Secure Cloud Analytics Release Notes

AWS CloudWatch Logs Exfiltration Alert: This new alert indicates a single user initiated a bulk download of CloudTrail logs in a short time interval. This alert requires AWS CloudTrail Logs and is disabled by default.

AWS EC2 Private SSH Keys Upload Alert: This new alert indicates a private SSH key was uploaded to AWS EC2 instances, which could lead to its abuse in case of compromise. Additionally, the key is stored in raw CloudTrail logs, making it accessible to anyone with sufficient permissions. This alert requires AWS CloudTrail Logs and Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM), and is disabled by default.

DLL File Connected to a Raw IP Address Alert: This new alert indicates a Dynamically Linked Library (DLL) file was used to connect to a raw public IP address. While legitimate libraries exhibit this behavior in some cases, threat actors have been known to use DLLs to download malware from raw public IPs. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Long Lasting Network Connection from a System Binary Alert: This new alert indicates long-standing network flows towards public IP's have been detected and might indicate Command and Control (C2) or Exfiltration stage of an attack, if they are initiated by system binaries. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.