Grey Noise threat feed data is now added as an enrichment to Events.
Data Exfiltration analytics (T1029, T1030, T1041) now only consider successful connections. T1029 and T1041 also now utilize the Producer-Consumer ratio of bytes sent and received to aid in exfiltration detection.
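The Producer-Consumer Ratio (PCR) mentioned above is a standard flow metric: PCR = (bytes_sent - bytes_received) / (bytes_sent + bytes_received), ranging from -1 (a host that only consumes, such as a download) to +1 (a host that only produces, such as a host pushing data out). The following is an added example, not the product's own code, showing the two ideas in this note together: only successful connections contribute, and per-host PCR is used to surface upload-heavy hosts. The record fields (`orig_h`, `resp_h`, `state`, `orig_bytes`, `resp_bytes`) mimic Zeek-style conn logs and are an assumption, as is the threshold choice.

```python
# Added example (not the product's code). Field names mimic Zeek conn records
# and are an assumption; the sample records are constructed.
from collections import defaultdict

# Connection states in which a handshake completed and data could actually flow.
# Attempts that never completed (S0, REJ, ...) are skipped, matching the note
# that exfiltration analytics only consider successful connections.
SUCCESS_STATES = {"SF", "S1", "RSTO", "RSTR"}

# Constructed sample:
#  - 10.0.0.5 pushes ~9 MB out over established sessions (producer)
#  - 10.0.0.7 mostly downloads (consumer)
#  - 10.0.0.9 reports a large orig_bytes on a connection that never completed
#    (state S0); it must be ignored rather than counted as exfiltration.
SAMPLE_CONNS = [
    {"orig_h": "10.0.0.5", "resp_h": "198.51.100.10", "state": "SF",
     "orig_bytes": 6_000_000, "resp_bytes": 30_000},
    {"orig_h": "10.0.0.5", "resp_h": "198.51.100.10", "state": "SF",
     "orig_bytes": 3_000_000, "resp_bytes": 20_000},
    {"orig_h": "10.0.0.7", "resp_h": "198.51.100.20", "state": "SF",
     "orig_bytes": 20_000, "resp_bytes": 2_000_000},
    {"orig_h": "10.0.0.9", "resp_h": "198.51.100.30", "state": "S0",
     "orig_bytes": 5_000_000, "resp_bytes": 0},
]


def pcr(orig_bytes: int, resp_bytes: int) -> float:
    """Producer-Consumer Ratio in [-1, 1]; 0.0 when no bytes moved at all."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total


def host_pcr(conns):
    """Aggregate bytes per originating host over successful connections only.

    Returns {host: (pcr, bytes_out, bytes_in)}. Hosts with no successful
    connections do not appear in the result.
    """
    bytes_out = defaultdict(int)
    bytes_in = defaultdict(int)
    for c in conns:
        if c["state"] not in SUCCESS_STATES:
            continue
        bytes_out[c["orig_h"]] += c["orig_bytes"]
        bytes_in[c["orig_h"]] += c["resp_bytes"]
    return {h: (pcr(bytes_out[h], bytes_in[h]), bytes_out[h], bytes_in[h])
            for h in bytes_out}


def exfil_candidates(conns, pcr_threshold: float = 0.8,
                     min_bytes_out: int = 1_000_000):
    """Hosts whose successful-connection PCR is strongly producer-side.

    The byte floor keeps small, chatty sessions (which are often upload-heavy
    by nature) from being reported purely on ratio. Both thresholds are
    assumptions for the example, not the product's values.
    """
    return sorted(h for h, (ratio, out, _) in host_pcr(conns).items()
                  if ratio >= pcr_threshold and out >= min_bytes_out)


if __name__ == "__main__":
    for host, (ratio, out, inn) in host_pcr(SAMPLE_CONNS).items():
        print(f"{host}: pcr={ratio:+.3f} out={out} in={inn}")
    print("candidates:", exfil_candidates(SAMPLE_CONNS))
```

Note that 10.0.0.9 never appears in the per-host table at all: because its only connection never completed, the bytes it claims to have sent are not trusted, which is exactly why filtering on connection success before computing the ratio matters.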
T1110 (Brute Force) detection now includes the auth_attempts field in its analysis. It also now resets the count of failed attempts when a successful attempt occurs.
T1205 (Port Knocking) now searches all traffic (instead of just anomalies/evidence) for a configurable number of failed connections (default 3) followed by a successful connection all within 1 minute and all on ports greater than 1024.
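Both of the preceding notes describe the same shape of detection logic, a streak of failures whose meaning depends on what follows it: for T1110 a successful authentication resets the failed-attempt count, while for T1205 a successful connection after enough failed ones inside a one-minute window is the signal. The following is an added example, not the product's own code, implementing both rules over constructed records. It assumes Zeek-style conn fields (`ts`, `orig_h`, `resp_h`, `resp_p`, `state`) and a generic authentication record with `user`, `src`, `success` and an optional `auth_attempts` field; all of those names are assumptions.

```python
# Added example (not the product's code). Field names are assumptions;
# sample records are constructed.
from collections import defaultdict, deque

FAILED_STATES = {"S0", "REJ", "RSTOS0"}          # no handshake completed
SUCCESS_STATES = {"SF", "S1", "RSTO", "RSTR"}     # handshake completed


def detect_port_knocking(conns, min_failed=3, window_s=60.0, min_port=1024):
    """T1205-style rule from the note above.

    For each (orig_h, resp_h) pair, keep the timestamps of failed connections
    to ports above min_port. When a successful connection to such a port
    arrives, drop failures older than window_s and alert if at least
    min_failed remain, so the failures and the success all fall within the
    window. The streak is cleared after every success.
    """
    failed = defaultdict(deque)        # (orig, resp) -> deque of (ts, port)
    alerts = []
    for c in sorted(conns, key=lambda c: c["ts"]):
        if c["resp_p"] <= min_port:    # rule only looks at ports > 1024
            continue
        key = (c["orig_h"], c["resp_h"])
        q = failed[key]
        if c["state"] in FAILED_STATES:
            q.append((c["ts"], c["resp_p"]))
        elif c["state"] in SUCCESS_STATES:
            while q and c["ts"] - q[0][0] > window_s:
                q.popleft()
            if len(q) >= min_failed:
                alerts.append({"orig_h": c["orig_h"], "resp_h": c["resp_h"],
                               "knock_ports": [p for _, p in q],
                               "open_port": c["resp_p"], "ts": c["ts"]})
            q.clear()
    return alerts


def detect_brute_force(auth_events, threshold=5):
    """T1110-style rule from the note above.

    Failed attempts per (src, user) are weighted by auth_attempts (1 when the
    field is absent). A successful attempt resets the count. Records with no
    stated outcome (success is None) are not treated as failures. Returns
    {(src, user): highest_failed_count_reached} for keys that hit threshold.
    """
    counts = defaultdict(int)
    flagged = {}
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        if e.get("success") is None:
            continue
        if e["success"]:
            counts[key] = 0
            continue
        counts[key] += e.get("auth_attempts") or 1
        if counts[key] >= threshold:
            flagged[key] = max(flagged.get(key, 0), counts[key])
    return flagged


# Constructed conn records, one scenario per originating host.
SAMPLE_CONNS = [
    # 10.0.0.5: three refused high ports then a success, 20 s total -> alert
    {"ts": 0.0, "orig_h": "10.0.0.5", "resp_h": "10.0.0.20", "resp_p": 7000, "state": "REJ"},
    {"ts": 5.0, "orig_h": "10.0.0.5", "resp_h": "10.0.0.20", "resp_p": 8000, "state": "S0"},
    {"ts": 10.0, "orig_h": "10.0.0.5", "resp_h": "10.0.0.20", "resp_p": 9000, "state": "REJ"},
    {"ts": 20.0, "orig_h": "10.0.0.5", "resp_h": "10.0.0.20", "resp_p": 2222, "state": "SF"},
    # 10.0.0.6: only two failures before the success -> below default count
    {"ts": 30.0, "orig_h": "10.0.0.6", "resp_h": "10.0.0.20", "resp_p": 7000, "state": "REJ"},
    {"ts": 31.0, "orig_h": "10.0.0.6", "resp_h": "10.0.0.20", "resp_p": 8000, "state": "S0"},
    {"ts": 35.0, "orig_h": "10.0.0.6", "resp_h": "10.0.0.20", "resp_p": 2222, "state": "SF"},
    # 10.0.0.7: three failures, but the success comes 70 s later -> outside window
    {"ts": 100.0, "orig_h": "10.0.0.7", "resp_h": "10.0.0.20", "resp_p": 7000, "state": "REJ"},
    {"ts": 101.0, "orig_h": "10.0.0.7", "resp_h": "10.0.0.20", "resp_p": 8000, "state": "REJ"},
    {"ts": 102.0, "orig_h": "10.0.0.7", "resp_h": "10.0.0.20", "resp_p": 9000, "state": "REJ"},
    {"ts": 170.0, "orig_h": "10.0.0.7", "resp_h": "10.0.0.20", "resp_p": 2222, "state": "SF"},
    # 10.0.0.8: failures on well-known ports are ignored by the rule
    {"ts": 200.0, "orig_h": "10.0.0.8", "resp_h": "10.0.0.20", "resp_p": 22, "state": "REJ"},
    {"ts": 201.0, "orig_h": "10.0.0.8", "resp_h": "10.0.0.20", "resp_p": 23, "state": "REJ"},
    {"ts": 202.0, "orig_h": "10.0.0.8", "resp_h": "10.0.0.20", "resp_p": 80, "state": "REJ"},
    {"ts": 205.0, "orig_h": "10.0.0.8", "resp_h": "10.0.0.20", "resp_p": 443, "state": "SF"},
]

# Constructed authentication records.
SAMPLE_AUTH = [
    # alice: 4 weighted failures, then a success resets, then 1 more -> never reaches 5
    {"ts": 1, "src": "203.0.113.9", "user": "alice", "success": False, "auth_attempts": 2},
    {"ts": 2, "src": "203.0.113.9", "user": "alice", "success": False, "auth_attempts": 2},
    {"ts": 3, "src": "203.0.113.9", "user": "alice", "success": True},
    {"ts": 4, "src": "203.0.113.9", "user": "alice", "success": False},
    # bob: two records carrying 3 attempts each -> 6 failures, flagged
    {"ts": 5, "src": "203.0.113.9", "user": "bob", "success": False, "auth_attempts": 3},
    {"ts": 6, "src": "203.0.113.9", "user": "bob", "success": False, "auth_attempts": 3},
    # carol: outcome never recorded -> not counted as failures
    *[{"ts": 10 + i, "src": "203.0.113.9", "user": "carol", "success": None}
      for i in range(10)],
]

if __name__ == "__main__":
    print("port knocking:", detect_port_knocking(SAMPLE_CONNS))
    print("brute force:", detect_brute_force(SAMPLE_AUTH))
```

The carol records illustrate the bug fix listed further down this page (attempts with no stated outcome were once counted as failures): with `success` absent they contribute nothing to the count. Lowering `min_failed` to 2 makes the 10.0.0.6 scenario fire as well, which shows why the knock count is configurable.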
T1046 (Network Service Discovery) now excludes connections initiating from port 7680 on internal IPs with a connection history of “R”.
Rules and Filters can now use the not equals (!=) operator.
All New Local MAC Events on a sensor are now rolled up into a single Event.
Ransomware Events now roll up by the pattern that was matched, reducing the number of unique Events from files of the same type.
Improved the Network Graph visualization with highlighting of selected and hovered nodes, more information about each node, and a pivot feature to move from node to node with a back button.
The MaxMind IP Geolocation database is now updated automatically twice per week.
Maps, Timelines, Pie charts, and Bar charts all now use HighCharts and have improved accessibility features.
Bug Fixes
Fixed a bug in T1110 (Brute Force) detection that was counting authentication attempts as failed when no value was specified in the data.
Fixed a bug which caused some pre-trained data to age off incorrectly.
Fixed a bug which caused retrained user agent and byte estimator models to overwrite previous versions of the model instead of preserving them.
Fixed a bug which caused long running API requests generated by the UI to keep running even if the user closed that view. This could stall future API requests if the user had too many canceled ones still running.
Traffic Query and all Cards can now choose whether all of their filters are ANDed or ORed. This setting applies to all filters on the query or card collectively; it cannot be mixed or applied to individual field pairs.
Columns in all tables can now be rearranged and the ordering and sort selections will be saved in the user’s cookies.
Events now have a Click to Filter button and Conns have a Click to Rule button. Each uses the information from the respective item to populate a Filter/Rule that the user can edit and confirm.
T1090 Events are no longer produced by IPs or Hosts that are whitelisted in AlienVault.
Events generated by IPs and Hosts that are whitelisted in AlienVault are now reduced to Low Priority. An enrichment is added to the Event to indicate this.
Multicast IPs no longer generate New Local MAC Events.
Brute Force over HTTP (T1110) now only generates Events for traffic on ports 80, 8080, 443, 8443, 14443, and 8008.
Greater Than (>) and Less Than (<) operators can now be used with Priority and Confidence fields in Event filters.
Cards and views which limit the amount of data shown (e.g. 10,000 conns in Traffic Viewer) can now be set to order by time ascending or descending, ensuring the oldest or most recent data is returned depending on the user's choice.
A glossary of fields is now available in the Help Menu.
Bug Fixes
Fixed a bug that caused filters on the Reason field to not function properly.
Fixed a bug that caused the Suricata Events count on the System Info card to always be 0 even when Suricata Events existed.
Using the external IP field in filters no longer throws an error on the Event Counts card.
Fixed a bug that could cause the T1110 analytic to crash when trying to update an Event from a previous run.
Descriptions longer than 1500 characters are now trimmed when displayed.
Fixed a bug that caused new lines to not display in long Descriptions.
Added accessibility text to buttons for Screen Reader support.
Event mitigations now include Snort formatted suggested firewall rules that users can choose to implement to block potentially malicious traffic.
Added collection filters for APIPA (169.254.*.*) addresses.
Added backwards compatibility support for times when the sensor version is older than management.
Duplicate Real Time Events are now rolled up into one instance, and have a date created and date updated field to track occurrences.
Bug Fixes
Fixed a bug in Traffic Query that caused the Submit button to stop working if a user first used the Click to pivot and then edited the date or display fields.
Fixed a bug that could cause the Timeline configuration to crash when attempting to display Evidence data.
Fixed a bug that caused sensors with very low data flow to crash and get stuck if they hadn't passed the burn in threshold after several months.
Added the Reset to Default button to cards that are popped out.
Local Model Retraining: Byte Estimator and User Agent String will now retrain weekly on data specific to the local sensor to provide more accurate anomaly detection tailored to the DIB.
Traffic Search on Sensors: Users can now perform traffic searches on data on their sensor.
Timeline improvements: The timeline card can now be configured to display any combination of data types over any time range.
Drill down views now have tabs for more related objects. Conns have tabs for Evidence and Events related to that conn and Evidence has tabs for Events linked to them.
The T1029 Analytic no longer generates Events for UDP Traffic.
Events with Suricata enrichment now display the rule text of the rule that hit.
Events by External IP: The Event Table dashboard card can now be filtered by External IP.
Dashboard cards can now be resized by the user to allow further customization.
Release notes are now viewable in the tool. You're reading them right now! On the first login after each release the user will receive a popup displaying the notes. They can review them any time after that by clicking the version number in the Help menu.
Users can now select multiple Events at once to close, add alerts, mark as read, or pin.
Added a button to reset the entire dashboard to default settings.
The default Event table view now includes the Confidence column.
Bug Fixes
Fixed cases where T1587 and T1021 analytics were using a hard coded list to determine whether an IP was local or not.
Events were incorrectly being generated with a single piece of evidence if it came from a Device Clustering anomaly. Fixed to require at least two pieces of evidence.
T1029 Events are limited to 5000 conns in their linked evidence; this limit could cause the representative conn shown to the user to not be present in the evidence associated with the event. This has been fixed so that the representative conn is always added to the evidence.
T1090.004 Events could be generated because a hostname with a port appended was considered different from the plain hostname. This comparison now ignores ports appended to the hostname.
Fixed duplication and overcounting that could occur when setting queries for the Event by Identifying Conn dashboard card if an Event had multiple representative conns.
Fixed colors for Confidence values in Dark Mode to make them more legible.