New Blog Post | What are DEV-#### indicator designations for detections?

Microsoft


What are DEV-#### indicator designations for detections? - Azure Cloud & AI Domain Blog (azureclouda...

 

I had this question come up today, but I’ve been asked a few times before recently, so I believe it’s prudent to supply an explanation and guidance on what to do with these.

 

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

 

Here’s an example of one in Microsoft Sentinel…

 

Original Post: New Blog Post | What are DEV-#### indicator designations for detections? - Microsoft Tech Community
