SNYPR 6.3.1 Build 191954_0720 Release Notes (documentation.securonix.com)
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.
Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.
Copyright © 2021 Securonix. All rights reserved.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649
Release Notes 2
Table of Contents
Introduction 4
Improvements 4
Bug Fixes 5
Known Issues 10
What's New in Content 11
  New Connectors 11
  Contextual Connectors 11
  Improved Connectors 12
  Deprecated Connectors 15
  New Content 15
  Improved Content 16
  Deprecated Policies 23
Introduction
SNYPR 6.3.1 Build 191954_0720 includes the following:
- Improvements
- Bug fixes
- Known issues
- Content updates
Note: An INC number in the Summary column indicates a customer-logged ticket that was resolved in this release.
Improvements
The following table describes the improvements included in this release:

Component | Summary
Hunting | Improved the Saved Queries tab in Spotter to ensure users can access only the queries that are selected within their tenant.
Hunting | Added permissions to the Saved Queries in Spotter to prevent queries from being shared.
Ingestion Service | Improved parsing for the Crowdstrike Streaming collection. (INC-242454) (INC-242714)
Response | Added capability to perform IP and domain checks against DomainTools threat intel data.
Response | Added capability to perform IP, domain, URL, and filehash reputation checks against Anomali threat intel data.
Response | Improved the ServiceNow integration to prevent attaching new violations to incidents with a canceled status in ServiceNow.
Bug Fixes
The following table describes the bug fixes included in this release:

Component | Summary
Analytics Service (Multi-tenant) | Fixed the filter by tenant option for identity-based policies.
Analytics Service | Fixed an RBAC issue to display Sandbox policies on the Policy Listing screen based on the user's access.
Analytics Service | Fixed an error so that Lookup and Third Party Intelligence checks can be applied to all tenants while creating a policy.
Analytics Service | Fixed an issue related to data consistency in the results shown for the Owner/Remediator field in the Policy Configuration screen.
Analytics Service | Fixed an exception related to data onboarding.
Analytics Service | Fixed an issue related to onboarding of behavior-based policies.
Analytics Service | Fixed an error so that you can save the configuration for peer-based policies.
Analytics Service | Fixed the policy onboarding process so that a behavior baseline can be formed for onboarded policies.
Analytics Service | Fixed the Send Notification toggle button to work as expected. (INC-235266)
Analytics Service | Fixed the SCC screen to display violations related to new policies correctly when data sources are onboarded.
Analytics Service | Fixed an error so that policies are enabled or disabled based on the status set up while onboarding the data.
Analytics Service | Fixed an error to ensure that when a violation is marked as non-concern, the violation status does not change incorrectly.
Analytics Service | Fixed the null pointer error that occurred while creating threat models.
Analytics Service | Fixed the Policy Configuration screen to resolve the 504 Gateway Timeout error that occurred while opening a policy.
Analytics Service | Fixed the Delete option to allow users to delete violations for identity policies. (INC-241691)
Analytics Service | Fixed an issue so that attribute configuration for behavior-based policies can be saved.
Analytics Service | Fixed an issue with static risk scores generated for policies.
Analytics Service | Fixed an issue so that aggregated risk scores generated for policies do not change without any violation.
Analytics Service | Fixed an issue so that threat models are displayed correctly. (INC-239374)
Analytics Service | Fixed the Whitelisting module so that whitelisted entities cannot trigger violations.
Analytics Service | Added a check so that users cannot edit the name of an identity-based policy once violations are flagged for that policy. (INC-238082)
Hunting | Fixed the Spotter UI to display data when there is a Secure Sockets Layer (SSL) connection.
Hunting | Fixed the Spotter and Categorized Reports to ensure results are generated for admin users.
Hunting | Fixed an issue in Spotter, enabling access to saved queries when a query is imported.
Hunting | Fixed Data Insights to display a circuit breaker error message when a search errors out.
Hunting | Fixed Spotter queries to include records with NULL values when the not equal comparison operator (!=) is used in the archive query.
Hunting | Fixed the Data Insights filter to ensure all mapped attributes display in the Fields list.
Hunting | Fixed the Selected Fields panel in the Search Results view of Spotter to display a validation message when there are no results available.
Hunting | Fixed the pagination in Spotter to ensure users can navigate between archived search results.
Hunting | Fixed the Search Results functionality in Spotter to preserve any modifications made to a saved query when the tenant filter is applied.
Hunting | Fixed the Spotter Report screen to display correct field names and to reduce the text lag when the drag-and-drop functionality is used for an attribute.
Response | Fixed the ServiceNow connector to create events.
Response | Fixed an issue with Top Violators to ensure the Entity Details display in the production environment.
Response | Fixed the bulk Select All action on the Security Command Center to work as expected from the Threats widget.
Response | Fixed the Action icon on the Security Command Center to display the Action History, watchlisted details, and entity details.
Response | Fixed an issue on the Security Command Center where violations displayed as Complete, even when the violation was set to Mark in progress (still investigating).
Response | Fixed an issue on the Security Command Center that prevented users from selecting an assignee when an incident was created.
Response | Fixed an issue on the Security Command Center that caused violation actions to not be updated in the UI when an action is taken from the top level.
Response | Fixed the Whitelist entries to display and accept special characters.
Shared Services (Multi-tenant) | Fixed the Schedule Report screen to display Top Violator Graphical View reports scheduled by admin users.
Shared Services | Fixed the tenant selection option to generate the Auditing report and Log Tampering report correctly from the Auditing screen.
Shared Services | Fixed an error so that users can select the correct AuditingReport.jrxml report.
Shared Services | Fixed the null pointer exception that occurred while generating the Top Violator Graphical View report.
Shared Services | Fixed the SLA report by range to display the time period for which the report is generated.
Shared Services | Fixed the Notification module to display notifications once the reports are generated.
Shared Services | Fixed the SLA custom report to leave the column blank if the value is null and to display correct values.
Shared Services (Multi-tenant) | Fixed the Available Tenants filter for the SCC screen. (INC-246974)
Shared Services (Multi-tenant) | Fixed the global Available Tenants selection window for the Auditing option.
Shared Services (Multi-tenant) | Fixed the Log Tampering auditing report to display tenant names.
Shared Services | Fixed an issue so that admin users can save Spotter queries, and create and edit reports. Note: A non-admin user cannot save Spotter queries as a report.
Shared Services | Fixed the SLA Report to display the correct incident count and success rate. (INC-245096)
Shared Services | Fixed an error to display data for the Incident Management Detail report.
Shared Services | Fixed the xls/pptx format option for the SCC - Top Violator report.
Shared Services | Fixed Categorized Reports to display the Owner field name.
Shared Services | Fixed an error so that scheduled reports are generated for the correct time period. (INC-243129)
Shared Services | Fixed the Search feature for the Masking Approver Workflow screen to search users or groups correctly.
Shared Services | Fixed an issue so that users with the ROLE_RBAC-TPA-SECURITYANALYSTS role and correct report privileges can view the Schedule Report screen. (INC-244566) (INC-244783)
Known Issues
The following table describes the known issues that exist in this release:

Component | Summary
Response | The DomainTools reputation playbook does not return correct domain values.
Response | Playbooks cannot be executed for threat models with a return type of Users and NetworkAddress.
Response | Anomali playbooks run on violations that are not associated with the alert.
Shared Services | The Top Violations widget displays no data for admin users when an RBAC condition is applied from Granular Access Control.
What's New in Content
This section lists the following updates to content:
- New connectors
- Contextual connectors
- Improved connectors
- Deprecated connectors
- New content
- Improved content
- Deprecated policies
New Connectors
The following connectors for activity import are included in this release:

Vendor | Functionality | Device Type | Collection Method (Format)
Microsoft Corporation | Cloud Services / Applications | Azure Active Directory Sign In | azurereport
Palo Alto Networks | IDS / IPS / UTM / Threat Detection | Prisma Audit | prismacloud (JSON)
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | symantecendpoint (JSON)
Contextual Connectors
This section lists connectors required to ingest the following types of data:
- Entity Metadata
- Lookup Data
- Third Party Intelligence
- Users
The following contextual connectors are included in this release:

Vendor | Type
CSW Risk Sense (INC-235077) | Entity Metadata
Improved Connectors
The following connectors are improved in this release:

Vendor | Functionality | Device Type | Collection Method (Format)
BeyondTrust | Access / Privileged User | Powerbroker | Syslog (Regex)
BeyondTrust | Access / Privileged User | Powerbroker | Splunkraw (Regex)
Cisco Systems | Next Generation Firewall | Cisco ASA | Syslog (CEF)
Cisco Systems | Next Generation Firewall | Cisco ASA | Syslog (Regex)
Cisco Systems | Next Generation Firewall | Cisco ASA | Splunkraw (Regex)
Cisco Systems | Next Generation Firewall | Cisco FTD | Syslog (Regex)
Cisco Systems | Web Proxy | IronPort Web Security Appliance | Syslog (Regex)
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | Syslog (Regex)
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | Splunkraw (Regex)
Citrix Systems | Authentication / VPN | Netscaler VPN | Syslog (Regex)
Dell / SonicWall Inc. | Next Generation Firewall | SonicWall Global Management System | Syslog (Key Value Pair)
Fortinet | Next Generation Firewall | Fortigate | Syslog (Key Value Pair)
Fortinet | Next Generation Firewall | Fortigate | Splunkraw (Key Value Pair)
Infoblox | DNS / DHCP | Infoblox | Syslog (Regex)
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Syslog (Regex)
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Splunkraw (Regex)
Sophos | Next Generation Firewall | Sophos UTM | Syslog (Key Value Pair)
Sophos | Next Generation Firewall | Sophos UTM | Splunkraw (Key Value Pair)
Sophos | Next Generation Firewall | Sophos SG Firewall | Syslog (Key Value Pair)
Sophos | Next Generation Firewall | Sophos XG Firewall | Syslog (Key Value Pair)
Deprecated Connectors

Vendor | Functionality | Device Type | Collection Method (Format)
Intel Security / McAfee Inc. / IronMail | Email / Email Security | Mcafee IronMail Email Gateway | File (Regex)
Raytheon / Websense / ForcePoint Inc | Web Proxy | Websense Proxy | Syslog (CEF)
New Content
The following new policies are added in this release:

Functionality | Signature ID | Policy Name
Cloud Services / Applications | CSA-ALL-859-RU | Customer master keys Disabled or Scheduled for Deletion
Cloud Services / Applications | CSA-ALL-860-ERR | Unusual number of Key Vault operations
Cloud Services / Applications | CSA-ALL-862-RU | Cloud Storage observed with public access
Cloud Services / Applications | CSA-ALL-863-ERR | Resource launched with rare Instance type or Image ID
Cloud Services / Applications | CSA-ALL-864-ERR | Cloud storage accessed from Rare Geolocation
Cloud Services / Applications | CSA-ALL-865-ERR | Rare cloud storage discovery activity from Account
Cloud Services / Applications | CSA-ALL-866-ERR | Rare IAM policy activity from account
Cloud Services / Applications | CSA-ALL-867-ERR | Cloud storage operation from rare Role
Cloud Services / Applications | CSA-ALL-861-ERR | Rare country for SAML Token authentication
Cloud Services / Applications | CSA-ALL-873-ERR | Rare Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-ALL-874-ERR | Rare Credential Harvesting Activity on Cloud Infrastructure by account
Cloud Services / Applications | CSA-ALL-875-ERR | Rare account deleted cloud storage resources
Cloud Services / Applications | CSA-ALL-876-ERR | Rare account creating Snapshot or Volume
Cloud Services / Applications | CSA-ALL-877-BP | Spike in denied transactions on cloud resources by account
Cloud Services / Applications | CSA-ALL-878-ERR | Rare identity deleted cloud compute resources
Cloud Services / Applications | CSA-ALL-879-ERR | Rare implant or list container image by account
Cloud Services / Applications | CSA-ALL-880-ER | IAM Role deleted by rare account
Cloud Services / Applications | CSA-ALL-881-ER | IAM Role Created by rare account
Cloud Services / Applications | CSA-ALL-882-ERR | Rare account attempting to update role permissions
Cloud Services / Applications | CSA-ALL-883-ERR | Rare account list all Cloud accounts in the region
Cloud Services / Applications | CSA-ALL-884-ERR | Critical Key vault Operation performed by account
Improved Content
The following content was improved in this release:

Functionality | Signature ID | Policy Name
Cloud Services / Applications | CSA-AWS-734-DB | Account Updating IAM AssumeRolePolicy
Cloud Services / Applications | CSA-ALL-727-ERR | Account accessing rare IAM role
Cloud Services / Applications | CSA-AWS-730-ERR | Account removing encryption from the cloud storage resource
Cloud Services / Applications | CSA-AWS-733-BP | Failed attempts detected from an user attempting to attach to different roles
Cloud Services / Applications | CSA-AWS-732-RU | AWS Security Token Service Requested from MFA Disabled Account
Cloud Services / Applications | CSA-ALL-745-BP | Abnormal number of failed authentication attempts detected on Cloud
Cloud Services / Applications | CSA-ALL-746-ERR | Authentication detected from a rare geolocation on Cloud
Cloud Services / Applications | CSA-AWS-748-ERR | Rare account generating credential reports for a region
Cloud Services / Applications | CSA-AWS-747-DB | Credential Reports Generated for Multiple Regions - SIEM
Cloud Services / Applications | CSA-ALL-749-DB | Successful Login after Multiple Failed Authentication Attempts from an Account
Cloud Services / Applications | CSA-ALL-708-BP | Abnormal Number of Cloud Storage Resources Deleted
Cloud Services / Applications | CSA-ALL-704-DB | Detecting Implant Container Image
Cloud Services / Applications | CSA-ALL-711-ERR | Rare Storage Service Deletion by an Account
Cloud Services / Applications | CSA-AWS-718-ERR | Recon activity detected from a rare geolocation
Cloud Services / Applications | CSA-ALL-719-LS | Landspeed Anomaly Detected on Cloud Resources
Cloud Services / Applications | CSA-AWS-743-ER | Temporary Credentials Generated by an User
Cloud Services / Applications | CSA-ALL-717-ERR | Account modifying ACL or Permissions of a cloud storage resource
Cloud Services / Applications | CSA-AWS-742-ERR | Rare Account Creating Accesskey
Cloud Services / Applications | CSA-ALL-702-BP | Multiple Cloud Instances or Virtual Machines Terminated
Cloud Services / Applications | CSA-ALL-715-TP | Data transfer detected on cloud storage from blacklisted IP address
Cloud Services / Applications | CSA-AWS-735-DB | High Number of Failed AssumedRole Requests Detected from an Account
Cloud Services / Applications | CSA-AWS-739-DB | Privilege escalation through IAM instance profile
Cloud Services / Applications | CSA-AWS-736-BP | Account Authorizing Changes to Multiple Security Groups
Cloud Services / Applications | CSA-ALL-713-TP | Suspicious cloud activity detected from a blacklisted IP address on cloud resources
Cloud Services / Applications | CSA-ALL-701-DB | Possible Cryptomining Attack Detected
Cloud Services / Applications | CSA-ALL-714-BP | Abnormal Number of snapshots created
Cloud Services / Applications | CSA-ALL-725-BP | Abnormal Number of Denied Transactions on Cloud Resources
Cloud Services / Applications | CSA-ALL-703-DB | Multiple Cloud Instances or Virtual Machines Deleted within Short Period Of Time
Cloud Services / Applications | CSA-ALL-726-RU | Disabling OR Modifying Audit Logs on Cloud Platforms
Cloud Services / Applications | CSA-ALL-707-ERR | Account Creating Network Access Control List
Cloud Services / Applications | CSA-ALL-709-DB | Multiple Cloud Storage Resources Deleted within a Short Time
Cloud Services / Applications | CSA-ALL-710-ERR | Possible Exfiltration Activity Detected
Cloud Services / Applications | CSA-ALL-731-RU | Root User Activity Detected on Cloud Instance
Cloud Services / Applications | CSA-ALL-720-ERR | Firewall Rule Modification or Deletion Detected From a Rare Account
Cloud Services / Applications | CSA-ALL-721-ERR | Virtual Private Cloud Network Deletion Detected
Cloud Services / Applications | CSA-ALL-722-ERR | Virtual Private Cloud Network Created
Cloud Services / Applications | CSA-ALL-737-ERR | Account Deleting LoginProfile of Another User
Cloud Services / Applications | CSA-ALL-723-ERR | User Deleting Table in a Database
Cloud Services / Applications | CSA-ALL-738-ERR | Account Updating LoginProfile of Another Account
Cloud Services / Applications | CSA-ALL-740-ERR | Rare Account Creating OR Modifying Identity Policy
Cloud Services / Applications | CSA-AWS-741-ER | Account Created New LoginProfile
Cloud Services / Applications | CSA-ALL-744-RU | Sign in Detected without MFA
Cloud Services / Applications | CSA-ALL-750-ERR | Service Account Created
Cloud Services / Applications | CSA-AZ-706-ERR | Command Execution Detected on a Virtual Machine
Cloud Services / Applications | CSA-ALL-705-BP | Credential Harvesting Activity on cloud infrastructure
Cloud Services / Applications | CSA-AWS-728-ERR | Account Discovery - Account lists all the AWS accounts in the region
Cloud Services / Applications | CSA-AWS-729-DB | Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-AWS-712-DB | Recon Activity Detected on Cloud Computing Resource
Cloud Services / Applications | CSA-ALL-716-TP | Traffic to cryptomining domains
Cloud Services / Applications | CSA-AWS-724-ERR | AWS RDS Cluster Creation
Cloud Services / Applications | CSA-ALL-753-ERR | IAM Role Creation Detected
Cloud Services / Applications | CSA-ALL-751-ERR | IAM Role Deletion Detected
Cloud Services / Applications | CSA-ALL-752-ERR | Service Account Deletion or Disabling Detected
Cloud Services / Applications | CSA-ALL-760-ERR | Rare Account Deleting Pub-Sub Subscription
Cloud Services / Applications | CSA-ALL-761-RU | External Guest User Invitation Detected
Cloud Services / Applications | CSA-ALL-762-RU | Creation or Modification of Automation Runbook OR Webhook Detected
Cloud Services / Applications | CSA-ALL-763-ERR | Account Creating Audit Trail on Cloud Platforms
Cloud Services / Applications | CSA-AZ-754-RU | Sign in Detected Using Powershell
Cloud Services / Applications | CSA-ALL-755-RU | New Account Creation Detected
Cloud Services / Applications | CSA-ALL-756-ERR | User Addition to a Group Detected
Cloud Services / Applications | CSA-ALL-757-DB | Brute Force Attempts Detected on Root User
Cloud Services / Applications | CSA-ALL-758-ERR | Rare Account Accessing the Secret Manager
Cloud Services / Applications | CSA-ALL-759-ERR | Rare Account Creating Pub Sub Subscription
Cloud Services / Applications | CSA-AWS-764-RU | MFA Disabled for Root User Account
Endpoint Management Systems | EDR-ALL-3-BP | Abnormal number of encrypted files created
Endpoint Management Systems | EDR-ALL-884-ERR | Possible Webshell created In Unusual file location
Endpoint Management Systems | EDR-ALL-889-RU | Possible Reverse Shell connection established via Invoke-PowerShellTcpOneLine script
Endpoint Management Systems | EDR-ALL-885-RU | Possible execution of China Chopper Web Shell via Command line
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-887-RU | Process dump using COM Plus Service DLL via Command line
Microsoft Windows | WOS-225-RU | Possible Privilege Escalation - Self Escalation
Microsoft Windows Powershell | PSH-ALL-118-RU | Use of Powercat tool to establish reverse shell on Host
Unix / Linux / AIX | UNX-ALL-804-BP | Abnormal number of distinct destination hosts accessed - IP Address
Unix / Linux / AIX | UNX-ALL-818-BP | Spike in SU authentication failures-Behavior
Unix / Linux / AIX | UNX-ALL-809-BP | Abnormal number of failed ssh authentication attempts - IP Address
Unix / Linux / AIX | UNX-ALL-806-RU | User emailing files to external email addresses
Unix / Linux / AIX | UNX-ALL-817-BP | Abnormal number of distinct destination hosts accessed - Activity account
Unix / Linux / AIX | UNX-ALL-802-BP | Spike In Failed SSHD Logs-Behavior
Unix / Linux / AIX | UNX-ALL-821-BP | Abnormal number of SU login failures - Target user enumeration
Unix / Linux / AIX | UNX-ALL-822-RU | Use of cron job commands executed - SIEM
Unix / Linux / AIX | UNX-ALL-820-RU | Detect audit log tampering
Unix / Linux / AIX | UNX-ALL-815-BP | Abnormal high number of login failure - Remote Address
Unix / Linux / AIX | UNX-ALL-812-RU | Detect presence and attempted use of the telnet utility
Unix / Linux / AIX | UNX-ALL-816-RU | Activity Performed by Terminated Account
Unix / Linux / AIX | UNX-ALL-819-RU | Unauthorized Privileged Account Creation or Deletion
Unix / Linux / AIX | UNX-ALL-825-BP | Abnormal use of privileged super user command
Deprecated Policies
The following table lists the policies that are deprecated as part of this release:

Functionality | Policy Name | Categorization
Antivirus / Malware / EDR | Rare usage of PsRemoting - EDR (EDR-ALL-820-ERR) | Removed the policy as it flagged low-level events.
Cloud Antivirus / Malware / EDR | Rare usage of PsRemoting - Cloud EDR (CEDR-ALL-820-ERR) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Abnormal volume of data egressed using REST API requests (CSSO-ALL-448-BA) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Abnormal volume of data egressed via Visualforce requests (CSSO-ALL-449-BA) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Large number of target accounts used for delegated login (CSSO-ALL-450-DB) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Abnormal number of target accounts used for delegated login (CSSO-ALL-451-BP) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Rare user performing delegated logon (CSSO-ALL-845-ER) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Installation of rare unmanaged package detected across organization (CSSO-ALL-846-ER) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Abnormal volume of file downloads from Salesforce (CSSO-ALL-847-BA) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Login failure to Disabled User Account - SIEM - SSO (CSSO-ALL-826-DB) | Removed the policy as it flagged low-level events.
Cloud Authentication / SSO / Single Sign-On | Password spraying attempts from one account to multiple applications_enumeration - Duo Authentication (CSSO-ALL-829-BP) | Removed the policy as it flagged low-level events.
Cloud Content Management System | Account Activity detected from Rare Geolocation (CCMS-ALL-802-ER) | Threat scenario covered as part of another policy.
Cloud Content Management System | Account accessing file share never accessed before (CCMS-ALL-809-ER) | Threat scenario covered as part of another policy.
Cloud Content Management System | Account activity from a country rare to the organization (CCMS-ALL-828-ERR) | Removed the policy as it flagged low-level events.
Cloud Content Management System | Account activity from a country rare for the user (CCMS-ALL-829-ERR) | Removed the policy as it flagged low-level events.
Cloud Content Management System | External account downloading abnormally high number of files (CCMS-ALL-839-BP) | Removed the policy as it flagged low-level events.
Database Audit | Abnormal frequency of data aggregated from database (DBS-ALL-821-BA) | Removed the policy as it flagged low-level events.
DNS / DHCP | Excessive number of failed DNS zone transfers (DNS-010) | Threat scenario covered as part of another policy.
DNS / DHCP | Excessive number of DNS NXDOMAIN responses (DNS-023) | Threat scenario covered as part of another policy.
DNS / DHCP | Excessive number of DNS SERVFAIL responses (DNS-024) | Threat scenario covered as part of another policy.
Email / Email Security | Persistent Phishing Attempts (EML-SML-820-RU) | Removed the policy as it flagged low-level events.
Email / Email Security | Multiple Emails to Nonbusiness Domains (EGW-007) | Removed the policy as it flagged low-level events.
Email / Email Security | Persistent Phishing Attempts (EML-SVE-820-RU) | Removed the policy as it flagged low-level events.
Email / Email Security | Freemail domain phishing attempts (EDR-TMC-812-RU) | Removed the policy as it flagged low-level events.
Email / Email Security | Resemblance Based Phishing Attempts - TLD analysis (EDR-TMC-813-RU) | Removed the policy as it flagged low-level events.
Email / Email Security | Resemblance Based Phishing Attempts - PLD analysis (EDR-TMC-814-RU) | Removed the policy as it flagged low-level events.
Email / Email Security | Persistent Phishing Attempts (EDR-TMC-815-RU) | Removed the policy as it flagged low-level events.
Firewall | Possible external port scan over system ports - Firewall (IFW-FTF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-FTF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-FTF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-FAW-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-FAW-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-FAW-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-AWP-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-AWP-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-AWP-929-RU) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-ALL-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on Firewall (IFW-ALL-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-CPF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-JPF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-JPF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-JPF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-JSF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-JSF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-JSF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-CPF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-CPF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-CPS-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall-Foreign (IFW-CPS-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-CPS-929-RU) | Threat scenario covered as part of another policy.
Firewall | External network port scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | External Port scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | External source scan to Internal network - SIEM | Removed the policy as it flagged low-level events.
Firewall | Internal System running port scan - Horizontal SIEM | Removed the policy as it flagged low-level events.
Firewall | Internal System running port scan - Vertical SIEM | Removed the policy as it flagged low-level events.
Firewall | Internal System running port scan Internally - SIEM | Removed the policy as it flagged low-level events.
Firewall | Connection attempt to Zeus Domain or IP Address - SIEM | Removed the policy as it flagged low-level events.
Firewall | Ping Sweep or ICMP Inbound Scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | SMB Services allowed from internet - SIEM | Removed the policy as it flagged low-level events.
Firewall | Non Mail server trying to send mails outside - SIEM | Removed the policy as it flagged low-level events.
Firewall | RDP Attempt from Malicious IP - SIEM | Removed the policy as it flagged low-level events.
Firewall | Outbound Spamhaus observed Traffic - SIEM | Removed the policy as it flagged low-level events.
Firewall | RDP Access allowed from the internet - Account - SIEM | Removed the policy as it flagged low-level events.
Firewall | Brute Force Attack - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Traffic to rare domain on DNS ports - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Possible host enumeration over system ports - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Possible lateral movement over network traffic - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Job Exiting Behavior on Web Browsing - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Flight Risk Behavior on Web Browsing - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | SmartDefense IPS Rules - High Severity - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | SmartDefense IPS Rules - Medium Severity - Next Gen Firewall |
Removed the policy as itflagged low level events.
FirewallSmartDefense IPS Rules - Maliciousaddress - Next Gen Firewall
Removed the policy as itflagged low level events.
FirewallVPN activity by Undocumented Accounts- Next Gen Firewall
Removed the policy as itflagged low level events.
FirewallVPN Authentication Using a RareOperating System for anAccount - Next Gen Firewall
Removed the policy as itflagged low level events.
Release Notes 29
What's New in Content
Functionality PolicyName Categorization
FirewallSuspicious Wildfire Submission Resultfrom the Firewall - NextGen Firewall
Removed the policy as itflagged low level events.
FirewallSuspicious Threat Category Observed -Next Gen Firewall
Removed the policy as itflagged low level events.
FirewallAbnormal number of vulnerabilitiesobserved - Next GenFirewall
Removed the policy as itflagged low level events.
FirewallFile Blocking Profile Initiated - Next GenFirewall
Removed the policy as itflagged low level events.
FirewallPossible lateral movement observed onnetwork traffic - SIEM
Removed the policy as itflagged low level events.
FirewallPossible port scan over distinct systemports - Next GenFirewall
Removed the policy as itflagged low level events.
Firewall Remote Database Scanner - SIEMRemoved the policy as itflagged low level events.
FirewallRemote Recon Network Sweep or scan -SIEM
Removed the policy as itflagged low level events.
Firewall Scan over plain text ports - SIEMRemoved the policy as itflagged low level events.
FirewallPossible external host enumeration oversystem ports-197
Removed the policy as itflagged low level events.
FirewallPossible external port scan over systemports- 197
Removed the policy as itflagged low level events.
FirewallInternal Host Communicating to BadReputed IP - SIEM
Removed the policy as itflagged low level events.
Firewall Possible port scan observed - SIEMRemoved the policy as itflagged low level events.
Firewall User connecting to infected sites - SIEMRemoved the policy as itflagged low level events.
Release Notes 30
What's New in Content
Functionality PolicyName Categorization
FirewallDNS amplification by frequency ofpackets - Firewall-236
Threat scenario covered aspart of another policy
MicrosoftWindows
Account added and removed to securitygroup (WEL-MWO-824-DB)
Removed the policy as itflagged low level events.
MicrosoftWindows
Abnormal number of Kerberosimpersonation attempts detected (WEL-MWO-840-BP)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Remote Database Scanner - SIEM (IFW-ALL-919-BP)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Repeat firewall drops (IFW-CAF-922-DB)Removed the policy as itflagged low level events.
NextGenerationFirewall
Beaconing traffic to malicious sites overfirewall (IFW-CAF-868-TA)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Rare dns host resolved over firewall(IFW-CAF-872-ER)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Rare file type detected over firewalltraffic (IFW-CAF-807-ER)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Brute Force Access on VPN (IFW-CAF-905-BP)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Repeat Attack-Foreign (IFW-CAF-928-DB)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Possible external host enumeration oversystem ports (IFW-CAF-874-BP)
Threat scenario covered aspart of another policy
Release Notes 31
What's New in Content
Functionality PolicyName Categorization
NextGenerationFirewall
Traffic to Known Attacker (IFW-CAF-929-RU)
Threat scenario covered aspart of another policy
NextGenerationFirewall
Possible external port scan over systemports (IFW-CAF-873-BP)
Removed the policy as itflagged low level events.
NextGenerationFirewall
DNS amplification by frequency ofpackets (IFW-CAF-871-DB)
Removed the policy as itflagged low level events.
NextGenerationFirewall
Probable Successful Brute Force Attackon VPN (IFW-CAF-910-DB)
Removed the policy as itflagged low level events.
Unix / Linux /AIX
Possible DoS Attack - sshd (XOS-UNX-813-DB)
Removed the policy as itflagged low level events.
Unix / Linux /AIX
Possible brute force attack (XOS-UNX-
806-BP)
Removed the policy as itflagged low level events.
Web ProxyRepeat Attack-Web Content Filter (ALT-028)
Removed the policy as itflagged low level events.
Web ProxyAttempted connection to botnet domain -SIEM
Removed the policy as itflagged low level events.
Web Proxy Beaconing Traffic DetectedRemoved the policy as itflagged low level events.
Web Proxy Beaconing traffic to known black list siteRemoved the policy as itflagged low level events.
Web ProxyCommunication with Suspicious ExternalIP from internalnetwork - SIEM
Removed the policy as itflagged low level events.
Web ProxyConnection attempt to Zeus Domain or IPAddress - SIEM Proxy
Removed the policy as itflagged low level events.
Web ProxyConnection to known ransomware IP -SIEM
Removed the policy as itflagged low level events.
Release Notes 32
What's New in Content
Functionality PolicyName Categorization
Web ProxyDetection of Web Requests to RareBlocked Domains
Removed the policy as itflagged low level events.
Web ProxyInternal Host Communicating to BadReputed Domain - Proxy SIEM
Removed the policy as itflagged low level events.
Web ProxyInternal Host Communicating to BadReputed IP - Proxy SIEM
Removed the policy as itflagged low level events.
Web ProxyInternal Host Communicating to BadReputed URL - Proxy SIEM
Removed the policy as itflagged low level events.
Web ProxyInternal Traffic for Blocked Domain -Proxy SIEM
Removed the policy as itflagged low level events.
Web ProxyMultiple sources connection to A botnetdomain - SIEM
Removed the policy as itflagged low level events.
Web ProxyOutbound Spamhaus observed Traffic -Proxy SIEM
Removed the policy as itflagged low level events.
Web Proxy Outbound TOR Traffic - Proxy SIEMRemoved the policy as itflagged low level events.
Web Proxy Outbound Traffic to Fraud sites - SIEMRemoved the policy as itflagged low level events.
Web Proxy Phishing detected - SIEMRemoved the policy as itflagged low level events.
Web Proxy Rare domain visited by accountRemoved the policy as itflagged low level events.
Web Proxy Rare User Agent Used by AccountRemoved the policy as itflagged low level events.
Web ProxyRemote Desktop or Private VPNAccessed - SIEM
Removed the policy as itflagged low level events.
Web ProxySame User Connecting to multiple botnetdomains - SIEM
Removed the policy as itflagged low level events.
Web ProxySuspicious connection PUT using HTTP -SIEM
Removed the policy as itflagged low level events.
Release Notes 33
What's New in Content
Functionality PolicyName Categorization
Web ProxySuspicious Connections to URL contains“Trojan”
Removed the policy as itflagged low level events.
Web ProxySuspicious downloads to URL containswget - SIEM
Removed the policy as itflagged low level events.
Web Proxy Traffic to Phishing SiteRemoved the policy as itflagged low level events.
Web ProxyTraffic to rare domain on DNS ports -Firewall
Removed the policy as itflagged low level events.
Web Proxy Uploads to news or media websitesRemoved the policy as itflagged low level events.
Release Notes 34