
Release 20 - Out-of-the-box alerts

Our December release improves our library for multiple technologies. We used various research and pen-testing techniques to help close some gaps in coverage, so these alert improvements are extra important to have in your library. These are the MITRE ATT&CK tactics whose coverage we have improved:

  • Discovery

  • Credential Access

  • Exfiltration

  • Command and Control

Install these alerts today! Also, feel free to install the MITRE Attack Advisor App from Devo Exchange to ensure that your company is properly covered.

For our next release, we will continue to improve alerts and cover more techniques to help your company stay protected.

| Detection name | Detection description | Devo table / Data source / Category | Changes made |
| --- | --- | --- | --- |
| SecOpsAwsCloudTrailReconEvent | Analytical detection of reconnaissance-type behavior from AWS CloudTrail logs. | cloud.aws.cloudtrail | Fixed column references and cleaned up the query to simplify it. |
| SecOpsActivityAnonymousIPAddressesO365 | Shows an anonymous IP detection made by MCAS. | cloud.office365.siem_agent_alert | Minor changes. |
| SecOpsWinMimikatzLsadump | An adversary may attempt to dump credentials to obtain account login and credential material in the form of hashes or clear-text passwords. | box.all.win | Improved filtering in the query to cover more cases. |
| SecOpsWinLsassMemDump | Detects an attempt to access LSASS using Mimikatz and/or a possible Mimikatz driver load. | box.all.win | Improved filtering in the query to cover more cases. |
| SecOpsFWTrafficForeignDestination | Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes. | firewall.all.traffic | Fixed dependencies. |
| SecOpsFWEmbargoedCountryOutboundTrafficDetected | Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes. | firewall.all.traffic | Fixed dependencies. |
| SecOpsFWEmbargoedCountryInboundTrafficDetected | Detects inbound traffic sent to an embargoed country. The lookup table SecOpsEmbargoCountries should be modified to fit the organization's needs. | firewall.all.traffic | Fixed dependencies. |
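Added example, not part of these release notes or of the alerts' own Devo queries: a Python model of the lookup-driven country checks behind the three firewall.all.traffic alerts above, run over constructed traffic records. The field names, the lookup contents, and the choice to match inbound traffic on its source country are assumptions; the example also shows why a record with no geolocated country should still surface rather than be treated as expected.

```python
# Constructed lookup tables. In Devo the user populates these (the inbound alert
# reads the SecOpsEmbargoCountries lookup); the codes below are illustrative.
EXPECTED_COUNTRIES = {"US", "CA"}   # home/domestic/expected destinations
EMBARGOED_COUNTRIES = {"KP", "SY"}  # hypothetical SecOpsEmbargoCountries rows

# Constructed firewall.all.traffic-like records (field names are assumptions).
SAMPLE_TRAFFIC = [
    {"direction": "outbound", "srcIp": "10.0.0.5", "dstIp": "203.0.113.10",
     "srcCountry": "US", "dstCountry": "US"},
    {"direction": "outbound", "srcIp": "10.0.0.5", "dstIp": "198.51.100.7",
     "srcCountry": "US", "dstCountry": "DE"},
    {"direction": "outbound", "srcIp": "10.0.0.9", "dstIp": "192.0.2.44",
     "srcCountry": "US", "dstCountry": "KP"},
    {"direction": "inbound", "srcIp": "192.0.2.80", "dstIp": "10.0.0.9",
     "srcCountry": "SY", "dstCountry": "US"},
    {"direction": "inbound", "srcIp": "198.51.100.2", "dstIp": "10.0.0.9",
     "srcCountry": "GB", "dstCountry": "US"},
    # Geolocation failed: no destination country at all.
    {"direction": "outbound", "srcIp": "10.0.0.5", "dstIp": "203.0.113.99",
     "srcCountry": "US", "dstCountry": None},
]


def evaluate(events, expected=EXPECTED_COUNTRIES, embargoed=EMBARGOED_COUNTRIES):
    """Return (rule, peer_ip, country) tuples for every record that would fire.

    A missing country is normalised to "UNKNOWN", which is never in the expected
    lookup, so un-geolocated outbound flows raise the foreign-destination rule
    instead of silently passing.
    """
    alerts = []
    for e in events:
        dst = (e.get("dstCountry") or "UNKNOWN").upper()
        src = (e.get("srcCountry") or "UNKNOWN").upper()
        if e.get("direction") == "outbound":
            if dst not in expected:
                alerts.append(("SecOpsFWTrafficForeignDestination", e["dstIp"], dst))
            if dst in embargoed:
                alerts.append(("SecOpsFWEmbargoedCountryOutboundTrafficDetected",
                               e["dstIp"], dst))
        elif e.get("direction") == "inbound" and src in embargoed:
            alerts.append(("SecOpsFWEmbargoedCountryInboundTrafficDetected",
                           e["srcIp"], src))
    return alerts


if __name__ == "__main__":
    for rule, ip, cc in evaluate(SAMPLE_TRAFFIC):
        print(f"{rule}: {ip} ({cc})")
```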