We are thrilled to announce a major enhancement to the Query Builder: it now supports Alerts and Cases, in public Beta! This significant upgrade lets you create more complex and insightful dashboards, seamlessly integrating data beyond just events.
This feature is a game changer for SOC managers and analysts. With these new capabilities, users can visualize operational data in ways that were previously unattainable.
Imagine creating dynamic dashboards that can showcase:
With these enhancements, the possibilities for data-driven decision-making are endless. Dive in, explore the new features, and start building dashboards that drive impactful security operations!
Happy querying! 📊
Dear Users,
To ensure you never miss a new feature release, we've integrated changelogs directly into the platform. This will keep you informed about important updates and demonstrate the continuous value we strive to deliver.
Click on the new What's new? menu to get the latest updates about new features, integrations, detection rules and more.
Whenever the changelog is updated, you will see a visual notification and also receive a mail in your inbox.
You can disable mail notifications at any time by turning off the E-Mail notifications parameter in the widget settings.
We hope you will appreciate this new improvement and enjoy a better visibility of the platform updates.
Sekoia Product team
Our Netskope integration was improved with additional DLP fields:
The playbook actions isolate hosts and deisolate hosts for CrowdStrike were added to our Automation library. Accelerate your incident response by isolating compromised hosts.
In the past three months, 54 verified rules have been updated and 60 new rules published to improve our detection capabilities!
Integrations to raise alerts based on the related security products:
Threats on:
Our rules changelog is available over there: https://docs.sekoia.io/xdr/features/detect/rules_changelog/
We are pleased to announce the release of Intake v2. The feature will be deployed progressively in the coming weeks, starting today.
This feature streamlines intake implementation and management by enabling organizations and MSSPs to set up data sources effortlessly and monitor the health of their data pipeline. With Intake v2, organizations secure their detection availability through fewer collection errors, better parsing and improved visibility on event delivery.
Before Intake v2, analysts could face a complex process in some scenarios when setting up data collection. Monitoring data collection and parsing issues was difficult. Finally, searching for intakes was cumbersome when managing large entities and many data sources.
This improvement concerns dashboards, as we wanted to make editing widgets easier for you. Here is what you need to know:
Depending on the type of widgets you want to edit, here is what to expect:
This update simplifies your workflow, making it quicker and more intuitive to customize your dashboard.
We are pleased to announce the release of agent version 1.6.1!
This update brings enhanced efficiency by refining how we handle certain Windows events. We've added the ability to parse the Requester property in specific Windows events, while also optimizing event processing by ignoring some events with no security relevance.
We are happy to announce the release of our Query Builders in Dashboard feature! This long awaited update allows you to add and integrate existing query builders directly into your dashboards, simplifying the management of data visualizations and ensuring consistency across your projects.
Previously, dashboards were customizable only with built-in widgets, which restricted the flexibility and efficiency of data visualization. Integrating query builders into dashboards provides a more dynamic and consistent approach to managing your data insights.
AWS CloudFront is now available in General Availability.
- Collect Web logs from the AWS CDN to enhance your Cloud Threat Detection, improve your Threat Hunting and gain unified visibility in the Sekoia SOC platform.
- Collect alerts from Canaries into Sekoia to detect intruders and block cyber-attacks.
Integrations Fastly Next-Gen WAF Audit Logs and Veeam Backup & Replication are now available in GA.
- Collect Corp audit logs and Site audit logs to monitor unusual admin activity in your WAF.
- Collect Application, File, Network and Service logs to monitor your critical backup and replication systems.
Five new integrations entered our Intake catalog in BETA.
- Collect alerts and telemetry into Sekoia to improve your visibility and monitor your endpoints closely.
- Collect firewall logs from Juniper Switches into Sekoia.
- Collect access and firewall logs from Azure Application Gateway into Sekoia.
- Collect dns logs from EfficientIP SOLIDserver into Sekoia to leverage our CTI.
- Collect logs from Jizô NDR into Sekoia.
We are excited to announce several significant improvements to our API key system, designed to enhance usability, security, and integration flexibility. Below are the details of the updates:
📏 Shorter API Keys
We have reduced the length of API keys. API keys are now less than 100 characters, making them easier to handle and reducing the likelihood of errors during integration.
⏳ API Key expiration dates
Users can now specify expiration dates for their API keys, adding an extra layer of security and control. Choose from predefined time frames or set a custom date within the maximum allowed duration of 1 year.
Users can easily filter and manage expired API keys from the UI.
🎛️ Transition from role-based to permission-based API keys
We have migrated from a role-based API key system to a more flexible and granular permission-based system.
Users can now define specific permissions for each API key, ensuring that keys only have the access needed for their intended purpose.
All existing API keys have been automatically migrated to the new permission-based system without any disruption to current integrations.
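With expiry dates capped at one year and permissions scoped per key, the operational question becomes: which keys are about to expire, which never expire, and which carry more permissions than their integration needs? The script below is an added example of that audit and is not Sekoia code; it does not call the Sekoia API. The inventory is constructed, and the field names (`name`, `created_at`, `expires_at`, `permissions`), the key names and the permission strings are hypothetical placeholders for whatever your own key export contains.

```python
"""Audit an API-key inventory for expiry and least-privilege hygiene.

Added example; this is not Sekoia code and does not use the Sekoia API.
The inventory below is constructed, and the field names (`name`,
`created_at`, `expires_at`, `permissions`), key names and permission
strings are hypothetical: adapt them to your actual key export.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=365)      # the 1-year maximum stated in the changelog
RENEWAL_WINDOW = timedelta(days=14)     # hypothetical lead time for rotating a key

# Least-privilege baseline: the permissions each integration actually needs.
# A key absent from this map has every permission flagged (unknown consumer).
ALLOWED_PERMISSIONS = {
    "siem-forwarder": {"events:read"},
    "ticketing-sync": {"alerts:read", "alerts:comment"},
}

# Constructed inventory shaped like a JSON export; these are not real keys.
INVENTORY = [
    {"name": "siem-forwarder", "created_at": "2024-06-01T00:00:00Z",
     "expires_at": "2024-07-15T00:00:00Z", "permissions": ["events:read"]},
    {"name": "ticketing-sync", "created_at": "2024-01-10T00:00:00Z",
     "expires_at": None, "permissions": ["alerts:read", "alerts:comment", "rules:write"]},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def lifetime_is_allowed(created_at, expires_at):
    """True when a key has an expiry and its lifetime is positive and at most 1 year."""
    start, end = parse_ts(created_at), parse_ts(expires_at)
    if end is None:
        return False
    return timedelta(0) < end - start <= MAX_LIFETIME


def audit_keys(inventory, now, allowed=ALLOWED_PERMISSIONS):
    """Return (key name, finding) pairs; an empty list means the inventory is clean."""
    findings = []
    for key in inventory:
        name = key["name"]
        expires = parse_ts(key.get("expires_at"))
        if expires is None:
            findings.append((name, "no expiry set"))
        elif expires <= now:
            findings.append((name, "expired"))
        elif expires - now <= RENEWAL_WINDOW:
            findings.append((name, f"expires in {(expires - now).days} days"))
        # Anything beyond the baseline is a candidate for a narrower key.
        extra = set(key["permissions"]) - allowed.get(name, set())
        if extra:
            findings.append((name, "over-privileged: " + ", ".join(sorted(extra))))
    return findings


def run_audit(now_iso="2024-07-05T00:00:00Z"):
    """Audit the constructed inventory at a fixed instant so results are reproducible."""
    return audit_keys(INVENTORY, parse_ts(now_iso))


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```

Run it on a scheduled basis against a fresh export; a key with no expiry is exactly the kind of long-lived credential the new expiration feature exists to retire, and the over-privilege check is what makes the move from roles to permissions pay off.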
We are pleased to introduce Meta-Playbooks, now generally available to all our customers. This feature extends our Multi-Tenant architecture by enabling organisations and Managed Security Service Providers (MSSPs) to create a single playbook that supports multiple subsidiaries or MSSP clients (Sekoia communities).
Why Meta-Playbooks?
Before Meta-Playbooks, MSSP analysts faced the cumbersome task of manually copying and updating the same playbook for each subsidiary, leading to inefficiencies and potential errors.
This new feature streamlines the process, allowing for the creation of a single playbook that supports multiple subsidiaries, ensuring consistency and saving valuable time.
What You Can Do Now with Meta-Playbooks
New integrations Bitsight SPM and Mimecast Email Security have entered BETA phase.
- Collect Bitsight SPM findings with vulnerability and asset details into Sekoia.
- Collect Mimecast email gateway logs into Sekoia.
We are excited to welcome 2 amazing French security products.
- Collect logs from Daspren Parad into Sekoia.
- Create an alert in Nybble Hub when a new alert is raised in SEKOIA.IO; a playbook template is available to quickly set up this automation.
The API documentation for the Query Builder is now available.
You can interact directly with the API to explore your data and extract critical insights.
Today, we updated our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:
In order to avoid disruption of your cyber-security operations, we automatically updated your detection rules that were impacted. Playbooks were also updated, but only for fields in the "Duplicate Fields" section.
If you are still using impacted fields outside of Sekoia (in scripts, automations, etc.), you also have to update this logic yourself.
The change is effective on FRA1 (our main region) and will be rolled out to all regions in the coming days.
All events contained duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.
The legacy fields listed in the table below are no longer available.
Legacy Field (deleted) | Prefixed Field (kept) |
---|---|
customer.community_uuid | sekoiaio.customer.community_uuid |
customer.intake_uuid | sekoiaio.intake.uuid |
entity.uuid | sekoiaio.entity.uuid |
event.dialect_uuid | sekoiaio.intake.dialect_uuid |
event.dialect | sekoiaio.intake.dialect |
The following fields are no longer available in events. The matching UUID fields should be used instead when needed.
Deleted field name | UUID field to use |
---|---|
customer.community_name | sekoiaio.customer.community_uuid |
sekoiaio.customer.community_name | sekoiaio.customer.community_uuid |
customer.id | sekoiaio.customer.community_uuid |
sekoiaio.customer.id | sekoiaio.customer.community_uuid |
customer.intake_key | sekoiaio.intake.uuid |
sekoiaio.intake.key | sekoiaio.intake.uuid |
customer.intake_name | sekoiaio.intake.uuid |
sekoiaio.intake.name | sekoiaio.intake.uuid |
entity.id | sekoiaio.entity.uuid |
sekoiaio.entity.id | sekoiaio.entity.uuid |
entity.name | sekoiaio.entity.uuid |
sekoiaio.entity.name | sekoiaio.entity.uuid |
If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
We fixed 2 issues related to the parsing of DNS values to improve CTI Detection.
On macOS, S1 CloudFunnel could sometimes return a DNS value that was incompatible with our CTI Detection.
Before: dns.question.name = "type: 1 example.com"
Now: dns.question.name = "example.com"
Cisco Umbrella DNS returned a DNS value that did not match our CTI detection because of the trailing dot.
Before: dns.question.name = "example.com."
Now: dns.question.name = "example.com"
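Both fixes are the same failure mode: an indicator lookup is an exact string comparison, so a record-type prefix or a trailing dot turns a known-bad domain into a miss. The block below is an added example of the normalization, not Sekoia's parser; it reproduces the two cases from this entry and, beyond what the changelog states, also case-folds the name and checks parent domains. The indicator set and sample values are constructed.

```python
"""Normalize dns.question.name before matching it against CTI indicators.

Added example, not Sekoia's parser. It reproduces the two fixes described
in the changelog (the 'type: N ' prefix from S1 CloudFunnel on macOS and the
trailing dot from Cisco Umbrella) and adds case-folding and parent-domain
matching, which the changelog does not mention. The indicators are constructed.
"""
import re

# Constructed indicator list; a real CTI feed provides bare, lower-case names.
IOC_DOMAINS = {"example.com", "bad.example.net"}

# "type: 1 example.com": the record type leaked into the name field.
_TYPE_PREFIX = re.compile(r"^type:\s*\d+\s+")


def normalize_dns_name(raw):
    """Return a bare, lower-case domain name suitable for indicator lookup."""
    name = _TYPE_PREFIX.sub("", raw.strip())
    name = name.rstrip(".")          # "example.com." is the FQDN form of the same host
    return name.lower()


def ioc_match(raw, iocs=IOC_DOMAINS):
    """Return the matching indicator for a raw dns.question.name, or None.

    Checks the normalized name and each parent domain, so a lookup of
    "cdn.bad.example.net" still matches the indicator "bad.example.net".
    """
    name = normalize_dns_name(raw)
    labels = name.split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed samples: the two pre-fix forms from the changelog plus two others.
SAMPLES = ["type: 1 example.com", "example.com.", "cdn.bad.example.net", "safe.example.org"]


def compare_raw_vs_normalized(samples=SAMPLES, iocs=IOC_DOMAINS):
    """Pair each sample with (raw exact-match hit, normalized match), showing why raw values missed."""
    return {s: (s in iocs, ioc_match(s, iocs)) for s in samples}


if __name__ == "__main__":
    for raw, (raw_hit, normalized_hit) in compare_raw_vs_normalized().items():
        print(f"{raw!r}: raw match={raw_hit}, normalized match={normalized_hit}")
```

The same normalization belongs in front of any detection rule that compares dns.question.name against a list, not only CTI matching; otherwise each new intake that emits the FQDN form silently reopens the gap.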
We made some improvements to the Office 365 intake format:
- The ParticipantInfo.HasForeignTenantUsers field was added to detect that a chat conversation was created with external users.
- The email field was not extracted in some specific cases.
We made several improvements to the Windows intake format to ease the analyst's investigation:
The process.parent.pid field was added to allow analysts to read the whole process tree.
The TargetLogonId field was added to give analysts the user's logon session ID. With this ID, analysts can easily search for all actions made by an attacker within that session.
The MessageNumber and MessageTotal fields were added to allow analysts to reconstruct a PowerShell script block that was split across several events.
The parsing of the registry.key field was fixed.
Before: registry.key = PATH\VALUE
Now: registry.key = PATH
This field is now ECS compliant and aligned with other integrations such as SentinelOne, which eases investigation and the creation of universal detection rules.
Finally, the detection pattern of the related detection rules was updated accordingly (see the changelog of June 21st 2024).
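Three of the changes above are about reconstruction during an investigation: walking process.parent.pid up to the root, joining script-block fragments by MessageNumber and MessageTotal, and reading registry.key as a path rather than path plus value name. The block below is an added example of those three operations and is not Sekoia code. All events are constructed and flattened into dicts with dotted keys; ScriptBlockId and ScriptBlockText are assumed to carry the script-block identifier and fragment body, as in Windows PowerShell script-block logging, and the registry split assumes the last backslash separates key path from value name, which is how the before/after example reads.

```python
"""Use the Windows intake fields described above during an investigation.

Added example, not Sekoia code. All events are constructed and flattened
into dicts with dotted keys. MessageNumber and MessageTotal follow the
changelog; ScriptBlockId and ScriptBlockText are assumed to carry the
script-block identifier and fragment body.
"""
from collections import defaultdict

# Constructed PowerShell script-block fragments: one script split into three
# messages (arriving out of order) and one script with a missing fragment.
SCRIPT_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "Invoke-Expression $p;"},
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$p = (New-Object Net.WebClient).DownloadString($u);"},
    {"ScriptBlockId": "a1", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "# done"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-Process"},
]

# Constructed process-creation events carrying the new process.parent.pid field.
PROCESS_EVENTS = [
    {"process.pid": 400, "process.parent.pid": 4, "process.name": "services.exe"},
    {"process.pid": 1200, "process.parent.pid": 400, "process.name": "svchost.exe"},
    {"process.pid": 3100, "process.parent.pid": 1200, "process.name": "powershell.exe"},
    {"process.pid": 3500, "process.parent.pid": 3100, "process.name": "whoami.exe"},
]


def reassemble_script_blocks(events):
    """Group fragments by ScriptBlockId and join them in MessageNumber order.

    Returns (complete, incomplete): complete maps id -> full text, incomplete
    maps id -> the MessageNumbers still missing, so a partial script is never
    mistaken for the whole thing.
    """
    fragments = defaultdict(dict)
    totals = {}
    for e in events:
        sbid = e["ScriptBlockId"]
        fragments[sbid][int(e["MessageNumber"])] = e["ScriptBlockText"]
        totals[sbid] = int(e["MessageTotal"])
    complete, incomplete = {}, {}
    for sbid, parts in fragments.items():
        expected = range(1, totals[sbid] + 1)
        missing = [n for n in expected if n not in parts]
        if missing:
            incomplete[sbid] = missing
        else:
            complete[sbid] = "".join(parts[n] for n in expected)
    return complete, incomplete


def process_chain(events, pid):
    """Walk process.parent.pid upwards and return process names from root to pid."""
    by_pid = {e["process.pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["process.name"])
        pid = by_pid[pid]["process.parent.pid"]
    return list(reversed(chain))


def split_registry_key(legacy_value):
    """Split the pre-fix 'PATH\\VALUE' form into (registry.key, registry.value).

    Assumes the last backslash separates the key path from the value name;
    a bare path yields an empty value name.
    """
    path, sep, value = legacy_value.rpartition("\\")
    return (path, value) if sep else (legacy_value, "")


if __name__ == "__main__":
    done, partial = reassemble_script_blocks(SCRIPT_EVENTS)
    print(done, partial)
    print(" -> ".join(process_chain(PROCESS_EVENTS, 3500)))
    print(split_registry_key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"))
```

Reporting the missing fragment numbers rather than joining whatever arrived matters in practice: a downloader split across three messages looks benign if only the first and last are stitched together.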
Effective July 2nd, we will be updating our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:
In order to avoid disruption of your cyber-security operations, we automatically updated your detection rules that were impacted today (2024-06-26).
Playbooks were also updated, but only for fields from the “Duplicate Fields” section.
If you are using impacted fields outside of Sekoia (in scripts, automations, etc.), you will also have to update this logic yourself since it is unknown to us.
All events currently contain duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.
The legacy fields listed in the table below are going to be deleted.
Legacy Field (deleted) | Prefixed Field (kept) |
---|---|
customer.community_uuid | sekoiaio.customer.community_uuid |
customer.intake_uuid | sekoiaio.intake.uuid |
entity.uuid | sekoiaio.entity.uuid |
event.dialect_uuid | sekoiaio.intake.dialect_uuid |
event.dialect | sekoiaio.intake.dialect |
The following fields will be deleted. The matching UUID fields should be used instead when needed.
Deleted field name | UUID field to use |
---|---|
customer.community_name | sekoiaio.customer.community_uuid |
sekoiaio.customer.community_name | sekoiaio.customer.community_uuid |
customer.id | sekoiaio.customer.community_uuid |
sekoiaio.customer.id | sekoiaio.customer.community_uuid |
customer.intake_key | sekoiaio.intake.uuid |
sekoiaio.intake.key | sekoiaio.intake.uuid |
customer.intake_name | sekoiaio.intake.uuid |
sekoiaio.intake.name | sekoiaio.intake.uuid |
entity.id | sekoiaio.entity.uuid |
sekoiaio.entity.id | sekoiaio.entity.uuid |
entity.name | sekoiaio.entity.uuid |
sekoiaio.entity.name | sekoiaio.entity.uuid |
If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
The intake IBM iSeries (formerly known as AS/400) is now available in BETA phase.
- Collect audit journal, integrated file system, message queues, database and history events into Sekoia to monitor your critical systems.
We are excited to announce the release of a new version of our agent, version 1.6.0.
This release enhances functionality, security, and reliability across both Linux and Windows agents.
We recommend updating to version 1.6.0 to take advantage of these improvements.
Effective July 2nd, we will be updating our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:
All events currently contain duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.
The legacy fields listed in the table below are going to be deleted.
Legacy Field (deleted) | Prefixed Field (kept) |
---|---|
customer.community_uuid | sekoiaio.customer.community_uuid |
customer.intake_uuid | sekoiaio.intake.uuid |
entity.uuid | sekoiaio.entity.uuid |
event.dialect_uuid | sekoiaio.intake.dialect_uuid |
event.dialect | sekoiaio.intake.dialect |
The following fields will be deleted. The matching UUID fields should be used instead when needed.
Deleted field name | UUID field to use |
---|---|
customer.community_name | sekoiaio.customer.community_uuid |
sekoiaio.customer.community_name | sekoiaio.customer.community_uuid |
customer.id | sekoiaio.customer.community_uuid |
sekoiaio.customer.id | sekoiaio.customer.community_uuid |
customer.intake_key | sekoiaio.intake.uuid |
sekoiaio.intake.key | sekoiaio.intake.uuid |
customer.intake_name | sekoiaio.intake.uuid |
sekoiaio.intake.name | sekoiaio.intake.uuid |
entity.id | sekoiaio.entity.uuid |
sekoiaio.entity.id | sekoiaio.entity.uuid |
entity.name | sekoiaio.entity.uuid |
sekoiaio.entity.name | sekoiaio.entity.uuid |
In order to avoid disruption of your cyber-security operations, we will be automatically updating your detection rules that are currently using one of the fields that will be deleted.
Playbooks will also be updated, but only for fields from the “Duplicate Fields” section.
If you are using impacted fields outside of Sekoia (in scripts, automations, etc.), you will also have to update this logic yourself since it is unknown to us.
Once authenticated on the platform, you can click on the following links to list the changes for your workspace:
FRA1 (main region): Rule Changes / Playbook Changes
FRA2: Rule Changes / Playbook Changes
MCO1: Rule Changes / Playbook Changes
UAE1: Rule Changes / Playbook Changes
The migration will automatically apply changes to impacted rules. If you are using one of the deleted fields in the definition of an anomaly detection rule, the migration will trigger a recompilation of the rule. This means you will no longer be able to access parts of the rule history (such as past anomalies and predictions). The detection logic will still work as expected.
Rules that require changes will be reformatted automatically, and any comments in them will be lost.
2024-06-18: The reference fields are available in events and the links to review changes are available
2024-06-26: Automated migration is applied, changes can no longer be reviewed
2024-07-02: Legacy fields are no longer added to events
If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
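The three entries above (the announcement, the reminder and the final notice) all leave one task to you: scripts and automations outside Sekoia that reference the removed fields. The block below is an added example of that migration and is not Sekoia's tooling. The two mappings are copied from the tables above. Everything else is constructed: the `field:"value"` query syntax used for the sample pattern, the flattened event dict, and the values in them.

```python
"""Migrate references to the removed legacy metadata fields.

Added example, not Sekoia's migration tooling. The two mappings are copied
from the changelog tables; the `field:"value"` query syntax and the
flattened event dict are constructed assumptions used to exercise them.
"""
import re

# Duplicate fields: a prefixed equivalent exists, so references rewrite 1:1.
DUPLICATE_FIELDS = {
    "customer.community_uuid": "sekoiaio.customer.community_uuid",
    "customer.intake_uuid": "sekoiaio.intake.uuid",
    "entity.uuid": "sekoiaio.entity.uuid",
    "event.dialect_uuid": "sekoiaio.intake.dialect_uuid",
    "event.dialect": "sekoiaio.intake.dialect",
}

# Name/key fields: no equivalent field exists. The UUID has to be looked up
# once and the reference rewritten by hand, so these are only reported.
DELETED_NAME_FIELDS = {
    "customer.community_name": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.community_name": "sekoiaio.customer.community_uuid",
    "customer.id": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.id": "sekoiaio.customer.community_uuid",
    "customer.intake_key": "sekoiaio.intake.uuid",
    "sekoiaio.intake.key": "sekoiaio.intake.uuid",
    "customer.intake_name": "sekoiaio.intake.uuid",
    "sekoiaio.intake.name": "sekoiaio.intake.uuid",
    "entity.id": "sekoiaio.entity.uuid",
    "sekoiaio.entity.id": "sekoiaio.entity.uuid",
    "entity.name": "sekoiaio.entity.uuid",
    "sekoiaio.entity.name": "sekoiaio.entity.uuid",
}

# A whole dotted field name. The lookarounds stop "customer.id" from matching
# inside "sekoiaio.customer.id" and "event.dialect" inside "event.dialect_uuid".
_FIELD = re.compile(r"(?<![\w.])[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+(?![\w.])")


def migrate_expression(expr):
    """Rewrite duplicate fields in a query or rule pattern.

    Returns (new_expr, unresolved): unresolved lists (deleted name field,
    UUID field to use instead) for references that still need a manual
    lookup; those are left untouched in new_expr rather than guessed.
    """
    unresolved = []

    def swap(match):
        field = match.group(0)
        if field in DELETED_NAME_FIELDS:
            unresolved.append((field, DELETED_NAME_FIELDS[field]))
            return field
        return DUPLICATE_FIELDS.get(field, field)

    return _FIELD.sub(swap, expr), unresolved


def read_field(event, field):
    """Read a field from a flattened event, accepting a legacy duplicate name.

    Lets a script written against the old names keep working on events that
    only carry the prefixed field. A deleted name field raises instead of
    silently returning None, which is how these breakages usually hide.
    """
    if field in DELETED_NAME_FIELDS:
        raise KeyError(f"{field} was removed; look the value up via {DELETED_NAME_FIELDS[field]}")
    return event.get(DUPLICATE_FIELDS.get(field, field))


# Constructed inputs (hypothetical values).
RULE_PATTERN = 'customer.intake_uuid:"9d1c" AND event.dialect:"windows" AND customer.community_name:"ACME"'
EVENT = {"sekoiaio.intake.uuid": "9d1c", "sekoiaio.intake.dialect": "windows", "event.code": "4688"}


if __name__ == "__main__":
    new_pattern, todo = migrate_expression(RULE_PATTERN)
    print(new_pattern)
    for field, uuid_field in todo:
        print(f"manual: replace {field} with a {uuid_field} value")
    print(read_field(EVENT, "customer.intake_uuid"))
```

Run `migrate_expression` over every saved query, rule export and playbook script you keep outside the platform, and treat a non-empty unresolved list as a blocker: a filter on a community or intake name becomes a filter on a UUID, and only you know which UUID that is.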
Authentication events are an essential part of securing a perimeter. Analyzing all the authentications of an asset provides a comprehensive view of its security posture.
This feature introduces a dedicated view of all the authentication events related to the current asset.
New integrations Azure Key Vault and Ubika Cloud Protector Traffic have entered BETA phase.
- Collect Azure Key Vault audit logs into Sekoia to monitor your organization's cryptographic keys and secrets.
- Collect Ubika Cloud Protector web logs into Sekoia to leverage our CTI and built-in detection rules.
Five Endpoint integrations are now in General Availability.
- Collect alerts into Sekoia to improve your visibility on mobile devices.
- Collect telemetry into Sekoia to monitor your endpoints closely.
- Collect alerts and telemetry to improve your visibility and monitor your endpoints closely.
- Collect telemetry to monitor your endpoints closely.
- Collect telemetry to monitor your endpoints closely.
We have introduced a new dedicated playbook action to support version 5 of TheHive.
If you plan to migrate to TheHive v5, please update your playbooks with this new playbook action to automate your work in the TheHive platform.
Simplify repetitive tasks and boost efficiency with our latest feature: one-click duplication for rules, playbooks, and queries!
This update empowers you to duplicate essential elements within the platform, saving you valuable time and effort.
Duplicate Rules: Always wanted to copy a verified rule and tweak produced alerts’ severity? Well now, you can! Find the rule, click the "Duplicate" button in the details panel, and customize detection patterns, alerts, assets, and more.
⚠️Warning: Duplicating a rule and enabling it severs the connection to the original. Edits to the original rule won't be reflected in your duplicate. Stay informed by checking the Rules Catalog changelog for updates.
Duplicate Playbooks: Building complex playbooks is important, but starting from scratch each time can be a hassle.
Now you can easily copy entire playbooks with just one click. No need to rebuild them anymore - just click the "Duplicate" button in the playbook panel or on the dedicated playbook page.
Duplicate Queries: The query builder is your secret weapon for crafting insightful data aggregations. But what if you just need a minor adjustment to explore a different angle? Gone are the days when you had to rebuild the query from scratch! With the new duplicate button, you can clone any query in the blink of an eye.