Release 4 - Out-of-the-box alerts
- Anthony Shevlin (Deactivated)
The Devo Threat Research team has released 65 detections through the Devo Security Operations Content Stream, making them available for installation instantly within your Devo instance. Release 4 continues Devo’s emphasis on Cloud Security Monitoring as a key use case, containing a large number of detections for Azure, AWS and GCP. Additionally, Devo has expanded its out of the box coverage for firewalls, Windows, proxies, and logs, which are commonly ingested into Devo and critical for maintaining security monitoring. Â
All the new and modified alerts as part of Release 4 can be seen in the below tables.
Details on existing detections that were updated can be seen below:
Detection name | Detection description | Devo table/Data source/Category |
SecOpsLog4ShellVulnerabilityOverWebServerConnections | Alert that checks attempts to exploit CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability in the log raw message. This would include payloads included in the url, user-agent header, referrer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning. | web.all.access |
SecOpsLog4ShellVulnerabilityCloudAWS | This alert checks for the CVE-2021-44228 exploit (Log4shell). The query looks for payload patterns associated with Log4shell including payloads in the url, user-agent header, referer header, or POST and PUT HTTP bodies. | cloud.aws.cloudtrail |
SecOpsLog4ShellVulnOverDomainsUnionTableConnections | Alert that checks attempts of exploiting CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability in the log raw message. This would include payloads included in the URL, user-agent header, referrer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning. | domains.all |
SecOpsLog4ShellVulnerabilityGCP | Alert that checks attempts to exploit CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability in the log raw message. This would include payloads included in the URL, user-agent header, referrer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning. | cloud.gcp |
SecOpsLog4ShellVulnerabilityOverProxyConnections | Alert that checks attempts to exploit CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability in the log raw message. This would include payloads included in the URL, user-agent header, referrer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning. | proxy.all.access |
SecOpsLog4ShellVulnOverFirewallTrafficConnections | Alert that checks traffic logs on firewalls if a connection against a server related to recent CVE-2021-4428 (Log4Shell) attacks has been performed. It makes use of a lookup table containing the IP of servers related with these malicious activities. | firewall.all.traffic |
SecOpsAWSECRContainerScanningFindingsHigh | Scanning from an ECR container detected at least one high risk finding. | cloud.aws.cloudtrail |
SecOpsAWSECRContainerScanningFindingsLowInformationalUnknown | Scanning from an ECR container detected at least one low or informational risk. | cloud.aws.cloudtrail |
SecOpsAWSECRContainerScanningFindingsMedium | Scanning from an ECR container detected at least one medium risk finding. | cloud.aws.cloudtrail |
SecOpsAWSECRContainerUploadOutsideBusinessHours | Upload of a new ECR container was performed outside normal business hours. This is during weekend or between 20:00 and 8:00 | cloud.aws.cloudtrail |
SecOpsHostNameSubdomainLength | Too long subdomains could be part of Application Layer Protocols. | network.dns |
SecOpsAwsVpcLargeOutboundTrafficBlock | Actions observed as blocked for sending large amounts of data from AWS out to the internet. | vpc.aws.flow |
SecOpsAWSUpdateloginprofile | A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user which login profile has been updated. | cloud.aws.cloudtrail |
Details on the new detections released can be seen below:Â
Detection Name | Detection Description | Devo Table/Data Source/Category |
SecOpsGCPSQLDatabaseModification | An attacker could intend to modify, or gain, privileges on a Cloud SQL Database. | cloud.gcp |
SecOpsAzureUserAddedToGlobalAdminRole | An adversary could escalate privileges or attempt to persist by adding an account to a Global Administrator role in Azure AD. | cloud.azure.ad.audit |
SecOpsAzureUserCreated | An adversary could attempt to persist by creating a user account in Azure AD. | cloud.azure.ad.audit |
SecOpsAzureExternalUserInvited | An adversary could create an invitation for an external user to create a new account in Azure AD. This may be a routine activity but could be used as a vector for an adversary to gain access or persistence. | cloud.azure.ad.audit |
SecOpsAzureExternalUserInvitationRedeemed | An adversary can create a new Azure AD account by redeeming an invitation for an external user. This may be a routine activity, but could be used as a vector for an adversary to gain access or persistence. | cloud.azure.ad.audit |
SecOpsAzureUserHighRiskSignIn | An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and externally services. | cloud.azure.ad.signin |
SecOpsAzureUserHighAggregateRiskSignIn | An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and external services. | cloud.azure.ad.signin |
SecOpsAzureUserConfirmedCompromised | An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and external services. | cloud.azure.ad.signin |
SecOpsAzureGroupInformationDownload | An adversary could download group information to learn about the environment. | cloud.azure.ad.audit |
SecOpsAzureUserInformationDownload | An adversary may attempt to get a listing of accounts on a system or within an environment. | cloud.azure.ad.audit |
SecOpsAzureUserLoginSuspiciousRisk | An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. | cloud.azure.ad.signin |
SecOpsAzureUserAddedOutsidePIMRole | An adversary could escalate privileges or attempt to persist by adding an account to a role outside of Privilege Identity Management (PIM) in Azure AD. | cloud.azure.ad.audit |
SecOpsAzureUserAddedNonAdminRole | An adversary could escalate privileges by adding an account to a role. | cloud.azure.ad.audit |
SecOpsWinADDomainEnumeration | Detects potential attempts to enumerate active users on the network. | box.all.win |
SecOpsWinAttemptToAddCertificateToStore | Detects a user attempting to add a certificate to the store via certutil.exe -addstore. | box.all.win |
SecOpsWinDisableUac | Detects users modifying registry keys that control the enforcement of Windows User Account Control (UAC). | box.all.win |
SecOpsWinMsiExecInstallWeb | Detects when a suspicious MsiExec process starts with a web address as a parameter. | box.all.win |
SecOpsWinWifiCredHarvestNetsh | Detects the harvesting of WIFI credentials using netsh.exe. | box.all.win |
SecOpsWinAdminShareSuspiciousUse | Detects when a user pivots to an internal host from another internal host via Windows Admin shares. | box.all.win |
SecOpsFWSMBInboundScanningDetected | Identifies a host scanning other hosts for open SMB shares. Triggers when a single source IP connects to more than 25 destinations using SMB. | firewall.all.traffic |
SecOpsFWEmbargoedCountryOutboundTrafficDetected | Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes. | firewall.all.traffic |
SecOpsFWIpScanExternal | Detects when a single internal IP is scanning other internal IPs using different ports for each scan attempt. This is a low and slow technique intended to avoid triggering traditional port scan and port sweep alerts. | firewall.all.traffic |
SecOpsFWIpScanInternal | Detects when a single internal IP is scanning other internal IPs using different ports for each scan attempt. This is a low and slow technique intended to avoid triggering traditional port scan and port sweep alerts. | firewall.all.traffic |
SecOpsFWIrcTrafficExternalDestination | Detects outbound traffic over IRC (TCP on ports 194 or 6697). Compromised hosts can utilize IRC for command and control operations. | firewall.all.traffic |
SecOpsFWPortScanExternalSource | Identifies a host external to the monitored network showing behavior consistent with a scan for a port on multiple destination addresses in a short time. | firewall.all.traffic |
SecOpsFWPortScanInternalSource | Detects scanning activity from an internal IP address to multiple ports on other internal IP addresses. The time threshold and a number of destination ports threshold should be tuned to fit organizational needs. | firewall.all.traffic |
SecOpsFWPortSweepInternalSource | Detects port scanning activity from an internal IP address to multiple other internal IP addresses on the same destination port which may indicate an attacker enumerating the network for lateral movement. | firewall.all.traffic |
SecOpsFWSMBInternalScanningDetected | Identifies a host scanning other hosts for open SMB shares. Triggers when a single source IP connects to more than 25 destinations using SMB. | firewall.all.traffic |
SecOpsFWTrafficOnUnassignedLowPort | Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic. | firewall.all.traffic |
SecOpsProxyHttpSingleCharacterFileNameRequest | Detects the download of a file with a single character filename. | proxy.all.access |
SecOpsAwsECRContainerScanningFindingsCritical | Scanning from an ECR container detected at least one critical risk finding. | cloud.aws.cloudtrail |
SecOpsWinSchtasksForcedReboot | Alerts when flags are passed to schtasks.exe on the command-line that indicate that a forced system reboot is scheduled. | box.all.win |
SecOpsWinSchtasksRemoteSystem | Detects flags passed to schtasks.exe on the command-line that indicate a job is being scheduled on a remote system. | box.all.win |
SecOpsFWEmbargoedCountryInboundTrafficDetected | Detects inbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes. | firewall.all.traffic |
SecOpsFWExcessFirewallDenies | Detects excessive firewall blocks within a short time frame. The threshold should be adjusted in accordance with normal traffic patterns in an organization's environment. | firewall.all.traffic |
SecOpsFWExcessFirewallDeniesOutbound | Detects excessive firewall blocks for outbound traffic from a single IP in a short period of time; this activity may be indicative of C2 traffic and should be reviewed. | firewall.all.traffic |
SecOpsFWSigred | Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by monitoring for suspicious outbound DNS traffic over TCP. The destination name server should be examined for legitimacy. | firewall.all.traffic |
SecOpsFWIcmpExcessivePackets | Since ICMP packets are typically very small, this alert will detect ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration. | firewall.all.traffic |
SecOpsFWTrafficForeignDestination | Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes. | firewall.all.traffic |
SecOpsFortinetCriticalAppUse | Fortinet Firewall detected a critical risk application within the environment. | firewall.fortinet.traffic.forward |
SecOpsWinLockoutsEndpoint | Multiple Windows account lockouts were detected on the same endpoint. | box.all.win |
SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP | The Describe permissions event retrieves a description of permissions for a specified stack. This could be used by an attacker to collect information for further attacks. | cloud.aws.cloudtrail |
SecOpsO365PhishAttempt | Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. | cloud.office365.management.securitycompliancecenter |
SecOpsFWRdpTrafficUnauthorized | Detects RDP traffic to hosts, not within an allowed list. | firewall.all.traffic |