MTDR Newsletter Dec 2023

Welcome to another edition of the Managed Threat Detection and Response newsletter! Get the scoop on exciting new orchestration, custom AlienApp templates, our new and refreshed AlienApps, the latest Alien Labs threat feed updates, and more!

You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum in the AT&T Cybersecurity Success Center.

New in USM Anywhere

Embedded rule logic – multi-level orchestration rules

Embedded rule logic allows users to write custom orchestration rules that correlate multiple events with each other. Users can now create an alarm, notification, or response action rule that triggers when two or three different types of events match the defined rule criteria. While this functionality was already used by our Alien Labs team for our out-of-the-box correlation rules, it has now been extended to all users so that they can create their own multi-level orchestration rules. Please work with the ForCE team for assistance leveraging this feature.

Previously, user-created orchestration rules were limited to a single event type. Embedded rule logic allows users to create rules that combine up to three different event types.
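
The following is an added example, not code from USM Anywhere or AT&T Cybersecurity: a small correlation rule that raises an alarm only when two or three event types occur in order on the same host within a time window, which is the shape of a multi-level orchestration rule. The event type names, field names, timestamps and the sample events are all constructed for the illustration.

```python
"""Toy multi-level correlation rule (added example, not USM Anywhere's engine)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: int                      # seconds since epoch (constructed values below)
    event_type: str              # normalized event name, e.g. "auth_failure"
    source_host: str             # key used to join the rule levels
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Level:
    """One level of the rule: an event type, an optional extra filter,
    and how many matching events the level needs."""
    event_type: str
    predicate: Optional[Callable[[Event], bool]] = None
    min_count: int = 1

    def matches(self, ev: Event) -> bool:
        return ev.event_type == self.event_type and (
            self.predicate is None or self.predicate(ev))


@dataclass
class MultiLevelRule:
    name: str
    levels: List[Level]          # two or three levels, in the order they must occur
    window_seconds: int          # every level must complete within this window

    def __post_init__(self) -> None:
        if not 2 <= len(self.levels) <= 3:
            raise ValueError("a multi-level rule correlates two or three event types")

    def evaluate(self, events: List[Event]) -> List[dict]:
        """Return one alarm per source_host whose events satisfy every level."""
        alarms = []
        by_host: Dict[str, List[Event]] = defaultdict(list)
        for ev in events:
            by_host[ev.source_host].append(ev)

        for host, evs in by_host.items():
            evs.sort(key=lambda e: e.ts)
            for start in (e for e in evs if self.levels[0].matches(e)):
                window_end = start.ts + self.window_seconds
                cursor = start.ts        # each level must begin at or after the previous one
                last_ts = start.ts
                for level in self.levels:
                    hits = [e for e in evs
                            if cursor <= e.ts <= window_end and level.matches(e)]
                    if len(hits) < level.min_count:
                        break            # this level is not satisfied from this start
                    last_ts = hits[level.min_count - 1].ts
                    cursor = last_ts
                else:
                    alarms.append({"rule": self.name, "source_host": host,
                                   "first_ts": start.ts, "last_ts": last_ts})
                    break                # one alarm per host is enough
        return alarms


# Three levels: repeated logon failures, then a successful interactive logon,
# then a newly created scheduled task, all on one host within 10 minutes.
BRUTE_FORCE_THEN_PERSISTENCE = MultiLevelRule(
    name="Logon failures followed by success and scheduled task",
    levels=[
        Level("auth_failure", min_count=5),
        Level("auth_success",
              predicate=lambda e: e.fields.get("logon_type") == "interactive"),
        Level("scheduled_task_created"),
    ],
    window_seconds=600,
)

T0 = 1_700_000_000  # constructed base timestamp

SAMPLE_EVENTS = (
    # ws-42: five failures, a success, then a scheduled task -> should alarm
    [Event(T0 + 5 * i, "auth_failure", "ws-42", {"user": "alice"}) for i in range(5)]
    + [Event(T0 + 60, "auth_success", "ws-42",
             {"user": "alice", "logon_type": "interactive"}),
       Event(T0 + 120, "scheduled_task_created", "ws-42", {"task": "updater"})]
    # ws-07: only three failures and a success -> first level not satisfied
    + [Event(T0 + 5 * i, "auth_failure", "ws-07", {"user": "bob"}) for i in range(3)]
    + [Event(T0 + 90, "auth_success", "ws-07",
             {"user": "bob", "logon_type": "interactive"})]
)


def run_sample() -> List[dict]:
    return BRUTE_FORCE_THEN_PERSISTENCE.evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

Running the sample yields a single alarm for ws-42; ws-07 never reaches the five failures the first level requires, so no alarm is raised for it. The join key is the host here, but the same structure works for any shared attribute (user, source IP) that the event types have in common.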

For more information, please visit here.

New AWS Regions available for sensor deployment

USM Anywhere deploys the Amazon Web Services (AWS) Sensor within customer AWS environments to aggregate, normalize, and forward logs to the platform. We have just released two additional AWS endpoint regions where a sensor can be deployed and supported: Singapore and Dubai. They are notated as ap-southeast-1 and me-central-1, respectively.

For a full list of the AWS endpoint regions that a sensor can be deployed in, visit the documentation page here.

AlienApps

Custom AlienApp templates are live

We are excited to announce the early availability of the first edition of our Custom AlienApp template feature. The goal is to make it easier for customers to quickly add logs from the SaaS services they use in their environment. The templates eliminate the need to understand SaaS APIs in order to configure a custom AlienApp for data collection. Simply find the app you need, import it into your instance, click through the wizard, add your authentication information, and data collection will begin.

We are adding new templates at a rate of about one per week. If you don’t find the template you are looking for, contact the support team through any of their channels, and they will help you file a request to get one added. We have a team working to build these for customers, and soon we will add the template into the Custom Templates tab so you can start your customization and log collection process.

Templates are built on the Custom AlienApps feature, which means that in addition to log collection, you can also modify the key mappings during setup if your organization has specific needs.

For additional configuration guides or instructions on where to start, please visit the Custom Apps Intercom page. Please work with the ForCE team or Support if you need assistance with configuration of any Custom AlienApps.

New advanced AlienApps

Palo Alto Networks Prisma Cloud – We would like to announce the general availability of a new advanced AlienApp supporting Palo Alto Networks Prisma Access. This SaaS service is Palo Alto Networks’ entry into the secure access service edge (SASE) market and replaces older VPN offerings while also providing cloud firewall services. The app is designed to meet the needs of customers that directly manage their own Prisma environment as well as customers of the AT&T managed security service powered by Palo Alto Networks.

The app provides more than 30 total actions, including a robust set of actions that can be used to change firewall policy to respond to security incidents. Being able to add and remove IP addresses, URLs, and tags in block lists, address groups, and other policy constructs enables security analysts to secure their networks without having to pivot into other security tools.

This app does not extract logs from the Prisma service, because Palo Alto Networks does not provide a logging service as part of Prisma. Instead, the vendor uses its Cortex Data Lake to deliver the relevant logs via syslog. USM Anywhere already includes a basic AlienApp for Cortex, which is also auto-discoverable, simplifying deployment.

VMware Carbon Black Cloud – This advanced AlienApp collects event logs and surfaces them for analysts in the USM Anywhere Alarms page. It also collects information about all endpoints that are running the Carbon Black endpoint agent and adds them to your device inventory for visibility and asset scanning.

The app also supports a few powerful response actions. These fall into two categories: quarantine and update policy. Quarantine allows analysts to isolate an endpoint running Carbon Black so that it can only connect to a handful of resources used to further investigate or remediate the endpoint. Unquarantine reverses this when it is time for the endpoint to resume normal operations.

Update policy forces the endpoint agent to fetch a new policy from its cloud management system. This is useful when changing the security stance of an endpoint, for example giving it less access because it is in violation of policy or has been compromised. Fetching policy means the endpoint immediately retrieves and applies the new policy instead of waiting for its scheduled check-in interval, which could be set to minutes or even hours.

AlienApps coming soon!

Cisco Firepower Manager – The Firepower Manager app allows customers to use response actions to control their entire fleet of Cisco Firepower next-generation firewalls. As a device manager, Firepower Manager does not collect log messages, so logs are ingested via our existing AlienApp for Cisco Firepower firewalls.

The app ships with over 20 response actions. Note however that we are actively working with Cisco to fix an issue with the external block list feature. Once the issue has been remedied, this feature will be supported. The app will stay in early access until the feature is confirmed as working.

Additional app updates: Salesforce and ServiceNow ticketing

In the latest release of USM Anywhere, we have added significant new capabilities to two ticketing advanced AlienApps: ServiceNow and Salesforce.

Both apps now add all log and event information into the tickets they create. This enables security operations center analysts and help desk personnel to collaborate without having to go back into USM Anywhere to get the issue details. Additionally, we have added an “update incident” capability to both apps. This allows customers to create a complete view of a USM Anywhere security incident inside ServiceNow and Salesforce and to put any alarms or events relevant to the investigation directly into the case. Both apps include support for searching the ticketing system for incident names and numbers, making it easy to find the relevant ticket.

Alien Labs threat feed updates

In Q3 2023, we released seven threat feed updates that include 77 improvements and 143 new elements.

Here are a few examples of improvements made and new elements created:

  • Added a new detection for obscure indications of denial-of-service attacks where SQL servers are being prompted to shut down

  • Created rules to aid in the detection of Kerberoasting activity validated through attempted exploits and penetration tests from existing managed customers

  • Created a rule to aid in the detection of command-and-control activity directing to Google Sheets by focusing on artifacts within the events that appear anomalous and would indicate that they are not aligned with business activity
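
As an added example of the kind of detection logic behind the Kerberoasting rules mentioned above (example code for this newsletter, not one of the Alien Labs rules), the following heuristic runs over Windows Security event 4769 records and flags an account that requests service tickets for many distinct service principals with RC4-HMAC encryption in a short window. The field names are the standard event 4769 fields; the sample records, the threshold of five services and the five-minute window are constructed for the example and would need tuning in a real environment.

```python
"""Heuristic Kerberoasting detection over event 4769 (added example, not an Alien Labs rule)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"                  # TicketEncryptionType value for RC4-HMAC in event 4769
DISTINCT_SERVICE_THRESHOLD = 5     # constructed threshold; tune to the environment
WINDOW = timedelta(minutes=5)      # constructed window


def _rec(ts, user, service, enc, ip, status="0x0") -> Dict[str, str]:
    """Build a normalized 4769 record (constructed sample data)."""
    return {"EventID": "4769", "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": enc,
            "IpAddress": ip, "Status": status}


# Constructed sample: one user bursts RC4 requests for six services, one user
# makes two normal AES (0x12) requests, and a machine account makes RC4
# requests (machine accounts are excluded as a common benign source).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    _rec("2023-11-14T09:00:00", "jdoe@CORP.EXAMPLE", "MSSQLSvc/db01.corp.example:1433", "0x17", "10.0.5.21"),
    _rec("2023-11-14T09:00:04", "jdoe@CORP.EXAMPLE", "HTTP/web01.corp.example", "0x17", "10.0.5.21"),
    _rec("2023-11-14T09:00:09", "jdoe@CORP.EXAMPLE", "CIFS/file01.corp.example", "0x17", "10.0.5.21"),
    _rec("2023-11-14T09:00:13", "jdoe@CORP.EXAMPLE", "MSSQLSvc/db02.corp.example:1433", "0x17", "10.0.5.21"),
    _rec("2023-11-14T09:00:18", "jdoe@CORP.EXAMPLE", "HTTP/intranet.corp.example", "0x17", "10.0.5.21"),
    _rec("2023-11-14T09:00:22", "jdoe@CORP.EXAMPLE", "HTTP/reports.corp.example", "0x17", "10.0.5.21"),
    _rec("2023-11-14T09:05:00", "asmith@CORP.EXAMPLE", "HTTP/web01.corp.example", "0x12", "10.0.5.30"),
    _rec("2023-11-14T09:07:00", "asmith@CORP.EXAMPLE", "CIFS/file01.corp.example", "0x12", "10.0.5.30"),
] + [
    _rec(f"2023-11-14T09:10:{i:02d}", "WS01$@CORP.EXAMPLE",
         f"CIFS/file{i:02d}.corp.example", "0x17", "10.0.5.40")
    for i in range(6)
]


def is_candidate(ev: Dict[str, str]) -> bool:
    """Keep successful RC4 service-ticket requests made by user (non-machine) accounts."""
    if ev.get("EventID") != "4769" or ev.get("Status", "0x0") != "0x0":
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    user = ev.get("TargetUserName", "")
    service = ev.get("ServiceName", "")
    if user.split("@")[0].endswith("$") or service.endswith("$"):
        return False                  # machine accounts: noisy and not the usual target
    if service.lower() == "krbtgt":
        return False                  # TGT-related, not a service ticket of interest
    return True


def detect_kerberoasting(events, threshold=DISTINCT_SERVICE_THRESHOLD,
                         window=WINDOW) -> List[dict]:
    """Return one finding per account whose distinct RC4 service requests
    within any `window` reach `threshold`."""
    per_account: Dict[str, List[tuple]] = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            per_account[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]),
                 ev["ServiceName"], ev["IpAddress"]))

    findings = []
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):   # sliding window from each request
            services, sources, last = set(), set(), start
            for ts, service, ip in reqs[i:]:
                if ts - start > window:
                    break
                services.add(service)
                sources.add(ip)
                last = ts
            if len(services) >= threshold:
                findings.append({"account": account,
                                 "distinct_services": len(services),
                                 "source_ips": sorted(sources),
                                 "first_seen": start.isoformat(),
                                 "last_seen": last.isoformat()})
                break                              # one finding per account
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only jdoe is reported: the AES requests from asmith and the RC4 requests from the machine account are filtered out before counting. In production the same logic would typically be paired with a baseline of which accounts normally request RC4 tickets, since legacy applications can generate them legitimately.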

Please visit the AT&T Cybersecurity Success Center and click “USM Anywhere” under the Product Announcements section for a full list of improvements, new elements, issues found, and tasks created.

Alien Labs Open Threat Exchange

The Alien Labs Open Threat Exchange (OTX) is among the largest open threat intelligence communities in the world. We have more than 200,000 members who contribute near-real-time threat intelligence to OTX, which is then enriched by AT&T Alien Labs. Go here to find out more about the new pulses or to sign up to be part of the community!