Release 3 - Out-of-the-box alerts
The Devo Threat Research team has released 42 detections through the Devo Security Operations Content Stream, making them available for instant installation within your Devo instance. Release 3 continues Devo’s emphasis on Cloud Security Monitoring as a key use case, containing a large number of detections for Google Cloud Platform. Additionally, Devo has expanded its out-of-the-box coverage for Windows and firewall logs, which are commonly ingested into Devo and critical for maintaining security monitoring.
All the new and modified alerts included in Release 3 are listed in the tables below.
Details on existing detections that were updated can be seen below:
Detection name | Detection description | Devo table/Data source/Category |
--- | --- | --- |
SecOpsSeveralDNSConnections | Systems usually make name-resolution (DNS) requests to a small number of IPs. Any system that makes requests to many different DNS servers within a given period of time is suspected of being compromised. | firewall.all.traffic |
SecOpsLocalUserCreation | The creation of a new Windows user has been detected. Although this could be a legitimate action, it should be reviewed. | box.all.win |
Details on the new detections released can be seen below:
Detection name | Detection description | Devo table/Data source/Category |
--- | --- | --- |
SecOpsGCPNewPublicStorageBucket | An attacker could make the data in a GCP Storage Bucket public in order to collect it. | cloud.gcp |
SecOpsGCPKubernetesClusterPodScanDetection | An adversary may attempt to enumerate the cloud services running on a GCP Kubernetes cluster’s pods. | cloud.gcp |
SecOpsGCPGCEFirewallRuleCreation | This alert detects any attempt to create a firewall rule in Google Cloud Compute Engine. | cloud.gcp |
SecOpsGCPGCEFirewallRuleDeletion | An attacker may have tried to bypass perimeter security by deleting a firewall rule. | cloud.gcp |
SecOpsGCPGCEFirewallRuleModification | An attacker may have tried to bypass perimeter security by modifying a firewall rule. | cloud.gcp |
SecOpsGCPIAMCustomRoleCreation | An attacker may have created a new Role to gain persistence. | cloud.gcp |
SecOpsGCPIAMServiceAccountKeyDeletion | An adversary could delete an IAM Service Account Key to manipulate the service account and maintain access to the systems. | cloud.gcp |
SecOpsGCPLoggingBucketDeletion | An adversary could remove a Google Cloud Logging Bucket to impair event aggregation and analysis mechanisms. | cloud.gcp |
SecOpsGCPPubSubSubscriptionCreation | An adversary could create a Google Cloud Pub/Sub Subscription to collect data. | cloud.gcp |
SecOpsGCPPubSubSubscriptionDeletion | An adversary could delete a Google Cloud Pub/Sub subscription to impair event aggregation and analysis mechanisms. | cloud.gcp |
SecOpsGCPPubSubTopicCreation | An adversary could create a Google Cloud Pub/Sub topic to collect data. | cloud.gcp |
SecOpsGCPPubSubTopicDeletion | An adversary could delete a Google Cloud Pub/Sub topic to impair event aggregation and analysis mechanisms. | cloud.gcp |
SecOpsGCPIAMServiceAccountDeletion | An attacker could delete a Service Account to interrupt the availability of systems and network resources by inhibiting access to accounts utilized by legitimate users. | cloud.gcp |
SecOpsGCPIAMServiceAccountDisabled | An adversary could disable an IAM Service Account to manipulate the service account and maintain access to the systems. | cloud.gcp |
SecOpsGCPIAMServiceAccountKeyCreation | An adversary could create an IAM Service Account Key to manipulate a service account and maintain access to the systems. | cloud.gcp |
SecOpsGCPStorageBucketDeletion | An adversary could delete a Google Cloud Storage Bucket to destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. | cloud.gcp |
SecOpsGCPStorageBucketPermissionsModification | An adversary may modify Storage Bucket Permissions to evade access control lists (ACLs) and access protected files. | cloud.gcp |
SecOpsGCPDetectAccountsWithHighRiskRolesByProject | A high-risk role has been assigned to a user; this could indicate that a malicious actor is trying to escalate privileges within the project. | cloud.gcp |
SecOpsGCPPrivateCloudRouteDeletion | An attacker may have deleted a VPC Route to interrupt the availability of systems and network resources. | cloud.gcp |
SecOpsGCPPrivateCloudRouteCreation | An attacker may have created a new Route to bypass restrictions on traffic routing segregating trusted and untrusted networks. | cloud.gcp |
SecOpsGCPPrivateCloudNetworkDeletion | An attacker could delete a Virtual Private Cloud (VPC) Network to interrupt the availability of systems and network resources. | cloud.gcp |
SecOpsGCPLoggingSinkModification | An attacker could be modifying a logging sink to avoid detection, or redirect logs to a different destination. | cloud.gcp |
SecOpsGCPLoggingSinkDeletion | An attacker could be deleting a logging sink to avoid detection. | cloud.gcp |
SecOpsWinLockoutsEndpoint | Multiple Windows account lockouts were detected on the same endpoint. | box.all.win |
SecOpsWinAnonymousAccountCreated | Detects the creation of suspicious user accounts with names similar to ANONYMOUS LOGON. These accounts can be created as a means to evade defenses and monitoring by masquerading as a third-party service. | box.all.win |
SecOpsWinDisableAntispywareRegistry | Detects users enabling the DisableAntiSpyware registry key. Attackers may utilize this technique for evasion. | box.all.win |
SecOpsWinWmiprvseSpawningProcess | Detects child processes spawned by WMIPRVSE. Adversaries can use this to obscure parent-child relationships or launch cmd.exe or PowerShell. | box.all.win |
SecOpsWinExcessiveUserInteractiveLogin | Detects when a user performs a significant number of Windows interactive logins to multiple destination hosts within a 24-hour period. | box.all.win |
SecOpsWinLocalSystemExecuteWhoami | Detects a local system executing whoami.exe on the command prompt. Adversaries often run this command to understand account privileges. Investigate the parent process and user account for other related, suspicious activity. | box.all.win |
SecOpsWinLsassKeyModification | Monitors for changes to lsass.exe related registry keys that are often edited to enable or obfuscate activity related to dumping the process. | box.all.win |
SecOpsWinRegistryQuery | Identifies queries to the registry. Adversaries often query the registry to gather information about the system, configuration, and installed software. | box.all.win |
SecOpsWinScheduledTaskCreation | Detects when a scheduled task is created in Windows. | box.all.win |
SecOpsWinUserCredentialDumpRegistry | Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. | box.all.win |
SecOpsWinWmiProcessCallCreate | Detects usage of WMI to create processes on the local or remote hosts. WMI is a native Windows tool and can be used to bypass application whitelisting. | box.all.win |
SecOpsWinWmiLaunchingShell | Detects WMI creating a child process of cmd.exe or PowerShell. An attacker can use WMI to launch a shell on the local or remote host to bypass application whitelisting, since WMI is a native Windows management tool. | box.all.win |
SecOpsWinBackupCatalogDeleted | Detects suspicious usage of wbadmin.exe (Windows Backup Administrator Tool) to delete backup files. | box.all.win |
SecOpsWinUserAddedToLocalSecurityEnabledGroup | Attackers may attempt to escalate privileges to a user account by adding it to a local security enabled group. This could indicate privilege abuse or potential malicious activity. | box.all.win |
SecOpsWinWmiExecVbsScript | Detects suspicious file execution by wscript and cscript. Adversaries can use this mechanism to execute malicious code for persistence or privilege escalation. | box.all.win |
SecOpsFWExternalSMBTrafficDetectedFirewall | Identifies SMB traffic from external sources allowed through the firewall. Due to known vulnerabilities with the SMB protocol, this type of external traffic falls outside best practices. | firewall.all.traffic |
SecOpsFWSMBTrafficOutbound | Detects SMB traffic from internal to external sources allowed through the firewall. | firewall.all.traffic |
SecOpsFWRDPExternalAccess | Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network. | firewall.all.traffic |
SecOpsFortinetHighRiskAppUse | Alerts when a Fortinet Firewall detects a high-risk application within the environment. | firewall.fortinet.traffic.forward |
SecOpsFortinetCriticalRiskAppUse | Alerts when a Fortinet Firewall detects a critical-risk application within the environment. | firewall.fortinet.traffic.forward |
SecOpsPanAuthExcessiveFailedLoginIP | Detects excessive Palo Alto firewall authentication failures for a single IP within a short period of time. | firewall.paloalto.system |
SecOpsPanAuthExcessiveFailedLoginUser | Detects excessive Palo Alto firewall authentication failures for a single user account within a short period of time. | firewall.paloalto.system |
SecOpsPanAuthFailMultipleUserSingleIP | Detects brute-force attacks via Palo Alto firewall authentication logs: a single source IP address attempted and failed to authenticate multiple times while providing multiple usernames. | firewall.paloalto.system |