The Devo Threat Research Team has just released their November OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 15 new detections and a couple of updates to existing ones. This includes our first EDR detections!
EDR (Endpoint Detection and Response) telemetry is important to monitor because endpoints are used in every part of the business and frequently store critical information.
Updates to existing alerts:

Updated the alert to have an enhanced detection condition.

Fixed an error where the entity source IP was not properly mapped.
Details on the new detections released can be seen below:
Detects a successful RDP connection via the Hydra or Ncrack hacking tools. Data source: ids.bro.rdp

Detects actors utilizing the MS-LSAT Remote protocol to map security SIDs to user

Detects the creation or deletion of services via RPC remote administration. Actors may create or delete services to establish a greater foothold once inside a network. Data source: ids.bro.dce_rpc

Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (SAMR). Data source: ids.bro.dce_rpc

Detects the first seen SMB share for an entity. Adversaries may utilize SMB shares to transport files; while not inherently malicious, this event should be reviewed for legitimacy. Data source: ids.bro.notice

Detects interesting hostname login events. See the Bro/Zeek reference for context around interesting hostnames. Data source: ids.bro.notice

SecOpsBroHttpRequest: Detects HTTP requests that contain only a Data source: ids.bro.http

Detects servers responding via SSL or TLS services using self-signed certificates. Data source: ids.bro.ssl

Detects exploitation of the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641) allowing remote code

Detects instances of known Windows processes executing outside of standard directories. Malware authors often utilize masquerading to hide malicious executables behind legitimate Windows executable names. Data source: box.all.win

Detects DNS.EXE program spawning other

Detects suspicious command lines that may add an entry to /etc/sudoers with the NOPASSWD attribute on Linux platforms. This requires auditd to be installed and configured. Data source: box.unix

Falcon Overwatch has identified suspicious activity. This has been raised for your awareness and should be investigated as

An unsafe file is one that has attributes that greatly resemble malware. Data source: edr.cylance.threats

This detection is triggered when a user has performed an eDiscovery or exported a PST file with sensitive information.
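The masquerading detection above (known Windows process names executing outside of standard directories, data source box.all.win) is easy to get wrong on path handling alone. The following is an added example written for this post, not Devo's alert logic or any vendor code; the process list, the standard-directory list, the per-process override for explorer.exe and the sample events are all constructed assumptions that a real deployment would tune to its own baseline. It normalizes case, forward slashes and ".." components before comparing, so a path like C:\Windows\System32\..\Temp\lsass.exe is still flagged.

```python
"""Masquerading detection: a known Windows process name running from a
directory it does not legitimately run from. Added example, not Devo's
alert logic; all lists below are assumptions to be tuned per environment."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumed directories that well-known Windows binaries legitimately run from.
STANDARD_DIRS = {
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows",
}

# Assumed set of process names that malware commonly masquerades as.
KNOWN_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe",
    "winlogon.exe", "smss.exe", "rundll32.exe",
}

# Per-process override (assumption): explorer.exe normally lives in C:\Windows
# itself, so we restrict it more tightly than the generic list.
PROCESS_DIRS = {
    "explorer.exe": {r"C:\Windows"},
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed shape, not a real schema)."""
    host: str
    image: str   # full path of the executable that was launched
    parent: str  # parent process name
    user: str


def normalize(path: str) -> str:
    """Canonicalize a Windows path for comparison: backslashes only,
    '..' and '.' components resolved, trailing separator dropped, lowercase."""
    p = ntpath.normpath(path.replace("/", "\\"))
    return p.rstrip("\\").lower()


def allowed_dirs(exe: str) -> set[str]:
    """Directories the given executable name is allowed to run from."""
    return {normalize(d) for d in PROCESS_DIRS.get(exe, STANDARD_DIRS)}


def is_masquerading(event: ProcessEvent) -> bool:
    """True when the image name is a known Windows process but its directory
    is not one of the directories that process legitimately runs from."""
    directory, exe = ntpath.split(normalize(event.image))
    if exe not in KNOWN_PROCESSES:
        return False  # unknown binaries are out of scope for this rule
    return directory not in allowed_dirs(exe)


def detect(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, str]]:
    """Run the rule over a batch of events; return (event, reason) pairs."""
    hits = []
    for ev in events:
        if is_masquerading(ev):
            directory, exe = ntpath.split(normalize(ev.image))
            hits.append((ev, f"{exe} executed from non-standard directory {directory}"))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\svchost.exe", "services.exe", "SYSTEM"),
    ProcessEvent("ws01", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "explorer.exe", "alice"),
    ProcessEvent("ws02", r"C:\Windows\explorer.exe", "userinit.exe", "bob"),
    ProcessEvent("ws02", r"C:\Windows\System32\..\Temp\lsass.exe", "cmd.exe", "bob"),
    ProcessEvent("ws03", r"c:\windows\syswow64\RUNDLL32.EXE", "explorer.exe", "carol"),
    ProcessEvent("ws03", r"C:\Program Files\Vendor\app.exe", "explorer.exe", "carol"),
]

if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print(f"[{ev.host}] {reason} (parent={ev.parent}, user={ev.user})")
```

Running it flags two of the six constructed events: the svchost.exe copy in a user's Temp directory and the lsass.exe path that resolves to C:\Windows\Temp after ".." is collapsed. The mixed-case SysWOW64 rundll32.exe and the explorer.exe in C:\Windows pass, which is the point of normalizing before comparing: a rule that compares raw strings produces both false positives on case differences and misses on relative path components.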