- The updated Anomaly Detection and Behavioural Clustering engines allow faster detection of threats (within 5 to 10 minutes) and with increased time specificity (within a 5-minute time window). The documentation has been updated (Anomaly Detection alerts and Behavioural Clustering alerts).
- Extended event type support for Radware WAF devices: Management events and System events are now supported (documentation)
- Usability and reliability improvements:
- Report types now include a description field.
- User input is now supported when resolving and acknowledging an alert (using the “Alert Details” screen), allowing the user to fill in the reason for the performed action.
- The alerts list now includes two new attributes (“resolved_by” and “acknowledged”) displaying the email of the user who performed the corresponding action.
- The device status changes to offline when locked by a user.
- Miscellaneous performance and reliability improvements on the alerting subsystems.
- Optimization on the log size and log count calculation routine.
- ThreatDB alerting and alerts screen revamp (documentation)
- In screens that contain listed items (e.g. the ThreatDB alerts page), the total number of items is now shown next to the number of pages at the top of the list
- Fixed a bug regarding the “clone report-type” feature that affected report templates
- Revamped Juniper SRX firewall integration. Juniper SRX filters have been implemented and deployed for MOREAL according to current PoC samples. For a list of supported log IDs please refer to the documentation
- You may now lock a device to stop monitoring and receiving logs (documentation)
- Custom IP ranges with distinct names can now be added for enhanced functionality (documentation)
- The IP Profiles view has been revamped for better navigation (documentation)
- The Alerts Overview screen has been redesigned with new functionality including multiple alerts selection and management (documentation)
- The liveness checking functionality has been improved and now includes more informative states (documentation)
- The display pages for devices, users and organizations are enriched with new attributes including registration dates
- Customizable size options in pie charts (chart examples)
- Descriptions can now be included when adding whitelisted IPs
- Vendor integration
- Various bug fixes
- acknowledge/resolve now works properly in custom-rules alerts
- “relevant events” links now retain the device context
- fixed report collections in device live monitoring
- whitespace is now ignored in event filtering
- Custom rules for the threat sensor with “default” criticality are now properly handled
- Miscellaneous performance and reliability improvements including streamlined mail delivery and query handling
- Network graph & GraphIQ v1.0. At branch level, an interactive network graph is provided to show the most significant interactions (edges) and entities (nodes) in the monitored network. (technical overview, documentation)
- Decision Maker v.1.0 reasoning component and corresponding alerts (technical overview, generated alerts description)
- Organization level mitigation suggestions through downloadable SNORT signatures file (documentation)
- Additional Custom Rules functionality (min & max functions)
- Minor widgets improvements in MOREAL dashboards
- Virtual Device support (documentation)
- ThreatDB TRI model & computation component v.2.0
- Custom Rules Back-end Engine v.2.0
- New version popup notification
*The new Anomaly Detection and Behavioral Clustering engines and the new IP-Profiles dashboard utilize aggregated metrics which are documented here.
- Added case insensitive Full Text Search functionality to alerts
- Filtering by alert type was added to alerts screen
- Sorting by alert occurrences was added to alerts screen
- Refresh button on alerts screen allows user to see new alerts generated
- Refresh button on events screen fetches new log records when relative time context is selected
- Top-left menu alerts counter was replaced by dropdown menu presenting alerts breakdown by alert type
- Performance improvement on alerts and events screens
- On-screen help popover notifications were added for all dashboard elements
- Alerts have been reset to accommodate the new alert grouping mechanism (old alerts are still available on demand)
- New grouping backend mechanism implemented, ensuring that incidents with the same reasoning are stored under one alert that is unique on a daily basis
- Added HIPAA Compliance Reporting. HIPAA Compliant Organizations can now print reports that respect selected compliance standards.
- Implementation of Vulnerability Assessment – a new alerting mechanism that checks events against existing CVEs (Common Vulnerabilities and Exposures) and reports alerts per asset based on criticality. Currently only Nessus CSV files are supported.
- New Dashboard features provide the user with live feed of critical network information for the last 24 hours
- The new Dashboards revolve around the point of view a user chooses to focus upon
- Organization Dashboard provides an organization wide view of network information
- Branch Dashboard provides a physical network view of information
- Device Dashboard breaks down to the lowest level possible providing network feed and device health status of a single device
- A new map inside the Organization Dashboard shows where alerts occur, so an engineer can better focus on them
- Network graph found inside Branch Dashboard provides a graph visualization of alert related traffic
- Fixed a bug where users would see duplicates if they added a new IP range inside an organization and then saved it.
- Some devices were misplaced on the dashboard maps. This has now been fixed.
- Acknowledge and resolve buttons in the alerts page are now working as expected.
- Map and graph zoom has been optimized for touch devices.
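The daily alert grouping mechanism described above (one alert per reasoning per day with an occurrence counter, plus the alerts-list filtering by type, sorting by occurrences, and the “resolved_by” attribute), as an added Python example that is not MOREAL's own code; the incident records and field names are constructed assumptions:

```python
from datetime import datetime

# Constructed sample incidents (not real MOREAL data). Each incident carries
# the "reasoning" that produced it, the reporting device and a UTC timestamp.
INCIDENTS = [
    {"reasoning": "port_scan", "device": "fw-01", "ts": "2023-05-01T09:12:00Z"},
    {"reasoning": "port_scan", "device": "fw-02", "ts": "2023-05-01T10:40:00Z"},
    {"reasoning": "port_scan", "device": "fw-01", "ts": "2023-05-01T23:59:00Z"},
    {"reasoning": "port_scan", "device": "fw-01", "ts": "2023-05-02T00:01:00Z"},
    {"reasoning": "brute_force", "device": "srv-01", "ts": "2023-05-01T11:00:00Z"},
]


def group_incidents(incidents):
    """Fold incidents into alerts keyed by (reasoning, UTC day): the same
    reasoning on the same day is one alert; the next day starts a new one."""
    alerts = {}
    for inc in incidents:
        day = datetime.strptime(inc["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        key = (inc["reasoning"], day)
        alert = alerts.setdefault(key, {
            "alert_id": f"{inc['reasoning']}:{day}",  # unique per reasoning per day
            "reasoning": inc["reasoning"],
            "day": day,
            "occurrences": 0,
            "devices": set(),
            "first_seen": inc["ts"],
            "last_seen": inc["ts"],
            "acknowledged": None,  # email of the user who acknowledged
            "resolved_by": None,   # email of the user who resolved
            "reason": None,        # free-text reason entered by that user
        })
        alert["occurrences"] += 1
        alert["devices"].add(inc["device"])
        alert["first_seen"] = min(alert["first_seen"], inc["ts"])
        alert["last_seen"] = max(alert["last_seen"], inc["ts"])
    return alerts


def list_alerts(alerts, alert_type=None):
    """Alerts-list view: optional filter by type, sorted by occurrences (desc)."""
    rows = [a for a in alerts.values() if alert_type is None or a["reasoning"] == alert_type]
    return sorted(rows, key=lambda a: (-a["occurrences"], a["alert_id"]))


def resolve_alert(alerts, alert_id, user_email, reason):
    """Record who resolved the alert and why (the 'resolved_by' attribute)."""
    alert = next(a for a in alerts.values() if a["alert_id"] == alert_id)
    alert["resolved_by"] = user_email
    alert["reason"] = reason
    return alert
```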