Software Releases Publication

Current Release - Release Notes Ransomware Defender AWS

Release Date: 09/09/2023
Version: 3.2.0


What’s New in Superna Eyeglass Ransomware Defender AWS Edition Release 3.2.1

Fixed in 3.2.1

RWDAWS-728 FSx - Audit events can not be read in Eyeglass if the share has space in the name

FSx - Audit events cannot be read in Eyeglass if the share has a space in the name.

Workaround: None.

New in Superna Eyeglass Ransomware Defender AWS Edition Release 3.2.0 (09/09/2023)

New in 3.2.0

FSx lockout


The FSx agent is a Windows service that runs on a Windows EC2 instance. The customer provides this instance, which must be joined to the same Active Directory domain as the FSx server.


Fixed in 3.2.0

RWDAWS-744 [Multi Account Support] : FSx - permissions to add in cloudformation template for fsx cross account lockout/restore functionality

FSx - permissions to add in the CloudFormation template for FSx cross-account lockout/restore functionality.

Workaround:

  1. Delete the FSx-event-capture stack if it has already been added.
  2. Add the missing permissions manually to the EC2Role of the stack.
  3. Add the FSx filesystem to Eyeglass.
  4. FSx event detection/lockout/restore then works as expected.

New in Superna Eyeglass Ransomware Defender AWS Edition Release 3.1.1 (06/29/2023) 

Fixed in 3.1.1

RWDAWS-386 [Webhooks] : RSW event - do not send Security guard events

SG events are sent to the webhook endpoint if they match the filter criteria.


RWDAWS-377 [Webhooks] : RSW event - remove MINOR option from event severity filter

  • For RSW events, severity can only be WARNING, MAJOR and CRITICAL.

  • There is no MINOR severity.


RWDAWS-419 [Cyber Recovery Manager] : Ransomware event gets triggered when recovery job moves file to quarantine directory

A ransomware event is triggered when a recovery job moves a file to the quarantine directory.


RWDAWS-416 [Cyber Recovery Manager] : Bucket versioning status is not shown correctly on UI

In AWS, when the bucket versioning status is disabled, the GUI shows ERROR_GETTING_STATUS.


RWDAWS-482 [Cyber Recovery Manager] Bucket versioning enabled - file objects are not restored to the most recent version

With bucket versioning enabled, file objects are not restored to the most recent version.


RWDAWS-491 [Active Auditor] : Can not trigger CRTA policy events

CRTA policy events cannot be triggered in Eyeglass.


RWDAWS-231 Security Guard Log Viewer - Copy to Clipboard doesn't work

Security Guard Log Viewer - Copy to Clipboard doesn't work


RWDAWS-434 Add Managed Device UI - when select 'show protected buckets only' option, no data is shown

When “show protected buckets only” is selected on the ‘Add Managed Device’ UI, no data is shown (even though protected buckets are added).


RWDAWS-236 UI hang issues plus unrelated error messages are shown randomly

The Eyeglass UI sometimes hangs, takes time to load UI elements, or randomly logs the user off from the GUI. Random error message pop-up windows also appear in between.


RWDAWS-355 Able to trigger TD15 when bytes match percent tolerance is greater than default value

TD15 can be triggered when the bytes match percent tolerance is greater than the default value.


RWDAWS-417 [Cyber Recovery Manager] : Missing S3 permissions for CloudFormation template

Missing S3 permissions for CloudFormation template


What’s New in Superna Eyeglass Ransomware Defender AWS Edition Release 3.1.0 (05/03/2023) 


Fixed in 3.1.0


RWDAWS-235 [Ignored List] : able to generate TD events from paths added to the ignored list

  1. The UI element is not shown properly.
  2. The path hint shows as “<Bucket>/Path/To/Object”. After closing and re-opening the UI, the path shows as “/ifs/”.
  3. RSW events should not be generated for paths added to the ignored paths list.

RWDAWS-233 Remove 'Create/Delete Snapshot' option from Actions menu for an active or archived event

For any active or archived TD event, the option to create/delete a snapshot is still shown.


RWDAWS-182 False alarm about eca node version doesn't match eyeglass version

An informational alarm is raised: “ECA node version does not match the Eyeglass version”.


RWDAWS-98 Uploading files to s3 buckets triggers TD15

TD15 is triggered just by uploading files to an AWS S3 bucket. For an upload, the event type is OBJECT_WRITE.


RWDAWS-240 [Monitor Only Settings] : events from path added to the monitor only settings should be in monitor mode

For a path added to Monitor Only Settings, TD events should be generated in monitor mode with warning severity, but events are currently raised as WARNING/MAJOR/CRITICAL.


RWDAWS-241 Cluster up may get stuck sometimes at Initializing hbase schema step

ECA cluster up may get stuck at the Initializing hbase schema step.


RWDAWS-179 [Active Auditor]: Monitor only mode - generic TD's can be raised as a warning, major and critical

Monitor only mode - generic TD's can be raised as a warning, major and critical.


RWDAWS-239 Data Start and end times on easy audit reports are sometimes inaccurate

When running an audit report, the timestamps of the resulting dataset's first and last audit records are displayed on the UI.



Known Issues


RWDAWS-723 [FSx Agent]: lockout job is stuck when SupernaFSxService is not running

  • The lockout job is stuck in this case and keeps running. Unable to cancel this job.

  • The event will expire at a set time, but the lockout job will keep running.

Workaround:

Restart the SCA service on Eyeglass: systemctl restart sca


RWDAWS-749 [Active Auditor] : S3 - unable to trigger DLP events in eyeglass

S3 - unable to trigger DLP events in Eyeglass.

Workaround: None.


RWDAWS-672 [Stack Deployment] : unable to delete FSx event capture stack

Unable to delete FSx event capture stack.

Workaround:

  1. Log in to the AWS console where the fsx-event-capture stack is deployed.

  2. Open Amazon Kinesis → Data streams, then delete the created data stream manually.

  3. Next, delete the superna-fsx-event-capture stack manually.


RWDAWS-787 [Stack Deployment] : unable to delete rwdaws stack as the EC2Role fails to delete

When trying to delete the RWDAWS stack manually from the AWS console, the stack fails to delete because the EC2Role logical ID fails to delete.


RWDAWS-722 [Fsx Agent]: Unable to install FSx agent installer using the wizard

Unable to install FSx agent installer using the wizard


RWDAWS-852 [Monitor Only Settings] : FSx - path format supported is not correctly shown in the info section

  1. The format for entering monitor-only paths for FSx shares is not shown correctly in the info section. It says to enter the path as share/path/subpaths.

  2. This path shown under the info section is not supported for FSx: “**.java - Matches any object name ending in .java on any path in any share.”

Workaround: Enter the path using backslashes, as supported by Windows, e.g. \share\path\** (instead of "/").


RWDAWS-853 [Monitor Only Settings] : FSx - Edit path ui not working correctly

Unable to edit FSx paths on the monitor-only settings page. The NE information is missing when editing paths, and the save button is not enabled.

Workaround: On the Edit path window, switch between the ‘target NE types’ field values to populate NE information for the FSx server; paths can then be edited successfully.


RWDAWS-854 [Monitor Only Settings] : FSx - Add new user UI issues

For Monitor only settings page - Add New User UI:

  • The new user field does not provide a hint for the only user format we support for AD;
  • AD information is not populated.

Workaround:

  1. The user name should be entered in the format: user@domainname;

  2. Select NE first to populate AD information.


RWDAWS-871 [Monitor Only Settings] : FSx - path is case sensitive

The path has to be entered in all lowercase to trigger events in monitor mode.

Workaround: Save Monitor Only settings paths in lowercase.


RWDAWS-869 [Security Guard] : S3 - sg gets triggered on delete of existing files

When running SG against an S3 bucket with a lot of existing files, SG triggers a lockout during the “delete objects” phase. There is an active event in Eyeglass in lockout state.

Workaround: For an active event in the locked_out state, manually restore user access.


RWDAWS-872 [Ignored List] : FSx - 'Convert Entries to Monitor Only' - events from path and user are not in monitor mode

The events from the path and user added to the Monitor Only Settings page using the option Ignored List -> 'Convert Entries to Monitor Only' are not raised in monitor mode. They are raised as WARNING/MAJOR/CRITICAL as per the set threshold under the configuration page.

Workaround: To get events in MONITOR mode, set user/path from the Monitor Only Settings page.


RWDAWS-874 [Inventory View] : sometimes information for added NE is missing

When multiple NEs are added to Eyeglass, sometimes the inventory view is not populated properly. It shows the network element added to Eyeglass, but the information underneath is missing.

Workaround:

  • SSH to the Eyeglass VM.

  • Information about the added NE, S3 buckets and FSx file systems added to Eyeglass can be found in the files /opt/superna/sca/data/ecasettings/aws.json and /opt/superna/sca/data/ecasettings/windowsFSX.json


RWDAWS-877 [Auditing] : FSX - not all regions are listed on Report Query Builder page

When filesystems from different AWS accounts and regions are added to Eyeglass, the Region field may not list the correct region for the selected Account on the Report Query Builder page.

Workaround:

  • Create a custom FSx query by selecting storage type FSx and Account WindowsFSX_awsaccountid

  • Run the above query to get the report of audit events for all filesystems from the selected account


RWDAWS-876 [Auditing] : Report Query Builder - user name field is case sensitive

On the Report Query Builder page, the user name field is case-sensitive.

Workaround: Enter the username exactly as created in AWS AD or IAM.


RWDAWS-878 [Ignored List]: S3 - able to generate TD events from paths/user/clientIP added to the ignored list

For S3 buckets, events from paths, users and client IPs added to the Ignored List are still generated in Eyeglass. However, the expected behaviour is that they should be ignored.


RWDAWS-879 [Monitor Only Settings] : S3 - events from path/user added to the monitor only settings should be in monitor mode

For S3 buckets, events from the path and user added to the Monitor Only Settings are generated as WARNING/MAJOR/CRITICAL. However, the expected behaviour is that events should be in monitor mode.


    © Superna Inc