
Release 23 - Out-of-the-box alerts

We're pleased to announce the latest updates and additions to our out-of-the-box alerts with Release 23. This release refines the logic of several existing alerts, improves their summaries, and introduces new alerts to support your security operations.

Improved alerts

  • SecOpsWinUserAddedToLocalSecurityEnabledGroup

    • Enhanced alert logic for detecting user additions to local security-enabled groups on Windows systems.

    • Improved summary for better understanding and faster response.

  • SecOpsLinuxIrregularLoginSsh

    • Updated alert logic to identify irregular login activities via SSH on Linux systems.

    • Refined summaries to provide clearer insights into potential security threats.

  • SecOpsO365AuthExcessiveFailedLoginsSingleSource

    • Updated the mmcity IP-geolocation operation used by the Office 365 alert for excessive failed logins from a single source.

    • Streamlined summaries to facilitate quicker identification of suspicious activities.

  • SecOpsO365ImpossibleTravel

    • Revised alert logic for Office 365 impossible travel scenarios.

    • Updated the mmcity IP-geolocation operation so that login locations are resolved more accurately.

    • Enhanced summaries to highlight impossible travel incidents effectively.
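The impossible-travel logic described above (two successful logins by one user from geographically different locations within an hour) as a runnable check over constructed sign-in records. This is an added example, not the alert's own query: it assumes each login has already been geolocated to a city with coordinates (the enrichment the mmcity operation provides in Devo), and the 500 km "different location" threshold and the field names are assumptions of the example.

```python
"""Impossible-travel check over Office 365 sign-in events (added example).

Assumes each successful sign-in has already been geolocated; in Devo that is
what the mmcity enrichment supplies, so here the city and coordinates are
embedded directly in the constructed sample records.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed sample: successful logins, already enriched with city and coordinates.
LOGINS = [
    {"user": "alice@example.com", "ts": "2024-05-01T09:00:00", "city": "Madrid", "lat": 40.42, "lon": -3.70},
    {"user": "alice@example.com", "ts": "2024-05-01T09:40:00", "city": "New York", "lat": 40.71, "lon": -74.01},
    {"user": "bob@example.com", "ts": "2024-05-01T10:00:00", "city": "Madrid", "lat": 40.42, "lon": -3.70},
    {"user": "bob@example.com", "ts": "2024-05-01T10:30:00", "city": "Madrid", "lat": 40.42, "lon": -3.70},
    {"user": "carol@example.com", "ts": "2024-05-01T08:00:00", "city": "Berlin", "lat": 52.52, "lon": 13.41},
    {"user": "carol@example.com", "ts": "2024-05-01T11:00:00", "city": "Tokyo", "lat": 35.68, "lon": 139.69},
]


def impossible_travel(logins, window=timedelta(hours=1), min_km=500.0):
    """Return (user, earlier_city, later_city, km) for every pair of successful
    logins by the same user that are at least min_km apart and within window.
    min_km is an assumed threshold for "geographically different locations"."""
    by_user = {}
    for login in logins:
        by_user.setdefault(login["user"], []).append(login)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for i, later in enumerate(events):
            t_later = datetime.fromisoformat(later["ts"])
            for earlier in events[:i]:
                if t_later - datetime.fromisoformat(earlier["ts"]) > window:
                    continue  # too far apart in time to be "impossible"
                km = haversine_km(earlier["lat"], earlier["lon"], later["lat"], later["lon"])
                if km >= min_km:
                    alerts.append((user, earlier["city"], later["city"], round(km)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print(alert)
```

Only alice triggers: Madrid to New York in 40 minutes. bob's two Madrid logins are at distance zero, and carol's Berlin and Tokyo logins fall outside the one-hour window, which is the distinction that separates impossible travel from a user who simply flew somewhere. The distance threshold matters in practice: without it, a user hopping between two carrier egress points geolocated to neighbouring cities would fire the alert.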

New alerts

  • SecOpsSlackPossibleSessionHijacking

    • Introducing a new alert to detect potential session hijacking in Slack environments.

    • Monitors for suspicious activities indicating unauthorized access to Slack accounts.

    • Provides detailed insights into possible session compromise for swift remediation.

  • SecOpsWinPowerSettings (MITRE ATT&CK technique T1653, Power Settings)

    • New alert for MITRE ATT&CK technique T1653, covering manipulation of Windows power settings.

    • Alerts on suspicious changes to power settings that indicate adversary activity.

    • Adversaries change these settings to stop a compromised machine from sleeping, hibernating or shutting down, since a dormant state interrupts their access.
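The Slack session-hijacking condition described in this release (the same session ID used from a new IP for the same user within a short period) as a runnable check over constructed audit records. This is an added example, not Devo's alert code: the record field names and the 30-minute window are assumptions standing in for whatever app.slack.audit columns and threshold the shipped alert uses.

```python
"""Possible session hijacking in Slack: the same session ID seen from a new IP
for the same user within a short period (added example).

Field names (ts, user, session_id, ip, action) are assumptions standing in for
whichever app.slack.audit columns the alert actually reads.
"""
from datetime import datetime, timedelta

# Constructed sample audit records, not taken from a real workspace.
AUDIT_RECORDS = [
    {"ts": "2024-05-01T09:00:00", "user": "U01AAA", "session_id": "sess-1", "ip": "203.0.113.10", "action": "user_login"},
    {"ts": "2024-05-01T09:05:00", "user": "U01AAA", "session_id": "sess-1", "ip": "203.0.113.10", "action": "file_downloaded"},
    {"ts": "2024-05-01T09:12:00", "user": "U01AAA", "session_id": "sess-1", "ip": "198.51.100.7", "action": "file_downloaded"},
    {"ts": "2024-05-01T09:20:00", "user": "U01AAA", "session_id": "sess-1", "ip": "203.0.113.10", "action": "message_posted"},
    {"ts": "2024-05-01T09:00:00", "user": "U02BBB", "session_id": "sess-2", "ip": "203.0.113.20", "action": "user_login"},
    {"ts": "2024-05-01T15:00:00", "user": "U02BBB", "session_id": "sess-2", "ip": "203.0.113.21", "action": "file_downloaded"},
]


def possible_session_hijacks(records, window=timedelta(minutes=30)):
    """Return (user, session_id, previous_ip, new_ip, seconds_since_last_use) each
    time a session ID appears from an IP it has not used before, within window of
    its previous activity. IPs already seen for that session (office and VPN,
    for example) do not re-alert."""
    sessions = {}  # (user, session_id) -> {"ips": set, "last_ip": str, "last_ts": datetime}
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):  # ISO timestamps sort chronologically
        key = (r["user"], r["session_id"])
        ts = datetime.fromisoformat(r["ts"])
        state = sessions.get(key)
        if state is not None and r["ip"] not in state["ips"] and ts - state["last_ts"] <= window:
            alerts.append((r["user"], r["session_id"], state["last_ip"], r["ip"],
                           int((ts - state["last_ts"]).total_seconds())))
        if state is None:
            state = sessions[key] = {"ips": set(), "last_ip": None, "last_ts": None}
        state["ips"].add(r["ip"])
        state["last_ip"], state["last_ts"] = r["ip"], ts
    return alerts


if __name__ == "__main__":
    for alert in possible_session_hijacks(AUDIT_RECORDS):
        print(alert)
```

sess-1 fires once: seven minutes after activity from 203.0.113.10, the same session downloads a file from 198.51.100.7, which is the pattern a stolen session cookie produces. sess-2 also moves to a new IP, but six hours later, outside the window, so it is left for other controls (a user moving between networks over a working day is normal). When triaging a hit, the first action is to invalidate the session server-side rather than only resetting the password, because a hijacked session survives a password change until it is revoked.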

Stay vigilant with these upgraded alerts and leverage the new additions to strengthen your security posture. For further details, consult the documentation or reach out to our support team for assistance. Upgrade to Release 23 now and fortify your defenses against evolving threats.

 

Alerts updated (detection name, detection description, Devo table/data source/category, and changes made):

  • SecOpsWinUserAddedToLocalSecurityEnabledGroup

    • Detection description: Attackers may escalate the privileges of a user account by adding it to a local security-enabled group. This can indicate privilege abuse or other malicious activity.

    • Devo table / data source / category: box.all.win

    • Changes made: Improved alert summary

  • SecOpsO365ImpossibleTravel

    • Detection description: Identifies users who have had successful logins from two geographically different locations within an hour.

    • Devo table / data source / category: cloud.office365

    • Changes made: Updated mmcity operation

  • SecOpsO365AuthExcessiveFailedLoginsSingleSource

    • Detection description: Detects multiple failed authentications from a single IP in Office 365.

    • Devo table / data source / category: auth.all

    • Changes made: Updated mmcity operation

  • SecOpsLinuxIrregularLoginSsh

    • Detection description: Detects SSH login attempts at a forbidden (non-permitted) time.

    • Devo table / data source / category: auth.unix

    • Changes made: Logic improvement

  • SecOpsSlackPossibleSessionHijacking

    • Detection description: Detects the same session ID used from a new IP for the same user within a short period of time.

    • Devo table / data source / category: app.slack.audit

    • Changes made: New alert

  • SecOpsFWIpScanExternal

    • Detection description: Detects a single internal IP scanning other internal IPs using a different port for each scan attempt. This is a low-and-slow technique intended to avoid triggering traditional port scan and port sweep alerts.

    • Devo table / data source / category: firewall.all.traffic

    • Changes made: Field naming update

  • SecOpsWinPowerSettings

    • Detection description: Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend their access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate, which can disrupt malicious activity.

    • Devo table / data source / category: box.all.win

    • Changes made: New alert
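The low-and-slow pattern described for SecOpsFWIpScanExternal (one internal source reaching many internal hosts, a different port on each probe, paced so that per-minute port-scan and port-sweep thresholds never fire) as a runnable detector over constructed firewall flows. This is an added example and not the alert's own query: the flow tuple layout, the RFC 1918 definition of "internal", the six-hour window and the five-host minimum are assumptions of the example.

```python
"""Low-and-slow internal scan: one source touches many internal destinations,
using a different port on every probe, paced slowly enough that per-minute
port-scan and port-sweep thresholds never fire (added example).

Column names (ts, src_ip, dst_ip, dst_port) are assumptions standing in for the
firewall.all.traffic fields the alert actually reads.
"""
import ipaddress
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses; adjust to the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample flows as (ts, src_ip, dst_ip, dst_port); not real traffic.
SCAN_PORTS = [22, 80, 443, 3389, 445, 8080, 5432, 3306]
FLOWS = [
    # 10.0.0.5 probes eight hosts, one every 30 minutes, a different port each time.
    (f"2024-05-01T{8 + i // 2:02d}:{30 * (i % 2):02d}:00", "10.0.0.5", f"10.0.1.{i + 1}", port)
    for i, port in enumerate(SCAN_PORTS)
]
# 10.0.0.9 is a busy client talking HTTPS to one server: many flows, one host, one port.
FLOWS += [(f"2024-05-01T08:0{i}:00", "10.0.0.9", "10.0.1.1", 443) for i in range(10)]
# 10.0.0.7 browses three file servers on SMB: several hosts but the same port.
FLOWS += [("2024-05-01T09:00:00", "10.0.0.7", f"10.0.1.{i}", 445) for i in (1, 2, 3)]
# An outbound DNS flow from the scanner is not internal-to-internal and must be ignored.
FLOWS.append(("2024-05-01T09:15:00", "10.0.0.5", "8.8.8.8", 53))


def low_and_slow_scanners(flows, window=timedelta(hours=6), min_hosts=5):
    """Return {src_ip: {"hosts", "ports", "span_minutes"}} for sources that, within
    window of their first internal probe, reached at least min_hosts distinct
    internal hosts with every probe on a different destination port."""
    by_src = {}
    for ts, src, dst, port in sorted(flows):  # ISO timestamps sort chronologically
        if not (is_internal(src) and is_internal(dst)):
            continue
        by_src.setdefault(src, []).append((datetime.fromisoformat(ts), dst, port))

    alerts = {}
    for src, probes in by_src.items():
        start = probes[0][0]
        probes = [p for p in probes if p[0] - start <= window]
        hosts = {dst for _, dst, _ in probes}
        ports = [port for _, _, port in probes]
        if len(hosts) >= min_hosts and len(set(ports)) == len(ports):
            span = int((probes[-1][0] - start).total_seconds() // 60)
            alerts[src] = {"hosts": len(hosts), "ports": len(set(ports)), "span_minutes": span}
    return alerts


if __name__ == "__main__":
    print(low_and_slow_scanners(FLOWS))
```

Only 10.0.0.5 is reported: eight hosts over 210 minutes, never more than one probe in any minute, so a per-minute port-scan rule sees nothing, while the long window and the every-probe-a-new-port condition expose it. The HTTPS client and the SMB browser are excluded by the host count and the repeated port respectively. The exact-distinct-ports test is deliberately strict for illustration; a production rule would use a ratio of distinct ports to probes so that a scanner which repeats one port does not slip through.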
