SES Evolution 2.7.1 new features and enhancements

CAUTION
To be able to update SES Evolution to version 2.7.1, first update the backoffice components to version 2.6.

Pool protection

New built-in rule sets

Since version 2506a of the security policies, the following shared rule sets have been added.

Protection against EDR bypass

This rule set detects attacks that attempt to disable the EDR detection modules.

Protections against targeted threats

This rule set blocks threats generically, using protections built into the product.

Detection of malicious behavior by Sigma rules

The Sigma format is a standard unified language for describing log-based incident detection rules. In particular, Sigma collaborative rules can be used to create and share standardized detection rules, which can be used regardless of the SIEM or system.

Stormshield has developed two import scripts for sending Sigma rules to the SES Evolution API, converting them to SES Evolution rules, and deploying them to agents. Malicious behavior identified by Sigma rules is detected and generates logs.

To enable Sigma rules in SES Evolution, add the new Stormshield – Sigma Protection or Sigma Advanced Protection rule set to your security policy.
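As an added illustration of what a Sigma rule expresses (this is not Stormshield's import script, and the rule, events and field names are constructed), the following evaluator applies the parsed form of a Sigma detection block to process-creation events:

```python
# Added example: a minimal evaluator for Sigma-style detection rules.
# Not Stormshield's import script; the rule and events below are constructed.
RULE = {  # the 'detection' block as loaded from a Sigma YAML rule
    "title": "Service stopped or deleted via sc.exe (constructed)",
    "detection": {
        "selection": {"Image|endswith": "\\sc.exe", "CommandLine|contains": ["stop", "delete"]},
        "filter": {"ParentImage|endswith": "\\services.exe"},  # hypothetical exclusion
        "condition": "selection and not filter",
    },
}

EVENTS = [  # constructed process-creation events; only index 1 should match
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query Spooler", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\SC.EXE", "CommandLine": "sc stop Spooler", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc stop Spooler", "ParentImage": r"C:\Windows\System32\services.exe"},
]

def match_value(value, pattern, modifier):
    """Sigma string comparisons are case-insensitive; a modifier narrows them."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    return {"contains": p in v, "startswith": v.startswith(p),
            "endswith": v.endswith(p)}.get(modifier, v == p)

def match_selection(selection, event):
    """Every field of a selection must hold (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(match_value(event.get(field), p, modifier) for p in patterns):
            return False
    return True

def eval_condition(condition, results):
    """Supports conjunctions such as 'selection and not filter' (no 'or', no parentheses)."""
    def term(t):
        neg = t.startswith("not ")
        return results[t[4:] if neg else t] != neg  # negate when prefixed with 'not '
    return all(term(t.strip()) for t in condition.split(" and "))

def rule_matches(rule, event):
    """True when the rule's condition holds for one event."""
    det = rule["detection"]
    results = {k: match_selection(v, event) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], results)

def scan(rule, events):
    """Indices of the events that would raise a detection log for this rule."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

The second event matches despite its upper-case image name, and the third is excluded by the filter, which is the kind of exclusion an exception rule would otherwise have to express.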

Exception creation wizard

A new wizard makes it easy to create and manage custom exception rules from logs you consider false positives. The wizard allows you to:

  • Select one or more logs for creating exception rules,

  • Choose the rule set that will accommodate the exception rules,

  • View and if necessary modify the exception rules that will be created by SES Evolution,

  • Delete the rules you do not want to create.

Protection against execution flow hijacking

To avoid false positives due to this protection, you can now fine-tune it by declaring executables or DLLs (callers) and/or functions that can be authorized or blocked.

Global update of all rule sets of a policy

You can now simultaneously update all the rule sets in a policy to the latest version. The operation can be applied to all sets or only to Stormshield integrated sets.

Folder deletion during remediation

A new remediation action, Remove Folder, is now proposed from a folder creation or modification log.

Protection against threats

Built-in threat protections now allow multiple rules to be defined for each threat.

Exception rule sets

It is now possible to manually create exception rule sets or transform an existing protection rule set into an exception rule set.

SES Evolution agents

Agent status information

SES Evolution agents can now export their status to the operating system through a WMI class. This allows third-party applications, for example workstation compliance systems, to take the status of SES Evolution agents into account when applying security policies. The following information is exposed:

  • Software version of the SES Evolution agent,

  • Operating status,

  • Name and version of the security policy applied,

  • Agent group name,

  • Maintenance mode status (enabled/disabled),

  • Date and time of last connection to the agent handler.

As an administrator, run one of the following PowerShell commands to retrieve this information:

  • Get-CimInstance -Namespace ROOT\Stormshield\SES -ClassName SES_GeneralInformation

  • Get-WmiObject -Namespace ROOT\Stormshield\SES -ClassName SES_GeneralInformation

You must have PowerShell version 3 or higher to use these commands.

Agent communication over HTTPS

SES Evolution agents now communicate with the backoffice using HTTPS on port 443. If some agents are still in version 2.6 or lower, you can enable the Enable old communication protocol setting so that they can keep communicating with the backoffice via TCP on port 17000.

Administration console

Sharing information on security events

To facilitate the analysis of SES Evolution security events, you can now share log information with your colleagues. Sharing takes the form of a link that the recipient pastes into their own administration console. The elements that can be shared are logs or log groups, attack graphs, and agent log filters.

Importing an LTSB version for SES Evolution agents

In the Agents panel, you can now import and distribute an SES Evolution LTSB version to agents on workstations that have operating systems not supported as standard. For further information, see the SES Evolution product life cycle document.

To get help to install an LTSB version of the agent, contact the Stormshield Technical Assistance Center.

Multi-user management of policies and rule sets

Multiple users can now edit policies and rule sets in parallel.

For example, while user 1 is editing policy A, user 2 cannot edit it, but can edit policy B and the rule sets contained in policy A.

The same behavior applies to agent groups, Yara or IoC scan units, and agent handler groups.

Deleting logs from the Agent logs panel

In the Agent logs panel, the new Actions > Delete events menu allows you to delete events and all the logs they contain. You can choose to delete either selected, displayed, or filtered events.

Log deletion criteria

The automatic or manual log deletion wizard now offers the following criteria to filter the logs to be deleted:

  • Target or source applications,

  • Log categories,

  • Event types.

Removal of disconnected agents

Support reference: STORM-97

The default value of the agent parameter Automatic deletion after n days is now 180 days (6 months) instead of 30 days. Agents are therefore removed from the Agents panel after 6 months without connecting to the agent handler.

Trusted devices

Support reference: STORM-4156

The Allow device identification agent parameter now lets you choose the trust level (0 or 1) granted to a USB device connected to a workstation.

Search links on an IP address in agent logs

In the details of a log emitted by an agent, two new links allow the reputation of the remote IP address to be checked on the VirusTotal and Stormshield IP Reputation sites.

Copying information in the agent logs

In the main agent log pane, you can now select the following information to copy it: Dates, Agent, Host name, User name, IP Address and Message.

Backoffice

By default, the “Syslog hostname” field in the syslog frame header is set to the name of the SES Evolution agent. This affects the performance of the Syslog server if there are many agents.

You can now edit the contents of the header in the database and choose the name of the log relay agent handler. This setting is not available in the administration console and can be changed via a script. For more information, see the Knowledge base article.

Installation center

Removing Demonstration mode

The Installation center no longer offers to install SES Evolution in demonstration mode.

Installing additional administration consoles

The Installation Center now allows an administrator not registered with SES Evolution to install an additional administration console. For this, the administrator must provide the installation key in the menu Backoffice > System > General.
