Lastline Defender and Analyst Hosted Release Notes

Version 6.4

New features

  • Improved display of traffic capture for network events
  • Additional information in SIEM syslog notifications
  • Additional information in email notifications
  • Persistent sensor and license selection
  • Improved sensor selection in dashboard
  • Similar events dropdown

Improved display of traffic capture for network events

Display of captured traffic has been improved. As an alternative to viewing the raw captured traffic, the portal can now display application-layer information extracted from the traffic for common protocols such as HTTP.

Additional information in SIEM syslog notifications

Our SIEM syslog notifications have been extended with additional information.

Custom intelligence information:

  • The custom rule message is sent in the CEF/LEEF "msg" field
  • The custom blacklist entry comment is sent in the CEF/LEEF "msg" field
  • The custom intel source is sent in the CEF/LEEF "reason" field
  • The custom rule identifier is sent in the CEF/LEEF "detectionId" field

Active Directory information:

  • Information on the user logged in at the time of the alert is included in the CEF "suser" field and in the LEEF "usrName" field, if this information is available from the Windows Active Directory integration

File information:

  • For alerts that refer to a file, a link to the analysis report for the file is included in the CEF/LEEF "FileDetailLink" field
  • For HTTP file downloads, the HTTP Host header value is included in the CEF/LEEF "dhost" field

Missing fields in LEEF format

  • Our LEEF notifications have been extended to include a few additional fields that were previously present only in the CEF format.
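The fields above land in the extension part of a CEF or LEEF syslog record, and the two formats differ in how that part is delimited (space-separated key=value pairs whose values may themselves contain spaces in CEF; tab-separated pairs in LEEF 1.0, with a configurable delimiter in LEEF 2.0) and in the key used for the Active Directory user ("suser" in CEF, "usrName" in LEEF). The following is an added example, not Lastline code: a small parser for both formats that normalizes the notification fields named in these notes onto one schema. The two sample records are constructed for illustration and are not actual Lastline output; the vendor, product, signature and URL values in them are placeholders.

```python
"""Parse CEF and LEEF syslog notifications and extract the custom-intel,
Active Directory and file fields described in the release notes.

Added example (not Lastline's code). The sample lines are constructed;
vendor/product names, rule ids, hosts and URLs are placeholders.
"""
import re

# Constructed sample notifications. Only the extension keys named in the
# release notes are used: msg, reason, detectionId, suser/usrName,
# FileDetailLink, dhost. Note the CEF value escapes the backslash in the
# domain user as '\\', which is what the unescaping below undoes.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleProduct|6.4|custom-rule|Custom rule match|7|"
    "detectionId=rule-42 reason=custom-intel msg=Beacon to known C2 host "
    "suser=CORP\\\\jdoe dhost=files.example.test "
    "FileDetailLink=https://portal.example.test/analysis/abc123"
)
SAMPLE_LEEF = (
    "LEEF:1.0|ExampleVendor|ExampleProduct|6.4|custom-rule|"
    "detectionId=rule-42\treason=custom-intel\tmsg=Beacon to known C2 host"
    "\tusrName=CORP\\jdoe\tdhost=files.example.test"
    "\tFileDetailLink=https://portal.example.test/analysis/abc123"
)


def _split_header(line, count):
    """Split the first `count` pipe-delimited header fields, honouring the
    backslash escapes ('\\|' and '\\\\') allowed in a CEF header.
    Returns (fields, remainder)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < count:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < count:
        raise ValueError("truncated header: %r" % line)
    return fields, line[i:]


# An unescaped "key=" token at the start of the extension or after whitespace.
_CEF_KEY = re.compile(r"(?:^|\s)([^\s=\\]+)=")


def _cef_unescape(value):
    # CEF extension values escape '=', '\' and line breaks with a backslash.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    header, ext = _split_header(line, 7)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    record = dict(zip(("cef_version", "vendor", "product", "version",
                       "signature_id", "name", "severity"), header))
    # Values may contain spaces, so each value runs up to the next "key=".
    keys = list(_CEF_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        record[m.group(1)] = _cef_unescape(ext[m.end():end])
    return record


def parse_leef(line):
    header, attrs = _split_header(line, 5)
    if not header[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    delim = "\t"  # LEEF 1.0 always separates attributes with a tab
    if header[0] == "LEEF:2.0":
        # LEEF 2.0 adds an optional delimiter field: empty means tab,
        # otherwise a literal character or a hex code such as x09 / 0x09.
        (spec,), attrs = _split_header(attrs, 1)
        spec = spec.lower()
        if spec.startswith("0x") or spec.startswith("x"):
            delim = chr(int(spec[2:] if spec.startswith("0x") else spec[1:], 16))
        elif spec:
            delim = spec
    record = dict(zip(("leef_version", "vendor", "product", "version",
                       "event_id"), header))
    for pair in attrs.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            record[key] = value
    return record


def parse_notification(line):
    """Dispatch on the format prefix of the syslog payload."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.startswith("LEEF:"):
        return parse_leef(line)
    raise ValueError("unknown notification format")


def notification_fields(record):
    """Map the format-specific keys onto one schema. The AD user is 'suser'
    in CEF but 'usrName' in LEEF; the remaining keys are shared."""
    return {
        "rule_id": record.get("detectionId"),
        "intel_source": record.get("reason"),
        "message": record.get("msg"),
        "user": record.get("suser", record.get("usrName")),
        "http_host": record.get("dhost"),
        "report_link": record.get("FileDetailLink"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF):
        print(notification_fields(parse_notification(sample)))
```

Both samples normalize to the same dictionary, which is the point when one SIEM pipeline has to ingest notifications from sensors configured for either format. The CEF key regex deliberately requires an unescaped "=", so a "\=" inside a custom rule message or blacklist comment stays part of the value rather than starting a bogus key.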

Additional information in email notifications

Our email notifications have been extended with additional information.

Like our SIEM notifications, they now include custom intelligence information, Active Directory information, and additional information on file alerts.

Persistent sensor and license selection

The portal now remembers what license or sensor was selected, and this selection persists across tabs and across sessions.

Improved sensor selection in dashboard

When selecting a sensor in the dashboard, it is now possible to select "all licenses" in the license dropdown and directly select any sensor from the sensor dropdown.

Similar events dropdown

The event details now include a "similar events" dropdown. This dropdown provides a shortcut for viewing other events from the same time frame as the selected one, based on one or more filter criteria, such as having the same source, destination, malware, or being detected by the same sensor.
