Contents and detection

  • Introduced the new SIGN:DUALUSE-DETECTED alert type, with a default risk of 5. Updated the default risk for SIGN:PUA-DETECTED from 8 to 5. Introduced support for a YARA meta property called `nn_priority` (string) that can be used to set a custom risk for the SIGN:MALWARE-DETECTED, SIGN:DUALUSE-DETECTED and SIGN:PUA-DETECTED alerts raised by the YARA rule that declares it.
  • Introduced support for negated PCRE options in packet rules.
  • The Vulnerabilities list can now be filtered for Known Exploited Vulnerability (KEV) entries.
  • Threat Intelligence can now look up STIX indicators offline against an on-disk database, reducing memory consumption. Refer to the User Manual for instructions on enabling the feature. Note: the Database Provider does not support STIX content in XML format; only custom content is affected, since all Update Service content is delivered in JSON format.
  • Added size sliders for all columns in the List tab of the Vulnerabilities page.
  • Packet rules now support the multiplier modifier for the byte_math and byte_jump options.
  • Guardian now assigns End-of-Life CPEs to unmaintained versions of known software, giving greater visibility to outdated software components that could pose a threat to the environment.
  • The recursion depth Guardian uses when extracting macros from passively captured documents is now configurable, allowing detection capability to be balanced against system resource usage. The user guide contains details about this configuration option.
  • Improved documentation for the commands that can be sent to the VA service through the Command Line Interface. NOTE: the legacy index and Microsoft hotfixes engines are deprecated and no longer documented; they will be removed completely in a future version of N2OS.
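The following YARA rule is an added illustration of the `nn_priority` meta property described in the first item above; it is not a rule shipped with N2OS or taken from the release notes. The rule name, the strings it matches and the risk value "7" are assumptions chosen for illustration: the page only states that `nn_priority` is a string meta property that overrides the default risk of the SIGN:MALWARE-DETECTED, SIGN:DUALUSE-DETECTED or SIGN:PUA-DETECTED alert raised by the rule, so the value is quoted, and the accepted range of values should be checked in the User Manual.

```yara
// Added example, not part of N2OS or of the release notes above.
// Assumptions: the detection target, strings and the risk value are illustrative.
rule dualuse_remote_admin_tool_example
{
    meta:
        description = "Illustrative rule for a dual-use remote administration tool"
        author      = "added example"
        // nn_priority is declared as a string in N2OS, so the risk is quoted.
        // Assumed here to raise the alert's risk from the default of 5 to 7.
        nn_priority = "7"

    strings:
        $mz   = { 4D 5A }                          // PE header magic "MZ"
        $name = "example-remote-admin" ascii wide  // constructed marker string

    condition:
        $mz at 0 and $name
}
```

Because `nn_priority` is a meta property, adding it to an existing rule changes only the risk of the alert that rule produces, not what the rule matches; rules without it keep the default risk for their alert type (5 for SIGN:DUALUSE-DETECTED and SIGN:PUA-DETECTED after this release).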