
The Devo Threat Research Team has published OOTB Alerts Release 21! This release, available now from the Security Operations Content Manager, provides 7 updated detections and 1 new alert. The updates focus on improved performance, easier installation and a reduction in false positive results. If you are using these detections, this update is a must-have!

To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here you can search for the detection name, update your existing detections, or view all the new detection details and choose to deploy the new content.


New Detection

| Name | Description | Devo Table/Data Source/Category | Change Log |
|---|---|---|---|
| SecOpsO365OneDriveDownload | Detects a high volume of OneDrive activity | CLOUD.OFFICE365.MANAGEME | New Alert! |


Updated Detections

| Name | Description | Devo Table/Data Source/Category | Change Log |
|---|---|---|---|
| SecOpsAccountsCreatedRemovedWithinFTourHours | Detects user accounts that are created and deleted within a four-hour time period. | box.all.win | Updated alert logic to reduce false positives |
| SecOpsFWRDPTrafficUnauthorized | Detects RDP traffic to hosts not within an allowed list. | firewall.all.traffic | Removed dependency for installation |
| SecOpsLinuxSuspciousExecutionCommand | Detects relevant commands often related to malware or hacking activity. | box.unix | Updated to reduce false positives |
| SecOpsCDHuntFWdstIpIsPossibleIoc | This search looks for Collective Defense matches in firewall data. | firewall.all.traffic | Field naming updates |
| SecOpsFWIcmpExcessivePackets | Since ICMP packets are typically very small, this alert detects ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration. | firewall.all.traffic | Field naming updates |
| SecOpsFWTrafficOnUnassignedLowPort | Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic. | firewall.all.traffic | Field naming updates |
| SecOpsVNCPortOpen | Identifies connections to the default port for VNC. | firewall.all.traffic | Field naming updates |
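Two of the detections in the table above, the short-lived-account correlation and the oversized-ICMP check, reduced to their core logic as an added Python example. This is not Devo's alert code: the sample events are constructed, the four-hour window and the ICMP byte threshold are illustrative tuning values, and the account events are keyed on the standard Windows event IDs for account creation (4720) and deletion (4726). The create/delete pairing is what keeps a lone deletion event from firing the alert, which is the kind of false positive the updated alert logic is meant to reduce.

```python
from datetime import datetime, timedelta

# Constructed sample Windows account-lifecycle events (not real Devo data).
# Event ID 4720 = "A user account was created", 4726 = "A user account was deleted".
ACCOUNT_EVENTS = [
    {"ts": "2024-01-10T08:00:00", "event_id": 4720, "account": "svc_backup", "host": "DC01"},
    {"ts": "2024-01-10T09:30:00", "event_id": 4726, "account": "svc_backup", "host": "DC01"},
    {"ts": "2024-01-10T10:00:00", "event_id": 4720, "account": "jdoe", "host": "DC01"},
    {"ts": "2024-01-12T10:00:00", "event_id": 4726, "account": "jdoe", "host": "DC01"},
    # A deletion with no matching creation: on its own it is not a short-lived account.
    {"ts": "2024-01-10T11:00:00", "event_id": 4726, "account": "ghost", "host": "DC02"},
]

# Constructed sample firewall flow records (not real firewall.all.traffic rows).
ICMP_FLOWS = [
    {"src": "10.0.0.5", "dst": "8.8.8.8", "proto": "icmp", "bytes": 84},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "proto": "icmp", "bytes": 1480},
    {"src": "10.0.0.9", "dst": "10.0.0.1", "proto": "tcp", "bytes": 5000},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def short_lived_accounts(events, window=timedelta(hours=4)):
    """Return (account, host, lifetime) for accounts deleted within `window` of creation.

    Events are processed in time order. Each creation is remembered per
    (account, host); the next deletion of that same key closes it. Deletions
    with no prior creation, or creations never deleted, produce no hit.
    """
    pending = {}  # (account, host) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["account"], ev["host"])
        if ev["event_id"] == 4720:
            pending[key] = parse_ts(ev["ts"])
        elif ev["event_id"] == 4726 and key in pending:
            lifetime = parse_ts(ev["ts"]) - pending.pop(key)
            if lifetime <= window:
                hits.append((ev["account"], ev["host"], lifetime))
    return hits


def oversized_icmp(flows, max_bytes=512):
    """Return ICMP flows carrying more than `max_bytes` (assumed threshold).

    Ordinary echo requests are a few dozen bytes; large ICMP payloads are
    worth a look as possible tunnelled C2 or exfiltration, as the alert
    description notes.
    """
    return [f for f in flows if f["proto"] == "icmp" and f["bytes"] > max_bytes]


if __name__ == "__main__":
    for account, host, lifetime in short_lived_accounts(ACCOUNT_EVENTS):
        print(f"short-lived account {account} on {host}, lived {lifetime}")
    for flow in oversized_icmp(ICMP_FLOWS):
        print(f"oversized ICMP {flow['src']} -> {flow['dst']} ({flow['bytes']} bytes)")
```

On the constructed data only `svc_backup` (deleted 90 minutes after creation) and the 1480-byte ICMP flow are reported; `jdoe` lives two days and `ghost` has no creation event, so neither fires.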


Subscribe to Product updates to stay informed about all updates from the Product Teams!

Awesome!!