SNYPR 6.3.1
Release Notes
Date Published: 12/17/2020
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.
Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.
Copyright © 2020 Securonix. All rights reserved.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649
Table of Contents
Introduction 4
    New Installation 4
    Upgrade 4
    Compatibility Matrix 4
New Features 6
Fixes 11
What's New in Content 15
    New Connectors 15
    Community Sourced Connectors 18
    Improved Connectors 21
    Improved Content 21
Known Issues 24
Introduction

SNYPR 6.3.1 includes new features, improvements, and bug fixes.

New Installation
For a new installation, download the SNYPR 6.3.1 installer from https://downloads.securonix.com and complete the installation.

Upgrade
For an upgrade, apply the Service Pack on SNYPR 6.2 CU4 SP1, SP2, SP3, or SP4 using the packages posted on the Securonix downloads portal, https://downloads.securonix.com.
Once the upgrade is complete, you have to update the database query that is used for ingesting audit logs in SNYPR, and all subsequent configurations related to policies, the Data Insights dashboard, and reports, to support the enhanced auditing framework. For more information, refer to Auditing Framework in the What's New Guide.
Note: During the upgrade, add the innodb_large_prefix=1 property to the my.cnf file if you have MySQL version 5.6.x or older.
Compatibility Matrix

Prerequisites
Ensure you have the following software requirements:
- Oracle Java 1.8.0_162 (on all nodes, including YARN containers for Spark)
- MySQL 5.7.x
Supported Browser
Ensure you have any of the following browsers:
- Firefox 77 or later
- Chrome 83 or later
- Safari (latest version)

Operating System
The operating system required for each Hadoop distribution:

Hadoop Distribution | Operating System
CDH 5.16.x | CentOS 7.5 (core)
CDH 6.3.x | CentOS 7.5 (core)
Hortonworks 2.6.x | CentOS 7.7 (core)
Hortonworks 3.1.x | CentOS 7.7 (core)
New Features

This section provides a summary of the new features included in the SNYPR 6.3.1 release:
Analytics Sandbox
SNYPR 6.3.1 provides an isolated analytics sandbox that allows organizations to build, test, and validate use cases before publishing them to production. This allows the SOC team to work on high-priority events rather than investigating false positive alerts.
See Analytics Sandbox in the What's New Guide for details.

Duplicate Policy
SNYPR 6.3.1 provides an option to create a new policy by copying an existing policy and editing the details as required. This allows the content team to save time by using an existing policy to create a similar policy.
See Duplicate Policy in the What's New Guide.

Enhanced Auditing Framework
SNYPR 6.3.1 enhances the existing auditing framework by maintaining a historical record of user actions to provide proof of compliance and system integrity. The audit trail meets the stringent controls required by auditors for corporate governance and compliance with regulations such as the General Data Protection Regulation (GDPR).
After you upgrade to SNYPR 6.3.1, you have to update the database query that is used for ingesting audit logs in SNYPR, and all subsequent configurations related to policies, the Data Insights dashboard, and reports, to support the enhanced auditing framework.
See Auditing Framework in the What's New Guide for details.
Event Rarity Policy
SNYPR 6.3.1 introduces a new Event Rarity analytic to reduce the false positives generated when a rare behavior has occurred for the first time and the rare behavior is the new behavior.
See Event Rarity Behavior Based Policy in the What's New Guide for details.

Incident Management Enhancements
SNYPR 6.3.1 includes new features and enhancements in Incident Management to provide better visibility, collaboration, and case management for security analysts.
See Incident Management Enhancements in the What's New Guide for details.

MITRE ATT&CK Aligned Threat Content
SNYPR 6.3.1 introduces content, use cases, and threat models that are created based on the MITRE ATT&CK framework. SNYPR inherits these tactics and techniques to provide behavioral models and threat chains that prioritize the risks.
See MITRE ATT&CK in the What's New Guide for details.

Multi-Tenancy for Service Providers
SNYPR 6.3.1 supports a multi-tenant architecture that provides usability and cost effectiveness by implementing centralized monitoring, tracking, and threat hunting for multiple customers using a single SNYPR application.
See Multi-Tenancy for Service Providers in the What's New Guide for details.
Notification Enhancements
SNYPR 6.3.1 includes new filters that allow analysts to filter notifications by module, type, and time period. This allows security analysts to save time by quickly locating specific notifications.
See Notification Enhancements in the What's New Guide for details.

Securonix SOAR
SNYPR 6.3.1 provides the Securonix SOAR solution to automate process workflows and playbooks. This eliminates repetitive manual tasks for security analysts.
See Securonix SOAR in the What's New Guide for details.

Spotter Queries/Reports Enhancements
SNYPR 6.3.1 includes multiple ways for analysts to share queries, reports, and dashboards. Analysts and threat hunters can use these features to:
- Import/export saved queries and dashboards.
- Save a Spotter query as a widget on the Data Insights dashboard.
See Spotter and Reports in the What's New Guide for details.
Spotter's Threat Hunting Features
SNYPR 6.3.1 provides new features to make threat hunting more robust. These features enable security analysts and threat hunters to:
- Locate hot spots for threat hunting by viewing a visual representation of origin and destination on a map.
- Quickly highlight multiple points of interest at one time by viewing data with the heat map. This increases analysts' efficiency in locating hot spots.
- Perform mathematical calculations using the Eval operator. Threat hunters can apply these ratios to identify suspicious activities within a system.
See Spotter in the What's New Guide for details.

Threat Model Enhancements
SNYPR 6.3.1 includes the following new features for threat models:
- Watchlisting in Threat Models: Provides the ability to assign a watchlist to a threat model. This reduces the violations generated in SCC from the zero-risk policy that was used only for creating a watchlist for the threat model.
- Advanced Threat Detection: Includes the ability to detect attacks when violation entities differ across datasources in the threat model.
See Threat Model Enhancements in the What's New Guide for details.
Threshold Checks for Behavior Based Policies
SNYPR 6.3.1 introduces two threshold checks for behavior-based policies: one to set a manual baseline when the calculated baseline has not yet been formed, and one to reduce false positives by setting a minimum value for an outlier.
See Threshold for Behavior-Based Use Cases in the What's New Guide for details.

Whitelisting Attribute Values
SNYPR 6.3.1 supports whitelisting of attributes. Security analysts can whitelist any attribute during the triage process. This makes the triage process more efficient by taking feedback from one analyst and making it available to all analysts. Additionally, it reduces the number of false positives so that analysts can focus on high-threat entities.
See Whitelisting Attribute Values in the What's New Guide for details.
Fixes

This section lists the fixes that are included in this release:

Key | Component | Summary
62012 | Activity Import | Fixed an issue where incorrect values were captured in the device direction attribute.
73147 | Asset Management/Metadata | Fixed asset enrichment to enrich multiple attributes.
215040 | Asset Management/Metadata | Fixed asset enrichment to enrich multiple fields.
210135 | Authentication/SSO | Fixed an issue where users were unable to authenticate SMTP.
214682 | Authentication/SSO | Fixed an issue where the application had to be restarted before the Kerberos ticket was updated.
- | Authorization/RBAC | Fixed SNYPR to assign tenants for a user with a non-admin role and an administrator group.
213175 | Case/Incident Management | Fixed an issue where users were unable to close open cases if the violator was added to a Whitelist before closing.
214289 | Case/Incident Management | Fixed the Submit button in Incident Management.
212062 | Case/Incident Management | Fixed an issue where users could not search for some incidents.
211579 | Case/Incident Management | Fixed an issue where incidents were not being generated through the Demisto integration.
79395 | Case/Incident Management | Fixed Incident Management to ensure incidents assigned to a team member are visible to all members of the group. Other members can view and add comments.
60634 | Case/Incident Management | Fixed the commenting feature to record comments correctly.
60553 | Case/Incident Management | Fixed the drop-down in workflow.
214671 | Connectors | Fixed an issue in which events appeared in Splunk but did not appear in Spotter.
214406 | Connectors | Fixed the Box connector to ensure data is not duplicated.
60028 | Data Import | Fixed the delete functionality for Activity Import.
214837 | Email Templates | Fixed an issue in which violations generated duplicate email notifications with the same content.
214453 | Email Templates | Fixed the email templates to show human-readable time instead of epoch time.
62948 | Reports | Fixed the Top Violator Reports to display the header correctly.
214208 | Report | Fixed the CSV formatting for the detailed Incident Management report.
214546 | Report | Fixed an issue where Spotter-based reports generated a blank output.
213946 | Report | Fixed Categorized Reports to allow users to download and save the report.
58745 | Report | Fixed an issue where notifications were cleared for all analysts if one analyst cleared their notifications.
214819 | REST API | Fixed the Incident Management API to download all incidents.
INC 230017 | RIN | The Remote Ingester actions and download RIN logs work as expected when the proxy is configured to communicate with the SNYPR console.
214048 | SCC | Fixed an issue to display the correct account name in the Violation Summary screen.
60261 | SCC | Fixed the Top Violators widget to display correct records when the widget size is modified.
61274 | SCC | Fixed Top Violator to aggregate all violations for an entity.
62848 | Spark Jobs | Fixed the Indexer job; events are now indexed to SOLR.
62953 | Spotter | Fixed Spotter so that only users with the privacy master role can view the masked data while searching archived data.
65100 | Spotter | Fixed Spotter to clear the paused queries.
62501 | Spotter | Fixed Spotter to display correct data when the order of attributes in the search query is reversed.
72173 | Spotter | Fixed the resource name inconsistency for violation entries.
214686, 72218, 214554 | Spotter Queries/Operators | Fixed the Spotter query index = users.
215853 | Spotter Queries/Operators | Fixed the issue where users were unable to query data from HDFS due to case sensitivity.
213109 | Spotter Queries/Operators | Fixed an issue where the ellipsis was not showing raw event data from HDFS.
213564 | User Experience | Fixed the drop-down filter in the Summary section of Spotter to allow users to select all items in the drop-down.
213929 | User Experience | Fixed the Spotter UI to allow users to download Spotter reports.
209300 | User Experience | Fixed an issue on the SCC where the Viewers icon was listing inaccurate viewers.
214025 | User Import | Fixed the LDAP User Import to accept special characters.
What's New in Content

SNYPR 6.3.1 content includes new and improved connectors, and improved content.

New Connectors
The following connectors are included in this release:
Vendor | Functionality | Device Type | Collection Method
Akamai Technologies | Content Delivery Network | Akamai Data Stream | Collection Method: API
Amazon Inc. | Authentication / VPN | Redshift AWS | Collection Method: File Import/Syslog; Format: Delimited-pipe
Amazon Inc. | Database Audit | AWS Redshift Server Events | Collection Method: File Import/Syslog; Format: Regex
Amazon Inc. | Unix / Linux / AIX | AWS Jump Server | Collection Method: File; Format: Regex
Amazon Inc. | Cloud Services / Application | CloudWatch | Collection Method: API
Amazon Inc. | Cloud Services / Application | AWS S3 | Collection Method: API
Aruba Networks | Network Access Control / NAC | Aruba ClearPass | Collection Method: Syslog; Format: Key-Value Pair
BindDNS | DNS / DHCP | DNSBind | Collection Method: File; Format: Regex
Carbon Black | Endpoint Management Systems | CarbonBlack Protect | Collection Method: Syslog; Format: CEF
DUO Security | Cloud Authentication / SSO / Single Sign-On | Duo Security Authentication | Collection Method: API; Format: JSON
DUO Security | Cloud Application Audit | Duo Security Telephony | Collection Method: API; Format: JSON
DUO Security | Cloud Application Audit | Duo Security Administrator | Collection Method: API; Format: JSON
IBM | Database Audit | IBM Guardium | Collection Method: File; Format: Regex
Juniper Networks | Firewall / NGFW / WAF | Juniper Firewall | Collection Method: Syslog; Format: Regex
ManageEngine | Access / Privileged User | PasswordManager | Collection Method: File; Format: Regex
McAfee | Cloud Application Security Broker | SkyHigh | Collection Method: File; Format: Regex
Mimecast | Email / Email Security | Mimecast API Email | Collection Method: API; Format: JSON
OneLogin | Identity & Access Management | OneLogin | Collection Method: One Login; Format: JSON
Proofpoint Inc. | Email / Email Security | Proofpoint Email API | Collection Method: API; Format: JSON
SAP | Application / Enterprise / SaaS | SAP_GDWH | Collection Method: Syslog; Format: Regex
Squid | Web Proxy | Squid Proxy | Collection Method: Syslog; Format: Regex
Symantec | Antivirus / Malware / EDR | Symantec Endpoint Protection | Collection Method: Syslog; Format: CEF
Symantec / Blue Coat Systems | Data Loss Prevention / Endpoint DLP | Symantec DLP | Collection Method: Syslog; Format: Regex
Community Sourced Connectors
This release includes community-sourced connectors that are pending Securonix Quality Assurance (QA) validation. In future releases, these connectors will be validated by the Securonix QA team and will include improved analytics.
The following community-sourced connectors are included in this release:

Vendor | Functionality | Device Type | Collection Method
Amazon Inc. | AWS Kubernetes | AWS EKS Controller Manager | Collection Method: AWS CloudWatch API; Format: Regex
Amazon Inc. | AWS Kubernetes | AWS EKS Audit | Collection Method: AWS CloudWatch API; Format: JSON
Amazon Inc. | AWS Kubernetes | AWS EKS Authenticator | Collection Method: AWS CloudWatch API; Format: Key Value Pair
Amazon Inc. | Firewall | AWS VPC Flow | Collection Method: AWS CloudWatch API; Format: Delimited-space
Amazon Inc. | IDS / IPS / UTM / Threat Detection | AWS GuardDuty | Collection Method: API; Format: JSON
Amazon Inc. | Unix / Linux / AIX | AWS Linux | Collection Method: AWS CloudWatch API; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco Umbrella | Collection Method: API; Format: JSON
Gigya | Cloud Application Audit | Gigya | Collection Method: API; Format: JSON
Google | Cloud Services / Applications | GCP GKE | Collection Method: Cloud Pub/Sub API; Format: JSON
Google | Cloud Services / Applications | Google GCE | Collection Method: Cloud Pub/Sub API; Format: JSON
Google | IDS / IPS / UTM / Threat Detection | Alert Center | Collection Method: API; Format: JSON
Microsoft Corporation | Antivirus / Malware / EDR | Microsoft Defender ATP | Collection Method: API; Format: JSON
Microsoft Corporation | Application Audit Key Value Pair | Application Audit | Collection Method: Azure Monitor API; Format: Key-Value Pair
Microsoft Corporation | Cloud Application Audit | Azure Active Directory | Collection Method: Azure Report API; Format: Key Value Pair
Microsoft Corporation | Identity Access Management | Azure Identity Protection | Collection Method: Graph Security API; Format: JSON
Microsoft Corporation | Microsoft Windows | Windows Security Auditing | Collection Method: Azure Log Analytics API; Format: Delimited-pipe
Microsoft Corporation | Microsoft Windows | Windows AppLocker | Collection Method: Azure Log Analytics API; Format: Delimited-pipe
Salesforce | Cloud Authentication / SSO / Single Sign-On | Salesforce EventLog API | Collection Method: API; Format: Key-Value Pair
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | UNIX | Collection Method: Azure Log Analytics API; Format: Delimited-pipe
Zoom | Business Collaboration Platforms | Zoom API | Collection Method: API; Format: JSON
Improved Connectors
The following connectors are improved in this release:

Vendor | Functionality | Device Type | Collection Method
Akamai Technologies | Content Delivery Network | Akamai Data Stream | Collection Method: API
Amazon Inc. | Authentication / VPN | Redshift AWS | Collection Method: File Import/Syslog; Format: Delimited-pipe
Microsoft Corporation | Active Directory | Office 365 Azure | Collection Method: API; Format: Key-Value Pair
Improved Content
The following content was improved in this release:

Vendor/Functionality | Content Type | Summary
Vendor: Unix | Connector | Added line filters in Unix.
Vendor: Symantec SEP | Connector | Added line filters.
Vendor: Cisco FTD | Connector | Added 10 line filters.
Vendor: Windows Snare parser | Connector | Added a new header Regex and mapped a field using existing attributes.
Vendor: Palo Alto | Connector | Updated mapping.
Vendor: Infoblox | Connector | Added a line filter.
Vendor: DiamondIP | Connector | Added 13 line filters and updated 2 existing line filters.
Vendor: Antivirus/Malware/EDR | Connector | Added one line filter and updated one line filter.
Vendor: Fortigate | Connector | Added Simple Map.
Vendor: Juniper Pulse Secure VPN | Connector | Added 29 line filters.
Vendor: Google Drive | Connector | Updated two categorization/action filters, including File_Administration_Success and User_Administration_Success.
Functionality: Cloud Content Management System | Policy | Updated the Rare Operation performed by an User policy.
Functionality: Cloud Content Management System | Policy | Updated the Recovering Files along with Data Egress policy.
Functionality: Cloud Content Management System | Policy | Updated the Abnormal Number of Transactions performed by an User to Change visibility of Documents policy.
Functionality: Cloud Content Management System | Policy | Updated the Account Activity detected from Rare Geolocation policy.
Known Issues

This section lists the known issues that exist in SNYPR 6.3.1:

Key | Component | Summary
82622 | Analytics | An incorrect risk score is calculated for phishing-based policies.
181691 | Behavior and Activity Outlier | The behavior-based policies display outlier and violation events in different time zones.
82734 | Ingestion - Entity Metadata | The Job Monitor screen does not display the number of records ingested during entity metadata import using a database.
77162 | Ingestion - Lookup Data | When the size of the lookup import file is more than 5 MB, the system takes a long time to preview the data in the file.
121987 | Ingestion - Activity Import | If the tenant name is more than 40 characters and you preview the activity data, the system generates a null pointer exception.
118497 | Multi-Tenant | In a multi-tenant deployment, the first two characters of the tenant name are used as the short code when the user has not specified a short code while creating the tenant. In this scenario, the short code may not be unique.
120878 | Multi-Tenant - Settings | If the Customer ID field is greater than 100 and has special characters, an exception occurs.
- | Multi-Tenant - Threat Modeller | SNYPR does not have any option to assign a tenant while importing threat models.
87385 | Policy Engine | The custom-analyzer Spark job fails while reading data from archive storage (HDFS).
83869 | Policy Engine | Scheduling does not work for Spotter-based policies.
83601 | Role Based Access Control | The Kill Chain Analysis widget does not display all violations when the Show only Correlated Data flag is enabled in Granular Access Control.
193880 | Security Command Center | When an analyst with administrator rights enables the flag to restrict access to a group, admin users cannot view the group.
115857 | Security Command Center | The Action History button is not displayed for a policy that has auto incident enabled.
84996 | Security Command Center | The watchlist widget displays the incorrect policy name for an entity when that entity is watchlisted in two different policies.
92571 | Security Command Center | The Top Violator widget in SCC does not display the correct risk score.
83057 | Security Command Center/Threat Management | When you perform any action from the Other Policy tab of SCC, the screen displays the message, "Action taken in progress and may take some time." When the waiting period is complete, you can perform the action again.
72072 | Security Command Center/Watchlist | The correlated accounts are not included in the watchlist widget and are saved as uncorrelated accounts in View > Watchlist.
78933 | SOAR | When SOAR is enabled in SNYPR and you are creating a threat indicator for a new policy, the Create New Threat Indicator screen displays the list of child playbooks. Additionally, the screen displays "undefined" minutes in place of 15 minutes when you enable auto playbook.
225499 | Spotter Query/Operator | The Eval from_unixtime function displays an incorrect date and time.
192298 | Spotter Query/Operator | The Show Raw Events option in Spotter displays zero, even when the raw events are retrieved by the query.
131741 | Spotter Query/Operator | A query with a wildcard does not work except for the activity and violation index.
118508 | Spotter Query/Operator | When you run a query with the Where operator to specify a range, the returned records are outside the specified range.
116053 | Spotter Query/Operator | The Delete operator does not work for archived queries.
115691 | Spotter Query/Operator | The Data Insight report displays incorrect data when you select a filter for any widget and then generate the report.
89978 | Spotter Query/Operator | SNYPR does not send an email when you export a CSV report with more than 70 thousand records in Spotter.
80879 | Spotter Query/Operator | When you run a query with Stats Distinct and Filter together, the query does not display the result. However, it displays the number of matched records in SNYPR. For example:
    index=violation | FILTER index = riskscore and employeeid = employeeid and doctype = entity_threatmodel | STATS DISTINCT(accountname) department
57238 | Spotter Query/Operator | The Producer - Consumer Ratio (PCR) operator is not working.
NA | Spotter Query/Operator | For Cloud Customers: When performing aggregation on a large number of fields, the allowedFacetFields operator is configured with a maximum (default) value of 6 facets to be used in a query for optimal performance. For On-Premises Customers: When performing aggregation on a large number of fields, the allowedFacetFields operator is configured with a maximum (default) value of 6 facets to be used in a query for optimal performance. This can be adjusted to a maximum value of 12 with the appropriate infrastructure/configuration settings. Note: Contact Securonix Support if you want to change the memory to maintain application stability and avoid interruptions in service. The recommendation is not to exceed 8.
195815 | Views - Peer | The Views > Peer screen does not display records when a filter is applied.
131809 | Whitelist | The search feature takes longer than expected to display the attributes matching the specified filter criteria when adding them to a whitelist.