Release 9 - Out-of-the-box alerts
This latest release adds more alerts across several technologies, for a total of 15 new detections covering Windows, Office 365, and Endpoint Detection and Response (EDR), the latest technology to be covered.
Endpoints can cause quite the headache for SOC analysts when they are involved in an incident: they communicate with many important assets within a company, can be used as a foothold for all sorts of attacks, and often store the company's most restricted data.
In upcoming releases we will continue to take a closer look at some of our noisier alerts and tune them to reduce false positives and improve performance. We also plan to expand our EDR detections and to work through use cases provided by our customers.
We urge you to continue to reach out with any questions, thoughts, or concerns about our detections. We love getting feedback, and this flow of information helps us create detections and security content that improve your SOC and the product as a whole.
Alerts analyzed/updated:
| Detection name | Changes made |
|---|---|
| SecOpsWinWmiExecVbsScript | Updated the alert with an enhanced detection condition. |
| SecOpsWinWmiScriptExecution | Fixed an error where the entity source IP was not properly mapped. |
Details on the new detections released can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| SecOpsBroRdpBruteForceSuccessHydraNcrack | Detects a successful RDP connection made via the Hydra or Ncrack brute-force tools. | ids.bro.rdp |
| SecOpsBroWinLsatUserEnumeration | Detects actors using the MS-LSAT Remote protocol to map security identifiers (SIDs) to user accounts. | ids.bro.dce_rpc |
| SecOpsBroWinDceRpceServiceCall | Detects the creation or deletion of services via RPC remote administration. Actors may create or delete services to establish a stronger foothold once inside a network. | ids.bro.dce_rpc |
| SecOpsBroWinDceRpcSamrEnumeration | Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (SAMR). | ids.bro.dce_rpc |
| SecOpsBroSmbFirstSeenShare | Detects the first SMB share seen for an entity. Adversaries may use SMB shares to transport files; while not inherently malicious, this event should be reviewed for legitimacy. | ids.bro.notice |
| SecOpsBroSshInteresingHostNameLogin | Detects SSH logins involving interesting host names. See the Bro/Zeek reference for context on what counts as an interesting hostname. | ids.bro.notice |
| SecOpsBroHttpRequestSingleHeader | Detects HTTP requests that contain only a single header. | ids.bro.http |
| SecOpsBroSelfSignedCert | Detects servers responding on SSL or TLS services with self-signed certificates. | ids.bro.ssl |
| SecOpsWinMemoryCorruptionVulnerability | Detects exploitation of the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which allows remote code execution. | box.all.win |
| SecOpsWinFakeProcesses | Detects known Windows processes executing outside their standard directories. Malware authors often use masquerading to hide malicious executables behind legitimate Windows executable names. | box.all.win |
| SecOpsWinDnsExeParentProcess | Detects the DNS.EXE program spawning other processes. | box.all.win |
| SecOpsLinuxNOPASSWDSudoers | Detects suspicious command lines that may add an entry with the NOPASSWD attribute to /etc/sudoers on Linux platforms. Requires auditd to be installed and configured. | box.unix |
| SecOpsEDRCrowdStrikeOverwatchNotification | Falcon OverWatch has identified suspicious activity. This is raised for your awareness and should be investigated as normal. | edr.crowdstrike.falcon |
| SecOpsEDRCylanceScoreUnsafe | An unsafe file is one whose attributes greatly resemble malware. | edr.cylance.threats |
| SecOpsO365PSTExportAlert | Triggered when a user has performed an eDiscovery search or exported a PST file containing sensitive information. | cloud.office365.management |
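As an added illustration of the masquerading check behind an alert like SecOpsWinFakeProcesses (example code written for these notes, not Devo's own alert logic), the snippet below flags process-creation events whose image name is a well-known Windows binary but whose parent directory is not one it is expected to run from. The allowlist of process names and directories and the sample events are constructed for the example.

```python
# Added example (not Devo's alert logic): a minimal version of the
# "known process outside its standard directory" check behind a
# masquerading alert such as SecOpsWinFakeProcesses. Process names and
# directories below are a constructed, illustrative allowlist.
from pathlib import PureWindowsPath

# Expected parent directories for well-known Windows binaries (assumed list).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "csrss.exe": {r"c:\windows\system32"},
}


def normalize(image_path: str) -> PureWindowsPath:
    """Lower-case the path and unify separators so the comparison is not
    fooled by mixed case or forward slashes in the logged image path."""
    return PureWindowsPath(image_path.strip().replace("/", "\\").lower())


def is_masquerading(image_path: str) -> bool:
    """True when the file name is a tracked Windows binary but its parent
    directory is not one of the directories it is expected to run from."""
    path = normalize(image_path)
    allowed = EXPECTED_DIRS.get(path.name)
    if allowed is None:
        return False  # not a name we track; other names are out of scope here
    return str(path.parent) not in allowed


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 102, "image": r"C:\Users\Public\svchost.exe"},
    {"pid": 103, "image": "c:/windows/explorer.exe"},
    {"pid": 104, "image": r"C:\Temp\explorer.exe"},
    {"pid": 105, "image": r"C:\Program Files\Vendor\tool.exe"},
]


def flag_events(events):
    """Return the pids of events whose image path looks like masquerading."""
    return [e["pid"] for e in events if is_masquerading(e["image"])]


if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))  # → [102, 104]
```

In production the allowlist would be built from the organisation's gold images, and matches should be reviewed rather than auto-blocked, since legitimate software occasionally ships renamed system binaries.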