected on Duo MFA
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-812-RU | Authentication anomaly - Country Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-811-RU | Authentication anomaly - State Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-851-ERR | Rare combination of Country and State observed for user authenticating to access device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-809-LS | Landspeed Anomaly detected
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-827-ERR | Logon from a rare country
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-853-ERR | Authentication to access device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-854-ERR | Authentication to MFA device observed from rare country for user
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-855-ERR | Authentication to MFA device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-856-RU | Successful inline enrollment on Duo by uncorrelated account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-857-ERR | User performing inline enrollment on Duo from rare country compared to entire organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-858-TA | Successful inline enrollment of multiple accounts on a single device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-859-ERR | Successful login using bypass code from rare location compared to rest of organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-860-RU | Failed authentication attempt marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-861-DB | Multiple failed Authentication attempts marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-850-RU | User enrolling from a country different from work location
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-885-BP | Password spraying attempts for one account on multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-831-RU | Successful password spraying attempt from one account to multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-776-RU | Successful login following a spike in failed logins for a Non-admin account
Endpoint Management Systems | EDR-ALL-29-ER | Potential WMI Lateral Movement - Rare process spawned
Endpoint Management Systems | EDR-ALL-161-RU | Possible Egregor Ransomware Rclone To Svchost LOL Rename Analytic
Endpoint Management Systems | EDR-ALL-162-RU | Possible Malicious Certificate Export Analytic
Endpoint Management Systems | EDR-ALL-163-RU | Possible SUNSPOT Variant Dropped Artifact Analytic
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Esentutl Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-87-RU | Potential evasion attempt through disabling of Event Trace monitoring in dotnet
Microsoft Windows Powershell | PSH-ALL-115-RU | Possible GoldenSAML Certificate Export Events Analytic
Microsoft Windows | WEL-ALL-850-DB | Possible Hexacorn-style Shellcode Execution Analytic
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Microsoft Windows Powershell | PSH-ALL-106-RU | Use of Powershell encodedcommand parameter on host
Microsoft Windows Powershell | PSH-ALL-108-RU | Use of Powershell Invoke-Expression cmdlet on host
Microsoft Windows Powershell | PSH-ALL-109-RU | Powershell Execution Policy modified on host
Microsoft Windows | WEL-ALL-905-RU | Suspicious Account Activity - Potential pass-the-hash - Key Length Analytic
Microsoft Windows | WEL-ALL-711-ER | Rare regsvr32 process and command execution
Microsoft Windows | WOS-202-BP | Abnormal number of logon failures
Microsoft Windows | WOS-290-BP | Abnormal number of kerberos pre authentication failures
Network Traffic Analytics | NTA-ALL-880-BA | Abnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics | NTA-ALL-881-BA | Abnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics | NTA-ALL-882-BA | Abnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics | NTA-ALL-883-BA | Abnormal amount of data transmitted over covert channels - NTA
Network Traffic Analytics | NTA-ALL-884-BP | Possible host enumeration over system ports - Internal - NTA
Network Traffic Analytics | NTA-ALL-885-DB | Possible host enumeration over system ports - External - NTA
Network Traffic Analytics | NTA-ALL-886-DB | Possible port scan from external IP Address - NTA
Network Traffic Analytics | NTA-ALL-887-DB | Possible port scan from internal IP Address - NTA
Web Application Firewall | IFW-ALL-820-ER | Possible LFI Detection
Web Application Firewall | IFW-ALL-821-DB | Unusual URL Redirection
Web Application Firewall | IFW-ALL-822-RU | Suspicious process Observed Over URL
Web Application Firewall | IFW-ALL-823-RU | Remote Command Execution
Web Application Firewall | IFW-ALL-824-RU | Communication to Malware OR Trojan Suspicious Port
Web Application Firewall | IFW-ALL-825-ER | Rare Content Type Observed
Web Application Firewall | IFW-ALL-826-DB | Circumvention over URL Response Code
Web Application Firewall | IFW-ALL-827-ER | Unusual web requests
Web Application Firewall | IFW-ALL-828-DB | Possible Server Outage by Multiple Request
Web Application Firewall | IFW-ALL-829-DB | Multiple Allowed Attack Detection Over Insecure HTTP Version


New Policy/Threat Content

The following table contains the policy and threat content added in this release:

Functionality | Signature ID | Policy Name
Access / Privileged User | ACP-ALL-808-ERR | Google Initiated Review - Access detected from a rare geolocation
Access / Privileged User | ACP-ALL-807-RU | Google Initiated Service Detected - Google Access Transparency
Access / Privileged User | ACP-ALL-806-RU | Customer initiated access by Google to respond to a third party data request - Google Access Transparency
Access / Privileged User | ACP-ALL-809-BP | Google Initiated Review - Account accessing multiple resources
Authentication / WiFi | AWI-AMN-802-ERR | Usage of switchport mode access detected
Authentication / WiFi | AWI-AMN-801-ERR | SSH Connection Detected from a Rare Account
Business Collaboration Platforms | BCP-ALL-802-DB | Abnormal number of files uploaded to the chat - Gsuite
Business Collaboration Platforms | BCP-ALL-801-DB | Abnormal number of files downloaded from the chat - Gsuite
Cloud Application Audit | CAAU-ALL-818-ERR | Rare account adding a new connection
Cloud Application Audit | CAAU-ALL-817-DB | Role creation followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-814-ERR | Rare account disabling audit log streaming
Cloud Application Audit | CAAU-ALL-823-ERR | Rare account updating delegated admin password
Cloud Application Audit | CAAU-ALL-813-ERR | Rare account deleting API policy
Cloud Application Audit | CAAU-ALL-820-ERR | Rare account updating pub Sub topic
Cloud Application Audit | CAAU-ALL-812-RU | Account was observed disabling multifactor authentication
Cloud Application Audit | CAAU-ALL-810-BP | Abnormal number of distinct recipes stopped by an account
Cloud Application Audit | CAAU-ALL-815-LS | Impossible Travel Alert Detected
Cloud Application Audit | CAAU-ALL-809-ERR | Login from a Rare geolocation
Cloud Application Audit | CAAU-ALL-824-ERR | Connection Disconnected by a Rare Account
Cloud Application Audit | CAAU-ALL-808-BP | Abnormal number of login failures detected
Cloud Application Audit | CAAU-ALL-816-ERR | Rare account delegating admin account access
Cloud Application Audit | CAAU-ALL-822-DB | Delegated admin addition followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-819-DB | Account deleting multiple folders within a short period
Cloud Application Audit | CAAU-ALL-821-ERR | Rare account creating pub Sub topic
Cloud Application Audit | CAAU-ALL-811-BP | Abnormal number of distinct recipe deleted by an account
Cloud Services / Applications | CSA-ALL-860-ERR | Unusual number of Key Vault operations
Cloud Services / Applications | CSA-AWS-712-DB | Recon Activity Detected on Cloud Computing Resource
Cloud Services / Applications | CSA-ALL-861-ERR | Rare country for SAML Token authentication
Cloud Services / Applications | CSA-ALL-863-ERR | Resource launched with rare Instance type or Image ID
Cloud Services / Applications | CSA-ALL-859-RU | Customer master keys Disabled or Scheduled for Deletion
Cloud Services / Applications | CSA-ALL-884-ERR | Critical Key vault Operation performed by account
Cloud Services / Applications | CSA-ALL-883-ERR | Rare account list all Cloud accounts in the region
Cloud Services / Applications | CSA-ALL-882-ERR | Rare account attempting to update role permissions
Cloud Services / Applications | CSA-ALL-864-ERR | Cloud storage accessed from Rare Geolocation
Cloud Services / Applications | CSA-ALL-865-ERR | Rare cloud storage discovery activity from Account
Cloud Services / Applications | CSA-ALL-880-ER | IAM Role deleted by rare account
Cloud Services / Applications | CSA-ALL-848-BP | Abnormal number of distinct Pods accessed - Kubernetes
Cloud Services / Applications | CSA-ALL-877-BP | Spike in denied transactions on cloud resources by account
Cloud Services / Applications | CSA-ALL-879-ERR | Rare implant or list container image by account
Cloud Services / Applications | CSA-ALL-878-ERR | Rare identity deleted cloud compute resources
Cloud Services / Applications | CSA-ALL-870-RU | SSH or RDP or DB port authorized on security group
Cloud Services / Applications | CSA-ALL-875-ERR | Rare account deleted cloud storage resources
Cloud Services / Applications | CSA-ALL-866-ERR | Rare IAM policy activity from account
Cloud Services / Applications | CSA-ALL-867-ERR | Cloud storage operation from rare Role
Cloud Services / Applications | CSA-ALL-876-ERR | Rare account creating Snapshot or Volume
Cloud Services / Applications | CSA-ALL-869-ERR | Rare account creating Security group or compute Firewall
Cloud Services / Applications | CSA-ALL-881-ER | IAM Role Created by rare account
Cloud Services / Applications | CSA-ALL-868-ERR | Rare account generating Key Pair
Cloud Services / Applications | CSA-ALL-755-RU | New Account Creation Detected
Cloud Services / Applications | CSA-ALL-871-ERR | Rare security group changes on cloud infrastructure by account
Cloud Services / Applications | CSA-ALL-872-ERR | Rare privilege escalation through IAM instance profile
Cloud Services / Applications | CSA-ALL-873-ERR | Rare Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-ALL-874-ERR | Rare Credential Harvesting Activity on Cloud Infrastructure by account
Cloud Services / Applications | CSA-ALL-862-RU | Cloud Storage observed with public access
Content Management System | CMS-ALL-831-BP | Abnormal number of files downloaded - CMS
Endpoint Management Systems | EDR-ALL-226-RU | Hijack Execution Flow msmpeng executable DLL Sideload File Creation Analytic
Endpoint Management Systems | EDR-ALL-64-ERR | Rare Unsigned DLL Load For Process Potential DLL Hijacking Side-Loading Analytic
Endpoint Management Systems | EDR-ALL-105-ERR | Possible Process Hollowing Herpaderping Rare Image Tampering Analytic
Endpoint Management Systems | EDR-ALL-221-ERR |

PossibleCVE-2021-34527Exploitation AttemptUnusual Child ProcessAnalytic

EndpointManagement Systems

EDR-ALL-114-RUPossible TEARDROPMalicious Payload VariantAnalytic

EndpointManagement Systems

EDR-ALL-179-RUPotential DarkSideShadow Copy DeletionAnalytic

EndpointManagement Systems

EDR-ALL-40-BPPossible tokenenumeration - Peak processtoken access analytic

EndpointManagement Systems

EDR-ALL-183-RUPotentialExfiltration MegaSyncProcess Analytic

EndpointManagement Systems

EDR-ALL-182-RUPotential MegaSync orMegaCmd Exfiltration DNSQuery Analytic

EndpointManagement Systems

EDR-ALL-101-BPPossible MeterpreterProcess EnumerationAnalytic

SNYPR Release Notes 52

Page 53: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

EndpointManagement Systems

EDR-ALL-01-RUDecoding PE or DLLFrom b64 Via CertutilAnalytic

EndpointManagement Systems

EDR-ALL-61-RUMalicious Named PipesAnalytic

EndpointManagement Systems

EDR-ALL-118-ERRPossible CobaltStrike Beacon NamedPipeUse Artifact Analytic

EndpointManagement Systems

EDR-ALL-42-ERRInternetExplorerApplication DLL LoadingInjection Analytic

EndpointManagement Systems

EDR-ALL-114-ERR

Possible ADFSDumpMalicious CertificateExtraction Named PipeAnalytic

EndpointManagement Systems

EDR-ALL-230-RUHijack Execution Flowmsmpeng executable DLLSideload Analytic

EndpointManagement Systems

EDR-ALL-116-RUPossible SUNBURSTImplant Activity Analytic

EndpointManagement Systems

EDR-ALL-91-ERR

Potential CLRinjection Rare combinationof Image and loaded DLLdetected for Account

EndpointManagement Systems

EDR-ALL-119-ERR

Watching the Watchers- Possible Trojaned VendorExecutable Named PipeDiscrepancy Analytic

EndpointManagement Systems

EDR-ALL-117-ERRPossible RAINDROPVariant Artifact Analytic

SNYPR Release Notes 53

Page 54: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

EndpointManagement Systems

EDR-ALL-65-ERR

Rare Signed DLL LoadFor Process Potential DLLHijacking Side LoadingAnalytic

EndpointManagement Systems

EDR-ALL-124-RUPotential Usage OfArchiving SoftwareCommand Line Analytics

EndpointManagement Systems

EDR-ALL-184-RUPotentialExfiltration MEGAcmdShellProcess Analytic

EndpointManagement Systems

EDR-ALL-115-RURule InternetExplorer Application DLLLoading Injection Analytic

IdentityAccess Management

IAM-ALL-801-DBPassword sprayingattempts from an IP

IdentityAccess Management

IAM-ALL-810-RUAdvance protectiondisabled for an account

IdentityAccess Management

IAM-ALL-811-DBAbnormal number ofpassword change attempts

IdentityAccess Management

IAM-ALL-802-RUSuccessful Passwordspraying attack from an IP

IdentityAccess Management

IAM-ALL-807-RU

Successfulauthentication following anabnormal frequency ofauthentication failures

IdentityAccess Management

IAM-ALL-806-ERRAccountauthenticating to Azure ADfrom rare country

IdentityAccess Management

IAM-ALL-809-RUAccount RecoveryInformation Changed

SNYPR Release Notes 54

Page 55: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

IdentityAccess Management

IAM-ALL-803-BPAbnormal frequency ofauthentication failures foran account

IdentityAccess Management

IAM-ALL-808-RUMulti FactorAuthentication Disabled

IdentityAccess Management

IAM-ALL-804-ERR

Accountauthenticating to Azure ADfrom rare country acrossthe organization

IdentityAccess Management

IAM-ALL-805-LSLandspeed anomalydetected on Azure AD

MicrosoftWindows

WEL-ALL-859-BPPossible remoteinteractive logonenumeration

MicrosoftWindows

WEL-ALL-862-RUPossible Zerologonattack using tools

MicrosoftWindows

WEL-ALL-13-DBTicket Encryption andTicket Options Analytic

MicrosoftWindows

WEL-ALL-221-ERR

PossibleCVE-2021-34527Exploitation AttemptUnusual Child ProcessAnalytic - Windows

MicrosoftWindows

WEL-ALL-15-BPPeak Distinct AccountChange For Source UserAnalytic

MicrosoftWindows

WEL-ALL-976-ERR

Use of explicitcredentials by a rareaccount - Account sharing orPassword misuse

MicrosoftWindows

WEL-ALL-298-ERPotential Metasploitor Hash Passing Analytic

SNYPR Release Notes 55

Page 56: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

MicrosoftWindows

WEL-ALL-299-BPAbnormal frequency ofNetlogon access errors

MicrosoftWindows

WEL-ALL-30-BPPeakLsaRegisterLogonProcessIncrease Analytic

MicrosoftWindows Powershell

PSH-ALL-25-RU

PotentialPrintNightmare MaliciousPowershell ImplantExploitation AttemptAnalytic

MicrosoftWindows Powershell

PSH-ALL-7-RUPossible ReflectionAssembly WeaponizationActivity Analytic

NetworkTraffic Analytics

NTA-ALL-853-LSLandspeed anomaly onVPN - NTA

PhysicalSecurity / Badging

PHY-ALL-810-ERRRare account makingchanges to the physicalsecurity device

PhysicalSecurity / Badging

PHY-ALL-808-RUFailed access attemptdetected from an user tothe facility

PhysicalSecurity / Badging

PHY-ALL-809-RUHigh number of failedentry attempts detectedfrom the user

PhysicalSecurity / Badging

PHY-ALL-803-BPMultiple physicalaccess within short time

PhysicalSecurity / Badging

PHY-ALL-811-RUBoard CommunicationFailure Cleared

PhysicalSecurity / Badging

PHY-ALL-812-DBUser had unauthorizedattempts across multiplelocations

SNYPR Release Notes 56

Page 57: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Unix / Linux/ AIX

UNX-ALL-825-BPAbnormal use ofprivileged super usercommand

Virtualization/ Containers

VIR-ALL-803-DBHigh CPU usage onESXi hosts during Non-Business hours - vCenter

Virtualization/ Containers

VIR-ALL-804-DBHigh number ofSnapshots created -vCenter

Virtualization/ Containers

VIR-ALL-811-BPHost enumerationattempt detected from anaccount

Virtualization/ Containers

VIR-ALL-810-BPAbnormal number ofvirtual machines deleted -vCenter

Virtualization/ Containers

VIR-ALL-808-ERRNew account createdon virtual machine

Virtualization/ Containers

VIR-ALL-807-DBHigh number ofVirtual Machines cloned -vCenter

Virtualization/ Containers

VIR-ALL-809-BP

Multiple VirtualMachine ImagesDownloaded by an Account- vCenter

Virtualization/ Containers

VIR-ALL-806-DB

VM Snapshot creationfollowed by SnapshotMemory file or State filedownload - vCenter

Virtualization/ Containers

VIR-ALL-805-DBBruteForce attemptson user account of VM orESxi or vCenter

SNYPR Release Notes 57

Page 58: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Virtualization/ Containers

VIR-ALL-802-DBHigh number ofvirtual machines deleted -vCenter

Virtualization/ Containers

VIR-ALL-801-DBMultiple virtualmachines shutdown -vCenter

Improved Content

This section lists all improved parsers, connectors, and threat content.

Updated Connectors

Vendor | Functionality | Device Type | Collection Method | Format
Amazon Inc | Database Audit | AWS Redshift | splunkraw | Regex
Amazon Inc | IDS / IPS / UTM / Threat Detection | AWS GuardDuty | splunkraw | JSON
BIND DNS | DNS / DHCP | BIND DNS | syslog | Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | syslog | CEF
Cisco Systems | Next Generation Firewall | Cisco ASA | syslog | Regex
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine | syslog | Regex
Cisco Systems | Web Proxy | Cisco ScanSafe | syslog | Regex
Cisco Systems | Network Access Control / NAC | Cisco Router and Switch | syslog | Regex
Cisco Systems | Network Access Control / NAC | Cisco Router | file | JSON
Cisco Systems | Network Access Control / NAC | Cisco Wireless LAN Controller TRAP | syslog | Regex
Cisco Systems | Web Proxy | IronPort Web Security Appliance | syslog | Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | splunkraw | Regex
Cisco Systems | Next Generation Firewall | Cisco FTD | syslog | Regex
Cisco Systems | DNS / DHCP | Cisco Umbrella | syslog | JSON
Cisco Systems | DNS / DHCP | Cisco Umbrella | splunkraw | JSON
Cisco Systems | DNS / DHCP | Cisco Umbrella | ciscoumbrella | JSON
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | syslog | Regex
Cisco Systems | IP Telephony | Cisco Unified Communications | syslog | Regex
Cofense | Email / Email Security | O365 Cofense | office365phishingmailbox | JSON
CrowdStrike | Cloud Antivirus / Malware / EDR | Crowdstrike Alerts Query | crowdstrikequery | JSON
CrowdStrike | Endpoint Management Systems | Crowdstrike Falcon | awssqss3 | JSON
Dell / SonicWall Inc. | Next Generation Firewall | SonicWall Global Management System | syslog | Key Value Pair
Diamond IP / BT | DNS / DHCP | Diamond IPAM | syslog | Regex
F5 Networks | Traffic Manager | F5 BigIP Load Balancer | syslog | Regex
Fortinet | Next Generation Firewall | Fortigate | syslog | Key Value Pair
HAProxy | Web Proxy | HA Proxy | syslog | Delimited-space
Infoblox | DNS / DHCP | Infoblox | syslog | Regex
Intel Security / McAfee Inc. | Web Proxy | McAfee Web Gateway | syslog | CEF
Juniper Networks | Authentication / VPN | Juniper Junos Pulse VPN | syslog | Regex
Juniper Networks | Authentication / VPN | Juniper Secure Access VPN | syslog | Regex
Juniper Networks | Firewall | Juniper Junos Pulse Firewall | syslog | Regex
Juniper Networks | Authentication / VPN | Juniper Netscreen HVD VPN | syslog | Regex
Microsoft Corporation | Email / Email Security | Microsoft Exchange Server | syslog | Regex
Microsoft Corporation | Microsoft Windows | Microsoft Windows SNARE | syslog | snare
Microsoft Corporation | Microsoft Windows | Microsoft Windows PSLOGLIST | syslog | PSLOGLIST
Microsoft Corporation | Microsoft Windows | Microsoft Windows WINEVENT | syslog | WINEVENT
Microsoft Corporation | Microsoft Windows | Microsoft Windows | syslog | WINDOWSRSA
Microsoft Corporation | DNS / DHCP | Microsoft DHCP | syslog | Delimited-comma
Microsoft Corporation | Microsoft Windows | Microsoft Windows SNARE | splunkraw | snare
Microsoft Corporation | Microsoft Windows | Microsoft Windows WINEVENT | splunkraw | WINEVENT
Oracle Corporation | Database Audit | Oracle SysDB | syslog | CEF
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | splunkraw | Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | syslog | Regex
Palo Alto Networks | Cloud Antivirus / Malware / EDR | PA Cortex | syslog | CEF
Rapid 7 | Vulnerability Scanners | Nexpose Vulnerability Scanner | syslog | Regex
RSA Solutions | Authentication / SSO / Single Sign-On | RSA SecurID Authentication Manager | file | Regex
RSA Solutions | Authentication / SSO / Single Sign-On | RSA SecurID Authentication Manager | splunkraw | Regex
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | syslog | Regex
Tenable | Vulnerability Scanners | Nessus Vulnerability Scanner | syslog | JSON
Trend Micro Inc. | IDS / IPS / UTM / Threat Detection | TippingPoint IPS | syslog | Regex
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | Unix | syslog | Regex
VMware | Virtualization / Containers | VMware NSX-T | syslog | Regex
Zoom | Business Collaboration Platforms | Zoom API | zoom | JSON
Zscaler | Web Proxy | Zscaler Proxy | syslog | CEF

Updated Functionality

The following table contains the functionality that was updated in this release:

Resource Type | Previous Functionality | New Functionality
Aruba Clear Pass | Network Access Control | Network Access Control / NAC
AWS CloudTrail | AWS - Cloud Services / Applications | Cloud Services / Applications
AWS EKS Audit | AWS Kubernetes | Cloud Services / Applications
AWS EKS Authenticator | AWS Kubernetes | Cloud Services / Applications
AWS EKS Controller Manager | AWS Kubernetes | Cloud Services / Applications
AWS foundry | AWS - Cloud Services / Applications | Cloud Services / Applications
Bro Network Security | Netflow / Sinkhole | Flow
Cisco NXOS | Operating Systems | Network Access Control / NAC
Cisco Umbrella | Next Generation Firewall | DNS / DHCP
DAM | Database Access Monitoring | Database Monitoring
Gigya | Audit | Application Audit
Imperva | Database Security | Database Audit
Mcafee Web Gateway | Web Gateway Proxy | Web Proxy
RedHat OpenShift CaaS | Containers As A Service | Virtualization / Containers
SVN | Application Audit | Source Code Repository
Tanium | Tanium / WorkStation Management Systems | Endpoint Management Systems
Tanium Detect | Endpoint Management Systems | Antivirus / Malware / EDR
Tanium Endpoint | Tanium / WorkStation Management Systems | Endpoint Management Systems

Improved Threat Detection Content

The following table contains the threat detection content that was improved in this release:

Functionality | Signature ID | Policy Name
Antivirus / Malware / EDR | EDR-ALL-729-ER | Potential WMI Lateral Movement - Rare process spawned - AVEDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-29-ER | Potential WMI Lateral Movement - Rare process spawned - Cloud EDR
Cloud Application Security Broker | CASB-ALL-818-RU | User visiting steganography sites - SIEM - CASB
Cloud Application Audit | CAAU-ALL-800-RU | Potential account compromise - Exchange
Cloud Content Management System | CCMS-ALL-805-BP | Abnormal number of files shared with Competitor email address
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Cloud Content Management System | CCMS-ALL-802-ERR | Account Activity detected from Rare Country
Cloud Content Management System | CCMS-ALL-804-BP | Abnormal number of files shared with personal account
Cloud Content Management System | CCMS-ALL-810-BP | Abnormal number of files downloaded by an account
Cloud Content Management System | CCMS-ALL-807-RU | File activity performed by terminated user
Cloud Content Management System | CCMS-ALL-801-ER | Suspicious Modification of Privileges for Documents
Cloud Content Management System | CCMS-ALL-816-BP | Abnormal number of files deleted by an account
Cloud Content Management System | CCMS-ALL-812-ER | Rare Operation performed by a User
Cloud Content Management System | CCMS-ALL-814-BP | Abnormal Number of files Printed compared to past behavior
Cloud Content Management System | CCMS-ALL-815-DB | Recovering Files along with Data Egress
Cloud Content Management System | CCMS-ALL-809-ERR | Account accessing file path never accessed before
Cloud Content Management System | CCMS-ALL-806-BP | Abnormal number of files shared with Non Business account
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-811-LS | Landspeed Anomaly - Cloud Content Management System
Cloud Content Management System | CCMS-ALL-813-RU | File shared with Non business account
Cloud Content Management System | CCMS-ALL-835-BP | Abnormal number of files downloaded compared to peers
Cloud Content Management System | CCMS-ALL-836-BP | Abnormal number of files uploaded
Cloud Content Management System | CCMS-ALL-820-DB | Multiple Files shared with Non Business Accounts
Cloud Content Management System | CCMS-ALL-837-RU | File shared with personal account
Cloud Content Management System | CCMS-ALL-821-DB | Multiple Files shared with Account having competitor domain
Cloud Content Management System | CCMS-ALL-822-RU | Critical files shared with external Account
Cloud Content Management System | CCMS-ALL-823-RU | Corporate documents made public
Cloud Content Management System | CCMS-ALL-838-BP | Abnormal Number of Corporate documents made public
Cloud Content Management System | CCMS-ALL-824-DB | External account accessing multiple critical files
Cloud Content Management System | CCMS-ALL-825-DB | External account downloading high number of files
Cloud Content Management System | CCMS-ALL-839-BP | External account downloading abnormally high number of files
Cloud Content Management System | CCMS-ALL-826-RU | Activity from personal account belonging to company employee
Cloud Content Management System | CCMS-ALL-827-DB | Account activity from multiple countries in a day
Cloud Content Management System | CCMS-ALL-828-ERR | Account activity from a country rare to the organization
Cloud Content Management System | CCMS-ALL-829-ERR | Account activity from a country rare for the user
Cloud Content Management System | CCMS-ALL-830-LS | Landspeed anomaly detected for account
Cloud Content Management System | CCMS-ALL-831-RU | Activity from suspicious IP
Cloud Content Management System | CCMS-ALL-832-RU | User Changing Document Visibility to Anyone with a link-240
Cloud Content Management System | CCMS-ALL-808-ER | User performing unusual activity compared to peers
Email / Email Security | EML-ALL-816-RU | Flight Risk Behavior Exhibited In Emails
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-79-ER | Suspicious use of cradle - rare child process spawned from script interpreter
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-109-RU | Possible use of renamed LOL helper tool payload by malware - executable and hash tracking
Endpoint Management Systems | EDR-ALL-110-RU | Possible use of renamed LOL helper tool payload by malware - renamed payload executed
Endpoint Management Systems | EDR-ALL-111-ER | Proxied execution of potentially suspicious process via binaries signed by trusted entities
Microsoft Windows | WOS-214-BP | Abnormal number of network share object access
Microsoft Windows | WOS-290-BP | Abnormal number of Kerberos pre-authentication failures
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phantom Event Log Thread Termination Covertness Analytic - A2B
Microsoft Windows | WEL-ALL-906-BP | Suspicious Account Activity - Peak Credential Validation Failure Increase For Host Analytic
Next Generation Firewall | IFW-ALL-904-RU | RDP Access allowed from the internet - SIEM
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | IFW-ALL-905-TP | Inbound Traffic from C2 Domains and IP addresses - SIEM
Next Generation Firewall | IFW-ALL-901-TP | Outbound Traffic to C2 Domains and IP addresses - SIEM
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | NGF-768 | Possible host enumeration over system ports - Internal - Next Gen Firewall
Unix / Linux / AIX | UNX-ALL-801-DB | Brute Force Followed By a Successful Login from internal - SIEM
Unix / Linux / AIX | UNX-ALL-814-DB | Account was created and acted suspiciously - SIEM
Vulnerability Scanners | SCN-ALL-803-RU | Unpatched Vulnerability
Vulnerability Scanners | SCN-ALL-802-RU | Target Attack on vulnerable asset
Web Proxy | PXY-ALL-864-TA | Traffic to randomly generated domains

Decommissioned Content

The following table contains the formats that are no longer supported in this release:

Vendor | Functionality | Device Type | Collection Method | Format
Amazon Inc | AWS - Cloud Services / Applications | AWS CloudTrail | awssqss3 | JSON
Amazon Inc | Firewall | AWS VPC Flow | awscloudwatch | Delimited-space
DUO Security | Cloud Authentication / SSO / Single Sign-On | Duo Security Authentication | duo | JSON
Intel Security / McAfee Inc. / IronMail | Email / Email Security | Mcafee IronMail Email Gateway | file | Regex
Raytheon / Websense / ForcePoint Inc | Web Proxy | Websense Proxy | syslog | CEF
Tanium | Antivirus / Malware / EDR | Tanium Detect | syslog | CEF

Policy Name Signature ID Signature Comments

Access /

Privileged

User

Possible sabotage -

Rare action performed

by account

N/A

Removed the policy as

it flagged low level

events.

Access /

Privileged

User

Abnormal number of

distinct accounts

accessed compared to

past behavior

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 72

Page 73: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Access /

Privileged

User

Possible sabotage -

Abnormal number of

Cyberark files deleted

N/ARemoved the policy as itflagged low level events.

Access /

Privileged

User

Rare action performed

on safe not performed

by peers

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Abnormal amount of

data copied to

removable media - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Abnormal number of

failed login attempts -

EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Abnormal number of

files transferred to

removable media - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Abnormal number of

files with High Value

Extensions via

removable media - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Abnormal Number of

Processes Terminated -

EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Admin user logging in

via clear text - EDRN/A

Removed the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Beaconing traffic to

rare domains on web

activity - EDR

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 73

Page 74: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Antivirus /

Malware /

EDR

Flight risk behavior via

removable media - EDRN/A

Removed the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Flight risk behavior via

removable media - EDRN/A

Removed the policy as itflagged low level events.

Antivirus /

Malware /

EDR

IOS Buffer Overflow -

EDRN/A

Removed the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Job exiting behavior

exhibited in removable

media - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Malicious Outbound

Redirect - Allowed -

EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Malicious Outbound

Redirect - Blocked -

EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Malicious Software

Detected - EDRN/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Network connections to

rare systems - EDRN/A

Removed the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Rare dll process and

path on the network -

EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Rare dll used by a

process on the network

- Cloud EDR - EDR

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 74

Page 75: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Antivirus /

Malware /

EDR

Rare function used by a

dll on the network -

EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Rare parent process

spawning a child

process on the network

- EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Rare process and path

detected on the

network - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Rare process and path

for high severity

endpoint alerts - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Rare use of critical

keywords in

commandline for Linux

- EDR - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Suspicious Network

Activity - Peak

Powershell LDAP

Connection For Host

Analytic - A2B - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- Explorer - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- LSAAS - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

SNYPR Release Notes 75

Page 76: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- LSM - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- Rundll32 - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- Services - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- SMSS - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- SVCHost - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious path of

execution for known

processes on Windows

- WinInit - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious Process

Activity - Potential

Injection - Unusual

Crossproc Analytic -

EDR

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 76

Page 77: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Antivirus /

Malware /

EDR

Suspicious Process

Activity - WMI Lateral

Movement - Unusual

WMI Child Process

Analytic -A2B - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Suspicious Process

Activity - Known

Threat Intel Malicious

Process Execution

Analytic - EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Suspicious Process

Activity - Peak Rare

Process Spike For

Organization Analytic -

EDR

N/ARemoved the policy as itflagged low level events.

Antivirus /

Malware /

EDR

Suspicious Process

Activity - Potential

Phishing Sequence III -

Rare Office Child

Process Analytic - EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

Antivirus /

Malware /

EDR

Suspicious Process

Activity - Potential

Phishing Sequence III -

Targeted - Suspicious

Office Child Process

Executable Analytic -

EDR

N/A

Duplicate - Threat

scenario covered as

part of another policy

SNYPR Release Notes 77

Page 78: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Antivirus / Malware / EDR | Suspicious Process Activity - Rare CreateRemoteThread Invocation Potential BYOL-C Execute-Assembly Analytics-A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare DLL Invocation Via Rundll32 For Host Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Parent-Child Relationship For User Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Process For Host Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Mimikatz CommandLine Usage Analytic - A2B - EDR | N/A | Duplicate - Threat scenario covered as part of another policy


Antivirus / Malware / EDR | Suspicious Process Activity - Shadow Copy-Backup Deletion Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Boot Recover Disable Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Command Line Arguments Analytic - A2B - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Common Escalation of Privilege AppInit DLL Registry Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Keyloggers Abusing Nirsoft Tools Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Possible Enum File Creation Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.


Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Command Line Admin Share Access Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence I Clicking Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence II Malicious Payload Open Browser Modality Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Scripting File Types Created Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.


Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Shim Database Registration Changes Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Squiblydoo Attack Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu Startup Modification Analytic -A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu_ Startup Modification Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - MS EquationEditor Spawning a Child Process Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Autorun Changes Analytic -A2B - EDR | N/A | Removed the policy as it flagged low level events.


Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Internal Monologue Attack - NetNTLM Version Update Analytics-A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Usage of Credential Dumpers - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Virus and Malicious Code Outbreak - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Vulnerable Endpoint monitoring - EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Repeat Attack-Network Intrusion Prevention System | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Repeat Attack-Host Intrusion Prevention System | N/A | Removed the policy as it flagged low level events.
Application / Enterprise / SaaS | Abnormal amount of data uploaded to cloud storage | N/A | Removed the policy as it flagged low level events.
Application / Enterprise / SaaS | Abnormal number of files uploaded to cloud storage | N/A | Removed the policy as it flagged low level events.


Authentication / SSO / Single Sign-On | Rare Okta Application Access | N/A | Removed the policy as it flagged low level events.
Authentication / SSO / Single Sign-On | Rare IP address - successful Okta login | N/A | Removed the policy as it flagged low level events.
Authentication / SSO / Single Sign-On | Successful Login From Suspicious IP Address | N/A | These are replaced with CRP policy
Authentication / SSO / Single Sign-On | Robotic Pattern Observed from an IP - Failed Login | N/A | These are replaced with CRP policy
Authentication / VPN | Account Authenticating from Rare Geolocation | N/A | Duplicate - Threat scenario covered as part of another policy
Authentication / VPN | Brute Force Access - SIEM | N/A | Duplicate - Threat scenario covered as part of another policy
Authentication / WiFi | Abnormal number of High severity alerts from an entity | N/A | Removed the policy as it flagged low level events.
Authentication / WiFi | Abnormal number of User Authentication Failure | N/A | Duplicate - Threat scenario covered as part of another policy
AWS / Cloud Services / Applications | Cloud storage resource accessed from a rare IP address | N/A | Very Noisy


Cloud Antivirus / Malware / EDR | Abnormal number of files transferred to removable media - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Abnormal number of failed login attempts - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Abnormal Number of Processes Terminated - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Admin user logging in via clear text - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Beaconing traffic to rare domains on web activity - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | DNS traffic to randomly generated domains - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Flight risk behaviour via removable media - Cloud EDR | N/A | Removed the policy as it flagged low level events.


Cloud Antivirus / Malware / EDR | Infected Endpoint monitoring - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | IOS Buffer Overflow - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Job exiting behavior exhibited in removable media - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Malicious Outbound Redirect - Allowed - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Malicious Outbound Redirect - Blocked - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Malicious Software Detected - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Network connections to rare systems - Cloud EDR | N/A | Low fidelity


Cloud Antivirus / Malware / EDR | Rare dll process and path on the network - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Rare dll used by a process on the network - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Rare function used by a dll on the network - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Rare parent process spawning a child process on the network - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Rare process and path detected on the network - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Rare process and path for high severity endpoint alerts - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Rare use of critical keywords in commandline for Linux - Cloud EDR | N/A | Low fidelity


Cloud Antivirus / Malware / EDR | Suspicious Network Activity - Peak Powershell LDAP Connection For Host Analytic - A2B - Cloud EDR | N/A | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Explorer - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSAAS - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSM - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Rundll32 - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Services - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SMSS - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy


Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SVCHost - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - WinInit - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Potential Injection - Unusual Crossproc Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - WMI Lateral Movement - Unusual WMI Child Process Analytic -A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Known Threat Intel Malicious Process Execution Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Peak Rare Process Spike For Organization Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.


Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Rare Office Child Process Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Targeted - Suspicious Office Child Process Executable Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare CreateRemoteThread Invocation Potential BYOL-C Execute-Assembly Analytics-A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare DLL Invocation Via Rundll32 For Host Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare Parent-Child Relationship For User Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.


Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare Process For Host Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Mimikatz CommandLine Usage Analytic - A2B - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Shadow Copy-Backup Deletion Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Boot Recover Disable Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Command Line Arguments Analytic - A2B - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy


Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Common Escalation of Privilege AppInit DLL Registry Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Keyloggers Abusing Nirsoft Tools Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Possible Enum File Creation Analytic - A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Command Line Admin Share Access Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence I Clicking Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy


Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence II Malicious Payload Open Browser Modality Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Scripting File Types Created Analytic - A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Shim Database Registration Changes Analytic - A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Squiblydoo Attack Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy


Cloud Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu Startup Modification Analytic -A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu_ Startup Modification Analytic - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - MS EquationEditor Spawning a Child Process Analytic - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Autorun Changes Analytic -A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Internal Monologue Attack - NetNTLM Version Update Analytics-A2B - Cloud EDR | N/A | Removed the policy as it flagged low level events.


Cloud Antivirus / Malware / EDR | Usage of Credential Dumpers - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Virus and Malicious Code Outbreak - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Vulnerable Endpoint monitoring - Cloud EDR | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Low Severity Endpoint Alert Detected - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - Cloud EDR | N/A | Removed the policy as it flagged low level events.
Cloud Authentication / SSO / Single Sign-On | Brute Force Attack to the same host - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Authentication / SSO / Single Sign-On | Repeat Failure Authentication - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy


Cloud Authentication / SSO / Single Sign-On | Password Spraying Attack Detected - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Authentication / SSO / Single Sign-On | High Failed Logins to Domain Admin Account - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Authentication / SSO / Single Sign-On | Concurrent console logon - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Authentication / SSO / Single Sign-On | Multiple Lockouts - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Authentication / SSO / Single Sign-On | Login failure to Disabled User Account - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Authentication / SSO / Single Sign-On | Probable Successful Brute Force Attack - SIEM - SSO | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Application Audit | Account authenticating from rare geolocation - Exchange | N/A | Removed the policy as it flagged low level events.
Cloud Application Audit | Abnormal Number of Distinct Emails Archived - Exchange | N/A | Removed the policy as it flagged low level events.


Cloud Application Security Broker | Account performing activity from a suspicious location - SIEM - CASB | N/A | Removed the policy as it flagged low level events.
Cloud Application Security Broker | Uploads to personal GitHub repository - SIEM - CASB | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Application Security Broker | Downloads with multiple filename but same filehash - SIEM - CASB | N/A | Removed the policy as it flagged low level events.
Cloud Authentication / SSO / Single Sign-On | Phone verification mfa anomaly | N/A | Removed the policy as it flagged low level events.
Cloud Authentication / SSO / Single Sign-On | User Account Unlocking VIP User accounts - SSO | N/A | Removed the policy as it flagged low level events.
Cloud Authentication / SSO / Single Sign-On | Use of Any Default Credentials - SIEM - SSO | N/A | Removed the policy as it flagged low level events.
Cloud Authentication / SSO / Single Sign-On | Activity seen from rare city | N/A | Removed the policy as it flagged low level events.
Cloud Content Management System | Landspeed anomaly detected for account | N/A | Removed the policy as it flagged low level events.


Cloud Content Management System | File manipulation followed by egress | N/A | Removed the policy as it flagged low level events.
Cloud Content Management System | Suspicious Modification of Privileges for Documents | N/A | Removed the policy as it flagged low level events.
Cloud Content Management System | Abnormal number of document permission changes observed | N/A | Removed the policy as it flagged low level events.
Cloud Content Management System | Rare Operation performed by an User | N/A | Removed the policy as it flagged low level events.
Cloud Content Management System | Recovering Files along with Data Egress | N/A | Removed the policy as it flagged low level events.
Cloud Content Management System | Abnormal number of files downloaded by an account | N/A | Duplicate - Threat scenario covered as part of another policy. Replaced with new policy: Abnormal number of files downloaded
Content Management System | Abnormal amount of files downloaded compared to past behavior | N/A | Duplicate - Threat scenario covered as part of another policy
Content Management System | Abnormal number of file deletions compared to past behavior | N/A | Duplicate - Threat scenario covered as part of another policy


Content Management System | Abnormal number of files downloaded | N/A | Duplicate - Threat scenario covered as part of another policy
Content Management System | Abnormal number of files shared to Competitor Domains | N/A | Removed the policy as it flagged low level events.
Content Management System | Abnormal number of files shared to Non Business domains | N/A | Removed the policy as it flagged low level events.
Content Management System | Abnormal number of files shared with personal accounts | N/A | Removed the policy as it flagged low level events.
Content Management System | Account accessing a file share never accessed before | N/A | Removed the policy as it flagged low level events.
Content Management System | Authentication from rare geolocation | N/A | Removed the policy as it flagged low level events.
Content Management System | File activity by terminated user | N/A | Duplicate - Threat scenario covered as part of another policy
Content Management System | File manipulation followed by egress-129 | N/A | Removed the policy as it flagged low level events.
Content Management System | User performing unusual activity compared to peers | N/A | Removed the policy as it flagged low level events.
Content Management System | Account accessing file never accessed before | N/A | Removed the policy as it flagged low level events.


Content Management System | Abnormal number of files downloaded by an account -CMS | N/A | Duplicate - Threat scenario covered as part of another policy. Replaced with new policy: Abnormal number of files downloaded -CMS
Cloud Print | Unauthorized printer usage - Cloud Print | N/A | Duplicate - Threat scenario covered as part of another policy
Cloud Print | Abnormal number of pages printed compared to peer - Cloud Print | N/A | Duplicate - Threat scenario covered as part of another policy
Database Audit | Rare DCL command executed not performed by peers | N/A | Removed the policy as it flagged low level events.
Database Audit | Rare DB application accessed by account compared to peers | N/A | Removed the policy as it flagged low level events.
Database Audit | Rare DML command executed not performed by peers | N/A | Removed the policy as it flagged low level events.
Database Audit | Rare DDL command executed not performed by peers | N/A | Removed the policy as it flagged low level events.
Database Audit | Rare TCL command executed not performed by peers | N/A | Removed the policy as it flagged low level events.


Database Audit | Abnormal number of concurrent sessions in a day | N/A | Removed the policy as it flagged low level events.
Data Loss Prevention / Endpoint DLP | Abnormal number of pages printed compared to peer - Endpoint DLP | N/A | Duplicate - Threat scenario covered as part of another policy
Data Loss Prevention / Endpoint DLP | Abnormal number of pages printed compared to peer | N/A | Duplicate - Threat scenario covered as part of another policy
Data Loss Prevention / Endpoint DLP | Abnormal number of files printed compared to peer | N/A | Duplicate - Threat scenario covered as part of another policy
Database Monitoring | Account accessing critical PII database - SIEM | N/A | Removed the policy as it flagged low level events.
Database Monitoring | Rare Database Accessed by an Account | N/A | Removed the policy as it flagged low level events.
Database Monitoring | Potential Account Compromise on Database Server | N/A | Removed the policy as it flagged low level events.
Database Monitoring | Password Spraying Attack Detected - SIEM | N/A | Removed the policy as it flagged low level events.
Database Monitoring | Attempted use of disabled account - SIEM | N/A | Removed the policy as it flagged low level events.
Database Monitoring | Audit Log Tampering - SIEM | N/A | Removed the policy as it flagged low level events.


Database Monitoring | concurrent console logon - SIEM | N/A | Removed the policy as it flagged low level events.
Database Monitoring | Spike in Failed Logins to a Database Server-143 | N/A | Duplicate - Threat scenario covered as part of another policy
Database Security | Multiple Failed Followed by Successful Login to a Database Server-143 | N/A | Removed the policy as it flagged low level events.
Database Security | Potential Account Compromise on Database Server-143 | N/A | Removed the policy as it flagged low level events.
Database Security | Rare Critical Commands Executed on a Database Server | N/A | Duplicate - Threat scenario covered as part of another policy
Database Security | Rare Database Accessed by an Account | N/A | Removed the policy as it flagged low level events.
Database Security | Spike in frequency of DDL or DML Commands Executed | N/A | Removed the policy as it flagged low level events.
Database Security | Spike in Failed Logins to a Database Server-143 | N/A | Removed the policy as it flagged low level events.
DNS / DHCP | Possible fast flux domain detected-123 | N/A | Duplicate - Threat scenario covered as part of another policy
DNS / DHCP | Rare dns host resolved | N/A | Removed the policy as it flagged low level events.


Email / Email Security | Emails Sent with Source Code - SIEM - DLP | N/A | Removed the policy as it flagged low level events.
Email / Email Security | Emails to Non-Business Domains - SIEM - DLP | N/A | Removed the policy as it flagged low level events.
Email / Email Security | Emails Sent to Personal Email - SIEM - DLP | N/A | Removed the policy as it flagged low level events.
Email / Email Security | Emails to Competitor Domains - SIEM - DLP | N/A | Removed the policy as it flagged low level events.
Email / Email Security | Compressed Files in Emails - SIEM - DLP | N/A | Removed the policy as it flagged low level events.
Endpoint Management Systems | Suspicious Process Activity - Targeted - Potential ETW Disable Attempt Analytic | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rare USB device activity | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rare ports used by a process for high severity endpoint alerts | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rarity on system hardening monitor | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Suspicious Process Activity - Targeted - Executable File Creation Analytic | N/A | Duplicate - Threat scenario covered as part of another policy


Endpoint Management Systems | Abnormal number of file shares created | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rare Executive Host Accessed | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rare CD or DVD burning activity | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Abnormal number of file shares deleted | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Abnormal number of share folder creation on system | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Abnormal number of failed logons | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Abnormal number of low severity alerts | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rare login geo location | N/A | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Executable or Script file created by Process | N/A | Removed the policy as it flagged low level events.
Endpoint Management Systems | Rare child process spawned from WMIPRVSE | N/A | Duplicate - Threat scenario covered as part of another policy

SNYPR Release Notes 103

Page 104: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Endpoint

Management

Systems

Rare combination of

parent and child

process found for user

N/ARemoved the policy as itflagged low level events.

Endpoint

Management

Systems

Suspicious Process

Activity - Peak File RW

Process Terminations

For Host Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

Endpoint

Management

Systems

Suspicious Process

Activity - Rare DLL

Creation in SYSTEM

Directory Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

Endpoint

Management

Systems

Suspicious Process

Activity - Rare Egress

Destination Port For

LOLBIN App Potential

Malicious Stager

Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

Endpoint

Management

Systems

Suspicious Process

Activity - Rare High-

Integrity Process For

User Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

Endpoint

Management

Systems

Suspicious Process

Activity - Targeted -

Potential Stego

Embedding Tool

Agnostic Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

SNYPR Release Notes 104

Page 105: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Endpoint

Management

Systems

Suspicious Process

Activity - Targeted -

Potential UACBypass

csc Spawning Temp

Directory Payload

Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

Endpoint

Management

Systems

Use of invoke Phant0m

powershell tool to

disable endpoint

logging

N/A Misconfig

Endpoint

Management

Systems

Suspicious Process

Activity - Targeted -

Potential ETW Disable

Attempt Analytic

N/A

Duplicate - Threat

scenario covered as

part of another policy

Endpoint

Management

Systems

Potential WMI Lateral

Movement Rare

WmiPrvSe Subprocess

N/A

Duplicate - Threat

scenario covered as

part of another policy

Firewall

Firewall traffic to

randomly generated

domains - Firewall

N/ARemoved the policy as itflagged low level events.

FirewallRepeat Attack on

firewall-ForeignN/A

Duplicate - Threat

scenario covered as

part of another policy

Firewall

SmartDefense IPS

Rules - High Severity -

Firewall

N/ARemoved the policy as itflagged low level events.

Firewall

SmartDefense IPS

Rules - Malicious

address - Firewall

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 105

Page 106: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Firewall

SmartDefense IPS

Rules - Medium

Severity - Firewall

N/ARemoved the policy as itflagged low level events.

FirewallTraffic to rare domain

on DNS ports - FirewallN/A

Removed the policy as itflagged low level events.

Flow

Abnormal amount of

data aggregated from

FTP ports - Flow

N/ARemoved the policy as itflagged low level events.

Flow

Abnormal amount of

data aggregated from

SMB ports - Flow

N/ARemoved the policy as itflagged low level events.

Flow

Abnormal amount of

data uploads to external

sites-FLOW

N/ARemoved the policy as itflagged low level events.

Flow

Abnormal amount of

data uploads to storage

sites over firewall -

FLOW

N/ARemoved the policy as itflagged low level events.

Flow

Abnormal amount of

data uploads to storage

sites-FLOW

N/ARemoved the policy as itflagged low level events.

Flow

Abnormal number of

DHCP requests -

FLOW

N/ARemoved the policy as itflagged low level events.

FlowAbnormal time for dhcp

lease-FlowN/A

Removed the policy as itflagged low level events.

Flow

Abnormal upload

attempts to distinct

storage sites-FLOW

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 106

Page 107: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Flow

Account authenticating

from rare geolocation

on VPN - FLOW

N/ARemoved the policy as itflagged low level events.

Flow

Activity from known

malicious addresses

detected on VPN -

FLOW

N/ARemoved the policy as itflagged low level events.

FlowBeaconing traffic to

malicious sites-FLOWN/A

Removed the policy as itflagged low level events.

Flow

Beaconing traffic to

rare domains over dns-

flow

N/ARemoved the policy as itflagged low level events.

FlowBeaconing traffic to

rare domains-FLOWN/A

Removed the policy as itflagged low level events.

Flow

Data exfiltration over

known data transfer

services - Flow

N/ARemoved the policy as itflagged low level events.

FlowDHCP request from

rare device-FlowN/A

Removed the policy as itflagged low level events.

Flow

Firewall traffic to

randomly generated

domains - Flow

N/ARemoved the policy as itflagged low level events.

FlowLandspeed anomaly on

VPN - FLOWN/A

Removed the policy as itflagged low level events.

Flow

Persistent traffic to

rare non resolvable

domain dns responses-

Flow

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 107

Page 108: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Flow

Possible host

enumeration over

critical access ports -

Internal - Flow

N/A

Duplicate - Threat

scenario covered as

part of another policy

FlowPossible port scan over

system ports - FlowN/A

Duplicate - Threat

scenario covered as

part of another policy

FlowPotential lateral

movementN/A

Duplicate - Threat

scenario covered as

part of another policy

Flow

Randomly generated

domain detected on dns

response -flow

N/ARemoved the policy as itflagged low level events.

FlowRare dns host resolved

flowN/A

Removed the policy as itflagged low level events.

FlowRare dns host resolved-

FlowN/A

Removed the policy as itflagged low level events.

FlowTraffic to rare domain

on DNS ports - FlowN/A

Removed the policy as itflagged low level events.

Microsoft

Windows

Possible password

spraying from a

windows resource

N/ARemoved the policy as itflagged low level events.

Microsoft

Windows

High number of

accounts using the

same ipaddress for

authentication failures

or lockout events

N/A

Duplicate - Threat

scenario covered as

part of another policy

Microsoft

Windows

High number of failed

login attempts from an

IP - SIEM

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 108

Page 109: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Microsoft

Windows

High number of

accounts using the

same ipaddress for

authentication failures

or lockout events

N/ARemoved the policy as itflagged low level events.

Microsoft

Windows

Usage of potential

scriptable executable to

run or access malicious

payload

N/ARemoved the policy as itflagged low level events.

Microsoft

Windows

High number of failed

login attempts from an

account- SIEM

WEL-ALL-

942-DB

Removed the policy as itflagged low level events.

Microsoft

Windows

Repeat Failure

Authentication - SIEM

WEL-ALL-

949-DB

Removed the policy as itflagged low level events.

Microsoft

Windows

High number of service

tickets requested -

SIEM

WEL-ALL-

923-BP

Removed the policy as itflagged low level events.

Microsoft

Windows

Detection of Brute

Force Attack To The

Same Host - SIEM

WEL-ALL-

938-DB

Removed the policy as itflagged low level events.

Microsoft

Windows

Use of explicit

credentials for a

possible Account

sharing or Password

misuse

WOS-203-RU

Policy is replaced with

"Use of explicit

credentials by a rare

account - Account

sharing or Password

misuse".

Microsoft

Windows

High number of host

accessed - SIEM

WEL-ALL-

931-BP

Removed the policy as itflagged low level events.

Microsoft

Windows

Rare privileged level

for a windows

authentication

WOS-244-ERRemoved the policy as itflagged low level events.

SNYPR Release Notes 109

Page 110: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Microsoft

Windows

Powershell

Use of Powershell

encode command by an

account

N/A

Duplicate - Threat

scenario covered as

part of another policy

Microsoft

Windows

Powershell

Powershell execution

policy changed by

Account

N/A

Duplicate - Threat

scenario covered as

part of another policy

Microsoft

Windows

Powershell

Use of Powershell

Invoke Expression

Command by Account

N/A

Duplicate - Threat

scenario covered as

part of another policy

Next

Generation

Firewall

Abnormal number of

connections on DNS

ports - NGFW

N/A

Removed the policy as

it flagged low level

events.

Next

Generation

Firewall

Bruteforce on Critical

Service from an IP

Observed Performing

Network Recon

N/A

Duplicate - Threat

scenario covered as

part of another policy

Next

Generation

Firewall

Internal System

running port scan

Internally - SIEM

N/ARemoved the policy as itflagged low level events.

Next

Generation

Firewall

Monitoring Inbound

malicious IP addresses -

SIEM

N/ARemoved the policy as itflagged low level events.

Next

Generation

Firewall

Network Connection

from a rare

Geolocation

N/A

Duplicate - Threat

scenario covered as

part of another policy

Next

Generation

Firewall

Possible host

enumeration observed -

SIEM

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 110

Page 111: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Next

Generation

Firewall

Rare domain visited by

account - Next Gen

Firewall

N/ARemoved the policy as itflagged low level events.

Next

Generation

Firewall

Rare Filetype Observed

- Next Gen FirewallN/A

Removed the policy as itflagged low level events.

Next

Generation

Firewall

Rare operating system

detected for an account

on VPN - Next Gen

Firewall

N/ARemoved the policy as itflagged low level events.

Next

Generation

Firewall

Repeat Attack-Login

Source on VPN - Next

Gen Firewall

N/ARemoved the policy as itflagged low level events.

Next

Generation

Firewall

SMB traffic to and from

InternetN/A

Removed the policy as itflagged low level events.

Next

Generation

Firewall

Successful Network

Connection Observed

from an IP Performing

Network Recon

N/ARemoved the policy as itflagged low level events.

Next

Generation

Firewall

System running

external scan - SIEMN/A

Duplicate - Threat

scenario covered as

part of another policy

Next

Generation

Firewall

Traffic to rare domain

on DNS ports - Next

Gen Firewall

N/A

Removed the policy as

it flagged low level

events.

Next

Generation

Firewall

Undocumented account

activity on VPN - Next

Gen Firewall

N/A

Duplicate - Threat

scenario covered as

part of another policy

SNYPR Release Notes 111

Page 112: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Next

Generation

Firewall

Zone Transfer from

External to Internal -

SIEM

N/A

LowRemoved the policy

as it flagged low level

events.

Next

Generation

Firewall

Internal system running

port scan - horizontal

SIEM

N/ALegacy SIEM content -

Low fidelity

Next

Generation

Firewall

Non Mail server trying

to send mails outside -

SIEM

N/ALegacy SIEM content-

Low fidelity

Next

Generation

Firewall

Possible port scan from

internal IP Address -

Next Gen Firewall

N/A

Duplicate - Threat

scenario covered as

part of another policy

Next

Generation

Firewall

Inbound Traffic from

C2 Domains and IP

addresses - SIEM

IFW-ALL-905-

TP

Removed the policy as itflagged low level events.

Next

Generation

Firewall

Outbound Traffic to C2

Domains and IP

addresses - SIEM

IFW-ALL-901-

TP

Removed the policy as itflagged low level events.

Next

Generation

Firewall

Abnormal amount of

data uploads to storage

sites over firewall

IFW-CAF-

870-BA

Removed the policy as

it flagged low level

events.

Network

Traffic

Analytics

Rare dns host resolved

- NTA (NTA-ALL-801-

TA)

NTA-ALL-801-TA

Removed the policy as

it flagged low level

events.

Print

Abnormal number of

pages printed compared

to peer

N/A

Duplicate - Threat

scenario covered as

part of another policy

Unix / Linux /

AIX

Undocumented

accounts performing

activity

N/ARemoved the policy as itflagged low level events.

SNYPR Release Notes 112

Page 113: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Unix / Linux /

AIX

Use of any default

credentials on UnixN/A

Removed the policy as itflagged low level events.

Web

Application

Firewall

Abnormal number of

high severity WAF

alerts

N/ARemoved the policy as itflagged low level events.

Web

Application

Firewall

Possible directory

traversalN/A

Removed the policy as itflagged low level events.

Web

Application

Firewall

DNS amplification by

frequency of packets -

Firewall-119

N/A

Duplicate - Threat

scenario covered as

part of another policy

Web

Application

Firewall

Possible external host

enumeration over

system ports - Firewall-

119

N/A

Duplicate - Threat

scenario covered as

part of another policy

Web

Application

Firewall

Possible external port

scan over system ports

- Firewall-119

N/A

Duplicate - Threat

scenario covered as

part of another policy

Web

Application

Firewall

Traffic to Known

Attacker on firewall-

119

N/A

Duplicate - Threat

scenario covered as

part of another policy

Web

Application

Firewall

Repeat Attack on

firewall-Foreign-119N/A

Duplicate - Threat

scenario covered as

part of another policy

Web ProxyBeaconing Traffic

DetectedN/A

Duplicate - Threat

scenario covered as

part of another policy

Web Proxy

Detection of possible

proxy circumvention-

125

N/A

Duplicate - Threat

scenario covered as

part of another policy

SNYPR Release Notes 113

Page 114: SNYPR 6.4 Release Notes

New and Improved Content

Policy Name Signature ID Signature Comments

Web Proxy

Detection of possible

proxy circumvention-

134

N/A

Duplicate - Threat

scenario covered as

part of another policy

Web Proxy

Detection of possible

proxy circumvention-

135

N/A

Duplicate - Threat

scenario covered as

part of another policy

Web ProxyRare domain visited by

accountN/A

Removed the policy as itflagged low level events.

Web ProxyUploads to news or

media websitesN/A

Removed the policy as itflagged low level events.

Web ServerCircumvention of URL

ControlsN/A

Removed the policy as itflagged low level events.

Web Server Rare User Agent Used N/ARemoved the policy as itflagged low level events.

Web ServerCircumvention of

Directory ControlsN/A

Removed the policy as itflagged low level events.

Web ServerCircumvention of

Directory Controls-124N/A

Duplicate - Threat

scenario covered as

part of another policy

Web ServerPossible Web Crawling

DetectedN/A

Removed the policy as

it flagged low level

events.

Web ServerPossible Web Crawling

Detected-124N/A

Duplicate - Threat

scenario covered as

part of another policy

Web ServerRare HTTP Request

Method UsedN/A

Removed the policy as

it flagged low level

events.

SNYPR Release Notes 114

Page 115: SNYPR 6.4 Release Notes

New and Improved Content

Decommissioned Policy/Threat Content

The following table contains the decommissioned policy and threat content in this release:

Functionality Signature ID Policy Name

Access /Privileged User

ACP-CAP-804-BPAbnormal number ofpassword retrievalcompared to past behavior

Access /Privileged User

ALT-028Repeat Attack-WebContent Filter

Antivirus / Malware / EDR EDR-FNX-930-DBVirus or Spyware Detectedbut Failedto Clean

Antivirus /Malware / EDR

EDR-MEV-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-MEV-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-MEV-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-FNX-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-FNX-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-FNX-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-FNX-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-TMC-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-TMC-932-DBRepeat IPS or IDSAttack-Foreign

SNYPR Release Notes 115

Page 116: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Antivirus /Malware / EDR

EDR-MEV-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-TMC-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-TMC-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-FHX-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-III-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-III-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-FHX-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-III-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-FEX-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-TMC-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-SIS-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-MEV-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-SEP-927-DBPossible Outbreak-Multiple Infected Hosts-313

SNYPR Release Notes 116

Page 117: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Antivirus /Malware / EDR

EDR-ALL-840-ERRRare file hashes forhigh severity endpointalerts - EDR

Antivirus /Malware / EDR

EDR-ALL-829-ERRRare file hashdetected on network - EDR

Antivirus /Malware / EDR

EDR-ALL-820-ERRRare usage ofPsRemoting - EDR

Antivirus /Malware / EDR

EDR-ALL-842-BP

Abnormal number ofconnections to WS-Management or PowershellPorts - EDR

Antivirus /Malware / EDR

EDR-ALL-838-BPAbnormal number ofhigh severity endpointalerts - EDR

Antivirus /Malware / EDR

EDR-ALL-886-BPAbnormal number ofssh connections - EDR

Antivirus /Malware / EDR

EDR-ALL-885-BPAbnormal number oftelnet connections - EDR

Antivirus /Malware / EDR

EDR-SNI-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-MEH-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-MEH-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-MEH-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-ALL-726-RUPotential use ofRubeus attack tool detectedvia command line - AVEDR

SNYPR Release Notes 117

Page 118: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Antivirus /Malware / EDR

EDR-MEH-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-MEH-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-SNI-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-SNI-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-SNI-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-SNI-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-SEP-930-DBVirus or SpywareDetected but Failed toClean-313

Antivirus /Malware / EDR

EDR-SEP-923-DB Repeat IDS Events-313

Antivirus /Malware / EDR

EDR-SEP-932-DBRepeat IPS or IDSAttack-Foreign-313

Antivirus /Malware / EDR

EDR-SEP-929-RUTraffic to KnownAttacker on IPS or IDS-313

Antivirus /Malware / EDR

EDR-SIS-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-ALL-821-ERRRare critical filemodified by an user - EDR

Antivirus /Malware / EDR

EDR-SIS-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-FHX-930-DBVirus or SpywareDetected but Failed toClean

SNYPR Release Notes 118

Page 119: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Antivirus /Malware / EDR

EDR-FHX-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-FHX-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-III-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-III-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-TMC-814-RUResemblance BasedPhishing Attempts - PLDanalysis

Antivirus /Malware / EDR

EDR-TMC-813-RUResemblance BasedPhishing Attempts - TLDanalysis

Antivirus /Malware / EDR

EDR-FEX-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-SIS-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-FEX-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-PSE-930-DBVirus or SpywareDetected but Failed toClean

Antivirus /Malware / EDR

EDR-FEX-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-MNP-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-MNP-929-RUTraffic to KnownAttacker on IPS or IDS

SNYPR Release Notes 119

Page 120: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Antivirus /Malware / EDR

EDR-FEX-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-PSE-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-SIS-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-MNP-932-DBRepeat IPS or IDSAttack-Foreign

Antivirus /Malware / EDR

EDR-MNP-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-PSE-927-DBPossible Outbreak-Multiple Infected Hosts

Antivirus /Malware / EDR

EDR-PSE-929-RUTraffic to KnownAttacker on IPS or IDS

Antivirus /Malware / EDR

EDR-PSE-923-DB Repeat IDS Events

Antivirus /Malware / EDR

EDR-MNP-930-DBVirus or SpywareDetected but Failed toClean

Application /Enterprise / SaaS

SAS-ALL-808-BAAbnormal amount ofdata uploaded to GitHub

Application /Enterprise / SaaS

SAS-ALL-810-ERFile accessed from arare geolocation - Netskope

Application /Enterprise / SaaS

SAS-ALL-807-BPAbnormal number offiles downloaded fromGitHub

Application /Enterprise / SaaS

SAS-ALL-811-ERUser downloadingfiles from a suspiciousgeolocation - Netskope

SNYPR Release Notes 120

Page 121: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Application /Enterprise / SaaS

SAS-ALL-801-BAAbnormal volume ofdownloads from HIPAAsanctioned apps - Netskope

Application /Enterprise / SaaS

SAS-ALL-813-BPAbnormal number offiles uploaded to cloud

ATMMonitoring

ATM-ALL-804-TARare Buffer overflowdetection

ATMMonitoring

ATM-ALL-803-RUDisabling ofProtection

ATMMonitoring

ATM-ALL-811-BPAbnormal number ofSMB or NETBIOSconnections

ATMMonitoring

ATM-ALL-813-BPAbnormal number offile access attempts

ATMMonitoring

ATM-ALL-800-ERRare weekendtransaction by account

ATMMonitoring

ATM-ALL-806-TARare path for dllsaccessed

ATMMonitoring

ATM-ALL-807-ERRare timeslot for ATMactivity by account

ATMMonitoring

ATM-ALL-808-ERUnusual time of daydevice configuration

ATMMonitoring

ATM-ALL-809-ERSuspicious attemptsto modify registry

ATMMonitoring

ATM-ALL-810-ERUnusual passwordchange attempts

ATMMonitoring

ATM-ALL-805-BPAbnormal number ofdlls accessed

ATMMonitoring

ATM-ALL-801-ERUse of unauthorizeddevices

SNYPR Release Notes 121

Page 122: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

ATMMonitoring

ATM-ALL-802-ERAttempt to executesuspicious OS calls

Audit AAU-FAA-826-BPAbnormal number ofAuthentication Failures - F5

Authentication/ SSO / Single Sign-On

SSO-ALL-846-ERRare User Agent -successful Okta login

Authentication/ SSO / Single Sign-On

SSO-ALL-821-TAAscending MonotonicPattern Detected

Authentication/ VPN

VPN-ALL-808-DB Brute Force Access

Authentication/ VPN

VPN-ALL-851-RUVPN activity byUndocumented Accounts

Authentication/ VPN

VPN-ALL-805-DBSuccessful Loginafter Repeat Failed logins

Authentication/ VPN

VPN-ALL-804-DBPossible AccountSharing

Authentication/ VPN

VPN-ALL-800-RUVPN Activity fromKnown Malicious Addresses

Authentication/ VPN

VPN-ALL-811-ERVPN AuthenticationUsing a Rare OperatingSystem for an Account

Authentication/ VPN

VPN-ALL-852-BPAbnormal Number ofFailed Authentication for anAccount

Authentication/ VPN

VPN-ALL-809-RUVPN activity byTerminated Users

Authentication/ WiFi

AWI-AMN-8115-DBEvil twin detectionacross multiple locationwith short span of time

Authentication/ WiFi

AWI-AMN-8116-ERRare location eviltwin detected

SNYPR Release Notes 122

Page 123: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Authentication/ WiFi

AWI-AMN-817-ERRare location rogueAP detected

Authentication/ WiFi

AWI-AMN-822-DBMultiple Rogue APdetected within samelocation

Authentication/ WiFi

AWI-AMN-823-DBMultiple Evil Twindetected within samelocation

Aviation /Onboard Network System

AVI-ALL-818-BPAbnormal number of SUlogin failures by usingTarget user enumeration

Aviation /Onboard Network System

AVI-ALL-802-BPAbnormal number ofdistinct destination hostsaccessed by an IP Address

Aviation /Onboard Network System

AVI-ALL-812-BPAbnormal high numberof login failure by a'Remote Address

Aviation /Onboard Network System

AVI-ALL-814-BP

Abnormal number ofdistinct destination hostsaccessed by an Activityaccount

Aviation /Onboard Network System

AVI-ALL-815-BPSpike in number of SUauthentication failures

Aviation /Onboard Network System

AVI-ALL-807-BPAbnormal number offailed ssh authenticationattempts by an IP Address

Aviation /Onboard Network System

AVI-ALL-805-RUDetection of passwordretrievals from a non-secure file

Aviation /Onboard Network System

AVI-ALL-800-BPSpike In number ofFailed SSHD Logs

SNYPR Release Notes 123

Page 124: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Aviation /Onboard Network System

AVI-ALL-808-ERActivity towards arare hostname which wasnever connected before

Cloud ContentManagement System

CCMS-ALL-804-BPAbnormal number offiles shared with personalaccount

Cloud ContentManagement System

CCMS-ALL-809-ERRAccount accessingfile path never accessedbefore

Cloud ContentManagement System

CCMS-ALL-828-ERRAccount activity froma country rare to theorganization

Cloud ContentManagement System

CCMS-ALL-829-ERRAccount activity froma country rare for the user

Cloud ContentManagement System

CCMS-ALL-805-BPAbnormal number offiles shared withCompetitor email address

Cloud ContentManagement System

CCMS-ALL-802-ERAccount Activitydetected from RareGeolocation

Cloud ContentManagement System

CCMS-ALL-813-RUFile shared with Nonbusiness account

Cloud ContentManagement System

CCMS-ALL-802-ERRAccount Activitydetected from RareCountry

Cloud ContentManagement System

CCMS-ALL-809-ERAccount accessingfile share never accessedbefore

Cloud ContentManagement System

CCMS-ALL-839-BPExternal accountdownloading abnormallyhigh number of files

SNYPR Release Notes 124

Page 125: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Cloud ContentManagement System

CCMS-ALL-816-BPAbnormal number offiles deleted by an account

Cloud ContentManagement System

CCMS-ALL-814-BPAbnormal Number offiles Printed compared topast behavior

Cloud ContentManagement System

CCMS-ALL-806-BPAbnormal number offiles shared with NonBusiness account

Cloud Email /Email Security

CEML-ALL-805-BAAbnormal Amount ofData Emailed to PersonalEmail - Cloud Email

Cloud Email /Email Security

CEML-ALL-802-BPAbnormal Number ofSource Code Emailed -Cloud Email

Cloud Email /Email Security

CEML-ALL-808-BPAbnormal Number ofEmail Forwards - CloudEmail

Cloud Email /Email Security

CEML-ALL-818-BA

Abnormal amount ofdata egressed to non-business domains comparedto peer behavior - CloudEmail

Cloud Email /Email Security

CEML-ALL-828-BP

Abnormal number ofemails sent to competitordomains compared to peerbehavior - Cloud Email

Cloud Email /Email Security

CEML-ALL-830-BPAbnormal Number ofEmails to Personal Email -Cloud Email

Cloud Email /Email Security

CEML-ALL-826-BP

Abnormal number ofemails to non businessdomains compared to peerbehavior - Cloud Email

SNYPR Release Notes 125

Page 126: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Cloud Email /Email Security

CEML-ALL-829-BA

Abnormal Amount ofData Emailed toNonbusiness Domain -Cloud Email

Cloud Email /Email Security

CEML-ALL-801-BPAbnormal Number ofCompressed Files Emailed -Cloud Email

Cloud Email /Email Security

CEML-ALL-803-BPAbnormal Number ofEmails to Competitor -Cloud Email

Cloud Email /Email Security

CEML-ALL-823-BPAbnormal Number ofEmails to NonbusinessDomains - Cloud Email

Cloud Email /Email Security

CEML-ALL-824-RUEmails from Newlyregistered domains - CloudEmail

Cloud Print CPRN-ALL-837-RUUnauthorized printerusage

Cloud Print CPRN-ALL-838-BPAbnormal number offiles printed compared to apeer group

Cloud Print CPRN-ALL-839-BPAbnormal number ofpages printed compared toa peer group

CloudAntivirus / Malware / EDR

CEDR-ALL-839-BPAbnormal number ofhigh severity endpointalerts - Cloud EDR

CloudAntivirus / Malware / EDR

CEDR-ALL-26-RU

Potential use ofRubeus attack tool detectedvia command line - CloudEDR

SNYPR Release Notes 126

Page 127: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

CloudAntivirus / Malware / EDR

CEDR-ALL-820-ERRRare usage ofPsRemoting - Cloud EDR

CloudAntivirus / Malware / EDR

CEDR-ALL-858-BPAbnormal number ofCritical severity endpointalerts - Cloud EDR

CloudAntivirus / Malware / EDR

CEDR-ALL-871-BPAbnormal number ofMedium severity endpointalerts - Cloud EDR

CloudAntivirus / Malware / EDR

CEDR-ALL-19-RUPotential MimikatzCommandLine Usage -Cloud EDR

CloudAntivirus / Malware / EDR

CEDR-ALL-829-ERRRare file hashdetected on network -Cloud EDR

CloudAntivirus / Malware / EDR

CEDR-ALL-903-ERRRare file typedetected from an endpoint

CloudAntivirus / Malware / EDR

CEDR-ALL-821-ERRRare critical filemodified by an user - CloudEDR

CloudApplication Audit

CAAU-ALL-805-ERAccountAuthenticating from rarecountry - Exchange

CloudApplication Audit

CAAU-ALL-807-BPAbnormal Number ofDistinct Emails Created -Exchange

CloudApplication Audit

CAAU-ALL-804-ERRare clientapplication detected for theuser - Exchange

CloudApplication SecurityBroker

CASB-ALL-805-RUFiles upload tounauthorized cloud storage- SIEM - CASB

SNYPR Release Notes 127

Page 128: SNYPR 6.4 Release Notes

New and Improved Content

Functionality Signature ID Policy Name

Cloud Application Security Broker | CASB-ALL-802-DB | Successful Login after Repeat Failed logins - SIEM - CASB
Cloud Application Security Broker | CASB-ALL-810-RU | Downloads greater than 10MB from external address - SIEM - CASB
Cloud Application Security Broker | CASB-ALL-800-RU | User uploading sensitive files - SIEM - CASB
Cloud Application Security Broker | CASB-ALL-809-DB | High number of downloads from external address - SIEM - CASB
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-842-BP | Abnormal number of mfa bypass
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-813-ER | Rare application accessed by account
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-820-BP | Spike in number of account lockout events
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-818-ER | Account activity seen from a rare country
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-832-BP | Possible user enumeration observed from an account
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-814-BP | Abnormal number of device alerts observed

Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-833-ER | Logon from a rare country compared to entire organization - DUO Authentication
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-838-BP | Abnormal number of unauthorized attempts to an application
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-834-BP | Possible password spraying observed from an IP
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-829-BP | Password spraying attempts from one account to multiple applications_enumeration - Duo Authentication
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-815-BP | Abnormal number of sign on failures
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-827-ER | Logon from a rare country - DUO Authentication
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-807-RU | Attempted use of disabled account - SIEM - SSO
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-841-ER | Rare logon to admin console
Cloud Services / Applications | CSA-ALL-714-BP | Abnormal Number of snapshots created
Cloud Services / Applications | CSA-AWS-733-BP | Failed attempts detected from an user attempting to attach to different roles

Content Management System | CMS-ALL-830-ER | Account accessing file path never accessed before - CMS
Content Management System | CMS-ALL-846-BP | Abnormal number of files shared with Non Business account - CMS
Database Audit | DBS-ALL-821-BA | Abnormal frequency of data aggregated from database
Data Loss Prevention / Endpoint DLP | EDLP-ALL-819-BP | Abnormal Number of Compressed Files Emailed - DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-802-BP | Abnormal number of emails to non business domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-824-BP | Abnormal number of files egressed to removable media
Data Loss Prevention / Endpoint DLP | EDLP-ALL-801-ER | Unauthorized printer usage detected
Data Loss Prevention / Endpoint DLP | EDLP-ALL-810-BP | Abnormal number of endpoint DLP match count violations
Data Loss Prevention / Endpoint DLP | EDLP-ALL-830-BA | Abnormal amount of endpoint DLP match count violations
Data Loss Prevention / Endpoint DLP | EDLP-ALL-827-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - Endpoint DLP

Data Loss Prevention / Endpoint DLP | EDLP-ALL-826-BA | Abnormal amount of data egress to NonBusiness domains - DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-814-RU | Misuse of service accounts to exfiltrate data - SIEM - DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-805-BA | Abnormal amount of data egressed to removable media
Data Loss Prevention / Endpoint DLP | EDLP-ALL-822-BA | Abnormal amount of endpoint DLP match count violation compared to peer
Data Loss Prevention / Endpoint DLP | EDLP-ALL-821-BA | Abnormal amount of data egressed to non-business domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-812-BA | Abnormal amount of data egress to Competitor - DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-828-BP | Abnormal number of emails sent to competitor domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-823-BA | Abnormal amount of data egress to Personal email - DLP
Data Warehouse | DWH-ALL-802-ER | Login from a rare country compared to the entire organization - Authentication
Data Warehouse | DWH-ALL-801-ER | Login from a rare country - Authentication

Data Warehouse | DWH-ALL-808-RU | Successful password spraying attack from an IP - Authentication
Data Warehouse | DWH-ALL-803-LS | Landspeed anomaly detected for account - Authentication
Database Monitoring | DBM-ALL-811-RU | Abnormal frequency of select commands executed on Database - Database Monitoring
DNS / DHCP | DNS-010 | Excessive number of failed DNS zone transfers
DNS / DHCP | DNS-023 | Excessive number of DNS NXDOMAIN responses
DNS / DHCP | DNS-024 | Excessive number of DNS SERVFAIL responses
DNS / DHCP | DNS-ALL-810-TA | Rare dns server used
DNS / DHCP | DNS-ALL-808-BP | Abnormal time for dhcp lease
DNS / DHCP | DNS-ALL-801-ERR | DHCP request from rare device
DNS / DHCP | DNS-ALL-804-BP | Abnormal number of DHCP requests
Endpoint Management Systems | EDR-ALL-49-ER | Suspicious Process Activity - Potential Injection - Unusual Crossproc Analytic
Endpoint Management Systems | EDR-ALL-28-RU | Potential Phishing URL received over an email

Endpoint Management Systems | EDR-ALL-62-ER | Potential attempt to bypass UAC using Eventvwr
Endpoint Management Systems | EDR-ALL-59-RU | Possible Payload Attack Via Parameterless Rundll32 Command
Endpoint Management Systems | EDR-ALL-19-RU | Potential Mimikatz CommandLine Usage
Endpoint Management Systems | EDR-ALL-889-RU | Possible Reverse Shell connection established via Invoke-PowerShellTcpOneLine script
Endpoint Management Systems | EDR-ALL-815-RU | Use of credential dumpers - endpoint monitoring
Endpoint Management Systems | EDR-ALL-58-ER | RDP communication initiated from a rare process
Endpoint Management Systems | EDR-ALL-38-ER | Rare source and target images for CreateRemoteThread event
Endpoint Management Systems | EDR-ALL-89-RU | Potential UAC bypass - CSC executing payload from temp directory on host
Endpoint Management Systems | EDR-ALL-12-ER | Suspicious Command Line Arguments
Endpoint Management Systems | EDR-ALL-102-RU | Use of Steganography tools to encode or decode media files

Endpoint Management Systems | EDR-ALL-71-BP | Possible Ransomware infection involving use of staging commands on abnormally large number of hosts
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-81-ER | Possible Webshell Activity - Rare process spawned from Web server worker process
Endpoint Management Systems | EDR-ALL-24-ER | Escalation of privilege via modification of AppInit DLL registry detected on host
Endpoint Management Systems | EDR-ALL-55-ER | Rare process communicating over Kerberos port
Endpoint Management Systems | EDR-ALL-53-ER | Potential Sysvol-Netlogon Lateral Movement - Rare file executed from Netlogon share
Endpoint Management Systems | EDR-ALL-69-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic
Endpoint Management Systems | EDR-ALL-54-ER | Rare Self Worker Process Execution
Endpoint Management Systems | EMS-002 | Rare file hash detected on the network - endpoint monitoring

Endpoint Management Systems | EMS-001 | Rare function used by a dll on the network - endpoint monitoring
Endpoint Management Systems | EDR-ALL-48-ER | Unusual process adding a file in Startup Menu
Endpoint Management Systems | EDR-ALL-19-ER | Rare DLL Invocation Via Rundll32 Command
Endpoint Management Systems | EDR-ALL-26-RU | Potential use of Rubeus attack tool detected via command line
Firewall | IFW-CPS-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-JSF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-ALL-711-BP | Abnormal number of connections on LDAP ports - Firewall
Firewall | IFW-FTF-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-JPF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-JPF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-JPF-871-DB | DNS amplification by frequency of packets - Firewall

Firewall | IFW-CAF-807-ER | Rare file type detected over firewall traffic
Firewall | IFW-CAF-873-BP | Possible external port scan over system ports
Firewall | IFW-CAF-872-ER | Rare dns host resolved over firewall
Firewall | IFW-CPS-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-CAF-928-DB | Repeat Attack-Foreign
Firewall | IFW-CAF-868-TA | Beaconing traffic to malicious sites over firewall
Firewall | IFW-CAF-929-RU | Traffic to Known Attacker
Firewall | IFW-CAF-905-BP | Brute Force Access on VPN
Firewall | IFW-CAF-910-DB | Probable Successful Brute Force Attack on VPN
Firewall | IFW-CAF-922-DB | Repeat firewall drops
Firewall | IFW-JSF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-JPF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-JSF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-CAF-871-DB | DNS amplification by frequency of packets

Firewall | IFW-CPS-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-JSF-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-CPF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-CPS-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-ALL-710-ERR | Rare application for known protocols on network traffic - Firewall
Firewall | IFW-FTF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-FTF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-FTF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-ALL-929-RU | Traffic to Known Attacker on Firewall
Firewall | IFW-ALL-713-ERR | Rare port used by applications on network traffic - Firewall
Firewall | IFW-CPF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-ALL-708-BP | Abnormal number of connections on SMB or NETBIOS ports - Firewall

Firewall | IFW-ALL-706-BP | Abnormal number of DNS zone transfers - Firewall
Firewall | IFW-ALL-714-DB | Traffic to Known Attacker on Firewall
Firewall | IFW-ALL-875-DB | DNS Amplification by Frequency of Packets - Firewall
Firewall | IFW-ALL-928-DB | Multiple Exploit Types Against Single Destination - SIEM
Firewall | IFW-CPF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-ALL-717-BP | Possible host enumeration over system ports - Firewall
Firewall | IFW-CAF-874-BP | Possible external host enumeration over system ports
Flow | FLW-ALL-872-TA | Possible lateral movement over network traffic - Flow
Flow | FLW-ALL-803-BP | Possible port scan from internal IP - Flow
Flow | FLW-ALL-861-ERR | Rare application for known protocols on network traffic - Flow
IDS / IPS / UTM / Threat Detection | IDS-ALL-800-BP | Abnormal number of alerts observed
IDS / IPS / UTM / Threat Detection | IDS-ALL-802-RU | Medium severity alert observed

IDS / IPS / UTM / Threat Detection | IDS-ALL-803-RU | High severity alert observed
Mainframe | MNF-ASO-811-BP | Abnormal Number of distinct jobs on Mainframe systems
Mainframe | MNF-ASO-809-ER | Rare audit Journal Value for a host
Mainframe | MNF-ASO-810-BP | Abnormal number of mainframe audit failures from an account
Microsoft Windows | WEL-ALL-967-ER | Explicit login to high privileged account
Microsoft Windows | WOS-317-ER | Rare local account created
Microsoft Windows | WOS-277-BP | Abnormal number of remote logons
Microsoft Windows | WOS-222-ER | Rare audit log clearing on Host
Microsoft Windows | WEL-ALL-711-ER | Rare execution of Regsvr32 process
Microsoft Windows | WOS-316-ER | Rare admin group member additions by user compared to peer
Microsoft Windows | WOS-221-ER | Rare privileged events performed by user compared to peer
Microsoft Windows | WOS-318-RU | Use of credential dumpers
Microsoft Windows | WOS-236-ER | Rare logon type detected for an account

Microsoft Windows | WEL-ALL-714-RU | Potential use of MSHTA executable to download malicious payload
Microsoft Windows | WOS-211-ER | Rare process creation on endpoint
Microsoft Windows | WEL-ALL-710-ER | Rare scripting executables spawned from known processes
Microsoft Windows | WOS-293-BP | Abnormal number of hosts accessed - Logon Success
Microsoft Windows | WOS-276-ER | Rare interactive logon by service account
Microsoft Windows | WEL-ALL-860-BP | Password spraying attempts from an IP - Microsoft Windows
Microsoft Windows | WOS-228-BP | Spike in number of password resets
Microsoft Windows | WOS-281-ER | Rare privilege enumeration event detected
Microsoft Windows | WEL-ALL-709-ER | Rare usage of netview commands
Microsoft Windows | WOS-240-BP | Spike in administrative shares accessed
Microsoft Windows | WEL-ALL-713-ER | Rare child or parent process involving MSHTA executable detected
Microsoft Windows | WOS-231-ER | Rare regedit usage compared to peer

Microsoft Windows | WOS-210-ER | Detection of a new admin account
Microsoft Windows | WEL-ALL-708-RU | Suspicious interactions on lsass process - Potential credential dumping
Microsoft Windows | WOS-229-ER | Rare registry modification by account
Microsoft Windows Powershell | PSH-ALL-1-RU | Suspicious Powershell Activity Function - Targeted - Possible Bloodhound Attack Analytic
Microsoft Windows Powershell | PSH-ALL-112-ER | Rare usage of remote management tools
Microsoft Windows Powershell | PSH-ALL-110-ER | Rare powershell privilege misuse
Microsoft Windows Powershell | PSH-ALL-113-ER | Rare encoded Powershell Command
Network Security | ACR-CIS-896-RU | Possible audit log tampering detected - ISE
Network Security | ACR-CIS-822-BP | Abnormal number of password changes compared to past behavior - ISE
Network Security | ACR-CIS-804-BP | Abnormal number of failed authentications compared to past behavior - ISE
Network Security | ACR-CIS-810-RU | Detection of new admin account authentication - ISE

Network Security | ACR-CIS-805-BP | Abnormal number of authorization failures compared to past behavior - ISE
Network Security | ACR-CIS-823-BP | Abnormal number of audit file deletions - ISE
Network Security | ACR-CIS-811-BP | Abnormal number of failed admin authentications compared to past behavior - ISE
Network Traffic Analytics | NTA-ALL-868-BP | Abnormal number of files downloaded - NTA
Network Traffic Analytics | NTA-ALL-833-BA | Abnormal Amount of Data Emailed to Competitor - NTA
Network Traffic Analytics | NTA-ALL-805-ER | Rare user-agent Detected - NTA
Network Traffic Analytics | NTA-ALL-843-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-838-BP | Abnormal number of files shared to Competitor Domains - NTA
Network Traffic Analytics | NTA-ALL-859-BP | Abnormal Number of Compressed Files Emailed - NTA
Network Traffic Analytics | NTA-ALL-801-TA | Rare dns host resolved - NTA
Network Traffic Analytics | NTA-ALL-825-BP | Abnormal Number of Emails to Personal Email - NTA

Network Traffic Analytics | NTA-ALL-845-BP | Abnormal number of DNS record type ANY queries observed - NTA
Network Traffic Analytics | NTA-ALL-840-BA | Abnormal Amount of Data Emailed to Nonbusiness Domain - NTA
Network Traffic Analytics | NTA-ALL-804-BA | Abnormal amount of data aggregated from FTP ports - NTA
Network Traffic Analytics | NTA-ALL-814-BA | Abnormal amount of files downloaded compared to past behavior - NTA
Network Traffic Analytics | NTA-ALL-808-BA | Abnormal amount of data uploads to external sites - NTA
Network Traffic Analytics | NTA-ALL-854-BA | Abnormal amount of data egressed to non-business domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-827-BP | Abnormal Number of Source Code Emailed - NTA
Network Traffic Analytics | NTA-ALL-800-BP | Abnormal Number of Emails to Competitor - NTA
Network Traffic Analytics | NTA-ALL-860-BP | Abnormal number of files shared to Non Business domains - NTA
Network Traffic Analytics | NTA-ALL-818-BP | Abnormal upload attempts to distinct storage sites - NTA

Network Traffic Analytics | NTA-ALL-828-BP | Abnormal number of file deletions compared to past behavior - NTA
Network Traffic Analytics | NTA-ALL-865-BA | Abnormal amount of data transmitted from known file transfer ports - NTA
Network Traffic Analytics | NTA-ALL-819-BA | Abnormal amount of data uploads to storage sites - NTA
Network Traffic Analytics | NTA-ALL-809-ER | DHCP request from rare device - NTA
Network Traffic Analytics | NTA-ALL-866-BP | Abnormal number of DHCP requests - NTA
Network Traffic Analytics | NTA-ALL-841-ER | Account accessing a file share never accessed before - NTA
Network Traffic Analytics | NTA-ALL-831-BP | Abnormal number of emails sent to competitor domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-867-BP | Abnormal Number of Email Forwards - NTA
Network Traffic Analytics | NTA-ALL-851-ER | Only member in the peer group to access a file share - NTA
Network Traffic Analytics | NTA-ALL-846-BA | Abnormal Amount of Data Emailed to Personal Email - NTA
Network Traffic Analytics | NTA-ALL-857-RU | Uploads to text storage websites - NTA

Network Traffic Analytics | NTA-ALL-836-ER | Account authenticating from rare geolocation on VPN - NTA
Network Traffic Analytics | NTA-ALL-812-BP | Abnormal Number of Emails to Nonbusiness Domains - NTA
Network Traffic Analytics | NTA-ALL-858-BP | Abnormal number of emails to non business domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-821-ER | Rare File Share Detected - NTA
Next Generation Firewall | IFW-ALL-1151-ER | Account authenticating from rare geolocation on VPN - Next Gen Firewall
Next Generation Firewall | NGF-760-ERR | Rare port used by applications on network traffic - Next Gen Firewall
Next Generation Firewall | IFW-ALL-881-RU | VPN Activity from Known Malicious Addresses - Next Gen Firewall
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | NGF-710 | Abnormal number of DNS zone transfers - Next Gen Firewall
Next Generation Firewall | IFW-ALL-805-RU | Possible Account Sharing - Next Gen Firewall
Next Generation Firewall | IFW-ALL-913-DB | Possible Enumeration over LDAP Port - SIEM

Next Generation Firewall | NGF-761-ERR | Rare application for known protocols on network traffic - Next Gen Firewall
Next Generation Firewall | IFW-ALL-910-RU | Activity by terminated user on Firewall - SIEM
Print | PRN-ALL-837-RU | Unauthorized printer usage
TestCaseGroup3 | TST-CDA-803-BP | SxTestCase1 - Account enumeration from a host
TestCaseGroup4 | TST-CDA-804-BP | SxTestCase2 - Host enumeration from an account
Unix / Linux / AIX | UNX-ALL-818-BP | Spike in SU authentication failures-Behavior
Unix / Linux / AIX | UNX-ALL-810-ER | Activity towards a rare hostname never connected before
Unix / Linux / AIX | UNX-ALL-815-BP | Abnormal high number of login failure - Remote Address
Unix / Linux / AIX | UNX-ALL-821-BP | Abnormal number of SU login failures - Target user enumeration
Unix / Linux / AIX | UNX-ALL-802-BP | Spike In Failed SSHD Logs-Behavior
Web Proxy | PXY-ALL-830-RU | Beaconing Traffic to proxy anonymizing websites

Web Proxy | PXY-ALL-869-RU | Detection of possible proxy circumvention
Web Proxy | PXY-ALL-920-TA-SIEM | Beaconing traffic to known black list site
Web Proxy | PXY-ALL-882-ERR-SIEM | Rare teleconferencing application accessed by an account
Web Server | WEB-ALL-809-ER | Possible SolarWinds SUPERNOVA i18n Malicious Activity Analytic
Web Server | WEB-ALL-810-RU | Possible SolarWinds SUPERNOVA Auth Bypass Exploitation Analytic
Web Application Firewall | IFW-ALL-729-BP | High number of attack signatures across the resource
Web Application Firewall | IFW-ALL-726-ERR | Rare geolocation for WAF host accessed
Web Application Firewall | IFW-ALL-727-ERR | Rare port and protocol combination
Web Application Firewall | IFW-ALL-728-BP | Abnormal number of distinct attack signatures detected on a host
Web Application Firewall | IFW-ALL-730-ERR | Rare attack signature detected

Known Issues

The following table describes the known issues that exist in this release:

Component | Summary
Analytics Service | The Spotter query does not return any result when you create a policy with the Batched Analytics technique.
Analytics Service | The custom-analyzer spark job fails while reading data from archive storage (HDFS).
Analytics Service | Scheduling does not work for Spotter based policies.
Analytics Service | When you delete datasource and activity data, the application does not delete the associated threat models.
Analytics Service | The Violation Summary screen displays incorrect information for the Check Against Lookup Table policy type when the policy has Not Equal and Does Not Contain operators.
Analytics Service | By default, the Violation Summary screen for AEE policies only displays 5 values irrespective of the threshold value.
Analytics Service | When you upgrade to SNYPR 6.4, the risk score for a few violators might reduce to zero.
Analytics Service | When you access a policy in the edit mode after upgrading to SNYPR 6.4, tier-2 checks created for a tenant are not displayed. However, this does not affect policy detection.
Hunting Service | After you upgrade to SNYPR 6.4, newly ingested data may not be visible in the Search Results view from Spotter. If your data is not visible, you must manually update the Spotter Cache to view your ingested data.
Hunting Service | The validation message is not displayed when the following queries are used in Spotter: index = activity and policyname not null.

Hunting Service | For index = geolocation queries, the pause job icon does not display the updated status when the query is paused from Spotter > View Jobs.
Hunting Service | The Eval from_unixtime displays an incorrect date and time.
Hunting Service | When you run a query with the Where operator to specify a range, the records are out of the specified range.
Hunting Service | The Delete operator does not work for archived queries.
Hunting Service | When you run a query with Stats Distinct and Filter together, the query does not display the result. However, it displays the number of matched records in SNYPR. For example:
    index= violation | FILTER index = riskscore and employeeid = employeeid and doctype = entity_threatmodel | STATS DISTINCT(accountname) department
Hunting Service | When you export and import a Data Insight dashboard, the original exported dashboard is overwritten by the imported dashboard.
Ingestion Service | When you modify the name of the RIN server, the data import stops working.
Ingestion Service | There are instances where the Parser Management screen of Activity Import takes time to load.
Ingestion Service | In Derived Fields, the File Name Extractor operator does not work when the value has a special character other than backslash and forward slash.
Ingestion Service | Action Filter to enrich using Persona information fails when multiple Persona Builder actions are applied.
Ingestion Service | The length of the tenant name can be up to 40 characters only.

Ingestion Service | When the size of the lookup import file is more than 5MB, the system takes a long time to preview the data in the file.
Ingestion Service | The Whitelisting feature does not support comparison operators for date and time attributes during User Import.
Response Service | You cannot have duplicate events within a single case.
Response Service | Only the initial events that were added to an incident will display in the Events view, within the Incident Management screen, regardless of any additional events you may add.
Response Service | Only the first 1,000 events are added to an incident from Spotter.
Response Service | When the incident data expires, the incident will no longer have events in it.
Response Service | The status of an incident will not display in the Graphical Analysis view within Incident Management.
Response Service | The Created By field in the Incidents panel displays as Admin when an incident is created during playbook execution by a non-admin user.
Response Service | When "Do you wish to stop action propagation for sub-incidents?" is enabled and an analyst updates the workflow for an incident with multiple threats, the workflow for the child incidents is updated. However, the Activity Stream of the child incidents does not record the workflow update.
Response Service | The Action History button is not displayed for a policy that has auto incident enabled.
Response Service | The watchlist widget displays the incorrect policy name for an entity when that entity is watchlisted in two different policies.
Response Service | When you perform an action from the Other Policy tab of the Security Command Center, the screen displays the message "Action taken in progress and may take some time." When the waiting period is complete, you can perform the action again.

Response Service | The system takes some time to retrieve the records based on the filter criteria specified while adding an attribute from Views > Whitelist.
Response Service | For an On-Demand Incident, the Tabular view does not display properly in Incident Management when events from different datasources are added to an incident.
Response Service | While assigning an incident, admin users and groups are not listed.
Response Service | The Incident Management screen does not display an entity's name when the entity is white-listed and an incident is created for the entity.
Response Service | When an incident is white-listed, the incident status does not update to Incident Status: Completed.
Response Service | The playbook status does not display when a user runs a playbook manually.
Response Service | The Take Action button is not visible on the Security Command Center when an auto incident is generated for a network address or uncorrelated account.
Response Service | The HTTP status code for the Anomali playbook is not shown in the displayed message.
Response Service | The correlated accounts are not included in the watchlist widget and are saved as uncorrelated accounts in View > Watchlist.
Response Service | When Securonix SOAR is enabled in SNYPR and you create a threat indicator for a new policy, the Create New Threat Indicator screen displays the list of child playbooks. Additionally, the screen displays as undefined when you enable auto playbook.
Shared Service | The Audit framework does not record when threat models are deleted.

Shared Service | The Auditing Report's file size differs based on the file format. The file size for DOC and RTF is larger than for other formats such as PDF, CSV, and XLS.
Shared Service | The Auditing screen displays an incorrect group name when entity metadata is deleted from the Job monitor.
Shared Service | The scheduled categorized report jobs are not listed in the Scheduled Report Jobs screen.
Shared Service (Multi-tenant) | In some scenarios, a null pointer exception error occurs when an admin user accesses Add Data modules.