Release 6 - Out-of-the-box alerts
The Devo SciSec team is proud to announce that we have released more out-of-the-box content. This release not only includes 33 new OOTB detections, but includes our newest detection technology: Linux.
This release brings more detections through the Devo Security Operations Content Stream, bringing our total to 388 detections and making them available for installation instantly within your Devo instance. The SciSec team continues on the journey toward 500 detections. Release 6 has an emphasis on Cloud Security Monitoring as a key use case, containing a large number of detections for Azure, proxies, and Office 365.
Additionally, Devo has expanded its out-of-the-box coverage for Windows and AWS, which are commonly ingested into Devo and critical for maintaining security monitoring. Devo is committed to providing high-quality alerts for all customer environments, and we will continue to deliver these out-of-the-box detections during the next release, focusing on a variety of technologies, including Linux and EDR. All the new and modified alerts that are part of Release 6 can be seen in the tables below.
Details on existing detections that were updated can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
| --- | --- | --- |
| SecOpsAWSOpenNetworkACLs | The search looks for CloudTrail events to detect if any network ACLs were created with all ports open to a specified CIDR. | cloud.aws.cloudtrail |
| SecOpsAWSMultipleFailedConsoleLogins | Multiple failed login attempts from the same user were detected. This could indicate that an attacker is trying to brute-force access to that specific user account. | cloud.aws.cloudtrail |
| SecOpsAWSIAMAssumeRolePolicyBruteForce | Detects events with errorCode "MalformedPolicyDocumentException". A malformed policy document exception occurs when an attempt is made to assume a role, including brute-force attempts. | cloud.aws.cloudtrail |
| SecOpsAwsGetSecretFromNonAmazonIp | Detects a GetSecretValue action where the source IP does not belong to the Amazon instance IP space. | cloud.aws.cloudtrail |
| SecOpsSimultaneouslyLoginbyIP | To help prevent misuse of access credentials, this detection monitors for multiple users logging in to systems simultaneously from the same IP address. | auth.all |
| SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP | The Describe permissions event retrieves a description of permissions for a specified stack. This could be used by an attacker to collect information for further attacks. | cloud.aws.cloudtrail |
Details on the new detections released can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
| --- | --- | --- |
| SecOpsAzureDevOpsProjectVisibilityChanged | This alert identifies when an Azure DevOps project's visibility has been set to public. This action should be reviewed since it could be undermining the security posture of the company. | cloud.azure.vm.unknown_events |
| SecOpsLinuxWebserverAccessLogsDeleted | Detects the deletion of web server access logs. | box.unix |
| SecOpsLinuxSysLogFileDeletion | Detects the deletion of sensitive Linux system logs. | box.unix |
| SecOpsLinuxSudoFileModification | Detects modification of the sudoers file. The sudoers file determines which users have the ability to run commands with superuser permission. | box.unix |
| SecOpsLinuxRestrictedShellBreakoutSSH | Detects potential abuse of the Linux SSH binary to break out of restricted environments by spawning an interactive system shell. | box.unix |
| SecOpsLinuxAuditdMaxFailedLoginAttempts | Detects when the maximum number of failed login attempts for a user is reached on a Linux host. | box.unix |
| SecOpsLinuxDeletionSSHKey | Detects the deletion of an SSH key. | box.unix |
| SecOpsLinuxSetuiSecapUtility | Detects suspicious execution of the setcap utility to enable the SUID bit. | box.unix |
| SecOpsLinuxHijackLibraryCalls | Detects a command that could hijack a library function. This detection looks for use of the LD_PRELOAD environment variable to hijack library functions. | box.unix |
| SecOpsLinuxInsertKernelInsmod | Detects insertion of a Linux kernel module using the insmod utility. This could indicate the installation of a rootkit or other malicious kernel modules. | box.unix |
| SecOpsLinuxDoasToolExec | Detects the use of the doas tool. Doas allows users to run commands as another account, commonly used to obtain root privileges. | box.unix |
| SecOpsAzureDevOpsSecretNotSecured | This alert identifies when a user has insecurely stored a new variable in Azure DevOps that may contain credentials. | cloud.azure.vm.unknown_events |
| SecOpsO365NewFederatedDomain | The addition of a new federated domain may be normal activity. However, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities. | cloud.office365.management.exchange |
| SecOpsO365ExcessiveSSOLoginFailures | Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. | cloud.office365.management.azureactivedirectory |
| SecOpsO365ExcessiveAuthFailureAttempts | This detection is triggered when a user account makes an excessive number of authentication attempts with a failed status result in a short time window. | cloud.office365.management.azureactivedirectory |
| SecOpsO365DisableMFA | Adversaries may modify authentication mechanisms and processes to access user credentials, bypass authentication mechanisms, or enable otherwise unwarranted access to accounts. | cloud.office365.management.azureactivedirectory |
| SecOpsO365BypassMFAviaIP | This activity is not necessarily malicious. However, these events need to be followed closely. Attackers are known to use this technique to bypass the MFA system. | cloud.office365.management |
| SecOpsO365AddedServicePrincipal | This detection is triggered when new Service Principal credentials have been added in Azure. | cloud.office365.management.azureactivedirectory |
| SecOpsO365MailboxAuditBypass | Mailbox auditing is responsible for logging specified mailbox events. Attackers may attempt to bypass this mechanism to conceal the actions they take. | cloud.office365.management.exchange |
| SecOpsAzureDevOpsPATMisuse | This alert identifies specific actions that are not usually performed using a PAT. | cloud.azure.vm.unknown_events |
| SecOpsAzureDevOpsAuditDisabled | This alert identifies when a user has disabled an Azure audit stream within the Azure DevOps service. This could indicate that an attacker is trying to hide malicious activity. | cloud.azure.vm.unknown_events |
| SecOpsAzureHybridHealthADFSDelete | This alert identifies when a user has deleted an Azure AD Hybrid Health AD FS service instance. A malicious user could have been using a fake AD FS service to spoof AD FS signing logs and is deleting it since it is no longer needed. | cloud.azure.others.administrative |
| SecOpsAzureHybridHealthADFSNewServer | This alert identifies when a user has updated or created a server instance in an Azure AD Hybrid Health AD FS service. This should be checked since it could be undermining the security posture of the environment. | cloud.azure.others.administrative |
| SecOpsGSuiteDriveExternallyShared | Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. | cloud.gsuite.reports.drive |
| SecOpsWinSysInternalsActivityDetected | Checks for an accepted Sysinternals EULA in the registry key "HKCU\Software\Sysinternals\[TOOL]\". When a Sysinternals tool is first run on a system, the EULA must be accepted. This writes a value called EulaAccepted under that key. | box.all.win |
| SecOpsProxyLargeFileUpload | Identifies file uploads above 50 MB in size. Excessive file uploads may indicate exfiltration by an adversary or insider. The size threshold should be tuned per organization. | proxy.all.access |
| SecOpsWinUserAddedSelfToSecGroup | Identifies when a user account has added itself to a Windows security group. This could indicate a user attempting to escalate their privileges. | box.all.win |
| SecOpsWinSysTimeDiscovery | Detects use of various commands to query the system time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. | box.all.win |
| SecOpsWinSamStopped | Detects when the Windows Security Account Manager (SAM) is stopped via the command line. This is consistent with ransomware infections across a fleet of endpoints. | box.all.win |
| SecOpsWinRunasCommandExecution | Detects the use of the runas.exe process. Adversaries can abuse runas.exe to gain elevated privileges on the target host. | box.all.win |
| SecOpsWinDefenderDownloadActivity | Detects the use of Microsoft Defender to download files. | box.all.win |
| SecOpsWinCmstpNetworkConnectionDetected | Detects CMSTP.exe creating external connections. Actors can bypass application control defenses by leveraging CMSTP to download and execute DLLs or scripts from remote servers. | box.all.win |
| SecOpsAzureConditionalAccessPolicyUpdated | This alert identifies when a user has modified a conditional access policy. This should be checked since it could be undermining the security posture of the environment. | cloud.azure.eh.events |