Devo Product Update 7.17 Released!

All of Devo is happy to present Devo Platform release 7.17. This December release comes with two goals. We added two new user-facing functionalities to the platform, and we also made important internal improvements that give the platform greater scalability, uniformity and maintainability.

Region status:
CA - Pending
US - Pending
EU - Released
APAC - Pending

In this release: New Features (Data Search, X.509 Certificates); Improvements (Lookups, Data Search); Deprecated; Bug Fixes (Activeboards, Alerts, Roles, Data Search).

Note: EU users are benefiting from a double upgrade, as all the upgrades in 7.16 are now available to you first!

New Features

Data Search
A new filter allows you to search for a keyword inside the entire raw event. The keyword is matched against any of the event fields, and the filter is available in both view modes.

X.509 Certificates
A new column named “Expiration date” is now available. This makes it easier to see whether generated certificates are close to expiration.

Improvements

Lookups
Some lookups could remain in “Updating” status for a long time. You can now refresh a lookup that has been updating for more than 1 hour; the lookup then changes back to “Available”.

Data Search
Sensitivity Filter - We’ve removed the “Sensitivity” filter from the “Create field” and “Filter” tabs in the Operations over fields form.
Regular Expressions - Functions that require any of their arguments to be regular expressions now accept both “regexp” and “str” types.

Deprecated

LINQ Operation - MaxMind GeoIPv1 operations are now deprecated. Please use the MaxMind GeoIPv2 operations instead.

Bug Fixes

Activeboards
Empty Table Widgets - There was a case where the Table widget’s visual tab displayed an empty screen and generated console errors. This only occurred following a specific sequence of steps with a grouping query that returned no events before the grouping clause.
Ambiguous Table Widget entries - The Table widget displayed ambiguous values in the exported CSV file when column values contained commas.

Alerts
XSS - It was possible to insert cross-site scripting in alert annotations. From now on, cross-site scripting isn’t allowed.

Roles
Permissions pop-up - The pop-up info message for permissions displayed its text without proper margins.

Data Search
Copy Field Names - In List view, if you selected a whole event and copied it, the field names were always missing and the null values were always shown, regardless of the “Show field names” and “Show null values” toggles.
Selecting Events - In List view, with the “Show field names” toggle off, it wasn’t possible to select events.
Copying Event - In List view, selecting and copying part of an event wouldn’t always result in the copied text matching the selected text.
Expanding Query Editor - If the Query editor was embedded, there were problems expanding it when clicking on it. This was notably problematic because the button to run the query is hidden until the editor is expanded.
Query Editor Reset - The Query editor reset when the user clicked on the realtime button.
Group By Error - When a user grouped a query by a non-existent field, the Query editor wouldn’t react. From now on an error is displayed with the offending field underlined in red.
Extracting multiple fields - If you opened the JSON parser and selected a number of fields to be extracted, the parser would only extract the first selected field.
When editing a breadcrumb that has nested operations, if that breadcrumb didn’t fit in the “Operations over columns” form, the Query editor wouldn’t open.
Sub Filter Blank - There was a case where running a second filter gave you a blank screen. This happened when the first filter was applied to a non-asterisk field.
No Operation Called error - Existing lookups were randomly failing in queries with the error message “No operation called lu/<Lookup_name>/<Lookup_field>”.

Link to Release 7.17 Documentation page

Related products: Devo Platform

Devo Exchange: AWS Alert Pack

A new Alert Pack has been released on Devo Exchange!

Alert Pack: AWS
This out-of-the-box alert pack brings you alerts that help you quickly obtain coverage of your AWS environment. The pack contains over 50 alerts!

The Security Operations Application is not required for this pack. However, if you do have the Security Operations Application, you can download these alerts from the Content Manager and benefit from additional data enrichments.

Learn more in our Documentation Portal! Download directly from Devo Exchange!

Here is a sample of 5 of the alerts included in this pack:
SecOpsAWSCreateaccesskey - This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.
SecOpsAWSUpdateloginprofile - A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed by leveraging the user whose login profile has been updated.
SecOpsAwsRoleCreated - Detects actions taken to create new IAM roles in AWS.
SecOpsAWSIAMPolicyAppliedToRole - A policy has been attached to a role. These kinds of events should be checked, since they could be granting excessive access permissions to AWS services or resources.
SecOpsLog4ShellVulnerabilityCloudAWS - Checks for attempts to exploit CVE-2021-44228, also known as Log4Shell. The query contained in this alert can generate high volumes of events due to the nature of the attack pattern. Tuning the alert to your environment is recommended.
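The first four alert conditions above amount to simple predicates over CloudTrail IAM events. The following Python is an added example, not Devo's code or the pack's queries: it evaluates those conditions over constructed CloudTrail-style records. The field names (userIdentity.userName, requestParameters, errorCode) are CloudTrail's; the records, user names and role names are made up. It also handles two details a practitioner meets in real data: requestParameters is null when a call sent none, and a call that failed carries errorCode, so it is not the "already has permission" case the CreateAccessKey alert describes.

```python
# Added example, not Devo's code or the pack's queries: four of the AWS alert
# conditions evaluated over constructed CloudTrail-style IAM records.

SAMPLE_EVENTS = [
    # A user creating a key for their own account: routine self-service.
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    # The same user creating a key for a second user: the CreateAccessKey case.
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    # CloudTrail records requestParameters as null when none were sent; IAM then
    # applies the call to the caller, so this is self-service too.
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "erin"},
     "requestParameters": None},
    # A denied attempt carries errorCode; the caller lacked permission, so it is
    # not the "already has permission" case the alert describes.
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "grace"},
     "requestParameters": {"userName": "heidi"}, "errorCode": "AccessDenied"},
    {"eventName": "UpdateLoginProfile", "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "dave"}},
    {"eventName": "UpdateLoginProfile", "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "carol"}},
    {"eventName": "CreateRole", "userIdentity": {"userName": "frank"},
     "requestParameters": {"roleName": "DeployRole"}},
    {"eventName": "AttachRolePolicy", "userIdentity": {"userName": "frank"},
     "requestParameters": {"roleName": "DeployRole",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]


def actor_of(event: dict) -> str:
    return (event.get("userIdentity") or {}).get("userName", "<unknown>")


def target_user_of(event: dict) -> str:
    """User the IAM call acts on; defaults to the caller when userName is omitted."""
    params = event.get("requestParameters") or {}
    return params.get("userName") or actor_of(event)


def evaluate(events: list) -> list:
    """Return (alert_name, actor, target) tuples for successful IAM calls that
    match one of the sampled alert conditions."""
    findings = []
    for ev in events:
        if "errorCode" in ev:            # failed calls never changed anything
            continue
        name, actor = ev.get("eventName"), actor_of(ev)
        params = ev.get("requestParameters") or {}
        if name == "CreateAccessKey" and target_user_of(ev) != actor:
            findings.append(("SecOpsAWSCreateaccesskey", actor, target_user_of(ev)))
        elif name == "UpdateLoginProfile" and target_user_of(ev) != actor:
            findings.append(("SecOpsAWSUpdateloginprofile", actor, target_user_of(ev)))
        elif name == "CreateRole":
            findings.append(("SecOpsAwsRoleCreated", actor, params.get("roleName")))
        elif name == "AttachRolePolicy":
            findings.append(("SecOpsAWSIAMPolicyAppliedToRole", actor,
                             f'{params.get("roleName")} <- {params.get("policyArn")}'))
    return findings


if __name__ == "__main__":
    for alert, actor, target in evaluate(SAMPLE_EVENTS):
        print(f"{alert:<34} actor={actor:<6} target={target}")
```

Run as a script, it lists the four matching events; the self-service key creations and the denied attempt produce nothing. The policy ARN in the sample is AWS's managed AdministratorAccess policy, which is exactly the kind of attachment the fourth alert asks you to review.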

Related products: Devo Exchange

Devo Exchange: Credential Access Alert Pack

A new Alert Pack is available on Devo Exchange!

Alert Pack: Credential Access
This out-of-the-box alert pack bundles critical alerts that can help detect when an adversary has been using the Credential Access MITRE tactic (TA0006) and has tried to use keylogging or credential dumping methods to access your systems.

What is Credential Access?
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Learn more in our Documentation Portal! Download directly from Devo Exchange!

Here is a sample of 5 of the new alerts:
SecOpsPanAuthFailMultipleUserSingleIP - Detects brute force attacks via the Palo Alto firewalls. A source IP address attempted and failed to authenticate multiple times while providing multiple usernames.
SecOpsGCPSecretsManagerHighActivity - An attacker could be attempting to access or modify the Secret Manager service.
SecOpsAWSSamlAccess - This search provides specific information to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or cloud provider.
SecOpsAwsGetSecretFromNonAmazonIp - Detects a GetSecretValue action where the source IP does not belong to the Amazon instance IP space.
SecOpsWinDcShadowDetected - Detects usage of the Mimikatz LSADUMP::DCShadow module. Attackers can temporarily set a computer to be a domain controller and make Active Directory updates.
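The SecOpsPanAuthFailMultipleUserSingleIP condition (many failures from one source IP, spread across several usernames, within a short period) is a sliding-window aggregation. The Python below is an added example, not Devo's code or the alert's query: it applies that condition to constructed authentication records. The record format, the 5-minute window and the thresholds of 5 failures and 3 distinct usernames are assumptions to tune per environment. The sample includes a single-username burst, which this rule deliberately ignores, and a stray failure from the offending IP more than an hour later, which the window excludes.

```python
# Added example, not Devo's code: the "multiple usernames from a single IP"
# brute-force condition applied to constructed authentication records.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records (not real data): timestamp,source_ip,username,result
SAMPLE_AUTH_LOG = """\
2021-12-01T10:00:01Z,198.51.100.7,alice,failure
2021-12-01T10:00:04Z,198.51.100.7,bob,failure
2021-12-01T10:00:07Z,198.51.100.7,carol,failure
2021-12-01T10:00:10Z,198.51.100.7,dave,failure
2021-12-01T10:00:13Z,198.51.100.7,alice,failure
2021-12-01T10:00:16Z,198.51.100.7,bob,failure
2021-12-01T10:00:20Z,203.0.113.9,admin,failure
2021-12-01T10:00:21Z,203.0.113.9,admin,failure
2021-12-01T10:00:22Z,203.0.113.9,admin,failure
2021-12-01T10:00:23Z,203.0.113.9,admin,failure
2021-12-01T10:00:24Z,203.0.113.9,admin,failure
2021-12-01T10:00:25Z,203.0.113.9,admin,failure
2021-12-01T10:30:00Z,192.0.2.5,erin,failure
2021-12-01T10:30:05Z,192.0.2.5,erin,success
2021-12-01T11:45:00Z,198.51.100.7,frank,failure
"""


def parse_auth_log(text: str) -> list:
    """Return (timestamp, source_ip, username, result) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_multi_user_bruteforce(events: list, window: timedelta = timedelta(minutes=5),
                                 min_failures: int = 5, min_users: int = 3) -> dict:
    """Map each offending source IP to the window state at the moment it first
    crossed both thresholds: enough failures AND enough distinct usernames."""
    recent = defaultdict(deque)          # ip -> failures inside the current window
    alerts = {}
    for ts, ip, user, result in events:
        if result != "failure":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:     # drop failures that fell out of the window
            q.popleft()
        users = {u for _, u in q}
        if ip not in alerts and len(q) >= min_failures and len(users) >= min_users:
            alerts[ip] = {"triggered_at": ts, "failures": len(q),
                          "distinct_users": len(users)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_multi_user_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures across {info['distinct_users']} "
              f"usernames, first crossed at {info['triggered_at']:%H:%M:%S}")
```

Only 198.51.100.7 fires, at its fifth failure. The 203.0.113.9 burst is a single-account attack that a sibling rule keyed on username would catch; keeping the two conditions separate is what lets each be tuned on its own.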

Related products: Devo Exchange

Security Operations : Out of the Box Alerts Release 9

Hello All! The Devo Threat Research Team has just released their November OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 15 new detections and a couple of updates to existing ones. This includes our first EDR detections! EDR (Endpoint Detection and Response) is very important to monitor and detect because endpoints are used in all facets of the business and can be used to store critical information.

Read the full release notes in our Documentation portal! [ Release notes 9 ]

Alerts analyzed/updated:
SecOpsWinWmiExecVbsScript - Updated the alert to have an enhanced detection condition.
SecOpsWinWmiScriptExecution - Fixed an error where the entity source IP was not properly mapped.

Details on the new detections released can be seen below. Each entry gives the detection name, the detection description and, where the release notes list one, the Devo table/data source.

SecOpsBroRdpBruteForceSuccessHydraNcrack - Detects a successful RDP connection via Hydra or Ncrack hacking tools. Source: ids.bro.rdp
SecOpsBroWinLsatUserEnumeration - Detects actors utilizing the MS-LSAT Remote protocol to map security SIDs to user accounts. Source: ids.bro.dce_rpc
SecOpsBroWinDceRpceServiceCall - Detects the creation or deletion of services via RPC remote administration. Actors may create/delete services to establish a greater foothold once inside a network. Source: ids.bro.dce_rpc
SecOpsBroWinDceRpcSamrEnumeration - Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (SAMR). Source: ids.bro.dce_rpc
SecOpsBroSmbFirstSeenShare - Detects the first seen SMB share for an entity. Adversaries may utilize SMB shares to transport files; while not inherently malicious, this event should be reviewed for legitimacy. Source: ids.bro.notice
SecOpsBroSshInteresingHostNameLogin - Detects interesting hostname login events. See the Bro/Zeek reference for context around interesting hostnames. Source: ids.bro.notice
SecOpsBroHttpRequestSingleHeader - Detects HTTP requests that contain only a single header. Source: ids.bro.http
SecOpsBroSelfSignedCert - Detects servers responding via SSL or TLS services using self-signed certificates. Source: ids.bro.ssl
SecOpsWinMemoryCorruptionVulnerability - Detects exploitation of the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641) allowing remote code execution.
SecOpsWinFakeProcesses - Detects instances of known Windows processes executing outside of standard directories. Malware authors often utilize masquerading to hide malicious executables behind legitimate Windows executable names.
SecOpsWinDnsExeParentProcess - Detects the DNS.EXE program spawning other processes.
SecOpsLinuxNOPASSWDSudoers - Detects suspicious command lines that may add an entry to /etc/sudoers with the NOPASSWD attribute on the Linux platform. This requires auditd to be installed and configured. Source: box.unix
SecOpsEDRCrowdStrikeOverwatchNotification - Falcon Overwatch has identified suspicious activity. This has been raised for your awareness and should be investigated as normal. Source: edr.crowdstrike.falcon
SecOpsEDRCylanceScoreUnsafe - An unsafe file is one that has attributes that greatly resemble malware. Source: edr.cylance.threats
SecOpsO365PSTExportAlert - This detection is triggered when a user has performed an eDiscovery or exported a PST file with sensitive information. Source: cloud.office365.management

Related products: Security Operations

Devo Exchange: MITRE ATT&CK Adviser v1.2

The MITRE ATT&CK Advisor has been updated to version 1.2! I love this tool and it is the main element in my Attack Analysis features, so I hope you are as excited as I am!

New Features!
- Sub-Techniques: You can now view sub-techniques within the matrix to understand where more coverage can be added.
- Install Alert: New ability to take action directly from the application to improve coverage.
- Multiple Tactics & Techniques: You now have the ability to have coverage go from a single alert to multiple techniques.

Deep dive into Sub-Techniques
Sub-techniques have been added to the application for informational purposes within the MITRE ATT&CK Matrices that are displayed within the application. The new display enables users to understand more about the sub-techniques behind the parent techniques and identify areas where additional protection for their organization might be required.

MITRE ATT&CK Techniques outline a particular way to achieve the goal of a Tactic. A MITRE ATT&CK Technique may also include Sub-Techniques. These are particular ways to carry out the action outlined in the parent Technique. For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four Sub-Techniques:
- Password Guessing
- Password Cracking
- Password Spraying
- Credential Stuffing
All of these Sub-Techniques are ways to carry out the main Technique (i.e. a brute-force password guessing attack), but take advantage of different mechanisms to do so.

See the full details in our Documentation! Download the MITRE ATT&CK Advisor directly from Devo Exchange.

Related products: Devo Exchange

Devo Platform 7.16 Released!

We are very proud to announce Devo Platform Release 7.16 with two long-awaited and requested features!

Region status:
CA - Released
US - Released
EU - Rolled into 7.17
APAC - Released

New Features: Data Search: List View; Data Search: New Smart Query Code Editor; Data Search: New Copy Option; Application: Auto Admin Role.

New Features

Data Search: List View
List View! This alternative data view displays the information of an event as a list of keys and values known as pills. The new view shows the information in two columns: the eventdate and the list of keys and values. You can freely switch between both views with a speed that must be experienced! See this new view in use in this short video!

Data Search: New Smart Query Code Editor
Smart Query Building. We have simplified the task of writing LINQ queries with this new smart editor. As you type, it autocompletes table names, field names and much more! Building a search will be easier, faster and more convenient than ever!

Data Search: New Copy Option
New Copy Options. Both Tabular and List views can take advantage of new copy options when you right-click on the data. You can see it in action here in this video: New Copy functions in Action!

Application: Auto Admin Role
This quality-of-life improvement automatically applies the admin role to any newly installed application. Previously it was necessary to assign the role manually.

Additional improvements to the UI and bug fixes can be found in the full release notes: Documentation page for 7.16 full release notes. Let us know what you like about this release!

Related products: Devo Platform

Devo Exchange Use Cases: DoS, McAfee and Port Scan

Devo Exchange has a new content type called Use Cases. A Use Case combines a data injection with an Activeboard or Alert to reproduce a particular scenario. You can use it to gain experience, fine-tune your alerts and increase your workflow efficiency. Watch the Use Case Launch Video!

Each component of a Use Case can also be downloaded separately if you already have your own data or want to test your own Activeboard creations. Launching with 3 initial use cases, the team will be updating this section of Devo Exchange with more use cases in the future. Please let us know if you have a use case you want them to create!

Use cases: Denial of Service, McAfee Monitoring, Port Scan.

Denial of Service Use Case
A Denial of Service (DoS) attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network. This Use Case includes a Firewall Data Injection for DoS and the DoS Detection Alert Pack. Download it from Devo Exchange!

McAfee Monitoring Use Case
Get experience with the McAfee Activeboard in this Use Case. It allows you to visualize the full McAfee Activeboard, gain experience and see where to fine-tune your reporting. This Use Case includes a Proxy Data Injection for McAfee and the Proxy McAfee Monitoring Activeboard. Watch the guided tour! Download it from Devo Exchange!

Port Scan Use Case
A port scan is a common technique attackers use to discover open doors or weak points in a network. A port scan helps cyber criminals find open ports and figure out whether they are receiving or sending data. It can also reveal whether active security devices like firewalls are being used by an organization. This Use Case includes a Firewall Data Injection for Port Scan and the Port Scan Detection Alert Pack. Download it from Devo Exchange!

Please let us know if you have a use case you want the team to create!

Related products: Devo Exchange

Devo Product 7.15 Released!

We are pleased to announce that Devo Platform Release 7.15 is now starting to roll out to all Geos! We have a lot of great stuff in this release, so let’s go over it all. See the full release notes in our Docs here.

Currently available in:
CA - Released
US - Released
EU - Released
APAC - Pending

In this release: Multitenancy Data Access across domains; Activeboards gets New Widget and API (New Timelapse Widget, Timelapse Query, Activeboards API); Additional Activeboard Updates (Copying Widgets to other Activeboards, New Predefined Global Variables); Usability Improvements (User Identification via email addresses, Improved Activeboard role-sharing reporting); New Relay API; New Provisioning API Methods; Advanced password processing; Also in this Release.

Multitenancy Data Access across domains
The Devo Platform’s multitenancy capability enables users to centrally provision, monitor, manage, and query an unlimited number of tenants. MSSPs and large enterprises can maintain complete visibility into the data they manage while safeguarding its privacy and security and maintaining the residency and compliance requirements of their data. Watch this video to learn more about Devo’s multitenancy capability.

Activeboards gets New Widget and API

New Timelapse Widget
Timelapse in action: The Timelapse widget gives users the ability to capture data across specific timeframes. Users can graphically compare different time ranges in one data series, which helps them visually analyze and predict behaviors, improving incident detection and resolution times. Watch this video for a more detailed description of how it works.

Timelapse Query
The timelapse query defines the series to be analyzed. The query consists of a timestamp column (the event time reference) and a numeric column containing the value to be compared.

Activeboards API
Devo users can now build and export Activeboards via a web-based REST API, which enables customization and portability. Users can quickly share Activeboards and generate reports, increasing productivity and improving customer satisfaction. View all the details in our Docs.

Additional Activeboard Updates

Copying Widgets to other Activeboards
Users can now copy a widget to the clipboard and paste it into the same Activeboard, a different Activeboard, or another program as configurable text.

New Predefined Global Variables
The Activeboard language contains the following variables, which are helpful for widget queries:
- Domain_name
- Domain_id
- User_name
- User_email
- User_id
- Activeboard_name
- Activeboard_id
- Locale
- Timezone
- Isolated

Usability Improvements

User Identification via email addresses
Users are now identified in the Activeboard manager by their email addresses. This simplifies administration since email addresses are unique.

Improved Activeboard role-sharing reporting
Administrators can now view and set permissions that enable users to view and edit Activeboards across predefined roles in the organization.

New Relay API
Users can access relays via a REST API to manage relays and check their status. This gives users access to relays without having to log into the Devo domain. Additionally, users can use the API to clone relay rules from one domain to another, which improves efficiency. Read more about the Relay API in our Docs.

New Provisioning API Methods
Devo has added new methods to the Provisioning API. This is meant to make administering multiple domains easier for MSSPs. Users can now manage domain limits and domain preferences via the API:
- Manage domain limits: user limits, cert limit, key limit
- Manage domain preferences:
  - Generic preferences: default language, session expiration timeout
  - Data search preferences: real-time ON/OFF, default time frame, default case sensitivity

Advanced password processing
Improved complexity requirements have been added for new passwords. These updated validation rules apply when recovering, changing, or setting new passwords, which improves the security of your Devo domain.

Also in this Release
Devo Platform Release 7.15 also contains new Activeboards features such as enhanced user identification, improved data formatting, and additional accessibility settings, which enhance usability and boost productivity. See the full release notes in our Docs here.

Related products: Devo Platform

Alert Pack: Command and Control Released for Devo

The Devo SciSec Team (Devo’s Threat Research Team) has released this latest alert pack in all Devo domains! This alert pack brings our SecOps-related content to our non-SecOps customers and can help jumpstart your threat coverage.

Alert Pack - Command and Control
This alert pack focuses on providing coverage for the most commonly used attacks in the Command and Control MITRE ATT&CK tactic. Command and control is used when the adversary has your system under control and is trying to steal or disrupt information from your company. These alerts will let our customers know when the attacker tries to seize control, use their control, or try to control more systems.

Here’s more information from the MITRE website (complete information on this threat vector): “Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.”

Download now directly from Devo Exchange by clicking here. Full release notes and details of every alert in this Alert Pack.

Here is a sample of a few of the alerts included:
SecOpsFWSMBTrafficOutbound - Detects SMB traffic from internal to external sources allowed through the firewall.
SecOpsFWTrafficOnUnassignedLowPort - Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic.
SecOpsFWExcessFirewallDeniesOutbound - Detects excessive firewall blocks for outbound traffic from a single IP in a short period of time; this activity may be indicative of C2 traffic and should be reviewed.
SecOpsFWIcmpExcessivePackets - Since ICMP packets are typically very small, this alert detects ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration.
SecOpsFWRdpTrafficUnauthorized - Detects RDP traffic to hosts not within an allowed list.

Full list of alerts available here in our docs!
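The five firewall alerts sampled above, and the Port Scan Detection Alert Pack from the Use Cases post earlier on this page, all reduce to rules over the same kind of firewall log record. The Python below is an added example, not Devo's code or either pack's queries: it implements those six checks over constructed log lines. The record format, the internal address range, the RDP allow list, the ICMP size and deny-count thresholds, and the port-scan threshold are all assumptions to tune; the "unassigned low port" set is a constructed five-port subset of the IANA registry, which a real deployment would load in full. The whole sample is treated as one short interval, so no time window is applied to the "in a short period" rules.

```python
# Added example (not Devo's code or alert queries): firewall-log checks in the
# spirit of the Command and Control pack alerts and the Port Scan use case.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed internal address space
RDP_ALLOWED_HOSTS = {"10.0.1.50"}                    # assumed RDP allow list
# A handful of low ports that the IANA registry lists as unassigned; a real
# deployment would load the whole registry instead of this constructed subset.
UNASSIGNED_LOW_PORTS_SAMPLE = {4, 6, 8, 10, 12}

# Constructed log lines, not real traffic: time,src,dst,proto,dst_port,bytes,action
SAMPLE_FW_LOG = """\
10:00:01,10.0.0.5,203.0.113.10,tcp,445,1200,allow
10:00:02,10.0.0.5,203.0.113.10,tcp,443,800,allow
10:00:03,10.0.0.6,203.0.113.20,tcp,4,300,allow
10:00:04,10.0.0.7,198.51.100.4,icmp,0,4096,allow
10:00:05,10.0.0.7,198.51.100.4,icmp,0,64,allow
10:00:06,10.0.0.8,10.0.1.50,tcp,3389,500,allow
10:00:07,10.0.0.8,10.0.1.99,tcp,3389,500,allow
10:00:08,10.0.0.9,203.0.113.30,tcp,6667,200,deny
10:00:09,10.0.0.9,203.0.113.30,tcp,6668,200,deny
10:00:10,10.0.0.9,203.0.113.30,tcp,6669,200,deny
10:00:11,10.0.0.9,203.0.113.31,tcp,6667,200,deny
10:00:12,10.0.0.9,203.0.113.31,tcp,6668,200,deny
10:00:13,10.0.0.9,203.0.113.31,tcp,6669,200,deny
"""
# One external source probing twelve consecutive ports on one internal host.
SAMPLE_FW_LOG += "".join(
    f"10:01:{i:02d},198.51.100.77,10.0.0.20,tcp,{port},60,deny\n"
    for i, port in enumerate(range(20, 32))
)


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_fw_log(text: str) -> list:
    """Turn the comma-separated sample into typed records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport, nbytes, action = line.split(",")
        events.append({"time": t, "src": src, "dst": dst, "proto": proto,
                       "dst_port": int(dport), "bytes": int(nbytes), "action": action})
    return events


def run_fw_rules(text: str, deny_threshold: int = 5, icmp_max_bytes: int = 1024,
                 scan_port_threshold: int = 10) -> list:
    """Return (rule, source, detail) findings over the whole sample."""
    findings = []
    outbound_denies = Counter()            # src -> denied outbound connections
    ports_by_pair = defaultdict(set)       # (src, dst) -> distinct destination ports
    for e in parse_fw_log(text):
        outbound = is_internal(e["src"]) and not is_internal(e["dst"])
        if outbound and e["proto"] == "tcp" and e["dst_port"] in (139, 445) and e["action"] == "allow":
            findings.append(("SMBTrafficOutbound", e["src"], e["dst"]))
        if e["action"] == "allow" and 0 < e["dst_port"] < 1024 and e["dst_port"] in UNASSIGNED_LOW_PORTS_SAMPLE:
            findings.append(("TrafficOnUnassignedLowPort", e["src"], e["dst_port"]))
        if e["proto"] == "icmp" and e["bytes"] > icmp_max_bytes:
            findings.append(("IcmpExcessivePackets", e["src"], e["bytes"]))
        if e["dst_port"] == 3389 and e["dst"] not in RDP_ALLOWED_HOSTS:
            findings.append(("RdpTrafficUnauthorized", e["src"], e["dst"]))
        if outbound and e["action"] == "deny":
            outbound_denies[e["src"]] += 1
        ports_by_pair[(e["src"], e["dst"])].add(e["dst_port"])
    for src, n in outbound_denies.items():
        if n >= deny_threshold:
            findings.append(("ExcessFirewallDeniesOutbound", src, n))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_port_threshold:
            findings.append(("PortScan", src, f"{len(ports)} ports on {dst}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in run_fw_rules(SAMPLE_FW_LOG):
        print(f"{rule:<30} {src:<16} {detail}")
```

Each rule fires exactly once on the sample. Note what does not fire: the RDP session to the allow-listed host, the 64-byte ping, and the scanner's own denies, which are inbound and so do not count toward the outbound-deny rule; the scanner is caught by the distinct-port count instead.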

Related products: Devo Platform

Alert Technology Pack: Proxy Released for Devo

The Devo SciSec Team (Devo’s Threat Research Team) has released this technology alert pack in all Devo domains! This alert pack brings our SecOps-related content to our non-SecOps customers and can help jumpstart your threat coverage. Download now directly from Devo Exchange by clicking here.

Alert Technology Pack - Proxy
This Proxy pack provides our customers with detections that help protect them from even the most dangerous threats. This pack is extremely important given the role that the proxy plays in most organizations. That’s why we knew we needed alerts dedicated to alerting when an attacker has disabled or gotten past the proxy. Full release notes and details of every alert in this Alert Pack.

SecOpsNonStandardHTTPMethod - HTTP defines a set of request methods to indicate the desired action to be performed on a given resource. It is necessary to monitor non-standard methods used in web server queries because they could indicate an attack.
SecOpsMultipleHTTPMethodsUsed - There are more than ten HTTP methods, but clients usually use only a few. If a client uses all of them or a large number of methods, this could be recon, probing, or enumeration.
SecOpsUserBlockedbyProxy - It is considered suspicious when a user is blocked by a proxy server many times in a short period of time.
SecOpsProxyLargeFileUpload - Identifies file uploads above 50 MB in size. Excessive file uploads may indicate exfiltration by an adversary or insider. The size threshold should be tuned per organization.
SecOpsPortIntoURL - During the normal navigation of a user or system, URLs do not include the destination port. The use of a port can be seen as suspicious behavior when combined with other factors.

Full list available in our docs here.
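The five proxy alerts above are again rules over one record type. The Python below is an added example, not Devo's code or the pack's queries: it implements all five over constructed proxy log lines. The record format, the counts of 5 distinct methods and 5 blocks, and the treatment of the proxy's own "blocked" action as the block signal are assumptions; the 50 MB threshold is the pack's stated default. The "standard" method set is taken as the request methods of RFC 9110 plus PATCH (RFC 5789), so the sample's WebDAV PROPFIND is flagged, which is the kind of result that tells you whether to allow-list WebDAV for a given environment.

```python
# Added example, not Devo's code: five of the Proxy pack's conditions over
# constructed proxy log lines.
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# RFC 9110 request methods plus PATCH (RFC 5789); WebDAV verbs are a tuning decision.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024     # the pack's 50 MB threshold, to be tuned

# Constructed lines (not real traffic): time client method url status action request_bytes
SAMPLE_PROXY_LOG = """\
10:00:01 10.0.0.5 GET http://www.example.com/index.html 200 allowed 0
10:00:02 10.0.0.5 POST https://files.example.net/upload 200 allowed 62914560
10:00:03 10.0.0.6 PROPFIND http://intranet.example.com/dav/ 207 allowed 0
10:00:04 10.0.0.7 GET http://203.0.113.9:8443/login 200 allowed 0
10:00:05 10.0.0.8 GET http://www.example.com/ 200 allowed 0
10:00:06 10.0.0.8 HEAD http://www.example.com/ 200 allowed 0
10:00:07 10.0.0.8 POST http://www.example.com/ 405 allowed 12
10:00:08 10.0.0.8 PUT http://www.example.com/ 405 allowed 12
10:00:09 10.0.0.8 DELETE http://www.example.com/ 405 allowed 0
10:00:10 10.0.0.8 OPTIONS http://www.example.com/ 200 allowed 0
10:00:11 10.0.0.9 GET http://bad.example.org/a 403 blocked 0
10:00:12 10.0.0.9 GET http://bad.example.org/b 403 blocked 0
10:00:13 10.0.0.9 GET http://bad.example.org/c 403 blocked 0
10:00:14 10.0.0.9 GET http://bad.example.org/d 403 blocked 0
10:00:15 10.0.0.9 GET http://bad.example.org/e 403 blocked 0
"""


def parse_proxy_log(text: str) -> list:
    """Turn the space-separated sample into typed records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, client, method, url, status, action, req_bytes = line.split()
        rows.append({"time": t, "client": client, "method": method, "url": url,
                     "status": int(status), "action": action, "request_bytes": int(req_bytes)})
    return rows


def run_proxy_rules(text: str, methods_threshold: int = 5, blocked_threshold: int = 5) -> list:
    """Return (rule, client, detail) findings. Per-request rules fire inline;
    the two per-client counts are evaluated once the sample has been read."""
    findings = []
    methods_by_client = defaultdict(set)   # client -> distinct methods seen
    blocked = Counter()                    # client -> requests the proxy blocked
    for r in parse_proxy_log(text):
        methods_by_client[r["client"]].add(r["method"])
        if r["action"] == "blocked":
            blocked[r["client"]] += 1
        if r["method"] not in STANDARD_METHODS:
            findings.append(("NonStandardHTTPMethod", r["client"], r["method"]))
        if r["request_bytes"] > LARGE_UPLOAD_BYTES:
            findings.append(("ProxyLargeFileUpload", r["client"], r["request_bytes"]))
        if urlsplit(r["url"]).port is not None:      # explicit :port in the URL
            findings.append(("PortIntoURL", r["client"], r["url"]))
    for client, methods in methods_by_client.items():
        if len(methods) >= methods_threshold:
            findings.append(("MultipleHTTPMethodsUsed", client, sorted(methods)))
    for client, n in blocked.items():
        if n >= blocked_threshold:
            findings.append(("UserBlockedbyProxy", client, n))
    return findings


if __name__ == "__main__":
    for rule, client, detail in run_proxy_rules(SAMPLE_PROXY_LOG):
        print(f"{rule:<26} {client:<10} {detail}")
```

urlsplit().port is None whenever the URL carries no explicit port, so the default-port requests to www.example.com are not flagged while the request to 203.0.113.9:8443 is. The 405 responses in the method-enumeration run are themselves a useful signal: the server rejected the verbs, but the client still tried them.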

Related products: Devo Platform