Welcome to another edition of the USM Anywhere newsletter where we share what’s happening with the platform! Read on to get the scoop on exciting new machine learning and UEBA capabilities, our new and refreshed AlienApps, the latest Alien Labs threat feed updates, and more!
You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum, and you can direct any questions or support issues to the AT&T Cybersecurity Success Center.
New in USM Anywhere
Machine Learning and User Entity and Behavior Analytics (UEBA)
We are excited to announce new machine learning (ML) capabilities within the USM Anywhere platform. While the platform has long utilized ML models for most of its curated threat intelligence, the new capabilities reinforce the existing behind-the-scenes security analytics and advanced correlations that power the AT&T Alien Labs threat intelligence feeds. The new ML capabilities provide more predictive identification of both insider and external threats and higher-confidence alerts with fewer false positives. Our dedicated Alien Labs research team and Data Science team are working to continuously refine current models as well as build new models that will deliver the most value to our customers and free up time for SOC analysts.
Combining ML and user entity and behavior analytics (UEBA) enables USM Anywhere to dynamically learn normal versus abnormal behavior and to automatically trigger alarms when anomalous activity is detected. Our UEBA threat detection models are used to automatically identify activity that deviates from a historical baseline. This helps us detect “invisible” threats such as zero-day threats, where neither indicators of compromise (IOCs) nor signatures are available. These alarms use high-fidelity risk scoring based on deviations from normal activity instead of human-written static rules. The new models also help with detection of insider threats by monitoring the behavior of employees and contractors who have access to sensitive data and assets.
ML and UEBA help to reduce the analyst workload by identifying the highest priority risks, which allows human resources to be focused on more complex and strategic tasks. Feedback on the accuracy of the alarms can be provided from within the USM Anywhere platform. This helps to train the ML models: the more data an algorithm is fed, the more accurate the analysis will be. Additional time to establish a baseline of user behavior and feedback on whether the alarms were a credible threat all help to improve the models.
The new ML models include alarming on a broad set of use cases and behaviors that indicate credential compromise, lateral movement, suspicious execution, or data exfiltration. Each model looks at multiple parameters around a user’s activity, only triggering alarms on behavior that is statistically outside the normal baseline behavior for that user.
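To make the baseline-deviation idea concrete, the following is an added illustration (not USM Anywhere code and not one of the Alien Labs models): each user's historical activity is summarised per parameter as a mean and spread, a new day's activity is scored by how many standard deviations each parameter sits above that user's own mean, the per-parameter deviations are combined into one risk score, and analyst feedback that an alarm was benign folds that day back into the baseline. The parameter names, the alarm threshold, the spread floor and all activity figures are constructed for the example.

```python
"""Baseline-deviation scoring in the style of the UEBA models described above.

Added illustration, not USM Anywhere code. Parameter names, threshold and
all activity figures are constructed.
"""
from math import sqrt
from statistics import mean, pstdev

PARAMETERS = ("logins", "bytes_out_mb", "distinct_hosts")  # assumed fields
MIN_SPREAD = 1.0       # floor on the standard deviation, so a perfectly
                       # regular user does not alarm on a one-unit change
ALARM_THRESHOLD = 4.0  # combined risk score at which an alarm is raised


def build_baseline(history):
    """history: {user: [{param: value}, ...]} -> {user: {param: (mean, sd)}}"""
    baseline = {}
    for user, days in history.items():
        baseline[user] = {}
        for p in PARAMETERS:
            values = [day[p] for day in days]
            baseline[user][p] = (mean(values), max(pstdev(values), MIN_SPREAD))
    return baseline


def score_day(baseline, user, observation):
    """Return (risk_score, {param: z}) for one day of a user's activity.

    Only deviations above the mean contribute to the risk score: doing less
    than usual is not treated as suspicious in this example.
    """
    zscores = {}
    for p in PARAMETERS:
        mu, sd = baseline[user][p]
        zscores[p] = (observation[p] - mu) / sd
    risk = sqrt(sum(z * z for z in zscores.values() if z > 0))
    return round(risk, 2), zscores


def is_alarm(risk):
    return risk >= ALARM_THRESHOLD


def record_feedback(history, user, observation, credible):
    """Analyst feedback on an alarm. A day judged benign (credible=False) is
    appended to the user's history in place so the baseline adapts; a
    credible alarm leaves the baseline untouched. Returns the rebuilt baseline."""
    if not credible:
        history[user].append(dict(observation))
    return build_baseline(history)


# Constructed ten-day histories: a quiet user and a busier one, alternating
# between two values so the means and spreads are easy to check by hand.
HISTORY = {
    "alice": [{"logins": 5 + i % 2, "bytes_out_mb": 100 + 20 * (i % 2),
               "distinct_hosts": 2 + i % 2} for i in range(10)],
    "bob": [{"logins": 8 + i % 2, "bytes_out_mb": 200 + 20 * (i % 2),
             "distinct_hosts": 4 + i % 2} for i in range(10)],
}
BASELINE = build_baseline(HISTORY)

# Constructed observations: alice uploads far more than usual to far more
# hosts; bob has an ordinary day.
ALICE_SPIKE = {"logins": 7, "bytes_out_mb": 2110, "distinct_hosts": 14}
BOB_NORMAL = {"logins": 9, "bytes_out_mb": 215, "distinct_hosts": 5}

if __name__ == "__main__":
    for user, obs in (("alice", ALICE_SPIKE), ("bob", BOB_NORMAL)):
        risk, z = score_day(BASELINE, user, obs)
        print(user, "risk", risk, "alarm" if is_alarm(risk) else "normal", z)
```

The spread floor matters in practice: a user whose counts never vary has a standard deviation of zero, and without a floor any change at all would produce an infinite z-score. The feedback path is the simplest possible form of what the newsletter describes, which is that confirmed-benign days become part of the user's normal.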
For more information on our new ML and UEBA models, read our latest blog post here, or watch a recording of our latest webinar here.
Custom Apps and Log Parsers
Great news – Custom apps and custom log parsers are now available to all customers. These two features allow customers to create their own API-driven log ingestion applications and create parsers for any S3 or syslog-driven log collection needs. Custom Apps allow you to configure your log data from any of your third-party applications and enable log collection, orchestration, and notification for your specific environment. You can find a video on the new Custom App feature here.
If you are looking to create a Custom AlienApp, please engage the MTDR ForCE team or your Customer Experience Manager to aid you in submitting a request for assistance from our dedicated AlienApps team. The ForCE team can also be reached at g20245@att.com. Once the Custom App is created, our MTDR operations team can assist in validating the parsing and creating custom rules where necessary.
Please note that while custom apps and log parsers allow new data sources to feed logs into the USM Anywhere platform, the MTDR team is not required to create alarms for every data source coming in, nor can the Managed SOC team provide coverage of all data types. Please work with your ForCE team to identify the security value of the data sources you’d like to include.
For additional configuration guides or instructions on where to start, please visit the Custom Apps Intercom page.
AlienApps
Ongoing AlienApps Refresh Project
Our AlienApps refresh project is well underway! The CrowdStrike, Qualys, Zscaler, and Microsoft Defender ATP Advanced AlienApps have all been successfully refreshed.
If you are a user of the Microsoft Defender ATP Advanced AlienApp, you’ll need to make some changes to ensure that you continue to get logs. Please visit here to learn which permissions are now required from Microsoft to use the app.
As a reminder, our key goals in this refresh project are as follows:
Make the apps more operations-ready by significantly increasing the quality of our audit logs
Capture all return codes/values from the APIs to create more clarity about the logs collected and the actions available and to lay the groundwork for automated playbooks
Add more actions to apps, where possible
Update apps to the latest versions of third-party APIs and authentication schemes
Support Gov Cloud versions of third-party APIs where applicable
New Advanced AlienApps
Cisco Duo
The Cisco Duo Advanced AlienApp is now available! This app gives users the ability to import Cisco Duo users into USM Anywhere and to collect events from the Duo cloud. The Cisco Duo App includes orchestration actions that can enable and disable Duo users as well as add or remove users from groups.
New AlienApps
Jira Audit Log allows for audit log collection from Jira Software. This AlienApp is not the same as the Jira Advanced AlienApp and will need to be configured separately.
Visit our Documentation Center to get more information on how to deploy and configure these Advanced AlienApps.
AlienApps Coming Soon!
Cisco Firepower Manager (Pending) – The Cisco Firepower Manager app will import events from Firepower Manager, whether in the cloud or on premises. You will be able to manage external block lists and add or remove a URL or IP from security policy groups through the orchestration actions or using an orchestration rule.
SentinelOne Mobile Security – The SentinelOne Singularity Mobile app will collect security incidents and admin data from mobile devices. The app will fetch devices, which are injected into USM Anywhere as assets, and will facilitate security response actions.
Palo Alto Prisma Cloud – The Prisma Access AlienApp will capture security alerts and their investigation data. It will be able to manage actions with tags, addresses, address groups, and block lists. Additionally, the app will allow users to block files and change alert statuses.
Alien Labs Threat Feed Updates
In Q2, we released six threat feed updates that include 131 improvements and 164 new elements.
Here are a few examples of improvements made and new elements created:
Added a new detection for a MOVEit zero-day vulnerability that was observed in the wild in May and June of this year (CVE-2023-34362)
Improved a SharePoint alarm to assist in validating that malicious activity occurred.
The rule defines more specifically when a Sharing Policy Change occurs that is benign so that the alarm can be triaged more efficiently instead of the analyst having to search the event logs for this information.
Introduced a new rule to encompass multiple scenarios involving Procdump being launched by PowerShell or cmd from the Temp location, which would indicate potentially malicious activity
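As an added example of the kind of logic behind the Procdump rule described above (this is not the Alien Labs rule itself, and the record format is constructed), the following parses process-creation records written as key=value pairs, loosely modelled on the Image, ParentImage and OriginalFileName fields that Sysmon event ID 1 carries, and flags a Procdump binary started by PowerShell or cmd from any directory named Temp. Matching on OriginalFileName as well as the file name is an assumption added here so that a renamed copy of the binary is still caught when the recorded original name is available; the sample records are constructed.

```python
"""Detection logic for the rule described above: Procdump launched by
PowerShell or cmd from a Temp directory.

Added example, not the Alien Labs rule. Record format, field names and all
sample lines are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Parent processes the rule is concerned with (lower-case file names).
LAUNCHERS = {"powershell.exe", "cmd.exe"}
# Any "\Temp\" path segment, e.g. C:\Windows\Temp\ or ...\AppData\Local\Temp\.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Procdump file names; the ".exe" suffix is optional so the same pattern can
# be applied to a recorded original file name (assumption for this example).
PROCDUMP = re.compile(r"^procdump(64)?(\.exe)?$", re.IGNORECASE)
# key=value pairs; values containing spaces are double-quoted.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """'EventID=1 Image="C:\\...\\x.exe" ParentImage=...' -> dict of fields."""
    record = {}
    for m in FIELD.finditer(line):
        record[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return record


def is_procdump_from_temp(record):
    """True when a Procdump binary in a Temp directory was started by
    PowerShell or cmd. All three conditions must hold."""
    image = PureWindowsPath(record.get("Image", ""))
    parent = PureWindowsPath(record.get("ParentImage", ""))
    launched_by_shell = parent.name.lower() in LAUNCHERS
    is_procdump = bool(PROCDUMP.match(image.name)
                       or PROCDUMP.match(record.get("OriginalFileName", "")))
    in_temp = bool(TEMP_DIR.search(str(image)))
    return launched_by_shell and is_procdump and in_temp


def detect(lines):
    """Return the parsed records that match the rule."""
    return [rec for rec in map(parse_record, lines) if is_procdump_from_temp(rec)]


# Constructed process-creation records: two should match, three should not.
SAMPLE_LINES = [
    # Match: procdump64.exe in the user's Temp folder, parent is powershell.exe
    r'EventID=1 Image="C:\Users\bob\AppData\Local\Temp\procdump64.exe" '
    r'OriginalFileName=procdump '
    r'ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    # Match: renamed binary in C:\Windows\Temp, caught via OriginalFileName
    r'EventID=1 Image="C:\Windows\Temp\pd.exe" OriginalFileName=procdump '
    r'ParentImage="C:\Windows\System32\cmd.exe"',
    # No match: legitimate install location, started from Explorer
    r'EventID=1 Image="C:\Program Files\SysinternalsSuite\procdump64.exe" '
    r'OriginalFileName=procdump ParentImage="C:\Windows\explorer.exe"',
    # No match: a different program started from Temp by cmd
    r'EventID=1 Image="C:\Users\bob\AppData\Local\Temp\notepad.exe" '
    r'OriginalFileName=notepad.exe ParentImage="C:\Windows\System32\cmd.exe"',
    # No match: Procdump in Temp but the parent is not PowerShell or cmd
    r'EventID=1 Image="C:\Users\bob\AppData\Local\Temp\procdump.exe" '
    r'OriginalFileName=procdump ParentImage="C:\Windows\System32\svchost.exe"',
]

if __name__ == "__main__":
    for rec in detect(SAMPLE_LINES):
        print("ALERT:", rec["ParentImage"], "->", rec["Image"])
```

Requiring all three conditions is what keeps the rule quiet on a legitimately installed Procdump: the third sample record is the same tool, but neither its location nor its parent process fits the pattern the newsletter describes.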
Please visit the AT&T Cybersecurity Success Center for a full list of improvements, new elements, issues found, and tasks created.
Alien Labs Open Threat Exchange
Alien Labs Open Threat Exchange (OTX) is among the largest open threat intelligence communities in the world. We have more than 200,000 members who contribute near-real-time threat intelligence to OTX, which is then enriched by AT&T Alien Labs. In March alone, Alien Labs generated over 100 OTX pulses to provide coverage for the latest threats and campaigns. You can go here to find out more about the new pulses or sign up to be part of the community.
Coming Soon!
MTDR for Government
AT&T Threat Detection and Response for Government will soon be available as a managed service! Managed Threat Detection and Response for Government (MTDR for Government) is built on our FedRAMP-authorized, industry-leading USM Anywhere platform.
Key Features include:
24/7 proactive monitoring by AT&T Security Operations Center
FedRAMP Moderate authorization
Built in the Amazon Web Services GovCloud
US-based support
Need More Information?
To have Release Notes emailed to you automatically, follow these steps:
1. Log in to the AT&T Cybersecurity Success Center.
2. Click on the announcement for the product you wish to follow.
3. Select the “Follow” button on the right-hand side.
4. Select the drop-down menu on the right-hand side and choose “Every Post” to receive an email for each new post.