Released on : 25 January 2021
Applies to Version : 9.3 Build 5
Download

Summary
EventTracker Service Pack 1 for v9.3 Build 5

New Features

  • Offer EventTracker Endpoint Security - a deep-learning-based, fully managed endpoint threat protection solution as an add-on to our EventTracker Essentials or EventTracker Enterprise offering, or as a standalone managed service.
  • Integrate EventTracker Threat Center as an IP address reputation provider. Configuration-Guide
  • Provide Two-factor Authentication (2FA) using the Google Authenticator application as an added layer of security. Configuration-Guide
  • Updated EventTracker platform to support the automatic updating of EventTracker Sensors.
  • MITRE ATT&CK Rules - Improvement to MITRE ATT&CK framework integration that enables permitted/exclusion (filtering) lists for MITRE ATT&CK techniques. Configuration-Guide
  • Threat Protection Performance Report - A business value report, designed for MSP/MSSP users, that will provide our partners with a means to convey key cybersecurity and compliance metrics to their customers in an easy-to-digest manner

New Enhancement

  • New and improved system selection interface in MITRE ATT&CK dashboard.User Guide
  • New and improved system selection interface in Log Search and Report configuration.User Guide
  • Enhancement in Syslog Receiver to extract Device ID/Name and assign Device type.User Guide
  • Add filter for Anomalous Login Detection to reduce false positives.Configuration Guide
  • Enhancements in event transfer protocol for windows and syslog messages to improve the overall throughput of the sensor.
  • Collection Master Performance Improvements - Improves the performance of the Incidents and My dashboard modules.
  • Performance improvements in Machine learning.
  • Performance improvements in Incident bulk acknowledgement.
  • Performance enhancements in Cab detail storage via SQL partitioning.
  • Performance improvements when search is performed for entire group(s).
  • Implement database shrinking and diagnostic warning for database exceeding threshold limit.
  • Provide installation status (Success or Failure) in the screen that lists applied product updates.
  • Provide private IP address and public IP address support for Anomalous Login Detection.
  • Onboarding UI - Option provided to send the report from CP to CM.
  • Enhancements in Eventvault UI.
  • Enhancements in cases created from incidents.
  • Adding filter to ignore all syslog events from IP address activity ML job.
  • Enhancement in checking health status in EventTracker Elasticsearch indexer service.
  • Support for regular expression in EventTracker agent filters.
  • Diagnostic changes to handle the Elasticsearch cluster health checkup.
  • Provide octet count framing in syslog over TCP/TLS (RFC 5425 compliant).
  • Enhancements in Security and Compliance report – Only 100 records in HTML.
  • Incidents email to contain notes/comments.
  • Provide bulk deletion support for groups (groups cannot be deleted if systems are mapped).
  • Added the parent process hash field to Event description of 3524 and 3519.
  • Added the reason field to Event description for events 3524 and 3519.
  • Generate event when hash is auto approved.
  • Based on the configuration, send/forward the safe and unsafe list to sensors.
  • Based on the configuration, move the Pending Analyst Review data to research process.
  • Generate unique event 3524 per new process observed at sensor level.
  • Changes in Configuration synchronization from Manager to Agent is based on registry key.
  • Enabling “Archiver at group level” flag will enable group level flag in EDR database.
  • Included source description in Event ID 8028.
  • Support for new system type enumerations in TrapTracker.

Bug Fixes

  • Fix for the issue where MITRE ATT&CK indexing was failing for few new rules.
  • Fix for the issue where duplicate port number was showing in Log Volume widget in Home dashboard.
  • Fix for the issue where Collection Master was crashing when configured report name is long.
  • Fix for the issue where Alert short description was getting wrongly updated during CP to CM transfer in a rare condition.
  • Fix for the issue where archived cabs were getting stored with virtual group name in a rare condition.
  • Fix for issue where user is unable to redirect to EDR.
  • Event computer detail is missing for dormant generated events 2074, 2075 and 2076.
  • Working icon keeps on displaying once user exports the data from Machine Learning Trend page.
  • In Email incident, Message text field is blank for a CP incident in CM console.
  • Syslog over TLS receiver memory leak.
  • Fix for the issue where CP to CM report transfer getting failed when file name is wrong/empty in database or file is not present in physical location.
  • Fix for the issue where .ec2 cache buildup was happening if Archiver at group level is enabled and group name is having leading or trailing space character.
  • Fix where anomaly activity event getting generated on behalf of non-reporting system where Machine Learning group level is enabled.
  • Fix for HTML formatting issue in Logon banner.
  • Fix for News URL redirection.
  • Fix for the issue where alert short description was not getting transferred from CP to CM.
  • Fix for Office 365 integration memory leak issue.
  • Fix for the issue where Report Dashboard takes more time to load for Non-Admin user.
  • Fix for the issue where audit log writes the wrong information while deleting an Alert.
  • Fix for the issue where Elastic indexer is crashing if duplicate system name exists in System Group Master.
  • Fix for the issue where some part of the description is getting deleted when the Alert Event description contains Regex.
  • Fix for the issue where system name comes with special character.
  • Fix for the issue where agent deployment is failing from system manager.
  • TLS 1.2 support for EventTracker (fix for ConnectWise and IT Glue integrations)
  • Tearaway window to show data for CP–CM.
  • Fix for the issue where backlog was getting created in Elasticsearch cab indexing when IPV6 messages are received.
  • Fix for the issue where source/destination IP address and port indexing were not happening in IPV6/IPV4 messages.
  • Fix for the issue where incident is getting failed to update in the Database.
  • Fix for the issue where event description format was lost in incident tabular view.
  • Fix for the issue in compliance dashboard to address different screen resolutions.
  • Fix for the issue where log search comes no result even if the data is available for few techniques which constructs Lucene query with other platforms.
  • Incorrect duration passed from MITRE dashboard to log search.
  • Unable to show data in detail page for Windows Audit Policy and Acct Mgt rule when machine learning at group level is enabled.
  • Width is removed from description column in incident tabular view.
  • Fix for the casebook related issues for non-admin users in case of friendly CP name.
  • Fix for the issue where Critical Potential Breach remedial action script was failing to run when PowerShell SQL 32-bit module was not available.
  • Fix for the issue where log parser fails to add system type when the cabs are getting created through the external DLA.
  • Syslog port crashes when syslog LFM (relay) is configured with wrong pattern regex.
  • Fix for the issue where server license count was incorrectly shown for Windows Server OS 2016 and 2019.
  • Fix for the issue where TLS receiver was not handling the AWS forwarded log from an integrator.
  • Fix for the issue where Manager Direct log archiver configuration window fails to open.
  • Fix for the issue where summary data is unable to show in Excel viewer for Flex report.
  • Fix for the issue where Elastic data indices are not purging when license for MITRE ATT&CK feature is not enabled.
  • Fix for the data export issue in Incident tiles dashboard.
  • Fix for the issue where Machine learning was capturing the incorrect IP address data.
  • Fix for the issue where cache data getting copied to default path even though custom location is configured if it fails to read the path from database.
  • Fix for the issue where jet.tmp files are getting retained after temporary MDB operation.
  • Fix for the issue where offline archives are not getting updated as DLA where cache MDB has multiple days data.
  • Fix for the reporter service getting struck in rare condition.
  • MITRE ATT&CK Dashboard - Included/Excluded technique ID filter is not getting cleared until session is closed.
  • MITRE ATT&CK Dashboard - Cookie related issues are fixed in google chrome browser.
  • MITRE ATT&CK Dashboard - System tree doesn't load the system list properly when user perform multiple actions on refresh button.
  • MITRE ATT&CK Dashboard - Group/System selection tree displays "No Records" for a profile users when there is an empty system in a group.

Who should read this document
Customers who use 9.3 Build 5

Severity
Medium

Affected software
EventTracker Web,EventTracker Reports, EventTracker Agent, EventTracker Alerter, EventTracker Daemon, EventTracker Elasticsearch Indexer, EnterpriseActivity, EventTracker EventVault, EventTracker Receiver, EventTracker Remote Installer

Non-affected software
EventTracker Scheduler, Event Correlator

Process to apply Update

  1. Download Update
  2. Place the Update ET93U21-043.exe in the destination computer.
  3. Execute the exe.