The Devo SciSec Team (Devo’s Threat Research Team) has released this technology alert pack in all Devo domains! This alert pack brings our SecOps related content to our non-SecOps customers and can help jumpstart your threat coverage.
Download now directly from Devo Exchange by clicking here.
Alert Technology Pack - Proxy
This Proxy pack provides our customers with detections to help them from even the most dangerous of threats. This pack is extremely important based on the role that the Proxy plays in most organizations. That's why we knew that we needed to have alerts dedicated to alerting when an attacker has disabled or gotten past the proxy.
Full release notes and details of every alert in this Alert Pack.
SecOpsNonStandardHTTPMethod - HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. It is necessary to monitor the non-standard methods used in web servers queries because this could indicate an attack.
SecOpsMultipleHTTPMethodsUsed - There are more than ten HTTP Methods but usually clients use a few only. If a client uses all of them or a large number of methods, this could be recon, probing, or enumeration.
SecOpsUserBlockedbyProxy - It is considered suspicious that a user is blocked by a proxy server on many occasions in a short period of time.
SecOpsProxyLargeFileUpload - Identifies file uploads above 50 MB in size. Excessive file uploads may indicate exfiltration by an adversary or insider. The size threshold should be tuned per organization.
SecOpsPortIntoURL - During the normal navigation of a user or system, the URLs do not include the destination port. The use of the port could be seen as suspicious behavior when combined with other factors.