...

The SciSec team has also made progress in updating our older detections to match our current schema and documentation. You can see this in the Updated Legacy Alert section, below the new alerts.

These alerts have the same detection power as before but now integrate better with our other Devo products. If you use the MITRE Attack Advisor App, or prefer to edit your alerts in Loxcope, these detections now work seamlessly with those products. They have also been updated to work with our SecOps enrichments, such as the SecOpsAlertDescription lookup, and now accurately show the MITRE tactics and techniques associated with each alert.

Try them out and let us know what you think! As always, all feedback is welcome and helps us improve our content. In our next release we will continue updating these alerts, with the goal of completing the migration and using Q1 to assess the validity of all our alerts. Stay tuned!

Alerts updated

Each entry gives the detection name, its description, the Devo table/data source it reads from, and the changes made in this release.

SecOpsAWSPermissionsBoundaryLiftedtoUser
  Detection description: A permissions boundary was removed from an IAM user. An attacker could use this action to escalate privileges within an AWS account, because the user's effective permissions are no longer capped by the boundary.
  Devo table/Data source: cloud.aws.cloudtrail
  Changes made: Fixed unknown identifier

SecOpsAWSIAMPolicyAppliedToGroup
  Detection description: A policy was attached to an IAM group. These events should be reviewed, since the policy could grant excessive permissions on AWS services or resources to every member of the group.
  Devo table/Data source: cloud.aws.cloudtrail
  Changes made: Fixed unknown identifier

SecOpsWinSchtasksForcedReboot
  Detection description: Alerts when schtasks.exe is invoked with command-line flags indicating that a forced system reboot is being scheduled.
  Devo table/Data source: box.all.win
  Changes made: Fixed installation failure

SecOpsWinScheduledTaskCreation
  Detection description: Detects when a scheduled task is created in Windows.
  Devo table/Data source: box.all.win
  Changes made: Fixed installation failure and a casting issue; improved overall performance

SecOpsFWTrafficForeignDestination
  Detection description: Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing their home/domestic/expected country codes; destinations outside that list raise the alert.
  Devo table/Data source: firewall.all.traffic
  Changes made: Fixed installation failure

SecOpsAwsDbSnapshotCreated
  Detection description: Creating a snapshot is a common technique used by malicious actors to copy databases out of an environment in a stealthy manner. On its own this is a low-confidence signal; consider it together with other signals that could indicate the account has been compromised.
  Devo table/Data source: cloud.aws.cloudtrail
  Changes made: Fixed installation failure

SecOpsFWExcessFirewallDenies
  Detection description: Detects an excessive number of firewall blocks within a short time frame. The threshold should be adjusted to the normal traffic patterns of the organization's environment.
  Devo table/Data source: firewall.all.traffic
  Changes made: Fixed casting issue

SecOpsWinAttemptToAddCertificateToStore
  Detection description: Detects a user attempting to add a certificate to a certificate store via certutil.exe -addstore.
  Devo table/Data source: box.all.win
  Changes made: Corrected the description to show the appropriate tags

SecOpsAWSPermissionsBoundaryModifiedToUser
  Detection description: A permissions boundary has been modified for a role. A less restrictive boundary could allow all of the actions granted by the policies attached to that role.
  Devo table/Data source: cloud.aws.cloudtrail
  Changes made: Reworked query filter
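As an added example (not Devo's own LINQ queries and not part of the original release notes), the four cloud.aws.cloudtrail checks above implemented in Python over constructed CloudTrail records. Field names follow CloudTrail's JSON schema (eventSource, eventName, requestParameters, userIdentity, errorCode); the alert names, severities, the AdministratorAccess heuristic and the rule that escalates a snapshot when the same actor also tripped an IAM alert are this example's assumptions.

```python
"""Toy versions of the CloudTrail checks above, run over constructed records (added
example; severities and the admin-policy heuristic are assumptions, not Devo's)."""


def actor(rec):
    """ARN of the identity that made the call, tolerant of missing fields."""
    return (rec.get("userIdentity") or {}).get("arn", "<unknown>")


def detect(records):
    """Return one alert per matching record. Failed calls (errorCode set) are skipped:
    the boundary was not actually lifted and the policy was not attached."""
    alerts = []
    for rec in records:
        if rec.get("errorCode"):
            continue
        src, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        base = {"time": rec.get("eventTime"), "actor": actor(rec)}
        if src == "iam.amazonaws.com" and name == "DeleteUserPermissionsBoundary":
            # PermissionsBoundaryLiftedtoUser: nothing caps the user's policies any more
            alerts.append({**base, "alert": "PermissionsBoundaryLifted",
                           "target": params.get("userName"), "severity": "high"})
        elif src == "iam.amazonaws.com" and name in ("PutUserPermissionsBoundary",
                                                      "PutRolePermissionsBoundary"):
            # PermissionsBoundaryModified: a looser boundary widens what attached policies allow
            alerts.append({**base, "alert": "PermissionsBoundaryModified",
                           "target": params.get("userName") or params.get("roleName"),
                           "boundary": params.get("permissionsBoundary"), "severity": "medium"})
        elif src == "iam.amazonaws.com" and name == "AttachGroupPolicy":
            # IAMPolicyAppliedToGroup: every member of the group gains the policy
            policy = params.get("policyArn") or ""
            alerts.append({**base, "alert": "PolicyAttachedToGroup",
                           "target": params.get("groupName"), "policy": policy,
                           # assumption: an AWS-managed admin policy is the case worth paging on
                           "severity": "high" if policy.endswith("/AdministratorAccess") else "low"})
        elif src == "rds.amazonaws.com" and name in ("CreateDBSnapshot", "CreateDBClusterSnapshot"):
            # DbSnapshotCreated: low on its own, see escalate_snapshots()
            alerts.append({**base, "alert": "DbSnapshotCreated",
                           "target": (params.get("dBInstanceIdentifier")
                                      or params.get("dBClusterIdentifier")),
                           "severity": "low"})
    return alerts


def escalate_snapshots(alerts):
    """Raise DbSnapshotCreated to high when the same actor also tripped an IAM alert,
    i.e. when another signal suggests the account is compromised (assumed rule)."""
    iam_actors = {a["actor"] for a in alerts if a["alert"] != "DbSnapshotCreated"}
    for a in alerts:
        if a["alert"] == "DbSnapshotCreated" and a["actor"] in iam_actors:
            a["severity"] = "high"
    return alerts


ALICE = "arn:aws:iam::111122223333:user/alice"
# Constructed sample records (not real CloudTrail data); only the fields the checks read.
SAMPLE_RECORDS = [
    {"eventTime": "2023-12-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUserPermissionsBoundary", "userIdentity": {"arn": ALICE},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2023-12-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePermissionsBoundary", "userIdentity": {"arn": ALICE},
     "requestParameters": {"roleName": "deploy",
                           "permissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess"}},
    {"eventTime": "2023-12-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachGroupPolicy", "userIdentity": {"arn": ALICE},
     "requestParameters": {"groupName": "developers",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-12-01T10:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "userIdentity": {"arn": ALICE},
     "requestParameters": {"dBInstanceIdentifier": "prod-customers",
                           "dBSnapshotIdentifier": "tmp-1"}},
    {"eventTime": "2023-12-01T11:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-job"},
     "requestParameters": {"dBInstanceIdentifier": "prod-customers",
                           "dBSnapshotIdentifier": "nightly"}},
    # Denied call: the boundary stayed in place, so no "lifted" alert is raised.
    {"eventTime": "2023-12-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUserPermissionsBoundary", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"userName": "bob"}},
]

if __name__ == "__main__":
    for alert in escalate_snapshots(detect(SAMPLE_RECORDS)):
        print(alert)
```

Every field is read with .get(), which is the cheap way to avoid the "unknown identifier" class of failure when a record lacks requestParameters or errorCode; the denied call in the sample shows why errorCode has to be checked before calling a change "lifted".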
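As an added example (again not Devo's own queries), the command-line logic behind the three box.all.win alerts above (SecOpsWinScheduledTaskCreation, SecOpsWinSchtasksForcedReboot, SecOpsWinAttemptToAddCertificateToStore) in Python, run over constructed process-creation command lines and one constructed task definition of the kind found in a Security 4698 event's TaskContent. The event shapes, sample lines and alert names are assumptions of this example, not the Devo schema.

```python
"""Command-line checks for the Windows alerts above over constructed events (added
example; event shapes and alert names are assumptions, not Devo's box.all.win schema)."""
import re
import shlex
import xml.etree.ElementTree as ET

SWITCH = re.compile(r"^[/-](\w+)$")          # schtasks and certutil accept both / and -
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def tokens(cmdline):
    """Split a Windows command line; posix=False keeps quotes and backslashes intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to a whitespace split
        return cmdline.split()


def program(tok):
    """Lower-cased basename of an executable token, without quotes, path or .exe."""
    name = tok.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def switches(toks):
    return {m.group(1).lower() for m in map(SWITCH.match, toks) if m}


def switch_value(toks, name):
    """Value following a switch, e.g. the action string after /TR."""
    for i, tok in enumerate(toks[:-1]):
        m = SWITCH.match(tok)
        if m and m.group(1).lower() == name:
            return toks[i + 1].strip('"')
    return None


def forced_reboot(action_toks):
    """True when the action runs shutdown with restart (/r) and force (/f), also when
    wrapped, e.g. 'cmd /c shutdown /r /f'. A plain 'shutdown /r' is not forced."""
    idx = next((i for i, t in enumerate(action_toks) if program(t) == "shutdown"), None)
    return idx is not None and {"r", "f"} <= switches(action_toks[idx:])


def classify(cmdline):
    toks = tokens(cmdline)
    if not toks:
        return []
    exe, sw, found = program(toks[0]), switches(toks), []
    if exe == "schtasks" and "create" in sw:
        found.append("ScheduledTaskCreation")
        # Caveat: with /XML the action lives in the file, not on the command line, so
        # only classify_task_xml() can decide the forced-reboot case for such tasks.
        if forced_reboot(tokens(switch_value(toks, "tr") or "")):
            found.append("SchtasksForcedReboot")
    if exe == "certutil" and "addstore" in sw:
        found.append("CertutilAddStore")
    return found


def classify_task_xml(task_xml):
    """Same forced-reboot check on a task definition (4698 TaskContent or /XML file)."""
    found = ["ScheduledTaskCreation"]
    for exec_ in ET.fromstring(task_xml).iter(TASK_NS + "Exec"):
        cmd = exec_.findtext(TASK_NS + "Command") or ""
        args = exec_.findtext(TASK_NS + "Arguments") or ""
        if forced_reboot([cmd] + tokens(args)):
            found.append("SchtasksForcedReboot")
    return found


# Constructed sample command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    'schtasks.exe /Create /TN "Updater" /TR "shutdown.exe /r /f /t 0" /SC ONCE /ST 23:00',
    'schtasks /create /tn backup /tr "C:\\Tools\\backup.cmd" /sc daily',
    'C:\\Windows\\System32\\schtasks.exe /Query /TN Updater',
    'certutil.exe -addstore Root C:\\Users\\Public\\corp-root.cer',
    'certutil -hashfile C:\\Users\\Public\\setup.exe SHA256',
    'schtasks /create /tn t /tr "shutdown /r /t 60"',        # reboot, but not forced
]

# Constructed task definition in the Task Scheduler schema (not a real 4698 payload).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\shutdown.exe</Command><Arguments>/r /f /t 0</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line)
    print(classify_task_xml(SAMPLE_TASK_XML))
```

The non-POSIX shlex mode matters: Windows paths carry backslashes that a POSIX split would eat, and the quoted /TR value has to survive as one token so its inner switches are not confused with schtasks' own.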
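As an added example (not Devo's own queries), the two firewall.all.traffic checks above (SecOpsFWTrafficForeignDestination and SecOpsFWExcessFirewallDenies) in Python over constructed flow records. The field names (time, srcIp, dstIp, dstCountry, action, direction), the in-memory stand-in for the expected-country lookup table, the deny-action spellings and the sample traffic are assumptions of this example.

```python
"""The two firewall checks above over constructed flow records (added example; field
names, the expected-country lookup and the deny spellings are assumptions)."""
from collections import defaultdict, deque

# Stand-in for the lookup table the foreign-destination alert requires users to populate.
EXPECTED_COUNTRIES = {"US", "CA"}

# Vendors spell a block differently; normalise before counting so the threshold
# compares like with like (a typical source of casting/type mismatches).
DENY_ACTIONS = {"deny", "denied", "drop", "dropped", "block", "blocked", "reject", "rejected"}


def is_deny(event):
    return str(event.get("action", "")).lower() in DENY_ACTIONS


def foreign_destinations(events, expected):
    """Outbound, allowed flows whose destination country is not in the lookup.
    Flows with no country (GeoIP miss, private address) are returned separately so
    they are neither silently dropped nor mis-reported as foreign."""
    expected = {c.upper() for c in expected}
    flagged, unresolved = [], []
    for e in events:
        if e.get("direction") != "outbound" or is_deny(e):
            continue
        country = (e.get("dstCountry") or "").strip().upper()
        if not country:
            unresolved.append(e)
        elif country not in expected:
            flagged.append(e)
    return flagged, unresolved


def excess_denies(events, threshold=5, window=60):
    """Per-source sliding window: alert once when `threshold` denies land within
    `window` seconds. Tune both to the environment's normal traffic."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(filter(is_deny, events), key=lambda x: x["time"]):
        q = recent[e["srcIp"]]
        q.append(e["time"])
        while q[0] < e["time"] - window:
            q.popleft()
        if len(q) == threshold:          # fires on the crossing, not on every later deny
            alerts.append((e["srcIp"], e["time"], threshold))
    return alerts


BASE = 1_700_000_000  # constructed epoch timestamps


def ev(offset, src, dst, country, action, direction="outbound"):
    return {"time": BASE + offset, "srcIp": src, "dstIp": dst,
            "dstCountry": country, "action": action, "direction": direction}


# Constructed sample traffic (not real logs).
SAMPLE_EVENTS = (
    [ev(0, "10.0.0.5", "203.0.113.10", "US", "allow"),
     ev(5, "10.0.0.5", "198.51.100.7", "NL", "allow"),          # foreign destination
     ev(6, "10.0.0.6", "198.51.100.8", "NL", "drop"),           # blocked, so no egress
     ev(7, "10.0.0.6", "192.0.2.44", "", "allow"),              # GeoIP miss
     ev(8, "10.0.0.6", "10.0.0.1", "DE", "allow", "inbound")]   # not outbound
    + [ev(20 + 5 * i, "10.0.0.9", "192.0.2.1", "US", "deny") for i in range(6)]     # 6 denies in 25 s
    + [ev(100 + 120 * i, "10.0.0.7", "192.0.2.1", "US", "deny") for i in range(5)]  # 5 denies over 8 min
)

if __name__ == "__main__":
    flagged, unresolved = foreign_destinations(SAMPLE_EVENTS, EXPECTED_COUNTRIES)
    print("foreign:", [(e["srcIp"], e["dstIp"], e["dstCountry"]) for e in flagged])
    print("unresolved:", [(e["srcIp"], e["dstIp"]) for e in unresolved])
    print("excess denies:", excess_denies(SAMPLE_EVENTS, threshold=5, window=60))
```

The slow source (five denies spread over eight minutes) never trips a 60-second window, which is the point of tying the threshold to a time frame rather than counting denies per day; the burst source trips it exactly once.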

...