Elements Endpoint Detection & Response Changelog

AnttiPi

EDR feature changes will be published under this announcement thread. Every time there is a change, an entry will be created under this announcement describing new functionalities, improvements or bug fixes.

📝 Click here to see the most recent change log and bookmark the discussion to be notified of any updates.

AnttiPi

Old change log items moved here:

January 2022

New features and improvements

• Advanced response actions: F-Secure Elements Endpoint Detection and Response now has 22 new types of response actions available for security administrators. New responses give new investigation, containment and mitigation features to respond to ongoing attacks. Full documentation is available here: https://help.f-secure.com/product.html#business/edr/latest/en/responseactions-latest-en.
• For more information, go to: https://community.f-secure.com/atp-en/kb/articles/9241-tens-of-new-response-actions-added-to-elements-edr.

August 2021

New features and improvements

• EDR portal to support manual subscription release for Policy Manager and EDR. EDR subscriptions related to Business Suite + EDR client can be done from EDR portal Device details view. This feature is developed to enable release of license for devices that have been removed from Policy Manager without successful uninstallation process.
• Broad Context Detection content can be filtered using detection severity. There is detection filter to select what is lowest detection severity shown. This is very useful when investing large Broad Context Detection with a lot of low severity activity. This new filtering option will affect Broad Context Detection Summary, Process tree and Log views.

May 2021

New features and improvements

• Rapid Detection and Response is now F-Secure Elements Endpoint Detection and Response. It is available under F-Secure Elements Security Center (elements.f-secure.com).
• Event search for threat hunting: A new capability to view and search events send by F-Secure Elements Agent (Endpoint client).
  • Read more from Event search documentation
• Scheduled reports have been updated to include an improved structure and a more visual presentation for Broad Context Detections and other EDR information.
• F-Secure Elements Security Center language support now includes English, Finnish, French, German, Italian, Japanese, Polish, Portuguese (Brazil), Spanish (Latin America), and Swedish.
  • The language selection is changed to be persistent and is kept over removal of browser data. It can now be found under the user Account settings in the page header (compared to earlier settings page. The language selection is common for the products in Elements Security Center and applies to the Dashboard, EDR, and Protection for Microsoft 365 views.
• Automatic recognition of the device profile types
  • "Virtualisation guest", "Virtualisation host", "LDAP server", "File server", "DNS server", "Microsoft Exchange Server", and "Mail server".
• The Software view offers more details by showing software component description and internal name metadata from executable files. This helps to differentiate between different software components that are parts of the same software.

April 2021

New features and improvements

• Device list view Broad Context Detection risk level filter introduced to list devices having open e.g. SEVERE risk incidents. Device list performance improved.
• Improved portal response time when going through list of Broad Context Detections using next and previous buttons.
• Portal login time improved.
• Process activities having info severity detections in Broad Context Detection summary and process tree views are now indicated using light blue color.

February 2021

New features and improvements

• New incident detection based on endpoint client memory scanning. Using memory scanning events we can identify threats/signs of attack that were done in endpoint and still active in memory when EDR client is activated. Detections

January 2021

New features and improvements

• Incident analysis: The Incident analysis feature in the portal allows administrators to add their own analysis for Broad Context Detections, for example, descriptions of root causes or implemented remediations. The analysis is included in the scheduled reports, which allows for a more efficient flow and better visibility in handling detections.

AnttiPi

December 2020

New features and improvements

• The menu items and terminology between the Protection Service for Business management portal and Rapid Detection and Response management portal are now aligned. RDR has adopted the use of the following terms: 'Device' (previously 'host') and 'software' (previously 'app'/'application').

November 2020

New features and improvements

• New indicators for process-injection activity highlight injected processes in the Summary view and process tree. This new functionality helps in identifying process-injection activities by linking between the injecting process and the process being injected.

October 2020

New features and improvements

• The new functionality of reviewing PowerShell script blocks gives visibility to executed scripts that are considered malicious or suspicious.
• In the Broad Context Detection summary view and process tree details, the color-coding for information-level activity has been changed from blue to gray. Information-level detections are generated to add visibility to activities originating from a process that includes severe detections (critical, high, medium).

September 2020

New features and improvements

• Added support for Linux. The RDR capabilities are now available also for the Linux operating system together with Linux Protection for Servers (Server Protection Premium and RDR). See the Linux client release notes: New Linux Security 64 Update has been Released (2020-09-29). 
• Decoding of the automatic PowerShell script block.
• The Broad Context Detection details view includes detection, process, and host overview with the capability of searching for processes and detections. This simplifies the incident analysis process by providing an incident overview with quick links to the related details.
• Integration with Radar, the F-Secure Vulnerability Management tool. Users who have both solutions can now move between them without additional logins.
• The Broad Context Detection (BCD) similarity model is a new machine learning-based feature that improves the visibility into the incident landscape. When incidents are being analyzed, identical or similar BCD incidents are clearly indicated compared to the incident under investigation. You can use the information in incident analysis by comparing the incidents and their similarity with the help of the similarity score (as a %).

Fixed issues

• The Broad Context Detection details view now scales to large screens.

August 2020

New features and improvements

• Support for virtualized environments. When installing the F-Secure endpoint client into virtual environments (see instructions: Installing Server Protection in persistent mode on Citrix servers)
• Broad Context Detection highlights the new content
  • Processes running with elevated privileges
  • Process injection details
  • Thread creation details
  • Process manipulation through Event Tracing for Windows (ETW) interfaces
  • Local environment process IDs (PID)

July 2020

New features and improvements

• New response action to remotely collect information that helps manual incident analysis and forensics. This feature automates information gathering from the device that has suspicious activity. Once the collection is triggered, a zipped file will become available in the portal for downloading the package for further analysis. The download link is available in the portal for 14 days.
• The Broad Context Detection log view includes detection information and links to details in the process tree. This improvement gives more detailed view and easier analysis of the Broad Context Detection life cycle.

June 2020

New features and improvements

• Visualization of Broad Context Detections that have multiple devices. Rapid Detection and Response engine combines related activities from multiple devices under a single Broad Context Detection. The Broad Context Detection "Process tree" view shows how activities in different devices are linked together.
• The coverage of the security software component tampering detection has been increased.
• Broad Context Detections include more details about suspicious activity, including clearly opened PowerShell script blocks, file accesses, and module loads.
• Broad Context Detection includes more details about parent activities leading to the suspicious activity.

Fixed issues

• Small improvements in the Broad Context Detection summary view process chain visualization.
• In some scenarios, the portal login failed with error 404.
• The issue with the host view search has been fixed.

May 2020

New features and improvements

• A new dashboard with Assets at risk widget
• A new dashboard with detection statistics
• A response walk-through that gives insight about detection types and guidance for investigation and response
• The response action to trigger full computer malware scan remotely in the endpoint protection
• A single installation package for all Computer Protection and Server Protection variants with or without RDR and RDR standalone installations.
• The BCD summary view includes clean parent visualization.

Fixed issues

• The selected organization was lost when browsing through the detection list.

April 2020

New features and improvements

• Email notifications are sent only for SEVERE, HIGH, and MEDIUM-risk Broad Context Detections.
• The target hash in the portal is turned into VT link.
• The dashboard performance has been improved for Application information.

Fixed issues

• Portal loading issue with older Edge browser versions.

AnttiPi

Dear Community,

Latest release of WithSecure Elements portal has following Detection and Response related improvements

- Customized device isolation notification message can be set in Elements Endpoint Protection device profile settings.

• Message is shown in endpoint when device is isolated manually or automatically.
• This setting is under Firewall -> Firewall rules for WithSecure profile: Network isolation -> A customized message about an isolated computer.

- Broad Context Detection list has new filtering options to filter incidents by

• risk, type, device id, detection time, modification time, status, resolution, elevate to WithSecure status, archive status and pinning state.
• Most advanced filtering option is "Data content". That can be used to list incidents with were defined value is seen in detection name or description, executable name or path, device name or IP address.

- Broad Context Detection list can be customized and own custom views can be saved.

• Rows per page can be selected 
• Shown columns can be customized (columns show, order of columns, number of rows per page)
• Views with advances filtering can be saved. For example one can create custom view with incidents detected in given time range or e.g. with specified type like lateral movement.

- New response action is introduced to "Retrieve event log entries" from Windows devices.

• Action can be used to retrieve e.g. only specified Windows event log id, or specified log name or log entries within given time range.
• More details can be found from admin guide: https://help.f-secure.com/product.html#business/edr/latest/en/concept_41F4F6089A0540CDB825811DEDDEDCF0-latest-en

- New version of response action Kill process has been introduced

• This response gives option to combine retrieving process memory dump with given flags and killing the process for more efficient response workflow.

- Software reputation listing now includes breakdown of components under software.

• From each component version, hash and reputation information is shown.
• Problem where component details could not be accessed when software name is undefined has been fixed.

AnttiPi

Dear community,

WithSecure Elements EDR feature update has introduced following improvements:

• Broad Context Detection list view supports opening of incidents in new tab. Option is available with mouse right click on top of Broad Context Detection ID field in the table.

• Some customer were experiencing "Waiting for connection" EDR status in Elements Endpoint Protection 'Devices' table view while EDR functionality in endpoints was normal. This issue has been addressed.

AnttiPi

Dear community,

WithSecure Elements EDR has launched new features and functionalities.

New Response actions

• New investigative response action: Enumerate WMI persistence
• New remediation response action: Delete WMI persistence

These actions are designed to determine whether Windows Management Instrumentation (WMI) persistence mechanisms are in use by an attacker and to delete specified WMI objects related to persistence.

You can find these new advanced features "Response" page "Create new" action wizard:

• Read more
  • Enumeration action: https://help.f-secure.com/product.html#business/edr/latest/en/concept_72E34BDECA40405CB473227EB498A0A6-latest-en
  • Delete action: https://help.f-secure.com/product.html#business/edr/latest/en/concept_6F111E12C01B4EFE8102DBE4ADFDE4CF-latest-en

Comments Broad Context Detection list view

• By clicking comment icon in Broad Context Detection view you can have quick view to latest comments without a need to move into details view. This enables efficient review of comments without additional page changes.

AnttiPi

WithSecure Elements EDR - Dashboard updates

Dear community,

WithSecure Elements EDR has launched new features and functionalities.

Dashboard has been renewed.

• Broad Context Detection information is the dashboard is actionable meaning that when clicked user can deep-dive into details behind the numbers.
  • For example when clicking section in a graph or the number in the legend you can get access to details of those 29 High risk level Broad Context Detections with a single click

• There is new information items available showing e.g. Broad Context Detection type and device operating system breakdown.

Following dashboard widgets were removed:

• 5 Latest BCDs
• Top destinations
• Top software components

AnttiPi

New and updated response actions

WithSecure Elements EDR has launched new and updated features response actions.

Retrieve Browser artefacts

This response action retrieves browser history from the device.

If a device is infected with malware, it is very likely because the user has downloaded it via their web browser. By retrieving the browser history, you can find out where the malware was downloaded from (i.e. the source URL).

This new action can be found from response wizard.

Action can be used to collect artefacts from various browsers. Artefacts can be collected for all user accounts (default) or for specified user only.

This one like all other responses can be run in multiple devices with one response definition and results from all selected devices will be available and stored in the management portal.

Delete files

Delete files response action has two new parameters.

When deleting files from devices there is now option to retrieve file before deleting it. This simplifies work flow by combining two actions into one. This response action automatically verifies/checks that file deletion was successful. Delay between executing delete and verifying the result can be configured. This can be used to verify that e.g. persistence mechanism did not restore it after deletion.

KarenF

Preview of new Broad Context Detection view now available

We are in the process of introducing a new Broad Context Detection (BCD) view to help improve viewing, navigating and filtering the data whilst investigating detections, and you can view the new BCD version by clicking on the link at the top right of the BCD page.

The new BCD view combines the summary process tree and the process details so they are visible together on the same page with no need to switch between the two tabs. Also, the process details are visible on whichever tab you are viewing making it easier to view the process data, for example, when writing up your findings.

This is still a work-in-progress and there is continued focus on improving usability - such as, selecting/de-selecting multiple data points - and the ‘Elevate’ service.  Check it out and give us your feedback to help us shape the final version for you - this can be done via our Elements Ideas portal: ideas.withsecure.com.

KarenF

New response actions released

WithSecure Elements EDR has launched new response actions.

The new response actions include:

• Retrieve Amcache
• Retrieve event log tracing entries
• Retrieve jumplist files
• Retrieve Prefetch
• Retrieve RDP cache files
• Retrieve Recently Accessed Files
• Retrieve System Resource Usage Monitor database

These new response actions focus on identifying if persistence has been achieved on endpoints and provides a quick way for detection teams to collect this information.

The new response actions can be easily found using the search functionality within the Response wizard.

Like with all other Response actions, these can run simultaneously on multiple devices with one response job definition, and results (from the selected devices) available and stored within the Elements portal.

KarenF

Release of new Automated Actions view

WithSecure Elements EDR has released a new view called 'Automated actions'.

This replaces the old 'Automated response' view.

What's changed?

The functionality stays the same and you can still configure ‘Device isolation’ rules that run 24/7 and specify the risk level, like with the original 'Automated response' view, however you can now create an action rule with ‘custom’ scheduling where you can input specific hours for when you want a rule to run, for example, outside of office hours.

The new 'Automated actions' view includes all existing Device Isolation rules, so there is no need to worry about having to re-create them.

It includes the new 'custom' scheduling, so specific days and times can be applied for when you want the rules to run, for example, from 17:00 until 09:00 the next morning.

Lastly, the existing 'Automated response' view is still available for the next two weeks, in read-only mode, so you have time to get used to the new view.

Why?

Not only does this new feature provide custom scheduling but it also starts to build towards our vision to include more automated actions within Elements – initially, with the co-monitoring service and the new email notifications with risk level selection, but also for more response actions in the future.

This new Automated Actions view is now available to use in Elements.

KarenF

Release of new Broad Context Detection details view

The new Broad Context Detection (BCD) details view has been fully released into production and is now the default view, replacing the old Broad Context Detection details view.

What's changed?

The new BCD details view has become the default view so when you click on the ‘Broad Context Detection’ menu option in Elements, you will now be presented with this new view.

The old BCD details view is still available to use to give you more time to familiarise yourself with the new BCD view. You can navigate to the old BCD view via the ‘Go to old Broad Context Detection view’ button in the top right corner of the page.

You are able to elevate BCDs from within the new BCD details view, unlike before when it was in ‘Preview’ mode where you had to navigate back to the old BCD view to elevate a detection. The new view supports both manual and automatic elevations and works exactly the same as the old view.

You are also able to change the default Elevation subscription token selected. The subscription expiring the soonest is selected by default, however you can now see all available subscriptions and change it to another one if you so wish.

Extra information has been added to the new view to help you interpret the information displayed.

Update: Please rest assured there are no immediate plans to remove the old BCD details view. Improvements to the new BCD details view are being made following user feedback, and plenty of warning will be given when the old BCD details view is removed.

KarenF

Portal performance improvements

WithSecure Elements EDR have released changes to the portal which significantly improves its performance.  This change should be noticeable for all users but especially for partners who have a large customer base - for example, improved performance should be seen when navigating between customers (using the scope selector) as there were some instances where the portal was slowing down when changing customer.

Due to this change, you may need to log out completely from Elements and clear your browser's cache, local storage and cookies.  This step is only necessary if you find the EDR portal getting stuck on loading and showing only a "spinner".

Note: If you are still having issues after carrying out the above steps then please raise a customer request ticket in the usual way.  Please remember to include a full HAR file and, if possible, a screen capture (or even better, a video recording!) of logging into the portal and the loading process, as this will help with troubleshooting the issue.

KarenF

Exporting data to CSV from the Event Search view

WithSecure Elements EDR has launched new functionality in the Event Search view where you can export the data from the view into a comma-separated value (CSV) file.

The exported data will align with how it is displayed in the portal – for example, if you have added/removed/reordered the columns then this will be the layout (of the data) in the CSV file.

Please note there is currently a maximum limit of 500 rows that can be exported at any one time.

Localisation is supported with this functionality.

Benefits

With this functionality, you now have more flexibility - for example, it allows you to share this information with fellow security analysts offline, combine it with telemetry from other systems, and/or carry out further analysis, such as, using pivot tables in Excel.

Jasmeet

New status "Waiting for customer" available for Broad Context Detections

User can now update the status for a BCD as “Waiting for customer”

'Waiting for Customer - The incident is now awaiting confirmation / response from the end customer before it can be progressed.'

The user can also filter the BCDs by this status:

The dashboard also gives an overview of the status: