We regularly introduce new features to USM Anywhere and USM Central to help your team to be more effective at detecting and responding to threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Here are a few of the highlights from our May 2018 releases:
New Alarm Management Capabilities in USM Central
Many of our MSSP and large enterprise users take advantage of USM Central to centrally monitor multiple USM Anywhere instances. This month, we added new features to help streamline alarm management across USM Central and USM Anywhere. This includes two-way synchronization of alarm labels and alarm status as well as hierarchical treatments to make it work ideally for tiered or co-managed deployments.
Here’s how it works:
- Any alarm status or label applied to an alarm in USM Central will synchronize with the same alarm in the USM Anywhere instance.
- If you create a label in USM Central, it can not be modified in USM Anywhere.
- If you create a label in USM Anywhere, it can not be modified in USM Central.
- However, if you create or assign a label in USM Anywhere and create the same label in USM Central, USM Central will take control of the label. From that point, it can not be modified in USM Anywhere
New Reporting Templates in USM Anywhere for ISO 27001 and more
AlienVault USM Anywhere has a large library of pre-built reporting templates that provide immediate visibility needed for compliance audits, executive briefs, and daily management. We continue to add new reporting templates to help accelerate and simplify reporting requirements. This month we added the following reporting templates:
ISO 27001 Compliance Reporting Templates:
On May 8, 2018, we added new compliance reporting templates for ISO 27001. These templates map directly to common ISO 27001 requirements, making it fast and simple to navigate the requirements and to satisfy requests for an audit. You can easily customize, save, and export any report as needed.
The ISO 27001 reporting templates in USM Anywhere can also serve as general guidelines as you prepare for the GDPR. Because ISO 27001 serves as a globally accepted framework for information security management, it can be helpful in demonstrating that you manage your data security in accordance with the EU General Data Protection Regulation (GDPR). By establishing an information security management framework (ISMS) in accordance with ISO 27001 requirements, organizations can better position themselves to be able to demonstrate compliance with the data security requirements of the GDPR.
AlienVault Generic Plugin Reporting Template:
The AlienVault Generic Plugin parses events that are not otherwise handled by a plugin specific to a product or data source. We’ve made it easier to search and report on these events with a new saved events view and corresponding reporting template, under the Event Type reporting templates. You can use these as a way to spot check for any events that should be handled by a product-specific plugin but, for some reason, are not handled correctly.
AlienVault Agent Data Source Reporting Templates:
We are working closely with select USM Anywhere users in our Early Access program for the AlienVault Agent. This month, we added five new reporting templates for the AlienVault Agent: Command History, Docker Containers, File Integrity Monitoring, Installed Software, and Login Activity. These reporting templates are available to Early Access participants as Event Type reports.
Event Searches by Minutes and Seconds
When you investigate an alarm, you often need to understand what activities and events occured in the minutes before, during, and after the alarm. To make this investigate faster and easier, we’ve introduced the ability to search and filter events and alarms more granularly. Now, when you filter by a custom time range, you can define it to the minute and even to the second.
New and Improved Data Sources
We regularly add support for new data sources and improve our methods of collection, parsing, and normalization for existing data sources. You can always find our full list of data sources, including AlienApps and plugins, here.
If you don’t see a data source that you want to support, don’t worry. AlienVault will build support for most commercially available products at no additional charge. You can submit a request here.
This month, we added or updated the following data sources in USM Anywhere:
New Data Sources:
- Bitdefender GravityZone
- Artica Proxy
Improvements to Existing Data Sources:
- Capture dns_rr_name from Microsoft Windows DNS Server using a LUA script
- Improved CheckPoint plugin to parse important fields
- Improved Windows Shadow Copies Deletion
- Updated Cisco Firepower NGFW Plugin
- Added destination_port_label and source_port_label to the Windows plugins highlight_fields
- Improved Windows status dictionary for Nxlog and Windows Agent plugins
- Improved Windows plugin to format the source IP address with Kerberos tickets
- Improved parsing for AWS Cloudtrail field AccessKeyID
- Added event_severity to the AlienVault Agent - Windows EventLog plugin
- Added event name dictionary to the Windows Agent Plugin
- Added new pefile keys to the Windows plugins
- Improved rule for multiple instances being shut down programmatically
- Filtered Cylance malware rule to ignore quarantine directories
- Improved Kerberos authentication fields in Windows plugins
- Improved AWSMultiplePermissionFailures to check for unique API calls
- Added support to Extract Payload field in PowerShell events
Fueling USM Anywhere with Continuous Threat Intelligence
The AlienVault Labs Security Research Team delivers continuous threat intelligence updates to USM Anywhere to keep your defenses always up to date as the threat landscape evolves. More than raw indicators of compromise, our threat intelligence is fully baked and includes support for new data sources, correlation rules, response guidance and more. Plus, it’s delivered automatically, so you don’t have to do anything to be able to continuously detect threats as they emerge and evolve in the wild.
In May, the AlienVault Labs Security Research Team delivered the following threat intelligence to the USM Anywhere platform, in addition to the new and updated data sources listed above. Please note that this is not an extensive list, but rather the highlights reel. Please read our weekly threat intelligence newsletter for more details.
New Detection Technique - Win32/TeleGrab:
TeleGrab evolved from malware that historically stole browser credentials and text files in the system. New versions target Telegram's desktop application, attempting to steal various cache files and key files to later hijack the Telegram accounts remotely.
We updated the 'System Compromise - Spyware infection' correlation rule to detect this activity.
New Detection Technique – Adobe Flash Zero day:
CVE-2018-4944 allows for arbitrary remote code execution on machines running Adobe Flash 188.8.131.52 and earlier. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
We updated the 'Exploitation & Installation - Client Side Exploit' correlation rule to detect this activity.
New Detection Technique - BKransomware:
BKRansomware was discovered in the wild in mid-April. Unusually, files affected by BKRansomware are not really encrypted. Instead, the files are encoded with ROT23, which is a simple letter substitution cipher.
We added the 'Malware infection – Ransomware' correlation rule to detect BKransomware.
Other Correlation Rules Added to USM Anywhere:
- AWS: Temporary Security Credentials request with long duration
- AWS: New temporary security credentials followed by multiple api keys deletion
- AWS: Multiple accounts deleted in a short period of time
- AWS: New account used to delete multiple accounts
- AWS: New account created followed by the original account being deleted
- AWS: Mass killing/pausing instances
- AWS: Mass starting instances
- AWS: Temporary Security Credentials request with maximum duration
- AWS: New temporary security credentials followed by original API credentials being deleted
- AWS: Instance Limit Exceeded after mass instance launch
- AWS: New AWS User account starting a high number of instances
- Windows: Executable launched from Recycle Bin
- Windows: Executable launched from System Volume Information folder
- Delete the backup catalog
- Network traffic from mshta.exe
- msiexec.exe to download an executable from a remote site
- Network traffic from msxsl.exe
- WMIC.EXE Whitelisting Bypass
- Exports the SAM, SECURITY and SYSTEM hives
- Suspicious Process Created by Microsoft Office Application
- Windows unusual process parent
- Unexpected network activity from Microsoft tools
- Suspicious Powershell arguments
- Detection of Kali Linux Update
- Process argument contains base64 encoded PE Header
- Windows: DLL CML Execution Via using pcwutl.dll