New features
New endpoint agent installer for Windows ARM64 (.exe)
This release of XDR includes an installer for Endpoint agent for Windows ARM64. Use this installer for Windows devices that use the ARM64 architecture.
See Setting up Endpoint Protection for Devices.
Support for both Okta Preview and Okta simultaneously
You can now monitor both Okta and Okta Preview simultaneously.
To monitor both Okta and Okta Preview at the same time, integrate both options. See Integrating Okta and Integrating Okta Preview.
Improvements
Non-Rule Bug Fixes
Number | Description |
|---|---|
7369 | Resolved an issue where reports didn’t reflect color customizations selected by the user. |
7737 | Resolved an issue where the XDR Dashboard incorrectly displayed a failed/error state for Server Security when the user had Windows Server Security enabled and Linux Server Security disabled. |
8087 | Resolved an issue where the Data Sources link from the AI Summary failed. |
Rules
New rules
Windows Kerberos Brute Force Attempt This rule checks for 200 failed login attempts within a 15 minute period.
The following new detections use machine learning models implemented for the FortiGate Firewall:
FortiGate Isolated Traffic to Suspicious Destination
FortiGate Network Traffic to a Known C2 Destination
FortiGate Network Traffic Exhibiting Potential C2 Beaconing Behavior
The following are new STAR rules for Managed Endpoint Security. These rules have ATR incorporated. When triggered, these rules automatically kick off a response action to network isolate the effected endpoint.
Krueger EDR Evasion Detected
Akira Ransomware pre-encryption behaviors
Rule updates and bug fixes
Microsoft Office 365 User Added to Global Administrator Role
All events are now alerted on outside of deduplication, if the event does not pass the previously set conditions, it now sends as Medium severity, with a comment in the ticket body for the customer, instead of dropping the event.
Microsoft Office 365 Email Forwarding Rule Created Modified or Deleted
For readability, the Affected Mailbox ticket body value has been changed to object id name instead of the object id.
GLB.EB.EPP Cisco Umbrella Malware Detected And Not Blocked
Ticket Body and Additional Information has been reformatted to html structure that is easier to understand. The IP enrichment table has been added and Ticket recommendations have been added to the bottom of the ticket.
Microsoft Office 365 Suspicious New Inbox Rule Created Logic Updated
The rule logic has been expanded to strongly consider IP enrichments to identify if cloud hosting infrastructure or VPNs are being used abnormally.
This rule now takes into consideration the geo-location of the new inbox rule versus the user’s baseline.
High Number of Okta User Password Reset or Unlock Attempts
This rule has been tuned to avoid false positives and increase chance of more true positives.
Previously, the query triggered an alert when the
okta.actor.idandorganization.idfields had a count greater than 5 and other matching conditions were met.In the updated query, the alert evaluates the
okta.client.ipandorganization.idfields, requiring:A count of at least 10 for the
okta.client.ip+organization.idcombination.A unique count of 10 for
okta.target.alternate_id.
Note: The change to use
okta.client.ipwithorganization.idis based on the observation that threat actors often initiate multiple password reset requests from a single IP address targeting different user accounts.
Windows Potential Process Injection via PowerShell
A legitimate Defender Script that is often used in many organizations was generating lot of false positives, so the detection logic filter has been adjusted accordingly.
Windows Volume Shadow Copy Deletion via PowerShell
An issue with the query causing false positives due to insufficient escape characters has been fixed.
Rules Enhanced with SOAR
New Firewall Correlation Logic has been introduced
This rule now checks allowed and blocked traffic for different firewalls based on specific fields for each firewall (FortiGate, Palo Alto, CloudGen etc).