The Devo Threat Research Team has published OOTB Alerts Release 21! This release, available now from the Security Operations Content Manager, provides 7 updated detections and 1 new alert. The updates focus on improved performance, easier installation and reduction in false positive results. If you are using these detections, this update is a must have!
To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.
New Detection
| Name | Description | Devo Table/Data Source/Category | Change Log |
|---|---|---|---|
| SecOpsO365OneDriveDownload | Detects high volume of OneDrive activity | CLOUD.OFFICE365.MANAGEME | New Alert! |
Updated Detections
| Name | Description | Devo Table/Data Source/Category | Change Log |
|---|---|---|---|
| SecOpsAccountsCreatedRemovedWithinFTourHours | Detects user accounts that are created and delete within a four time period. | box.all.win | Updated Alert Logic to reduce false positives |
| SecOpsFWRDPTrafficUnauthorized | Detects RDP traffic to hosts, not within an allowed list. | firewall.all.traffic | Remove dependency for installation |
| SecOpsLinuxSuspciousExecutionCommand | Detects relevant commands often related to malware or hacking activity. | box.unix | Updated to reduce false positives |
| SecOpsCDHuntFWdstIpIsPossibleIoc | This search looks for Collective Defense matches in firewall data. | firewall.all.traffic | Field naming updates |
| SecOpsFWIcmpExcessivePackets | Since ICMP packets are typically very small, this alert will detect ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration. | firewall.all.traffic | Field naming updates |
| SecOpsFWTrafficOnUnassignedLowPort | Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic. | firewall.all.traffic | Field naming updates |
| SecOpsVNCPortOpen | Used to identify the default port for VNC connections | firewall.all.traffic | Field naming updates |