Document toolboxDocument toolbox

Release 18 - Out-of-the-box alerts

Owned by Juan Tomás Alonso Nieto (Deactivated)
Feb 12, 2024
1 min read

Detection name

Detection description

Devo table / Data source / Category

Update 

SecOpsActivityAnonymousIPAddressesO365

This alert shows a anonymous IP detection made by MCAS

cloud.office365.siem_agent

Alert Logic Update 

SecOpsLinuxFileCreateProfile

Detects file creation in /etc/profile.d directory. Files created here can automatically execute scripts on the boot up of the machine.

Box.unix 

Alert Logic Update 

SecOpsPanAuthExcessiveFailedLoginIP

Detects excessive Palo Alto firewall authentication failures for a single IP within a short period of time.

 

firewall.paloalto.system

Fixed field naming 

SecOpsAuthPasswordSprayHost

Detects failed login attempts from a single host to two or more accounts in ten minutes. The account number threshold and time threshold should be adjusted to suit organizational needs.

Auth.all 

New Alert

SecOpsLogRelatedFileAccessAttempt

A log related file is stored in a directory or archive that is made accessible to unauthorized actors.

web.all.access

Alert Logic UpdatedÂ