Release Date | Version |
---|---|
04/05/2022 | v9.2.0 |
What's New?
Workbooks
- Audio Capture Detected
- Bypass UAC Via CMSTP Detected
- Curl Start Combination Detected
- Hidden Files And Directories - VSS Detected
- Hooking Activities Detected
- New Driver File Creation Detected
- Proxied Execution Via Signed Scripts
- Scheduled Task Creation via Microsoft Office Application
- Suspicious Bitsadmin Job Via BitsAdmin Exe
- Suspicious Bitsadmin Job Via PowerShell
- Install Root Certificate
- Login Failure From Expired Account
- Multiple Login Failure From A Disabled Account
- SSH Destinations
- SSH Sources
- Threat Detected on Host - File
- Threat Detected on Host - URL
- Bandwidth Usage by Users
- Phishing URL Accessed
- Threat Detected On Webfilter
- Top Configuration Changes By User
- Top Domains
- Top URL Accessed
- Top URL Blocked
- Top Users Accessing Blocked URLs
- Top Users
- Top Webfilter Signals
- URL Destination To Country
- URL Source By Country
- Webfilter Activity Timeline
- Webfilter Events
Dashboards
- WebFilter Monitoring
What's Changed?
Workbooks
- File Accessed or Downloaded From Regions with Restricted Access
- Email Attachment with Executable
- Attempt to Disable Syslog Service
- Base16 or Base32 Encoding or Decoding Activity
- Base64 Encoding-Decoding Activity
- Creation of Hidden Files and Directories
- Hex Encoding-Decoding Activity
- Netcat Network Activity
- Nmap Process Activity
- Persistence via Kernel Module Modification
- Unusual Process Execution - Temp
- Retrieve Compromised Host
- Batch File Write to System32
- Excessive Network Share Access Failures from a Compromised Host
- Malicious Service Installed
- Network Share Accessed from a Compromised Host
- Network Share Added to a Compromised Host
- Powershell Process Observed On A Compromised Host
- PsExec Process Observed on a Compromised Host
- Ryuk Ransomware Files Detected
- Scheduled Task Created on Multiple Hosts
- Scheduled Task Created on a Compromised Host
- Service Installed on a Compromised Host
- Multiple Successful Login from Different Country by Single User
- SSH from the Internet
- Azure Automation Runbook Deleted
- Azure Automation Webhook Created
- Azure Event Hub Authorization Rule Created or Updated
- All SMB Communications Detected
- Count Of Connections Established By Source Country
- DNS Allowed And Denied Requests Trend
- Data Egress From Sources
- Data Ingress to Destinations
- Encryption Method Used For RDP Connections
- Exfiltration Of Compressed Files
- Files Accessed By Sources
- Inbound Traffic By Countries
- MySQL Commands Summary
- MySQL Show Databases Attempt
- Outbound Traffic To Countries
- Protocols Used for Connections
- SSL Activity By Country
- TLS protocol version
- Top 10 Expired Certificates
- Top Connections over Port
- Top DNS Responses
- Top Recipient
- Top Senders
- Total Inbound Traffic
- Total Outbound Traffic
- Traffic Trend Over Last Week
- Usage of Well Known Ports
- Configuration Activity Timeline
- FIREWALL Modifications
- Top Configuration Changes
- Top Configuration Signals Over Last Week
- Top Users Deleting The Policy
- Top Users Erasing Configuration
- Top Users Changing License
- Top Users Granting Privileged Access
- Office Authentication By Source Country
Dashboards
- Firewall Monitoring
- Threat Alerts Monitoring
What's Deprecated?
Workbooks
- Connection to External Network via Telnet
- Connection to Internal Network via Telnet
Release Date | Version |
---|---|
17/12/2021 | v9.1.1 |
What's New?
Workbooks
- File Accessed or Downloaded From Regions with Restricted Access
- File Uploaded With Public Access
- Email Attachment with Executable Hidden in Double File Extensions
- Email Attachment with Executable
- Mailbox Permission Added and Deleted in a Short Period of Time
- Potential Leakage of Data via Email Redirection to Non Business Email Service providers
- Excessive Nslookup Usage
- RDP Hijacking Tool Detected
- Excessive Denied SMB Traffic From a Compromised Host
- Large Outbound Transfer High Rate of Transfer
- Large Outbound Transfer Slow Rate of Transfer
- SMB Traffic Permitted From a Compromised Host
- Local Host Sending Malware
- Retrieve Compromised Host
- Same Threat Detected on Same Host
- Excessive Network Share Access Failures from a Compromised Host
- Lsass Process Connected to a Pipe
- Malicious Service Installed
- Network Share Accessed from a Compromised Host
- Network Share Added to a Compromised Host
- Powershell Process Observed On A Compromised Host
- Programming Environment Started with a Privileged Account
- PsExec Process Observed on a Compromised Host
- Ransomware Decryption Instructions Created
- Remote Management Service Connected to lsass Pipe
- Scheduled Task Created on Multiple Hosts
- Scheduled Task Created on a Compromised Host
- Service Installed on a Compromised Host
- Suspicious Access to lsass Process
- Database Remote Login Success
- Multiple Successful Login from Different Country by Single User
- Successful Login From a Compromised Host
- Configuration Changes Made to Endpoint Devices
- Multiple Failed API Requests From Same Source IP
- All SMB Communications Detected
- Count Of Connections Established By Source Country
- DNS Allowed And Denied Requests Trend
- Data Egress From Sources
- Data Ingress to Destinations
- Encryption Method Used For RDP Connections
- Exfiltration Of Compressed Files
- Files Accessed By Sources
- Inbound Traffic By Countries
- MySQL Commands Summary
- MySQL Show Databases Attempt
- Outbound Traffic To Countries
- Outlier Detected On Data Transfer
- Protocols Used for Connections
- TLS protocol version
- Top 10 Expired Certificates
- Top Connections over Port
- Top DNS Responses
- Top DNS Queries
- Top Recipient
- Top Senders
- Total Inbound Traffic
- Total Outbound Traffic
- Traffic Trend Over Last Week
- Usage of Well Known Ports
- Backup Failed Operation By Users
- Configuration Activity Timeline
- FIREWALL Modifications
- Top Configuration Changes
- Top Configuration Signals Over Last Week
- Top Users Deleting The Policy
- Top Users Erasing Configuration
- Top Users Changing License
- Top Users Granting Privileged Access
Dashboards
- Configuration Monitoring
Reports
- NTA Weekly Report
What's Changed?
Workbooks
- Suspicious wevtutil Usage
- Abnormal SSH Login Attempts for a User
- Concurrent Logins from multiple Sources
- Changes to internet facing AWS RDS Database instances
Dashboards
- IAM Monitoring