We have finally hit 400 detections! Thanks to the help of our SciSec team we have released 17 new out-of-the-box detections, mostly for Linux. This release brings more detections through the Devo Security Operations Content Stream. Linux is extremely important for our customers to have monitored. Linux is used in most cloud vms, developer computers, and used in most supercomputers around the world. SciSec understands this, and that is why we have created this release. Not only does it put us over 400 detections, with a total of 402, but it also improves our inventory of Linux detections.
We also implemented our alert-tuning process this release and took a look at one of our more “noisy” alerts. The details have been provided below.
Devo is committed to providing high quality alerts for all customers' environments, we will continue to deliver these out-of-the-box detections during the next release, focusing on a variety of technologies, including IDS and EDR technologies.
All the new and modified alerts as part of Release 7 can be seen in the below tables.
Alert Analyzed:
Detection name | Changes made |
SecOpsVNCPortOpen | Updated to the newest alert template and reduced the alerting threshold |
Details on the new detections released can be seen below:
Detection name | Detection description | Devo table/Data source/Category |
SecOpsAzureConditionalAccessPolicyUpdated | This alert identifies when a user has modified a conditional access policy, this should be checked since it could be undermining the security posture of the environment. | cloud.azure.eh.events |
SecOpsLinuxAddFilestoCrontabDir | Detects potentially suspicious file creation in cron table directories. | box.unix |
SecOpsLinuxBashShellProfileMod | Detects when modifications are made to a bash shell profile. Bash shell profiles could be modified to execute malicious scripts on machine reboot, or whenever a user logs into the machine. | box.unix |
SecOpsLinuxMaxSessionsPerUser | Detects whenever a user reaches the maximum number of login sessions. | box.unix |
SecOpsLinuxFileCreateProfile | Detects file creation in /etc/profile.d directory. Files created here can automatically execute scripts on the boot up of the machine. | box.unix |
SecOpsLinuxDoasConfigCreate | Detects the creation of doas.conf file on Linux host. This allows the use of the doas utility tool, which permits users to execute commands as other accounts. | box.unix |
SecOpsLinuxInitDaemonDeletion | Detects deletion of init daemon script in Linux. Deletion of daemon scripts could be used to disable security features on a Linux machine. | box.unix |
SecOpsLinuxFileDDOverwrite | Detects for the dd command being used to overwrite a file. This is a powerful tool that can be abused for data destruction purposes, and could potentially render data irrecoverable. | box.unix |
SecOpsLinuxAppendCronjobEntry | Detects appends to existing cronjob files. | box.unix |
SecOpsLinuxStrangeProcessExec | Detects process execution in a temporary folder. | box.unix |
SecOpsLinuxFileOwnerNowRoot | Detected the file owner being changed to root using the chown command. | box.unix |
SecOpsLinuxInstallKernelModprobe | Detects installation of a Linux kernel module using modprobe utility function. | box.unix |
SecOpsLinuxDeletionofSslCert | Detects deletion of SSL certificate on Linux host. Deletion of an SSL certificate could indicate a compromised Linux machine. | box.unix |
SecOpsLinuxIrregularLogin | Detects attempted login at a forbidden time. | box.unix |
SecOpsLinuxHiddenFilesCreated | Detects for creation of files or folders that begin with "." or "/." by a user. This could indicate an attacker attempting to hide files on the system that are easily overlooked. | box.unix |
SecOpsLinuxSetuidUsingChmod | Detects chmod utility execution to enable setuid bit. This bit allows a user to run with the privileges of the owner of the file. | box.unix |
SecOpsLinuxSvcEnabled | Detects for services being enabled in Linux. It's important to look for who created the the service, and the service path. It is possible an administrator could create a legitimate service that may be detected. | box.unix |