USM Anywhere Newsletter
Welcome to another edition of the LevelBlue USM Anywhere newsletter! We’re excited to share what’s new in the platform as well as updates from our LevelBlue Labs threat intelligence unit.
You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum, and you can direct any questions or support issues to the LevelBlue Success Center.
New in USM Anywhere
Cloud Connectors – AWS Inventory and Webhooks
We have added cloud connectors to enable log ingestion without sensor deployment. The AWS Inventory connector uses an EC2 instance and automatically pulls in user information, which is updated every hour. For more information on the AWS Inventory connector, please visit here.
Webhooks let users push events into the USM Anywhere platform through authenticated HTTP requests. When a webhook is created, the platform issues an API key and an endpoint URL, which together are used to build an integration between the platform and a third-party tool. Treat the key as a credential: anyone holding it can inject events into the platform, so store it in the sending tool’s secret store rather than in the integration’s source or logs. Webhooks require a trigger or rule on the sending side, and they deliver data in real time whenever an event occurs rather than at scheduled job intervals. When creating a webhook, users choose a data source from the available plugins to parse the incoming data. If no plugin is available or chosen, the plugin is either auto-discovered or the events are treated as “generic,” and users can request that a plugin be created once events start arriving. For a step-by-step guide to creating a webhook, please visit here.
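As an added illustration of the third-party side of such an integration (example code, not LevelBlue’s or any vendor’s), the sender below builds an authenticated POST to the webhook endpoint, refuses to send the key over plain HTTP, and retries only transient failures. The newsletter does not say how the key is presented, so the X-API-Key header name, the JSON event shape, and the USM_WEBHOOK_* environment variables are assumptions; substitute whatever the webhook setup page in USM Anywhere specifies.

```python
"""Added example of a webhook sender for a third-party tool.
Illustrative code, not LevelBlue's or any vendor's integration.
ASSUMPTIONS (not stated in the newsletter): the key is sent in an
X-API-Key header and the body is a JSON object; substitute whatever the
webhook setup page in USM Anywhere specifies."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

AUTH_HEADER = "X-API-Key"  # assumed header name, see module docstring


class WebhookConfigError(ValueError):
    """Raised for endpoint/key problems that no amount of retrying will fix."""


def build_request(endpoint, api_key, event):
    """Build the POST without sending it, so the checks can be unit-tested.

    The endpoint must be https://, otherwise the API key would cross the
    network in clear text; an empty key is rejected up front."""
    parts = urllib.parse.urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise WebhookConfigError("webhook endpoint must be an https:// URL")
    if not api_key:
        raise WebhookConfigError("missing API key")
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        AUTH_HEADER: api_key,
        "User-Agent": "example-webhook-pusher/1.0",
    }
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def send_event(endpoint, api_key, event, retries=3, timeout=5.0):
    """Deliver one event in real time; retry transient failures with backoff.

    A 4xx other than 429 means the key or payload is wrong, so raise at once
    instead of hammering the endpoint with a bad credential."""
    req = build_request(endpoint, api_key, event)
    delay = 1.0
    last = None
    for attempt in range(1, retries + 1):
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            if 400 <= err.code < 500 and err.code != 429:
                raise
            last = err.code
        except urllib.error.URLError as err:
            last = str(err.reason)
        if attempt < retries:
            time.sleep(delay)
            delay *= 2
    raise RuntimeError(f"delivery failed after {retries} attempts (last: {last})")


if __name__ == "__main__":
    # Constructed sample event from a hypothetical third-party tool.
    sample = {"source": "example-edr", "severity": "high",
              "host": "ws-042", "message": "suspicious driver load"}
    # Read the key from the environment, never from source control.
    key = os.environ.get("USM_WEBHOOK_API_KEY", "")
    url = os.environ.get("USM_WEBHOOK_URL", "https://example.invalid/webhook")
    try:
        print("status", send_event(url, key, sample))
    except (WebhookConfigError, RuntimeError) as exc:
        print("not delivered:", exc)
```

Run without the environment variables set, the script stops at the missing-key check and never touches the network; with a real endpoint and key exported, it delivers the event and prints the HTTP status.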
Import and Export Playbooks
Users can now export and import playbooks between multiple USM Anywhere instances. This reduces the need for operators to create similar rules in multiple environments from scratch. Simply expand the playbook you would like to export and download the associated JSON file. Then toggle to the separate instance, select “Import Playbook,” and upload the same file.
Disable Correlation Rules
All users are now able to enable or disable correlation rules. They no longer need to create suppression rules to ignore correlation rules they don’t need; they can now just disable them. LevelBlue Labs will deploy some correlation rules in a disabled state, allowing customers to choose what they want to be alerted on. Only rules that alarm on suspicious activity and could be frequently triggered in certain environments will be released in a disabled state. This allows LevelBlue Labs to release correlation rules that may not be suitable for all environments and gives users the option to decide whether they want to enable them for their environment.
BlueApps
New Advanced BlueApps
SpyCloud – A new app has replaced the legacy app for limited trial users and is available to SpyCloud enterprise users. By the end of this year, USM Anywhere will no longer support the SpyCloud limited trial (demo) licenses. If users wish to continue using the service, they will need to purchase SpyCloud enterprise licenses. The advanced BlueApp for Dark Web Monitoring leverages SpyCloud technology to monitor the dark web for stolen user credentials, such as email addresses, usernames, and passwords. If stolen credentials are detected, USM Anywhere will provide alerts so that users can respond swiftly to the compromise. The app will include log collection and a response action to get historical breach records for verified watchlist domains and emails.
Recent BlueApp Improvements
Cloudflare – Now supports a new authentication method based on the API key instead of global token authentication
SentinelOne – An improvement allows for more CVEs to be fetched from a new endpoint.
Mimecast – Now supports additional endpoints:
uri = "/api/audit/get-audit-events" | Details of Mimecast admin activities
uri = "/api/audit/get-siem-logs" | Email traffic logs
uri = "/api/ttp/threat-intel/get-feed" | Mimecast threat intelligence logs
Cisco Duo – The following additional endpoints have been added as options:
Activity Logs
Administrator Logs
Telephony Logs
Offline Enrollment Logs
Authentication Logs
CustomApps
CustomApps now include a “History” tab for viewing historical activity.
The following CustomApp templates are now available:
Trellix ePO Incidents & Threats
Druva InSync
Boomi AtomSphere
Tessian Email Security Service
Checkpoint Harmony Email & Collaboration
BitWarden
Cisco Secure Email Threat Defense
For documentation on how to configure these templates, please visit here.
LevelBlue Labs
OTX Enrichment
OTX Enrichment is a Grey Intelligence service that provides new capabilities for detection, hunting, and reporting. The intelligence will be delivered as OTX Pulses and will enrich Events and/or Alarms with additional context and insights for security events inside USM Anywhere.
Because not all Grey Intelligence is useful in every environment, we recommend users review and tune new detections to reduce noise. OTX enrichment may still be useful for driving threat hunts or periodic reports to evaluate new exposures.
OTX enrichment provides intelligence on:
Suspicious behavior and/or policy violations in a corporate environment, such as Tor nodes, pentest resources, BitLaunch, Cryptocurrency nodes
Indicators used by attackers as well as by ordinary users, which help investigators find additional activity performed by the attacker, such as anonymous file-sharing sites, external IP lookup services, and remote access software
Indicators of vulnerability, such as vulnerable driver hashes
Grey activity that could break existing corporate policies or seem unusual in specific company environments, such as open proxies, benign scanners, VPN infrastructure
Apparently malicious scanning activity that could be discarded because it originates from benign scanners
Additional grey intelligence categories for legitimate infrastructure often associated with adversarial activities, e.g., Dynamic DNS services, Zip domains, URL shorteners, and sinkholes
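The tuning advice above (review grey intelligence so it drives hunts and reports rather than noise) and the point about scanning from benign scanners can be seen end to end in the added example below. It is illustrative code, not LevelBlue’s OTX Enrichment implementation: a small indicator set in the spirit of an OTX pulse, constructed from documentation IP ranges and .example domains, is matched against constructed events, and a tuning policy decides which categories alarm and which are only tagged for hunting. The category names, the Event fields and the policy sets are assumptions made for the example.

```python
"""Added example of grey-intelligence enrichment and tuning.
Illustrative code, not LevelBlue's OTX Enrichment implementation; the
indicator set and events below are constructed sample data using
documentation IP ranges and .example domains."""
import ipaddress
from dataclasses import dataclass, field

# Constructed indicators, keyed by type. Categories follow the newsletter's
# list; none of these values are real intelligence.
INDICATORS = {
    "ip": {
        "203.0.113.10": "tor_exit_node",
        "198.51.100.7": "benign_scanner",
        "192.0.2.25": "vpn_infrastructure",
    },
    "domain": {
        "anonfiles.example": "anonymous_file_sharing",
        "dyn.example.net": "dynamic_dns",
        "sinkhole.example.org": "sinkhole",
    },
    "sha256": {"aa" * 32: "vulnerable_driver"},
}

# Tuning policy (assumed for the example). Categories in the first set raise
# alarms; the others only tag the event so it stays available for hunts and
# periodic exposure reports instead of generating noise.
ALARM_CATEGORIES = {"tor_exit_node", "vulnerable_driver", "sinkhole"}
HUNT_ONLY_CATEGORIES = {"benign_scanner", "vpn_infrastructure",
                        "dynamic_dns", "anonymous_file_sharing"}


@dataclass
class Event:
    event_type: str
    src_ip: str = ""
    dst_domain: str = ""
    file_sha256: str = ""
    tags: list = field(default_factory=list)
    disposition: str = "none"  # none | hunt | alarm


def lookup_domain(host):
    """Match the host itself or any parent label against domain indicators,
    so a dynamic-DNS subdomain still hits the registered parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = INDICATORS["domain"].get(".".join(labels[i:]))
        if category:
            return category
    return None


def enrich(event):
    """Tag an event with every grey-intel category it matches, then decide
    whether it alarms, is kept for hunting only, or is left untouched."""
    tags = set()
    if event.src_ip:
        ip = str(ipaddress.ip_address(event.src_ip))  # normalises, rejects junk
        category = INDICATORS["ip"].get(ip)
        if category:
            tags.add(category)
    if event.dst_domain:
        category = lookup_domain(event.dst_domain)
        if category:
            tags.add(category)
    if event.file_sha256:
        category = INDICATORS["sha256"].get(event.file_sha256.lower())
        if category:
            tags.add(category)
    event.tags = sorted(tags)
    if tags & ALARM_CATEGORIES:
        event.disposition = "alarm"
    elif tags & HUNT_ONLY_CATEGORIES:
        event.disposition = "hunt"
    else:
        event.disposition = "none"
    return event


def summarize(events):
    """Count dispositions for a periodic exposure report."""
    counts = {"alarm": 0, "hunt": 0, "none": 0}
    for ev in events:
        counts[ev.disposition] += 1
    return counts


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("ssh_login", src_ip="203.0.113.10"),
    Event("port_scan", src_ip="198.51.100.7"),   # benign scanner: hunt only
    Event("dns_query", dst_domain="host.dyn.example.net"),
    Event("http_request", src_ip="10.0.0.5"),    # no indicator match
    Event("driver_load", src_ip="203.0.113.10", file_sha256="AA" * 32),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        enrich(ev)
        print(f"{ev.event_type:12} {ev.disposition:5} {ev.tags}")
    print(summarize(SAMPLE_EVENTS))
```

The scan from the benign scanner is tagged but never alarms, which is the “discard” behaviour the last-but-one bullet describes, while the tag still lets a hunt pull those events back later; moving a category between the two policy sets is the tuning step the section recommends.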
LevelBlue Labs Monthly Newsletter
LevelBlue Labs has introduced a monthly newsletter featuring important threat news, recent updates to USM Anywhere detections, details on new OTX pulses, and more. These can be found here on the LevelBlue website. You can find the August newsletter here.
Need More Information?
To have Release Notes emailed to you automatically, follow these steps:
1. Log in to the LevelBlue Success Center.
2. Click on the announcement for the product you wish to follow.
3. Select the “Follow” button on the right-hand side.
4. In the drop-down menu on the right-hand side, choose “Every Post” to receive an email for each new release note.