Contents x
Content
  • 4 Minutes to read
  • Contributors
  • Print
  • Dark
    Light
  • PDF
Contents

Content

  • 4 Minutes to read
  • Contributors
  • Print
  • Dark
    Light
  • PDF
Release Date Version
04/05/2022 v9.2.0

What's New?

Workbooks

  • Audio Capture Detected
  • Bypass UAC Via CMSTP Detected
  • Curl Start Combination Detected
  • Hidden Files And Directories - VSS Detected
  • Hooking Activities Detected
  • New Driver File Creation Detected
  • Proxied Execution Via Signed Scripts
  • Scheduled Task Creation via Microsoft Office Application
  • Suspicious Bitsadmin Job Via BitsAdmin Exe
  • Suspicious Bitsadmin Job Via PowerShell
  • Install Root Certificate
  • Login Failure From Expired Account
  • Multiple Login Failure From A Disabled Account
  • SSH Destinations
  • SSH Sources
  • Threat Detected on Host - File
  • Threat Detected on Host - URL
  • Bandwidth Usage by Users
  • Phishing URL Accessed
  • Threat Detected On Webfilter
  • Top Configuration Changes By User
  • Top Domains
  • Top URL Accessed
  • Top URL Blocked
  • Top Users Accessing Blocked URLs
  • Top Users
  • Top Webfilter Signals
  • URL Destination To Country
  • URL Source By Country
  • Webfilter Activity Timeline
  • Webfilter Events

Dashboards

  • WebFilter Monitoring

What's Changed?

Workbooks

  • File Accessed or Downloaded From Regions with Restricted Access
  • Email Attachment with Executable
  • Attempt to Disable Syslog Service
  • Base16 or Base32 Encoding or Decoding Activity
  • Base64 Encoding-Decoding Activity
  • Creation of Hidden Files and Directories
  • Hex Encoding-Decoding Activity
  • Netcat Network Activity
  • Nmap Process Activity
  • Persistence via Kernel Module Modification
  • Unusual Process Execution - Temp
  • Retrieve Compromised Host
  • Batch File Write to System32
  • Excessive Network Share Access Failures from a Compromised Host
  • Malicious Service Installed
  • Network Share Accessed from a Compromised Host
  • Network Share Added to a Compromised Host
  • Powershell Process Observed On A Compromised Host
  • PsExec Process Observed on a Compromised Host
  • Ryuk Ransomware Files Detected
  • Scheduled Task Created on Multiple Hosts
  • Scheduled Task Created on a Compromised Host
  • Service Installed on a Compromised Host
  • Multiple Successful Login from Different Country by Single User
  • SSH from the Internet
  • Azure Automation Runbook Deleted
  • Azure Automation Webhook Created
  • Azure Event Hub Authorization Rule Created or Updated
  • All SMB Communications Detected
  • Count Of Connections Established By Source Country
  • DNS Allowed And Denied Requests Trend
  • Data Egress From Sources
  • Data Ingress to Destinations
  • Encryption Method Used For RDP Connections
  • Exfiltration Of Compressed Files
  • Files Accessed By Sources
  • Inbound Traffic By Countries
  • MySQL Commands Summary
  • MySQL Show Databases Attempt
  • Outbound Traffic To Countries
  • Protocols Used for Connections
  • SSL Activity By Country
  • TLS protocol version
  • Top 10 Expired Certificates
  • Top Connections over Port
  • Top DNS Responses
  • Top Recipient
  • Top Senders
  • Total Inbound Traffic
  • Total Outbound Traffic
  • Traffic Trend Over Last Week
  • Usage of Well Known Ports
  • Configuration Activity Timeline
  • FIREWALL Modifications
  • Top Configuration Changes
  • Top Configuration Signals Over Last Week
  • Top Users Deleting The Policy
  • Top Users Erasing Configuration
  • Top Users Changing License
  • Top Users Granting Privileged Access
  • Office Authentication By Source Country

Dashboards

  • Firewall Monitoring
  • Threat Alerts Monitoring

What 's Deprecated?

Workbooks

  • Connection to External Network via Telnet
  • Connection to Internal Network via Telnet
Release Date Version
17/12/2021 v9.1.1

What's New?

Workbooks

  • File Accessed or Downloaded From Regions with Restricted Access
  • File Uploaded With Public Access
  • Email Attachment with Executable Hidden in Double File Extensions
  • Email Attachment with Executable
  • Mailbox Permission Added and Deleted in a Short Period of Time
  • Potential Leakage of Data via Email Redirection to Non Business Email Service providers
  • Excessive Nslookup Usage
  • RDP Hijacking Tool Detected
  • Excessive Denied SMB Traffic From a Compromised Host
  • Large Outbound Transfer High Rate of Transfer
  • Large Outbound Transfer Slow Rate of Transfer
  • SMB Traffic Permitted From a Compromised Host
  • Local Host Sending Malware
  • Retrieve Compromised Host
  • Same Threat Detected on Same Host
  • Excessive Network Share Access Failures from a Compromised Host
  • Lsass Process Connected to a Pipe
  • Malicious Service Installed
  • Network Share Accessed from a Compromised Host
  • Network Share Added to a Compromised Host
  • Powershell Process Observed On A Compromised Host
  • Programming Environment Started with a Privileged Account
  • PsExec Process Observed on a Compromised Host
  • Ransomware Decryption Instructions Created
  • Remote Management Service Connected to lsass Pipe
  • Scheduled Task Created on Multiple Hosts
  • Scheduled Task Created on a Compromised Host
  • Service Installed on a Compromised Host
  • Suspicious Access to lsass Process
  • Database Remote Login Success
  • Multiple Successful Login from Different Country by Single User
  • Successful Login From a Compromised Host
  • Configuration Changes Made to Endpoint Devices
  • Multiple Failed API Requests From Same Source IP
  • All SMB Communications Detected
  • Count Of Connections Established By Source Country
  • DNS Allowed And Denied Requests Trend
  • Data Egress From Sources
  • Data Ingress to Destinations
  • Encryption Method Used For RDP Connections
  • Exfiltration Of Compressed Files
  • Files Accessed By Sources
  • Inbound Traffic By Countries
  • MySQL Commands Summary
  • MySQL Show Databases Attempt
  • Outbound Traffic To Countries
  • Outlier Detected On Data Transfer
  • Protocols Used for Connections
  • TLS protocol version
  • Top 10 Expired Certificates
  • Top Connections over Port
  • Top DNS Responses
  • Top DNS Queries
  • Top Recipient
  • Top Senders
  • Total Inbound Traffic
  • Total Outbound Traffic
  • Traffic Trend Over Last Week
  • Usage of Well Known Ports
  • Backup Failed Operation By Users
  • Configuration Activity Timeline
  • FIREWALL Modifications
  • Top Configuration Changes
  • Top Configuration Signals Over Last Week
  • Top Users Deleting The Policy
  • Top Users Erasing Configuration
  • Top Users Changing License
  • Top Users Granting Privileged Access

Dashboards

Configuration Monitoring

Reports

  • NTA Weekly Report

What's Changed?

Workbooks

  • Suspicious wevtutil Usage
  • Abnormal SSH Login Attempts for a User
  • Concurrent Logins from multiple Sources
  • Changes to internet facing AWS RDS Database instances

Dashboard

  • IAM Monitoring
Was this article helpful?
What's Next

Cookie consent

By entering and using this site, you consent to the use of only necessary cookies to enhance your site experience and improve our services.