
Release 25 - Out-of-the-box alerts

Overview

This release updates the out-of-the-box SecOps alerts in the following ways:

Several firewall and web alerts now ship with improved default filtering, so that fewer benign events reach the alert and true positives are easier to spot.

A large set of Windows alerts now groups by source_ip instead of source_ipv4, matching the latest version of the box.all.win table.

SecOpsWinAttackerToolsOnEndpoint detects an updated list of attacker tools, and the field extraction logic of SecOpsWinPotentialPassTheHash has been adjusted to follow a change in how its source logs are parsed.

Alert updates

Alert name | Update
SecOpsWinAttackerToolsOnEndpoint | Updated the list of tools the alert detects on the endpoint.
SecOpsWinPotentialPassTheHash | Updated field extraction logic to follow a change in log parsing.
SecOpsFWEmbargoedCountryInboundTrafficDetected | Improved default filtering.
SecOpsFWPortScanInternalSource | Improved default filtering.
SecOpsFWExcessFirewallDenies | Improved default filtering.
SecOpsIPInsteadADomainInURL | Improved default filtering.
SecOpsFWPortScanExternalSource | Improved default filtering.

The following alerts now use source_ip instead of source_ipv4 in their group clause, to match the latest version of the box.all.win table:

SecOpsADAccountNoExpires
SecOpsADPasswdNoExpires
SecOpsBlackKingdomWebshellInstalation
SecOpsFailLogOn
SecOpsFsutilSuspiciousInvocation
SecOpsGenericRansomwareBehaviorIpScanner
SecOpsMaliciousPowerShellCommandletNames
SecOpsMaliciousPowerShellPrebuiltCommandlet
SecOpsMultipleMachineAccessedbyUser
SecOpsNewAccountCreated
SecOpsNtdsditDomainHashExtractionActivity
SecOpsPassTheHashActivityLoginBehaviour
SecOpsPersistenceAndExecutionViaGPOScheduledTask
SecOpsPsExecToolExecution
SecOpsRansomwareBehaviorMaze
SecOpsRansomwareBehaviorNotPetya
SecOpsRansomwareBehaviorRyuk
SecOpsResetPasswordAttempt
SecOpsSeveralPasswordChanges
SecOpsShadowCopiesDeletion
SecOpsStoneDrillServiceInstall
SecOpsStopSqlServicesRunning
SecOpsSuspiciousEventlogClearUsingWevtutil
SecOpsTurlaPNGDropperService
SecOpsTurlaServiceInstall
SecOpsUserAccountChanged
SecOpsWannaCryBehavior
SecOpsWinAdminShareSuspiciousUse
SecOpsWinExcessiveUserInteractiveLogin
SecOpsWinNetworkShareCreated
SecOpsCDHuntFWdstIpIsPossibleIoc

If you have cloned any of these alerts or built your own alerts on box.all.win, review them for remaining references to source_ipv4 and update them to source_ip as well.