Release Notes
Version 6.1.0 (July 2026)
-
New Integration for Microsoft Defender for Cloud
-
New Integration for Mimecast
-
Alerts
- Mimecast - Multiple High Risk Score Emails Delivered by a Sender
- Mimecast - Multiple Failed Logins
- Mimecast - Same Email Sent To Multiple Users
- Mimecast - Same Email Sent To Multiple Users Detected by TAP
- Mimecast - Suspicious Large Email Activity to Multiple Recipients by a Sender
-
Dashboard Panels
- Delivered Email Details
- Suspicious Large Email Activity by a Sender
-
-
New Integration for PostgreSQL
-
New Integration for Web (WAF/Web Application)
-
New Integration for Tanium
- Added Tanium support for Device Inventory and Vulnerability data collection.
- Device inventory and vulnerability data from Tanium is now visible in the Asset Intelligence and Vulnerability dashboards.
-
New Azure Cloud Services Alerts
- Azure Cloud Services - Security Alerts
- Azure Cloud Services - Many CRUD Operations Performed
- Azure Cloud Services - Logon Activities
- Azure Cloud Services - VM Alerts
-
New Azure PIM (Privileged Identity Management) Alerts
- Azure AD - Disabled PIM Alerting
- Azure AD - External User Activated PIM Role
- Azure AD - Global Administrator Assigned
- Azure AD - High Privilege Role Activation
- Azure AD - Multiple Roles Activated in a Short Period of Time
- Azure AD - Role Activation Outside of Business Hours
- Azure AD - Role Activation from Unusual Country
- Azure AD - Role Assignment followed by Multiple High Severity Actions
- Azure AD - Role Settings Changed
-
New alerts for Defender ATP
- Defender ATP - MITRE Tactic Alert
- Defender ATP - Communication with Suspicious Domain
- Defender ATP - DNS Tunnel Detected
- Defender ATP - Digital Currency Mining
- Defender ATP - Malicious URL Click
- Defender ATP - OAuth Token Abuse
- Defender ATP - Device Code Phishing
- Defender ATP - Delivered Phishing Attempts
-
New alerts for Sophos Endpoint Protection
- Sophos - Malware or Threat Detected
- Sophos - EDR Security Event
-
New alerts for Trendmicro
- Trendmicro - Suspicious Attachment Detected
- Trendmicro - Suspicious Process Detection
- Trendmicro - Suspicious URL Detection
- Trendmicro - Web Policy Violation
- Trendmicro - Device Access Violation
- Trendmicro - Intrusion Detection
- Trendmicro - Malware Detection
- Trendmicro - Suspicious Connection Detected
-
New alerts for O365
- O365 - Impossible Travel
- O365 - Login Failure from Unusual User Agents
- O365 - PST File Downloads
- O365 - Malicious URL Click (AIR)
- O365 - Account Enabled by Administrator
- O365 - Bulk Email Deletion
- O365 - SharePoint Site Owner Changed
- O365 - Bulk Account Operations
- O365 - Email from Spoofed Domain
- O365 - Exchange Transport Rule Changed
- O365 - External Forwarding Rules
- O365 - Mailbox Changes
- O365 - Multiple Failed Logins due to MFA
- O365 - Password Changes Outside Working Hours
- O365 - Suspicious Mailbox Rule Created
- O365 - Successful Login from Unusual UserAgent/IP
- O365 - Too Many Emails Accessed
- O365 - User Password Reset
- O365 - Management Activity Data Missing
-
New alerts for Azure AD
- Azure AD - User Deleted Security Info
-
New alerts for Cisco IOS
- Cisco IOS - New Connection For User
- Cisco IOS - Device Failed Login
-
New alerts for FortiGate Firewall
- Fortigate - DoS Policy Alerts
- Fortigate - High Severity Admin Action
- Fortigate - Spike in Traffic
- Fortigate - Admin Authentication Outside Working Hours
-
New alerts for Palo Alto Firewall
- Palo Alto - Configuration Changes Outside Working Hours
- Palo Alto - Traffic on Non-Standard SSH Port
- Palo Alto - Spike in Traffic from One Source IP
-
New alerts for Sophos Firewall
- Sophos Firewall - CLI Failed Logins
- Sophos Firewall - Anti-Virus Alert
- Sophos Firewall - Sandbox Alert
- Sophos Firewall - Multiple Failed Logins
-
New alerts for F5 BIGIP
- F5 BIGIP - Spike in Attacks from One Source IP
- F5 BIGIP - Suspicious HTTP Tool Detected
-
New alerts for Cloudflare
- Cloudflare - High Volume DDoS Indicator
- Cloudflare - Spike in Bots Detected
- Cloudflare - Multiple Requests with High Bot Score
- Cloudflare - Suspicious HTTP Tool Detected
-
New alerts for Cisco Meraki
- Cisco Meraki - Blocked URLs
- Cisco Meraki - Cameras Stopped
-
New alerts for Imperva WAF
- Imperva WAF - Spike in Attack Type
-
New alerts for Network
- Network - Spike in Traffic from One Source IP
- Network - Spike in Traffic on SSH
- Network - Spike in Traffic over SMB
-
New alerts for DNS
- DNS - Suspicious DNS Server Outbound Connections
- DNS - Suspicious High NXDOMAIN Rate
- Note: “Windows DNS” product has been renamed to “DNS” to support broader DNS data sources.
-
New alerts for Windows
- Windows - Suspicious Script Host Execution Detected
- Windows - Suspicious Privilege Escalation Command Detected
- Windows - Network Reconnaissance or Packet Capture Tool Execution
- Windows - Ransomware Behaviour Detected
- Windows - PowerShell or CMD by End User
- Windows - Application Installation
- Windows - New Service Installation
- Windows - Multiple Failed Logins from One Source IP
- Windows - Logins to Multiple Systems by Same User
- Windows - Successful Logins Across Multiple Hosts
- Windows - Admin Successful Logon Across Multiple Hosts
- Windows - Direct Logins to PCs from Admin Accounts
- Windows - Login to Disabled Account
- Windows - Registry Value Modified
- Windows - EDR Service Stopped
- Windows - NTLM Authentication Detection
- Windows - Lateral Movement via PsExec or WMI
- Windows - PsTools Detection
- Windows - SMB Lateral Movement to Multiple Hosts
- Windows - RMM and External Device Detected
- Windows - Suspicious Process Execution from Temp
- Windows - Malicious Process from Office Applications
- Windows - Suspicious File Execution
- Windows - Null Session Detected
- Windows - System Info Gathering via CMD
- Windows - AD CS Certificate Anomaly
- Windows - Remote Service Creation
- Windows - Encryption File Detected
- Windows - Lateral Movement to Multiple Hosts via NTLM
- Windows - System Startup and Shutdown
- Windows - Multiple Modifications on File Servers
- Windows - Uninstall Attempt for Software or Agent
- Windows - Privileged Network shared object was Accessed
-
New alerts for Active Directory
- AD - User Added to a Security Enabled Group
- AD - Bulk Account Creation, Update, and Deletion
- AD - Abnormal Volume of LDAP Queries
- AD - LDAP Enumeration Detected
- AD - High Volume of LDAPS Bind Activity
- AD - Privilege Escalation
- AD - User Password Set to Never Expire
- AD - Changes Outside Working Hours
- AD - Multiple Kerberoasting Attempts Detected
- AD - Approved Certificate Request
-
New alerts for Sysmon
- Sysmon - Network Reconnaissance or Packet Capture Tool Execution
- Sysmon - PowerShell Encoded Command Detection
- Sysmon - Suspicious Privilege Escalation Command Detected
- Sysmon - Suspicious Script Host Execution Detected
-
New alerts for Linux
- Linux - Failed Logins Across Multiple Hosts
- Linux - PAM Multiple Failed Logins
- Linux - Successful SSH Login from New IP
- Linux - Suspicious Service Stop Scripts
- Linux - Unexpected Service Started
- Linux - User Access and Privilege Activity Monitor
- Linux - Changes in the /etc Directory
-
New alerts for MSSQL
- MSSQL - Role Changes
-
New alerts for Oracle
- Oracle - Multiple Failed Logins
- Oracle - Table DDL Changes
-
SOAR Alert Action Enhancements
- SOAR integration now available: Cyences alerts can now automatically forward notable events to your SOAR platform (e.g., Splunk SOAR / Phantom) via a new built-in SOAR alert action. When an alert fires, the event is forwarded to the configured SOAR URL as a CEF-formatted artifact.
- SOAR configuration UI: A dedicated SOAR Configuration page has been added under the Cyences Configuration menu. Configure the SOAR URL, authentication token, event label, and sensitivity classification, and enable or disable the integration — all without editing configuration files.
- Automatic retry for failed SOAR events: A new scheduled search (
Cyences SOAR Retry) automatically retries events that failed to forward on the first attempt, ensuring no alert is silently dropped due to transient SOAR connectivity issues. - Expanded CIM-to-CEF field mapping: The field mapping table used when forwarding events to SOAR has been significantly expanded. New vendor-alias mappings cover Windows Security Events (Subject/Target account fields, Creator Process Name), Azure AD and O365 (ClientIP, userPrincipalName, userName variants), Defender/Sysmon (DeviceName, ComputerName), and asset/vulnerability alerts (ip, mac_address). This ensures that alert result fields for new and existing integrations are correctly translated to CEF before forwarding.
- Collision resolution for duplicate CEF fields: When multiple source fields in the same alert result map to the same CEF destination key, the forwarder now resolves the conflict deterministically. Canonical CIM fields (e.g.,
src_user) take priority over raw vendor aliases, and empty or null values never overwrite a real value. This prevents silent, order-dependent data loss in the forwarded artifact.
-
Enhancements
- Product Setup page major redesign: The Data Reviewer dashboard has been removed and its functionality has been fully integrated into the Product Setup page. Each product now shows live data review panels directly in the configuration UI, including field coverage, source latency (color-coded by severity), datamodel acceleration status, and lazy-loading for performance.
- Qualys vulnerability index: The
cs_vulnerabilities_indexesmacro now usescs_qualysinstead ofcs_qualys_vuln. - Windows DNS renamed to DNS: The “Windows DNS” product has been renamed to “DNS” and now supports a broader range of DNS data sources beyond Windows DNS logs.
- Threshold-based alert names clarified: Several existing alerts were renamed to make their count/threshold-based detection logic clear from the name alone. The upgrade step automatically migrates any customized filter macro values and enabled/disabled state to the renamed alerts.
- AWS - Failed Login From Unusual Country → AWS - Multiple Failed Logins From Unusual Country
- Authentication - Failed VPN Login From Unusual Country → Authentication - Multiple Failed VPN Logins From Unusual Country
- Google Workspace - Failed Login From Unusual Country → Google Workspace - Multiple Failed Logins From Unusual Country
- O365 - Failed Login From Unusual Country → O365 - Multiple Failed Logins From Unusual Country
- AD - Bulk User Creation or Deletion → AD - Bulk Account Creation, Update, and Deletion
-
Removed Features
- BlockShield integration removed: The BlockShield IP reputation integration has been removed from Cyences. Related configuration UI, API keys, and commands have been removed. Customers using BlockShield should contact support for alternatives.
- Data Reviewer dashboard removed: Replaced by integrated data review panels in the Product Setup page.
-
Removed Alerts
The following alerts have been removed (not renamed or replaced). If any of these were customized in your environment’s local
savedsearches.conf, the upgrade step automatically disables them to prevent stale or erroring scheduled searches.- Active Directory / Azure AD: AD - Group Changes, AD - Group Membership Changes, AD - Group Policy Changes, AD - User Changes, Azure AD - Application Changes, Azure AD - Group Changes, Azure AD - GroupMembership Changes, Azure AD - Policy Changes, Azure AD - Role Changes, Azure AD - ServicePrincipal Changes, Azure AD - User Changes
- Database: MSSQL - User Changes, MSSQL - Database Changes, Oracle - User Changes
- O365: O365 - Daily Login Failure, O365 - Login From Unknown User, O365 - O365 Service is Not Operational
- Network: Calculate UpperBound for Spike in Network Traffic, Calculate UpperBound for Spike in Outbound Network Traffic, DDoS Behavior Detected on the Network, Unusual Outbound Traffic
- Email: Daily Spam Emails
- Firewalls: Fortigate - High System Alert, Palo Alto - High System Alert, Palo Alto Firewall - Commits, Sophos Firewall - Lost Connection to Sophos Central, Sophos Firewall - VPN Tunnel Down, Sophos Firewall - Gateway Down
- Windows: Windows - Certificate is Expiring Soon, Windows - Host is Missing Windows Updates
- VPN: Authentication - Long Running VPN Session Disconnected
Upgrade Guide from 6.0.0 to 6.1.0
- Configure the SOAR integration (if you use a SOAR platform): After upgrading, navigate to Cyences Configuration → SOAR Configuration, enter your SOAR URL and authentication token, set the event label and sensitivity, and enable the integration. Without this step, alerts will not be forwarded to SOAR. Refer to the SOAR Configuration guide for details.
- BlockShield integration has been removed. Remove any BlockShield API key configuration from your environment.
- Onboard Mimecast logs to utilize the new Mimecast alerts. Refer to Mimecast Data Onboarding for details.
- Onboard PostgreSQL audit logs to utilize the new PostgreSQL alerts. Refer to PostgreSQL Data Onboarding for details.
- Onboard Microsoft Defender for Cloud data (via Microsoft Graph Security API Add-On for Splunk) to utilize the new Microsoft Defender for Cloud alert. Refer to Microsoft Defender for Cloud Data Onboarding for details.