SNYPR 6.3.1 Build 181059_0119 Release Notes
Date Published: 1/20/2021

Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.
Copyright © 2020 Securonix. All rights reserved.
Contact Information
Securonix 5080 Spectrum Drive, Suite 950W Addison, TX 75001 (855) 732-6649
Table of Contents
Introduction
Improvements
Bug Fixes
Known Issues
What's New in Content
  New Connectors
  Contextual Connectors
  Beta Connectors
  Improved Connectors
  New Content
  Improved Content
  Deprecated Parsers
  Deprecated Policies
Introduction
SNYPR 6.3.1 Build 181059_0119 includes improvements, bug fixes, connectors, and content.
Improvements
The following table describes the improvements included in this release:

Key | Component | Summary
INC-233922, INC-231748 | Auditing | The Audit Trail records the following information for improved monitoring and tracking:
  - Tenant setup details such as adding a new tenant, modifying an existing tenant, and deleting an existing tenant. This is only applicable to the multi-tenant module.
  - Detailed user information such as user name, email address, last login time, role membership, group membership, and access level. Note: In multi-tenant mode, tenant access is recorded in place of the access level.
  - User login type, so you can determine whether the user logged in using local authentication or Single Sign-On (SSO).
- | Case/Incident Management | Removed the Switch Workflow option from the Incident Management screen.
INC-236467 | Connector | Improved the O365 connector to filter duplicate events.
- | Security Command Center | Added scroll functionality to the Take Action drop-down on the Violations view, allowing users to view all available actions regardless of where the violation displays on the screen.
- | Security Command Center | The following improvements were made for SCC widgets that display Sandbox violations:
  - The Sandbox widget populates results.
  - The Violation Timeline widget displays all Sandbox policies.
  - Sandbox categories display appropriate names when selecting a policy category.
  - Older violations are visible for the policies.
- | Spotter - Queries/Operators | Added Classless Inter-Domain Routing (CIDR) search so that IP address attributes can be searched by network range.
Bug Fixes
The following table describes the bug fixes included in this release:

Key | Component | Summary
- | Authentication | The application saves the Login URL when you enable Single Sign-On (SSO) from Settings > Single Sign On.
- | Case/Incident Management | Fixed an issue where the "Show User Input Form?" setting did not keep its disabled status after a workflow was saved.
- | Case/Incident Management | Fixed an issue in the Activity Stream of Incident Management that caused the activity stream to be visible only to users assigned to the case.
- | Case/Incident Management | Fixed an issue that caused incidents for threat models to not appear on the SCC, even when the incident had been created and was visible on the Incident Management screen.
- | Case/Incident Management | Fixed an issue on the Incident Management screen that caused the violation summary to display an UNKNOWN value for policies on open incidents.
- | Case/Incident Management | Fixed an issue in Incident Management that caused a blank screen to display when an incident was selected.
- | Policy Engine | Fixed an issue so that the Category field displays the original policy's category when you create a duplicate policy.
CLOUD-23660 | Policy Engine | Fixed the Policy Creation screen to display Japanese characters correctly.
- | Policy Engine | The violation summary and related information are displayed for Aggregated Event Evaluator (AEE) policies where the violation entity is Network Address.
CLOUD-23721 | Policy Engine | Identity-based policies display the correct preview of rule conditions.
CLOUD-23722 | Policy Engine | Included CURRENT_DATE functions for identity-based policies.
- | Policy Engine | Improved the performance of the Does_Not_Contain_In_List operator.
- | Policy Engine | Fixed an issue so that the Security Command Center screen displays violation events and the tree view for hourly behavior policies.
- | Policy Engine | Fixed the risk booster for the lookup table.
- | Response Bot | Fixed Job 13: Action Prediction to resolve the incorrect queue error.
- | Security Command Center | Fixed a discrepancy in the views for users between Top Threats and Top Violators.
- | Security Command Center | Fixed an issue on the Violations screen where incidents failed to generate automatically.
- | Security Command Center | Fixed an issue where a bulk action did not mark all the selected policies.
- | Security Command Center | Fixed an issue that caused the same case details and Violation Summary to display for different incidents.
CLOUD-18047 | Shared Service | Fixed an issue so that the User Import activity runs on schedule.
- | Spotter | Fixed an issue that caused the Indexer Cache Counts Consumer to fail to restart automatically when updating the cache.
- | Spotter Console | Fixed an issue in the Search Results view of Spotter that triggered the "Max query limit reached # 1000" error message and caused search results to not display when the maximum query limit was reached.
- | Spotter - Queries/Operators | Fixed an issue in the Search Results view of Spotter that caused the event card to display the most recent eventtime results instead of the eventtime results selected in the query bar chart.
- | Spotter - Queries/Operators | Fixed an issue in the Search Results view of Spotter that caused an incorrect pagination count to display when a TABLE query was run.
- | Spotter - Queries/Operators | Fixed an issue that caused the query formation to become corrupt when whitespace characters were used in the Spotter search query.
- | Spotter - Queries/Operators | Fixed the attribute autosuggestion list to populate in alphabetical order, ensuring you apply the correct attribute as you type your Spotter search query.
- | Spotter Reporting | Fixed an issue in Spotter that caused additional attributes to display when exporting TABLE query results.
- | Spotter Reporting | Fixed an issue in Spotter that caused long text strings to truncate in text format and in the footer pagination when reports were exported.
- | Spotter Reporting | Fixed an issue in Spotter that caused the csv format to use the value of the pdf format when the report-type order was changed in the drop-down.
- | Spotter Reporting | Fixed an issue in Spotter and in the Security Command Center that caused inconsistent report output when users tried to view a violation event for a policy.
- | Spotter Reporting | Fixed an issue in Spotter that caused an inconsistency in exported reports.
INC-232172 | Third-Party Integration | Fixed an issue so that the Box connector token remains valid when the datasource is rescheduled or data is previewed after scheduling.
INC-231057 | Views - Resources | Fixed the sort-by-tenant function on the Resource screen.
- | Watchlist | Fixed an issue that made it impossible to search for a masked watchlist member by its masked ID.
- | Whitelist | Fixed an issue so that users can whitelist accounts whose account name ends with the $ sign (such as Windows computer accounts).
Known Issues
The following table describes the known issues that exist in this release:

Component | Summary
Analytics | When you delete a threat model, the violations associated with the threat model are deleted, but the threat model entry is still displayed in the Threat Modeler screen.
Entity Metadata | The entity metadata attributes are not listed in the Action filter drop-down.
Spotter - Queries/Operators | 1. CIDR search is only available for the following comparison operators:
  - Equals (=)
  - Not Equals (!=)
  - In
  - Not In
  2. CIDR search depends on the data stored at the time of ingestion. Data ingested before CIDR search was enabled is not retrieved.
Spotter - Queries/Operators | When the ipaddress_long field is used in the Spotter search query, no results are returned. However, the ipaddress_long field is displayed in the event data.
User Import | The Refresh Splunk Searches link does not work when user data is imported from Splunk.
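Worked example of the CIDR search semantics described in the Improvements table and in the two Spotter entries of the Known Issues table above. This is an added illustration written for these notes, not Securonix code, and it assumes a detail the notes do not state: that the numeric ipaddress_long field named in the known issue (plus an address-family marker, here called ipversion) is derived from the ipaddress attribute at ingestion time, and that CIDR matching is evaluated against that derived field. That is the simplest model that explains why data ingested before the feature was enabled is not retrieved. The sample events are constructed, and the function names are the example's own.

```python
"""CIDR search over ingested events (illustrative; not SNYPR code).

Assumption, not documented in the release notes: the searchable numeric
field ipaddress_long and an address-family marker (ipversion) are derived
from the raw ipaddress attribute when an event is ingested. Events that
were ingested before that enrichment existed carry no such field, so a
CIDR query can never retrieve them.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample events; these are not real SNYPR records.
RAW_EVENTS: List[Dict] = [
    {"eventid": 1, "accountname": "alice", "ipaddress": "10.1.2.3"},
    {"eventid": 2, "accountname": "bob", "ipaddress": "10.1.2.200"},
    {"eventid": 3, "accountname": "websrv01$", "ipaddress": "192.168.5.7"},
    {"eventid": 4, "accountname": "carol", "ipaddress": "10.1.3.1"},
    {"eventid": 5, "accountname": "dave", "ipaddress": "2001:db8::1"},
    {"eventid": 6, "accountname": "erin", "ipaddress": "not-an-ip"},
]

# The only operators for which the known issue says CIDR search works.
CIDR_OPERATORS = {"=", "!=", "in", "not in"}


def enrich(event: Dict) -> Dict:
    """Ingestion-time enrichment: derive ipaddress_long (the address as an
    integer) and ipversion. Unparsable addresses are stored unchanged and
    therefore never match a CIDR query."""
    out = dict(event)
    try:
        addr = ipaddress.ip_address(event["ipaddress"])
    except ValueError:
        return out
    out["ipaddress_long"] = int(addr)
    out["ipversion"] = addr.version
    return out


def _ranges(cidrs: Iterable[str]) -> List[Tuple[int, int, int]]:
    """Turn each CIDR into (version, first_address, last_address) integers."""
    ranges = []
    for cidr in cidrs:
        # strict=False accepts host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
        net = ipaddress.ip_network(cidr, strict=False)
        ranges.append((net.version, int(net.network_address), int(net.broadcast_address)))
    return ranges


def cidr_search(events: Iterable[Dict], operator: str, cidrs: List[str]) -> List[Dict]:
    """Return the events whose ipaddress satisfies `operator` against `cidrs`.

    '=' and '!=' take exactly one CIDR; 'in' and 'not in' take a list.
    Events with no ingestion-time ipaddress_long are skipped entirely,
    mirroring the known issue that pre-enrichment data is not retrieved
    (they are not returned even for the negated operators)."""
    if operator not in CIDR_OPERATORS:
        raise ValueError(f"CIDR search is not supported for operator {operator!r}")
    if operator in ("=", "!=") and len(cidrs) != 1:
        raise ValueError(f"operator {operator!r} takes exactly one CIDR")
    ranges = _ranges(cidrs)
    negate = operator in ("!=", "not in")
    hits = []
    for ev in events:
        if "ipaddress_long" not in ev:
            continue  # never enriched: cannot be evaluated, so not retrieved
        in_any = any(
            ver == ev["ipversion"] and lo <= ev["ipaddress_long"] <= hi
            for ver, lo, hi in ranges
        )
        if in_any != negate:
            hits.append(ev)
    return hits


def matching_ids(events: Iterable[Dict], operator: str, cidrs: List[str]) -> List[int]:
    """Convenience wrapper returning just the eventids, in input order."""
    return [ev["eventid"] for ev in cidr_search(events, operator, cidrs)]


if __name__ == "__main__":
    indexed = [enrich(ev) for ev in RAW_EVENTS]
    print(matching_ids(indexed, "=", ["10.1.2.0/24"]))  # [1, 2]
    print(matching_ids(indexed, "not in", ["10.0.0.0/8", "192.168.0.0/16"]))  # [5]
    print(matching_ids(RAW_EVENTS, "=", ["10.1.2.0/24"]))  # [] : never enriched
```

Two practitioner consequences follow from this model. First, a CIDR query will not see events ingested before the feature was enabled unless that data is ingested again, because the derived field is only written at ingestion time. Second, write the CIDR value against the ipaddress attribute itself; the second Spotter entry above says that filtering on ipaddress_long directly returns nothing, even though the field appears in the event data.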
What's New in Content
SNYPR 6.3.1 Build 181059_0119 content includes new and improved connectors, and new and improved content.

New Connectors
The following connectors for activity import are included in this release:

Vendor | Functionality | Device Type | Collection Method | Format
Apache | Application Audit | SVN | Svn | Delimited-pipe
Amazon Inc. | Firewall | AWS Web App Firewall (WAF) | API | JSON
Amazon Inc | Flow | AWS VPC Flow | API | Delimited-space
BitDefender | Cloud Antivirus / Malware / EDR | BitDefender EDR | File | JSON
BitDefender | Cloud Antivirus / Malware / EDR | BitDefender EDR | Syslog | JSON
BitDefender | Cloud Antivirus / Malware / EDR | BitDefender EDR | API | JSON
Carbon Black, Inc | Antivirus / Malware / EDR | CarbonBlack Response | Carbonblackalerts | JSON
Cisco Systems | IP Telephony | Cisco Unified Communications | File | Regex
Cisco Systems | IP Telephony | Cisco Unified Communications | Syslog | Regex
Cisco Systems | IP Telephony | Cisco Unified Communications | Splunkraw | Regex
Cloudera | Cloud Services / Applications | Clouderaaudit | cloudera | Delimited-pipe
Dropbox | Cloud Content Management System | Dropbox API | Dropbox | JSON
Google | Access / Privileged User | Google Token | Googlereport | Delimited-pipe
Google | Cloud Antivirus / Malware / EDR | Google SCC | Googlescc | JSON
JumpCloud | Authentication / SSO / Single Sign-On | JumpCloud SSO | JumpCloud SSO | JSON
Last Pass | Access / Privileged User | Last Pass Password Management | Lastpassenterprise | JSON
Microsoft Corporation | Cloud Services / Applications | Azure Key Vault | Azurekeyvaultstorage | JSON
Palo Alto Networks | Cloud Antivirus / Malware / EDR | PA Cortex | File | CEF
Palo Alto Networks | Cloud Antivirus / Malware / EDR | PA Cortex | Syslog | CEF
Palo Alto Networks | Cloud Antivirus / Malware / EDR | PA Cortex | Splunkraw | CEF
SecureAuth | Cloud Authentication / SSO / Single Sign-On | SecureAuth Authentication | Syslog | Regex
Snowflake | Data Warehouse | Snowflake - Login | API | Delimited-pipe
Snowflake | Data Warehouse | Snowflake - Query | API | Delimited-pipe
Thycotic Software | Access / Privileged User | Thycotic Server | File | Regex
Thycotic Software | Access / Privileged User | Thycotic Server | Syslog | Regex
Thycotic Software | Access / Privileged User | Thycotic Server | Splunkraw | Regex
VMware | Web Proxy | Unified Access Gateway | Syslog | Regex
VMware | Web Proxy | Unified Access Gateway | Splunkraw | Regex
Contextual Connectors
This section lists connectors required to ingest the following types of data:
- Entity Metadata
- Lookup Data
- Third Party Intelligence
- Users

The following contextual connectors are included in this release:

Vendor | Type | Collection Method
AZURE AD | User Import | API
Saviynt | User Import | API
CloudKnox | Lookup Table | Cloud

Beta Connectors
The following beta connectors are included in this release:

Vendor | Functionality | Device Type | Collection Method | Format
Devo | Cloud Content Management System | Devo API Connector | DevoAPI | JSON
Duo Security | Cloud Application Audit | Duo Security Telephony | DUO | JSON
Snowflake | Database Access Monitoring | Snowflake | Snowflake JDBC | Delimited-pipe
Improved Connectors
The following connectors are improved in this release:

Vendor | Functionality | Device Type | Collection Method | Format
Amazon Inc | AWS - Cloud Services / Applications | AWS CloudTrail | awssqss3 | JSON
Arista Networks / Mojo Networks Inc. | Authentication / WiFi | Mojo Network Events | File | Regex
BeyondTrust | Access / Privileged User | Powerbroker | Syslog | Regex
BeyondTrust | Access / Privileged User | Powerbroker | File | Regex
BeyondTrust | Access / Privileged User | Powerbroker | Splunkraw | Regex
Box Inc | Cloud Content Management System | Box | BoxContent | BoxContent
CA Technologies / PrivacyTrust / eTrust | Application Access Control | eTrust | File | Regex
CrowdStrike | Cloud Antivirus / Malware / EDR | Crowdstrike Alerts Streaming File | Splunkraw | JSON
CrowdStrike | Cloud Antivirus / Malware / EDR | Crowdstrike Alerts Streaming File | Syslog | JSON
CrowdStrike | Cloud Antivirus / Malware / EDR | Crowdstrike Alerts Streaming File | File | JSON
Cylance | Cloud Antivirus / Malware / EDR | CylancePROTECT | cylance | Key Value Pair
Dell / Secureworks Inc. | Antivirus / Malware / EDR | Secureworks iSensor | File | Regex
DUO Security | Cloud Application Audit | Duo Security Administrator | duo | JSON
IBM | Unix / Linux / AIX | IBM General Parallel File System | File | Regex
IBPort | Network Access Control / NAC | IBPort IB SW | File | Regex
Infoblox | DNS / DHCP | Infoblox | File | Regex
Infoblox | DNS / DHCP | Infoblox | Syslog | Regex
Infoblox | DNS / DHCP | Infoblox | Splunkraw | Regex
Mellanox Technologies | Network Access Control / NAC | Mellanox Switch | File | Regex
Microsoft Corporation | Antivirus / Malware / EDR | Microsoft Defender ATP | msftdefenderatp | JSON
Microsoft | Cloud Email / Email | Office 365 | API | JSON
Microsoft Corporation | Web Server | Microsoft IIS Server | File | Regex
Microsoft Corporation | Web Server | Microsoft IIS Server | Syslog | Regex
Microsoft Corporation | Web Server | Microsoft IIS Server | Splunkraw | Regex
Netskope Inc | Application / Enterprise / SaaS | Netskope Alerts | Netskope | Key Value Pair
One Login | Cloud Authentication / SSO / Single Sign-On | One Login API | onelogin | JSON
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Splunkraw | Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | File | Regex
Palo Alto Networks | Next Generation Firewall | Palo Alto Next-Generation Firewall | Syslog | Regex
SecureLink | Application Audit | SecureLink Audit | File | Regex
Securonix | Security Analytics Platform | Securonix Audit | Database | Delimited-pipe
Sophos | Next Generation Firewall | Sophos SG Firewall | File | Key Value Pair
Sophos | Next Generation Firewall | Sophos SG Firewall | Syslog | Key Value Pair
Sophos | Next Generation Firewall | Sophos XG Firewall | File | Key Value Pair
Sophos | Next Generation Firewall | Sophos XG Firewall | Syslog | Key Value Pair
Symantec / Blue Coat Systems | Authentication / VPN | Symantec PGP Server | File | Regex
Symantec / Blue Coat Systems | Authentication / VPN | Symantec PGP Server | Syslog | Regex
Symantec / Blue Coat Systems | Authentication / VPN | Symantec PGP Server | Splunkraw | Regex
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | File | Regex
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | Syslog | CEF
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | File | CEF
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | File | Regex
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | Syslog | Regex
Symantec / Blue Coat Systems | Web Proxy | Bluecoat Proxy | Splunk | Regex
Tripwire | File Integrity Monitoring | Tripwire Enterprise | File | CEF
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | Unix | Syslog | Regex
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Unix / Linux / AIX | Unix | File | Regex
Zscaler | Web Proxy | Zscaler Proxy | Syslog | CEF
Zscaler | Web Proxy | Zscaler Proxy | File | CEF
New Content
The following content is new in this release:

Vendor | Content Type
Apache | Parser
Carbon Black, Inc | Parser
Cisco Systems | Parser
Cloudera | Parser
Dropbox | Parser
Google | Parser
JumpCloud | Parser
Last Pass | Parser
Microsoft Corporation | Parser
Palo Alto Networks | Parser
SecureAuth | Parser
Thycotic Software | Parser
Improved Content
The following content was improved in this release:

Vendor/Functionality | Content Type | Summary
Amazon Inc | Parser | Added mapping and updated for minor changes.
Arista Networks / Mojo Networks Inc. | Parser | Updated line filter.
BeyondTrust | Parser | Updated mapping.
Box Inc | Parser | Updated mapping.
CA Technologies / PrivacyTrust / eTrust | Parser | Added mapping.
CrowdStrike | Parser | Added mapping.
Cylance | Parser | Added mapping.
Deep Instinct | Parser | Added mapping.
Devo | Parser | Added mapping.
Dell / Secureworks Inc. | Parser | Updated line filter.
DUO Security | Parser | Added mapping.
IBM | Parser | Updated line filter.
IBPort | Parser | Added mapping.
Infoblox | Parser | Added collection method.
Mellanox Technologies | Parser | Updated for minor changes.
Microsoft Corporation | Parser | Added mapping.
MobileIron Inc. | Parser | Added mapping.
Netskope Inc | Parser | Added mapping.
One Login | Parser | Added mapping.
Palo Alto Networks | Parser | Added mapping.
RSA Solutions | Parser | Added line filters.
Salesforce | Parser | Updated for minor change.
Securonix | Parser | Updated mapping.
Sophos | Parser | Added mapping.
Symantec / Blue Coat Systems | Parser | Added mapping. Added line filters and updated a few line filters.
SecureLink | Parser | Added mapping.
Tripwire | Parser | Added mapping.
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Parser | Added mapping and line filters.
Zscaler | Parser | Added mapping.
Next Generation Firewall | Policy | Changed MITRE technique; changed Violation Summary; added named list check.
Firewall | Policy | Changed MITRE technique; changed Violation Summary.
Web Proxy | Policy | Changed MITRE technique; changed Violation Summary.
Flow | Policy | Changed MITRE technique; changed Violation Summary; changed policy category.
Web Server | Policy | Changed MITRE technique; changed Violation Summary; changed verbose information template.
DNS / DHCP | Policy | Changed MITRE technique; changed Violation Summary.
Antivirus / Malware / EDR | Policy | Changed MITRE technique.
Cloud Antivirus / Malware / EDR | Policy | Changed MITRE technique; changed Violation Summary.
Microsoft Windows Powershell | Policy | Changed Violation Summary; changed MITRE technique.
The following parsers are updated to use syslog as the default collection method:

Vendor | Format | Resource Type
Microsoft Corporation | Regex | Microsoft SharePoint
Microsoft Corporation | Regex | Microsoft Windows Print Server
Oracle Corporation | CEF | Oracle Database
Oracle Corporation | CEF | Oracle SysDB
Oracle Corporation | Regex | Oracle SysDB
Oracle Corporation | Delimited-comma | Oracle Peoplesoft
Symantec / Blue Coat Systems | CEF | Symantec DLP Endpoint
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | JSON | Unix cron Events
Microsoft Corporation | CEF | MSSQL Audit
Epic Systems | CEF | Epic Auth
Microsoft Corporation | Regex | ForeFront Threat Management Gateway Firewall
F5 Networks | JSON | F5 ASM Web Application Firewall
Intel Security / McAfee Inc. | CEF | McAfee ePO VirusScan
Avanan Inc. | Key Value Pair | Avanan
Symantec / Blue Coat Systems | CEF | Symantec CloudSOC
ActivIdentity / HID Global | Key Value Pair | ActivIdentity
Cisco Systems | Regex | Cisco Wireless LAN Controller TRAP
Qualys, Inc | Key Value Pair | Qualys Vulnerability Scanner
Intel Security / McAfee Inc. | Regex | McAfee Firewall
Gemalto | Regex | DS3 Authentication Server
CA Technologies / PrivacyTrust / eTrust | Regex | eTrust
IBM | Regex | IBM RACF
IBM | CEF | IBM System i / AS400
IBM | Regex | IBM System i / AS400
IBPort | Regex | IBPort IB SW
Mellanox Technologies | Regex | Mellanox Switch
SecureLink | Regex | SecureLink Audit
Dell / Secureworks Inc. | Regex | Secureworks iSensor
SWIFT | Regex | SWIFT Transactions
VitalQIP | Regex | VitalQIP DHCP
Quanta Cloud Technology / Quanta Artificial Intelligence | Regex | QCT
Informatica | Regex | Informatica Exceptions
Informatica | Regex | Informatica Node
Informatica | Regex | Informatica Catalina
IBM | Regex | IBM Tape Device
Check Point Software Technologies | JSON | Check Point Antivirus
Check Point Software Technologies | JSON | Check Point Antimalware
Check Point Software Technologies | JSON | Check Point SmartDefense
Check Point Software Technologies | Key Value Pair | Check Point Application Control
Tenable | JSON | Nessus Vulnerability Scanner
IBM | Regex | IBM General Parallel File System
Asus | Regex | Object Storage
Check Point Software Technologies | JSON | Check Point Identity Awareness
Arista Networks / Mojo Networks Inc. | Regex | Mojo Network Events
Arista Networks / Mojo Networks Inc. | Delimited-comma | Mojo Network Authentication
Tanium | JSON | Tanium Endpoint
Intel Security / McAfee Inc. | Key Value Pair | Mcafee ATD
Intel Security / McAfee Inc. | CEF | DAM
Boeing | Regex | FSM
Boeing | Key Value Pair | Network Interface Module
Boeing | Regex | Onboard Network System
Corelight | JSON | Network Traffic Analytics
Cisco Systems | Regex | Cisco FTD
Gigamon | CEF | Gigamon Network Traffic Analytics
VMware | Regex | VMware NSX-T
Quest Inc. | Delimited-comma | Active Role Server
Veriato / SpectorSoft | Key Value Pair | Veriato
Microsoft Corporation | JSON | Microsoft Azure EDR
Proview | Regex | Proview Monitoring
Darktrace | LEEF | Darktrace
Zscaler | JSON | Zscaler VPN
Securonix | Delimited-pipe | ControlsDS1
Securonix | Delimited-pipe | ControlsDS2
Deprecated Parsers
The following table lists the parser formats that are no longer supported in this release.
Note: The vendors in the following table are still supported; only the listed formats are no longer supported.

Vendor | Unsupported Format | Resource Type
Symantec / Blue Coat Systems | Delimited-pipe | Bluecoat Proxy
Symantec / Blue Coat Systems | Regex | Bluecoat Proxy
Symantec / Blue Coat Systems | CEF | Bluecoat Proxy
IBM | Regex | IBM Guardium
Juniper Networks | CEF | Juniper Junos Pulse VPN
Juniper Networks | Regex | Juniper Junos Pulse VPN
Juniper Networks | Regex | Juniper Junos Pulse Firewall
Juniper Networks | JSON | Juniper Junos Pulse Firewall
Intel Security / McAfee Inc. | JSON | McAfee Web Gateway
Microsoft Corporation | Key Value Pair | Azure Active Directory
Microsoft Corporation | Key Value Pair | Azure Active Directory
Microsoft Corporation | Regex | Microsoft Exchange Server
Palo Alto Networks | Regex | Palo Alto Next-Generation Firewall
Symantec / Blue Coat Systems | Regex | Symantec DLP Endpoint
Symantec / Blue Coat Systems | Regex | Symantec DLP
Symantec / Blue Coat Systems | CEF | Symantec Message Security Gateway
Symantec / Blue Coat Systems | LEEF | Symantec Message Security Gateway
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Delimited-pipe | Unix
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | JSON | Unix
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | JSON | Unix
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | JSON | Unix
Unix / Red Hat Linux / Oracle Linux / AIX / BSD | Regex | Unix
Microsoft Corporation | Regex | Microsoft IIS Server
Raytheon / Websense / ForcePoint Inc | LEEF | Websense Proxy
CyberArk | CEF | CyberArk Enterprise Password Vault
Microsoft Corporation | WINEVENT | Microsoft Windows WINEVENT
Symantec / Blue Coat Systems | JSON | Critical System Protection
Trend Micro Inc. | Key Value Pair | Trend Micro Control Manager
Zscaler | Regex | Zscaler Proxy
Lieberman Software Corporation | Key Value Pair | Lieberman Identity Management
Microsoft Corporation | Regex | ForeFront Threat Management Gateway Proxy
Microsoft Corporation | Delimited-comma | Microsoft DHCP
Microsoft Corporation | Regex | Microsoft Sysmon
Symantec / Blue Coat Systems | LEEF | Bluecoat Proxy
Symantec / Blue Coat Systems | LEEF | Bluecoat Proxy
RSA Solutions | JSON | RSA SecurID Authentication Manager
Tyco / Software House | Delimited-pipe | Tyco C-Cure
Google | LEEF | Google Cloud Platform
Zimperium | JSON | ZimperiumMobile
Microsoft Corporation | JSON | Microsoft Application Audit
Microsoft Corporation | Delimited-comma | RADIUS_NPS
Intel Security / McAfee Inc. | CEF | Mcafee IronMail Email / IronMail Gateway
Intel Security / McAfee Inc. | LEEF | Mcafee IronMail Email / IronMail Gateway
Intel Security / McAfee Inc. | LEEF | Mcafee IronMail Email / IronMail Gateway
Juniper Networks | LEEF | Juniper Junos Pulse VPN
Juniper Networks | LEEF | Juniper Junos Pulse VPN
Juniper Networks | Regex | Juniper Secure Access VPN
Juniper Networks | CEF | Juniper Secure Access VPN
Juniper Networks | LEEF | Juniper Secure Access VPN
Juniper Networks | LEEF | Juniper Secure Access VPN
Intel Security / McAfee Inc. | CEF | McAfee Web Gateway
Intel Security / McAfee Inc. | LEEF | McAfee Web Gateway
Intel Security / McAfee Inc. | LEEF | McAfee Web Gateway
Intel Security / McAfee Inc. | JSON | McAfee Web Gateway
Intel Security / McAfee Inc. | JSON | McAfee Web Gateway
Microsoft Corporation | Key Value Pair | Microsoft DHCP
Microsoft Corporation | Delimited-comma | Microsoft Outlook
Proofpoint Inc. | Regex | Proofpoint TAP
Proofpoint Inc. | CEF | Proofpoint TAP
Proofpoint Inc. | LEEF | Proofpoint TAP
Proofpoint Inc. | LEEF | Proofpoint TAP
Symantec / Blue Coat Systems | Regex | Symantec Endpoint Protection
Raytheon / Websense / ForcePoint Inc | CEF | Websense Proxy
Raytheon / Websense / ForcePoint Inc | Regex | Websense Proxy
Raytheon / Websense / ForcePoint Inc | LEEF | Websense Proxy
Raytheon / Websense / ForcePoint Inc | CEF | Forcepoint DLP
Symantec / Blue Coat Systems | JSON | Data Center Security
Microsoft Corporation | snare | Microsoft Windows SNARE
Microsoft Corporation | PSLOGLIST | Microsoft Windows PSLOGLIST
Zscaler | CEF | Zscaler Proxy
Zscaler | LEEF | Zscaler Proxy
Zscaler | LEEF | Zscaler Proxy
PingFederate | Regex | PingFederate
Microsoft Corporation | CEF | ForeFront Threat Management Gateway Proxy
Microsoft Corporation | LEEF | ForeFront Threat Management Gateway Proxy
Microsoft Corporation | LEEF | ForeFront Threat Management Gateway Proxy
Juniper Networks | Regex | Juniper Netscreen HVD VPN
Juniper Networks | CEF | Juniper Netscreen HVD VPN
Juniper Networks | LEEF | Juniper Netscreen HVD VPN
Juniper Networks | LEEF | Juniper Netscreen HVD VPN
Netskope Inc | Key Value Pair | Netskope Alerts
Netskope Inc | Key Value Pair | Netskope Events
Tanium | Key Value Pair | Tanium
Fortinet | Key Value Pair | Fortigate
Red Hat Inc. | Regex | RedHat DHCP
Squid | Regex | Squid Proxy
IBM | Regex | IBM AIX
Microsoft Corporation | CEF | Microsoft Windows CEF
Trend Micro Inc. | Regex | TippingPoint IPS
Symantec / Blue Coat Systems | Regex | Symantec_IPS
CrowdStrike | JSON | Crowdstrike Raw
Microsoft Corporation | Key Value Pair | Office 365 Azure
Microsoft Corporation | Key Value Pair | Office 365 Azure
Zscaler | Key Value Pair | Zscaler Proxy
Microsoft Corporation | CEF | Microsoft Windows EPV
Google | Delimited-pipe | Google Login
Google | Delimited-pipe | Google Drive
Infoblox | LEEF | Infoblox
CrowdStrike | JSON | Crowdstrike Alerts Streaming File
Okta | JSON | Okta System Authentication
Salesforce.com | Delimited-comma | Salesforce
Okta | Key Value Pair | Okta System Authentication
Raytheon / Websense / ForcePoint Inc | CEF | Websense Triton DLP
Microsoft Corporation | Key Value Pair | Office 365 Exchange API
Sophos | Key Value Pair | Sophos UTM
Salesforce.com | Delimited-space | Salesforce_BCBS
Okta | Delimited-pipe | Okta System Authentication
CrowdStrike | Key Value Pair | Crowdstrike Alerts Streaming File
Microsoft Corporation | Delimited-pipe | Entitlement-Outlier
Microsoft Corporation | Delimited-pipe | Entitlement-Inlier
F5 Networks | Regex | F5 BigIP Load Balancer
Intel Security / McAfee Inc. | Regex | McAfee Web Gateway
ManageEngine | Regex | Password Manager Pro
Intel Security / McAfee Inc. | Regex | SkyHigh CASB
Dtex Systems | CEF | Dtex
Symantec / Blue Coat Systems | Key Value Pair | Symantec CASB
Diamond IP / BT | Regex | Diamond IPAM
Kronos Inc. | Delimited-comma | Kronos
Microsoft Corporation | Regex | PAM Index
Rapid 7 | Regex | Nexpose Vulnerability Scanner
Symantec / Blue Coat Systems | CEF | Symantec SEP CEF
Microsoft Corporation | CEF | Microsoft Exchange Server
Sophos | Key Value Pair | Sophos SG Firewall
Sophos | Key Value Pair | Sophos XG Firewall
Symantec / Blue Coat Systems | Regex | Symantec PGP Server
VMware | Regex | VMware ESXi
VMware | Regex | VMware ESXi-6.x
VMware | JSON | VMware vCentre
Microsoft | Regex | Microsoft Print Service
Proofpoint Inc. | JSON | Proofpoint Email API
Netscout / Arbor Networks | Regex | Arbor PeakFlow
Mimecast | JSON | Mimecast Email API
DUO Security | JSON | Duo Security Authentication
Microsoft Corporation | Key Value Pair | Office 365 SharePoint API
Microsoft Corporation | Key Value Pair | Microsoft Windows DNS Server
Microsoft Corporation | CEF | Microsoft Windows CEF
Microsoft Corporation | CEF | Microsoft Windows CEF
Imperva Inc. | Key Value Pair | Imperva WAF
Tanium | CEF | Tanium Detect
GTB Technology | CEF | GTB Endpoint DLP
Cynet | CEF | Cynet EDR
Oracle Corporation | Regex | Sun Solaris
VMware | Regex | VMware vCentre
Intel Security / McAfee Inc. | CEF | McAfee CASB
Microsoft Corporation | Regex | Microsoft DNS Server
HAProxy | Delimited-space | HaProxy
Intel Security / McAfee Inc. | Delimited-comma | Mcafee Web Gateway
Palantir | JSON | Palantir Audit
TrustWave | Regex | TrustWave
Darktrace | LEEF | Darktrace
Zscaler | JSON | Zscaler VPN
BeyondTrust | Regex | Powerbroker
BIND DNS | Regex | BIND DNS
Bluecat Networks Inc. | Regex | Bluecat_DHCP
Box Inc | BoxContent | Box
Box Inc | Key Value Pair | Box
Box Inc | Delimited-pipe | Box
Carbon Black, Inc | LEEF | CarbonBlack
Carbon Black, Inc | Key Value Pair | CarbonBlack Protect
Carbon Black, Inc | JSON | CarbonBlack Response
Carbon Black, Inc | Key Value Pair | CarbonBlack Response
Cerner | delimited | Cerner
Check Point Software Technologies | Key Value Pair | Check Point Firewall
Check Point Software Technologies | Regex | Check Point Firewall
Cisco Systems | CEF | Cisco Anyconnect
Cisco Systems | Regex | Cisco Anyconnect
Cisco Systems | Regex | Cisco ASA
Cisco Systems | LEEF | Cisco ASA
Cisco Systems | Key Value Pair | Cisco Meraki
Cisco Systems | Regex | Cisco Meraki Firewall
Cisco Systems | Regex | Cisco Router and Switch
Cisco Systems | JSON | Cisco Secure ACS
Cisco Systems JSON Cisco Umbrella
Cisco Unified Cisco Systems Regex Communications
IronPort Web Security Cisco Systems CEF Appliance
IronPort Web Security Cisco Systems LEEF Appliance
IronPort Web Security Cisco Systems Regex Appliance
IronPort Web Security Cisco Systems LEEF Appliance
Cisco Systems JSON SourceFire Intrusion Sensor
Cisco Systems CEF Netscaler VPN
Cisco Systems LEEF Netscaler VPN
Cisco Systems Regex Netscaler VPN
SNYPR Release Notes 37 What's New in Content
Vendor Unsupported Format Resource Type
Cisco Systems LEEF Netscaler VPN
Cofense Delimited-comma Cofense PhishMe
CrowdStrike JSON Crowdstrike
Symantec / Blue Coat Symantec Endpoint Regex Systems Protection - ADC
Bitdefender JSON Bitdefender Antivirus
Infoblox Regex Infoblox
Microsoft Corporation Regex Microsoft IIS Server
Box Inc BoxContent Box
Crowdstrike Alerts CrowdStrike JSON Streaming
CrowdStrike JSON Crowdstrike Raw
Cisco Systems JSON SourceFire Intrusion Sensor
VMware JSON VMware vCentre
Microsoft Corporation Delimited-comma Microsoft Outlook
Amazon Inc Regex AWS OGW
Amazon Inc Regex AWS OGW
Fortinet Regex FortiGate
Symantec / Blue Coat Symantec Endpoint Regex Systems Protection
Cisco Systems JSON Cisco Umbrella
Darktrace LEEF Darktrace
Zscaler JSON Zscaler VPN
MobileIron Inc. JSON Mobile Threat Defense
Amazon Inc Database Audit Regex
BeyondTrust Access / Privileged User JSON
SNYPR Release Notes 38 What's New in Content
Vendor Unsupported Format Resource Type
Citrix Systems CEF Netscaler VPN
Citrix Systems LEEF Netscaler VPN
Citrix Systems LEEF Netscaler VPN
Citrix Systems Regex Netscaler VPN
Aruba Networks Regex Aruba Authentication
Amazon Inc Regex AWS OGW
Amazon Inc Regex AWS OGW
Amazon Inc Regex AWS Jump Server
Apache JSON Apache Webserver
Apache JSON Apache Webserver
Amazon Inc JSON AWS GuardDuty
Aruba Networks CEF Aruba Authentication
Amazon Inc Regex AWS S3 Bucket
Amazon Inc Regex AWS S3 Bucket
Amazon Inc JSON AWS GuardDuty
Aruba Networks Regex Aruba Clear Pass
Microsoft Corporation Key Value Pair Microsoft IIS Server
GitHub Regex GitHub
Devo JSON Devo API Connector
Devo Key Value Pair Devo API Connector
Microsoft Corporation Key Value Pair Azure Active Directory
Thycotic Software Regex Thycotic Server
Palo Alto Networks CEF PA Cortex
Crowdstrike Alerts CrowdStrike JSON Streaming File
SNYPR Release Notes 39 What's New in Content
Vendor Unsupported Format Resource Type
Amazon Inc Delimited-pipe AWS Redshift
Amazon Inc Delimited-pipe AWS Redshift
Amazon Inc Delimited-pipe AWS Redshift
Crowdstrike Alerts CrowdStrike JSON Streaming
CrowdStrike JSON Crowdstrike Raw
Nexpose Vulnerability Rapid 7 Regex Scanner
VMware Regex VMware ESXi
VMware Regex VMware ESXi
VMware Regex VMware ESXi-6.x
VMware JSON VMware vCentre
Fortinet Regex FortiGate
Microsoft Corporation Delimited-pipe Office 365 Azure-Test
Deprecated Policies
The following table lists the policies that are deprecated as part of this release:
Functionality | Policy Name | Categorization
--- | --- | ---
Access: Privileged User | Possible sabotage - Rare action performed by account | Low fidelity
Access: Privileged User | Abnormal number of distinct accounts accessed compared to past behavior | Low fidelity
Access: Privileged User | Possible sabotage - Abnormal number of Cyberark files deleted | Low fidelity
Access: Privileged User | Rare action performed on safe not performed by peers | Low fidelity
Antivirus / Malware / EDR | Abnormal amount of data copied to removable media - EDR | Low fidelity
Antivirus / Malware / EDR | Abnormal number of failed login attempts - EDR | Low fidelity
Antivirus / Malware / EDR | Abnormal number of files transferred to removable media - EDR | Low fidelity
Antivirus / Malware / EDR | Abnormal number of files with High Value Extensions via removable media - EDR | Low fidelity
Antivirus / Malware / EDR | Abnormal Number of Processes Terminated - EDR | Low fidelity
Antivirus / Malware / EDR | Admin user logging in via clear text - EDR | Low fidelity
Antivirus / Malware / EDR | Beaconing traffic to rare domains on web activity - EDR | Low fidelity
Antivirus / Malware / EDR | Flight risk behaviour via removable media - EDR | Low fidelity
Antivirus / Malware / EDR | IOS Buffer Overflow - EDR | Low fidelity
Antivirus / Malware / EDR | Job exiting behavior exhibited in removable media - EDR | Low fidelity
Antivirus / Malware / EDR | Malicious Outbound Redirect - Allowed - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Malicious Outbound Redirect - Blocked - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Malicious Software Detected - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Network connections to rare systems - EDR | Low fidelity
Antivirus / Malware / EDR | Rare dll process and path on the network - EDR | Low fidelity
Antivirus / Malware / EDR | Rare dll used by a process on the network - Cloud EDR - EDR | Low fidelity
Antivirus / Malware / EDR | Rare function used by a dll on the network - EDR | Low fidelity
Antivirus / Malware / EDR | Rare parent process spawning a child process on the network - EDR | Low fidelity
Antivirus / Malware / EDR | Rare process and path detected on the network - EDR | Low fidelity
Antivirus / Malware / EDR | Rare process and path for high severity endpoint alerts - EDR | Low fidelity
Antivirus / Malware / EDR | Rare use of critical keywords in commandline for Linux - EDR - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Network Activity - Peak Powershell LDAP Connection For Host Analytic - A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Explorer - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSAAS - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSM - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Rundll32 - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Services - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SMSS - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SVCHost - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - WinInit - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Injection - Unusual Crossproc Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - WMI Lateral Movement - Unusual WMI Child Process Analytic -A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Known Threat Intel Malicious Process Execution Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Peak Rare Process Spike For Organization Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Rare Office Child Process Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Targeted - Suspicious Office Child Process Executable Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Rare CreateRemoteThread Invocation Potential BYOL-C Execute-Assembly Analytics-A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Rare DLL Invocation Via Rundll32 For Host Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Parent-Child Relationship For User Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Rare Process For Host Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Mimikatz CommandLine Usage Analytic - A2B - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Shadow Copy-Backup Deletion Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Boot Recover Disable Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Command Line Arguments Analytic - A2B - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Common Escalation of Privilege AppInit DLL Registry Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Keyloggers Abusing Nirsoft Tools Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Possible Enum File Creation Analytic - A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Command Line Admin Share Access Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence I Clicking Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence II Malicious Payload Open Browser Modality Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Scripting File Types Created Analytic - A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Shim Database Registration Changes Analytic - A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Squiblydoo Attack Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu Startup Modification Analytic -A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu_Startup Modification Analytic - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - MS EquationEditor Spawning a Child Process Analytic - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Autorun Changes Analytic -A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Internal Monologue Attack - NetNTLM Version Update Analytics-A2B - EDR | Low fidelity
Antivirus / Malware / EDR | Usage of Credential Dumpers - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Virus and Malicious Code Outbreak - EDR | Duplicate - Threat scenario covered as part of another policy
Antivirus / Malware / EDR | Vulnerable Endpoint monitoring - EDR | Duplicate - Threat scenario covered as part of another policy
Application ~ Enterprise ~ SaaS | Abnormal amount of data uploaded to cloud storage | Low fidelity
Application ~ Enterprise ~ SaaS | Abnormal number of files uploaded to cloud storage | Low fidelity
Authentication ~ SSO ~ Single Sign-On | Rare Okta Application Access | Low fidelity
Authentication ~ SSO ~ Single Sign-On | Rare IP address - successful Okta login | Low fidelity
Authentication ~ VPN | Account Authenticating from Rare Geolocation | Duplicate - Threat scenario covered as part of another policy
Authentication ~ VPN | Brute Force Access - SIEM | Duplicate - Threat scenario covered as part of another policy
Authentication ~ WiFi | Abnormal number of High severity alerts from an entity | Low fidelity
Authentication ~ WiFi | Abnormal number of User Authentication Failure | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Abnormal number of files transferred to removable media - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Abnormal number of failed login attempts - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Abnormal Number of Processes Terminated - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Admin user logging in via clear text - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Beaconing traffic to rare domains on web activity - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | DNS traffic to randomly generated domains - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Flight risk behaviour via removable media - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Infected Endpoint monitoring - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | IOS Buffer Overflow - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Job exiting behavior exhibited in removable media - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Malicious Outbound Redirect - Allowed - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Malicious Outbound Redirect - Blocked - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Malicious Software Detected - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Network connections to rare systems - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare dll process and path on the network - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare dll used by a process on the network - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare function used by a dll on the network - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare parent process spawning a child process on the network - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare process and path detected on the network - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare process and path for high severity endpoint alerts - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Rare use of critical keywords in commandline for Linux - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Network Activity - Peak Powershell LDAP Connection For Host Analytic - A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Explorer - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSAAS - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - LSM - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Rundll32 - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - Services - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SMSS - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - SVCHost - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious path of execution for known processes on Windows - WinInit - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Potential Injection - Unusual Crossproc Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - WMI Lateral Movement - Unusual WMI Child Process Analytic -A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Known Threat Intel Malicious Process Execution Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Peak Rare Process Spike For Organization Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Rare Office Child Process Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Potential Phishing Sequence III - Targeted - Suspicious Office Child Process Executable Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare CreateRemoteThread Invocation Potential BYOL-C Execute-Assembly Analytics-A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare DLL Invocation Via Rundll32 For Host Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare Parent-Child Relationship For User Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rare Process For Host Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Rule - Potential Mimikatz CommandLine Usage Analytic - A2B - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Shadow Copy-Backup Deletion Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Boot Recover Disable Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Command Line Arguments Analytic - A2B - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Common Escalation of Privilege AppInit DLL Registry Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Keyloggers Abusing Nirsoft Tools Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Possible Enum File Creation Analytic - A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Command Line Admin Share Access Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence I Clicking Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Phishing Sequence II Malicious Payload Open Browser Modality Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Scripting File Types Created Analytic - A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Shim Database Registration Changes Analytic - A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity - Targeted - Squiblydoo Attack Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu Startup Modification Analytic -A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - Malicious Start Menu_Startup Modification Analytic - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Process Activity- Targeted - MS EquationEditor Spawning a Child Process Analytic - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Autorun Changes Analytic -A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Suspicious Registry Activity - Targeted - Internal Monologue Attack - NetNTLM Version Update Analytics-A2B - Cloud EDR | Low fidelity
Cloud Antivirus / Malware / EDR | Usage of Credential Dumpers - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Virus and Malicious Code Outbreak - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Antivirus / Malware / EDR | Vulnerable Endpoint monitoring - Cloud EDR | Duplicate - Threat scenario covered as part of another policy
Cloud Application Audit | Account authenticating from rare geolocation - Exchange | Low fidelity
Cloud Application Security Broker | Account performing activity from a suspicious location - SIEM - CASB | Low fidelity
Cloud Application Security Broker | Uploads to personal GitHub repository - SIEM - CASB | Duplicate - Threat scenario covered as part of another policy
Cloud Application Security Broker | Downloads with multiple filename but same filehash - SIEM - CASB | Low fidelity
Cloud Authentication - SSO - Single Sign-On | Phone verification mfa anomaly | Low fidelity
Cloud Authentication - SSO - Single Sign-On | User Account Unlocking - VIP User accounts - SSO | Low fidelity
Cloud Authentication - SSO - Single Sign-On | Use of Any Default Credentials - SIEM - SSO | Low fidelity
Cloud Authentication - SSO - Single Sign-On | Activity seen from rare city | Low fidelity
Cloud Content Management System | File manipulation followed by egress | Low fidelity
Cloud Content Management System | Suspicious Modification of Privileges for Documents | Low fidelity
Cloud Content Management System | Abnormal number of document permission changes observed | Low fidelity
Cloud Content Management System | Rare Operation performed by an User | Low fidelity
Cloud Content Management System | Recovering Files along with Data Egress | Low fidelity
Content Management System | Abnormal amount of files downloaded compared to past behavior | Duplicate - Threat scenario covered as part of another policy
Content Management System | Abnormal number of file deletions compared to past behavior | Duplicate - Threat scenario covered as part of another policy
Content Management System | Abnormal number of files downloaded | Duplicate - Threat scenario covered as part of another policy
Content Management System | Abnormal number of files shared to Competitor Domains | Low fidelity
Content Management System | Abnormal number of files shared to Non Business domains | Low fidelity
Content Management System | Abnormal number of files shared with personal accounts | Low fidelity
Content Management System | Account accessing a file share never accessed before | Low fidelity
Content Management System | Authentication from rare geolocation | Low fidelity
Content Management System | File activity by terminated user | Duplicate - Threat scenario covered as part of another policy
Content Management System | File manipulation followed by egress-129 | Low fidelity
Content Management System | User performing unusual activity compared to peers | Low fidelity
Content Management System | Account accessing file never accessed before | Low fidelity
Database Audit | Rare DCL command executed not performed by peers | Low fidelity
Database Audit | Rare DB application accessed by account compared to peers | Low fidelity
Database Audit | Rare DML command executed not performed by peers | Low fidelity
Database Audit | Rare DDL command executed not performed by peers | Low fidelity
Database Audit | Rare TCL command executed not performed by peers | Low fidelity
Database Audit | Abnormal number of concurrent sessions in a day | Low fidelity
Database Monitoring | Account accessing critical PII database - SIEM | Low fidelity
Database Monitoring | Rare Database Accessed by an Account | Low fidelity
Database Monitoring | Potential Account Compromise on Database Server | Low fidelity
Database Monitoring | Password Spraying Attack Detected - SIEM | Low fidelity
Database Monitoring | Attempted use of disabled account - SIEM | Low fidelity
Database Monitoring | Audit Log Tampering - SIEM | Low fidelity
Database Monitoring | concurrent console logon - SIEM | Low fidelity
Database Security | Multiple Failed Followed by Successful Login to a Database Server-143 | Low fidelity
Database Security | Potential Account Compromise on Database Server-143 | Low fidelity
Database Security | Rare Critical Commands Executed on a Database Server | Duplicate - Threat scenario covered as part of another policy
Database Security | Rare Database Accessed by an Account | Low fidelity
Database Security | Spike in frequency of DDL or DML Commands Executed | Low fidelity
Database Security | Spike in Failed Logins to a Databaser Server-143 | Low fidelity
DNS / DHCP | Possible fast flux domain detected-123 | Duplicate - Threat scenario covered as part of another policy
DNS / DHCP | Rare dns host resolved | Low fidelity
Email / Email Security | Emails Sent with Source Code - SIEM - DLP | Low fidelity
Email / Email Security | Emails to Non-Business Domains - SIEM - DLP | Low fidelity
Email / Email Security | Emails Sent to Personal Email - SIEM - DLP | Low fidelity
Email / Email Security | Emails to Competitor Domains - SIEM - DLP | Low fidelity
Email / Email Security | Compressed Files in Emails - SIEM - DLP | Low fidelity
Endpoint Management Systems | Executable or Script file created by Process | Low fidelity
Endpoint Management Systems | Rare child process spawned from WMIPRVSE | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Rare combination of parent and child process found for user | Low fidelity
Endpoint Management Systems | Suspicious Process Activity - Peak File RW Process Terminations For Host Analytic | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Suspicious Process Activity - Rare DLL Creation in SYSTEM Directory Analytic | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Suspicious Process Activity - Rare Egress Destination Port For LOLBIN App Potential Malicious Stager Analytic | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Suspicious Process Activity - Rare High-Integrity Process For User Analytic | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Suspicious Process Activity - Targeted - Potential Stego Embedding Tool Agnostic Analytic | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Suspicious Process Activity - Targeted - Potential UACBypass csc Spawning Temp Directory Payload Analytic | Duplicate - Threat scenario covered as part of another policy
Endpoint Management Systems | Use of invoke Phant0m powershell tool to disable endpoint logging | Misconfig
Firewall | Firewall traffic to randomly generated domains - Firewall | Low fidelity
Firewall | Repeat Attack on firewall-Foreign | Duplicate - Threat scenario covered as part of another policy
Firewall | SmartDefense IPS Rules - High Severity - Firewall | Low fidelity
Firewall | SmartDefense IPS Rules - Malicious address - Firewall | Low fidelity
Firewall | SmartDefense IPS Rules - Medium Severity - Firewall | Low fidelity
Firewall | Traffic to rare domain on DNS ports - Firewall | Low fidelity
Flow | Abnormal amount of data aggregated from FTP ports - Flow | Low fidelity
Flow | Abnormal amount of data aggregated from SMB ports - Flow | Low fidelity
Flow | Abnormal amount of data uploads to external sites- FLOW | Low fidelity
Flow | Abnormal amount of data uploads to storage sites over firewall - FLOW | Low fidelity
Flow | Abnormal amount of data uploads to storage sites- FLOW | Low fidelity
Flow | Abnormal number of DHCP requests - FLOW | Low fidelity
Flow | Abnormal time for dhcp lease-Flow | Low fidelity
Flow | Abnormal upload attempts to distinct storage sites- FLOW | Low fidelity
Flow | Account authenticating from rare geolocation on VPN - FLOW | Low fidelity
Flow | Activity from known malicious addresses detected on VPN - FLOW | Low fidelity
Flow | Beaconing traffic to malicious sites-FLOW | Low fidelity
Flow | Beaconing traffic to rare domains over dns- flow | Low fidelity
Flow | Beaconing traffic to rare domains-FLOW | Low fidelity
Flow | Data exfiltration over known data transfer services - Flow | Low fidelity
Flow | DHCP request from rare device-Flow | Low fidelity
Flow | Firewall traffic to randomly generated domains - Flow | Low fidelity
Flow | Landspeed anomaly on VPN - FLOW | Low fidelity
Flow | Persistent traffic to rare non resolvable domain dns responses-Flow | Low fidelity
Flow | Possible host enumeration over critical access ports - Internal - Flow | Duplicate - Threat scenario covered as part of another policy
Flow | Possible port scan over system ports - Flow | Duplicate - Threat scenario covered as part of another policy
Flow | Potential lateral movement | Duplicate - Threat scenario covered as part of another policy
Flow | Randomly generated domain detected on dns response -flow | Low fidelity
Flow Rare dns host resolved flow Low fidelity
Rare dns host resolved- Flow Low fidelity Flow
SNYPR Release Notes 64 What's New in Content
Functionality Policy Name Categorization
Traffic to rare domain on Flow Low fidelity DNS ports - Flow
Possible password spraying Microsoft Windows Low fidelity from a windows resource
High number of accounts Duplicate - Threat scenario using the same ipaddress Microsoft Windows covered as part of another for authentication policy failures or lockout events
Abnormal number of Next Generation Firewall connections on DNS ports - Low fidelity NGFW
Bruteforce on Critical Service from an IP Duplicate - Threat scenario Next Generation Firewall Observed Performing covered as part of another Network policy Recon
Internal System running Next Generation Firewall Low fidelity port scan Internally - SIEM
Monitoring Inbound Next Generation Firewall malicious IP addresses - Low fidelity SIEM
Duplicate - Threat scenario Network Connection from a Next Generation Firewall covered as part of another rare Geolocation policy
Possible host enumeration Next Generation Firewall Low fidelity observed - SIEM
Rare domain visited by Next Generation Firewall Low fidelity account - Next Gen Firewall
Rare Filetype Observed - Next Generation Firewall Low fidelity Next Gen Firewall
SNYPR Release Notes 65 What's New in Content
Functionality Policy Name Categorization
Rare operating system Next Generation Firewall detected for an account on Low fidelity VPN - Next Gen Firewall
Repeat Attack-Login Source Next Generation Firewall Low fidelity on VPN - Next Gen Firewall
SMB traffic to and from Next Generation Firewall Low fidelity Internet
Successful Network Connection Observed from Next Generation Firewall Low fidelity an IP Performing Network Recon
Duplicate - Threat scenario System running external Next Generation Firewall covered as part of another scan - SIEM policy
Traffic to rare domain on Next Generation Firewall DNS ports - Next Gen Low fidelity Firewall
Undocumented account Duplicate - Threat scenario Next Generation Firewall activity on VPN - Next Gen covered as part of another Firewall policy
Zone Transfer from Next Generation Firewall Low fidelity External to Internal - SIEM
Ping Sweep or ICMP Next Generation Firewall Low fidelity Inbound Scan - SIEM
Scan over plain text ports - Next Generation Firewall Low fidelity SIEM
External source scan to Next Generation Firewall Low fidelity Internal network - SIEM
External network port scan Next Generation Firewall Low fidelity - SIEM
SNYPR Release Notes 66 What's New in Content
Functionality Policy Name Categorization
Duplicate - Threat scenario Remote Recon Network Next Generation Firewall covered as part of another Sweep or scan - SIEM policy
Duplicate - Threat scenario Next Generation Firewall External Port scan - SIEM covered as part of another policy
Connection attempt to Zeus Duplicate - Threat scenario Next Generation Firewall Domain or IP Address - covered as part of another SIEM policy
Duplicate - Threat scenario SMB Services allowed from Next Generation Firewall covered as part of another internet - SIEM policy
Duplicate - Threat scenario RDP Attempt from Next Generation Firewall covered as part of another Malicious IP - SIEM policy
Duplicate - Threat scenario Outbound Spamhaus Next Generation Firewall covered as part of another observed Traffic - SIEM policy
RDP Access allowed from Duplicate - Threat scenario Next Generation Firewall the internet - Account - covered as part of another SIEM policy
Duplicate - Threat scenario Brute Force Attack - Next Next Generation Firewall covered as part of another Gen Firewall policy
Possible port scan over Duplicate - Threat scenario Next Generation Firewall distinct system ports - Next covered as part of another Gen Firewall policy
Possible host enumeration Next Generation Firewall over system ports - Next Low fidelity Gen Firewall
SNYPR Release Notes 67 What's New in Content
Functionality Policy Name Categorization
Possible lateral movement Next Generation Firewall over network traffic - Next Low fidelity Gen Firewall
Job Exiting Behavior on Next Generation Firewall Web Browsing - Next Gen Low fidelity Firewall
Flight Risk Behavior on Next Generation Firewall Web Browsing - Next Gen Low fidelity Firewall
SmartDefense IPS Rules - Next Generation Firewall High Severity - Next Gen Low fidelity Firewall
SmartDefense IPS Rules - Duplicate - Threat scenario Next Generation Firewall Medium Severity - Next covered as part of another Gen Firewall policy
SmartDefense IPS Rules - Next Generation Firewall Malicious address - Next Low fidelity Gen Firewall
VPN activity by Duplicate - Threat scenario Next Generation Firewall Undocumented Accounts - covered as part of another Next Gen Firewall policy
Suspicious Wildfire Submission Result from the Next Generation Firewall Low fidelity Firewall - Next Gen Firewall
Suspicious Threat Category Duplicate - Threat scenario Next Generation Firewall Observed - Next Gen covered as part of another Firewall policy
Abnormal number of Duplicate - Threat scenario Next Generation Firewall vulnerabilities observed - covered as part of another Next Gen Firewall policy
SNYPR Release Notes 68 What's New in Content
Functionality Policy Name Categorization
File Blocking Profile Duplicate - Threat scenario Next Generation Firewall Initiated - Next Gen covered as part of another Firewall policy
Possible lateral movement Duplicate - Threat scenario Next Generation Firewall observed on network traffic covered as part of another – SIEM policy
Duplicate - Threat scenario Undocumented accounts Unix / Linux / AIX covered as part of another performing activity policy
Duplicate - Threat scenario Use of any default Unix / Linux / AIX covered as part of another credentials on Unix policy
Abnormal number of high Web Application Firewall TPI - Consolidation severity WAF alerts
Duplicate - Threat scenario Web Application Firewall Possible directory traversal covered as part of another policy
DNS amplification by Duplicate - Threat scenario Web Application Firewall frequency of packets - covered as part of another Firewall policy
Possible external host Web Application Firewall enumeration over system TPI - Consolidation ports - Firewall
Duplicate - Threat scenario Possible external port scan Web Application Firewall covered as part of another over system ports - Firewall policy
Duplicate - Threat scenario Traffic to Known Attacker Web Application Firewall covered as part of another on firewall policy
Duplicate - Threat scenario Repeat Attack on firewall- Web Application Firewall covered as part of another Foreign policy
SNYPR Release Notes 69 What's New in Content
Functionality Policy Name Categorization
Duplicate - Threat scenario Web Proxy Beaconing Traffic Detected covered as part of another policy
Duplicate - Threat scenario Detection of possible proxy Web Proxy covered as part of another circumvention-125 policy
Detection of possible proxy Web Proxy Low fidelity circumvention-134
Detection of possible proxy Web Proxy Low fidelity circumvention-135
Rare domain visited by Web Proxy Low fidelity account
Uploads to news or media Web Proxy Low fidelity websites
Attempted connection to Web Proxy Low fidelity botnet domain - SIEM
Duplicate - Threat scenario Beaconing traffic to known Web Proxy covered as part of another black list site policy
Communication with Duplicate - Threat scenario Web Proxy Suspicious External IP from covered as part of another internal network - SIEM policy
Connection attempt to Zeus Web Proxy Domain or IP Address - Low fidelity SIEM Proxy
Connection to known Web Proxy Low fidelity ransomware IP - SIEM
Duplicate - Threat scenario Detection of Web Requests Web Proxy covered as part of another to Rare Blocked Domains policy
SNYPR Release Notes 70 What's New in Content
Functionality Policy Name Categorization
Internal Host Communicating to Bad Web Proxy TPI - Consolidation Reputed Domain - Proxy SIEM
Internal Host Web Proxy Communicating to Bad TPI - Consolidation Reputed IP - Proxy SIEM
Internal Host Duplicate - Threat scenario Web Proxy Communicating to Bad covered as part of another Reputed URL - Proxy SIEM policy
Internal Traffic for Blocked Web Proxy TPI - Consolidation Domain - Proxy SIEM
Multiple sources Web Proxy connection to A botnet TPI - Consolidation domain - SIEM
Outbound Spamhaus Web Proxy observed Traffic - Proxy TPI - Consolidation SIEM
Duplicate - Threat scenario Outbound TOR Traffic - Web Proxy covered as part of another Proxy SIEM policy
Outbound Traffic to Fraud Web Proxy TPI - Consolidation sites - SIEM
Web Proxy Phishing detected - SIEM TPI - Consolidation
Rare User Agent Used by Web Proxy TPI - Consolidation Account
Duplicate - Threat scenario Remote Desktop or Private Web Proxy covered as part of another VPN Accessed - SIEM policy
Same User Connecting to Web Proxy multiple botnet domains - TPI - Consolidation SIEM
SNYPR Release Notes 71 What's New in Content
Functionality Policy Name Categorization
Suspicious connection PUT Web Proxy TPI - Consolidation using HTTP - SIEM
Suspicious Connections to Web Proxy Low fidelity URL contains “Trojan”
Suspicious downloads to Web Proxy Low fidelity URL contains wget - SIEM
Web Proxy Traffic to Phishing Site Low fidelity
Traffic to rare domain on Web Proxy Low fidelity DNS ports - Firewall
Duplicate - Threat scenario Circumvention of URL Web Server covered as part of another Controls policy
Web Server Rare User Agent Used TPI - Consolidation
Circumvention of Directory Web Server Low fidelity Controls
Circumvention of Directory Web Server TPI - Consolidation Controls-124
Possible Web Crawling Web Server Low fidelity Detected
Duplicate - Threat scenario Possible Web Crawling Web Server covered as part of another Detected-124 policy
Duplicate - Threat scenario Rare HTTP Request Web Server covered as part of another Method Used policy