See what's new in our product: check the updates below.
Devo Exchange has released the SecOpsFWAuthorized Lookup! It adds whitelisting functionality to your Devo Detections from the Security Operations application by allowing them to reference a list of permitted hosts, their associated users, and zone information, so that hosts and users that need to be whitelisted can be carved out of everyday alerts. This Lookup will lower your false positive rate when properly configured and help make your alerts more actionable.
Learn more from our Documentation page. Download directly from Devo Exchange.
Devo Exchange has released the new SecOpsAuthAuthorizedAccess Lookup. It adds more whitelisting functionality to your Devo Detections from the Security Operations application by allowing them to reference a list of permitted hosts, their associated users, and zone information within your authentication services. This can be used to carve out hosts and users that need to be whitelisted from everyday alerts, lowering your false positive rate when properly configured and helping make your alerts more actionable.
Learn more from our Documentation page. Download directly from Devo Exchange.
Devo Exchange has released the SecOpsWinPermittedLocalAccounts Lookup! It adds more whitelisting functionality to your Devo Detections from the Security Operations application by allowing them to reference a list of permitted accounts that your employees, users, or admins use on a regular basis. This Lookup will lower your false positive rate when properly configured and help make your alerts more actionable.
Learn more from our Documentation page. Download directly from Devo Exchange.
Devo Exchange has released a new Lookup for you! The SecOpsWinPermittedDomains Lookup adds whitelisting functionality to your detections by referencing a list of permitted domains. Using this Lookup will lower your false positive rate when properly configured and can help make your alerts more actionable.
Learn more in our Docs! Download now from Devo Exchange.
Note: This lookup requires Security Operations.
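The four whitelisting lookups announced above all work the same way: a detection joins its hits against a table of permitted hosts, users and zones and drops the matches. The following Python block is an added illustration of that logic, not Devo's code and not the real lookup schema; the field names, lookup rows and detection hits are constructed for the example, and it also includes the configuration check a practitioner wants, since a lookup that never matches (stale) or matches too broadly is what "when properly configured" is about.

```python
"""Applying an authorized-access allowlist lookup to detection hits.

Added illustration (not Devo's code and not the lookup's real schema): it models
how a lookup of permitted hosts, their users and zone information is used to
suppress expected activity from a detection. Field names, lookup rows and events
are constructed for this example.
"""
from collections import Counter

# Constructed lookup rows: a permitted host, a user allowed on it, and its zone.
AUTHORIZED_ACCESS = [
    {"host": "jump01.corp.example", "user": "svc_backup", "zone": "dmz"},
    {"host": "jump01.corp.example", "user": "alice", "zone": "dmz"},
    {"host": "build07.corp.example", "user": "ci-runner", "zone": "internal"},
    {"host": "legacy02.corp.example", "user": "oracle", "zone": "internal"},
]

# Constructed detection hits (say, "interactive logon outside business hours").
ALERT_EVENTS = [
    {"host": "jump01.corp.example", "user": "SVC_BACKUP", "src_ip": "10.1.1.5"},
    {"host": "jump01.corp.example", "user": "CORP\\alice", "src_ip": "10.1.1.9"},
    {"host": "jump01.corp.example", "user": "bob", "src_ip": "10.1.1.9"},
    {"host": "build07.corp.example", "user": "ci-runner", "src_ip": "10.2.0.7"},
    {"host": "build07.corp.example", "user": "ci-runner", "src_ip": "10.2.0.7"},
    {"host": "db03.corp.example", "user": "alice", "src_ip": "10.1.1.9"},
]


def normalize_user(user):
    """Strip a DOMAIN\\ prefix and lowercase so Windows-style names match lookup keys."""
    return user.rsplit("\\", 1)[-1].lower()


def build_index(rows):
    """Index lookup rows by (host, user). Matching on host alone would also
    suppress an unexpected account logging on to a permitted host, so both
    columns are part of the key."""
    return {(r["host"].lower(), normalize_user(r["user"])): r["zone"] for r in rows}


def apply_allowlist(events, index):
    """Split detection hits into those still worth alerting on and those the
    lookup marks as permitted (enriched with the zone for the analyst)."""
    kept, suppressed = [], []
    for ev in events:
        key = (ev["host"].lower(), normalize_user(ev["user"]))
        if key in index:
            suppressed.append({**ev, "permitted_zone": index[key]})
        else:
            kept.append(ev)
    return kept, suppressed


def allowlist_health(events, index):
    """Configuration check: hits suppressed per lookup row, so stale rows (zero
    matches) and overly broad rows (silencing most of a detection) stand out."""
    hits = Counter()
    for ev in events:
        key = (ev["host"].lower(), normalize_user(ev["user"]))
        if key in index:
            hits[key] += 1
    return {key: hits.get(key, 0) for key in index}


if __name__ == "__main__":
    idx = build_index(AUTHORIZED_ACCESS)
    kept, suppressed = apply_allowlist(ALERT_EVENTS, idx)
    print(f"{len(kept)} alerts kept, {len(suppressed)} suppressed by the lookup")
    for (host, user), n in allowlist_health(ALERT_EVENTS, idx).items():
        print(f"  {user}@{host}: {n} suppressed")
```

With the constructed data, bob on the jump host and alice on the database host still alert, while the stale legacy02/oracle row shows zero matches and is a candidate for removal.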
Devo Exchange has released a new lookup: the SecOpsDomestricCountries Lookup! You can reference this lookup of expected countries within your domestic space. Use it to lower your false positive detection rate; it is excellent for use in the impossible traveler scenario!
Learn more in our Docs! Download directly from Devo Exchange. Check out this Customer Use Case about the Impossible Traveler Scenario.
Note: This Lookup does require Security Operations.
Devo is proud to introduce DeepTrace with version 7.19, along with many requested improvements and fixes!

Geo Release Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents: Devo DeepTrace Integrations (SSO integration with Devo Platform, Search integration, Alert Integration, To learn more about DeepTrace); No Sending Policy; API Improvements (New API, PROBIO API improvements); NASS Improvements (Service Registry); Bug Fixes

Devo DeepTrace Integrations
This release adds integrations to the just-released DeepTrace product. There are three main integrations.

SSO integration with Devo Platform
You can launch DeepTrace directly from Devo Platform using Single Sign-On authentication.

Search integration
You can right-click on an event and select "Investigate in DeepTrace". You can also find it under the Tools menu.

Alert Integration
You can automatically investigate triggered alerts by defining this property in the new alert creation window. A new option in the Alerts definition window called "Auto-Investigate in DeepTrace" is now available.

To learn more about DeepTrace
Product Release post
DeepTrace Documentation Page
DeepTrace Interactive launch page
Video: New Alert capability

No Sending Policy
You can now create and define alerts that have no send policy.

API Improvements
New API: added for aggregation task management.
PROBIO API improvements: the PROBIO API now allows the downloading of MSSP certificates.

NASS Improvements
Service Registry: added the Service Registry feature in NASS; it provides a complete picture of all components deployed in an environment.

Bug Fixes
Bugs have been squashed in the Finder, Search, Lookups, Alerts, tables, NASS and OData! Full release notes are available in our Documentation.
Devo DeepTrace is Now Generally Available to Devo Customers

Introducing Devo DeepTrace! DeepTrace is an autonomous alert investigation and threat hunting solution that advances how security teams identify attacks, investigate threats, and secure their organization. With rapidly expanding attack surfaces and increasing amounts of data, today's SOCs face a never-ending stream of alerts while relying on manual investigative processes. This results in higher frustration levels and slower response times. Devo created DeepTrace to arm and empower you with the tools and insights needed to rapidly investigate alerts and proactively respond to threats. With DeepTrace, you will spend less time performing repetitive, manual tasks and instead focus on investigating the highest priority threats to your business.

How does Devo DeepTrace work?
Devo DeepTrace helps analysts identify the root cause of every attack. By performing autonomous alert investigation and threat hunting using attack-tracing AI, DeepTrace advances how you identify attacks and investigate threats. DeepTrace augments the work analysts do by building complete traces of suspicious activity detected across an organization's infrastructure, which relieves them of much of their mundane, repetitive work. DeepTrace AI enables you to trace the root of suspicious events and investigate alerts. DeepTrace builds traces that identify and isolate the root cause of every attack.

USE CASE: Autonomous Investigations
The challenge: the volume of data ingested by the SOC results in a deluge of alerts. Each alert requires manual, repetitive steps to understand, which can negatively impact response time and overwhelm the team.
The Devo DeepTrace solution: DeepTrace autonomously investigates suspicious events and alerts using attack-tracing AI. It identifies each step in the attack chain, providing a full, evidence-based timeline of the attack that you can leverage to nullify the threat. DeepTrace flags alerts that warrant further investigation.

USE CASE: Autonomous Threat Hunting
The challenge: proactively hunting for threats is a challenge due to limited team capacity. The analysts on the team with the most advanced skills must perform iterative manual threat hunting.
The Devo DeepTrace solution: DeepTrace helps threat hunters quickly construct and configure new hunts that map to MITRE ATT&CK framework tactics and techniques. Once refined and validated with the use of autonomous investigations, these can be converted into new cadence-based threat detections. DeepTrace enables the creation of new threat detection signals and alerts.

USE CASE: Optimized Incident Response
The challenge: given that an intrusion's average dwell time can be months, analysts need to mine through petabytes of telemetry data over a period of weeks to fully understand what the adversary has done and where they have been throughout the organization.
The Devo DeepTrace solution: Devo DeepTrace harnesses the organization's endpoint log data to perform retroactive hunts that find attacks and malicious activity. Once an actual attack is identified, DeepTrace produces interactive traces and reports documenting the attacker's footsteps. DeepTrace produces a graphical, interactive story that documents the attacker's footprint across the entire organization.

Interested in learning more about DeepTrace? Contact your CSM today to start your journey and request a demo of DeepTrace.

Additionally, you can learn more here:
Devo DeepTrace Interactive Experience
Devo Documentation
Community Content:
Anatomy of a Trace → An all-encompassing guide to "traces," the key foundational element of Devo DeepTrace
AI Assisted Hunting → Everything you need to know about hunting in DeepTrace
How to Reduce Manual Investigative Processes with DeepTrace
How to Trace Every Attack from Start to Finish with DeepTrace
New Endpoint Agent is now available!

What's in this release:
New version of the osquery agent, based on osquery 5.7.0
Support for Alma Linux 8 and Alma Linux 9
Support for Amazon Linux 2

OS supported as of v1.4.0: Red Hat 7, Red Hat 8, Alma Linux 8, Alma Linux 9, Ubuntu 20, Ubuntu 22, Amazon Linux 2
Deprecated OS: Debian 9, Debian 10, CentOS 7, Ubuntu 18
EA Manager may still work correctly on deprecated OSs, but only supported ones are used to certify new releases. Use of a supported OS is recommended to ensure a smooth deployment process.

Bug Fixes
DEA deployment failed in Ubuntu 20 due to an old python3-openssl package dependency.
Agent packages were unavailable via nginx if some parent paths were not created with access for "other" by default.
Permissions fixed during deployment for secret folders.
The Devo Exchange team is proud to present version 1.4 of the Content Marketplace! This release comes with major features as well as many improvements.

Table of Contents: Content Submission Tool; Alerts installed in OFF mode; Tags Reorder; Resilience in Exchange; Bug Fixes

Content Submission Tool
Yes, you can share the content you create with your peers! You can find the Content Submission tool at the top right of the Devo Connect main page. Watch the video!
Types of content you can share: Activeboards, Applications, Alerts, Lookups, Synthetic Data.
Once you share your content, the team will review it, recreate it in a shareable form if need be, and publish it for you!

Alerts installed in OFF mode
A popular user request: alerts are now installed in OFF mode. Users wanted to change parameters, policies and delivery methods before activating alerts. Now you can!

Tags Reorder
Main category tags have been reordered for better discoverability. All the subcategories and tags have been reviewed, with new categories added to increase discoverability.

Resilience in Exchange
Management of API errors is greatly improved. Exchange can manage errors from external APIs. Error notifications will be available at the top right!

Bug Fixes
Fixed filter selection.
Fixed search acting on blank: sometimes when you searched for part of a word and then deleted it, the search attempted to filter by blank.
Improved image handling.
Improved design handling on lower resolutions.
The Devo Exchange team has released the Google Cloud Platform (GCP) Cloud Audit Activeboard! This Activeboard summarizes information about the most relevant fields contained in GCP Cloud Audit log entries related to audited API calls to GCP services for a selected period of time. If you are using Google Cloud Platform in your environment, download this Activeboard!
Find this Activeboard on Devo Exchange! Learn more about this update on Devo Docs!
The Devo Exchange team has released a new Lookup that will provide you with an up-to-date list of embargoed countries to enrich your data with and help you filter out the noise from attacks originating from the countries on this list.

Embargoed Country Data
The lookup pulls information from different government sources, predominantly from the Export Administration Regulations (EAR) department, and is limited to the United States of America. You can modify the information to adapt it to your particular company's needs based on the information provided for each region.

What is EAR?
The Export Administration Regulations (EAR) are a set of regulations found at 15 C.F.R. § 730 et seq. They are administered by the Bureau of Industry and Security, which is part of the US Commerce Department. The EAR regulates exports and export restrictions: whether a person may export something from the U.S., re-export something from a foreign country, or transfer something from one person to another in a foreign country. The EAR apply to physical objects as well as intellectual property such as technology and software.

Can I use this Lookup if I do not use Security Operations?
Yes! This lookup started in Security Operations but has been made available to all our clients, independent of Security Operations.
Download from Devo Exchange. Learn more in our Documentation.
The Devo Exchange team has released a new version of the MITRE ATT&CK Adviser today. This release brings you new functionality in the form of the Enterprise filter.

Enterprise Filter
This new filter allows you to check your alert coverage per enterprise, similar to how you can do this on the MITRE website.

If you haven't downloaded the MITRE ATT&CK Adviser, what are you waiting for?! Download from Devo Exchange. If you have already installed the MITRE ATT&CK Adviser, you already have the latest version! Try it out and let us know what you think!
Devo Exchange has released a new Use Case: Windows Activity simulating a complete DoS attack. Use Cases use synthetic sample data to generate events in real time. You can download the complete Use Case or the individual components of the Use Case if you find that useful.

What's in this Use Case?
Content | Name | Type
Injector | Injection for Windows Activity AB | Synthetic data
Receptor | Windows Activity Monitoring | Activeboard

Download now on Devo Exchange. Learn more on Devo Docs.
Devo Exchange has released a new Use Case, this time for IDS Suricata data. Use Cases use synthetic sample data to generate events in real time. You can download the complete Use Case or the individual components of the Use Case if you find that useful.

What's in this Use Case?
Content | Name | Type
Injector | Injection for Suricata IDS AB | Synthetic data
Receptor | Suricata IDS Attacks Overview | Activeboard

Download now on Devo Exchange. Learn more on Devo Docs.
The Devo Threat Research Team has just released their January OOTB Alerts for you! This release, available now from the Security Operations Content Manager, brings the total of OOTB Alerts to a whopping 480! With this release the team added proxy and Windows detections, providing more coverage for the following MITRE tactics and techniques:

MITRE Tactic | MITRE Technique
Execution | System Services
Command and Control | Application Layer Protocol
Command and Control | Ingress Tool Transfer
Defense Evasion | Valid Accounts
Collection | Data from Local System
Defense Evasion | Masquerading
Exfiltration | Exfiltration Over Web Services
Exfiltration | Exfiltration Over Alternative Protocol

These alerts were created with our new research process, which should decrease false positives and allow for more actionable alerts. Read the full release notes here!

Sample of 5 alerts included in this release:
SecOpsOutboundTrafficToDeviceFlaggedAsThreat - A record flagged a destination host from a threat intelligence match list.
SecOpsLolbinDatasvcutil - Detects a potentially malicious execution of the DataSvcUtil binary.
SecOpsWinSensitiveFiles - Detects a new process which involves a Windows local system sensitive file.
SecOpsWinTFTPExecution - Detects a potentially malicious execution of TFTP.
SecOpsWinWebclientClassUse - Detects a potentially malicious WebClient method execution.
Hello Everyone! The team is happy to present Devo Platform Release 7.18, which includes a ton of Activeboard and user interaction improvements and features!

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of contents: ActiveBoard Updates (Scheduled Reports (PDF), Query Optimization); User Experience Improvements (Table Widget, Heatmap / Markersmap Widget); Notable bug fixes
View the full documentation of this release here.

ActiveBoard Updates
Scheduled Reports (PDF)
Check out the launch video describing this feature! Each Activeboard can have its own unique schedule. Future releases will let you schedule multiple Activeboards at once. Scheduled Reports functionality is available from View and Edit modes as well as from the web and the Activeboards API. New UI and notifications support Scheduled Reports. New role permissions for Activeboards Report Schedule.
Query Optimization
You can now optimize your Activeboard queries with aggregation tasks directly from the Activeboard UI. New UI indicates when an Activeboard query can be accelerated with an aggregation task.

User Experience Improvements
Table Widget
Added a new "Align Items" field that allows left, right or center alignment of data. Added column data type and column name. Improved readability of null values.
Heatmap / Markersmap Widget
Improved readability of the Type field.

Notable bug fixes
Fixed Timelapse widget timezone being ignored in some cases.
Fixed Activeboard "Snap to" operations ignoring timezone in some cases.
Fixed missing heading with the Pie/Donut widget.
Fixed in Data → Free text query: the draggable button sometimes remained enabled.
Devo Relay 2.3.0 has been deployed in all environments! This release has a selection of core and background improvements to Devo Relay, resulting in a marked increase in speed.

Table of Contents: New Feature (Multiple output connections)

New Feature
Multiple output connections
We have made improvements to the NG Relay sending engine. Devo Relay now allows data to be sent via multiple sockets, so it can maximize usage of server resources, improving the number of EPS supported by a single Relay.
The Devo Threat Research Team has just released their December OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 39 new Windows detections, 1 additional Office 365 alert and 9 updated Alerts. The team also made great progress in updating older detections, updating 76 Alerts to match our current schema and documentation. These alerts have the same power as before but now integrate better with our other Devo products. If you use the MITRE Attack Advisor App, or like to edit your alerts in Loxcope, these detections now seamlessly integrate with those products. They have also been updated to work better with our SecOps enrichments like the SecOpsAlertDescription lookup, and can now accurately show the MITRE tactics and techniques associated with the alerts. Read the full release notes here.

Sample of 5 alerts included in this release:
SecOpsWinRegistryModificationHideSCAPower - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
SecOpsWinRegistryModificationHideClockGroupPolicyFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
SecOpsWinActivateNoCloseGroupPolicyFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
SecOpsWinRegistryModificationNoFindGroupPolicyFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
SecOpsWinRegistryModificationDisableLockWSFeature - Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Devo is proud to present Devo SOAR.

What's going on?
Devo SOAR has been released, and, in a first for Devo, a product trial is now available as well!
How do I get my hands on it?
Visit the Devo SOAR Trial page.
I got the trial, now what?
Visit Devo Connect's SOAR How-to's to get started! Post your question in the Community section and let us know how we can help! Experts and peers are here to answer all your questions.
OMG, I love it! I need this, who can I contact?
That's great! Visit the Trial page; for the interest question select "I have an immediate need", then make sure you check the box to be contacted by the Sales team and they will get you started. As always, let me know how we can help, whether you need a particular tutorial or have any questions!
Hello Everyone! The Relay team brings you exciting new capabilities in this update!

Table of Contents: New Features (Relay API on Internet); Miscellaneous

New Features
Relay API on Internet
The Relay API is now exposed to the internet, allowing you to programmatically operate on relay configurations. Permitted operations:
Activate relay
De-activate relay
Get relay configuration
Modify relay configuration
Get relay rules
Create relay rules
Modify relay rules
Delete relay rules

Miscellaneous
"relay-" prefix deprecated - As part of the API exposure work, the identifier for relays has changed and none of the relays have the prefix "relay-". This doesn't have any impact on existing deployments other than relay names showing up without that prefix.
Enhancement to "show config" - We have added the relay version number to the "show config" command.
All of Devo is happy to present Devo Platform release 7.17. This December release comes with two goals: we added two new user-facing functionalities to the platform, and we made important internal improvements that give the platform greater scalability, uniformity and maintainability.

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents: New Features (Data Search, X.509 Certificates); Improvements (Lookups, Data Search); Deprecated; Bug Fixes (Activeboards, Alerts, Roles, Data Search)

Note: EU users are benefiting from a double upgrade, as all the upgrades in 7.16 are now available to you first!

New Features
Data Search: A new filter allows you to search for a keyword inside the entire raw event. You can search for a keyword in any of the event fields, and it is available in both view modes.
X.509 Certificates: A new column named "Expiration date" is now available. This makes it easier to see if the generated certificates are close to expiration.

Improvements
Lookups: Some Lookups can remain in "Updating" status for a long time; you can now refresh a lookup that has been updating for more than 1 hour. The lookup will then change back to "Available".
Data Search:
Sensitivity Filter - We've removed the "Sensitivity" filter from the "Create field" and "Filter" tabs in the Operations over fields form.
Regular Expressions - Functions that require any of their arguments to be regular expressions can now take "regexp" and "str" types.

Deprecated
LINQ Operation - MaxMind GeoIPv1 operations are now deprecated. We ask you to use MaxMind GeoIPv2 operations instead.

Bug Fixes
Activeboards
Empty Table Widgets - There was a case where the Table widget's visual tab displayed an empty screen and generated console errors. This only occurred following a specific sequence of steps with a grouping query when it returned no events before the grouping clause.
Ambiguous Table Widget entries - There was an issue with the Table widget displaying ambiguous values in the exported CSV file when the column values contained commas.
Alerts
XSS - It was possible to insert cross-site scripting in alert annotations. From now on, XSS isn't allowed.
Roles
Permissions pop-up - The pop-up info message for permissions displayed the text without proper margins.
Data Search
Copy Field Names - In List view, if you selected a whole event and copied it, regardless of the values of the "Show field names" and "Show null values" toggles, the field names were always missing and the null values were always shown.
Selecting Events - In List view, with the "Show field names" toggle off, it wasn't possible to select events.
Copying Event - In List view, selecting and copying part of an event wouldn't always result in the copied text matching the selected text.
Expanding Query Editor - If the Query editor was embedded, there were problems expanding it when clicking on it. This was notably problematic because the button to run the query is hidden until the editor is expanded.
Query Editor Reset - There was a problem with the Query editor resetting when the user clicked on the realtime button.
Group By Error - When a user grouped a query by a non-existent field, the Query editor wouldn't react. From now on an error will be displayed with the aforementioned field underlined in red.
Extracting multiple fields - If you opened the JSON parser and selected a number of fields to be extracted, the parser would only extract the first selected field.
Editing nested breadcrumbs - When editing a breadcrumb that has nested operations, if said breadcrumb didn't fit in the "Operations over columns" form, then the query editor wouldn't open.
Sub Filter Blank - There was a case where, if you ran a second filter, you would get a blank screen. This was because the first filter was applied to a non-asterisk field.
No Operation Called error - Existing Lookups were randomly failing in queries, with the error message "No operation called lu/<Lookup_name>/<Lookup_field>".

Link to Release 7.17 Documentation page
A new Alert Pack has been released on Devo Exchange!

Alert Pack: AWS
This out-of-the-box alert pack brings you alerts that can help you quickly obtain coverage of your AWS environment. This alert pack contains over 50 alerts! The Security Operations application is not required for this pack. However, if you do have the Security Operations application, you can download these alerts from the Content Manager and benefit from additional data enrichments.
Learn more in our Documentation Portal! Download directly from Devo Exchange!

Here is a sample of 5 of the alerts included in this pack:
SecOpsAWSCreateaccesskey - This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.
SecOpsAWSUpdateloginprofile - A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user whose login profile has been updated.
SecOpsAwsRoleCreated - Detects actions taken to create new IAM roles in AWS.
SecOpsAWSIAMPolicyAppliedToRole - It was detected that a policy has been attached to a role. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.
SecOpsLog4ShellVulnerabilityCloudAWS - Checks for attempts to exploit CVE-2021-44228, also known as Log4Shell. The query contained in this alert can generate high volumes of events due to the nature of the attack pattern. Tuning the alert to your environment is recommended.
A new Alert Pack is available on Devo Exchange!

Alert Pack: Credential Access
This out-of-the-box alert pack bundles critical alerts that can help detect when an adversary has been using the Credential Access MITRE tactic (TA0006) and has tried to use keylogging or credential dumping methods to access your systems.

What is Credential Access?
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
Learn more in our Documentation Portal! Download directly from Devo Exchange!

Here is a sample of 5 of the new alerts:
SecOpsPanAuthFailMultipleUserSingleIP - Detects brute force attacks via the Palo Alto firewalls. A source IP address attempted and failed to authenticate multiple times while providing multiple usernames.
SecOpsGCPSecretsManagerHighActivity - An attacker could be attempting to access, or modify, the Secret Manager service.
SecOpsAWSSamlAccess - This search provides specific information to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or cloud provider.
SecOpsAwsGetSecretFromNonAmazonIp - Detects a GetSecretValue action where the source IP does not belong to an Amazon instance IP space.
SecOpsWinDcShadowDetected - Detects usage of the Mimikatz LSADUMP::DCShadow module. Attackers can temporarily set a computer to be a domain controller and make Active Directory updates.
Devo Exchange has released a new Activeboard for you to get more out of your data!

User Activity
The Devo Web Activity Monitoring Activeboard allows you to monitor Devo web activity for all users in your Devo domain. With it you can track:
User logins, location, activity, change of role, etc.
Alert changes and edits
Relay, Lookups, Aggregation tasks, Synthesis Tables and Reinjection activity
You will find this Activeboard full of useful widgets that will give you a complete picture of Devo web activity. Download it now!
Download directly from Devo Exchange. Learn more at our Devo Documentation Portal.
Hello All! The Devo Threat Research Team has just released their November OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 15 new detections and a couple of updates to existing ones. This includes our first EDR detections! EDR (Endpoint Detection and Response) is very important to monitor and detect because endpoints are used in all facets of the business and can be used to store critical information. Read the full release notes in our Documentation portal!

Alerts analyzed/updated:
Detection name | Changes made
SecOpsWinWmiExecVbsScript | Updated the alert to have an enhanced detection condition.
SecOpsWinWmiScriptExecution | Fixed an error where the entity source IP was not properly mapped.

Details on the new detections released can be seen below:
Detection name | Detection description | Devo table / data source
SecOpsBroRdpBruteForceSuccessHydraNcrack | Detects a successful RDP connection via the Hydra or Ncrack hacking tools. | ids.bro.rdp
SecOpsBroWinLsatUserEnumeration | Detects actors utilizing the MS-LSAT Remote protocol to map security SIDs to user accounts. | ids.bro.dce_rpc
SecOpsBroWinDceRpceServiceCall | Detects the creation or deletion of services via RPC remote administration. Actors may create/delete services to establish a greater foothold once inside a network. | ids.bro.dce_rpc
SecOpsBroWinDceRpcSamrEnumeration | Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (SAMR). | ids.bro.dce_rpc
SecOpsBroSmbFirstSeenShare | Detects the first seen SMB share for an entity. Adversaries may utilize SMB shares to transport files; while not inherently malicious, this event should be reviewed for legitimacy. | ids.bro.notice
SecOpsBroSshInterestingHostNameLogin | Detects interesting hostname login events. See the Bro/Zeek reference for context around interesting hostnames. | ids.bro.notice
SecOpsBroHttpRequestSingleHeader | Detects HTTP requests that contain only a single header. | ids.bro.http
SecOpsBroSelfSignedCert | Detects servers responding via SSL or TLS services using self-signed certificates. | ids.bro.ssl
SecOpsWinMemoryCorruptionVulnerability | Detects exploitation of the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641) allowing remote code execution. | box.all.win
SecOpsWinFakeProcesses | Detects instances of known Windows processes executing outside of standard directories. Malware authors often utilize masquerading to hide malicious executables behind legitimate Windows executable names. | box.all.win
SecOpsWinDnsExeParentProcess | Detects the DNS.EXE program spawning other processes. | box.all.win
SecOpsLinuxNOPASSWDSudoers | Detects suspicious command lines that may add an entry to /etc/sudoers with the NOPASSWD attribute on the Linux platform. This requires auditd to be installed and configured. | box.unix
SecOpsEDRCrowdStrikeOverwatchNotification | Falcon Overwatch has identified suspicious activity. This has been raised for your awareness and should be investigated as normal. | edr.crowdstrike.falcon
SecOpsEDRCylanceScoreUnsafe | An unsafe file is one that has attributes that greatly resemble malware. | edr.cylance.threats
SecOpsO365PSTExportAlert | This detection is triggered when a user has performed an eDiscovery or exported a PST file with sensitive information. | cloud.office365.management