Planned System Upgrade - Breach Detection Service 4.1.2
Scheduled Maintenance Report for CyFlare
Completed
The scheduled maintenance has been completed.
Posted Oct 07, 2021 - 16:00 EDT
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted Oct 07, 2021 - 14:00 EDT
Scheduled
Dear Subscriber,
Tomorrow, Thursday, October 7th, at 2:00pm EST, CyFlare will be performing regular system maintenance and upgrading our Breach Detection Service, powered by Stellar Cyber XDR platform, to version 4.1.2. This update includes new features, improvements, enhancements, key fixes and known issues.

Release Highlights:

• Introduced a new XDR Kill Chain™ that replaces the Lockheed-Martin Cyber Killchain
• Added support for MITRE | ATT&CK® Framework under the XDR Kill Chain
• Replaced the home dashboard with the new XDR Kill Chain dashboard
• Introduced a new Incidents feature that automatically groups individual, related alerts into incidents, leveraging machine learning
• Added a new Alerts interface that simplifies the search and display of available alert types
• Improved Automated Threat Hunting custom security alerts to support the XDR Kill Chain
• Introduced connectors for integration with Box, Jumpcloud, Trend Micro Apex Central, Trend Micro Cloud One Workload Security, Trend Micro Vision One and Forescout
• Introduced several new log parsers and parser enhancements
• Allow users to change their default home page
• Allow users to set the Geolocation of an IP address manually in order to override the result from the built-in IP Geolocation database
• Alert descriptions are automatically enriched with context information to assist security analysts to triage alerts and incidents
• Introduced new integration with
• Introduced an API that returns detailed information on all sensors

Deprecated Features:
• Threat Hunting no longer supports the ability to combine a custom security event with built-in Alert Types. There are no behavior changes to existing configurations. However, we encourage users to migrate existing ATH configurations by creating custom security alerts in custom Alert Types. An automatic migration will take place in a future release in the next six months.

New Incidents Feature:
The Incidents feature replaces the legacy Case Management tool. Incidents provide the following benefits:

• Multiple security alerts can be grouped into an incident automatically by ML or manually by analysts
• Users can be assigned to incidents for investigation
• Incidents are automatically assigned a score based on the scores and status of their underlying alerts. Incident scores represent the overall risk of the incident
• A graphical view assists incident investigation by illustrating the causal and timeline relationships among associated alerts

XDR Kill Chain:
This release includes a new XDR Kill Chain that better represents the stages and significance of security alerts in an enterprise environment.

• XDR Kill Chain replaces the Lockheed-Martin Cyber Killchain
• Incorporates tactics and techniques and is compatible with the V8 MITRE | ATT&CK framework
• Extended MITRE | ATT&CK® tactics and techniques with a set of extended XDR Alert Type categories
• Introduced Alert Type tags to organize Alert Types so they can capture hot trends
• Introduced internal and external alerts to indicate lateral movement of alerts
• Added a new Home Dashboard that features the new XDR Kill Chain
• Added a new Alerts interface that simplifies the search and display of available alert types
• Improved ATH custom security alerts to support the XDR Kill Chain

Parser Enhancements:
• Introduced the following new parsers:
o Versa Network Firewall
o Ahnlab Policy Center
o SSR MetiEye
o SECUI MF2
o Graylog
o Untangle
• Added support for the following additional log formats:
o Winstech IPS
o Winstech DDX
o Linux syslog
• Renamed the top-level field host to log.syslog.hostname for all parsers. As an exception, if the host field does not come from the syslog header, it is renamed to hostname
• Improved the Fortinet FortiGate parser to recognize fields and values from devid, app, appcat, srccountry, and dstcountry
• Introduced new parsers for
o Aruba Switch syslogs
o Dell Switch syslogs
o VMware NSX-T Data Center syslogs
o Blue Coat ProxySG logs
o Corelight sensor logs
o OpenShift logs
o Cisco UCS logs
• Enhanced the CEF parser to support Trend Micro Apex Central and Apex One logs
• Improved the Ubiquiti UAP-ACPro parser to cover more log types
• Improved the Linux syslog parser to cover more log types
• Normalized the SonicWall sid log field to ids.signature_id and the msg field to ids.signature so that they can be stored in the Maltrace index
• Enhanced Sensor statistics collection to give better insight on contribution of different log source types to ingestion volume.

Connector Enhancements:
• Introduced a Forescout connector that allows Stellar Cyber to set Host Properties in Forescout. Users first need to install a Forescout plugin on their Forescout product from the following location in order to use the processor:
https://github.com/Forescout/eyeExtend-Connect/tree/master/Connect-training-demo/ActionAPI
• Introduced a Box connector that ingests account events into Stellar Cyber
• Introduced a JumpCloud connector that collects user profile data and directory events
• Introduced a Trend Micro Apex Central connector that retrieves endpoint and server assets into Stellar Cyber
• Introduced a Trend Micro Cloud One Workload Security connector that retrieves computer assets into Stellar Cyber
• Introduced a Trend Micro Vision One connector that ingests Alerts and Observed Attack Techniques into Stellar Cyber
• Admins can now configure the refresh frequency of different Azure AD data types to minimize latency
• Moved the Box connector from the SaaS category to PaaS category
• Introduced an Akamai connector that runs on the Data Processor and collects logs from a configured Akamai account.
• Introduced a Microsoft SQL Server connector that collects Klassify logs stored in the database. The connector can run on a network/security/modular data sensor of version 4.1.2 and later.

Usability Improvements:
• Allow users to change the default home page
• Allow users to select columns when generating a CSV report
• Log filters can be created directly from the Threat Hunting interface with prefilled fields from events in the Traffic, Windows Events, Syslog, and ML-IDS/Malware Sandbox Events indices
• The Automated Threat Hunting Playbooks table now reports Query Name as one of its default fields
• Added a “More Info” button to correlation alerts to display alert details
• Introduced new chart management capabilities under Investigate | Visualizer | Charts. Charts can be created or cloned and then included in a dashboard
• Replaced the filter icon in the Interflow Event Details display with separate buttons for Add an Alert Filter and Add a Log Filter
• Removed the Thumbs Up and Thumbs Down buttons in the Interflow Event Details display
• Added a G Suite dashboard to the Threat Hunting Library (Investigate | Threat Hunting | Threat Hunting Library) to provide visibility on G Suite Security Central alerts

Alert/Machine Learning Improvements:
• Alert descriptions are automatically enriched with context information to assist security analysts with triage of alerts and incidents
• There is a major improvement and upgrade of the Machine Learning framework to separate internal and external attacks. As a result, ML models that depend on historical data will retrain as part of the upgrade from 3.12 to 4.1.0, requiring as much as 14 days of raw data to complete. During this time, the DP may use more CPU/memory and occasionally seem busier than usual.
• Introduced a Mute feature in ATH that lets users specify a period of time during which Stellar Cyber will not create a new alert based on the same conditions. You can mute either a rule as a whole or individual actions associated with a playbook

Please note: We will not be upgrading agents at this time. During this upgrade, we may see that ingestion and UI are delayed for a period of 60 to 90 minutes. All sensors are configured to “buffer” log data in the event of a loss of connectivity.
• Absolutely no data will be lost during this process.
• Updates will be sent throughout the upgrade process.
Posted Oct 06, 2021 - 16:11 EDT
This scheduled maintenance affected: Breach Detection Service.