Home
%3CLINGO-SUB%20id%3D%22lingo-sub-104099%22%20slang%3D%22en-US%22%3EWhat%E2%80%99s%20new%20in%20the%20WDATP%20Portal%3F%20June%206th%202017%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-104099%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20color%3D%22%23993366%22%3E%3CSTRONG%3EAlert%20Suppression%20rules%20evolution%3C%2FSTRONG%3E%20%3C%2FFONT%3E%5BInternal%20Preview%5D%3CBR%20%2F%3EWe've%20created%20a%20new%20flow%20and%20added%20functionalities%20to%20the%20alert%20suppression%20feature.%20%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3EFrom%20an%20alert%2C%20you%20can%20create%20a%20new%20suppression%20rule.%20No%20longer%20will%20you%20choose%20all%20or%20nothing.%20You%20can%20now%20suppress%20alerts%20based%20on%20specific%20alert%20attributes%3A%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BFile%20hash%20%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BFile%20name%20-%20wild%20card%20supported%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BFile%20path%20-%20wild%20card%20supported%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BIP%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BURL%20-%20wild%20card%20supported%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3EThe%20feature%20supports%20two%20actions%20that%20will%20be%20enforced%20on%20the%20alerts%3A%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BAuto%20resolve%20-%20matching%20alerts%20will%20be%20resolved%20automatically%20and%20presented%20in%20the%20resolved%20section%20of%20the%20alerts%20queue%3CBR%20%2F%3E%E2%80%A2%26nbsp%3BHide%20-%20matching%20alerts%20will%20not%20be%20presented%20in%20the%20portal%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20637px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F22394i9C345FB46A6653B5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2250.png%22%20title%3D%2250.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CFONT%20color%3D%22%23993366%22%3E%3CSTRONG%3ENew%20suppression%20rules%20view%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3EWe've%20made%20the%20suppression%20rules%20tab%20more%20accessible%20and%20redesigned%20the%20suppression%20rules%20page%20so%20that%20you%20can%20see%20more%20details%20about%20the%20suppression%20rules%20and%20their%20scope.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F22395iDC6205A2146131F3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2251.jpg%22%20title%3D%2251.jpg%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23993366%22%3E%3CSTRONG%3ENew%20suppression%20rule%20page%3C%2FSTRONG%3E%20%3C%2FFONT%3E%3CBR%20%2F%3EWe've%20created%20a%20new%20suppression%20rule%20page%20where%20you'll%20be%20able%20to%20see%20additional%20details%20about%20the%20rule%2C%20such%20as%20the%20associated%20alerts%20that%20were%20hidden%20or%20auto%20resolved%20by%20this%20rule.%20The%20same%20page%20will%20also%20allow%20you%20to%20restore%20the%20alerts%2C%20disable%20or%20enable%20the%20rule.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F22397i5E93FAD3D7986986%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2252.jpg%22%20title%3D%2252.jpg%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23993366%22%3E%3CSTRONG%3ESIEM%20enhancements%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3ELogOnUsers%20exposed%20to%20SIEM%3C%2FSTRONG%3E%3CBR%20%2F%3EWe've%20exposed%20LogOnUsers%20data%20at%20time%20of%20the%20event%20to%20enrich%20the%20information%20sent%20to%20SIEM.%3CBR%20%2F%3EA%20new%20field%20LogOnUsers%20is%20now%20added%20to%20the%20alerts%20payload%20populated%20with%20the%20logon%20users%20and%20their%20domains%20at%20time%20of%20the%20alert.%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CSTRONG%3ESuppressed%20alerts%20will%20not%20be%20sent%20to%20SIEM%20tools%3C%2FSTRONG%3E%20%5BInternal%20Preview%5D%3CBR%20%2F%3EWe've%20fixed%20the%20issue%20of%20suppressed%20alerts%20being%20sent%20to%20SIEM%20tools.%20Suppressed%20alerts%20will%20no%20longer%20be%20sent%20to%20SIEM%20tools.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CSTRONG%3ENew%20ArcSight%20mapping%20file%3C%2FSTRONG%3E%3CBR%20%2F%3EWe've%20updated%20the%20mapping%20file%20between%20our%20schema%20and%20ArcSight%20fields%20to%20help%20you%20get%20the%20most%20out%20of%20the%20data%20exposed%20in%20the%20alerts%20API.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3ENew%20mapping%20file%20is%20available%20for%20download%20from%20the%20portal%3A%3CBR%20%2F%3EPreferences%20setup%20-%26gt%3B%20SIEM%20integration%20-%26gt%3B%20Choose%20HP%20ArcSight%20-%26gt%3B%20Save%20details%20to%20file.%20%3CBR%20%2F%3EIn%20the%20downloaded%20.zip%20file%2C%20you%20will%20find%20the%20new%20mapping%20in%20the%20WDATP-Connector.jsonparser.properties%20file.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23993366%22%3E%3CSTRONG%3EAlert%20process%20tree%20enhancements%3C%2FSTRONG%3E%20%3C%2FFONT%3E%5BInternal%20Preview%5D%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDecode%20PowerShell%20encoded%20commands%3C%2FSTRONG%3E%3CBR%20%2F%3EYou%20can%20now%20see%20the%20decoded%20PowerShell%20encoded%20commands%20in%20the%20side-pane%20of%20relevant%20processes.%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20492px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F22398i442C6E6F46E73798%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2253.jpg%22%20title%3D%2253.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ELeaner%20%26amp%3B%20meaner%20process%20tree%3C%2FSTRONG%3E%3CBR%20%2F%3EThe%20alert%20process%20tree%20now%20goes%20up%20the%20attack%20chain%20showing%20processes%20and%20actions%20that%20were%20previously%20not%20visible%2C%20while%20showing%20fewer%20irrelevant%20processes.%3CBR%20%2F%3ETo%20clean-up%20the%20process%20tree%2C%20we%20no%20longer%20show%20children%20of%20known%20root%20processes%20(such%20as%20svchost.exe)%20if%20they%20are%20not%20associated%20with%20the%20alert.%3CBR%20%2F%3EThis%20enables%20us%20to%20show%20instead%20more%20events%20that%20are%20interesting.%20One%20of%20the%20changes%20that%20were%20done%20is%20to%20extend%20the%20time%20period%20displayed%20in%20the%20alert%20process%20tree%20from%2020%20minutes%20to%20up%20to%201.5%20hours.%20Another%20change%20includes%20showing%20process%20trees%20that%20were%20previously%20not%20shown%2C%20if%20they%20are%20related%20to%20the%20detected%20process%20trees.%20In%20the%20example%20below%2C%20we%20now%20also%20show%20the%20download%20of%20the%20malicious%20doc%2C%20although%20it's%20in%20a%20different%20tree%20than%20the%20one%20initially%20detected.%20Finally%2C%20we%20now%20display%20click-on-links%20from%20outlook%2C%20word%20and%20other%20programs%20-%20when%20they%20are%20done%20right%20before%20a%20browser%20download%20that%20is%20related%20to%20the%20alert.%3CBR%20%2F%3E%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20978px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F19735i5A4BA7FD0435B30D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2224.jpg%22%20title%3D%2224.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Alert Suppression rules evolution [Internal Preview]
We've created a new flow and added functionalities to the alert suppression feature.
 
From an alert, you can create a new suppression rule. No longer will you choose all or nothing. You can now suppress alerts based on specific alert attributes:
• File hash
• File name - wild card supported
• File path - wild card supported
• IP
• URL - wild card supported
 
The feature supports two actions that will be enforced on the alerts:
• Auto resolve - matching alerts will be resolved automatically and presented in the resolved section of the alerts queue
• Hide - matching alerts will not be presented in the portal

 

50.png

New suppression rules view
We've made the suppression rules tab more accessible and redesigned the suppression rules page so that you can see more details about the suppression rules and their scope.


51.jpg

New suppression rule page
We've created a new suppression rule page where you'll be able to see additional details about the rule, such as the associated alerts that were hidden or auto resolved by this rule. The same page will also allow you to restore the alerts, disable or enable the rule.


52.jpg

SIEM enhancements
LogOnUsers exposed to SIEM
We've exposed LogOnUsers data at time of the event to enrich the information sent to SIEM.
A new field LogOnUsers is now added to the alerts payload populated with the logon users and their domains at time of the alert.

Suppressed alerts will not be sent to SIEM tools [Internal Preview]
We've fixed the issue of suppressed alerts being sent to SIEM tools. Suppressed alerts will no longer be sent to SIEM tools.

New ArcSight mapping file
We've updated the mapping file between our schema and ArcSight fields to help you get the most out of the data exposed in the alerts API.

New mapping file is available for download from the portal:
Preferences setup -> SIEM integration -> Choose HP ArcSight -> Save details to file.
In the downloaded .zip file, you will find the new mapping in the WDATP-Connector.jsonparser.properties file.


Alert process tree enhancements [Internal Preview]

Decode PowerShell encoded commands
You can now see the decoded PowerShell encoded commands in the side-pane of relevant processes.
53.jpg

Leaner & meaner process tree
The alert process tree now goes up the attack chain showing processes and actions that were previously not visible, while showing fewer irrelevant processes.
To clean-up the process tree, we no longer show children of known root processes (such as svchost.exe) if they are not associated with the alert.
This enables us to show instead more events that are interesting. One of the changes that were done is to extend the time period displayed in the alert process tree from 20 minutes to up to 1.5 hours. Another change includes showing process trees that were previously not shown, if they are related to the detected process trees. In the example below, we now also show the download of the malicious doc, although it's in a different tree than the one initially detected. Finally, we now display click-on-links from outlook, word and other programs - when they are done right before a browser download that is related to the alert.
24.jpg