Change Logs

Date of Update

Completed Items

1. AWS Suspicious IAM Activity
2. AWS Suspicious Root Account Activity
3. AWS Suspicious Route 53 Activity
4. AWS Suspicious Bucket Enumeration
5. AWS Suspicious modification of Route table
6. AWS Suspicious VPC flow logs modification
7. AWS Malicious Activity
8. AWS Suspicious RDS event
9. AWS Suspicious EC2 Activity
10. AWS Suspicious modification of S3 bucket
11. AWS Suspicious EBS Activity

1. XDR: External User Success Brute-forcer Anomaly
   • Improved ticket escalations specifically around the Okta login type.
2. XDR: Azure AD Risk Detections
   • Improved playbook logic such that similar/duplicate alerts are grouped together while ensuring that alerts qualifying critical escalations are not missed/delayed.
3. XDR: GSuite Login outside the US
   • In addition to creating this new alert type for customers who have compatible log sources, the playbook has also been enhanced to incorporate the existing “Travel Advisory” feature from CyFlare ONE portal.

• XDR: Outbytes Anomaly
  • Improved alert fidelity by excluding default Microsoft IPs since they get flagged by the XDR tool as known false positives.

1. XDR: Jump Cloud Command Run
   • This new alert looks for the command_run event type in Jump Cloud logs for any commands that are run through the console and provides additional context around whether the activity is authorized or not.
2. XDR: Jump Cloud login outside the US
   • This new alert looks for login activity based on geo-location and flags any anomalous behavior from users that are not expected to login from a certain country beyond the norm.
   • Playbooks for this alert type have also been implemented to include travel advisories from the ONE portal to avoid known authorized travel activity.

• XDR: Duo User Bypass Status Update
  • This new alert will query for logs indicating that a user is put into bypass status in Duo portal which are known adversarial methods used by malicious actors to bypass multi-factor authentication and compromise user accounts.

• XDR: Microsoft 365 Data Destruction
  • Playbook for this alert type has been improved with threat hunting queries curated specifically to provide context around this activity and giving accurate enrichment information about included entities.
• XDR: RDP Settings Hijacking
  • Playbook for this alert type has been improved with threat hunting queries curated specifically to provide context around this activity. This also includes adding contextual lookups for known RDP servers from Client knowledge base in ONE portal.

• XDR: AWS Console login outside the US

• XDR: AWS Console login outside the US
  • Improved playbook logic around escalation with curated ticket template and improved fidelity by adding travel advisory look up from the ONE platform.

• XDR: Multiple Users deleted
  • The playbook has been refined to augment the information presented during ticket escalations. This includes the incorporation of alert-specific look-ups that contribute valuable insights and present a comprehensive narrative of the events leading up to the alert being triggered.

• XDR: Potential Exploitation of CVE-2022-42475
  • This detection was implemented to alert on any of the known indicators of compromise for CVE-2022-42475 for customers that forward FortiOS logs.

• XDR: Office365 and Azure login outside the US
  • Activity flagged between Azure and Office365 are usually around the same time due to the fact that users access both of these resources while being outside the country. Anomalous behavior that correlates to the same user from both log sources will now get matched as duplicates and avoid creating additional tickets for customers.

1. SentinelOne: Inhibit System Recovery
2. Google Workspace: Suspicious Login

Date of Update

Completed Items

• We have developed and implemented a new automated playbook action within our SOAR platform that retrieves the list of recognized external scanner IP addresses from the Cybersecurity and Infrastructure Security Agency (CISA). Consequently, any alerts generated by XDR systems that are attributed to authorized scanning activities from these IP addresses will be automatically resolved. This ensures that such benign alerts are not unnecessarily escalated as tickets to our clients.

• We have tuned out known benign user agents within our Stellar Cyber platform that are involved with ZoneAlarm, Nessus Scanners, Kaspersky Updates and DuckDuckGo web crawling.

• Enabled User Impossible Travel globally this detection triggers when a user logged in from locations that are geographically impossible to travel between in the time frame. The new rule takes the default XDR alert and correlates them to other high fidelity geo-location based alerts in order to improve the overall actionable items within each escalation.

• This playbook has been updated to add enrichment for Google Workspace Phishing detections for clients who also utilize Proofpoint, this additional enrichment provides additional information from the initial sender.

• This alert has been updated with improved information enriched from the original log events. This results in accurate ticketing information that can be used to either tune or take actions within the customer’s environment.

• A new threat hunting rule for our clients that have GSuite integration within stellar which alerts on “Suspicious Login” event activity. This alert utilizes GSuites logic for detections.

• This change allows end-users to add both IPs and Hostnames within the Vulnerability scanner category for the CKB records. The playbooks on SOAR have been improved to accomodate both data types allowing users slightly improved flexibility in adding new records.

Date of Update

Completed Items

1. Application Access Level Modified
   • Detects when an access level is changed for a Google Workspace application.
2. Application Removed
   • Detects when an application is removed from Google Workspace.
3. Granted Domain API Access
   • Detects when an API access service account is granted domain authority within a Workspace environment.
4. Role Modified or Deleted
   • Detects when a role is modified or deleted within Google Workspace.
5. Role Privilege Deleted
   • Detects when a role privilege is deleted within Google Workspace.
6. User Granted Admin Privileges
   • Detects when a Google Workspace user is granted admin privileges.
7. Multi-Factor Authentication Disabled
   • Detects when multi-factor authentication (MFA) is disabled.

• Revamped logic around alert de-duplication within SOAR playbooks and avoid creating duplicate tickets about the same entities.

• The SOC improved internal processes that track and measure metrics around Critical alerts initiated for various customers.

• The SOC now supports a new vendor “Recorded Future” and also have custom playbooks built around the same. This includes default Recorded Future alerts as well as custom built playbook alerting from the customer’s environment.

• This enhancement effectively resolves previously identified challenges with ingestion latency and introduces additional advanced features to the SOAR infrastructure. Our XDR system now ensures prompt and comprehensive alert ingestion, eliminating gaps and offering a suite of sophisticated authentication methods tailored to diverse platform settings.

• The SentinelOne playbook has been comprehensively updated, offering enhanced features for more effective security operations management. The key improvements include:
  • The integration of Gen-AI technology to summarize threat indicators identified by SentinelOne for each escalated threat, aiding customers in understanding the potential impact.
  • Refined alert prioritization mechanisms that more accurately categorize the severity of detected threats, ensuring that SOC investigations align with the associated risks.
  • An upgrade to the latest version of the SentinelOne API, enriching the data with additional details, an expanded feature set, and the full suite of capabilities available in the new API iteration.

• The playbook has been refined to augment the information presented during ticket escalations. This includes the incorporation of alert-specific look-ups that contribute valuable insights and present a comprehensive narrative of the events leading up to the alert being triggered.

• The playbook has been updated to refine the alert escalation process, and the ticket template has been augmented to include more comprehensive information enriched by XDR. The enhancements address the following alert types:
  • Internal/External Trojan Activity
  • AWS login without No Multi-factor authenticated (MFA) detected

• The playbook has been extensively redesigned to incorporate a hybrid approach, having the nosier alert types have automatic escalation, while retaining manual options for others.

1. AWS Identity Center Identity Provider Change
2. AWS Config Disabling Channel/Recorder
3. AWS CloudTrail Important Change
4. AWS IAM S3Browser User or AccessKey Creation
5. Restore Public AWS RDS Instance
6. AWS SecurityHub Findings Evasion

Date of Update

Completed Items

• Custom built alert Utilizing Windows Sysmon.
• Tracks well known tools use of data exfiltration over alternative protocols from user accounts.

• Custom logic built around the Stellar alert Outbytes Anomaly.
• The detection is looking for anomalously high volume being transferred to a destination host used for external storage.

• Custom built alert Utilizing Windows Sysmon.
• This alert is looking for the execution of tools used for Application Layer Protocol and DNS Exfiltration.

• Added more logic to not alert around Microsoft related activity like Windows Updates.
• This was also implemented last month, but logic was further enhanced to not alert around this activity.

• More logic implemented within the playbook to account for activity that is already being blocked by a client’s firewall.

1. Default – Generic Alarm
2. DGA Resolvable
3. DHCP Server Anomaly
4. DNS Tunneling Anomaly
5. Domain Controller Spoofed Authentication
6. DPAPI Domain Backup Key Extraction
7. Exploited Command and Control Connection
8. Fortinet Admin Configuration Change
9. G Suite – Account Security Settings Disabled
10. G Suite – User Suspended
11. Google Workspace Alert – XDR Anomaly
12. Honey Account Login Failure
13. Kerberoasting
14. Kerberos Silver Ticket
15. Known Malicious User Agent Detected
16. M365 – Exfiltration Over Web Service
17. M365 – User Added to Privilege Group
18. Malware Activity
19. Malware on Disk
20. Metasploit Download Microsoft Defender ATP
21. Microsoft Teams Vulnerability
22. Mimikatz Credential Dump

• Playbook has been re-evaluated and adjusted prioritization levels for certain criteria to meet up to Critical Severity.
• Also added automation to this playbook and this will result in much faster escalations of potentially critical events.

• Custom detection that hunts for Scheduled Task Names that have been utilized by APT29 via GraphicalProton Backdoor.

• Custom detection to hunt for behavior observed in multiple Raspberry-Robin variants.

Date of Update

Completed Items

• Client Knowledge Base defined service accounts that are flagged deleting users through our custom ATH rule “Multiple Users Deleted” will be auto-closed as Muted Operational detections.

• Alert tuning complete for IDS signature based detections, if firewall decision is listed as blocked the detection is excluded preventing unnecessary alerting.

• If the alert contains a certain stellar field, that will be included as the source IP as this is the actual source of the request.

• If the Anomalous DC Sync is from a known service account listed in the CKB then it will not result in an escalation.

• Looking for modified properties new value field to contain “Global Administrator” from the activity display name of “Add member to role” in Azure AD logs.

• To avoid our clients from mistakenly clicking on IPs, URLs or other IOCs that can be potentially harmful, we have made these IOCs non-clickable.
• This action will take in an IOC, or list of IOCs (comma delaminated) and return a JSON of the IOCs with their “.” surrounded by brackets ([]).

• Alert tuning for User Impossible Travel alerts if the user and country pair are listed in CKB.

• Stellar Detections related to malware were being frequently raised when related to routine Microsoft Updates.
• This alert will no longer be escalated moving forward.

• Muted some IDS Signatures that the SOC does not deem as critical or actionable for a client.
• The signatures are related to non-existent domain responses that pose minimal risk and low fidelity.

1. AWS Malicious Host Access
2. AWS Not MFA Authenticated
3. AWS Root Logon Detected
4. Azure AD Add App Multitenant
5. Azure AD Change Domain
6. Azure AD Risk Detection
7. Azure Domain Policy Modification
8. Azure Failed Login Outside the US
9. Azure XDR Location Anomaly
10. Bad Destination Reputation
11. Bad Reputation Login
12. Bad Source Reputation Anomaly
13. BlueKeep
14. Cisco Login Failed
15. CrowdStrike – Command and Scripting Interpreter
16. CrowdStrike – Data Encrypted for Impact

• Detection made in response to recent ScreenConnect Vulnerability, hunting for file names used in initial compromise.
• Reference our “Screen Connect Security Advisory” posted on February 28th, which addresses “CVE-2024-1708” and “CVE-2024-1709”.

Date of Update

Completed Items

Alert Tuning: Public to Private Exploit Anomaly

• The ticket template for this alarm type has been modified to now include a sub-bullet mentioning internal source IPs associated with the detection.
• If blocked / dropped connections / no bytes transferred, the playbook will not escalate the event.

New Feature: Temporary Suppression per Entity

• Customers can now provide certain entities for the SOC to mute alerting due to expected activity, authorized testing activity or other scenarios leading to a known flood of alerts from a specific source.
• Customers can reach out to the SOC and provide usernames/IPs that need this mute along with start or end date.

Playbook Enhancement: Okta Login Outside the US

• This alarm type has now been upgraded to use newer playbook features like Travel advisory lookup making it more efficient and reliable when triaging.
• As a result this will result in less false positives or expected activity to be alerted on.

Alert Tuning: Malware Activity & Exploit Anomaly Logic

• External Malware Activity and Public to Private Exploit Anomaly Playbooks, will now feature a condition where automated logic will close out the case as a false positive if it meets certain criteria.
• The criteria includes validation of successful or failed connection attempts, as well as amount of bytes exchanged related tot he incident.

Alert Tuning: Exploited Command and Control Connection Logic

• If the IDS signature reported by XDR is “GPL VOIP SIP INVITE message flooding” and both flagged IPs are internal only, the SOC has deemed this scenario to be non-actionable.
• The alert is still leveraged for correlative activity with other alerts/playbooks.

Playbook Enhancement: External Malware Activity

• All DNS-related alarm types now focus the investigation strictly on the DNS detected within the evidence information.
• This helps improve escalation quality and provide consistent investigations.

New Feature: Alert Grouping for SentinelOne Threats

• Alert grouping is now being leveraged within our playbooks for SentinelOne Threats based on the file hash of a threat.
• This will avoid the creation of duplicate tickets of the same threat when playbooks get ran concurrently.

Playbook Enhancement: User Success Brute-Forcer CKB Lookup

• This alarm type now utilizes the Client Knowledge Base data by automatically closing detections as false positives if they originate from a known Vulnerability Scanner within your environment.

Playbook Enhancement: SentinelOne Playbook Logic Re-Vamped

• The Playbook improvement has a focus on the logic around applying a more appropriate priority level based on other threats or related IOCs observed within your environment.

Alert Tuning: Azure AD Risk Detection

• Playbook modifications to account for scenarios where alerts were generated with no known successful logins from the flagged source/user.
• This adjustment should make escalation higher in fidelity and accuracy moving forward.

Alert Tuning: Password Spray Playbook

• This alarm type now has a newly updated playbook functionality in order to filter out any scenarios where reported number of unique users are less than 5.
• This change will make the alarm type more reliable to report actual password spray activity.

New Feature: Entity Hunter (Beta)

• New feature within our SOAR platform that helps us increase visibility over a certain entity through an automated watchlist functionality.
• Due to any recent security incident like a user compromise, they can reach out to the SOC and have the specific username added to our Entity Hunter.
• Once added in, every case monitored by the SOC will raise to a HIGH severity if it matches any entity present within our watchlist.

Date of Update

Completed Items

Playbook Enhancement: Vulnerability Scanners in Exploit Attempt Detections

• Now have logic to mute all Exploit Attempts from being escalated when triggered by a Vulnerability Scanner that is in a client’s CKB.

Playbook Enhancement: IP Location Lookup

• For any playbook involving an IP Location as the reason for escalation we have added logic to verify the IPs location within the playbook prior to escalation.

Playbook Enhancement: CISA Vulnerability Management IPs

• The Cybersecurity and Infrastructure Security Agency (CISA) regularly release known public IPs they utilize for external scanning.
• CyFlare has leveraged this list and will not escalate any detections to clients if it matches a CISA defined IP Address.
  • Find the list here: https://rules.ncats.cyber.dhs.gov/

Playbook Enhancement: Successful Logins Outside the US

• Any Successful Login Outside the US will be checked to see if there is an open ticket in the past 24 hours for it, if yes then close the repeat alert.
• This was done in an effort to eliminate spam on an already escalated ticket that a client should already have on their radar.
• If the activity resurfaces after 24 hours, we will comment on the already escalated ticket.

Playbook Enhancement: User Success Brute-Forcer (IPv6 Check)

• If the Source IP is an IPv6 formatted IP the SOC will perform extra checks to ensure the tickets gets the necessary information.

Playbook Enhancement: Multiple Login Failures from One Source IP

• This playbook now has a CKB Lookup for Vulnerability Scanners as we noticed scanners had frequently been triggering this Custom ATH Rule.
• If the IP involved is a Vulnerability Scanner it will not get escalated as a ticket.

New Detection: Password Spray

• Alert introduced in a recent Stellar Update.
• The detection is looking for an anomalously large number of failed logins with multiple different user names involved and failures originating from One IP.

New Detection: Port Scan TSA

• Alert introduced in a recent Stellar Update.
• This is a new variation of port scanning by Stellar that leverages “Time Series Analytics (TSA) Model”.
• TSA model based detections involve three different types of detections:
  • Spike detection
  • Continuous low detection
  • Rare detection

New Detection: IDS Signature Spike

• Alert introduced in a recent Stellar Update.
• Detection looking for a source IP address that has transmitted an anomalous number of different IDS signatures.

New Detection: DarkTrace Stellar Integration

• Detection for clients who utilize DarkTrace within their Stellar Environment.
• We are only tracking DarkTrace Detections with a severity of 7 or higher.
• Any client who would like a lower threshold will have to request this with the CyFlare SOC.

Playbook Enhancement: Device Management and Condition Check

• Logins outside the US no check if the device is managed and if the Conditional Access status is successful.

Playbook Enhancement: Office 365 Content Filtering Policy Changed

• This alarm type had a issues associated with the data fields being provided from Office 365 API Source.
• The playbook is now accommodating for the lack of details provided, or too many details provided.
• The new template will addjust accordingly to maintain readability and effective formatting.

New Feature: Custom Python Functions

• Within SOAR playbooks, the SOC has the ability to create custom python-based actions on the data fields that are ingested from various source tools.
• This helps us create conditional criteria based on certain fields that are not always available via Stellar connector logs.
• This is only applicable for those who request something unique to be done via a Python Function and if we have a connector within SOAR.

Date of Update

Completed Items

New Feature: SOAR monitoring for XDR log ingestion

• The SOC has now enabled a new features where all XDR instances will be monitored for their log ingestion every 6 hours. If no logs were ingested in the time period, an investigation will be initiated by the SOC.

Gen AI: Launched within SOAR

• At CyFlare, all analysts now benefit from the integration of Generative AI into their case investigations. This advanced feature facilitates the provision of historical context for received alerts and offers comprehensive recommendations for potential remediation actions.

Ticket Templates Revamped: Project Update

• The SOC has been working towards making all the ticket escalations more cohesive and easy to read. As part of this project, the SOC completed over 90% of the tickets being escalated.

Playbook Enhancement: Improved utilization of Client Knowledge Base

• The SOC has refined all playbooks designed for network traffic-related alerts to exclude known vulnerability scanners from the Client knowledge base, resulting in their automatic closure. This enhancement is expected to enhance the accuracy and reliability of cases escalated by the SOC.
• Added “Potential Shell Shock” lookup for Vulnerability scanners to avoid escalating False Positives for known scanners in the environment.

Template Update: Ticket Template updated for Exploit Anomalies

• For all exploit anomalies related to DNS queries, the SOC has updated ticket templates so we are including investigation details associated with the specific domain flagged in network events.

 New Playbook: M365 Defender

• For customers having dedicated M365 Defender integrated with SOAR, the SOC is now equipped with a dedicated playbook custom built to investigate and manage Defender alerts. Some features of the playbook includes: Threat hunting queries for defender, incident management, glue book functionality for correlating other events from XDR platform.

Playbook Enhancement: External User Success Brute-force Anomaly

• In the event that a flagged user has a history of successful logins, the SOC performs a validation check within the last hour to identify any events with error code 70044. This error code signifies instances where the session has either expired or become invalid due to sign-in frequency checks imposed by conditional access. To mitigate the occurrence of false positives, playbooks will be automatically closed when the specified condition is fulfilled.

Template Updates: New Ticket Templates

• Duo Security Failed Authentication
• Terry Server External outbound Traffic
• Microsoft 365 – XDR NBA Rule Violation
• Custom Darktrace detection
• Suspicious Scan Loop on Network
• Multiple Login failures from one Source IP
• Duo Security Failed login
• Multiple User Deleted
• Windows User Account Changed
• Box Shield Alert

Playbook Enhancement: Change to Login Outside the US Alerts

• Our playbook now closes these detections from escalation if the following error codes are generated:
  • 53003 – Access has been blocked due to conditional access policies
  • 50126 – Invalid username or password or Invalid on-premises username or password, automatically close as benign.

Template Update: Change to Subject Line for Escalated Tickets

• Moving forward, all tickets will have alert priority mentioned towards the end of the subject line. This is mainly to assist with customers to prioritize certain tickets before informational/low alarms.

Playbook Enhancement: M365 Defender using GlueBook Functionality

• Adding glue book functionality to “Internal User success brute-forced login anomaly” playbook with Defender threat hunting queries.
• This will add value to investigations done by the SOC for customers that have defender API functionality. For known mananged devices based on AzureAD records in Defender, we will auto-close these alerts as they give little to no security implication.

Date of Update

Completed Items

Playbook Enhancement: DPAPI Domain Backup Key Extraction

• Modified playbook logic and updated ticket template.

Response Action: Microsoft Defender

• The SOC has enabled response actions for Microsoft Defender within playbooks.
• Customers who choose this option will empower the SOC to promptly initiate incident response upon detecting critical Defender events, without unnecessary delays while waiting for customer input to identify actions.
• The SOC is well-equipped to execute specific response actions and deliver comprehensive details during escalations, ensuring timely and informed incident handling.

1. 1. Initiate AV scan on the endpoint
   2. Stop and Quarantine file
   3. Isolated endpoint from network

Playbook Enhancement: Suspicious PowerShell Script Detection

• Modified the ticket template to include additional information about the rule and query that was observed within the detection.

Playbook Enhancement: Office365 Successful Login outside the US

• Modified the playbook to handle multiple instances where usernames are either not available or have different field names from XDR tool.
• These are now being normalized and handled accordingly.

New Detection: Multiple Users Deleted

• A detection focused on detecting an abnormal number of users deleted in a short amount of time via Windows Events.

Playbook Enhancement: Azure XDR Successful Login outside the US

• Modified playbook logic and updated ticket template.
• SOC Response actions were added as part of playbook automation where the SOC has the ability to take response actions when an anomalous login from an unfamiliar location is observed.
• These actions can be from the following:

1. 1. Revoke user session
   2. Force password update
   3. Reset password
   4. Disable user account

New Detection: Multiple Failed Login Attempts from One Source/Destination/Workstation

• To be able to continue monitor and cover any potential brute-force attempts, excessive login failures, password spraying, etc.
• The SOC implemented a custom detection that can catch multiple logins failures from a singular source/destination/workstation.
• This improves fidelity and reduces noise from the usual login failure alarms that are triggered in XDR platforms.

Playbook Enhancement: Get Hash from String

• Added a new functionality within SOAR that allows playbooks to hash any larger text and compare to already defined hashes in order ensure known entities are excluded accurately.
  • For example, if certain PowerShell scripts are known to run, the SOC can hash the script text and validate any future detections for suspicious PowerShell scripts.

Playbook Enhancement: External Malware Activity

• Modified playbook logic and updated ticket template.
• Our logic now looks into firewall actions as well as IDS signatures.
• For domain specific IDS signatures, domain query searches are now included within escalation details.

New Detection: Azure AD Sign in from AzureHound

• Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent.

Revamped Ticket Templates

• The new template enhances readability and provides convenient access to relevant information. This change marks a significant step toward the upcoming ONE v2.0 platform, which will further elevate the user experience and streamline SOC communication.
• The following detections were improved:
  1. RDP Brute Force Attack
  2. RDP Reverse Tunnel
  3. RDP Suspicious Logon Attempt
  4. RDP Suspicious Logon
  5. Windows User Added to Domain Admins Group – Global
  6. Windows User Added to Enterprise Admins Group – Global
  7. Windows User Added to Local Administrators Group – Global
  8. Windows User Added to Schema Admins Group – Global
  9. Windows User Removed from Domain Admin Group
  10. Windows User Removed from Local Admin Group

Playbook Enhancement: Improvement to Sophos Escalation

• Modified Sophos ticket templates within playbooks to individually highlight various detections from operational to malicious hits.

SLA Change

• With the release of our new offerings in “SOC Support Program & SLA Overview” we have made adjustments to SLA plans for all previous “Essential” Tenants.
  • With this change all clients who were “Essential” or “Enhanced” have been moved to an “Advanced” SLA Plan.
  • All previous “Premiere” level clients will remain at this level.
• For more information please refer to the following link: https://cyflare.com/wp-content/uploads/SOC-Support-and-SLA-Overview-REV04_1023_FINAL.pdf
• Alternatively you can reach out to your Assigned CSM to get more information.

Revamped Ticket Templates (Continued)

• This is a continuation of our ticket template enhancement process, these will be ongoing throughout the rest of the month and November.
• The following detections were improved:
  1. Command and Control Reputation
  2. Credential Stuffing
  3. Emerging Threat
  4. Sophos EDR
  5. Windows Account Lockout Event
  6. Windows Domain Policy Changed
  7. Windows Security-Enabled Global Group Created
  8. Windows Security-Enabled Local Group Created
  9. Windows Security-Enabled Universal Group Created
  10. Windows Unauthorized Password Reset

Alert Tuning: Suspicious PowerShell Script – SentinelOne Related Detections

• Logic adjusted to no longer escalate SentinelOne related processes for clients utilizing our MDR solutions.

Date of Update

Completed Items

Alert Tuning: Abnormal Parent-Child Process 

• Increased fidelity and threshold of escalation, more used for correlative behavior, analytics, and investigations now. Other detections are enabled in response to this change. 

Playbook Enhancement: O365 – Malicious URL Clicked 

• Modified playbook logic and updated ticket template 

Alert Tuning: Suspicious User Agent Detection 

• Muting of low fidelity IOCs related to this detection that are not actionable, data will still exist within analytics and can be correlated with other detections/activity. 

Alert Tuning: Cold Fusion Vulnerability 

• Updated the Stellar custom ATH rule to run every 10 minutes and will also combine the result of every detection per tenant rather than multiple detections at once. 

New Detection: Suspicious Process Creation Commandline Detection 

• Enabled new ATH Rule for all tenants that includes the following types of detections: 

1. 1. Empire PowerShell UAC Bypass 
   2. Emotet Process Creation 
   3. LockerGoga Ransomware 
   4. CrackMapExec Command Execution 
   5. Suspicious Use of Procdump on LSASS 
   6. Unidentified Attacker November 2018 
   7. Winnti Pipemon Characteristics 
   8. PowerShell Base64 Encoded Shellcode 
   9. Ryuk Ransomware 
   10. DTRACK Process Creation 
   11. ShimCache Flush 
   12. Snatch Ransomware 
   13. TropicTrooper Campaign November 2018 

Template Update: CrowdStrike: Disable or Modify Tools 

• Template modification to enhance the quality of escalated tickets and analyst triage process 

Playbook Enhancement: Azure AD Risk Detections 

• Modified playbook logic and updated ticket template 

Playbook Enhancement: Azure Login Outside the US 

• Modified playbook logic and updated ticket template 

Playbook Enhancement: Custom Sophos EDR Detections in Stellar 

• Modified playbook logic and updated ticket template 

Template Update: Applied a Fix for Critical IR Cases 

• Fix was applied to all Critical cases where the ticket did not reflect a critical priority 

Playbook Enhancement: Office365 and Azure – Successful Login outside the US

• Modified ticket template to include a link for Travel Advisory that can be added for known authorized travel. 
• Travel Advisory lets clients let the SOC know when a user in their environment travels. The SOC will then see this activity is authorized and not escalate the action. 

Playbook Enhancement: Modified External User Success Brute-force Anomaly 

• Upon identifying IP addresses flagged as malicious due to OSINT findings and SSH login attempts, the SOC will promptly initiate Incident Response procedures and notify customers using the available information. 

Playbook Enhancement: Google Workspace Phishing Alert

• Added glue book functionality where if the customer has Proofpoint integration, the information from the same Proofpoint log event can be added within ticket details. 
• Modified playbook logic and updated ticket template.

Playbook Enhancement: SentinelOne (Endpoint Isolation) 

• Depending on the defined policy, SentinelOne may isolate an endpoint from the network as a remediation step when detecting suspicious or malicious threats. In the future, the SOC will proactively initiate Incident Response procedures whenever SentinelOne isolates an endpoint based on the policy configuration. 

New Feature: Critical Incident Handler Emails 

• Clients can now update their Critical IH plan with different emails, such as the Primary and Secondary Contacts within tickets. 
• Please reach out to your Assigned CSM to get this updated. 

New Detection: Suspicious PowerShell Script Detection 

• Enabled new ATH Rule for all tenants that includes the following types of detections: 

1. 1. PowerShell Mailbox Collection Script 
   2. Suspicious Portable Executable Encoded in Powershell Script 
   3. PowerShell Suspicious Script with Screenshot Capabilities 
   4. PowerShell Script with Token Impersonation Capabilities 
   5. PowerShell Invoke-NinjaCopy script 
   6. PowerShell Suspicious Script with Audio Capture Capabilities 
   7. PowerShell Suspicious Script with Clipboard Retrieval Capabilities 
   8. PowerShell Share Enumeration Script 
   9. PowerShell Script with Encryption/Decryption Capabilities 
   10. PowerShell MiniDump Script 
   11. PowerShell PSReflect Script 
   12. PowerShell PSAttack 
   13. Computer Discovery And Export Via Get-ADComputer Cmdlet – PowerShell 
   14. Access to Browser Login Data 
   15. Invoke-Obfuscation CLIP+ Launcher – PowerShell 
   16. PowerShell ICMP Exfiltration 
   17. Powershell Directory Enumeration 
   18. Suspicious Hyper-V Cmdlets 
   19. Change User Agents with WebRequest 
   20. Suspicious Get-ADReplAccount 

New Detection: Kerberos Replay Attack Detected 

• Looking for relevant Windows Event IDS if a request was received twice with identical information.

New Detection: SoftPerfect Network Scanner Execution 

• Looking for any activity related to the SoftPerfect Network Scanner Product via Process Name/Command Line Activity 

Playbook Enhancement: Malware Activity

• The SOC identified significant tuning opportunities with this specific alarm type.
• Utilizing firewall responses to ignore alerts when the firewall has already blocked them 
• Auto-closing certain low-priority IDS Signatures based on the lack of network traffic observed between the flagged domain and the internal host. 

Playbook Enhancement: Possible Impacket SecretDump Remote Activity 

• The playbook was created with updated logic and modifications for the observed remote activity.