The Devo Threat Research team has released 23 detections through the Devo Security Operations Content Stream, making them available for instant installation within your Devo instance. Release 2 continues Devo's emphasis on Cloud Security Monitoring as a key use case: it adds detections for Amazon Web Services and now extends signature-based detections to Google Cloud Platform. Devo ingests data from any cloud provider or SaaS-based application quickly and easily, and now provides instant out-of-the-box value for common cloud use cases.
Additionally, Windows remains the endpoint operating system on about 75% of desktop and laptop computers. Devo Security Operations already offers 45 detections for Windows endpoint threats, and Release 2 brings that number to over 50. Threats on Windows come in many shapes and sizes, and Devo now provides even more out-of-the-box protection against them. Windows will continue to be a focus of the Devo Threat Research team in the coming releases.
Documentation page link:
https://docs.devo.com/confluence/ndt/v7.10.0/devo-security-content
Details on the detections released can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| AWS CloudTrail - Multiple Failed Console Logins From a User | Multiple failed logins were detected from the same user within a short period of time. It is important to note that AWS CloudTrail does not log failed authentications for the root account user. | cloud.aws.cloudtrail |
| AWS CloudTrail - Public S3 Bucket Exposed | An AWS request occurred to either create a new public bucket or to add a bucket access control list (ACL) to an existing bucket to make it public. While there are some use cases for public AWS S3 buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public. | cloud.aws.cloudtrail |
| AWS CloudTrail - Logging Configuration Change Observed | Changing the logging configuration of any mission-critical service or platform should be closely monitored. This signal identifies when AWS logging configurations have been changed. The severity of the signal increases depending on the type of action observed; for instance, disabling or deleting logs is a higher severity than enabling logs. | cloud.aws.cloudtrail |
| AWS Create Policy Version To Allow All Resources | This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. | cloud.aws.cloudtrail |
| AWS Createaccesskey | This search looks for AWS CloudTrail events where a user A, who already has permission to create access keys, makes an API call to create access keys for another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A). | cloud.aws.cloudtrail |
| AWS Excessive Security Scanning | This search looks for AWS CloudTrail events and counts the eventName values beginning with Describe issued by a single user. A high count indicates that this user is scanning the configuration of your AWS cloud environment. | cloud.aws.cloudtrail |
| AWS Detect Users Creating Keys With Encrypt Policy Without MFA | This search detects KMS keys whose kms:Encrypt action is accessible to everyone (including principals outside your organization). This is an indicator that your account is compromised and the attacker is using the encryption key to compromise another company. | cloud.aws.cloudtrail |
| GCP Audit ListQueues | This could indicate that an adversary is attempting to collect information for a later attack. When successful, the List Queues event returns all queues, which may be valid targets for further probing or attack. | cloud.gcp |
| GCP Bucket Enumerated | Detects when a service account lists out GCS buckets. | cloud.gcp |
| GCP Bucket Modified | Detects when an administrative change to a GCS bucket has been made. This could change the retention policy or bucket lock. | cloud.gcp |
| GCP Bucket Open | A GCP request occurred to create a new public or open bucket. While there are some use cases for public GCS buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public. | cloud.gcp |
| GCP Port Scan | Attackers will often perform reconnaissance against customer environments to better understand resources on the network. This rule looks for a single source IP scanning for different ports on the same destination. | cloud.gcp |
| GCP Port Sweep | Attackers will often perform reconnaissance against customer environments to better understand resources on the network. This rule looks for a single source IP scanning for the same port across multiple destinations. | cloud.gcp |
| GCP Audit Reconnaissance Activity | This signal identifies GCP API GET and LIST actions that, when observed in combination, could indicate an actor's intent to enumerate the environment. These events are generally benign and occur during normal operations. Use this signal as context around an unfolding security story. | cloud.gcp |
| GCP Audit Secrets Manager Activity | Administrative changes to the GCP Secrets Manager aren't overtly hostile, but they are generally low volume and can be considered sensitive. These signals highlight when these actions occur and can be used in the context of other suspicious activity to raise the risk score of a hostile entity. Several Secrets Manager API actions are included and assessed as sensitive. | cloud.gcp |
| GCP Audit IAM CreateServiceAccount Observed | This signal fires for every observation of the CreateServiceAccount action in the IAM event source. Hostile actors create service accounts to persist access. Use this signal in the context of other activity to determine intent. | cloud.gcp |
| GCP Audit Key Deleted or Disabled | Deleting cryptographic key material managed by KMS can be risky: after the key material is deleted, ciphertext may remain that is now indecipherable. This signal indicates that a key has been scheduled for deletion or that a scheduled deletion has been canceled. In the context of other signals around this entity, it may describe a hostile pattern of attack. | cloud.gcp |
| GCP Audit KMS Activity | GCP KMS is an encryption and key management web service. Besides encrypting and decrypting data, users and administrators can use this service to create and manage keys. This signal indicates activity that explicitly enables or disables keys. This activity has been surveyed to be a low-volume event and could be considered suspicious given other activity involving the entity. Additionally, monitoring for these events is required to achieve certain industry audit compliance. | cloud.gcp |
| Kubernetes GCP Detect Sensitive Object Access | This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets. | cloud.gcp |
| GCP Audit Unauthorized API Calls | An IAM account sent multiple requests to perform a large number of distinct GCP Cloud actions in a short time frame while receiving error codes. This could indicate an account attempting to enumerate its access across the GCP account. | cloud.gcp |
| LSASS Memory Dump | Detects memory dumping from LSASS. For this rule to work, Microsoft Sysinternals Sysmon must be running on the endpoint. | box.all.win |
| Grabbing Sensitive Hives via Reg Utility | Detects dumping of the SAM, SYSTEM or SECURITY registry hives using the reg.exe utility. | box.all.win |
| Windows - Remote System Discovery | Detects suspicious remote system discovery activity (MITRE ATT&CK T1018). | box.all.win |
| Script Execution Via WMI | This rule looks for scripts launched via WMI. | box.all.win |
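Three of the rows above ("Multiple Failed Console Logins From a User", "GCP Port Scan" and "GCP Port Sweep") are the same underlying idea: count distinct values per aggregation key inside a sliding time window and alert past a threshold. The Python below is an added illustration of that logic over constructed sample records; it is not Devo's rule code or query language. The flow-record field names (`src_ip`, `dest_ip`, `dest_port`), the window sizes and the thresholds are assumptions chosen for the example; the CloudTrail `ConsoleLogin` / `responseElements.ConsoleLogin` fields are the real CloudTrail shape. Note how scan and sweep differ only in which field is the key and which is the counted value.

```python
"""Sliding-window distinct-value detection (added example, not Devo's rule code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2021, 1, 1, 12, 0, 0)  # constructed base timestamp for sample data


def windowed_distinct(events, key_fn, value_fn, window, threshold):
    """Return {key: set_of_values} for every key that accumulates at least
    `threshold` distinct values inside any `window`-long span of time.
    Events are sorted by their "ts" field first, so order of arrival does not matter."""
    recent = defaultdict(deque)  # key -> deque of (ts, value) still inside the window
    hits = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key, value, ts = key_fn(e), value_fn(e), e["ts"]
        q = recent[key]
        q.append((ts, value))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold:
            hits[key] = distinct
    return hits


# --- constructed flow records (assumed field names, not GCP's exact schema) ---
def flow(src, dst, port, secs):
    return {"src_ip": src, "dest_ip": dst, "dest_port": port, "ts": T0 + timedelta(seconds=secs)}

FLOWS = (
    [flow("10.0.0.5", "10.0.1.7", p, i * 3) for i, p in enumerate([22, 80, 443, 3389, 8080])]  # one host, many ports
    + [flow("10.0.0.9", f"10.0.1.{10 + i}", 445, i * 2) for i in range(6)]                    # one port, many hosts
    + [flow("10.0.0.20", "10.0.1.7", 443, i * 10) for i in range(3)]                          # benign repeated HTTPS
)


def port_scans(flows, window=timedelta(seconds=60), threshold=5):
    """Port scan: same (source, destination) pair, many distinct destination ports."""
    return windowed_distinct(flows, lambda f: (f["src_ip"], f["dest_ip"]),
                             lambda f: f["dest_port"], window, threshold)


def port_sweeps(flows, window=timedelta(seconds=60), threshold=5):
    """Port sweep: same (source, port) pair, many distinct destination hosts."""
    return windowed_distinct(flows, lambda f: (f["src_ip"], f["dest_port"]),
                             lambda f: f["dest_ip"], window, threshold)


# --- constructed CloudTrail ConsoleLogin events (real CloudTrail field layout) ---
def login(user, ok, secs, n):
    return {"eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
            "eventID": f"evt-{n}", "ts": T0 + timedelta(seconds=secs)}

LOGINS = ([login("alice", False, i * 20, i) for i in range(5)]  # five failures in 80 s
          + [login("bob", False, 0, 10), login("bob", True, 30, 11)])  # one typo, then success


def failed_console_logins(events, window=timedelta(minutes=5), threshold=5):
    """Multiple failed console logins from one user. Each eventID is unique, so
    counting distinct eventIDs equals counting failures. Per the detection
    description, CloudTrail does not log failed root sign-ins, so the root
    user can never reach this threshold and needs separate coverage."""
    failures = [e for e in events
                if e["eventName"] == "ConsoleLogin"
                and e["responseElements"].get("ConsoleLogin") == "Failure"]
    return windowed_distinct(failures, lambda e: e["userIdentity"]["userName"],
                             lambda e: e["eventID"], window, threshold)


if __name__ == "__main__":
    print("port scans:", port_scans(FLOWS))
    print("port sweeps:", port_sweeps(FLOWS))
    print("failed logins:", failed_console_logins(LOGINS))
```

The benign host `10.0.0.20` contacts one port on one host three times and never appears in either result, which is the point of counting distinct values rather than raw event volume; tune `window` and `threshold` to your own traffic baseline before deploying logic like this.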