We're thrilled to announce Release 31 of our alerting system, which brings two significant enhancements. First, existing alert templates were updated to produce more accurate and comprehensive notifications. Second, we developed a Ransomware MOVEit Vulnerability alert pack to detect and respond to potential exploitation attempts, covering the key attack vectors related to this threat.
To access the updated detections, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for a detection by name and manage your alerts. To update or install new alerts and alert packs, visit Devo Exchange.
New Alert Pack: Ransomware MOVEit
To help detect and mitigate the threat posed by CL0P, we are offering a comprehensive set of alerts designed to identify key indicators of compromise (IOCs) and suspicious activities linked to this ransomware. These alerts are tailored to detect behaviors such as unusual file modifications, exfiltration attempts, and known malicious binaries, giving security teams the ability to respond rapidly to potential incidents.
Devo Exchange links by domain:
US Exchange | US3 Exchange | CA Exchange | EU Exchange | APAC Exchange
Updated Alerts available in the Ransomware MOVEit Vulnerability Alert Pack:
MoveitPotentialNetworkActivityExploitation
PotentialThreatConnectionRansomBehaviour
RansomBehaviorShadowCopyDeletionAndResizing
MoveitWindowsEvtxFileCreation
SuspiciousCmdExecDirChangeUserReconn
StopWindowsServiceViaNet
DomainReconnADEnumerationAndTrustMapping
PhishingEmailRansomDistributionCampaign
VolumeShadowCopyDeletion
HighVolumeFileDeletion
BcdModificationRecoveryAndBootFailureSuppression
MoveitCmdlineFileCreation
MoveitDynamicCompilationViaCscExe
MoveitFilePotentialActivityTransferExploitation
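To make the behaviours behind several of these alert names concrete, the following is an added example, not Devo's alert definitions or query language: a small rule engine that applies signature-style rules (shadow copy deletion and resizing, BCD recovery suppression, service stops via net, a compiler spawned under the MOVEit web worker) to constructed Windows process-creation events, and a threshold rule in the spirit of HighVolumeFileDeletion to constructed file events. The alert names come from the list above; the event field names, the assumed w3wp.exe parent condition for the csc.exe rule, the thresholds and every sample event are assumptions made for this illustration.

```python
"""Illustrative detection logic for behaviours named in the Ransomware MOVEit pack.
Added example, not Devo's alert definitions or query language. Event field names
and every sample event below are constructed for this illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Rule:
    name: str                           # alert name as listed in the pack
    image: str                          # regex on the created process's basename
    command_line: str                   # regex on the full command line
    parent_image: Optional[str] = None  # regex on the parent's basename, when relevant

# Signature-style rules; every pattern is matched case-insensitively.
RULES: List[Rule] = [
    Rule("VolumeShadowCopyDeletion", r"^(vssadmin|wmic)\.exe$",
         r"(delete\s+shadows|shadowcopy\s+delete)"),
    Rule("RansomBehaviorShadowCopyDeletionAndResizing", r"^vssadmin\.exe$",
         r"resize\s+shadowstorage\b.*\bmaxsize="),
    Rule("BcdModificationRecoveryAndBootFailureSuppression", r"^bcdedit\.exe$",
         r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    Rule("StopWindowsServiceViaNet", r"^net1?\.exe$", r"^\S+\s+stop\s+\S"),
    # Assumption for illustration: a compiler launched by the IIS worker process
    # (w3wp.exe) hosting the MOVEit web application is the suspicious shape;
    # csc.exe under a developer tool is left alone.
    Rule("MoveitDynamicCompilationViaCscExe", r"^csc\.exe$", r".", r"^w3wp\.exe$"),
]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def evaluate_process_events(events: Iterable[dict]) -> List[dict]:
    """One hit per (event, rule) pair where image, command line and parent all match."""
    hits: List[dict] = []
    for ev in events:
        image, parent = _basename(ev["image"]), _basename(ev.get("parent_image", ""))
        for rule in RULES:
            if not re.search(rule.image, image, re.I):
                continue
            if not re.search(rule.command_line, ev["command_line"], re.I):
                continue
            if rule.parent_image and not re.search(rule.parent_image, parent, re.I):
                continue
            hits.append({"alert": rule.name, "host": ev["host"], "user": ev["user"],
                         "command_line": ev["command_line"]})
    return hits

def high_volume_file_deletion(file_events: Iterable[dict], threshold: int = 50,
                              window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Threshold rule: flag each (host, user) deleting >= threshold files inside one window."""
    by_actor: Dict[tuple, List[datetime]] = defaultdict(list)
    for ev in file_events:
        if ev["action"] == "delete":
            by_actor[(ev["host"], ev["user"])].append(ev["time"])
    hits: List[dict] = []
    for (host, user), times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append({"alert": "HighVolumeFileDeletion", "host": host,
                             "user": user, "count": end - start + 1})
                break  # one alert per actor is enough
    return hits

def _proc(host, user, parent, image, cmd) -> dict:
    return {"host": host, "user": user, "parent_image": parent, "image": image, "command_line": cmd}

SYS32 = r"C:\Windows\System32"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SVC = ("FILESRV01", "CORP\\svc_moveit", SYS32 + r"\cmd.exe")  # constructed compromised account
SAMPLE_PROCESS_EVENTS = [  # constructed; the BUILD01 and ADMIN01 events are benign
    _proc("MOVEIT01", "IIS APPPOOL\\moveitpool", SYS32 + r"\inetsrv\w3wp.exe", CSC,
          r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\example.cmdline"),
    _proc("BUILD01", "CORP\\dev", r"C:\Tools\devenv.exe", CSC, "csc.exe /noconfig /out:app.exe Program.cs"),
    _proc(*SVC, SYS32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _proc(*SVC, SYS32 + r"\vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    _proc(*SVC, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    _proc(*SVC, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    _proc(*SVC, SYS32 + r"\net.exe", 'net stop "SQL Server (MSSQLSERVER)" /y'),
    _proc("ADMIN01", "CORP\\helpdesk", SYS32 + r"\cmd.exe", SYS32 + r"\vssadmin.exe", "vssadmin list shadows"),
    _proc("ADMIN01", "CORP\\helpdesk", SYS32 + r"\cmd.exe", SYS32 + r"\net.exe", r"net use Z: \\fs01\share"),
]

_T0 = datetime(2023, 6, 1, 3, 15, 0)
SAMPLE_FILE_EVENTS = (  # constructed: 60 deletions in 30 s, then 12 spread over an hour
    [{"host": "FILESRV01", "user": "CORP\\svc_moveit", "action": "delete",
      "time": _T0 + timedelta(milliseconds=500 * i)} for i in range(60)]
    + [{"host": "WS042", "user": "CORP\\alice", "action": "delete",
        "time": _T0 + timedelta(minutes=5 * i)} for i in range(12)]
)

if __name__ == "__main__":
    for hit in evaluate_process_events(SAMPLE_PROCESS_EVENTS) + high_volume_file_deletion(SAMPLE_FILE_EVENTS):
        print(hit["alert"], hit["host"], hit["user"], hit.get("command_line", hit.get("count")))
```

Run stand-alone, it prints six signature hits (all from MOVEIT01 and FILESRV01; the helpdesk and developer events stay silent) and one threshold hit for the service account. The two rule styles differ in how they should be tuned: signature rules are refined by tightening the image, command line and parent conditions, while the threshold rule is tuned by the count and window, so baselining normal deletion rates per host class before enabling it avoids alert floods from backup rotation or build cleanup.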
Additionally updated alerts:
AzureUserLoginSuspiciousRisk
Available in the Azure Alert Pack & Valid Accounts Alert Pack
LinuxMaxSessionsPerUser
Available in the Linux Log-Based Threat Detection Suite Alert Pack & Valid Accounts Alert Pack
TLDFromDomainNotInMozillaTLD
Available in the Dynamic Resolution Alert Pack
WinAdminRemoteLogon
Available in the Windows Log Threat Detection Suite Alert Pack & Valid Accounts Alert Pack
Find them directly on Devo Exchange!