on 09-11-201803:24 AM - last edited on 12-28-201805:14 PM by ploera
Palo Alto Networks Live Community gives an in-depth look at the new applications for September 2018. Find an updated list of 20 new App-ID releases, including five App-IDs for msrpc and two functional App-IDs for Active Directory. Read more about these App-IDs and join the discussion on Live today.
Palo Alto Networks releases New App-IDs on every 3rdTuesday of the month. As a way of letting our customers know well in advance what new App-IDs are being released, we publish the list here: New Apps for September 19 Release. We highly encourage customers to look at this link and understand what new applications are being released, and if they would like to use these in their policy, to safely enable them.
We are releasing five functional App-IDs formsrpcand two functional App-IDs for Active Directorythat can be used to get visibility and can be used in a security policy to block lateral movement for an attacker.
ms-remote-registry, ms-scheduler – Attackers tend to use these operations to enumerate remote hosts and run commands on remote machines. By default computers do not use these rpc services, so you can allow only specific sources (management servers or vulnerability scanners) or specific destinations that require these rpc services.
ms-local-user-management , ms-local-security-management – You can use these App-IDs to be allowed only to DCs and between DCs. This will reduce the attack surface for attackers using bloodhound and other automatic enumeration methods to find a way to gain domain controller access.
ms-dc-replication- attackers might abuse this rpc service to dump active directory data using dcsync or shadow DC techniques. By whitelisting these App-IDs only to DCs (as sources and destinations), you can reduce the attack surface.
We are adding functional App-IDs for SaaS applications likeyahoo-mail to provide more granularity. This can help in controlling aspects like file downloads, uploads and sharing for this popular SaaS application.
We are adding a few App-IDs for code management softwares—coverity,crucible,Jfrogandsonarqube.
We are releasing App-IDs forcrypto-lootandjsecointo detect and block crypto mining activity in your network.
The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users\' web servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG) for their Let\'s Encrypt service. The protocol, based on passing JSON-formatted messages over HTTPS, has been published as an Internet Draft by its own chartered IETF working group.
Crucible is a collaborative code review application by Atlassian. Crucible is a Web-based application primarily aimed at enterprise, and usually integrated with Fisheye service from Atlassian.
Grammarly is a cloud-based English-language writing-enhancement platform.Grammarly\'s proofreading and plagiarism-detection resources check against more than 250 grammar rules.
JFrog Artifactory is a Universal Repository Manager supporting all major packaging formats, build tools and CI servers. This app-id controls traffic between a client and an on-premise or cloud jfrog artifactory instance.
DC-Replication (Domain Controller Replication) is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information.
Directory Service Setup provides a remote procedure call (RPC) interface for querying domain-related computer state and configuration data. The client end of the Directory Services Setup Remote Protocol is an application that issues method calls on the RPC interface. The server end of the Directory Services Setup Remote Protocol obtains and replies to the client with the requested data about the computer on which the server is running.
Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log.
The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies.
The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups.
Microsoft Windows Remote Registry Service is a DCE/RPC based protocol used by CIFS hosts to access the registry across a network.
The Workstation Service Remote Protocol is designed for remotely querying and configuring certain aspects of an SMB network redirector on a remote computer.
Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Mssql-db-encrypted identifies mssql-db traffic with encryption.
Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Mssql-db-unencrypted identifies mssql-db traffic without encryption.
SonarQube (formerly Sonar) is an open source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. This app-id controls traffic between a client and an on-premise or cloud sonarqube instance.
This App-ID detects the downloading attachments activity by users on Yahoo-mail.
This App-ID detects the sending emails activity by users on yahoo mail.
This App-ID detects the uploading attachments activity by users on Yahoo mail.