Devo Security Operations: OOTB Alerts Release 24

Related products: Devo SecOps

We're thrilled to announce the latest updates and additions to our alerting system in Release 24. This release extends the SIEM detection framework to improve detection accuracy and simplify threat hunting. The two key changes are a new alert, SecOpsWinDnsExcessiveEmptyOrRefusedQueries, and the migration of existing alerts to the Devo Cyber Data Model, a common information model that gives alerts from different data sources one shared schema so that threat investigations can correlate across them.

To access this new content, open the Security Operations app in Devo and navigate to the Content Manager, where you can search for a detection by name and manage your alerts. To update or install alerts, visit Devo Exchange.


New Detections

SecOpsWinDnsExcessiveEmptyOrRefusedQueries

A new alert has been added to detect an excessive number of empty or refused DNS queries on Windows DNS servers. Its aim is early detection of DNS-based malicious activity such as DNS tunneling, improving overall threat visibility.

Detection: SecOpsWinDnsExcessiveEmptyOrRefusedQueries
Description: Detects an excessive number of empty or refused query responses from Windows DNS, a pattern associated with DNS tunneling. The threshold that defines "excessive" should be adjusted to suit the organization's normal query volume.
Devo tables / data source / category: dns.windows
Changes made: New alert
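As an added illustration of the kind of logic such an alert applies (example code written for this page, not Devo's alert definition and not the dns.windows schema), the script below counts, per client, the DNS responses that were refused or came back with no answer records inside a sliding time window, and flags clients that reach a tunable threshold. The event fields, the sample records, the window length and the threshold are all constructed assumptions.

```python
"""Added example for this page, not Devo's alert logic or schema: flag DNS
clients that generate an excessive number of empty or refused responses
inside a sliding time window. Field names, sample records, the window and
the threshold are constructed assumptions for illustration."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (assumed fields, not the dns.windows table):
# ts, client_ip, qname, qtype, rcode, answer_count
SAMPLE_EVENTS = """\
ts,client_ip,qname,qtype,rcode,answer_count
2024-03-15T10:15:00,10.0.0.5,www.example.com,A,NOERROR,1
2024-03-15T10:15:03,10.0.0.5,mail.example.com,MX,NOERROR,2
2024-03-15T10:15:09,10.0.0.5,wwww.example.com,A,NXDOMAIN,0
2024-03-15T10:15:30,10.0.0.5,cdn.example.com,AAAA,NOERROR,1
2024-03-15T10:16:00,10.0.0.9,stale0.old.example.org,A,NXDOMAIN,0
2024-03-15T10:19:00,10.0.0.9,stale1.old.example.org,A,NXDOMAIN,0
2024-03-15T10:22:00,10.0.0.9,stale2.old.example.org,A,NXDOMAIN,0
2024-03-15T10:25:00,10.0.0.9,stale3.old.example.org,A,NXDOMAIN,0
2024-03-15T10:28:00,10.0.0.9,stale4.old.example.org,A,NXDOMAIN,0
2024-03-15T10:31:00,10.0.0.9,stale5.old.example.org,A,NXDOMAIN,0
2024-03-15T10:34:00,10.0.0.9,stale6.old.example.org,A,NXDOMAIN,0
2024-03-15T10:37:00,10.0.0.9,stale7.old.example.org,A,NXDOMAIN,0
2024-03-15T10:40:00,10.0.0.9,stale8.old.example.org,A,NXDOMAIN,0
2024-03-15T10:43:00,10.0.0.9,stale9.old.example.org,A,NXDOMAIN,0
2024-03-15T10:17:00,10.0.0.7,a91f3c.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:05,10.0.0.7,b0427d.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:10,10.0.0.7,c3e1aa.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:15,10.0.0.7,d8b902.tun.exfil-example.net,TXT,REFUSED,0
2024-03-15T10:17:20,10.0.0.7,e41c77.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:25,10.0.0.7,f02d5e.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:30,10.0.0.7,0a7e91.tun.exfil-example.net,TXT,REFUSED,0
2024-03-15T10:17:35,10.0.0.7,1b3f08.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:40,10.0.0.7,2c9d64.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:45,10.0.0.7,3dae22.tun.exfil-example.net,TXT,NXDOMAIN,0
2024-03-15T10:17:50,10.0.0.7,4e5b10.tun.exfil-example.net,TXT,REFUSED,0
2024-03-15T10:17:55,10.0.0.7,5f6c3b.tun.exfil-example.net,TXT,NXDOMAIN,0
"""


def parse_events(text):
    """Parse the CSV records and return them ordered by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["answer_count"] = int(row["answer_count"])
    return sorted(rows, key=lambda r: r["ts"])


def is_empty_or_refused(event):
    """Empty: the server returned no answer records (NXDOMAIN, NODATA, ...).
    Refused: the server answered with RCODE REFUSED."""
    return event["rcode"] == "REFUSED" or event["answer_count"] == 0


def find_excessive_clients(text, threshold=10, window_seconds=300):
    """Return {client_ip: details} for every client whose count of empty or
    refused responses reaches `threshold` within any `window_seconds` span.
    `threshold` and `window_seconds` are the knobs to tune per environment."""
    recent = defaultdict(deque)  # client_ip -> (ts, qname) of bad responses in window
    alerts = {}
    for ev in parse_events(text):
        if not is_empty_or_refused(ev):
            continue
        ip = ev["client_ip"]
        bucket = recent[ip]
        bucket.append((ev["ts"], ev["qname"].lower()))
        # Slide the window: drop entries older than window_seconds.
        while (ev["ts"] - bucket[0][0]).total_seconds() > window_seconds:
            bucket.popleft()
        if len(bucket) >= threshold:
            prev = alerts.get(ip, {}).get("peak", 0)
            alerts[ip] = {
                "peak": max(prev, len(bucket)),
                "distinct_qnames": len({name for _, name in bucket}),
                "last_seen": ev["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_excessive_clients(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {info['peak']} empty/refused responses "
              f"({info['distinct_qnames']} distinct names) by {info['last_seen']}")
```

With the defaults, only 10.0.0.7 fires: twelve empty or refused responses to twelve distinct labels in under a minute. Host 10.0.0.9 also accumulates ten NXDOMAIN answers, but spread over half an hour, so it never reaches the threshold inside a five-minute window; widening `window_seconds` to an hour makes it fire, which is the trade-off the "adjust the threshold to your environment" note is about. The distinct-name count is worth surfacing in the alert: a tunnel emits many unique labels under one parent domain, whereas a misconfigured host tends to repeat the same few stale names.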

 

Updated Detections

Migration to Devo Cyber Data Model

The existing alerts listed below have been migrated to the Devo Cyber Data Model. The migration standardizes data representation across alerts, so that events from different sources are correlated and analyzed against one unified schema during an investigation. Because a migrated alert reads the model's normalized fields rather than the raw source table, verify after updating that each alert you depend on still fires on your data.

SecOpsAuthPasswordSprayHost
SecOpsAuthPasswordSprayIp
SecOpsCDPossibleIocIpFoundInAuthData
SecOpsLoginFailAttempts
SecOpsLoginFailCombinedSuccessed
SecOpsO365AuthExcessiveFailedLoginsSingleSource
SecOpsSimultaneouslyLoginbyIP
SecOpsEntityBehaviorEntropyUser
SecOpsEntityNewServer
SecOpsAzureUserAddedToRoleNonPIM
SecOpsAzureUserInfoDownload
SecOpsAWSInstancesCreatedOrDeletedO365
SecOpsActivityInfrequentCountryO365
SecOpsActivityPerformedByTerminatedUserO365
SecOpsAdministrativeActivityFromNonCorporateIPO365
SecOpsAnomalousBehaviorDiscoveredUsersO365
SecOpsArrowAdminFailedLogonO365
SecOpsAzureADThreatIntelligenceO365
SecOpsCloudDiscoveryAnomalyDetectionO365
SecOpsGroupMembershipModifiedO365
SecOpsMFADisabledAlertO365
SecOpsMaliciousOAuthAppConsentO365
SecOpsMalwareDetectionO365
SecOpsMultipleDeleteVMO365
SecOpsMultipleStorageDeletionActivitiesO365
SecOpsMultipleVMCreationActivitiesO365
SecOpsPermissionsAddedMailboxFolderO365
SecOpsRansomwareActivityO365
SecOpsSuspiciousEmailDeletionActivityO365
SecOpsSuspiciousInboxForwardingO365
SecOpsSuspiciousInboxManipulationRuleO365
SecOpsSuspiciousOAuthAppFileDownloadO365
SecOpsUnusualAdministrativeActivityO365
SecOpsUnusualFileDeletionActivityO365
SecOpsUnusualFileDownloadO365
SecOpsUnusualImpersonatedActivityO365
SecOpsHAFNIUMUserAgentsTargetingExchangeServers
SecOpsLog4ShellVulnOverDomainsUnionTableConnections
SecOpsPossibleDnsEncodingQuery
SecOpsTLDFromDomainNotInMozillaTLD
SecOpsUnusualUseragentLength
SecOpsAnonymousConnection
SecOpsCDFWSrcIpIsPossibleIoc
SecOpsCDHuntFWdstIpIsPossibleIoc
SecOpsFWEmbargoedCountryInboundTrafficDetected
SecOpsFWEmbargoedCountryOutboundTrafficDetected
SecOpsFWExcessFirewallDenies
SecOpsFWExcessFirewallDeniesOutbound
SecOpsFWExternalSMBTrafficDetectedFirewall
SecOpsFWIcmpExcessivePackets
SecOpsFWIpScanExternal
SecOpsFWIpScanInternal
SecOpsFWIrcTrafficExternalDestination
SecOpsFWPortScanExternalSource
SecOpsFWPortScanInternalSource
SecOpsFWPortSweepInternalSource
SecOpsFWRDPExternalAccess
SecOpsFWSMBInboundScanningDetected
SecOpsFWSMBInternalScanningDetected
SecOpsFWSMBTrafficOutbound
SecOpsFWSigred
SecOpsFWTrafficForeignDestination
SecOpsFWTrafficOnUnassignedLowPort
SecOpsFwTftpOutboundTraffic
SecOpsHAFNIUMNetworkActivityTargetingExchangeServers
SecOpsLog4ShellVulnOverFirewallTrafficConnections
SecOpsPossibleTrafficMirroring
SecOpsRevilKaseyaNetworkActivity
SecOpsVNCPortOpen
SecOpsPossiblePortKnocking
SecOpsCDIocUrlSuspiciousProxyData
SecOpsCDProxyDstIp
SecOpsCDProxySrcIp
SecOpsDynamicDNSDetected
SecOpsIPInsteadADomaInInURL
SecOpsLog4ShellVulnerabilityOverProxyConnections
SecOpsMultipleHTTPMethodsUsed
SecOpsNonStandardHTTPMethod
SecOpsOutboundTrafficToDeviceFlaggedAsThreat
SecOpsOutcomingUnauthenticatedArbitraryFileReadInVMwareVCenter
SecOpsPortIntoURL
SecOpsProxyHighRiskFileExtension
SecOpsProxyHttpSingleCharacterFileNameRequest
SecOpsREvilKaseyaWebShellsUploadConn
SecOpsSeveralAccessByProxy
SecOpsUserBlockedbyProxy
SecOpsHAFNIUMHashFoundFileTargetingExchangeServers
SecOpsREvilKaseyaHashFound
SecOpsRemoteDesktopProtocolScan
SecOpsBackupFileAccessAttempt
SecOpsCDIocIpSuspiciousWebData
SecOpsCDWebSrcIp
SecOpsConfigurationFileAccessAttempt
SecOpsCredentialsFileAccessAttempt
SecOpsDatabaseFileAccessAttempt
SecOpsDiscoveringPasswordFiles
SecOpsExplotationAttemptF5BigIp
SecOpsHAFNIUMHttpPostTargetingExchangeServers
SecOpsHAFNIUMWebShellsTargetingExchangeServers
SecOpsHTTPQueryNonStandardMethod
SecOpsHTTPQueryUserAgentLengthOutsize
SecOpsIncomingUnauthenticatedArbitraryFileReadInVMwareVCenter
SecOpsLog4ShellVulnerabilityOverWebServerConnections
SecOpsLogRelatedFileAccessAttempt
SecOpsMalwareFileAccessAttempt
SecOpsPossibleFuzzingAttack
SecOpsPossibleInjectionUserAgent
SecOpsPossiblePathTrasversalInjection
SecOpsPossiblePhishingKitByReferer
SecOpsREvilKaseyaWebShells
SecOpsRobotFileAskingByNoRobot
SecOpsSeveralError4xx
SecOpsSoftwareInfoAccessAttempt
SecOpsWebShellFileSuspicious
SecOpsADAccountNoExpires
SecOpsADPasswdNoExpires
SecOpsAPT29byGoogleUpdateServiceInstall
SecOpsAccountsCreatedRemovedWithinFourHours
SecOpsAppInitDLLsLoaded
SecOpsBlackByteRansomwareRegChangesPowershell
SecOpsBlackByteRansomwareRegistryChanges
SecOpsBlackKingdomWebshellInstalation
SecOpsBlankPasswordAsk
SecOpsBypassUserAccountControl
SecOpsChangesAccessibilityBinaries
SecOpsDLLWithNonUsualPath
SecOpsDeletingMassAmountOfFiles
SecOpsFailLogOn
SecOpsFsutilSuspiciousInvocation
SecOpsGenericRansomwareBehaviorIpScanner
SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers
SecOpsIntegrityProblem
SecOpsLocalUserCreation
SecOpsLolbinBitsadminTransfer
SecOpsLolbinCertocexecution
SecOpsLolbinCertreq
SecOpsLolbinCertutil
SecOpsLolbinConfigsecuritypolicy
SecOpsLolbinDatasvcutil
SecOpsLolbinMshta
SecOpsMaliciousPowerShellCommandletNames
SecOpsMaliciousPowerShellPrebuiltCommandlet
SecOpsMaliciousServiceInstallations
SecOpsMultipleMachineAccessedbyUser
SecOpsNewAccountCreated
SecOpsNtds
SecOpsOsCredentialDumpingGsecdump
SecOpsPassTheHashActivityLoginBehaviour
SecOpsPersistenceAndExecutionViaGPOScheduledTask
SecOpsPsExecToolExecution
SecOpsRansomwareBehaviorMaze
SecOpsRansomwareBehaviorNotPetya
SecOpsRansomwareBehaviorRyuk
SecOpsRareServiceInstalls
SecOpsResetPasswordAttempt
SecOpsRevilKaseyaRegistryKey
SecOpsSIGRedExploitMicrosoftWindowsDNS
SecOpsSecurityEnabledLocalGroupChanged
SecOpsSeveralPasswordChanges
SecOpsShadowCopiesDeletion
SecOpsStoneDrillServiceInstall
SecOpsStopSqlServicesRunning
SecOpsSuspiciousBehaviorAppInitDLL
SecOpsSuspiciousEventlogClearUsingWevtutil
SecOpsSuspiciousWMIExecution
SecOpsTurlaPNGDropperService
SecOpsTurlaServiceInstall
SecOpsUserAccountChanged
SecOpsWINWmiMOFProcessExecution
SecOpsWannaCryBehavior
SecOpsWermgrConnectingToIPCheckWebServices
SecOpsWinADDomainEnumeration
SecOpsWinActivateNoCloseGroupPolicyFeature
SecOpsWinActivateNoControlPanelGroupPolicyFeature
SecOpsWinActivateNoFileMenuGroupPolicyFeature
SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature
SecOpsWinActivateNoSetTaskbarGroupPolicyFeature
SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork
SecOpsWinAdminRemoteLogon
SecOpsWinAdminShareSuspiciousUse
SecOpsWinAnonymousAccountCreated
SecOpsWinAppInstallerExecution
SecOpsWinAttackerToolsOnEndpoint
SecOpsWinAttemptToAddCertificateToStore
SecOpsWinAuditLogCleared
SecOpsWinAutomatedCollectionCmd
SecOpsWinAutomatedCollectionPowershell
SecOpsWinBackupCatalogDeleted
SecOpsWinCompressEncryptData
SecOpsWinCredentialDumpingNppspy
SecOpsWinCritServiceStopped
SecOpsWinCurl
SecOpsWinDcShadowDetected
SecOpsWinDefenderDownloadActivity
SecOpsWinDisableAntispywareRegistry
SecOpsWinDisableUac
SecOpsWinDnsExeParentProcess
SecOpsWinDomainTrustActivity
SecOpsWinExcessiveUserInteractiveLogin
SecOpsWinExternalDeviceInstallationDenied
SecOpsWinFTPScriptExecution
SecOpsWinFakeProcesses
SecOpsWinFsutilDeleteChangeJournal
SecOpsWinGatherVictimIdentitySAMInfo
SecOpsWinGoldenSamlCertificateExport
SecOpsWinIISWebRootProcessExecution
SecOpsWinIcmpExfiltration
SecOpsWinInvokewebrequestUse
SecOpsWinKerberosUserEnumeration
SecOpsWinLocalSystemExecuteWhoami
SecOpsWinLockoutsEndpoint
SecOpsWinLsassKeyModification
SecOpsWinLsassMemDump
SecOpsWinMapSmbShare
SecOpsWinMemoryCorruptionVulnerability
SecOpsWinMimikatzLsadump
SecOpsWinModifyShowCompressColorAndInfoTipRegistry
SecOpsWinMsiExecInstallWeb
SecOpsWinNetworkShareCreated
SecOpsWinNewPsDrive
SecOpsWinOfficeBrowserLaunchingShell
SecOpsWinPermissionGroupDiscovery
SecOpsWinPotentialPassTheHash
SecOpsWinPowerSettings
SecOpsWinPowershellKeyloggin
SecOpsWinPowershellProcessDiscovery
SecOpsWinPowershellSetExecutionPolicyBypass
SecOpsWinRcloneExecution
SecOpsWinRegUtilityHiveExport
SecOpsWinRegistryModificationActivateNoRunGroupPolicy
SecOpsWinRegistryModificationDisableCMDApp
SecOpsWinRegistryModificationDisableChangePasswdFeature
SecOpsWinRegistryModificationDisableLockWSFeature
SecOpsWinRegistryModificationDisableLogOffButton
SecOpsWinRegistryModificationDisableNotificationCenter
SecOpsWinRegistryModificationDisableRegistryTool
SecOpsWinRegistryModificationDisableShutdownButton
SecOpsWinRegistryModificationDisableTaskmgr
SecOpsWinRegistryModificationGlobalFolderOptions
SecOpsWinRegistryModificationHideClockGroupPolicyFeature
SecOpsWinRegistryModificationHideSCAHealth
SecOpsWinRegistryModificationHideSCANetwork
SecOpsWinRegistryModificationHideSCAPower
SecOpsWinRegistryModificationHideSCAVolume
SecOpsWinRegistryModificationIExplorerSecZone
SecOpsWinRegistryModificationNewTrustedSite
SecOpsWinRegistryModificationNoDesktopGroupPolicy
SecOpsWinRegistryModificationNoFindGroupPolicyFeature
SecOpsWinRegistryModificationPowershellLoggingDisabled
SecOpsWinRegistryModificationRunKeyAdded
SecOpsWinRegistryModificationStoreLogonCred
SecOpsWinRegistryQuery
SecOpsWinRemoteSystemDiscovery
SecOpsWinRunasCommandExecution
SecOpsWinSamStopped
SecOpsWinScheduledTaskCreation
SecOpsWinSchtasksForcedReboot
SecOpsWinSchtasksRemoteSystem
SecOpsWinSensitiveFiles
SecOpsWinServiceCreatedNonStandardPath
SecOpsWinShadowCopyDetected
SecOpsWinSmtpExfiltration
SecOpsWinSpoolsvExeAbnormalProcessSpawn
SecOpsWinSuspiciousExternalDeviceInstallation
SecOpsWinSuspiciousWritesToRecycleBin
SecOpsWinSysInfoGatheringUsingDxdiag
SecOpsWinSysInternalsActivityDetected
SecOpsWinSysTimeDiscovery
SecOpsWinTFTPExecution
SecOpsWinUserAddedPrivlegedSecGroup
SecOpsWinUserAddedSelfToSecGroup
SecOpsWinUserAddedToLocalSecurityEnabledGroup
SecOpsWinUserCreationAbnormalNamingConvention
SecOpsWinUserCredentialDumpRegistry
SecOpsWinWMIPermanentEventSubscription
SecOpsWinWMIReconRunningProcessOrSrvcs
SecOpsWinWebclientClassUse
SecOpsWinWifiCredHarvestNetsh
SecOpsWinWmiExecVbsScript
SecOpsWinWmiLaunchingShell
SecOpsWinWmiProcessCallCreate
SecOpsWinWmiScriptExecution
SecOpsWinWmiTemporaryEventSubscription
SecOpsWinWmiprvseSpawningProcess
SecOpsMoveitWebShell
SecOpsWinDnsExcessiveEmptyOrRefusedQueries
