Release notes

Release 10-14-24: MFA Support

The AZ defense portal has fully transitioned to app-based MFA. SMS-based MFA is no longer supported.

Release 09-23-24: New Pass-through investigations added from Office 365

After updating our backend parser, we have enabled additional pass-through investigations based on customer-configured policies within Office 365’s Security & Compliance Center.

By default, alerts generated by new customer-configured policies will automatically pass through to the ActZero portal, provided they are:

  • High severity for 'Custom' alerts
  • High or Medium severity for 'System' alerts

Customers wishing to mute these pass-through investigations can request exclusions.

Release 08-28-24: Date Format Adjustments Based on Location

The date format within the portal has been adjusted to better align with regional standards:

  • For users outside North America: Dates are now displayed in the format DD-MM-YY.
  • For users in North America: Dates are displayed in the format MM-DD-YY (No changes in the portal).

Release 04-25-24: MTD Push Notifications

ActZero is introducing push notifications to the MTD app. These notifications are designed to prompt end-users to interact with the app after periods of inactivity, ensuring that the app remains active and engaging for users.

Release 4-18-24: Crowdstrike AutoResponse - Enablement

In the web portal, a new component has been added under the onboarding --> Endpoint section allowing you to enable auto response for CrowdStrike-based critical detections.

Caveat: Currently there are no options in the portal to exclude specific workstations or servers from isolation.

Release 04-18-24: ZeroIn™

ActZero has released a new tool called ZeroIn™, a knowledge graph that gives an overview of the customer's environment, including endpoints, cloud, detections, and vulnerabilities.

Why/When to use ZeroIn™?

  • Comprehensive Cybersecurity Solution: Leverages Generative AI and integrates diverse data sources for a complete security landscape overview.
  • Diverse Cyber Defense Tools: Offers a variety of tools to enhance defense capabilities against evolving cyber threats.
  • Gen AI-Driven Summaries and Search: Utilizes Generative AI to construct graph summaries, enabling quick and clear understanding of complex security events. Generative AI also allows users to ask questions in plain English instead of complex queries, streamlining the investigation process.
  • Proactive Extended Activity Focus: Capable of zeroing in on specific extended activities based on initial notifications from ActZero, facilitating proactive responses.

Release 4-10-24: Multi-tenant Dashboard

In this release, we have added a new multi-tenant dashboard that summarizes KPIs, endpoint deployments, vulnerability trends and security events for all partner tenants.

Release 4-10-24: Onboarding Section Update and Service Status Page Enhancement

  • We've revamped the onboarding section, now referring to 'firewall' as 'network' for clarity and alignment with broader network management concepts. It is now explicitly stated that ActZero operates exclusively for security monitoring and analysis.
  • In our service status page, we've simplified the terminology by replacing 'firewall' with 'network'. Furthermore, all devices that are forwarding logs to ActZero will now appear under the 'network' section, reflecting their status. Refer to the tooltip for additional details.

Release 4-9-24: Network Page

In this release, a new network activity page in the portal is introduced that overlays aggregated network statistics on a world map to visualize where the network traffic is originating from and going to.

Release 3-19-24: Risk Management Notification Enhancements

In this release, we've updated our vulnerability notification system to better address open vulnerabilities and missing patches. This enhancement includes stronger, more detailed monthly notifications post-scan, emphasizing the urgency of remediation. This initiative aims to improve security collaboration and response efficiency with our customers.

Release 3-11-24: Improved Office 365 Coverage

This release extends our Office 365 coverage in several ways:

  • One new rule-based Investigation that addresses a recent common attack vector
  • Improved anomalous login location Investigation
  • An O365-specific anomaly detection tool based on our Sixth Sense AI to aid our SOC with threat hunting and emerging threats
  • Pass-through Investigations based on customer-configured policies within Office 365’s Security & Compliance Center

One new rule-based Investigation

O365 Anomalous New Inbox Rule

  • This Investigation triggers upon creation of an unusual new O365 Inbox rule. An attacker may be trying to hide their activity in this email account, in preparation for data exfiltration, spam, or phishing.

Improved anomalous login location Investigation

We have redesigned and rebuilt our Office 365 anomalous login location Investigation. This Investigation alerts when a user logs in from a country that they have never logged in from before.

Our new algorithm relearns normal login countries for each user every two weeks, using the previous two months of benign successful login activity.

If a user has recently relocated, the model will learn their new location within two weeks, and no action is required.

If the user is on vacation in a new country, this Investigation will continue to fire until either they return, or the next cycle of biweekly model training occurs. In this case, we recommend you respond to notify us of the expected return date, and leave the ticket open. Future logins with this user and country will not generate new Investigations while the ticket remains open.
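As an added illustration (not ActZero's code, which the notes do not publish), here is a Python sketch of the baseline logic described above: benign successful logins from the previous two months define each user's normal countries, the baseline is rebuilt every two weeks, and a successful login from a country outside it raises an alert. The login records, the training start date, the rule that users with no history are skipped, and the open-ticket suppression set are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TRAIN_INTERVAL = timedelta(days=14)  # the model relearns every two weeks
LOOKBACK = timedelta(days=60)        # from the previous two months of benign successful logins


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    country: str
    success: bool
    benign: bool  # False once a login has been classified as malicious; such logins never train the model


def build_baseline(events, as_of):
    """Per-user set of countries seen in benign successful logins during the lookback window ending at as_of."""
    start = as_of - LOOKBACK
    baseline = defaultdict(set)
    for e in events:
        if e.success and e.benign and start <= e.ts < as_of:
            baseline[e.user].add(e.country)
    return baseline


def anomalous_login_countries(events, first_train, open_tickets=frozenset()):
    """Replay logins in time order, retraining on a fixed biweekly schedule that starts at first_train.

    Returns (date, user, country) for every successful login from a country absent from that
    user's current baseline. A (user, country) pair in open_tickets is suppressed, mirroring
    the advice to leave the ticket open while a user is travelling.
    """
    events = sorted(events, key=lambda e: e.ts)
    last_trained = first_train
    baseline = build_baseline(events, last_trained)
    alerts = []
    for e in events:
        if e.ts < first_train or not e.success:
            continue  # logins before the first training only feed the baseline; failures never alert here
        while last_trained + TRAIN_INTERVAL <= e.ts:  # catch up on every scheduled retrain before this login
            last_trained += TRAIN_INTERVAL
            baseline = build_baseline(events, last_trained)
        known = baseline.get(e.user)
        if not known:
            continue  # assumption: a user with no history yet is not alerted on
        if e.country not in known and (e.user, e.country) not in open_tickets:
            alerts.append((e.ts.date().isoformat(), e.user, e.country))
    return alerts


FIRST_TRAIN = datetime(2024, 2, 15)  # assumed date of the first scheduled training run

# Constructed sample logins for one user (not real customer data).
SAMPLE_LOGINS = [
    Login(datetime(2024, 1, 5), "alice", "US", True, True),
    Login(datetime(2024, 1, 20), "alice", "US", True, True),
    Login(datetime(2024, 2, 2), "alice", "US", True, True),
    Login(datetime(2024, 2, 2), "alice", "RU", False, True),   # failed attempt: never enters the baseline
    Login(datetime(2024, 2, 20), "alice", "RU", True, False),  # compromised login: alerts, and stays out of the baseline
    Login(datetime(2024, 3, 3), "alice", "FR", True, True),    # vacation: alerts
    Login(datetime(2024, 3, 10), "alice", "FR", True, True),   # still before the next retrain: alerts again
    Login(datetime(2024, 3, 20), "alice", "FR", True, True),   # retrained on 3/14 with FR in the lookback: no alert
]

if __name__ == "__main__":
    for alert in anomalous_login_countries(SAMPLE_LOGINS, FIRST_TRAIN):
        print(alert)
    print("with ticket open:", anomalous_login_countries(SAMPLE_LOGINS, FIRST_TRAIN, {("alice", "FR")}))
```

Running the block yields three alerts for the constructed user: the malicious RU login and the two FR vacation logins that arrive before the next scheduled retrain; the FR login on 3/20 is quiet because the 3/14 retrain learned FR. Passing the open-ticket pair suppresses the FR alerts, which is the behaviour the notes describe for a ticket left open.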

AI-enabled Office 365 threat hunting

We are releasing an O365-specific version of an Investigation that looks for patterns of sustained elevated Sixth Sense anomaly scores. This interpretable AI model provides our SOC with a seed for efficient threat hunting, allowing us to stay ahead of evolving attacker methods and emerging threats.

Pass-through Investigations from Office 365

Many of our customers have configured security policies within their Office 365 Security & Compliance Center. These generate security events, which we receive as part of our data ingest pipelines. In the past, our SOC would use these for additional context during analysis, but we did not consistently pass along these security events via our own alerting channel.

Starting now, you will receive these events as pass-through Investigations from us (as well as being able to see them within your Office 365 portal). Because we do not have control over how these policies are configured in your environment, our service here differs in several important ways:

  • These Investigations go direct-to-customer, without SOC review. If you respond to a ticket with questions, our SOC can assist. They cannot help with reconfiguring your policies, though.
  • Because we do not create or control your alert policies, our understanding of how they work is more limited. The automated messages we send you will be more terse, with fewer remediation instructions.
  • We cannot tune and denoise these Investigations, so they may be more frequent than our own in-house Investigations. If this activity is benign but the Investigation is generated repeatedly, consider adjusting your Office 365 security policies to remove the unnecessary alerting.
  • Alternatively, we can add an exclusion to our pass-through Investigations. If you no longer wish to receive these Investigations, contact us with the specific exclusion criteria. Office 365 will still generate the security event, and our SOC will still see these events as context for other analysis, but we will stop passing them along to you automatically.

Release 2-28-24: Support Ticketing - Fixes

This release fixes the issue where attachments sent with tickets via email were not appearing in the portal. Attachments now show up in the portal when tickets are submitted by email.

Release 2-21-24: Support Ticketing

We’re introducing a new ticketing system in the portal (Help --> Support) that allows users to submit and view their support tickets online. This offers an additional way to reach out for support, alongside the existing option to send emails to support@actzero.ai.

Caveat: if you submit tickets via email with attachments, the attachments won’t appear in the portal. This will be addressed in a future release.

Release 8-21-23: IIS Detections

In this release, we add new detections for several IIS threats. Each one looks for specific Indicators of Attack (IOAs).

Detection Details:

ProxyShell IOAs

  • ProxyShell is a vulnerability that allows an attacker to execute commands on unpatched Exchange servers via PowerShell or a webshell.

MOVEit IOAs

  • A recent vulnerability in the MOVEit Transfer software that could lead to escalated privileges and potential unauthorized access to the environment.

Telerik IOAs

  • A recent vulnerability in the Progress Telerik user interface (UI) for AJAX that exploits a .NET deserialization vulnerability and allows for remote code execution.

Release 5-1-23: Additional Office 365 Cloud Detections

In this release, we expand our Office 365 cloud coverage to include additional data exfiltration and privilege escalation detections.

Detection Details:

O365 MFA Disabled by New Admin

  • Multifactor authentication has been disabled on an Office 365 account, by an account that was recently given admin privileges.

O365 Account Enabled by New Admin

  • An Office 365 account was enabled, by an account that was recently given admin privileges.

O365 Admin Account Creation

  • A new Office 365 account has been created, and then given administrator privileges within a short period of time.

O365 Elevate to High-Level Administrator

  • We have detected log lines indicating that a user was added to a new high-level administrator role: Global, Exchange, SharePoint, or User administrator.

O365 Elevate to Low-Level Administrator

  • We have detected log lines indicating that a user was added to a new administrator role. This role is not Global, Exchange, SharePoint, or User administrator.

O365 eDiscovery Manager Changed

  • We have detected log lines indicating that an eDiscovery case admin or manager was recently changed.

O365 eDiscovery Search Exported by New Admin

  • An eDiscovery search result was exported, by an account that was recently given admin privileges.

Release 4-3-23: Okta Coverage

In this release, we add coverage for Okta. To add Okta logging and enable these detections, please contact your TAM.

Documentation for the Okta connector can be found here: https://docs.actzero.ai/cloud-connections/connect-okta.

Detection Details:

Account Login Failure Anomaly

  • An anomalously large number of Multi-Factor Authentication (MFA) user login failures was observed for an account.

Account Login Failure Anomaly with Password as Factor

  • An anomalously large number of Multi-Factor Authentication (MFA) user login failures was observed for an account using Password as Factor verification.

External Account Login Failure Anomaly

  • An anomalously large number of user login failures was observed for an account.

External Brute-Forced Successful User Login

  • A successful login was detected from an IP address that had previously seen a large number of login failures.

Bad Reputation Login

  • A successful login was detected from an IP address with a history of malicious activity.

External Credential Stuffing

  • An anomalously large amount of username/password testing was detected.

Internal Account Login Failure Anomaly

  • An anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account.

Internal Brute-Forced Successful User Login

  • A successful login to an internal IP address was detected from another internal IP address that had previously seen a large number of login failures.

Login Time and Impossible Travel Anomaly

  • A user logged in at an abnormal time and from locations that are geographically impossible to travel between in the time frame.

Login Location and Impossible Travel Anomaly

  • A user logged in from an anomalous location and from locations that are geographically impossible to travel between in the time frame.
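The two impossible-travel Investigations above compare consecutive logins of one user. As an added example (not Okta's logic and not ActZero's own detection code), the following Python computes the great-circle distance between the geolocations of a user's consecutive logins and flags a login when the implied speed is beyond what travel allows. The city coordinates, the 1000 km/h speed ceiling and the 50 km tolerance for two logins at the same instant are assumptions chosen for the example; the "abnormal time" half of the first Investigation is not modelled.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumption: faster than any airliner counts as impossible travel
GEO_SLOP_KM = 50.0       # assumption: geo-IP placement error tolerated for two logins at the same instant

# Real city coordinates, used only to geolocate the constructed sample logins.
CITIES = {
    "New York": (40.7128, -74.0060),
    "Boston": (42.3601, -71.0589),
    "London": (51.5074, -0.1278),
    "Paris": (48.8566, 2.3522),
    "Tokyo": (35.6762, 139.6503),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """logins: iterable of (timestamp, user, city). Returns (user, timestamp, from_city, to_city)
    for each login whose implied speed from the same user's previous login exceeds max_speed_kmh."""
    last = {}       # user -> (timestamp, city) of the most recent login processed
    flagged = []
    for ts, user, city in sorted(logins, key=lambda login: (login[0], login[1])):
        if user in last:
            prev_ts, prev_city = last[user]
            distance = haversine_km(CITIES[prev_city], CITIES[city])
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours == 0:
                suspicious = distance > GEO_SLOP_KM        # two places at once, beyond geo-IP noise
            else:
                suspicious = distance / hours > max_speed_kmh
            if suspicious:
                flagged.append((user, ts.isoformat(), prev_city, city))
        last[user] = (ts, city)
    return flagged


# Constructed sample logins (not real data).
SAMPLE_LOGINS = [
    (datetime(2024, 5, 1, 8, 0), "alice", "New York"),
    (datetime(2024, 5, 1, 9, 0), "alice", "London"),    # about 5,570 km in one hour: flagged
    (datetime(2024, 5, 1, 23, 0), "alice", "London"),   # same city later in the day: fine
    (datetime(2024, 5, 1, 8, 0), "bob", "New York"),
    (datetime(2024, 5, 1, 9, 0), "bob", "Boston"),      # about 306 km in one hour: plausible
    (datetime(2024, 5, 1, 10, 0), "carol", "Paris"),
    (datetime(2024, 5, 1, 10, 0), "carol", "Tokyo"),    # same minute from two continents: flagged
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGINS):
        print(hit)
```

The zero-elapsed-time branch matters in practice: identity providers can log two events with the same second, and without the distance tolerance every such pair would divide by zero or be flagged on geo-IP jitter alone.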

Release 01-16-23: Agent 8.4.9 release

  • Increased the timeout when sending check-in data, allowing more time for the transfer

  • Signing certificate update for Windows

  • Updates to components.json file to reflect security changes from Go 1.19

  • Updates to Microsoft Defender Antimalware object

    • Includes found threats and related details

    • Support for Windows 7/10/11 and Windows Server 2012R2/2016/2019/2022

  • Bugfix to resolve communications issues for some endpoints when checking for missing Microsoft patches

  • Bugfix to address incorrect firewall state returns

Release 10-05-22: Agent 8.4.7 release

  • Bugfix regarding collection of third-party firewall status for Windows Workstations.

Release 09-21-22: Additional Data Exfiltration Detections

In this release, we expand our data exfiltration coverage to include additional malware and cloud storage platforms.

Detection Details:

Ngrok and Large Archived Files

  • This detection looks for the use of Ngrok and the creation of over 10GB of archived files in a 4-hour window.

StealBit Data Exfiltration Process

  • This detection looks for the use of StealBit malware.

Handy Backup Data Exfiltration Process

  • This detection looks for the use of the cloud storage tool Handy Backup.

pCloud and Large Archived Files

  • This detection looks for the use of cloud storage tool pCloud and the creation of over 10GB of archived files in a 4-hour window.

Exmatter and Large Archived Files

  • This detection looks for the use of Exmatter/Fendr malware and the creation of over 10GB of archived files in a 4-hour window.

Sendspace and Large Archived Files

  • This detection looks for the use of Sendspace or connection to the Sendspace cloud, and the creation of over 10GB of archived files in a 4-hour window.

Dropmefiles Connection and Large Archived Files

  • This detection looks for connection to the cloud storage site Dropmefiles and the creation of over 10GB of archived files in a 4-hour window.

Anonfiles Connection and Large Archived Files

  • This detection looks for connection to the cloud storage site Anonfiles and the creation of over 10GB of archived files in a 4-hour window.

Ufile Connection and Large Archived Files

  • This detection looks for connection to the cloud storage site Ufile and the creation of over 10GB of archived files in a 4-hour window.

Release 09-08-22: Additional Active Directory & Credential Dumping Detections

This expanded set of detections looks for the use of attack tools, or native Windows processes used as attack tools. It adds to our current coverage in two areas:

  • Active Directory attacks: scanning networks, enumerating resources, and abusing AD functions and relationships in order to escalate privileges and move laterally.

  • Credential dumping attacks: obtain cached credentials, such as hashed passwords, for the purpose of privilege escalation.

Detection Details:

New Active Directory detections:

Active Directory scan via nltest

  • NLtest can be used to do recon (gathering a list of domain controllers), force a shutdown, and force a database sync.

Active Directory scan via AdFind

  • AdFind is a free command-line query tool that can be used for gathering information from Active Directory.

Active Directory scan via BloodHound

  • Attackers utilize BloodHound to import exported data collected by SharpHound. SharpHound.exe is the data collector to dump available information on an AD environment. AzureHound.exe is the Azure AD equivalent to dump info about an Azure AD environment.

Active Directory attack via CrackMapExec

  • The "swiss army knife" tool for attacking Active Directory environments for enumeration and abuse of built-in AD functions, and for post-exploitation activities.

Kerberos attack via Rubeus

  • The Rubeus executable can perform AS-REP roasting that allows retrieving password hashes for users that have the "Do not require Kerberos preauthentication property" set in AD.

Active Directory scan via ShareFinder

  • ShareFinder is a tool used to enumerate any available network shares.

New Credential Dumping detections:

Credential dumping via Lsassy

  • Lsassy can be used to dump credentials remotely from the lsass.exe process.

Credential dumping via Nanodump

  • Nanodump is a credential dumping tool.

Credential dumping via Windows Credentials Editor

  • WCE is a tool used for authentication-type attacks via Kerberos, NTLM, and digest.

Credential dumping via Gsecdump

  • Gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.

Credential dumping via Lazagne

  • Lazagne is a tool used to retrieve stored passwords on a local host.

Credential dumping via LSASS

  • Procdump can be used to dump all cached credentials on a system via the lsass.exe process.

Release 08-16-22: Agent 8.4.6 release

  • Bugfix regarding collection of third-party firewall status for Windows Workstations.
  • Updated winlogbeat.yml file to collect Windows Event Logs relevant to endpoint security.

Release 07-27-22: Customer Portal Release

  • Added support for CSPM (Cloud Security Posture Management) scanning and reporting
  • CSPM provides security assessment and guidance for the AWS environment by executing multiple benchmark tests as laid out by CIS. Additionally, checks related to IAM, logging, GDPR, HIPAA, etc. are also executed.
  • Introduced Cloud tab on the Hygiene dashboard
  • Renamed Endpoint tabs to differentiate between endpoint and cloud security hygiene

Release 05-16-22: Customer Portal Release

Added two tabs with additional information on the Security Related Events Page.

  • On the Endpoints table, added "Suspicious Processes," which provides more information about the processes that led to the selected detection.
  • On the Cloud table, added "Recent Activity," which provides more information about the user and IP address for a selected Office 365 detection.

Release 04-26-22: Connection dashboard

  • Added Connection dashboard to the customer portal to view total number, bytes transferred and number of incidents by source (Firewall, Endpoint, AWS, Salesforce, Google Workspace, O365).

Release 04-07-22: Security release

Added protection for mobile devices (Android, iOS, Chrome).

Coverage includes:

  • Activity-based detections
  • Settings-based detections and vulnerability scanning
  • Phishing and malicious URL protection

Response includes:

  • Automatic on-device response for a subset of detections, including WiFi disconnect, Bluetooth disconnect, or network sinkhole
  • Escalation via Jira ticket including detailed remediation instructions and SOC notification

Detection details:

Activity-Based Detections

Possible Device Tampering

  • Possible tampering may have occurred with the Android device. The device is not certified by Google, and may have been additionally compromised, e.g. a rooted device.

App Tampering

  • Existing app libraries may have been modified, or a foreign library may have been injected into the app.

Man In The Middle Attack

  • A man-in-the-middle attack occurred where a malicious attacker can hijack traffic, steal credentials, and deliver malware to the device.
  • Automatic on-device response: Disconnect WiFi.

Pegasus Spyware

  • The Pegasus spyware has been detected on the device. Pegasus is a surveillance tool that is used to monitor and collect information from the device.
  • Automatic on-device response: Network Sinkhole.

Phishing Link Visited

  • A user tapped a potentially malicious URL on the device. The user was warned of potential danger with the linked site, and chose to continue to the website after the warning.
  • Automatic on-device response: Disconnect WiFi.

Risky Site Visited

  • A user tapped a potentially malicious link on the device. The user was warned of potential danger with the linked site, and chose to continue to the website after the warning.
  • Automatic on-device response: Disconnect WiFi.

Unapproved Site Visited

  • A user tapped on website content not approved by your organization. The user was warned the website content does not comply with your organization's policies and chose to continue to the website after the warning.
  • Automatic on-device response: Disconnect WiFi.

Rogue Access Point

  • Rogue access points exploit a device vulnerability to connect to a previously known Wi-Fi network by masking preferred and known networks.
  • Automatic on-device response: Disconnect WiFi.

Suspicious Android App

  • A known malicious app is detected and can attempt to take control of the device in some manner, such as elevation of privileges or spyware.

System Tampering

  • System tampering is a process of removing security limitations that are in place by the device manufacturer, and it indicates that the device is fully compromised and can no longer be trusted.

Abnormal Process Activity

  • Detected abnormal activity in the low-level device processes. This could indicate an exploit attempt, or be triggered by an app crashing.

Elevation Of Privileges

  • Detected a malicious process that results in the elevation of privileges on the mobile device, which allows an attacker to take full control of the device.

Sideloaded App

  • A sideloaded app is installed independently of an official app store and may present a security risk.

Settings-based Detections and Vulnerability Scanning

Device Jailbroken Or Rooted

  • Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may not have been apparent or undermine the device's built-in security measures.

SELinux Disabled

  • Security-enhanced Linux (SELinux) is a security feature in the operating system that helps maintain the operating system's integrity. If SELinux has been disabled, the operating system's integrity may be compromised and should be investigated immediately.

Android Debug Bridge Apps Not Verified

  • Apps installed via ADB are not required to be verified. This may allow malicious apps to be installed on the device.

App Debug Enabled

  • An app with debugging enabled can pose a risk and allow an attacker to control and manipulate the underlying app functions.

BlueBorne Vulnerability

  • The device is vulnerable to a BlueBorne attack, which leverages Bluetooth connections to penetrate and take control of targeted devices.
  • Automatic on-device response: Disconnect Bluetooth.

Device Storage Not Encrypted

  • Encryption is not set up on the device and is needed to protect the device's content.

Device Pin Disabled

  • The device is not set up to use a PIN code or password to control access to the device.

Google Play Protect Disabled

  • Google Play Protect has been disabled on this device. Google Play Protect helps protect the device from malicious apps and needs to be re-enabled.

Stagefright Vulnerability

  • The device is vulnerable to the Stagefright exploit, which allows remote code execution and privilege escalation.

Unknown Sources Enabled

  • App downloads from locations other than the Google Play store are enabled. Harmful apps may be installed.

USB Debugging Mode

  • USB debugging is an advanced configuration option intended for development purposes only, and decreases the device's security posture. By enabling USB debugging, the device can accept commands from a computer when plugged into a USB connection.

Developer Options Enabled

  • Developer Options is an advanced configuration option intended for development purposes only. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings.

Vulnerable Android Version

  • The Android version installed on the device is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors.

Vulnerable iOS Version

  • The iOS version installed on the device is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors.

Release 03-29-22: Security release

Added the following information to automated detection alerts:

Endpoint detections:

  • Detection description
  • Event time
  • Additional information about the parent and grandparent processes

O365 detections:

  • IP address location
  • Recent connections - Information on whether the IP address seen in the detection has been seen for other users in your environment recently, and recent examples if so

Release 03-28-22: Security release

Added the following cloud (Salesforce) detection:

Brute-Force Successful User Login

  • This detection is triggered when a successful Salesforce login is detected from an IP address that had previously seen a large number of login failures.
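The Okta "External Brute-Forced Successful User Login" and "Internal Brute-Forced Successful User Login" Investigations (release 4-3-23) and the Salesforce "Brute-Force Successful User Login" detection above share one pattern: a success from a source IP that recently produced many failures. As an added example (not ActZero's, Okta's or Salesforce's code), this Python keeps a per-IP sliding window of failure timestamps over constructed log lines and flags a success once that window holds a threshold of failures. The line format, the threshold of 10 failures and the 60-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAILURE_THRESHOLD = 10           # assumption: this many failures from one IP counts as "a large number"
WINDOW = timedelta(minutes=60)   # assumption: failures older than this no longer count
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed log format (not Okta's or Salesforce's native schema): one login outcome per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) outcome=(?P<outcome>SUCCESS|FAILURE)$"
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, outcome)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["outcome"]


def brute_forced_logins(lines):
    """Return (timestamp, ip, user) for each SUCCESS from a source IP that produced
    at least FAILURE_THRESHOLD failures (against any account) inside the trailing WINDOW."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures, oldest first
    hits = []
    for ts, ip, user, outcome in sorted(parse_line(line) for line in lines):
        recent = failures[ip]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()        # expire failures that fell out of the window
        if outcome == "FAILURE":
            recent.append(ts)
        elif len(recent) >= FAILURE_THRESHOLD:
            hits.append((ts.strftime(TS_FMT), ip, user))
    return hits


def _at(minutes):
    """Timestamp string `minutes` after the constructed sample's start time."""
    start = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    return (start + timedelta(minutes=minutes)).strftime(TS_FMT)


# Constructed sample lines using documentation IP ranges (not real traffic).
SAMPLE_LINES = (
    [f"{_at(i)} src=203.0.113.5 user=user{i % 4} outcome=FAILURE" for i in range(12)]
    + [f"{_at(12)} src=203.0.113.5 user=alice outcome=SUCCESS"]      # 12 failures in 12 minutes, then success: flagged
    + [f"{_at(3)} src=198.51.100.7 user=bob outcome=FAILURE",
       f"{_at(4)} src=198.51.100.7 user=bob outcome=FAILURE",
       f"{_at(5)} src=198.51.100.7 user=bob outcome=SUCCESS"]        # two typos then success: not flagged
    + [f"{_at(200)} src=203.0.113.5 user=carol outcome=SUCCESS"]     # failures expired from the window: not flagged
)

if __name__ == "__main__":
    for hit in brute_forced_logins(SAMPLE_LINES):
        print(hit)
```

Counting failures per source IP across all accounts, rather than per account, is what distinguishes this from a plain lockout rule: password spraying spreads a few attempts over many users and only shows up when the attempts are grouped by origin.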

Release 03-28-22: Customer Portal release

Added the following features to the portal:

Under the "Security Related Events" tab on the Dashboard landing page, we’ve added 3 new features: Endpoint, Cloud and Network incident dashboards.

  • Endpoint - The intent of this view is to provide more details around endpoint-centric detection events, as well as the ability to search and filter events.
  • Cloud - The intent of this view is to provide more details around cloud detection events, the ability to search and filter those events, as well as an Admin Activity view detailing activity logs from your cloud services (currently Office 365 and Google Workspace only).
  • Network - The intent of this view is to provide more details around network related detection events, the ability to search and filter those events, and a set of geo-location based allow-deny traffic views.

Release 01-12-22: Customer Portal release

Added the following features to the portal:

  • Ability to export dashboards as a PDF

Added the following pages to the portal:

  • Executive Summary Dashboard - A holistic view across all of your security concerns
  • Vulnerability Scans Dashboard - A place to see your current vulnerabilities, prioritize, and fix them.
  • Hygiene Scans Dashboard - See your current level of security hygiene across your devices and what to focus on.
  • Missing Patches Dashboard - Which devices need to be updated

Release 12-06-21: Security release

Added the following endpoint detections:

Sixth Sense Data Exfiltration Heuristics

MegaSync and Large Archived Files

  • This detection looks for the use of cloud storage app MegaSync and the creation of over 10GB of archived files in a 4-hour window.

RClone and Large Archived Files

  • This detection looks for the use of cloud storage app RClone and the creation of over 10GB of archived files in a 4-hour window.

FileZilla and Large Archived Files

  • This detection looks for the use of FileZilla FTP software and the creation of over 10GB of archived files in a 4-hour window.

WinSCP and Large Archived Files

  • This detection looks for the use of WinSCP FTP software and the creation of over 10GB of archived files in a 4-hour window.

Vsftpd and Large Archived Files

  • This detection looks for the use of vsftpd and the creation of over 10GB of archived files in a 4-hour window.

PuTTY and Large Archived Files

  • This detection looks for the use of PuTTY SSH software and the creation of over 10GB of archived files in a 4-hour window.

MegaSync from Unusual Path

  • This detection looks for the process MegaSync running from an unusual filepath.

MegaSync and RClone

  • This detection looks for the execution of both MegaSync and RClone in a 4-hour window.

MegaSync and Common FTP

  • This detection looks for the use of MegaSync along with a more common FTP process (FileZilla, WinSCP, vsftpd, or PuTTY) in a 4-hour window.

RClone and Common FTP

  • This detection looks for the use of RClone along with a more common FTP process (FileZilla, WinSCP, vsftpd, or PuTTY) in a 4-hour window.
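The "tool plus over 10GB of archived files in a 4-hour window" heuristics above, both in this 12-06-21 release and in the 09-21-22 data exfiltration release (Ngrok, pCloud, Exmatter, and so on), together with the tool co-occurrence heuristics (MegaSync and RClone, MegaSync and Common FTP, RClone and Common FTP), can all be modelled with one windowed correlation. The Python below is an added example, not ActZero's detection code: it slides a 4-hour window over each host's process-start and file-creation events. The process image names, the set of archive extensions, the use of GiB for the size limit, and the sample events are assumptions constructed for the example; the network-connection variants (Sendspace, Dropmefiles, Anonfiles, Ufile) are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)
ARCHIVE_LIMIT = 10 * 1024 ** 3                           # "over 10GB" of archived files (assumption: GiB)
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz")     # assumption: extensions that count as "archived"
# Assumed image names for the tools the notes list; the release notes do not specify them.
TOOL_LABELS = {
    "megasync.exe": "MegaSync", "rclone.exe": "RClone", "ngrok.exe": "Ngrok",
    "filezilla.exe": "FileZilla", "winscp.exe": "WinSCP", "vsftpd": "Vsftpd", "putty.exe": "PuTTY",
}
COMMON_FTP = {"filezilla.exe", "winscp.exe", "vsftpd", "putty.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str          # "process" (a process start) or "file" (a file creation)
    name: str          # image name for processes, file name for files
    size_bytes: int = 0


def exfil_alerts(events):
    """Slide a 4-hour window over each host's events and return the sorted set of
    (host, detection name) pairs whose conditions co-occur inside one window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts = set()
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):           # every event opens a candidate window
            tools, archive_bytes = set(), 0
            for e in evs[i:]:
                if e.ts - start.ts > WINDOW:
                    break                         # events are sorted, so the window is closed
                if e.kind == "process" and e.name.lower() in TOOL_LABELS:
                    tools.add(e.name.lower())
                elif e.kind == "file" and e.name.lower().endswith(ARCHIVE_EXTS):
                    archive_bytes += e.size_bytes
            if archive_bytes > ARCHIVE_LIMIT:
                for t in tools:
                    alerts.add((host, f"{TOOL_LABELS[t]} and Large Archived Files"))
            if "megasync.exe" in tools and "rclone.exe" in tools:
                alerts.add((host, "MegaSync and RClone"))
            for t in ("megasync.exe", "rclone.exe"):
                if t in tools and tools & COMMON_FTP:
                    alerts.add((host, f"{TOOL_LABELS[t]} and Common FTP"))
    return sorted(alerts)


GIB = 1024 ** 3

# Constructed sample endpoint events (not real telemetry).
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 10, 0), "ws-01", "process", "MegaSync.exe"),
    Event(datetime(2024, 5, 1, 10, 30), "ws-01", "file", "finance-2023.zip", 6 * GIB),
    Event(datetime(2024, 5, 1, 11, 0), "ws-01", "file", "hr-records.7z", 5 * GIB),
    Event(datetime(2024, 5, 1, 12, 0), "ws-01", "process", "rclone.exe"),
    Event(datetime(2024, 5, 1, 9, 0), "ws-02", "process", "WinSCP.exe"),
    Event(datetime(2024, 5, 1, 9, 10), "ws-02", "file", "site-backup.zip", 1 * GIB),
    Event(datetime(2024, 5, 1, 15, 0), "ws-02", "process", "MegaSync.exe"),   # six hours after WinSCP: no pairing
]

if __name__ == "__main__":
    for alert in exfil_alerts(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data ws-01 trips three heuristics from a single window (11 GiB of archives beside both MegaSync and RClone), while ws-02 stays quiet: its archive volume is too small and its two tools are six hours apart. Opening a window at every event is quadratic, which is fine for an illustration but would be replaced by a two-pointer or bucketed aggregation at SIEM scale.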

URSA (Unauthorized Remote System Access) Heuristics

Netscan Use

  • This detection looks for netscan, a tool that can be used for recon (for example to get a list of services running on remote hosts).

Tscon Use

  • This detection looks for tscon, a tool that can be used for lateral movement through a network using RDP without the need for credentials.

Winrm Use

  • This detection looks for winrm, a tool that can be used for lateral movement.

Tor browser Use

  • This detection looks for the tor browser, which can be used to access the dark web.

Active Directory Recon Use

  • This detection looks for adrecon, a tool that can be used to gather information on Active Directory.

NLtest Admin Use

  • This detection looks for admin use of nltest, a tool that can be used to do recon, force a shutdown, and force a database sync.

Keylogger Installation

  • This detection looks for the installation of keyloggers, which can be used for credential gathering.

Ntfs Query Ea Exploit Attempt

  • This detection looks for a Crowdstrike indicator event around suspicious processes linked to the download of files.

Suspicious Module Credential Load

  • This detection looks for a Crowdstrike indicator event fired when suspicious module activity is detected, which means the process opened a handle to the LSASS process and loaded one of its DLLs for symbolic resolution of protected LSASS resources.

Suspicious User Remote APC Attempt

  • This detection looks for a Crowdstrike indicator event indicating that a remote APC (Asynchronous Procedure Call) that is classified as potentially suspicious was queued on the target process by the context process.

Unusual Active Directory Activity

  • This detection looks for a collection of Crowdstrike indicator events indicating unusual Active Directory behaviors.

Zerologon Exploit Attempt

  • This detection looks for a Crowdstrike indicator event suggesting that an unauthenticated attacker may have network access to a domain controller.

Release 11-24-21: Security release

Added the following endpoint response:

Automatic workstation network contain for endpoints

  • This response cuts network connectivity when there is a critical CrowdStrike detection. The customer and SOC are automatically notified and the SOC immediately works with the customer to investigate the detection. The SOC can easily restore network access to the machine. This response is optional and requires the customer to opt in.

Release 11-18-21: Security release

Added the following cloud (AWS) detections:

Config changes

  • This detection looks for modifications to AWS Config that may be related to defense evasion.

DeleteFlowLogs

  • This detection looks for deletion of Flow Logs, which an attacker may do to cover their tracks.

Disable log file validation

  • This detection looks for disabling of log file validation, which prevents a user from verifying that CloudTrail logs have not been tampered with.

Disable multiregion logging

  • This detection looks for disabling of multiregion logging for a CloudTrail trail, which an attacker may do to evade defenses.

DeleteDetector

  • This detection looks for deletion of a GuardDuty detector.

DeleteAccountPublicAccessBlock

  • This detection looks for deletion of the Public Access Block for S3 buckets at the account level.

DeleteBucketPublicAccessBlock

  • This detection looks for deletion of the Public Access Block for S3 buckets at the bucket level.

DisableEbsEncryptionByDefault

  • This detection looks for disabling default encryption for EBS volumes.

DB snapshot made public

  • This detection looks for database snapshots made public.

Public S3 bucket

  • This detection looks for publicly accessible S3 buckets.

DeleteSubnet

  • This detection looks for subnet deletion.

DeleteVpc

  • This detection looks for Virtual Private Cloud (VPC) deletion.

DeleteDBCluster

  • This detection looks for deletion of an Aurora database cluster.

ACL ingress anywhere

  • This detection looks for creation of a network Access Control List (ACL) entry that allows network ingress from any IPv4 address (0.0.0.0/0).

Release 11-09-21: Security release

Created new Office 365 responses in which actions are taken when a threat is detected

Automated Office 365 response

  • Automatic actions are taken on event detection, before review by the customer and threat hunters.

On-demand Office 365 response

  • A link is included in the detection alert so the customer can easily respond.

The action for both automated and on-demand response is the following:

  • When a detection in this set is triggered, the password for the affected account is reset if there is an alternate email, otherwise the account is temporarily locked.

These responses are available for customers to opt in to for the following detections:

  • DLP Compliance Policy or Rule Removed (Automatic, On-demand)
  • Audit Log Disabled (Automatic, On-demand)
  • Safe Links Disabled (Automatic, On-demand)
  • Safe Attachments Disabled (Automatic, On-demand)
  • AntiSpam Rule or Policy Disabled or Removed (On-demand)
  • Malware Filter Rule or Policy Disabled or Removed (Automatic, On-demand)
  • AntiPhishing Rule or Policy Disabled or Removed (On-demand)

Release 10-25-21: Agent 8.4.2 release

Updated Sysmon Binary

  • Sysmon binary has been updated to version 13.24. This addresses BSOD issues that were observed during some CrowdStrike deployments.

Removed CrowdStrike EDR Sensor

  • The download of the CrowdStrike EDR sensor during installation has been removed.

Removed AutoUpdater

  • The built-in auto-update process and related files have been removed.

Update collected Windows Event Logs

  • Updated winlogbeat.yml file to collect Windows Event Logs relevant to endpoint security.

Release 10-12-21: Security release

Added the following network detection:

Emerging Threat

  • This detection looks for IPs associated with emerging threats (e.g., new ransomware) in network traffic.

Release 10-05-21: Security release

Added the following endpoint (CrowdStrike) detection:

Hardware-Enhanced Exploit Detection

  • This detection relies on a hardware feature of Intel Skylake (or later) CPUs, available only in non-virtualized environments, to detect classes of exploits such as those that use return-oriented programming (ROP), jump-oriented programming (JOP), or call-oriented programming (COP).

Release 09-23-21: Security release

Added the following Google Workspace and AWS detections:

Google Workspace unauthorized login

Brute-Force Successful User Login

  • This detection looks for an anomalously large number of failed login attempts followed by at least one successful login.

Login Time and Impossible Travel Anomaly

  • This detection looks for logins at an anomalous time for a particular user, from a location too far from the previous login to have been reached in the elapsed time by any means of transportation.

User Login Location and Impossible Travel Anomaly

  • This detection looks for logins from an anomalous location for a particular user, too far from the previous login to have been reached in the elapsed time by any means of transportation.

Bad Reputation Login

  • This detection looks for logins from known malicious IPs based on fifteen threat intelligence feeds.

Google Workspace post-login suspicious behavior

Attack Warning

  • This is a detection from Google that looks for a government-backed attack on a user account.

User suspended

  • This detection looks for cases where Google suspended a user due to account compromise, spamming activity, or other suspicious activity.

Advanced Protections unenroll

  • Google offers an Advanced Protection Program that provides additional security measures for high-profile users and users who handle sensitive information. This detection looks for unenrollment of a user from the program, which could indicate that they are being targeted by an attack.

Out of domain email forwarding enabled

  • This detection is triggered when a user enables forwarding of their email to an out-of-domain address.

AWS detections

StopLogging

  • This detection looks for an event where logging for AWS CloudTrail has been stopped.

DeleteTrail

  • This detection looks for an event where an AWS CloudTrail trail has been deleted.

Root Login

  • This detection looks for an event where the root account was used to perform a console login.

S3 Ransomware

  • This detection looks for events where an attacker re-encrypts objects in S3 buckets using an AWS Key Management Service (KMS) key under their control, leaving the legitimate owner unable to read the data.

AWS AMI made Public

  • The detection looks for an event where an Amazon Machine Image (AMI) was shared publicly, thus exposing potentially sensitive information.

User Login Time Anomaly and Impossible Travel Anomaly

  • This detection looks for logins at an anomalous time for a particular user, from a location too far from the previous login to have been reached in the elapsed time by any means of transportation.

Account Login Failure and Impossible Travel Anomaly

  • This detection looks for logins associated with recent failed logins and locations too far from recent login locations to indicate real travel.

Impossible Travel Anomaly Greater Than 500 Miles

  • This detection looks for logins associated with locations too far from recent login locations to indicate real travel and at least 500 miles from one another.

User Login Location Anomaly

  • This detection looks for an event where a user logged in from an anomalous location, i.e., a location from which they have not logged in before.

Credential Stuffing

  • This detection is triggered when an anomalously large number of username/password combinations were used in login attempts to AWS.

Brute-Force Successful User Login

  • This detection is triggered when a successful AWS login was detected from an IP address that had previously seen a large number of login failures.
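The CloudTrail-based detections in this release and in the 11-18-21 release above are all matches on a management event's eventSource and eventName, sometimes qualified by a request parameter (an UpdateTrail is benign unless it turns a logging feature off; a ModifyImageAttribute is benign unless it adds the "all" launch-permission group). The following Python is an added illustration of that logic, not ActZero's detection code. The sample records are constructed, and the request-parameter shapes used in the predicates are assumed from the CloudTrail record format, so verify them against your own logs before relying on them.

```python
"""Constructed example: matching the CloudTrail-based detections above.

Added illustration, not ActZero's detection code. Top-level field names
(eventSource, eventName, requestParameters, userIdentity.type) follow the
CloudTrail record format; the request-parameter shapes checked by the
predicates are assumed and should be confirmed against real records.
"""
import json


def _params(rec):
    return rec.get("requestParameters") or {}


def _ami_made_public(rec):
    # ModifyImageAttribute that adds the "all" launch-permission group makes the AMI public.
    items = _params(rec).get("launchPermission", {}).get("add", {}).get("items", [])
    return any(item.get("group") == "all" for item in items)


def _acl_ingress_anywhere(rec):
    # Network ACL entry allowing inbound traffic from any IPv4 address.
    p = _params(rec)
    return (p.get("cidrBlock") == "0.0.0.0/0" and p.get("egress") is False
            and p.get("ruleAction") == "allow")


# (detection name, eventSource, eventName, optional predicate on the record)
RULES = [
    ("StopLogging", "cloudtrail.amazonaws.com", "StopLogging", None),
    ("DeleteTrail", "cloudtrail.amazonaws.com", "DeleteTrail", None),
    ("Disable log file validation", "cloudtrail.amazonaws.com", "UpdateTrail",
     lambda r: _params(r).get("enableLogFileValidation") is False),
    ("Disable multiregion logging", "cloudtrail.amazonaws.com", "UpdateTrail",
     lambda r: _params(r).get("isMultiRegionTrail") is False),
    ("DeleteFlowLogs", "ec2.amazonaws.com", "DeleteFlowLogs", None),
    ("DeleteDetector", "guardduty.amazonaws.com", "DeleteDetector", None),
    ("DeleteAccountPublicAccessBlock", "s3.amazonaws.com", "DeleteAccountPublicAccessBlock", None),
    ("DeleteBucketPublicAccessBlock", "s3.amazonaws.com", "DeleteBucketPublicAccessBlock", None),
    ("DisableEbsEncryptionByDefault", "ec2.amazonaws.com", "DisableEbsEncryptionByDefault", None),
    ("DeleteSubnet", "ec2.amazonaws.com", "DeleteSubnet", None),
    ("DeleteVpc", "ec2.amazonaws.com", "DeleteVpc", None),
    ("DeleteDBCluster", "rds.amazonaws.com", "DeleteDBCluster", None),
    ("DB snapshot made public", "rds.amazonaws.com", "ModifyDBSnapshotAttribute",
     lambda r: "all" in (_params(r).get("valuesToAdd") or [])),
    ("AWS AMI made Public", "ec2.amazonaws.com", "ModifyImageAttribute", _ami_made_public),
    ("ACL ingress anywhere", "ec2.amazonaws.com", "CreateNetworkAclEntry", _acl_ingress_anywhere),
    ("Root Login", "signin.amazonaws.com", "ConsoleLogin",
     lambda r: (r.get("userIdentity") or {}).get("type") == "Root"),
]


def detect(records):
    """Return (detection name, eventID) for every record that matches a rule.

    One record can satisfy several rules: an UpdateTrail that turns off both
    validation and multi-region logging yields two alerts.
    """
    alerts = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        for name, source, event, predicate in RULES:
            if key == (source, event) and (predicate is None or predicate(rec)):
                alerts.append((name, rec.get("eventID")))
    return alerts


# Constructed sample: trimmed CloudTrail-style records, not real account data.
SAMPLE_RECORDS = json.loads("""[
 {"eventID": "1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
 {"eventID": "2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
  "requestParameters": {"name": "main", "enableLogFileValidation": true}},
 {"eventID": "3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
  "requestParameters": {"name": "main", "enableLogFileValidation": false, "isMultiRegionTrail": false}},
 {"eventID": "4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "requestParameters": {"name": "main"}},
 {"eventID": "5", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
  "requestParameters": {"imageId": "ami-0example", "attributeType": "launchPermission",
                        "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
 {"eventID": "6", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
  "requestParameters": {"cidrBlock": "0.0.0.0/0", "egress": false, "ruleAction": "allow", "ruleNumber": 100}},
 {"eventID": "7", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}}
]""")


if __name__ == "__main__":
    for name, event_id in detect(SAMPLE_RECORDS):
        print(f"{name:32} eventID={event_id}")
```

Running it against the sample yields six alerts: two for record 3 (validation and multi-region both turned off), and one each for the StopLogging, public AMI, open network ACL entry and root console login. The benign UpdateTrail (record 2) and the DescribeInstances call produce nothing, which is the point of qualifying UpdateTrail with a predicate rather than alerting on the API name alone.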

Release 08-10-21: Customer Portal release

Improvements were made to the hosts dashboard in the customer portal (https://portal.actzero.ai/hosts). The following additions were made to the existing dashboard:

  • All endpoints currently under the protection of our EDR now include hygiene scan data (if available):
    • Scan date
    • Native encryption enabled
    • Local firewall enabled
    • The list of user accounts on the host
    • Missing Updates
    • Password Policy

Release 08-04-21: Security release

Added the following Office 365 and AzureAD detections:

Unauthorized Login

Brute-Force Successful User Login:

  • This detection looks for an anomalously large number of failed login attempts followed by at least one successful login.

User Login Location and Impossible Travel Anomaly:

  • This detection looks for logins from an anomalous location for a particular user, too far from the previous login to have been reached in the elapsed time by any means of transportation.

Login Time and Impossible Travel Anomaly:

  • This detection looks for logins at an anomalous time for a particular user, from a location too far from the previous login to have been reached in the elapsed time by any means of transportation.

(Improved) Bad Reputation Login:

  • This detection looks for logins from known malicious IPs based on fifteen threat intelligence feeds.
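The impossible-travel and brute-force-then-success detections listed here, and the equivalents in the Google Workspace and AWS releases above, share the same core logic: compare each successful login with the user's previous one (distance versus elapsed time), and compare each success with the recent failure history of its source IP. The following Python is an added illustration of that logic, not ActZero's code. It runs over constructed sign-in events; geolocation is assumed to have been resolved already to latitude/longitude, and the 600 mph speed ceiling, the 500-mile minimum distance and the ten-failures-in-30-minutes brute-force threshold are assumed values.

```python
"""Constructed example: impossible travel and brute-force-then-success over sign-in events.

Added illustration, not ActZero's detection code. Events are dicts with
user, time (datetime), ip, result ("success"/"failure") and lat/lon, which
are assumed to have been geolocated already. Thresholds are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_MPH = 600.0        # assumed: above airliner speed, no human could make the trip
MIN_DISTANCE_MILES = 500.0   # the page's "greater than 500 miles" variant
BRUTE_FORCE_FAILURES = 10    # assumed: what counts as "a large number" of failures
BRUTE_FORCE_WINDOW = timedelta(minutes=30)


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (Earth radius 3958.8 mi)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(a))


def impossible_travel(events, min_miles=MIN_DISTANCE_MILES, max_mph=MAX_SPEED_MPH):
    """Flag a successful login that is >= min_miles from the user's previous success
    and would have required travelling faster than max_mph to reach."""
    alerts, last_success = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev is not None:
            miles = haversine_miles(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            speed = miles / hours if hours > 0 else float("inf")
            if miles >= min_miles and speed > max_mph:
                alerts.append({"detection": "Impossible Travel Anomaly", "user": e["user"],
                               "miles": round(miles), "mph": round(speed)})
        last_success[e["user"]] = e
    return alerts


def brute_force_success(events, threshold=BRUTE_FORCE_FAILURES, window=BRUTE_FORCE_WINDOW):
    """Flag a successful login from an IP that produced >= threshold failures within window."""
    alerts, failures_by_ip = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e["time"])
            continue
        recent = [t for t in failures_by_ip[e["ip"]] if e["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"detection": "Brute-Force Successful User Login", "user": e["user"],
                           "ip": e["ip"], "failures": len(recent)})
    return alerts


def _ev(user, hh, mm, ip, result, lat=0.0, lon=0.0):
    return {"user": user, "time": datetime(2021, 9, 23, hh, mm), "ip": ip,
            "result": result, "lat": lat, "lon": lon}


# Constructed sample events (documentation IP ranges, not real users).
SAMPLE_EVENTS = [
    _ev("alice", 9, 0, "203.0.113.5", "success", 40.7128, -74.0060),      # New York
    _ev("alice", 11, 0, "198.51.100.20", "success", 51.5074, -0.1278),    # London, 2 h later
    _ev("bob", 9, 0, "203.0.113.9", "success", 40.7128, -74.0060),        # New York
    _ev("bob", 12, 0, "203.0.113.10", "success", 42.3601, -71.0589),      # Boston, ~190 mi
    *[_ev("carol", 13, m, "198.51.100.7", "failure") for m in range(12)],  # 12 failures
    _ev("carol", 13, 12, "198.51.100.7", "success", 37.7749, -122.4194),  # then success
    _ev("dave", 14, 0, "203.0.113.44", "failure"),
    _ev("dave", 14, 1, "203.0.113.44", "failure"),
    _ev("dave", 14, 2, "203.0.113.44", "success", 37.7749, -122.4194),    # only 2 failures
]


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS) + brute_force_success(SAMPLE_EVENTS):
        print(alert)
```

On the sample, alice's New York to London hop (about 3,460 miles in two hours) is flagged while bob's New York to Boston trip is not, since it is both under 500 miles and at a plausible speed; carol's success after twelve failures from the same IP is flagged while dave's success after two is not. The per-user "last success" state is what makes this a streaming detection rather than a batch report, which is the difference the 07-06-21 release draws between continuous detections and periodic threat hunts.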

Post Login Suspicious Changes (O365 only)

Multiple File Restore:

  • This detection looks for multiple deleted files being restored in a short period of time. This may be indicative of an attacker evading file quarantine policies for malware.

Sharing Policy Changed:

  • This detection looks for changes in sharing policies, which are uncommon and can be indicative of file sharing with threat actors.

Access Governance Anomaly:

  • This detection looks for a change in Exchange admin privileges.

Data Exfiltration Attempt Anomaly:

  • This detection looks for anomalously large amounts of data being sent out of (exfiltrated from) O365.

Elevate User to Administrator:

  • This detection looks for privilege escalation of an account.

AntiSpam Rule or Policy Disabled or Removed:

  • This detection looks for the disabling or removal of Microsoft’s antispam protections.

New Management Role Assigned:

  • This detection looks for new management role assignments to an account.

DLP Compliance Policy or Rule Removed:

  • This detection looks for removal of a data loss prevention (DLP) policy, which is used to protect against exfiltration.

Release 07-20-21: Customer Portal release

A new page was added to the customer portal (https://portal.actzero.ai/hosts). The page enables customers to self-serve host information collected from their environments. The new dashboard makes the following data available:

  • All endpoints currently under the protection of our EDR with the following details:
    • Hostnames
    • When the host was last seen
    • The platform and OS version of the host
    • The version of the EDR software running on the host

Release 07-06-21: Security release

Added suspicious network connection detections for firewall data that look for suspicious activity. These detections were previously threat hunts. This represents an improvement because these detections occur on a continuous basis, thus providing the customer with more rapid response times than threat hunting allows. They are also based on fifteen sources of threat intelligence whereas previously intelligence was based on only eight threat intelligence feeds.

The detections cover the following activity:

  • Inbound and outbound connections to known malicious IPs based on fifteen threat intelligence feeds.
  • Anomalous Intrusion Detection System (IDS) matches. An IDS typically triggers an alert every time a signature is matched, even if that signature is normal network behavior. In contrast, ML-IDS learns the rate of signature matching for your network, and only generates an event when that rate changes.
  • Legacy IDS matches: suspicious signatures matched by the firewall's own IDS.

These detections are reviewed by the SOC and will be escalated to the customer if appropriate.
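The ML-IDS point above (alert on a change in a signature's match rate, not on every match) is easy to see side by side with legacy behaviour. The following Python is an added illustration, not ActZero's ML-IDS: it learns a per-signature hourly baseline from constructed match data and alerts only when the current hour departs from it. The z-score model and the 3-sigma threshold are assumed simplifications of whatever ActZero's product actually learns; the signature names and counts are constructed.

```python
"""Constructed example: rate-change IDS alerting versus legacy per-match alerting.

Added illustration, not ActZero's ML-IDS. The model (per-signature hourly
counts, z-score against a baseline window) and the threshold are assumed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def hourly_counts(matches):
    """matches: iterable of (hour_index, signature) -> {signature: Counter({hour: n})}."""
    counts = defaultdict(Counter)
    for hour, signature in matches:
        counts[signature][hour] += 1
    return counts


def legacy_ids_alerts(matches, hour):
    """A legacy IDS raises one alert per match, so alert volume equals match volume."""
    return sum(1 for h, _ in matches if h == hour)


def rate_anomalies(matches, baseline_hours, current_hour, z_threshold=3.0):
    """Alert only when a signature's match count in current_hour departs from its baseline.

    A signature that fires at a steady (even high) rate is learned as normal and
    stays quiet; a signature that never fired before, or whose rate jumps,
    produces a single alert for the hour.
    """
    alerts = []
    for signature, per_hour in hourly_counts(matches).items():
        baseline = [per_hour.get(h, 0) for h in baseline_hours]
        mu, sigma = mean(baseline), pstdev(baseline)
        now = per_hour.get(current_hour, 0)
        if sigma > 0:
            z = (now - mu) / sigma
        else:  # perfectly flat baseline: any change at all is a rate change
            z = 0.0 if now == mu else float("inf")
        if abs(z) > z_threshold:
            alerts.append({"signature": signature, "baseline_mean": mu,
                           "current": now, "z": z})
    return alerts


BASELINE_HOURS = range(24)   # hours 0-23 are the learned baseline
CURRENT_HOUR = 24            # hour 24 is "now"

# Constructed matches (signature names are placeholders, not real rule names):
#  - "scan-noisy": a scanner signature firing about 50 times every hour (48/52 alternating)
#  - "dns-policy": a steady 20/hour that jumps to 200 in the current hour
#  - "c2-beacon": never seen in the baseline, fires 3 times in the current hour
SAMPLE_MATCHES = []
for _hour in BASELINE_HOURS:
    SAMPLE_MATCHES += [(_hour, "scan-noisy")] * (48 if _hour % 2 == 0 else 52)
    SAMPLE_MATCHES += [(_hour, "dns-policy")] * 20
SAMPLE_MATCHES += [(CURRENT_HOUR, "scan-noisy")] * 52
SAMPLE_MATCHES += [(CURRENT_HOUR, "dns-policy")] * 200
SAMPLE_MATCHES += [(CURRENT_HOUR, "c2-beacon")] * 3


if __name__ == "__main__":
    print("legacy alerts this hour:", legacy_ids_alerts(SAMPLE_MATCHES, CURRENT_HOUR))
    for alert in rate_anomalies(SAMPLE_MATCHES, BASELINE_HOURS, CURRENT_HOUR):
        print(alert)
```

For the current hour the legacy approach produces 255 alerts (one per match, 52 of them for the scanner signature that fires every hour), while the rate model produces two: the tenfold jump in "dns-policy" and the first-ever appearance of "c2-beacon". The flat-baseline branch matters in practice: a signature with zero variance in its history must still alert when it changes, otherwise a never-before-seen signature would divide by zero or be silently ignored.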

Release 06-30-21: Security release

Added account takeover detections for Office 365 and AzureAD that look for the following suspicious activity:

Account-level suspicious login activity, based on user behavior analytics and suspicious behavioral signals including unusual login time, unusual login location, unusual browser or operating system, a large number of unsuccessful login attempts, and login lockout errors; and suspicious post-login activity indicating defense evasion. The post-login detections look for:

  • Disabling or Removal of Anti-Phish Protections
  • Turning off the URL scanning of links present in a mailbox
  • Turning off the auto-checking of attachments before they are delivered into a mailbox
  • Disabling or Removal of Malware protections
  • Turning off the logging of Unified Audit Logs, which record user and admin O365 account activity

These detections will automatically send the customer an email notification within five minutes of detection, containing information about the detection and guidance of how to investigate and respond to the potential threat.