Release 7 - Out-of-the-box-alerts
We have finally hit 400 detections! Thanks to the help of our SciSec team, we have released 17 new out-of-the-box detections, mostly for Linux. This release brings more detections through the Devo Security Operations Content Stream. Monitoring Linux is extremely important for our customers: Linux runs most cloud VMs, most developer workstations, and most supercomputers around the world. SciSec understands this, and that is why we have created this release. Not only does it put us over 400 detections, with a total of 402, but it also improves our inventory of Linux detections.
We also applied our alert-tuning process this release and took a look at one of our “noisier” alerts. The details are provided below.
Devo is committed to providing high-quality alerts for all customers' environments. We will continue to deliver these out-of-the-box detections in the next release, focusing on a variety of technologies, including IDS and EDR.
All new and modified alerts in Release 7 are listed in the tables below.
Alert analyzed:
| Detection name | Changes made |
|---|---|
| SecOpsVNCPortOpen | Updated to the newest alert template and reduced the alerting threshold |
Details on the new detections released can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| SecOpsAzureConditionalAccessPolicyUpdated | Identifies when a user has modified a conditional access policy. This should be checked, since it could undermine the security posture of the environment. | cloud.azure.eh.events |
| SecOpsLinuxAddFilestoCrontabDir | Detects potentially suspicious file creation in cron table directories. | box.unix |
| SecOpsLinuxBashShellProfileMod | Detects modifications to a bash shell profile. Bash shell profiles can be modified to execute malicious scripts on machine reboot or whenever a user logs into the machine. | box.unix |
| SecOpsLinuxMaxSessionsPerUser | Detects when a user reaches the maximum number of login sessions. | box.unix |
| SecOpsLinuxFileCreateProfile | Detects file creation in the /etc/profile.d directory. Files created here can automatically execute scripts when the machine boots. | box.unix |
| SecOpsLinuxDoasConfigCreate | Detects creation of the doas.conf file on a Linux host. This file enables the doas utility, which permits users to execute commands as other accounts. | box.unix |
| SecOpsLinuxInitDaemonDeletion | Detects deletion of an init daemon script on Linux. Deleting daemon scripts could be used to disable security features on a Linux machine. | box.unix |
| SecOpsLinuxFileDDOverwrite | Detects the dd command being used to overwrite a file. dd is a powerful tool that can be abused for data destruction and could render data irrecoverable. | box.unix |
| SecOpsLinuxAppendCronjobEntry | Detects appends to existing cronjob files. | box.unix |
| SecOpsLinuxStrangeProcessExec | Detects process execution from a temporary folder. | box.unix |
| SecOpsLinuxFileOwnerNowRoot | Detects a file's owner being changed to root using the chown command. | box.unix |
| SecOpsLinuxInstallKernelModprobe | Detects installation of a Linux kernel module using the modprobe utility. | box.unix |
| SecOpsLinuxDeletionofSslCert | Detects deletion of an SSL certificate on a Linux host. Deletion of an SSL certificate could indicate a compromised Linux machine. | box.unix |
| SecOpsLinuxIrregularLogin | Detects an attempted login at a forbidden time. | box.unix |
| SecOpsLinuxHiddenFilesCreated | Detects creation of files or folders whose names begin with "." or "/." by a user. This could indicate an attacker attempting to hide files on the system, since such files are easily overlooked. | box.unix |
| SecOpsLinuxSetuidUsingChmod | Detects execution of the chmod utility to enable the setuid bit. This bit allows a user to run the file with the privileges of its owner. | box.unix |
| SecOpsLinuxSvcEnabled | Detects services being enabled on Linux. It is important to check who created the service and the service path, since an administrator could create a legitimate service that triggers this detection. | box.unix |
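To illustrate what five of the Linux detections above look for, here is an added example (not Devo's own alert logic, and not the box.unix schema) that runs simplified versions of the SecOpsLinuxHiddenFilesCreated, SecOpsLinuxSetuidUsingChmod, SecOpsLinuxFileDDOverwrite, SecOpsLinuxFileCreateProfile and SecOpsLinuxAddFilestoCrontabDir rules over constructed process-execution events in an assumed `user|cwd|command` line format.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Event:
    user: str
    cwd: str
    command: str


def parse(line: str) -> Event:
    """Parse one constructed 'user|cwd|command' line (assumed format) into an Event."""
    user, cwd, command = line.split("|", 2)
    return Event(user, cwd, command)


# Each rule pairs a detection name from the release table with a simplified
# predicate on the executed command. The regexes are this example's own
# approximation of the described behaviour, not the logic shipped in Devo.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # file/dir created whose basename starts with "." (or a "/." path component)
    ("SecOpsLinuxHiddenFilesCreated",
     lambda e: re.match(r"^(?:touch|mkdir)\s+(?:\S*/)?\.[^/\s]", e.command) is not None),
    # chmod enabling setuid: symbolic u+s / +s, or an octal mode with the 4 bit set
    ("SecOpsLinuxSetuidUsingChmod",
     lambda e: re.match(r"^chmod\s+(?:[ua]\S*\+\S*s\S*|\+s|[4-7][0-7]{3})\s", e.command) is not None),
    # dd writing to a regular file path rather than a device node
    ("SecOpsLinuxFileDDOverwrite",
     lambda e: re.match(r"^dd\b.*\bof=(?!/dev/)\S+", e.command) is not None),
    # a new file dropped into /etc/profile.d (runs at login/boot)
    ("SecOpsLinuxFileCreateProfile",
     lambda e: re.match(r"^(?:touch|cp|mv|tee)\b.*\s/etc/profile\.d/\S+", e.command) is not None),
    # a new file dropped into a cron table directory
    ("SecOpsLinuxAddFilestoCrontabDir",
     lambda e: re.match(r"^(?:touch|cp|mv|tee)\b.*\s(?:/etc/cron\.[a-z]+/|/var/spool/cron/)\S+",
                        e.command) is not None),
]


def run_rules(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (detection, user, command) for every rule that fires on each event."""
    hits = []
    for line in lines:
        ev = parse(line)
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev.user, ev.command))
    return hits


# Constructed sample events (not real box.unix data); the two benign lines should not fire.
SAMPLE_EVENTS = [
    "alice|/home/alice|touch .ssh_backup",
    "root|/root|chmod u+s /usr/local/bin/helper",
    "bob|/tmp|dd if=/dev/zero of=/var/log/auth.log bs=1M",
    "root|/etc/profile.d|cp /tmp/x.sh /etc/profile.d/x.sh",
    "alice|/home/alice|ls -la",
    "root|/etc/cron.d|touch /etc/cron.d/backup",
    "carol|/opt|chmod 4755 /opt/tool",
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```

Running the block prints six hits, one per suspicious line; `chmod 2755` (setgid only) and `dd` writing to a device node are deliberately not flagged, mirroring the narrower descriptions in the table.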