• Support
  • Forums
  • Blogs

Best Recent Content

  • What We’re Working On – USM Anywhere

    Product teams should be like restaurants with open kitchens.

    Rather than bring your next meal or software update from behind a mysterious curtain, we’d like to give you a sneak peek into what we’re up to. So here are a few things you can expect in an upcoming release:

    Improved Vulnerability Management: Enable you to better track vulnerabilities by being able to apply labels to show status, for instance, to indicate if a vulnerability is open or has been remediated.

    Predefined Views for PCI DSS: Assist organizations that need to comply with Payment Card Industry Data Security Standards (PCI DSS) by providing predefined views that map to specific requirements.

    Predefined Views for HIPAA: Enable organizations that need to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements by providing predefined views that map to specific requirements.

    Predefined Views for ISO 27002: Enable organizations that need to comply with International Organization for Standardization (ISO) requirements by providing predefined views
    that map to specific ISO27002 requirements.

    Predefined Views for CSC Top 20: Provide predefined views that map to specific Center for Internet Security Critical Security Controls (CSC) Top 20

    AWS RDS: Provide activity events related to the AWS Relational Database Service (RDS).

    Improved AlienVault Open Threat Exchange™ (OTX) Integration: Enable USM Anywhere to evaluate incoming Events against the latest Indicators of Compromise (IOCs) synchronized from your OTX account.

    Unauthenticated Vulnerability Scans: We plan to provide an alternative method of vulnerability scanning that works for cloud and on-premise environments.

    Improved Docker Container Support: USM Anywhere can currently collect logs from applications running within a Docker container in AWS deployed using the Amazon EC2 Container Service (ECS) using AWS CloudWatch to aggregate the logs from each container. But we are looking to improve our Docker support through a direct integration with the Docker API which will provide additional information about the containers themselves. 

    G Suite (formerly Google Apps) Integration: Allow you to monitor user activity in Google Apps including logins and file updates. (Delivered in the 2017-04-25 Update)

    Office 365 Integration: Allow you to monitor user activity in the Microsoft Office 365 suite of cloud applications, including Exchange, SharePoint, OneDrive, and Azure Active Directory. (Delivered in the 2017-04-04 Update)

    Alarm Notification Link to More Details: Support a link in alarm notification to a product page that you can login to for more details. (Delivered in the 2017-03-27 Update)

    Alarm Labels: Support better alarm management by allowing you to create and apply labels to indicate status or assignment. (Delivered in the 2017-03-27 Update)

    Improved Group Credentials: VMs and instances come and go in cloud environments, so we plan to make it easier to manage credentials for dynamic Asset Groups used for authenticated asset scans. This will enable automatic assignment of Asset Group credentials to Assets that join the Group after the credentials were assigned. (Delivered in the 2017-03-27 Update)

    Export Dashboards as Reports: Export dashboards as as HTML reports with custom descriptions. (Delivered in the 2017-02-20 Update)

    Support for Higher Tiers of Service: We released USM Anywhere with 2 tiers: 250GB and 500GB per month. As expected, we’re seeing demand for higher capacity so we plan to provide additional tiers beyond a TB. (Delivered in the 2017-02-13 Update)

    Improved Activity View Exports: Export custom Alarm, Asset, Event and Vulnerability table views as HTML reports with user-defined descriptions. (Delivered in the 2017-02-13 Update)

    Simplified Collection of Linux Host Logs using AWS CloudWatch: CloudWatch is a great way to streamline log collection in AWS. So, we’re going to be making it easier to collect Linux host logs using the osquery agent by automating the setup and configuration of agent install and configuration. (Delivered in the 2017-01-30 Update)

    Azure Windows Event Generation: We plan to add the ability to collect Azure Windows Events by enabling Azure Diagnostics through automatic discovery using the Azure Storage API. (Delivered in the 2017-01-19 Update)

    Azure Security Center Integration: We’re also extending our Azure capabilities by integrating with Azure Security Center, allowing USM Anywhere to produce Alarms from Security Center Alerts. (Delivered in the 2017-01-12 Update)


    AlienVault considers various features and functionality prior to any final generally available release. As such, comments given in this forum are not (nor should they be interpreted to be) a commitment from AlienVault that it will deliver any specific feature or, if it delivers such feature, any time frame when that feature will be delivered. AlienVault is always trying to improve and enhance its products. All discussions herein are based upon product team current interests, and product team plans and priorities can change at any time.
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: Week of May 7, 2017

    New Detection Technique - WannaCry

    WannaCry, also known as WannaCrypt, WanaCrypt0r 2.0 or wCry, is a new ransomware variant that utilizes the EternalBlue and DoublePulsar exploits to spread in a worm-like fashion. Researchers located a "kill switch" in the ransomware in the form of a domain lookup, which prevents the ransomware from running. Due to WannaCry's simplistic architecture, it has resulted in numerous copycat variants in the wild.

    We've updated the 'Malware Infection – Ransomware' correlation rule to detect WannaCry activity.

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6/

    New Detection Technique - Jaff

    Jaff is a new ransomware variant which is being distributed by the Necurs bonnet in a global malicious email campaign that peaked at nearly 5 million emails per hour. The emails contain a malicious PDF with an embedded DOCM file in the the macro script, which downloads and runs Jaff.

    We've updated the 'Malware Infection – Ransomware' correlation rule to detect Jaff activity.

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/59152852e159ed10ba8631ec/

    New Detection Technique - OSX/Proton

    OSX/Proton, the newest variant of the Proton family, has most recently been distributed via embedding in a popular piece of software called HandBrake. Upon execution, it displays a fake authentication popup in an attempt to elevate its privileges. Proton is currently being sold on the dark web for 40 BTC. 

    We've updated the 'Malware Infection – Trojan' correlation rule to detect OSX/Proton activity.

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/590eec86bde63467444719a4/

    New Detection Technique - Ransomware

    In the past week, we've seen an uptick in ransomware activity in the wild. 

    We've updated the 'Malware Infection – Ransomware' correlation rule to detect new Ransomware activity from FrozrLock and NewHT, as well as to better detect Cerber, Hidden-Tear, and Serpent. 

    New Detection Technique - Equation Group Leaks

    Shadow Brokers have leaked more of the Equation Group's hacking tools stolen from the NSA. The four-year-old exploits attempt to hijack critical Microsoft Windows systems, from Windows 2000 up through Server 2012 as well as Windows 7 and 8. The leaked files range from Windows exploits to tools for monitoring SWIFT interbank payments.

    We've updated multiple 'Vulnerable Software Exploitation – Microsoft Windows' correlation rules to detect the exploit activity from these tools.

    Microsoft/Adobe Patch Tuesday

    This week's updates include Microsoft/Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products. Multiple correlation rules were updated to detect this activity, covering the following CVE's:

    • CVE-2017-0221, CVE-2017-0227, CVE-2017-0228, CVE-2017-0234, CVE-2017-0236, CVE-2017-0238, CVE-2017-0240, CVE-2017-0259, CVE-2017-0263, CVE-2017-0266, CVE-2017-3069, CVE-2017-3070, CVE-2017-0171
    New Detection Techniques

    We have updated the following correlation rules as a result of recent exploit and malicious activity:

    • 'Malware Infection – Trojan,' 'Malware – Exploit Kit,' 'Exploit – Web Attack – Code Execution,' 'Exploit – Code Execution,' 'Exploit – Credentials Access,' ‘Exploit – Web Attack – Directory Traversal,' 'Exploit – Web Attack – Arbitrary File Upload,' and 'Exploit – Login Attempt.'
    Updated Detection Technique - Remote Access Tools

    The typical attack pattern starts by exploiting a vulnerability and then installing malware, which often includes a Remote Administration Toolkit (RAT) to gain control of the compromised machine.

    We've updated the 'Malware Infection – Remote Access Trojan' correlation rule to detect the exploit activity from these tools, including Babylon RAT and Netwire.

    Updated Detection Technique - Greenbug Ismdoor

    The Greenbug cyberespionage group was discovered by Symantec while investigating reports of a new attack in the Middle East targeting various companies in the government, aviation, investment, and energy sectors. The group uses a custom Remote Access Trojan (RAT) known as Ismdoor as well as additional hacking tools to steal sensitive credentials from the compromised organizations.

    We've updated the 'Malware Infection – Trojan' correlation rule to better detect this activity.

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/58862b1d066f9d7608a08593/

    Updated Detection Technique - Felismus

    Felismus is a recently-discovered piece of malware that appears to have been active for a number of months. Felismus is a modular malware that exhibits multiple techniques to hinder both analysis efforts and discovery of the content of its communications. Given that few samples are available in the wild, it is likely that Felismus is being used in targeted campaigns. It utilizes filenames mimicking that of Adobe's Content Management System and offers a range of commands typical of Remote Access Tools, including file upload, file download, file execution, and command execution.

    We've updated the 'Malware Infection – Trojan' correlation rule to better detect this activity.

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/58de8b5b7d7fda024f0080c6/

    Updated Detection Technique - DarkHotel

    The DarkHotel threat actor has been refining its malware and expanding its target demographic. DarkHotel continues to spear-phish and has recently incorporated Hacking Team's zero-day Flash exploit into some of its attacks.

    We have updated the 'Malware Infection – Trojan' correlation rule to better detect this activity.

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/57adbda96262900135dc3923/

    Updated Correlation Rules

    Additional correlation rules were updated as a result of recent malicious activity.