Release 14 - Out-of-the-box alerts

| Detection name | Detection description | Devo table / Data source / Category | Update |
| --- | --- | --- | --- |
| SecOpsO365AuthExcessiveFailedLoginsSingleSource | Detects multiple failed authentications from a single IP address in Office 365. | auth.all | New alert |
| SecOpsAccountsCreatedRemovedWithinFourHours | Detects user accounts that are created and then deleted within a four-hour period. | box.all.win | Updated logic to prevent false positives using strict ordering |
| SecOpsAWSPublicS3BucketExposed | This alert filters PutBucketAcl CloudTrail events that come from the S3 service. It then extracts each URI and Permission pair from the raw event message and checks whether the URI is equal to http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers and whether the permission is READ, READ_ACP, WRITE, WRITE_ACP, or FULL_CONTROL. The alert triggers if any pair meets both criteria. Note that the alert only extracts the first five Permission and URI pairs of a message. | cloud.aws.cloudtrail | Updated logic to prevent false positives |
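The PutBucketAcl check described for SecOpsAWSPublicS3BucketExposed, written out as an added example that is not part of the Devo alert pack: it assumes the standard CloudTrail JSON layout (requestParameters.AccessControlPolicy.AccessControlList.Grant), uses a constructed sample event, and reproduces the alert's five-pair limit so that limit is visible.

```python
# Grantee URIs and permissions that the alert description treats as public exposure.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
EXPOSING_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
MAX_PAIRS = 5  # the alert only inspects the first five URI/Permission pairs


def extract_grants(event: dict) -> list:
    """Return (URI, Permission) pairs from a PutBucketAcl event.

    Assumes the usual CloudTrail layout requestParameters.AccessControlPolicy
    .AccessControlList.Grant; Grant is a list, or a single object when only
    one grant was supplied. Canonical-user grantees carry no URI and are skipped.
    """
    acl = event.get("requestParameters", {}).get("AccessControlPolicy", {})
    grants = acl.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):
        grants = [grants]
    pairs = []
    for grant in grants:
        uri, perm = grant.get("Grantee", {}).get("URI"), grant.get("Permission")
        if uri and perm:
            pairs.append((uri, perm))
    return pairs


def is_public_bucket_acl(event: dict) -> bool:
    """Fire only for S3 PutBucketAcl events with an exposing grant among the first five pairs."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return False
    return any(
        uri in PUBLIC_GRANTEE_URIS and perm in EXPOSING_PERMISSIONS
        for uri, perm in extract_grants(event)[:MAX_PAIRS]
    )


# Constructed sample event (not a real log): the owner keeps FULL_CONTROL and AllUsers gets READ.
SAMPLE_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "requestParameters": {
        "bucketName": "example-bucket",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        ]}},
    },
}
```

Because only the first five pairs are inspected, an exposing grant listed sixth or later in the ACL is not flagged, so grant ordering affects coverage.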
