Product Updates

The Devo Exchange team just made available the Devo 360 for CrowdStrike application! This is a pre-built collection of activeboards and alerts that deliver real-time visibility and expedites analysis of Devo users' entire CrowStrike infrastructure!If you use CrowdStrike in your environment, you should absolutely check this out! Full details in our Documentation Download directly from Devo Exchange!  

Devo Exchange Team brings you a new Devo 360 application! Devo 360 for Palo Alto brings you a collection of pre-built activeboards and alerts that deliver real-time visibility and expedites analysis of Devo users’ entire Palo Alto environment. This Application automatically aggregates Palo Alto threat definitions for use by the Devo Platform to optimize resources and detect threats. This increases analysts’ efficiency and reduces fatigue as they address alerts.See the full release notes and guides in our Documentation Download directly from Devo Exchange If you do not have Security Operations, you can still use this Application!  The team has made available the individual alerts in these modules.  Install them first!Secops Alert Description Secops Location Secops GWL SecOpsAssetRole

The MITRE ATT&CK Advisor has been updated to version 1.2!  I love this tool and it is the main element in my Attack Analysis features, so I hope you are as excited as I am!New Features! Sub-Techniques Install Alert Multiple Tactics & Techniques Deep dive into Sub-TechniquesNew Features!Sub-TechniquesYou can now view sub-techniques within the matrix to understand where more coverage can be added.Install AlertNew ability to take action directly from the application to improve coverage.Multiple Tactics & TechniquesYou now have the ability to have coverage go from a single alert to multiple techniques. Deep dive into Sub-TechniquesSub-techniques have been added to the application for informational purposes within the MITRE ATT&CK Matrices that are displayed within the application.  The new display enables users to understand more about the sub-techniques behind the parent techniques and identify areas where additional protection for their organization might be required.  MITRE ATT&CK Techniques outline a particular way to achieve the goal of a Tactic.  A MITRE ATT&CK Technique may also include Sub-Techniques.  These are particular ways to carry out the action outlined in the parent Technique.  For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four Sub-Techniques: Password Guessing Password Cracking Password Spraying Credential Stuffing All of these Sub-Techniques are ways to carry out the main Technique (i.e. a brute-force password guessing attack), but take advantage of different mechanisms to do so.See the full details in our Documentaiton! Download the MITRE ATT&ACK Advisor directly from Devo Exchange

 One of the many tools included​​​The Devo Exchange team presents Devo 360 for AWS, a collection of pre-built knowledge base of dashboard & alerts that deliver real-time visibility and expedites analysis of Devo users' entire AWS infrastructure.This application brings centralized insights to an array of AWS security products including:CloudTrail CloudWatch S3 VPC Security HubLearn the full details in our Documentation ! Download directly from Devo Exchange now! If you do not have Security Operations, you can still use this Application!  The team has made available the individual alerts in these modules.  Install them first!Secops Alert Description Secops Location Secops GWL SecOpsAssetRole 

As part of Devo Platform Release 7.16, Flow recieved some new features and updates!   Flow is Devo’s powerful correlation engine, this update will help you work faster and smarter!New Features Add unit from workspace Add time zone in DevoSource Improvements New Menu Toolbar Additional Improvements New FeaturesAdd UnitAdd unit from workspaceYou can now right click on your workplace and add units through the new dropdown menu that appears.  You can also search for a specific unit from the list using the new search bar. Add Time ZoneAdd time zone in DevoSourceNew time Zone field in DevSource unit.  Choose from the drop down to select the desired time zone.ImprovementsNew Menu ToolbarAll of Flow’s options are not grouped together under the new File and Edit Dropdowns including the NEW Zoom option and status Icon.Additional ImprovementsEach flow now has a default canvas before you add any units. The welcome page has been tweaked, with a new icon on the header page and links to useful resources added. Create the endpoints to read the templates. Changes to the format of tabs. We’ve improved the REST API documentation. New template endpoints added to the Flow load balancer. Check Devo Platform Release 7.16 post for updates on availability in your Geo!

Devo Documentation team has updated to include past release notes on all our releases.   This is useful information for historical knowledge and provide a great reference point for the evolution of your favorite Devo Features! Enter the Release notes section of Devo Docs!  You can also reach the past release notes directly for each of the following Feature Products.Devo Platform Release NotesFlow Release NotesRelay Release NotesService Operations Release NotesSecurity Operations Release NotesEndpoint Agent Release NotesExchange Release Notes Thank you Docs team!

We are very proud to announce Devo Platform Release 7.16 with two long awaited and requested features! Region Status CA Released US Released EU Rolled into 7.17 APAC Released  New Features Data Search: List View Data Search: New Smart Query Code Editor Data Search: New Copy Option Application: Auto Admin Role  New Features Data Search: List ViewList View!This alternative data view displays information of an event as a list of keys and values known as pills.  This new view displays the information in two columns: the eventdate and the list of keys and values.  You can freely switch between both views with a speed that must be experienced!See this new view in use in this short video! Data Search: New Smart Query Code EditorSmart Query BuildingWe have simplified the task of writing LINQ queries with this new smart editor.  As you type it will autocomplete table names, field names and much more! Building a search will be easier, faster and more convenient than ever! Data Search: New Copy OptionNew Copy OptionsBoth Tabular and List views can take advantage of new copy options when you right click on the data.  You can see it in action here in this video.New Copy functions in Action! Application: Auto Admin RoleThis quality of life improvement will apply admin role to any new applications installed automatically.  Previously it was necessary to assign the the role manually. Additional Improvements to the UI, and Bug Fixes can be found in the full release notes.Documentation page for 7.16 full release notes Let us know what you like about this release!

Hello Everyone!   SecOps version 3.7.1 has been released with some great quality of life updates!  Lets take a look!Check out the full details in our Documentation Page. Region Status CA Released US Released EU Released APAC Released  Note: SightingDB has been depreciated and removed due to limited usage of this enrichment. It is no longer shown in settings. Key FeaturesImpact Calculation Multiple Priority Selection Bulk Changes in Alert Status Impact CalculationYou can now disable Impact Calculations to improve performance. Multiple Priority SelectionYou can now select two or more priorities at the same time to filter alerts! Bulk Changes in Alert StatusYou can now change the status of a given alert group, including Add to Investigation & Change Status actions.  And more importantly Closed Status! Enjoy!

Hello All!The Devo Threat Research Team has just released their October OOTB Alerts for you! This release, available now from the SecOps Content Manager, provides 13 new Linux, Mimecast and Google Workplace out-of-the-box detections.One alert has been updated as well!Get the full details in our Documentation Page! Devo is committed to providing high quality alerts for all customer environments.  In our upcoming release we will continue to take a closer look at some of our more “noisy” alerts and tune them to help with performance.  

Devo Exchange has a new content type called Use Cases. Use Cases combine a data injection with an Activeboard or Alert to reproduce a particular use case.  You can use it to gain experience, fine tune your alerts and increase your workflow efficiency.Watch the Use Case Launch Video! Each component of a Use Case can be downloaded separately as well if you have your own data already or want to test your own Activeboard creations. Launching with 3 initial use cases,  the team will be updating this section of Devo Exchange with more use cases in the future.  Please let us know if you have a use case you want them to create!Denial of Service Use Case McAfee Monitoring Use Case Port Scan Use CaseDenial of Service Use CaseA Denial of service attack (DoS) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. This Use Case includes a Firewall Data Injection for DoS and the DoS Detection Alert Pack. Download it from Devo Exchange! McAfee Monitoring Use CaseGet experience with the McAfee Activeboard in this Use Case.  This use case allows you to visualize the full McAfee Activeboard, gain experience and see where to fine tune your reporting.This Use Case includes Proxy data Injection for McAfee and the Proxy McAfee Monitoring Active Board.Watch the Guided tour! Download it from Devo Exchange!  Port Scan Use CaseA port scan is a common technique hackers use to discover open doors or weak points in a network. A port scan attack helps cyber criminals find open ports and figure out whether they are receiving or sending data. It can also reveal whether active security devices like firewalls are being used by an organization. This Use Case includes a Firewall Data Injection for Port Scan and Port Scan Detection Alert Pack.Download it from Devo Exchange! Please let us know if you have a use case you want the team to create!

The Endpoint Agent monitoring Activeboard provides visibility of the data received from the Endpoint Agent fleet deployed in your environment. The Endpoint Agent solution builds on top of Osquery and FleetDM, and providing real time visibility and rich information that span through configuration, execution status or performance. The Activeboard implements four use cases:  Fleet overview: Active of endpoints and managers, configuration and status Data retrieval processes: Configured packs, queries and associated ingestion data (events, volumes, etc.) Alerts: Summary of alerts triggered on Endpoint Agent data Endpoints status drill-down: latest events and configuration details  The Activeboard is configured to generate a consolidated view of the agents fleet, but also permits a highly granular access to the data through the usage of multi-criteria filtering options. Download now from Devo Exchange!

The Devo Exchange Team in collaboration with Devo’s SciSec Team have published a new Alert Pack as part of the coordinated response to the ProxyNotShell 0-Day Vulnerability in Microsoft Exchange.This pack contains 3 Alerts hand crafted by the SciSec Team to check your environment for this dangerous exploit. These areSecOpsProxyNotShellHashIoc SecOpsProxyNotShell SecOpsProxyNotShellIpIocDownload this Alert Pack directly from Devo Exchange. Learn more about This Alert pack in our docs! Additional Resources Devo SciSec Team Blog on ProxyNotShell.MITRE ATT&CK Analysis on this type of attack

New ActiveBoard released in Devo Exchange! Firewall MonitoringThis Activeboard is based on firewall.all.traffic table and allows you to analyze and monitor firewall traffic logs from different angles. In this activeboard you will be able to:Get data insights about Action, Protocol, Source Zone, Source IP, Source Port, Device Name, Application, Destination Zone, Destination IP, Destination Port and you will be able to filter the widgets by those Track Traffic Volume and Actions Have access to Traffic Reputation heatmaps by Source and Destination Compare the top 10 connections by source IP, the top 10 data volume for each source IP and each destination IP, and the top Talkers by connection and by data transfer... Get details about the most used Firewall rules Analyze denied firewall traffic and most rejected source IPsNote:  This Activeboard processes a large amount of data.  It is highly recommended you use aggregation tasks to speed up loading and processing.  Learn more here: https://docs.devo.com/space/latest/95207931/Manage+widgetsDownload it today! Download directly from Exchange. How to install Exchange content.

We are pleased to announce the Devo Platform Release 7.15 is now starting to roll out to all Geos!   We have a lot of great stuff in this release, so lets go over it all.  See the full release notes in our Docs here. Currently Available in :Region Status CA Released US Released EU Released APAC Pending  Multitenancy Data Access across domains Activeboards gets New Widget and API New Timelapse Widget: Timelapse Query Activeboards API: Additional Activeboard Updates Copying Widgets to other Activeboards New Predefined Global Variables Usability Improvements User Identification via email addresses Improved Activeboard role-sharing reporting New Relay API: New Provisioning API Methods Advanced password processing: Also in this ReleaseMultitenancy Data Access across domainsThe Devo Platform’s multitenancy capability enables users to centrally provision, monitor, manage, and query an unlimited number of tenants. MSSPs and large enterprises can maintain complete visibility into the data they manage while safeguarding its privacy and security, maintaining the residency and compliance requirements of their data.Watch this video to learn more about Devo’s multitenancy capability. Activeboards gets New Widget and APINew Timelapse Widget:Timelapse in action The Timelapse widget gives users the ability to capture data across specific timeframes. Users can graphically compare different time ranges in one data series, which helps them visually analyze and predict behaviors, improving incident detection and resolution times.Watch this video for a more detailed description of how it works. Timelapse QueryThe timelapse query defines the series to be analyzed. The query consists of a timestamp column, the event time reference, and a numeric column containing the value to be compared.  Activeboards API:Devo users can now build and export Activeboards via a web-based REST API, which enables customization and portability. Users can quickly share Activeboards and generate reports, increasing productivity and improving customer satisfaction. View all the details in our Docs. Additional Activeboard UpdatesCopying Widgets to other ActiveboardsUsers now can copy a widget into a clipboard and paste it into the same Activeboard, a different Activeboard, or another program as configurable text.New Predefined Global Variables The Activeboard language contains the following variables, which are helpful for widget queries. Domain_name Domain_id User_name User_email User_id Activeboard_name Activeboard_id Locale Timezone Isolated  Usability Improvements User Identification via email addressesUsers are now identified in the Activeboard manager by their email addresses. This simplifies administration capabilities since email names are unique.Improved Activeboard role-sharing reportingAdministrators can now view and set permissions that enable users to view and edit Activeboards across predefined roles in the organization. New Relay API:Users can access relays via a REST API to manage relays and check their status. This gives users access to relays without having to log into the Devo domain. Additionally, users can use the API to clone relay rules from one domain to another, which improves efficiency.Read more about the Relay API in our Docs. New Provisioning API MethodsDevo has added new methods in the Provisioning API. This is meant to make administering multiple domains easier for MSSPs. Now users can manage domain limits and domain preferences via API using: Manage domain limits: user limits, cert limit, key limit Manage domain preferences: Generic preferences: default language, session expiration timeout Data search preferences: real-time ON/OFF, default time frame, default case sensitivity Advanced password processing:Improved complexity requirements have been added for new passwords. These updated validation rules apply when recovering, changing, or setting new passwords, which improves the security of your Devo domain. Also in this ReleaseDevo Platform Release 7.15 also contains new Activeboards features such as enhanced user identification, improved data formatting, and additional accessibility settings, which enhance usability and boost productivity.  See the full release notes in our Docs here.

The Security Operations team is happy to announce the release of version 3.4 of the Security Operations Application for the Devo Platform.Region Status CA Released US Released EU Released APAC Released  Primary focus for this release has been on bug fixes, as well as accelerating the retrieval of the results in the Associations workbench between events and reducing the amount of latency in visualizing the information requested. This is the first of the many backend improvements planned by SecOps to provide the SOC team with the right capabilities to perform their job quickly and efficiently. Full Release notes available in Docs here. SummaryImprovements to Enigma: Entities and Vertical Applications: Adaptations for Entities.Bug FixesList of Multi Lookups contained several entries which where no longer in use. The MISP indicator has been added to the Content Manager.  

Hello Everyone! We are glad to announce that the Devo Threat Research team has released the latest batch of detections to the SecOps content manager. In this release, we have created new detections for one of the most popular operating systems; Linux. Linux is very important to have monitored because it is used by 50% (more than Mac) of professional developers worldwide and is an asset to most companies. These alerts will help our customers become notified of any potential attacker or modification to basic directories and production level servers, including the creation of hidden directories and files. Click here to view the full release notes in our Docs portal. With this release we are now at a total of 401 out of the box detections, with our goal of hitting 500 by end of the year.The Devo Threat Research team is committed to keeping its monthly cadence of releases to deliver new and exciting content to our security customers.  More from the team soon!

The Devo SciSec Team (Devo’s Threat Research Team) has released this latest alert pack in all Devo domains! This alert pack brings our SecOps related content to our non-SecOps customers and can help jumpstart your threat coverage.  Alert Pack - Command and ControlThis alert pack focuses on providing coverage for the most commonly used attacks for the Command and Control Mitre Attack tactic.  Command and control is used when the adversary has your system under control and is trying to steal, or disrupt. information from your company. These alerts will let our customers know when the attacker tries to seize control, use their control, or try to control more systems. Here's more information from the Mitre website: Complete information on this threat vector. "Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses." Download now directly from Devo Exchange by clicking here. Full release notes and details of every alert in this Alert Pack. Here is a sample of a few of the alerts included:SecOpsFWSMBTrafficOutbound - Detects SMB traffic from internal to external sources allowed through the firewall.SecOpsFWTrafficOnUnassignedLowPort - Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic.SecOpsFWExcessFirewallDeniesOutbound - Detects excessive firewall blocks for outbound traffic from a single IP in a short period of time; this activity may be indicative of C2 traffic and should be reviewed.SecOpsFWIcmpExcessivePackets - Since ICMP packets are typically very small, this alert will detect ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration.SecOpsFWRdpTrafficUnauthorized - Detects RDP traffic to hosts, not within an allowed list. Full list alerts available here in our docs! 

We are glad to announce that Python SDK v4.0.2 has been released. This is a patch release and includes the following:Add a new command-line option for escaping double quotes with -eq or --escape_quotes. Add a check and shows a warning if the file contains double quotes and the option -eq is not used. Add a new command-line option in tests for testing just one module with -m <module_name> or --module <module_name>.Check the package at https://pypi.org/project/devo-sdk/The source code is available on GitHub: https://github.com/DevoInc/python-sdk

The Devo SciSec Team (Devo’s Threat Research Team) has released this technology alert pack in all Devo domains! This alert pack brings our SecOps related content to our non-SecOps customers and can help jumpstart your threat coverage.  Download now directly from Devo Exchange by clicking here. Alert Technology Pack - ProxyThis Proxy pack provides our customers with detections to help them from even the most dangerous of threats. This pack is extremely important based on the role that the Proxy plays in most organizations. That's why we knew that we needed to have alerts dedicated to alerting when an attacker has disabled or gotten past the proxy.   Full release notes and details of every alert in this Alert Pack.  SecOpsNonStandardHTTPMethod - HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. It is necessary to monitor the non-standard methods used in web servers queries because this could indicate an attack.SecOpsMultipleHTTPMethodsUsed - There are more than ten HTTP Methods but usually clients use a few only. If a client uses all of them or a large number of methods, this could be recon, probing, or enumeration.SecOpsUserBlockedbyProxy - It is considered suspicious that a user is blocked by a proxy server on many occasions in a short period of time.SecOpsProxyLargeFileUpload - Identifies file uploads above 50 MB in size. Excessive file uploads may indicate exfiltration by an adversary or insider. The size threshold should be tuned per organization.SecOpsPortIntoURL - During the normal navigation of a user or system, the URLs do not include the destination port. The use of the port could be seen as suspicious behavior when combined with other factors. Full list available in our docs here.

The Devo SciSec Team (Devo’s Threat Research Team) has released our fourth alert pack in all Devo domains! This alert pack brings our SecOps related content to our non-SecOps customers and can help jumpstart your threat coverage.  Alert Pack - ImpactWe have another alert pack focused on the MITRE Attack tactic Impact. Impact is a tactic that is used by attackers to disrupt and incur damages to a company. Worst of all these attacks can cause reputational damages which can take years to recover from. That's why we knew we had to create an alert pack to protect our customers from these issues. Here's more information from the MITRE organization. Complete information on this threat vector. "Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach." Download now directly from Devo Exchange by clicking here. Full release notes and details of every alert in this Alert Pack. Here is a sample of a few of the alerts included:SecOpsAzureNWDeviceModified - This alert identifies when a user has modified a network device such as network virtual appliance, virtual hub or virtual router. Although this is a common operation, it should be checked since it could be undermining the security posture of the Azure account.SecOpsAzureAutomationRunbookDeleted - This alert identifies when a user has deleted an Azure Automation runbook. This could be indicative that an attacker may be trying to disrupt the normal behavior of the automated processes within an azure account or deleting a runbook used in order to gain persistence.SecOpsGCPSQLDatabaseModification - An attacker could intend to modify, or gain, privileges on a Cloud SQL Database.SecOpsGCPPrivateCloudNetworkDeletion - An attacker could delete a Virtual Private Cloud Network (VPC) to interrupt availability of systems and network resources.SecOpsGCPIAMServiceAccountDisabled - An adversary could disable an IAM Service Account to manipulate the service account and maintain access to the systems. Full list alerts available here in our docs!

We are glad to announce that Python SDK v4.0.1 has been released. This is a patch release and includes the following:Running tests whenever a pull request is created, recreated, or synchronized in GitHub. Running a task to publish in PyPI when a new release is made in GitHub. Deprecation of unsupported Python versions. Verification of some CSV cases. Automatization of badges shown in GitHub and PyPI.Check the package at https://pypi.org/project/devo-sdk/The source code is available on GitHub: https://github.com/DevoInc/python-sdk

The Devo SciSec Team (Devo’s Threat Research Team) has released this Technology alert pack in all Devo domains! This alert pack brings our SecOps related content to our non-SecOps customers and can help jumpstart your threat coverage.  Full release notes and details of every alert in this Alert Pack. Alert Technology Pack: AzureMicrosoft Azure is used for all kinds of projects and initiatives for our customers, the importance of being aware of any potential issues cannot be understated.Devo is one of the market leaders in Out Of The Box Azure alerts with one of the highest number of detections at highest levels of alert quality.  These detections protect all aspects of Azure ranging from Active Directory to DevOps. We want to ensure that our customers are accurately covered and can rest assured that these detections will alert them for most attacks they face. Download now directly from Devo Exchange by clicking here. Here is a sample of 5 of the alerts in this pack:SecOpsAzureExternalUserInvited - An adversary could create an invitation for an external user to create a new account in Azure AD. This may be a routine activity but could be used as a vector for an adversary to gain access or persistence.SecOpsAzureUserInformationDownload - An adversary may attempt to get a listing and more information about accounts on a system or within an environment.SecOpsAzureImpossibleTravel - An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and external services.SecOpsAzureUserCreated - An adversary could attempt to persist by creating a user account in Azure AD.SecOpsAzureUserLoginSuspiciousRisk - An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

The Devo SciSec Team (Devo’s Threat Research Team) has released this Technology Alert Pack in all Devo domains! This alert pack brings our SecOps related content to our non-SecOps customers and can help jumpstart your threat coverage.  Full release notes and details of every alert in this Alert Pack. Technology Alert Pack - FirewallInside this alert pack you will find a plethora of detections that will alert when an attacker is attacking or trying to bypass a firewall.  These alerts are incredibly important to let our customers know when they could be a breach!Firewalls are one of the last bastions of defense for your company, and any firewall that gets compromised can lead to an open highway for attackers to use to gain entry into your environments. In order to ensure a more comprehensive security outlook, Devo’s detections provide the extra assurance that any crack in the wall will be made aware to your SOC and your company. Download now directly from Devo Exchange by clicking here. Here is a sample of 5 of the alerts in this pack.SecOpsFWIpScaninternal - Detects when a single internal IP is scanning other internal IPs using different ports for each scan attempt. This is a low and slow technique intended to avoid triggering traditional port scan and port sweep alerts.SecOpsFWSigned - Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by monitoring for suspicious outbound DNS traffic over TCP. The destination name server should be examined for legitimacy.SecOpsFWRdpTrafficUnauthorized - Detects RDP traffic to hosts, not within an allowed list.SECOpsVNCPortOpen - Possible VNC Connections.SecOpsFWRDPExternalAccess - Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network.

Announced during BlackHat, the Devo Collector Software Development Kit is now available to our customers.    Devo has a large collection of already built Data Collectors ready for your data ingestion needs, with more on the way.   You don’t have to wait however, with the Collector SDK you can write your own collector and address any unique needs your data may have today! To get access to the Collector SDK contact Support now! To learn more about Data Ingestion and how Collectors work check out this webinar:Ingest with the Best: An overview of the Devo Endpoint Agent, Relay and Cloud Collector 

Sec-Ops is proud to present Release 6! Chock full of Out of the Box Alerts.The Devo Threat Research team has released a new set of detections to our customers. In Release 6, we are releasing new detections spread across Office 365, Microsoft Azure, Windows, and now Linux technologies. These data sources are among some of the largest ingested into Devo and help protect our customers against common attacks.  Release 6 brings the Security Operations Out Of The Box alerts total to 385 signature based detections with hundreds more on the way.    Full release notes and details of every alert in this Alert Pack. Here is a sample of 5 of the new Alerts:Detects a GetSecretValue action where the source IP does not belong in an Amazon instance IP space. Detects the deletion of Web Server access logs. Detects the deletion of sensitive Linux system logs Detects the deletion of SSH Key. Detects for suspicious setcap utility execution to enable SUID bit.Check out the full release notes here.