6.3.1build191954 0720 - documentation.securonix.com


6.3.1 Build 191954_0720

Release Notes

Date Published: 8/4/2021

Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.

However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix

5080 Spectrum Drive, Suite 950W

Addison, TX 75001

(855) 732-6649

Release Notes 2

Table of Contents

Introduction 4

Improvements 4

Bug Fixes 5

Known Issues 10

What's New in Content 11

New Connectors 11

Contextual Connectors 11

Improved Connectors 12

Deprecated Connectors 15

New Content 15

Improved Content 16

Deprecated Policies 23


Introduction

SNYPR 6.3.1 Build 191954_0720 includes the following:

• Improvements
• Bug fixes
• Known issues
• Content updates

Note: An INC number in the Summary column indicates a customer-logged ticket that was resolved in this release.

Improvements

The following table describes the improvements included in this release:

Component | Summary
Hunting | Improved the Saved Queries tab in Spotter to ensure users can access only the queries that are selected within their tenant.
Hunting | Added permissions to the Saved Queries in Spotter to prevent queries from being shared.
Ingestion Service | Improved parsing for the CrowdStrike Streaming collection. (INC-242454) (INC-242714)
Response | Added the capability to perform IP and domain checks against DomainTools threat intel data.
Response | Added the capability to perform IP, domain, URL, and file hash reputation checks against Anomali threat intel data.
Response | Improved the ServiceNow integration to prevent attaching new violations to incidents with a canceled status in ServiceNow.


Bug Fixes

The following table describes the bug fixes included in this release:

Component | Summary
Analytics Service (Multi-tenant) | Fixed the filter by tenant option for identity-based policies.
Analytics Service | Fixed an RBAC issue so that Sandbox policies are displayed on the Policy Listing screen based on the user's access.
Analytics Service | Fixed an error so that Lookup and Third Party Intelligence checks can be applied to all tenants while creating a policy.
Analytics Service | Fixed a data consistency issue in the results shown for the Owner/Remediator field on the Policy Configuration screen.
Analytics Service | Fixed an exception related to data onboarding.
Analytics Service | Fixed an issue related to onboarding of behavior-based policies.
Analytics Service | Fixed an error so that configuration can be saved for peer-based policies.
Analytics Service | Fixed the policy onboarding process so that a behavior baseline can be formed for onboarded policies.
Analytics Service | Fixed the Send Notification toggle button to work as expected. (INC-235266)
Analytics Service | Fixed the SCC screen to display violations related to new policies correctly when datasources are onboarded.
Analytics Service | Fixed an error so that policies are enabled or disabled based on the status set up while onboarding the data.
Analytics Service | Fixed an error to ensure that when a violation is marked as non-concern, the violation status does not change incorrectly.
Analytics Service | Fixed the null pointer error that occurred while creating threat models.
Analytics Service | Fixed the Policy Configuration screen to resolve the 504 Gateway Timeout error that occurred while opening a policy.
Analytics Service | Fixed the Delete option to allow users to delete violations for identity policies. (INC-241691)
Analytics Service | Fixed an issue so that attribute configuration for behavior-based policies can be saved.
Analytics Service | Fixed an issue with static risk scores generated for policies.
Analytics Service | Fixed an issue so that aggregated risk scores generated for policies do not change without a violation.
Analytics Service | Fixed an issue so that threat models are displayed correctly. (INC-239374)
Analytics Service | Fixed the Whitelisting module so that whitelisted entities cannot trigger violations.
Analytics Service | Added a check so that users cannot edit the name of an identity-based policy once violations are flagged for that policy. (INC-238082)
Hunting | Fixed the Spotter UI to display data when there is a Secure Sockets Layer (SSL) connection.
Hunting | Fixed Spotter and Categorized Reports to ensure results are generated for admin users.
Hunting | Fixed an issue in Spotter, enabling access to saved queries when a query is imported.
Hunting | Fixed Data Insights to display a circuit breaker error message when a search errors out.
Hunting | Fixed Spotter queries to include records with NULL values when the not equal comparison operator (!=) is used in the archive query.
Hunting | Fixed the Data Insights filter to ensure all mapped attributes display in the Fields list.
Hunting | Fixed the Selected Fields panel in the Search Results view of Spotter to display a validation message when there are no results available.
Hunting | Fixed the pagination in Spotter to ensure users can navigate between archived search results.
Hunting | Fixed the Search Results functionality in Spotter to preserve any modifications made to a saved query when the tenant filter is applied.
Hunting | Fixed the Spotter Report screen to display correct field names and to improve the text lag when the drag-and-drop functionality is used for an attribute.
Response | Fixed the ServiceNow connector to create events.
Response | Fixed an issue with Top Violators to ensure the Entity Details display in the production environment.
Response | Fixed the bulk Select All action on the Security Command Center to work as expected from the Threats widget.
Response | Fixed the Action icon on the Security Command Center to display the Action History, watchlisted details, and entity details.
Response | Fixed an issue on the Security Command Center where violations displayed as Complete, even when the violation was set to Mark in progress (still investigating).
Response | Fixed an issue on the Security Command Center that prevented users from selecting an assignee when an incident was created.
Response | Fixed an issue on the Security Command Center that caused violation actions to not get updated on the UI when an action is taken from the top level.
Response | Fixed the Whitelist entries to display and accept special characters.
Shared Services (Multi-tenant) | Fixed the Schedule Report screen to display Top Violator Graphical View reports scheduled by admin users.
Shared Services | Fixed the tenant selection option to generate the Auditing report and Log Tampering report correctly from the Auditing screen.
Shared Services | Fixed an error so that users can select the correct AuditingReport.jrxml report.
Shared Services | Fixed the null pointer exception that occurred while generating the Top Violator Graphical View report.
Shared Services | Fixed the SLA report by range to display the time period for which the report is generated.
Shared Services | Fixed the Notification module to display notifications once the reports are generated.
Shared Services | Fixed the SLA custom report to leave the column blank if the value is null and to display correct values.
Shared Services (Multi-tenant) | Fixed the Available Tenants filter for the SCC screen. (INC-246974)
Shared Services (Multi-tenant) | Fixed the global Available Tenants selection window for the Auditing option.
Shared Services (Multi-tenant) | Fixed the Log Tampering auditing report to display tenant names.
Shared Services | Fixed an issue so that admin users can save Spotter queries, and create and edit reports. Note: A non-admin user cannot save Spotter queries as a report.
Shared Services | Fixed the SLA Report to display the correct incident count and success rate. (INC-245096)
Shared Services | Fixed an error to display data for the Incident Management Detail report.
Shared Services | Fixed the xls/pptx format option for the SCC - Top Violator report.
Shared Services | Fixed Categorized Reports to display the Owner field name.
Shared Services | Fixed an error so that scheduled reports are generated for the correct time period. (INC-243129)
Shared Services | Fixed the Search feature for the Masking Approver Workflow screen to search users or groups correctly.
Shared Services | Fixed an issue so that users with the ROLE_RBAC-TPA-SECURITYANALYSTS role and correct report privileges can view the Schedule Report screen. (INC-244566) (INC-244783)


Known Issues

The following table describes the known issues that exist in this release:

Component | Summary
Response | The DomainTools reputation playbook does not return correct domain values.
Response | Playbooks cannot be executed for threat models with a return type of Users or NetworkAddress.
Response | Anomali's playbooks run on violations that are not associated with the alert.
Shared Services | The Top Violations widget displays no data for admin users when an RBAC condition is applied from Granular Access Control.


What's New in Content

This section lists the following updates to content:

• New connectors
• Contextual connectors
• Improved connectors
• Deprecated connectors
• New content
• Improved content
• Deprecated policies

New Connectors

The following connectors for activity import are included in this release:

Vendor | Functionality | Device Type | Collection Method
Microsoft Corporation | Cloud Services / Applications | Azure Active Directory Sign In | Collection Method: azurereport
Palo Alto Networks | IDS / IPS / UTM / Threat Detection | Prisma Audit | Collection Method: prismacloud; Format: JSON
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | Collection Method: symantecendpoint; Format: JSON

Contextual Connectors

This section lists connectors required to ingest the following types of data:

• Entity Metadata
• Lookup Data
• Third Party Intelligence
• Users

The following contextual connectors are included in this release:

Vendor | Type
CSW Risk Sense (INC-235077) | Entity Metadata

Improved Connectors

The following connectors are improved in this release:

Vendor | Functionality | Device Type | Collection Method
BeyondTrust | Access / Privileged User | Powerbroker | Collection Method: Syslog; Format: Regex
BeyondTrust | Access / Privileged User | Powerbroker | Collection Method: Splunkraw; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: Syslog; Format: CEF
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: Syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: Splunkraw; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco FTD | Collection Method: Syslog; Format: Regex
Cisco Systems | Web Proxy | IronPort Web Security Appliance | Collection Method: Syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | Collection Method: Syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | Collection Method: Splunkraw; Format: Regex
Citrix Systems | Authentication / VPN | Netscaler VPN | Collection Method: Syslog; Format: Regex
Dell / SonicWall Inc. | Next Generation Firewall | SonicWall Global Management System | Collection Method: Syslog; Format: Key Value Pair
Fortinet | Next Generation Firewall | Fortigate | Collection Method: Syslog; Format: Key Value Pair
Fortinet | Next Generation Firewall | Fortigate | Collection Method: Splunkraw; Format: Key Value Pair
Infoblox | DNS / DHCP | Infoblox | Collection Method: Syslog; Format: Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Collection Method: Syslog; Format: Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Collection Method: Splunkraw; Format: Regex
Sophos | Next Generation Firewall | Sophos UTM | Collection Method: Syslog; Format: Key Value Pair
Sophos | Next Generation Firewall | Sophos UTM | Collection Method: Splunkraw; Format: Key Value Pair
Sophos | Next Generation Firewall | Sophos SG Firewall | Collection Method: Syslog; Format: Key Value Pair
Sophos | Next Generation Firewall | Sophos XG Firewall | Collection Method: Syslog; Format: Key Value Pair


Deprecated Connectors

Vendor | Functionality | Device Type | Collection Method
Intel Security / McAfee Inc. / IronMail | Email / Email Security | Mcafee IronMail Email Gateway | Collection Method: File; Format: Regex
Raytheon / Websense / ForcePoint Inc | Web Proxy | Websense Proxy | Collection Method: Syslog; Format: CEF

New Content

The following new policies are added in this release:

Functionality | Signature ID | Policy Name
Cloud Services / Applications | CSA-ALL-859-RU | Customer master keys Disabled or Scheduled for Deletion
Cloud Services / Applications | CSA-ALL-860-ERR | Unusual number of Key Vault operations
Cloud Services / Applications | CSA-ALL-862-RU | Cloud Storage observed with public access
Cloud Services / Applications | CSA-ALL-863-ERR | Resource launched with rare Instance type or Image ID
Cloud Services / Applications | CSA-ALL-864-ERR | Cloud storage accessed from Rare Geolocation
Cloud Services / Applications | CSA-ALL-865-ERR | Rare cloud storage discovery activity from Account
Cloud Services / Applications | CSA-ALL-866-ERR | Rare IAM policy activity from account
Cloud Services / Applications | CSA-ALL-867-ERR | Cloud storage operation from rare Role
Cloud Services / Applications | CSA-ALL-861-ERR | Rare country for SAML Token authentication
Cloud Services / Applications | CSA-ALL-873-ERR | Rare Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-ALL-874-ERR | Rare Credential Harvesting Activity on Cloud Infrastructure by account
Cloud Services / Applications | CSA-ALL-875-ERR | Rare account deleted cloud storage resources
Cloud Services / Applications | CSA-ALL-876-ERR | Rare account creating Snapshot or Volume
Cloud Services / Applications | CSA-ALL-877-BP | Spike in denied transactions on cloud resources by account
Cloud Services / Applications | CSA-ALL-878-ERR | Rare identity deleted cloud compute resources
Cloud Services / Applications | CSA-ALL-879-ERR | Rare implant or list container image by account
Cloud Services / Applications | CSA-ALL-880-ER | IAM Role deleted by rare account
Cloud Services / Applications | CSA-ALL-881-ER | IAM Role Created by rare account
Cloud Services / Applications | CSA-ALL-882-ERR | Rare account attempting to update role permissions
Cloud Services / Applications | CSA-ALL-883-ERR | Rare account list all Cloud accounts in the region
Cloud Services / Applications | CSA-ALL-884-ERR | Critical Key vault Operation performed by account

Improved Content

The following content was improved in this release:

Functionality | Signature ID | Policy Name
Cloud Services / Applications | CSA-AWS-734-DB | Account Updating IAM AssumeRolePolicy
Cloud Services / Applications | CSA-ALL-727-ERR | Account accessing rare IAM role
Cloud Services / Applications | CSA-AWS-730-ERR | Account removing encryption from the cloud storage resource
Cloud Services / Applications | CSA-AWS-733-BP | Failed attempts detected from an user attempting to attach to different roles
Cloud Services / Applications | CSA-AWS-732-RU | AWS Security Token Service Requested from MFA Disabled Account
Cloud Services / Applications | CSA-ALL-745-BP | Abnormal number of failed authentication attempts detected on Cloud
Cloud Services / Applications | CSA-ALL-746-ERR | Authentication detected from a rare geolocation on Cloud
Cloud Services / Applications | CSA-AWS-748-ERR | Rare account generating credential reports for a region
Cloud Services / Applications | CSA-AWS-747-DB | Credential Reports Generated for Multiple Regions - SIEM
Cloud Services / Applications | CSA-ALL-749-DB | Successful Login after Multiple Failed Authentication Attempts from an Account
Cloud Services / Applications | CSA-ALL-708-BP | Abnormal Number of Cloud Storage Resources Deleted
Cloud Services / Applications | CSA-ALL-704-DB | Detecting Implant Container Image
Cloud Services / Applications | CSA-ALL-711-ERR | Rare Storage Service Deletion by an Account
Cloud Services / Applications | CSA-AWS-718-ERR | Recon activity detected from a rare geolocation
Cloud Services / Applications | CSA-ALL-719-LS | Landspeed Anomaly Detected on Cloud Resources
Cloud Services / Applications | CSA-AWS-743-ER | Temporary Credentials Generated by an User
Cloud Services / Applications | CSA-ALL-717-ERR | Account modifying ACL or Permissions of a cloud storage resource
Cloud Services / Applications | CSA-AWS-742-ERR | Rare Account Creating Accesskey
Cloud Services / Applications | CSA-ALL-702-BP | Multiple Cloud Instances or Virtual Machines Terminated
Cloud Services / Applications | CSA-ALL-715-TP | Data transfer detected on cloud storage from blacklisted IP address
Cloud Services / Applications | CSA-AWS-735-DB | HIgh Number of Failed AssumedRole Requests Detected from an Account
Cloud Services / Applications | CSA-AWS-739-DB | Privilege escalation through IAM instance profile
Cloud Services / Applications | CSA-AWS-736-BP | Account Authorizing Changes to Multiple Security Groups
Cloud Services / Applications | CSA-ALL-713-TP | Suspicious cloud activity detected from a blacklisted IP address on cloud resources
Cloud Services / Applications | CSA-ALL-701-DB | Possible Cryptomining Attack Detected
Cloud Services / Applications | CSA-ALL-714-BP | Abnormal Number of snapshots created
Cloud Services / Applications | CSA-ALL-725-BP | Abnormal Number of Denied Transactions on Cloud Resources
Cloud Services / Applications | CSA-ALL-703-DB | Multiple Cloud Instances or Virtual Machines Deleted within Short Period Of Time
Cloud Services / Applications | CSA-ALL-726-RU | Disabling OR Modifying Audit Logs on Cloud Platforms
Cloud Services / Applications | CSA-ALL-707-ERR | Account Creating Network Access Control List
Cloud Services / Applications | CSA-ALL-709-DB | Multiple Cloud Storage Resources Deleted within a Short Time
Cloud Services / Applications | CSA-ALL-710-ERR | Possible Exfiltration Activity Detected
Cloud Services / Applications | CSA-ALL-731-RU | Root User Activity Detected on Cloud Instance
Cloud Services / Applications | CSA-ALL-720-ERR | Firewall Rule Modification or Deletion Detected From a Rare Account
Cloud Services / Applications | CSA-ALL-721-ERR | Virtual Private Cloud Network Deletion Detected
Cloud Services / Applications | CSA-ALL-722-ERR | Virtual Private Cloud Network Created
Cloud Services / Applications | CSA-ALL-737-ERR | Account Deleting LoginProfile of Another User
Cloud Services / Applications | CSA-ALL-723-ERR | User Deleting Table in a Database
Cloud Services / Applications | CSA-ALL-738-ERR | Account Updating LoginProfile of Another Account
Cloud Services / Applications | CSA-ALL-740-ERR | Rare Account Creating OR Modifying Identity Policy
Cloud Services / Applications | CSA-AWS-741-ER | Account Created New LoginProfile
Cloud Services / Applications | CSA-ALL-744-RU | Sign in Detected without MFA
Cloud Services / Applications | CSA-ALL-750-ERR | Service Account Created
Cloud Services / Applications | CSA-AZ-706-ERR | Command Execution Detected on a Virtual Machine
Cloud Services / Applications | CSA-ALL-705-BP | Credential Harvesting Activity on cloud infrastructure
Cloud Services / Applications | CSA-AWS-728-ERR | Account Discovery - Account lists all the AWS accounts in the region
Cloud Services / Applications | CSA-AWS-729-DB | Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-AWS-712-DB | Recon Activity Detected on Cloud Computing Resource
Cloud Services / Applications | CSA-ALL-716-TP | Traffic to cryptomining domains
Cloud Services / Applications | CSA-AWS-724-ERR | AWS RDS Cluster Creation
Cloud Services / Applications | CSA-ALL-753-ERR | IAM Role Creation Detected
Cloud Services / Applications | CSA-ALL-751-ERR | IAM Role Deletion Detected
Cloud Services / Applications | CSA-ALL-752-ERR | Service Account Deletion or Disabling Detected
Cloud Services / Applications | CSA-ALL-760-ERR | Rare Account Deleting Pub-Sub Subscription
Cloud Services / Applications | CSA-ALL-761-RU | External Guest User Invitation Detected
Cloud Services / Applications | CSA-ALL-762-RU | Creation or Modification of Automation Runbook OR Webhook Detected
Cloud Services / Applications | CSA-ALL-763-ERR | Account Creating Audit Trail on Cloud Platforms
Cloud Services / Applications | CSA-AZ-754-RU | Sign in Detected Using Powershell
Cloud Services / Applications | CSA-ALL-755-RU | New Account Creation Detected
Cloud Services / Applications | CSA-ALL-756-ERR | User Addition to a Group Detected
Cloud Services / Applications | CSA-ALL-757-DB | Brute Force Attempts Detected on Root User
Cloud Services / Applications | CSA-ALL-758-ERR | Rare Account Accessing the Secret Manager
Cloud Services / Applications | CSA-ALL-759-ERR | Rare Account Creating Pub Sub Subscription
Cloud Services / Applications | CSA-AWS-764-RU | MFA Disabled for Root User Account
Endpoint Management Systems | EDR-ALL-3-BP | Abnormal number of encrypted files created
Endpoint Management Systems | EDR-ALL-884-ERR | Possible Webshell created In Unusual file location
Endpoint Management Systems | EDR-ALL-889-RU | Possible Reverse Shell connection established via Invoke-PowerShellTcpOneLine script
Endpoint Management Systems | EDR-ALL-885-RU | Possible execution of China Chopper Web Shell via Command line
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-887-RU | Process dump using COM Plus Service DLL via Command line
Microsoft Windows | WOS-225-RU | Possible Privilege Escalation - Self Escalation
Microsoft Windows Powershell | PSH-ALL-118-RU | Use of Powercat tool to establish reverse shell on Host
Unix / Linux / AIX | UNX-ALL-804-BP | Abnormal number of distinct destination hosts accessed - IP Address
Unix / Linux / AIX | UNX-ALL-818-BP | Spike in SU authentication failures-Behavior
Unix / Linux / AIX | UNX-ALL-809-BP | Abnormal number of failed ssh authentication attempts - IP Address
Unix / Linux / AIX | UNX-ALL-806-RU | User emailing files to external email addresses
Unix / Linux / AIX | UNX-ALL-817-BP | Abnormal number of distinct destination hosts accessed - Activity account
Unix / Linux / AIX | UNX-ALL-802-BP | Spike In Failed SSHD Logs-Behavior
Unix / Linux / AIX | UNX-ALL-821-BP | Abnormal number of SU login failures - Target user enumeration
Unix / Linux / AIX | UNX-ALL-822-RU | Use of cron job commands executed - SIEM
Unix / Linux / AIX | UNX-ALL-820-RU | Detect audit log tampering
Unix / Linux / AIX | UNX-ALL-815-BP | Abnormal high number of login failure - Remote Address
Unix / Linux / AIX | UNX-ALL-812-RU | Detect presence and attempted use of the telnet utility
Unix / Linux / AIX | UNX-ALL-816-RU | Activity Performed by Terminated Account
Unix / Linux / AIX | UNX-ALL-819-RU | Unauthorized Privileged Account Creation or Deletion
Unix / Linux / AIX | UNX-ALL-825-BP | Abnormal use of privileged super user command

Deprecated PoliciesThe following table lists the policies that are deprecated as part of this release:

Functionality PolicyName Categorization

Antivirus /Malware /EDR

Rare usage of PsRemoting - EDR (EDR-ALL-820-ERR)

Removed the policy as itflagged low level events.

CloudAntivirus /Malware /EDR

Rare usage of PsRemoting - Cloud EDR(CEDR-ALL-820-ERR)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Abnormal volume of data egressed usingREST API requests (CSSO-ALL-448-BA)

Removed the policy as itflagged low level events.

Release Notes 23

What's New in Content

Functionality PolicyName Categorization

CloudAuthentication/ SSO /Single Sign-On

Abnormal volume of data egressed viaVisualforce requests (CSSO-ALL-449-BA)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Large number of target accounts used fordelegated login (CSSO-ALL-450-DB)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Abnormal number of target accounts usedfor delegated login (CSSO-ALL-451-BP)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Rare user performing delegated logon(CSSO-ALL-845-ER)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Installation of rare unmanaged packagedetected acrossorganization (CSSO-ALL-846-ER)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Abnormal volume of file downloads fromSalesforce (CSSO-ALL-847-BA)

Removed the policy as itflagged low level events.

Release Notes 24

What's New in Content

Functionality PolicyName Categorization

CloudAuthentication/ SSO /Single Sign-On

Login failure to Disabled User Account -SIEM - SSO (CSSO-ALL-826-DB)

Removed the policy as itflagged low level events.

CloudAuthentication/ SSO /Single Sign-On

Password spraying attempts from oneaccount to multipleapplications_enumeration -DuoAuthentication (CSSO-ALL-829-BP)

Removed the policy as itflagged low level events.

Cloud ContentManagementSystem

Account Activity detected from RareGeolocation (CCMS-ALL-802-ER)

Threat scenario covered aspart of another policy.

Cloud ContentManagementSystem

Account accessing file share neveraccessed before (CCMS-ALL-809-ER)

Threat scenario covered aspart of another policy.

Cloud ContentManagementSystem

Account activity from a country rare tothe organization (CCMS-ALL-828-ERR)

Removed the policy as itflagged low level events.

Cloud ContentManagementSystem

Account activity from a country rare forthe user (CCMS-ALL-829-ERR)

Removed the policy as itflagged low level events.

Cloud ContentManagementSystem

External account downloading abnormallyhigh number of files (CCMS-ALL-839-BP)

Removed the policy as itflagged low level events.

DatabaseAudit

Abnormal frequency of data aggregatedfrom database (DBS-ALL-821-BA)

Removed the policy as itflagged low level events.

DNS / DHCPExcessive number of failed DNS zonetransfers (DNS-010)

Threat scenario covered aspart of another policy

DNS / DHCPExcessive number of DNS NXDOMAINresponses (DNS-023)

Threat scenario covered aspart of another policy

Release Notes 25

What's New in Content

Functionality PolicyName Categorization

DNS / DHCPExcessive number of DNS SERVFAILresponses (DNS-024)

Threat scenario covered aspart of another policy

Email / EmailSecurity

Persistent Phishing Attempts (EML-SML-820-RU)

Removed the policy as itflagged low level events.

Email / EmailSecurity

Multiple Emails to Nonbusiness Domains(EGW-007)

Removed the policy as itflagged low level events.

Email / EmailSecurity

Persistent Phishing Attempts (EML-SVE-820-RU)

Removed the policy as itflagged low level events.

Email / EmailSecurity

Freemail domain phishing attempts (EDR-TMC-812-RU)

Removed the policy as itflagged low level events.

Email / EmailSecurity

Resemblance Based Phishing Attempts -TLD analysis (EDR-TMC-813-RU)

Removed the policy as itflagged low level events.

Email / EmailSecurity

Resemblance Based Phishing Attempts -PLD analysis (EDR-TMC-814-RU)

Removed the policy as itflagged low level events.

Email / EmailSecurity

Persistent Phishing Attempts (EDR-TMC-815-RU)

Removed the policy as itflagged low level events.

FirewallPossible external port scan over systemports - Firewall (IFW-FTF-873-BP)

Threat scenario covered aspart of another policy.

FirewallRepeat Attack on firewall-Foreign (IFW-FTF-928-DB)

Threat scenario covered aspart of another policy.

FirewallTraffic to Known Attacker on firewall(IFW-FTF-929-RU)

Threat scenario covered aspart of another policy.

FirewallPossible external port scan over systemports - Firewall (IFW-FAW-873-BP)

Threat scenario covered aspart of another policy.

FirewallRepeat Attack on firewall-Foreign (IFW-FAW-928-DB)

Threat scenario covered aspart of another policy.

FirewallTraffic to Known Attacker on firewall(IFW-FAW-929-RU)

Threat scenario covered aspart of another policy.

FirewallPossible external port scan over systemports - Firewall (IFW-AWP-873-BP)

Threat scenario covered aspart of another policy.

Release Notes 26

What's New in Content

Functionality PolicyName Categorization

Firewall | Repeat Attack on firewall - Foreign (IFW-AWP-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-AWP-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-AWP-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall - Foreign (IFW-AWP-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-AWP-929-RU) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall - Foreign (IFW-ALL-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on Firewall (IFW-ALL-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-CPF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-JPF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall - Foreign (IFW-JPF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-JPF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-JSF-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall - Foreign (IFW-JSF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-JSF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall - Foreign (IFW-CPF-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-CPF-929-RU) | Threat scenario covered as part of another policy.
Firewall | Possible external port scan over system ports - Firewall (IFW-CPS-873-BP) | Threat scenario covered as part of another policy.
Firewall | Repeat Attack on firewall - Foreign (IFW-CPS-928-DB) | Threat scenario covered as part of another policy.
Firewall | Traffic to Known Attacker on firewall (IFW-CPS-929-RU) | Threat scenario covered as part of another policy.
Firewall | External network port scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | External Port scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | External source scan to Internal network - SIEM | Removed the policy as it flagged low-level events.
Firewall | Internal System running port scan - Horizontal SIEM | Removed the policy as it flagged low-level events.
Firewall | Internal System running port scan - Vertical SIEM | Removed the policy as it flagged low-level events.
Firewall | Internal System running port scan Internally - SIEM | Removed the policy as it flagged low-level events.
Firewall | Connection attempt to Zeus Domain or IP Address - SIEM | Removed the policy as it flagged low-level events.
Firewall | Ping Sweep or ICMP Inbound Scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | SMB Services allowed from internet - SIEM | Removed the policy as it flagged low-level events.
Firewall | Non Mail server trying to send mails outside - SIEM | Removed the policy as it flagged low-level events.
Firewall | RDP Attempt from Malicious IP - SIEM | Removed the policy as it flagged low-level events.
Firewall | Outbound Spamhaus observed Traffic - SIEM | Removed the policy as it flagged low-level events.
Firewall | RDP Access allowed from the internet - Account - SIEM | Removed the policy as it flagged low-level events.
Firewall | Brute Force Attack - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Traffic to rare domain on DNS ports - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Possible host enumeration over system ports - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Possible lateral movement over network traffic - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Job Exiting Behavior on Web Browsing - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Flight Risk Behavior on Web Browsing - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | SmartDefense IPS Rules - High Severity - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | SmartDefense IPS Rules - Medium Severity - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | SmartDefense IPS Rules - Malicious address - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | VPN activity by Undocumented Accounts - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | VPN Authentication Using a Rare Operating System for an Account - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Suspicious Wildfire Submission Result from the Firewall - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Suspicious Threat Category Observed - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Abnormal number of vulnerabilities observed - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | File Blocking Profile Initiated - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Possible lateral movement observed on network traffic - SIEM | Removed the policy as it flagged low-level events.
Firewall | Possible port scan over distinct system ports - Next Gen Firewall | Removed the policy as it flagged low-level events.
Firewall | Remote Database Scanner - SIEM | Removed the policy as it flagged low-level events.
Firewall | Remote Recon Network Sweep or scan - SIEM | Removed the policy as it flagged low-level events.
Firewall | Scan over plain text ports - SIEM | Removed the policy as it flagged low-level events.
Firewall | Possible external host enumeration over system ports-197 | Removed the policy as it flagged low-level events.
Firewall | Possible external port scan over system ports-197 | Removed the policy as it flagged low-level events.
Firewall | Internal Host Communicating to Bad Reputed IP - SIEM | Removed the policy as it flagged low-level events.
Firewall | Possible port scan observed - SIEM | Removed the policy as it flagged low-level events.
Firewall | User connecting to infected sites - SIEM | Removed the policy as it flagged low-level events.
Firewall | DNS amplification by frequency of packets - Firewall-236 | Threat scenario covered as part of another policy.
Microsoft Windows | Account added and removed to security group (WEL-MWO-824-DB) | Removed the policy as it flagged low-level events.
Microsoft Windows | Abnormal number of Kerberos impersonation attempts detected (WEL-MWO-840-BP) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Remote Database Scanner - SIEM (IFW-ALL-919-BP) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Repeat firewall drops (IFW-CAF-922-DB) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Beaconing traffic to malicious sites over firewall (IFW-CAF-868-TA) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Rare dns host resolved over firewall (IFW-CAF-872-ER) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Rare file type detected over firewall traffic (IFW-CAF-807-ER) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Brute Force Access on VPN (IFW-CAF-905-BP) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Repeat Attack-Foreign (IFW-CAF-928-DB) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Possible external host enumeration over system ports (IFW-CAF-874-BP) | Threat scenario covered as part of another policy.
Next Generation Firewall | Traffic to Known Attacker (IFW-CAF-929-RU) | Threat scenario covered as part of another policy.
Next Generation Firewall | Possible external port scan over system ports (IFW-CAF-873-BP) | Removed the policy as it flagged low-level events.
Next Generation Firewall | DNS amplification by frequency of packets (IFW-CAF-871-DB) | Removed the policy as it flagged low-level events.
Next Generation Firewall | Probable Successful Brute Force Attack on VPN (IFW-CAF-910-DB) | Removed the policy as it flagged low-level events.
Unix / Linux / AIX | Possible DoS Attack - sshd (XOS-UNX-813-DB) | Removed the policy as it flagged low-level events.
Unix / Linux / AIX | Possible brute force attack (XOS-UNX-806-BP) | Removed the policy as it flagged low-level events.
Web Proxy | Repeat Attack-Web Content Filter (ALT-028) | Removed the policy as it flagged low-level events.
Web Proxy | Attempted connection to botnet domain - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Beaconing Traffic Detected | Removed the policy as it flagged low-level events.
Web Proxy | Beaconing traffic to known black list site | Removed the policy as it flagged low-level events.
Web Proxy | Communication with Suspicious External IP from internal network - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Connection attempt to Zeus Domain or IP Address - SIEM Proxy | Removed the policy as it flagged low-level events.
Web Proxy | Connection to known ransomware IP - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Detection of Web Requests to Rare Blocked Domains | Removed the policy as it flagged low-level events.
Web Proxy | Internal Host Communicating to Bad Reputed Domain - Proxy SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Internal Host Communicating to Bad Reputed IP - Proxy SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Internal Host Communicating to Bad Reputed URL - Proxy SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Internal Traffic for Blocked Domain - Proxy SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Multiple sources connection to a botnet domain - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Outbound Spamhaus observed Traffic - Proxy SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Outbound TOR Traffic - Proxy SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Outbound Traffic to Fraud sites - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Phishing detected - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Rare domain visited by account | Removed the policy as it flagged low-level events.
Web Proxy | Rare User Agent Used by Account | Removed the policy as it flagged low-level events.
Web Proxy | Remote Desktop or Private VPN Accessed - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Same User Connecting to multiple botnet domains - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Suspicious connection PUT using HTTP - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Suspicious Connections to URL contains “Trojan” | Removed the policy as it flagged low-level events.
Web Proxy | Suspicious downloads to URL contains wget - SIEM | Removed the policy as it flagged low-level events.
Web Proxy | Traffic to Phishing Site | Removed the policy as it flagged low-level events.
Web Proxy | Traffic to rare domain on DNS ports - Firewall | Removed the policy as it flagged low-level events.
Web Proxy | Uploads to news or media websites | Removed the policy as it flagged low-level events.
