SNYPR 6.4 Release Notes
Date Published: 8/12/2021
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.
Copyright © 2021 Securonix. All rights reserved.
Contact Information
Securonix 5080 Spectrum Drive, Suite 950W Addison, TX 75001 (855) 732-6649
Table of Contents
Introduction 4
What's New in this Release 5
Improvements 12
Bug Fixes 22
New and Improved Content 32
  New Content 32
  Improved Content 58
  Decommissioned Content 71
Known Issues 148
Introduction
The Release Notes include the new features, improvements, bug fixes, and content updates for the SNYPR Jupiter release (6.4).
Note: You can check if your ticket is fixed in this release by referring to the Summary section. The Summary section includes a description and customer logged ticket number, if applicable.
Access to SNYPR 6.4
The Securonix team provides access to the SNYPR 6.4 application. You have to install the RIN application from https://downloads.securonix.com for data ingestion.
Note: For information on how to install RIN, refer to the RIN Installation Guide.
What's New in this Release
This section offers a brief summary of the following new and improved features for the SNYPR 6.4 release:
SNYPR Services and their New and Improved Features:
Analytics
• Content Management
• Data Dictionary
• Phishing Analyzer
• Publish Content Updates to Tenants (Multi-tenant)
• Policy Enhancements
Detection and Response
• EDR Playbook Response Actions
• Response Management
• Incident Assignee Chain
• On-Demand Incident
• Sandbox Widget
• Live Channel
Hunting
• Tabular View
• Timedifference Function
Ingestion
• Autodiscovery of Datasources
• Ingestion Improvements
Shared
• Activity Monitor
• Data Masking for Multi-Tenant
For more information about each feature, see the SNYPR 6.4 What's New Guide.
Content Management
The Content Management feature introduces the ability to seamlessly deploy and manage content maintained by the Securonix content team. This feature gives you access to the most up-to-date threat content so you can maintain the highest level of security detection.
For more details about this feature, see the Content Management section in the What's New Guide.
Data Dictionary
The Data Dictionary feature provides the ability to create your own labels for data ingested by SNYPR from datasources. These labels simplify the ingestion, analytics, and hunting processes by providing consistent and easy-to-understand labels for data.
Content developers can use these mapped labels to perform data ingestion and create policies, and security analysts can use these labels to search Spotter.
For more details about this feature, see the Data Dictionary section in the What's New Guide.
Phishing Analyzer Technique
The Phishing Analyzer detection technique allows the customer's content team and security analyst team to create policies to detect phishing attacks. Using this policy, you can check email senders against comparators and detect emails pretending to be from reputable companies.
For more details about this feature, see the Phishing Analyzer section in the What's New Guide.
Publish Content Updates to Tenants
A new capability has been added that allows detection engineers to publish parsers and enrichment changes to other tenants instantly. This capability provides scalability and saves detection engineers time by avoiding manual updates for each tenant.
For more details about this feature, see the Publish Content Updates to Tenants section in the What's New Guide.
Policy Enhancements
The release includes the following key enhancements to analytics:
• Policy Labels: Includes the capability to tag policies so that security analysts can build reports, create dashboards, and search violations using specific labels.
• Risk Score Aggregation for all Entities: Provides aggregate risk scores for all entities so that security analysts can have a unified view and a better risk profile for each entity.
For more details about this feature, see the Policy Enhancements section in the What's New Guide.
EDR Playbook Response Actions
CrowdStrike playbook response actions are now offered as part of the SNYPR native response actions. The CrowdStrike and Cylance playbook response actions are configured and run from the SNYPR user interface for single or multiple Remote Ingestion Nodes (RINs).
For more details about this feature, see the CrowdStrike Playbook Response Actions section in the What's New Guide.
Response Management
The Response Management feature provides a new, centralized user interface (UI) to configure third-party automated response connections and manage playbook access per tenant. In addition to the new centralized UI configurations, administrators have the flexibility to manage separate connections for each tenant, while isolating playbooks per tenant.
For more details about this feature, see the Response Management section in the What's New Guide.
Incident Assignee Chain
The Incident Assignee Chain controls incident visibility across specific users. Only users listed on the Incident Assignee Chain have access to discuss, contribute, coordinate, and download incident information. This is especially helpful for larger enterprises and multi-tenant deployments that manage multiple incidents across different teams.
For more details about this feature, see the Incident Assignee Chain section in the What's New Guide.
On-Demand Incident
The On-Demand Incident feature allows analysts and threat hunters to create new incidents and add context around those incidents from various locations in the SNYPR UI. Analysts and threat hunters can now create a new incident using a new global UI icon, add events to new or existing incidents from the Spotter Search Results view, and manage activity from the Incident Management dashboard to better manage emerging threats that might previously have gone unnoticed.
For more details about this feature, see the On-Demand Incident section in the What's New Guide.
Sandbox Widget
The Sandbox widget enables security analysts to test policy violations in an isolated environment to identify issues before making them public. With the ability to run threat models in Sandbox at scale, the Sandbox widget significantly reduces alert noise, improving detection time and enabling more focus for analysts.
For more details about this feature, see the Sandbox Widget section in the What's New Guide.
Live Channel
Live Channel is a new detection mechanism that enables search and detection of new threats, and provides the ability to search via regex across data sources and channels.
For more details about this feature, see the Live Channel section in the What's New Guide.
Tabular View
Tabular View provides an easy-to-use UI for arranging and viewing event attributes, improving investigation and search efficiency.
For more details about this feature, see the Tabular View section in the What's New Guide.
Timedifference Function
The Timedifference function calculates the difference between two time fields in a human readable format. With this new feature, you'll simply provide two time fields in Spotter, and the Timedifference function will quickly calculate and return the result as a time value.
For more details about this feature, see the Timedifference section in the What's New Guide.
Autodiscovery of Datasources
SNYPR 6.4 provides auto-discovery of syslog based datasources that simplifies and automates the onboarding process. This new workflow improves the time to value for onboarding datasources. Once you have configured your datasource to send events to the RIN, SNYPR discovers those events and suggests a parser for it.
For more details about this feature, see the Ingestion 2.0 section in the What's New Guide.
Ingestion Improvements
The release includes the following key enhancements to ingestion:
• Improved Activity Import: Provides an improved and intuitive user interface (UI). The new visual layout of Activity Import consists of an updated color palette, grid view, font, and information design.
• Simplified Lookup Table Management for Multi-Tenant: Allows content developers to create a single policy that can be applied to all tenants without the need to duplicate the policy and customize it for each tenant.
For more details on other improvements, see the Ingestion Improvements section in the What's New Guide.
Activity Monitor
The Activity Monitor tool provides a crucial, real-time view of events ingested by SNYPR. Administrators can see ingestion trends by datasource to identify sudden increases in the number of events or ingestion delays.
For more details on other improvements, see the Activity Monitor section in the What's New Guide.
Data Masking for Multi-Tenant
The Data Masking feature allows MSSPs to secure Personally Identifiable Information (PII) for users and entities. You can mask all activity account names, IP addresses, resource names, and event attributes for all datasources available for a tenant.
For more details on other improvements, see the Activity Monitor section in the What's New Guide.
Improvements
The following table describes the improvements that were made in this release:
Note: An INC number represents a ticket that was previously logged by a customer, and is now improved in the current release.
Component: Summary
Activity Import: Improved the performance of data enrichment for event categorization.
Algorithm: Implemented a new Domain Generation Algorithm (DGA) algorithm.
Analytics: Added support for static baselines and daily threshold to Enumeration Behavior and Volume Spike Behavior.
Analytics: Added a new analytic technique called Phishing Analyzer.
Analytics: Included a list of enabled or disabled policies and threats for policies. (INC-223929)
Analytics: Updated the default values for the BEACONING_DELETE_CONFIG configuration.
Analytics: Improved the Landspeed analytics to increase the accuracy of detection.
Analytics: Optimized the policy deletion process.
Analytics: Added additional criteria for threat intelligence checks.
Analytics: Added an option to filter policies based on the policy category from the Policy Management screen.
Analytics: Updated the Policy Name field to include square brackets. (INC-228027)
Analytics: Enhanced the Threat Model screen to allow users to add violators to an active list.
Analytics: Improved the Behavior Profile screen by:
  • Adding a search box to search behavior profiles.
  • Displaying the profile names in alphabetical order.
Analytics: Added an ability to provide labels for policies. These labels allow analysts to build reports, dashboards, and search violations using specific labels.
Analytics: Added a warning message to alert users when any violation entity attribute (accountname, resourcename, ipaddress) is not mapped. The risk scores are not calculated correctly when violation entities are not mapped.
Analytics: Added an ability to provide aggregate risk scores for a machine (resource) across datasources.
Analytics: Improved the tool tip message for Violation Entity on the Policy Violations screen.
Analytics: Improved Event Attributes on the Create a Rule screen to display attributes alphabetically.
Analytics: Added data validation to check for special characters in attributes to fix an error that occurs while configuring violation.
Analytics: Added description for the Amount of Data field for creating AEE based policies.
Analytics: Improved user experience by sorting the values for the Edit filter dropdown in the Policy Configuration screen.
Analytics for Multi-Tenant: Enabled threat models for all tenants. (INC-229117)
Analytics for Multi-Tenant: Added an option to select tenants for functionality based policies.
Auditing: Enhanced auditing to include SAML assertion fields in auditing logs when a user logs in using SAML.
Authentication: Added a check to restrict users from using any of the last five passwords as the new password.
Authentication/Access Control: Implemented checks to validate the email addresses of users and groups.
Authorization/RBAC: Added the ability to restrict an analyst's access to Users or TPI Spotter indexes based on tenant or user.
Authorization/RBAC for Multi-Tenant: Improved the Available Tenant filtering on the Security Command Center to only display information for the selected tenant.
Authorization/RBAC for Multi-Tenant: Restricted the group view by tenant. (INC-229347)
Authentication/Single Sign-On (SSO): Added two new flags in the SAML Assertion for the following scenarios:
  • New users logging in to the SNYPR application for the first time: Assign the default group when the group information is not in the SAML assertion.
  • Existing users logging in to the SNYPR application: Retain the group already assigned to the user. For example, if a user is a member of any group other than the default group, the group information will not change. (INC-229021)
Authentication/SSO: Added a message to indicate that the user has successfully logged off from the SNYPR application. (INC-226076)
Authentication/SSO: Included an option to set the time period after which the SNYPR application logs off the user automatically. This option must be set to automatically log off the user after the specified time period. (INC-223283)
Authentication/SSO: Included an option to set the number of concurrent SNYPR sessions a user can have. (INC-226779)
Authentication/SSO: Included a check for users to change their temporary passwords when they log into SNYPR for the first time.
Authentication/SSO: Implemented user authorization using SAML/Sign-On (SSO) when SSO is enabled.
Authentication/SSO: Added support for NTLM authentication for SMTP.
Automated Response: Added an error message to the Connection Type drop-down that displays when a connection already exists for a particular connection type for a tenant.
Behavior/Activity Outlier: Improved the clustering algorithm and performance for peer behavior and all account behavior policies.
Case Management: Added a Violation Summary tab to the Incident Management screen that includes a Threat Model violation view by stages and a list of policies.
Case Management/Incident Management: Improved the alert email to include a link to access the incident once the incident is created.
Connector: Updated the AWS SQS S3 connector to send data from multiple accounts to a single account.
Connector: Updated the parsing technique for the Azure Storage connector.
Connector: Improved the AWS Cloudwatch connector to support the authentication for cross-account access for Cloudwatch resources.
Connector: Updated the AWS GuardDuty connector to support the authentication for cross-account access for the GuardDuty detectors.
Connector: Added functionality to support the ingestion of raw event data for the Crowdstrike Falcon data replicator module.
Connectors: Enhanced the ProofPoint connector to extract file extensions separately.
Data Import: Enhanced the conditional enrichment process to support the Classless Inter-Domain Routing (CIDR) range.
Encryption/Masking: Improved the GDPR unmasking approval workflow:
  • Sec_users in different sec_groups can belong to a single-step or zero-step unmasking workflow.
  • Workflows are configured according to the roles assigned to sec_groups.
Event Enrichment: Added a new Spark job called Pipeline Orchestration that prioritizes event data collections and manages congestion during the ingestion process.
Event Parsing: Added a Windows XML parser to parse native Windows data in XML format.
Incident Management: Added a table view on the Incident Management screen that displays contextual information about all the events that are added to an existing case from Spotter.
Incident Management: Improved the archival/data retention policy in Incident Management to ensure that events attached from Spotter remain available during investigation, even if the data is archived or deleted.
Incident Management: Added an option to edit the criticality of an incident.
Incident Management: Modified the location of the Playbook button for better user experience.
Incident Management: Added functionality to run playbooks from the Incident Management screen.
Incident Management: Improved user experience by adding a notification message on the top of the screen.
Ingestion: Improved parsing for CrowdStrike.
Ingestion: Improved parsing for Microsoft O365 Azure.
Ingestion: Modified the Activity Import screen to use the Data Dictionary feature.
Ingestion: Enhanced SNYPR to manage multiple RINs from the SNYPR user interface.
Ingestion - Activity Import: Added an ability for users to assign custom names to action filters.
Ingestion - Events: Improved the lookup data import process from AWS S3 to support filtering by the folder path available in AWS S3.
Ingestion - Geolocation: Improved the geolocation import by adding enrichment for destination address and source address attributes.
Ingestion - Geolocation: Improved the geolocation import by supporting enrichment of IPv6 addresses with geolocation details. (INC-235616)
Ingestion - Third-Party Intelligence: Added an option to concatenate two or more attributes that are separated by a delimiter into one field.
Ingestion - TPI: Improved the enrichment process for activity data by including the context for hash, URL, IP, vulnerability, and hash type attributes for Recorded Future TPI. (INC-229276)
Lookup Data: Added RBAC controls for individual Watchlists and Lookup tables.
Notification Framework: Improved the Notification module so that analysts can filter notifications by type, date range, or both. Role based access control makes it easy for an analyst to configure the notifications they can see by default.
Notification Framework: Implemented an option to send notification emails to end users using the REST API.
Policy Configuration: Improved the user experience by displaying the number of times a particular condition is added for Risk Boosters while creating a policy.
Policy Configuration: Added a new option to view all enabled and disabled policies in the Policy Management screen.
Policy Configuration: Added a check to remove white space before and after the policy name. (CLOUD-2112)
Policy Engine: Enhanced the policy creation process for functionalities by allowing users to create policies that can apply to multiple functionalities.
Policy Engine: Added an option for users to save and commit the policy to the content repository from the Policy Creation screen.
Policy Engine: Improved the performance of the policy engine.
Policy Engine: Added a warning note when the account name is blank while creating a policy.
Policy Engine: Added the Check Against Named List option to create a new rule by checking values against named lists.
Reporting: Added the ability to email a Data Insights dashboard as a report.
Reporting: Added the ability to sort on the DateTime field for the TABLE operator.
Reporting: Created a new report template with predefined attributes selected by default.
Reporting Framework/Spotter Console: Added the ability to quickly select attributes in the Run Spotter Report view of Spotter to reduce the time spent on exporting data from Spotter or creating reports.
Response/Notification: Added functionality to integrate with Cherwell.
Response Orchestration: Enhanced integration with ServiceNow by adding more metadata during incident creation (threat indicator and category).
Response Orchestration: Modified the connector to integrate with the Phantom multi-tenant environment for case management. (INC-212561)
Response Orchestration: Added playbook information for an incident in Action History for added context.
Response Orchestration/SOAR: Added the ability to enable/disable the visibility of the playbook action button according to the role provided to the user.
Response Orchestration/SOAR: Added the ability for users to select one or multiple RINs while taking response actions for a playbook.
Response Orchestration/SOAR: Removed the ability to configure ingesters for RSA playbooks on the Policy Violations and Threat Modeler screen as RSA playbooks are not supported.
REST API: Improved the Watchlist REST API:
  • The listWatchlist web service now provides the name and count of entities in a Watchlist.
  • Each Watchlist name includes a list of existing entities in that Watchlist.
  • When given a list of entities, a list will return stating which Watchlist each entity belongs to.
  • The Check if an entity exists in a watchlist web service now accepts watchlistname as an optional parameter.
  • The Add entity to a single watchlist web service now allows you to add up to five entities per API call. By default, entities in a Watchlist are sorted by the day the entity was created.
REST API: Added the ability to pull activity information from cases in Incident Management.
REST API: Added information on the parent case for REST APIs within the Incident Management category.
REST API: Improved the platform security by implementing:
  • Token based authentication for all web services.
  • Session Timeout for web services after a user-specified time period.
REST API for Multi-Tenant: Improved Incident Management REST APIs to include the tenant name when querying SNYPR for activity and violation. If the user has not specified the tenant name, the REST API retrieves information only for the tenant the user has access to.
RIN: Improved the RIN installation process by providing a silent installer and prerequisite validation framework.
RIN: Improved the RIN monitoring capabilities to provide alerts for disk usage and certificate expiration.
Role-based Access Control: The ability to enable or disable policies can be controlled by a new role privilege.
Security Command Center: Added an ability to launch Spotter for top violators from Entity Data in SCC.
Security Command Center: Improved the calculation of risk score by consolidating anomalies for the Resource and IP address entity type, regardless of which data-feed generates the anomaly.
Security Command Center/Views: Added filter and sort functionalities for custom widgets created using SNYPR.
Spotter: Added the OrderBy filter to sort the Spotter search results.
Spotter: Improved the performance of the IN and NOT IN queries when there are more than 10 values for a parameter.
Spotter: Added a message on the Search Results view of Spotter to inform users that the results are not ordered by eventtime when a query is executed for an archival event.
Spotter: Improved the WHERE operator to filter based on range, aggregation, and field created at the time of search.
Spotter: Added the option to select all or multiple attributes at once when you export Spotter results, rather than individually selecting the attributes you want to be included in your Spotter report.
Spotter: Improved the Spotter search to query archived data using resource group, resource type, or rg_functionality. In addition, the Spotter search uses the tenant name to query archived data for a multi-tenant deployment.
Third-Party Intelligence: Added the ability to perform TPI enrichment on multiple attributes from the same event.
Third-Party Intelligence: Added the ability to import TPI data from the RIN file.
Threat Modeler: Added a Do you want to generate incident for threat model violators? toggle on the Threat Model screen.
User Preferences: Added the ability to sort by the Enabled column when searching for a threat model.
Workflow: Added an option to whitelist while creating a new workflow.
Bug Fixes
The following table describes the bug fixes that are included in this release:
Component: Summary
Activity Import: Fixed the Sync Content button on the last step of the Activity Import screen to properly sync information.
Activity Import: Fixed an issue on the last step of the Activity Import screen so that policies save when the Save Template button is clicked.
Activity Import: Fixed the naming convention for the correlation rule to ensure the rule name remains the same when the user has not edited the rule. (INC-228743)
Activity Import: Fixed an issue so that correct values are generated for the lookup and watchlist action filters during Activity Import.
Analytics: Fixed the issue to automatically delete incidents when corresponding violations are deleted. (INC-212318)
Analytics: Fixed an issue where policies were not getting created when the Response Bot was enabled.
Analytics: Fixed an issue for TPI based policies where the violation summary attributes displayed blank values.
Analytics: Fixed the DGA algorithm to correctly calculate the prediction score.
Analytics: Fixed an issue where the violation events query was removing double spacing from a policy name, resulting in an incorrect query.
Analytics: Fixed the last step of Activity Import to allow users to enable or disable policies. (INC-229409)
Analytics: Fixed an issue where users were unable to delete threat models.
Analytics: Fixed the Create New Watchlist screen to display only one drop-down list for the Watch List Criticality and Select Tenant fields.
Analytics: Fixed an issue where the check against TPI was not flagging violations.
Analytics for Multi-tenant: Fixed the Check Against TPI (Third Party Intelligence) policy to flag correct violators from the same tenant.
Analytics: Fixed an issue where the check against lookup did not flag event rarity policies.
Analytics: Fixed an issue where the conditions for filtering criteria were not displaying on the UI.
Analytics: Fixed an issue so that Risk Boosters are saved for a policy. (INC-229089)
Analytics: Fixed an issue so that users can whitelist accounts. (INC-229114)
Analytics: Fixed violation summary to display the correct number of violations. (INC-229046)
Analytics: Fixed the loading issue for the policy screen.
Analytics: Fixed an issue where the violation summary used default values for any out-of-the-box policies.
Analytics: Fixed an issue with policy configurations where a condition is created even though there are no conditions provided.
Analytics: Fixed the issue of violations not displaying in the Top Violations widget. (INC-228867)
Analytics: Fixed the UI to choose a single RIN as a default (from a list of multiple RINs) for a policy so that the auto-playbook actions for a Threat Model can be enabled and used.
Analytics: Fixed the Activity Import Summary screen to display policies with multiple functionalities.
Analytics: Fixed an issue so that a validation message is displayed when a normal category is added with the Sandbox category.
Analytics: Fixed an issue so that the correct risk score is calculated for phishing based policies.
Analytics: Fixed the Cluster Information section so that it displays the correct text message.
Analytics: Fixed an issue so that all threat model stages are deleted when a user deletes the last configured stage.
Analytics: Fixed the Threat Model for Threat screen so that it displays selected watchlists under Add watchlist Filter.
Analytics: Improved performance for threshold detection use cases.
Analytics: Fixed an issue where new policies are disabled by default while onboarding.
Analytics: Fixed Role Based Access Control (RBAC) to show correct threat models on the Activity Import screen.
Analytics: Fixed an issue so that the correct count of enabled and disabled threat models is displayed when RBAC is applied for threat models.
Analytics: Fixed the Send Notification toggle button of the Policy Configuration screen. (INC-235266)
Analytics: Fixed an issue so that filter criteria conditions are saved while editing IEE policies.
Analytics: Fixed Views > Users to display behavior profiles.
Analytics: Fixed an issue so that threat models are saved correctly.
Analytics: Fixed an issue where the Check Against Lookup Table did not flag event rarity policies.
Analytics Service/Response Service: Fixed the Edit Threat Indicator pop-up accessed from Policy Violations and Threat Model to display tenants and playbooks based on the Role Based Access Control (RBAC) of the analyst.
Analytics/Hunting: Fixed the Do you want to re-calculate entity score based on Sandbox violations toggle to include a validation message when set to NO. This message informs the user that the violations and incidents associated with the policy will be removed.
Analytics/Hunting: Fixed the parameter for URL Visited by Visitors. (INC-228706)
Analytics/Spotter: Fixed an issue so that the violation events query returns the correct results for policies with double spaces. (INC-229409)
Auditing: Fixed the Token Generated audit message.
Authorization/RBAC: Fixed the Password Change Required setting so that when it is enabled, the application requires users to change their passwords when they log in for the first time.
Authorization/RBAC: Fixed the Access Control screen to display the Minimum Reuse Count setting for passwords.
Authorization/RBAC: Fixed an issue so that the Kill Chain Analysis widget displays all violations when the Show only Correlated Data flag is enabled in Granular Access Control.
Authentication/SSO: The context file does not save the login URL when you enter the Single Sign On login details from the Application Settings screen.
Behavior/Activity Outliers: Fixed an issue to display the correct baseline graph for historical violations.
Behavior/Activity Outliers: Fixed the behavior based policies to display outlier and violation events in the same time zone.
Case Management: Fixed the status of an On-Demand Incident to display in the Incidents by Status graph within Incident Management.
Case Management/Security Command Center: Fixed Activity Stream on the Security Command Center to display only the incidents that are assigned to the logged in analyst.
Data Insights: Fixed the Data Insights drop-down option to fully display when you save a Spotter query as dashboard.
Data Insights: Fixed an issue with the Data Insights dashboard when tenant access is revoked from a non-admin user.
Incident Management: Fixed an issue on the Security Command Center that caused incident IDs to not populate when incidents were created through Auto Incident.
Incident Management: Fixed an issue during workflow creation that caused the Show input form toggle to only be set to enabled.
Ingestion - Entity Metadata: Fixed the Job Monitor screen to display the number of records ingested during entity metadata import using database.
Ingestion - Save Template: Fixed the Save Template feature to publish changes made in action filter.
Lookup Table: Fixed the preview of the lookup table for AWS S3. (INC-230847)
Multi-Tenant - Settings: Increased the length of the Customer ID field accessed from Admin > Settings > Hadoop.
Multi-Tenant - Threat Modeller: Added an option to assign tenant while importing threat models.
Policy Configuration: Fixed the cloning issue of Sandbox policies.
Policy Engine: Fixed an issue to allow users to add policy violators to an active list.
Policy Engine | Fixed the graph for the rare behavior policy to display correct information from Views > Users.
Policy Engine | Fixed an issue that caused the signatureid to replicate when a use case was cloned.
Policy Engine | Fixed the Policy Category drop-down list to display the correct categories.
Policy Engine | Fixed the data deletion feature for the event rarity policy.
Policy Engine | Resolved an issue to display the correct TPI source name in the Violation Summary screen.
Policy Engine | Removed the extra icon for the rare behavior policies from the Violation Summary screen.
Policy Engine | Removed the Would you like to Aggregate Risk Score on Each Run? flag from the default identity policies packaged with the SNYPR application.
Policy Engine | Fixed the traffic analyzer job for the event rarity policy.
Policy Engine | Resolved an issue where NULL conditions are saved for IEE policies.
Policy Engine | Removed unused operators such as greater than and less than from the risk booster lookup table.
Policy Engine | The account name for the lookup table is no longer duplicated.
Policy Engine | The SCC screen displays the correct date for watchlists.
Policy Engine | When the Sandbox policy is published to production and the recalculate risk score option is set to no, the corresponding incidents are deleted.
Policy Engine | Resolved an issue to display the Move to Production option for all Sandbox policies.
Policy Engine | Fixed the message to display the time when auto run is enabled for a playbook.
Policy Engine/Behavior and Activity Outlier | Fixed the user screen to display behavior profiles when a user with non-admin rights accesses the SNYPR application.
Policy Violation Notifications | Fixed an issue where Landspeed violations were not saving violation information as expected.
Reports | Fixed the header and footer of the KPI, SOC, Top Violator, and Incident reports to display the correct date and time.
REST API | Fixed an issue where the Threat Model details were not displaying in the reason section of the GET response.
Response Orchestration | Fixed an issue so that playbooks are executed correctly for threat models.
Response Orchestration | Updated the payload format for Demisto.
RIN | The Remote Ingester works as expected when the proxy is configured to communicate with the SNYPR console. (INC 230017)
Security Command Center | Fixed a user interface issue in the Top Violators widget that caused text to appear close together when the policy name was too long.
Security Command Center | Fixed an issue on the Security Command Center that caused violations to not load on the Violation Summary screen for a policy or threat.
Security Command Center | Fixed an issue on the Violation Summary screen that caused icons to display inconsistently.
Security Command Center | Fixed the search filter for the Top Violator widget in the Violation Summary screen.
Security Command Center | Fixed an issue so that the incident number and Take Action button for auto created incidents are now visible.
Spotter | Fixed an issue in the Search Results view of Spotter that caused no results to be returned when the STATS query was used. (INC-238031)
Spotter | Fixed an issue for queries with not equal to (!=) and parentheses. (INC-229647)
Spotter | Fixed an issue to ensure that the violation events query returns the correct results for policies with double spaces. (INC-229538)
Spotter | Fixed Spotter to run queries successfully when there are more than 27 values with the NOT IN operator. (INC-212549)
Spotter | Fixed an issue in Spotter that caused the Search Results to fail when the ORDERBY operator was used with any visual operator, such as charts and graphs.
Spotter | Fixed an issue that caused the following ORDERBY queries to run, even though they are not supported: Geolink, Geomap, Heatmap, timechart.
Spotter | Fixed the Show Raw Events option in Spotter to display the correct value when raw events are retrieved by the query.
Spotter | Fixed an issue that caused queries with a wild card to only work with the activity and violation index.
Spotter | Fixed the total record count beside the page navigation when a query is run for an archived datasource and a time period is selected from the timeline.
Spotter | Fixed the Producer - Consumer Ratio (PCR) operator to work as expected.
Spotter | Fixed an issue that caused SNYPR to not send an email when you export a CSV report with more than 70,000 records in Spotter.
Spotter | Fixed the Data Insight report to display correct data when you select a filter for any widget and generate the report.
Spotter | Fixed the total record count when a Spotter query is run with aggregation operators (such as stats and table) and a user navigates between pages.
Spotter | Fixed an issue where the CONTAINS and NOT CONTAINS operators were not working on raw event attributes when raw event indexing was enabled. (INC-229689)
Threat Hunting | Fixed an issue in the Search Results view of Spotter that caused the search results to fail when quotation marks were not present in the index = archive query.
Threat Hunting | Fixed an issue that caused the SNYPR application to only be accessible when the Tomcat application server was restarted.
Threat Hunting | Fixed an issue in the configuration settings for Data Insights that prevented the widget from loading when the REX operator was used in a custom query.
Threat Management | Fixed an issue to display the Action History for policies and threat models when the violator is a user.
Threat Modeler | Fixed an issue so that users can enable the Add Watchlist Filters setting from the Threat Modeler screen.
Threat Modeler | Fixed an issue with the exponential risk scoring scheme to display a message when the weight value is set to zero.
Watchlist | Fixed the edit functionality to edit the watchlist name correctly.
Whitelist | Fixed an issue so that globally whitelisted entities cannot be flagged by any policy.
Whitelist | Fixed an issue that caused a default expiry date to display when the Expiry Date setting was disabled. (INC-229079)
Whitelist | Fixed the search filter to display the whitelist correctly in Views > Whitelist.
Whitelist | Fixed an issue to recalculate the risk score when an entity is globally whitelisted.
New and Improved Content
SNYPR 6.4 includes new and updated content. This section includes the following information:
- New Content
- Improved Content
- Decommissioned Content
New Content
This section contains all the new parsers, connectors, and threat detection content included in this release.
New Connectors and Parsers
The following table contains the connectors and parsers that were added in this release:
Functionality | Vendor | Device Type | Collection Method | Format
Physical Security / Badging | ActivIdentity / HID Global | ActivIdentity HID Global | Syslog | JSON
Cloud Services / Applications | Amazon Inc | AWS Cloud Trail | awssqss3 | JSON
Cloud Services / Applications | Amazon Inc | AWS Cloudwatch | awssqss3 | REGEX
Cloud Application Audit | Anaplan | Anaplan Audit | anaplan | JSON
IT Service Management | Atlassian Corporation Plc | Jira | Jira | JSON
Cloud Application Security Broker | Bitglass | Bitglass CASB - Admin | bitglass | JSON
Cloud Application Security Broker | Bitglass | Bitglass CASB - Access | bitglass | JSON
Cloud Application Security Broker | Bitglass | Bitglass CASB Audit | bitglass | JSON
Physical Security / Badging | Brivo | Brivo OnAir - Access | brivoonair | JSON
Endpoint Management Systems | Carbon Black,Inc | Carbon Black Defense - V2 | carbonblack | JSON
Endpoint Management Systems | Carbon Black,Inc | Carbon Black Defence - Alert | carbonblack | JSON
Network Access Control / NAC | Cisco Systems | Cisco Identity Service Engine - ISE | ciscoise | Key Value Pair
Network Access Control / NAC | Cisco Systems | Cisco Identity Service Engine | ciscoise | Key Value Pair
Firewall | Cloudflare | Cloudflare Firewall | cloudflarefirewall | JSON
Access / Identity Management | CloudKnox | CloudKnox Alerts | cloudknox | JSON
Access / Privileged User | CloudKnox | CloudKnox Activities | cloudknox | JSON
Data Loss Prevention / Endpoint DLP | Code 42 | Code 42 - File Events | code42 | JSON
Cloud Application Security Broker | Google | Google GCP | googlereport2 | JSON
Identity Access Management | Google | Users Accounts | googlereport2 | JSON
Business Collaboration Platforms | Google | Google Chat | googlereport2 | JSON
Authentication / SSO / Single Sign-On | Google | Google Token | googlereport2 | JSON
Access / Privileged User | Google | Access Transparency | googlereport2 | JSON
Mobile Device Management | Google | Google Mobile | googlereport2 | JSON
Business Collaboration Platforms | Google | Google Calendar | googlereport2 | JSON
Access / Identity Management | Google | Google Groups Enterprise | googlereport2 | JSON
Access / Identity Management | Google | Google Groups | googlereport2 | JSON
Business Collaboration Platforms | Google | Google G-Plus | googlereport2 | JSON
Cloud Authentication / SSO / Single Sign-On | Google | Google SAML | googlereport2 | JSON
Data Loss Prevention / Network DLP | Google | Google rules | googlereport2 | JSON
Authentication / SSO / Single Sign-On | Informatica | Informatica Authentication | informatica | JSON
Cloud Services / Applications | Microsoft Corporation | Azure Active Directory Sign In | azurereport | Key Value Pair
Endpoint Management Systems | OS Query | OS Query Logs | Syslog | JSON
IT Infrastructure Monitoring | Pager Duty | Pager Duty | pagerdutyincidents | JSON
Cloud Security | Palo Alto Networks | Prisma Cloud - Prisma Access | prismacloud | JSON
Email / Email Security | Proofpoint Inc. | Proofpoint TRAP | proofpointtrap | JSON
Email / Email Security | Proofpoint Inc. | Proofpoint Cloud Email Isolation | proofpointisolation | JSON
Application Audit | Proofpoint Inc. | Proofpoint Security Awareness Training | proofpointsat | JSON
Security Analytics Platform | SecurityScorecard,Inc. | Security Scorecard - Company Grade | securityscorecard | JSON
Security Analytics Platform | SecurityScorecard,Inc. | Security Scorecard - Company risk category score | securityscorecard | JSON
Web Proxy | Symantec / Blue Coat Systems | Web Security Service | symantecwss | REGEX
Antivirus / Malware / EDR | Symantec / Blue Coat Systems | Symantec Endpoint Protection | symantecendpoint | JSON
Vulnerability Scanners | Tenable | Tenable Response | tenable | JSON
Cloud IPS / IDS / UTM / Threat Detection | Threat Stack | Threat Stack - Alerts | threadstack | JSON
Data Loss Prevention / Endpoint DLP | Trend Micro Inc. | TrendMicro Security Risk | trendmicrocas | JSON
Cloud Authentication / SSO / Single Sign-On | Workday Inc. | Work Account Sign-on | workdayidentitymanagement | JSON
Cloud Authentication / SSO / Single Sign-On | Workday Inc. | Unidentified Sign-on | workdayidentitymanagement | JSON
Access / Identity Management | Workday Inc. | Workday Audit | workday | Key Value Pair
New Threat Detection Content
The following table contains the threat detection content that was added in this release:
Functionality | Signature ID | Policy Name
Access / Identity Management | ACI-ALL-800-ERR | User changing Job detection
Access / Identity Management | ACI-ALL-801-BP | Abnormal number of inactivate Organization activity
Access / Identity Management | ACI-ALL-802-ERR | Business Process definition Edited
Access / Identity Management | ACI-ALL-803-ERR | Rare User assigning roles
Access / Identity Management | ACI-ALL-804-PO | Rare User assigning roles compared to peers
Access / Identity Management | ACI-ALL-805-ERR | Rare user assigning user-based security groups for person
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-747-TA | Successful logon of admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-RU | Successful login following a spike in failed logins for an Admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-752-LS | Landspeed anomaly detected for an account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-BP | Abnormal number of failed logons from Admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-745-TA | Successful logon detected for a Non-admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-848-BP | Abnormal number of logon failures from Non-admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-751-DB | Account logging in from multiple countries in a day
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-755-ERR | Rare application accessing SalesForceCom API
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-886-BP | Abnormal number of login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-887-BP | Abnormal number of Admin Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-888-DB | Password spraying attempt from an IP on multiple accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-789-TA | Robotic pattern observed from an IP - failed login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-790-ERR | Successful logon detected from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-792-ERR | Successful logon detected from for an admin account in a rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-893-LS | Landspeed anomaly detected for an admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-794-RU | User changing email to non-business email
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-795-DB | Recently activated account deactivated within a short duration of time
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-726-BP | Abnormal number of Account Lockout events
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-723-TA | Robotic pattern observed - failed login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-847-BA | Abnormal volume of file downloads from Salesforce
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-727-ERR | Rare User Agent Used For Log In
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-725-ER | Authentication from rare geolocation
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-748-BA | Abnormal volume of data egressed using REST API requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-728-BP | Possible User Enumeration Observed from an IPAddress
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-724-DB-SIEM | High number of failed login attempts - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-749-BA | Abnormal volume of data egressed via Visualforce requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-734-BP | Anomalous number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-DB | Large number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-722-LS | Landspeed Anomaly
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-719-DB | High Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-729-DB-SIEM | Multiple number of Failure followed by Success - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-754-BP | Abnormal number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-845-ERR | Rare user performing delegated logon
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-ERR | Installation of rare unmanaged package detected across organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-721-RU | Login as activity was observed with access of other User
Cloud Application Audit | CAAU-SF-740-RU | Account Impersonation
Cloud Application Audit | CAAU-SF-741-DB | Huge Number Of Password Change
Cloud Application Audit | CAAU-SF-738-RU | Account activated tracking policy
Cloud Application Audit | CAAU-SF-739-RU | Recently activated account de-activated within a short duration of time
Cloud Application Audit | CAAU-SF-744-RU | User changing email to personal email
Cloud Application Audit | CAAU-SF-743-RU | User changing email to non-business email
Cloud Application Audit | CAAU-SF-759-RU | User changing email to non-internal email
Cloud Application Audit | CAAU-SF-746-RU | User changing email to a disposable email address
Cloud Application Audit | CAAU-SF-792-BP | Abnormal frequency of target accounts logged in as
Cloud Application Audit | CAAU-SF-742-RU | Non admin account logging in as admin account
Cloud Application Audit | CAAU-SF-791-TA | Phone number registered for multiple users
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-852-ERR | Rare combination of Country and State observed for user authenticating to multifactor device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-808-DB | Abnormal amount of login attempt detected on Duo MFA
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-812-RU | Authentication anomaly- Country Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-811-RU | Authentication anomaly- State Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-851-ERR | Rare combination of Country and State observed for user authenticating to access device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-809-LS | Landspeed Anomaly detected
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-827-ERR | Logon from a rare country
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-853-ERR | Authentication to access device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-854-ERR | Authentication to MFA device observed from rare country for user
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-855-ERR | Authentication to MFA device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-856-RU | Successful inline enrollment on Duo by uncorrelated account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-857-ERR | User performing inline enrollment on Duo from rare country compared to entire organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-858-TA | Successful inline enrollment of multiple accounts on a single device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-859-ERR | Successful login using bypass code from rare location compared to rest of organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-860-RU | Failed authentication attempt marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-861-DB | Multiple failed Authentication attempts marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-850-RU | User enrolling from a country different from work location
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-885-BP | Password spraying attempts for one account on multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-831-RU | Successful password spraying attempt from one account to multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-776-RU | Successful login following a spike in failed logins for a Non-admin account
Endpoint Management Systems | EDR-ALL-29-ER | Potential WMI Lateral Movement - Rare process spawnned
Endpoint Management Systems | EDR-ALL-161-RU | Possible Egregor Ransomware Rclone To Svchost LOL Rename Analytic
Endpoint Management Systems | EDR-ALL-162-RU | Possible Malicious Certificate Export Analytic
Endpoint Management Systems | EDR-ALL-163-RU | Possible SUNSPOT Variant Dropped Artifact Analytic
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Esentutl Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-87-RU | Potential evasion attempt through disabling of Event Trace monitoring in dotnet
Microsoft Windows Powershell | PSH-ALL-115-RU | Possible GoldenSAML Certificate Export Events Analytic
Microsoft Windows | WEL-ALL-850-DB | Possible Hexacorn-style Shellcode Execution Analytic
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Microsoft Windows Powershell | PSH-ALL-106-RU | Use of Powershell encodedcommand parameter on host
Microsoft Windows Powershell | PSH-ALL-108-RU | Use of Powershell Invoke-Expression cmdlet on host
Microsoft Windows Powershell | PSH-ALL-109-RU | Powershell Execution Policy modified on host
Microsoft Windows | WEL-ALL-905-RU | Suspicious Account Activity - Potential pass-the-hash - Key Length Analytic
Microsoft Windows | WEL-ALL-711-ER | Rare regsvr32 process and command execution
Microsoft Windows | WOS-202-BP | Abnormal number of logon failures
Microsoft Windows | WOS-290-BP | Abnormal number of kerberos pre authentication failures
Network Traffic Analytics | NTA-ALL-880-BA | Abnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics | NTA-ALL-881-BA | Abnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics | NTA-ALL-882-BA | Abnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics | NTA-ALL-883-BA | Abnormal amount of data transmitted over covert channels - NTA
Network Traffic Analytics | NTA-ALL-884-BP | Possible host enumeration over system ports - Internal - NTA
Network Traffic Analytics | NTA-ALL-885-DB | Possible host enumeration over system ports - External - NTA
Network Traffic Analytics | NTA-ALL-886-DB | Possible port scan from external IP Address - NTA
Network Traffic Analytics | NTA-ALL-887-DB | Possible port scan from internal IP Address - NTA
Web Application Firewall | IFW-ALL-820-ER | Possible LFI Detection
Web Application Firewall | IFW-ALL-821-DB | Unusual URL Redirection
Web Application Firewall | IFW-ALL-822-RU | Suspicious process Observed Over URL
Web Application Firewall | IFW-ALL-823-RU | Remote Command Execution
Web Application Firewall | IFW-ALL-824-RU | Communication to Malware OR Trojan Suspicious Port
Web Application Firewall | IFW-ALL-825-ER | Rare Content Type Observed
Web Application Firewall | IFW-ALL-826-DB | Circumvention over URL Response Code
Web Application Firewall | IFW-ALL-827-ER | Unusual web requests
Web Application Firewall | IFW-ALL-828-DB | Possible Server Outage by Multiple Request
Web Application Firewall | IFW-ALL-829-DB | Multiple Allowed Attack Detection Over Insecure HTTP Version
New Policy/Threat Content
The following table contains the policy and threat content added in this release:
Functionality | Signature ID | Policy Name
Access / Privileged User | ACP-ALL-808-ERR | Google Initiated Review - Access detected from a rare geolocation
Access / Privileged User | ACP-ALL-807-RU | Google Initiated Service Detected - Google Access Transparency
Access / Privileged User | ACP-ALL-806-RU | Customer initiated access by Google to respond to a third party data request - Google Access Transparency
Access / Privileged User | ACP-ALL-809-BP | Google Initiated Review - Account accessing multiple resources
Authentication / WiFi | AWI-AMN-802-ERR | Usage of switchport mode access detected
Authentication / WiFi | AWI-AMN-801-ERR | SSH Connection Detected from a Rare Account
Business Collaboration Platforms | BCP-ALL-802-DB | Abnormal number of files uploaded to the chat - Gsuite
Business Collaboration Platforms | BCP-ALL-801-DB | Abnormal number of files downloaded from the chat - Gsuite
Cloud Application Audit | CAAU-ALL-818-ERR | Rare account adding a new connection
Cloud Application Audit | CAAU-ALL-817-DB | Role creation followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-814-ERR | Rare account disabling audit log streaming
Cloud Application Audit | CAAU-ALL-823-ERR | Rare account updating delegated admin password
Cloud Application Audit | CAAU-ALL-813-ERR | Rare account deleting API policy
Cloud Application Audit | CAAU-ALL-820-ERR | Rare account updating pub Sub topic
Cloud Application Audit | CAAU-ALL-812-RU | Account was observed disabling multifactor authentication
Cloud Application Audit | CAAU-ALL-810-BP | Abnormal number of distinct recipes stopped by an account
Cloud Application Audit | CAAU-ALL-815-LS | Impossible Travel Alert Detected
Cloud Application Audit | CAAU-ALL-809-ERR | Login from a Rare geolocation
Cloud Application Audit | CAAU-ALL-824-ERR | Connection Disconnected by a Rare Account
Cloud Application Audit | CAAU-ALL-808-BP | Abnormal number of login failures detected
Cloud Application Audit | CAAU-ALL-816-ERR | Rare account delegating admin account access
Cloud Application Audit | CAAU-ALL-822-DB | Delegated admin addition followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-819-DB | Account deleting multiple folders within a short period
Cloud Application Audit | CAAU-ALL-821-ERR | Rare account creating pub Sub topic
Cloud Application Audit | CAAU-ALL-811-BP | Abnormal number of distinct recipe deleted by an account
Cloud Services / Applications | CSA-ALL-860-ERR | Unusual number of Key Vault operations
Cloud Services / Applications | CSA-AWS-712-DB | Recon Activity Detected on Cloud Computing Resource
Cloud Services / Applications | CSA-ALL-861-ERR | Rare country for SAML Token authentication
Cloud Services / Applications | CSA-ALL-863-ERR | Resource launched with rare Instance type or Image ID
Cloud Services / Applications | CSA-ALL-859-RU | Customer master keys Disabled or Scheduled for Deletion
Cloud Services / Applications | CSA-ALL-884-ERR | Critical Key vault Operation performed by account
Cloud Services / Applications | CSA-ALL-883-ERR | Rare account list all Cloud accounts in the region
Cloud Services / Applications | CSA-ALL-882-ERR | Rare account attempting to update role permissions
Cloud Services / Applications | CSA-ALL-864-ERR | Cloud storage accessed from Rare Geolocation
Cloud Services / Applications | CSA-ALL-865-ERR | Rare cloud storage discovery activity from Account
Cloud Services / Applications | CSA-ALL-880-ER | IAM Role deleted by rare account
Cloud Services / Applications | CSA-ALL-848-BP | Abnormal number of distinct Pods accessed - Kubernetes
Cloud Services / Applications | CSA-ALL-877-BP | Spike in denied transactions on cloud resources by account
Cloud Services / Applications | CSA-ALL-879-ERR | Rare implant or list container image by account
Cloud Services / Applications | CSA-ALL-878-ERR | Rare identity deleted cloud compute resources
Cloud Services / Applications | CSA-ALL-870-RU | SSH or RDP or DB port authorized on security group
Cloud Services / Applications | CSA-ALL-875-ERR | Rare account deleted cloud storage resources
Cloud Services / Applications | CSA-ALL-866-ERR | Rare IAM policy activity from account
Cloud Services / Applications | CSA-ALL-867-ERR | Cloud storage operation from rare Role
Cloud Services / Applications | CSA-ALL-876-ERR | Rare account creating Snapshot or Volume
Cloud Services / Applications | CSA-ALL-869-ERR | Rare account creating Security group or compute Firewall
Cloud Services / Applications | CSA-ALL-881-ER | IAM Role Created by rare account
Cloud Services / Applications | CSA-ALL-868-ERR | Rare account generating Key Pair
Cloud Services / Applications | CSA-ALL-755-RU | New Account Creation Detected
Cloud Services / Applications | CSA-ALL-871-ERR | Rare security group changes on cloud infrastructure by account
Cloud Services / Applications | CSA-ALL-872-ERR | Rare privilege escalation through IAM instance profile
Cloud Services / Applications | CSA-ALL-873-ERR | Rare Account Manipulating Customer Managed IAM Policy
Cloud Services / Applications | CSA-ALL-874-ERR | Rare Credential Harvesting Activity on Cloud Infrastructure by account
Cloud Services / Applications | CSA-ALL-862-RU | Cloud Storage observed with public access
Content Management System | CMS-ALL-831-BP | Abnormal number of files downloaded -CMS
Endpoint Management Systems | EDR-ALL-226-RU | Hijack Execution Flow msmpeng executable DLL Sideload File Creation Analytic
Endpoint Management Systems | EDR-ALL-64-ERR | Rare Unsigned DLL Load For Process Potential DLL Hijacking Side-Loading Analytic
Endpoint Management Systems | EDR-ALL-105-ERR | Possible Process Hollowing Herpaderping Rare Image Tampering Analytic
Endpoint Management Systems | EDR-ALL-221-ERR | Possible CVE-2021-34527 Exploitation Attempt Unusual Child Process Analytic
Endpoint Management Systems | EDR-ALL-114-RU | Possible TEARDROP Malicious Payload Variant Analytic
Endpoint Management Systems | EDR-ALL-179-RU | Potential DarkSide Shadow Copy Deletion Analytic
Endpoint Management Systems | EDR-ALL-40-BP | Possible token enumeration - Peak process token access analytic
Endpoint Management Systems | EDR-ALL-183-RU | Potential Exfiltration MegaSync Process Analytic
Endpoint Management Systems | EDR-ALL-182-RU | Potential MegaSync or MegaCmd Exfiltration DNS Query Analytic
Endpoint Management Systems | EDR-ALL-101-BP | Possible Meterpreter Process Enumeration Analytic
Endpoint Management Systems | EDR-ALL-01-RU | Decoding PE or DLL From b64 Via Certutil Analytic
Endpoint Management Systems | EDR-ALL-61-RU | Malicious Named Pipes Analytic
Endpoint Management Systems | EDR-ALL-118-ERR | Possible Cobalt Strike Beacon NamedPipe Use Artifact Analytic
Endpoint Management Systems | EDR-ALL-42-ERR | InternetExplorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-114-ERR | Possible ADFSDump Malicious Certificate Extraction Named Pipe Analytic
Endpoint Management Systems | EDR-ALL-230-RU | Hijack Execution Flow msmpeng executable DLL Sideload Analytic
Endpoint Management Systems | EDR-ALL-116-RU | Possible SUNBURST Implant Activity Analytic
Endpoint Management Systems | EDR-ALL-91-ERR | Potential CLR injection Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-119-ERR | Watching the Watchers - Possible Trojaned Vendor Executable Named Pipe Discrepancy Analytic
Endpoint Management Systems | EDR-ALL-117-ERR | Possible RAINDROP Variant Artifact Analytic
Endpoint Management Systems | EDR-ALL-65-ERR | Rare Signed DLL Load For Process Potential DLL Hijacking Side Loading Analytic
Endpoint Management Systems | EDR-ALL-124-RU | Potential Usage Of Archiving Software Command Line Analytics
Endpoint Management Systems | EDR-ALL-184-RU | Potential Exfiltration MEGAcmdShell Process Analytic
Endpoint Management Systems | EDR-ALL-115-RU | Rule Internet Explorer Application DLL Loading Injection Analytic
Identity Password spraying IAM-ALL-801-DB Access Management attempts from an IP
Identity Advance protection IAM-ALL-810-RU Access Management disabled for an account
Identity Abnormal number of IAM-ALL-811-DB Access Management password change attempts
Identity Successful Password IAM-ALL-802-RU Access Management spraying attack from an IP
Successful Identity authentication following an IAM-ALL-807-RU Access Management abnormal frequency of authentication failures
Account Identity IAM-ALL-806-ERR authenticating to Azure AD Access Management from rare country
Identity Account Recovery IAM-ALL-809-RU Access Management Information Changed
SNYPR Release Notes 54 New and Improved Content
Functionality Signature ID Policy Name
Abnormal frequency of Identity IAM-ALL-803-BP authentication failures for Access Management an account
Identity Multi Factor IAM-ALL-808-RU Access Management Authentication Disabled
Account Identity authenticating to Azure AD IAM-ALL-804-ERR Access Management from rare country across the organization
Identity Landspeed anomaly IAM-ALL-805-LS Access Management detected on Azure AD
Possible remote Microsoft WEL-ALL-859-BP interactive logon Windows enumeration
Microsoft Possible Zerologon WEL-ALL-862-RU Windows attack using tools
Microsoft Ticket Encryption and WEL-ALL-13-DB Windows Ticket Options Analytic
Possible CVE-2021-34527 Microsoft WEL-ALL-221-ERR Exploitation Attempt Windows Unusual Child Process Analytic - Windows
Peak Distinct Account Microsoft WEL-ALL-15-BP Change For Source User Windows Analytic
Use of explicit Microsoft credentials by a rare WEL-ALL-976-ERR Windows account - Account sharing or Password misuse
Microsoft Potential Metasploit WEL-ALL-298-ER Windows or Hash Passing Analytic
SNYPR Release Notes 55 New and Improved Content
Functionality Signature ID Policy Name
Microsoft Abnormal frequency of WEL-ALL-299-BP Windows Netlogon access errors
Peak Microsoft WEL-ALL-30-BP LsaRegisterLogonProcess Windows Increase Analytic
Potential PrintNightmare Malicious Microsoft PSH-ALL-25-RU Powershell Implant Windows Powershell Exploitation Attempt Analytic
Possible Reflection Microsoft PSH-ALL-7-RU Assembly Weaponization Windows Powershell Activity Analytic
Network Landspeed anomaly on NTA-ALL-853-LS Traffic Analytics VPN - NTA
Rare account making Physical PHY-ALL-810-ERR changes to the physical Security / Badging security device
Failed access attempt Physical PHY-ALL-808-RU detected from an user to Security / Badging the facility
High number of failed Physical PHY-ALL-809-RU entry attempts detected Security / Badging from the user
Physical Multiple physical PHY-ALL-803-BP Security / Badging access within short time
Physical Board Communication PHY-ALL-811-RU Security / Badging Failure Cleared
User had unauthorized Physical PHY-ALL-812-DB attempts across multiple Security / Badging locations
SNYPR Release Notes 56 New and Improved Content
Functionality Signature ID Policy Name
Abnormal use of Unix / Linux UNX-ALL-825-BP privileged super user / AIX command
High CPU usage on Virtualization VIR-ALL-803-DB ESXi hosts during Non- / Containers Business hours - vCenter
High number of Virtualization VIR-ALL-804-DB Snapshots created - / Containers vCenter
Host enumeration Virtualization VIR-ALL-811-BP attempt detected from an / Containers account
Abnormal number of Virtualization VIR-ALL-810-BP virtual machines deleted - / Containers vCenter
Virtualization New account created VIR-ALL-808-ERR / Containers on virtual machine
High number of Virtualization VIR-ALL-807-DB Virtual Machines cloned - / Containers vCenter
Multiple Virtual Virtualization Machine Images VIR-ALL-809-BP / Containers Downloaded by an Account - vCenter
VM Snapshot creation Virtualization followed by Snapshot VIR-ALL-806-DB / Containers Memory file or State file download - vCenter
BruteForce attempts Virtualization VIR-ALL-805-DB on user account of VM or / Containers ESxi or vCenter
SNYPR Release Notes 57 New and Improved Content
Functionality Signature ID Policy Name
High number of Virtualization VIR-ALL-802-DB virtual machines deleted - / Containers vCenter
Multiple virtual Virtualization VIR-ALL-801-DB machines shutdown - / Containers vCenter
Improved Content
This section lists all improved parsers, connectors, and threat content.
Updated Connectors
Vendor | Functionality | Device Type | Collection Method
Amazon Inc | Database Audit | AWS Redshift | Collection Method: splunkraw; Format: Regex
Amazon Inc | IDS / IPS / UTM / Threat Detection | AWS GuardDuty | Collection Method: splunkraw; Format: JSON
BIND DNS | DNS / DHCP | BIND DNS | Collection Method: syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: syslog; Format: CEF
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: syslog; Format: Regex
Cisco Systems | Network Access Control / NAC | Cisco Identity Service Engine | Collection Method: syslog; Format: Regex
Cisco Systems | Web Proxy | Cisco ScanSafe | Collection Method: syslog; Format: Regex
Cisco Systems | Network Access Control / NAC | Cisco Router and Switch | Collection Method: syslog; Format: Regex
Cisco Systems | Network Access Control / NAC | Cisco Router | Collection Method: file; Format: JSON
Cisco Systems | Network Access Control / NAC | Cisco Wireless LAN Controller TRAP | Collection Method: syslog; Format: Regex
Cisco Systems | Web Proxy | IronPort Web Security Appliance | Collection Method: syslog; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco ASA | Collection Method: splunkraw; Format: Regex
Cisco Systems | Next Generation Firewall | Cisco FTD | Collection Method: syslog; Format: Regex
Cisco Systems | DNS / DHCP | Cisco Umbrella | Collection Method: syslog; Format: JSON
Cisco Systems | DNS / DHCP | Cisco Umbrella | Collection Method: splunkraw; Format: JSON
Cisco Systems | DNS / DHCP | Cisco Umbrella | Collection Method: ciscoumbrella; Format: JSON
Cisco Systems | Next Generation Firewall | Cisco Meraki Firewall | Collection Method: syslog; Format: Regex
Cisco Systems | IP Telephony | Cisco Unified Communications | Collection Method: syslog; Format: Regex
Cofense | Email / Email Security | Cofense O365 | Collection Method: office365phishingmailbox; Format: JSON
CrowdStrike | Cloud Antivirus / Malware / EDR | Crowdstrike Alerts Query | Collection Method: crowdstrikequery; Format: JSON
CrowdStrike | Endpoint Management Systems | Crowdstrike Falcon | Collection Method: awssqss3; Format: JSON
Dell / SonicWall Inc. | Next Generation Firewall | SonicWall Global Management System | Collection Method: syslog; Format: Key Value Pair
Diamond IP / BT | DNS / DHCP | Diamond IPAM | Collection Method: syslog; Format: Regex
F5 Networks | Load Balancer | F5 BigIP Traffic Manager | Collection Method: syslog; Format: Regex
Fortinet | Next Generation Firewall | Fortigate | Collection Method: syslog; Format: Key Value Pair
HAProxy | Web Proxy | HA Proxy | Collection Method: syslog; Format: Delimited-space
Infoblox | DNS / DHCP | Infoblox | Collection Method: syslog; Format: Regex
Intel Security / McAfee Inc. | Web Proxy | McAfee Web Gateway | Collection Method: syslog; Format: CEF
Juniper Networks | Authentication / VPN | Juniper Junos Pulse VPN | Collection Method: syslog; Format: Regex
Juniper Networks | Authentication / VPN | Juniper Secure Access VPN | Collection Method: syslog; Format: Regex
Juniper Networks | Firewall | Juniper Junos Pulse Firewall | Collection Method: syslog; Format: Regex
Juniper Networks | Authentication / VPN | Juniper Netscreen HVD VPN | Collection Method: syslog; Format: Regex
Microsoft Corporation | Email / Email Security | Microsoft Exchange Server | Collection Method: syslog; Format: Regex
Microsoft Corporation | Microsoft Windows | Microsoft Windows SNARE | Collection Method: syslog; Format: snare
Microsoft Corporation | Microsoft Windows | Microsoft Windows PSLOGLIST | Collection Method: syslog; Format: PSLOGLIST
Microsoft Corporation | Microsoft Windows | Microsoft Windows WINEVENT | Collection Method: syslog; Format: WINEVENT
Microsoft Corporation | Microsoft Windows | Microsoft Windows | Collection Method: syslog; Format: WINDOWSRSA
Microsoft Corporation | DNS / DHCP | Microsoft DHCP | Collection Method: syslog; Format: Delimited-comma
Microsoft Corporation | Microsoft Windows | Microsoft Windows SNARE | Collection Method: splunkraw; Format: snare
Microsoft Corporation | Microsoft Windows | Microsoft Windows WINEVENT | Collection Method: splunkraw; Format: WINEVENT
Oracle Corporation | Database Audit | Oracle SysDB | Collection Method: syslog; Format: CEF
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Collection Method: splunkraw; Format: Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Collection Method: syslog; Format: Regex
Palo Alto Networks | Cloud Antivirus / Malware / EDR | PA Cortex | Collection Method: syslog; Format: CEF
Rapid 7 | Vulnerability Scanners | Nexpose Vulnerability Scanner | Collection Method: syslog; Format: Regex
RSA Solutions | Authentication / SSO / Single Sign-On | RSA SecurID Authentication Manager | Collection Method: file; Format: Regex
RSA Solutions | Authentication / SSO / Single Sign-On | RSA SecurID Authentication Manager | Collection Method: splunkraw; Format: Regex
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | Collection Method: syslog; Format: Regex
Tenable | Vulnerability Scanners | Nessus Vulnerability Scanner | Collection Method: syslog; Format: JSON
Trend Micro Inc. | IDS / IPS / UTM / Threat Detection | TippingPoint IPS | Collection Method: syslog; Format: Regex
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | Unix | Collection Method: syslog; Format: Regex
VMware | Virtualization / Containers | VMware NSX-T | Collection Method: syslog; Format: Regex
Zoom | Business Collaboration Platforms | Zoom | Collection Method: zoom API; Format: JSON
Zscaler | Web Proxy | Zscaler Proxy | Collection Method: syslog; Format: CEF
Updated Functionality
The following table contains the functionality that was updated in this release:
Resource Type | Previous Functionality | New Functionality
Aruba Clear Pass | Network Access Control | Network Access Control / NAC
AWS CloudTrail | AWS - Cloud Services / Applications | Cloud Services / Applications
AWS EKS Audit | AWS Kubernetes | Cloud Services / Applications
AWS EKS Authenticator | AWS Kubernetes | Cloud Services / Applications
AWS EKS Controller Manager | AWS Kubernetes | Cloud Services / Applications
AWS foundry | AWS - Cloud Services / Applications | Cloud Services / Applications
Bro Network Security | Netflow / Sinkhole | Flow
Cisco NXOS | Operating Systems | Network Access Control / NAC
Cisco Umbrella | Next Generation Firewall | DNS / DHCP
DAM | Database Access Monitoring | Database Monitoring
Gigya | Audit | Application Audit
Imperva | Database Security | Database Audit
Mcafee Web Gateway | Web Gateway Proxy | Web Proxy
RedHat OpenShift CaaS | Containers As A Service | Virtualization / Containers
SVN | Application Audit | Source Code Repository
Tanium | Tanium/ WorkStation Management Systems | Endpoint Management Systems
Tanium Detect | Endpoint Management Systems | Antivirus / Malware / EDR
Tanium Endpoint | Tanium/ WorkStation Management Systems | Endpoint Management Systems
Improved Threat Detection Content
The following table contains the threat detection content that was improved in this release:
Functionality | Signature ID | Policy Name
Antivirus / Malware / EDR | EDR-ALL-729-ER | Potential WMI Lateral Movement - Rare process spawned - AVEDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-29-ER | Potential WMI Lateral Movement - Rare process spawned - Cloud EDR
Cloud Application Security Broker | CASB-ALL-818-RU | User visiting steganography sites - SIEM - CASB
Cloud Application Audit | CAAU-ALL-800-RU | Potential account compromise - Exchange
Cloud Content Management System | CCMS-ALL-805-BP | Abnormal number of files shared with Competitor email address
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Cloud Content Management System | CCMS-ALL-802-ERR | Account Activity detected from Rare Country
Cloud Content Management System | CCMS-ALL-804-BP | Abnormal number of files shared with personal account
Cloud Content Management System | CCMS-ALL-810-BP | Abnormal number of files downloaded by an account
Cloud Content Management System | CCMS-ALL-807-RU | File activity performed by terminated user
Cloud Content Management System | CCMS-ALL-801-ER | Suspicious Modification of Privileges for Documents
Cloud Content Management System | CCMS-ALL-816-BP | Abnormal number of files deleted by an account
Cloud Content Management System | CCMS-ALL-812-ER | Rare Operation performed by an User
Cloud Content Management System | CCMS-ALL-814-BP | Abnormal Number of files Printed compared to past behavior
Cloud Content Management System | CCMS-ALL-815-DB | Recovering Files along with Data Egress
Cloud Content Management System | CCMS-ALL-809-ERR | Account accessing file path never accessed before
Cloud Content Management System | CCMS-ALL-806-BP | Abnormal number of files shared with Non Business account
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-811-LS | Landspeed Anomaly - Cloud Content Management System
Cloud Content Management System | CCMS-ALL-813-RU | File shared with Non business account
Cloud Content Management System | CCMS-ALL-835-BP | Abnormal number of files downloaded compared to peers
Cloud Content Management System | CCMS-ALL-836-BP | Abnormal number of files uploaded
Cloud Content Management System | CCMS-ALL-820-DB | Multiple Files shared with Non Business Accounts
Cloud Content Management System | CCMS-ALL-837-RU | File shared with personal account
Cloud Content Management System | CCMS-ALL-821-DB | Multiple Files shared with Account having competitor domain
Cloud Content Management System | CCMS-ALL-822-RU | Critical files shared with external Account
Cloud Content Management System | CCMS-ALL-823-RU | Corporate documents made public
Cloud Content Management System | CCMS-ALL-838-BP | Abnormal Number of Corporate documents made public
Cloud Content Management System | CCMS-ALL-824-DB | External account accessing multiple critical files
Cloud Content Management System | CCMS-ALL-825-DB | External account downloading high number of files
Cloud Content Management System | CCMS-ALL-839-BP | External account downloading abnormally high number of files
Cloud Content Management System | CCMS-ALL-826-RU | Activity from personal account belonging to company employee
Cloud Content Management System | CCMS-ALL-827-DB | Account activity from multiple countries in a day
Cloud Content Management System | CCMS-ALL-828-ERR | Account activity from a country rare to the organization
Cloud Content Management System | CCMS-ALL-829-ERR | Account activity from a country rare for the user
Cloud Content Management System | CCMS-ALL-830-LS | Landspeed anomaly detected for account
Cloud Content Management System | CCMS-ALL-831-RU | Activity from suspicious IP
Cloud Content Management System | CCMS-ALL-832-RU | User Changing Document Visibility to Anyone with a link-240
Cloud Content Management System | CCMS-ALL-808-ER | User performing unusual activity compared to peers
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Email / Email Security | EML-ALL-816-RU | Flight Risk Behavior Exhibited In Emails
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-79-ER | Suspicious use of cradle - rare child process spawned from script interpreter
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-109-RU | Possible use of renamed LOL helper tool payload by malware - executable and hash tracking
Endpoint Management Systems | EDR-ALL-110-RU | Possible use of renamed LOL helper tool payload by malware - renamed payload executed
Endpoint Management Systems | EDR-ALL-111-ER | Proxied execution of potentially suspicious process via binaries signed by trusted entities
Microsoft Windows | WOS-214-BP | Abnormal number of network share object access
Microsoft Windows | WOS-290-BP | Abnormal number of kerberos pre authentication failures
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phantom Event Log Thread Termination Covertness Analytic - A2B
Microsoft Windows | WEL-ALL-906-BP | Suspicious Account Activity - Peak Credential Validation Failure Increase For Host Analytic
Next Generation Firewall | IFW-ALL-904-RU | RDP Access allowed from the internet - SIEM
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | IFW-ALL-905-TP | Inbound Traffic from C2 Domains and IP addresses - SIEM
Next Generation Firewall | IFW-ALL-901-TP | Outbound Traffic to C2 Domains and IP addresses - SIEM
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | NGF-768 | Possible host enumeration over system ports - Internal - Next Gen Firewall
Unix / Linux / AIX | UNX-ALL-801-DB | Brute Force Followed By a Successful Login from internal - SIEM
Unix / Linux / AIX | UNX-ALL-814-DB | Account was created and acted suspiciously - SIEM
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phantom Event Log Thread Termination Covertness Analytic - A2B
Vulnerability Scanners | SCN-ALL-803-RU | Unpatched Vulnerability
Vulnerability Scanners | SCN-ALL-802-RU | Target Attack on vulnerable asset
Web Proxy | PXY-ALL-864-TA | Traffic to randomly generated domains
Decommissioned Content
The following table contains the formats that are no longer supported in this release:
Vendor | Functionality | Device Type | Collection Method
Amazon Inc | AWS - Cloud Services / Applications | AWS CloudTrail | Collection Method: awssqss3; Format: JSON
Amazon Inc | Firewall | AWS VPC Flow | Collection Method: awscloudwatch; Format: Delimited-space
Duo Security | Cloud Authentication / SSO / Single Sign-On | DUO Security Authentication | Collection Method: duo; Format: JSON
Intel Security / McAfee Inc. / IronMail | Email / Email Security | Mcafee IronMail Email Gateway | Collection Method: file; Format: Regex
Raytheon / Websense / ForcePoint Inc | Web Proxy | Websense Proxy | Collection Method: syslog; Format: CEF
Tanium | Antivirus / Malware / EDR | Tanium Detect | Collection Method: syslog; Format: CEF
Functionality | Policy Name | Signature ID | Comments
Access / Privileged User | Possible sabotage - Rare action performed by account | N/A | Removed the policy as it flagged low level events.
Access / Privileged User | Abnormal number of distinct accounts accessed compared to past behavior | N/A | Removed the policy as it flagged low level events.
Access / Privileged User | Possible sabotage - Abnormal number of Cyberark files deleted | N/A | Removed the policy as it flagged low level events.
Access / Privileged User | Rare action performed on safe not performed by peers | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal amount of data copied to removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal number of failed login attempts - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal number of files transferred to removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal number of files with High Value Extensions via removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Abnormal Number of Processes Terminated - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Admin user logging in via clear text - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Beaconing traffic to rare domains on web activity - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Flight risk behavior via removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Flight risk behavior via removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | IOS Buffer Overflow - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Job exiting behavior exhibited in removable media - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Malicious Outbound Redirect - Allowed - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Malicious Outbound Redirect - Blocked - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Malicious Software Detected - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Network connections to rare systems - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare dll process and path on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare dll used by a process on the network - Cloud EDR - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare function used by a dll on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare parent process spawning a child process on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare process and path detected on the network - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare process and path for high severity endpoint alerts - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Rare use of critical keywords in commandline for Linux - EDR - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Network Activity - Peak Powershell LDAP Connection For Host Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Explorer - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSAAS - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSM - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Rundll32 - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Services - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SMSS - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SVCHost - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - WinInit - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Injection - Unusual Crossproc Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - WMI Lateral Movement - Unusual WMI Child Process Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Known Threat Intel Malicious Process Execution Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Peak Rare Process Spike For Organization Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Rare Office Child Process Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Targeted - Suspicious Office Child Process Executable Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare CreateRemoteThread Invocation Potential BYOL-C Execute-Assembly Analytics - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare DLL Invocation Via Rundll32 For Host Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Parent-Child Relationship For User Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Process For Host Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Mimikatz CommandLine Usage Analytic - A2B - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Shadow Copy-Backup Deletion Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Boot Recover Disable Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Command Line Arguments Analytic - A2B - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Common Escalation of Privilege AppInit DLL Registry Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Keyloggers Abusing Nirsoft Tools Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Possible Enum File Creation Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Command Line Admin Share Access Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence I Clicking Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence II Malicious Payload Open Browser Modality Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Powershell Phantom Event Log Thread Termination Covertness Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Scripting File Types Created Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Shim Database Registration Changes Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Squiblydoo Attack Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Malicious Start Menu Startup Modification Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Malicious Start Menu_ Startup Modification Analytic - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - MS EquationEditor Spawning a Child Process Analytic - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Autorun Changes Analytic - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Internal Monologue Attack - NetNTLM Version Update Analytics - A2B - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Usage of Credential Dumpers - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Virus and Malicious Code Outbreak - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Vulnerable Endpoint monitoring - EDR | N/A | Duplicate - Threat scenario covered as part of another policy.
Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - EDR | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Repeat Attack-Network Intrusion Prevention System | N/A | Removed the policy as it flagged low level events.
Antivirus / Malware / EDR | Repeat Attack-Host Intrusion Prevention System | N/A | Removed the policy as it flagged low level events.
Application / Enterprise / SaaS | Abnormal amount of data uploaded to cloud storage | N/A | Removed the policy as it flagged low level events.
Application / Enterprise / SaaS | Abnormal number of files uploaded to cloud storage | N/A | Removed the policy as it flagged low level events.
Authentication / SSO / Single Sign-On | Rare Okta Application Access | N/A | Removed the policy as it flagged low level events.
Authentication Rare IP address - Removed the policy as it / SSO / Single N/A successful Okta login flagged low level events. Sign-On
Authentication Successful Login From These are replaced with / SSO / Single N/A Suspicious IP Address CRP policy Sign-On
Authentication Robotic Pattern These are replaced with / SSO / Single Observed from an IP - N/A CRP policy Sign-On Failed Login
Duplicate - Threat Authentication Account Authenticating N/A scenario covered as / VPN from Rare Geolocation part of another policy
Duplicate - Threat Authentication Brute Force Access - N/A scenario covered as / VPN SIEM part of another policy
Abnormal number of Authentication Removed the policy as it High severity alerts N/A / WiFi flagged low level events. from an entity
Abnormal number of Duplicate - Threat Authentication User Authentication N/A scenario covered as / WiFi Failure part of another policy
AWS / Cloud Cloud storage resource Services / accessed from a rare IP N/A Very Noisy Applications address
SNYPR Release Notes 83 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Abnormal number of Antivirus / files transferred to Removed the policy as it N/A Malware / removable media - flagged low level events. EDR Cloud EDR
Cloud Abnormal number of Antivirus / Removed the policy as it failed login attempts - N/A Malware / flagged low level events. Cloud EDR EDR
Cloud Abnormal Number of Antivirus / Removed the policy as it Processes Terminated - N/A Malware / flagged low level events. Cloud EDR EDR
Cloud Admin user logging in Antivirus / Removed the policy as it via clear text - Cloud N/A Malware / flagged low level events. EDR EDR
Cloud Beaconing traffic to Antivirus / Removed the policy as it rare domains on web N/A Malware / flagged low level events. activity - Cloud EDR EDR
Cloud DNS traffic to Antivirus / Removed the policy as it randomly generated N/A Malware / flagged low level events. domains - Cloud EDR EDR
Cloud Flight risk behaviour Antivirus / Removed the policy as it via removable media - N/A Malware / flagged low level events. Cloud EDR EDR
SNYPR Release Notes 84 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Duplicate - Threat Antivirus / Infected Endpoint N/A scenario covered as Malware / monitoring - Cloud EDR part of another policy EDR
Cloud Antivirus / IOS Buffer Overflow - Removed the policy as it N/A Malware / Cloud EDR flagged low level events. EDR
Cloud Job exiting behavior Antivirus / Removed the policy as it exhibited in removable N/A Malware / flagged low level events. media - Cloud EDR EDR
Cloud Malicious Outbound Duplicate - Threat Antivirus / Redirect - Allowed - N/A scenario covered as Malware / Cloud EDR part of another policy EDR
Cloud Malicious Outbound Duplicate - Threat Antivirus / Redirect - Blocked - N/A scenario covered as Malware / Cloud EDR part of another policy EDR
Cloud Duplicate - Threat Antivirus / Malicious Software N/A scenario covered as Malware / Detected - Cloud EDR part of another policy EDR
Cloud Network connections to Antivirus / rare systems - Cloud N/A Low fidelity Malware / EDR EDR
SNYPR Release Notes 85 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Rare dll process and Antivirus / path on the network - N/A Low fidelity Malware / Cloud EDR EDR
Cloud Rare dll used by a Antivirus / process on the network N/A Low fidelity Malware / - Cloud EDR EDR
Cloud Rare function used by a Antivirus / dll on the network - N/A Low fidelity Malware / Cloud EDR EDR
Cloud Rare parent process Antivirus / spawning a child N/A Low fidelity Malware / process on the network EDR - Cloud EDR
Cloud Rare process and path Antivirus / detected on the N/A Low fidelity Malware / network - Cloud EDR EDR
Cloud Rare process and path Antivirus / for high severity N/A Low fidelity Malware / endpoint alerts - Cloud EDR EDR
Cloud Rare use of critical Antivirus / keywords in N/A Low fidelity Malware / commandline for Linux EDR - Cloud EDR
SNYPR Release Notes 86 New and Improved Content
Policy Name Signature ID Signature Comments
Suspicious Network Cloud Activity - Peak Antivirus / Powershell LDAP N/A Low fidelity Malware / Connection For Host EDR Analytic - A2B - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - Explorer - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - LSAAS - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - LSM - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - Rundll32 - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - Services - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - SMSS - Cloud EDR
SNYPR Release Notes 87 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - SVCHost - Cloud EDR
Cloud Suspicious path of Duplicate - Threat Antivirus / execution for known N/A scenario covered as Malware / processes on Windows part of another policy EDR - WinInit - Cloud EDR
Suspicious Process Cloud Activity - Potential Antivirus / Removed the policy as it Injection - Unusual N/A Malware / flagged low level events. Crossproc Analytic - EDR Cloud EDR
Suspicious Process Cloud Activity - WMI Lateral Antivirus / Movement - Unusual Removed the policy as it N/A Malware / WMI Child Process flagged low level events. EDR Analytic -A2B - Cloud EDR
Suspicious Process Cloud Activity - Known Antivirus / Removed the policy as it Threat Intel Malicious N/A Malware / flagged low level events. Process Execution EDR Analytic - Cloud EDR
Suspicious Process Cloud Activity - Peak Rare Antivirus / Removed the policy as it Process Spike For N/A Malware / flagged low level events. Organization Analytic - EDR Cloud EDR
SNYPR Release Notes 88 New and Improved Content
Policy Name Signature ID Signature Comments
Suspicious Process Cloud Activity - Potential Duplicate - Threat Antivirus / Phishing Sequence III - N/A scenario covered as Malware / Rare Office Child part of another policy EDR Process Analytic - Cloud EDR
Suspicious Process Activity - Potential Cloud Phishing Sequence III - Duplicate - Threat Antivirus / Targeted - Suspicious N/A scenario covered as Malware / Office Child Process part of another policy EDR Executable Analytic - Cloud EDR
Suspicious Process Activity - Rare Cloud CreateRemoteThread Antivirus / Removed the policy as it Invocation Potential N/A Malware / flagged low level events. BYOL-C Execute- EDR Assembly Analytics- A2B - Cloud EDR
Suspicious Process Cloud Activity - Rare DLL Antivirus / Removed the policy as it Invocation Via N/A Malware / flagged low level events. Rundll32 For Host EDR Analytic - Cloud EDR
Suspicious Process Cloud Activity - Rare Parent- Antivirus / Removed the policy as it Child Relationship For N/A Malware / flagged low level events. User Analytic - Cloud EDR EDR
SNYPR Release Notes 89 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Suspicious Process Antivirus / Activity - Rare Process Removed the policy as it N/A Malware / For Host Analytic - flagged low level events. EDR Cloud EDR
Suspicious Process Activity - Rule - Cloud Potential Attack Tool Antivirus / Removed the policy as it PWDUMP or Mimikatz N/A Malware / flagged low level events. Usage File Creation EDR Analytic - A2B - Cloud EDR
Suspicious Process Cloud Activity - Rule - Duplicate - Threat Antivirus / Potential Mimikatz N/A scenario covered as Malware / CommandLine Usage part of another policy EDR Analytic - A2B - Cloud EDR
Cloud Suspicious Process Duplicate - Threat Antivirus / Activity - Shadow N/A scenario covered as Malware / Copy-Backup Deletion part of another policy EDR Analytic - Cloud EDR
Cloud Suspicious Process Removed the policy as Antivirus / Activity - Targeted - N/A it flagged low level Malware / Boot Recover Disable events. EDR Analytic - Cloud EDR
Suspicious Process Cloud Activity - Targeted - Duplicate - Threat Antivirus / Command Line N/A scenario covered as Malware / Arguments Analytic - part of another policy EDR A2B - Cloud EDR
SNYPR Release Notes 90 New and Improved Content
Policy Name Signature ID Signature Comments
Suspicious Process Cloud Activity - Targeted - Removed the policy as Antivirus / Common Escalation of N/A it flagged low level Malware / Privilege AppInit DLL events. EDR Registry Analytic - Cloud EDR
Suspicious Process Cloud Activity - Targeted - Duplicate - Threat Antivirus / Keyloggers Abusing N/A scenario covered as Malware / Nirsoft Tools Analytic - part of another policy EDR Cloud EDR
Suspicious Process Cloud Activity - Targeted - Antivirus / Removed the policy as it Possible Enum File N/A Malware / flagged low level events. Creation Analytic - A2B EDR - Cloud EDR
Suspicious Process Cloud Activity - Targeted - Antivirus / Potential Command Removed the policy as it N/A Malware / Line Admin Share flagged low level events. EDR Access Analytic - Cloud EDR
Suspicious Process Cloud Activity - Targeted - Duplicate - Threat Antivirus / Potential Phishing N/A scenario covered as Malware / Sequence I Clicking part of another policy EDR Analytic - Cloud EDR
SNYPR Release Notes 91 New and Improved Content
Policy Name Signature ID Signature Comments
Suspicious Process Activity - Targeted - Cloud Potential Phishing Duplicate - Threat Antivirus / Sequence II Malicious N/A scenario covered as Malware / Payload Open Browser part of another policy EDR Modality Analytic - Cloud EDR
Suspicious Process Activity - Targeted - Cloud Potential Powershell Antivirus / Removed the policy as it Phanthom Event Log N/A Malware / flagged low level events. Thread Termination EDR Covertness Analytic - A2B - Cloud EDR
Suspicious Process Cloud Activity - Targeted - Antivirus / Removed the policy as it Scripting File Types N/A Malware / flagged low level events. Created Analytic - A2B EDR - Cloud EDR
Suspicious Process Cloud Activity - Targeted - Antivirus / Shim Database Removed the policy as it N/A Malware / Registration Changes flagged low level events. EDR Analytic - A2B - Cloud EDR
Cloud Suspicious Process Duplicate - Threat Antivirus / Activity - Targeted - N/A scenario covered as Malware / Squiblydoo Attack part of another policy EDR Analytic - Cloud EDR
SNYPR Release Notes 92 New and Improved Content
Policy Name Signature ID Signature Comments
Suspicious Process Cloud Activity- Targeted - Antivirus / Malicious Start Menu Removed the policy as it N/A Malware / Startup Modification flagged low level events. EDR Analytic -A2B - Cloud EDR
Suspicious Process Cloud Activity- Targeted - Antivirus / Removed the policy as it Malicious Start Menu_ N/A Malware / flagged low level events. Startup Modification EDR Analytic - Cloud EDR
Suspicious Process Cloud Activity- Targeted - MS Duplicate - Threat Antivirus / EquationEditor N/A scenario covered as Malware / Spawning a Child part of another policy EDR Process Analytic - Cloud EDR
Suspicious Registry Cloud Activity - Targeted - Antivirus / Removed the policy as it Autorun Changes N/A Malware / flagged low level events. Analytic -A2B - Cloud EDR EDR
Suspicious Registry Activity - Targeted - Cloud Internal Monologue Antivirus / Removed the policy as it Attack - NetNTLM N/A Malware / flagged low level events. Version Update EDR Analytics-A2B - Cloud EDR
SNYPR Release Notes 93 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Duplicate - Threat Antivirus / Usage of Credential N/A scenario covered as Malware / Dumpers - Cloud EDR part of another policy EDR
Cloud Virus and Malicious Duplicate - Threat Antivirus / Code Outbreak - Cloud N/A scenario covered as Malware / EDR part of another policy EDR
Cloud Duplicate - Threat Antivirus / Vulnerable Endpoint N/A scenario covered as Malware / monitoring - Cloud EDR part of another policy EDR
Cloud Low Severity Endpoint Antivirus / Removed the policy as it Alert Detected - Cloud N/A Malware / flagged low level events. EDR EDR
Cloud Medium Severity Antivirus / Removed the policy as it Endpoint Alert N/A Malware / flagged low level events. Detected - Cloud EDR EDR
Cloud Brute Force Attack to Duplicate - Threat Authentication the same host - SIEM - N/A scenario covered as / SSO / Single SSO part of another policy Sign-On
Cloud Repeat Failure Duplicate - Threat Authentication Authentication - SIEM - N/A scenario covered as / SSO / Single SSO part of another policy Sign-On
SNYPR Release Notes 94 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Password Spraying Duplicate - Threat Authentication Attack Detected - SIEM N/A scenario covered as / SSO / Single - SSO part of another policy Sign-On
Cloud High Failed Logins to Duplicate - Threat Authentication Domain Admin Account N/A scenario covered as / SSO / Single - SIEM - SSO part of another policy Sign-On
Cloud Duplicate - Threat Authentication Concurrent console N/A scenario covered as / SSO / Single logon - SIEM - SSO part of another policy Sign-On
Cloud Duplicate - Threat Authentication Multiple Lockouts - N/A scenario covered as / SSO / Single SIEM - SSO part of another policy Sign-On
Cloud Login failure to Duplicate - Threat Authentication Disabled User Account N/A scenario covered as / SSO / Single - SIEM - SSO part of another policy Sign-On
Cloud Probable Successful Duplicate - Threat Authentication Brute Force Attack - N/A scenario covered as / SSO / Single SIEM - SSO part of another policy Sign-On
Cloud Account authenticating Removed the policy as it Application from rare geolocation - N/A flagged low level events. Audit Exchange
Cloud Abnormal Number of Removed the policy as it Application Distinct Emails N/A flagged low level events. Audit Archived - Exchange
SNYPR Release Notes 95 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Account performing Application activity from a Removed the policy as it N/A Security suspicious location - flagged low level events. Broker SIEM - CASB
Cloud Uploads to personal Duplicate - Threat Application GitHub repository - N/A scenario covered as Security SIEM - CASB part of another policy Broker
Cloud Downloads with Removed the policy as Application multiple filename but N/A it flagged low level Security same filehash - SIEM - events. Broker CASB
Cloud Authentication Phone verification mfa Removed the policy as it N/A / SSO / Single anomaly flagged low level events. Sign-On
Cloud User Account Authentication Removed the policy as it Unlocking VIP User N/A / SSO / Single flagged low level events. accounts - SSO Sign-On
Cloud Use of Any Default Authentication Removed the policy as it Credentials - SIEM - N/A / SSO / Single flagged low level events. SSO Sign-On
Cloud Authentication Activity seen from rare Removed the policy as it N/A / SSO / Single city flagged low level events. Sign-On
Cloud Content Removed the policy as Landspeed anomaly Management N/A it flagged low level detected for account System events.
SNYPR Release Notes 96 New and Improved Content
Policy Name Signature ID Signature Comments
Cloud Content File manipulation Removed the policy as it Management N/A followed by egress flagged low level events. System
Cloud Content Suspicious Modification Removed the policy as it Management of Privileges for N/A flagged low level events. System Documents
Cloud Content Abnormal number of Removed the policy as it Management document permission N/A flagged low level events. System changes observed
Cloud Content Rare Operation Removed the policy as it Management N/A performed by an User flagged low level events. System
Cloud Content Recovering Files along Removed the policy as it Management N/A with Data Egress flagged low level events. System
Duplicate - Threat scenario covered as part of another policy Cloud Content Abnormal number of Management files downloaded by an N/A Replaced with new System account policy: Abnormal number of files downloaded
Abnormal amount of Content Duplicate - Threat files downloaded Management N/A scenario covered as compared to past System part of another policy behavior
Content Abnormal number of Duplicate - Threat Management file deletions compared N/A scenario covered as System to past behavior part of another policy
SNYPR Release Notes 97 New and Improved Content
Policy Name Signature ID Signature Comments
Content Duplicate - Threat Abnormal number of Management N/A scenario covered as files downloaded System part of another policy
Content Abnormal number of Removed the policy as it Management files shared to N/A flagged low level events. System Competitor Domains
Content Abnormal number of Removed the policy as it Management files shared to Non N/A flagged low level events. System Business domains
Content Abnormal number of Removed the policy as it Management files shared with N/A flagged low level events. System personal accounts
Content Account accessing a file Removed the policy as it Management share never accessed N/A flagged low level events. System before
Content Authentication from Removed the policy as it Management N/A rare geolocation flagged low level events. System
Content Duplicate - Threat File activity by Management N/A scenario covered as terminated user System part of another policy
Content File manipulation Removed the policy as it Management N/A followed by egress-129 flagged low level events. System
Content User performing Removed the policy as it Management unusual activity N/A flagged low level events. System compared to peers
Content Account accessing file Removed the policy as it Management N/A never accessed before flagged low level events. System
SNYPR Release Notes 98 New and Improved Content
Policy Name Signature ID Signature Comments
Duplicate - Threat scenario covered as part of another policy Content Abnormal number of Management files downloaded by an N/A Replaced with new System account -CMS policy: Abnormal number of files downloaded -CMS
Duplicate - Threat Unauthorized printer Cloud Print N/A scenario covered as usage - Cloud Print part of another policy
Abnormal number of Duplicate - Threat Cloud Print pages printed compared N/A scenario covered as to peer - Cloud Print part of another policy
Rare DCL command Database Removed the policy as it executed not N/A Audit flagged low level events. performed by peers
Rare DB application Database Removed the policy as it accessed by account N/A Audit flagged low level events. compared to peers
Rare DML command Database Removed the policy as it executed not N/A Audit flagged low level events. performed by peers
Rare DDL command Database Removed the policy as it executed not N/A Audit flagged low level events. performed by peers
Rare TCL command Database Removed the policy as it executed not N/A Audit flagged low level events. performed by peers
SNYPR Release Notes 99 New and Improved Content
Policy Name Signature ID Signature Comments
Abnormal number of Database Removed the policy as it concurrent sessions in a N/A Audit flagged low level events. day
Data Loss Abnormal number of Duplicate - Threat Prevention / pages printed compared N/A scenario covered as Endpoint DLP to peer - Endpoint DLP part of another policy
Data Loss Abnormal number of Duplicate - Threat Prevention / pages printed compared N/A scenario covered as Endpoint DLP to peer part of another policy
Data Loss Abnormal number of Duplicate - Threat Prevention / files printed compared N/A scenario covered as Endpoint DLP to peer part of another policy
Account accessing Database Removed the policy as it critical PII database - N/A Monitoring flagged low level events. SIEM
Rare Database Database Removed the policy as it Accessed by an N/A Monitoring flagged low level events. Account
Potential Account Database Removed the policy as it Compromise on N/A Monitoring flagged low level events. Database Server
Database Password Spraying Removed the policy as it N/A Monitoring Attack Detected - SIEM flagged low level events.
Attempted use of Database Removed the policy as it disabled account - N/A Monitoring flagged low level events. SIEM
Database Audit Log Tampering - Removed the policy as it N/A Monitoring SIEM flagged low level events.
SNYPR Release Notes 100 New and Improved Content
Policy Name Signature ID Signature Comments
Database concurrent console Removed the policy as it N/A Monitoring logon - SIEM flagged low level events.
Spike in Failed Logins Duplicate - Threat Database to a Database Server- N/A scenario covered as Monitoring 143 part of another policy
Multiple Failed Database Followed by Successful Removed the policy as it N/A Security Login to a Database flagged low level events. Server-143
Potential Account Database Removed the policy as it Compromise on N/A Security flagged low level events. Database Server-143
Rare Critical Duplicate - Threat Database Commands Executed on N/A scenario covered as Security a Database Server part of another policy
Rare Database Database Removed the policy as it Accessed by an N/A Security flagged low level events. Account
Spike in frequency of Database Removed the policy as it DDL or DML N/A Security flagged low level events. Commands Executed
Spike in Failed Logins Database Removed the policy as it to a Database Server- N/A Security flagged low level events. 143
Duplicate - Threat Possible fast flux DNS / DHCP N/A scenario covered as domain detected-123 part of another policy
Removed the policy as it DNS / DHCP Rare dns host resolved N/A flagged low level events.
SNYPR Release Notes 101 New and Improved Content
Policy Name Signature ID Signature Comments
Emails Sent with Email / Email Removed the policy as it Source Code - SIEM - N/A Security flagged low level events. DLP
Email / Email Emails to Non-Business Removed the policy as it N/A Security Domains - SIEM - DLP flagged low level events.
Email / Email Emails Sent to Personal Removed the policy as it N/A Security Email - SIEM - DLP flagged low level events.
Email / Email Emails to Competitor Removed the policy as it N/A Security Domains - SIEM - DLP flagged low level events.
Email / Email Compressed Files in Removed the policy as it N/A Security Emails - SIEM - DLP flagged low level events.
Suspicious Process Endpoint Duplicate - Threat Activity - Targeted - Management N/A scenario covered as Potential ETW Disable Systems part of another policy Attempt Analytic
Endpoint Duplicate - Threat Rare USB device Management N/A scenario covered as activity Systems part of another policy
Endpoint Rare ports used by a Duplicate - Threat Management process for high N/A scenario covered as Systems severity endpoint alerts part of another policy
Endpoint Duplicate - Threat Rarity on system Management N/A scenario covered as hardening monitor Systems part of another policy
Suspicious Process Endpoint Duplicate - Threat Activity - Targeted - Management N/A scenario covered as Executable File Systems part of another policy Creation Analytic
SNYPR Release Notes 102 New and Improved Content
Policy Name Signature ID Signature Comments
Endpoint Duplicate - Threat Abnormal number of Management N/A scenario covered as file shares created Systems part of another policy
Endpoint Duplicate - Threat Rare Executive Host Management N/A scenario covered as Accessed Systems part of another policy
Endpoint Duplicate - Threat Rare CD or DVD Management N/A scenario covered as burning activity Systems part of another policy
Endpoint Duplicate - Threat Abnormal number of Management N/A scenario covered as file shares deleted Systems part of another policy
Endpoint Abnormal number of Duplicate - Threat Management share folder creation N/A scenario covered as Systems on system part of another policy
Endpoint Duplicate - Threat Abnormal number of Management N/A scenario covered as failed logons Systems part of another policy
Endpoint Duplicate - Threat Abnormal number of Management N/A scenario covered as low severity alerts Systems part of another policy
Endpoint Duplicate - Threat Management Rare login geo location N/A scenario covered as Systems part of another policy
Endpoint Executable or Script Removed the policy as it Management N/A file created by Process flagged low level events. Systems
Endpoint Rare child process Duplicate - Threat Management spawned from N/A scenario covered as Systems WMIPRVSE part of another policy
SNYPR Release Notes 103 New and Improved Content
Policy Name Signature ID Signature Comments
Endpoint Rare combination of Removed the policy as it Management parent and child N/A flagged low level events. Systems process found for user
Suspicious Process Endpoint Duplicate - Threat Activity - Peak File RW Management N/A scenario covered as Process Terminations Systems part of another policy For Host Analytic
Suspicious Process Endpoint Duplicate - Threat Activity - Rare DLL Management N/A scenario covered as Creation in SYSTEM Systems part of another policy Directory Analytic
Suspicious Process Activity - Rare Egress Endpoint Duplicate - Threat Destination Port For Management N/A scenario covered as LOLBIN App Potential Systems part of another policy Malicious Stager Analytic
Suspicious Process Endpoint Duplicate - Threat Activity - Rare High- Management N/A scenario covered as Integrity Process For Systems part of another policy User Analytic
Suspicious Process Endpoint Activity - Targeted - Duplicate - Threat Management Potential Stego N/A scenario covered as Systems Embedding Tool part of another policy Agnostic Analytic
SNYPR Release Notes 104 New and Improved Content
Policy Name Signature ID Signature Comments
Suspicious Process Activity - Targeted - Endpoint Duplicate - Threat Potential UACBypass Management N/A scenario covered as csc Spawning Temp Systems part of another policy Directory Payload Analytic
Use of invoke Phant0m Endpoint powershell tool to Management N/A Misconfig disable endpoint Systems logging
Suspicious Process Endpoint Duplicate - Threat Activity - Targeted - Management N/A scenario covered as Potential ETW Disable Systems part of another policy Attempt Analytic
Endpoint Potential WMI Lateral Duplicate - Threat Management Movement Rare N/A scenario covered as Systems WmiPrvSe Subprocess part of another policy
Firewall traffic to Removed the policy as it Firewall randomly generated N/A flagged low level events. domains - Firewall
Duplicate - Threat Repeat Attack on Firewall N/A scenario covered as firewall-Foreign part of another policy
SmartDefense IPS Removed the policy as it Firewall Rules - High Severity - N/A flagged low level events. Firewall
SmartDefense IPS Removed the policy as it Firewall Rules - Malicious N/A flagged low level events. address - Firewall
SNYPR Release Notes 105 New and Improved Content
Policy Name Signature ID Signature Comments
SmartDefense IPS Removed the policy as it Firewall Rules - Medium N/A flagged low level events. Severity - Firewall
Traffic to rare domain Removed the policy as it Firewall N/A on DNS ports - Firewall flagged low level events.
Abnormal amount of Removed the policy as it Flow data aggregated from N/A flagged low level events. FTP ports - Flow
Abnormal amount of Removed the policy as it Flow data aggregated from N/A flagged low level events. SMB ports - Flow
Flow | Abnormal amount of data uploads to external sites-FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Abnormal amount of data uploads to storage sites over firewall - FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Abnormal amount of data uploads to storage sites-FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Abnormal number of DHCP requests - FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Abnormal time for dhcp lease-Flow | N/A | Removed the policy as it flagged low level events.
Flow | Abnormal upload attempts to distinct storage sites-FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Account authenticating from rare geolocation on VPN - FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Activity from known malicious addresses detected on VPN - FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Beaconing traffic to malicious sites-FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Beaconing traffic to rare domains over dns-flow | N/A | Removed the policy as it flagged low level events.
Flow | Beaconing traffic to rare domains-FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Data exfiltration over known data transfer services - Flow | N/A | Removed the policy as it flagged low level events.
Flow | DHCP request from rare device-Flow | N/A | Removed the policy as it flagged low level events.
Flow | Firewall traffic to randomly generated domains - Flow | N/A | Removed the policy as it flagged low level events.
Flow | Landspeed anomaly on VPN - FLOW | N/A | Removed the policy as it flagged low level events.
Flow | Persistent traffic to rare non resolvable domain dns responses-Flow | N/A | Removed the policy as it flagged low level events.
Flow | Possible host enumeration over critical access ports - Internal - Flow | N/A | Duplicate - Threat scenario covered as part of another policy
Flow | Possible port scan over system ports - Flow | N/A | Duplicate - Threat scenario covered as part of another policy
Flow | Potential lateral movement | N/A | Duplicate - Threat scenario covered as part of another policy
Flow | Randomly generated domain detected on dns response -flow | N/A | Removed the policy as it flagged low level events.
Flow | Rare dns host resolved flow | N/A | Removed the policy as it flagged low level events.
Flow | Rare dns host resolved- Flow | N/A | Removed the policy as it flagged low level events.
Flow | Traffic to rare domain on DNS ports - Flow | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | Possible password spraying from a windows resource | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | High number of accounts using the same ipaddress for authentication failures or lockout events | N/A | Duplicate - Threat scenario covered as part of another policy
Microsoft Windows | High number of failed login attempts from an IP - SIEM | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | High number of accounts using the same ipaddress for authentication failures or lockout events | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | Usage of potential scriptable executable to run or access malicious payload | N/A | Removed the policy as it flagged low level events.
Microsoft Windows | High number of failed login attempts from an account- SIEM | WEL-ALL-942-DB | Removed the policy as it flagged low level events.
Microsoft Windows | Repeat Failure Authentication - SIEM | WEL-ALL-949-DB | Removed the policy as it flagged low level events.
Microsoft Windows | High number of service tickets requested - SIEM | WEL-ALL-923-BP | Removed the policy as it flagged low level events.
Microsoft Windows | Detection of Brute Force Attack To The Same Host - SIEM | WEL-ALL-938-DB | Removed the policy as it flagged low level events.
Microsoft Windows | Use of explicit credentials by a rare account - Account sharing or Password misuse | WOS-203-RU | Policy is replaced with "Use of explicit credentials for a possible Account sharing or Password misuse".
Microsoft Windows | High number of host accessed - SIEM | WEL-ALL-931-BP | Removed the policy as it flagged low level events.
Microsoft Windows | Rare privileged level for a windows authentication | WOS-244-ER | Removed the policy as it flagged low level events.
Microsoft Windows Powershell | Use of Powershell encode command by an account | N/A | Duplicate - Threat scenario covered as part of another policy
Microsoft Windows Powershell | Powershell execution policy changed by Account | N/A | Duplicate - Threat scenario covered as part of another policy
Microsoft Windows Powershell | Use of Powershell Invoke Expression Command by Account | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Abnormal number of connections on DNS ports - NGFW | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Bruteforce on Critical Service from an IP Observed Performing Network Recon | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Internal System running port scan Internally - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Monitoring Inbound malicious IP addresses - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Network Connection from a rare Geolocation | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Possible host enumeration observed - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Rare domain visited by account - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Rare Filetype Observed - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Rare operating system detected for an account on VPN - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Repeat Attack-Login Source on VPN - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | SMB traffic to and from Internet | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Successful Network Connection Observed from an IP Performing Network Recon | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | System running external scan - SIEM | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Traffic to rare domain on DNS ports - Next Gen Firewall | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Undocumented account activity on VPN - Next Gen Firewall | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Zone Transfer from External to Internal - SIEM | N/A | Removed the policy as it flagged low level events.
Next Generation Firewall | Internal system running port scan - horizontal SIEM | N/A | Legacy SIEM content - Low fidelity
Next Generation Firewall | Non Mail server trying to send mails outside - SIEM | N/A | Legacy SIEM content - Low fidelity
Next Generation Firewall | Possible port scan from internal IP Address - Next Gen Firewall | N/A | Duplicate - Threat scenario covered as part of another policy
Next Generation Firewall | Inbound Traffic from C2 Domains and IP addresses - SIEM | IFW-ALL-905-TP | Removed the policy as it flagged low level events.
Next Generation Firewall | Outbound Traffic to C2 Domains and IP addresses - SIEM | IFW-ALL-901-TP | Removed the policy as it flagged low level events.
Next Generation Firewall | Abnormal amount of data uploads to storage sites over firewall | IFW-CAF-870-BA | Removed the policy as it flagged low level events.
Network Traffic Analytics | Rare dns host resolved - NTA (NTA-ALL-801-TA) | NTA-ALL-801-TA | Removed the policy as it flagged low level events.
Print | Abnormal number of pages printed compared to peer | N/A | Duplicate - Threat scenario covered as part of another policy
Unix / Linux / AIX | Undocumented accounts performing activity | N/A | Removed the policy as it flagged low level events.
Unix / Linux / AIX | Use of any default credentials on Unix | N/A | Removed the policy as it flagged low level events.
Web Application Firewall | Abnormal number of high severity WAF alerts | N/A | Removed the policy as it flagged low level events.
Web Application Firewall | Possible directory traversal | N/A | Removed the policy as it flagged low level events.
Web Application Firewall | DNS amplification by frequency of packets - Firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Possible external host enumeration over system ports - Firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Possible external port scan over system ports - Firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Traffic to Known Attacker on firewall-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Application Firewall | Repeat Attack on firewall-Foreign-119 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Beaconing Traffic Detected | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Detection of possible proxy circumvention-125 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Detection of possible proxy circumvention-134 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Detection of possible proxy circumvention-135 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Proxy | Rare domain visited by account | N/A | Removed the policy as it flagged low level events.
Web Proxy | Uploads to news or media websites | N/A | Removed the policy as it flagged low level events.
Web Server | Circumvention of URL Controls | N/A | Removed the policy as it flagged low level events.
Web Server | Rare User Agent Used | N/A | Removed the policy as it flagged low level events.
Web Server | Circumvention of Directory Controls | N/A | Removed the policy as it flagged low level events.
Web Server | Circumvention of Directory Controls-124 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Server | Possible Web Crawling Detected | N/A | Removed the policy as it flagged low level events.
Web Server | Possible Web Crawling Detected-124 | N/A | Duplicate - Threat scenario covered as part of another policy
Web Server | Rare HTTP Request Method Used | N/A | Removed the policy as it flagged low level events.
Decommissioned Policy/Threat Content

The following table contains the decommissioned policy and threat content in this release:
Functionality Signature ID Policy Name
Abnormal number of Access / ACP-CAP-804-BP password retrieval Privileged User compared to past behavior
Access / Repeat Attack-Web ALT-028 Privileged User Content Filter
Virus or Spyware Detected Antivirus / Malware / EDR EDR-FNX-930-DB but Failed to Clean
Antivirus / Repeat IPS or IDS EDR-MEV-932-DB Malware / EDR Attack-Foreign
Antivirus / Possible Outbreak EDR-MEV-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-MEV-929-RU Malware / EDR Attacker on IPS or IDS
Antivirus / EDR-FNX-923-DB Repeat IDS Events Malware / EDR
Antivirus / Repeat IPS or IDS EDR-FNX-932-DB Malware / EDR Attack-Foreign
Antivirus / Possible Outbreak EDR-FNX-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-FNX-929-RU Malware / EDR Attacker on IPS or IDS
Virus or Spyware Antivirus / EDR-TMC-930-DB Detected but Failed to Malware / EDR Clean
Antivirus / Repeat IPS or IDS EDR-TMC-932-DB Malware / EDR Attack-Foreign
SNYPR Release Notes 115 New and Improved Content
Functionality Signature ID Policy Name
Antivirus / EDR-MEV-923-DB Repeat IDS Events Malware / EDR
Antivirus / Possible Outbreak EDR-TMC-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-TMC-929-RU Malware / EDR Attacker on IPS or IDS
Antivirus / Possible Outbreak EDR-FHX-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Possible Outbreak EDR-III-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-III-929-RU Malware / EDR Attacker on IPS or IDS
Antivirus / Traffic to Known EDR-FHX-929-RU Malware / EDR Attacker on IPS or IDS
Virus or Spyware Antivirus / EDR-III-930-DB Detected but Failed to Malware / EDR Clean
Antivirus / Possible Outbreak EDR-FEX-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / EDR-TMC-923-DB Repeat IDS Events Malware / EDR
Antivirus / Repeat IPS or IDS EDR-SIS-932-DB Malware / EDR Attack-Foreign
Virus or Spyware Antivirus / EDR-MEV-930-DB Detected but Failed to Malware / EDR Clean
Possible Outbreak Antivirus / EDR-SEP-927-DB -Multiple Infected Hosts- Malware / EDR 313
SNYPR Release Notes 116 New and Improved Content
Functionality Signature ID Policy Name
Rare file hashes for Antivirus / EDR-ALL-840-ERR high severity endpoint Malware / EDR alerts - EDR
Antivirus / Rare file hash EDR-ALL-829-ERR Malware / EDR detected on network - EDR
Antivirus / Rare usage of EDR-ALL-820-ERR Malware / EDR PsRemoting - EDR
Abnormal number of Antivirus / connections to WS- EDR-ALL-842-BP Malware / EDR Management or Powershell Ports - EDR
Abnormal number of Antivirus / EDR-ALL-838-BP high severity endpoint Malware / EDR alerts - EDR
Antivirus / Abnormal number of EDR-ALL-886-BP Malware / EDR ssh connections - EDR
Antivirus / Abnormal number of EDR-ALL-885-BP Malware / EDR telnet connections - EDR
Antivirus / Repeat IPS or IDS EDR-SNI-932-DB Malware / EDR Attack-Foreign
Virus or Spyware Antivirus / EDR-MEH-930-DB Detected but Failed to Malware / EDR Clean
Antivirus / EDR-MEH-923-DB Repeat IDS Events Malware / EDR
Antivirus / Repeat IPS or IDS EDR-MEH-932-DB Malware / EDR Attack-Foreign
Potential use of Antivirus / EDR-ALL-726-RU Rubeus attack tool detected Malware / EDR via command line - AVEDR
SNYPR Release Notes 117 New and Improved Content
Functionality Signature ID Policy Name
Antivirus / Possible Outbreak EDR-MEH-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-MEH-929-RU Malware / EDR Attacker on IPS or IDS
Antivirus / Possible Outbreak EDR-SNI-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-SNI-929-RU Malware / EDR Attacker on IPS or IDS
Virus or Spyware Antivirus / EDR-SNI-930-DB Detected but Failed to Malware / EDR Clean
Antivirus / EDR-SNI-923-DB Repeat IDS Events Malware / EDR
Virus or Spyware Antivirus / EDR-SEP-930-DB Detected but Failed to Malware / EDR Clean-313
Antivirus / EDR-SEP-923-DB Repeat IDS Events-313 Malware / EDR
Antivirus / Repeat IPS or IDS EDR-SEP-932-DB Malware / EDR Attack-Foreign-313
Antivirus / Traffic to Known EDR-SEP-929-RU Malware / EDR Attacker on IPS or IDS-313
Antivirus / EDR-SIS-923-DB Repeat IDS Events Malware / EDR
Antivirus / Rare critical file EDR-ALL-821-ERR Malware / EDR modified by an user - EDR
Antivirus / Traffic to Known EDR-SIS-929-RU Malware / EDR Attacker on IPS or IDS
Virus or Spyware Antivirus / EDR-FHX-930-DB Detected but Failed to Malware / EDR Clean
SNYPR Release Notes 118 New and Improved Content
Functionality Signature ID Policy Name
Antivirus / EDR-FHX-923-DB Repeat IDS Events Malware / EDR
Antivirus / Repeat IPS or IDS EDR-FHX-932-DB Malware / EDR Attack-Foreign
Antivirus / Repeat IPS or IDS EDR-III-932-DB Malware / EDR Attack-Foreign
Antivirus / EDR-III-923-DB Repeat IDS Events Malware / EDR
Resemblance Based Antivirus / EDR-TMC-814-RU Phishing Attempts - PLD Malware / EDR analysis
Resemblance Based Antivirus / EDR-TMC-813-RU Phishing Attempts - TLD Malware / EDR analysis
Antivirus / Repeat IPS or IDS EDR-FEX-932-DB Malware / EDR Attack-Foreign
Virus or Spyware Antivirus / EDR-SIS-930-DB Detected but Failed to Malware / EDR Clean
Virus or Spyware Antivirus / EDR-FEX-930-DB Detected but Failed to Malware / EDR Clean
Virus or Spyware Antivirus / EDR-PSE-930-DB Detected but Failed to Malware / EDR Clean
Antivirus / Traffic to Known EDR-FEX-929-RU Malware / EDR Attacker on IPS or IDS
Antivirus / Possible Outbreak EDR-MNP-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-MNP-929-RU Malware / EDR Attacker on IPS or IDS
SNYPR Release Notes 119 New and Improved Content
Functionality Signature ID Policy Name
Antivirus / EDR-FEX-923-DB Repeat IDS Events Malware / EDR
Antivirus / Repeat IPS or IDS EDR-PSE-932-DB Malware / EDR Attack-Foreign
Antivirus / Possible Outbreak EDR-SIS-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Repeat IPS or IDS EDR-MNP-932-DB Malware / EDR Attack-Foreign
Antivirus / EDR-MNP-923-DB Repeat IDS Events Malware / EDR
Antivirus / Possible Outbreak EDR-PSE-927-DB Malware / EDR -Multiple Infected Hosts
Antivirus / Traffic to Known EDR-PSE-929-RU Malware / EDR Attacker on IPS or IDS
Antivirus / EDR-PSE-923-DB Repeat IDS Events Malware / EDR
Virus or Spyware Antivirus / EDR-MNP-930-DB Detected but Failed to Malware / EDR Clean
Application / Abnormal amount of SAS-ALL-808-BA Enterprise / SaaS data uploaded to GitHub
Application / File accessed from a SAS-ALL-810-ER Enterprise / SaaS rare geolocation - Netskope
Abnormal number of Application / SAS-ALL-807-BP files downloaded from Enterprise / SaaS GitHub
User downloading Application / SAS-ALL-811-ER files from a suspicious Enterprise / SaaS geolocation - Netskope
SNYPR Release Notes 120 New and Improved Content
Functionality Signature ID Policy Name
Abnormal volume of Application / SAS-ALL-801-BA downloads from HIPAA Enterprise / SaaS sanctioned apps - Netskope
Application / Abnormal number of SAS-ALL-813-BP Enterprise / SaaS files uploaded to cloud
ATM Rare Buffer overflow ATM-ALL-804-TA Monitoring detection
ATM Disabling of ATM-ALL-803-RU Monitoring Protection
Abnormal number of ATM ATM-ALL-811-BP SMB or NETBIOS Monitoring connections
ATM Abnormal number of ATM-ALL-813-BP Monitoring file access attempts
ATM Rare weekend ATM-ALL-800-ER Monitoring transaction by account
ATM Rare path for dlls ATM-ALL-806-TA Monitoring accessed
ATM Rare timeslot for ATM ATM-ALL-807-ER Monitoring activity by account
ATM Unusual time of day ATM-ALL-808-ER Monitoring device configuration
ATM Suspicious attempts ATM-ALL-809-ER Monitoring to modify registry
ATM Unusual password ATM-ALL-810-ER Monitoring change attempts
ATM Abnormal number of ATM-ALL-805-BP Monitoring dlls accessed
ATM Use of unauthorized ATM-ALL-801-ER Monitoring devices
SNYPR Release Notes 121 New and Improved Content
Functionality Signature ID Policy Name
ATM Attempt to execute ATM-ALL-802-ER Monitoring suspicious OS calls
Abnormal number of Audit AAU-FAA-826-BP Authentication Failures - F5
Authentication Rare User Agent - SSO-ALL-846-ER / SSO / Single Sign-On successful Okta login
Authentication Ascending Monotonic SSO-ALL-821-TA / SSO / Single Sign-On Pattern Detected
Authentication VPN-ALL-808-DB Brute Force Access / VPN
Authentication VPN activity by VPN-ALL-851-RU / VPN Undocumented Accounts
Authentication Successful Login VPN-ALL-805-DB / VPN after Repeat Failed logins
Authentication Possible Account VPN-ALL-804-DB / VPN Sharing
Authentication VPN Activity from VPN-ALL-800-RU / VPN Known Malicious Addresses
VPN Authentication Authentication VPN-ALL-811-ER Using a Rare Operating / VPN System for an Account
Abnormal Number of Authentication VPN-ALL-852-BP Failed Authentication for an / VPN Account
Authentication VPN activity by VPN-ALL-809-RU / VPN Terminated Users
Evil twin detection Authentication AWI-AMN-8115-DB across multiple location / WiFi with short span of time
Authentication Rare location evil AWI-AMN-8116-ER / WiFi twin detected
SNYPR Release Notes 122 New and Improved Content
Functionality Signature ID Policy Name
Authentication Rare location rogue AWI-AMN-817-ER / WiFi AP detected
Multiple Rogue AP Authentication AWI-AMN-822-DB detected within same / WiFi location
Multiple Evil Twin Authentication AWI-AMN-823-DB detected within same / WiFi location
Abnormal number of SU Aviation / AVI-ALL-818-BP login failures by using Onboard Network System Target user enumeration
Abnormal number of Aviation / AVI-ALL-802-BP distinct destination hosts Onboard Network System accessed by an IP Address
Abnormal high number Aviation / AVI-ALL-812-BP of login failure by a Onboard Network System 'Remote Address
Abnormal number of Aviation / distinct destination hosts AVI-ALL-814-BP Onboard Network System accessed by an Activity account
Aviation / Spike in number of SU AVI-ALL-815-BP Onboard Network System authentication failures
Abnormal number of Aviation / AVI-ALL-807-BP failed ssh authentication Onboard Network System attempts by an IP Address
Detection of password Aviation / AVI-ALL-805-RU retrievals from a non- Onboard Network System secure file
Aviation / Spike In number of AVI-ALL-800-BP Onboard Network System Failed SSHD Logs
SNYPR Release Notes 123 New and Improved Content
Functionality Signature ID Policy Name
Activity towards a Aviation / AVI-ALL-808-ER rare hostname which was Onboard Network System never connected before
Abnormal number of Cloud Content CCMS-ALL-804-BP files shared with personal Management System account
Account accessing Cloud Content CCMS-ALL-809-ERR file path never accessed Management System before
Account activity from Cloud Content CCMS-ALL-828-ERR a country rare to the Management System organization
Cloud Content Account activity from CCMS-ALL-829-ERR Management System a country rare for the user
Abnormal number of Cloud Content CCMS-ALL-805-BP files shared with Management System Competitor email address
Account Activity Cloud Content CCMS-ALL-802-ER detected from Rare Management System Geolocation
Cloud Content File shared with Non CCMS-ALL-813-RU Management System business account
Account Activity Cloud Content CCMS-ALL-802-ERR detected from Rare Management System Country
Account accessing Cloud Content CCMS-ALL-809-ER file share never accessed Management System before
External account Cloud Content CCMS-ALL-839-BP downloading abnormally Management System high number of files
SNYPR Release Notes 124 New and Improved Content
Functionality Signature ID Policy Name
Cloud Content Abnormal number of CCMS-ALL-816-BP Management System files deleted by an account
Abnormal Number of Cloud Content CCMS-ALL-814-BP files Printed compared to Management System past behavior
Abnormal number of Cloud Content CCMS-ALL-806-BP files shared with Non Management System Business account
Abnormal Amount of Cloud Email / CEML-ALL-805-BA Data Emailed to Personal Email Security Email - Cloud Email
Abnormal Number of Cloud Email / CEML-ALL-802-BP Source Code Emailed - Email Security Cloud Email
Abnormal Number of Cloud Email / CEML-ALL-808-BP Email Forwards - Cloud Email Security Email
Abnormal amount of data egressed to non- Cloud Email / CEML-ALL-818-BA business domains compared Email Security to peer behavior - Cloud Email
Abnormal number of Cloud Email / emails sent to competitor CEML-ALL-828-BP Email Security domains compared to peer behavior - Cloud Email
Abnormal Number of Cloud Email / CEML-ALL-830-BP Emails to Personal Email - Email Security Cloud Email
Abnormal number of Cloud Email / emails to non business CEML-ALL-826-BP Email Security domains compared to peer behavior - Cloud Email
SNYPR Release Notes 125 New and Improved Content
Functionality Signature ID Policy Name
Abnormal Amount of Cloud Email / Data Emailed to CEML-ALL-829-BA Email Security Nonbusiness Domain - Cloud Email
Abnormal Number of Cloud Email / CEML-ALL-801-BP Compressed Files Emailed - Email Security Cloud Email
Abnormal Number of Cloud Email / CEML-ALL-803-BP Emails to Competitor - Email Security Cloud Email
Abnormal Number of Cloud Email / CEML-ALL-823-BP Emails to Nonbusiness Email Security Domains - Cloud Email
Emails from Newly Cloud Email / CEML-ALL-824-RU registered domains - Cloud Email Security Email
Unauthorized printer Cloud Print CPRN-ALL-837-RU usage
Abnormal number of Cloud Print CPRN-ALL-838-BP files printed compared to a peer group
Abnormal number of Cloud Print CPRN-ALL-839-BP pages printed compared to a peer group
Abnormal number of Cloud CEDR-ALL-839-BP high severity endpoint Antivirus / Malware / EDR alerts - Cloud EDR
Potential use of Cloud Rubeus attack tool detected CEDR-ALL-26-RU Antivirus / Malware / EDR via command line - Cloud EDR
SNYPR Release Notes 126 New and Improved Content
Functionality Signature ID Policy Name
Cloud Rare usage of CEDR-ALL-820-ERR Antivirus / Malware / EDR PsRemoting - Cloud EDR
Abnormal number of Cloud CEDR-ALL-858-BP Critical severity endpoint Antivirus / Malware / EDR alerts - Cloud EDR
Abnormal number of Cloud CEDR-ALL-871-BP Medium severity endpoint Antivirus / Malware / EDR alerts - Cloud EDR
Potential Mimikatz Cloud CEDR-ALL-19-RU CommandLine Usage - Antivirus / Malware / EDR Cloud EDR
Rare file hash Cloud CEDR-ALL-829-ERR detected on network - Antivirus / Malware / EDR Cloud EDR
Cloud Rare file type CEDR-ALL-903-ERR Antivirus / Malware / EDR detected from an endpoint
Rare critical file Cloud CEDR-ALL-821-ERR modified by an user - Cloud Antivirus / Malware / EDR EDR
Account Cloud CAAU-ALL-805-ER Authenticating from rare Application Audit country - Exchange
Abnormal Number of Cloud CAAU-ALL-807-BP Distinct Emails Created - Application Audit Exchange
Rare client Cloud CAAU-ALL-804-ER application detected for the Application Audit user - Exchange
Cloud Files upload to Application Security CASB-ALL-805-RU unauthorized cloud storage Broker - SIEM - CASB
SNYPR Release Notes 127 New and Improved Content
Functionality Signature ID Policy Name
Cloud Successful Login Application Security CASB-ALL-802-DB after Repeat Failed logins - Broker SIEM - CASB
Cloud Downloads greater Application Security CASB-ALL-810-RU than 10MB from external Broker address - SIEM - CASB
Cloud User uploading Application Security CASB-ALL-800-RU sensitive files - SIEM - Broker CASB
Cloud High number of Application Security CASB-ALL-809-DB downloads from external Broker address - SIEM - CASB
Cloud Abnormal number of Authentication / SSO / CSSO-ALL-842-BP mfa bypass Single Sign-On
Cloud Rare application Authentication / SSO / CSSO-ALL-813-ER accessed by account Single Sign-On
Cloud Spike in number of Authentication / SSO / CSSO-ALL-820-BP account lockout events Single Sign-On
Cloud Account activity seen Authentication / SSO / CSSO-ALL-818-ER from a rare country Single Sign-On
Cloud Possible user Authentication / SSO / CSSO-ALL-832-BP enumeration observed Single Sign-On from an account
Cloud Abnormal number of Authentication / SSO / CSSO-ALL-814-BP device alerts observed Single Sign-On
SNYPR Release Notes 128 New and Improved Content
Functionality Signature ID Policy Name
Logon from a rare Cloud country compared to entire Authentication / SSO / CSSO-ALL-833-ER organization -DUO Single Sign-On Authentication
Cloud Abnormal number of Authentication / SSO / CSSO-ALL-838-BP unauthorized attempts to Single Sign-On an application
Cloud Possible password Authentication / SSO / CSSO-ALL-834-BP spraying observed from an Single Sign-On IP
Password spraying Cloud attempts from one account Authentication / SSO / CSSO-ALL-829-BP to multiple applications_ Single Sign-On enumeration -Duo Authentication
Cloud Abnormal number of Authentication / SSO / CSSO-ALL-815-BP sign on failures Single Sign-On
Cloud Logon from a rare Authentication / SSO / CSSO-ALL-827-ER country -DUO Single Sign-On Authentication
Cloud Attempted use of Authentication / SSO / CSSO-ALL-807-RU disabled account - SIEM - Single Sign-On SSO
Cloud Rare logon to admin Authentication / SSO / CSSO-ALL-841-ER console Single Sign-On
Cloud Abnormal Number of CSA-ALL-714-BP Services / Applications snapshots created
Failed attempts Cloud detected from an user CSA-AWS-733-BP Services / Applications attempting to attach to different roles
SNYPR Release Notes 129 New and Improved Content
Functionality Signature ID Policy Name
Account accessing Content CMS-ALL-830-ER file path never accessed Management System before -CMS
Abnormal number of Content CMS-ALL-846-BP files shared with Non Management System Business account -CMS
Abnormal frequency of Database DBS-ALL-821-BA data aggregated from Audit database
Abnormal Number of Data Loss EDLP-ALL-819-BP Compressed Files Emailed - Prevention / Endpoint DLP DLP
Abnormal number of Data Loss emails to non business EDLP-ALL-802-BP Prevention / Endpoint DLP domains compared to peer behavior - Endpoint DLP
Abnormal number of Data Loss EDLP-ALL-824-BP files egressed to removable Prevention / Endpoint DLP media
Data Loss Unauthorized printer EDLP-ALL-801-ER Prevention / Endpoint DLP usage detected
Abnormal number of Data Loss EDLP-ALL-810-BP endpoint DLP match count Prevention / Endpoint DLP violations
Abnormal amount of Data Loss EDLP-ALL-830-BA endpoint DLP match count Prevention / Endpoint DLP violations
Abnormal amount of Data Loss data egressed to competitor EDLP-ALL-827-BA Prevention / Endpoint DLP domains compared to peer behavior - Endpoint DLP
SNYPR Release Notes 130 New and Improved Content
Functionality Signature ID Policy Name
Abnormal amount of Data Loss EDLP-ALL-826-BA data egress to NonBusiness Prevention / Endpoint DLP domains - DLP
Misuse of service Data Loss EDLP-ALL-814-RU accounts to exfiltrate data - Prevention / Endpoint DLP SIEM - DLP
Abnormal amount of Data Loss EDLP-ALL-805-BA data egressed to removable Prevention / Endpoint DLP media
Abnormal amount of Data Loss EDLP-ALL-822-BA endpoint DLP match count Prevention / Endpoint DLP violation compared to peer
Abnormal amount of data egressed to non- Data Loss EDLP-ALL-821-BA business domains compared Prevention / Endpoint DLP to peer behavior - Endpoint DLP
Abnormal amount of Data Loss EDLP-ALL-812-BA data egress to Competitor - Prevention / Endpoint DLP DLP
Abnormal number of Data Loss emails sent to competitor EDLP-ALL-828-BP Prevention / Endpoint DLP domains compared to peer behavior - Endpoint DLP
Abnormal amount of Data Loss EDLP-ALL-823-BA data egress to Personal Prevention / Endpoint DLP email - DLP
Login from a rare Data country compared to the DWH-ALL-802-ER Warehouse entire organization - Authentication
Data Login from a rare DWH-ALL-801-ER Warehouse country - Authentication
SNYPR Release Notes 131 New and Improved Content
Functionality Signature ID Policy Name
Successful password Data DWH-ALL-808-RU spraying attack from an IP - Warehouse Authentication
Landspeed anomaly Data DWH-ALL-803-LS detected for account - Warehouse Authentication
Abnormal frequency of Database select commands executed DBM-ALL-811-RU Monitoring on Database -Database Monitoring
Excessive number of DNS / DHCP DNS-010 failed DNS zone transfers
Excessive number of DNS / DHCP DNS-023 DNS NXDOMAIN responses
Excessive number of DNS / DHCP DNS-024 DNS SERVFAIL responses
DNS / DHCP DNS-ALL-810-TA Rare dns server used
Abnormal time for DNS / DHCP DNS-ALL-808-BP dhcp lease
DHCP request from DNS / DHCP DNS-ALL-801-ERR rare device
Abnormal number of DNS / DHCP DNS-ALL-804-BP DHCP requests
Suspicious Process Endpoint Activity - Potential EDR-ALL-49-ER Management Systems Injection - Unusual Crossproc Analytic
Potential Phishing Endpoint EDR-ALL-28-RU URL received over an Management Systems email
SNYPR Release Notes 132 New and Improved Content
Functionality Signature ID Policy Name
Potential attempt to Endpoint EDR-ALL-62-ER bypass UAC using Management Systems Eventvwr
Possible Payload Endpoint EDR-ALL-59-RU Attack Via Parameterless Management Systems Rundll32 Command
Endpoint Potential Mimikatz EDR-ALL-19-RU Management Systems CommandLine Usage
Possible Reverse Shell connection Endpoint EDR-ALL-889-RU established via Invoke- Management Systems PowerShellTcpOneLine script
Use of credential Endpoint EDR-ALL-815-RU dumpers - endpoint Management Systems monitoring
RDP communication Endpoint EDR-ALL-58-ER initiated from a rare Management Systems process
Rare source and Endpoint EDR-ALL-38-ER target images for Management Systems CreateRemoteThread event
Potential UAC bypass Endpoint EDR-ALL-89-RU - CSC executing payload Management Systems from temp directory on host
Endpoint Suspicious Command EDR-ALL-12-ER Management Systems Line Arguments
Use of Steganography Endpoint EDR-ALL-102-RU tools to encode or decode Management Systems media files
SNYPR Release Notes 133 New and Improved Content
Functionality Signature ID Policy Name
Endpoint Management Systems | EDR-ALL-71-BP | Possible Ransomware infection involving use of staging commands on abnormally large number of hosts
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-81-ER | Possible Webshell Activity - Rare process spawned from Web server worker process
Endpoint Management Systems | EDR-ALL-24-ER | Escalation of privilege via modification of AppInit DLL registry detected on host
Endpoint Management Systems | EDR-ALL-55-ER | Rare process communicating over Kerberos port
Endpoint Management Systems | EDR-ALL-53-ER | Potential Sysvol-Netlogon Lateral Movement - Rare file executed from Netlogon share
Endpoint Management Systems | EDR-ALL-69-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic
Endpoint Management Systems | EDR-ALL-54-ER | Rare Self Worker Process Execution
Endpoint Management Systems | EMS-002 | Rare file hash detected on the network - endpoint monitoring
Endpoint Management Systems | EMS-001 | Rare function used by a dll on the network - endpoint monitoring
Endpoint Management Systems | EDR-ALL-48-ER | Unusual process adding a file in Startup Menu
Endpoint Management Systems | EDR-ALL-19-ER | Rare DLL Invocation Via Rundll32 Command
Endpoint Management Systems | EDR-ALL-26-RU | Potential use of Rubeus attack tool detected via command line
Firewall | IFW-CPS-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-JSF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-ALL-711-BP | Abnormal number of connections on LDAP ports - Firewall
Firewall | IFW-FTF-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-JPF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-JPF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-JPF-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-CAF-807-ER | Rare file type detected over firewall traffic
Firewall | IFW-CAF-873-BP | Possible external port scan over system ports
Firewall | IFW-CAF-872-ER | Rare dns host resolved over firewall
Firewall | IFW-CPS-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-CAF-928-DB | Repeat Attack-Foreign
Firewall | IFW-CAF-868-TA | Beaconing traffic to malicious sites over firewall
Firewall | IFW-CAF-929-RU | Traffic to Known Attacker
Firewall | IFW-CAF-905-BP | Brute Force Access on VPN
Firewall | IFW-CAF-910-DB | Probable Successful Brute Force Attack on VPN
Firewall | IFW-CAF-922-DB | Repeat firewall drops
Firewall | IFW-JSF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-JPF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-JSF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-CAF-871-DB | DNS amplification by frequency of packets
Firewall | IFW-CPS-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-JSF-871-DB | DNS amplification by frequency of packets - Firewall
Firewall | IFW-CPF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-CPS-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-ALL-710-ERR | Rare application for known protocols on network traffic - Firewall
Firewall | IFW-FTF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-FTF-873-BP | Possible external port scan over system ports - Firewall
Firewall | IFW-FTF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-ALL-929-RU | Traffic to Known Attacker on Firewall
Firewall | IFW-ALL-713-ERR | Rare port used by applications on network traffic - Firewall
Firewall | IFW-CPF-929-RU | Traffic to Known Attacker on firewall
Firewall | IFW-ALL-708-BP | Abnormal number of connections on SMB or NETBIOS ports - Firewall
Firewall | IFW-ALL-706-BP | Abnormal number of DNS zone transfers - Firewall
Firewall | IFW-ALL-714-DB | Traffic to Known Attacker on Firewall
Firewall | IFW-ALL-875-DB | DNS Amplification by Frequency of Packets - Firewall
Firewall | IFW-ALL-928-DB | Multiple Exploit Types Against Single Destination - SIEM
Firewall | IFW-CPF-874-BP | Possible external host enumeration over system ports - Firewall
Firewall | IFW-ALL-717-BP | Possible host enumeration over system ports - Firewall
Firewall | IFW-CAF-874-BP | Possible external host enumeration over system ports
Flow | FLW-ALL-872-TA | Possible lateral movement over network traffic - Flow
Flow | FLW-ALL-803-BP | Possible port scan from internal IP - Flow
Flow | FLW-ALL-861-ERR | Rare application for known protocols on network traffic - Flow
IDS / IPS / UTM / Threat Detection | IDS-ALL-800-BP | Abnormal number of alerts observed
IDS / IPS / UTM / Threat Detection | IDS-ALL-802-RU | Medium severity alert observed
IDS / IPS / UTM / Threat Detection | IDS-ALL-803-RU | High severity alert observed
Mainframe | MNF-ASO-811-BP | Abnormal Number of distinct jobs on Mainframe systems
Mainframe | MNF-ASO-809-ER | Rare audit Journal Value for a host
Mainframe | MNF-ASO-810-BP | Abnormal number of mainframe audit failures from an account
Microsoft Windows | WEL-ALL-967-ER | Explicit login to high privileged account
Microsoft Windows | WOS-317-ER | Rare local account created
Microsoft Windows | WOS-277-BP | Abnormal number of remote logons
Microsoft Windows | WOS-222-ER | Rare audit log clearing on Host
Microsoft Windows | WEL-ALL-711-ER | Rare execution of Regsvr32 process
Microsoft Windows | WOS-316-ER | Rare admin group member additions by user compared to peer
Microsoft Windows | WOS-221-ER | Rare privileged events performed by user compared to peer
Microsoft Windows | WOS-318-RU | Use of credential dumpers
Microsoft Windows | WOS-236-ER | Rare logon type detected for an account
Microsoft Windows | WEL-ALL-714-RU | Potential use of MSHTA executable to download malicious payload
Microsoft Windows | WOS-211-ER | Rare process creation on endpoint
Microsoft Windows | WEL-ALL-710-ER | Rare scripting executables spawned from known processes
Microsoft Windows | WOS-293-BP | Abnormal number of hosts accessed - Logon Success
Microsoft Windows | WOS-276-ER | Rare interactive logon by service account
Microsoft Windows | WEL-ALL-860-BP | Password spraying attempts from an IP - Microsoft Windows
Microsoft Windows | WOS-228-BP | Spike in number of password resets
Microsoft Windows | WOS-281-ER | Rare privilege enumeration event detected
Microsoft Windows | WEL-ALL-709-ER | Rare usage of netview commands
Microsoft Windows | WOS-240-BP | Spike in administrative shares accessed
Microsoft Windows | WEL-ALL-713-ER | Rare child or parent process involving MSHTA executable detected
Microsoft Windows | WOS-231-ER | Rare regedit usage compared to peer
Microsoft Windows | WOS-210-ER | Detection of a new admin account
Microsoft Windows | WEL-ALL-708-RU | Suspicious interactions on lsass process - Potential credential dumping
Microsoft Windows | WOS-229-ER | Rare registry modification by account
Microsoft Windows Powershell | PSH-ALL-1-RU | Suspicious Powershell Activity Function - Targeted - Possible Bloodhound Attack Analytic
Microsoft Windows Powershell | PSH-ALL-112-ER | Rare usage of remote Powershell management tools
Microsoft Windows Powershell | PSH-ALL-110-ER | Rare powershell privilege misuse
Microsoft Windows Powershell | PSH-ALL-113-ER | Rare encoded Powershell Command
Network Security | ACR-CIS-896-RU | Possible audit log tampering detected - ISE
Network Security | ACR-CIS-822-BP | Abnormal number of password changes compared to past behavior - ISE
Network Security | ACR-CIS-804-BP | Abnormal number of failed authentications compared to past behavior - ISE
Network Security | ACR-CIS-810-RU | Detection of new admin account authentication - ISE
Network Security | ACR-CIS-805-BP | Abnormal number of authorization failures compared to past behavior - ISE
Network Security | ACR-CIS-823-BP | Abnormal number of audit file deletions - ISE
Network Security | ACR-CIS-811-BP | Abnormal number of failed admin authentications compared to past behavior - ISE
Network Traffic Analytics | NTA-ALL-868-BP | Abnormal number of files downloaded - NTA
Network Traffic Analytics | NTA-ALL-833-BA | Abnormal Amount of Data Emailed to Competitor - NTA
Network Traffic Analytics | NTA-ALL-805-ER | Rare user-agent Detected - NTA
Network Traffic Analytics | NTA-ALL-843-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-838-BP | Abnormal number of files shared to Competitor Domains - NTA
Network Traffic Analytics | NTA-ALL-859-BP | Abnormal Number of Compressed Files Emailed - NTA
Network Traffic Analytics | NTA-ALL-801-TA | Rare dns host resolved - NTA
Network Traffic Analytics | NTA-ALL-825-BP | Abnormal Number of Emails to Personal Email - NTA
Network Traffic Analytics | NTA-ALL-845-BP | Abnormal number of DNS record type ANY queries observed - NTA
Network Traffic Analytics | NTA-ALL-840-BA | Abnormal Amount of Data Emailed to Nonbusiness Domain - NTA
Network Traffic Analytics | NTA-ALL-804-BA | Abnormal amount of data aggregated from FTP ports - NTA
Network Traffic Analytics | NTA-ALL-814-BA | Abnormal amount of files downloaded compared to past behavior - NTA
Network Traffic Analytics | NTA-ALL-808-BA | Abnormal amount of data uploads to external sites - NTA
Network Traffic Analytics | NTA-ALL-854-BA | Abnormal amount of data egressed to non-business domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-827-BP | Abnormal Number of Source Code Emailed - NTA
Network Traffic Analytics | NTA-ALL-800-BP | Abnormal Number of Emails to Competitor - NTA
Network Traffic Analytics | NTA-ALL-860-BP | Abnormal number of files shared to Non Business domains - NTA
Network Traffic Analytics | NTA-ALL-818-BP | Abnormal upload attempts to distinct storage sites - NTA
Network Traffic Analytics | NTA-ALL-828-BP | Abnormal number of file deletions compared to past behavior - NTA
Network Traffic Analytics | NTA-ALL-865-BA | Abnormal amount of data transmitted from known file transfer ports - NTA
Network Traffic Analytics | NTA-ALL-819-BA | Abnormal amount of data uploads to storage sites - NTA
Network Traffic Analytics | NTA-ALL-809-ER | DHCP request from rare device - NTA
Network Traffic Analytics | NTA-ALL-866-BP | Abnormal number of DHCP requests - NTA
Network Traffic Analytics | NTA-ALL-841-ER | Account accessing a file share never accessed before - NTA
Network Traffic Analytics | NTA-ALL-831-BP | Abnormal number of emails sent to competitor domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-867-BP | Abnormal Number of Email Forwards - NTA
Network Traffic Analytics | NTA-ALL-851-ER | Only member in the peer group to access a file share - NTA
Network Traffic Analytics | NTA-ALL-846-BA | Abnormal Amount of Data Emailed to Personal Email - NTA
Network Traffic Analytics | NTA-ALL-857-RU | Uploads to text storage websites - NTA
Network Traffic Analytics | NTA-ALL-836-ER | Account authenticating from rare geolocation on VPN - NTA
Network Traffic Analytics | NTA-ALL-812-BP | Abnormal Number of Emails to Nonbusiness Domains - NTA
Network Traffic Analytics | NTA-ALL-858-BP | Abnormal number of emails to non business domains compared to peer behavior - NTA
Network Traffic Analytics | NTA-ALL-821-ER | Rare File Share Detected - NTA
Next Generation Firewall | IFW-ALL-1151-ER | Account authenticating from rare geolocation on VPN - Next Gen Firewall
Next Generation Firewall | NGF-760-ERR | Rare port used by applications on network traffic - Next Gen Firewall
Next Generation Firewall | IFW-ALL-881-RU | VPN Activity from Known Malicious Addresses - Next Gen Firewall
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | NGF-710 | Abnormal number of DNS zone transfers - Next Gen Firewall
Next Generation Firewall | IFW-ALL-805-RU | Possible Account Sharing - Next Gen Firewall
Next Generation Firewall | IFW-ALL-913-DB | Possible Enumeration over LDAP Port - SIEM
Next Generation Firewall | NGF-761-ERR | Rare application for known protocols on network traffic - Next Gen Firewall
Next Generation Firewall | IFW-ALL-910-RU | Activity by terminated user on Firewall - SIEM
Print | PRN-ALL-837-RU | Unauthorized printer usage
TestCaseGroup3 | TST-CDA-803-BP | SxTestCase1 - Account enumeration from a host
TestCaseGroup4 | TST-CDA-804-BP | SxTestCase2 - Host enumeration from an account
Unix / Linux / AIX | UNX-ALL-818-BP | Spike in SU authentication failures - Behavior
Unix / Linux / AIX | UNX-ALL-810-ER | Activity towards a rare hostname never connected before
Unix / Linux / AIX | UNX-ALL-815-BP | Abnormal high number of login failure - Remote Address
Unix / Linux / AIX | UNX-ALL-821-BP | Abnormal number of SU login failures - Target user enumeration
Unix / Linux / AIX | UNX-ALL-802-BP | Spike In Failed SSHD Logs - Behavior
Web Proxy | PXY-ALL-830-RU | Beaconing Traffic to proxy anonymizing websites
Web Proxy | PXY-ALL-869-RU | Detection of possible proxy circumvention
Web Proxy | PXY-ALL-920-TA-SIEM | Beaconing traffic to known black list site
Web Proxy | PXY-ALL-882-ERR-SIEM | Rare teleconferencing application accessed by an account
Web Server | WEB-ALL-809-ER | Possible SolarWinds SUPERNOVA i18n Malicious Activity Analytic
Web Server | WEB-ALL-810-RU | Possible SolarWinds SUPERNOVA Auth Bypass Exploitation Analytic
Web Application Firewall | IFW-ALL-729-BP | High number of attack signatures across the resource
Web Application Firewall | IFW-ALL-726-ERR | Rare geolocation for WAF host accessed
Web Application Firewall | IFW-ALL-727-ERR | Rare port and protocol combination
Web Application Firewall | IFW-ALL-728-BP | Abnormal number of distinct attack signatures detected on a host
Web Application Firewall | IFW-ALL-730-ERR | Rare attack signature detected
Known Issues
The following table describes the known issues that exist in this release:
Component | Summary
Analytics Service | The Spotter query does not return any result when you create a policy with the Batched Analytics technique.
Analytics Service | The custom-analyzer Spark job fails while reading data from archive storage (HDFS).
Analytics Service | Scheduling does not work for Spotter based policies.
Analytics Service | When you delete datasource and activity data, the application does not delete the associated threat models.
Analytics Service | The Violation Summary screen displays incorrect information for the Check Against Lookup Table policy type when the policy uses the Not Equal and Does Not Contain operators.
Analytics Service | By default, the Violation Summary screen for AEE policies displays only 5 values, irrespective of the threshold value.
Analytics Service | When you upgrade to SNYPR 6.4, the risk score for a few violators might reduce to zero.
Analytics Service | When you access a policy in edit mode after upgrading to SNYPR 6.4, tier-2 checks created for a tenant are not displayed. However, this does not affect policy detection.
Hunting Service | After you upgrade to SNYPR 6.4, newly ingested data may not be visible in the Search Results view in Spotter. If your data is not visible, you must manually update the Spotter cache to view your ingested data.
Hunting Service | The validation message is not displayed when the following queries are used in Spotter: index = activity and policyname not null.
Hunting Service | For index = geolocation queries, the pause job icon does not display the updated status when the query is paused from Spotter > View Jobs.
Hunting Service | The Eval from_unixtime function displays an incorrect date and time.
Hunting Service | When you run a query with the Where operator to specify a range, the returned records fall outside the specified range.
Hunting Service | The Delete operator does not work for archived queries.
Hunting Service | When you run a query with Stats Distinct and Filter together, the query does not display the result. However, it displays the number of matched records in SNYPR. For example:
    index= violation | FILTER index = riskscore and employeeid = employeeid and doctype = entity_threatmodel | STATS DISTINCT(accountname) department
Hunting Service | When you export and import a Data Insight dashboard, the original exported dashboard is overwritten by the imported dashboard.
Ingestion Service | When you modify the name of the RIN server, the data import stops working.
Ingestion Service | There are instances where the Parser Management screen of Activity Import takes time to load.
Ingestion Service | In Derived Fields, the File Name Extractor operator does not work when the value contains a special character other than backslash or forward slash.
Ingestion Service | The Action Filter to enrich using Persona information fails when multiple Persona Builder actions are applied.
Ingestion Service | The length of the tenant name can be up to 40 characters only.
Ingestion Service | When the size of the lookup import file is more than 5 MB, the system takes a long time to preview the data in the file.
Ingestion Service | The Whitelisting feature does not support comparison operators for date and time attributes during User Import.
Response Service |
    - You cannot have duplicate events within a single case.
    - Only the initial events that were added to an incident display in the Events view within the Incident Management screen, regardless of any additional events you may add.
    - Only the first 1,000 events are added to an incident from Spotter.
    - When the incident data expires, the incident will no longer have events in it.
    - The status of an incident does not display in the Graphical Analysis view within Incident Management.
Response Service | The Created By field in the Incidents panel displays Admin when an incident is created during playbook execution by a non-admin user.
Response Service | When "Do you wish to stop action propagation for sub-incidents?" is enabled and an analyst updates the workflow for an incident with multiple threats, the workflow for the child incidents is updated. However, the Activity Stream of the child incidents does not record the workflow update.
Response Service | The Action History button is not displayed for a policy that has auto incident enabled.
Response Service | The watchlist widget displays the incorrect policy name for an entity when that entity is watchlisted in two different policies.
Response Service | When you perform an action from the Other Policy tab of the Security Command Center, the screen displays the message "Action taken in progress and may take some time." When the waiting period is complete, you can perform the action again.
Response Service | The system takes some time to retrieve the records that match the filter criteria specified while adding an attribute from Views > Whitelist.
Response Service | For an On-Demand Incident, the Tabular view does not display properly in Incident Management when events from different datasources are added to the incident.
Response Service | While assigning an incident, admin users and groups are not listed.
Response Service | The Incident Management screen does not display an entity's name when the entity is white-listed and an incident is created for that entity.
Response Service | When an incident is white-listed, the incident status does not update to Incident Status: Completed.
Response Service | The playbook status does not display when a user runs a playbook manually.
Response Service | The Take Action button is not visible on the Security Command Center when an auto incident is generated for a network address or an uncorrelated account.
Response Service | The HTTP status code for the Anomali playbook is not shown in the displayed message.
Response Service | Correlated accounts are not included in the watchlist widget and are saved as uncorrelated accounts in View > Watchlist.
Response Service | When Securonix SOAR is enabled in SNYPR and you create a threat indicator for a new policy, the Create New Threat Indicator screen displays the list of child playbooks. Additionally, the screen displays "undefined" when you enable auto playbook.
Shared Service | The Audit framework does not record when threat models are deleted.
Shared Service | The Auditing Report's file size differs based on the file format. The file size for DOC and RTF is larger than for other formats such as PDF, CSV, and XLS.
Shared Service | The Auditing screen displays an incorrect group name when entity metadata is deleted from the Job monitor.
Shared Service | The scheduled categorized report jobs are not listed in the Scheduled Report Jobs screen.
Shared Service (Multi-tenant) | In some scenarios, a null pointer exception occurs when an admin user accesses the Add Data modules.