Cyfin Archives - Page 2 of 4 - Wavecrest Knowledge Base

v9.6.5 Release Notes for Cyfin

Category: Administration, Data Manager, Release Notes

Enhancements

Health
- Added new Health status page to display the current state of different components in the product through Health Modules. These modules can be configured to trigger notification alert emails when an error is detected. The following modules are currently available:
  - License Expiration – Checks the number of days left on the license and can trigger warning and error notifications based on days left.
  - Syslog Inactivity – Checks active syslog ports for data being sent and triggers alert when no data is received in a configurable time period. Module also checks for valid data being received instead of just any data and triggers different error alert accordingly.
Reporting
- Dashboard
  - Visualizer
    - Added an extensive library of preconfigured charts for users to select when creating new panels.
Library
- Updated product to use most recent MySQL library (8.0.33).

Corrections

Dashboard
- Removed “AVG Daily Usage” and “AVG Daily Ingestion” tiles because metric is not useful when combined with metric data removal as it is currently. Results include large possible negative numbers.

v9.6.4.b Release Notes for Cyfin

Category: Release Notes

Enhancements

Visualizer
- Added support for Microsoft defender reporting.

Corrections

- Data Management
  - Syslog
    - Corrected issue that could cause direct syslog imports to stop working upon a service restart. The file writer continued to work, just the metric server stop receiving the data directly. This was caused by the syslog server attempting to start before the importer had been initialized.
- Visualizer
  - Corrected aggregation on nested fields

Defender Data Source Field Definitions

Category: Visualizer

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

Field Name	Definition
incidentId	Unique identifier to represent the incident
redirectIncidentId	Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
incidentName	String value available for every incident.
createdTime	Time when incident was first created.
lastUpdateTime	Time when the incident was last updated on the backend.This field can be used when you’re setting the request parameter for the range of time that incidents are retrieved.
assignedTo	Owner of the incident, or null if no owner is assigned.
classification	The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive
determination	Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other
detectionSource	Specifies source of detection.
status	Categorize incidents (as Active, or Resolved). It can help you organize and manage your response to incidents.
severity	Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.One of the following values: Informational, Low, *Medium, and High.
tags	Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
comments	Array of comments created by secops when managing the incident, for example additional information about the classification selection.
alerts	Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts.
alertId	Unique identifier to represent the alert
incidentId	Unique identifier to represent the incident this alert is associated with
serviceSource	Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365.
creationTime	Time when alert was first created.
lastUpdatedTime	Time when alert was last updated at the backend.
resolvedTime	Time when alert was resolved.
firstActivity	Time when alert first reported that activity was updated at the backend.
title	Brief identifying string value available for each alert.
description	String value describing each alert.
category	Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework.
status	Categorize alerts (as New, Active, or Resolved). It can help you organize and manage your response to alerts.
severity	Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High.
investigationId	The automated investigation ID triggered by this alert.
investigationState	Information on the investigation’s current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.
classification	The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null
determination	Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
assignedTo	Owner of the incident, or null if no owner is assigned.
actorName	The activity group, if any, the associated with this alert.
threatFamilyName	Threat family associated with this alert.
mitreTechniques	The attack techniques, as aligned with the MITRE ATT&CK™ framework.
devices	All devices where alerts related to the incident were sent.
DeviceId	The device ID as designated in Microsoft Defender for Endpoint.
aadDeviceId	The device ID as designated in Azure Active Directory. Only available for domain-joined devices.
deviceDnsName	The fully qualified domain name for the device.
osPlatform	The OS platform the device is running.
osBuild	The build version for the OS the device is running.
rbacGroupName	The role-based access control (RBAC) group associated with the device.
firstSeen	Time when device was first seen.
healthStatus	The health state of the device.
riskScore	The risk score for the device.
entities	All entities that have been identified to be part of, or related to, a given alert.
entityType	Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry
sha1	Available if entityType is File. The file hash for alerts associated with a file or process.
sha256	Available if entityType is File. The file hash for alerts associated with a file or process.
fileName	Available if entityType is File. The file name for alerts associated with a file or process
filePath	Available if entityType is File. The file path for alerts associated with a file or process
processId	Available if entityType is Process.
processCommandLine	Available if entityType is Process.
processCreationTime	Available if entityType is Process.
parentProcessId	Available if entityType is Process.
parentProcessCreationTime	Available if entityType is Process.
ipAddress	Available if entityType is Ip. IP address for alerts associated with network events, such as Communication to a malicious network destination.
url	Available if entityType is Url. Url for alerts associated to network events, such as, Communication to a malicious network destination.
accountName	Available if entityType is User.
domainName	Available if entityType is User.
userSid	Available if entityType is User.
aadUserId	Available if entityType is User.
userPrincipalName	Available if entityType is User/MailBox/MailMessage.
mailboxDisplayName	Available if entityType is MailBox.
mailboxAddress	Available if entityType is User/MailBox/MailMessage.
clusterBy	Available if entityType is MailCluster.
sender	Available if entityType is User/MailBox/MailMessage.
recipient	Available if entityType is MailMessage.
subject	Available if entityType is MailMessage.
deliveryAction	Available if entityType is MailMessage.
securityGroupId	Available if entityType is SecurityGroup.
securityGroupName	Available if entityType is SecurityGroup.
registryHive	Available if entityType is Registry.
registryKey	Available if entityType is Registry.
registryValueType	Available if entityType is Registry.
registryValue	Available if entityType is Registry.
deviceId	The ID, if any, of the device related to the entity.

Microsoft Defender Data Source Settings

Category: Administration, Data Manager, Reporting

To configure access for Cyfin to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API

The procedure to create an application is found on the below link:

Create a new Azure Application

When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.

After the application has been created, it should contain 3 values that you need to apply to the module configuration.

These values are:

Client ID
Tenant ID
Client Secret

In Cyfin go to Data Management -> Setup and select Microsoft Defender

Now input the 3 values gathered from the previous steps

v9.6.4 Release Notes for Cyfin

Category: Release Notes

Enhancements

Reporting
- Firewall Reporting
  - Palo Alto Firewall reporting now available in addition to Web data. Both types of data can be seamlessly imported and reported on in the Visualizer which has been updated to include pre-configured Firewall dashboards. * Firewall Reporting requires an upgraded license, but evaluation periods are available.
Data Management
- Log Data Setup
  - Updated the location of the wizard buttons for clarity and optimized flow.
- Log Date Types
  - Updated Sonicwall VPN to include ability to parse NetExtender VPN data.

Web Data Source Field Definitions

Category: Panel, Visualizer

Field Name	Definition
appsite	Friendly name for a Website or Application
authtype
blocked	This occurs because the user is not authorized to access the site, that is, his access has been “blocked.” However, it can also be caused by technical anomalies, for example, “page not found by server.”
bytes	Number of total bytes (transmit and receive) for the session.
category	Describes the content of a Web page that was visited.
classification	User defined classification for the website content that was visited. Values could be any of the following: Acceptable, Unacceptable and Neutral
clientin
clientout
contenttype	Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetime	Date time stamp associated with each recrod hit
domain	A fully qualified domain name (FQDN) is a complete and unambiguous domain name that specifies the exact location of a specific resource on the internet.
group	Organizational groups are structured in a hierarchical manner, forming a tree-like structure.
hit	Number of records (represents a record count)
identity
ip	Source IP Address
network
outboundip	Destination IP Address
proxyport
refererdomain	HTTP header field that indicates the URL or domain from which a user navigated to the current page.
resultcode	HTTP status codes that are used to indicate the result or status of an HTTP request made to a web server. Some commonly encountered codes are: 200 OK, 404 Not Found, etc.
searchterms	Search query or keyword, refers to the specific words or phrases that a user enters into a search engine to find information on a particular topic.
serverin
serverout
source
timeonline	An approximation of the time that a user spends on the Internet. Wavecrest’s Smart Engine algorithms can produce the most accurate time online measurement.
user	Field refers to the information recorded about the user associated with a specific network connection or traffic event.
useragent	HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client.
visit	A click action for the purpose of visiting a Web site. One click equals one request for a Web page.

Palo Alto Data Source Field Definitions

Category: Panel, Visualizer

Field Name	Definition
action	Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
action_source	Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session.
application	Application associated with the session.
application_category	The application category specified in the application configuration properties.
application_risk	Risk level associated with the application (1=lowest to 5=highest).
application_saas	Displays yes if a SaaS application or no if not a SaaS application.
application_subcategory	The application subcategory specified in the application configuration properties.
application_technology	The application technology specified in the application configuration properties.
bytes	Number of total bytes (transmit and receive) for the session.
category	Describes the content of a Web page that was visited.
contenttype	Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetime	Date time stamp associated with each recrod hit
dest_country	Destination country or Internal region for private addresses.
dest_ip	Original session destination IP address.
dest_zone	Zone the session was destined to.
deviceLogType
direction	Indicates the direction of the attack, client-to-server or server-to-client
group	Organizational groups are structured in a hierarchical manner, forming a tree-like structure.
hit	Number of records (represents a record count)
http2_connection	Identifies if traffic used an HTTP/2 Connection or not
identity
ip	Original session source IP address.
ip_protocol	IP protocol associated with the session.
port	Destination port utilized by the session.
recordName
referrer
results
rule	Name of the rule that the session matched.
severity
source
source_zone	Zone the session was sourced from.
threat_category	Describes threat categories used to classify different types of threat signatures.
Threat_contenttype	Subtype of the threat and traffic log
threat_id	Palo Alto Networks identifier for known and custom threats.
type	Specifies the type of log;
url
user	Field refers to the information recorded about the user associated with a specific network connection or traffic event.
useragent	HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client.

v9.6.3 Release Notes for Cyfin

Category: Release Notes

Enhancements

Data Managements
- Log Data Setup
  - Added Microsoft Defender as a configuration option. This feature only available for Cyfin in VM environment.
Reporting
- Dashboard
  - Visualizer
    - Added Dashboard level filters. This allows a filter to be applied to all panels with matching data source on the configured dashboard.
Usage statistics
- Added periodic anonymous usage statistics gathering to improve customer experience.

Corrections

Data Management
- Import
  - Disabled auto importing of syslog enabled log configurations because stream is already automatically imported.

v9.6.2.a Release Notes for Cyfin

Category: Release Notes

Enhancements

Logon Accounts
- Added ability to add additional group permissions to imported logon accounts from Active Directory.
Reporting
- Visit Filter
  - Updated algorithm for determining hit versus visit to include additional portions of URL.

v9.6.2 Release Notes for Cyfin

Category: Release Notes

Enhancements

System
- Added ability to import Groups and IDs through Directory Agent.
System Status
- Messages
  - Visualizer
    - Added screen to view Visualizer profiling information.
Reporting
- Dashboard
  - Visualizer
    - Added preconfigured dashboard templates for users to select when creating new dashboards.
    - Updated timeframe selection to always be relative when creating/editing dashboards. Modifying the timeframe in the dashboard view page is only temporary and a button is added to reset back to default timeframe selection. Navigating away also resets the timeframe back to dashboard default.

Corrections

Reporting
- Dashboard
  - Visualizer
    - Corrected visualizer link in product menu when user account does not have a valid email address by redirecting to logon accounts modification screen.