Release 21 - Out-of-the-box alerts

| Detection name | Detection description | Devo table / Data source / Category | Updates |
|---|---|---|---|
| SecOpsAccountsCreatedRemovedWithinFourHours | Detects user accounts that are created and then deleted within a four-hour period. | | Updated alert logic to reduce false positives |
| SecOpsFWRDPTrafficUnauthorized | Detects RDP traffic to hosts that are not on an allow list. | | Removed an installation dependency |
| SecOpsO365OneDriveDownload | Detects a high volume of OneDrive activity. | | New alert |
| SecOpsLinuxSuspciousExecutionCommand | Detects commands commonly associated with malware or hacking activity. | | Updated to reduce false positives |
| SecOpsCDHuntFWdstIpIsPossibleIoc | Looks for Collective Defense indicator matches against destination IPs in firewall data. | | Field naming updates |
| SecOpsFWIcmpExcessivePackets | ICMP packets are typically very small, so this alert detects ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate command-and-control traffic or data exfiltration. | | Field naming updates |
| SecOpsFWTrafficOnUnassignedLowPort | Identifies traffic on a port below 1024 that is not assigned by IANA. Such ports are rarely used by legitimate services, so traffic on them may indicate malicious activity. | | Field naming updates |
| SecOpsVNCPortOpen | Identifies connections to the default VNC port (TCP 5900). | | Field naming updates |
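The table gives only one-line descriptions, so the matching logic behind several of these alerts is shown below as an added example. This is not Devo's or the SecOps application's own alert code, and it does not use Devo's query language; it is a plain Python rendering of the stated conditions, run over constructed sample events. Assumptions not taken from the page: Windows Security event IDs 4720 (account created) and 4726 (account deleted) stand in for the create/delete events, the account and firewall records are made up, the RDP allow list, ICMP size threshold and the `ignore_actors` tuning knob are illustrative, and the IANA-assigned port set is a hand-picked subset rather than the full registry.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)   # the "four hours" in SecOpsAccountsCreatedRemovedWithinFourHours

# --- SecOpsAccountsCreatedRemovedWithinFourHours ------------------------------
# Constructed events (not real log data): (timestamp, event_id, target account, actor).
# 4720 = user account created, 4726 = user account deleted (Windows Security log).
ACCOUNT_EVENTS = [
    ("2024-03-01T08:00:00", 4720, "svc-backup", "admin1"),
    ("2024-03-01T09:30:00", 4726, "svc-backup", "admin1"),   # deleted 1.5 h later -> alert
    ("2024-03-01T10:00:00", 4720, "jdoe", "hr-prov"),
    ("2024-03-01T16:00:00", 4726, "jdoe", "hr-prov"),        # 6 h later -> outside the window
    ("2024-03-01T11:00:00", 4726, "ghost", "admin2"),        # delete with no create in scope
    ("2024-03-01T12:05:00", 4726, "tmp-acct", "admin2"),     # delivered before its create (out of order)
    ("2024-03-01T12:00:00", 4720, "tmp-acct", "admin2"),
    ("2024-03-01T13:00:00", 4720, "tmp-acct", "admin2"),     # account recreated
    ("2024-03-01T20:00:00", 4726, "tmp-acct", "admin2"),     # 7 h after the second create -> no alert
]


def short_lived_accounts(events, window=WINDOW, ignore_actors=frozenset()):
    """Return (account, created, deleted, minutes, actor) for each account deleted
    within `window` of its most recent creation.

    Events are sorted by timestamp first so out-of-order delivery cannot hide a
    match. A delete with no preceding create in scope is ignored rather than
    alerted. `ignore_actors` is an assumed tuning knob: excluding the account
    used by known provisioning automation is one way to reduce false positives
    without shrinking the window.
    """
    ordered = sorted(events, key=lambda e: e[0])
    last_create = {}   # account -> (created_at, creator) of the latest unmatched 4720
    hits = []
    for ts, event_id, account, actor in ordered:
        when = datetime.fromisoformat(ts)
        if event_id == 4720:
            last_create[account] = (when, actor)           # a recreate restarts the clock
        elif event_id == 4726 and account in last_create:
            created_at, _creator = last_create.pop(account)
            if when - created_at <= window and actor not in ignore_actors:
                minutes = int((when - created_at).total_seconds() // 60)
                hits.append((account, created_at.isoformat(), when.isoformat(), minutes, actor))
    return hits


# --- Stateless firewall checks: SecOpsFWRDPTrafficUnauthorized, SecOpsVNCPortOpen,
#     SecOpsFWTrafficOnUnassignedLowPort, SecOpsFWIcmpExcessivePackets ----------
# Constructed firewall records: (src, dst, proto, dst_port, bytes).
FW_RECORDS = [
    ("10.1.1.5", "10.2.0.10",   "tcp",  3389,  4200),   # RDP to the allow-listed jump host
    ("10.1.1.5", "10.2.0.44",   "tcp",  3389,  4200),   # RDP to a host not on the allow list
    ("10.1.1.9", "10.2.0.44",   "tcp",  5900,   900),   # default VNC port
    ("10.1.1.9", "10.2.0.50",   "tcp",    26,   300),   # low port, unassigned by IANA
    ("10.1.1.9", "10.2.0.50",   "tcp",   443, 12000),   # assigned low port -> no finding
    ("10.1.1.7", "8.8.8.8",     "icmp",    0,    64),   # ordinary ping-sized packet
    ("10.1.1.7", "203.0.113.9", "icmp",    0, 65000),   # oversized ICMP
]

RDP_ALLOWED_DESTS = {"10.2.0.10"}   # assumed allow list of hosts that may receive RDP
ICMP_MAX_BYTES = 1024               # assumed threshold; tune to the environment's baseline
# Constructed subset of IANA-assigned ports below 1024. A real deployment must load the
# full IANA registry; anything missing from this list would otherwise fire the alert.
ASSIGNED_LOW_PORTS = {22, 25, 53, 80, 88, 123, 135, 139, 389, 443, 445, 514, 636, 993, 995}


def firewall_findings(records, rdp_allowed=RDP_ALLOWED_DESTS, icmp_max=ICMP_MAX_BYTES,
                      assigned=ASSIGNED_LOW_PORTS):
    """Apply the four per-record conditions and return (alert name, src, dst) tuples.
    One record can produce more than one finding."""
    findings = []
    for src, dst, proto, port, nbytes in records:
        if proto == "tcp" and port == 3389 and dst not in rdp_allowed:
            findings.append(("SecOpsFWRDPTrafficUnauthorized", src, dst))
        if proto == "tcp" and port == 5900:
            findings.append(("SecOpsVNCPortOpen", src, dst))
        if proto == "tcp" and port < 1024 and port not in assigned:
            findings.append(("SecOpsFWTrafficOnUnassignedLowPort", src, dst))
        if proto == "icmp" and nbytes > icmp_max:
            findings.append(("SecOpsFWIcmpExcessivePackets", src, dst))
    return findings


if __name__ == "__main__":
    for hit in short_lived_accounts(ACCOUNT_EVENTS):
        print("short-lived account:", hit)
    for finding in firewall_findings(FW_RECORDS):
        print("firewall finding:", finding)
```

The account check is the only stateful one: it has to pair a delete with the right create, so it sorts by time, lets a recreate reset the clock, and drops deletes whose create fell outside the data. The firewall checks are independent per-record predicates, which is why allow-list and threshold tuning (rather than correlation) is where their false-positive rate is controlled.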