
Release 14 - Out-of-the-box alerts

Each entry below gives the detection name, its description, the Devo table it reads (data source / category), and the update made to it in this release.

Detection name: SecOpsO365AuthExcessiveFailedLoginsSingleSource
Description: Detects multiple failed authentications from a single source IP in Office 365.
Devo table / Data source / Category: auth.all
Update: New alert

Detection name: SecOpsAccountsCreatedRemovedWithinFourHours
Description: Detects user accounts that are created and then deleted within a four-hour period.
Devo table / Data source / Category: box.all.win
Update: Logic updated to require strict ordering (the deletion must follow the creation), which removes the false positives raised when an account was deleted and later re-created within the window.
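The effect of strict ordering, shown as an added example that is not Devo's alert logic. It correlates constructed Windows Security events (event ID 4720 for account creation, 4726 for deletion; the field names are assumptions, not box.all.win column names) and contrasts the unordered pairing with the ordered one. The account svc_backup is deleted and re-created 90 minutes later: the unordered check flags it, the strict check does not.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)
EVENT_USER_CREATED = 4720   # Windows Security: "A user account was created"
EVENT_USER_DELETED = 4726   # Windows Security: "A user account was deleted"

# Constructed sample events (not real logs). Only the fields the rule needs are
# kept; the field names are assumptions, not Devo's box.all.win column names.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4726, "target": "svc_backup"},  # old copy removed
    {"time": "2024-05-01T10:30:00", "event_id": 4720, "target": "svc_backup"},  # re-created 1.5 h later
    {"time": "2024-05-01T11:00:00", "event_id": 4720, "target": "tmp_admin"},   # created ...
    {"time": "2024-05-01T13:45:00", "event_id": 4726, "target": "tmp_admin"},   # ... and gone 2 h 45 m later
    {"time": "2024-05-01T14:00:00", "event_id": 4720, "target": "jdoe"},
    {"time": "2024-05-02T08:00:00", "event_id": 4726, "target": "jdoe"},        # 18 h later, outside window
]


def _timestamps_by_account(events, event_id):
    """Map account name -> list of datetimes at which `event_id` was logged for it."""
    out = {}
    for ev in events:
        if ev["event_id"] == event_id:
            out.setdefault(ev["target"], []).append(datetime.fromisoformat(ev["time"]))
    return out


def unordered_matches(events, window=WINDOW):
    """Pre-fix behaviour: pair a creation and a deletion of the same account whenever
    the two timestamps are within `window` of each other, in either order."""
    created = _timestamps_by_account(events, EVENT_USER_CREATED)
    deleted = _timestamps_by_account(events, EVENT_USER_DELETED)
    hits = set()
    for account, creates in created.items():
        for c in creates:
            for d in deleted.get(account, []):
                if abs(d - c) <= window:
                    hits.add(account)
    return sorted(hits)


def strict_matches(events, window=WINDOW):
    """Strict ordering: the deletion must happen after the creation and no more than
    `window` later. A delete-then-recreate sequence no longer pairs up."""
    created = _timestamps_by_account(events, EVENT_USER_CREATED)
    deleted = _timestamps_by_account(events, EVENT_USER_DELETED)
    hits = set()
    for account, creates in created.items():
        for c in creates:
            for d in deleted.get(account, []):
                if c < d <= c + window:
                    hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    print("unordered:", unordered_matches(SAMPLE_EVENTS))  # ['svc_backup', 'tmp_admin']
    print("strict:   ", strict_matches(SAMPLE_EVENTS))     # ['tmp_admin']
```

Only tmp_admin survives the strict check; the re-created svc_backup is the false positive the update removes, and jdoe falls outside the four-hour window under both versions.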

Detection name: SecOpsAWSPublicS3BucketExposed
Description: Filters PutBucketAcl CloudTrail events that come from the S3 service and extracts each URI/Permission pair from the raw event message. A pair matches when the URI is http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers and the permission is READ, READ_ACP, WRITE, WRITE_ACP, or FULL_CONTROL. The alert triggers if any pair meets both criteria. Note that only the first five URI/Permission pairs of a message are extracted, so a public grant beyond the fifth entry in the ACL is not seen.
Devo table / Data source / Category: cloud.aws.cloudtrail
Update: Logic updated to prevent false positives
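The same check carried out over structured CloudTrail records, as an added example that is not Devo's alert logic. The records are constructed; the field layout (requestParameters.AccessControlPolicy.AccessControlList.Grant with Grantee.URI and Permission) is an assumption based on how CloudTrail logs the S3 ACL body, and the example goes beyond the page's rule in two ways: it walks every grant rather than the first five, and it adds a check for canned ACLs sent as an x-amz-acl header (header name assumed), which carry no URI/Permission pair and are therefore invisible to a grant-only rule.

```python
import json

# Grantee groups that expose the bucket to everyone (AllUsers) or to any AWS
# account holder (AuthenticatedUsers), as named in the alert description.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}

# Constructed sample CloudTrail records, not real data. The AccessControlPolicy
# layout is an assumption about how CloudTrail renders the S3 ACL XML as JSON;
# note that a single <Grant> shows up as an object rather than a one-item list.
SAMPLE_RECORDS = json.loads(r"""
{"Records": [
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
  "requestParameters": {"bucketName": "corp-reports",
   "AccessControlPolicy": {"AccessControlList": {"Grant": [
     {"Grantee": {"xsi:type": "CanonicalUser", "ID": "c0ffee"}, "Permission": "FULL_CONTROL"},
     {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
      "Permission": "READ"}]}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
  "requestParameters": {"bucketName": "private-logs",
   "AccessControlPolicy": {"AccessControlList": {"Grant":
     {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
      "Permission": "WRITE"}}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
  "requestParameters": {"bucketName": "uploads",
   "AccessControlPolicy": {"AccessControlList": {"Grant": [
     {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
      "Permission": "WRITE_ACP"}]}}}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "PutBucketAcl",
  "requestParameters": {"bucketName": "decoy"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
  "requestParameters": {"bucketName": "via-canned-acl", "x-amz-acl": ["public-read"]}}
]}
""")["Records"]


def is_s3_put_bucket_acl(record):
    """First filter of the rule: PutBucketAcl events raised by the S3 service."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") == "PutBucketAcl")


def iter_grants(record):
    """Yield (grantee_uri, permission) for every Grant in the logged ACL body.
    Non-group grantees (canonical users, e-mail) have no URI and yield None."""
    params = record.get("requestParameters") or {}
    grants = (params.get("AccessControlPolicy") or {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):      # single Grant rendered as an object
        grants = [grants]
    for grant in grants:
        grantee = grant.get("Grantee") or {}
        yield grantee.get("URI"), grant.get("Permission")


def find_public_acl_grants(records):
    """Return (bucket, grantee_uri, permission) for every grant that hands one of the
    public groups a risky permission. Unlike the page's rule, all grants are checked."""
    hits = []
    for rec in records:
        if not is_s3_put_bucket_acl(rec):
            continue
        bucket = rec["requestParameters"].get("bucketName")
        for uri, perm in iter_grants(rec):
            if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
                hits.append((bucket, uri, perm))
    return hits


def find_public_canned_acls(records):
    """Blind spot of a grant-only rule: a canned ACL travels as an x-amz-acl request
    header (assumed field name) and produces no URI/Permission pair at all."""
    hits = []
    for rec in records:
        if not is_s3_put_bucket_acl(rec):
            continue
        params = rec.get("requestParameters") or {}
        canned = params.get("x-amz-acl") or []
        if isinstance(canned, str):
            canned = [canned]
        for acl in canned:
            if acl in PUBLIC_CANNED_ACLS:
                hits.append((params.get("bucketName"), acl))
    return hits


if __name__ == "__main__":
    print(find_public_acl_grants(SAMPLE_RECORDS))   # corp-reports (AllUsers READ), uploads (AuthenticatedUsers WRITE_ACP)
    print(find_public_canned_acls(SAMPLE_RECORDS))  # via-canned-acl (public-read)
```

The LogDelivery group and the canonical-user FULL_CONTROL grant are correctly left alone, the non-S3 record is filtered out before parsing, and the canned-ACL record shows why a practitioner may want a second condition beside the grant check.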