SNYPR 6.3.1 Build 181059 0119 Release Notes

SNYPR 6.3.1 Build 190020_0610

Release Notes

Date Published: 7/8/2021


Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Release Notes 2

Table of Contents

Introduction 4
Improvements 5
Bug Fixes 7
What's New in Content 12
  New Connectors 12
  Contextual Connectors 16
  New Content 17
  Improved Content 33
  Deprecated Policies 53

Introduction

SNYPR 6.3.1 Build 190020_0610 includes improvements, bug fixes, connectors, and content.

Note: An INC number in the Summary column indicates a customer logged ticket that was resolved in this release.

Improvements

The following table describes the improvements included in this release:

Component | Summary
Analytics Service | Improved out-of-the-box policies to be enabled by default.
Analytics Service | Improved the processing time of the Violation Summary when a policy has a high violation count.
Analytics Service | Improved the behavior processing time for the Violation Extractor job. (INC-235167) (INC-235115)
Connector | Improved the Prisma Cloud connector to retrieve policy severity details.
Connector | Added an option to import user data from Splunk using RIN.
Hunting Service | Improved reliability and availability by adding the Solr circuit breaker to process the number of resources needed to execute a task.
Response Service | Improved the ServiceNow integration when the logger is enabled.
Shared Service | Added roles and group membership data fields in the audit report download.
Shared Service - Job Monitor | Improved the performance of the Job Monitor by allowing users to select any of the following options to refresh the Job Monitor screen: Live; Do Not Auto-refresh; Refresh on 30 seconds; Refresh on 60 seconds. Note: By default, the Do Not Auto-refresh option is enabled. (INC-233512) (INC-239737)

Bug Fixes

The following table describes the bug fixes included in this release:

Component | Summary
Analytics Service | Fixed the behavior violations to trigger as expected. (INC-239489)
Analytics Service | Fixed the whitelist functionality in Spotter to work as expected for an account or attribute. (INC-237818)
Analytics Service | Fixed an issue that caused the Individual Event Evaluator (IEE) job to fail. (INC-242709) (INC-243768)
Analytics Service | Fixed an issue that caused the IEE job to fail when the datetimelong value was parsed from raw events. (INC-241945) (INC-242591)
Analytics Service | Fixed an issue that caused the Risk Scoring job to fail upon startup.
Analytics Service | Fixed an issue that caused the Traffic Analyzer job to fail.
Analytics Service | Fixed an issue that caused the Traffic Analyzer job to fail upon restart.
Analytics Service | Fixed an issue that caused a null pointer exception error for the Traffic Analyzer job. (INC-242647) (INC-243146)
Analytics Service | Fixed an issue where the Beaconing job was unable to restart.
Analytics Service | Fixed the error that displayed for the Violation Extractor job.
Analytics Service | Fixed an issue that caused the Violation Extractor job to fail. (INC-240912)
Analytics Service | Fixed an issue in the job script that caused the Violation Extractor job to fail.
Analytics Service | Fixed an issue that caused the risk score job to fail when the reading indexer counted the topic data. (INC-239528)
Analytics Service | Fixed an issue when making changes to Policy Violations where the new changes would not save. (INC-241319) (INC-238017)
Analytics Service | Fixed the Violation Summary view to display the beaconing graph. (INC-240984)
Analytics Service | Fixed the Whitelist module to process firewall-based policies faster. (INC-236391)
Analytics Service | Fixed an issue that caused the Violation Summary to not display for behavioral policies. (INC-232989)
Analytics Service | Fixed the policy names to support Japanese characters.
Analytics Service | Fixed the error sending fetch requests.
Analytics Service | Fixed an issue that caused the behavior ID to duplicate when an event rarity policy was duplicated in SNYPR. (INC-237310)
Analytics Service | Fixed the Policy Violations to trigger as expected. (INC-233735)
Analytics Service | Fixed an issue when adding entities to an active list where the entity would not appear on the active list for two days. (INC-238629)
Analytics Service | Fixed the error that occurred when a user tried to delete a datasource from the UI. (INC-236501)
Analytics Service | Fixed an issue where the policy Category would not update when a policy was deployed from Sandbox to production. (INC-239358)
Analytics Service | Fixed the Sandbox functionality to update the policy category when a policy transitions to production. (INC-239358)
Analytics Service | Fixed the save functionality on a disabled policy to maintain the disabled value when a policy is saved. (INC-240829)
Analytics Service | Fixed the delete option to allow users to delete violations for identity policies. (INC-241691)
Connector | Fixed the user import process so that records with special characters can be imported correctly from OKTA. (INC-241638)
Hunting Service | Fixed the connectivity issue with Spark job 3.
Hunting Service | Fixed an issue that caused reports to not export all records in high availability mode from Spotter and Categorized Reports. (INC-237759)
Hunting Service | Fixed an issue that caused the Spotter query to remove special characters when the query was saved. (INC-238778)
Hunting Service | Fixed an issue that caused the Spotter UI to display a different count value compared to the exported Spotter report. (INC-236645)
Hunting Service | Fixed an issue that caused the Spotter UI to display a different count value compared to the data exported from archive. (INC-242025)
Hunting Service | Fixed an issue that caused incorrect attribute names on the Spotter report.
Hunting Service | Fixed an issue that caused the indexer to fail due to an inability to locate the SSL cert.
Hunting Service | Fixed an issue where the aggregate Max(eventide) was blank in reports.
Hunting Service | Fixed an issue that caused the indexer to fail due to the long character length of the URL.
Ingestion Service | Fixed an error so that TPI files can be imported successfully using RIN.
Response Service | Fixed inaccuracies within Incident Management. (INC-239650)
Response Service | Fixed an issue that caused notes to not display on violation events. (INC-235889)
Response Service | Fixed an issue that caused the Available Tenants filter to display incorrect tenants on Data Insight. (INC-235641)
Response Service | Fixed an issue in Incident Management that caused the Activity Stream to disregard initial case comments. (INC-241807) (INC-239491) (INC-237102)
Response Service | Fixed the risk score functionality to reset to zero when a non-concern action is set for a policy. (INC-236518)
Response Service | Fixed an issue where the bulk triage action would triage all violators, regardless of the granular access control settings. (INC-241679)
Response Service | Fixed an issue that caused an incorrect risk score to display on the Incident Management screen. (INC-241522)
Response Service | Fixed an issue that caused data protection violations to repeat after post-review. (INC-237807) (INC-236411)
Response Service | Fixed an issue that prevented auto cases from displaying in the Incident Management view. (INC-241031)
Response Service | Fixed an issue that caused the ingested events to connect to a closed incident instead of creating a new incident. (INC-229026)
Response Service | Fixed an issue where new violations would populate in existing incidents when a violation was closed. (INC-238763)
Response Service | Fixed an issue where the Incident Management search bar was unable to find results when a partial policy or IP address was used in the search bar. (INC-242793)
Response Service | Fixed the policy validation error that occurred with the ServiceNow integration. (INC-236980)
Shared Service - Email | Fixed the email notification for activity import so that users are notified based on the parameters configured. (INC-240498)
Shared Service, Ingestion Service | Fixed an error to display the correct time SNYPR ingests an event in the following modules: Activity Import, emails, and Notifications. (INC-239464)
Shared Service | Fixed Users to display status codes for employees in User Details. (INC-238354)
Shared Service | Fixed an issue to ensure scheduled reports are sent as an attachment to emails. (INC-237558)
Shared Service | Fixed an expired SSL certificate. (INC-236996)
Shared Service | Fixed the Job Monitor screen to display correct data. (INC-242239) (INC-242880) (INC-243421)
Shared Service | Fixed an issue so that the correct reports are merged when you merge multiple Spotter reports into one report. (INC-242526)

What's New in Content

This section lists the following updates to content:

- New and improved connectors
- Contextual connectors
- Beta connectors
- New and improved content
- Deprecated parsers and policies

New Connectors

The following connectors for activity import are included in this release:

Vendor | Functionality | Device Type | Collection Method | Format
ActivIdentity / HID Global | Physical Security / Badging | ActivIdentity HID Global | Syslog | JSON
Amazon Inc | Cloud Services / Applications | AWS Cloud Trail | Awssqss3 | JSON
Amazon Inc | AWS Cloud Services / Applications | AWS Cloudwatch | Awssqss3 | Regex
Anaplan | Cloud Application Audit | Anaplan Audit | Anaplan | JSON
Atlassian Corporation Plc | IT Service Management | Jira | Jira | JSON
Atlassian Corporation Plc | Cloud Application Audit | Confluence Audit | Confluence | JSON
Brivo | Physical Security / Badging | Brivo OnAir - Access | Brivoonair | JSON
Carbon Black | Endpoint Management Systems | Carbon Black Defense - Audit | Carbonblack | JSON
Carbon Black | Endpoint Management Systems | Carbon Black Defense - Alert | Carbonblack | JSON
Carbon Black | Endpoint Management Systems | Carbon Black Defense - V2 | Carbonblack | JSON
Cloudflare | Firewall | Cloudflare | Cloudflarefirewall | JSON
CloudKnox | Access / Identity Management | CloudKnox Alerts | cloudknox | JSON
CloudKnox | Access / Privileged User | CloudKnox Activities | Googlereport2 | JSON
Google | Identity Access Management | Users Accounts | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google Chat | Googlereport2 | JSON
Google | Authentication / SSO / Single Sign-On | Google Token | Googlereport2 | JSON
Google | Access / Privileged User | Access Transparency | Googlereport2 | JSON
Google | Mobile Device Management | Google Mobile | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google Calendar | Googlereport2 | JSON
Google | Access / Identity Management | Google Groups Enterprise | Googlereport2 | JSON
Google | Access / Identity Management | Google Groups | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google GPlus | Googlereport2 | JSON
Google | Cloud Authentication / SSO / Single Sign-On | Google SAML | Googlereport2 | JSON
Google | Data Loss Prevention / Network DLP | Google Rules | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google Meet | Googlereport2 | JSON
Imperva Inc. | Web Application Firewall | Imperva Web Application Firewall | Impervacloudwaf | CEF
Informatica | Authentication / SSO / Single Sign-On | Informatica Authentication | Informatica | JSON
Microsoft Corporation | Cloud Services / Applications | Azure Active Directory Sign In | Azurereport | Key Value Pair
OS Query | Operating System Instrumentation Framework | OS Query Logs | Syslog | JSON
Pager Duty | IT Infrastructure Monitoring | Pager Duty | pagerdutyincidents | JSON
Palo Alto Networks | IDS / IPS / UTM / Threat Detection | Prisma Audit | Prismacloud | JSON
Proofpoint | Cloud Email / Email Security | Proofpoint Email Isolation | Proofpointisolation | JSON
Proofpoint Inc. | Application Audit | Proofpoint Security Awareness Training | Proofpointsat | JSON
SecurityScorecard | Security Analytics Platform | Security Scorecard - Company Grade | Securityscorecard | JSON
SecurityScorecard | Security Analytics Platform | Security Scorecard - Company risk category score | Securityscorecard | JSON
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | Symantecendpoint | JSON
Tenable | Vulnerability Scanners | Tenable Response | Tenable | JSON
Verizon Digital Media Services | Web Application Firewall | Edgecast | Verizonedgecast | JSON
Workday Inc. | Access / Identity Management | Workday Audit | Workday | Key Value Pair

Contextual Connectors

This section lists connectors required to ingest the following types of data:

- Entity Metadata
- Lookup Data
- Third Party Intelligence
- Users

The following contextual connectors are included in this release:

Vendor | Type
CSW Risksense | Entity Metadata
FireEye Mandiant | Third Party Intelligence
ZeroFox | Third Party Intelligence

The following contextual connector is improved in this release:

Vendor | Type
Splunk | User Data

New Content

The following new policies are added in this release:

Functionality | Policy ID | Policy Name
Access / Identity Management | ACI-ALL-800-ERR | User changing job detection
Access / Identity Management | ACI-ALL-801-BP | Abnormal number of inactivate organization activity
Access / Identity Management | ACI-ALL-802-ERR | Business process definition edited
Access / Identity Management | ACI-ALL-803-ERR | Rare user assigning roles
Access / Identity Management | ACI-ALL-804-PO | Rare user assigning roles compared to peers
Access / Identity Management | ACI-ALL-805-ERR | Rare user assigning user-based security groups for person
Access / Privileged User | ACP-ALL-806-RU | Customer initiated access by Google to respond to a third party data request - Google access transparency
Access / Privileged User | ACP-ALL-807-RU | Google initiated service detected - Google Access Transparency
Access / Privileged User | ACP-ALL-808-ERR | Google initiated review - access detected from a rare geolocation
Access / Privileged User | ACP-ALL-809-BP | Google initiated review - account accessing multiple resources
Business Collaboration Platforms | BCP-ALL-801-DB | Abnormal number of files downloaded from the chat - Gsuite
Business Collaboration Platforms | BCP-ALL-802-DB | Abnormal number of files uploaded to the chat - Gsuite
Cloud Application Audit | CAAU-SF-740-RU | Account impersonation
Cloud Application Audit | CAAU-SF-741-DB | Huge Number Of Password Change
Cloud Application Audit | CAAU-SF-738-RU | Account activated tracking policy
Cloud Application Audit | CAAU-SF-739-RU | Recently activated account de-activated within a short duration of time
Cloud Application Audit | CAAU-SF-744-RU | User changing email to personal email
Cloud Application Audit | CAAU-SF-743-RU | User changing email to non-business email
Cloud Application Audit | CAAU-SF-759-RU | User changing email to non-internal email
Cloud Application Audit | CAAU-SF-746-RU | User changing email to a disposable email address
Cloud Application Audit | CAAU-SF-792-BP | Abnormal frequency of target accounts logged in as
Cloud Application Audit | CAAU-SF-742-RU | Non admin account logging in as admin account
Cloud Application Audit | CAAU-SF-791-TA | Phone number registered for multiple users
Cloud Application Audit | CAAU-ALL-808-BP | Abnormal number of login failures detected
Cloud Application Audit | CAAU-ALL-809-ERR | Login from a Rare geolocation
Cloud Application Audit | CAAU-ALL-810-BP | Abnormal number of distinct recipes stopped by an account
Cloud Application Audit | CAAU-ALL-811-BP | Abnormal number of distinct recipe deleted by an account
Cloud Application Audit | CAAU-ALL-812-RU | Account was observed disabling multifactor authentication
Cloud Application Audit | CAAU-ALL-813-ERR | Rare account deleting API policy
Cloud Application Audit | CAAU-ALL-814-ERR | Rare account disabling audit log streaming
Cloud Application Audit | CAAU-ALL-815-LS | Impossible Travel Alert Detected
Cloud Application Audit | CAAU-ALL-816-ERR | Rare account delegating admin account access
Cloud Application Audit | CAAU-ALL-817-DB | Role creation followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-818-ERR | Rare account adding a new connection
Cloud Application Audit | CAAU-ALL-819-DB | Account deleting multiple folders within a short period
Cloud Application Audit | CAAU-ALL-820-ERR | Rare account updating pub Sub topic
Cloud Application Audit | CAAU-ALL-821-ERR | Rare account creating pub Sub topic
Cloud Application Audit | CAAU-ALL-822-DB | Delegated admin addition followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-823-ERR | Rare account updating delegated admin password
Cloud Application Audit | CAAU-ALL-824-ERR | Connection Disconnected by a Rare Account
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-847-BA | Abnormal volume of file downloads from Salesforce-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-448-BA | Abnormal volume of data egressed using REST API requests-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-449-BA | Abnormal volume of data egressed via Visualforce requests-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-450-DB | Large number of target accounts used for delegated login-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-451-BP | Abnormal number of target accounts used for delegated login-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-845-ER | Rare user performing delegated logon-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-846-ER | Installation of rare unmanaged package detected across organization-165
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-747-TA | Successful Logon of admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-RU | Successful login following a spike in failed logins for an Admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-752-LS | Landspeed anomaly detected for an account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-BP | Abnormal number of failed logons from Admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-745-TA | Successful Logon detected for a Non-admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-848-BP | Abnormal number of logon failures from Non-admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-751-DB | Account logging in from multiple countries in a day
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-755-ERR | Rare Application Accessing SalesForceCom API
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-886-BP | Abnormal Number of Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-887-BP | Abnormal Number of Admin Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-888-DB | Password spraying attempt from an IP on multiple accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-789-TA | Robotic Pattern Observed from an IP - Failed Login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-790-ERR | Successful Logon detected from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-792-ERR | Successful Logon detected from for an admin account in a rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-893-LS | Landspeed anomaly detected for an admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-794-RU | User changing email to non-business email
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-795-DB | Recently activated account de-activated within a short duration of time
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-726-BP | Abnormal number of Account Lockout events
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-723-TA | Robotic Pattern Observed - Failed Login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-847-BA | Abnormal volume of file downloads from Salesforce
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-727-ERR | Rare User Agent Used For Log In
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-725-ER | Authentication from rare geolocation
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-748-BA | Abnormal volume of data egressed using REST API requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-728-BP | Possible User Enumeration Observed from an IPAddress
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-724-DB-SIEM | High number of failed login attempts - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-749-BA | Abnormal volume of data egressed via Visualforce requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-734-BP | Anomalous Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-DB | Large number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-722-LS | Landspeed Anomaly
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-719-DB | High Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-729-DB-SIEM | Multiple number of Failure followed by Success - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-754-BP | Abnormal number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-845-ERR | Rare user performing delegated logon
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-ERR | Installation of rare unmanaged package detected across organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-721-RU | LoginAs Activity was observed with access of other User
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-852-ERR | Rare combination of Country and State observed for user authenticating to multifactor device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-808-DB | Abnormal amount of login attempt detected on Duo MFA
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-812-RU | Authentication anomaly-Country Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-811-RU | Authentication anomaly-State Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-851-ERR | Rare combination of Country and State observed for user authenticating to access device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-809-LS | Landspeed Anomaly detected
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-827-ERR | Logon from a rare country
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-853-ERR | Authentication to access device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-854-ERR | Authentication to MFA device observed from rare country for user
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-855-ERR | Authentication to MFA device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-856-RU | Successful inline enrollment on Duo by uncorrelated account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-857-ERR | User performing inline enrollment on Duo from rare country compared to entire organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-858-TA | Successful inline enrollment of multiple accounts on a single device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-859-ERR | Successful login using bypass code from rare location compared to rest of organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-860-RU | Failed Authentication attempt marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-861-DB | Multiple failed Authentication attempts marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-850-RU | User enrolling from a country different from work location
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-885-BP | Password spraying attempts for one account on multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-831-RU | Successful password spraying attempt from one account to multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-776-RU | Successful login following a spike in failed logins for a Non-admin account
Cloud Content Management System | CCMS-ALL-840-BP | Abnormal number of files downloaded
Cloud Services / Applications | CSA-ALL-854-ERR | ListBuckets API query on AWS S3 infrastructure from rare country
Cloud Services / Applications | CSA-ALL-855-ERR | ListBuckets API query from account with unusual Role
Cloud Services / Applications | CSA-ALL-856-BP | Abnormal frequency of ListBuckets API queries for Account
Cloud Services / Applications | CSA-ALL-857-BP | Abnormal frequency of GetObject API queries for Account
Cloud Services / Applications | CSA-ALL-858-ERR | S3 bucket accessed from Rare User Agent
Cloud Services / Applications | CSA-ALL-856-ERR | AWS Instance started or terminated from rare country
Content Management System | CMS-ALL-831-BP | Abnormal number of files downloaded -CMS
Endpoint Management Systems | EDR-ALL-71-BP | Possible Ransomware infection involving use of staging commands on abnormally large number of hosts
Endpoint Management Systems | EDR-ALL-881-RU | Suspicious creation and execution of Batch file followed by immediate deletion
Endpoint Management Systems | EDR-ALL-883-ERR | W3WP establishing network communication with rare external address
Endpoint Management Systems | EDR-ALL-882-RU | Suspicious modification of SSP configuration via Registry
Endpoint Management Systems | EDR-ALL-884-ERR | Possible Webshell created In Unusual file location
Endpoint Management Systems | EDR-ALL-885-RU | Possible execution of China Chopper Web Shell via Command line
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-887-RU | Process dump using COM Plus Service DLL via CommandLine
Endpoint Management Systems | EDR-ALL-888-BP | Abnormal frequency of application errors in IIS worker process
Endpoint Management Systems | EDR-ALL-889-RU | Reverse shell connection established via Powershell on Host
Endpoint Management Systems | EDR-ALL-890-RU | Suspicious path of execution of Visual Studio Performance Monitor Executable on Hafnium Infected host
Endpoint Management Systems | EDR-ALL-891-RU | Suspicious spawning of Opera Browser process on Hafnium infected host
Endpoint Management Systems | EDR-ALL-892-RU | Suspicious DLL Side loading attempt from Opera browser process on Hafnium infected host
Endpoint Management Systems | EDR-ALL-893-RU | Suspicious use of Vssadmin List Shadows command on Hafnium infected host
Endpoint Management Systems | EDR-ALL-894-RU | Suspicious Scheduled task created on Hafnium infected host
Endpoint Management Systems | EDR-ALL-895-RU | Suspicious modification of ASPX file attributes
Endpoint Management Systems | EDR-ALL-896-RU | Suspicious child process spawned by Microsoft Exchange
Endpoint Management Systems | EDR-ALL-897-RU | Email collection detected via Powershell
Endpoint Management Systems | EDR-ALL-185-ER | Potential use of suspicious stager - Rare destination port used by LOLBIN executable on host to establish outbound communication
Endpoint Management Systems | EDR-ALL-883-ERR | W3WP establishing network communication with rare external address
Endpoint Management Systems | EDR-ALL-882-RU | Suspicious modification of SSP configuration via Registry
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-161-RU | Possible Egregor Ransomware Rclone To Svchost LOL Rename Analytic
Endpoint Management Systems | EDR-ALL-162-RU | Possible Malicious Certificate Export Analytic
Endpoint Management Systems | EDR-ALL-163-RU | Possible SUNSPOT Variant Dropped Artifact Analytic
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Essential Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-111-ER | Proxied execution of potentially suspicious process via binaries signed by trusted entities
Endpoint Management Systems | EDR-ALL-109-RU | Possible use of renamed LOL helper tool payload by malware - executable and hash tracking

Endpoint Management Systems

EDR-ALL-110-RUPossible use of renamed LOL helper tool payload by malware - renamed payload executed

Endpoint Management Systems

EDR-ALL-3-BPAbnormal number of encrypted files created

File Integrity Monitoring FIM-ALL-801-ERRRare FIM WebServer or FS File Change Analytic

Identity Access Management

IAM-ALL-801-DBPassword spraying attempts from an IP

Identity Access Management

IAM-ALL-802-RUSuccessful Password spraying attack from an IP

Identity Access Management

IAM-ALL-803-BPAbnormal frequency of authentication failures for an account

SNYPR Release Notes 28

Page 29: SNYPR 6.3.1 Build 181059 0119 Release Notes

What's New in Content

Functionality Policy ID Policy Name

Identity Access Management

IAM-ALL-807-RUSuccessful authentication following an abnormal frequency of authentication failures

Identity Access Management

IAM-ALL-806-ERRAccount authenticating to Azure AD from rare country

Identity Access Management

IAM-ALL-804-ERRAccount authenticating to Azure AD from rare country across the organization

Identity Access Management

IAM-ALL-805-LSLandspeed anomaly detected on Azure AD

Identity Access Management

IAM-ALL-808-RUMulti Factor Authentication Disabled

Identity Access Management

IAM-ALL-809-RUAccount Recovery Information Changed

Identity Access Management

IAM-ALL-810-RUAdvance protection disabled for an account

Identity Access Management

IAM-ALL-811-DBAbnormal number of password change attempts

Microsoft Windows WEL-ALL-976-ERRUse of explicit credentials by a rare account - Account sharing or Password misuse

Microsoft Windows WEL-ALL-850-DBPossible Hexacorn-style Shellcode Execution Analytic

Microsoft Windows WEL-ALL-862-RUPossible Zerologon attack using tools

Microsoft Windows WEL-ALL-13-DBTicket Encryption and Ticket Options Analytic

Microsoft Windows WEL-ALL-30-BPPeak LsaRegisterLogonProcess Increase Analytic

Microsoft Windows WEL-ALL-15-BPPeak Distinct Account Change For Source User Analytic

SNYPR Release Notes 29

Microsoft Windows Powershell | PSH-ALL-116-RU | Use of Powershell for email collection
Microsoft Windows Powershell | PSH-ALL-117-RU | Reverse shell connection established via Powershell on Host - Powershell Scriptblock logs
Microsoft Windows Powershell | PSH-ALL-118-RU | Use of Powercat tool to establish reverse shell on Host
Microsoft Windows Powershell | PSH-ALL-115-RU | Possible GoldenSAML Certificate Export Events Analytic
Microsoft Windows Powershell | PSH-ALL-7-RU | Possible Reflection Assembly Weaponization Activity Analytic
Network Traffic Analytics | NTA-ALL-880-BA | Abnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics | NTA-ALL-881-BA | Abnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics | NTA-ALL-882-BA | Abnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics | NTA-ALL-883-BA | Abnormal amount of data transmitted over covert channels - NTA
Network Traffic Analytics | NTA-ALL-884-BP | Possible host enumeration over system ports - Internal - NTA
Network Traffic Analytics | NTA-ALL-885-DB | Possible host enumeration over system ports - External - NTA
Network Traffic Analytics | NTA-ALL-886-DB | Possible port scan from external IP Address - NTA
Network Traffic Analytics | NTA-ALL-887-DB | Possible port scan from internal IP Address - NTA
Next Generation Firewall | NGF-ALL-800-BP | Possible port scanning from internal IP Address - Next Gen Firewall
Physical Security / Badging | PHY-ALL-808-RU | Failed access attempt detected from a user to the facility
Physical Security / Badging | PHY-ALL-809-RU | High number of failed entry attempts detected from the user
Physical Security / Badging | PHY-ALL-810-ERR | Rare account making changes to the physical security device
Physical Security / Badging | PHY-ALL-811-RU | Board Communication Failure Cleared
Physical Security / Badging | PHY-ALL-812-DB | User had unauthorized attempts across multiple locations
Virtualization / Containers | VIR-ALL-801-DB | Multiple virtual machines shutdown - vCenter
Virtualization / Containers | VIR-ALL-802-DB | High number of virtual machines deleted - vCenter
Virtualization / Containers | VIR-ALL-803-DB | High CPU usage on ESXi hosts during Non-Business hours - vCenter
Virtualization / Containers | VIR-ALL-804-DB | High number of snapshots created - vCenter
Virtualization / Containers | VIR-ALL-805-DB | BruteForce attempts on user account of VM or ESXi or vCenter
Virtualization / Containers | VIR-ALL-809-BP | Multiple Virtual Machine Images Downloaded by an Account - vCenter
Virtualization / Containers | VIR-ALL-806-DB | VM Snapshot creation followed by Snapshot Memory file or State file download - vCenter
Virtualization / Containers | VIR-ALL-810-BP | Abnormal number of virtual machines deleted - vCenter
Virtualization / Containers | VIR-ALL-807-DB | High number of virtual machines cloned - vCenter
Virtualization / Containers | VIR-ALL-808-ERR | New account created on virtual machine
Virtualization / Containers | VIR-ALL-811-BP | Host enumeration attempt detected from an account
Web Application Firewall | IFW-ALL-820-ER | Possible LFI Detection
Web Application Firewall | IFW-ALL-821-DB | Unusual URL Redirection
Web Application Firewall | IFW-ALL-822-RU | Suspicious Process Observed Over URL
Web Application Firewall | IFW-ALL-823-RU | Remote Command Execution
Web Application Firewall | IFW-ALL-824-RU | Communication to Malware OR Trojan Suspicious Port
Web Application Firewall | IFW-ALL-825-ER | Rare Content Type Observed
Web Application Firewall | IFW-ALL-826-DB | Circumvention over URL Response Code
Web Application Firewall | IFW-ALL-827-ER | Unusual web requests
Web Application Firewall | IFW-ALL-828-DB | Possible Server Outage by Multiple Request
Web Application Firewall | IFW-ALL-829-DB | Multiple Allowed Attack Detection Over Insecure HTTP Version
Web Servers | WEB-ALL-810-RU | Possible SolarWinds SUPERNOVA Auth Bypass Exploitation Analytic
Web Servers | WEB-ALL-809-ER | Possible SolarWinds SUPERNOVA i18n Malicious Activity Analytic

Improved Content

The following content was improved in this release:

Functionality | Signature ID | Policy Name

Access / Identity Management | ACI-ALL-802-ERR | Business Process definition Edited
Antivirus / Malware / EDR | EDR-ALL-769-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic - AVEDR
Antivirus / Malware / EDR | EDR-ALL-840-ERR | Rare file hashes for high severity endpoint alerts - EDR
Antivirus / Malware / EDR | EDR-ALL-838-BP | Abnormal number of high severity endpoint alerts - EDR
Antivirus / Malware / EDR | EDR-ALL-844-RU | Use of credential dumpers - EDR
Antivirus / Malware / EDR | EDR-ALL-747-RU | MS EquationEditor process spawning child process - AVEDR
Antivirus / Malware / EDR | EDR-ALL-726-RU | Potential use of Rubeus attack tool detected via command line - AVEDR
Antivirus / Malware / EDR | EDR-ALL-799-ER | Possible Malicious Implant In-Memory Compilation Analytic - AVEDR
Antivirus / Malware / EDR | EDR-ALL-740-RU | Suspicious Process Activity - Targeted - Known Credential Dumping Tools Use Analytic - AVEDR
Antivirus / Malware / EDR | EDR-ALL-654-BP | Abnormal number of Self Worker Process Execution - AVEDR
Antivirus / Malware / EDR | EDR-ALL-762-ER | Potential attempt to bypass UAC using Eventvwr - AVEDR
Authentication / VPN | VPN-ALL-803-DB | Password Spraying Attack Detected VPN - SIEM
Authentication / VPN | VPN-ALL-801-DB | Concurrent VPN from Multiple cities - SIEM
Authentication / VPN | VPN-ALL-815-DB | Accounts authenticating from multiple IPs - SIEM
Cloud Antivirus / Malware / EDR | CEDR-ALL-839-BP | Abnormal number of high severity endpoint alerts - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-845-RU | Use of credential dumpers - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-19-RU | Potential Mimikatz CommandLine Usage - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-26-RU | Potential use of Rubeus attack tool detected via command line - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-47-RU | MS EquationEditor process spawning child process - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-40-RU | Suspicious Process Activity - Targeted - Known Credential Dumping Tools Use Analytic - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-154-BP | Abnormal number of Self Worker Process Execution - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-62-ER | Potential attempt to bypass UAC using Eventvwr - Cloud EDR
Cloud Application Audit | CAAU-ALL-800-RU | Potential account compromise - Exchange
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-843-DB | Login failure to Deleted Account - SIEM - SSO
Cloud Content Management System | CCMS-ALL-805-BP | Abnormal number of files shared with Competitor email address
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Cloud Content Management System | CCMS-ALL-802-ERR | Account Activity detected from Rare Country
Cloud Content Management System | CCMS-ALL-804-BP | Abnormal number of files shared with personal account
Cloud Content Management System | CCMS-ALL-810-BP | Abnormal number of files downloaded by an account
Cloud Content Management System | CCMS-ALL-807-RU | File activity performed by terminated user
Cloud Content Management System | CCMS-ALL-801-ER | Suspicious Modification of Privileges for Documents
Cloud Content Management System | CCMS-ALL-816-BP | Abnormal number of files deleted by an account
Cloud Content Management System | CCMS-ALL-812-ER | Rare Operation performed by a User
Cloud Content Management System | CCMS-ALL-814-BP | Abnormal Number of files Printed compared to past behavior
Cloud Content Management System | CCMS-ALL-815-DB | Recovering Files along with Data Egress
Cloud Content Management System | CCMS-ALL-809-ERR | Account accessing file path never accessed before
Cloud Content Management System | CCMS-ALL-806-BP | Abnormal number of files shared with Non Business account
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-811-LS | Landspeed Anomaly - Cloud Content Management System
Cloud Content Management System | CCMS-ALL-813-RU | File shared with Non business account
Cloud Content Management System | CCMS-ALL-835-BP | Abnormal number of files downloaded compared to peers
Cloud Content Management System | CCMS-ALL-836-BP | Abnormal number of files uploaded
Cloud Content Management System | CCMS-ALL-820-DB | Multiple Files shared with Non Business Accounts
Cloud Content Management System | CCMS-ALL-837-RU | File shared with personal account
Cloud Content Management System | CCMS-ALL-821-DB | Multiple Files shared with Account having competitor domain
Cloud Content Management System | CCMS-ALL-822-RU | Critical files shared with external Account
Cloud Content Management System | CCMS-ALL-823-RU | Corporate documents made public
Cloud Content Management System | CCMS-ALL-838-BP | Abnormal Number of Corporate documents made public
Cloud Content Management System | CCMS-ALL-824-DB | External account accessing multiple critical files
Cloud Content Management System | CCMS-ALL-825-DB | External account downloading high number of files
Cloud Content Management System | CCMS-ALL-839-BP | External account downloading abnormally high number of files
Cloud Content Management System | CCMS-ALL-826-RU | Activity from personal account belonging to company employee
Cloud Content Management System | CCMS-ALL-827-DB | Account activity from multiple countries in a day
Cloud Content Management System | CCMS-ALL-828-ERR | Account activity from a country rare to the organization
Cloud Content Management System | CCMS-ALL-829-ERR | Account activity from a country rare for the user
Cloud Content Management System | CCMS-ALL-830-LS | Landspeed anomaly detected for account
Cloud Content Management System | CCMS-ALL-831-RU | Activity from suspicious IP
Cloud Content Management System | CCMS-ALL-832-RU | User Changing Document Visibility to Anyone with a link-240
Cloud Content Management System | CCMS-ALL-808-ER | User performing unusual activity compared to peers
Cloud Email / Email Security | CEML-ALL-820-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - Cloud Email
Cloud Email / Email Security | CEML-ALL-830-BP | Abnormal Number of Emails to Personal Email - Cloud Email
Cloud Email / Email Security | CEML-ALL-808-BP | Abnormal Number of Email Forwards - Cloud Email
Content Management System | CMS-ALL-846-BP | Abnormal number of files shared with Non Business account - CMS
Content Management System | CMS-ALL-847-BP | Abnormal number of files downloaded by an account - CMS
Cloud Services / Applications | CSA-ALL-848-BP | Abnormal number of distinct Pods accessed - Kubernetes
Cloud Services / Applications | CSA-AWS-743-ER | Temporary Credentials Generated by a User
Cloud Services / Applications | CSA-AWS-741-ER | Account Created New LoginProfile
Data Loss Prevention / Endpoint DLP | EDLP-ALL-827-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-821-BA | Abnormal amount of data egressed to non-business domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-828-BP | Abnormal number of emails sent to competitor domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-802-BP | Abnormal number of emails to non business domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-804-BP | Abnormal number of files printed compared to peer
Database Audit | DBS-ALL-820-BP | Abnormal number of tables dropped or truncated
Database Audit | DBS-ALL-815-BP | Abnormal number of alter or update statements executed on a database
DNS / DHCP | DNS-ALL-805-TA | Randomly generated domain detected in DNS response
Email / Email Security | EML-ALL-816-RU | Flight Risk Behavior Exhibited In Emails
Email / Email Security | EML-ALL-805-BP | Abnormal Number of Email Forwards
Email / Email Security | EML-ALL-808-BP | Abnormal Number of Emails to Personal Email
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-79-ER | Suspicious use of cradle - rare child process spawned from script interpreter
Endpoint Management Systems | EDR-ALL-57-ER | Rare process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-89-RU | Potential UAC bypass CSC executing payload from temp directory on host
Endpoint Management Systems | EDR-ALL-69-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic
Endpoint Management Systems | EDR-ALL-11-RU | Possible Wdigest downgrade via registry modification
Endpoint Management Systems | EDR-ALL-28-RU | Potential Phishing URL received over an email
Endpoint Management Systems | EDR-ALL-32-RU | Suspicious Process Activity - Sysmon Termination
Endpoint Management Systems | EDR-ALL-31-RU | Potential Phishing attack - Suspicious process spawned from MS office applications via infected attachment
Endpoint Management Systems | EDR-ALL-43-RU | Potential DLL injection using LoadLibrary API call
Endpoint Management Systems | EDR-ALL-40-RU | Suspicious Process Activity - Targeted - Known Credential Dumping Tools Use Analytic
Endpoint Management Systems | EDR-ALL-846-ER | Rare file hash detected on the network - endpoint monitoring
Endpoint Management Systems | EDR-ALL-25-RU | Suspicious Covertness Command Line Arguments
Endpoint Management Systems | EDR-ALL-48-ER | Unusual process adding a file in Startup Menu
Endpoint Management Systems | EDR-ALL-66-RU | Suspicious executable File creation - WebDAV File
Endpoint Management Systems | EDR-ALL-27-RU | Suspicious use of UNC Path for credential stealing
Endpoint Management Systems | EDR-ALL-815-RU | Use of credential dumpers - endpoint monitoring
Endpoint Management Systems | EDR-ALL-29-RU | Suspicious Document Received over an email
Endpoint Management Systems | EDR-ALL-19-RU | Potential Mimikatz CommandLine Usage
Endpoint Management Systems | EDR-ALL-46-RU | Possible Usage Of Keyloggers Abusing Nirsoft Tool Commands
Endpoint Management Systems | EDR-ALL-116-RU | Possible SUNBURST Implant Activity Analytic
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-96-ER | Potential InstallUtil-based Attack Payload Staging Analytic
Endpoint Management Systems | EDR-ALL-97-ER | Possible Stealthy Malicious Payload Assembly Unusual MSBuild Use Analytic
Endpoint Management Systems | EDR-ALL-98-RU | Peak Ransomware Backup Process Termination Analytic
Endpoint Management Systems | EDR-ALL-92-RU | Potential UACBypass CMSTP Inf Vector Analytic
Endpoint Management Systems | EDR-ALL-91-ER | Potential CLR injection - Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-93-RU | Suspicious Process Execution - Targeted - Possible Initial Infiltration Via Fake Chrome Update Analytic
Endpoint Management Systems | EDR-ALL-94-RU | Potential attempt to modify Firewall Rules
Endpoint Management Systems | EDR-ALL-82-RU | Potential use of Powershell stager to establish C2 communication
Endpoint Management Systems | EDR-ALL-73-ER | Suspicious Process Activity - Rare Executable File Or Script Creation Analytic
Endpoint Management Systems | EDR-ALL-33-RU | Potential Golden and Silver Ticket Forging Attack Commands
Endpoint Management Systems | EDR-ALL-30-ER | Possible Phishing document - Rare process spawned from Office Applications
Endpoint Management Systems | EDR-ALL-24-ER | Escalation of privilege via modification of AppInit DLL registry detected on host
Endpoint Management Systems | EDR-ALL-139-RU | Suspicious Registry modification - Internal monologue attack via NTLM version downgrade
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Esentutl Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-40-BP | Possible token enumeration - Peak process token access analytic
Endpoint Management Systems | EDR-ALL-101-BP | Possible Meterpreter Process Enumeration Analytic
Endpoint Management Systems | EDR-ALL-42-ERR | InternetExplorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-64-ERR | Rare Unsigned DLL Load For Process Potential DLL Hijacking Side-Loading Analytic
Endpoint Management Systems | EDR-ALL-65-ERR | Rare Signed DLL Load For Process Potential DLL Hijacking Side Loading Analytic
Endpoint Management Systems | EDR-ALL-91-ERR | Potential CLR injection Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-105-ERR | Possible Process Hollowing Herpaderping Rare Image Tampering Analytic
Endpoint Management Systems | EDR-ALL-114-RU | Possible TEARDROP Malicious Payload Variant Analytic
Endpoint Management Systems | EDR-ALL-115-RU | Rule Internet Explorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-61-RU | Malicious Named Pipes Analytic
Endpoint Management Systems | EDR-ALL-114-ERR | Possible ADFSDump Malicious Certificate Extraction Named Pipe Analytic
Endpoint Management Systems | EDR-ALL-117-ERR | Possible RAINDROP Variant Artifact Analytic
Endpoint Management Systems | EDR-ALL-118-ERR | Possible Cobalt Strike Beacon NamedPipe Use Artifact Analytic
Endpoint Management Systems | EDR-ALL-119-ERR | Watching the Watchers - Possible Trojaned Vendor Executable Named Pipe Discrepancy Analytic
Endpoint Management Systems | EDR-ALL-884-ERR | Possible Webshell created In Unusual file location
Endpoint Management Systems | EDR-ALL-881-RU | Suspicious creation and execution of Batch file followed by immediate deletion
Endpoint Management Systems | EDR-ALL-885-RU | Possible execution of China Chopper Web Shell via Command line
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-887-RU | Process dump using COM Plus Service DLL via CommandLine
Endpoint Management Systems | EDR-ALL-888-BP | Abnormal frequency of application errors in IIS worker process
Endpoint Management Systems | EDR-ALL-71-BP | Possible Ransomware infection involving use of staging commands on abnormally large number of hosts
Endpoint Management Systems | EDR-ALL-154-BP | Abnormal number of Self Worker Process Execution
Endpoint Management Systems | EDR-ALL-62-ER | Potential attempt to bypass UAC using Eventvwr
Endpoint Management Systems | EDR-ALL-47-RU | MS EquationEditor process spawning child process
Endpoint Management Systems | EDR-ALL-54-ER | Rare Self Worker Process Execution
Endpoint Management Systems | EDR-ALL-20-RU | File Creation via PWDUMP or Mimikatz
Endpoint Management Systems | EDR-ALL-2-ER | Potential Mimikatz Use or Hash Passing
Endpoint Management Systems | EDR-ALL-26-RU | Potential use of Rubeus attack tool detected via command line
Firewall | IFW-ALL-700-BA | Abnormal amount of data transmitted from DNS ports - Firewall
Firewall | IFW-ALL-718-BA | Abnormal amount of data aggregated from SMB ports - Firewall
Firewall | IFW-ALL-701-BA | Abnormal amount of data transmitted from known file transfer ports - Firewall
Firewall | IFW-ALL-720-BA | Abnormal amount of data aggregated from FTP ports - Firewall
Firewall | IFW-ALL-702-BA | Abnormal amount of data transmitted over covert channels - Firewall
Firewall | IFW-ALL-732-BA | Abnormal amount of data transmitted over SMTP ports - Firewall
Firewall | IFW-ALL-717-BP | Possible host enumeration over system ports - Firewall
Firewall | IFW-ALL-721-TA | Traffic to rare server on DHCP ports - Firewall
Firewall | IFW-ALL-708-BP | Abnormal number of connections on SMB or NETBIOS ports - Firewall
Flow | FLW-ALL-833-BA | Abnormal amount of data transmitted from DNS ports - Flow
Flow | FLW-ALL-853-BA | Abnormal amount of data transmitted over covert channels - Flow
Flow | FLW-ALL-852-BA | Abnormal amount of data transmitted from known file transfer ports - Flow
Flow | FLW-ALL-734-BA | Abnormal amount of data transmitted over SMTP ports - Flow
Microsoft Windows | WEL-ALL-967-ER | Explicit login to high privileged account
Microsoft Windows | WEL-ALL-860-BP | Possible password spraying from an IP address
Microsoft Windows | WEL-ALL-717-DB | Large frequency of usage for Ping utility
Microsoft Windows | WEL-ALL-972-BP | Suspicious Process Activity - Peak Netsh Execution For User Analytic
Microsoft Windows | WOS-290-BP | Abnormal number of Kerberos pre-authentication failures
Microsoft Windows | WOS-214-BP | Abnormal number of network share object access
Microsoft Windows | WEL-ALL-906-BP | Suspicious Account Activity - Peak Credential Validation Failure Increase For Host Analytic
Microsoft Windows | WOS-295-BP | High number of accounts used from the same IP address for successful authentications or run as events
Microsoft Windows | WOS-293-BP | Abnormal number of hosts accessed - Logon Success
Microsoft Windows | WOS-240-BP | Spike in administrative shares accessed
Microsoft Windows | WOS-202-BP | Abnormal number of logon failures
Microsoft Windows | WEL-ALL-710-ER | Rare scripting executables spawned from known processes
Microsoft Windows | ALT-003-RU | Use of default credentials
Microsoft Windows | WOS-288-BP | Spike in Number of privileges enumerated
Microsoft Windows | WEL-ALL-948-DB | Possible Password Spraying Attack detected - SIEM
Microsoft Windows | WEL-ALL-711-ER | Rare execution of Regsvr32 process
Microsoft Windows | WOS-225-RU | Possible Privilege Escalation - Self Escalation
Microsoft Windows | WEL-ALL-714-RU | Potential use of MSHTA executable to download malicious payload
Microsoft Windows | WOS-318-RU | Use of credential dumpers
Microsoft Windows | WOS-291 | Abnormal number of host access attempts - Logon Failure
Microsoft Windows | WOS-215-RU | Password hash access
Microsoft Windows | WOS-292 | Abnormal number of account enumeration attempts on a host
Microsoft Windows | WOS-220 | Abnormal number of accounts created
Microsoft Windows | WOS-278-BP | Abnormal number of account lockout events
Microsoft Windows | WEL-ALL-970-BP | Abnormal number of distinct Kerberos tickets requested - Enumeration
Microsoft Windows | WEL-ALL-959-ER | Rare admin share access for a user compared to peer behavior
Microsoft Windows | WEL-ALL-860-BP | Password spraying attempts from an IP - Microsoft Windows
Microsoft Windows Powershell | PSH-ALL-106-RU | Use of Powershell encodedcommand parameter on host
Microsoft Windows Powershell | PSH-ALL-108-RU | Use of Powershell Invoke-Expression cmdlet on host
Microsoft Windows Powershell | PSH-ALL-109-RU | Powershell Execution Policy modified on host
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B
Microsoft Windows Powershell | PSH-ALL-20-RU | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B
Microsoft Windows Powershell | PSH-ALL-1-RU | Suspicious Powershell Activity Function - Targeted - Possible Bloodhound Attack Analytic
Network Traffic Analytics | NTA-ALL-804-BA | Abnormal amount of data aggregated from FTP ports - NTA
Network Traffic Analytics | NTA-ALL-865-BA | Abnormal amount of data transmitted from known file transfer ports - NTA
Network Traffic Analytics | NTA-ALL-880-BA | Abnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics | NTA-ALL-881-BA | Abnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics | NTA-ALL-882-BA | Abnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics | NTA-ALL-883-BA | Abnormal amount of data transmitted over covert channels - NTA
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | IFW-ALL-904-RU | RDP Access allowed from the internet - SIEM
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | IFW-ALL-905-TP | Inbound Traffic from C2 Domains and IP addresses - SIEM
Next Generation Firewall | IFW-ALL-901-TP | Outbound Traffic to C2 Domains and IP addresses - SIEM
Next Generation Firewall | NGF-763 | Possible port scan from internal IP Address - Next Gen Firewall
Next Generation Firewall | NGF-768 | Possible host enumeration over system ports - Internal - Next Gen Firewall
Next Generation Firewall | NGF-177 | Traffic to rare server on DHCP ports - Next Gen Firewall
Next Generation Firewall | NGF-011 | Abnormal amount of data aggregated from SMB ports - Next Gen Firewall
Next Generation Firewall | NGF-071 | Abnormal amount of data aggregated from FTP ports - Next Gen Firewall
Next Generation Firewall | NGF-352 | Abnormal amount of data transmitted from known file transfer ports - Next Gen Firewall
Next Generation Firewall | IFW-ALL-1110-BA | Abnormal amount of data transmitted from SMTP ports - NGFW

Next Generation Firewall

NGF-353Abnormal amount of data transmitted over covert channels - Next Gen Firewall

Next Generation Firewall

NGF-ALL-801-BAAbnormal amount of data uploads to storage sites - Next Gen Firewall

Next Generation Firewall

IFW-ALL-876-DBUpload Attempt to Multiple Distinct Storage Sites - Next Gen Firewall

Next Generation Firewall

NGF-710Abnormal number of DNS zone transfers - Next Gen Firewall

Next Generation Firewall

NGF-177Traffic to rare server on DHCP ports - Next Gen Firewall

Next Generation Firewall

NGF-766Abnormal number of connections on SMB or NETBIOS ports - Next Gen Firewall

Next Generation Firewall

NGF-733Abnormal amount of data transmitted from DNS ports - Next Gen Firewall

SNYPR Release Notes 51

Page 52: SNYPR 6.3.1 Build 181059 0119 Release Notes

What's New in Content

Functionality Signature ID Policy Name

Next Generation Firewall

IFW-ALL-928-DBMultiple Exploit Types Against Single Destination - SIEM

Next Generation Firewall

PXY-ALL-864-TATraffic to randomly generated domains - TPI - NGFW

Print PRN-ALL-837-RU Unauthorized printer usage

Print PRN-ALL-838-BPAbnormal number of files printed compared to peer

Unix / Linux / AIX UNX-ALL-801-DBBrute Force Followed by a Successful Login from internal - SIEM

Unix / Linux / AIX UNX-ALL-814-DBAccount was created and acted suspiciously - SIEM

Vulnerability Scanners SCN-ALL-803-RU Unpatched Vulnerability

Vulnerability Scanners SCN-ALL-802-RU Target Attack on vulnerable asset

Web Proxy PXY-ALL-864-TATraffic to randomly generated domains

Web Proxy PXY-ALL-864-TATraffic to randomly generated domains

Web Proxy PXY-ALL-868-BAAbnormal amount of data uploads to external sites

Web Proxy PXY-ALL-816-BAAbnormal amount of data uploads to storage sites

Web Proxy PXY-ALL-911-RUDetection of Blocked Web Requests

Web Proxy PXY-ALL-889-ERSuspicious Proxy Activity - Double Extension Download From Rare host

Web Proxy PXY-ALL-869-RUDetection of possible proxy circumvention

SNYPR Release Notes 52

Page 53: SNYPR 6.3.1 Build 181059 0119 Release Notes

What's New in Content

Functionality Signature ID Policy Name

Web Proxy PXY-ALL-882-ER-SIEMRare teleconferencing application accessed by an account

Web Proxy PXY-ALL-830-RUBeaconing Traffic to proxy anonymizing websites

Web Proxy PXY-ALL-1-ER

Watching the watchers possible trojanized vendor executable establishing suspicious HTTP C2 communication

Web Server WEB-ALL-808-RUPossible Directory Traversal Attempt Detected

Deprecated Policies

The following table lists the policies that are deprecated as part of this release:

Functionality | Policy Name | Reason
Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - EDR | Removed the policy as it flagged low-level events.
Antivirus / Malware / EDR | Repeat Attack-Network Intrusion Prevention System | Removed the policy as it flagged low-level events.
Antivirus / Malware / EDR | Repeat Attack-Host Intrusion Prevention System | Removed the policy as it flagged low-level events.
Authentication / SSO / Single Sign-On | Successful Login From Suspicious IP Address | These are replaced with the CRP policy.
Authentication / SSO / Single Sign-On | Robotic Pattern Observed from an IP - Failed Login | These are replaced with the CRP policy.
AWS - Cloud Services / Applications | Cloud storage resource accessed from a rare IP address | Removed the policy as it flagged low-level events.
AWS - Cloud Services / Applications | Suspicious cloud activity detected from a blacklisted IP address on cloud resources - TPI | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | IAM User Creation from a Rare Geolocation | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | AWS account root user activity detected | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account Discovery Account lists all the AWS users in the region | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Recon activity detected from a rare geolocation | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Suspicious Data Access to S3 Buckets from Blacklisted IP address - TPI | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Abnormal volume of data transferred from cloud storage resource | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Disabling Cloudtrail Logging | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account Enumerating on Cloud Storage Resources | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Recon Activity Detected on EC2 instances | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Landspeed Anomaly Detected-Cloud Services | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Detecting Implant Container Image | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare privileged transaction performed by an account over Cloud Infrastructure | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Privilege escalation through IAM instance profile | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Misuse-Account Deleting LoginProfile of Another User | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare Account Modifying Snapshot Attribute | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Abnormal number of denied transactions on cloud resources | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Defense Evasion-Audit Log Tampering | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Snapshot Created From a Rare Geolocation | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Abnormal Number of Cloud Storage Resources Deleted | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Detecting AWS activity from a User originating from Tor exit node- AWS | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account modifying ACL of a cloud storage resource | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Escalation - Account authorizing high number of changes to security groups | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Lateral Movement - Detecting IAM role Enumeration | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Detection Evasion Attempt- AWS Cloud Trail | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Crypto Mining Attack-Multiple GPU Instances Spin Up | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account Manipulating Customer Managed IAM Policy | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare Storage Service Deletion by an Account | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Escalation-Rare Account Updating Identity Policy | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare Account Creating New Identity Policy | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Reconnaissance Attempt - Detect the usage of AWS Cloudtrail CreateTrail command | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | High Number of Objects Deleted-SIEM | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Temporary Credentials Generated by a User | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Suspicious Cloud Activity-Account Created New LoginProfile | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Credential Harvesting Activity on EC2 Windows infrastructure | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Crypto Mining Attack - Single GPU Instance Spin Up | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Misuse-Account Updating LoginProfile of Another Account | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Suspicious Cloud Activity-Rare Account Creating Accesskey | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Defense Evasion-Rare Account Disabling Monitoring for an Instance | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare User Agent Detected for Assumed Role Events | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Defense Evasion - Misusing Accesskey of an IAM User | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | AWS Console Sign In Without MFA | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Data transfer detected on cloud storage from blacklisted IP address | Threat scenario covered as a part of another policy.
Cloud Antivirus / Malware / EDR | Low Severity Endpoint Alert Detected - Cloud EDR | Removed the policy as it flagged low-level events.
Cloud Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - Cloud EDR | Removed the policy as it flagged low-level events.
Cloud Application Audit | Abnormal Number of Distinct Emails Archived - Exchange | Removed the policy as it flagged low-level events.
Cloud Content Management System | Landspeed anomaly detected for account | Removed the policy as it flagged low-level events.
Cloud Content Management System | Abnormal number of files downloaded by an account | Duplicate - Threat scenario covered as part of another policy.
Cloud Content Management System | Account Activity detected from Rare Geolocation | Threat scenario covered as a part of another policy.
Cloud Content Management System | Account accessing file share never accessed before | Threat scenario covered as a part of another policy.
Cloud Print | Unauthorized printer usage - Cloud Print | Threat scenario covered as a part of another policy.
Cloud Print | Abnormal number of pages printed compared to peer - Cloud Print | Threat scenario covered as a part of another policy.
Cloud Services / Applications | Rare Cloud Storage Resource Deletion by an Account | Threat scenario covered as a part of another policy.
Content Management System | Abnormal number of files downloaded by an account -CMS | Threat scenario covered as a part of another policy.
Data Loss Prevention / Endpoint DLP | Abnormal number of pages printed compared to peer - Endpoint DLP | Threat scenario covered as a part of another policy.
Data Loss Prevention / Endpoint DLP | Abnormal number of pages printed compared to peer | Threat scenario covered as a part of another policy.
Data Loss Prevention / Endpoint DLP | Abnormal number of files printed compared to peer | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Suspicious Process Activity - Targeted - Potential ETW Disable Attempt Analytic | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Potential WMI Lateral Movement Rare WmiPrvSe Subprocess | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare USB device activity | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare ports used by a process for high severity endpoint alerts | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rarity on system hardening monitor | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Suspicious Process Activity - Targeted - Executable File Creation Analytic | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of file shares created | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare Executive Host Accessed | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare CD or DVD burning activity | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of file shares deleted | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of share folder creation on system | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of failed logons | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of low severity alerts | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare login geo location | Threat scenario covered as a part of another policy.
Microsoft Windows | High number of failed login attempts from an IP - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | High number of accounts using the same ipaddress for authentication failures or lockout events | Removed the policy as it flagged low-level events.
Microsoft Windows | Usage of potential scriptable executable to run or access malicious payload | Removed the policy as it flagged low-level events.
Microsoft Windows | Suspicious Account Activity for Potential pass-the-hash using Host Length Analytic | Threat scenario covered as a part of another policy.
Microsoft Windows | Scheduled Task Creation activity | Threat scenario covered as a part of another policy.
Microsoft Windows | Detection of Possible remote interactive logon enumeration | Threat scenario covered as a part of another policy.
Microsoft Windows | High number of failed login attempts from an account- SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Repeat Failure Authentication - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | High number of service tickets requested - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Detection of Brute Force Attack To The Same Host - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Use of explicit credentials for a possible Account sharing or Password misuse | Removed the policy as it flagged low-level events.
Microsoft Windows | High number of host accessed - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Rare privileged level for a windows authentication | Removed the policy as it flagged low-level events.
Microsoft Windows Powershell | Use of Powershell encode command by an account | Threat scenario covered as a part of another policy.
Microsoft Windows Powershell | Powershell execution policy changed by Account | Threat scenario covered as a part of another policy.
Microsoft Windows Powershell | Use of Powershell Invoke Expression Command by Account | Threat scenario covered as a part of another policy.
Network Traffic Analytics | Rare dns host resolved - NTA | Removed the policy as it flagged low-level events.
Next Generation Firewall | Possible port scan from internal IP Address - Next Gen Firewall | Threat scenario covered as a part of another policy.
Next Generation Firewall | Internal system running port scan - horizontal siem | Legacy SIEM content. Removed the policy as it flagged low-level events.
Next Generation Firewall | Non Mail server trying to send mails outside - SIEM | Legacy SIEM content. Removed the policy as it flagged low-level events.
Next Generation Firewall | Inbound Traffic from C2 Domains and IP addresses - SIEM | Removed the policy as it flagged low-level events.
Next Generation Firewall | Outbound Traffic to C2 Domains and IP addresses - SIEM | Removed the policy as it flagged low-level events.
Next Generation Firewall | Abnormal amount of data uploads to storage sites over firewall | Removed the policy as it flagged low-level events.
Print | Abnormal number of pages printed compared to peer | Threat scenario covered as a part of another policy.
Single Sign-On / SSO / Authentication | Ascending Monotonic Pattern Detected | Threat scenario covered as a part of another policy.