Change Logs

The CyFlare SOC Change Log Updates page comprehensively records all modifications and enhancements to the CyFlare Security Operations Center (SOC) platform. Stay informed about the latest improvements and changes that impact your cybersecurity strategy and SOC operations.

October 2024
Update Category
Completed Items
Playbook Enhancement

Alfie Insights

  • We’re excited to introduce a new feature designed to provide greater transparency and visibility in the ticket escalation process. Many clients have expressed interest in understanding the checks and queries run by our playbooks when they are not all fully detailed in the ticket notes. Alfie Insights will address this need by making that information visible across all escalations.
  • The purpose of this feature is for our customers to review and provide feedback on how our playbooks are operating and to be vocal about issues with the logic that we have in place.This new feature, Alfie Insights, is now available in Beta and can be found at the bottom of some tickets.
  • Over 80% of the playbooks now have this feature enabled.
Other

The SOC has also enabled and built custom integrations for the following CyFlare Services offerings:

  1. Vicarius – Vulnerability Scanning Service (VSS)
  2. Checkpoint Harmony Email Security – Managed Email Security (mESS)
  3. CrowdStrike – Managed EDR (mEDR)
  •  These Services are now SOC-enabled with appropriate playbooks/integrations built within the SOAR. Please reach out to your CSM for further information about SOC use cases.
September 2024
Update Category
Completed Items
New Playbook
  1. Microsoft Entra changes to Privileged account
  2. External Password Spraying Anomaly
  3. Microsoft Entra Bitlocker Key Retrieval
  4. Microsoft Entra PIM Setting changed
  5. AWS Access Key created
  6. Salesforce login outside the US
  7. Potentially Malicious Windows activity
  8. AWS Create User
  9. Suspicious AWS EBS Activity
  10. Internal DLP Rule Match
Playbook EnhancementGen-AI use cases were implemented for the following playbooks:
  • The SOC escalation template now includes Gen-AI use case integrated within The alert snapshot as well as catered rememdiation actions All ticket templates will include an AI emoji indicating that corresponding text has been generated using Gen-AI
    • XDR: Trojan Activity
    • Darktrace detections
    • XDR: Public to Private exploit anomaly
    • Azure AD Risk detections
    • Bad Reputation Anomaly
    • Microsoft Entra Suspicious Changes to Conditional Access Policy
    • User Impossible Travel Anomaly
    • FIM – Created, Deleted, Modified
    • Exploit Attempt Correlation
    • Office365 detections
    • Google Workspace detections
    • Emerging Threat
    • All login outside the US alerts – Office365, Azure, Duo, G-Suite, JumpCloud, etc
    • DNS Tunneling Anomaly
Alert Tuning
  • XDR: Exploit Anomalies
    • This alert type has recently been updated to trigger on a sub-event type identified as an IPS traffic anomaly. This event type is highly sensitive to traffic that has already been blocked by the firewall, which may result in a higher incidence of false positive alerts due to its lower fidelity.
    • Additionally, the alert type “private to public exploit anomaly” will now auto-close all alerts that are triggered based on a known “ms-update” activity considering the IPs associated with alerts are clean on OSINT.
  • Mimecast Detections
    • Mimecast alerts types usually trigger from source tool even when mimecast has already handled the entity by marking them as rejected. The playbooks are now modified to validate if action is rejected and mark those as false positives.
New Detections
  1. XDR: Google Workspace detections
    • Google Workspace Deny Access Request
    • Google Workspace Unassign Role
    • Google Workspace Assign Role
    • Google Workspace Password Edit
    • Google Workspace Revoke 3LO Token
    • Google Workspace Move User To Organizational Unit
    • Google Workspace Create User
August 2024
Update Category
Completed Items
New Features

New Automation Use Case:

  • The SOC is now enabled with response actions associated with CrowdStrike EDR tool. Any customers utilizing CrowdStrike as their Endpoint security solution can reach out to their CSM and ask about further details on how we can integrate with the SOC’s response actions.

AI use-case within SOC incidents:

  • The SOC playbooks are now beginning to get integrated with AI-capabilities to enhance our incidence response. Our playbooks seamlessly integrate with our custom built AI models and assist in summarizing and providing remediation steps for end-users.
    • The use case is currently being leveraged by select few playbooks and SOC escalations will now feature an appropriate disclaimer when such integrations are present in the tickets.

Exempt Sites for EDR customers:

  • To provide additional customization for automation use-cases catered for EDR tools, customers can now reach out to the SOC and provide specific site names to exempt from being considered for automated response actions permanently or for a specific period of time. This allows for unnecessary operational overhead in case an authorized activity is expected for certain endpoints/sites.
New Detections
  1. XDR: Potential APT FIN7 Exploitation Activity
    • This detection will alert on any of the known process chains seen associated with FIN7 as reported by Google. Rdpinit.exe spawning notepad++.exe or Notepad++.exe spawning cmd.exe
  2. XDR: File Integrity Monitoring
    • This detection will alert on a creation, modification, or deletion of files in the following file paths: C:\autoexec.bat, C:\boot.ini, C:\Windows\system.ini, C:\Windows\win.ini, C:\Windows\regedit.exe
      C:\Windows\explorer.exe, C:\Windows\System32\userinit.exe, C:\Program Files\Microsoft Security Client\msseces.exe
New Playbooks

XDR Alert types that now have a dedicated playbook for each detection making the triage and escalation workflow catered towards the type of activity:

  1. SentinelOne – Virtualization Sandbox Evasion
  2. Google Workspace Alert – XDR Login Anomaly
  3. Suspicious AWS IAM Activity
  4. Proofpoint Outbound Email Spike
  5. DUO User Update Bypass
  6. AWS Suspicious Root Activity
  7. Microsoft Entra Sign-In Failure
  8. Suspicious Modification of AWS CloudTrail Logs
  9. Suspicious Modification of S3 Bucket
  10. Azure changes to device registration policy
  11. JumpCloud MFA Push Failure
  12. Jumpcloud login outside the US
  13. McAfee ESM failed login activity
  14. Windows Domain policy changed
  15. Suspicious AWS Route 53 activity
  16. Microsoft Entra Suspicious changes to conditional access policy
  17. Microsoft Entra application configuration changes
Playbook Enhancement
  1. XDR: IDS Signature Spike
    • The playbook now correlates already escalated exploit anomalies and automatically adds comments. For new anomalies, the playbook automatically resolves them to a new SOC escalation.
  2. XDR: Duo login outside the US
    • The SOC escalation template now includes correlated threat hunting searches that present contextual information around the flagged entities. Additionally, the playbook is also equipped with Customer Knowledge Base (CKB) lookup for known travel advisories for the user.
  3. XDR: Multiple login from one workstation/Source IP/Destination IP
    • The playbook was updated with specific threat hunting queries to provide entity-specific information and add reason to an alert being triggered.
  4. XDR: GoFile Room User login failure
    • It now include tailored threat hunting search queries via Stellar API and provides comprehensive context about the reported activity in the ticket escalated
  5. AI use cases enabled for the following playbooks
    • XDR: Office365 Content policy filter changed
    • XDR: Azure user added to global admin group
    • XDR: Malware Activity 
      • The SOC escalation template now includes Gen-AI use case integrated within The alert snapshot as well as catered remediation actions
        All ticket templates will include an AI emoji indicating that corresponding text has been generated using Gen-AI.
  6. Microsoft Defender Playbooks
    • These playbooks now include an additional lookup for DNS hostnames and correlate the IP associated with known vulnerability scanner to improve alert fidelity and avoid obvious false positives.
  7. XDR: User Impossible Travel Anomaly
    • This playbook has built-in correlation for various alerts to ensure standalone alerts are not generated due to them being very sensitive. These now also include Azure AD (Entra) Risk Detection alerts as a correlated alert type.
  8. XDR: Azure/Office365 Login outside the US
    • As part of continuous improvement with playbook logic, the SOC has decided to implement an additional check for customers that have this alert type as muted. Moving forward, if the IP used to login has been marked malicious by OSINT, it will ignore the mute and continue to escalate as potential risky sign-in for that user.
July 2024
Date of Update
Completed Items
07/01/2024New Detections: XDR Rules
  1. Azure Sign-in failures
  2. Azure Discovery using Azurehound
  3. Azure changes to Privileged role assignment
  4. Azure PIN setting changed
  5. Azure application configuration changes
  6. Azure Unusual Account creation
  7. Azure suspicious changes to conditional access policy
  8. Azure guest user invited by non-approved invitees
  9. Azure federation modified
  10. Azure privileged account assignment or elevation
  11. Azure changes to privileged account
  12. Azure Bitlocker key retrieval
  13. Azure changes to device registration policy
07/01/2024Playbook Enhancement:
  • EDR: Microsoft365 Defender
    • This playbook now has additional improved enrichment queries specific to alert type “Activity from Anonymous Proxy” which makes the escalated ticket include improved contextual details around the activity.
07/02/2024Playbook Enhancement:
  1. XDR: Windows User Added/Removed from Local/Domain Admin Group
    • These playbooks have been modified with additional look-ups to cover missing usernames from the original alert. A curated threat hunting query is used to fetch the user with the SID provided in windows events.
07/03/2024New Playbooks: XDR
  1. Windows Audit Log Cleared
  2. Suspicious AWS EC2 Activity
  3. Potentially Malicious AWS Activity
  4. Remote Access Team Viewer
  5. Multiple Administrator Account Lockouts
  6. Suspicious AWS RDS Event
  7. McAfee ESM Failed Login
07/04/2024Playbook Enhancement:
  • XDR: Private to Public Exploit Anomaly
    • The ticket template has been improved with added details focusing on the original application responsible for triggering the external connection.
07/09/2024Playbook Enhancement:
  • Windows User Added to Local Administrator
    • For certain alerts that don’t come with user information, playbook now accounts for those scenarios and runs additional lookup queries to XDR tool in order to fetch the user associated with the SID information.
07/15/2024New Playbook: Microsoft 365
  1. Password Spray
  2. Antimalware Action Failed
  3. Connection to adversary-in-the-middle AiTM phishing site
  4. Malware Detection
  5. Unfamiliar Sign-In Properties
  6. Anomalous Token
  7. Malware Was Detected in a CAB Archive File
07/16/2024Playbook Enhancement:
  • Suspicious PowerShell Script Detection
    • This playbook now collects all pieces of the script that was flagged as suspicious and gives the analyst a better view of the purpose of the script and judge it potential malicious nature.
07/19/2024Playbook Enhancement:
  • AI Summarization
    • XDR: Private to Public Exploit alerts now have this feature included where IDs signatures are interpreted by AI and an alert snapshot is generated to better explain what triggered and flagged the activity in the ticket.
    • The information given to gen-AI is not confidential to any specific entity/company/user. All information provided by Gen-AI is still being reviewed by the SOC and still under beta-testing phase.
07/25/2024New Playbook:
  • XDR: Exploit attempt correlation
    • This playbook was built from ground up using custom logic that correlates activity based on a previously seen exploit attempt alerts and adds further context when necessary.
  • XDR: Potential User Compromise via Axios user agent
    • This playbook now caters specifically for activity around axios user agent and auto-escalates cases to Critical when successful login attempts are observed by the SOC.
  • XDR: M365 User added to privileged group
    • The playbook now contains a tailored ticket template that includes threat hunting queries giving more context around the user’s activity around the time of this alert.
June 2024
Date of Update
Completed Items
06/03/2024New Detections: XDR Rules
  1. AWS Suspicious IAM Activity
  2. AWS Suspicious Root Account Activity
  3. AWS Suspicious Route 53 Activity
  4. AWS Suspicious Bucket Enumeration
  5. AWS Suspicious modification of Route table
  6. AWS Suspicious VPC flow logs modification
  7. AWS Malicious Activity
  8. AWS Suspicious RDS event
  9. AWS Suspicious EC2 Activity
  10. AWS Suspicious modification of S3 bucket
  11. AWS Suspicious EBS Activity
06/04/2024Playbook Enhancement:
  1. XDR: External User Success Brute-forcer Anomaly
    • Improved ticket escalations specifically around the Okta login type.
  2. XDR: Azure AD Risk Detections
    • Improved playbook logic such that similar/duplicate alerts are grouped together while ensuring that alerts qualifying critical escalations are not missed/delayed.
  3. XDR: GSuite Login outside the US
    • In addition to creating this new alert type for customers who have compatible log sources, the playbook has also been enhanced to incorporate the existing “Travel Advisory” feature from CyFlare ONE portal.
06/09/2024Alert Tuning:
  • XDR: Outbytes Anomaly
    • Improved alert fidelity by excluding default Microsoft IPs since they get flagged by the XDR tool as known false positives.
06/10/2024New Detection:
  1. XDR: Jump Cloud Command Run
    • This new alert looks for the command_run event type in Jump Cloud logs for any commands that are run through the console and provides additional context around whether the activity is authorized or not.
  2. XDR: Jump Cloud login outside the US
    • This new alert looks for login activity based on geo-location and flags any anomalous behavior from users that are not expected to login from a certain country beyond the norm.
    • Playbooks for this alert type have also been implemented to include travel advisories from the ONE portal to avoid known authorized travel activity.
06/12/2024New Detection:
  • XDR: Duo User Bypass Status Update
    • This new alert will query for logs indicating that a user is put into bypass status in Duo portal which are known adversarial methods used by malicious actors to bypass multi-factor authentication and compromise user accounts.
06/14/2024New Playbook:
  • XDR: Microsoft 365 Data Destruction
    • Playbook for this alert type has been improved with threat hunting queries curated specifically to provide context around this activity and giving accurate enrichment information about included entities.
  • XDR: RDP Settings Hijacking
    • Playbook for this alert type has been improved with threat hunting queries curated specifically to provide context around this activity. This also includes adding contextual lookups for known RDP servers from Client knowledge base in ONE portal.
06/16/2024New Detection:
  • XDR: AWS Console login outside the US
06/18/2024Playbook Enhancement:
  • XDR: AWS Console login outside the US
    • Improved playbook logic around escalation with curated ticket template and improved fidelity by adding travel advisory look up from the ONE platform.
06/19/2024Playbook Enhancement:
  • XDR: Multiple Users deleted
    • The playbook has been refined to augment the information presented during ticket escalations. This includes the incorporation of alert-specific look-ups that contribute valuable insights and present a comprehensive narrative of the events leading up to the alert being triggered.
New Detection:
  • XDR: Potential Exploitation of CVE-2022-42475
    • This detection was implemented to alert on any of the known indicators of compromise for CVE-2022-42475 for customers that forward FortiOS logs.
06/24/2024Playbook Enhancement:
  • XDR: Office365 and Azure login outside the US
    • Activity flagged between Azure and Office365 are usually around the same time due to the fact that users access both of these resources while being outside the country. Anomalous behavior that correlates to the same user from both log sources will now get matched as duplicates and avoid creating additional tickets for customers.
06/27/2024New Playbook:
  1. SentinelOne: Inhibit System Recovery
  2. Google Workspace: Suspicious Login
May 2024
Date of Update
Completed Items
05/01/2024New Feature: CISA Vulnerability Scanners
  • We have developed and implemented a new automated playbook action within our SOAR platform that retrieves the list of recognized external scanner IP addresses from the Cybersecurity and Infrastructure Security Agency (CISA). Consequently, any alerts generated by XDR systems that are attributed to authorized scanning activities from these IP addresses will be automatically resolved. This ensures that such benign alerts are not unnecessarily escalated as tickets to our clients.
05/06/2024Alert Tuning: Suspicious User Agent Detection
  • We have tuned out known benign user agents within our Stellar Cyber platform that are involved with ZoneAlarm, Nessus Scanners, Kaspersky Updates and DuckDuckGo web crawling.
05/08/2024New Detection: User Impossible Travel Anomaly
  • Enabled User Impossible Travel globally this detection triggers when a user logged in from locations that are geographically impossible to travel between in the time frame. The new rule takes the default XDR alert and correlates them to other high fidelity geo-location based alerts in order to improve the overall actionable items within each escalation.
05/08/2024Playbook Enhancement: Google Workspace Phishing
  • This playbook has been updated to add enrichment for Google Workspace Phishing detections for clients who also utilize Proofpoint, this additional enrichment provides additional information from the initial sender.
05/14/2024Playbook Enhancement: Creation of forwarding and redirect rule
  • This alert has been updated with improved information enriched from the original log events. This results in accurate ticketing information that can be used to either tune or take actions within the customer’s environment.
05/17/2024New Detection: Google Workspace Suspicious Login
  • A new threat hunting rule for our clients that have GSuite integration within stellar which alerts on “Suspicious Login” event activity. This alert utilizes GSuites logic for detections.
05/20/2024Other: Improved Client knowledge base category for Vulnerability Scanners
  • This change allows end-users to add both IPs and Hostnames within the Vulnerability scanner category for the CKB records. The playbooks on SOAR have been improved to accomodate both data types allowing users slightly improved flexibility in adding new records.
April 2024
Date of Update
Completed Items
04/01/2024New Detection: Google Workspace – 7 New Detections
  1. Application Access Level Modified
    • Detects when an access level is changed for a Google Workspace application.
  2. Application Removed
    • Detects when an application is removed from Google Workspace.
  3. Granted Domain API Access
    • Detects when an API access service account is granted domain authority within a Workspace environment.
  4. Role Modified or Deleted
    • Detects when a role is modified or deleted within Google Workspace.
  5. Role Privilege Deleted
    • Detects when a role privilege is deleted within Google Workspace.
  6. User Granted Admin Privileges
    • Detects when a Google Workspace user is granted admin privileges.
  7. Multi-Factor Authentication Disabled
    • Detects when multi-factor authentication (MFA) is disabled.
04/02/2024Playbook Enhancement: Conditional Access Blocked Login
  • Revamped logic around alert de-duplication within SOAR playbooks and avoid creating duplicate tickets about the same entities.
04/03/2024New Feature: Improved metrics around Critical alerts
  • The SOC improved internal processes that track and measure metrics around Critical alerts initiated for various customers.
04/03/2024New Feature: Recorded Future connector
  • The SOC now supports a new vendor “Recorded Future” and also have custom playbooks built around the same. This includes default Recorded Future alerts as well as custom built playbook alerting from the customer’s environment.
04/05/2024Other: Upgraded XDR Integration with SOAR
  • This enhancement effectively resolves previously identified challenges with ingestion latency and introduces additional advanced features to the SOAR infrastructure. Our XDR system now ensures prompt and comprehensive alert ingestion, eliminating gaps and offering a suite of sophisticated authentication methods tailored to diverse platform settings.
04/08/2024Playbook Enhancement: Revamped SentinelOne playbook
  • The SentinelOne playbook has been comprehensively updated, offering enhanced features for more effective security operations management. The key improvements include:
    • The integration of Gen-AI technology to summarize threat indicators identified by SentinelOne for each escalated threat, aiding customers in understanding the potential impact.
    • Refined alert prioritization mechanisms that more accurately categorize the severity of detected threats, ensuring that SOC investigations align with the associated risks.
    • An upgrade to the latest version of the SentinelOne API, enriching the data with additional details, an expanded feature set, and the full suite of capabilities available in the new API iteration.
04/09/2024Playbook Enhancement: Improved logic for SSH Brute-force activity
  • The playbook has been refined to augment the information presented during ticket escalations. This includes the incorporation of alert-specific look-ups that contribute valuable insights and present a comprehensive narrative of the events leading up to the alert being triggered.
04/15/2024Playbook Enhancement: Improved logic for multiple XDR alert types
  • The playbook has been updated to refine the alert escalation process, and the ticket template has been augmented to include more comprehensive information enriched by XDR. The enhancements address the following alert types:
    • Internal/External Trojan Activity
    • AWS login without No Multi-factor authenticated (MFA) detected
04/19/2024Playbook Enhancement: Improved logic for Azure AD Risk Detection
  • The playbook has been extensively redesigned to incorporate a hybrid approach, having the nosier alert types have automatic escalation, while retaining manual options for others.
04/23/2024New Detection: Google Workspace – 6 New Detections
  1. AWS Identity Center Identity Provider Change
  2. AWS Config Disabling Channel/Recorder
  3. AWS CloudTrail Important Change
  4. AWS IAM S3Browser User or AccessKey Creation
  5. Restore Public AWS RDS Instance
  6. AWS SecurityHub Findings Evasion
March 2024
Date of Update
Completed Items
03/14/2024New Detection: Exfiltration and Tunneling Tools Execution
  • Custom built alert Utilizing Windows Sysmon.
  • Tracks well known tools use of data exfiltration over alternative protocols from user accounts.
03/14/2024New Detection: Data Exfiltration to Text Storage Sites and Cloud Storage
  • Custom logic built around the Stellar alert Outbytes Anomaly.
  • The detection is looking for anomalously high volume being transferred to a destination host used for external storage.
03/14/2024New Detection: DNS Exfiltration Tools Execution Detected
  • Custom built alert Utilizing Windows Sysmon.
  • This alert is looking for the execution of tools used for Application Layer Protocol and DNS Exfiltration.
03/14/2024Alert Tuning: Malware Activity – Microsoft related Activity
  • Added more logic to not alert around Microsoft related activity like Windows Updates.
  • This was also implemented last month, but logic was further enhanced to not alert around this activity.
03/15/2024Alert Tuning: Public to Private Exploit Anomaly
  • More logic implemented within the playbook to account for activity that is already being blocked by a client’s firewall.
03/18/2024Template Update – The following template updates were implemented to reflect our improved formatting:
  1. Default – Generic Alarm
  2. DGA Resolvable
  3. DHCP Server Anomaly
  4. DNS Tunneling Anomaly
  5. Domain Controller Spoofed Authentication
  6. DPAPI Domain Backup Key Extraction
  7. Exploited Command and Control Connection
  8. Fortinet Admin Configuration Change
  9. G Suite – Account Security Settings Disabled
  10. G Suite – User Suspended
  11. Google Workspace Alert – XDR Anomaly
  12. Honey Account Login Failure
  13. Kerberoasting
  14. Kerberos Silver Ticket
  15. Known Malicious User Agent Detected
  16. M365 – Exfiltration Over Web Service
  17. M365 – User Added to Privilege Group
  18. Malware Activity
  19. Malware on Disk
  20. Metasploit Download Microsoft Defender ATP
  21. Microsoft Teams Vulnerability
  22. Mimikatz Credential Dump
03/28/2024Playbook Enhancement: Bad Reputation Anomaly
  • Playbook has been re-evaluated and adjusted prioritization levels for certain criteria to meet up to Critical Severity.
  • Also added automation to this playbook and this will result in much faster escalations of potentially critical events.
03/29/2024New Detection: Potential APT29 Related Scheduled Tasks
  • Custom detection that hunts for Scheduled Task Names that have been utilized by APT29 via GraphicalProton Backdoor.
03/29/2024New Detection: Potential Raspberry Robin CPL Execution Activity
  • Custom detection to hunt for behavior observed in multiple Raspberry-Robin variants.
February 2024
Date of Update
Completed Items
02/02/2024Alert Tuning: Multiple Users Deleted
  • Client Knowledge Base defined service accounts that are flagged deleting users through our custom ATH rule “Multiple Users Deleted” will be auto-closed as Muted Operational detections.
02/03/2024Alert Tuning: Exploit Anomalies | Malware/Trojan Activity
  • Alert tuning complete for IDS signature based detections, if firewall decision is listed as blocked the detection is excluded preventing unnecessary alerting.
02/05/2024Playbook Enhancement: Potential Shell Shock User Agent Request
  • If the alert contains a certain stellar field, that will be included as the source IP as this is the actual source of the request.
02/07/2024Alert Tuning: Anomalous DC Sync
  • If the Anomalous DC Sync is from a known service account listed in the CKB then it will not result in an escalation.
02/08/2024New Detection: Azure User Added to Global Admin Group
  • Looking for modified properties new value field to contain “Global Administrator” from the activity display name of “Add member to role” in Azure AD logs.
02/12/2024New Feature: Indicators of Compromise now Non-Clickable
  • To avoid our clients from mistakenly clicking on IPs, URLs or other IOCs that can be potentially harmful, we have made these IOCs non-clickable.
  • This action will take in an IOC, or list of IOCs (comma delaminated) and return a JSON of the IOCs with their “.” surrounded by brackets ([]).
02/14/2024Alert Tuning: User Impossible Travel
  • Alert tuning for User Impossible Travel alerts if the user and country pair are listed in CKB.
02/21/2024Alert Tuning: Malware Activity Flagged from Microsoft Updates
  • Stellar Detections related to malware were being frequently raised when related to routine Microsoft Updates.
  • This alert will no longer be escalated moving forward.
02/21/2024Alert Tuning: Trojan Activity Benign Signatures
  • Muted some IDS Signatures that the SOC does not deem as critical or actionable for a client.
  • The signatures are related to non-existent domain responses that pose minimal risk and low fidelity.
02/26/2024Template Update: The following template updates were implemented to reflect our improved formatting:
  1. AWS Malicious Host Access
  2. AWS Not MFA Authenticated
  3. AWS Root Logon Detected
  4. Azure AD Add App Multitenant
  5. Azure AD Change Domain
  6. Azure AD Risk Detection
  7. Azure Domain Policy Modification
  8. Azure Failed Login Outside the US
  9. Azure XDR Location Anomaly
  10. Bad Destination Reputation
  11. Bad Reputation Login
  12. Bad Source Reputation Anomaly
  13. BlueKeep
  14. Cisco Login Failed
  15. CrowdStrike – Command and Scripting Interpreter
  16. CrowdStrike – Data Encrypted for Impact
02/27/2024New Detection: Potential ScreenConnect Vulnerability
  • Detection made in response to recent ScreenConnect Vulnerability, hunting for file names used in initial compromise.
  • Reference our “Screen Connect Security Advisory” posted on February 28th, which addresses “CVE-2024-1708” and “CVE-2024-1709”.
January 2024
Date of Update
Completed Items
01/03/2024

Alert Tuning: Public to Private Exploit Anomaly

  • The ticket template for this alarm type has been modified to now include a sub-bullet mentioning internal source IPs associated with the detection.
  • If blocked / dropped connections / no bytes transferred, the playbook will not escalate the event.
01/04/2024

New Feature: Temporary Suppression per Entity

  • Customers can now provide certain entities for the SOC to mute alerting due to expected activity, authorized testing activity or other scenarios leading to a known flood of alerts from a specific source.
  • Customers can reach out to the SOC and provide usernames/IPs that need this mute along with start or end date.
01/06/2024

Playbook Enhancement: Okta Login Outside the US

  • This alarm type has now been upgraded to use newer playbook features like Travel advisory lookup making it more efficient and reliable when triaging.
  • As a result this will result in less false positives or expected activity to be alerted on.
01/10/2024

Alert Tuning: Malware Activity & Exploit Anomaly Logic

  • External Malware Activity and Public to Private Exploit Anomaly Playbooks, will now feature a condition where automated logic will close out the case as a false positive if it meets certain criteria.
  • The criteria includes validation of successful or failed connection attempts, as well as amount of bytes exchanged related tot he incident.
01/11/2024

Alert Tuning: Exploited Command and Control Connection Logic

  • If the IDS signature reported by XDR is “GPL VOIP SIP INVITE message flooding” and both flagged IPs are internal only, the SOC has deemed this scenario to be non-actionable.
  • The alert is still leveraged for correlative activity with other alerts/playbooks.
01/12/2024

Playbook Enhancement: External Malware Activity

  • All DNS-related alarm types now focus the investigation strictly on the DNS detected within the evidence information.
  • This helps improve escalation quality and provide consistent investigations.
01/16/2024

New Feature: Alert Grouping for SentinelOne Threats

  • Alert grouping is now being leveraged within our playbooks for SentinelOne Threats based on the file hash of a threat.
  • This will avoid the creation of duplicate tickets of the same threat when playbooks get ran concurrently.
01/25/2024

Playbook Enhancement: User Success Brute-Forcer CKB Lookup

  • This alarm type now utilizes the Client Knowledge Base data by automatically closing detections as false positives if they originate from a known Vulnerability Scanner within your environment.
01/25/2024

Playbook Enhancement: SentinelOne Playbook Logic Re-Vamped

  • The Playbook improvement has a focus on the logic around applying a more appropriate priority level based on other threats or related IOCs observed within your environment.
01/28/2024

Alert Tuning: Azure AD Risk Detection

  • Playbook modifications to account for scenarios where alerts were generated with no known successful logins from the flagged source/user.
  • This adjustment should make escalation higher in fidelity and accuracy moving forward.
01/29/2024

Alert Tuning: Password Spray Playbook

  • This alarm type now has a newly updated playbook functionality in order to filter out any scenarios where reported number of unique users are less than 5.
  • This change will make the alarm type more reliable to report actual password spray activity.
01/30/2024

New Feature: Entity Hunter (Beta)

  • New feature within our SOAR platform that helps us increase visibility over a certain entity through an automated watchlist functionality.
  • Due to any recent security incident like a user compromise, they can reach out to the SOC and have the specific username added to our Entity Hunter.
  • Once added in, every case monitored by the SOC will raise to a HIGH severity if it matches any entity present within our watchlist.
December 2023
Date of Update
Completed Items
12/04/2023 

Playbook Enhancement: Vulnerability Scanners in Exploit Attempt Detections

  • Now have logic to mute all Exploit Attempts from being escalated when triggered by a Vulnerability Scanner that is in a client’s CKB.
12/05/2023

Playbook Enhancement: IP Location Lookup

  • For any playbook involving an IP Location as the reason for escalation we have added logic to verify the IPs location within the playbook prior to escalation.
12/08/2023

Playbook Enhancement: CISA Vulnerability Management IPs

  • The Cybersecurity and Infrastructure Security Agency (CISA) regularly release known public IPs they utilize for external scanning.
  • CyFlare has leveraged this list and will not escalate any detections to clients if it matches a CISA defined IP Address.
12/08/2023

Playbook Enhancement: Successful Logins Outside the US

  • Any Successful Login Outside the US will be checked to see if there is an open ticket in the past 24 hours for it, if yes then close the repeat alert.
  • This was done in an effort to eliminate spam on an already escalated ticket that a client should already have on their radar.
  • If the activity resurfaces after 24 hours, we will comment on the already escalated ticket.
12/13/2023

Playbook Enhancement: User Success Brute-Forcer (IPv6 Check)

  • If the Source IP is an IPv6 formatted IP the SOC will perform extra checks to ensure the tickets gets the necessary information.
12/13/2023

Playbook Enhancement: Multiple Login Failures from One Source IP

  • This playbook now has a CKB Lookup for Vulnerability Scanners as we noticed scanners had frequently been triggering this Custom ATH Rule.
  • If the IP involved is a Vulnerability Scanner it will not get escalated as a ticket.
12/15/2023

New Detection: Password Spray

  • Alert introduced in a recent Stellar Update.
  • The detection is looking for an anomalously large number of failed logins with multiple different user names involved and failures originating from One IP.
12/15/2023

New Detection: Port Scan TSA

  • Alert introduced in a recent Stellar Update.
  • This is a new variation of port scanning by Stellar that leverages “Time Series Analytics (TSA) Model”.
  • TSA model based detections involve three different types of detections:
    • Spike detection
    • Continuous low detection
    • Rare detection
12/15/2023

New Detection: IDS Signature Spike

  • Alert introduced in a recent Stellar Update.
  • Detection looking for a source IP address that has transmitted an anomalous number of different IDS signatures.
12/19/2023

New Detection: DarkTrace Stellar Integration

  • Detection for clients who utilize DarkTrace within their Stellar Environment.
  • We are only tracking DarkTrace Detections with a severity of 7 or higher.
  • Any client who would like a lower threshold will have to request this with the CyFlare SOC.
12/19/2023

Playbook Enhancement: Device Management and Condition Check

  • Logins outside the US no check if the device is managed and if the Conditional Access status is successful.
12/21/2023

Playbook Enhancement: Office 365 Content Filtering Policy Changed

  • This alarm type had a issues associated with the data fields being provided from Office 365 API Source.
  • The playbook is now accommodating for the lack of details provided, or too many details provided.
  • The new template will addjust accordingly to maintain readability and effective formatting.
12/24/2023

New Feature: Custom Python Functions

  • Within SOAR playbooks, the SOC has the ability to create custom python-based actions on the data fields that are ingested from various source tools.
  • This helps us create conditional criteria based on certain fields that are not always available via Stellar connector logs.
  • This is only applicable for those who request something unique to be done via a Python Function and if we have a connector within SOAR.
November 2023
Date of Update
Completed Items
11/03/2023 

New Feature: SOAR monitoring for XDR log ingestion

  • The SOC has now enabled a new features where all XDR instances will be monitored for their log ingestion every 6 hours. If no logs were ingested in the time period, an investigation will be initiated by the SOC.
11/06/2023

Gen AI: Launched within SOAR

  • At CyFlare, all analysts now benefit from the integration of Generative AI into their case investigations. This advanced feature facilitates the provision of historical context for received alerts and offers comprehensive recommendations for potential remediation actions.
11/07/2023

Ticket Templates Revamped: Project Update

  • The SOC has been working towards making all the ticket escalations more cohesive and easy to read. As part of this project, the SOC completed over 90% of the tickets being escalated.
11/08/2023

Playbook Enhancement: Improved utilization of Client Knowledge Base

  • The SOC has refined all playbooks designed for network traffic-related alerts to exclude known vulnerability scanners from the Client knowledge base, resulting in their automatic closure. This enhancement is expected to enhance the accuracy and reliability of cases escalated by the SOC.
  • Added “Potential Shell Shock” lookup for Vulnerability scanners to avoid escalating False Positives for known scanners in the environment.
11/16/2023

Template Update: Ticket Template updated for Exploit Anomalies

  • For all exploit anomalies related to DNS queries, the SOC has updated ticket templates so we are including investigation details associated with the specific domain flagged in network events.
11/16/2023

 New Playbook: M365 Defender

  • For customers having dedicated M365 Defender integrated with SOAR, the SOC is now equipped with a dedicated playbook custom built to investigate and manage Defender alerts. Some features of the playbook includes: Threat hunting queries for defender, incident management, glue book functionality for correlating other events from XDR platform.
11/21/2023

Playbook Enhancement: External User Success Brute-force Anomaly

  • In the event that a flagged user has a history of successful logins, the SOC performs a validation check within the last hour to identify any events with error code 70044. This error code signifies instances where the session has either expired or become invalid due to sign-in frequency checks imposed by conditional access. To mitigate the occurrence of false positives, playbooks will be automatically closed when the specified condition is fulfilled.
11/22/2023

Template Updates: New Ticket Templates

  • Duo Security Failed Authentication
  • Terry Server External outbound Traffic
  • Microsoft 365 – XDR NBA Rule Violation
  • Custom Darktrace detection
  • Suspicious Scan Loop on Network
  • Multiple Login failures from one Source IP
  • Duo Security Failed login
  • Multiple User Deleted
  • Windows User Account Changed
  • Box Shield Alert
11/23/2023

Playbook Enhancement: Change to Login Outside the US Alerts

  • Our playbook now closes these detections from escalation if the following error codes are generated:
    • 53003 – Access has been blocked due to conditional access policies
    • 50126 – Invalid username or password or Invalid on-premises username or password, automatically close as benign.
11/24/2023

Template Update: Change to Subject Line for Escalated Tickets

  • Moving forward, all tickets will have alert priority mentioned towards the end of the subject line. This is mainly to assist with customers to prioritize certain tickets before informational/low alarms.
11/28/2023

Playbook Enhancement: M365 Defender using GlueBook Functionality

  • Adding glue book functionality to “Internal User success brute-forced login anomaly” playbook with Defender threat hunting queries.
  • This will add value to investigations done by the SOC for customers that have defender API functionality. For known mananged devices based on AzureAD records in Defender, we will auto-close these alerts as they give little to no security implication.
October 2023
Date of Update
Completed Items
10/02/2023 

Playbook Enhancement: DPAPI Domain Backup Key Extraction

  • Modified playbook logic and updated ticket template.
10/03/2023

Response Action: Microsoft Defender

  • The SOC has enabled response actions for Microsoft Defender within playbooks.
  • Customers who choose this option will empower the SOC to promptly initiate incident response upon detecting critical Defender events, without unnecessary delays while waiting for customer input to identify actions.
  • The SOC is well-equipped to execute specific response actions and deliver comprehensive details during escalations, ensuring timely and informed incident handling.
    1. Initiate AV scan on the endpoint
    2. Stop and Quarantine file
    3. Isolated endpoint from network
10/04/2023

Playbook Enhancement: Suspicious PowerShell Script Detection

  • Modified the ticket template to include additional information about the rule and query that was observed within the detection.
10/04/2023

Playbook Enhancement: Office365 Successful Login outside the US

  • Modified the playbook to handle multiple instances where usernames are either not available or have different field names from XDR tool.
  • These are now being normalized and handled accordingly.
10/05/2023

New Detection: Multiple Users Deleted

  • A detection focused on detecting an abnormal number of users deleted in a short amount of time via Windows Events.
10/09/2023

Playbook Enhancement: Azure XDR Successful Login outside the US

  • Modified playbook logic and updated ticket template.
  • SOC Response actions were added as part of playbook automation where the SOC has the ability to take response actions when an anomalous login from an unfamiliar location is observed.
  • These actions can be from the following:
    1. Revoke user session
    2. Force password update
    3. Reset password
    4. Disable user account
10/10/2023

New Detection: Multiple Failed Login Attempts from One Source/Destination/Workstation

  • To be able to continue monitor and cover any potential brute-force attempts, excessive login failures, password spraying, etc.
  • The SOC implemented a custom detection that can catch multiple logins failures from a singular source/destination/workstation.
  • This improves fidelity and reduces noise from the usual login failure alarms that are triggered in XDR platforms.
10/11/2023

Playbook Enhancement: Get Hash from String

  • Added a new functionality within SOAR that allows playbooks to hash any larger text and compare to already defined hashes in order ensure known entities are excluded accurately.
    • For example, if certain PowerShell scripts are known to run, the SOC can hash the script text and validate any future detections for suspicious PowerShell scripts.
10/12/2023

Playbook Enhancement: External Malware Activity

  • Modified playbook logic and updated ticket template.
  • Our logic now looks into firewall actions as well as IDS signatures.
  • For domain specific IDS signatures, domain query searches are now included within escalation details.
10/13/2023

New Detection: Azure AD Sign in from AzureHound

  • Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent.
10/19/2023

Revamped Ticket Templates

  • The new template enhances readability and provides convenient access to relevant information. This change marks a significant step toward the upcoming ONE v2.0 platform, which will further elevate the user experience and streamline SOC communication.
  • The following detections were improved:
    1. RDP Brute Force Attack
    2. RDP Reverse Tunnel
    3. RDP Suspicious Logon Attempt
    4. RDP Suspicious Logon
    5. Windows User Added to Domain Admins Group – Global
    6. Windows User Added to Enterprise Admins Group – Global
    7. Windows User Added to Local Administrators Group – Global
    8. Windows User Added to Schema Admins Group – Global
    9. Windows User Removed from Domain Admin Group
    10. Windows User Removed from Local Admin Group
10/23/2023

Playbook Enhancement: Improvement to Sophos Escalation

  • Modified Sophos ticket templates within playbooks to individually highlight various detections from operational to malicious hits.
10/25/2023

SLA Change

  • With the release of our new offerings in “SOC Support Program & SLA Overview” we have made adjustments to SLA plans for all previous “Essential” Tenants.
    • With this change all clients who were “Essential” or “Enhanced” have been moved to an “Advanced” SLA Plan.
    • All previous “Premiere” level clients will remain at this level.
  • For more information please refer to the following link: https://cyflare.com/wp-content/uploads/SOC-Support-and-SLA-Overview-REV04_1023_FINAL.pdf
  • Alternatively you can reach out to your Assigned CSM to get more information.
10/26/2023

Revamped Ticket Templates (Continued)

  • This is a continuation of our ticket template enhancement process, these will be ongoing throughout the rest of the month and November.
  • The following detections were improved:
    1. Command and Control Reputation
    2. Credential Stuffing
    3. Emerging Threat
    4. Sophos EDR
    5. Windows Account Lockout Event
    6. Windows Domain Policy Changed
    7. Windows Security-Enabled Global Group Created
    8. Windows Security-Enabled Local Group Created
    9. Windows Security-Enabled Universal Group Created
    10. Windows Unauthorized Password Reset
10/27/2023

Alert Tuning: Suspicious PowerShell Script – SentinelOne Related Detections

  • Logic adjusted to no longer escalate SentinelOne related processes for clients utilizing our MDR solutions.
September 2023
Date of Update
Completed Items
9/4/2023 

Alert Tuning: Abnormal Parent-Child Process 

  • Increased fidelity and threshold of escalation, more used for correlative behavior, analytics, and investigations now. Other detections are enabled in response to this change. 
9/4/2023 

Playbook Enhancement: O365 – Malicious URL Clicked 

  • Modified playbook logic and updated ticket template 
9/4/2023 

Alert Tuning: Suspicious User Agent Detection 

  • Muting of low fidelity IOCs related to this detection that are not actionable, data will still exist within analytics and can be correlated with other detections/activity. 
9/4/2023 

Alert Tuning: Cold Fusion Vulnerability 

  • Updated the Stellar custom ATH rule to run every 10 minutes and will also combine the result of every detection per tenant rather than multiple detections at once. 
9/5/2023 

New Detection: Suspicious Process Creation Commandline Detection 

  • Enabled new ATH Rule for all tenants that includes the following types of detections: 
    1. Empire PowerShell UAC Bypass 
    2. Emotet Process Creation 
    3. LockerGoga Ransomware 
    4. CrackMapExec Command Execution 
    5. Suspicious Use of Procdump on LSASS 
    6. Unidentified Attacker November 2018 
    7. Winnti Pipemon Characteristics 
    8. PowerShell Base64 Encoded Shellcode 
    9. Ryuk Ransomware 
    10. DTRACK Process Creation 
    11. ShimCache Flush 
    12. Snatch Ransomware 
    13. TropicTrooper Campaign November 2018 
9/5/2023 

Template Update: CrowdStrike: Disable or Modify Tools 

  • Template modification to enhance the quality of escalated tickets and analyst triage process 
9/6/2023 

Playbook Enhancement: Azure AD Risk Detections 

  • Modified playbook logic and updated ticket template 
9/6/2023 

Playbook Enhancement: Azure Login Outside the US 

  • Modified playbook logic and updated ticket template 
9/6/2023 

Playbook Enhancement: Custom Sophos EDR Detections in Stellar 

  • Modified playbook logic and updated ticket template 
9/12/2023 

Template Update: Applied a Fix for Critical IR Cases 

  • Fix was applied to all Critical cases where the ticket did not reflect a critical priority 
9/14/2023 

Playbook Enhancement: Office365 and Azure – Successful Login outside the US

  • Modified ticket template to include a link for Travel Advisory that can be added for known authorized travel. 
  • Travel Advisory lets clients let the SOC know when a user in their environment travels. The SOC will then see this activity is authorized and not escalate the action. 
9/21/2023 

Playbook Enhancement: Modified External User Success Brute-force Anomaly 

  • Upon identifying IP addresses flagged as malicious due to OSINT findings and SSH login attempts, the SOC will promptly initiate Incident Response procedures and notify customers using the available information. 
9/25/2023 

Playbook Enhancement: Google Workspace Phishing Alert

  • Added glue book functionality where if the customer has Proofpoint integration, the information from the same Proofpoint log event can be added within ticket details. 
  • Modified playbook logic and updated ticket template.
9/25/2023 

Playbook Enhancement: SentinelOne (Endpoint Isolation) 

  • Depending on the defined policy, SentinelOne may isolate an endpoint from the network as a remediation step when detecting suspicious or malicious threats. In the future, the SOC will proactively initiate Incident Response procedures whenever SentinelOne isolates an endpoint based on the policy configuration. 
9/25/2023 

New Feature: Critical Incident Handler Emails 

  • Clients can now update their Critical IH plan with different emails, such as the Primary and Secondary Contacts within tickets. 
  • Please reach out to your Assigned CSM to get this updated. 
9/27/2023 

New Detection: Suspicious PowerShell Script Detection 

  • Enabled new ATH Rule for all tenants that includes the following types of detections: 
    1. PowerShell Mailbox Collection Script 
    2. Suspicious Portable Executable Encoded in Powershell Script 
    3. PowerShell Suspicious Script with Screenshot Capabilities 
    4. PowerShell Script with Token Impersonation Capabilities 
    5. PowerShell Invoke-NinjaCopy script 
    6. PowerShell Suspicious Script with Audio Capture Capabilities 
    7. PowerShell Suspicious Script with Clipboard Retrieval Capabilities 
    8. PowerShell Share Enumeration Script 
    9. PowerShell Script with Encryption/Decryption Capabilities 
    10. PowerShell MiniDump Script 
    11. PowerShell PSReflect Script 
    12. PowerShell PSAttack 
    13. Computer Discovery And Export Via Get-ADComputer Cmdlet – PowerShell 
    14. Access to Browser Login Data 
    15. Invoke-Obfuscation CLIP+ Launcher – PowerShell 
    16. PowerShell ICMP Exfiltration 
    17. Powershell Directory Enumeration 
    18. Suspicious Hyper-V Cmdlets 
    19. Change User Agents with WebRequest 
    20. Suspicious Get-ADReplAccount 
9/27/2023 

New Detection: Kerberos Replay Attack Detected 

  • Looking for relevant Windows Event IDS if a request was received twice with identical information.
9/27/2023 

New Detection: SoftPerfect Network Scanner Execution 

  • Looking for any activity related to the SoftPerfect Network Scanner Product via Process Name/Command Line Activity 
9/29/2023 

Playbook Enhancement: Malware Activity

  • The SOC identified significant tuning opportunities with this specific alarm type.
  • Utilizing firewall responses to ignore alerts when the firewall has already blocked them 
  • Auto-closing certain low-priority IDS Signatures based on the lack of network traffic observed between the flagged domain and the internal host. 
9/29/2023 

Playbook Enhancement: Possible Impacket SecretDump Remote Activity 

  • The playbook was created with updated logic and modifications for the observed remote activity.