📢 Introducing the changelog directly in Sekoia

Dear Users,

To ensure you never miss a new feature release, we’ve integrated changelogs directly into the platform. This will keep you informed about important updates and demonstrate the continuous value we strive to deliver.

What's new menu

Click on the new What's new? menu to get the latest updates about new features, integrations, detection rules and more.


New changelog notification

Whenever the changelog is updated, you will see a visual notification and also receive a mail in your inbox.


How to disable mail notifications

You can disable mail notifications at any time by turning off the E-Mail notifications parameter in the widget settings.


We hope you will appreciate this new improvement and enjoy better visibility of platform updates.

Sekoia Product team

Rules Catalog updates! (ArubaOS, AWS, Bitsight, Broadcom, Cato Networks, Claroty, Cyberwatch, Daspren, Datadome, EfficientIP, ESET, Fastly, Forcepoint, Gatewatcher, Google, Lacework, Microsoft, SecurityScorecard, Trend Micro, Varonis, Veeam, Zscaler)

In the past three months, 54 verified rules have been updated and 60 new rules have been published to improve our detection capabilities!

Integrations with new rules that raise alerts based on the related security products:

  • ArubaOS Switch, 1 rule to detect Login Brute-Force Successful.
  • AWS CloudTrail, 2 rules to detect EC2 Enable Serial Console Access, S3 Bucket Replication.
  • Bitsight SPM, 4 rules to detect Minor/Moderate/Severe/Material Vulnerability.
  • Broadcom Edge Secure Web Gateway, 2 rules to detect High Threat, Anomaly TCP Denied.
  • Cato Networks SASE, 1 rule to detect High Risk Alert.
  • Claroty xDome, 1 rule to detect Network Threat Detection Alert.
  • Cyberwatch Detection, 1 rule to detect Critical Vulnerability.
  • Daspren Parad, 1 rule to detect Malicious Behavior.
  • Datadome Protection, 1 rule to detect Intrusion Detection.
  • EfficientIP SOLIDServer, 1 rule to detect Suspicious Behavior.
  • ESET Protect, 5 rules to detect Intrusion Detection, Malware, Set Policy, Vulnerability Exploitation Attempt, Remote Action.
  • Fastly Next-Gen WAF, 1 rule to detect Audit Threat Alert.
  • Forcepoint Secure Web Gateway, 2 rules to detect Compromised Websites, Malicious Websites.
  • Gatewatcher AionIQ, 2 rules to detect Malware/Network Alert.
  • Google Workspace, 2 rules to detect Account Warning, Blocked Sender.
  • Lacework Cloud Security, 4 rules to detect Low/Medium/High/Critical Severity Alert.
  • Microsoft 365, 1 rule to detect Authenticated Activity From Tor IP Address.
  • Microsoft Entra ID, 4 rules to detect Consent Attempt to Suspicious OAuth Application, Sign-In Via Known AiTM Phishing Kit Generic/Tycoon 2FA/RED0046.
  • SecurityScorecard Vulnerability Assessment Scanner, 1 rule to detect New Issues.
  • Trend Micro Cloud One, 3 rules to detect Low/Medium/High Intrusion.
  • Varonis Data Security, 1 rule to detect Network Alert.
  • Veeam Backup & Replication, 1 rule for Malware Detection.
  • Zscaler ZIA, 2 rules to detect Malicious/Suspicious Threat Outbreak.

Threats on:

  • Windows, 16 rules: Anomaly Bruteforce Disabled Users, Cookies Deletion, Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying, Correlation Multi Service Disable, Correlation Suspicious Authentication Coercer Behavior, Credential Harvesting Via Vaultcmd.exe, Disabling SmartScreen Via Registry, DNS Query For Iplookup, Gpresult Usage, Openfiles Usage, Netscan Share Access Artefact, Njrat Registry Values, PowerShell Commands Invocation, Suspicious Certificate Request-adcs Abuse, Suspicious Commands From MS SQL Server Shell.

Our rules changelog is available here: https://docs.sekoia.io/xdr/features/detect/rules_changelog/

⭐ Sekoia agent v.1.6.1

We are pleased to announce the release of agent version 1.6.1!

This update brings enhanced efficiency by refining how we handle certain Windows events. We've added the ability to parse the Requester property in specific Windows events, while also optimizing event processing by ignoring some events with no security relevance.

New integration Thinkst Canary [BETA]

Thinkst Canary [BETA]

  • Thinkst Canary is a deception technology that helps detect attackers on your network before they can do any damage
  • Collect accurate alerts from Canaries into Sekoia to detect intruders and block cyber-attacks (learn more)

Integrations Fastly Next-Gen WAF Audit Logs and Veeam Backup & Replication in GA

Integrations Fastly Next-Gen WAF Audit Logs and Veeam Backup & Replication are now available in GA.

Fastly WAF

  • Collect Corp audit logs and Site audit logs to monitor unusual admin activity in your WAF (learn more)

Veeam Backup & Replication

  • Collect Application, File, Network and Service logs to monitor your critical backup and replication systems (learn more)

New integrations available for ESET, Juniper, Azure, EfficientIP and Sesame it 🎉

Five new integrations entered our Intake catalog in BETA.

ESET Protect / Inspect [BETA]

  • This integration is available for Cloud and On-prem versions.
  • Collect alerts and telemetry into Sekoia to improve your visibility and monitor your endpoints closely (documentation)

Juniper Switches [BETA]

  • Collect firewall logs from Juniper Switches into Sekoia (documentation)

Azure Application Gateway [BETA]

  • Collect access and firewall logs from Azure Application Gateway into Sekoia (documentation)

Efficient IP [BETA]

  • Collect DNS logs from EfficientIP SOLIDserver into Sekoia to leverage our CTI (documentation)

Sesame it Jizô NDR [BETA]

  • Jizô NDR is a network observability platform that enables decision-makers to anticipate, identify and block cyber-attacks
  • Collect logs from Jizô NDR into Sekoia (documentation)

New integrations: Bitsight and Mimecast

New integrations Bitsight SPM and Mimecast Email Security have entered BETA phase.

Bitsight SPM [BETA]

  • Collect findings with vulnerability and asset details into Sekoia (documentation).

Mimecast Email Security [BETA]

New integrations: Daspren Parad 🇫🇷 and Nybble Security 🇫🇷

We are excited to welcome 2 amazing French security products.

Daspren Parad [BETA]

  • Daspren is the only Data Detection and Response (DDR) solution that integrates detection and blocking of cyber-attacks
  • Collect logs from Daspren Parad into Sekoia (documentation)

Nybble Security

  • Nybble is a community-based cyberdefense service that provides alert triage and incident management through the world’s first qualified analyst network
  • Automatically create an alert in Nybble Hub when a new alert is raised in SEKOIA.IO (documentation)
  • A playbook template is available to quickly set up an automation

Reducing the noise in your events

Today, we updated our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:

  • Simplified Investigations: Focus more easily on critical signals by reducing metadata overhead.
  • Stability in Detection Rules: Utilize immutable fields (UUIDs) to improve the reliability of detection rules and automations.
  • Performance Boost: Enhance the performance of event searches and API calls.

In order to avoid disruption of your cyber-security operations, we automatically updated your detection rules that were impacted. Playbooks were also updated, but only for fields in the "Duplicate Fields" section.

If you are still using impacted fields outside of Sekoia (in scripts, automations, etc.), you also have to update this logic yourself.

The change is effective on FRA1 (our main region) and will be rolled out to all regions in the coming days.

Description of Changes

Duplicate Fields

All events contained duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.

The legacy fields listed in the table below are no longer available.

Legacy Field (deleted)     Prefixed Field (kept)
customer.community_uuid    sekoiaio.customer.community_uuid
customer.intake_uuid       sekoiaio.intake.uuid
entity.uuid                sekoiaio.entity.uuid
event.dialect_uuid         sekoiaio.intake.dialect_uuid
event.dialect              sekoiaio.intake.dialect

Deleted Fields

The following fields are no longer available in events. The matching UUID fields should be used instead when needed.

Deleted field name                 UUID field to use
customer.community_name            sekoiaio.customer.community_uuid
sekoiaio.customer.community_name   sekoiaio.customer.community_uuid
customer.id                        sekoiaio.customer.community_uuid
sekoiaio.customer.id               sekoiaio.customer.community_uuid
customer.intake_key                sekoiaio.intake.uuid
sekoiaio.intake.key                sekoiaio.intake.uuid
customer.intake_name               sekoiaio.intake.uuid
sekoiaio.intake.name               sekoiaio.intake.uuid
entity.id                          sekoiaio.entity.uuid
sekoiaio.entity.id                 sekoiaio.entity.uuid
entity.name                        sekoiaio.entity.uuid
sekoiaio.entity.name               sekoiaio.entity.uuid

If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.

[Intakes] DNS bug fixes

We fixed 2 issues related to the parsing of DNS values to improve CTI Detection.

SentinelOne CloudFunnel

On macOS, S1 CloudFunnel could sometimes return a DNS value that was incompatible with our CTI Detection because of a record-type prefix.
Before: dns.question.name = "type: 1 example.com"
Now: dns.question.name = "example.com"

Cisco Umbrella DNS

Cisco Umbrella DNS returned a DNS value that did not match our CTI detection because of the trailing dot.
Before: dns.question.name = "example.com."
Now: dns.question.name = "example.com"
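The two normalizations described above, as an added Python example that is not Sekoia's parser code: it strips the record-type prefix and the trailing dot before comparing a name against indicators, and additionally folds case, since DNS names are case-insensitive and indicator lists are usually lower-case. The sample events and indicator list are constructed.

```python
import re

# Leading "type: <n> " that SentinelOne CloudFunnel on macOS prepended to
# dns.question.name (the numeric record type, e.g. "type: 1 " for an A record).
_TYPE_PREFIX = re.compile(r"^type:\s*\d+\s+")


def normalize_dns_name(value):
    """Return dns.question.name in the canonical form CTI matching expects.

    Handles the two intake defects fixed above (record-type prefix, trailing
    dot) and, beyond the page, lower-cases the name so that indicator lookups
    are case-insensitive like DNS itself.
    """
    name = _TYPE_PREFIX.sub("", value.strip())
    name = name.rstrip(".")          # "example.com." -> "example.com"
    return name.lower()


def match_indicators(events, indicators):
    """Yield (raw_value, indicator) for events whose normalized name is an IoC."""
    wanted = {normalize_dns_name(i) for i in indicators}
    for ev in events:
        raw = ev.get("dns.question.name")
        if raw is None:
            continue
        name = normalize_dns_name(raw)
        if name in wanted:
            yield raw, name


# Constructed sample events mirroring the before/after values quoted above,
# plus one mixed-case Umbrella value and one benign query.
SAMPLE_EVENTS = [
    {"source": "sentinelone", "dns.question.name": "type: 1 example.com"},
    {"source": "umbrella", "dns.question.name": "example.com."},
    {"source": "umbrella", "dns.question.name": "Mail.Example.ORG."},
    {"source": "other", "dns.question.name": "benign.test"},
]
SAMPLE_INDICATORS = ["example.com", "mail.example.org"]
```

Without the normalization, only the last sample event would be compared correctly: the first two raw values never equal "example.com" even though they are the same domain.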

[Action Required] Reducing the Noise in Your Events (Reminder)

Effective July 2nd, we will be updating our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:

  • Simplified Investigations: Focus more easily on critical signals by reducing metadata overhead.
  • Stability in Detection Rules: Utilize immutable fields (UUIDs) to improve the reliability of detection rules and automations.
  • Performance Boost: Enhance the performance of event searches and API calls.

UPDATE: Required Actions

In order to avoid disruption of your cyber-security operations, we automatically updated your detection rules that were impacted today (2024-06-26).

Playbooks were also updated, but only for fields from the “Duplicate Fields” section.

If you are using impacted fields outside of Sekoia (in scripts, automations, etc.), you will also have to update this logic yourself since it is unknown to us.

Description of Changes

Duplicate Fields

All events currently contain duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.

The legacy fields listed in the table below are going to be deleted.

Legacy Field (deleted)     Prefixed Field (kept)
customer.community_uuid    sekoiaio.customer.community_uuid
customer.intake_uuid       sekoiaio.intake.uuid
entity.uuid                sekoiaio.entity.uuid
event.dialect_uuid         sekoiaio.intake.dialect_uuid
event.dialect              sekoiaio.intake.dialect

Deleted Fields

The following fields will be deleted. The matching UUID fields should be used instead when needed.

Deleted field name                 UUID field to use
customer.community_name            sekoiaio.customer.community_uuid
sekoiaio.customer.community_name   sekoiaio.customer.community_uuid
customer.id                        sekoiaio.customer.community_uuid
sekoiaio.customer.id               sekoiaio.customer.community_uuid
customer.intake_key                sekoiaio.intake.uuid
sekoiaio.intake.key                sekoiaio.intake.uuid
customer.intake_name               sekoiaio.intake.uuid
sekoiaio.intake.name               sekoiaio.intake.uuid
entity.id                          sekoiaio.entity.uuid
sekoiaio.entity.id                 sekoiaio.entity.uuid
entity.name                        sekoiaio.entity.uuid
sekoiaio.entity.name               sekoiaio.entity.uuid

If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.

[Action Required] Reducing the Noise in Your Events

Effective July 2nd, we will be updating our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:

  • Simplified Investigations: Focus more easily on critical signals by reducing metadata overhead.
  • Stability in Detection Rules: Utilize immutable fields (UUIDs) to improve the reliability of detection rules and automations.
  • Performance Boost: Enhance the performance of event searches and API calls.

Description of Changes

Duplicate Fields

All events currently contain duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.

The legacy fields listed in the table below are going to be deleted.

Legacy Field (deleted)     Prefixed Field (kept)
customer.community_uuid    sekoiaio.customer.community_uuid
customer.intake_uuid       sekoiaio.intake.uuid
entity.uuid                sekoiaio.entity.uuid
event.dialect_uuid         sekoiaio.intake.dialect_uuid
event.dialect              sekoiaio.intake.dialect

Deleted Fields

The following fields will be deleted. The matching UUID fields should be used instead when needed.

Deleted field name                 UUID field to use
customer.community_name            sekoiaio.customer.community_uuid
sekoiaio.customer.community_name   sekoiaio.customer.community_uuid
customer.id                        sekoiaio.customer.community_uuid
sekoiaio.customer.id               sekoiaio.customer.community_uuid
customer.intake_key                sekoiaio.intake.uuid
sekoiaio.intake.key                sekoiaio.intake.uuid
customer.intake_name               sekoiaio.intake.uuid
sekoiaio.intake.name               sekoiaio.intake.uuid
entity.id                          sekoiaio.entity.uuid
sekoiaio.entity.id                 sekoiaio.entity.uuid
entity.name                        sekoiaio.entity.uuid
sekoiaio.entity.name               sekoiaio.entity.uuid

Required Actions

In order to avoid disruption of your cyber-security operations, we will be automatically updating your detection rules that are currently using one of the fields that will be deleted.

Playbooks will also be updated, but only for fields from the “Duplicate Fields” section.

If you are using impacted fields outside of Sekoia (in scripts, automations, etc.), you will also have to update this logic yourself since it is unknown to us.

Where can I review the changes that will be applied?

Once authenticated on the platform, you can click on the following links to list the changes for your workspace:

FRA1 (main region): Rule Changes / Playbook Changes

FRA2: Rule Changes / Playbook Changes

MCO1: Rule Changes / Playbook Changes

UAE1: Rule Changes / Playbook Changes

Are there known limitations to the automated migration?

  • The migration will automatically apply changes to impacted rules. If you are using one of the deleted fields in the definition of an anomaly detection rule, the migration will trigger a recompilation of the rule. This means you will no longer be able to access parts of the rule history (such as past anomalies and predictions). The detection logic will still work as expected.

  • Rules that require changes will be reformatted automatically; comments will be lost.

Planning

2024-06-18: The reference fields are available in events and the links to review changes are available

2024-06-26: Automated migration is applied, changes can no longer be reviewed

2024-07-02: Legacy fields are no longer added to events

If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
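For the scripts and automations outside Sekoia that the announcement says you must update yourself, here is an added Python helper (not Sekoia's own tooling) that applies the two tables above to the text of a script or exported rule. Duplicate fields are renamed mechanically; deleted fields are only reported, because their replacement carries a UUID rather than the name, key or id the old field held, so the value being compared has to change as well. The sample filter it runs on is constructed.

```python
import re

# Duplicate fields: the same value is already present under the sekoiaio.
# prefix, so a reference can be renamed mechanically (first table above).
DUPLICATE_FIELDS = {
    "customer.community_uuid": "sekoiaio.customer.community_uuid",
    "customer.intake_uuid": "sekoiaio.intake.uuid",
    "entity.uuid": "sekoiaio.entity.uuid",
    "event.dialect_uuid": "sekoiaio.intake.dialect_uuid",
    "event.dialect": "sekoiaio.intake.dialect",
}

# Deleted fields: the replacement holds a UUID, not the old name/key/id, so a
# literal comparison would silently stop matching. Reported, never renamed.
DELETED_FIELDS = {
    "customer.community_name": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.community_name": "sekoiaio.customer.community_uuid",
    "customer.id": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.id": "sekoiaio.customer.community_uuid",
    "customer.intake_key": "sekoiaio.intake.uuid",
    "sekoiaio.intake.key": "sekoiaio.intake.uuid",
    "customer.intake_name": "sekoiaio.intake.uuid",
    "sekoiaio.intake.name": "sekoiaio.intake.uuid",
    "entity.id": "sekoiaio.entity.uuid",
    "sekoiaio.entity.id": "sekoiaio.entity.uuid",
    "entity.name": "sekoiaio.entity.uuid",
    "sekoiaio.entity.name": "sekoiaio.entity.uuid",
}


def _field_pattern(names):
    # Longest names first, and no word character or dot on either side, so that
    # "entity.uuid" does not match inside "sekoiaio.entity.uuid" and
    # "event.dialect" does not match inside "event.dialect_uuid".
    alts = sorted((re.escape(n) for n in names), key=len, reverse=True)
    return re.compile(r"(?<![\w.])(?:" + "|".join(alts) + r")(?![\w.])")


DUP_RE = _field_pattern(DUPLICATE_FIELDS)
DEL_RE = _field_pattern(DELETED_FIELDS)


def migrate(text):
    """Rename duplicate fields; return (new_text, warnings about deleted fields)."""
    new_text = DUP_RE.sub(lambda m: DUPLICATE_FIELDS[m.group(0)], text)
    warnings = [
        f"line {n}: {m.group(0)} is deleted, use {DELETED_FIELDS[m.group(0)]} "
        f"(a UUID, so the compared value must change too)"
        for n, line in enumerate(new_text.splitlines(), 1)
        for m in DEL_RE.finditer(line)
    ]
    return new_text, warnings


# Constructed sample filter with a placeholder UUID, as it might sit in a script.
SAMPLE = ("entity.uuid == 'ENTITY-UUID-PLACEHOLDER'\n"
          "and customer.intake_name == 'proxy-paris'\n"
          "and event.dialect == 'Cisco Umbrella DNS'")
```

Running migrate(SAMPLE) rewrites the first and third lines and leaves the second untouched with a warning, since an intake name cannot simply be swapped for sekoiaio.intake.uuid without also looking up the intake's UUID.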

Integration catalog updates 🎉

New integrations Azure Key Vault and Ubika Cloud Protector Traffic have entered BETA phase.
Five Endpoint integrations are now in General Availability.

Azure Key Vault [BETA]

  • Collect audit logs into Sekoia to monitor your organization's cryptographic keys and secrets (documentation).

Ubika Cloud Protector Traffic [BETA]

  • Collect web logs into Sekoia to leverage our CTI and built-in detection rules (documentation).

Checkpoint Harmony Mobile [GA]

  • Collect alerts into Sekoia to improve your visibility on mobile devices (documentation).

Crowdstrike Falcon Telemetry [GA]

  • Collect telemetry into Sekoia to monitor your endpoints closely (documentation).

Palo Alto Cortex EDR [GA]

  • Collect alerts and telemetry to improve your visibility and monitor your endpoints closely (documentation).

SentinelOne Cloud Funnel 2.0 [GA]

  • Collect telemetry to monitor your endpoints closely (documentation).

Stormshield SES [GA]

  • Collect telemetry to monitor your endpoints closely (documentation).

Duplicate rules, queries and playbooks ➿

Simplify repetitive tasks and boost efficiency with our latest feature: one-click duplication for rules, playbooks, and queries!

This update empowers you to duplicate essential elements within the platform, saving you valuable time and effort.

What's New?

  • Duplicate Rules: Always wanted to copy a verified rule and tweak the severity of the alerts it produces? Well now, you can! Find the rule, click the "Duplicate" button in the details panel, and customize detection patterns, alerts, assets, and more.
    ⚠️ Warning: Duplicating a rule and enabling it severs the connection to the original. Edits to the original rule won't be reflected in your duplicate. Stay informed by checking the Rules Catalog changelog for updates.

  • Duplicate Playbooks: Building complex playbooks is important, but starting from scratch each time can be a hassle.
    Now you can easily copy entire playbooks with just one click. No need to rebuild them anymore - just click the "Duplicate" button in the playbook panel or on the dedicated playbook page.

  • Duplicate Queries: The query builder is your secret weapon for crafting insightful data aggregations.
    But what if you just need a minor adjustment to explore a different angle? Gone are the days when you had to rebuild the query from scratch! With the new duplicate button, you can clone any query in the blink of an eye.
