Thoughts From The Nest

Blog, updates, and release notes

Release Notes

December 1, 2017


New
Group owners & admins: if you leave a community, all open alerts for that community will now be removed. A warning message to this effect has been added to the ‘Leave Community’ confirmation check.
New
Added scope and reason detail to suppressions display
Bugfix
Dashboard alert panel was trying to load 100 alerts, but only needs to show three - it should load much faster now.
Bugfix
Indicator history tabs - cleaned up display a bit and added missing loading spinners.
Note
We’re close to releasing the changes to the public API for Perch alerts and bulk intel creation. We want it to be well documented and usable on release, and we’re hoping you’ll think it was worth the wait!
Note
Our work on an internal CSV intel format and loading tool is finished and we’re working with a couple of customers to iterate on it before we release to everyone.

Release Notes

November 20, 2017


New
Alert History - alerts come in, get triaged, and closed - then you never see them again… until now! We’ve added a new tab on the Alert Review page where you can review all of your closed alerts. You’ll see additional information about the suppression that closed the alert and can jump to the indicator detail page.
New
Public API improvements: create bulk intel, list alerts, documentation, Python client library. We want people using and sharing our data, we’re listening closely to our users’ requests and are working on providing a simple, clear way to interact with Perch via API.
New
Minor improvement to Search so that it includes indicators that contain observables that contain the search term, instead of just searching the body of the indicator.
Bugfix
Application tour should now skip admin-only steps for non-admin users.
Bugfix
Clicking the comment delete button should now actually delete the comment.
Bugfix
Indicator history event ordering makes more sense now - we have to load the indicator before we can detect on it.
Bugfix
Alerts by Host - columns scroll independently so that picking a host far down the list doesn’t require you to scroll all the way back to the top to see the alerts for that host.
Note
We’re working on a CSV format and Python tool to bulk load intel into Perch.

Release Notes

November 10, 2017


New
Login History now shows country flag with tooltip next to the IP address - Hey, wait a minute, when did Sally move to China?!?
New
Added company name to sensor health page - it’s not always easy to remember that ‘angry_carrot’ belongs to Acme Bank & Trust.
New
(Very Soon) Indicator detail history - shows a timeline of an indicator’s history, when the intel was produced, when it was first sighted in Perch, and when your group has alerted on and suppressed the indicator. Like a social media timeline, but with less propaganda and more threat intel.
Bugfix
Suppressions that would close multiple alerts now remove all of the affected alerts from the UI, instead of just the alert that the suppression was created from (affects Community/Global suppressions).
Bugfix
Improved (but not completely fixed) the indicator detail page’s ‘produced’ and ‘first/last sightings’ timestamps sometimes having no values.
Bugfix
‘Content’ type observables now display a CSV list of content values instead of an empty value.
Bugfix
Community Dashboard latest indicators was not showing the last page of the available indicators.
Bugfix
Status update emails now show the name of the user that made the status change instead of always showing it was from Perch SOC.
Note
Indicator detail tabs re-ordered - supplies were running low
Note
We’re making adjustments to remove many of the scrolling panels on some of the pages. This should result in a more natural scrolling experience and improved scrolling navigation throughout the app.

Release Notes

October 20, 2017


New
Group users can change status on events, just like SOC - you can now change the status on an event by using a selector where the status appears
  • Remember: when you’re on the alert review page, alerts are grouped per-tab by status. Changing the status on an alert there will automatically move it to the appropriate tab; it’s not gone, just moved to a different tab.
New
Email notifications when someone first sights indicators you create!
  • Only sent the first time the intel is sighted.
  • If you’d prefer not to receive these notifications, you can turn them off in your user profile settings.
  • Periodic email reports about intel you’ve created are coming soon.
New
Indicator detail design pass
  • New graphs
  • Faster loading
  • More coming soon!
Bugfix
Removed SOC logins from team login history - they log in a LOT and it clutters up the view for actual group members.
Bugfix
Assorted minor tweaks and fixes
Note
Community Dashboard recent indicators load much faster
Note
Improvements to rule creation monitoring and diagnostics

In late September, HITRUST and the American Medical Association announced a partnership to provide education on cyber risk management to healthcare organizations across the US. Their efforts focus on information security risk management, HIPAA compliance and cyber security, with recommendations specifically tailored for small practices, which often lack the resources and personnel that larger organizations have. Today I spoke with John Nelson, Systems Administrator / Security Officer for U.S. Expediters, Inc.

Release Notes

October 6, 2017


New
Palo Alto Firewall AddOn - Found a bad actor with Perch? Want to also block it on your firewall? Just check a box while you’re remediating and Perch will send it to the firewall for you.
  • Manage (including manually adding) firewall blocking through Perch admin panels
New
Perch.help - Having trouble getting around Perch town? We’ve launched a new site to bring together all the best tips and tricks for getting the most out of Perch. Have a topic not covered on the site that you’d love to know more about? Let us know.
New
(Very soon) User login history - Group admins have a menu item to see the login history for the team’s members; users have a new tab on their profile page to see their own login history.
Bugfix
Subnet tags are now displayed on public IPs.
Bugfix
Community Dashboard - community files panel now updates correctly when you switch communities; this was purely a visual bug, no files were shared between communities.
Bugfix
Community Dashboard - top analysts panel no longer shows analysts with zero points; if there are no analysts with points, you’ll see a friendly, informative message.
Bugfix
General visual cleanup: aligned some buttons here, tweaked a message there.
Note
Snooze suppressions have been removed. We want to keep Perch simple and easy to use; Snooze suppressions weren’t pulling their weight in the relationship and we decided they needed to go. It’s not you Snooze suppressions, it’s us. We’re sure you’ll find somebody nice.
Note
Port numbers removed from alert Perchybana links: we found that just using the targets and time window gave the best visibility into the traffic relevant to investigating the alert.
Note
Infrastructure upgraded to Python 3.6; other third-party libraries updated to latest and greatest. Keeping Perchy healthy and well preened lets him focus on watching your networks with confidence.

Release Notes

September 29, 2017


New
Added intel produced or loaded time (depending on which is available) to the alert display.
New
SOC/MSSP CRM: keep track of group contact info inside Perch, available to staff/MSSPs on the suppression modals, so that it’s handy if you need to escalate to the customer.
New
(Very Soon) Palo Alto firewall integration - click a button in Perch to have an IP, URL, or domain automatically sent to your firewall.
New
Better default sorting on admin pages - you mean sorting by database ID isn’t useful to users?!?
Bugfix
Added missing port columns to Perchybana links.
Bugfix
Fixed dashboard most recent suppressions not always updating when they should.
Bugfix
Fixed page styling to get rid of extra, but pointless, scrollbars.
Bugfix
Group settings should all be editable now.
Bugfix
Sensor health detection count graph Y-axis labels now show ‘file size’ (x.xGB) numbers, instead of raw byte counts.
Bugfix
Indicators now show more observables, up to 1000 (up from 200).
Bugfix
API users no longer appear in the group’s user management list (you can still find your API user info on the group settings pages).
Bugfix
Fixed the group setup page in the signup flow showing the “This field is required” error as soon as the page shows, instead of only when the data needed to be validated.
Bugfix
Fixed the large, fixed-size alert panel on the indicator detail page.
Bugfix
Added a check and a useful error message when the user’s browser doesn’t support WebGL.
Note
Performance pass: improved caching of frequently used data.
Note
Sensor health diagnostic commands and raw health removed for non-staff. No one enjoys seeing how the sausage is made!
Note
Improved tracking and logging for failed logins; tweaks to how failed logins are communicated to staff.
Note
Alert row visual tweaking: less vertical space between data, more vertical space between rows.
Note
Improved automatic staff notification when new users and groups join.


Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software. According to Cisco: “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” Attacks like this against a trusted supply chain between the software manufacturer and the customer are a growing attack vector due to their potential effectiveness and impact.

Release Notes

August 28, 2017


New
Perchybana really loves all the recent attention. To help you really appreciate her beauty, we’ve added a convenient button on each alert that will take you directly to Perchybana with the data filtered just to that alert’s details. Triage alerts just like the pros.
New
Paginate all the things! We’ve revamped how we handle larger data sets in Perch and how that data is fetched from our servers. Pagination added to:
  • the Community Dashboard recent indicators, so you can check out all that juicy community intel (last 10,000 indicators only, for now), not just the most recent 5.

Release Notes

August 11, 2017


New
Perchybana per-user saved searches - Decorating her nest with all manner of brightly colored bits of user configuration, now each of our users can have their very own Perchybana configuration - including their own saved searches.
New
Group selection on suppression review
  • Suppressions load slowly, we know; this is the first step in fixing that
  • More coming soon.
New
In this month’s edition of Sensor Health magazine:
  • New health details
  • Graph scales that make sense
  • CPU info display
  • And the displayed detection drop percentage precision increased by 100% (Re: now we show two decimal places instead of one.)
New
New end of signup flair - not so exciting for existing customers, but now every new sign up gets a free puppy! Ok, no free puppy, but there are some digital fireworks. And a sad Perchy if things go wrong.
New
Enhanced sensor health evaluation
  • No one is happy when sensors aren’t able to do their thing. We’re making our sensor reporting more robust and being more aggressive about what conditions we monitor. Our periodic sensor health reports contain more details and warn about more conditions.
New
Indicators you’ve created now link to the object detail page so that you can see all of the details about your creation. You’re proud of what you’ve created, you want to see it out there among all the other wild indicators doing its thing. We want those special moments with your indicator to be easier, so now you can jump right to the details page for indicators you’ve created, by clicking on their title from the Sharing ➔ Your Indicators page.
Bugfix
Improved load performance of object detail page, separated sections to load independently - same bat time, same bat channel, same bat data; just served up differently so that the page loads a little better/faster.
Bugfix
Community tags for the communities you’ve shared an indicator with can be clicked to take you to that community’s dash. Community tags should all work the same, but we keep finding the old ones hiding in corners. If you find one that you click on, but it doesn’t take you to the community dashboard, report it!
Bugfix
Global/Community suppressions no longer appear under the ‘Unknown [null]’ group - As part of our No Suppression Left Behind campaign, we’ve ensured that every suppression gets a proper section title, regardless of socioeconomic background, race, creed, or actual group membership. #EqualityForAllSuppressions
Note
Improved internal tools to ensure our customers are having a positive Perchy experience. We’re looking for patterns that warn us that someone’s having a not-so-great experience with Perch, so that we can proactively reach out, figure out what’s not right, and get it fixed ASAP.