...
The SciSec team has also made progress updating our older detections to match our current schema and documentation. You can see this in the Updated Legacy Alerts section, below the new alerts.
These alerts have the same detection power as before but now integrate better with our other Devo products. If you use the MITRE Attack Advisor App, or prefer to edit your alerts in Loxcope, these detections now integrate seamlessly with those products. They have also been updated to work with our SecOps enrichments, such as the SecOpsAlertDescription lookup, and now accurately show the MITRE tactics and techniques associated with each alert.
Try them out and let us know what you think! As always, all feedback is welcome and helps us improve our content. In our next release we will continue updating these alerts, with the goal of completing the migration and using Q1 to assess the validity of all our alerts. Stay tuned!
Alerts updated
| Detection name | Detection description | Devo table/Data source | Changes made |
|---|---|---|---|
| SecOpsAWSPermissionsBoundaryLiftedtoUser | Removal of a permissions boundary from an IAM user was detected. An attacker could use this action to escalate privileges within an AWS account. | | Fixed unknown identifier |
| SecOpsAWSIAMPolicyAppliedToGroup | A policy being attached to an IAM group was detected. Such events should be reviewed, since they could grant excessive permissions to AWS services or resources. | | Fixed unknown identifier |
| SecOpsWinSchtasksForcedReboot | Alerts when flags are passed to | | Fixed installation failure |
| SecOpsWinScheduledTaskCreation | Detects when a scheduled task is created in Windows. | | Fixed installation failure, fixed casting issue, improved overall performance |
| SecOpsFWTrafficForeignDestination | Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes. | | Fixed installation failure |
| SecOpsAwsDbSnapshotCreated | Creating a snapshot is a common technique used by malicious actors to exfiltrate a database stealthily. This alert should be considered alongside other signals that could indicate an account has been compromised. | | Fixed installation failure |
| SecOpsFWExcessFirewallDenies | Detects an excessive number of firewall blocks within a short time frame. The threshold should be adjusted to the normal traffic patterns of the organization's environment. | | Fixed casting issue |
| SecOpsWinAttemptToAddCertificateToStore | Detects a user attempting to add a certificate to the store via | | Corrected the description to show appropriate tags |
| SecOpsAWSPermissionsBoundaryModifiedToUser | A permissions boundary has been modified for a role. This could allow every action granted by the policies attached to that role to take effect. | | Reworked query filter |
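To make the two tunable firewall detections in the table concrete, the following Python is an added illustration (not the Devo alert queries, which are written in LINQ) of the logic behind SecOpsFWTrafficForeignDestination and SecOpsFWExcessFirewallDenies run over constructed sample log lines. The key=value log format, the field names, the expected-country lookup values and the default threshold and window are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for the user-populated lookup of home/domestic/expected country
# codes that the alert description refers to (values are an assumption).
EXPECTED_COUNTRIES = {"US", "CA", "GB"}

# Constructed sample firewall log lines; the key=value layout and field names
# are assumptions for this example, not Devo's firewall schema.
SAMPLE_LOG = """\
ts=2024-01-15T10:00:00 src=10.1.1.5 dst=93.184.216.34 dst_country=US action=allow
ts=2024-01-15T10:00:02 src=10.1.1.5 dst=203.0.113.7 dst_country=RU action=allow
ts=2024-01-15T10:00:03 src=10.1.1.9 dst=198.51.100.4 dst_country= action=allow
ts=2024-01-15T10:00:10 src=10.1.1.20 dst=192.0.2.1 dst_country=US action=deny
ts=2024-01-15T10:00:11 src=10.1.1.20 dst=192.0.2.2 dst_country=US action=deny
ts=2024-01-15T10:00:12 src=10.1.1.20 dst=192.0.2.3 dst_country=US action=deny
ts=2024-01-15T10:00:13 src=10.1.1.20 dst=192.0.2.4 dst_country=US action=deny
ts=2024-01-15T10:05:00 src=10.1.1.21 dst=192.0.2.1 dst_country=US action=deny
ts=2024-01-15T10:06:00 src=10.1.1.21 dst=192.0.2.2 dst_country=US action=deny
ts=2024-01-15T10:07:00 src=10.1.1.21 dst=192.0.2.3 dst_country=US action=deny
ts=2024-01-15T10:08:00 src=10.1.1.21 dst=192.0.2.4 dst_country=US action=deny
"""


def parse_log(text):
    """Parse key=value lines into dicts and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def foreign_destinations(events, expected=EXPECTED_COUNTRIES):
    """Allowed outbound flows whose destination country is not in the lookup.

    Events with an empty country (geo enrichment failed) are skipped rather
    than flagged: that is a data-quality problem, not evidence of a foreign
    destination, and flagging them would flood the alert with noise.
    """
    return [
        e for e in events
        if e["action"] == "allow"
        and e["dst_country"]
        and e["dst_country"] not in expected
    ]


def excess_denies(events, threshold=3, window_seconds=60):
    """Return {src: first timestamp at which more than `threshold` denies
    from that source fell inside one sliding window of `window_seconds`}.

    Both parameters are the knobs the alert description says must be tuned
    to the environment's normal traffic pattern.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps inside the window
    alerts = {}
    for e in events:
        if e["action"] != "deny":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop denies older than the window
            q.popleft()
        if len(q) > threshold and e["src"] not in alerts:
            alerts[e["src"]] = e["ts"]
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in foreign_destinations(evs):
        print("foreign destination:", e["src"], "->", e["dst"], e["dst_country"])
    for src, ts in excess_denies(evs).items():
        print("excess denies:", src, "at", ts.isoformat())
```

With the defaults, 10.1.1.20 (four denies in three seconds) fires and 10.1.1.21 (one deny a minute) does not; widening the window to five minutes makes the second source fire as well, which is exactly the kind of threshold-versus-baseline trade-off the alert description asks users to tune.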
...