Hello there,

Please find below our monthly newsletter that focuses on integrations, upcoming events, and other relevant information.

In this latest edition, we have 1 new integrations, 3 new features and 6 updates to share with you and these, along with all of the previous enhancements, are available in our latest m40 release.

  • Features (3 new):
    • LogicHub Free Edition (New)
    • Audit Log (New)
    • On-Demand Streams (Existing)
    • Import/Export Commands (Existing)
    • Relayout Flow (Existing)
    • Malicious PowerShell Detection (New)
  • Integrations (1 new):
    • Joe Security Sandbox (New)
    • ServiceNow (Existing)
    • ElasticSearch (Existing)
    • IBM OMNIbus (Existing)
  • Events
    • CyberNext Summit 2019

We hope you find this useful! Questions? Please reach out to us at: questions@logichub.com


Logichub Free Edition (New):

For the first time, the Free Edition of Logichub is available and can be downloaded as an OVA to be deployed locally on your ESXi server. The bundled features include three users, five playbooks, unlimited integrations, as well as the Case Management feature. This gives interested parties the opportunity to quickly get their hands on and experience the full power of SOAR+ with Logichub.

For more information, visit https://www.logichub.com/product/free-edition.


Audit Log (New):

The brand new Audit Log feature is exactly as it sounds, all of the important events which occur in Logichub are now logged and individually timestamped. Here’s a list of the event coverage broken down by the type of event.

  • User Events:
    • User Login Success/Failure
    • User Creation Success/Failure
    • Password has expired
    • User Privilege has been modified
    • User Deletion Success/Failure
  • Stream Execution:
    • Batch Execution - short summary including start/end time, rows of data processed, and number of nodes in the flow
    • Events Ingested - summarized in bytes ingested
  • Integrations:
    • Current status of integrations - number of connections created and number of integrations with connections
  • Case Management:
    • Case Closed
    • Case Created

On Demand Streams (Enhancement)

Rather than requiring a user to set the authentication token for On Demand Streams in a configuration file within the Logichub Host. The new version of On Demand Streams will automatically provide a UUID token as a portion of the On Demand URL that we provide. Users will also be able to regenerate their token if they wish to do so.

To avoid overloading the On Demand endpoints, a rate limit can be defined. We will begin to queue the requests being received by the endpoint once the incoming request limit has crossed a certain threshold. This gives you the ability to define and control normal operational boundaries for these automated On Demand actions.


Import/Export Commands

You can now export and import Case Commands from your local computer and use them in different types of cases being managed by Logichub.


Relayout Flow

When utilizing the Relayout tool in the Flow Builder, the Node which is currently selected will be utilized as a reference for the center point when re-rendering the graph. The zoom level will also be adjusted based on this selection, ensuring the entire Flow is visible within the viewing area.


Malicious PowerShell Detection

This is one of our first automated detection flows which can be mapped to the MITRE ATT&CK Framework. The intent is to detect malicious one-liners in PowerShell. We will monitor your historical PowerShell logs to obtain a sense of what is considered normal and what is not normal within your environment. From there, we have compiled a list of 200+ malicious PS technique and command patterns which are able to automatically catch commonly used powershell functionality and modules to initially compromise an environment and begin establishing a foothold.

The express intent of this Flow is to examine malicious one-liners used in initial breaches, as well as post-compromise steps like disabling Windows Defender or other security tools and creating new backdoor accounts for persistence. As attackers move on from the initial compromise and transition into exploration, a common tactic is to disable Windows Defender, due to its efficacy at preventing malware from being executed locally.


New Actions:

  1. Analysis Info
  2. Submit File
  3. Submit URL
  4. Download Report
  5. Download Sample
  6. Is Online
  7. List Analyses
  8. Search Analyses

With the Joe Security Sandbox you’ll be able to leverage their expertise in sandboxing to automatically submit and retrieve reports on submitted samples. You can submit a URL or file for analysis, download historical reports and samples, as well as query for historical reports. For example, in a Phishing Triage flow, you would be able to automatically submit any URLs or attachments in the e-mails to be analyzed by Joe Security Sandbox.


Enhanced Action:

  1. Query Ticket v2

This enhancement enables users to query tickets by a partial string match, rather than requiring an exact match. The option to input a Jinja template was also added, giving users the ability to dynamically query by one or more ServiceNow fields.


This update enables you to query all of the results in a given ElasticSearch index.


Enhanced Action:

  • Call Postemsg

The IBM Tivoli Netcool/OMNIbus integration allows you to leverage postemsg to send an event to OMNIbus and automatically create a ticket. You can utilize this action to generate an audit trail of Stream activity. Near the final branch of any flow, you can create a dynamic text template for the ticket and have this action automatically spawn tickets whenever your flow is automatically executed.


Events

CyberNext Summit 2019
The National Press Club in Washington, D.C.

Kumar, our CEO, will be speaking on October 9, 2019 at 3:00pm on Decision Automation: Teaching Machines to Hunt
https://www.kuppingercole.com/events/cns2019/speakers/2277

We have more exciting features coming next month, so look out for the November edition of our Customer Newsletter which we will send out the first week of November.

Regards,

Hamish Talbot
Director Customer Success
LogicHub, Inc.

Questions? Please email us at: questions@logichub.com
Technical Support: support@logichub.com