New Features
Microsoft Sentinel Add-on
The biggest news in this release is the Microsoft Sentinel add-on. It's something we've been working on for 4 years, and it required a massive amount of backend work — summarising it under a single heading almost feels disrespectful to ourselves ;)
With this addition to the Attic for Microsoft 365 solution, Attic becomes your SOC-as-a-Service. Check out our product page and share it with your network!
Attic SOC-as-a-Service
Microsoft Sentinel is a component that Microsoft 365 subscribers can install at no extra cost from Microsoft. More information about Sentinel can be found on our blog: zolder.io/microsoft-sentinel/
In Sentinel, Attic will activate a number of rules to detect and follow up on suspicious behaviour, just as you'd expect from Attic. The rules we're launching now are listed further down in these release notes. From here on, we'll be significantly increasing the frequency of new content (checks, rules and fixes)!
The add-on is available on top of Attic for Microsoft 365 Premium at a per-active-user price. In the lowest tier (1–250 employees), the cost is €1 per month per active user, on top of the Premium subscription. For example: with 25 users you get a SOC function for 80 + 25 = €105 per month — handy if you need to comply with NIS2!
Until December 31 we're offering Early Birds a special introductory discount. Purchase the add-on for 1 year and get the first 3 months free — that's 25% off. Use discount code SENTINELEARLYBIRD in our webshop, or let us know if you'd like a quote. Offer valid through 31 December 2023.
New Incident View
We've thoroughly overhauled the incidents page in both the mobile and web version of Attic. The direct reason was that with the introduction of Sentinel, it becomes more likely that a single incident will recommend multiple fixes — for example, removing a specific artifact combined with disabling a user account.
To keep that scenario clear, we needed to rework the interface. Our goal was to make the 'normal' flow crystal clear: review the proposed fixes and accept them. At Attic we want to keep things as simple as possible while keeping you safe, and that's simply the intended flow. If you want to decline or ignore, you can of course. The following screenshot speaks for itself:
General Usability
Since we were reworking the app anyway, we applied a few styling, usability and other general fixes along the way. The app doesn't work differently because of them, and chances are you won't even notice. But we're still proud that the app looks just a bit better than before.
Security Content
This release adds the rules below to the Sentinel add-on. We've been careful to create rules that genuinely match today's threats (particularly the abuse of leaked credentials for BEC/CEO fraud or ransomware), while avoiding rules that generate lots of false-positive detections. False positives are the great enemy of a SOC function, and quality means avoiding them.
All rules are documented in the Attic Help Center: support.atticsecurity.com
- RULE-1020 : Mailboxrule Forwarding
- RULE-1022 : Mailboxrule Keywords
- RULE-1023 : Mailbox Auto-Forwarding
- RULE-1024 : Transportrule Forwarding
- RULE-1026 : Transportrule Keywords
- RULE-1123 : Guest Account High Privileges
- RULE-1138 : Guest Invite High Privileges
- RULE-1129 : Emergency Admin Account Used
- RULE-1520 : Public SharePoint Site
- RULE-1521 : Malware Detected on SharePoint
- RULE-1522 : Malware Downloaded from SharePoint
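To give a feel for what a Sentinel analytics rule in the "mailbox rule forwarding" family looks like, here is an illustrative KQL query added to these notes. It is not Attic's RULE-1020 or any other rule listed above, and it assumes the Microsoft Sentinel Office 365 data connector is populating the OfficeActivity table with Exchange mailbox audit events; the tenantDomains list is a placeholder you replace with your own accepted domains.

```kql
// Added illustrative example; not Attic's RULE-1020 or any other rule listed above.
// Assumes the Microsoft Sentinel Office 365 data connector is populating the
// OfficeActivity table with Exchange mailbox audit events.
let tenantDomains = dynamic(["contoso.example"]);   // PLACEHOLDER: your accepted domains
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
// Parameters holds the cmdlet arguments as a JSON array of {Name, Value} pairs
| mv-expand Param = parse_json(Parameters)
| where tostring(Param.Name) in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
| extend Target = tostring(Param.Value)
// Audit values may be a bare address or a "Display Name" [SMTP:user@domain] form,
// so pull the domain out with a regex rather than splitting on '@'
| extend TargetDomain = tolower(extract(@"@([A-Za-z0-9.-]+)", 1, Target))
| extend IsExternal = TargetDomain !in (tenantDomains)
| summarize ForwardTargets = make_set(Target),
            ExternalTargets = make_set_if(Target, IsExternal),
            EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserId, ClientIP, Operation, bin(TimeGenerated, 1h)
// Alert only on rules that send mail outside the tenant; internal forwarding is
// routine and would otherwise produce the false positives the notes above warn about
| where array_length(ExternalTargets) > 0
| project-reorder FirstSeen, LastSeen, UserId, ClientIP, Operation, ExternalTargets, ForwardTargets, EventCount
```

The external-only filter is the main false-positive control: a target whose domain cannot be parsed ends up with an empty TargetDomain and is treated as external, which errs on the side of surfacing the event for an analyst rather than silently dropping it. Run it over a few weeks of history before scheduling it, so you can see which internal forwarding patterns your tenant generates and tune the domain list accordingly.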