Release notes for 4.1.0 release

CrossRealms · Jul 14, 2023 · ab6acb2 · ab6acb2
1 parent 3ba4393
commit ab6acb2
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 51 deletions.
diff --git a/docs/install_configure/configuration.md b/docs/install_configure/configuration.md
@@ -16,7 +16,7 @@ For optimal performance, it is recommended to enable the data model acceleration
 |--------|--------|-------------|
 | Endpoint | 7 days (Minimum) |
 | Network Traffic | 7 day (Minimum) |
-| Authentication | 1 month (Minimum) |
+| Cyences_Authentication | 1 month (Minimum) |
 | Network Resolution (DNS) | 7 day (Minimum) |
 | Cyences_Vulnerabilities | 1 month (Minimum) |
 | Cyences_Assets |  1 month (Minimum) |

diff --git a/docs/release_notes/old_release_notes.md b/docs/release_notes/old_release_notes.md
@@ -7,6 +7,75 @@ parent: Release Notes
 ---
 
 
+
+
+## Version 4.0.0 (June 2023)
+
+* ### Notable Event Assignment
+    * User can assign notable events to the user on Splunk for further investigation of the incident. User can also update the status of the notable event based on the investigation phase.
+    * Added the new SOC Dashboard to get overview of notable events by the alert, assignee, status and severity.
+    * Updated Overview dashboard to filter the result based on the Status value.
+
+![alt]({{ site.baseurl }}/assets/notable_event_assignment.png)
+
+* ### New Cyences Settings Page
+    * Users can use Cyences' new App Configuration page to customize the dashboards they want to see/hide and the alerts they want to enable/disable.
+    * The new Cyences App Configuration page also allows you to see if the data-source configuration (index macro) is accurate and if your Splunk environment has data for it or not and modify the configuration if required.
+    * All the old configurations (Cyences default email configuration, Macro Setup, Sophos endpoint data collection creds, etc) are migrated to the new Cyences App Configuration Page.
+
+![alt]({{ site.baseurl }}/assets/data_source_macros.png)
+
+* ### Alerts for Logins from Unusual Country
+    * O365 - Login Failure From Unusual Country Due To Multi Factor Authentication
+    * O365 - Successful Login From Unusual Country
+    * Authentication - Successful VPN Login From Unusual Country (Enhanced)
+
+* ### Added "Vulnerability - Detected Vulnerabilities" alert and updated overview dashboard to show Vulnerability related notable event count. 
+
+* ### Enhancements
+    * Enhanced MultiSelect functionality
+        * MultiSelect input will automatically select/unselect All option based on the user selection in all the dashboards.
+
+    * Support for email messagetrace event using Splunk Add-on for Office 365. 
+        * Updated Email related alerts to support email messagetrace event collected using Splunk Add-on for Office 365..
+
+    * Reduced severity level for the already blocked events for Palo High Threat alert.
+
+    * Windows - Windows Process Tampering Detected alert
+        * Added internal filter macro to reduce the false positives.
+
+    * Added ApplicationId field in the all O365 Login related alerts.
+
+    * Improved "O365 - Login From Unknown User" alert to consider both Unknown and "Not Available" user values.
+
+    * Improved "O365 Daily Login Failure" alert readability.
+
+    * Excluded TriggerBrowserCapabilitiesInterrupt error events from "O365 - Daily Login Failure" alert to reduce false positives.
+        * More information for the error: https://login.microsoftonline.com/error?code=501314
+
+    * Improved severity logic for "Email - Hourly Increase In Emails Over Baseline" alert to reduce false positives.
+
+* ### Bug Fixes
+    * Fixed minor issue in the DNS Tracker dashboard for zero event.
+
+    * Fixed windows decommissioned host reappearing issue.
+
+    * Fixed "Windows Defender RealTime Protection Disabled or Failed" alert search query.
+
+    * Fixed severity inconsistency between alert and overview dashboard for antivirus service stop alerts.
+
+    * Fixed Cyences logo issue.
+
+
+## Upgrade Guide from 3.1.0 to 4.0.0
+
+* ### Cyences Settings
+    * Go through the [Cyences App Configuration]({{ site.baseurl }}/install_configure/configuration/#products-setup-data-source-macros) and make required changes
+
+    * The "Microsoft 365 Defender Add-on for Splunk" is deprecated. Use "Splunk Add-on for Microsoft Security" addon for O365 Defender ATP data collection. 
+
+
+
 ## Version 3.1.0 (March 2023)
 
 * ### Monitor Linux Groups & Users (Linux/Unix)

diff --git a/docs/release_notes/release_notes.md b/docs/release_notes/release_notes.md
@@ -9,67 +9,33 @@ has_children: true
 # Release Notes
 
 
-## Version 4.0.0 (June 2023)
+## Version 4.1.0 (July 2023)
 
-* ### Notable Event Assignment
-    * User can assign notable events to the user on Splunk for further investigation of the incident. User can also update the status of the notable event based on the investigation phase.
-    * Added the new SOC Dashboard to get overview of notable events by the alert, assignee, status and severity.
-    * Updated Overview dashboard to filter the result based on the Status value.
+* ### Added "Network Compromise - DDoS Behavior Detected" new alert.
 
-![alt]({{ site.baseurl }}/assets/notable_event_assignment.png)
+* ### Enhancements  
+    * Improved all the O365 Login related alerts and dashboards to show more information using the O365 Audit Signin Logs.
 
-* ### New Cyences Settings Page
-    * Users can use Cyences' new App Configuration page to customize the dashboards they want to see/hide and the alerts they want to enable/disable.
-    * The new Cyences App Configuration page also allows you to see if the data-source configuration (index macro) is accurate and if your Splunk environment has data for it or not and modify the configuration if required.
-    * All the old configurations (Cyences default email configuration, Macro Setup, Sophos endpoint data collection creds, etc) are migrated to the new Cyences App Configuration Page.
+    * Enhanced "Windows - Windows Process Tampering Detected" alert to show the source process details that tempered the process.
 
-![alt]({{ site.baseurl }}/assets/data_source_macros.png)
+    * Updated field order in the Digest Email to show notable_event_id field as last column.
 
-* ### Alerts for Logins from Unusual Country
-    * O365 - Login Failure From Unusual Country Due To Multi Factor Authentication
-    * O365 - Successful Login From Unusual Country
-    * Authentication - Successful VPN Login From Unusual Country (Enhanced)
+    * Improved cyences_severity logic for "Ransomware - Calculate UpperBound for Spike in File Writes" alert.
 
-* ### Added "Vulnerability - Detected Vulnerabilities" alert and updated overview dashboard to show Vulnerability related notable event count. 
+    * Added raw filter macro for "Network Compromise - Basic Scanning" alert.
 
-* ### Enhancements
-    * Enhanced MultiSelect functionality
-        * MultiSelect input will automatically select/unselect All option based on the user selection in all the dashboards.
-
-    * Support for email messagetrace event using Splunk Add-on for Office 365. 
-        * Updated Email related alerts to support email messagetrace event collected using Splunk Add-on for Office 365..
+    * Enhanced "Email - Hourly Increase In Emails Over Baseline" alert to show domain wise recipient information.
 
-    * Reduced severity level for the already blocked events for Palo High Threat alert.
+    * Improved "Linux - User Added/Updated/Deleted" and "Linux - Group Added/Updated/Deleted" alerts to show exact changes detail.
+        * Deprecated "Linux - Change in Sudo Access of Local Linux Account" alert.
 
-    * Windows - Windows Process Tampering Detected alert
-        * Added internal filter macro to reduce the false positives.
-
-    * Added ApplicationId field in the all O365 Login related alerts.
-
-    * Improved "O365 - Login From Unknown User" alert to consider both Unknown and "Not Available" user values.
-
-    * Improved "O365 Daily Login Failure" alert readability.
-
-    * Excluded TriggerBrowserCapabilitiesInterrupt error events from "O365 - Daily Login Failure" alert to reduce false positives.
-        * More information for the error: https://login.microsoftonline.com/error?code=501314
-
-    * Improved severity logic for "Email - Hourly Increase In Emails Over Baseline" alert to reduce false positives.
+    * Updated threshold value for the "Network Compromise - Basic Scanning" alert.
 
 * ### Bug Fixes
-    * Fixed minor issue in the DNS Tracker dashboard for zero event.
-
-    * Fixed windows decommissioned host reappearing issue.
-
-    * Fixed "Windows Defender RealTime Protection Disabled or Failed" alert search query.
-
-    * Fixed severity inconsistency between alert and overview dashboard for antivirus service stop alerts.
-
-    * Fixed Cyences logo issue.
-
+    * Fixed fetching first 50 records multiple times issue for sophos endpoint custom command.
 
-## Upgrade Guide from 3.1.0 to 4.0.0
+    * Fixed the permission issue to allow normal user to use notable event assignment functionality.
 
-* ### Cyences Settings
-    * Go through the [Cyences App Configuration]({{ site.baseurl }}/install_configure/configuration/#products-setup-data-source-macros) and make required changes
 
-    * The "Microsoft 365 Defender Add-on for Splunk" is deprecated. Use "Splunk Add-on for Microsoft Security" addon for O365 Defender ATP data collection. 
+## Upgrade Guide from 4.0.0 to 4.1.0
+    * New Cyences_Authentication Data model is added. User should accelerate Cyences_Authentication with minimum 1 month period to improve search performance.