Threat Command / Oct 24, 2023


Threat Command

New

  • Simplified Case Creation
    Threat Command users with access to the Rapid7 Customer Support portal can now open a new support or intelligence case with the new “Customer Portal” button. Customers can choose the type of case to open, or view their existing open cases.
  • Automatic Alerts for Breach or Ransomware Leaks from Trusted Sources
    Alerts indicating a breach or ransomware leak are now generated more quickly, reducing the latency between data exposure in the wild and customer notification. These automated alerts are generated from a curated list of trusted sources.
  • Alerts for Lookalike Domains with Different TLD
    Alerts will be generated for newly-registered domains that exactly match a Domains asset, but with a different TLD.
    Example: If the Domains asset is abc.com, alerts will be triggered for newly-registered domains like abc.sg, abc.tk, or abc.pl.
    This feature is only enabled for newly-registered domain assets.
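
The matching rule described above (same registrable label as a Domains asset, different TLD), worked through as an added example. This is illustrative code, not Threat Command's own implementation: the helper names, the small multi-label suffix set and the feed of "newly registered" domains are all assumptions constructed for the example.

```python
# Added example (not Rapid7 / Threat Command code): flag newly registered
# domains that match a monitored Domains asset in everything but the TLD.
from dataclasses import dataclass

# Assumption: a tiny stand-in for the Public Suffix List so that e.g.
# abc.co.uk splits into label "abc" + suffix "co.uk". A real implementation
# should use the full list from publicsuffix.org.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.sg", "co.jp"}


def split_suffix(domain):
    """Return (registrable label, public suffix) for a domain name."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable domain: {domain!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    # Subdomains (sub.abc.com) collapse to the registrable label "abc".
    return labels[-2], labels[-1]


@dataclass(frozen=True)
class LookalikeAlert:
    asset: str       # the monitored Domains asset, e.g. abc.com
    lookalike: str   # the newly registered domain, e.g. abc.sg
    tld: str         # the differing public suffix


def lookalike_tld_alerts(assets, newly_registered):
    """Alert when a new registration's label equals an asset's label but the TLD differs.

    Only the exact label is matched (abc.com -> abc.sg). Typosquats such as
    abc-login.sg and same-TLD subdomains such as sub.abc.com are out of scope.
    """
    by_label = {}
    for a in assets:
        label, suffix = split_suffix(a)
        by_label.setdefault(label, set()).add((a.lower(), suffix))

    alerts = []
    for d in newly_registered:
        try:
            label, suffix = split_suffix(d)
        except ValueError:
            continue  # malformed feed entry; skip rather than crash the run
        for asset, asset_suffix in sorted(by_label.get(label, ())):
            if suffix != asset_suffix:
                alerts.append(LookalikeAlert(asset, d.lower(), suffix))
    return alerts


# Constructed sample input: one asset and a mixed feed of new registrations.
ASSETS = ["abc.com"]
NEW_REGISTRATIONS = [
    "abc.sg", "abc.tk", "abc.pl",   # should alert (same label, new TLD)
    "abc.com",                      # same TLD: not a lookalike
    "abc-login.com",                # different label: not an exact match
    "xyz.io",                       # unrelated
    "abc.co.uk",                    # multi-label suffix, still a different TLD
    "sub.abc.com",                  # subdomain of the asset itself
]


def run_example():
    return lookalike_tld_alerts(ASSETS, NEW_REGISTRATIONS)


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert.asset} -> {alert.lookalike} (TLD {alert.tld})")
```

The suffix split is the part worth getting right: without it, `abc.co.uk` would be read as label `co` and missed, and `sub.abc.com` would be treated as a new registrable name rather than a subdomain of an asset you already own.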

Improved

  • ServiceNow SIR App | New Version (2.1.0)
    New version (2.1.0) is available on the ServiceNow store:

    • Added support for Utah and Vancouver releases

    • Updated Alert Attachment Support

    • Deprecated unused roles

    • Added support for fetching updated alerts automatically

    • Minor bug fixes

      Users can continue to leverage Rapid7 Threat Command for Security Incident Response and Threat Intelligence on newer ServiceNow releases.

  • Ransomware Alert Profiler Examples
    Examples to trigger alerts for these common Alert Profiler uses were added to the online Help:

    • when a leak is published about a specific sector
    • when a specific ransomware group publishes a leak
    • when your assets are mentioned in any context (even if not deemed to be relevant)
  • Confidential Documents Degradation
    In an effort to continue Rapid7’s focus and commitment to our customers, Threat Command is initiating a degradation plan for the Confidential Documents threats and alerts.

    • On November 6, 2023, threats and alerts will no longer be generated from VirusTotal input. Historical threats and alerts will be permanently deleted.
    • Threats and alerts from Bing input will remain, and service will continue as-is.

Fixed

ID       Case  Area    Description
BS-3552  -     Alerts  SSL threats and alerts are not generated.

TIP

Improved

  • IOC sources | ‘FireEye Intelligence’ Feed is Being Replaced by ‘Mandiant Intelligence’ feed
    Mandiant has announced that v2 credentials for the ‘FireEye Intelligence’ feed will reach end of life at the end of October 2023, at which point the feed will be disabled. Users can now use the ‘Mandiant Intelligence’ feed with their v4 credentials in place of the ‘FireEye Intelligence’ feed. Until the end of October, both feeds will be visible in the UI.

Platform

Improved

  • Alert Attributes Added to Policy Emails
    Customers can incorporate the alert ID, severity, and source URL in emails triggered by a policy.
    Incorporating these attributes into email subjects or descriptions gives more detailed notifications tailored to customer needs.