Devo Platform 7.19 Release

Devo is proud to introduce DeepTrace with version 7.19 along with many requested improvements and fixes!Geo Release AvailabilityRegion Status CA Released US Released EU Released APAC Released  Table of ContentsDevo DeepTrace Integrations SSO integration with Devo Platform Search integration Alert Integration To learn more about DeepTrace Product Release post DeepTrace Documentation Page DeepTrace Interactive launch page Video: New Alert capability No Sending Policy Api Improvements New API PROBIO API improvements NASS Improvements Service Registry Bug Fixes Devo DeepTrace IntegrationsThis release adds integrations to the DeepTrace product just released!  There are 3 main integrations added.SSO integration with Devo PlatformYou can launch DeepTrace directly from Devo Platform using Single Sign On Authentication.Search integrationYou can right click on an event and select “investigate in Deeptrace.  You can also find it under the tools menu.Also available from the tools menu: Alert IntegrationYou can automatically investigate triggered alerts by defining this property in  the new alert creation window. A new option in the Alerts definition window called Auto-Investigate in DeepTrace is now available.To learn more about DeepTraceProduct Release postDeepTrace Documentation PageDeepTrace Interactive launch pageVideo:  New Alert capabilityNo Sending PolicyYou can now create and define alerts to have no send policy. Api ImprovementsNew APIAdded for aggregation tasks managementPROBIO API improvementsThe PROBIO API now allows the downloading of MSSP certificates. NASS ImprovementsService RegistryAdded the Service Registry feature in NASS, this feature provides a complete picture of all components deployed in an environment. Bug FixesBugs have been squashed in the Finder, Search, Lookups, Alerts, tables, NASS and OData! Full Release notes are available in our Documentation   

Related products:Devo PlatformDevo DeepTrace

Devo DeepTrace is Now Available to Devo Customers!

Devo DeepTrace is Now Generally Available to Devo Customers.  Introducing Devo Deeptrace! DeepTrace is an autonomous alert investigation and threat hunting solution that advances how security teams identify attacks, investigate threats, and secure their organization. With rapidly expanding attack surfaces and increasing amounts of data, today’s SOCs face a never-ending stream of alerts while leveraging manual investigative processes. This results in higher frustration levels and slower response times. Devo created DeepTrace to arm and empower you with the tools and insights needed to rapidly investigate alerts and proactively respond to threats. With DeepTrace, you will spend less time performing repetitive, manual tasks and instead focus on investigating the highest priority threats to your business.    How does Devo DeepTrace work?   Devo DeepTrace helps analysts identify the root cause of every attack. By performing autonomous alert investigation and threat hunting using attack-tracing AI, DeepTrace advances how you identify attacks and investigate threats. DeepTrace augments the work analysts do by building complete traces of suspicious activity detected across an organization’s infrastructure, which alleviates much of their mundane, repetitive tasks. DeepTrace AI enables you to trace the root of suspicious events and investigate alerts. DeepTrace builds traces that identify and isolate the root cause of every attack.USE CASE: Autonomous Investigations  The challenge: the volume of data ingested by the SOC results in a deluge of alerts. Each alert requires manual repetitive steps to understand, which can negatively impacts response time and overwhelms the team.  The Devo DeepTrace solution: DeepTrace autonomously investigates suspicious events and alerts using attack-tracing AI. It identifies each step in the attack chain, providing a full, evidence-based timeline of the attack that you can leverage to nullify the threat.DeepTrace flags alerts that warrant further investigation. USE CASE: Autonomous Threat Hunting  The Challenge: Proactively hunting for threats is a challenge due to limited team capacity. Analysts on the team with the most advanced skills must perform iterative manual threat hunting.  The Devo DeepTrace solution: DeepTrace helps threat hunters quickly construct and configure new hunts that map to MITRE ATT&CK framework tactics and techniques. Once refined and validated with the use of autonomous investigations, these can be converted to new cadence-based threat detections.DeepTrace enables the creation of new threat detection signals and alerts.  USE CASE: Optimized Incident ResponseThe Challenge: Given that an intrusion’s average dwell time can be months, analysts need to mine through petabytes of telemetry data over a period of weeks to fully understand what the adversary has done and where they have been throughout the organization. The Devo DeepTrace solution: Devo DeepTrace harnesses the organization’s endpoint log data to perform retroactive hunts that find attacks and malicious activity. Once an actual attack is identified, DeepTrace produces interactive traces and reports documenting the attacker’s footsteps.DeepTrace produces a graphical, interactive story that documents the attacker’s footprint across the entire organization. Interested in learning more about DeepTrace? Contact your CSM today to start your journey and request a demo of DeepTrace. Additionally, you can learn more here:  Devo Deeptrace Interactive Experience  Devo Documentation  Community Content: Anatomy of a Trace  → An all encompassing guide to “traces,” the key foundational element of Devo DeepTrace AI Assisted Hunting → Everything you need to know about hunting in DeepTrace   How to Reduce Manual Investigative Processes with DeepTrace How to Trace Every Attack from Start to Finish with DeepTrace 

Related products:Devo DeepTrace

Devo Exchange 1.4 Released!

Devo Exchange team is proud to present version 1.4 of the Content Marketplace!   This release comes with major features as well as many improvements.Table of Contents Content Submission Tool Alerts installed in OFF mode TAGs Reorder Resilience in Exchange Bug Fixes   Content Submission ToolYes you can share the content you create with your peers!  You can find the Content Submission tool at the top of the right man page for Devo Connect.Watch the Video! Types of Content you can share:Activeboards Applications Alerts Lookups Synthetic DataOnce you share your content the team will review it and recreate it if need be into a shareable form and publish it for you!   Alerts installed in OFF modeA popular user request, Alerts are now installed in OFF mode.  Users wanted to change parameters, policies and delivery methods before activating alerts.  Now you can! TAGs ReorderMain category tags have been reordered for increased discovery.  All the subcategories and tags have been reviewed, with new categories added to increased discovery. Resilience in ExchangeManagement of API errors is greatly improved.  Exchange can manage errors from external API’s.  Error notifications will be available on the top right! Bug Fixes Fixed Filter Selection Fixed Search acting on Blank : Sometimes when you searched for part of a word and then deleted it, the search attempted to filter by blank. Improved Image handling Improved design handling on lower resolutions 

Related products:Devo Exchange

Devo Platform 7.18 Release

Hello Everyone!  The Team is happy to present the Devo Platform Release 7.18 version which includes a ton of Activeboard and User Interaction improvements and features!Geo Availability Region Status CA Released US Released EU Released APAC Released   Table of contentsActiveBoard Updates Scheduled Reports (PDF) Query Optimization User Experience Improvements Table Widget Heatmap / Markersmap Widget Notable bug fixesView the full documentation of this release here.  ActiveBoard UpdatesScheduled Reports (PDF)Check out the launch video describing this feature!  Each Activeboard can have it’s own unique schedule.  Future releases will let you schedule multiple Activeboards at once. Scheduled Reports functionality is available from View and Edit modes as well as from the WEB and Activeboards API. New UI and notifications supporting Scheduled Reports. New Role Permissions for Activeboards Report ScheduleQuery OptimizationYou can now optimize your Activeboard queries with aggregation tasks directly from the Activeboard UI.-New UI indicating when an Activeboard query can be accelerated with an aggregation task.User Experience ImprovementsTable WidgetAdded new field “Align Items” that will allow for left, right or center alignment of data! Added Column data type and column name. Added Null Values improved readability.Heatmap / Markersmap WidgetImproved Readability of the Type field Notable bug fixesFixed Timelapse Widget - timezone being ignored in some cases.Fixed Activeboard “Snap to” operations ignoring timezone in some cases.Fixed Missing heading with Pie/Donut widgetFixed in Data → Free text query the dragable button someitmes remained enabled.

Related products:Devo Platform

Security Operations: Out of the Box Alerts Release 10

The Devo Threat Research Team has just released their December OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 39 new Windows  detections, 1 additional Office 365 alert and 9 updated Alerts.  The team also made great progress in updating older detections, updating 76 Alerts to match our current schema and documentation.These alerts have the same power as before but now integrate better with our other Devo products. If you use the MITRE Attack Advisor App, or like to edit your alerts in Loxcope, these detections can now seamlessly integrate with those products. They have also been updated to work better with our SecOps enrichments like the SecOpsAlertDescription lookup, and can now accurately show the MITRE tactics and techniques associated with the alerts.Read the full release notes here. Sample 5 Alerts included in this releaseSecOpsWinRegistryModificationHideSCAPower - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.SecOpsWinRegistryModificationHideClockGroupPolicyFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.SecOpsWinActivateNoCloseGroupPolicyFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.SecOpsWinRegistryModificationNoFindGroupPolicyFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.SecOpsWinRegistryModificationDisableLockWSFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Related products:Security Operations

Devo Product Update 7.17 Released!

All of Devo is happy to present Devo Platform release 7.17. This December release comes with two goals! We added two new user-facing functionalities to the platform.  We also made important internal improvements that provide the platform with greater scalability, uniformity and maintainability.Geo AvailabilityRegion Status CA Released US Released EU Released APAC Released  Table of Contents:New Features Data Search X.509 Certificates Improvements Lookups Data Search Depreciated Bug Fixes Activeboards Alerts Roles Data Search  Note: EU users are benefiting from double upgrades as all the upgrades in 7.16 are now available to you First!New Features Data Search A new filter allows you to search for a keyword inside of the entire raw event. You can search for a keyword in any of the event fields and it is available in both view modes.X.509 CertificatesA new column named “Expiration date” is now available. This makes it easier to see if the generated certificates are close to expiration.  Improvements LookupsSome Lookups can remain in “Updating”  status for a long time, you can now refresh a lookup that is taking more than 1 hour to be updated. The lookup will then change back to "Available". Data SearchSensitivity Filter - We’ve removed the “Sensitivity” filter from the “Create field” and “Filter” tabs in the Operations over fields form. Regular Expressions - Functions that require any of its arguments to be regular expressions can now be “regexp” and “str” types. DepreciatedLINQ Operation - MaxMind GeoIPv1 operations are now deprecated. We ask you to use MaxMind GeoIPv2 operations instead. Bug FixesActiveboardsEmpty Table Widgets - There was a case where the Table widget’s visual tab displayed an empty screen and generated console errors. This only occurred following a specific sequence of steps with a grouping query when it returned no events before the grouping clause. Ambiguous Table Widget entries - There was an issue with the Table widget displaying ambiguous values in the exported CSV file when the column values contain commas. AlertsXSS - It was possible to insert cross-site scripting in alert annotations. From now on, XSS aren’t allowed. RolesPermissions pop up - The pop-up info message for permissions displayed the text without proper margins. Data SearchCopy Field Names - In List view, if you selected a whole event and copied it⸺regardless of the values for the “Show field names” and “Show null values” toggles⸺the field names were always missing and the null values were always shown. Selecting Events - In List view, with the “Show field names” toggle off, it wasn’t possible to select events. Copying Event - In List view, selecting and copying part of an event wouldn’t always result in the copied text matching the selected text. Expanding Query Editor - If the Query editor was embedded, there were problems expanding it when clicking on it. This was notably problematic because the button to run the query is hidden until the editor is expanded.Query Editor Reset - There was a problem with the Query editor resetting when the user clicked on the realtime button. Group By Error - When a user grouped a query by a non-existent field, the Query editor wouldn’t react. From now on an error will be displayed with the aforementioned field underlined in red. Extracting multiple fields - If you opened the JSON parser and selected a number of fields to be extracted, the parser would only extract the first selected field. ● When editing a breadcrumb that has nested operations, if said breadcrumb didn’t fit in the “Operations over columns” form, then the query editor wouldn’t open. Sub Filter Blank - There was a case where, if you ran a second filter you would get a blank screen. This was because the first filter was applied to a non-asterisk field. No Operation Called error - Existing Lookups were randomly failing in queries, with an error message “No operation called lu/<Lookup_name>/<Lookup_field>”. Link to Release 7.17 Documentation page

Related products:Devo Platform

Devo Exchange: AWS Alert Pack

A new Alert Pack has been released on Devo Exchange! Alert Pack: AWSThis out of the box alert pack brings you alerts that can help you quickly obtain quick coverage of your AWS environment. This Alert pack contains over 50 Alerts!Security Operations Application is not required for this pack.  However if you do have the Security Operations Application you can download these alerts from the Content Manager and benefit from additional data enrichments. Learn more in our Documentation Portal! Download Directly from Devo Exchange! Here is a sample of 5 of the alerts included in this packSecOpsAWSCreateaccesskey - This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.SecOpsAWSUpdateloginprofile - A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user which login profile has been updated.SecOpsAwsRoleCreated - Detects actions taken to create new IAM roles in AWS.SecOpsAWSIAMPolicyAppliedToRole - It was detected that a policy has been attached to a role, these kind of events should be checked since they could be granting excessive access permissions to AWS services or resources.SecOpsLog4ShellVulnerabilityCloudAWS - Checks for attempts of exploiting CVE-2021-44228 as known as Log4shell. The query contained in this alert can generate high volumes of events due to the nature of the attack pattern. Tunning the alert to your environment is recommended.

Related products:Devo Exchange

Devo Exchange: Credential Access Alert Pack

A New Alert Pack is available on Devo Exchange! Alert Pack: Credential AccessThis out of the box alert pack bundles critical alerts that can help detect when an adversary has been sing the credential access MITRE Tactic (TA0006) and has tried to use keylogging or credential dumping methods to access your systems. What is Credential Access?Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Learn more in our Documentation Portal! Download directly from Devo Exchange! Here is a sample of 5 of the new alerts! SecOpsPanAuthFailMultipleUserSingleIP - Detects brute force attacks via the Palo Alto firewalls. A source IP address attempted and failed to authenticate multiple times while providing multiple usernames.SecOpsGCPSecretsManagerHighActivity - An attacker could be attempting to access, or modify, the Secret Manager serviceSecOpsAWSSamlAccess - This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.SecOpsAwsGetSecretFromNonAmazonIp - Detects a GetSecretValue action where the source IP does not belong in an Amazon instance IP space.SecOpsWinDcShadowDetected - Detects usage of Mimikatz LSADUMP::DCShadow module. Attackers can temporarily set a computer to be a domain controller and make active directory updates.

Related products:Devo Exchange

Security Operations : Out of the Box Alerts Release 9

Hello All!The Devo Threat Research Team has just released their November OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 15 new detections and a couple of updates to existing ones.  This includes our first EDR detections!   EDR (End Point Detection and Response) is very important to monitor and detect because endpoints are used in all facets of the business and can be used to store critical information.Read the full release notes in our Documentation portal! [ Release notes 9 ] Alert analyzed/updated:  Detection name  Changes made SecOpsWinWmiExecVbsScript  Updated the alert to have an enhanced detection condition. SecOpsWinWmiScriptExecution  Fixed an error where the entity source IP was not properly mapped.  Details on the new detections released can be seen below:  Detection name  Devo table/Data  Detection description  source/Category SecOpsBroRdpBruteFor ceSuccessHydraNcrack Detects a successful RDP connection via  Hydra or Ncrack hacking tools. ids.bro.rdp SecOpsBroWinLsatUser Enumeration Detects actors utilizing MS-LSAT Remote  protocol to map security SIDs to user  accounts. ids.bro.dce_rpc SecOpsBroWinDceRpc eServiceCall Detects the creation or deletion of services via  RPC remote administration. Actors may  create/delete services to establish a greater  foothold once inside a network. ids.bro.dce_rpc SecOpsBroWinDceRpc SamrEnumeration  SecOpsBroSmbFirstSeenShare Detects actors enumerating user accounts in  Active Directory via Security Account Manager  Remote Protocol (SAMR). ids.bro.dce_rpc  Detects the first seen SMB share for an entity.  Adversaries may utilize SMB shares to  transport files; while not inherently malicious,    this event should be reviewed for legitimacy. ids.bro.notice  Detects interesting hostname login events. SecOpsBroSshInteresin gHostNameLogin See Bro/Zeek reference for context around interesting hostnames. ids.bro.notice SecOpsBroHttpRequest Detects HTTP requests that contain only a ids.bro.http SingleHeader  single header. SecOpsBroSelfSignedC ert Detects servers responding via SSL or TLS  services using self-signed certificates. ids.bro.ssl SecOpsWinMemoryCorr uptionVulnerability Detects exploitation of Microsoft Office  Memory Corruption Vulnerability  (CVE-2015-1641) allowing remote code  execution. SecOpsWinFakeProces ses Detects instances of known Windows  processes executing outside of standard  directories. Malware authors often utilize  masquerading to hide malicious executables  behind legitimate Windows executable names. SecOpsWinDnsExeParentProcess Detects DNS.EXE program spawning other  processes. SecOpsLinuxNOPASS WDSudoers  SecOpsEDRCrowdStrik eOverwatchNotification  SecOpsEDRCylanceSc oreUnsafe Detects suspicious command lines that may  add an entry to /etc/sudoers with NOPASSWD  attribute in Linux platform. This requires auditd  be installed and configured. box.unix  Falcon Overwatch has identified suspicious  activity. This has been raised for your  awareness and should be investigated as  edr.crowdstrike.falco  normal.  n  An unsafe file is one that has attributes that  greatly resemble malware. edr.cylance.threats SecOpsO365PSTExport Alert This detection is triggered when a user has  performed an Ediscovery or exported a pst file  cloud.office365.mana  with sensitive information.  gement   

Related products:Security Operations

Devo Exchange: MITRE ATT&CK Adviser v1.2

The MITRE ATT&CK Advisor has been updated to version 1.2!  I love this tool and it is the main element in my Attack Analysis features, so I hope you are as excited as I am!New Features! Sub-Techniques Install Alert Multiple Tactics & Techniques Deep dive into Sub-TechniquesNew Features!Sub-TechniquesYou can now view sub-techniques within the matrix to understand where more coverage can be added.Install AlertNew ability to take action directly from the application to improve coverage.Multiple Tactics & TechniquesYou now have the ability to have coverage go from a single alert to multiple techniques. Deep dive into Sub-TechniquesSub-techniques have been added to the application for informational purposes within the MITRE ATT&CK Matrices that are displayed within the application.  The new display enables users to understand more about the sub-techniques behind the parent techniques and identify areas where additional protection for their organization might be required.  MITRE ATT&CK Techniques outline a particular way to achieve the goal of a Tactic.  A MITRE ATT&CK Technique may also include Sub-Techniques.  These are particular ways to carry out the action outlined in the parent Technique.  For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four Sub-Techniques: Password Guessing Password Cracking Password Spraying Credential Stuffing All of these Sub-Techniques are ways to carry out the main Technique (i.e. a brute-force password guessing attack), but take advantage of different mechanisms to do so.See the full details in our Documentaiton! Download the MITRE ATT&ACK Advisor directly from Devo Exchange

Related products:Devo Exchange