
Release 15 - Out-of-the-box alerts

| Detection name | Detection description | Devo table / Data source / Category | Update |
|---|---|---|---|
| SecOpsVNCPortOpen | Used to identify the default port for VNC connections. | firewall.all.traffic | Logic updated |
| SecOpsFWIpScanInternal | Detects when a single internal IP is scanning other internal IPs using a different port for each scan attempt. This is a low-and-slow technique intended to avoid triggering traditional port scan and port sweep alerts. | firewall.all.traffic | Updated to be viewable in Data Search |
| SecOpsFwTftpOutboundTraffic | Detects TFTP to an external network address. TFTP is rarely used externally and has been observed as a means to stage data remotely for exfiltration. | firewall.all.traffic | New Alert |
| SecOpsProxyHighRiskFileExtension | Detects users downloading high-risk files via requests without hostnames or referrers. Most legitimate downloads will have a valid hostname and referrer. | proxy.all.access | New Alert |
| SecOpsLinuxHiddenFilesCreated | Detects creation of files or folders that begin with "." or "/." by a user. This could indicate an attacker attempting to hide files on the system that are easily overlooked. [NOTICE] Requires the auditing of 'execve'. | box.unix | Requires the auditing of 'execve'. |
| SecOpsOutboundTrafficToDeviceFlaggedAsThreat | A record flagged a destination host matching a threat intelligence match list. | proxy.all.access | Fixed field naming |
| SecOpsAccountsCreatedRemovedWithinFourHours | Detects user accounts that are created and deleted within a four-hour period. | box.all.win | Updated alert logic |
| SecOpsBlackByteRansomwareRegistryChanges | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Microsoft-Windows-Sysmon required. | box.all.win | Updated alert logic |
| SecOpsBlackByteRansomwareRegChangesPowershell | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win | Alert logic updated |
| SecOpsWinSensitiveFiles | Detects a new process which involves a Windows local system sensitive file. | box.all.win | Alert logic updated |
| SecOpsPassTheHashActivityLoginBehaviour | | box.all.win | Alert logic updated |
| SecOpsWinOfficeBrowserLaunchingShell | Detects a shell launched by an Office product or browser that should not be spawning shell processes. Attackers may inject code into Office documents or abuse Windows utilities to spawn shells that will execute malicious commands. | box.all.win | Alert logic updated |
| SecOpsAnonymousConnection | Control over the navigation of the users and systems of the networks is considered essential to avoid risks. Access to anonymous navigation networks must be monitored. | firewall.all.traffic | Alert logic updated |