What's New in Samurai MDR!

• 1: Samurai MDR Release Notes

1 - Samurai MDR Release Notes

October 2024

(Deployment 7 October 2024)

Samurai MDR portal

Alert View

We are excited to announce the first iteration of our new Alert View feature. The Alert View gives you visibility to security detections made by the Samurai platform and also from your vendor integrations with wider visibility into the service for transparency and insight into potential threats. You do not need to review or act upon alerts as the Samurai platform and Security Operations Center (SOC) analysts triage and investigate alerts which may lead to a reported security incident.

For more information please refer to:

• Alert Overview
• Alerts View

We plan on expanding this feature so look out for updates!

Alerts Dashboard

In support of Alert View, a new Alerts dashboard is available that provides useful insights showcasing Samurai MDR’s scale and effectiveness at identifying threats to your organization.

For more information please refer to:

• Alert Dashboard

News Feed

We want to keep you updated on what the Samurai SOC analysts are working on, therefore will now provide a news feed within the Samurai MDR portal. This feed will be used by the Samurai SOC to deliver real-time security updates and announcements that may include news such as how the SOC is dealing with the ongoing and emerging threats, issues we may be experiencing or notifying you of new releases.

We have updated the following article accordingly:

• Management

Telemetry Monitoring Improvements

We’ve made some improvements to Telemetry Monitoring to provide clarity on monitored integrations and notifications, this includes:

• the ability to disable email notifications by hiding an integration (also useful for unsupported integrations displayed as unknown).
• info on unsupported telemetry integrations where we do not notify you in the event of telemetry ingestion problems.
• info on telemetry integrations that do not generate enough events for us to monitor effectively.
• toggle on/off monitored integrations where the Samurai platform does not send notifications in the event of telemetry ingestion problems.
• Bar graph for log sources showing events over a specified time period allowing you to identify drops or spikes in events.

For more information please refer to:

• Telemetry Monitoring
• Integration Actions

Upload Evidence

You can now upload Evidence in relation to a Security Incident. We’ve made a minor update to the following article:

• The Situation Room

Language Support

We now support Swedish and Japanese language within the Samurai MDR portal - you can toggle between the languages as required.

We have updated the following article:

• Management

Samurai Documentation

• We have updated nomenclature to avoid confusion, moving forward we refer to the ‘Samurai MDR portal’ in all articles.
• To align with the updates withinin this release we have restructred the section Samurai MDR Portal User Guide within the main menu.
• Fixed formatting and errors found in articles.

Supported Integrations

Find links to the newly supported telemetry sources and integration guides:

• Microsoft Defender Advanced Hunting
• Samba Active Directory
• F5 BIG-IP LTM

We’ve made some updates to the following integration guides:

• Microsoft EntraID

  • Updated the log category as:
    • NoninteractiveUserSignin Logs (with may cause high log volume - We have seen with some clients high log volume so be cautious when enabling!)

• VMWare Carbon Black Cloud Enterprise EDR

  • Updated permissions required in the API Access steps

• Crowdstrike Falcon Insight

  • Added a Crowdstrike authorization form for access to Crowdstrike Falcon Host by the Samurai SOC.

• Squid Cache

  • Renamed to Squid Cache from Squid Proxy and updated steps to configure log forwarding

Other new or updated documentation

• We have updated the Samurai Local Collector guide to reflect an update made to break out the cloud-init files from the ISO image. For AWS and Azure you no longer need to download the ISO image and extract the relevant cloud-init file as they can now be downloaded directly from the Samurai MDR portal.

June 17 2024

Samurai MDR portal

Advanced Query

There is now no need save your KQL queries offline!

• You can now save your KQL queries within a personal or shared library across MDR portal users within your organization.
• We have created a standard library of useful queries which is populated by our SOC analysts that you can re-use. Expect to see this library updated regularly.
• You can now view the last 50 queries you have run and add them to a library as needed.

In support of this update we have updated the following article with addtional sections to reflect this update:

• Advanced Query Functionality
  • Query History
  • Query Library
    • Save new query
    • Edit/Duplicate/Delete

Security Incident Dashboard

Following the launch of the Situation Room in March, a new dashboard is available that provides useful security incident summary information over the past 12 months. Please review the following article:

• Security Incident Dashboard

To accomodate this update we renamed the existing dashboard to Telemetry Dashboard and updated the following article:

• Telemetry Dashboard

Save Views

You can now save filters you define for Collectors or Integrations using views, this is useful if, for example, you have a large number of integrations and wish to group them to view..

We have updated the following article to reflect this update:

• Integration Actions

General Improvements / Bug Fixes

• Mitigate excessive Security Incident Report PDF content.
• Align Security Incident Report PDF content - content was not always handled as expected in PDF version.
• Invite user bug fixed - if user was invited and did not complete registration and then invited again, the second registration would fail.
• UTC timezone clarity in all applicable areas.

Supported Integrations

Find links to newly supported telemetry sources and integration guides:

• Squid Proxy
• GestioIP IPAM (Note this integration only provides contextual data for use by the MDR SOC. No data from this integration will be visible in the Samurai MDR portal)

April 2024

Samurai MDR portal

Following our announcement on 29 April 2024 we shall launch in application ticketing on May 2nd 2024. This allows you to create tickets and view all historical tickets within the Samurai MDR portal.

The update is intuitive however please review the following articles if needed:

• Getting Help

To accomodate this update we have also amended our Dynamic Block List Configuration Guides outlining what information is required should you should raise a request for DBL onboarding

Samurai Documentation

We have launched our new Samurai Documentation Platform, hosted in GitHub Pages this allows us to manage our documentation just as we do with our code development! Expect to see alot more technical content in the coming months!

Supported Integrations

Find a link to the newly supported telemetry source and integration guide:

• Trend Micro Vision One

March 2024

Samurai MDR portal

The Situation Room

Following our announcement on February 16 2024 we have now launched The Situation Room! Through this launch, all Security Incident and associated details are found within the Samurai MDR portal. We no longer support Security Incident notifications with PDF reports attached, all notifications now provide a link to the Security Incident within the Samurai MDR portal. Security Incidents in PDF format can be downloaded within the associated Situation Room.

Please review the following articles:

• Security Incidents
• The Situation Room

Reports

We have updated the Executive Overview Report to align with data shown within the Security Monitoring funnel in relation to Alerts.

You will now find two additional sections within the report:

• Alerts analyzed per vendor (graph)
• Alerts analyzed (table)

Depicted within the additional sections are vendor based alerts but also includes alerts generated by the Samurai platform based on ingested data.

Supported Integrations

We are constantly expanding our list of supported integrations, see links to the newly supported telemetry sources and Integration guides:

• Microsoft Entra ID
• Microsoft Azure Activity Logs
• Microsoft Azure Firewall
• ESET Protect
• Linux Apache HTTP Server Logs

Other new or updated documentation

Microsoft Azure Management Plane

We have deprecated the Microsoft Azure Management Plane configuration guide as we now leverage individual guides listed above and a Cloud Native Collector.

January 2024

Samurai MDR portal

2FA Update

Following our announcement on January 11 2024 we have now deprecated support for SMS-based two factor authentication (2FA) and updated access to the Samurai MDR portal through Time-based One-Time Passwords (TOTP) through authenticator apps. Please review the article if you require more information.

We have also updated Getting Started with Samurai Managed Detection & Response (MDR) to reflect this change. 

Other new or updated documentation

Incident Response Retainer Service Description

We have made some updates to the Incident Response Retainer Service Description to include Emergency IR capabilities. Additional information can be found on our website Incident Response Services.

Supported Integration Categorization

We have updated Supported Integrations to include detection categories we define to provide clarity and set expectations on threat detection capabilities from each telemetry data source. You can read more on the categorization in Telemetry Data Source Categorization.

Microsoft Windows Defender

We have deprecated the dedicated Microsoft Windows Defender configuration guide as we now leverage the Microsoft Graph (Security).

Integration Actions

We have updated the Integration Actions article to include the Cloud Native Collector.

December 2023

Supported Integrations

See links to the newly supported telemetry sources and Integration guides:

• Azure Virtual Networks (NSG Flow)
• Cisco Identity Services Engine (ISE)

Other new or updated documentation

We have updated the Local Collector Deployment guide to include deployment to an Azure Virtual Machine. View the updated article:

• Samurai Local Collector

November 2023

Supported Integrations

We are constantly expanding our list of supported integrations, see links to the newly supported telemetry sources and Integration guides:

• Aruba Networks Clearpass
• Claroty xDome
• Trellix Endpoint Security (ENS)
• Microsoft Graph Security API
  • Please review the guide for supported Microsoft products/services.

We have renamed FireEye HX to Trellix Endpoint Security (HX) to avoid any confusion.

October 2023

Samurai MDR portal

Reports

Get valuable insights into your MDR service through the reporting feature!

You can now generate reports based on a time period you define which utilizes a standard template. This template has been designed to provide various metrics based on security incidents reported, requests you have submitted and also your data ingested into the Samurai platform. Refer to Samurai MDR Reporting for additional information.

Telemetry Monitoring Notifications

Receive notifications of telemetry data ingestion issues we encounter whilst providing you the MDR service!

Users of your Samurai MDR portal can now receive email notifications of telemetry health issues. Refer to Telemetry Monitoring for additional information.

We are improving our notifications functionality in coming releases - for example self service, user profile based selection of notifications…..watch this space!

Integration Descriptions

The integration description field has been extended to a larger multi-line text box of 256 characters and you can now edit the description field as required after an integration is complete.

Cloud Native Collector

We have released a new Collector type - we call it a Cloud Native Collector!

The Cloud Native Collector is effectively a new transport method to ingest telemetry from cloud based storage. It is built to monitor storage accounts and is completely agnostic to the data, it simply picks up any files for ingestion into the Samurai platform.

We currently support Azure Blob storage. Configuration is completed through an Azure Resource Manager (ARM) template in your subscription with a key to register with the Samurai platform.

The Cloud Native Collector will be used to support specific Azure products/services (for example Azure Firewall) and any supported third parties, therefore anticipate associated configuration guides that will utilize the new Collector type (we are currently in the process of writing the guides).

For more information on the Cloud Native Collector refer to Samurai Collectors and Samurai Cloud Native Collector.

Support for Amazon Web Services (AWS) S3 is coming soon.

Release Notes

You’ve already found them if you are reading this article!

We want to ensure you are aware of any new features, bug fixes and enhancements therefore all will be documented here in future. You can easily find the release notes from a link that is now displayed within the Samurai MDR portal Main Menu under Documentation.

What’s been fixed/enhanced?

• Case sensitivity when searching for products/vendors when completing an integration.
• Telemetry monitoring indicator in the main menu that displays the number of integrations with potential issues.

Supported Integrations

We are constantly expanding our list of supported integrations, see links to the newly supported telemetry sources and Integration guides:

• Infoblox DDI
• Google Workspace
• WatchGuard Firebox
• Microsoft IIS

Other new or updated documentation

We have updated some Microsoft integration guides in support of our preferred method of using Beat agents. See the updated integration guides for more information:

• Microsoft DNS Server
• Microsoft DHCP Server
• Microsoft Windows Event Log

We have updated the Local Collector Deployment guide to include deployment to an Amazon EC2 instance. View the updated article:

• Samurai Local Collector

Samurai MDR Add-on: Dynamic Block List Support

We have added support for Cisco FirePower.

Please review Dynamic Blocklist and the associated configuration guide.

If you want to onboard your devices then submit a DBL Onboarding request via the Samurai MDR portal.