
Alert Pack: Discovery Tactic

Purpose

Discovery (MITRE ATT&CK tactic TA0007) groups the techniques an adversary uses to learn about a target environment: which files, services, accounts and systems exist, and where the valuable ones are. It usually happens soon after initial access and before the attacker decides what to exploit or where to move next, which makes it an early point at which an intrusion can be caught. That is why Devo has constructed its first alert exchange pack around these five alerts, to help your organization detect attackers using this tactic.

To give broad coverage, the alerts watch web access logs for attempts to reach five kinds of sensitive file: database files, log files, software-information files, known malware files, and credential files.

Security Operations application

SecOps users get more detailed alert information if they install these alerts through the Content Manager instead of this alert pack. The corresponding alerts are:

SecOpsMalwareFileAccessAttempt

SecOpsCredentialsFileAccessAttempt

SecOpsLogRelatedFileAccessAttempt

SecOpsSoftwareInfoAccessAttempt

SecOpsDatabaseFileAccessAttempt
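The five alerts above all read the same source (web access logs) and differ only in which requested paths they treat as sensitive. The following Python script is an added illustration of that idea and is not Devo's alert logic or its queries: it parses a few constructed combined-format access-log lines, classifies each requested path into the same five categories using illustrative path patterns (assumptions chosen for this example), and reports every match as an attempt, noting whether the server actually served the file.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample web access log lines in Combined Log Format. These are
# made up for this example; they are not real web.all.access data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup/db.sql HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /%2eenv HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /logs/error.log HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:14:01:03 +0000] "GET /phpinfo.php?x=1 HTTP/1.1" 200 20480 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:14:05:00 +0000] "GET /uploads/shell.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:05:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache/Nginx combined log format: client ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative path patterns per alert category. These are assumptions made
# for this example, not the patterns used by the Devo alerts; the keys follow
# the five alerts in the pack.
CATEGORY_PATTERNS = {
    "credentials": re.compile(r"(^|/)(\.env|\.htpasswd|id_rsa|wp-config\.php)$|\.pem$", re.I),
    "database": re.compile(r"\.(sql|sqlite3?|db|mdb|bak)$", re.I),
    "log": re.compile(r"\.log$|(^|/)logs?/", re.I),
    "software": re.compile(r"(^|/)(phpinfo\.php|composer\.(json|lock)|package\.json|server-status)$|(^|/)\.git/", re.I),
    "malware": re.compile(r"(^|/)(c99|r57|cmd|shell|webshell)\.(php|asp|aspx|jsp)$", re.I),
}


def normalize_path(target):
    """Drop the query string and percent-decode exactly once, so /%2eenv is seen as /.env."""
    return unquote(target.split("?", 1)[0])


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Return the alert categories whose patterns match an already-normalized request path."""
    return [name for name, rx in CATEGORY_PATTERNS.items() if rx.search(path)]


def detect(log_text):
    """Run the classification over every line and return one finding per match.

    A request is flagged whether or not the server returned the file: a 404 is
    still a discovery attempt. 'served' records whether it succeeded (2xx),
    which is what an analyst should triage first.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["target"])
        for category in classify_path(path):
            findings.append({
                "ip": rec["ip"],
                "path": path,
                "category": category,
                "status": rec["status"],
                "served": 200 <= rec["status"] < 300,
            })
    return findings


def attempts_by_source(findings):
    """Count flagged requests per (client IP, category), the usual pivot for triage."""
    return Counter((f["ip"], f["category"]) for f in findings)


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        flag = "SERVED" if f["served"] else "attempt"
        print(f"{f['category']:<11} {flag:<8} {f['ip']:<14} {f['status']} {f['path']}")
    print(attempts_by_source(results))
```

Two points from the script are worth carrying into real rules: flag the attempt regardless of HTTP status, because a probing attacker mostly collects 404s and 403s, and decode the path once before matching so that percent-encoded variants are not missed (decoding more than once would turn double-encoded input into something the server itself never saw).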


Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

  • web.all.access

Open alert pack

Once you have installed the alert pack, use the Open button at the top right of its card in Exchange to reach the Alert configuration area, where you can filter for the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).


Use alert pack

The alerts in the pack are deactivated by default when it is installed. Go to the Alert configuration area to activate the ones you need and assign sending policies so that they are delivered through the channels you want.