At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum.
Let’s take a look at the highlights from our October and November releases:
Mac OS Support for the AlienVault Agent
In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements.
In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.
AlienVault Agent Queries as Response Actions
USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.)
To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.
Launch AlienVault Agent Queries from Agents Page
In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.
Asset Group Enhancements for the AlienVault Agent
Asset Groups help USM Anywhere users group similar assets for specific purposes. For example, you might want to assign assets to the PCI DSS asset group to keep track of the assets in scope of your CDE.
We’ve added a new “Assets with Agents” dynamic asset group containing all assets that have the AlienVault Agent deployed. We’ve also expanded asset group functionality by adding the ability to assign AlienVault Agent profiles to asset groups. You can do this by selecting the “Assign Agent Profile” option from the Actions menu for a specific asset group.
Improved Ability to View Suppressed Alarms
We’ve improved the filtering options available on the Alarms page to support the display of only suppressed alarms. This change has no effect on the default Alarms view, which does not include suppressed alarms.
Certificate Upload for TLS-Encrypted Syslog
In addition to the digital certificate provided through USM Anywhere, customers can now upload their own server certificate and CA certificate to enable the SSL connection for TLS-encrypted syslog transport. Certificates can be uploaded from a new Settings tab in the Syslog App configuration page located at Data Sources/Integrations/Sensor Apps. In addition, a new Actions tab has been added to the Syslog App configuration, allowing customers that use the AlienVault TLS Certificate to regenerate that certificate on demand.
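Before uploading your own server certificate and CA certificate for TLS-encrypted syslog, it is worth confirming that the three pieces actually belong together, since a server certificate that does not chain to the uploaded CA, or a private key that does not match the certificate, leaves log sources unable to connect. The script below is an added example written for this post, not AlienVault's code and not part of the USM Anywhere product; it assumes only that `openssl` is on the path. It checks that the server certificate verifies against the CA, that the private key matches the certificate's public key, and that the certificate is not about to expire. The helper that generates a throwaway CA and server certificate exists only so the check can be exercised on constructed material.

```shell
#!/bin/sh
# Added example (not AlienVault's code): sanity-check a server certificate, its
# private key and the CA certificate before uploading them for TLS syslog.
set -eu

# Returns 0 when: the server cert chains to the CA, the private key matches the
# cert's public key, and the cert is valid for at least 30 more days.
check_syslog_tls_material() {
  ca="$1"; cert="$2"; key="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "server certificate does not chain to the CA" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match the certificate" >&2; return 1; }
  # 2592000 seconds = 30 days; -checkend fails if the cert expires before then.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expires within 30 days" >&2; return 1; }
  return 0
}

# Constructed demo material (hypothetical names): a throwaway CA, a server
# certificate signed by it, and an unrelated key to show the mismatch case.
make_demo_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.pem" -days 365 -subj "/CN=Demo Syslog CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=syslog-sensor.example" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.pem" -days 90 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
}
```

Usage: `check_syslog_tls_material ca.pem server.pem server.key` with your real files; a non-zero exit and a message on stderr tell you which of the three conditions failed, so you can fix it before the upload rather than after log sources stop reporting.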
Threat Intelligence Highlights
As part of the Threat Intelligence Subscription built into USM Anywhere, the AlienVault Labs Security Research Team delivers continuous threat intelligence updates to the platform to ensure you're always ready to detect emerging threats. Security experts on the AlienVault Labs Team perform extensive research into the global threat landscape and update your deployment with new correlation rules and endpoint queries, enabling you to detect and respond to the latest signatures, higher-level attack tools, tactics, and procedures.
Each week, the AlienVault Labs Team produces a Threat Intelligence Newsletter to share the threat intelligence updates they’re building into your USM Anywhere deployment. You can read the Threat Intelligence Newsletter here.
Recently, the AlienVault Labs Team has also produced the following blog posts based on their research: