We're thrilled to announce the latest updates and additions to our alerting system with Release 29. This release introduces a large collection of updates to 24 Alert Packs covering a wide range of MITRE ATT&CK Tactics and Techniques. Additionally, we have updated Detections for Linux, Windows, Network and Authentication. Below you will find links to Devo Exchange for all the alert packs in your respective geo.
To access Updated Detections, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for a detection by name and manage your alerts. To update or install new alerts, visit Devo Exchange.
Table of Contents
Updated Alert Packs
Linux_Log-Based_Threat_Detection_Suite
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Windows_Log_Threat_Detection_Suite
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Authentication_Log_Threat_Detection_Suite
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Abuse_Elevation_Control_Mechanism_(MITRE_Att&ck_Technique:_T1548)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Boot_or_Logon_Initialization_Scripts_(MITRE_Att&ck_Technique:_T1037)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Account_Manipulation_(MITRE_Att&ck_Technique:_T1098)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Command_and_Scripting_Interpreter_(MITRE_Att&ck_Technique:_T1059)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Brute_Force_(MITRE_Att&ck_Technique:_T1110)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Data_Encrypted_for_Impact_(MITRE_Att&ck_Technique:_T1486)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Data_Destruction_(MITRE_Att&ck_Technique:_T1485)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Create_Account_(MITRE_Att&ck_Technique:_T1136)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Domain_Policy_Modification_(MITRE_Att&ck_Technique:_T1484)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Exfiltration_Over_Alternative_Protocol_(MITRE_Att&ck_Technique:_T1048)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Event_Triggered_Execution_(MITRE_Att&ck_Technique:_T1546)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
File_and_Directory_Permissions_Modification_(MITRE_Att&ck_Technique:_T1222)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Ingress_Tool_Transfer_(MITRE_Att&ck_Technique:_T1105)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Indicator_Removal_on_Host_(MITRE_Att&ck_Technique:_T1070)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Impair_Defenses_(MITRE_Att&ck_Technique:_T1562)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
OS_Credential_Dumping_(MITRE_Att&ck_Technique:_T1003)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Modify_Registry_(MITRE_Att&ck_Technique:_T1112)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Obtain_Capabilities_(MITRE_Att&ck_Technique:_T1588)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Scheduled_Task_Job_(MITRE_Att&ck_Technique:_T1053)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Remote_Services_(MITRE_Att&ck_Technique:_T1021)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Valid_Accounts_(MITRE_Att&ck_Technique:_T1078)
Direct links on Devo Exchange
US Exchange | CA Exchange | EU Exchange | APAC Exchange
Updated Detections
Linux
- SecOpsLinuxAddFilestoCrontabDir.json
- SecOpsLinuxAppendCommandToProfileConfig.json
- SecOpsLinuxAppendCronjobEntry.json
- SecOpsLinuxAuditdMaxFailedLoginAttempts.json
- SecOpsLinuxExtNetworkviaTelnet.json
- SecOpsLinuxFileCreateInitBoot.json
- SecOpsLinuxFileOwnerNowRoot.json
- SecOpsLinuxHighFileDeletesEtc.json
- SecOpsLinuxIntNetworkviaTelnet.json
- SecOpsLinuxNcUseDetected.json
- SecOpsLinuxNOPASSWDSudoers.json
- SecOpsLinuxPotentialDisableSELinux.json
- SecOpsLinuxSetuidUsingChmod.json
- SecOpsLinuxSudoFileModification.json
- SecOpsLinuxSystemLogFileDeletion.json
- SecOpsLinuxWebserverAccessLogsDeleted
Windows
- SecOpsOsCredentialDumpingGsecdump.json
- SecOpsRansomwareBehaviorMaze.json
- SecOpsRansomwareBehaviorNotPetya.json
- SecOpsRansomwareBehaviorRyuk.json
- SecOpsResetPasswordAttempt.json
- SecOpsWannaCryBehavior.json
- SecOpsWinMimikatzLsadump
- SecOpsWinAuditLogCleared.json
- SecOpsWinDisableUac.json
- SecOpsWinDisableAntispywareRegistry.json
- SecOpsWinLockoutsEndpoint.json
- SecOpsWinLsassMemDump.json
- SecOpsWinRegistryModificationDisableChangePasswdFeature.json
- SecOpsWinRegistryModificationNewTrustedSite.json
- SecOpsWinUserAddedSelfToSecGroup.json
- SecOpsWinUserAddedToLocalSecurityEnabledGroup.json
- SecOpsWinUserCredentialDumpRegistry.json
- SecOpsNewAccountCreated.json
- SecOpsWinAdminRemoteLogon.json
- SecOpsWinAnonymousAccountCreated.json
- SecOpsWinExcessiveUserInteractiveLogin.json
- SecOpsFailLogOn.json
Network
- SecOpsFortinetCriticalAppUse.json
- SecOpsSuspiciousConnectionToCoinminerDomain.json
- SecOpsFortinetHighRiskAppUse.json
Authentication
- SecOpsAuthPasswordSprayHost.json
- SecOpsO365AuthExcessiveFailedLoginsSingleSource.json
- SecOpsO365AuthExcessiveFailedLoginsUserAuthAll.json
- SecOpsLoginFailCombinedSuccessed.json
- SecOpsAuthPasswordSprayIp.json