Document toolboxDocument toolbox

Release 24 - Out-of-the-box alerts

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: Mar 21, 2024
2 min read

Overview

This release introduces a significant enhancement to our SIEM detections framework, focusing on improving threat detection accuracy and simplifying threat hunting for users. The key highlights of this release include the introduction of a new alert, SecOpsWinDnsExcessiveEmptyOrRefusedQueries, and the migration of existing alerts to the Devo Cyber Data Model, a common information model designed to streamline threat investigation processes.

New alerts

  • SecOpsWinDnsExcessiveEmptyOrRefusedQueries

    • A new alert has been added to detect instances of excessive empty or refused DNS queries on Windows systems. This alert aims to provide proactive detection of potential malicious activities related to DNS, enhancing overall threat visibility.

Updates

  • Migration to Devo Cyber Data Model:

    • Existing alerts have been migrated to the Devo Cyber Data Model. This migration aims to standardize data representation across alerts, facilitating easier correlation and analysis of threat data. Users can now benefit from a unified schema for conducting comprehensive threat investigations.

New alerts

Detection name

Detection description

Devo table / Data source / Category

Changes made

SecOpsWinDnsExcessiveEmptyOrRefusedQueries

Detects excessive empty or refused Windows DNS queries which may be a sign of DNS tunneling. The threshold for excessive query count should be modified to suit organizational needs.

dns.windows

New alert

 

Alert Updated to adhere to the Devo Cyber Data Model:

SecOpsAuthPasswordSprayHost

Updated to use Devo Cyber Data Model fields for union tables 

SecOpsAuthPasswordSprayIp

SecOpsCDPossibleIocIpFoundInAuthData

SecOpsLoginFailAttempts

SecOpsLoginFailCombinedSuccessed

SecOpsO365AuthExcessiveFailedLoginsSingleSource

SecOpsSimultaneouslyLoginbyIP

SecOpsEntityBehaviorEntropyUser

SecOpsEntityNewServer

SecOpsAzureUserAddedToRoleNonPIM

SecOpsAzureUserInfoDownload

SecOpsAWSInstancesCreatedOrDeletedO365

SecOpsActivityInfrequentCountryO365

SecOpsActivityPerformedByTerminatedUserO365

SecOpsAdministrativeActivityFromNonCorporateIPO365

SecOpsAnomalousBehaviorDiscoveredUsersO365

SecOpsArrowAdminFailedLogonO365

SecOpsAzureADThreatIntelligenceO365

SecOpsCloudDiscoveryAnomalyDetectionO365

SecOpsGroupMembershipModifiedO365

SecOpsMFADisabledAlertO365

SecOpsMaliciousOAuthAppConsentO365

SecOpsMalwareDetectionO365

SecOpsMultipleDeleteVMO365

SecOpsMultipleStorageDeletionActivitiesO365

SecOpsMultipleVMCreationActivitiesO365

SecOpsPermissionsAddedMailboxFolderO365

SecOpsRansomwareActivityO365

SecOpsSuspiciousEmailDeletionActivityO365

SecOpsSuspiciousInboxForwardingO365

SecOpsSuspiciousInboxManipulationRuleO365

SecOpsSuspiciousOAuthAppFileDownloadO365

SecOpsUnusualAdministrativeActivityO365

SecOpsUnusualFileDeletionActivityO365

SecOpsUnusualFileDownloadO365

SecOpsUnusualImpersonatedActivityO365

 

SecOpsHAFNIUMUserAgentsTargetingExchangeServers

SecOpsLog4ShellVulnOverDomainsUnionTableConnections

SecOpsPossibleDnsEncodingQuery

SecOpsTLDFromDomainNotInMozillaTLD

SecOpsUnusualUseragentLength

SecOpsAnonymousConnection

SecOpsCDFWSrcIpIsPossibleIoc

SecOpsCDHuntFWdstIpIsPossibleIoc

SecOpsFWEmbargoedCountryInboundTrafficDetected

SecOpsFWEmbargoedCountryOutboundTrafficDetected

SecOpsFWExcessFirewallDenies

SecOpsFWExcessFirewallDeniesOutbound

SecOpsFWExternalSMBTrafficDetectedFirewall

SecOpsFWIcmpExcessivePackets

SecOpsFWIpScanExternal

SecOpsFWIpScanInternal

SecOpsFWIrcTrafficExternalDestination

SecOpsFWPortScanExternalSource

SecOpsFWPortScanInternalSource

SecOpsFWPortSweepInternalSource

SecOpsFWRDPExternalAccess

SecOpsFWSMBInboundScanningDetected

SecOpsFWSMBInternalScanningDetected

SecOpsFWSMBTrafficOutbound

SecOpsFWSigred

SecOpsFWTrafficForeignDestination

SecOpsFWTrafficOnUnassignedLowPort

SecOpsFwTftpOutboundTraffic

SecOpsHAFNIUMNetworkActivityTargetingExchangeServers

SecOpsLog4ShellVulnOverFirewallTrafficConnections

SecOpsPossibleTrafficMirroring

SecOpsRevilKaseyaNetworkActivity

SecOpsVNCPortOpen

SecOpsPossiblePortKnocking

SecOpsCDIocUrlSuspiciousProxyData

SecOpsCDProxyDstIp

SecOpsCDProxySrcIp

SecOpsDynamicDNSDetected

SecOpsIPInsteadADomaInInURL

SecOpsLog4ShellVulnerabilityOverProxyConnections

SecOpsMultipleHTTPMethodsUsed

SecOpsNonStandardHTTPMethod

SecOpsOutboundTrafficToDeviceFlaggedAsThreat

SecOpsOutcomingUnauthenticatedArbitraryFileReadInVMwareVCenter

SecOpsPortIntoURL

SecOpsProxyHighRiskFileExtension

SecOpsProxyHttpSingleCharacterFileNameRequest

SecOpsREvilKaseyaWebShellsUploadConn

SecOpsSeveralAccessByProxy

SecOpsUserBlockedbyProxy

SecOpsHAFNIUMHashFoundFileTargetingExchangeServers

SecOpsREvilKaseyaHashFound

SecOpsRemoteDesktopProtocolScan

SecOpsBackupFileAccessAttempt

SecOpsCDIocIpSuspiciousWebData

SecOpsCDWebSrcIp

SecOpsConfigurationFileAccessAttempt

SecOpsCredentialsFileAccessAttempt

SecOpsDatabaseFileAccessAttempt

SecOpsDiscoveringPasswordFiles

SecOpsExplotationAttemptF5BigIp

SecOpsHAFNIUMHttpPostTargetingExchangeServers

SecOpsHAFNIUMWebShellsTargetingExchangeServers

SecOpsHTTPQueryNonStandardMethod

SecOpsHTTPQueryUserAgentLengthOutsize

SecOpsIncomingUnauthenticatedArbitraryFileReadInVMwareVCenter

SecOpsLog4ShellVulnerabilityOverWebServerConnections

SecOpsLogRelatedFileAccessAttempt

SecOpsMalwareFileAccessAttempt

SecOpsPossibleFuzzingAttack

SecOpsPossibleInjectionUserAgent

SecOpsPossiblePathTrasversalInjection

SecOpsPossiblePhishingKitByReferer

SecOpsREvilKaseyaWebShells

SecOpsRobotFileAskingByNoRobot

SecOpsSeveralError4xx

SecOpsSoftwareInfoAccessAttempt

SecOpsWebShellFileSuspicious

SecOpsADAccountNoExpires

SecOpsADPasswdNoExpires

SecOpsAPT29byGoogleUpdateServiceInstall

SecOpsAccountsCreatedRemovedWithinFourHours

SecOpsAppInitDLLsLoaded

SecOpsBlackByteRansomwareRegChangesPowershell

SecOpsBlackByteRansomwareRegistryChanges

SecOpsBlackKingdomWebshellInstalation

SecOpsBlankPasswordAsk

SecOpsBypassUserAccountControl

SecOpsChangesAccessibilityBinaries

SecOpsDLLWithNonUsualPath

SecOpsDeletingMassAmountOfFiles

SecOpsFailLogOn

SecOpsFsutilSuspiciousInvocation

SecOpsGenericRansomwareBehaviorIpScanner

SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers

SecOpsIntegrityProblem

SecOpsLocalUserCreation

SecOpsLolbinBitsadminTransfer

SecOpsLolbinCertocexecution

SecOpsLolbinCertreq

SecOpsLolbinCertutil

SecOpsLolbinConfigsecuritypolicy

SecOpsLolbinDatasvcutil

SecOpsLolbinMshta

SecOpsMaliciousPowerShellCommandletNames

SecOpsMaliciousPowerShellPrebuiltCommandlet

SecOpsMaliciousServiceInstallations

SecOpsMultipleMachineAccessedbyUser

SecOpsNewAccountCreated

SecOpsNtds

SecOpsOsCredentialDumpingGsecdump

SecOpsPassTheHashActivityLoginBehaviour

SecOpsPersistenceAndExecutionViaGPOScheduledTask

SecOpsPsExecToolExecution

SecOpsRansomwareBehaviorMaze

SecOpsRansomwareBehaviorNotPetya

SecOpsRansomwareBehaviorRyuk

SecOpsRareServiceInstalls

SecOpsResetPasswordAttempt

SecOpsRevilKaseyaRegistryKey

SecOpsSIGRedExploitMicrosoftWindowsDNS

SecOpsSecurityEnabledLocalGroupChanged

SecOpsSeveralPasswordChanges

SecOpsShadowCopiesDeletion

SecOpsStoneDrillServiceInstall

SecOpsStopSqlServicesRunning

SecOpsSuspiciousBehaviorAppInitDLL

SecOpsSuspiciousEventlogClearUsingWevtutil

SecOpsSuspiciousWMIExecution

SecOpsTurlaPNGDropperService

SecOpsTurlaServiceInstall

SecOpsUserAccountChanged

SecOpsWINWmiMOFProcessExecution

SecOpsWannaCryBehavior

SecOpsWermgrConnectingToIPCheckWebServices

SecOpsWinADDomainEnumeration

SecOpsWinActivateNoCloseGroupPolicyFeature

SecOpsWinActivateNoControlPanelGroupPolicyFeature

SecOpsWinActivateNoFileMenuGroupPolicyFeature

SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature

SecOpsWinActivateNoSetTaskbarGroupPolicyFeature

SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature

SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork

SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork

SecOpsWinAdminRemoteLogon

SecOpsWinAdminShareSuspiciousUse

SecOpsWinAnonymousAccountCreated

SecOpsWinAppInstallerExecution

SecOpsWinAttackerToolsOnEndpoint

SecOpsWinAttemptToAddCertificateToStore

SecOpsWinAuditLogCleared

SecOpsWinAutomatedCollectionCmd

SecOpsWinAutomatedCollectionPowershell

SecOpsWinBackupCatalogDeleted

SecOpsWinCompressEncryptData

SecOpsWinCredentialDumpingNppspy

SecOpsWinCritServiceStopped

SecOpsWinCurl

SecOpsWinDcShadowDetected

SecOpsWinDefenderDownloadActivity

SecOpsWinDisableAntispywareRegistry

SecOpsWinDisableUac

SecOpsWinDnsExeParentProcess

SecOpsWinDomainTrustActivity

SecOpsWinExcessiveUserInteractiveLogin

SecOpsWinExternalDeviceInstallationDenied

SecOpsWinFTPScriptExecution

SecOpsWinFakeProcesses

SecOpsWinFsutilDeleteChangeJournal

SecOpsWinGatherVictimIdentitySAMInfo

SecOpsWinGoldenSamlCertificateExport

SecOpsWinIISWebRootProcessExecution

SecOpsWinIcmpExfiltration

SecOpsWinInvokewebrequestUse

SecOpsWinKerberosUserEnumeration

SecOpsWinLocalSystemExecuteWhoami

SecOpsWinLockoutsEndpoint

SecOpsWinLsassKeyModification

SecOpsWinLsassMemDump

SecOpsWinMapSmbShare

SecOpsWinMemoryCorruptionVulnerability

SecOpsWinMimikatzLsadump

SecOpsWinModifyShowCompressColorAndInfoTipRegistry

SecOpsWinMsiExecInstallWeb

SecOpsWinNetworkShareCreated

SecOpsWinNewPsDrive

SecOpsWinOfficeBrowserLaunchingShell

SecOpsWinPermissionGroupDiscovery

SecOpsWinPotentialPassTheHash

SecOpsWinPowerSettings

SecOpsWinPowershellKeyloggin

SecOpsWinPowershellProcessDiscovery

SecOpsWinPowershellSetExecutionPolicyBypass

SecOpsWinRcloneExecution

SecOpsWinRegUtilityHiveExport

SecOpsWinRegistryModificationActivateNoRunGroupPolicy

SecOpsWinRegistryModificationDisableCMDApp

SecOpsWinRegistryModificationDisableChangePasswdFeature

SecOpsWinRegistryModificationDisableLockWSFeature

SecOpsWinRegistryModificationDisableLogOffButton

SecOpsWinRegistryModificationDisableNotificationCenter

SecOpsWinRegistryModificationDisableRegistryTool

SecOpsWinRegistryModificationDisableShutdownButton

SecOpsWinRegistryModificationDisableTaskmgr

SecOpsWinRegistryModificationGlobalFolderOptions

SecOpsWinRegistryModificationHideClockGroupPolicyFeature

SecOpsWinRegistryModificationHideSCAHealth

SecOpsWinRegistryModificationHideSCANetwork

SecOpsWinRegistryModificationHideSCAPower

SecOpsWinRegistryModificationHideSCAVolume

SecOpsWinRegistryModificationIExplorerSecZone

SecOpsWinRegistryModificationNewTrustedSite

SecOpsWinRegistryModificationNoDesktopGroupPolicy

SecOpsWinRegistryModificationNoFindGroupPolicyFeature

SecOpsWinRegistryModificationPowershellLoggingDisabled

SecOpsWinRegistryModificationRunKeyAdded

SecOpsWinRegistryModificationStoreLogonCred

SecOpsWinRegistryQuery

SecOpsWinRemoteSystemDiscovery

SecOpsWinRunasCommandExecution

SecOpsWinSamStopped

SecOpsWinScheduledTaskCreation

SecOpsWinSchtasksForcedReboot

SecOpsWinSchtasksRemoteSystem

SecOpsWinSensitiveFiles

SecOpsWinServiceCreatedNonStandardPath

SecOpsWinShadowCopyDetected

SecOpsWinSmtpExfiltration

SecOpsWinSpoolsvExeAbnormalProcessSpawn

SecOpsWinSuspiciousExternalDeviceInstallation

SecOpsWinSuspiciousWritesToRecycleBin

SecOpsWinSysInfoGatheringUsingDxdiag

SecOpsWinSysInternalsActivityDetected

SecOpsWinSysTimeDiscovery

SecOpsWinTFTPExecution

SecOpsWinUserAddedPrivlegedSecGroup

SecOpsWinUserAddedSelfToSecGroup

SecOpsWinUserAddedToLocalSecurityEnabledGroup

SecOpsWinUserCreationAbnormalNamingConvention

SecOpsWinUserCredentialDumpRegistry

SecOpsWinWMIPermanentEventSubscription

SecOpsWinWMIReconRunningProcessOrSrvcs

SecOpsWinWebclientClassUse

SecOpsWinWifiCredHarvestNetsh

SecOpsWinWmiExecVbsScript

SecOpsWinWmiLaunchingShell

SecOpsWinWmiProcessCallCreate

SecOpsWinWmiScriptExecution

SecOpsWinWmiTemporaryEventSubscription

SecOpsWinWmiprvseSpawningProcess

SecOpsMoveitWebShell

SecOpsWinDnsExcessiveEmptyOrRefusedQueries

Â