MTDR Newsletter Q1 2023
Updated over 7 months ago

Some exciting new features and functionality have been added to the USM Platform, and there’s more to come! Three recently launched Advanced AlienApps and the platform’s new playbooks are just a couple of the highlights covered below.

You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum, and you can direct any questions or support issues to the AT&T Cybersecurity Success Center.

Ongoing AlienApps Refresh Project

Last year, we began an initiative to update and improve the functionality of all AlienApp integrations in the USM Anywhere platform. Since mid-2022, we have completed updates on the Sophos Central, Google Workspace, Microsoft 365, Okta, and SentinelOne AlienApps. Updates to the Qualys and CrowdStrike apps are currently underway. Our key goals in this refresh project are as follows:

  • Make the apps more operations-ready by significantly increasing the quality of our audit logs

  • Capture all return codes/values from the APIs to create more clarity and unlock automated playbooks in the future

  • Provide more clarity about the logs collected and the actions available with the app

  • Add more actions to apps where possible

  • Update apps to the latest versions of third-party APIs and authentication schemes

  • Support Gov Cloud versions of third-party APIs where they are supported

We expect to complete 5-8 app refreshes per quarter and will continue to provide updates to our customers on this project.

New in USM Anywhere

SOAR Playbooks

Playbooks are now in general availability! Playbooks streamline remediation by arming security analysts with quick and repeatable processes for addressing different alarm types. The fully customizable playbooks feature removes the need for analysts to reference documents or try and remember the steps they took to triage similar alarms several months ago. Once a playbook has been built and assigned to an alarm type, it can be selected when analysts encounter future alarms. With the click of a button, they can run their custom playbook to quickly execute the designed set of actions.

Playbooks combine several kinds of actions: system actions such as adding an alarm to an investigation or changing its status, manual steps for the analyst to carry out, and response actions from the AlienApps installed in the instance. A playbook can be attached to a single alarm type, to several alarm types, or to all alarms. Each action in a playbook is still initiated by the analyst rather than run unattended, but the playbook lets the analyst work through the designed set of steps quickly and consistently.

Our MTDR SOC analysts follow a standardized alarm triage process outside of the playbooks, but this new feature really paves the way for future automation improvements to the platform and is something we’re looking forward to!

This video provides a basic walkthrough of the playbooks feature.

Advanced AlienApps

New Advanced AlienApps

Cisco Meraki – The Cisco Meraki Advanced AlienApp has been released and is now available in all USM instances for any Cisco Meraki customer to use. The app works to collect all event types from Meraki and supports response actions such as changing device network configuration and updating security policies. The app also allows for asset discovery and syncs Meraki device inventory information with USM.

Sophos – The Sophos Advanced AlienApp has been improved to include the following response actions:

  • Isolate endpoint

  • Lift isolation of endpoint

  • Initiate scans

  • Update checks

  • Turn on tamper protection for endpoint

  • Turn off tamper protection for endpoint

ServiceNow – You can now generate ServiceNow change requests within the USM Anywhere platform to streamline your incident response workflow. When threats and vulnerabilities are detected in USM Anywhere, you can open an incident ticket or a change request in ServiceNow, automatically or manually from an alarm or an investigation.

Visit our Documentation Center to get more information on how to deploy and configure these Advanced AlienApps.

AlienApps Coming Soon!

Cisco Duo – This AlienApp will give the ability to import Cisco Duo users into USM Anywhere and collect events from the Duo cloud. Orchestration actions such as enabling and disabling Cisco Duo users and adding or removing users from a group will also be enabled and can be accomplished manually or via an orchestration rule.

Cisco Firepower Manager – The Cisco Firepower Manager app will import events from Firepower Manager, whether in the cloud or on premises. You will be able to manage external block lists and add or remove a URL or IP from security policy groups through the orchestration actions or using an orchestration rule.

Platform Improvements

So far this year, we have released five Threat Feed Updates that include 105 improvements and 36 new elements. The releases include user interface improvements and parts of our AlienApp refresh including Google Workspace, Okta, Palo Alto Networks Panorama, Cisco Duo, SentinelOne, and many more.

Here are a few examples of improvements made:

  • We addressed an issue with Microsoft 365 where analysts received an alarm whenever a user reported an email as spam. These alarms were noisy and not actionable, since the end user had already completed the necessary response.

  • An adjustment to SentinelOne alarms allows suppression of malware detections that have been determined to be false positives or that SentinelOne has already auto-mitigated. While this reduces noise, the primary goal of the improvement was to align alarms with a customer's pre-defined blacklist, so that placement of a blacklisted malicious file on an asset still receives further scrutiny.

  • To proactively address concerns about TikTok and the recent US policy change, we fulfilled a feature request for a correlation rule that generates an alarm when activity indicating employee access to TikTok from the company network is detected.
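The three tuning changes above share one shape: decide per event whether an alarm is actionable, suppress it when the response has already happened, and keep it when it matters more than usual. The following is an added example written for this page, not code from the newsletter or from the USM Anywhere product; the event fields, rule names, blacklist hash and watched domains are all constructed assumptions for illustration, not USM Anywhere's event schema or correlation-rule language.

```python
"""
Added example: a small alarm-tuning pass run over constructed sample events.
The event shape, field names and rule names are assumptions for illustration,
not the USM Anywhere schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical customer blacklist of file hashes (constructed sample data).
CUSTOMER_BLACKLIST = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Domains whose appearance in proxy logs should raise an alarm.
# The newsletter names TikTok; the exact domains here are assumptions.
WATCHED_DOMAINS = ("tiktok.com", "tiktokcdn.com")


@dataclass
class Event:
    source: str                 # e.g. "m365", "sentinelone", "proxy"
    event_type: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                 # "alarm" or "suppress"
    rule: str
    reason: str


def triage(ev: Event) -> Optional[Verdict]:
    """Return the tuning decision for one event, or None when no rule applies
    (the event then falls through to default handling)."""
    if ev.source == "m365" and ev.event_type == "user_reported_email":
        # The user already reported the message as spam: nothing left for an analyst.
        if ev.fields.get("report_type") == "Spam":
            return Verdict("suppress", "m365-user-reported-spam",
                           "end user already completed the response")
        return None

    if ev.source == "sentinelone" and ev.event_type == "threat_detected":
        sha256 = ev.fields.get("sha256", "").lower()
        if sha256 in CUSTOMER_BLACKLIST:
            # Blacklist wins over auto-mitigation: the customer wants to know
            # how a known-bad file reached the asset even if it was cleaned up.
            return Verdict("alarm", "s1-blacklisted-file",
                           "hash on customer blacklist; investigate delivery path")
        if (ev.fields.get("mitigation_status") == "mitigated"
                or ev.fields.get("analyst_verdict") == "false_positive"):
            return Verdict("suppress", "s1-auto-mitigated-or-fp",
                           "already mitigated or marked false positive")
        return Verdict("alarm", "s1-threat", "unmitigated detection")

    if ev.source == "proxy" and ev.event_type == "http_request":
        host = ev.fields.get("host", "").lower()
        # Match the domain or any subdomain, but not look-alikes such as nottiktok.com.
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            return Verdict("alarm", "policy-watched-app-access",
                           f"watched application reached from {ev.fields.get('src_ip')}")
        return None

    return None


def summarize(events: List[Event]) -> Dict[str, int]:
    """Count how many events each decision produced."""
    counts = {"alarm": 0, "suppress": 0, "default": 0}
    for ev in events:
        v = triage(ev)
        counts[v.action if v else "default"] += 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("m365", "user_reported_email", {"user": "a.user", "report_type": "Spam"}),
    Event("m365", "user_reported_email", {"user": "b.user", "report_type": "Phish"}),
    Event("sentinelone", "threat_detected",
          {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
           "mitigation_status": "mitigated"}),
    Event("sentinelone", "threat_detected",
          {"sha256": "0000000000000000000000000000000000000000000000000000000000000001",
           "mitigation_status": "mitigated"}),
    Event("sentinelone", "threat_detected",
          {"sha256": "0000000000000000000000000000000000000000000000000000000000000002",
           "mitigation_status": "not_mitigated"}),
    Event("proxy", "http_request", {"host": "www.tiktok.com", "src_ip": "10.0.0.5"}),
    Event("proxy", "http_request", {"host": "nottiktok.com", "src_ip": "10.0.0.6"}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.source, ev.event_type, triage(ev))
    print(summarize(SAMPLE_EVENTS))
```

The ordering inside the SentinelOne branch is the point worth keeping when you build the real rule: check the customer's blacklist before the auto-mitigated suppression, otherwise the suppression silently hides exactly the detections the customer asked to see.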

Please visit the AT&T Cybersecurity Success Center for a full list of improvements, new elements, issues found, and tasks created.

Alien Labs Open Threat Exchange

Alien Labs Open Threat Exchange (OTX) is among the largest open threat intelligence communities in the world. More than 200,000 members contribute near-real-time threat intelligence to OTX, which is then enriched by AT&T Alien Labs. In March alone, Alien Labs generated over 100 OTX pulses to provide coverage for the latest threats and campaigns. You can go here to find out more about the new pulses or sign up to be part of the community.

Need More Information?

To have Release Notes emailed to you automatically, follow these steps:

  1. Click on the announcement for the product you wish to follow.

  2. Select the “Follow” button on the right-hand side.

  3. Select the drop-down menu on the right-hand side and choose “Every Post” so that each new release note is emailed to you.
