Secure Cloud Analytics Release Notes
February 2025
New Features and Updates

- Microsoft Azure Integration Update: The Add API Permissions to an Application section has been added to the Settings > Integrations > Azure > About page. Enabling this new permission for your Azure application will allow Secure Cloud Analytics to support Entra ID detections. The page has also been updated to reflect the Microsoft Entra ID branding. For more information, see the Microsoft Azure Integration Quick Start Guide.
- Silent Alerts: A new type of alert has been added to Secure Cloud Analytics. These alerts add more efficacy to existing alerts and incidents; however, they can be noisy, which is why they will not be visible unless correlated with another relevant alert. These alerts are not available on the Alerts page or in the Alert Priorities table, as their priority cannot be adjusted and they cannot be disabled. If an incident includes a silent alert, it will be included as an indicator for that incident along with the other correlated alerts.

- GCP Compute Engine Exfiltration Alert: This new alert indicates the Identity and Access Management (IAM) policies for a Compute Engine disk, image or snapshot have been changed by a user or service account that does not normally perform this action. Threat actors are known to perform this action in order to exfiltrate these resources to their own accounts. This alert requires Google Cloud Platform (GCP) Audit Logs and is disabled by default.
- Potential LOLBin Download Activity Alert: This new silent alert indicates threat actors may be misusing Living Off the Land Binaries (LOLBins) to download additional tooling. While there are legitimate reasons to perform downloads using LOLBins, this behavior might be indicative of Ingress Tool Transfer. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and will not be visible unless correlated with another alert.
- Potential Windows Management Instrumentation Lateral Movement Alert: This new silent alert indicates threat actors may be misusing Windows Management Instrumentation (WMI) for Lateral Movement. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and will not be visible unless correlated with another alert.
- Repeated Metric and Profile Outliers Alert: This new silent alert indicates that multiple substantial changes in a device's typical behavioral profile, such as the amount of traffic it exchanges with other hosts, have been observed and may be suspicious. This may be indicative of exploitation or post-exploitation behaviors. This alert requires NetFlow and will not be visible unless correlated with another alert.
- SharpShares Network Discovery Alert: This new alert indicates the SharpShares tool was used to enumerate accessible network shares within a Microsoft Active Directory domain. Adversaries may use this tool to gain detailed insight into which network shares are available and potentially accessible in a target environment. Once they have that information, they can use it to move laterally, escalate privileges, and exfiltrate sensitive data. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Suspicious Use of the ADWS Protocol Alert: This new alert indicates threat actors may be abusing Active Directory Web Services (ADWS) for enumerating Active Directory objects, extracting user and group information, and performing detailed queries on domain structure, computer accounts, trust relationships, and policies. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- WinRM Connection Alert: This new silent alert indicates a connection was seen being made over the Windows Remote Management (WinRM) port. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and will not be visible unless correlated with another alert.
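The following is an added illustration of the silent-alert behavior described above, not Secure Cloud Analytics code: a hypothetical correlation model in which silent alerts never appear on the Alerts page on their own, but are surfaced as incident indicators once a non-silent alert fires on the same device within a time window. The alert names come from this page; the device names, timestamps and one-hour window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Alerts this release marks as silent (per the notes above).
SILENT_ALERTS = {
    "Potential LOLBin Download Activity",
    "Potential Windows Management Instrumentation Lateral Movement",
    "Repeated Metric and Profile Outliers",
    "WinRM Connection",
}

@dataclass
class Alert:
    name: str
    device: str
    time: datetime

    @property
    def silent(self) -> bool:
        return self.name in SILENT_ALERTS

@dataclass
class Incident:
    device: str
    alerts: list = field(default_factory=list)

    @property
    def indicators(self) -> list:
        # Silent alerts are listed here next to the alert they correlate with.
        return [a.name for a in self.alerts]

def visible_alerts(alerts):
    """Alerts-page model: silent alerts are never listed on their own."""
    return [a for a in alerts if not a.silent]

def correlate(alerts, window=timedelta(hours=1)):
    """Hypothetical correlation: group each device's alerts into windows; keep
    only groups that contain at least one non-silent alert."""
    by_device, incidents = {}, []
    for a in sorted(alerts, key=lambda a: a.time):
        by_device.setdefault(a.device, []).append(a)
    for device, group in by_device.items():
        current = None
        for a in group:
            if current is None or a.time - current.alerts[-1].time > window:
                current = Incident(device)
                incidents.append(current)
            current.alerts.append(a)
    return [i for i in incidents if any(not a.silent for a in i.alerts)]

T0 = datetime(2025, 2, 1, 9, 0)
SAMPLE = [  # constructed sample alerts, not real telemetry
    Alert("WinRM Connection", "host-a", T0),
    Alert("SharpShares Network Discovery", "host-a", T0 + timedelta(minutes=10)),
    Alert("Potential LOLBin Download Activity", "host-b", T0 + timedelta(minutes=5)),
]
```

On the sample, host-b's lone silent alert produces no incident and is never listed, while host-a's WinRM alert becomes an indicator of the SharpShares incident.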
Previous Release Notes
To view the Release Notes for previous releases, see Previous Release Notes for Secure Cloud Analytics.