2. New features and improvements
2.1. WebUI - New NDR interfaces and options
2.1.1. Home page and global overview table
2.1.2. Alert dashboard
2.1.3. User dashboard
2.1.4. Host dashboard
2.1.5. Relationship mapping
2.1.6. Investigation dashboards
2.1.7. Creating tags
2.1.8. Creating notes
2.1.9. Managing association rules
2.1.10. Limiting metadata
2.1.11. Dark mode
2.2. WebUI - Administration
2.2.1. Configuring GCap probes
2.3. Analysis / CTI features
2.3.1. Host detection
2.3.2. User detection
2.3.3. Aggregate risk calculation per host
2.3.4. Unified risk calculation
2.3.5. Identifying the type of host
2.3.6. Host identity persistence and enrichment
Host name
Related IP address
Assigned MAC address
Operating system
Protocols in use and their proportion
Details of detected threats
Associated MITRE tactics
Aggregated risk score
Risk score timeline
Top 10 URLs visited
Top 10 IP addresses contacted
Tags
Notes
2.3.7. User identity persistence and enrichment
Host name
Assigned IP address
Last seen
Protocols in use and their proportion
Details of detected threats
Associated MITRE tactics
Aggregated risk score
Risk score timeline
Top 10 URLs visited
Top 10 IP addresses contacted
Tags
Notes
2.3.8. Connectivity with the CTI
2.3.9. Retro-hunting and CTI
2.3.10. Redirecting to the CTI platform
2.3.11. Alerts: help with investigating and responding
Redirecting to different dashboards for investigation
Downloading files (samples)
Displaying details of the threat
Sending the sample to a sandbox
Downloading the report generated by the sandbox
2.3.12. Associating with the MITRE ATT&CK repository
2.4. Detection
2.4.1. DGA detection engine
An optimised algorithm to reduce false positives
Dedicated DGA events, raising the same alerts as the command and control (C&C) type
The ability to add domains from a generated alert to a white list or black list
2.4.2. Shellcode detection engine
Quota and automatic cleaning added to avoid saturation
Code is optimised to increase stability and performance
New Windows features and patches implemented
The hash (SHA256, MD5) in the alerts no longer corresponds to the content of the “.data” field but to the analysis results, which makes it possible to recognise identical shellcodes across different network frames
Shellcode alerts include a “Display Data” action to show the hexdump of the “.data” field
2.4.3. PowerShell detection engine
Quota and automatic cleaning added to avoid saturation
Code is optimised to increase stability and performance
Improved extraction, analysis, and scoring to reduce false positives
The hash (SHA256, MD5) in the alerts no longer corresponds to the content of the “.data” field but to the analysis results, which makes it possible to recognise identical PowerShell commands across different network frames
PowerShell alerts include a “Display Data” action to show the hexdump of the “.data” field
2.4.4. Malcore detection engine
An orchestrator has been added to detect failures and perform automatic corrective actions
16 detection engines are now activated if the licence allows it
Improved alert and metadata content, now extracted from the fileinfo
2.4.5. YARA rules
2.4.6. Improved processing of suspicious files
2.5. API
2.5.1. API and Swagger
2.6. System
2.6.1. Change of operating system
2.6.2. Update of the kernel
2.6.3. Optimising the communication between the GCap and the GCenter
2.6.4. File processing mechanism redesign
improve the reliability of enrichment
obtain all the information related to a reconstructed file
be able to systematically find a file from a flow-id