Improved display of “Observed Data” on alert page
Work on the detail page of an alert continued, always with the aim of facilitating the analysis of an alert and minimizing the presence of « noise » on the page.
Differentiated display according to the types of SCO (STIX Cyber-observable Objects)
The objects (SCO) that make up an « Observed Data » now have a separate display according to their type. Thus, an object of type network-traffic is better laid out and some extensions, such as http-request-ext, are displayed in a more readable way.
Display of raw events formatted in JSON
It is now possible to display the raw events in a dedicated window from the display of an «Observed Data». If the raw event is in JSON format, then the latter is formatted to make it easier to read.
Adding and modifying « Alert Filters »
When developping detection rules, it is now possible to add and modify « Alert Filters ». These filters, written in STIX patterning, make it possible to prevent the raising of alerts when certain criteria are met by an « observed data ». In the example below, the rule is used to raise an alert as soon as network traffic is detected by sysmon and the « alert filters » are used to indicate which are the legitimate processes to carry network traffic, for which there must be no raised alert.
You can now activate two-factor authentication to strengthen the security of your user account on SEKOIA.IO. All you have to do is go to the management page of your user account (accessible by clicking on the icon at the top right of the application, choose 'Settings'). As a second factor of authentication, you can use a TOTP (time-based one-time password) application such as Google Authenticator, Authy, LastPass Authenticator or 1Password.