We're thrilled to announce the latest updates and additions to our alerting system with Release 23. This release brings enhanced alert logic and improved summaries, and introduces new alerts to bolster your security operations.
Improved Alerts:
SecOpsWinUserAddedToLocalSecurityEnabledGroup
Enhanced alert logic for detecting user additions to local security-enabled groups on Windows systems.
Improved summary for better understanding and faster response.
SecOpsLinuxIrregularLoginSsh
Updated alert logic to identify irregular login activity via SSH on Linux systems.
Refined summaries to provide clearer insight into potential security threats.
SecOpsO365AuthExcessiveFailedLoginsSingleSource
Updated the mmcity geolocation operation used by this Office 365 authentication alert for excessive failed logins from a single source.
Streamlined summaries to facilitate quicker identification of suspicious activity.
SecOpsO365ImpossibleTravel
Revised alert logic for Office 365 impossible travel scenarios.
Improved use of the mmcity geolocation operation for more accurate detection.
Enhanced summaries to highlight impossible travel incidents effectively.
New Alerts:
SecOpsSlackPossibleSessionHijacking
New alert to detect potential session hijacking in Slack environments.
Monitors for suspicious activity indicating unauthorized access to Slack accounts.
Provides detailed insight into possible session compromise for swift remediation.
SecOpsWinPowerSettings (MITRE ATT&CK T1653, Power Settings)
New alert covering MITRE ATT&CK technique T1653, which describes adversaries manipulating Windows power settings.
Alerts on suspicious changes to power settings indicative of potential adversary actions.
Enables proactive defense against tactics aiming to manipulate power configurations for malicious purposes.
Stay vigilant with these upgraded alerts and leverage the new additions to strengthen your security posture. For further details, consult the documentation or reach out to our support team for assistance. Upgrade to Release 23 now and fortify your defenses against evolving threats.
Alerts updated:
| Detection name | Detection description | Devo table/Data source/Category | Changes made |
| SecOpsWinUserAddedToLocalSecurityEnabledGroup | Attackers may attempt to escalate privileges to a user account by adding it to a local security-enabled group. This could indicate privilege abuse or potentially malicious activity. | | Improved alert summary |
| SecOpsO365ImpossibleTravel | Identifies users who have had successful logins in two geographically different locations within an hour. | | Updated mmcity operation |
| SecOpsO365AuthExcessiveFailedLoginsSingleSource | Detects multiple failed authentications from a single IP in Office 365. | | Updated mmcity operation |
| SecOpsLinuxIrregularLoginSsh | Detects an attempted login at a forbidden time. | | Logic improvement |
| SecOpsSlackPossibleSessionHijacking | Detects the same session ID used from a new IP for the same user in a short period of time. | | New alert |
| | Detects when a single internal IP is scanning other internal IPs using a different port for each scan attempt. This is a low-and-slow technique intended to avoid triggering traditional port scan and port sweep alerts. | | Field naming update |
| SecOpsWinPowerSettings | Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate, which can disrupt malicious activity. | | New alert |
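The low-and-slow scan row above says the technique is designed to avoid triggering traditional port scan and port sweep alerts. The following added example (written for this page; it is not Devo's alert logic and does not use Devo's query language) shows why, by running a classic per-host port-scan check, a classic per-port sweep check, and a low-and-slow check over a constructed connection log; only the last one flags the slow scanner, while the two classic checks catch only the noisy ones. The log format, thresholds, window sizes and all IP addresses are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the page or from Devo), one
# attempt per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
#   10.0.0.5  : low-and-slow scanner, one host per hour, a new port every time
#   10.0.0.9  : classic port scan, many ports on one host in under a minute
#   10.0.0.7  : classic port sweep, port 445 on many hosts in under a minute
#   10.0.0.50 : benign repeated HTTPS to one server
SAMPLE_FLOWS = """
2024-05-01T00:05:00 10.0.0.5 10.0.0.11 22
2024-05-01T01:10:00 10.0.0.5 10.0.0.12 80
2024-05-01T02:30:00 10.0.0.5 10.0.0.13 443
2024-05-01T03:45:00 10.0.0.5 10.0.0.14 445
2024-05-01T05:00:00 10.0.0.5 10.0.0.15 3389
2024-05-01T06:20:00 10.0.0.5 10.0.0.16 8080
2024-05-01T07:00:00 10.0.0.5 8.8.8.8 53
2024-05-01T08:00:00 10.0.0.50 10.0.0.100 443
2024-05-01T08:01:00 10.0.0.50 10.0.0.100 443
2024-05-01T09:00:00 10.0.0.9 10.0.0.20 21
2024-05-01T09:00:10 10.0.0.9 10.0.0.20 22
2024-05-01T09:00:20 10.0.0.9 10.0.0.20 23
2024-05-01T09:00:30 10.0.0.9 10.0.0.20 25
2024-05-01T09:00:40 10.0.0.9 10.0.0.20 80
2024-05-01T09:00:50 10.0.0.9 10.0.0.20 443
2024-05-01T10:00:00 10.0.0.7 10.0.0.31 445
2024-05-01T10:00:10 10.0.0.7 10.0.0.32 445
2024-05-01T10:00:20 10.0.0.7 10.0.0.33 445
2024-05-01T10:00:30 10.0.0.7 10.0.0.34 445
2024-05-01T10:00:40 10.0.0.7 10.0.0.35 445
2024-05-01T10:00:50 10.0.0.7 10.0.0.36 445
"""


def parse_flows(text):
    """Parse the log into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port)))
    return flows


def internal_only(flows):
    """Keep only internal-to-internal attempts (private address ranges)."""
    return [f for f in flows if f[1].is_private and f[2].is_private]


def _windows(events, window):
    """Yield, for each time-sorted event, the slice of events that starts at
    it and spans at most `window` (a simple sliding window)."""
    events = sorted(events)
    for i, first in enumerate(events):
        yield [e for e in events[i:] if e[0] - first[0] <= window]


def port_scan_sources(flows, window=timedelta(minutes=5), min_ports=5):
    """Classic port scan: one source hits many ports on ONE host in a short window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((ts, port))
    return {str(src) for (src, _), ev in by_pair.items()
            if any(len({p for _, p in w}) >= min_ports for w in _windows(ev, window))}


def port_sweep_sources(flows, window=timedelta(minutes=5), min_hosts=5):
    """Classic port sweep: one source hits ONE port on many hosts in a short window."""
    by_port = defaultdict(list)
    for ts, src, dst, port in flows:
        by_port[(src, port)].append((ts, dst))
    return {str(src) for (src, _), ev in by_port.items()
            if any(len({d for _, d in w}) >= min_hosts for w in _windows(ev, window))}


def low_and_slow_sources(flows, window=timedelta(hours=24), min_hosts=5,
                         max_ports_per_host=1, max_hosts_per_port=1):
    """Low-and-slow scan: one source reaches many hosts over a LONG window,
    using a different port on each attempt, so per-host port counts and
    per-port host counts both stay below the classic thresholds above."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))
    hits = set()
    for src, ev in by_src.items():
        for w in _windows(ev, window):
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, dst, port in w:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            if (len(ports_per_host) >= min_hosts
                    and max(len(s) for s in ports_per_host.values()) <= max_ports_per_host
                    and max(len(s) for s in hosts_per_port.values()) <= max_hosts_per_port):
                hits.add(str(src))
                break
    return hits


def run_detections(text=SAMPLE_FLOWS):
    """Run all three checks over the internal-only flows and return the
    flagged source IPs per detection."""
    flows = internal_only(parse_flows(text))
    return {"port_scan": port_scan_sources(flows),
            "port_sweep": port_sweep_sources(flows),
            "low_and_slow": low_and_slow_sources(flows)}


if __name__ == "__main__":
    for name, sources in run_detections().items():
        print(f"{name}: {sorted(sources) or '-'}")
```

The two classic checks key on (source, destination) and (source, port), so a scanner that never repeats a destination or a port keeps every counter at one. The low-and-slow check keys on the source alone over a long window and additionally requires that the per-host and per-port counters stay small, which is what distinguishes it from the noisy scanner and the sweep rather than simply re-flagging them.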