What are DEV-#### indicator designations for detections?

I had this question come up today, but I’ve been asked a few times before recently, so I believe it’s prudent to supply and explanation and guidance on what to do with these.

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Here’s an example of one in Microsoft Sentinel…

But more of these will be experienced in the Defender products.

The one in question today, and the one that reminded me to talk about this, was DEV-0612. This is a relatively new one that you will find in Defender for Endpoint.

If you get alerted to a DEV-#### designation in your environment, report it to Microsoft.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]


Leave a Reply