Hello everyone! Our December release improves our library for multiple technologies. We used various research and pen-testing techniques to help close some gaps in coverage, so these alert improvements are extra essential to have in your library.
Updated Alert packs
Cloud Infrastructure Discovery (MITRE ATT&CK Technique: T1580)
Updated content in this Pack:
| Detection | Description | Data Source | Change Log |
|---|---|---|---|
| SecOpsAwsCloudTrailReconEvent | Analytical detection of reconnaissance-type behavior from AWS CloudTrail logs | cloud.aws.cloudtrail | Fixed column references and cleaned up the query to make it simpler. |
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
Alert Pack: Office 365
Updated content in this Pack:
| Detection | Description | Data Source | Change Log |
|---|---|---|---|
| SecOpsActivityAnonymousIPAddressesO365 | This alert surfaces an anonymous IP address detection raised by MCAS | cloud.office365.siem_agent_alert | Minor changes. |
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
Automated Exfiltration (MITRE ATT&CK Technique: T1020)
Updated content in this Pack:
| Detection | Description | Data Source | Change Log |
|---|---|---|---|
| SecOpsFWTrafficForeignDestination | Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing their home/domestic/expected country codes. | firewall.all.traffic | Fixed dependencies. |
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
OS Credential Dumping (MITRE ATT&CK Technique: T1003)
Updated content in this Pack:
| Detection | Description | Data Source | Change Log |
|---|---|---|---|
| SecOpsWinMimikatzLsadump | An adversary may attempt to dump credentials to obtain account login and credential material in the form of hashes or clear-text passwords. | box.all.win | Improved filtering on the query to cover more cases. |
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
Windows Log Threat Detection Suite
Updated content in this Pack:
| Detection | Description | Data Source | Change Log |
|---|---|---|---|
| SecOpsWinLsassMemDump | Detects attempts to access LSASS using Mimikatz and/or a possible Mimikatz driver load | box.all.win | Improved filtering on the query to cover more cases. |
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
Remote Access Software (MITRE ATT&CK Technique: T1219)
Updated content in this Pack:
| Detection | Description | Data Source | Change Log |
|---|---|---|---|
| SecOpsFWEmbargoedCountryOutboundTrafficDetected | Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes. | firewall.all.traffic | Fixed dependencies. |
| SecOpsFWEmbargoedCountryInboundTrafficDetected | Detects inbound traffic originating from an embargoed country. The lookup table SecOpsEmbargoCountries should be modified to fit the organization's needs. | firewall.all.traffic | Fixed dependencies. |
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
Updated Lookup
SecOpsDomesticCountries
The SecOpsDomesticCountries lookup adds more whitelisting functionality to your Devo detections by letting them reference this list of expected countries within your domestic space, which is often used for impossible-traveler-style use cases. When properly configured, using this lookup lowers your false positive rate and can make your alerts more actionable!
Quick Link on Devo Exchange: US Exchange | CA Exchange | EU Exchange | APAC Exchange
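To show how the three lookup-driven firewall detections above (SecOpsFWTrafficForeignDestination and the two embargoed-country alerts) and the SecOpsDomesticCountries allowlist fit together, here is an added Python illustration; it is not Devo's own LINQ query or lookup content. The field names in the sample records, the country codes in both lookups and the log lines themselves are constructed assumptions.

```python
"""Added illustration of lookup-driven country detections (not Devo's own code)."""
from typing import Iterable

# Constructed stand-ins for the SecOpsDomesticCountries and SecOpsEmbargoCountries lookups.
DOMESTIC_COUNTRIES = {"US", "CA"}   # expected/home countries: the allowlist
EMBARGOED_COUNTRIES = {"KP", "IR"}  # hypothetical embargo list; populate per organization policy

# Constructed firewall.all.traffic-style records; the key=value fields are assumptions.
SAMPLE_EVENTS = [
    "src=10.1.4.22 dst=52.10.8.9 dstcountry=US dir=outbound",
    "src=10.1.4.22 dst=203.0.113.7 dstcountry=BR dir=outbound",
    "src=10.1.4.22 dst=10.1.9.1 dstcountry= dir=outbound",      # internal host, no geolocation
    "src=198.51.100.5 srccountry=KP dst=10.1.4.22 dir=inbound",
    "src=10.1.4.22 dst=192.0.2.44 dstcountry=IR dir=outbound",
]


def parse_event(line: str) -> dict:
    """Split space-separated key=value pairs; an empty value (dstcountry=) maps to ''."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def evaluate(events: Iterable[str]) -> list:
    """Return (event_index, detection_name) pairs mirroring the three alerts."""
    hits = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        direction = ev.get("dir")
        if direction == "outbound":
            country = ev.get("dstcountry", "")
            if not country:
                continue  # no geolocation (e.g. RFC 1918 destination): neither lookup can apply
            if country not in DOMESTIC_COUNTRIES:
                hits.append((idx, "SecOpsFWTrafficForeignDestination"))
            if country in EMBARGOED_COUNTRIES:
                hits.append((idx, "SecOpsFWEmbargoedCountryOutboundTrafficDetected"))
        elif direction == "inbound":
            if ev.get("srccountry", "") in EMBARGOED_COUNTRIES:
                hits.append((idx, "SecOpsFWEmbargoedCountryInboundTrafficDetected"))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx]}")
```

Note that an embargoed destination fires both the foreign-destination alert and the embargo alert, while an unresolved country code is skipped rather than treated as foreign.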
How to update
When you navigate to the content on Devo Exchange, you can verify the Version date in the top right corner.
The date format is Day-Month-Year, and updated alerts will show a latest version date in December 2023.
You should also see an Upgrade button on alerts that have an upgrade available to install.