In June, we introduced two powerful new detection filter operators - Regex and Between - to give you greater precision when tuning detections, including the ability to filter full IP ranges. We also added parsing for 1Password logs, unlocking new reporting capabilities for audit, sign-in, and item usage events. On the detection front, we released two new Windows rules, including one that identifies potential installer interference, and updated two Microsoft 365 rules to improve accuracy and clarity. We also resolved several bugs, including issues with data mismatches in reports, incorrect endpoint usage calculations, and log duplication in Mimecast.
Detection Filters:
Regex Operator: The Regex operator is now available in detection filters. It accepts RE2 syntax and behaves the same as the Regex operator many users already use in Report Builder. Note that RE2 deliberately omits backreferences and lookaround, so patterns written for PCRE or JavaScript may need to be simplified.
Between Operator: The Between operator filters an entire IP range in a single condition, so you no longer need to string together multiple Contains matches for individual values within the range.
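The difference between the three operators is easiest to see on a handful of events. The following is an added example, not Blumira's filter engine: a stand-in implementation of Contains, Regex (restricted to the RE2-compatible subset) and Between, run over constructed events whose field names (`src_ip`, `user`) are assumptions. It shows why Contains is the wrong tool for IP ranges: the substring `10.0.0.1` also matches `10.0.0.10` and `110.0.0.1`.

```python
"""Stand-in detection-filter operators (added example, not product code)."""
import ipaddress
import re

# Constructed sample events; the field names are assumptions for this example.
EVENTS = [
    {"src_ip": "10.0.0.1", "user": "alice"},
    {"src_ip": "10.0.0.10", "user": "bob"},
    {"src_ip": "10.0.0.250", "user": "carol"},
    {"src_ip": "110.0.0.1", "user": "dave"},
    {"src_ip": "10.0.1.5", "user": "erin"},
    {"src_ip": "not-an-ip", "user": "svc_scanner"},
]


def contains_filter(events, field, needle):
    """Plain substring match: over-matches on IPs because '10.0.0.1' is a prefix of '10.0.0.10'."""
    return [e for e in events if needle in str(e.get(field, ""))]


def is_re2_compatible(pattern):
    """Reject constructs RE2 does not support (lookaround, numbered/named backreferences)."""
    if any(tok in pattern for tok in ("(?=", "(?!", "(?<=", "(?<!", r"\k<")):
        return False
    if re.search(r"(?<!\\)\\[1-9]", pattern):  # \1 .. \9 not escaped as \\1
        return False
    return True


def regex_filter(events, field, pattern):
    """Regex operator. Python's re is a superset of RE2, so guard against patterns RE2 would reject."""
    if not is_re2_compatible(pattern):
        raise ValueError("pattern uses syntax RE2 does not support: %r" % pattern)
    rx = re.compile(pattern)
    return [e for e in events if rx.search(str(e.get(field, "")))]


def between_filter(events, field, low, high):
    """Between operator for IPs: numeric comparison, inclusive at both ends.

    Non-IP values and mismatched address families are skipped rather than treated as matches.
    """
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    if lo.version != hi.version:
        raise ValueError("range bounds must be the same IP version")
    if lo > hi:
        lo, hi = hi, lo
    matched = []
    for e in events:
        try:
            ip = ipaddress.ip_address(e.get(field, ""))
        except ValueError:
            continue
        if ip.version == lo.version and lo <= ip <= hi:
            matched.append(e)
    return matched


def users(events):
    return [e["user"] for e in events]


if __name__ == "__main__":
    print("contains:", users(contains_filter(EVENTS, "src_ip", "10.0.0.1")))
    print("between: ", users(between_filter(EVENTS, "src_ip", "10.0.0.1", "10.0.0.255")))
    print("regex:   ", users(regex_filter(EVENTS, "src_ip", r"^10\.0\.0\.\d{1,3}$")))
```

Between and an anchored Regex agree on the range; Contains pulls in two hosts outside it. Keep Regex for patterns on non-IP fields (usernames, paths, user agents) and Between for address ranges, where a numeric comparison is both clearer and harder to get wrong.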
1Password Parsing: We added parsing for the 1Password integration, and the following data types are now available for reporting:
1Password Audit
1Password Item Usage
1Password Signin
Log Type | Details |
---|---|
Windows | NEW - Unexpected Taskkill on MSIEXEC by User. This detection monitors for a user unexpectedly running the taskkill command to terminate the Windows Installer process (MSIEXEC), which may indicate an attacker interrupting a legitimate installer. This tactic has been observed in attempts to interrupt SentinelOne installers during installs or upgrades. Default state: Enabled |
Windows | NEW - Remote Access Tool: UltraViewer. This detection rule triggers a finding whenever the remote access tool UltraViewer is observed running on a device. If your organization does not use UltraViewer as part of its approved remote management toolkit, the activity should be investigated as potentially malicious. Default state: Enabled |
Microsoft 365 | UPDATE - Enabling of Forwarding Setting to External Domain in M365. We updated this detection rule to account for log formatting changes that were causing missed true positives. |
Microsoft 365 | UPDATE - MS365 Sharepoint 100 or more file deletions in X minutes. We renamed this detection rule to "Microsoft 365: Sharepoint 100 or more file deletions in X minutes" for clarity, adjusted the logic to reduce false positives, and added the affected file names to the finding so responders have more detail. |
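To show what the two new Windows rules need from the logs, here is an added example that is not Blumira's rule logic: both detections run over constructed Windows Security 4688 (process creation) records. The field names (`user`, `pid`, `image`, `cmd`) are assumptions standing in for the 4688 fields, and the list of UltraViewer image names is an assumption too. It goes one step beyond the table by also catching `taskkill /PID <n>` when `<n>` belongs to an msiexec.exe process seen earlier in the stream, which a plain string match on "msiexec" would miss.

```python
"""Two Windows detections over constructed 4688 records (added example, not product code)."""
import ntpath  # ntpath, not os.path: sample paths are Windows paths and this may run on Linux
import re

# Constructed sample events. Real 4688 records carry the PID as hex; an int is used here for brevity.
SAMPLE_EVENTS = [
    {"event_id": 4688, "user": r"NT AUTHORITY\SYSTEM", "pid": 4412,
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": r"msiexec.exe /i C:\Temp\Agent.msi /qn"},
    {"event_id": 4688, "user": r"CORP\jdoe", "pid": 5120,
     "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM msiexec.exe"},
    {"event_id": 4688, "user": r"CORP\jdoe", "pid": 5130,
     "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /PID 4412 /F"},
    {"event_id": 4688, "user": r"CORP\jdoe", "pid": 5140,
     "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /IM notepad.exe"},
    {"event_id": 4688, "user": r"CORP\jdoe", "pid": 6000,
     "image": r"C:\Program Files\UltraViewer\UltraViewer_Desktop.exe", "cmd": '"UltraViewer_Desktop.exe"'},
    {"event_id": 4688, "user": r"CORP\asmith", "pid": 6100,
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

RULE_TASKKILL = "Unexpected Taskkill on MSIEXEC by User"
RULE_ULTRAVIEWER = "Remote Access Tool: UltraViewer"

# taskkill accepts /IM <image> (optionally quoted, .exe optional) or /PID <n>; both switches are case-insensitive.
TASKKILL_IM = re.compile(r'/im\s+"?msiexec(\.exe)?"?(\s|$)', re.IGNORECASE)
TASKKILL_PID = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)


def detect(events, approved_rats=frozenset()):
    """Return (rule, user, evidence) tuples for a chronologically ordered event stream.

    approved_rats: lower-case tool names an organization sanctions (e.g. {"ultraviewer"});
    findings for those tools are suppressed, mirroring the 'approved toolkit' caveat in the rule text.
    """
    findings = []
    msiexec_pids = set()  # PIDs of msiexec.exe launches seen so far (PID reuse is a known caveat)
    for e in events:
        if e.get("event_id") != 4688:
            continue
        image = ntpath.basename(e.get("image", "")).lower()
        cmd = e.get("cmd", "")

        if image == "msiexec.exe":
            msiexec_pids.add(e.get("pid"))
            continue

        if image == "taskkill.exe":
            hit = TASKKILL_IM.search(cmd) is not None
            if not hit:
                m = TASKKILL_PID.search(cmd)
                hit = m is not None and int(m.group(1)) in msiexec_pids
            if hit:
                findings.append((RULE_TASKKILL, e.get("user"), cmd))

        # Assumption: UltraViewer binaries carry "ultraviewer" in the image name.
        if "ultraviewer" in image and "ultraviewer" not in approved_rats:
            findings.append((RULE_ULTRAVIEWER, e.get("user"), e.get("image")))
    return findings


if __name__ == "__main__":
    for rule, user, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {user} -> {evidence}")
```

Two tuning notes follow from the code: the /PID branch only works if msiexec's own 4688 event is ingested, so command-line auditing must be enabled on the host, and the approved-tools set is where you record UltraViewer as sanctioned rather than disabling the rule outright.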
Future-Dated Timestamps - We resolved an issue where future-dated timestamps in some JumpCloud logs were causing integration failures.
Data Mismatch - We fixed a bug that was causing a discrepancy between the data shown on the "Top Threat Types" chart in the Security Dashboard and what appears on click-through to the full report in Report Builder.
Byte Management - We fixed an issue that was causing incorrect calculations in the "Blumira: Endpoints By Data Generated" and "Top Endpoints By Data Generated" reports after the volume measure moved from the compressed raw_zlib_bytes size to the uncompressed raw_log file size.
Mimecast Log Duplication - We fixed a log duplication issue that was occurring in the v2 Mimecast integration.
Truncated Findings - We fixed an issue with truncated findings showing [object Object] on the Summary Dashboard.
In case you missed the April updates, you can find and review those notes here.