SNYPR 6.3.1 Release Notes

Date Published: 12/17/2020


Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2020 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649


Table of Contents

Introduction
  New Installation
  Upgrade
  Compatibility Matrix
New Features
Fixes
What's New in Content
  New Connectors
  Community Sourced Connectors
  Improved Connectors
  Improved Content
Known Issues

Introduction

SNYPR 6.3.1 includes new features, improvements, and bug fixes.

New Installation

For a new installation, download the SNYPR 6.3.1 installer from https://downloads.securonix.com and complete the installation.

Upgrade

For an upgrade, apply the Service Pack on SNYPR 6.2 CU4 SP1, SP2, SP3, or SP4 using the packages posted on the Securonix downloads portal, https://downloads.securonix.com.

Once the upgrade is complete, you must update the database query that is used for ingesting audit logs in SNYPR, and all subsequent configurations related to policies, the Data Insights dashboard, and reports, to support the enhanced auditing framework. For more information, refer to Auditing Framework in the What's New Guide.

Note: During the upgrade, add the innodb_large_prefix=1 property to the my.cnf file if you have MySQL version 5.6.x or older.

Compatibility Matrix

Prerequisites

Ensure you have the following software requirements:

- Oracle Java 1.8.0_162 (on all nodes, including YARN containers for Spark)
- MySQL 5.7.x


Supported Browser

Ensure you have one of the following browsers:

- Firefox 77 or later
- Chrome 83 or later
- Safari (latest version)

Operating System

The operating system required for each Hadoop distribution:

Hadoop Distribution | Operating System
CDH 5.16.x | CentOS 7.5 (core)
CDH 6.3.x | CentOS 7.5 (core)
Hortonworks 2.6.x | CentOS 7.7 (core)
Hortonworks 3.1.x | CentOS 7.7 (core)

New Features

This section provides a summary of the new features included in the SNYPR 6.3.1 release:

Analytics Sandbox

SNYPR 6.3.1 provides an isolated analytics sandbox that allows organizations to build, test, and validate use cases before publishing them to production. This allows the SOC team to work on high priority events rather than investigating false positive alerts.

See Analytics Sandbox in the What's New Guide for details.

Duplicate Policy

SNYPR 6.3.1 provides an option to create a new policy by copying an existing policy and editing the details as required. This allows the content team to save time by using an existing policy as the starting point for a similar policy.

See Duplicate Policy in the What's New Guide.

Enhanced Auditing Framework

SNYPR 6.3.1 enhances the existing auditing framework by maintaining a historical record of users' actions to provide proof of compliance and system integrity. The audit trail meets the stringent controls required by auditors for corporate governance and compliance with regulations such as the General Data Protection Regulation (GDPR).

After you upgrade to SNYPR 6.3.1, you have to update the database query that is used for ingesting audit logs in SNYPR, and all subsequent configurations related to policies, data insights dashboard, and reports to support the enhanced auditing framework.

See Auditing Framework in the What's New Guide for details.

Event Rarity Policy

SNYPR 6.3.1 introduces a new Event Rarity analytic to reduce the false positives generated when a rare behavior has occurred for the first time and the rare behavior is the new behavior.

See Event Rarity Behavior Based Policy in the What's New Guide for details.

Incident Management Enhancements

SNYPR 6.3.1 includes new features and enhancements in Incident Management to provide better visibility, collaboration, and case management for security analysts.

See Incident Management Enhancements in the What's New Guide for details.

MITRE ATT&CK Aligned Threat Content

SNYPR 6.3.1 introduces content, use cases, and threat models that are created based on the MITRE ATT&CK framework. SNYPR inherits these tactics and techniques to provide behavioral models and threat chains that prioritize the risks.

See MITRE ATT&CK in the What's New Guide for details.

Multi-Tenancy for Service Providers

SNYPR 6.3.1 supports a multi-tenant architecture that provides usability and cost effectiveness by implementing centralized monitoring, tracking, and threat hunting for multiple customers using a single SNYPR application.

See Multi-Tenancy for Service Providers in the What's New Guide for details.

Notification Enhancements

SNYPR 6.3.1 includes new filters for analysts to filter notifications by module, type, and time period. This allows security analysts to save time by quickly locating specific notifications.

See Notification Enhancements in the What's New Guide for details.

Securonix SOAR

SNYPR 6.3.1 provides the Securonix SOAR solution to automate process workflows and playbooks. This eliminates the repetitive manual tasks of security analysts.

See Securonix SOAR in the What's New Guide for details.

Spotter Queries/Reports Enhancements

SNYPR 6.3.1 includes multiple ways for analysts to share queries, reports, and dashboards. Analysts and threat hunters can use these features to:

- Import/export saved queries and dashboards.
- Save a Spotter query as a widget on the Data Insights dashboard.

See Spotter and Reports in the What's New Guide for details.

Spotter's Threat Hunting Features

SNYPR 6.3.1 provides new features to make threat hunting more robust. These features enable security analysts and threat hunters to:

- Locate hot spots for threat hunting by viewing a visual representation of origin and destination on a map.
- Quickly highlight multiple points of interest at one time by viewing data with the heat map. This increases analysts' efficiency in locating hot spots.
- Perform mathematical calculations using the Eval operator. Threat hunters can apply these ratios to identify suspicious activities within a system.

See Spotter in the What's New Guide for details.

Threat Model Enhancements

SNYPR 6.3.1 includes the following new features for threat models:

- Watchlisting in Threat Models: Provides the ability to assign a watchlist to a threat model. This reduces the violations generated in SCC from the zero-risk policy that was used only for creating a watchlist for the threat model.
- Advanced Threat Detection: Includes the ability to detect attacks when violation entities differ across data sources in the threat model.

See Threat Model Enhancements in the What's New Guide for details.

Threshold Checks for Behavior Based Policies

SNYPR 6.3.1 introduces two threshold checks for behavior based policies: set a manual baseline when the calculated baseline has not yet been formed, and reduce false positives by setting a minimum value for an outlier.

See Threshold for Behavior-Based Use Cases in the What's New Guide for details.

Whitelisting Attribute Values

SNYPR 6.3.1 supports whitelisting of attributes. Security analysts can whitelist any attribute during the triage process. This makes the triage process more efficient by taking feedback from one analyst and making it available to all analysts. Additionally, it reduces the number of false positives so that analysts can focus on high threat entities.

See Whitelisting Attribute Values in the What's New Guide for details.

Fixes

This section lists the fixes that are included in this release:

Key | Component | Summary
62012 | Activity Import | Fixed an issue where incorrect values were captured in the device direction attribute.
73147 | Asset Management/Metadata | Fixed asset enrichment to enrich multiple attributes.
215040 | Asset Management/Metadata | Fixed asset enrichment to enrich multiple fields.
210135 | Authentication/SSO | Fixed an issue where users were unable to authenticate SMTP.
214682 | Authentication/SSO | Fixed an issue where the application had to be restarted before the Kerberos ticket was updated.
- | Authorization/RBAC | Fixed SNYPR to assign tenants for a user with a non-admin role and an administrator group.
213175 | Case/Incident Management | Fixed an issue where users were unable to close open cases if the violator was added to a whitelist before closing.
214289 | Case/Incident Management | Fixed the Submit button in Incident Management.
212062 | Case/Incident Management | Fixed an issue where users could not search some incidents.
211579 | Case/Incident Management | Fixed an issue where incidents were not being generated through the Demisto integration.
79395 | Case/Incident Management | Fixed Incident Management to ensure incidents assigned to a team member are visible to all members of the group. Other members can view and add comments.
60634 | Case/Incident Management | Fixed the commenting feature to record comments correctly.
60553 | Case/Incident Management | Fixed the drop-down in the workflow.
214671 | Connectors | Fixed an issue in which events appeared in Splunk but did not appear in Spotter.
214406 | Connectors | Fixed the Box connector to ensure data is not duplicated.
60028 | Data Import | Fixed the delete functionality for Activity Import.
214837 | Email Templates | Fixed an issue in which violations generated duplicate email notifications with the same content.
214453 | Email Templates | Fixed the email templates to show human-readable time instead of epoch time.
62948 | Reports | Fixed the Top Violator Reports to display the header correctly.
214208 | Report | Fixed the CSV formatting for the detailed Incident Management report.
214546 | Report | Fixed an issue where Spotter-based reports generated a blank output.
213946 | Report | Fixed Categorized Reports to allow users to download and save the report.
58745 | Report | Fixed an issue where notifications were cleared for all analysts if one analyst cleared their notifications.
214819 | REST API | Fixed the Incident Management API to download all incidents.
INC 230017 | RIN | The Remote Ingester actions and download RIN logs work as expected when the proxy is configured to communicate with the SNYPR console.
214048 | SCC | Fixed an issue to display the correct account name in the Violation Summary screen.
60261 | SCC | Fixed the Top Violators widget to display the correct records when the widget size is modified.
61274 | SCC | Fixed Top Violator to aggregate all violations for an entity.
62848 | Spark Jobs | Fixed the Indexer job; events are now indexed to SOLR.
62953 | Spotter | Fixed Spotter so that only users with the privacy master role can view masked data while searching archived data.
65100 | Spotter | Fixed Spotter to clear paused queries.
62501 | Spotter | Fixed Spotter to display the correct data when the order of attributes in the search query is reversed.
72173 | Spotter | Fixed the resource name inconsistency for violation entries.
214686, 72218, 214554 | Spotter Queries/Operators | Fixed the Spotter query index = users.
215853 | Spotter Queries/Operators | Fixed an issue where users were unable to query data from HDFS due to case sensitivity.
213109 | Spotter Queries/Operators | Fixed an issue where the ellipsis was not showing raw event data from HDFS.
213564 | User Experience | Fixed the drop-down filter in the Summary section of Spotter to allow users to select all items in the drop-down.
213929 | User Experience | Fixed the Spotter UI to allow users to download Spotter reports.
209300 | User Experience | Fixed an issue on the SCC where the Viewers icon was listing inaccurate viewers.
214025 | User Import | Fixed the LDAP User Import to accept special characters.

What's New in Content

SNYPR 6.3.1 content includes new and improved connectors, and improved content.

New Connectors

The following connectors are included in this release:

Vendor | Functionality | Device Type | Collection Method
Akamai Technologies | Content Delivery Network | Akamai Data Stream | API
Amazon Inc. | Authentication / VPN | Redshift AWS | File Import/Syslog; Format: Delimited-pipe
Amazon Inc. | Database Audit | AWS Redshift Server Events | File Import/Syslog; Format: Regex
Amazon Inc. | Unix / Linux / AIX | AWS Jump Server | File; Format: Regex
Amazon Inc. | Cloud Services / Application | CloudWatch | API
Amazon Inc. | Cloud Services / Application | AWS S3 | API
Aruba Networks | Network Access Control / NAC | Aruba ClearPass | Syslog; Format: Key-Value Pair
BindDNS | DNS / DHCP | DNSBind | File; Format: Regex
Carbon Black | Endpoint Management Systems | CarbonBlack Protect | Syslog; Format: CEF
DUO Security | Cloud Authentication / SSO / Single Sign-On | Duo Security Authentication | API; Format: JSON
DUO Security | Cloud Application Audit | Duo Security Telephony | API; Format: JSON
DUO Security | Cloud Application Audit | Duo Security Administrator | API; Format: JSON
IBM | Database Audit | IBM Guardium | File; Format: Regex
Juniper Networks | Firewall / NGFW / WAF | Juniper Firewall | Syslog; Format: Regex
ManageEngine | Access / Privileged User | PasswordManager | File; Format: Regex
McAfee | Cloud Application Security Broker | SkyHigh | File; Format: Regex
Mimecast | Email / Email Security | Mimecast API Email | API; Format: JSON
OneLogin | Identity & Access Management | OneLogin | One Login; Format: JSON
Proofpoint Inc. | Email / Email Security | Proofpoint Email API | API; Format: JSON
SAP | Application / Enterprise / SaaS | SAP_GDWH | Syslog; Format: Regex
Squid | Web Proxy | Squid Proxy | Syslog; Format: Regex
Symantec | Antivirus / Malware / EDR | Symantec Endpoint Protection | Syslog; Format: CEF
Symantec / Blue Coat Systems | Data Loss Prevention / Endpoint DLP | Symantec DLP | Syslog; Format: Regex

Community Sourced Connectors

This release includes community sourced connectors that are pending Securonix Quality Assurance (QA) validation. In future releases, these connectors will be validated by the Securonix QA team and will include improved analytics.

The following community sourced connectors are included in this release:

Vendor | Functionality | Device Type | Collection Method
Amazon Inc. | AWS Kubernetes | AWS EKS Controller Manager | AWS CloudWatch API; Format: Regex
Amazon Inc. | AWS Kubernetes | AWS EKS Audit | AWS CloudWatch API; Format: JSON
Amazon Inc. | AWS Kubernetes | AWS EKS Authenticator | AWS CloudWatch API; Format: Key Value Pair
Amazon Inc. | Firewall | AWS VPC Flow | AWS CloudWatch API; Format: Delimited-space
Amazon Inc. | IDS / IPS / UTM / Threat Detection | AWS GuardDuty | API; Format: JSON
Amazon Inc. | Unix / Linux / AIX | AWS Linux | AWS CloudWatch API; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco Umbrella | API; Format: JSON
Gigya | Cloud Application Audit | Gigya | API; Format: JSON
Google | Cloud Services / Applications | GCP GKE | Cloud Pub/Sub API; Format: JSON
Google | Cloud Services / Applications | Google GCE | Cloud Pub/Sub API; Format: JSON
Google | IDS / IPS / UTM / Threat Detection | Alert Center | API; Format: JSON
Microsoft Corporation | Antivirus / Malware / EDR | Microsoft Defender ATP | API; Format: JSON
Microsoft Corporation | Application Audit | Key Value Pair Application Audit | Azure Monitor API; Format: Key-Value Pair
Microsoft Corporation | Cloud Application Audit | Azure Active Directory | Azure Report API; Format: Key Value Pair
Microsoft Corporation | Identity Access Management | Azure Identity Protection | Graph Security API; Format: JSON
Microsoft Corporation | Microsoft Windows | Windows Security Auditing | Azure Log Analytics API; Format: Delimited-pipe
Microsoft Corporation | Microsoft Windows | Windows AppLocker | Azure Log Analytics API; Format: Delimited-pipe
Salesforce | Cloud Authentication / SSO / Single Sign-On | Salesforce EventLog API | API; Format: Key-Value Pair
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | UNIX | Azure Log Analytics API; Format: Delimited-pipe
Zoom | Business Collaboration Platforms | Zoom API | API; Format: JSON

Improved Connectors

The following connectors are improved in this release:

Vendor | Functionality | Device Type | Collection Method
Akamai Technologies | Content Delivery Network | Akamai Data Stream | API
Amazon Inc. | Authentication / VPN | Redshift AWS | File Import/Syslog; Format: Delimited-pipe
Microsoft Corporation | Active Directory | Office 365 Azure | API; Format: Key-Value Pair

Improved Content

The following content was improved in this release:

Vendor/Functionality | Content Type | Summary
Vendor: Unix | Connector | Added line filters in Unix.
Vendor: Symantec SEP | Connector | Added line filters.
Vendor: Cisco FTD | Connector | Added 10 line filters.
Vendor: Windows Snare parser | Connector | Added a new header Regex and mapped a field using existing attributes.
Vendor: Palo Alto | Connector | Updated mapping.
Vendor: Infoblox | Connector | Added a line filter.
Vendor: DiamondIP | Connector | Added 13 line filters and updated 2 existing line filters.
Vendor: Antivirus/Malware/EDR | Connector | Added one line filter and updated one line filter.
Vendor: Fortigate | Connector | Added Simple Map.
Vendor: Juniper Pulse Secure VPN | Connector | Added 29 line filters.
Vendor: Google Drive | Connector | Updated two categorization/action filters, including File_Administration_Success and User_Administration_Success.
Functionality: Cloud Content Management System | Policy | Updated the Rare Operation performed by an User policy.
Functionality: Cloud Content Management System | Policy | Updated the Recovering Files along with Data Egress policy.
Functionality: Cloud Content Management System | Policy | Updated the Abnormal Number of Transactions performed by an User to Change visibility of Documents policy.
Functionality: Cloud Content Management System | Policy | Updated the Account Activity detected from Rare Geolocation policy.

Known Issues

This section lists the known issues that exist in SNYPR 6.3.1:

Key | Component | Summary
82622 | Analytics | An incorrect risk score is calculated for phishing based policies.
181691 | Behavior and Activity Outlier | The behavior based policies display outlier and violation events in different time zones.
82734 | Ingestion - Entity Metadata | The Job Monitor screen does not display the number of records ingested during entity metadata import using a database.
77162 | Ingestion - Lookup Data | When the size of the lookup import file is more than 5 MB, the system takes a long time to preview the data in the file.
121987 | Ingestion - Activity Import | If the tenant name is more than 40 characters and you preview the activity data, the system generates a null pointer exception.
118497 | Multi-Tenant | In a multi-tenant deployment, the first two characters of the tenant name are used as the short code when the user has not specified a short code while creating the tenant. In this scenario, the short code may not be unique.
120878 | Multi-Tenant - Settings | If the Customer ID field is greater than 100 and has special characters, an exception occurs.
- | Multi-Tenant - Threat Modeller | SNYPR does not have an option to assign a tenant while importing threat models.
87385 | Policy Engine | The custom-analyzer Spark job fails while reading data from archive storage (HDFS).
83869 | Policy Engine | Scheduling does not work for Spotter based policies.
83601 | Role Based Access Control | The Kill Chain Analysis widget does not display all violations when the Show only Correlated Data flag is enabled in Granular Access Control.
193880 | Security Command Center | When an analyst with administrator rights enables the flag to restrict access to a group, admin users cannot view the group.
115857 | Security Command Center | The Action History button is not displayed for a policy that has auto incident enabled.
84996 | Security Command Center | The watchlist widget displays the incorrect policy name for an entity when that entity is watchlisted in two different policies.
92571 | Security Command Center | The Top Violator widget in SCC does not display the correct risk score.
83057 | Security Command Center/Threat Management | When you perform any action from the Other Policy tab of SCC, the screen displays the message "Action taken in progress and may take some time." When the waiting period is complete, you can perform the action again.
72072 | Security Command Center/Watchlist | The correlated accounts are not included in the watchlist widget and are saved as uncorrelated accounts in View > Watchlist.
78933 | SOAR | When SOAR is enabled in SNYPR and you are creating a threat indicator for a new policy, the Create New Threat Indicator screen displays the list of child playbooks. Additionally, the screen displays "undefined" minutes in place of 15 minutes when you enable auto playbook.
225499 | Spotter Query/Operator | The Eval from_unixtime function displays an incorrect date and time.
192298 | Spotter Query/Operator | The Show Raw Events option in Spotter displays zero, even when raw events are retrieved by the query.
131741 | Spotter Query/Operator | A query with a wildcard does not work except for the activity and violation index.
118508 | Spotter Query/Operator | When you run a query with the Where operator to specify a range, the records are outside the specified range.
116053 | Spotter Query/Operator | The Delete operator is not working for archived queries.
115691 | Spotter Query/Operator | The Data Insight report displays incorrect data when you select a filter for any widget and then generate the report.
89978 | Spotter Query/Operator | SNYPR does not send an email when you export a CSV report with more than 70 thousand records in Spotter.
80879 | Spotter Query/Operator | When you run a query with Stats Distinct and Filter together, the query does not display the result. However, it displays the number of matched records in SNYPR. For example:
    index=violation | FILTER index = riskscore and employeeid = employeeid and doctype = entity_threatmodel | STATS DISTINCT(accountname) department
57238 | Spotter Query/Operator | The Producer - Consumer Ratio (PCR) operator is not working.
NA | Spotter Query/Operator | For Cloud Customers: When performing aggregation on a large number of fields, the allowedFacetFields operator is configured with a maximum (default) value of 6 facets to be used in a query for optimal performance.
    For On-Premises Customers: When performing aggregation on a large number of fields, the allowedFacetFields operator is configured with a maximum (default) value of 6 facets to be used in a query for optimal performance. This can be adjusted to a maximum value of 12 with the appropriate infrastructure/configuration settings.
    Note: Contact Securonix Support if you want to change the memory to maintain application stability and avoid interruptions in service. The recommendation is not to exceed 8.
195815 | Views - Peer | The Views > Peer screen does not display records when a filter is applied.
131809 | Whitelist | The search feature takes longer than expected to display the attributes matching the specified filter criteria when adding them to a whitelist.