
Plugins Feed Update - July 17, 2018

Posted by AVPlugins (AlienVault Employee), 2018-07-17

USM Appliance Plugins Feed Release Notes

Warning: this plugin feed release requires AlienVault USM Appliance 5.1 or later.
New plugins available
  • Added new plugin for Arcon Arcos (arcos).
  • Added new plugin for SoftEther VPN Project (softether).

HIDS rules and decoders

(See: How to enable new HIDS rules.)
  • Added new rules that generate an alarm for each access mask value of Windows file-access events.
  • Updated the Windows USB rules to change the wmic command they run.

Issues fixed

  • Updated SecureAuth (secureauth) plugin to support new log format.
  • Updated HP Switch (hp-switch) plugin to parse logs that were matching the generic rule.
  • Updated Cylance CylancePROTECT (cylance) plugin to handle new fields.
  • Updated Cisco Router (cisco-router) plugin to parse username for SYS events.
  • Updated Check Point FireWall (fw1-alt) plugin to add a missing SID and to support new logs.
  • Updated Huawei IPS (huawei-ips) plugin to match new logs.
  • Updated AlienVault-HIDS (ossec-single-line) plugin to support the new wmic command and to parse the new log format.
  • Updated zScaler Nanolog (zscaler) plugin to support new log format.
  • Updated Peplink Balance Multi-WAN Router (peplink-balance) plugin to parse new log lines.


Comments

  • Since this plugin feed update, many of our machines are being inundated with:

    AlienVault HIDS: FIM: Windows file access with the right to write file attributes. (DS 7006/EVE 12020)
    AlienVault HIDS: FIM: Windows file access with the right to read file data (or list directory). (DS 7006/EVE 12014)

    How can we prevent, or at least limit, these new messages and prevent future updates from overwhelming the SIEM?
  • Hi, thanks for the comment!
    You could just disable alienvault-windows-FIM_rules, or edit it and set those noisy events to level 0; they will then not generate alarms, and hence no events.
    If the issue persists we could create a ticket and try to find a better solution.
    Regards!
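As an added, runnable illustration of the level-0 approach suggested in the reply above (this is not AlienVault's code; the rule ids, descriptions and match conditions in the sample rule file are hypothetical stand-ins for entries in alienvault-windows-FIM_rules.xml, not the real ones): the script copies the noisy rules into an OSSEC local-rules override with level="0" and overwrite="yes", refuses to emit an override for an id that does not exist in the base file, and then computes the effective level at which each sample access-mask value would alert. The caveat it encodes is that overwrite="yes" replaces the whole rule definition, so the override must carry the original match conditions (if_sid, field), not just the new level.

```python
"""Silence noisy OSSEC/AlienVault HIDS rules by overriding them at level 0.

Added example, not AlienVault code. BASE_RULES_XML is a constructed stand-in
for alienvault-windows-FIM_rules.xml: the rule ids (1801xx), descriptions and
match conditions are hypothetical.
"""
import copy
import re
import xml.etree.ElementTree as ET

# Constructed sample rule file (hypothetical ids and conditions). It mimics the
# shape of a per-access-mask FIM rule set: one grouping rule for Windows event
# 4663 and one child rule per access-mask value.
BASE_RULES_XML = """<group name="windows,fim,">
  <rule id="180100" level="0">
    <id>^4663$</id>
    <description>Windows file access audit event (grouping rule)</description>
  </rule>
  <rule id="180101" level="5">
    <if_sid>180100</if_sid>
    <field name="accessMask">^0x1$</field>
    <description>FIM: Windows file access with the right to read file data (or list directory).</description>
  </rule>
  <rule id="180102" level="5">
    <if_sid>180100</if_sid>
    <field name="accessMask">^0x100$</field>
    <description>FIM: Windows file access with the right to write file attributes.</description>
  </rule>
  <rule id="180103" level="8">
    <if_sid>180100</if_sid>
    <field name="accessMask">^0x10000$</field>
    <description>FIM: Windows file access with the right to delete.</description>
  </rule>
</group>
"""


def parse_rule_levels(xml_text):
    """Return {rule_id: level} for every <rule> element in an OSSEC rule file."""
    root = ET.fromstring(xml_text)
    return {int(r.get("id")): int(r.get("level")) for r in root.iter("rule")}


def build_override(base_xml, noisy_ids):
    """Produce local_rules.xml content that forces the given rule ids to level 0.

    OSSEC's overwrite="yes" replaces the original rule definition entirely, so
    each override is a full copy of the original rule (if_sid, field, ...) with
    only the level changed. Unknown ids are rejected up front: an override for
    an id that does not exist in the base file would not quiet anything.
    """
    root = ET.fromstring(base_xml)
    by_id = {int(r.get("id")): r for r in root.iter("rule")}
    missing = sorted(set(noisy_ids) - set(by_id))
    if missing:
        raise ValueError("rule ids not found in base rule file: %s" % missing)
    group = ET.Element("group", name="local,windows,fim,")
    for rid in sorted(noisy_ids):
        rule = copy.deepcopy(by_id[rid])
        rule.set("level", "0")
        rule.set("overwrite", "yes")
        group.append(rule)
    return ET.tostring(group, encoding="unicode")


def effective_levels(base_xml, override_xml):
    """Levels after OSSEC has loaded the base file and then the override file."""
    levels = parse_rule_levels(base_xml)
    levels.update(parse_rule_levels(override_xml))
    return levels


def alert_level_for(base_xml, levels, access_mask):
    """Level of the first child rule whose accessMask pattern matches the value.

    Mirrors OSSEC's first-match-wins evaluation of sibling rules; a value that
    matches nothing, or only a level-0 rule, produces no alert and therefore
    no event in the SIEM.
    """
    root = ET.fromstring(base_xml)
    for rule in root.iter("rule"):
        field = rule.find("field")
        if field is None or field.get("name") != "accessMask":
            continue
        if re.search(field.text, access_mask):
            return levels[int(rule.get("id"))]
    return 0


if __name__ == "__main__":
    NOISY = {180101, 180102}  # stand-ins for the two rules flooding the SIEM
    override = build_override(BASE_RULES_XML, NOISY)
    print(override)
    levels = effective_levels(BASE_RULES_XML, override)
    for mask in ("0x1", "0x100", "0x10000"):
        lvl = alert_level_for(BASE_RULES_XML, levels, mask)
        print(mask, "->", "alert level %d" % lvl if lvl else "silenced (level 0)")
```

The printed `<group>` is what would go into the OSSEC local rules file (the standard OSSEC location is /var/ossec/rules/local_rules.xml, which ossec.conf includes after the shipped rule files; the exact layout on a given USM Appliance is an assumption to verify), followed by an OSSEC restart. Because the override is a full copy of the original rule, a later feed update that changes the shipped rule's conditions will not be reflected in the override, so re-run the comparison after each feed update rather than assuming the silenced ids still line up.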
