
We're thrilled to announce the latest updates and additions to our alerting system with Release 29. This release introduces a large collection of updates to 24 Alert Packs covering a wide range of MITRE ATT&CK Tactics and Techniques. Additionally, we have updated Detections for Linux, Windows, Network and Authentication. Below you will find links to Devo Exchange for all the alert packs in your respective geo.

To access Updated Detections, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name and manage your alerts. To update or install new alerts, visit Devo Exchange.


Updated Alert Packs


Each pack below has direct links on Devo Exchange for the US, CA, EU and APAC regions.

  • Linux_Log-Based_Threat_Detection_Suite (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Windows_Log_Threat_Detection_Suite (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Authentication_Log_Threat_Detection_Suite (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Abuse_Elevation_Control_Mechanism_(MITRE_Att&ck_Technique:_T1548) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Boot_or_Logon_Initialization_Scripts_(MITRE_Att&ck_Technique:_T1037) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Account_Manipulation_(MITRE_Att&ck_Technique:_T1098) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Command_and_Scripting_Interpreter_(MITRE_Att&ck_Technique:_T1059) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Brute_Force_(MITRE_Att&ck_Technique:_T1110) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Data_Encrypted_for_Impact_(MITRE_Att&ck_Technique:_T1486) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Data_Destruction_(MITRE_Att&ck_Technique:_T1485) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Create_Account_(MITRE_Att&ck_Technique:_T1136) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Domain_Policy_Modification_(MITRE_Att&ck_Technique:_T1484) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Exfiltration_Over_Alternative_Protocol_(MITRE_Att&ck_Technique:_T1048) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Event_Triggered_Execution_(MITRE_Att&ck_Technique:_T1546) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • File_and_Directory_Permissions_Modification_(MITRE_Att&ck_Technique:_T1222) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Ingress_Tool_Transfer_(MITRE_Att&ck_Technique:_T1105) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Indicator_Removal_on_Host_(MITRE_Att&ck_Technique:_T1070) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Impair_Defenses_(MITRE_Att&ck_Technique:_T1562) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • OS_Credential_Dumping_(MITRE_Att&ck_Technique:_T1003) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Modify_Registry_(MITRE_Att&ck_Technique:_T1112) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Obtain_Capabilities_(MITRE_Att&ck_Technique:_T1588) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Scheduled_Task_Job_(MITRE_Att&ck_Technique:_T1053) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Remote_Services_(MITRE_Att&ck_Technique:_T1021) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)
  • Valid_Accounts_(MITRE_Att&ck_Technique:_T1078) (US Exchange | CA Exchange | EU Exchange | APAC Exchange)


Updated Detections

Linux

  • SecOpsLinuxAddFilestoCrontabDir.json
  • SecOpsLinuxAppendCommandToProfileConfig.json
  • SecOpsLinuxAppendCronjobEntry.json
  • SecOpsLinuxAuditdMaxFailedLoginAttempts.json
  • SecOpsLinuxExtNetworkviaTelnet.json
  • SecOpsLinuxFileCreateInitBoot.json
  • SecOpsLinuxFileOwnerNowRoot.json
  • SecOpsLinuxHighFileDeletesEtc.json
  • SecOpsLinuxIntNetworkviaTelnet.json
  • SecOpsLinuxNcUseDetected.json
  • SecOpsLinuxNOPASSWDSudoers.json
  • SecOpsLinuxPotentialDisableSELinux.json
  • SecOpsLinuxSetuidUsingChmod.json
  • SecOpsLinuxSudoFileModification.json
  • SecOpsLinuxSystemLogFileDeletion.json
  • SecOpsLinuxWebserverAccessLogsDeleted


Windows

  • SecOpsOsCredentialDumpingGsecdump.json
  • SecOpsRansomwareBehaviorMaze.json
  • SecOpsRansomwareBehaviorNotPetya.json
  • SecOpsRansomwareBehaviorRyuk.json
  • SecOpsResetPasswordAttempt.json
  • SecOpsWannaCryBehavior.json
  • SecOpsWinMimikatzLsadump
  • SecOpsWinAuditLogCleared.json
  • SecOpsWinDisableUac.json
  • SecOpsWinDisableAntispywareRegistry.json
  • SecOpsWinLockoutsEndpoint.json
  • SecOpsWinLsassMemDump.json
  • SecOpsWinRegistryModificationDisableChangePasswdFeature.json
  • SecOpsWinRegistryModificationNewTrustedSite.json
  • SecOpsWinUserAddedSelfToSecGroup.json
  • SecOpsWinUserAddedToLocalSecurityEnabledGroup.json
  • SecOpsWinUserCredentialDumpRegistry.json
  • SecOpsNewAccountCreated.json
  • SecOpsWinAdminRemoteLogon.json
  • SecOpsWinAnonymousAccountCreated.json
  • SecOpsWinExcessiveUserInteractiveLogin.json
  • SecOpsFailLogOn.json

Network

  • SecOpsFortinetCriticalAppUse.json
  • SecOpsSuspiciousConnectionToCoinminerDomain.json
  • SecOpsFortinetHighRiskAppUse.json

Authentication

  • SecOpsAuthPasswordSprayHost.json
  • SecOpsO365AuthExcessiveFailedLoginsSingleSource.json
  • SecOpsO365AuthExcessiveFailedLoginsUserAuthAll.json
  • SecOpsLoginFailCombinedSuccessed.json
  • SecOpsAuthPasswordSprayIp.json
