Evident Updates - July 11, 2018 (and prior)

Created On 09/26/18 13:44 PM - Last Modified 06/08/23 00:51 AM


Resolution


Weekly Scheduled Deploy - July 11 2018

 

The following updates are scheduled to take effect on the Evident service on 7/11/2018:

 

Enhancements

  • New Signature: AWS:EC2-043 - Security Groups With Open Private CIDRs. Description: This signature checks all of your EC2 security groups and returns an alert if any inbound rules are found that allow access from the IP address ranges specified in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Risk: Low
  • New Signature: AWS:EC2-044 - EC2 Instance Scheduled Events. Description: This signature checks whether your Amazon EC2 instances have a supported scheduled event. If the AWS scheduled event is more than 7 days away, it triggers a Warning. If the AWS scheduled event is planned for within 7 days, this signature triggers a FAIL alert. Risk: Medium
  • New Signature: AWS:EFS-001 - EFS Encryption Enabled. Description: This signature checks your elastic filesystems to verify that encryption is enabled and triggers an alert if it is not. Risk: Medium
  • New Signature: AWS:ELB-011 - Network Load Balancer Global Admin Port. Description: This signature triggers an alert when global permission is defined on a range of ports, grants access to one or more administrative ports, and is detected in a security group that could be circumvented by a Network Load Balancer. Risk: High
  • New Signature: AWS:ELB-012 - ELB (Classic) Cross-Zone Load Balancing. Description: This signature checks all of your Classic Load Balancer nodes for cross-zone load balancing and triggers an alert if you have one that isn't properly configured. Risk: Low
  • New Signature: AWS:IAM-020 - IAM SSL Server Certificates Check. Description: This signature checks all SSL server certificates stored in AWS IAM to verify that they are up to date and triggers an alert if they are not. Risk: Medium
  • New Signature: AWS:IAM-021 - Deprecated IAM Managed Policies in Use. Description: This signature checks for any usage of deprecated AWS IAM managed policies and returns an alert if it finds one in your cloud resources. Risk: High
  • New Signature: AWS:ELB-009 - ELB (Classic) Connection Draining. Description: This signature scans all Classic Load Balancer requests and returns an alert if the instance is de-registering or unhealthy. Risk: High
  • New Signature: AWS:RDS-010 - RDS Instance Multi-AZ Enabled. Description: This signature checks all RDS instances for Multi-AZ settings and generates a FAIL alert if RDS is not deployed in Multi-AZ. Risk: Medium
  • New Feature: Scheduled Signature Export. Description:
  • New Feature: New Dashboard (Beta). Description: The Evident Programmable Dashboard now empowers you to choose exactly what threat data you want to see. You can select from a range of data visualizations and custom filters.
  • New Feature: Scan interval updates. Description: Users may now schedule report intervals for times that best suit their business needs.
  • New Feature: Azure Upgrade
  1. Azure regional names on the ESP Dashboard were edited for clarity and readability.
  2. To avoid readability issues, channel group names now trim leading spaces.
  3. Reports now cannot be created until 5 minutes have passed since the last one, to avoid spam.
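The AWS:EC2-043 check described above, as an added example that is not Evident's own signature code: it walks security groups in the shape returned by EC2 DescribeSecurityGroups (IpPermissions / IpRanges / CidrIp) and flags inbound rules whose source CIDR lies inside an RFC 1918 block. The sample groups and their ids are constructed; a 0.0.0.0/0 source is deliberately not matched here, on the assumption that globally open rules are covered by separate signatures.

```python
import ipaddress

# RFC 1918 private IPv4 blocks, as listed in the AWS:EC2-043 description.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_cidr(cidr):
    """True if the IPv4 CIDR lies entirely inside one RFC 1918 block.

    IPv6 ranges and unparsable strings return False; 0.0.0.0/0 also
    returns False because it is not a subnet of any private block.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def find_private_inbound_rules(security_groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for every
    inbound rule sourced from an RFC 1918 range.

    `security_groups` mirrors the 'SecurityGroups' list of the EC2
    DescribeSecurityGroups response; only IPv4 CidrIp entries are examined,
    so rules that reference another security group are skipped.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo = perm.get("FromPort", "all")   # absent for IpProtocol "-1"
            hi = perm.get("ToPort", "all")
            for rng in perm.get("IpRanges", []):
                cidr = rng.get("CidrIp", "")
                if is_private_cidr(cidr):
                    findings.append((sg["GroupId"], proto, lo, hi, cidr))
    return findings


# Constructed sample input (group ids and rules are made up for the example).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa1111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0bbb2222", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "192.168.1.0/24"},
                      {"CidrIp": "172.32.0.0/16"},   # just outside 172.16/12
                      {"CidrIp": "203.0.113.0/24"}]},
    ]},
]

if __name__ == "__main__":
    for gid, proto, lo, hi, cidr in find_private_inbound_rules(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} from private range {cidr}")
```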

 

Bugs

  • Addressed a problem with Signature AWS:IAM-004 not picking up the "Disable MFA" events for User Attribution data.
  • Corrected a known issue where an organization was not deleted when it had only one user and that user had self-deleted their account.
  • Revised Signature AWS:CLT-004 to address missing metadata information.
  • Resolved an issue with the S3 signatures (AWS:SSS-010 to AWS:SSS-013) not processing all of the buckets on the list and generating additional alerts.
  • Fixed a problem where signature AWS:RDS-001 checked RDS reader replicas when it should not.
  • Addressed a bug where AWS:CLT-006 and AWS:SSS-003 sporadically generated an AuthorizationHeaderMalformed error.
  • Addressed a bug with AWS:RDS-012 where it was looking for internet routes in all subnets within the VPC, as opposed to only the subnets within the defined subnet group. In addition, metadata now includes only the Route Tables that contain a failing (open to internet) rule.
  • Updated Signature: AWS:EC2-038 now only passes if a default VPC security group has no inbound and no outbound rules (which restricts all access).
  • Edited AWS:LAMBDA-003 to no longer generate INFO alerts when a function has environment variables, and to generate PASS/FAIL alerts when it doesn't.
  • Corrected a problem with AWS:EC2-031 that substantially increased the number of EC2 API calls and thus caused throttling to occur.
  • Addressed an intermittent issue where users could land on an error 404 page after creating a custom signature.
  • Addressed an issue where RDS-related signatures were not generating alerts if there were too many RDS instances.

  

----------------------------------------------------------------------------------------------

 

 

Weekly Scheduled Deploy - June 06 2018


The following updates will take effect in the Evident Management Console on 5/30/2018:


Enhancements

  • Upgraded custom signature engine’s AWS SDK version.
  • Signature’s Copy & Customize function will now also copy the base signature’s description and remediation steps to the custom signature.
  • Improved External Accounts page performance.

 

Bug Fixes

 

  • Addressed an error preventing users from editing the Custom Compliance Standard.
  • Addressed an issue where Azure External Account can be created with insufficient permissions for Evident Monitoring to generate alerts.
  • Fixed an issue with New User Invite emails not displaying correctly on mobile devices.
  • Corrected an issue with New User Invite emails not functioning properly in Microsoft Outlook.
  • Addressed an issue with AWS:EC2-031 where it would fail to generate alerts when a Security Group is referenced by an Application Load Balancer.
  • Addressed an issue with AWS:SSS-014 where it would generate a ServerSideEncryption error even when it generated a PASS alert.


Weekly Scheduled Deploy - May 23 2018

 

The following updates will take effect in the ESP Management Console on 5/23/2018:


Evident.io’s Automation and Custom Signatures GitHub Repository will be moved to Palo Alto Networks’ Repository on June 6th.  More details will be provided when the move occurs.

 

----------------------------------------------------------------------------------------------



The following updates will take effect in the Evident Management Console on 5/3/2018:


Enhancements

 

Bug Fixes

 

  • Signature AWS:IAM-019 was edited to ensure it works for templates which include “NotAction”.
  • Signature AWS:LAMBDA-003 was revised to ensure it includes tags.
  • Signature: AWS:SQS-002 was revised to include KMS Key Id in metadata information.
  • Resolved a problem with AWS:VPC-009 throwing errors for some VPCs.
  • Fixed a problem with AWS:EC2-031 throwing errors if a security group is assigned to an EMR.
  • Corrected a problem with multiple S3 signatures changing the field CreationDate randomly.
    • AWS:SSS-001
    • AWS:SSS-004
    • AWS:SSS-005
    • AWS:SSS-006
    • AWS:SSS-007
    • AWS:SSS-008
    • AWS:SSS-009
    • AWS:SSS-010
    • AWS:SSS-011
    • AWS:SSS-012
    • AWS:SSS-013
    • AWS:SSS-014
    • AWS:SSS-015

  • Edited Signature AWS:SSS-014 and Signature AWS:SSS-015 to work with varying capitalization in the condition clause.
  • Revised Signature: AWS:IAM-017 to include more metadata information.
  • Edited Signature: AWS:R53-001 to generate one alert per account, as opposed to one alert per region.
  • Fixed a problem with Signature: AWS:CFM-001 throwing errors for CloudFormation templates that are in certain states.
  • Revised Signature: AWS:CLT-003 to ensure the bucket policy in metadata information is properly formatted.
  • Edited Signature: AWS:EC2-034 to ensure it checks all CloudWatch alarms.
  • Edited Signature: AWS:CLT-001 with proper fail alert messages and relevant metadata.



----------------------------------------------------------------------------------------------

 

Weekly Scheduled Deploy - May 2 2018

The following updates will take effect in the Evident Management Console on 5/2/2018:


Enhancements

 

Bug Fixes

 

  • The link to the Azure CLI Onboarding documentation has been fixed on the Azure Onboarding Wizard.
  • Addressed a problem that occurred during the creation of Custom Signatures: if a user submitted a large amount of markup text to describe the signature, an exception would occasionally be thrown.
  • Fixed an issue where changing the page size via the Integrations API resulted in an error.
  • Resolved a failed authorization check error when users were attempting to export reports via the API.



----------------------------------------------------------------------------------------------



Weekly Scheduled Deploy - April 25 2018

The following updates will take effect in the Evident Management Console on 4/25/2018:

Enhancements

  • To reduce the number of status flips, AWS:RDS-002 will generate fail alerts if the last backup was made more than 10 minutes ago.
  • AWS:SSS-014 has been enhanced to support "aws:kms" attribute for Server-side Encryption.  The signature will also now pass if the bucket's default encryption option is enabled.

Bug Fixes 

  • AWS:IAM-004 alerts with User Attribution data can now end as expected.

 

 

 

Weekly Scheduled Deploy - April 18 2018

The following updates will take effect in the Evident Management Console on 4/18/2018:

Enhancements

  • The Copy & Customize templates have been populated to allow for customizing these default signatures:

 

Bug Fixes 

  • Corrected an issue where the User Attribution job did not retry every 30 minutes after failing to find any relevant CloudTrail events.

 

 

Weekly Scheduled Deploy - April 11 2018

The following updates will take effect in the Evident Management Console on 4/11/2018: 

Enhancements

----------------------------------------------------------------------------------------------

 

Bug Fixes

 

  • Fixed timeout error when reordering a large number of controls on custom compliance domain.
  • Fixed an error that would occur when attempting to add an Azure account to a custom signature via the API.
  • Addressed a rare problem with showing the extra compliance standard which is not enabled for this organization.
  • Added a new retry mechanism before ESP marks an Integration as failed due to STS assume role error.

 

Weekly Scheduled Deploy - March 28 2018

The following updates will take effect in the Evident Management Console on 3/28/2018: 

Enhancements

----------------------------------------------------------------------------------------------

 

Weekly Scheduled Deploy - March 21 2018

The following updates will take effect in the ESP Management Console on 3/21/2018:

Enhancements

  • The Copy & Customize template has been populated to allow for customizing these default signatures:

  • AWS:CLT-002 CloudTrail log not encrypted with SSE-KMS
  • AWS:CLT-003 S3 Bucket Policy allows public access to CloudTrail logs
  • AWS:CLT-004 CloudTrail logs not integrated with CloudWatch
  • AWS:CLT-005 Log file validation not enabled for CloudTrail Log File
  • AWS:CF-003 Insecure Ciphers in CloudFront Distribution
  • AWS:CF-004 Enable CloudFront Access Logging
  • AWS:CF-005 CloudFront Viewer Protocol Policy to require HTTPS
  • AWS:EC2-035 Unencrypted AMI
  • AWS:EC2-036 Public AMI Detected
  • AWS:EC2-037 EBS Volume not Encrypted with Customer Managed Key
  • AWS:EC2-038 Default VPC Security Group Allows Traffic


  Note: Reference links to customizing signatures:

  • Added searching capability by compliance controls to the Alerts API.
  • Updated the Azure Setup Real-Time Alerts Wizard to streamline the required steps and to adapt to the latest Azure updates.
  • The "All risk level" options for Integrations can now be toggled on and off independently of individual signature settings.

Bugs

 

  • Fixed an error on the ESP dashboard that caused some Azure regions to go missing.
  • Addressed a problem with Signature: AWS:IAM-004 where User Attribution data would cause the alert to become stale with the wrong region.
  • Addressed a problem with Signature: AWS:IAM-010 where certain Deny statements were not accurately processed.
  • The alert threshold for Signature: AWS:RDS-002 was set to 10 minutes to resolve an issue with lag time.
  • Signature: AWS:SSS-014 has been revised to support the aws:kms attribute for SSE.

 

Weekly Scheduled Deploy - February 28 2018


The following updates will take effect in the ESP Management Console on 2/28/2018:

Enhancements

  • The load time for the ESP dashboard has been reduced by improving caching and displaying current total view for each page as it loads.

Bugs

  • Corrected an error that prevented a suppression built for both signatures and custom signatures from suppressing an alert.
  • Fixed an error that prevented a region suppression from suppressing an alert.
  • Addressed an error causing signatures to create duplicate alerts under load.
  • Addressed an error causing signatures to not update alerts status under load.

----------------------------------------------------------------------------------------------

 

Weekly Scheduled Deploy - February 21 2018


The following updates will take effect in the ESP Management Console on 2/21/2018:

Enhancements

  • New signature: AWS:REDSHIFT-004 (Redshift Cluster communication through SSL). This signature is currently disabled and will be activated for general use on March 7th, 2018.
  • New signature: AWS:EC2-042 (EBS Snapshot set with Public Permissions). This signature is currently disabled and will be activated for general use on March 7th, 2018.


Bugs

 

  • Signature AWS:LAMBDA-003 no longer attempts to read the environment variables to check whether any exist, because doing so indirectly attempts to decrypt the variables. Since the SecurityAudit role doesn't allow kms:Decrypt, this caused Access Denied errors.
  • Addressed a problem with Signature AWS:RDS-005 throwing NullPointerException errors.
  • Modified Signatures: AWS:RDS-006 and AWS:RDS-009 to take into account event subscriptions configured for all source types.
  • Modified Signatures: AWS:RDS-006 and AWS:RDS-009 to generate one alert per region.
  • Modified Signature AWS:EC2-031 to also check for AWS Lambda and Application Load Balancer.
  • Corrected Signature AWS:CFM-001 to avoid receiving multiple alerts.

 

----------------------------------------------------------------------------------------------


Weekly Scheduled Deploy - January 31 2018


The following updates will take effect in the ESP Management Console on 1/31/2018:

 

Enhancements

  • New Signature: Enable CloudFront Access Logging (AWS:CF-004)
  • New Signature:  SQS Dead Letter Queue Check (AWS:SQS-003)
  • New Signature: CloudFront Viewer Protocol Policy using HTTPS (AWS:CF-005)
  • New Signature: Ensure IAM Master and IAM Manager roles are active (CIS 1.1 - 1.18) (AWS:IAM-019)
  • Custom Signature GitHub Repository will be reorganized to provide a more intuitive and informative layout.  Note that once the new layout is in effect, the old file links will no longer lead to a valid page.

 

Bugs

  • Fixed an issue where disabled signatures could not be re-enabled via ESP.
  • Edited Signature: AWS:CF-002 to address custom origins not parsing origins properly.
  • Revised Signature: AWS:EC2-031 to verify that a Security Group is not referenced by another Security Group.
  • Updated Signature: AWS:CLT-001 to verify whether log delivery is successful.
  • Edited Signature: AWS:IAM-014 to ensure error messages contain correct information.
  • Revised Signature: AWS:IAM-010 to remove a gap when checking Resources.
  • Revised Signature: AWS:KMS-001 to correct trigger for external KMS keys.
  • (GovCloud) all S3 signatures were edited to properly trigger alerts.
  • (GovCloud) Revised Signature: AWS:EC2-034 to ensure that it properly monitors Cloudwatch alarms on EC2 instances.
  • Edits have been made to some S3 signatures to ensure that false PASS alerts are not generated when "Full Control" is granted to all users. The signatures modified were:

----------------------------------------------------------------------------------------------



Weekly Scheduled Deploy - January 17 2018

 

The following updates will take effect in the ESP Management Console on 1/17/2017:

 

Enhancements

  • Added a redundancy to ensure that when a signature is disabled, all future alerts from that signature are ended.

Bugs

  • Fixed an issue where disabled signatures could not be re-enabled via ESP.

 

--------------------------------------------------------------------------------------------

 

Weekly Scheduled Deploy - January 10 2018

 

The following updates will take effect in the ESP Management Console on 1/10/2017:

 

Enhancements

  • Added the ability to resend invites for SSO users.
  • Upgraded Custom Signature engine’s SDK to enhance existing services and also add support for the following AWS services:
    • AlexaForBusiness
    • AppSync
    • Cloud9
    • Comprehend
    • CostExplorer
    • GuardDuty
    • IoTJobsDataPlane
    • KinesisVideo
    • KinesisVideoArchivedMedia
    • KinesisVideoMedia
    • MQ
    • MediaLive
    • MediaStore
    • MediaStoreData
    • MediaConvert
    • MediaPackage
    • Pricing
    • ResourceGroups
    • SageMaker
    • SageMakerRuntime
    • ServerlessApplicationRepository
    • Translate

Bugs

  • Resolved a problem with Integrations where disabling an "orphaned" integration did not generate an error. Note: an active "orphaned" integration must be modified to associate it with at least one external account before it can be disabled.
  • Fixed a problem with Custom Signature external account selection showing Azure accounts.
  • Corrected a problem causing special characters like ’ (stylized apostrophe) to be allowed in some places but not others.

----------------------------------------------------------------------------------------------

 

Weekly Scheduled Deploy - December 20 2017

 

The following updates will take effect in the ESP Management Console on 12/20/2017:

 

Enhancements

  • New signature: AWS S3 Server Side Encryption (AWS:SSS-014).
  • New signature: S3 Secure Data Transport Policy Violation Discover (AWS:SSS-015).
  • New signature: SQS Server Side Encryption Check (AWS:SQS-002).
  • New signature: Lambda Environment Variables Encrypted At-rest Using CMK (AWS:LAMBDA-003).
  • New signature: ElasticSearch Open Access Policy Discovered (AWS:ES-001).
  • New signature: ElasticSearch Cluster in VPC (AWS:ES-002)
  • The S3 Bucket Fitness report has a new Encryption Controls domain with controls to check for encryption at rest and encryption in transit.
  • ESP updated the custom signature engine's AWS SDK.
  • Signature: Unused IAM Access Keys (AWS:IAM-015) now produces WARN alerts instead of INFO alerts when an inactive access key is found that has not been used within the last 90 days.
  • Signature: VPC Egress ELB (AWS:VPC-007) has been edited to reduce its risk level from High to Medium.

Bugs

  • Signature: RDS Database Publicly Accessible (AWS:RDS-005) has been edited for clarity.
  • Signature: RDS Event Subscription Not Enabled (for DB Security Group events) (AWS:RDS-009) has been temporarily disabled until a bug with it can be addressed.
  • The following signatures were edited to generate an alert even if the S3 bucket cannot be retrieved:
  • The following signatures were updated to improve pagination results:
  • Addressed a problem where the signature: AWS:ELB-001 did not always validate against the correct SSL Security Policy.
  • Fixed a problem with signature: AWS:Config-001 where it was not always checking whether a delivery was successful.
  • The following signature was revised to improve coverage in Principal clause:
