New features and changes
This release includes these changes.
Event forwarding:
Event forwarding is enhanced in this release to provide better usability and performance. Review all the Event Forwarder settings after the upgrade. Below are the important changes:
- Legacy formats have been consolidated into CEF (Common Event Format) and SEF (Standard Event Format). All other formats will be converted to these two formats on upgrade.
- Legacy Time format has been removed.
- The 10-device filter limit for an Event Forwarder has been removed.
- Each TESM appliance in a cluster now forwards directly to each forwarding destination. For SSH mode forwarders, make sure the new Event Forwarding SSH key is added to each SSH destination; this new key is shared by all TESMs in the cluster.
- Event forwarding configuration changes are propagated to non-management TESMs by the nsync process; changes take effect when the next nsync thread completes.
Enhanced the UBA content pack (v4.2.0) by adding the following rules:
- UBA - Multiple User Accounts Created
- UBA - User Account Created and Deleted Within a Short Time
- Hardware Health - Increase in Hardware Errors for Host
- UBA - Increase in unique hosts a system is communicating
- UBA - Increase in unique hosts a user is logging into
- UBA - Increase in Failures on Single Host
Resolved issues
This release provides resolution for the following issues.
| Category | Reference | Resolution |
|---|---|---|
| User Interface | SIEM-38530 | Resolved an error when creating a static watchlist with more than one entry. |
| ACE Device | SIEM-38469 | Resolved an issue that caused the ACE health check to return error ER234 ("Unable to execute a command on the device"). |
| ESM Device | SIEM-38444 | Added Deviation from Baseline and Specified Event Rate alarms to be checked by the System Properties > Watchlists > Show Usage feature. |
| Certificates, User Interface | SIEM-38401 | Resolved error ER354 ("Could not execute SSH command") that occurred when generating a Signed Certificate Request. |
| User Interface | SIEM-37057 | Resolved an issue that caused the Streaming Event Viewer to not show events. |
| Security | SIEM-35241 | Updated Tomcat and associated libraries to resolve CVE-2022-25762. |
| User Interface | SIEM-38623 | Resolved an issue that caused the Trellix Threat Intelligence Exchange execution history UI to not load. |
For more details, please visit KB: https://docs.trellix.com/bundle/enterprise-security-manager-v11-6-x-update-release-notes/page/GUID-4C8E5F69-A011-45DC-965E-55A6CA884307.html