The Devo Threat Research team has released 23 detections through the Devo Security Operations Content Stream, making them available for instant installation within your Devo instance. Release 2 continues Devo's emphasis on Cloud Security Monitoring as a key use case, adding further detections for Amazon Web Services and now expanding signature-based detections to Google Cloud Platform. Devo ingests data from any cloud provider or SaaS-based application quickly and easily, and now provides instant out-of-the-box value for common cloud use cases.

Additionally, Windows remains the endpoint operating system on about 75% of desktop and laptop computers. Devo Security Operations offers 45 detections for Windows endpoint threats, and Release 2 brings that number to over 50. Threats on Windows come in many shapes and sizes, and Devo now provides even more out-of-the-box protection against them. Windows will continue to be a focus of the Devo Threat Research team in the coming releases.

Details on the detections released are listed below:

| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| AWS CloudTrail - Multiple Failed Console Logins From a User | Multiple failed logins were detected from the same user within a short period of time. Note that AWS CloudTrail does not log failed authentications for the root account user. | cloud.aws.cloudtrail |
| AWS CloudTrail - Public S3 Bucket Exposed | An AWS request was made either to create a new public bucket or to add a bucket access control list (ACL) to an existing bucket that makes it public. While there are some use cases for public AWS S3 buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public. | cloud.aws.cloudtrail |
| AWS CloudTrail - Logging Configuration Change Observed | Changes to the logging configuration of any mission-critical service or platform should be closely monitored. This signal identifies when AWS logging configurations have been changed. The severity of the signal increases depending on the type of action observed; for instance, disabling or deleting logs is a higher severity than enabling logs. | cloud.aws.cloudtrail |
| AWS Create Policy Version To Allow All Resources | This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. | cloud.aws.cloudtrail |
| AWS Createaccesskey | This search looks for AWS CloudTrail events where a user A, who already has permission to create access keys, makes an API call to create access keys for another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A). | cloud.aws.cloudtrail |
| AWS Excessive Security Scanning | This search looks at AWS CloudTrail events and counts the eventName values starting with Describe that were issued by a single user. A high count indicates that this user is scanning the configuration of your AWS cloud environment. | cloud.aws.cloudtrail |
| AWS Detect Users Creating Keys With Encrypt Policy Without MFA | This search detects KMS keys whose kms:Encrypt action is accessible to everyone (including principals outside your organization). This is an indicator that your account is compromised and that the attacker is using the encryption key to compromise another company. | cloud.aws.cloudtrail |
| GCP Audit ListQueues | This could indicate that an adversary is attempting to collect information for a later attack. When successful, the ListQueues event returns all queues, which may be valid targets for further probing or attack. | cloud.gcp |
| GCP Bucket Enumerated | Detects when a service account lists GCS buckets. | cloud.gcp |
| GCP Bucket Modified | Detects when an administrative change has been made to a GCS bucket. This could change the retention policy or the bucket lock. | cloud.gcp |
| GCP Bucket Open | A GCP request was made to create a new public or open bucket. While there are some use cases for public GCS buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public. | cloud.gcp |
| GCP Port Scan | Attackers often perform reconnaissance against customer environments to better understand the resources on the network. This rule looks for a single source IP scanning different ports on the same destination. | cloud.gcp |
| GCP Port Sweep | Attackers often perform reconnaissance against customer environments to better understand the resources on the network. This rule looks for a single source IP scanning the same port across multiple destinations. | cloud.gcp |
| GCP Audit Reconnaissance Activity | This signal identifies GCP API GET and LIST actions that, when observed in combination, could indicate an actor's intent to enumerate the environment. These events are generally benign and occur during normal operations. Use this signal as context around an unfolding security story. | cloud.gcp |
| GCP Audit Secrets Manager Activity | Administrative changes to the GCP Secrets Manager are not overtly hostile, but they are generally low volume and can be considered sensitive. These signals highlight when such actions occur and can be used in the context of other suspicious activity to raise the risk score of a hostile entity. Several Secrets Manager API actions are included and assessed as sensitive. | cloud.gcp |
| GCP Audit IAM CreateServiceAccount Observed | This signal fires for every observation of the CreateServiceAccount action in the IAM event source. Hostile actors create service accounts to persist access. Use this signal in the context of other activity to determine intent. | cloud.gcp |
| GCP Audit Key Deleted or Disabled | Deleting cryptographic key material managed by KMS can be risky: after the key material is deleted, ciphertext may remain that is now indecipherable. This signal indicates that a key has been scheduled for deletion or that a scheduled deletion has been canceled. In the context of other signals around this entity, it may describe a hostile pattern of attack. | cloud.gcp |
| GCP Audit KMS Activity | GCP KMS is an encryption and key management web service. Besides encrypting and decrypting data, users and administrators can use this service to create and manage keys. This signal indicates activity that explicitly enables or disables keys. This activity has been surveyed to be low volume and could be considered suspicious given other activity involving the entity. Additionally, monitoring for these events is required to achieve certain industry audit compliance. | cloud.gcp |
| Kubernetes GCP Detect Sensitive Object Access | This search provides information on Kubernetes accounts accessing sensitive objects such as ConfigMaps or Secrets. | cloud.gcp |
| GCP Audit Unauthorized API Calls | An IAM account sent multiple requests to perform a large number of distinct GCP actions in a short time frame while receiving error codes. This could indicate an account attempting to enumerate its access across the GCP account. | cloud.gcp |
| LSASS Memory Dump | Detects memory dumping from LSASS. For this rule to work, Microsoft Sysinternals Sysmon must be running on the endpoint. | box.all.win |
| Grabbing Sensitive Hives via Reg Utility | Detects dumping of the SAM, SYSTEM or SECURITY registry hives using the REG.exe utility. | box.all.win |
| Windows - Remote System Discovery | Detects suspicious remote system discovery activity (MITRE ATT&CK T1018). | box.all.win |
| Script Execution Via WMI | This rule looks for scripts launched via WMI. | box.all.win |
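As an added illustration (not Devo's own rule logic, which this page does not show), the detection logic behind two of the AWS CloudTrail rows above, "Multiple Failed Console Logins From a User" and "Create Policy Version To Allow All Resources", implemented in Python over constructed CloudTrail records; the threshold of three failures in five minutes and the field selection are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail records (not real data), trimmed to the fields the checks use.
def _login(time, user, result):
    return {"eventTime": time, "eventName": "ConsoleLogin",
            "userIdentity": {"userName": user}, "responseElements": {"ConsoleLogin": result}}

EVENTS = [
    _login("2021-03-01T10:00:05Z", "alice", "Failure"),
    _login("2021-03-01T10:00:20Z", "alice", "Failure"),
    _login("2021-03-01T10:01:00Z", "alice", "Failure"),
    _login("2021-03-01T10:30:00Z", "bob", "Failure"),
    _login("2021-03-01T10:31:00Z", "bob", "Success"),
    {"eventTime": "2021-03-01T11:00:00Z", "eventName": "CreatePolicyVersion",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/Example", "setAsDefault": True,
                           # CloudTrail carries the policy document as a JSON string
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def _as_list(value):  # IAM accepts a single string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]

def failed_console_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Users with >= `threshold` failed ConsoleLogin events in a sliding `window` (root failures are never logged)."""
    per_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["eventName"] == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            per_user[e["userIdentity"].get("userName", "<unknown>")].append(_ts(e))
    flagged = set()
    for user, times in per_user.items():  # times are sorted; test each run of `threshold` failures
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
    return flagged

def policy_version_allows_all(events):
    """(userName, policyArn) for CreatePolicyVersion calls granting Allow on Action * and Resource *."""
    hits = []
    for e in (x for x in events if x["eventName"] == "CreatePolicyVersion"):
        doc = json.loads(e["requestParameters"]["policyDocument"])
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action")) \
                    and "*" in _as_list(stmt.get("Resource")):
                hits.append((e["userIdentity"].get("userName"), e["requestParameters"]["policyArn"]))
    return hits
```

Running both checks over the constructed records flags only alice for failed logins and bob's CreatePolicyVersion call for the wildcard policy; a bob-only failure and the successful login are ignored.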
