EventTracker 8.0 – Release Notes

The EventTracker engineering team continues to monitor changes in operation management, enterprise applications, and regulation compliance standards. Version upgrades are made based on customer feedback and experience in the field, providing you the best solution possible.

EventTracker 8.0 (Build 29)

  • Detection of TCP Flow tuple (5-Tuple) from various log sources.
  • A new dashboard for Product announcements, news and Local broadcast messages.
  • Enhanced process monitoring events with additional metadata including MD5 hash and code signing status of the executable file.
  • Enhanced network connection monitoring events with communication direction and MD5 hash of the executable file.
  • USB monitoring feature to allow the user to disable all devices except HID class devices. (ET80U15-017)
  • Enhanced Date Time parsing support in Direct Log Archiver.
  • Usability enhancements in EventTracker Agent Configuration UI.
  • Change Audit: Configuration policy editor can detect and add registry values of type QWORD, Multi-String and Expanded String.
  • Support for NOT operator in agent filters for “user” and “Source” fields.
  • Support for specifying CPU and memory threshold values at the process level.
  • Enhancement in Export/Import utility to provide schedule options while importing scheduled report(s).
  • Editable date time control.
  • Option to search an alert by name, event id or description.
  • Tear away menu items and tabs.
  • Resolving IPs in background process.
  • Grouping of token templates.
  • Added ETIDS menu item in Tools. URL can be configured in manager configuration.
  • Deletion of multiple behavior rules.
  • Token template: Increased length of regular expression from 100 to 1000 while creating Template.
  • The enhanced network connection monitoring module generates events in range 3512-3516 instead of events in range 3223-3227.
  • The asset value of the EventTracker console system is now set to “Serious” by default.
  • Moved StatusTracker link from Main Menu to Tools.
  • Made the following changes to default agent filters:
    • Modified default filter exception for event ids 528, 538 and 540 of Event Type “Audit Success” to not consider events if user name contains $.
    • Added default Advanced filter and DLA filter to drop event id 4625 of source “Microsoft-Windows-Security-Auditing” with description containing “S-1-0-0” (NULL SID).
    • Added default DLA filter to drop event id 4663 of source “Microsoft-Windows-Security-Auditing” with description containing “$”.
    • Removed default filter exception for event ids 100 and 102 of source “Microsoft-Windows-TaskScheduler”
    • Removed default filter exception for event ids 592 and 593 of Event Type “Audit Success”
    • Removed default filter exception for event ids 4688 and 4689 of Event Type “Audit Success”
    • Modified default filter exception for event ids 4660 and 5136 of Event Type “Audit Success”, to not consider events if account name contains $
    • Added default Advanced filter for event id 1002 of source “Microsoft-Windows-KnownFolders” with description “occurred while verifying known folder”.
    • Added default Advanced filter for event id 3404 of source “EventTracker”
    • Added default Advanced filter for event id 4100 of source “Microsoft-Windows-PowerShell”
    • Added default DLA filters to drop event ids 528, 538, 540, 560, 565 & 566 of Log Type “Security” with $ user.
    • Added default DLA filter to drop event id 560 of Event Type “Audit Success” with description “$Window||.tmp||$$_||~”
    • Added default DLA filters to drop event ids 3225 & 3404 of source “EventTracker”.
    • Added default DLA filter to drop event id 4100 of source “Microsoft-Windows-PowerShell”
    • Added default DLA filter to drop event id 4673 of source “Microsoft-Windows-Security-Auditing”.
    • Added default DLA filters to drop event ids 4660, 4661, 4662, 5136, 5137, 5138 & 5139 of source “Microsoft-Windows-Security-Auditing” with description “$”.
    • Added default DLA filter to drop event ids 4656 & 5145 of source “Microsoft-Windows-Security-Auditing” with description “$Window||.tmp||$$_||~||$”.
    • Modified default filter exception for event ids 4624 & 4634 of source “Microsoft-Windows-Security-Auditing” to not consider events with user name as “IUSER”, “SYSTEM”, “Classic .NET AppPool”, “DefaultAppPool”, “ANONYMOUS LOGON”, “NETWORK SERVICE”, “LOCAL SERVICE”.
    • Modified default DLA filter for event ids 4624 & 4634 of source “Microsoft-Windows-Security-Auditing” to drop events with user name as “IUSER”, “SYSTEM”, “Classic .NET AppPool”, “DefaultAppPool”, “ANONYMOUS LOGON”, “NETWORK SERVICE”, “LOCAL SERVICE”.
    • Modified default filter exception for event ids 3221 and 3222 of source “EventTracker” to not consider events with description containing “sendtrap.exe” or “powershell”
    • Added default DLA filter for event ids 3221 and 3222 of source “EventTracker” to drop events with description containing “sendtrap.exe” or “powershell”
    • Updated default network connection monitor setting to not monitor communication with private IPv4 addresses.
  • Made the following changes to Workstation agent configuration filters:
    • Added default Advanced filter to drop event id 4663 of source “Microsoft-Windows-Security-Auditing” with description containing “$”.
    • Added default Advanced filters to drop event ids 560, 565 & 566 of Log Type “Security” with $ user.
    • Added default Advanced filter to drop event id 560 of Event Type “Audit Success” with description “$Window||.tmp||$$_||~”
    • Added default Advanced filters to drop event ids 3225 & 3404 of source “EventTracker”.
    • Added default Advanced filter to drop event id 4100 of source “Microsoft-Windows-PowerShell”
    • Added default Advanced filter to drop event id 4673 of source “Microsoft-Windows-Security-Auditing”.
    • Added default Advanced filters to drop event ids 4660, 4661, 4662, 5136, 5137, 5138 & 5139 of source “Microsoft-Windows-Security-Auditing” with description “$”.
    • Added default Advanced filter to drop event ids 4656 & 5145 of source “Microsoft-Windows-Security-Auditing” with description “$Window||.tmp||$$_||~||$”.
    • Added default Advanced filter for event ids 3221 and 3222 of source “EventTracker” to drop events with description containing “sendtrap.exe” or “powershell”.
    • Modified default filter exception for event ids 4624 & 4634 of source “Microsoft-Windows-Security-Auditing” to not consider events with user name as “IUSER”, “SYSTEM”, “Classic .NET AppPool”, “DefaultAppPool”, “ANONYMOUS LOGON”, “NETWORK SERVICE”, “LOCAL SERVICE”.
  • License feature check fails in EventTracker Agent for certain licenses. (ET80U15-010)
  • Incorrect license usage warning while opening EventTracker Agent configuration UI. (ET80U15-014)
  • Intermittent cache processing delays in EventVault service. (ET80U15-017)
  • EventTracker Agent configuration is getting corrupted. (ET80U15-017)
  • Activity data mismatch in behavior. (ET80U15-017)
  • Admin activity was not getting detected sometimes. (ET80U15-017)
  • Behavior stops with unhandled exception while processing events with long user names. (ET80U15-017)
  • Event-o-Meter file is not transferring if CP fails to send Behavior DB. (ET80U15-017)
  • If Checkpoint and VMware are both configured, Apply Agent Configuration fails with a runtime error. (ET80U15-017)
  • Source device name is not listed in logsearch and reports if traps are sent through network devices.
  • Agent LFM issue in parsing time field for CSV format log files. (ET80U15-019)
  • Handle leak in receiver while performing remedial action.
  • Receiver fails to perform console remedial action if configured path length is more than 256.
  • Agent-less subscription of some remote channels incorrectly fails with configuration error.
  • Behavior engine stops processing when a corrupt archive file is encountered.
  • List Lookup for default behavior rule against class users always comes up with no record found.
  • TLS dashboard: Notes icon not displaying after adding notes.
  • Flex excel generated report: Fixed header highlighting issue related to summary sheet.
  • Unable to edit the extracted token value by pipe (|).
  • Reports: “volume label & volume serial” come up as unknown in the “USB device disabled” report.
  • Behavior module: Incorrect WhoIs URL on New IP Address activity.
  • System manager: System report is not generated when selecting by “group”.
  • Issue in Log Search for IP Pair on Targets window.
  • Targets: Count mismatch between Attacks and Targets windows for the same IP with different ports.
  • New behavior rule added:
    • Windows Network Processes
    • Windows Network Connections
  • New Alert included:
    • EventTracker: Connection to bad IP reputation process lookup.
    • EventTracker: New windows network process IP reputation lookup.
    • Critical Potential Breach: A new process connecting to low reputation ip address.
    • Critical Potential Breach: Unknown process connected to a bad reputed remote site across firewall.
  • ETIDS GUI included in the package (integrated with Snorby).
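
As an added example (not EventTracker's own code), the following Python evaluator applies the default drop filters listed above to constructed Windows security events, so the effect of the noise-reduction rules can be checked before they reach the manager. It assumes an event record with event_id, source, user and description fields, that a pattern such as “$Window||.tmp||$$_||~” is a list of alternative substrings separated by “||”, and that the NOT operator on the user field can be modelled by a negate flag; the DropFilter class and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

SEC = "Microsoft-Windows-Security-Auditing"

# Service and system accounts excluded by the default 4624/4634 filters.
NOISY_LOGON_USERS = frozenset({
    "IUSER", "SYSTEM", "Classic .NET AppPool", "DefaultAppPool",
    "ANONYMOUS LOGON", "NETWORK SERVICE", "LOCAL SERVICE",
})

@dataclass(frozen=True)
class DropFilter:
    """Hypothetical filter record: an event is dropped when every configured condition matches."""
    event_ids: FrozenSet[int]
    source: Optional[str] = None             # None: any source
    users: Optional[FrozenSet[str]] = None   # exact user-name matches
    user_contains: Optional[str] = None      # substring of the user name
    negate_user: bool = False                # NOT operator on the user field (assumed semantics)
    description: Optional[str] = None        # "a||b||c": any alternative matches (assumed semantics)

def description_matches(pattern: str, text: str) -> bool:
    """Assumed '||' semantics: match if any alternative is a substring of the text."""
    return any(alt in text for alt in pattern.split("||") if alt)

def filter_drops(f: DropFilter, ev: dict) -> bool:
    """True when this filter drops the event."""
    if ev["event_id"] not in f.event_ids:
        return False
    if f.source is not None and ev["source"] != f.source:
        return False
    if f.description is not None and not description_matches(f.description, ev["description"]):
        return False
    if f.users is not None or f.user_contains is not None:
        hit = ev["user"] in f.users if f.users is not None else f.user_contains in ev["user"]
        if hit == f.negate_user:  # NOT inverts which side of the user test drops
            return False
    return True

# The default drop filters from the release notes, encoded with the assumptions above.
DEFAULT_DROP_FILTERS = [
    DropFilter(frozenset({4625}), SEC, description="S-1-0-0"),  # NULL SID logon failures
    DropFilter(frozenset({4663}), SEC, description="$"),
    DropFilter(frozenset({4624, 4634}), SEC, users=NOISY_LOGON_USERS),
    DropFilter(frozenset({4656, 5145}), SEC, description="$Window||.tmp||$$_||~||$"),
    DropFilter(frozenset({4660, 4661, 4662, 5136, 5137, 5138, 5139}), SEC, description="$"),
    DropFilter(frozenset({528, 538, 540, 560, 565, 566}), None, user_contains="$"),
    DropFilter(frozenset({4100}), "Microsoft-Windows-PowerShell"),
    DropFilter(frozenset({3221, 3222}), "EventTracker", description="sendtrap.exe||powershell"),
]

def apply_filters(events, filters=DEFAULT_DROP_FILTERS):
    """Split events into (kept, dropped); one matching drop filter is enough to drop."""
    kept, dropped = [], []
    for ev in events:
        (dropped if any(filter_drops(f, ev) for f in filters) else kept).append(ev)
    return kept, dropped

def _ev(event_id, source, user, description=""):
    return {"event_id": event_id, "source": source, "user": user, "description": description}

# Constructed sample events for the demonstration, not real log data.
SAMPLE_EVENTS = [
    _ev(4625, SEC, "-", "Logon failure. Security ID: S-1-0-0"),
    _ev(4625, SEC, "jdoe", "Logon failure. Security ID: S-1-5-21-1000"),
    _ev(4624, SEC, "SYSTEM", "Logon type 5"),
    _ev(4624, SEC, "jdoe", "Logon type 2"),
    _ev(4663, SEC, "jdoe", r"Object Name: C:\Users\jdoe\report.docx"),
    _ev(4663, SEC, "jdoe", r"Object Name: C:\Windows\Temp\abc$_.tmp"),
    _ev(4656, SEC, "jdoe", r"Object Name: C:\Users\jdoe\~report.docx"),
    _ev(540, "Security", "WKS01$", "Network logon by machine account"),
    _ev(4100, "Microsoft-Windows-PowerShell", "jdoe", "Engine error"),
    _ev(3221, "EventTracker", "jdoe", "New process: powershell.exe"),
    _ev(3221, "EventTracker", "jdoe", "New process: notepad.exe"),
]

if __name__ == "__main__":
    kept, dropped = apply_filters(SAMPLE_EVENTS)
    print(f"kept {len(kept)} of {len(SAMPLE_EVENTS)} events; dropped {len(dropped)}")
```

Of the eleven constructed events only the real-user logon failure, the interactive user logon, the non-temporary file access and the notepad process survive; everything the default filters target is dropped.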

EventTracker 8.0 (Build 19)

  • Log4xml option in Manager DLA.
  • Threshold based monitoring of handle and thread usage of the system.
  • Threshold based monitoring of handle and thread usage of a running process.
  • Change Audit: Ability to create rules for enabling checksum tracking.
  • Top level summary reports
  • Ability to initiate remedial actions (such as running scripts, killing processes, adding firewall rules, etc.) from the Console on a remote agent system.
  • Utility to apply scripts and data on Agent systems
  • Dashboard>Attackers: Geolocation page to represent bad reputation IPs.
  • Monitoring of Log volume surge. (ET76U15-2000)
  • Dashboard: Widget configuration
  • EventTracker v8 has a completely revamped User Interface, with added features and enhancements, making it more user-friendly and device-friendly. It now has a changed color theme and layout, with most of the standard features replaced by icons.
  • Additional parameters including incident number are passed to “Console Remedial Action” script.
  • Change Audit: The manager name can be configured remotely.
  • Change Audit: Sending snapshots to manager can be disabled.
  • Support for extracting field names from header of log file in Direct Log Archiver. (ET76U15-033)
  • EventTracker agent now provides an option to block all types of USB devices. (Update ET76U15-035)
  • Ability in behavior engine to consider the combination of activity name and breakup name as a new activity instead of activity name itself for custom rules.
  • Allow user to set Run time for scheduled reports
  • Agent service flushes the event count to “evtViewerLog.etw” on stop/restart request.
  • Notification when an Agent stops reporting and starts reporting again (Enhancement in Agent Health Check monitoring.)
  • Support for transferring cabs from collection point on scheduled basis. (Update ET76U15-038)
  • List management UI enhancement
  • Show Asset value and Installation time in exported excel of systems report and system detail page.
  • Option to disable storage of notification status for an alert.
  • Implemented support for providing system environment variables in receiver custom action path.
  • Added new option in diagnostics utility to provide disk space threshold.
  • In license manager, added a new option to save license details in a text file.
  • Provide option to persist flex report data only in SQL server database.
  • Added option to disable generation of Agent file transfer events (2046 and 3503).
  • Added new default behavior rules “Windows user location affinity” and “Unique process hash”.
  • Admin.Report Settings: Added a configuration option to show or hide the disk cost information in the Report/Analysis wizard.
  • Logsearch: In pivot table selection, token selection is no longer mandatory.
  • Reports/web modules: Change Excel reports theme
  • Admin.Manager configuration: Provide ETVAS site link
  • List management – Increased the pattern length
  • Change Audit: Checksum tracking is enabled by default for all executable files (*.exe, *.dll etc.).
  • Network connection monitoring is enabled by default for new TCP connections.
  • Updated default Change Audit agent configuration to monitor only *.exe, *.dll, *.ocx, *.sys, *.drv, *.vxd, *.msc and *.cpl files.
  • Updated default Change Audit agent configuration to not monitor registry changes.
  • Behavior engine considers an IP address as new if it is detected after a “No activity” period greater than the default purge frequency. Behavior engine purges/deletes IP addresses that do not have any activity for last 15 days (Default purge frequency).
  • Added default DLA filters to drop some PowerShell events (Event Id 400, 403 and 600).
  • Added default DLA filters to drop 4662 and 566 Audit Success events except those that contain object type “groupPolicyContainer”.
  • Added default DLA filters to drop event id 5152 to 5158 with source “Microsoft-Windows-Security-Auditing”.
  • Event id 2008 is generated for non-reporting syslog devices.
  • Event id 2009 is generated to indicate that a non-reporting system/device has started to report again.
  • Description of event ids 2006-2009 changed to contain additional system details including asset value.
  • Updated the description of NCM events (3223 to 3227) to indicate both IP address and resolved hostname.
  • Event id 3221 is generated to track process creation on Windows Vista and above.
  • Behavior engine is updated to combine all unique processed columns to create activity name for custom rules.
  • Updated the description of service monitoring events (3202, 3203, 3204 and 3214) to include additional information including service startup type.
  • Parsing rule: The Index column is not displayed in parsing rule.
  • Beep functionality is not available as alert action.
  • Receiver peak memory cut-off check does not work for cut-off values more than 700 MB.
  • Notification status for “Agent Remedial Action” is not getting stored in database.
  • Unable to delete a system from the System Manager UI if the system has a lot of system activity behavior data.
  • Fix for the issue where some of syslog messages received in TCP mode were getting truncated.
  • Fix for the issue where incorrect DLA system is added if VMware agent is configured using IP address in the URL.
  • Checkpoint DLA license is getting considered in both DLA as well as in Checkpoint license count. (ET76U15-034)
  • Fix for issue where EventVault service fails to process some DLA cab files. (ET76U15-036)
  • Fix for issue where Collection Master is unable to create behavior database of Collection Point. (ET76U15-025)
  • Fix for the issue where handle leak was happening because of the excess usage of license. (ET76U15-035)
  • Fix for the issue where DLA thread was not getting launched when unable to get the license count from the server. (ET76U15-035)
  • Opening the port configuration utility throws a popup error.
  • Fix for the issue where some of the events are not getting translated correctly for agent less systems. (Update ET76U15-SP1)
  • Fix for the issue where user was unable to configure LFM for DHCP logs in 64 Bit OS.
  • Fix for the issue where agent service was getting stopped with unhandled exception on certain events. (Update ET76U15-SP1)
  • Fix for the issue where Manager DLA was terminated when multiple w3c files exist. (Update ET76U15-SP1)
  • Fix for the issue where EVTX files exported from NetApp devices were not processed without a metadata file in Direct Log Archiver. (Update ET76U15-040)
  • Fix for the issue where the metadata for the Snort event description could not be retrieved; the XML part of the event description is now used. (Update ET76U15-035)
  • Fix for issue where Collection Point is unable to send cabs if database transfer is interrupted. (Update ET76U15-042)
  • Reporter is unable to process all cabs for multisite reports.
  • Direct Log Archiver fails to parse time field if it contains milliseconds part. (Update ET76U15-044)
  • Agent LFM does not parse all the fields and values from an NCSA-configured file.
  • Fix for the issue where the Agentless DLA port was overwritten with the manager DLA port when a different port is configured for the agentless DLA manager.
  • Change Audit: the change audit engine fails to recognize the default registry key.
  • Fix for issue where Collection Master is unable to create behavior database if site name of Collection Point contains space. (ET76U15-046)
  • EventTracker Agent fails to send events in TCP mode if target name resolution is restored after failing initially.
  • Direct Log Archiver fails to parse time field if it contains comma separated milliseconds part.
  • Fix for the issue where EventTracker Agent is unable to assign the correct DLA port after CAB extraction.
  • Sometimes upgrading evaluation license with another evaluation license fails.
  • ET Control Panel: After saving Diagnostics, the saved diagnostics dialog box is shown in the background.
  • Control Panel Diagnostics: User is not able to restore the backup file from diagnostics.
  • On the System Details window, the Type drop-down shows too many Checkpoint entries instead of a single one.
  • If the license count exceeds the available limit, the User Name and Password fields are grayed out and the user is unable to log in.
  • List management: Creation of new group is allowed using special characters
  • Status Tracker: Remove monitoring from group option doesn’t work.
  • The correlation port is not considered on search and report for the selected CP on CM.
  • Log search is not getting launched from behavior
  • The user is unable to do a log search for the custom behavior rules on Behavior Dashboard.
  • Pivot Table: Token column name overlaps in the drag-and-drop re-order pane if the column name is too long.
  • When the VMware license usage exceeds the allowed limit, the user is unable to log in.
  • List management – The user is not able to edit the custom class.
  • Admin -> Windows Agent Config: The user is unable to add a new item in the Include list of Network Connection Monitor.
  • Log Search: On editing the saved log search, it is not retaining the Log Type and Event Type of previously saved search.
  1. Microsoft
    • Internet Explorer 9
    • Internet Explorer 10
    • Internet Explorer 11
    • Office 2013
    • Windows 8.1
    • Windows 2012 R2
  2. DISA
    • Windows 8
  • “User location affinity” is added to detect unauthorized system access.
  • Bad IP reputation lookup
  • Detect known-bad and unknown processes
  • Automatic Emerging Threats blocked IP list import (abuse.ch Feodo Tracker, Palevo Tracker, CI Army)
  • Automatic Bogon IPList Import
  • Automatic Iblocklist BlueTack Hijacked IPList Import
  • Automatic Iblocklist BlueTack SpyWare List Import
  • Automatic Iblocklist BlueTack Proxy IPList Import
  • Automatic Autoshun bad ip list feed import
  • NCM-Browser connecting to non-webserver port
  • NCM-Non-browser exe connecting to known webserver port
  • NCM-Browser connecting to non-webserver port
  • NCM-Non-browser exe connecting to known webserver port
  • NCM-All new network connection report
  • EventTracker-All windows process activity with checksum
  • EventTracker-New windows process activity with checksum
  • Access Control
    The access control features were comprehensively extended.

    • Groups: For access permissions users can now be associated with Groups. The web interface allows full management of these groups for users with Administrator role.
    • Roles: Roles are now freely configurable and users can be associated with roles. A new pre-configured role “Info” was added.
    • Permissions: Under the “Configuration” menu there is now a new item “Permissions”. Here the user gets a convenient overview of all of their access permissions and can manage them.
    • Roles can now be dynamically configured.
    • New default roles “Monitor”, “Guest” and “Super Admin”.
    • New permission “Super” that allows, for example, defining an administrator for a group.
    • Results are now an explicit part of the scan management.

The new section “Results” under the “Scan Management” menu offers object management for all scan results in the database that a user has permission for. In other words, searching and filtering for results is now possible independently of a scan report.

    • Solution Type

NVTs are now associated with a solution type, for example “VendorFix”. This allows grouping or identifying NVTs or results for which, for example, a simple solution exists or no solution is currently available.
The Feed content is updated over time to add a solution type for all of the NVTs. At the time of writing, 3.6% of the NVTs own a Solution Type.

    • Quality of Detection (QoD)

The QoD is a value between 0% and 100% describing the reliability of the executed vulnerability detection or product detection.
One of the main reasons to introduce this concept was to handle the challenge of potential vulnerabilities properly. The goal was to keep such results in the results database but make them visible only on demand.

  • New SecInfo object type “CERT-Bund” introduced: these are advisories published by the German federal CERT.

  • Credentials
    • The public key of SSH credentials is not required anymore because it is extracted from the private key.
    • Credentials for ESXi target systems can now be configured directly with the Target object instead of in the Scan Configuration object.
    • When a task is requested to stop, the scanner is now advised to switch immediately into the final phase of scanning. Previously the scanner stopped its activity without returning the host details collected so far; with OpenVAS-8 these are now transferred to the database.
    • Dropped support for pausing of tasks entirely (was removed from GUI before, now removed from OMP level).
  • OpenVAS Scanning Protocol (OSP)

This new protocol allows controlling a vulnerability scanner. The main elements are setting parameters, starting a scan and retrieving results. OSP is designed in the same way as OMP, so it is a non-permanent request-response connection based on XML.
OSP-compliant scanners can be configured and controlled via the user interface.

  • Vulnerability Scanning
    • Alive-Test (Up-Test, Ping-Test): The type of test that determines whether a system is active is now adjustable as a property of the “Target” object, which means it can be changed without changing Tasks or Scan Configurations. The possible methods are the same as before: ICMP, TCP and ARP.
      The default setting for the Alive-Test changes from ICMP&TCP&ARP to just ICMP. Hence results may change for some of your Tasks because some systems are no longer regarded as alive. In most cases where larger IP ranges are scanned, the scan duration will drop significantly while giving the same results. You do not need to change a Scan Configuration or Task to get back to the previous state; just adjust the Alive-Test method for the respective Target.
    • New pre-configured Scan Configuration “Host Discovery”. This Scan Configuration simply searches for live systems among the given target addresses. No vulnerability tests are executed. The result is just a list of hosts that are regarded as active.
    • New pre-configured Scan Configuration “System Discovery”. This Scan Configuration applies all NVTs that discover operating system types and/or hardware device types. No vulnerability tests are executed. The main result is an overview of the operating systems and devices found.
    • New pre-configured Scan Configuration “Discovery”. This Scan Configuration applies all NVTs that discover as many details as possible about the target system, installed services and applications. No vulnerability tests are executed.
    • Tasks: New class “Alterable Task” allows changing the Target and Scan Config even if there are already reports for this task. This allows having a playground task that is not designed to guarantee consistency between its reports.
    • Problems with DNS resolving during scan: Each failed resolving of a target system name is now listed in section “Errors” of the report browser.
  • Graphical User Interface
    • Dynamic charts are introduced, using the Javascript library “d3”. The first chart types (bar, donut, bubbles, line) are used for the SecInfo section in order to demonstrate some of the capabilities.
    • The chart objects allow downloading the data as a CSV table or SVG graphic. Also, an HTML table can be opened, and some of the charts are interactive.
      For the SecInfo Management, a first dashboard is integrated which assembles four of the charts and can be configured individually.
    • The charting feature is entirely optional: Without enabling Javascript support in the browser no core functionality is lost. Also, the chart view can be collapsed so that only the traditional table view is shown.
    • Timezones:
      The configuration of timezones was changed so that a drop-down list of available timezones is now offered instead of an entry field for specifying the timezone in text form.
    • Users are now allowed to have multiple simultaneous sessions, as long as the sessions are on different browsers.
    • For any web interface page, the duration of the backend operation will be shown at the bottom.
    • New wizard for modifying a task.
  • Architecture
    • redis (mandatory):
      The OpenVAS Scanner now uses a redis backend to share the knowledge base among the scanning processes.
    • The memory consumption of the OpenVAS Scanner was reduced by about 50%.
    • Snort version included in ETIDS is Snort 2.9.7.2.
    • Emerging Threats open rules for Snort are used by default.
    • Option to use Emerging Threats Pro rules with Snort (customers must subscribe to these separately).