Grey Noise threat feed data is now added as an enrichment to Events.
Data Exfiltration analytics (T1029, T1030, T1041) now only consider successful connections. T1029 and T1041 also now utilize the Producer-Consumer ratio of bytes sent and received to aid in exfiltration detection.
T1110 (Brute Force) detection now includes the auth_attempts field in its analysis. It also now resets the count of failed attempts when a successful attempt occurs.
T1205 (Port Knocking) now searches all traffic (instead of just anomalies/evidence) for a configurable number of failed connections (default 3) followed by a successful connection all within 1 minute and all on ports greater than 1024.
T1046 (Network Service Discovery) now excludes connections initiating from port 7680 on internal IPs with a connection history of “R”.
Rules and Filters can now use the not equals (!=) operator.
All New Local MAC Events on a sensor are now rolled up into a single Event.
Ransomware Events now roll up by the pattern that was matched, reducing the number of unique Events from files of the same type.
The MaxMind IP Geolocation database is now updated automatically twice per week.
Maps, Timelines, Pie charts, and Bar charts all now use HighCharts and have improved accessibility features.
Management Power Users can now view the list of auditable events that have occurred on management. This includes downloading PCAP or Zeek, closing Events and Mosaics, creating or deleting Rules, creating or deleting Event alerts, and configuration changes.
Viewing notes created on Management is now restricted to only Management Power Users. Notes created on Management can still be set to shared, and those shared notes will be viewable on the associated Sensor.
Rules and Indicators that are set to send to “All Deployments” are now correctly sent to newly created deployments.
Bug Fixes
Fixed a bug in T1110 (Brute Force) detection that was counting authentication attempts as failed when no value was specified in the data.
Fixed a bug which caused some Events to be sent to management repeatedly. The duplicates were deduplicated on arrival, so display and analytics were not affected; the only cost was extra processing time and traffic.
Fixed a bug which caused retrained user agent and byte estimator models to overwrite previous versions of the model instead of preserving them.
Fixed a bug which caused long running API requests generated by the UI to keep running even if the user closed that view. This could stall future API requests if the user had too many canceled ones still running.
Fixed a bug which caused Mosaic timelines to show as horizontal bars instead of vertical.
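The detection changes listed above (the Producer-Consumer ratio and successful-connection filter for T1029/T1041, the port-knocking sequence for T1205, and the auth_attempts counting with reset-on-success for T1110, including the fix for records with no auth_attempts value) can be illustrated with a small piece of detection logic run over constructed Zeek-style records. This is an added example, not the product's own code: the record layout, the set of Zeek conn_state values treated as failed or successful, the standard PCR definition (orig minus resp bytes over their sum), and the thresholds are assumptions.

```python
from collections import defaultdict

# Zeek conn_state values treated as a completed handshake vs. a failed one
# (assumption: the product's exact mapping is not given in the notes).
SUCCESS_STATES = {"SF"}
FAILED_STATES = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR"}

# Constructed sample conn records in Zeek conn.log terms
# (ts, id.orig_h, id.resp_h, id.resp_p, conn_state, orig_bytes, resp_bytes).
CONNS = [
    # three refused high-port connections then a success, all within 60 s
    dict(ts=100.0, orig="10.0.0.5", resp="10.0.0.9", port=7001, state="REJ", ob=0, rb=0),
    dict(ts=101.0, orig="10.0.0.5", resp="10.0.0.9", port=8002, state="REJ", ob=0, rb=0),
    dict(ts=102.0, orig="10.0.0.5", resp="10.0.0.9", port=9003, state="S0", ob=0, rb=0),
    dict(ts=103.0, orig="10.0.0.5", resp="10.0.0.9", port=2222, state="SF", ob=400, rb=300),
    # a large, successful, outbound-heavy transfer and an identical-looking failed one
    dict(ts=200.0, orig="10.0.0.7", resp="203.0.113.8", port=443, state="SF", ob=9_000_000, rb=20_000),
    dict(ts=201.0, orig="10.0.0.7", resp="203.0.113.9", port=443, state="S0", ob=9_000_000, rb=0),
    # an ordinary download: large but inbound-heavy
    dict(ts=202.0, orig="10.0.0.8", resp="203.0.113.8", port=443, state="SF", ob=5_000, rb=2_000_000),
]

# Constructed auth records; auth_attempts is None where the log carried no value.
AUTH_EVENTS = [
    dict(ts=300, src="10.0.0.5", dst="10.0.0.9", success=False, auth_attempts=2),
    dict(ts=301, src="10.0.0.5", dst="10.0.0.9", success=False, auth_attempts=None),
    dict(ts=302, src="10.0.0.5", dst="10.0.0.9", success=False, auth_attempts=3),
    dict(ts=303, src="10.0.0.5", dst="10.0.0.9", success=True, auth_attempts=1),
    dict(ts=304, src="10.0.0.5", dst="10.0.0.9", success=False, auth_attempts=1),
]


def pcr(orig_bytes, resp_bytes):
    """Producer-Consumer Ratio (standard definition assumed): +1 for a pure
    sender, -1 for a pure receiver, 0 when traffic is balanced or absent."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total


def exfil_candidates(conns, min_bytes=1_000_000, min_pcr=0.9):
    """T1029/T1041 style: only successful connections count, and a flow is a
    candidate when it is both large and strongly outbound-heavy."""
    return [c for c in conns
            if c["state"] in SUCCESS_STATES
            and c["ob"] >= min_bytes
            and pcr(c["ob"], c["rb"]) >= min_pcr]


def port_knock_sequences(conns, failed_needed=3, window=60.0, min_port=1025):
    """T1205 style: per (orig, resp) pair, `failed_needed` failed connections
    followed by a successful one, all on ports > 1024 and within `window` seconds."""
    by_pair = defaultdict(list)
    for c in sorted(conns, key=lambda c: c["ts"]):
        if c["port"] >= min_port:
            by_pair[(c["orig"], c["resp"])].append(c)
    hits = []
    for pair, seq in by_pair.items():
        failed = []
        for c in seq:
            # keep only failures still inside the window that ends at this conn
            failed = [f for f in failed if c["ts"] - f["ts"] <= window]
            if c["state"] in FAILED_STATES:
                failed.append(c)
            elif c["state"] in SUCCESS_STATES:
                if len(failed) >= failed_needed:
                    hits.append({"pair": pair,
                                 "knocks": [f["port"] for f in failed],
                                 "opened": c["port"]})
                failed = []  # a success consumes the sequence either way
    return hits


def brute_force_alerts(events, threshold=5):
    """T1110 style: sum auth_attempts of failed logins per (src, dst). A record
    with no auth_attempts value is not counted as a failure, and a successful
    login resets the running count."""
    counts = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["dst"])
        if e["success"]:
            counts[key] = 0
            continue
        attempts = e.get("auth_attempts")
        if attempts is None:
            continue
        counts[key] += attempts
        if counts[key] >= threshold:
            alerts.append((key, counts[key]))
    return alerts
```

Calling `port_knock_sequences(CONNS)` returns the one knock sequence (ports 7001, 8002, 9003, then 2222 opened); `exfil_candidates(CONNS)` keeps only the successful outbound-heavy flow and drops the failed one with the same byte count; `brute_force_alerts(AUTH_EVENTS)` fires once at a count of 5, skips the record with no value, and starts from zero again after the success.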
Traffic Query and all Cards can now choose whether all of their filters are ANDed or ORed. This setting applies to all filters on the query or card collectively; it cannot be mixed or applied to individual field pairs.
Columns in all tables can now be rearranged and the ordering and sort selections will be saved in the user’s cookies.
Conns on the Management dashboard now have a Click to Elastic button which will send the user directly to that Conn in Elastic.
Events now have a Click to Filter button and Conns have a Click to Rule button. Each uses the information from the respective item to populate a Filter/Rule that the user can edit and confirm.
T1090 Events are no longer produced by IPs or Hosts that are whitelisted in AlienVault.
Events generated by IPs and Hosts that are whitelisted in AlienVault are now reduced to Low Priority. An enrichment is added to the Event to indicate this.
Multicast IPs no longer generate New Local MAC Events.
Brute Force over HTTP (T1110) now only generates Events for traffic on ports 80, 8080, 443, 8443, 14443, and 8008.
Greater Than (>) and Less Than (<) operators can now be used with Priority and Confidence fields in Event filters.
Management users can now download a list of all previously uploaded Indicators.
Cards and views which limit the amount of data shown (e.g. 10,000 conns in Traffic Viewer) can now be set to order by time ascending or descending, ensuring the oldest or most recent data is returned depending on the user's choice.
A glossary of fields is now available in the Help Menu.
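The filter semantics described in these notes (the not-equals operator, greater-than and less-than on the Priority and Confidence fields, and one AND/OR setting that applies to a whole filter set and cannot be mixed per field) can be shown with a small evaluator over constructed Event records. This is an added example and not the product's filter engine: the (field, operator, value) triple representation, the field names, and the rule that ordering operators are accepted only on Priority and Confidence are assumptions drawn from the wording above.

```python
import operator

OPERATORS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
}

# Fields on which > and < are meaningful (assumption based on the notes).
ORDERED_FIELDS = {"Priority", "Confidence"}

# Constructed sample Events.
EVENTS = [
    {"id": "A", "Priority": 5, "Confidence": 0.90, "Reason": "Brute Force"},
    {"id": "B", "Priority": 2, "Confidence": 0.40, "Reason": "Port Knocking"},
    {"id": "C", "Priority": 3, "Confidence": 0.95, "Reason": "Brute Force"},
]


def validate_filter(field, op, value):
    """Reject operators the filter language does not support, and reject
    ordering operators on fields that are not ordered."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    if op in (">", "<") and field not in ORDERED_FIELDS:
        raise ValueError(f"{op!r} is only valid on {sorted(ORDERED_FIELDS)}")


def match(event, filters, mode="AND"):
    """Evaluate every filter against one Event and combine the results with a
    single mode; a missing field never satisfies a filter."""
    if mode not in ("AND", "OR"):
        raise ValueError("mode must be 'AND' or 'OR' for the whole filter set")
    results = []
    for field, op, value in filters:
        validate_filter(field, op, value)
        results.append(field in event and OPERATORS[op](event[field], value))
    return all(results) if mode == "AND" else any(results)


def apply_filters(events, filters, mode="AND"):
    """Return the ids of the Events that pass the filter set under `mode`."""
    return [e["id"] for e in events if match(e, filters, mode)]
```

With the filters `("Priority", "<", 4)` and `("Confidence", ">", 0.9)`, AND mode keeps only event C, while OR mode keeps B and C; `("Reason", "!=", "Brute Force")` alone keeps B, and asking for `>` on Reason raises a ValueError rather than silently comparing strings.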
Bug Fixes
Fixed a bug that caused filters on the Reason field to not function properly.
Fixed a bug that caused the Suricata Events count on the System Info card to always be 0 even when Suricata Events existed.
Using the external IP field in filters no longer throws an error on the Event Counts card.
Fixed a bug that could cause the T1110 analytic to crash when trying to update an Event from a previous run.
Descriptions longer than 1500 characters are now trimmed when displayed.
Fixed a bug that caused new lines to not display in long Descriptions.
Added accessibility text to buttons for Screen Reader support.
Mosaics now display a timeline summarization of the Events they contain.
Access to individual Threat Feeds can now be restricted on a per sensor basis.
Event mitigations now include Snort formatted suggested firewall rules that users can choose to implement to block potentially malicious traffic.
Indicator Upload now supports wildcards in indicators.
Industry Tags are now called Traits and are no longer restricted to only DOD industries.
Added collection filters for APIPA (169.254.*.*) addresses.
Added backwards compatibility support for times when the sensor version is older than management.
Bug Fixes
Fixed a bug in Traffic Query that caused the Submit button to stop working if a user first used Click to Pivot and then edited the date or display fields.
Fixed a bug that could cause the Timeline configuration to crash when attempting to display Evidence data.
Added the Reset to Default button to cards that are popped out.
Satellite Sensors: A single company can now have multiple satellite sensors deployed at disparate locations which will all feed data back to the main sensor for processing as one collected data batch.
Elastic Integration: Data from all sensors is now populated into an Elastic instance located at <siem.cyberspan.us>. This includes all Zeek data processed by sensors since November 20.
Custom Indicator Upload: On management, users can upload files with lists of indicators for the system to alert on.
Local Model Retraining: Byte Estimator and User Agent String will now retrain weekly on data specific to the local sensor to provide more accurate anomaly detection tailored to the DIB.
Traffic Search on Sensors: DIB users can now perform traffic searches local to their own sensors without accessing management.
Management Containerization: The entire management environment is now fully containerized and runs as a set of containers isolating the running application, the threat feed retrieval proxy, and the database.
Timeline improvements: A timeline card can now be added to the management dashboard. Timeline cards on both sensor and management can now be configured to display any combination of data types over any time range.
Drill down views now have tabs for more related objects. Conns have tabs for Evidence and Events related to that conn, Evidence has tabs for Events and Mosaics (management only) linked to them, and Events have a tab for linked Mosaics (management only).
The T1029 Analytic no longer generates Events for UDP Traffic.
Added Country Code as a searchable field in Traffic Query.
Events with Suricata enrichment now display the rule text of the rule that hit.
Pivoting from a Conn to Traffic Search now opens in a new tab.
Events by External IP: The Event Table dashboard card can now be filtered by External IP.
Dashboard cards can now be resized by the user to allow further customization.
Release notes are now viewable in the tool. You're reading them right now! On the first login after each release the user will receive a popup displaying the notes. They can review them any time after that by clicking the version number in the Help menu.
Users can now select multiple Events at once to close, add alerts, mark as read, or pin.
Added a button to reset the entire dashboard to default settings.
The default Event table view now includes the Confidence column.
Bug Fixes
Fixed cases where the T1587 and T1021 analytics were using a hard-coded list to determine whether an IP was local or not.
Events were incorrectly being generated with a single piece of evidence if it came from a Device Clustering anomaly. Fixed to require at least two pieces of evidence.
Fixed incorrect text description for user created rules.
T1029 Events are limited to 5000 conns in their linked evidence. This limit could cause the representative conn shown to the user to be absent from the evidence associated with the Event. This has been fixed so that the representative conn is always added to the evidence.
T1090.004 Events could be generated because a hostname with a port appended was treated as different from the plain hostname. This comparison now ignores ports appended to the hostname.
Fixed duplication and overcounting that could occur when setting queries for the Event by Identifying Conn dashboard card if an Event had multiple representative conns.
Fixed colors for Confidence values in Dark Mode to make them more legible.