New Features

• Event Tagging: Events are now labeled with Tags. These Tags are used to indicate several characteristics of an Event, including whether the traffic is a significant threat or just an anomaly, whether there is a foreign IP involved, and whether the traffic is all internal to the local network.
• The representative Connection displayed when clicking into an Event can now contain fields from the specific child object relevant to the Event (i.e. HTTP, DNS, DHCP, etc.). These fields have been added for a subset of detections for this version: T1021, T1133, T1557, T1568, T1587, Expired Certificate, and Ransomware. This will continue to be added to more detections in coming releases until all relevant detections have these additional fields.
• Prebuilt Dashboards: There are now prebuilt dashboards to give users a better starting point. Users can select from options tailored toward use cases of the tool.
• Event Card configurations are now split into tabs. This includes a new Quick Filters tab to let users quickly filter the view by tags and other commonly used criteria.
• New Detection T1036.008: Masquerading File Type. This will detect cases where a file in an SMB file share was renamed from a non-executable extension to executable (exe, bat, js, etc.) to indicate that someone may be trying to evade detection of a suspicious executable.
• The Foreign IP Reports card can now be filtered in the card configuration.
• Broadened thresholds for Time Clustering such that there will be fewer outliers and thus fewer Odd Traffic Events.
• Sensors will now add to standard port lists based on activity seen on the network.

Bug Fixes

• Fixed a bug that was causing hard disk health checks to fail on sensors.

New Features

• Event Viewer Redesign: The Event Viewer has been reworked to convey more useful information up front.
  • Reasons displayed in the Event Reports table are now more descriptive of the activity instead of only using the ATT&CK TTP name. The TTP code is still included after the text.
  • More details have been added to the Description displayed after clicking on the Event. It now better describes why an Event is notable and how it may relate to malicious behavior.
  • Evidence has been moved to the Explanations tab.
  • All items on the Evidence tab are now better labeled as Root Cause or Supporting.
• Added detection for T1021.001 and T1021.005 Remote Services. Alerts on RDP or VNC connections to internal resources.
• Updated detection for T1021.003 to consider timing windows and uncommon named pipes.
• T1190 SQL Injection Events now display the suspicious URI in the Description text.
• Added ability to filter Events based on User Agent String.
• User Feedback Models are now automatically updated based on Likes/Dislikes and retrained weekly on all deployments.
• Suricata rules are now automatically updated weekly from ETPro.
• Updated Suricata Events to be sensitive to time as well as Community ID when linking the detection to Zeek data.
• Migrated to GreyNoise v3 API endpoints.

Bug Fixes

• • Fixed a bug that caused rules with long descriptions to throw an error in auditing and appear to not be created.
  • Fixed a bug that caused Mosaics to remain read when new Events were added to them.
  • Fixed a bug that caused an error when clicking to IP Biographies from the Geolocation tab in an Event on management.
  • Fixed a bug that caused the Ransomware analytic to fail when it ran at the same time as the Real Time Ransomware analytic.
  • Fixed an error that caused T1557 Adversary in the Middle to sometimes fail when data was missing a MAC address.
  • Fixed a bug that caused errors when SSL/TLS certificates had negative values for valid dates.

New Features

• Foreign IP Reports Card: This card displays all foreign IPs that have been seen based on their IP geolocation at the time they were seen. Users can also download a complete list of the IPs even if it exceeds the 10,000 display limit.
• Updated T1557 Analytic to identify potentially spoofed DHCP servers.
• DIBs now have a page to display their survey results within the dashboard.
• Users can now upload filename patterns as Indicators.
• Indicator Events now display information about the uploaded Indicator in their Description and Reason fields.
• Added a page to view currently active Indicators.
• Events will now delete Evidence older than 60 days when receiving new evidence. This keeps long running Events from growing excessively large.
• Added an Expand All button to tables across the tool where applicable.
• The current user’s roles and permissions are displayed on the dashboard user settings page.
• Users can now set an email address other than their username for alerts to be sent to.

Bug Fixes

• Fixed a bug that caused T1595 Events to associate unrelated conns with their Evidence.
• Fixed a bug that caused the T1568 analytic to fail if multiple conns referenced the same DNS object.
• Fixed a bug that caused related Mosaics to not combine.
• Fixed a bug that would cause a user to be stuck at an unauthorized screen when attempting to log in without the proper permissions, even after their permissions changed.

New Features

• T1595.001 Echo Ping Detection has been rewritten from scratch to reduce false positives. It now specifically looks for at least 30 ICMP Pings within a 15 minutes period (both values are configurable).
• Expired Certificate Events will now roll up by fingerprint and no longer generate Events for internal to internal traffic. They also display the certificate expiration date in the the description.
• New Local MAC Events will now display the MAC address on the description of each piece of Evidence.
• Refined T1568.001 Fast Flux DNS to be more selective by considering sequences of DNS answers and geolocation.
• User created Rules now also run as part of Real Time Analytics and will return results every 15 minutes in addition to full Events every 6 hours.
• Added configuration for Filtered MACs for T1557 Adversary in the Middle enabling MAC addresses to be filtered from the analytic dynamic. Added a filter to that configuration for 33:33:00:01:00:03.
• IP Geolocation is now displayed in a tab on the Event view and Geolocation for all Connections is displayed.
• Data is now pushed to Elastic at 15 minute intervals instead of every 6 hours.
• Manually closed Events on management are now deleted as if they were LOW priority regardless of their actual priority.
• Users can now download the Indicator Upload template instead of needing to create a file from scratch.
• Power Users can now view Login history for the deployment.
• The Help menu now includes a link to email questions to help@cyberspan.us.

Bug Fixes

• Fixed a bug with T1110 Brute Force which would ignore successful logins if they were linked to the same connection that had failures.
• Fixed a bug that could cause Rules with a Geolocation country to throw an error and not process.
• T1190 no longer displays an incorrect reason and description. It was displaying reason and description for T1090.
• Fixed a bug that caused Elastic pivots from the management dashboard using byte counts to not return the correct results.
• Fixed a bug that caused priority to be lost when editing an existing Rule.

New Features

• Feedback Adjusted Event Prioritization: Events are now given a score based on the like/dislike feedback provided by users. There is a new Curated Event Reports card which displays only Events with a preference score higher than a customizable threshold. This preference score can also be added as a column in the existing Event Reports card.
• Events are now enriched with data from the CISA AIS threat feed.
• IP Conversation Metrics: The IP Conversation screen now has a Metrics tab that functions similarly to the Traffic Counts card, but only includes data from the selected IP Conversation.
• Events are now generated for expired SSL/TLS certificates utilized in connections.
• Rules and Filters now have a name field. A Rule’s name will be displayed on the Event Reports card as the title of an Event it generates.
• The FF:FF:FF:FF:FF:FF broadcast MAC is excluded from generating T1557 (Adversary in the Middle) Events.

Bug Fixes

• Fixed an issue which caused Split PCAP download to not appear as an option when clicking a context menus for a conn.
• Fixed an issue which caused IP Conversations to show all Events and Evidence for linked to one of the IPs instead of only items linked to the pair.

New Features

• IP Conversations: Users can now enter a pair of IPs and view the traffic between them as well as any Events or Evidence associated with the pair. This feature has been combined with IP Biographies on the new IP Lookup page that provides access to both features.
• PCAP Downloads from Events and IP Conversations have the option to only contain data relevant to the Event or IP pair.
• Events are now filtered based on data from GreyNoise.
  • TTP Events will not be generated if there is a Trust Level 1 enrichment or Trust Level 2 with a classification of Benign.
  • Other TTP Events classified as Benign or Unknown will have their priority level reduced.
  • Odd Traffic Events will not be generated if there is a Trust Level 1 or Trust Level 2 enrichment.
• Users can now Like or Dislike events using the Thumbs Up/Down buttons on the Event. This currently has no effect, but the data gathered will be used in future versions to refine the Events displayed based on the user’s preferences.
• Click to Elastic now allows users to choose fields and values from the clicked Conn to narrow the query into Elastic.
• Uploaded Indicators will now be run over historical data if the valid_from field is set in the past.
• Added a Submit and Close button to Event Notes to save the Note and Close the Event with one click.
• Firewall Rule Mitigations can now be downloaded as Ansible formatted YAML files.
• Renamed FTP_DATA to FILE to more accurately describe that the data displayed there encompasses all files transmitted over the connection, not just files FTPed.

Bug Fixes

• Fixed a bug that caused an error when using Deployment Name as a filter on cards.
• Fixed a bug that caused GreyNoise enrichment to only pull Noise data when RIOT and Noise were both present.
• Fixed a bug which could cause an error to be thrown if there were URI and Hash indicators uploaded and certain fields in collection were blank.

New Features

• Grey Noise threat feed data is now added as an enrichment to Events.
• Data Exfiltration analytics (T1029, T1030, T1041) now only consider successful connections. T1029 and T1041 also now utilize the Producer-Consumer ratio of bytes sent and received to aid in exfiltration detection.
• T1110 (Brute Force) detection now includes the auth_attempts field in its analysis. It also now resets the count of failed attempts when a successful attempt occurs.
• T1205 (Port Knocking) now searches all traffic (instead of just anomalies/evidence) for a configurable number of failed connections (default 3) followed by a successful connection all within 1 minute and all on ports greater than 1024.
• T1046 (Network Service Discovery) now excludes connections initiating from port 7680 on internal IPs with a connection history of “R”.
• Rules and Filters can now use the not equals (!=) operator.
• All New Local MAC Events on a sensor are now rolled up into a single Event.
• Ransomware Events now roll up by the pattern that was matched, reducing the number of unique Events from files of the same type.
• The MaxMind IP Geolocation database is now updated automatically twice per week.
• Maps, Timelines, Pie charts, and Bar charts all now use HighCharts and have improved accessibility features.
• Management Power Users can now view the list of auditable events that have occurred on management. This includes downloading PCAP or Zeek, closing Events and Mosaics, creating or deleting Rules, creating or deleting Event alerts, and configuration changes.
• Viewing notes created on Management is now restricted to only Management Power Users. Notes created on Management can still be set to shared, and those shared notes will be viewable on the associated Sensor.
• Rules and Indicators that are set to send to “All Deployments” are now correctly sent to newly created deployments.

Bug Fixes

• Fixed a bug in T1110 (Brute Force) detection that was counting authentication attempts as failed when no value was specified in the data.
• Fixed a bug which caused some Events to be sent to management repeatedly. They were deduplicated so this did not affect display or analytics, only extra processing time and traffic.
• Fixed a bug which caused retrained user agent and byte estimator models to overwrite previous versions of the model instead of preserving them.
• Fixed a bug which caused long running API requests generated by the UI to keep running even if the user closed that view. This could stall future API requests if the user had too many canceled ones still running.
• Fixed a bug which caused Mosaic timelines to show as horizontal bars instead of vertical.

New Features

• Traffic Query and all Cards can now choose whether all of their filters are ANDed or ORed. This setting applies to all filters on the query or card collectively, but can not be mixed or applied to individual field pairs.
• Columns in all tables can now be rearranged and the ordering and sort selections will be saved in the user’s cookies.
• Conns on the Management dashboard now have a Click to Elastic button which will send the user directly to that Conn in Elastic.
• Events now have a Click to Filter button and Conns have a Click to Rule button. Each uses the information from the respective item to populate a Filter/Rule that the user can edit and confirm.
• T1090 Events are no longer produced by IPs or Hosts that are whitelisted in AlienVault.
• Events generated by IPs and Hosts that are whitelisted in AlienVault are now reduced to Low Priority. An enrichment is added to the Event to indicate this.
• Multicast IPs no longer generate New Local MAC Events.
• Brute Force over HTTP (T1110) now only generates Events for traffic on ports 80, 8080, 443, 8443, 14443, and 8008.
• Greater Than (>) and Less Than (<) operators can now be used with Priority and Confidence fields in Event filters.
• Management users can now download a list of all previously uploaded Indicators.
• Cards and views which limit the amount of data shown (e.g. 10,000 conns in Traffic Viewer) can now be set to order by time ascending or descending ensuring the oldest or most recent data is returned depending on the user’s choice.
• A glossary of fields is now available in the Help Menu.

Bug Fixes

• Fixed a bug that caused filters on the Reason field to not function properly.
• Fixed a bug that caused the Suricata Events count on the System Info card to always be 0 event when Suricata Events existed.
• Using the external IP field in filters no longer throws an error on the Event Counts card.
• Fixed a bug that could cause the T1110 analytic to crash when trying to update an Event from a previous run.
• Descriptions longer than 1500 characters are now trimmed when displayed.
• Fixed a bug that caused new lines to not display in long Descriptions.
• Added accessibility text to buttons for Screen Reader support.

New Features

• Mosaics now display a timeline summarization of the Events they contain
• Access to individual Threat Feeds can now be restricted on a per sensor basis
• Event mitigations now include Snort formatted suggested firewall rules that users can choose to implement to block potentially malicious traffic
• Indicator Upload now supports wildcards in indicators
• Industry Tags are now called Traits and are no longer restricted to only DOD industries
• Added collection filters for APIPA (169.254.*.*) addresses
• Added backwards compatibility support for times when the sensor version is older than management

Bug Fixes

• Fixed a bug in Traffic Query that caused the Submit button to stop working if a user first use the Click to pivot and the edited the date or display fields
• Fixed a bug that could cause the Timeline configuration to crash when attempting to display Evidence data
• Added the Reset to Default button to cards that are popped out

New Features

• T1029, T1030, T1041 Analytics have been reworked to reduce false positives
  • Created several new parameters that can be tuned in configuration to adjust behavior on the fly
  • Increased thresholds for alerting on several existing parameters
  • Removed UDP connections from consideration
• APIPA addresses are no longer considered in detecting T1557
• Mosaics now display a tab with connections associated with the Events in that Mosaic
• IP Biographies are now available on the Management Dashboard
• Added geolocation fields to connections in views throughout the tool
• Dashboard cards can now be popped out into their own window
• Added full Suricata rule enrichment to events which contain Suricata evidence

Bug Fixes

• Added more back end pings to keep login sessions from dying when a user is on a page other than the dashboard
• Deleting an element on the Timeline Card configuration no longer resets all other elements
• Fixed a mismatch between FTP, SMB, and SSL names that caused query filters to not match those data types
• Fixed a bug that could cause conns to lose the association with their source file if a crash happened at a specific time during ingest
• Fixed a bug that caused RDP data to not display correctly on drilldowns
• Removed Pivot to Traffic Query button for users that don't have permission to use Traffic Query
• Fixed a bug that prevented PDF reports from displaying correctly

New Features

• Satellite Sensors: A single company can now have multiple satellite sensors deployed at disparate locations which will all feed data back to the main sensor for processing as one collected data batch.
• Elastic Integration: Data from all sensors is now populated into an Elastic instance located at <siem.cyberspan.us>. This includes all Zeek data processed by sensors since November 20.
• Custom Indicator Upload: On management, users can upload files with lists of indicators for the system to alert on.
• Local Model Retraining: Byte Estimator and User Agent String will now retrain weekly on data specific to the local sensor to provide more accurate anomaly detection tailored to the DIB.
• Traffic Search on Sensors: DIB users can now perform traffic searches local to their own sensors without accessing management.
• Management Containerization: The entire management environment is now fully containerized and runs as a set of containers isolating the running application, the threat feed retrieval proxy, and the database.
• Timeline improvements: A timeline card can now be added to the management dashboard. Timeline cards on both sensor and management can now be configured to display any combination of data types over any time range.
• Drill down views now have tabs for more related objects. Conns have tabs for Evidence and Events related to that conn, Evidence has tabs for Events and Mosaics (management only) linked to them, and Events have a tab for linked Mosaics ( management only).
• The T1029 Analytic no longer generates Events for UDP Traffic
• Added Country Code as a searchable field in Traffic Query
• Events with Suricata enrichment now display the rule text of the rule that hit.
• Pivoting from a Conn to Traffic Search now opens in a new tab.
• Events by External IP: The Event Table dashboard card can now be filtered by External IP.
• Dashboard cards can now be resized by the user to allow further customization.
• Release notes are now viewable in the tool. You're reading them right now! On the first login after each release the user will receive a popup displaying the notes. They can review them any time after that by clicking the version number in the Help menu.
• Users can now select multiple Events at once to close, add alerts, mark as read, or pin.
• Added a button to reset the entire dashboard to default settings.
• The default Event table view now includes the Confidence column.

Bug Fixes

• Fixed cases where T1587 and T1021 analytics were using a hard coded list to determine whether an IP was local or not.
• Events were incorrectly being generated with a single piece of evidence if it came from a Device Clustering anomaly. Fixed to require at least two pieces of evidence.
• Fixed incorrect text description for user created rules.
• T1029 Events are limited to 5000 conns in their linked evidence, this limit could cause the representative conn shown to the user to not be present in the evidence associated with the event. This has been fixed so that the representative conn is always added to the evidence.
• T1090.004 Events could be generated due to considering a hostname with a port appended different than the plain hostname. This comparison now ignores ports appended to the hostname.
• Fixed duplication and overcounting that could occur when setting queries for the Event by Identifying Conn dashboard card if an Event had multiple representative conns.
• Fixed colors for Confidence values in Dark Mode to make them more legible.