New features
Automated Threat Response (ATR) for Meraki
CrowdStrike Automated Threat Response is now live
For CrowdStrike users, Barracuda Managed XDR can now automatically isolate an endpoint from the network when a threat is detected.
ATR support covers the following rules; a device is isolated when one of them raises a high-confidence event:
CrowdStrike Attempted to Quarantine a Malicious File
CrowdStrike Detection Summary Event
Users can also manually isolate or un-isolate an endpoint by Host Name or Host ID.
This broadens the scope of XDR’s Endpoint ATR offerings beyond:
ATR for Managed Endpoint with SentinelOne
Monitored Endpoint with MS Defender for Endpoint
For more information, see Setting up ATR for Cisco Meraki Firewall.
Managed Endpoint Security self-service exclusions for SentinelOne
Partners can now manually enter file-path-based exclusions in the XDR Dashboard and apply them per site or per group.

Integration detection rules available in the XDR Dashboard
We've added the new Detection List page, which displays all current XDR detection rules for XDR integrations. For each rule, this page displays the:
Rule name
Description
MITRE ATT&CK classification
Category
Data source
Detection observables
To view the detection list, in the Barracuda Managed XDR Dashboard Navigation menu, click Administration > Detection List.
Wildcard Search
When searching throughout the XDR Dashboard, you can now use wildcard characters.
| Use | To find |
|---|---|
| ? | A single character |
| * | Multiple characters |
Resolved issues
| Resolved issues |
|---|
| Resolved an issue where Zendesk tickets were duplicated on the Dashboard. |
| Resolved an issue where users were not able to initiate a Full Disk Scan from the Dashboard. |
| Resolved an issue where certain users couldn't use the CrowdStrike test. |
| Resolved an issue where the graph sizes in custom reports weren't consistent. |
New rules
Sonicwall
Sonicwall Outgoing Traffic To Potentially Malicious IP Address
Sonicwall Successful Login From Suspicious IP
Cloudgen
Cloudgen Management Access from Suspicious IP Address
Cloudgen IPS Large Scanning Activity Detected
Rule tuning and rule bug fixes
Office 365 Anomalous Login & Impossible Travel Release Notes
Recently, we released an upgraded version of our machine learning model, designed to improve the detection of Anomalous Login and Impossible Travel activity in Office 365. Guided by customer feedback, we have made substantial enhancements to the detection logic.
Our model now better recognizes geo-location and device consistency for user logins, eliminating unnecessary alerts for users whose IP addresses change frequently.
We now better distinguish low, medium, and high alerts to assist in prioritizing alert review.
Reduced overall alert volume and refactored customer alert content.
Updated the ATR workflow to run the block action before the unblock action when the Test button is clicked in the Dashboard, since the test can emit block and unblock events simultaneously. This is achieved by generating a SHA-256 hash from simple_name, module, instance, ip_to_block/ip_to_unblock, and domain_to_block/domain_to_unblock, and grouping events that share this hash within a 10-second window.
The alert for the Palo Alto Grayware Traffic Allowed detection rule now includes the potentially malicious URL in the alert body. The domain is extracted from the URL, enriched, and the alert is generated only if either the domain enrichment or IP enrichment indicates malicious activity.
Duo - Correlated the login on the device_access EP Key against historical logs to determine if the current login is using a known device.
Windows Suspicious Scheduled Task Creation - Implemented 10-minute deduplication on the scheduled task name to decrease mass ticket spam when a task is created on many hosts at once.
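As an added illustration (not Barracuda's code; event layout, timestamps and the hypothetical field separator are assumed), the 10-second hash grouping that orders block before unblock in the ATR workflow and the 10-minute scheduled-task-name deduplication above can share one windowed-grouping helper:

```python
import hashlib
from datetime import datetime, timedelta
# Constructed sample events; field names follow the release note, everything else is assumed.
ATR_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "action": "unblock", "simple_name": "atr_test",
     "module": "firewall", "instance": "fw-01", "ip_to_unblock": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:01", "action": "block", "simple_name": "atr_test",
     "module": "firewall", "instance": "fw-01", "ip_to_block": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:30", "action": "block", "simple_name": "atr_test",
     "module": "firewall", "instance": "fw-01", "ip_to_block": "198.51.100.9"},
]
TASK_EVENTS = [  # constructed Windows scheduled-task creation events
    {"ts": "2024-05-01T10:00:00", "host": "A", "task_name": "Updater"},
    {"ts": "2024-05-01T10:01:00", "host": "A", "task_name": "Other"},
    {"ts": "2024-05-01T10:03:00", "host": "B", "task_name": "Updater"},
    {"ts": "2024-05-01T10:12:00", "host": "C", "task_name": "Updater"},
]

def atr_group_hash(ev):
    """SHA-256 over simple_name, module, instance, ip and domain; the block and
    unblock spellings of a field collapse to one key so the pair shares a group."""
    parts = [ev.get("simple_name", ""), ev.get("module", ""), ev.get("instance", ""),
             ev.get("ip_to_block") or ev.get("ip_to_unblock") or "",
             ev.get("domain_to_block") or ev.get("domain_to_unblock") or ""]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def group_within(events, key_fn, window):
    """Group events with equal key_fn(ev) within `window` of the group's first event."""
    groups, open_groups = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, key = datetime.fromisoformat(ev["ts"]), key_fn(ev)
        g = open_groups.get(key)
        if g is None or ts - g["start"] > window:  # window expired: start a new group
            g = {"start": ts, "events": []}
            open_groups[key] = g
            groups.append(g)
        g["events"].append(ev)
    return groups

def order_atr_actions(events):
    """Per 10-second hash group, emit block before unblock as (action, ip) pairs."""
    ordered = []
    for g in group_within(events, atr_group_hash, timedelta(seconds=10)):
        g["events"].sort(key=lambda e: 0 if e["action"] == "block" else 1)
        ordered += [(e["action"], e.get("ip_to_block") or e.get("ip_to_unblock")) for e in g["events"]]
    return ordered

def dedupe_tasks(events, window=timedelta(minutes=10)):
    """Keep the first creation event per task name in each 10-minute window."""
    return [g["events"][0] for g in group_within(events, lambda e: e["task_name"], window)]
```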