...
All the new and modified alerts as part of Release 7 can be seen in the below tables.
Alerts modified:

| Detection name | Changes made |
|---|---|
| SecOpsVNCPortOpen | Updated to the newest alert template and reduced the alerting threshold. |
Details on the new detections released can be seen below:
| Detection name | Detection description | Devo table / data source / category |
|---|---|---|
| SecOpsAzureConditionalAccessPolicyUpdated | Identifies when a user has modified a Conditional Access policy. Every such change should be reviewed, since it may weaken the security posture of the environment. | cloud.azure.eh.events |
| SecOpsLinuxAddFilestoCrontabDir | Detects potentially suspicious file creation in cron table directories. | box.unix |
| SecOpsLinuxBashShellProfileMod | Detects modifications to a bash shell profile. Shell profiles can be modified to execute malicious scripts whenever a user logs in or starts a new interactive shell, giving an attacker persistence that survives reboots. | box.unix |
| SecOpsLinuxMaxSessionsPerUser | Detects when a user reaches the maximum number of concurrent login sessions. | box.unix |
| SecOpsLinuxFileCreateProfile | Detects file creation in the /etc/profile.d directory. Scripts placed here are executed automatically whenever a user starts a login shell, which makes the directory a common persistence location. | box.unix |
| SecOpsLinuxDoasConfigCreate | Detects creation of a doas.conf file on a Linux host. This enables the doas utility, which lets users execute commands as other accounts (similar to sudo). | box.unix |
| SecOpsLinuxInitDaemonDeletion | Detects deletion of an init daemon script on Linux. Deleting daemon scripts can be used to disable security features on a Linux machine. | box.unix |
| SecOpsLinuxFileDDOverwrite | Detects the dd command being used to overwrite a file. dd is a powerful tool that can be abused for data destruction and can render data unrecoverable. | box.unix |
| SecOpsLinuxAppendCronjobEntry | Detects appends to existing cron job files. | box.unix |
| SecOpsLinuxStrangeProcessExec | Detects process execution from a temporary folder such as /tmp. | box.unix |
| SecOpsLinuxFileOwnerNowRoot | Detects a file's owner being changed to root using the chown command. | box.unix |
| SecOpsLinuxInstallKernelModprobe | Detects installation of a Linux kernel module using the modprobe utility. | box.unix |
| SecOpsLinuxDeletionofSslCert | Detects deletion of an SSL certificate on a Linux host, which could indicate a compromised machine. | box.unix |
| SecOpsLinuxIrregularLogin | Detects login attempts outside the permitted hours. | box.unix |
| SecOpsLinuxHiddenFilesCreated | Detects creation by a user of files or folders whose name begins with "." (including paths such as "/.name"). Such entries are omitted from a plain directory listing and could indicate an attacker attempting to hide files on the system. | box.unix |
| SecOpsLinuxSetuidUsingChmod | Detects chmod being executed to set the setuid bit. A setuid executable runs with the privileges of the file's owner rather than those of the invoking user. | box.unix |
| SecOpsLinuxSvcEnabled | Detects services being enabled on Linux. Check who created the service and the service path; an administrator may create a legitimate service that triggers this alert. | box.unix |