
SNYPR 6.4 Release Notes
Date Published: 8/12/2021

Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix. The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.
Copyright © 2021 Securonix. All rights reserved.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Release Notes 2

Table of Contents
Introduction 4
What's New in this Release 5
Improvements 12
Bug Fixes 22
New and Improved Content 32
  New Content 32
  Improved Content 58
  Decommissioned Content 71
Known Issues 148

Introduction
The Release Notes include the new features, improvements, bug fixes, and content updates for the SNYPR Jupiter release (6.4).

Note: You can check whether your ticket is fixed in this release by referring to the Summary section. The Summary section includes a description and the customer-logged ticket number, if applicable.

Access to SNYPR 6.4
The Securonix team provides access to the SNYPR 6.4 application. You have to install the RIN application from https://downloads.securonix.com for data ingestion.

Note: For information on how to install RIN, refer to the RIN Installation Guide.

What's New in this Release
This section offers a brief summary of the following new and improved features for the SNYPR 6.4 release, grouped by SNYPR service:

Analytics
- Content Management
- Data Dictionary
- Phishing Analyzer
- Publish Content Updates to Tenants (Multi-tenant)
- Policy Enhancements

Detection and Response
- EDR Playbook Response Actions
- Response Management
- Incident Assignee Chain
- On-Demand Incident
- Sandbox Widget

Hunting
- Live Channel
- Tabular View
- Timedifference Function

Ingestion
- Autodiscovery of Datasources
- Ingestion Improvements
- Activity Monitor

Shared
- Data Masking for Multi-Tenant

For more information about each feature, see the SNYPR 6.4 What's New Guide.

Content Management
The Content Management feature introduces the ability to seamlessly deploy and manage content maintained by the Securonix content team.
This feature gives you access to the most up-to-date threat content so you can maintain the highest level of security detection. For more details about this feature, see the Content Management section in the What's New Guide.

Data Dictionary
The Data Dictionary feature provides the ability to create your own labels for data ingested by SNYPR from datasources. These labels simplify the ingestion, analytics, and hunting processes by providing consistent and easy-to-understand labels for data. Content developers can use these mapped labels to perform data ingestion and create policies, and security analysts can use these labels to search in Spotter. For more details about this feature, see the Data Dictionary section in the What's New Guide.

Phishing Analyzer Technique
The Phishing Analyzer detection technique allows the customer's content team and security analyst team to create policies that detect phishing attacks. Using such a policy, you can check email senders against comparators and detect emails pretending to be from reputable companies. For more details about this feature, see the Phishing Analyzer section in the What's New Guide.

Publish Content Updates to Tenants
A new capability has been added that allows detection engineers to publish parser and enrichment changes to other tenants instantly. This capability provides scalability and saves detection engineers time by avoiding manual updates for each tenant. For more details about this feature, see the Publish Content Updates to Tenants section in the What's New Guide.

Policy Enhancements
The release includes the following key enhancements to analytics:
- Policy Labels: Includes the capability to tag policies so that security analysts can build reports, create dashboards, and search violations using specific labels.
- Risk Score Aggregation for all Entities: Provides aggregate risk scores for all entities so that security analysts have a unified view and a better risk profile for each entity.
For more details about this feature, see the Policy Enhancements section in the What's New Guide.

EDR Playbook Response Actions
CrowdStrike playbook response actions are now offered as part of the SNYPR native response actions. The CrowdStrike and Cylance playbook response actions are configured and run from the SNYPR user interface for single or multiple Remote Ingestion Nodes (RINs). For more details about this feature, see the CrowdStrike Playbook Response Actions section in the What's New Guide.

Response Management
The Response Management feature provides a new, centralized user interface (UI) to configure third-party automated response connections and manage playbook access per tenant. In addition to the new centralized UI configuration, administrators have the flexibility to manage separate connections for each tenant while isolating playbooks per tenant. For more details about this feature, see the Response Management section in the What's New Guide.

Incident Assignee Chain
The Incident Assignee Chain controls incident visibility across specific users. Only users listed on the Incident Assignee Chain have access to discuss, contribute to, coordinate, and download incident information. This is especially helpful for larger enterprises and multi-tenant deployments that manage multiple incidents across different teams. For more details about this feature, see the Incident Assignee Chain section in the What's New Guide.

On-Demand Incident
The On-Demand Incident feature allows analysts and threat hunters to create new incidents and add context around those incidents from various locations in the SNYPR UI.
Analysts and threat hunters can now create a new incident using a new global UI icon, add events to new or existing incidents from the Spotter Search Results view, and manage activity from the Incident Management dashboard to better manage emerging threats that might previously have gone unnoticed. For more details about this feature, see the On-Demand Incident section in the What's New Guide.

Sandbox Widget
The Sandbox widget enables security analysts to test policy violations in an isolated environment to identify issues before making them public. With the ability to run threat models in Sandbox at scale, the Sandbox widget significantly reduces alert noise, improving detection time and enabling more focus for analysts. For more details about this feature, see the Sandbox Widget section in the What's New Guide.

Live Channel
Live Channel is a new detection mechanism that enables search and detection of new threats, and provides the ability to search via regex across data sources and channels. For more details about this feature, see the Live Channel section in the What's New Guide.

Tabular View
Tabular View provides an easy-to-use UI for arranging and viewing event attributes, improving investigation and search efficiency. For more details about this feature, see the Tabular View section in the What's New Guide.

Timedifference Function
The Timedifference function calculates the difference between two time fields in a human-readable format. With this new feature, you simply provide two time fields in Spotter, and the Timedifference function calculates and returns the result as a time value. For more details about this feature, see the Timedifference section in the What's New Guide.

Autodiscovery of Datasources
SNYPR 6.4 provides auto-discovery of syslog-based datasources, which simplifies and automates the onboarding process.
This new workflow improves the time to value for onboarding datasources. Once you have configured your datasource to send events to the RIN, SNYPR discovers those events and suggests a parser for them. For more details about this feature, see the Ingestion 2.0 section in the What's New Guide.

Ingestion Improvements
The release includes the following key enhancements to ingestion:
- Improved Activity Import: Provides an improved and intuitive user interface (UI). The new visual layout of Activity Import consists of an updated color palette, grid view, font, and information design.
- Simplified Lookup Table Management for Multi-Tenant: Allows content developers to create a single policy that can be applied to all tenants without the need to duplicate the policy and customize it for each tenant.
For more details on other improvements, see the Ingestion Improvements section in the What's New Guide.

Activity Monitor
The Activity Monitor tool provides a crucial, real-time view of events ingested by SNYPR.
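The Phishing Analyzer section above describes a policy that checks email senders against comparators to catch mail pretending to come from reputable companies. The script below is an added illustration of that comparator idea in plain Python; it is not Securonix's Phishing Analyzer implementation, and the protected-brand list, the homoglyph table and the sample From: headers are all constructed for the demonstration. It classifies each sender as legitimate (registrable domain matches a protected brand), lookalike-domain (homoglyph fold, one-character typo, or brand embedded in the label), brand-impersonation (display name claims the brand while the address belongs elsewhere), or unknown.

```python
"""Illustrative sender-comparator check in the spirit of a phishing-analyzer policy.

Added example for this page; it is NOT Securonix's Phishing Analyzer code.
The protected-brand list, the homoglyph table and the sample From: headers are
constructed for the demonstration.
"""
import re

# Constructed comparator list: registrable domains of brands worth protecting,
# mapped to the brand name as it would appear in a display name.
PROTECTED_DOMAINS = {
    "paypal.com": "PayPal",
    "microsoft.com": "Microsoft",
}

# Constructed substitutions that make a lookalike label read like the real one.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Matches 'Name <addr>', '"Name" <addr>' and '<addr>'; bare addresses fall through.
_FROM_RE = re.compile(r'\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$')


def parse_from(header):
    """Split a From: header value into (display_name, lowercased address)."""
    m = _FROM_RE.match(header)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def fold_homoglyphs(label):
    """Collapse common lookalike substitutions so 'paypa1' compares as 'paypal'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; a label one typo away from a protected one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header):
    """Return one of: legitimate, lookalike-domain, brand-impersonation, unknown."""
    name, addr = parse_from(header)
    domain = addr.rsplit("@", 1)[-1]
    # Compare on the registrable part (last two labels) so mail.paypal.com still matches.
    registrable = ".".join(domain.split(".")[-2:])
    if registrable in PROTECTED_DOMAINS:
        return "legitimate"
    folded = fold_homoglyphs(registrable.split(".")[0])
    for good_domain in PROTECTED_DOMAINS:
        good_label = good_domain.split(".")[0]
        # Label visually equal to, one edit from, or embedding a protected brand label.
        if folded == good_label or levenshtein(folded, good_label) <= 1 or good_label in folded:
            return "lookalike-domain"
    for brand in PROTECTED_DOMAINS.values():
        # Display name claims a protected brand while the address belongs elsewhere.
        if brand.lower() in name.lower():
            return "brand-impersonation"
    return "unknown"


def scan(headers):
    """Classify a batch of From: headers; returns a list of (header, verdict)."""
    return [(h, classify_sender(h)) for h in headers]


# Constructed sample headers.
SAMPLE_HEADERS = [
    "PayPal <service@paypal.com>",
    "PayPal <service@notify.paypal.com>",
    "PayPal Billing <billing@paypa1.com>",
    "Microsoft <security@rnicrosoft.com>",
    '"Microsoft Account Team" <no-reply@mail-updates.net>',
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:20s} {header}")
```

The two-label registrable heuristic is deliberately simple; a production comparator would use a public-suffix list, a maintained lookup table of brand domains, and would also inspect Reply-To and the envelope sender, since the display name and header From: are entirely attacker-controlled.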