Content

What's New?

Workbooks

• Audio Capture Detected
• Bypass UAC Via CMSTP Detected
• Curl Start Combination Detected
• Hidden Files And Directories - VSS Detected
• Hooking Activities Detected
• New Driver File Creation Detected
• Proxied Execution Via Signed Scripts
• Scheduled Task Creation via Microsoft Office Application
• Suspicious Bitsadmin Job Via BitsAdmin Exe
• Suspicious Bitsadmin Job Via PowerShell
• Install Root Certificate
• Login Failure From Expired Account
• Multiple Login Failure From A Disabled Account
• SSH Destinations
• SSH Sources
• Threat Detected on Host - File
• Threat Detected on Host - URL
• Bandwidth Usage by Users
• Phishing URL Accessed
• Threat Detected On Webfilter
• Top Configuration Changes By User
• Top Domains
• Top URL Accessed
• Top URL Blocked
• Top Users Accessing Blocked URLs
• Top Users
• Top Webfilter Signals
• URL Destination To Country
• URL Source By Country
• Webfilter Activity Timeline
• Webfilter Events

Dashboards

• WebFilter Monitoring

What's Changed?

Workbooks

• File Accessed or Downloaded From Regions with Restricted Access
• Email Attachment with Executable
• Attempt to Disable Syslog Service
• Base16 or Base32 Encoding or Decoding Activity
• Base64 Encoding-Decoding Activity
• Creation of Hidden Files and Directories
• Hex Encoding-Decoding Activity
• Netcat Network Activity
• Nmap Process Activity
• Persistence via Kernel Module Modification
• Unusual Process Execution - Temp
• Retrieve Compromised Host
• Batch File Write to System32
• Excessive Network Share Access Failures from a Compromised Host
• Malicious Service Installed
• Network Share Accessed from a Compromised Host
• Network Share Added to a Compromised Host
• Powershell Process Observed On A Compromised Host
• PsExec Process Observed on a Compromised Host
• Ryuk Ransomware Files Detected
• Scheduled Task Created on Multiple Hosts
• Scheduled Task Created on a Compromised Host
• Service Installed on a Compromised Host
• Multiple Successful Login from Different Country by Single User
• SSH from the Internet
• Azure Automation Runbook Deleted
• Azure Automation Webhook Created
• Azure Event Hub Authorization Rule Created or Updated
• All SMB Communications Detected
• Count Of Connections Established By Source Country
• DNS Allowed And Denied Requests Trend
• Data Egress From Sources
• Data Ingress to Destinations
• Encryption Method Used For RDP Connections
• Exfiltration Of Compressed Files
• Files Accessed By Sources
• Inbound Traffic By Countries
• MySQL Commands Summary
• MySQL Show Databases Attempt
• Outbound Traffic To Countries
• Protocols Used for Connections
• SSL Activity By Country
• TLS protocol version
• Top 10 Expired Certificates
• Top Connections over Port
• Top DNS Responses
• Top Recipient
• Top Senders
• Total Inbound Traffic
• Total Outbound Traffic
• Traffic Trend Over Last Week
• Usage of Well Known Ports
• Configuration Activity Timeline
• FIREWALL Modifications
• Top Configuration Changes
• Top Configuration Signals Over Last Week
• Top Users Deleting The Policy
• Top Users Erasing Configuration
• Top Users Changing License
• Top Users Granting Privileged Access
• Office Authentication By Source Country

Dashboards

• Firewall Monitoring
• Threat Alerts Monitoring

What 's Deprecated?

Workbooks

• Connection to External Network via Telnet
• Connection to Internal Network via Telnet

What's New?

Workbooks

• File Accessed or Downloaded From Regions with Restricted Access
• File Uploaded With Public Access
• Email Attachment with Executable Hidden in Double File Extensions
• Email Attachment with Executable
• Mailbox Permission Added and Deleted in a Short Period of Time
• Potential Leakage of Data via Email Redirection to Non Business Email Service providers
• Excessive Nslookup Usage
• RDP Hijacking Tool Detected
• Excessive Denied SMB Traffic From a Compromised Host
• Large Outbound Transfer High Rate of Transfer
• Large Outbound Transfer Slow Rate of Transfer
• SMB Traffic Permitted From a Compromised Host
• Local Host Sending Malware
• Retrieve Compromised Host
• Same Threat Detected on Same Host
• Excessive Network Share Access Failures from a Compromised Host
• Lsass Process Connected to a Pipe
• Malicious Service Installed
• Network Share Accessed from a Compromised Host
• Network Share Added to a Compromised Host
• Powershell Process Observed On A Compromised Host
• Programming Environment Started with a Privileged Account
• PsExec Process Observed on a Compromised Host
• Ransomware Decryption Instructions Created
• Remote Management Service Connected to lsass Pipe
• Scheduled Task Created on Multiple Hosts
• Scheduled Task Created on a Compromised Host
• Service Installed on a Compromised Host
• Suspicious Access to lsass Process
• Database Remote Login Success
• Multiple Successful Login from Different Country by Single User
• Successful Login From a Compromised Host
• Configuration Changes Made to Endpoint Devices
• Multiple Failed API Requests From Same Source IP
• All SMB Communications Detected
• Count Of Connections Established By Source Country
• DNS Allowed And Denied Requests Trend
• Data Egress From Sources
• Data Ingress to Destinations
• Encryption Method Used For RDP Connections
• Exfiltration Of Compressed Files
• Files Accessed By Sources
• Inbound Traffic By Countries
• MySQL Commands Summary
• MySQL Show Databases Attempt
• Outbound Traffic To Countries
• Outlier Detected On Data Transfer
• Protocols Used for Connections
• TLS protocol version
• Top 10 Expired Certificates
• Top Connections over Port
• Top DNS Responses
• Top DNS Queries
• Top Recipient
• Top Senders
• Total Inbound Traffic
• Total Outbound Traffic
• Traffic Trend Over Last Week
• Usage of Well Known Ports
• Backup Failed Operation By Users
• Configuration Activity Timeline
• FIREWALL Modifications
• Top Configuration Changes
• Top Configuration Signals Over Last Week
• Top Users Deleting The Policy
• Top Users Erasing Configuration
• Top Users Changing License
• Top Users Granting Privileged Access

Dashboards

Configuration Monitoring

Reports

• NTA Weekly Report

What's Changed?

Workbooks

• Suspicious wevtutil Usage
• Abnormal SSH Login Attempts for a User
• Concurrent Logins from multiple Sources
• Changes to internet facing AWS RDS Database instances

Dashboard

• IAM Monitoring