Date of Update

Completed Items

Playbook Enhancement: DPAPI Domain Backup Key Extraction

• Modified playbook logic and updated ticket template.

Response Action: Microsoft Defender

• The SOC has enabled response actions for Microsoft Defender within playbooks.
• Customers who choose this option will empower the SOC to promptly initiate incident response upon detecting critical Defender events, without unnecessary delays while waiting for customer input to identify actions.
• The SOC is well-equipped to execute specific response actions and deliver comprehensive details during escalations, ensuring timely and informed incident handling.

1. 1. Initiate AV scan on the endpoint
   2. Stop and Quarantine file
   3. Isolated endpoint from network

Playbook Enhancement: Suspicious PowerShell Script Detection

• Modified the ticket template to include additional information about the rule and query that was observed within the detection.

Playbook Enhancement: Office365 Successful Login outside the US

• Modified the playbook to handle multiple instances where usernames are either not available or have different field names from XDR tool.
• These are now being normalized and handled accordingly.

New Detection: Multiple Users Deleted

• A detection focused on detecting an abnormal number of users deleted in a short amount of time via Windows Events.

Playbook Enhancement: Azure XDR Successful Login outside the US

• Modified playbook logic and updated ticket template.
• SOC Response actions were added as part of playbook automation where the SOC has the ability to take response actions when an anomalous login from an unfamiliar location is observed.
• These actions can be from the following:

1. 1. Revoke user session
   2. Force password update
   3. Reset password
   4. Disable user account

New Detection: Multiple Failed Login Attempts from One Source/Destination/Workstation

• To be able to continue monitor and cover any potential brute-force attempts, excessive login failures, password spraying, etc.
• The SOC implemented a custom detection that can catch multiple logins failures from a singular source/destination/workstation.
• This improves fidelity and reduces noise from the usual login failure alarms that are triggered in XDR platforms.

New Feature: Get Hash from String

• Added a new functionality within SOAR that allows playbooks to hash any larger text and compare to already defined hashes in order ensure known entities are excluded accurately.
  • For example, if certain PowerShell scripts are known to run, the SOC can hash the script text and validate any future detections for suspicious PowerShell scripts.

Playbook Enhancement: External Malware Activity

• Modified playbook logic and updated ticket template.
• Our logic now looks into firewall actions as well as IDS signatures.
• For domain specific IDS signatures, domain query searches are now included within escalation details.

New Detection: Azure AD Sign in from AzureHound

• Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent.

Revamped Ticket Templates

• The new template enhances readability and provides convenient access to relevant information. This change marks a significant step toward the upcoming ONE v2.0 platform, which will further elevate the user experience and streamline SOC communication.
• The following detections were improved:
  1. RDP Brute Force Attack
  2. RDP Reverse Tunnel
  3. RDP Suspicious Logon Attempt
  4. RDP Suspicious Logon
  5. Windows User Added to Domain Admins Group – Global
  6. Windows User Added to Enterprise Admins Group – Global
  7. Windows User Added to Local Administrators Group – Global
  8. Windows User Added to Schema Admins Group – Global
  9. Windows User Removed from Domain Admin Group
  10. Windows User Removed from Local Admin Group

Playbook Enhancement: Improvement to Sophos Escalation

• Modified Sophos ticket templates within playbooks to individually highlight various detections from operational to malicious hits.

SLA Change

• With the release of our new offerings in “SOC Support Program & SLA Overview” we have made adjustments to SLA plans for all previous “Essential” Tenants.
  • With this change all clients who were “Essential” or “Enhanced” have been moved to an “Advanced” SLA Plan.
  • All previous “Premiere” level clients will remain at this level.
• For more information please refer to the following link: https://cyflare.com/wp-content/uploads/SOC-Support-and-SLA-Overview-REV04_1023_FINAL.pdf
• Alternatively you can reach out to your Assigned CSM to get more information.

Revamped Ticket Templates (Continued)

• This is a continuation of our ticket template enhancement process, these will be ongoing throughout the rest of the month and November.
• The following detections were improved:
  1. Command and Control Reputation
  2. Credential Stuffing
  3. Emerging Threat
  4. Sophos EDR
  5. Windows Account Lockout Event
  6. Windows Domain Policy Changed
  7. Windows Security-Enabled Global Group Created
  8. Windows Security-Enabled Local Group Created
  9. Windows Security-Enabled Universal Group Created
  10. Windows Unauthorized Password Reset

Alert Tuning: Suspicious PowerShell Script – SentinelOne Related Detections

• Logic adjusted to no longer escalate SentinelOne related processes for clients utilizing our MDR solutions.

Date of Update

Completed Items

Abnormal Parent-Child Process 

• Increased fidelity and threshold of escalation, more used for correlative behavior, analytics, and investigations now. Other detections are enabled in response to this change. 

O365 – Malicious URL Clicked 

• Modified playbook logic and updated ticket template 

Suspicious User Agent Detection 

• Muting of low fidelity IOCs related to this detection that are not actionable, data will still exist within analytics and can be correlated with other detections/activity. 

Cold Fusion Vulnerability 

• Updated the Stellar custom ATH rule to run every 10 minutes and will also combine the result of every detection per tenant rather than multiple detections at once. 

New Alarm: Suspicious Process Creation Commandline Detection 

• Enabled new ATH Rule for all tenants that includes the following types of detections: 

1. 1. Empire PowerShell UAC Bypass 
   2. Emotet Process Creation 
   3. LockerGoga Ransomware 
   4. CrackMapExec Command Execution 
   5. Suspicious Use of Procdump on LSASS 
   6. Unidentified Attacker November 2018 
   7. Winnti Pipemon Characteristics 
   8. PowerShell Base64 Encoded Shellcode 
   9. Ryuk Ransomware 
   10. DTRACK Process Creation 
   11. ShimCache Flush 
   12. Snatch Ransomware 
   13. TropicTrooper Campaign November 2018 

CrowdStrike: Disable or Modify Tools 

• Template modification to enhance the quality of escalated tickets and analyst triage process 

Azure AD Risk Detections: 

• Modified playbook logic and updated ticket template 

Azure Login Outside the US 

• Modified playbook logic and updated ticket template 

Custom Sophos EDR – from Stellar: 

• Modified playbook logic and updated ticket template 

Applied a fix for Critical IR cases: 

• Fix was applied to all Critical cases where the ticket did not reflect a critical priority 

Office365 and Azure – Successful Login outside the US: 

• Modified ticket template to include a link for Travel Advisory that can be added for known authorized travel. 
• Travel Advisory lets clients let the SOC know when a user in their environment travels. The SOC will then see this activity is authorized and not escalate the action. 

Modified External User Success Brute-force Anomaly 

• Upon identifying IP addresses flagged as malicious due to OSINT findings and SSH login attempts, the SOC will promptly initiate Incident Response procedures and notify customers using the available information. 

Google Workspace Phishing Alert: 

• They added glue book functionality where if the customer has Proofpoint integration, the information from the same Proofpoint log event can be added within ticket details. 
• Modified playbook logic and updated ticket template.

SentinelOne Playbook Modification: (Endpoint Isolation) 

• Depending on the defined policy, SentinelOne may isolate an endpoint from the network as a remediation step when detecting suspicious or malicious threats. In the future, the SOC will proactively initiate Incident Response procedures whenever SentinelOne isolates an endpoint based on the policy configuration. 

New Feature: Critical Incident Handler Emails 

• Clients can now update their Critical IH plan with different emails, such as the Primary and Secondary Contacts within tickets. 
• Please reach out to your Assigned CSM to get this updated. 

New Detection: Suspicious PowerShell Script Detection 

• Enabled new ATH Rule for all tenants that includes the following types of detections: 

1. 1. PowerShell Mailbox Collection Script 
   2. Suspicious Portable Executable Encoded in Powershell Script 
   3. PowerShell Suspicious Script with Screenshot Capabilities 
   4. PowerShell Script with Token Impersonation Capabilities 
   5. PowerShell Invoke-NinjaCopy script 
   6. PowerShell Suspicious Script with Audio Capture Capabilities 
   7. PowerShell Suspicious Script with Clipboard Retrieval Capabilities 
   8. PowerShell Share Enumeration Script 
   9. PowerShell Script with Encryption/Decryption Capabilities 
   10. PowerShell MiniDump Script 
   11. PowerShell PSReflect Script 
   12. PowerShell PSAttack 
   13. Computer Discovery And Export Via Get-ADComputer Cmdlet – PowerShell 
   14. Access to Browser Login Data 
   15. Invoke-Obfuscation CLIP+ Launcher – PowerShell 
   16. PowerShell ICMP Exfiltration 
   17. Powershell Directory Enumeration 
   18. Suspicious Hyper-V Cmdlets 
   19. Change User Agents with WebRequest 
   20. Suspicious Get-ADReplAccount 

New Detection: Kerberos Replay Attack Detected 

• Looking for relevant Windows Event IDS if a request was received twice with identical information.

New Detection: SoftPerfect Network Scanner Execution 

• Looking for any activity related to the SoftPerfect Network Scanner Product via Process Name/Command Line Activity 

Malware Activity: 

• The SOC identified significant tuning opportunities with this specific alarm type.
• Utilizing firewall responses to ignore alerts when the firewall has already blocked them 
• Auto-closing certain low-priority IDS Signatures based on the lack of network traffic observed between the flagged domain and the internal host. 

Possible Impacket SecretDump Remote Activity 

• The playbook was created with updated logic and modifications for the observed remote activity.