November 2020
The following are the new and improved features available with the Xshield version released on the 10th of November 2020.
Filter, search, and download audit logs
- Filter the audit logs for your Xshield instance by the following log categories: Access Parameter, Access Policy, API Auth Key Generator, Authentication, Corporate Policy Template, Groups, Managed Endpoint, Managed Workload, Network Group, Quarantine Template, Instances, Security Policy Template, Security Sightings Report, System, and Users.
- With the log category filters applied (optional), enter text in the Search box to filter the audit logs further.
- Download all audit logs for the instance, or only the selected ones (filtered by log category and/or search text), as a CSV file.
These features are available on the Settings > Audit logs page. See Audit logs for more details.
Alert categories and Severity levels for Xshield alerts
Xshield alerts are now categorized into the Appliance, Asset, and Traffic Alert categories and assigned one of the following Severity levels: Critical, High, Medium, and Low.
The alerts in each Alert category, and the Severity levels assigned to them, are:
Appliance alerts
- Appliance Deletion - Info
- Appliance Operational Status - Info
- Appliance Reachability Status - Critical (when appliances go Offline), Info (when appliances go Online)
- Appliance Software Upgrade - Info
- Remote Access Connection - Info
Asset alert
- Workload Status - Critical (when workloads go Offline), Info (when workloads go Online)
Traffic alerts
- Cross-Environment Communications - Medium
- Exfiltration - Critical
- Inbound Scan - Critical
- Unsafe Internet Communication - Medium
- Unauthorized Access to DB Servers - Info
All Xshield alerts for your instance are listed on the Alerts page, which also shows the Alert category and Severity level of each alert. See Alerts reported on Xshield for more details.
Enable and disable alerts by Alert categories and Severity levels
The Settings > Configuration > Alerts Config page is redesigned to facilitate the following:
- Enable or disable alerts by Alert category (Appliance, Asset, and Traffic). For example, enabling the Traffic alerts category enables all applicable Traffic alerts (depending on the Severity level you set for the Alert category).
- Set the Severity level (Critical, High, Medium, or Low) for each Alert category. For example, setting the Severity level of the Traffic alerts category to Medium generates all Traffic alerts except the Info-level Traffic alerts.
To reduce clutter on the Alerts page, by design, only 'Critical' alerts are generated for a new Xshield instance. See Enable alerts for more details.
Use ColorTokens vulnerability scanner to find CVE vulnerabilities on 'managed' Windows assets
On the Settings > Risk assessment tools page, activate the ColorTokens vulnerability scanner to find the Common Vulnerabilities and Exposures (CVE) vulnerabilities associated with the software packages found on the assets. The ColorTokens vulnerability scanner uses the 'software packages' data collected by the agents on the assets, together with the integration with vFeed's Vulnerability Intel service, to report the list of CVE vulnerabilities on the assets.
A few minutes after activating the ColorTokens vulnerability scanner, you will see vulnerability data for the assets in the:
- Vulnerabilities and CVSS Score columns on the Assets page
- Vulnerability tab in the fly panel of the assets. Click the Download icon in the fly panel of an asset to download its list of vulnerabilities as a CSV file.
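The scanner described above correlates the package inventory reported by the agents with a vulnerability feed and surfaces the result as a per-asset CVE list and CVSS score. The following is an added illustration of that correlation step, not ColorTokens or vFeed code: the feed records, the `CVE-EXAMPLE-*` identifiers, the product names, the version ranges and the asset inventory are all constructed for the example, the version comparison is a simple dotted-integer compare, and rolling the per-asset CVSS Score up as the highest finding is an assumption (the page does not say how Xshield computes that column).

```python
"""Correlate per-asset software inventory with a vulnerability feed.

Added example, not ColorTokens/vFeed code. Every record below is constructed:
the feed schema is not vFeed's, and the CVE identifiers are placeholders.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.2.10' -> (7, 2, 10). A non-numeric tail is dropped: '7.2.10-beta' -> (7, 2, 10)."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve_id: str            # placeholder identifier, not a real CVE
    package: str           # lower-case product name as the agent reports it
    affected_below: str    # versions strictly below this are vulnerable
    affected_from: str = "0"
    cvss: float = 0.0


# Constructed feed: products, ranges, scores and IDs are made up for this example.
FEED: List[Advisory] = [
    Advisory("CVE-EXAMPLE-0001", "example-archiver", affected_below="21.0", cvss=7.8),
    Advisory("CVE-EXAMPLE-0002", "example-archiver", affected_below="19.0", cvss=9.8),
    Advisory("CVE-EXAMPLE-0003", "example-browser", affected_below="86.0",
             affected_from="80.0", cvss=8.8),
    Advisory("CVE-EXAMPLE-0004", "example-pdf-reader", affected_below="2020.13", cvss=5.5),
]

# Constructed inventory in the shape an agent might report: asset -> {package: version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "win-app-01": {"example-archiver": "18.5", "example-browser": "85.0.4183"},
    "win-db-02": {"example-archiver": "21.7", "example-pdf-reader": "2021.1"},
}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str
    version: str
    cvss: float


def is_affected(adv: Advisory, version: str) -> bool:
    """True when affected_from <= version < affected_below (tuple comparison)."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.affected_below)


def scan_asset(packages: Dict[str, str], feed: List[Advisory] = FEED) -> List[Finding]:
    """Match every installed package against the feed; most severe finding first."""
    findings = [
        Finding(adv.cve_id, name, version, adv.cvss)
        for name, version in packages.items()
        for adv in feed
        if adv.package == name.lower() and is_affected(adv, version)
    ]
    findings.sort(key=lambda f: f.cvss, reverse=True)
    return findings


def asset_score(findings: List[Finding]) -> Optional[float]:
    """Roll-up for a score column: highest CVSS, or None when nothing matched (assumed rule)."""
    return max((f.cvss for f in findings), default=None)


def findings_csv(asset: str, findings: List[Finding]) -> str:
    """Render an asset's findings as CSV text, like a downloadable per-asset list."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["asset", "package", "version", "cve_id", "cvss"])
    for f in findings:
        writer.writerow([asset, f.package, f.version, f.cve_id, f"{f.cvss:.1f}"])
    return buf.getvalue()


if __name__ == "__main__":
    for asset, packages in INVENTORY.items():
        found = scan_asset(packages)
        print(f"{asset}: {len(found)} finding(s), score={asset_score(found)}")
        print(findings_csv(asset, found))
```

Running the block lists three findings for win-app-01 (the archiver version falls inside two overlapping ranges, so both advisories are reported) and none for win-db-02, whose versions sit at or above every fix threshold. A real feed would also need vendor and product normalisation before the name match; that step is omitted here to keep the matching logic visible.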
The following is the expected behavior after upgrading the Xshield instances to the version released on the 9th of November 2020:
- For existing instances - for existing instances that have integrated a Nessus vulnerability scanner, the integration is undisturbed. However, the Vulnerabilities and CVSS Score columns on the Assets page do not display data until Xshield's next scheduled fetch (12 AM GMT) runs to fetch the Nessus scan results. If you want to see data in these columns immediately, go to the fly panel of an asset and click Fetch Now to fetch the Nessus scan results for all the assets managed from the instance.
  For existing instances that did not use the Nessus vulnerability scanner, the behavior is the same as that for new instances.
- For new instances - for Xshield instances created after this release, the ColorTokens vulnerability scanner is activated by design. You can see the CVE vulnerabilities on the managed assets within a few minutes after you install the agents on the assets.
See Find vulnerabilities using ColorTokens vulnerability scanner for more details.
Policy Builder to build policies for groups managed from Xshield
On the Visualizer > Policy Builder page, search for and select a managed group to add group-centric policies. Selecting a group in the Policy Builder lets you add policies between the selected group and multiple other groups.
Some of the features that are available with Policy Builder are:
- Visual and Tabular views to see the selected group and add, edit, or delete policies with other applicable managed groups.
- Policy recommendations for all groups, for traffic to other applicable groups.
- Key indicators for the selected group, showing its key metrics.
- Change the policy enforcement status, and add Security policy templates, role-based policy rules, and inbound and outbound policies for Workload groups.
See Use Policy Builder to create policies for more details.