We're pleased to announce the latest updates and additions to our alerting system with Release 32. This release improves the accuracy and usefulness of several firewall and threat detection alerts. The key improvement is the addition of sourceIP and hostname fields to the alert output, so an analyst sees which host generated the traffic, not just which address, and can triage and respond faster.
Updated alerts include FWIpScanInternal, FWPortScanExternalSource, FWSMBTrafficOutbound, and threat-specific detection rules such as REvilKaseyaWebShellsUploadConn and HAFNIUMWebShellsTargetingExchangeServers. Together these changes improve coverage of internal and external network scans, unexpected outbound SMB traffic, RDP access from external sources, and the web shell activity associated with REvil (Kaseya) and HAFNIUM (Exchange Server).
To access the updated detections, open the Security Operations app in Devo and navigate to the Content Manager, where you can search by detection name and manage your alerts. To update or install alerts, visit Devo Exchange.
Alerts Updated
Firewall Alerts
The following alerts are available in Alert Pack: Firewall
US Exchange | US3 Exchange | CA Exchange | EU Exchange | APAC Exchange
FWIpScanInternal
FWIrcTrafficExternalDestination
FWPortScanInternalSource
FWPortSweepInternalSource
FWExternalSMBTrafficDetectedFirewall
FWPortScanExternalSource
FWRDPExternalAccess
FWSMBTrafficOutbound
FwTftpOutboundTraffic
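The firewall alert names above describe the traffic pattern each one looks for, but this page does not state the actual Devo query logic, thresholds, port lists or definition of "internal" behind them. The following is an added illustrative example, not Devo's code or queries, showing the shape of three of those detections (FWIpScanInternal, FWSMBTrafficOutbound, FWRDPExternalAccess) run over constructed firewall log lines, and how carrying sourceIP and hostname into every alert record gives the triage context this release adds. The RFC 1918 "internal" ranges, the 10-target scan threshold, the SMB/RDP port sets, and the key=value log format are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: "internal" means RFC 1918 space. The real alert pack's notion of
# internal is not stated on this page and would normally be configured per tenant.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}   # assumed SMB ports for the outbound-SMB check
RDP_PORT = 3389          # assumed RDP port for the external-access check


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' firewall record into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


# Constructed sample records for this example (not real traffic, not Devo data).
SAMPLE_LOGS = [
    # ws-finance-07 touches 12 distinct internal hosts on 445: an internal IP scan,
    # but NOT outbound SMB, because every destination is internal.
    *[f"2024-05-01T10:00:{i:02d}Z src=10.0.1.5 host=ws-finance-07 dst=10.0.2.{i} dport=445 action=allow"
      for i in range(1, 13)],
    # ws-hr-02 talks SMB to an external address: outbound SMB.
    "2024-05-01T10:01:00Z src=10.0.1.9 host=ws-hr-02 dst=203.0.113.50 dport=445 action=allow",
    # The same host browsing HTTPS: benign, no alert.
    "2024-05-01T10:01:05Z src=10.0.1.9 host=ws-hr-02 dst=93.184.216.34 dport=443 action=allow",
    # An external source allowed through to RDP on an internal server.
    "2024-05-01T10:02:00Z src=198.51.100.7 host=- dst=10.0.3.20 dport=3389 action=allow",
    # An external RDP attempt the firewall dropped: no access occurred, so no alert.
    "2024-05-01T10:02:01Z src=198.51.100.8 host=- dst=10.0.3.20 dport=3389 action=deny",
]


def fw_ip_scan_internal(records, threshold=10):
    """One internal source reaching at least `threshold` distinct internal destinations."""
    targets = defaultdict(set)
    hostnames = {}
    for r in records:
        if is_internal(r["src"]) and is_internal(r["dst"]):
            targets[r["src"]].add(r["dst"])
            hostnames[r["src"]] = r["host"]
    return [
        {"alert": "FWIpScanInternal", "sourceIP": src, "hostname": hostnames[src],
         "targets": len(dsts)}
        for src, dsts in targets.items() if len(dsts) >= threshold
    ]


def fw_smb_traffic_outbound(records):
    """SMB from an internal source to a destination outside the internal ranges."""
    return [
        {"alert": "FWSMBTrafficOutbound", "sourceIP": r["src"], "hostname": r["host"],
         "destination": r["dst"], "dport": r["dport"]}
        for r in records
        if is_internal(r["src"]) and not is_internal(r["dst"]) and r["dport"] in SMB_PORTS
    ]


def fw_rdp_external_access(records):
    """RDP from an external source to an internal host that the firewall allowed."""
    return [
        {"alert": "FWRDPExternalAccess", "sourceIP": r["src"], "hostname": r["host"],
         "destination": r["dst"], "dport": r["dport"]}
        for r in records
        if not is_internal(r["src"]) and is_internal(r["dst"])
        and r["dport"] == RDP_PORT and r["action"] == "allow"
    ]


def run_all(lines):
    """Parse the lines once and run the three detections; every alert carries sourceIP and hostname."""
    records = [parse_line(line) for line in lines]
    return (fw_ip_scan_internal(records)
            + fw_smb_traffic_outbound(records)
            + fw_rdp_external_access(records))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOGS):
        print(alert)
```

The point of the sourceIP/hostname pair is visible in the scan alert: the address 10.0.1.5 alone would send an analyst to DHCP or asset records, while ws-finance-07 identifies the machine to isolate immediately. Note also that the denied RDP attempt is deliberately not an "access" alert; in production you would want a separate, lower-severity signal for repeated denied attempts rather than folding them into this one.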
Proxy Alerts
The following alerts are available in Alert Pack: Proxy
US Exchange | US3 Exchange | CA Exchange | EU Exchange | APAC Exchange
REvilKaseyaWebShellsUploadConn
REvilKaseyaWebShells
Public-Facing Application Exploit Alert
This alert is available in Alert Pack: Exploit Public-Facing Application
US Exchange | US3 Exchange | CA Exchange | EU Exchange | APAC Exchange
HAFNIUMHttpPostTargetingExchangeServers
External Remote Services Alert
This alert is available in Alert Pack: Exploit Public-Facing Application
US Exchange | US3 Exchange | CA Exchange | EU Exchange | APAC Exchange
HAFNIUMWebShellsTargetingExchangeServers