07/01/2021: Expanded Third Party Endpoint Security Incidents

Alert Logic security content centered around log sources is now available for five additional vendors and has been expanded for Office 365. This new coverage allows Managed Detection & Response Professional and Enterprise customers to continuously monitor alerts and logs from these market-leading Endpoint vendors and Office 365. Having an increasingly mobile workforce means that companies need to monitor devices on and off of their networks, and the addition of endpoint logs and expansion of Office 365 coverage will provide expanded visibility to your environment and more extensive threat coverage. The five additional Endpoint sources include:

• Carbon Black
• SentinelOne
• Cisco Endpoint (formerly AMP for Endpoints)
• Cylance
• Sophos

New Security Content Incidents

This new security content offers additional visibility into your environment. See the following incidents that will be generated in the Incident console - found within the Alert Logic console at (navigation menu) > Respond > Incidents - for each of the new detection sources:

Cylance

• Exploit Attempts
• Ransomware Detected
• Known Hacktool Detected

Cisco Endpoint

• Possible Ransomware TTPs Detected
• Exploit Prevented

Sophos

• Ransomware Detected

Carbon Black

• Endpoint: Known malware detected
• Endpoint: Ransomware detected
• Endpoint Outbreak: Potential new malware or suspicious event detected

SentinelOne

• Outbreak: Non-mitigated suspicious threat across multiple hosts
• Outbreak: Non-mitigated malicious threat across multiple hosts
• Outbreak: Malicious threat mitigated across multiple hosts
• Agent - Agent failed to remediate
• Agent - High severity alert (malicious) (non-mitigated)

Office 365

• Unusual Addition of Credentials to OAuth App
• Multiple Failed Login Attempts
• Infrequent Country Activity
• Impossible Travel Activity

Endpoint Log Configuration 

You must configure log collection for the above new endpoint applications you want log data collected and incidents generated from within the Alert Logic Application Registry. The Application Registry is found in the Alert Logic console at > Configure > Application Registry. The Application Registry is a catalog with all available applications from which Alert Logic can receive log data. You can add multiple log collection instances to each application you configure.

Additional Resources

For more information related to log sources that Alert Logic collects and analyzes, see the Application Registry Platforms knowledge base article.

For more technical details on endpoint incidents, see our Endpoint Security Incidents documentation.