Security Operations : Out of the Box Alerts Release 9

Related products: Security Operations

Hello All!

The Devo Threat Research Team has just released their November OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 15 new detections and a couple of updates to existing ones.  This includes our first EDR detections!   

EDR (End Point Detection and Response) is very important to monitor and detect because endpoints are used in all facets of the business and can be used to store critical information.

Read the full release notes in our Documentation portal!


[ Release notes 9

Alert analyzed/updated: 

Detection name 

Changes made


Updated the alert to have an enhanced detection condition.


Fixed an error where the entity source IP was not properly mapped.


Details on the new detections released can be seen below: 

Detection name 

Devo table/Data 

Detection description 


SecOpsBroRdpBruteFor ceSuccessHydraNcrack

Detects a successful RDP connection via 

Hydra or Ncrack hacking tools. ids.bro.rdp

SecOpsBroWinLsatUser Enumeration

Detects actors utilizing MS-LSAT Remote 

protocol to map security SIDs to user 

accounts. ids.bro.dce_rpc

SecOpsBroWinDceRpc eServiceCall

Detects the creation or deletion of services via 

RPC remote administration. Actors may 

create/delete services to establish a greater 

foothold once inside a network. ids.bro.dce_rpc

SecOpsBroWinDceRpc SamrEnumeration 


Detects actors enumerating user accounts in 

Active Directory via Security Account Manager 

Remote Protocol (SAMR). ids.bro.dce_rpc 

Detects the first seen SMB share for an entity. 

Adversaries may utilize SMB shares to 

transport files; while not inherently malicious, 


this event should be reviewed for legitimacy. ids.bro.notice


Detects interesting hostname login events. 

SecOpsBroSshInteresin gHostNameLogin 

See Bro/Zeek reference for context around 

interesting hostnames. ids.bro.notice 

SecOpsBroHttpRequest Detects HTTP requests that contain only a ids.bro.http


single header.

SecOpsBroSelfSignedC ert

Detects servers responding via SSL or TLS 

services using self-signed certificates. ids.bro.ssl

SecOpsWinMemoryCorr uptionVulnerability

Detects exploitation of Microsoft Office 

Memory Corruption Vulnerability 

(CVE-2015-1641) allowing remote code 


SecOpsWinFakeProces ses

Detects instances of known Windows 

processes executing outside of standard 

directories. Malware authors often utilize 

masquerading to hide malicious executables 

behind legitimate Windows executable names.


Detects DNS.EXE program spawning other 


SecOpsLinuxNOPASS WDSudoers 

SecOpsEDRCrowdStrik eOverwatchNotification 

SecOpsEDRCylanceSc oreUnsafe

Detects suspicious command lines that may 

add an entry to /etc/sudoers with NOPASSWD 

attribute in Linux platform. This requires auditd 

be installed and configured. box.unix 

Falcon Overwatch has identified suspicious 

activity. This has been raised for your 

awareness and should be investigated as 



An unsafe file is one that has attributes that 

greatly resemble malware. edr.cylance.threats

SecOpsO365PSTExport Alert

This detection is triggered when a user has 

performed an Ediscovery or exported a pst file 


with sensitive information. 




@juan.delrio Thank you for the info about Out of the Box Alerts Release 9.

I noticed this alert pack is the first one out of the bunch that links the release notes on Google Drive rather than the documentation page.  Is it possible to include the alert details on the Devo Docs documentation link?  Our organization blocks access to Google Drive so I can’t view the Release Notes without jumping through some hoops.  If Devo plans to publish future release notes on Google Drive I can work with out proxy team to get access but I just thought I’d ask first.

We’ll get that fixed for you!

I included the full release notes here for you as well @tkachouba 

Thanks @juan.delrio!  Very much appreciated!