CyFlare Updates
The CyFlare Updates page records all new features, alarms, and playbook enhancements, and will highlight any upcoming changes you can expect.
September 2023
New Features:
- SOC Change Logs:
  - To increase the effectiveness of our communications with our clients, we will release updates of SOC changes in real time to our site here: https://cyflare.com/soc-change-log/.
  - We will then release “Highlights” of the previous month during the first week of the new month, like this Advisory here.
- Critical Incident Handler Emails:
  - Clients can now update their Critical IH plan with different emails, such as the Primary Contact, and also update the Secondary Contacts within tickets.
  - If you would like to update this, please contact your assigned CSM.
New Alarms:
- Suspicious Process Creation Commandline Detection – this covers the following types of detections:
  - Empire PowerShell UAC Bypass
  - Emotet Process Creation
  - LockerGoga Ransomware
  - CrackMapExec Command Execution
  - Suspicious Use of Procdump on LSASS
  - Unidentified Attacker November 2018
  - Winnti Pipemon Characteristics
  - PowerShell Base64 Encoded Shellcode
  - Ryuk Ransomware
  - DTRACK Process Creation
  - ShimCache Flush
  - Snatch Ransomware
  - TropicTrooper Campaign November 2018
- Suspicious PowerShell Script Detection – this covers the following types of detections:
  - PowerShell Mailbox Collection Script
  - Suspicious Portable Executable Encoded in Powershell Script
  - PowerShell Suspicious Script with Screenshot Capabilities
  - PowerShell Script with Token Impersonation Capabilities
  - PowerShell Invoke-NinjaCopy script
  - PowerShell Suspicious Script with Audio Capture Capabilities
  - PowerShell Suspicious Script with Clipboard Retrieval Capabilities
  - PowerShell Share Enumeration Script
  - PowerShell Script with Encryption/Decryption Capabilities
  - PowerShell MiniDump Script
  - PowerShell PSReflect Script
  - PowerShell PSAttack
  - Computer Discovery And Export Via Get-ADComputer Cmdlet – PowerShell
  - Access to Browser Login Data
  - Invoke-Obfuscation CLIP+ Launcher – PowerShell
  - PowerShell ICMP Exfiltration
  - Powershell Directory Enumeration
  - Suspicious Hyper-V Cmdlets
  - Change User Agents with WebRequest
  - Suspicious Get-ADReplAccount
- Kerberos Replay Attack Detected
  - Looking for Event ID 4649 – a request was received twice with identical information.
- SoftPerfect Network Scanner Execution
  - Looking for any activity related to the SoftPerfect Network Scanner Product via Process Name/Command Line Activity
Playbook Enhancements:
- Office365 and Azure – Successful Login outside the US
  - Modified ticket template to include a link for Travel Advisory that can be added for known authorized travel.
  - Travel Advisory allows clients to let the SOC know when a user in their environment is traveling, so the SOC knows this activity is authorized and does not escalate it.
- External User Success Brute-force Anomaly
  - Upon identifying IP addresses flagged as malicious due to OSINT findings and SSH login attempts, the SOC will promptly initiate Incident Response procedures and notify customers using the available information.
- Google Workspace Phishing Alert
  - Added glue book functionality: if the customer has a Proofpoint integration, the information from the same Proofpoint log event can be added to the ticket details.
  - Modified playbook logic and updated ticket template.
- SentinelOne Playbook Modification: (Endpoint Isolation)
  - Depending on the defined policy, SentinelOne may isolate an endpoint from the network as a remediation step when detecting suspicious or malicious threats. Going forward, the SOC will proactively initiate Incident Response procedures whenever SentinelOne isolates an endpoint based on the policy configuration.
- Malware Activity
  - The SOC identified major tuning opportunities with this specific alarm type:
    - Utilizing firewall responses to ignore alerts when they’ve already been blocked by the firewall
    - Auto-closing certain low-priority IDS Signatures based on the lack of network traffic observed between the flagged domain and the internal host
Note: If you believe any of our ticket templates can be improved, or would like to suggest an improvement, please contact [email protected] or reach out through our 24/7 Chat Support via ONE Platform.
Upcoming Changes:
- Further rework on Malware Activity and Trojan Activity detections to ensure higher fidelity in ticket escalation.
- Enhancing playbook logic for Protocol Account Login Failure Anomaly detection.
- Improved playbook performance to avoid creating blank/incomplete ticket escalations.
- If you have any changes or improvements you would like to see the SOC make, please contact the SOC via email at [email protected] or utilize our 24/7 Chat Support via ONE Platform.