Release 5 - Out-of-the-box-alerts
The Devo Threat Research team has released more out-of-the-box detections through the Devo Security Operations Content Stream, bringing our total to 355 detections, all of which can be installed instantly within your Devo instance. Release 5 continues Devo's emphasis on Cloud Security Monitoring as a key use case, with a large number of detections for Azure, Office 365, and Google Workspace. With these new detections, we have become a market leader for out-of-the-box Azure detections. Devo has also expanded its out-of-the-box coverage for Windows and AWS, which are commonly ingested into Devo and critical for maintaining security monitoring.
Devo is committed to providing high-quality alerts for all customers' environments, and we will continue to deliver out-of-the-box detections in the next release, focusing on a variety of technologies including Office 365 and Google Workspace.
All the new and modified alerts in Release 5 are listed in the tables below.
Details on existing detections that were updated can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
| --- | --- | --- |
| SecOpsAWSECRContainerScanningFindingsLowInformationalUnknown | Scanning from an ECR container detected at least one LOW or UNDEFINED risk finding. | cloud.aws.cloudtrail |
| SecOpsAWSSamlAccess | This search provides specific information to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or cloud provider. | cloud.aws.cloudtrail |
| SecOpsAWSPermissionsBoundaryModifiedToUser | A Permission Boundary has been modified on a role. This could grant all the actions in the permissions of the policies attached to that role. | cloud.aws.cloudtrail |
| SecOpsAWSPermissionsBoundaryModifiedToRole | A Permission Boundary has been modified on a role. This could grant all the actions in the permissions of the policies attached to that role. | cloud.aws.cloudtrail |
| SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP | The Describe permissions event retrieves a description of permissions for a specified stack. This could be used by an attacker to collect information for further attacks. | cloud.aws.cloudtrail |
| SecOpsAWSLoggingConfigurationChangeObservedStopLogging | A trail within the CloudTrail service has been stopped. This event should be checked since it could indicate that an attacker may be trying to hide suspicious activity within an AWS account. | cloud.aws.cloudtrail |
Details on the new detections released can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
| --- | --- | --- |
| SecOpsAzureConditionalAccessPolicyAdded | This alert identifies when a user has added a conditional access policy; this should be checked since it could be undermining the security posture of the environment. | cloud.azure.eh.events |
| SecOpsAzureConditionalAccessPolicyDeleted | This alert identifies when a user deletes a conditional access policy; this should be checked since it could be undermining the security posture of the environment. | cloud.azure.eh.events |
| SecOpsGSuite2SVDisabled | An adversary may attempt to disable second-factor authentication in order to weaken an organization's security controls. | cloud.gsuite.reports.admin |
| SecOpsGSuiteAcessTransparencyEvent | A Google Access Transparency log event has been generated. Google is accessing your data. | cloud.gsuite.reports.access_transparency |
| SecOpsGSuiteExcessiveOAuthPermissionsRequest | An adversary may steal application access tokens as a means of acquiring credentials to access remote systems and resources. | cloud.gsuite.reports.token |
| SecOpsGSuiteGovernmentAttackWarning | A government-backed attacker could try to steal a password or other personal information of one of your users by sending an email containing a harmful attachment, links to malicious software, or links to fake websites. | cloud.gsuite.alerts |
| SecOpsGSuiteLoginAccountWarning | An attacker could steal the credentials of one of your users. | cloud.gsuite.reports.login |
| SecOpsGSuiteMobileSuspiciousActivity | An attacker could steal the credentials or the mobile device of one of your users. | cloud.gsuite.reports.mobile |
| SecOpsGSuiteUnauthorizedOAuthApp | Detects authentications from OAuth apps outside of your predefined list of approved OAuth applications. | cloud.gsuite.reports.token |
| SecOpsGSuiteDriveOpenToPublic | An attacker may access data objects from improperly secured cloud storage. | cloud.gsuite.audit.drive |
| SecOpsAPT29byGoogleUpdateServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation in order to detect the Russian nation-state attacker APT29. | box.all.win |
| SecOpsAzureAutoAccountCreated | This alert identifies when a user has created a new Azure Automation account; this could be leveraged by an attacker in order to gain persistence in an Azure environment. | cloud.azure.eh.events |
| SecOpsAzureVMCmdEXE | This alert identifies a command execution on a virtual machine. This should be checked in order to verify that the command is not undermining the security posture of the virtual machine. | cloud.azure.eh.events |
| SecOpsAzureFWPolicyDeletion | This alert identifies when a user has deleted a firewall policy. Although this is a common operation, it should be checked since it could be undermining the security posture of the Azure account. | cloud.azure.eh.events |
| SecOpsAzureFrontDoorWafPolicyDeletion | This alert identifies when a user has deleted a web application firewall policy. Although this is a common operation, it should be checked since it could be undermining the security posture of the Azure account. | cloud.azure.activity.events |
| SecOpsAzureNWDeviceModified | This alert identifies when a user has modified a network device such as a network virtual appliance, virtual hub, or virtual router. Although this is a common operation, it should be checked since it could be undermining the security posture of the Azure account. | cloud.azure.activity.events |
| SecOpsO365SusMailboxDelegation | Adversaries may use a compromised account to send messages to other accounts in the network of the target organization while creating inbox rules. | cloud.office365.management.exchange |
| SecOpsAzureAutomationRunbookCreatedOrMofidied | This alert identifies when a user has created or modified an Azure Automation runbook. This could be used by an attacker in order to gain persistence in the Azure environment. | cloud.azure.activity.events |
| SecOpsAzureAutomationRunbookDeleted | This alert identifies when a user has deleted an Azure Automation runbook. This could indicate that an attacker is trying to disrupt the normal behaviour of the automated processes within an Azure account, or is deleting a runbook that was used to gain persistence. | cloud.azure.activity.events |
| SecOpsAzureAutomationWebhookCreated | This alert identifies when an Azure Automation webhook has been created. This could be leveraged by an attacker in order to execute arbitrary code in the Azure environment. | cloud.azure.eh.events |
| SecOpsWinAuditLogCleared | Detects attempts to clear the Windows Security event log, which is a known adversary defense evasion technique. | box.all.win |
| SecOpsWinAuthLocalInteractiveLogin | Detects local logins from unallowed accounts or local logins to unallowed domains. Organizations must populate the permitted local accounts lookup and the permitted domains lookup (case sensitive). | box.all.win |
| SecOpsWinCritServiceStopped | Detects critical services being stopped via the command line with sc.exe or net.exe. | box.all.win |
| SecOpsWinDcShadowDetected | Detects usage of the Mimikatz LSADUMP::DCShadow module. Attackers can temporarily set a computer to be a domain controller and make Active Directory updates. | box.all.win |
| SecOpsWinDomainTrustActivity | Detects when a user has attempted to gather information on domain trusts. | box.all.win |
| SecOpsWinExternalDeviceInstallationDenied | Detects hardware installation failures due to policy. Device installation logging must be configured (see the logging-related reference links). | box.all.win |
| SecOpsWinPermissionGroupDiscovery | Detects when a user attempts to gather information about local and domain groups as well as permission settings. | box.all.win |
| SecOpsWinPowershellProcessDiscovery | Detects the use of various Get-Process PowerShell commands to discover information about running processes. | box.all.win |
| SecOpsWinUserAddedPrivlegedSecGroup | Alerts when an unprivileged account is added to a global security group such as Domain Admins. | box.all.win |
| SecOpsWinUserCreationAbnormalNamingConvention | Detects new user accounts that do not match a user-specified naming convention. The `namePattern` selector value should be populated with a regular expression that matches the organization's naming convention. | box.all.win |
| SecOpsAuthUnauthorizedAccessAttempt | The login attempt failed because the machine user was unauthorized. This can indicate malicious intent. | auth.all |
| SecOpsWinAdminRemoteLogon | Detects remote logins by an administrative user account. Administrative account names are tailored to the organization's specific naming conventions. | box.all.win |
| SecOpsAuthPasswordSprayIp | Detects when a single IP fails to log in to two or more accounts within ten minutes. The account-count threshold and time threshold should be adjusted to suit organizational needs. | auth.all |
| SecOpsAzureConditionalAccessPolicyUpdated | This alert identifies when a user has modified a conditional access policy; this should be checked since it could be undermining the security posture of the environment. | cloud.azure.eh.events |
| SecOpsAzureImpossibleTravel | An adversary could obtain and abuse credentials of existing accounts as a means of gaining initial access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and external services. | cloud.azure.ad.signin |
| SecOpsADAccountNoExpires | Monitoring password-related policies is a fundamental part of keeping systems and users safe. This alert helps to ensure that policies are being applied properly. | box.all.win |
| SecOpsWinWmiScriptExecution | Detects the WMI standard event consumer launching a script. Validate the running script, as this is a rare occurrence in Windows environments. | box.all.win |
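To make the SecOpsAuthPasswordSprayIp threshold concrete, here is an added illustration of the same logic (not Devo's alert implementation) over a handful of constructed authentication events: for each source IP, count the distinct accounts with failed logins inside a sliding window, and flag the IP when that count reaches the threshold. The default threshold (2 accounts) and window (10 minutes) are the ones the table states; both are parameters so they can be tuned as the description recommends.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real Devo data): timestamp, source IP, account, outcome.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "203.0.113.7", "alice", "failure"),
    ("2024-01-10T08:03:00", "203.0.113.7", "bob", "failure"),
    ("2024-01-10T08:05:00", "203.0.113.7", "carol", "failure"),
    ("2024-01-10T08:02:00", "198.51.100.4", "dave", "failure"),
    ("2024-01-10T08:04:00", "198.51.100.4", "dave", "failure"),   # same account twice: not a spray
    ("2024-01-10T09:30:00", "198.51.100.4", "erin", "failure"),   # second account, but outside 10 min
    ("2024-01-10T08:06:00", "192.0.2.9", "frank", "success"),     # successes are ignored
]


def detect_password_spray(events, account_threshold=2, window=timedelta(minutes=10)):
    """Return {source_ip: set_of_accounts} for every IP whose failed logins
    reach account_threshold distinct accounts within any sliding window."""
    failures = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), account))

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()  # order by timestamp so each attempt can open a window
        for i, (window_start, _) in enumerate(attempts):
            accounts = {acct for t, acct in attempts[i:] if t - window_start <= window}
            if len(accounts) >= account_threshold:
                hits[ip] = accounts
                break  # one hit per IP is enough to raise the alert
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray suspected from {ip}: {sorted(accounts)}")
```

Widening the window (for example to two hours) makes 198.51.100.4 fire as well, which is exactly the tuning trade-off the table's note about adjusting thresholds refers to.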