04 May 2022

Release Date   Version
04/05/2022     v9.2.0

What's New?

Workbooks

  • Audio Capture Detected
  • Bypass UAC Via CMSTP Detected
  • Curl Start Combination Detected
  • Hidden Files And Directories - VSS Detected
  • Hooking Activities Detected
  • New Driver File Creation Detected
  • Proxied Execution Via Signed Scripts
  • Scheduled Task Creation via Microsoft Office Application
  • Suspicious Bitsadmin Job Via BitsAdmin Exe
  • Suspicious Bitsadmin Job Via PowerShell
  • Install Root Certificate
  • Login Failure From Expired Account
  • Multiple Login Failure From A Disabled Account
  • SSH Destinations
  • SSH Sources
  • Threat Detected on Host - File
  • Threat Detected on Host - URL
  • Bandwidth Usage by Users
  • Phishing URL Accessed
  • Threat Detected On Webfilter
  • Top Configuration Changes By User
  • Top Domains
  • Top URL Accessed
  • Top URL Blocked
  • Top Users Accessing Blocked URLs
  • Top Users
  • Top Webfilter Signals
  • URL Destination To Country
  • URL Source By Country
  • Webfilter Activity Timeline
  • Webfilter Events

Dashboards

  • WebFilter Monitoring

What's Changed?

Workbooks

  • File Accessed or Downloaded From Regions with Restricted Access
  • Email Attachment with Executable
  • Attempt to Disable Syslog Service
  • Base16 or Base32 Encoding or Decoding Activity
  • Base64 Encoding-Decoding Activity
  • Creation of Hidden Files and Directories
  • Hex Encoding-Decoding Activity
  • Netcat Network Activity
  • Nmap Process Activity
  • Persistence via Kernel Module Modification
  • Unusual Process Execution - Temp
  • Retrieve Compromised Host
  • Batch File Write to System32
  • Excessive Network Share Access Failures from a Compromised Host
  • Malicious Service Installed
  • Network Share Accessed from a Compromised Host
  • Network Share Added to a Compromised Host
  • Powershell Process Observed On A Compromised Host
  • PsExec Process Observed on a Compromised Host
  • Ryuk Ransomware Files Detected
  • Scheduled Task Created on Multiple Hosts
  • Scheduled Task Created on a Compromised Host
  • Service Installed on a Compromised Host
  • Multiple Successful Login from Different Country by Single User
  • SSH from the Internet
  • Azure Automation Runbook Deleted
  • Azure Automation Webhook Created
  • Azure Event Hub Authorization Rule Created or Updated
  • All SMB Communications Detected
  • Count Of Connections Established By Source Country
  • DNS Allowed And Denied Requests Trend
  • Data Egress From Sources
  • Data Ingress to Destinations
  • Encryption Method Used For RDP Connections
  • Exfiltration Of Compressed Files
  • Files Accessed By Sources
  • Inbound Traffic By Countries
  • MySQL Commands Summary
  • MySQL Show Databases Attempt
  • Outbound Traffic To Countries
  • Protocols Used for Connections
  • SSL Activity By Country
  • TLS protocol version
  • Top 10 Expired Certificates
  • Top Connections over Port
  • Top DNS Responses
  • Top Recipient
  • Top Senders
  • Total Inbound Traffic
  • Total Outbound Traffic
  • Traffic Trend Over Last Week
  • Usage of Well Known Ports
  • Configuration Activity Timeline
  • FIREWALL Modifications
  • Top Configuration Changes
  • Top Configuration Signals Over Last Week
  • Top Users Deleting The Policy
  • Top Users Erasing Configuration
  • Top Users Changing License
  • Top Users Granting Privileged Access
  • Office Authentication By Source Country

Dashboards

  • Firewall Monitoring
  • Threat Alerts Monitoring

What's Deprecated?

Workbooks

  • Connection to External Network via Telnet
  • Connection to Internal Network via Telnet

Release Date   Version
17/12/2021     v9.1.1

What's New?

Workbooks

  • File Accessed or Downloaded From Regions with Restricted Access
  • File Uploaded With Public Access
  • Email Attachment with Executable Hidden in Double File Extensions
  • Email Attachment with Executable
  • Mailbox Permission Added and Deleted in a Short Period of Time
  • Potential Leakage of Data via Email Redirection to Non Business Email Service providers
  • Excessive Nslookup Usage
  • RDP Hijacking Tool Detected
  • Excessive Denied SMB Traffic From a Compromised Host
  • Large Outbound Transfer High Rate of Transfer
  • Large Outbound Transfer Slow Rate of Transfer
  • SMB Traffic Permitted From a Compromised Host
  • Local Host Sending Malware
  • Retrieve Compromised Host
  • Same Threat Detected on Same Host
  • Excessive Network Share Access Failures from a Compromised Host
  • Lsass Process Connected to a Pipe
  • Malicious Service Installed
  • Network Share Accessed from a Compromised Host
  • Network Share Added to a Compromised Host
  • Powershell Process Observed On A Compromised Host
  • Programming Environment Started with a Privileged Account
  • PsExec Process Observed on a Compromised Host
  • Ransomware Decryption Instructions Created
  • Remote Management Service Connected to lsass Pipe
  • Scheduled Task Created on Multiple Hosts
  • Scheduled Task Created on a Compromised Host
  • Service Installed on a Compromised Host
  • Suspicious Access to lsass Process
  • Database Remote Login Success
  • Multiple Successful Login from Different Country by Single User
  • Successful Login From a Compromised Host
  • Configuration Changes Made to Endpoint Devices
  • Multiple Failed API Requests From Same Source IP
  • All SMB Communications Detected
  • Count Of Connections Established By Source Country
  • DNS Allowed And Denied Requests Trend
  • Data Egress From Sources
  • Data Ingress to Destinations
  • Encryption Method Used For RDP Connections
  • Exfiltration Of Compressed Files
  • Files Accessed By Sources
  • Inbound Traffic By Countries
  • MySQL Commands Summary
  • MySQL Show Databases Attempt
  • Outbound Traffic To Countries
  • Outlier Detected On Data Transfer
  • Protocols Used for Connections
  • TLS protocol version
  • Top 10 Expired Certificates
  • Top Connections over Port
  • Top DNS Responses
  • Top DNS Queries
  • Top Recipient
  • Top Senders
  • Total Inbound Traffic
  • Total Outbound Traffic
  • Traffic Trend Over Last Week
  • Usage of Well Known Ports
  • Backup Failed Operation By Users
  • Configuration Activity Timeline
  • FIREWALL Modifications
  • Top Configuration Changes
  • Top Configuration Signals Over Last Week
  • Top Users Deleting The Policy
  • Top Users Erasing Configuration
  • Top Users Changing License
  • Top Users Granting Privileged Access

Dashboards

  • Configuration Monitoring

Reports

  • NTA Weekly Report

What's Changed?

Workbooks

  • Suspicious wevtutil Usage
  • Abnormal SSH Login Attempts for a User
  • Concurrent Logins from multiple Sources
  • Changes to internet facing AWS RDS Database instances

Dashboards

  • IAM Monitoring
