snypr 6.3.1 build 181059 0119 release notes
SNYPR 6.3.1 Build 190020_0610
Release Notes
Date Published: 7/8/2021
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any
third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their
respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any
medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and
reference.
Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional
warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without
the written permission of Securonix.
Copyright © 2021 Securonix. All rights reserved.
Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649
SNYPR Release Notes 2
Table of Contents
Introduction 4
Improvements 5
Bug Fixes 7
What's New in Content 12
  New Connectors 12
  Contextual Connectors 16
  New Content 17
  Improved Content 33
  Deprecated Policies 53
Introduction
SNYPR 6.3.1 Build 190020_0610 includes improvements, bug fixes, connectors, and content.
Note: An INC number in the Summary column indicates a customer-logged ticket that was resolved in this release.
Improvements
The following table describes the improvements included in this release:
Component | Summary
Analytics Service | Improved out-of-the-box policies so that they are enabled by default.
Analytics Service | Improved the processing time of the Violation Summary when a policy has a high violation count.
Analytics Service | Improved the behavior processing time for the Violation Extractor job. (INC-235167) (INC-235115)
Connector | Improved the Prisma Cloud connector to retrieve policy severity details.
Connector | Added an option to import user data from Splunk using RIN.
Hunting Service | Improved reliability and availability by adding a Solr circuit breaker that accounts for the resources needed to execute a task.
Response Service | Improved the ServiceNow integration when logging is enabled.
Shared Service | Added roles and group membership data fields to the audit report download.
Shared Service - Job Monitor | Improved the performance of the Job Monitor by letting users select one of the following options to refresh the Job Monitor screen:
- Live
- Do Not Auto-refresh
- Refresh on 30 seconds
- Refresh on 60 seconds
Note: By default, the Do Not Auto-refresh option is enabled. (INC-233512) (INC-239737)
Bug Fixes
The following table describes the bug fixes included in this release:
Component | Summary
Analytics Service | Fixed the behavior violations to trigger as expected. (INC-239489)
Analytics Service | Fixed the whitelist functionality in Spotter to work as expected for an account or attribute. (INC-237818)
Analytics Service | Fixed an issue that caused the Individual Event Evaluator (IEE) job to fail. (INC-242709) (INC-243768)
Analytics Service | Fixed an issue that caused the IEE job to fail when the datetimelong value was parsed from raw events. (INC-241945) (INC-242591)
Analytics Service | Fixed an issue that caused the Risk Scoring job to fail on start-up.
Analytics Service | Fixed an issue that caused the Traffic Analyzer job to fail.
Analytics Service | Fixed an issue that caused the Traffic Analyzer job to fail on restart.
Analytics Service | Fixed an issue that caused a null pointer exception in the Traffic Analyzer job. (INC-242647) (INC-243146)
Analytics Service | Fixed an issue where the Beaconing job was unable to restart.
Analytics Service | Fixed the error that was displayed for the Violation Extractor job.
Analytics Service | Fixed an issue that caused the Violation Extractor job to fail. (INC-240912)
Analytics Service | Fixed an issue in the job script that caused the Violation Extractor job to fail.
Analytics Service | Fixed an issue that caused the risk score job to fail when the reading indexer counted the topic data. (INC-239528)
Analytics Service | Fixed an issue where changes made to Policy Violations would not save. (INC-241319) (INC-238017)
Analytics Service | Fixed the Violation Summary view to display the beaconing graph. (INC-240984)
Analytics Service | Fixed the Whitelist module to process firewall-based policies faster. (INC-236391)
Analytics Service | Fixed an issue that caused the Violation Summary to not display for behavioral policies. (INC-232989)
Analytics Service | Fixed policy names to support Japanese characters.
Analytics Service | Fixed the error that occurred when sending fetch requests.
Analytics Service | Fixed an issue that caused the behavior ID to be duplicated when an event rarity policy was duplicated in SNYPR. (INC-237310)
Analytics Service | Fixed Policy Violations to trigger as expected. (INC-233735)
Analytics Service | Fixed an issue where an entity added to an active list would not appear on the active list for two days. (INC-238629)
Analytics Service | Fixed the error that occurred when a user tried to delete a datasource from the UI. (INC-236501)
Analytics Service | Fixed an issue where the policy Category would not update when a policy was deployed from Sandbox to production. (INC-239358)
Analytics Service | Fixed the Sandbox functionality to update the policy category when a policy transitions to production. (INC-239358)
Analytics Service | Fixed the save functionality so that a disabled policy stays disabled when it is saved. (INC-240829)
Analytics Service | Fixed the delete option to allow users to delete violations for identity policies. (INC-241691)
Connector | Fixed the user import process so that records with special characters are imported correctly from Okta. (INC-241638)
Hunting Service | Fixed the connectivity issue with Spark job 3.
Hunting Service | Fixed an issue that caused reports to not export all records in high availability mode from Spotter and Categorized Reports. (INC-237759)
Hunting Service | Fixed an issue that caused special characters to be removed from a Spotter query when the query was saved. (INC-238778)
Hunting Service | Fixed an issue that caused the Spotter UI to display a different count value than the exported Spotter report. (INC-236645)
Hunting Service | Fixed an issue that caused the Spotter UI to display a different count value than the data exported from archive. (INC-242025)
Hunting Service | Fixed an issue that caused incorrect attribute names on the Spotter report.
Hunting Service | Fixed an issue that caused the indexer to fail because it could not locate the SSL certificate.
Hunting Service | Fixed an issue where the aggregate Max(eventid) was blank in reports.
Hunting Service | Fixed an issue that caused the indexer to fail because of the long character length of the URL.
Ingestion Service | Fixed an error so that TPI files can be imported successfully using RIN.
Response Service | Fixed inaccuracies within Incident Management. (INC-239650)
Response Service | Fixed an issue that caused notes to not display on violation events. (INC-235889)
Response Service | Fixed an issue that caused the Available Tenants filter to display incorrect tenants on Data Insight. (INC-235641)
Response Service | Fixed an issue in Incident Management that caused the Activity Stream to disregard initial case comments. (INC-241807) (INC-239491) (INC-237102)
Response Service | Fixed the risk score functionality to reset to zero when a non-concern action is set for a policy. (INC-236518)
Response Service | Fixed an issue where the bulk triage action would triage all violators, regardless of the granular access control settings. (INC-241679)
Response Service | Fixed an issue that caused an incorrect risk score to display on the Incident Management screen. (INC-241522)
Response Service | Fixed an issue that caused data protection violations to repeat after post-review. (INC-237807) (INC-236411)
Response Service | Fixed an issue that prevented auto cases from displaying in the Incident Management view. (INC-241031)
Response Service | Fixed an issue that caused ingested events to be attached to a closed incident instead of creating a new incident. (INC-229026)
Response Service | Fixed an issue where new violations would populate in existing incidents when a violation was closed. (INC-238763)
Response Service | Fixed an issue where the Incident Management search bar could not find results when a partial policy name or IP address was entered. (INC-242793)
Response Service | Fixed the policy validation error that occurred with the ServiceNow integration. (INC-236980)
Shared Service - Email | Fixed the email notification for activity import so that users are notified based on the configured parameters. (INC-240498)
Shared Service, Ingestion Service | Fixed an error so that the correct time at which SNYPR ingested an event is displayed in the following modules: Activity Import, emails, and Notifications. (INC-239464)
Shared Service | Fixed Users to display status codes for employees in User Details. (INC-238354)
Shared Service | Fixed an issue to ensure scheduled reports are sent as email attachments. (INC-237558)
Shared Service | Fixed an expired SSL certificate. (INC-236996)
Shared Service | Fixed the Job Monitor screen to display correct data. (INC-242239) (INC-242880) (INC-243421)
Shared Service | Fixed an issue so that the correct reports are merged when multiple Spotter reports are merged into one report. (INC-242526)
What's New in Content
This section lists the following updates to content:
- New and improved connectors
- Contextual connectors
- Beta connectors
- New and improved content
- Deprecated parsers and policies
New Connectors
The following connectors for activity import are included in this release:
Vendor | Functionality | Device Type | Collection Method | Format
ActivIdentity / HID Global | Physical Security / Badging | ActivIdentity HID Global | Syslog | JSON
Amazon Inc | Cloud Services / Applications | AWS Cloud Trail | Awssqss3 | JSON
Amazon Inc | AWS Cloud Services / Applications | AWS Cloudwatch | Awssqss3 | Regex
Anaplan | Cloud Application Audit | Anaplan Audit | Anaplan | JSON
Atlassian Corporation Plc | IT Service Management | Jira | Jira | JSON
Atlassian Corporation Plc | Cloud Application Audit | Confluence Audit | Confluence | JSON
Brivo | Physical Security / Badging | Brivo OnAir - Access | Brivoonair | JSON
Carbon Black | Endpoint Management Systems | Carbon Black Defense - Audit | Carbonblack | JSON
Carbon Black | Endpoint Management Systems | Carbon Black Defense - Alert | Carbonblack | JSON
Carbon Black | Endpoint Management Systems | Carbon Black Defense - V2 | Carbonblack | JSON
Cloudflare | Firewall | Cloudflare | Cloudflarefirewall | JSON
CloudKnox | Access / Identity Management | CloudKnox Alerts | cloudknox | JSON
CloudKnox | Access / Privileged User | CloudKnox Activities | Googlereport2 | JSON
Google | Identity Access Management | Users Accounts | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google Chat | Googlereport2 | JSON
Google | Authentication / SSO / Single Sign-On | Google Token | Googlereport2 | JSON
Google | Access / Privileged User | Access Transparency | Googlereport2 | JSON
Google | Mobile Device Management | Google Mobile | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google Calendar | Googlereport2 | JSON
Google | Access / Identity Management | Google Groups Enterprise | Googlereport2 | JSON
Google | Access / Identity Management | Google Groups | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google GPlus | Googlereport2 | JSON
Google | Cloud Authentication / SSO / Single Sign-On | Google SAML | Googlereport2 | JSON
Google | Data Loss Prevention / Network DLP | Google Rules | Googlereport2 | JSON
Google | Business Collaboration Platforms | Google Meet | Googlereport2 | JSON
Imperva Inc. | Web Application Firewall | Imperva Web Application Firewall | Impervacloudwaf | CEF
Informatica | Authentication / SSO / Single Sign-On | Informatica Authentication | Informatica | JSON
Microsoft Corporation | Cloud Services / Applications | Azure Active Directory Sign In | Azurereport | Key Value Pair
OS Query | Operating System Instrumentation Framework | OS Query Logs | Syslog | JSON
Pager Duty | IT Infrastructure Monitoring | Pager Duty | pagerdutyincidents | JSON
Palo Alto Networks | IDS / IPS / UTM / Threat Detection | Prisma Audit | Prismacloud | JSON
Proofpoint | Cloud Email / Email Security | Proofpoint Email Isolation | Proofpointisolation | JSON
Proofpoint Inc. | Application Audit | Proofpoint Security Awareness Training | Proofpointsat | JSON
SecurityScorecard | Security Analytics Platform | Security Scorecard - Company Grade | Securityscorecard | JSON
SecurityScorecard | Security Analytics Platform | Security Scorecard - Company risk category score | Securityscorecard | JSON
Symantec / Blue Coat Systems | Antivirus / Malware / EDR | Symantec Endpoint Protection | Symantecendpoint | JSON
Tenable | Vulnerability Scanners | Tenable Response | Tenable | JSON
Verizon Digital Media Services | Web Application Firewall | Edgecast | Verizonedgecast | JSON
Workday Inc. | Access / Identity Management | Workday Audit | Workday | Key Value Pair
Contextual Connectors
This section lists the connectors required to ingest the following types of data:
- Entity Metadata
- Lookup Data
- Third Party Intelligence
- Users
The following contextual connectors are included in this release:
Vendor | Type
CSW Risksense | Entity Metadata
FireEye Mandiant | Third Party Intelligence
ZeroFox | Third Party Intelligence
The following contextual connector is improved in this release:
Vendor | Type
Splunk | User Data
New Content
The following new policies are added in this release:
Functionality | Policy ID | Policy Name
Access / Identity Management | ACI-ALL-800-ERR | User changing job detection
Access / Identity Management | ACI-ALL-801-BP | Abnormal number of inactivate organization activity
Access / Identity Management | ACI-ALL-802-ERR | Business process definition edited
Access / Identity Management | ACI-ALL-803-ERR | Rare user assigning roles
Access / Identity Management | ACI-ALL-804-PO | Rare user assigning roles compared to peers
Access / Identity Management | ACI-ALL-805-ERR | Rare user assigning user-based security groups for person
Access / Privileged User | ACP-ALL-806-RU | Customer initiated access by Google to respond to a third party data request - Google access transparency
Access / Privileged User | ACP-ALL-807-RU | Google initiated service detected - Google Access Transparency
Access / Privileged User | ACP-ALL-808-ERR | Google initiated review - access detected from a rare geolocation
Access / Privileged User | ACP-ALL-809-BP | Google initiated review - account accessing multiple resources
Business Collaboration Platforms | BCP-ALL-801-DB | Abnormal number of files downloaded from the chat - Gsuite
Business Collaboration Platforms | BCP-ALL-802-DB | Abnormal number of files uploaded to the chat - Gsuite
Cloud Application Audit | CAAU-SF-740-RU | Account impersonation
Cloud Application Audit | CAAU-SF-741-DB | Huge Number Of Password Change
Cloud Application Audit | CAAU-SF-738-RU | Account activated tracking policy
Cloud Application Audit | CAAU-SF-739-RU | Recently activated account de-activated within a short duration of time
Cloud Application Audit | CAAU-SF-744-RU | User changing email to personal email
Cloud Application Audit | CAAU-SF-743-RU | User changing email to non-business email
Cloud Application Audit | CAAU-SF-759-RU | User changing email to non-internal email
Cloud Application Audit | CAAU-SF-746-RU | User changing email to a disposable email address
Cloud Application Audit | CAAU-SF-792-BP | Abnormal frequency of target accounts logged in as
Cloud Application Audit | CAAU-SF-742-RU | Non admin account logging in as admin account
Cloud Application Audit | CAAU-SF-791-TA | Phone number registered for multiple users
Cloud Application Audit | CAAU-ALL-808-BP | Abnormal number of login failures detected
Cloud Application Audit | CAAU-ALL-809-ERR | Login from a Rare geolocation
Cloud Application Audit | CAAU-ALL-810-BP | Abnormal number of distinct recipes stopped by an account
Cloud Application Audit | CAAU-ALL-811-BP | Abnormal number of distinct recipes deleted by an account
Cloud Application Audit | CAAU-ALL-812-RU | Account was observed disabling multifactor authentication
Cloud Application Audit | CAAU-ALL-813-ERR | Rare account deleting API policy
Cloud Application Audit | CAAU-ALL-814-ERR | Rare account disabling audit log streaming
Cloud Application Audit | CAAU-ALL-815-LS | Impossible Travel Alert Detected
Cloud Application Audit | CAAU-ALL-816-ERR | Rare account delegating admin account access
Cloud Application Audit | CAAU-ALL-817-DB | Role creation followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-818-ERR | Rare account adding a new connection
Cloud Application Audit | CAAU-ALL-819-DB | Account deleting multiple folders within a short period
Cloud Application Audit | CAAU-ALL-820-ERR | Rare account updating Pub/Sub topic
Cloud Application Audit | CAAU-ALL-821-ERR | Rare account creating Pub/Sub topic
Cloud Application Audit | CAAU-ALL-822-DB | Delegated admin addition followed by deletion within a short period
Cloud Application Audit | CAAU-ALL-823-ERR | Rare account updating delegated admin password
Cloud Application Audit | CAAU-ALL-824-ERR | Connection Disconnected by a Rare Account
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-847-BA | Abnormal volume of file downloads from Salesforce-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-448-BA | Abnormal volume of data egressed using REST API requests-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-449-BA | Abnormal volume of data egressed via Visualforce requests-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-450-DB | Large number of target accounts used for delegated login-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-451-BP | Abnormal number of target accounts used for delegated login-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-845-ER | Rare user performing delegated logon-165
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-846-ER | Installation of rare unmanaged package detected across organization-165
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-747-TA | Successful Logon of admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-RU | Successful login following a spike in failed logins for an Admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-752-LS | Landspeed anomaly detected for an account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-BP | Abnormal number of failed logons from Admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-745-TA | Successful Logon detected for a Non-admin account from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-848-BP | Abnormal number of logon failures from Non-admin accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-751-DB | Account logging in from multiple countries in a day
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-755-ERR | Rare Application Accessing SalesForceCom API
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-886-BP | Abnormal Number of Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-887-BP | Abnormal Number of Admin Login Failures
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-888-DB | Password spraying attempt from an IP on multiple accounts
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-789-TA | Robotic Pattern Observed from an IP - Failed Login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-790-ERR | Successful Logon detected from rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-792-ERR | Successful Logon detected for an admin account from a rare country compared to rest of the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-893-LS | Landspeed anomaly detected for an admin account
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-794-RU | User changing email to non-business email
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-795-DB | Recently activated account de-activated within a short duration of time
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-726-BP | Abnormal number of Account Lockout events
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-723-TA | Robotic Pattern Observed - Failed Login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-847-BA | Abnormal volume of file downloads from Salesforce
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-727-ERR | Rare User Agent Used For Log In
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-725-ER | Authentication from rare geolocation
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-748-BA | Abnormal volume of data egressed using REST API requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-728-BP | Possible User Enumeration Observed from an IP Address
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-724-DB-SIEM | High number of failed login attempts - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-749-BA | Abnormal volume of data egressed via Visualforce requests
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-734-BP | Anomalous Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-750-DB | Large number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-722-LS | Landspeed Anomaly
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-719-DB | High Number of Reports Exported
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-729-DB-SIEM | Multiple number of Failure followed by Success - SIEM
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-754-BP | Abnormal number of target accounts used for delegated login
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-845-ERR | Rare user performing delegated logon
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-846-ERR | Installation of rare unmanaged package detected across organization
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-721-RU | LoginAs Activity was observed with access of other User
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-852-ERR | Rare combination of Country and State observed for user authenticating to multifactor device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-808-DB | Abnormal amount of login attempts detected on Duo MFA
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-812-RU | Authentication anomaly - Country Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-811-RU | Authentication anomaly - State Mismatch
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-851-ERR | Rare combination of Country and State observed for user authenticating to access device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-809-LS | Landspeed Anomaly detected
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-827-ERR | Logon from a rare country
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-853-ERR | Authentication to access device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-854-ERR | Authentication to MFA device observed from rare country for user
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-855-ERR | Authentication to MFA device observed from rare country across the organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-856-RU | Successful inline enrollment on Duo by uncorrelated account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-857-ERR | User performing inline enrollment on Duo from rare country compared to entire organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-858-TA | Successful inline enrollment of multiple accounts on a single device
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-859-ERR | Successful login using bypass code from rare location compared to rest of organization
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-860-RU | Failed Authentication attempt marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-861-DB | Multiple failed Authentication attempts marked as fraud by account
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-850-RU | User enrolling from a country different from work location
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-885-BP | Password spraying attempts for one account on multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-DUO-831-RU | Successful password spraying attempt from one account to multiple applications
Cloud Authentication / SSO / Single Sign-On | CSSO-SF-776-RU | Successful login following a spike in failed logins for a Non-admin account
Cloud Content Management System | CCMS-ALL-840-BP | Abnormal number of files downloaded
Cloud Services / Applications | CSA-ALL-854-ERR | ListBuckets API query on AWS S3 infrastructure from rare country
Cloud Services / Applications | CSA-ALL-855-ERR | ListBuckets API query from account with unusual Role
Cloud Services / Applications | CSA-ALL-856-BP | Abnormal frequency of ListBuckets API queries for Account
Cloud Services / Applications | CSA-ALL-857-BP | Abnormal frequency of GetObject API queries for Account
Cloud Services / Applications | CSA-ALL-858-ERR | S3 bucket accessed from Rare User Agent
Cloud Services / Applications | CSA-ALL-856-ERR | AWS Instance started or terminated from rare country
Content Management System | CMS-ALL-831-BP | Abnormal number of files downloaded - CMS
Endpoint Management Systems | EDR-ALL-71-BP | Possible Ransomware infection involving use of staging commands on abnormally large number of hosts
Endpoint Management Systems | EDR-ALL-881-RU | Suspicious creation and execution of Batch file followed by immediate deletion
Endpoint Management Systems | EDR-ALL-883-ERR | W3WP establishing network communication with rare external address
Endpoint Management Systems | EDR-ALL-882-RU | Suspicious modification of SSP configuration via Registry
Endpoint Management Systems | EDR-ALL-884-ERR | Possible Webshell created In Unusual file location
Endpoint Management Systems | EDR-ALL-885-RU | Possible execution of China Chopper Web Shell via Command line
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-887-RU | Process dump using COM Plus Service DLL via CommandLine
Endpoint Management Systems | EDR-ALL-888-BP | Abnormal frequency of application errors in IIS worker process
Endpoint Management Systems | EDR-ALL-889-RU | Reverse shell connection established via Powershell on Host
Endpoint Management Systems | EDR-ALL-890-RU | Suspicious path of execution of Visual Studio Performance Monitor Executable on Hafnium Infected host
Endpoint Management Systems | EDR-ALL-891-RU | Suspicious spawning of Opera Browser process on Hafnium infected host
Endpoint Management Systems | EDR-ALL-892-RU | Suspicious DLL Side loading attempt from Opera browser process on Hafnium infected host
Endpoint Management Systems | EDR-ALL-893-RU | Suspicious use of Vssadmin List Shadows command on Hafnium infected host
Endpoint Management Systems | EDR-ALL-894-RU | Suspicious Scheduled task created on Hafnium infected host
Endpoint Management Systems | EDR-ALL-895-RU | Suspicious modification of ASPX file attributes
Endpoint Management Systems | EDR-ALL-896-RU | Suspicious child process spawned by Microsoft Exchange
Endpoint Management Systems | EDR-ALL-897-RU | Email collection detected via Powershell
Endpoint Management Systems | EDR-ALL-185-ER | Potential use of suspicious stager - Rare destination port used by LOLBIN executable on host to establish outbound communication
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-161-RU | Possible Egregor Ransomware Rclone To Svchost LOL Rename Analytic
Endpoint Management Systems | EDR-ALL-162-RU | Possible Malicious Certificate Export Analytic
Endpoint Management Systems | EDR-ALL-163-RU | Possible SUNSPOT Variant Dropped Artifact Analytic
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Essential Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-111-ER | Proxied execution of potentially suspicious process via binaries signed by trusted entities
Endpoint Management Systems | EDR-ALL-109-RU | Possible use of renamed LOL helper tool payload by malware - executable and hash tracking
Endpoint Management Systems | EDR-ALL-110-RU | Possible use of renamed LOL helper tool payload by malware - renamed payload executed
Endpoint Management Systems | EDR-ALL-3-BP | Abnormal number of encrypted files created
File Integrity Monitoring | FIM-ALL-801-ERR | Rare FIM WebServer or FS File Change Analytic
Identity Access Management | IAM-ALL-801-DB | Password spraying attempts from an IP
Identity Access Management | IAM-ALL-802-RU | Successful Password spraying attack from an IP
Identity Access Management | IAM-ALL-803-BP | Abnormal frequency of authentication failures for an account
SNYPR Release Notes 28
What's New in Content
Functionality Policy ID Policy Name
Identity Access Management
IAM-ALL-807-RUSuccessful authentication following an abnormal frequency of authentication failures
Identity Access Management
IAM-ALL-806-ERRAccount authenticating to Azure AD from rare country
Identity Access Management
IAM-ALL-804-ERRAccount authenticating to Azure AD from rare country across the organization
Identity Access Management
IAM-ALL-805-LSLandspeed anomaly detected on Azure AD
Identity Access Management
IAM-ALL-808-RUMulti Factor Authentication Disabled
Identity Access Management
IAM-ALL-809-RUAccount Recovery Information Changed
Identity Access Management
IAM-ALL-810-RUAdvance protection disabled for an account
Identity Access Management
IAM-ALL-811-DBAbnormal number of password change attempts
Microsoft Windows WEL-ALL-976-ERRUse of explicit credentials by a rare account - Account sharing or Password misuse
Microsoft Windows WEL-ALL-850-DBPossible Hexacorn-style Shellcode Execution Analytic
Microsoft Windows WEL-ALL-862-RUPossible Zerologon attack using tools
Microsoft Windows WEL-ALL-13-DBTicket Encryption and Ticket Options Analytic
Microsoft Windows WEL-ALL-30-BPPeak LsaRegisterLogonProcess Increase Analytic
Microsoft Windows WEL-ALL-15-BPPeak Distinct Account Change For Source User Analytic
SNYPR Release Notes 29
What's New in Content
Functionality Policy ID Policy Name
Microsoft Windows Powershell
PSH-ALL-116-RUUse of Powershell for email collection
Microsoft Windows Powershell
PSH-ALL-117-RUReverse shell connection established via Powershell on Host -Powershell Scriptblock logs
Microsoft Windows Powershell
PSH-ALL-118-RUUse of Powercat tool to establish reverse shell on Host
Microsoft Windows Powershell
PSH-ALL-115-RUPossible GoldenSAML Certificate Export Events Analytic
Microsoft Windows Powershell
PSH-ALL-7-RUPossible Reflection Assembly Weaponization Activity Analytic
Network Traffic Analytics
NTA-ALL-880-BAAbnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics
NTA-ALL-881-BAAbnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics
NTA-ALL-882-BAAbnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics
NTA-ALL-883-BAAbnormal amount of data transmitted over covert channels - NTA
Network Traffic Analytics
NTA-ALL-884-BPPossible host enumeration over system ports - Internal - NTA
Network Traffic Analytics
NTA-ALL-885-DBPossible host enumeration over system ports - External - NTA
Network Traffic Analytics
NTA-ALL-886-DBPossible port scan from external IP Address - NTA
Network Traffic Analytics
NTA-ALL-887-DBPossible port scan from internal IP Address - NTA
SNYPR Release Notes 30
What's New in Content
Functionality Policy ID Policy Name
Next Generation Firewall
NGF-ALL-800-BPPossible port scanning from internal IP Address - Next Gen Firewall
Physical Security / Badging
PHY-ALL-808-RUFailed access attempt detected from an user to the facility
Physical Security / Badging
PHY-ALL-809-RUHigh number of failed entry attempts detected from the user
Physical Security / Badging
PHY-ALL-810-ERRRare account making changes to the physical security device
Physical Security / Badging
PHY-ALL-811-RUBoard Communication Failure Cleared
Physical Security / Badging
PHY-ALL-812-DBUser had unauthorized attempts across multiple locations
Virtualization / Containers
VIR-ALL-801-DBMultiple virtual machines shutdown - vCenter
Virtualization / Containers
VIR-ALL-802-DBHigh number of virtual machines deleted - vCenter
Virtualization / Containers
VIR-ALL-803-DBHigh CPU usage on ESXi hosts during Non-Business hours - vCenter
Virtualization / Containers
VIR-ALL-804-DBHigh number of snapshots created - vCenter
Virtualization / Containers
VIR-ALL-805-DBBruteForce attempts on user account of VM or ESxi or vCenter
Virtualization / Containers
VIR-ALL-809-BPMultiple Virtual Machine Images Downloaded by an Account - vCenter
Virtualization / Containers
VIR-ALL-806-DBVM Snapshot creation followed by Snapshot Memory file or State file download - vCenter
SNYPR Release Notes 31
What's New in Content
Functionality Policy ID Policy Name
Virtualization / Containers
VIR-ALL-810-BPAbnormal number of virtual machines deleted - vCenter
Virtualization / Containers
VIR-ALL-807-DBHigh number of virtual machines cloned - vCenter
Virtualization / Containers
VIR-ALL-808-ERRNew account created on virtual machine
Virtualization / Containers
VIR-ALL-811-BPHost enumeration attempt detected from an account
Web Application Firewall
IFW-ALL-820-ER Possible LFI Detection
Web Application Firewall
IFW-ALL-821-DB Unusual URL Redirection
Web Application Firewall
IFW-ALL-822-RUSuspicious Process Observed Over URL
Web Application Firewall
IFW-ALL-823-RU Remote Command Execution
Web Application Firewall
IFW-ALL-824-RUCommunication to Malware OR Trojan Suspicious Port
Web Application Firewall
IFW-ALL-825-ER Rare Content Type Observed
Web Application Firewall
IFW-ALL-826-DBCircumvention over URL Response Code
Web Application Firewall
IFW-ALL-827-ER Unusual web requests
Web Application Firewall
IFW-ALL-828-DBPossible Server Outage by Multiple Request
Web Application Firewall
IFW-ALL-829-DBMultiple Allowed Attack Detection Over Insecure HTTP Version
SNYPR Release Notes 32
What's New in Content
Functionality Policy ID Policy Name
Web Servers WEB-ALL-810-RUPossible SolarWinds SUPERNOVA Auth Bypass Exploitation Analytic
Web Servers WEB-ALL-809-ERPossible SolarWinds SUPERNOVA i18n Malicious Activity Analytic
Improved Content
The following content was improved in this release:
Functionality | Signature ID | Policy Name
Access / Identity Management | ACI-ALL-802-ERR | Business Process definition Edited
Antivirus / Malware / EDR | EDR-ALL-769-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic - AVEDR
Antivirus / Malware / EDR | EDR-ALL-840-ERR | Rare file hashes for high severity endpoint alerts - EDR
Antivirus / Malware / EDR | EDR-ALL-838-BP | Abnormal number of high severity endpoint alerts - EDR
Antivirus / Malware / EDR | EDR-ALL-844-RU | Use of credential dumpers - EDR
Antivirus / Malware / EDR | EDR-ALL-747-RU | MS EquationEditor process spawning child process - AVEDR
Antivirus / Malware / EDR | EDR-ALL-726-RU | Potential use of Rubeus attack tool detected via command line - AVEDR
Antivirus / Malware / EDR | EDR-ALL-799-ER | Possible Malicious Implant In-Memory Compilation Analytic - AVEDR
Antivirus / Malware / EDR | EDR-ALL-740-RU | Suspicious Process Activity - Targeted - Known Credential Dumping Tools Use Analytic - AVEDR
Antivirus / Malware / EDR | EDR-ALL-654-BP | Abnormal number of Self Worker Process Execution - AVEDR
Antivirus / Malware / EDR | EDR-ALL-762-ER | Potential attempt to bypass UAC using Eventvwr - AVEDR
Authentication / VPN | VPN-ALL-803-DB | Password Spraying Attack Detected VPN - SIEM
Authentication / VPN | VPN-ALL-801-DB | Concurrent VPN from Multiple city - SIEM
Authentication / VPN | VPN-ALL-815-DB | Accounts authenticating from multiple IP - SIEM
Cloud Antivirus / Malware / EDR | CEDR-ALL-839-BP | Abnormal number of high severity endpoint alerts - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-845-RU | Use of credential dumpers - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-19-RU | Potential Mimikatz CommandLine Usage - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-26-RU | Potential use of Rubeus attack tool detected via command line - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-47-RU | MS EquationEditor process spawning child process - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-40-RU | Suspicious Process Activity - Targeted - Known Credential Dumping Tools Use Analytic - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-154-BP | Abnormal number of Self Worker Process Execution - Cloud EDR
Cloud Antivirus / Malware / EDR | CEDR-ALL-62-ER | Potential attempt to bypass UAC using Eventvwr - Cloud EDR
Cloud Application Audit | CAAU-ALL-800-RU | Potential account compromise - Exchange
Cloud Authentication / SSO / Single Sign-On | CSSO-ALL-843-DB | Login failure to Deleted Account - SIEM - SSO
Cloud Content Management System | CCMS-ALL-805-BP | Abnormal number of files shared with Competitor email address
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Cloud Content Management System | CCMS-ALL-802-ERR | Account Activity detected from Rare Country
Cloud Content Management System | CCMS-ALL-804-BP | Abnormal number of files shared with personal account
Cloud Content Management System | CCMS-ALL-810-BP | Abnormal number of files downloaded by an account
Cloud Content Management System | CCMS-ALL-807-RU | File activity performed by terminated user
Cloud Content Management System | CCMS-ALL-801-ER | Suspicious Modification of Privileges for Documents
Cloud Content Management System | CCMS-ALL-816-BP | Abnormal number of files deleted by an account
Cloud Content Management System | CCMS-ALL-812-ER | Rare Operation performed by an User
Cloud Content Management System | CCMS-ALL-814-BP | Abnormal Number of files Printed compared to past behavior
Cloud Content Management System | CCMS-ALL-815-DB | Recovering Files along with Data Egress
Cloud Content Management System | CCMS-ALL-809-ERR | Account accessing file path never accessed before
Cloud Content Management System | CCMS-ALL-806-BP | Abnormal number of files shared with Non Business account
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-811-LS | Landspeed Anomaly - Cloud Content Management System
Cloud Content Management System | CCMS-ALL-813-RU | File shared with Non business account
Cloud Content Management System | CCMS-ALL-835-BP | Abnormal number of files downloaded compared to peers
Cloud Content Management System | CCMS-ALL-836-BP | Abnormal number of files uploaded
Cloud Content Management System | CCMS-ALL-820-DB | Multiple Files shared with Non Business Accounts
Cloud Content Management System | CCMS-ALL-837-RU | File shared with personal account
Cloud Content Management System | CCMS-ALL-821-DB | Multiple Files shared with Account having competitor domain
Cloud Content Management System | CCMS-ALL-822-RU | Critical files shared with external Account
Cloud Content Management System | CCMS-ALL-823-RU | Corporate documents made public
Cloud Content Management System | CCMS-ALL-838-BP | Abnormal Number of Corporate documents made public
Cloud Content Management System | CCMS-ALL-824-DB | External account accessing multiple critical files
Cloud Content Management System | CCMS-ALL-825-DB | External account downloading high number of files
Cloud Content Management System | CCMS-ALL-839-BP | External account downloading abnormally high number of files
Cloud Content Management System | CCMS-ALL-826-RU | Activity from personal account belonging to company employee
Cloud Content Management System | CCMS-ALL-827-DB | Account activity from multiple countries in a day
Cloud Content Management System | CCMS-ALL-828-ERR | Account activity from a country rare to the organization
Cloud Content Management System | CCMS-ALL-829-ERR | Account activity from a country rare for the user
Cloud Content Management System | CCMS-ALL-830-LS | Landspeed anomaly detected for account
Cloud Content Management System | CCMS-ALL-831-RU | Activity from suspicious IP
Cloud Content Management System | CCMS-ALL-832-RU | User Changing Document Visibility to Anyone with a link-240
Cloud Content Management System | CCMS-ALL-808-ER | User performing unusual activity compared to peers
Cloud Content Management System | CCMS-ALL-803-BP | Abnormal number of document permission changes observed
Cloud Content Management System | CCMS-ALL-800-DB | File manipulation followed by egress
Cloud Content Management System | CCMS-ALL-806-BP | Abnormal number of files shared with Non Business account
Cloud Email / Email Security | CEML-ALL-820-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - Cloud Email
Cloud Email / Email Security | CEML-ALL-830-BP | Abnormal Number of Emails to Personal Email - Cloud Email
Cloud Email / Email Security | CEML-ALL-808-BP | Abnormal Number of Email Forwards - Cloud Email
Content Management System | CMS-ALL-846-BP | Abnormal number of files shared with Non Business account - CMS
Content Management System | CMS-ALL-847-BP | Abnormal number of files downloaded by an account - CMS
Content Management System | CMS-ALL-846-BP | Abnormal number of files shared with Non Business account - CMS
Cloud Services / Applications | CSA-ALL-848-BP | Abnormal number of distinct Pods accessed - Kubernetes
Cloud Services / Applications | CSA-AWS-743-ER | Temporary Credentials Generated by an User
Cloud Services / Applications | CSA-AWS-741-ER | Account Created New LoginProfile
Data Loss Prevention / Endpoint DLP | EDLP-ALL-827-BA | Abnormal amount of data egressed to competitor domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-821-BA | Abnormal amount of data egressed to non-business domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-828-BP | Abnormal number of emails sent to competitor domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-802-BP | Abnormal number of emails to non business domains compared to peer behavior - Endpoint DLP
Data Loss Prevention / Endpoint DLP | EDLP-ALL-804-BP | Abnormal number of files printed compared to peer
Database Audit | DBS-ALL-820-BP | Abnormal number of tables dropped or truncated
Database Audit | DBS-ALL-815-BP | Abnormal number of alter or update statements executed on a database
DNS / DHCP | DNS-ALL-805-TA | Randomly generated domain detected on dns response
Email / Email Security | EML-ALL-816-RU | Flight Risk Behavior Exhibited In Emails
Email / Email Security | EML-ALL-805-BP | Abnormal Number of Email Forwards
Email / Email Security | EML-ALL-808-BP | Abnormal Number of Emails to Personal Email
Endpoint Management Systems | EDR-ALL-880-ERR | Rare child process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-79-ER | Suspicious use of cradle - rare child process spawned from script interpreter
Endpoint Management Systems | EDR-ALL-57-ER | Rare process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-89-RU | Potential UAC bypass CSC executing payload from temp directory on host
Endpoint Management Systems | EDR-ALL-69-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic
Endpoint Management Systems | EDR-ALL-11-RU | Possible Wdigest downgrade via registry modification
Endpoint Management Systems | EDR-ALL-28-RU | Potential Phishing URL received over an email
Endpoint Management Systems | EDR-ALL-32-RU | Suspicious Process Activity - Sysmon Termination
Endpoint Management Systems | EDR-ALL-31-RU | Potential Phishing attack - Suspicious process spawned from MS office applications via infected attachment
Endpoint Management Systems | EDR-ALL-43-RU | Potential DLL injection using LoadLibrary API call
Endpoint Management Systems | EDR-ALL-40-RU | Suspicious Process Activity - Targeted - Known Credential Dumping Tools Use Analytic
Endpoint Management Systems | EDR-ALL-846-ER | Rare file hash detected on the network - endpoint monitoring
Endpoint Management Systems | EDR-ALL-25-RU | Suspicious Covertness Command Line Arguments
Endpoint Management Systems | EDR-ALL-48-ER | Unusual process adding a file in Startup Menu
Endpoint Management Systems | EDR-ALL-66-RU | Suspicious executable File creation - WebDAV File
Endpoint Management Systems | EDR-ALL-27-RU | Suspicious use of UNC Path for credential stealing
Endpoint Management Systems | EDR-ALL-815-RU | Use of credential dumpers - endpoint monitoring
Endpoint Management Systems | EDR-ALL-29-RU | Suspicious Document Received over an email
Endpoint Management Systems | EDR-ALL-19-RU | Potential Mimikatz CommandLine Usage
Endpoint Management Systems | EDR-ALL-46-RU | Possible Usage Of Keyloggers Abusing Nirsoft Tool Commands
Endpoint Management Systems | EDR-ALL-57-ER | Rare process spawned by WMI Provider Host process
Endpoint Management Systems | EDR-ALL-116-RU | Possible SUNBURST Implant Activity Analytic
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-96-ER | Potential InstallUtil-based Attack Payload Staging Analytic
Endpoint Management Systems | EDR-ALL-97-ER | Possible Stealthy Malicious Payload Assembly Unusual MSBuild Use Analytic
Endpoint Management Systems | EDR-ALL-98-RU | Peak Ransomware Backup Process Termination Analytic
Endpoint Management Systems | EDR-ALL-92-RU | Potential UACBypass CMSTP Inf Vector Analytic
Endpoint Management Systems | EDR-ALL-91-ER | Potential CLR injection - Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-93-RU | Suspicious Process Execution - Targeted - Possible Initial Infiltration Via Fake Chrome Update Analytic
Endpoint Management Systems | EDR-ALL-94-RU | Potential attempt to modify Firewall Rules
Endpoint Management Systems | EDR-ALL-82-RU | Potential use of Powershell stager to establish C2 communication
Endpoint Management Systems | EDR-ALL-73-ER | Suspicious Process Activity - Rare Executable File Or Script Creation Analytic
Endpoint Management Systems | EDR-ALL-69-BP | Spike in number of Discovery Tactic Command Activity For Host Analytic
Endpoint Management Systems | EDR-ALL-33-RU | Potential Golden and Silver Ticket Forging Attack Commands
Endpoint Management Systems | EDR-ALL-30-ER | Possible Phishing document - Rare process spawned from Office Applications
Endpoint Management Systems | EDR-ALL-24-ER | Escalation of privilege via modification of AppInit DLL registry detected on host
Endpoint Management Systems | EDR-ALL-139-RU | Suspicious Registry modification - Internal monologue attack via NTLM version downgrade
Endpoint Management Systems | EDR-ALL-164-RU | Possible Qakbot-Egregor Initial Access Broker Ransomware Deployment Analytic
Endpoint Management Systems | EDR-ALL-165-RU | Possible Qakbot-Egregor Esentutl Usage Analytic
Endpoint Management Systems | EDR-ALL-166-RU | Possible Qakbot-Egregor Rundll Load Analytic
Endpoint Management Systems | EDR-ALL-40-BP | Possible token enumeration - Peak process token access analytic
Endpoint Management Systems | EDR-ALL-101-BP | Possible Meterpreter Process Enumeration Analytic
Endpoint Management Systems | EDR-ALL-42-ERR | InternetExplorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-64-ERR | Rare Unsigned DLL Load For Process Potential DLL Hijacking Side-Loading Analytic
Endpoint Management Systems | EDR-ALL-65-ERR | Rare Signed DLL Load For Process Potential DLL Hijacking Side Loading Analytic
Endpoint Management Systems | EDR-ALL-91-ERR | Potential CLR injection Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-105-ERR | Possible Process Hollowing Herpaderping Rare Image Tampering Analytic
Endpoint Management Systems | EDR-ALL-114-RU | Possible TEARDROP Malicious Payload Variant Analytic
Endpoint Management Systems | EDR-ALL-115-RU | Rule Internet Explorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-61-RU | Malicious Named Pipes Analytic
Endpoint Management Systems | EDR-ALL-114-ERR | Possible ADFSDump Malicious Certificate Extraction Named Pipe Analytic
Endpoint Management Systems | EDR-ALL-117-ERR | Possible RAINDROP Variant Artifact Analytic
Endpoint Management Systems | EDR-ALL-118-ERR | Possible Cobalt Strike Beacon NamedPipe Use Artifact Analytic
Endpoint Management Systems | EDR-ALL-119-ERR | Watching the Watchers - Possible Trojaned Vendor Executable Named Pipe Discrepancy Analytic
Endpoint Management Systems | EDR-ALL-884-ERR | Possible Webshell created In Unusual file location
Endpoint Management Systems | EDR-ALL-881-RU | Suspicious creation and execution of Batch file followed by immediate deletion
Endpoint Management Systems | EDR-ALL-885-RU | Possible execution of China Chopper Web Shell via Command line
Endpoint Management Systems | EDR-ALL-886-RU | MS Exchange unified messaging service spawning potentially suspicious child process
Endpoint Management Systems | EDR-ALL-887-RU | Process dump using COM Plus Service DLL via CommandLine
Endpoint Management Systems | EDR-ALL-888-BP | Abnormal frequency of application errors in IIS worker process
Endpoint Management Systems | EDR-ALL-71-BP | Possible Ransomware infection involving use of staging commands on abnormally large number of hosts
Endpoint Management Systems | EDR-ALL-154-BP | Abnormal number of Self Worker Process Execution
Endpoint Management Systems | EDR-ALL-62-ER | Potential attempt to bypass UAC using Eventvwr
Endpoint Management Systems | EDR-ALL-154-BP | Abnormal number of Self Worker Process Execution
Endpoint Management Systems | EDR-ALL-47-RU | MS EquationEditor process spawning child process
Endpoint Management Systems | EDR-ALL-54-ER | Rare Self Worker Process Execution
Endpoint Management Systems | EDR-ALL-20-RU | File Creation via PWDUMP or Mimikatz
Endpoint Management Systems | EDR-ALL-815-RU | Use of credentialdumpers - endpoint monitoring
Endpoint Management Systems | EDR-ALL-19-RU | Potential Mimikatz CommandLine Usage
Endpoint Management Systems | EDR-ALL-2-ER | Potential Mimikatz Use or Hash Passing
Endpoint Management Systems | EDR-ALL-26-RU | Potential use of Rubeus attack tool detected via command line
Endpoint Management Systems | EDR-ALL-99-ER | Possible Malicious Implant In-Memory Compilation Analytic
Endpoint Management Systems | EDR-ALL-42-ERR | InternetExplorer Application DLL Loading Injection Analytic
Endpoint Management Systems | EDR-ALL-64-ERR | Rare Unsigned DLL Load For Process Potential DLL Hijacking Side-Loading Analytic
Endpoint Management Systems | EDR-ALL-65-ERR | Rare Signed DLL Load For Process Potential DLL Hijacking Side Loading Analytic
Endpoint Management Systems | EDR-ALL-91-ERR | Potential CLR injection Rare combination of Image and loaded DLL detected for Account
Endpoint Management Systems | EDR-ALL-46-RU | Possible Usage Of Keyloggers Abusing Nirsoft Tool Commands
Firewall | IFW-ALL-700-BA | Abnormal amount of data transmitted from DNS ports - Firewall
Firewall | IFW-ALL-718-BA | Abnormal amount of data aggregated from SMB ports - Firewall
Firewall | IFW-ALL-701-BA | Abnormal amount of data transmitted from known file transfer ports - Firewall
Firewall | IFW-ALL-720-BA | Abnormal amount of data aggregated from FTP ports - Firewall
Firewall | IFW-ALL-702-BA | Abnormal amount of data transmitted over covert channels - Firewall
Firewall | IFW-ALL-732-BA | Abnormal amount of data transmitted over SMTP ports - Firewall
Firewall | IFW-ALL-718-BA | Abnormal amount of data aggregated from SMB ports - Firewall
Firewall | IFW-ALL-700-BA | Abnormal amount of data transmitted from DNS ports - Firewall
Firewall | IFW-ALL-717-BP | Possible host enumeration over system ports - Firewall
Firewall | IFW-ALL-721-TA | Traffic to rare server on DHCP ports - Firewall
Firewall | IFW-ALL-708-BP | Abnormal number of connections on SMB or NETBIOS ports - Firewall
Flow | FLW-ALL-833-BA | Abnormal amount of data transmitted from DNS ports - Flow
Flow | FLW-ALL-853-BA | Abnormal amount of data transmitted over covert channels - Flow
Flow | FLW-ALL-852-BA | Abnormal amount of data transmitted from known file transfer ports - Flow
Flow | FLW-ALL-734-BA | Abnormal amount of data transmitted over SMTP ports - Flow
Microsoft Windows | WEL-ALL-967-ER | Explicit login to high privileged account
Microsoft Windows | WEL-ALL-860-BP | possible password spraying from an ipaddress
Microsoft Windows | WEL-ALL-717-DB | Large frequency of usage for Ping utility
Microsoft Windows | WEL-ALL-972-BP | Suspicious Process Activity - Peak Netsh Execution For User Analytic
Microsoft Windows | WOS-290-BP | Abnormal number of kerberos pre authentication failures
Microsoft Windows | WOS-214-BP | Abnormal number of network share object access
Microsoft Windows | WEL-ALL-906-BP | Suspicious Account Activity - Peak Credential Validation Failure Increase For Host Analytic
Microsoft Windows | WOS-295-BP | High number of accounts used from the same ipaddress for successful authentications or run as events
Microsoft Windows | WOS-293-BP | Abnormal number of hosts accessed - Logon Success
Microsoft Windows | WOS-240-BP | Spike in administrative shares accessed
Microsoft Windows | WOS-202-BP | Abnormal number of logon failures
Microsoft Windows | WEL-ALL-710-ER | Rare scripting executables spawned from known processes
Microsoft Windows | ALT-003-RU | Use of default credentials
Microsoft Windows | WOS-288-BP | Spike in Number of privileges enumerated
Microsoft Windows | WEL-ALL-948-DB | Possible Password Spraying Attack detected - SIEM
Microsoft Windows | WEL-ALL-711-ER | Rare execution of Regsvr32 process
Microsoft Windows | WOS-225-RU | Possible Privilege Escalation - Self Escalation
Microsoft Windows | WEL-ALL-714-RU | Potential use of MSHTA executable to download malicious payload
Microsoft Windows | WOS-318-RU | Use of credential dumpers
Microsoft Windows | WOS-291 | Abnormal number of host access attempts - Logon Failure
Microsoft Windows | WOS-215-RU | Password hash access
Microsoft Windows | WEL-ALL-710-ER | Rare scripting executables spawned from known processes
Microsoft Windows | WOS-292 | Abnormal number of account enumeration attempts on a host
Microsoft Windows | WOS-220 | Abnormal number of accounts created
Microsoft Windows | WOS-278-BP | Abnormal number of account lockout events
Microsoft Windows | WEL-ALL-970-BP | Abnormal number of distinct kerberos tickets requested - Enumeration
Microsoft Windows | WEL-ALL-959-ER | Rare admin share access for a user compared to peer behavior
Microsoft Windows | WEL-ALL-860-BP | Password spraying attempts from an IP - Microsoft Windows
Microsoft Windows | WOS-225-RU | Possible Privilege Escalation - Self Escalation
Microsoft Windows | WEL-ALL-714-RU | Potential use of MSHTA executable to download malicious payload
Microsoft Windows Powershell | PSH-ALL-106-RU | Use of Powershell encodedcommand parameter on host
Microsoft Windows Powershell | PSH-ALL-108-RU | Use of Powershell Invoke-Expression cmdlet on host
Microsoft Windows Powershell | PSH-ALL-109-RU | Powershell Execution Policy modified on host
Microsoft Windows Powershell | PSH-ALL-26-RU | Suspicious Process Activity - Targeted - Potential Powershell Phanthom Event Log Thread Termination Covertness Analytic - A2B
Microsoft Windows Powershell | PSH-ALL-20-RU | Suspicious Process Activity - Rule - Potential Attack Tool PWDUMP or Mimikatz Usage File Creation Analytic - A2B
Microsoft Windows Powershell | PSH-ALL-1-RU | Suspicious Powershell Activity Function - Targeted - Possible Bloodhound Attack Analytic
Network Traffic Analytics | NTA-ALL-804-BA | Abnormal amount of data aggregated from FTP ports - NTA
Network Traffic Analytics | NTA-ALL-865-BA | Abnormal amount of data transmitted from known file transfer ports - NTA
Network Traffic Analytics | NTA-ALL-880-BA | Abnormal amount of data aggregated from SMB ports - NTA
Network Traffic Analytics | NTA-ALL-881-BA | Abnormal amount of data transmitted from DNS ports - NTA
Network Traffic Analytics | NTA-ALL-882-BA | Abnormal amount of data transmitted from SMTP ports - NTA
Network Traffic Analytics | NTA-ALL-883-BA | Abnormal amount of data transmitted over covert channels - NTA
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | IFW-ALL-904-RU | RDP Access allowed from the internet - SIEM
Next Generation Firewall | IFW-ALL-919-BP | Remote Database Scanner - SIEM
Next Generation Firewall | IFW-ALL-905-TP | Inbound Traffic from C2 Domains and IP addresses - SIEM
Next Generation Firewall | IFW-ALL-901-TP | Outbound Traffic to C2 Domains and IP addresses - SIEM
Next Generation Firewall | NGF-763 | Possible port scan from internal IP Address - Next Gen Firewall
Next Generation Firewall | NGF-768 | Possible host enumeration over system ports - Internal - Next Gen Firewall
Next Generation Firewall | NGF-177 | Traffic to rare server on DHCP ports - Next Gen Firewall
Next Generation Firewall | NGF-011 | Abnormal amount of data aggregated from SMB ports - Next Gen Firewall
Next Generation Firewall | NGF-071 | Abnormal amount of data aggregated from FTP ports - Next Gen Firewall
Next Generation Firewall | NGF-352 | Abnormal amount of data transmitted from known file transfer ports - Next Gen Firewall
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | IFW-ALL-1110-BA | Abnormal amount of data transmitted from SMTP ports - NGFW
Next Generation Firewall | NGF-353 | Abnormal amount of data transmitted over covert channels - Next Gen Firewall
Next Generation Firewall | NGF-ALL-801-BA | Abnormal amount of data uploads to storage sites - Next Gen Firewall
Next Generation Firewall | IFW-ALL-876-DB | Upload Attempt to Multiple Distinct Storage Sites - Next Gen Firewall
Next Generation Firewall | NGF-710 | Abnormal number of DNS zone transfers - Next Gen Firewall
Next Generation Firewall | NGF-177 | Traffic to rare server on DHCP ports - Next Gen Firewall
Next Generation Firewall | NGF-766 | Abnormal number of connections on SMB or NETBIOS ports - Next Gen Firewall
Next Generation Firewall | NGF-733 | Abnormal amount of data transmitted from DNS ports - Next Gen Firewall
Next Generation Firewall | IFW-ALL-928-DB | Multiple Exploit Types Against Single Destination - SIEM
Next Generation Firewall | PXY-ALL-864-TA | Traffic to randomly generated domains - TPI - NGFW
Print | PRN-ALL-837-RU | Unauthorized printer usage
Print | PRN-ALL-838-BP | Abnormal number of files printed compared to peer
Unix / Linux / AIX | UNX-ALL-801-DB | Brute Force Followed by a Successful Login from internal - SIEM
Unix / Linux / AIX | UNX-ALL-814-DB | Account was created and acted suspiciously - SIEM
Vulnerability Scanners | SCN-ALL-803-RU | Unpatched Vulnerability
Vulnerability Scanners | SCN-ALL-802-RU | Target Attack on vulnerable asset
Web Proxy | PXY-ALL-864-TA | Traffic to randomly generated domains
Web Proxy | PXY-ALL-868-BA | Abnormal amount of data uploads to external sites
Web Proxy | PXY-ALL-816-BA | Abnormal amount of data uploads to storage sites
Web Proxy | PXY-ALL-911-RU | Detection of Blocked Web Requests
Web Proxy | PXY-ALL-889-ER | Suspicious Proxy Activity - Double Extension Download From Rare host
Web Proxy | PXY-ALL-869-RU | Detection of possible proxy circumvention
Web Proxy | PXY-ALL-882-ER-SIEM | Rare teleconferencing application accessed by an account
Web Proxy | PXY-ALL-830-RU | Beaconing Traffic to proxy anonymizing websites
Web Proxy | PXY-ALL-1-ER | Watching the watchers possible trojanized vendor executable establishing suspicious HTTP C2 communication
Web Server | WEB-ALL-808-RU | Possible Directory Traversal Attempt Detected
Deprecated Policies
The following table lists the policies that are deprecated as part of this release:
Functionality | Policy Name | Reason
Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - EDR | Removed the policy as it flagged low-level events.
Antivirus / Malware / EDR | Repeat Attack-Network Intrusion Prevention System | Removed the policy as it flagged low-level events.
Antivirus / Malware / EDR | Repeat Attack-Host Intrusion Prevention System | Removed the policy as it flagged low-level events.
Authentication / SSO / Single Sign-On | Successful Login From Suspicious IP Address | Replaced with the CRP policy.
Authentication / SSO / Single Sign-On | Robotic Pattern Observed from an IP - Failed Login | Replaced with the CRP policy.
AWS - Cloud Services / Applications | Cloud storage resource accessed from a rare IP address | Removed the policy as it flagged low-level events.
AWS - Cloud Services / Applications | Suspicious cloud activity detected from a blacklisted IP address on cloud resources - TPI | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | IAM User Creation from a Rare Geolocation | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | AWS account root user activity detected | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account Discovery Account lists all the AWS users in the region | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Recon activity detected from a rare geolocation | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Suspicious Data Access to S3 Buckets from Blacklisted IP address - TPI | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Abnormal volume of data transferred from cloud storage resource | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Disabling Cloudtrail Logging | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account Enumerating on Cloud Storage Resources | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Recon Activity Detected on EC2 instances | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Landspeed Anomaly Detected-Cloud Services | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Detecting Implant Container Image | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare privileged transaction performed by an account over Cloud Infrastructure | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Privilege escalation through IAM instance profile | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Misuse-Account Deleting LoginProfile of Another User | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare Account Modifying Snapshot Attribute | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Abnormal number of denied transactions on cloud resources | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Defense Evasion-Audit Log Tampering | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Snapshot Created From a Rare Geolocation | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Abnormal Number of Cloud Storage Resources Deleted | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Detecting AWS activity from a User originating from Tor exit node- AWS | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account modifying ACL of a cloud storage resource | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Escalation - Account authorizing high number of changes to security groups | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Lateral Movement - Detecting IAM role Enumeration | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Detection Evasion Attempt- AWS Cloud Trail | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Crypto Mining Attack-Multiple GPU Instances Spin Up | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Account Manipulating Customer Managed IAM Policy | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare Storage Service Deletion by an Account | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Escalation-Rare Account Updating Identity Policy | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare Account Creating New Identity Policy | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Reconnaissance Attempt - Detect the usage of AWS Cloudtrail CreateTrail command | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | High Number of Objects Deleted-SIEM | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Temporary Credentials Generated by a User | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Suspicious Cloud Activity-Account Created New LoginProfile | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Credential Harvesting Activity on EC2 Windows infrastructure | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Crypto Mining Attack - Single GPU Instance Spin Up | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Privilege Misuse-Account Updating LoginProfile of Another Account | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Suspicious Cloud Activity-Rare Account Creating Accesskey | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Defense Evasion-Rare Account Disabling Monitoring for an Instance | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Rare User Agent Detected for Assumed Role Events | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Possible Defense Evasion - Misusing Accesskey of an IAM User | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | AWS Console Sign In Without MFA | Threat scenario covered as a part of another policy.
AWS - Cloud Services / Applications | Data transfer detected on cloud storage from blacklisted IP address | Threat scenario covered as a part of another policy.
Cloud Antivirus / Malware / EDR | Low Severity Endpoint Alert Detected - Cloud EDR | Removed the policy as it flagged low-level events.
Cloud Antivirus / Malware / EDR | Medium Severity Endpoint Alert Detected - Cloud EDR | Removed the policy as it flagged low-level events.
Cloud Application Audit | Abnormal Number of Distinct Emails Archived - Exchange | Removed the policy as it flagged low-level events.
Cloud Content Management System | Landspeed anomaly detected for account | Removed the policy as it flagged low-level events.
Cloud Content Management System | Abnormal number of files downloaded by an account | Duplicate; threat scenario covered as a part of another policy.
Cloud Content Management System | Account Activity detected from Rare Geolocation | Threat scenario covered as a part of another policy.
Cloud Content Management System | Account accessing file share never accessed before | Threat scenario covered as a part of another policy.
Cloud Print | Unauthorized printer usage - Cloud Print | Threat scenario covered as a part of another policy.
Cloud Print | Abnormal number of pages printed compared to peer - Cloud Print | Threat scenario covered as a part of another policy.
Cloud Services / Applications | Rare Cloud Storage Resource Deletion by an Account | Threat scenario covered as a part of another policy.
Content Management System | Abnormal number of files downloaded by an account -CMS | Threat scenario covered as a part of another policy.
Data Loss Prevention / Endpoint DLP | Abnormal number of pages printed compared to peer - Endpoint DLP | Threat scenario covered as a part of another policy.
Data Loss Prevention / Endpoint DLP | Abnormal number of pages printed compared to peer | Threat scenario covered as a part of another policy.
Data Loss Prevention / Endpoint DLP | Abnormal number of files printed compared to peer | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Suspicious Process Activity - Targeted - Potential ETW Disable Attempt Analytic | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Potential WMI Lateral Movement Rare WmiPrvSe Subprocess | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare USB device activity | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare ports used by a process for high severity endpoint alerts | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rarity on system hardening monitor | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Suspicious Process Activity - Targeted - Executable File Creation Analytic | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of file shares created | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare Executive Host Accessed | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare CD or DVD burning activity | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of file shares deleted | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of share folder creation on system | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of failed logons | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Abnormal number of low severity alerts | Threat scenario covered as a part of another policy.
Endpoint Management Systems | Rare login geo location | Threat scenario covered as a part of another policy.
Microsoft Windows | High number of failed login attempts from an IP - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | High number of accounts using the same ipaddress for authentication failures or lockout events | Removed the policy as it flagged low-level events.
Microsoft Windows | Usage of potential scriptable executable to run or access malicious payload | Removed the policy as it flagged low-level events.
Microsoft Windows | Suspicious Account Activity for Potential pass-the-hash using Host Length Analytic | Threat scenario covered as a part of another policy.
Microsoft Windows | Scheduled Task Creation activity | Threat scenario covered as a part of another policy.
Microsoft Windows | Detection of Possible remote interactive logon enumeration | Threat scenario covered as a part of another policy.
Microsoft Windows | High number of failed login attempts from an account- SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Repeat Failure Authentication - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | High number of service tickets requested - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Detection of Brute Force Attack To The Same Host - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Use of explicit credentials for a possible Account sharing or Password misuse | Removed the policy as it flagged low-level events.
Microsoft Windows | High number of host accessed - SIEM | Removed the policy as it flagged low-level events.
Microsoft Windows | Rare privileged level for a windows authentication | Removed the policy as it flagged low-level events.
Microsoft Windows Powershell | Use of Powershell encode command by an account | Threat scenario covered as a part of another policy.
Microsoft Windows Powershell | Powershell execution policy changed by Account | Threat scenario covered as a part of another policy.
Microsoft Windows Powershell | Use of Powershell Invoke Expression Command by Account | Threat scenario covered as a part of another policy.
Network Traffic Analytics | Rare dns host resolved - NTA | Removed the policy as it flagged low-level events.
Next Generation Firewall | Possible port scan from internal IP Address - Next Gen Firewall | Threat scenario covered as a part of another policy.
Next Generation Firewall | Internal system running port scan - horizontal siem | Legacy SIEM content. Removed the policy as it flagged low-level events.
Next Generation Firewall | Non Mail server trying to send mails outside - SIEM | Legacy SIEM content. Removed the policy as it flagged low-level events.
Next Generation Firewall | Inbound Traffic from C2 Domains and IP addresses - SIEM | Removed the policy as it flagged low-level events.
Next Generation Firewall | Outbound Traffic to C2 Domains and IP addresses - SIEM | Removed the policy as it flagged low-level events.
Next Generation Firewall | Abnormal amount of data uploads to storage sites over firewall | Removed the policy as it flagged low-level events.
Print | Abnormal number of pages printed compared to peer | Threat scenario covered as a part of another policy.
Single Sign-On / SSO / Authentication | Ascending Monotonic Pattern Detected | Threat scenario covered as a part of another policy.