...
There are several columns in the table: Behavior Model (the name of the model), Required Table (the required Devo table for deploying the model), status Status (started / paused / stopped), and state State (Running / Learning). Initially all models are stopped by default. Each model must be started in order to begin learning and running.
Additionally, the Behavior Models table shows a Signals column with a micro trend chart displaying the signal volume during the last 7 days for each behavior model. Clicking on a model’s chart will open Devo’s Search window with the signals table (entity.behavior.signals.filtered) in a separate browser tab, so that you can browse the details of that model’s signals as needed.
...
Note that each of these sections is optional. If desired, the user may simply click the Start button at the bottom of the editor, in which case the default values for the configuration options will be applied.
| Info |
|---|
...
For optimal performance and memory usage, stagger the deployment of your models rather than deploying all the models at once. |
Signals
The Signals section of the configuration editor enables users to assign a risk score for each signal from the selected model. The risk score must be a number from zero to 100. This risk score will subsequently be used to compute the entity risk scores by the risk calculator. Note that the same risk score is applied to every signal from the selected model.
...
By default, a risk score of 20 is assumed for every model. This implies that every model is given equal weight by default. The user may adjust the signal risk scores of their models in order to give certain models more or less weight than other models.
Whitelist
The Whitelist section of the configuration editor enables users to specify lists of entities to be excluded from triggering signals by the selected model. Each model can be configured with 3 separate optional whitelists: users, devices, and domains.
...
Each of the 3 whitelists can be either entered manually or uploaded from a text file. The whitelist entries should be separated by carriage returns. The format for these entries is as follows:
...
Select the file by either clicking Browse or dropping the file into the gray File box (left). Once a file has been selected, the start of the file’s contents will be shown in the Preview area (right).
...
Use the Values Column drop down to choose which column contains the values that you wish to whitelist. (Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV.)
Use the Header Row option to specify whether the CSV has a header row or not. If so, the first row in the CSV file will be ignored when adding it to the whitelist.
Use the Add / Replace option to specify how the prior whitelist values should be handled. If “Add” is selected then all the uploaded values will be appended to the prior whitelist values; if “Replace” is selected then the prior whitelist values will be removed and the entire whitelist will be overwritten by the uploaded values.
Note that User, Device, and Domain whitelists are included in each model configuration whether or not they are present in the model’s logic. If the model logic does not include ones of the 3 entity types then a warning message like the one below is displayed:
...
Alerts
The Alerts section of the configuration editor enables users to optionally trigger an alert for each of the model’s signals. By default, when a behavior model detects anomalous behavior it will produce only a behavior signal, not an alert. These so-called “behavior alerts” are not required for risk calculation; the behavior signals are sufficient. Nevertheless, behavior alerts can be useful for triaging, or simply for notifying the security analyst every time that a signal is generated by the selected behavior model.
...
To configure a new alert for each new signal from the selected model, choose the “Yes, trigger an alert” option.
You may then choose a priority for the behavior alert (Very high, high, medium, low, or very low).
If desired, you may also apply an additional level of whitelisting to the behavior alert. Check the Apply SecOps Asset Whitelisting option to prevent assets in your SecOps global whitelist lookup (
SecOpsGWL) from triggering this behavior alert. (Note that for this feature to be enabled, you must install theSecOpsGWLandSecOpsAssetRolelookups from Devo exchange.)
Advanced
The Advanced section enables users to tune the model’s resources and performance. Internally, Devo behavior models operate in a distributed system of drivers and executors with flexible deployment configurations. The options in the Advanced section enable users to tune those configurations if needed. However, this is typically not necessary and only done in conjunction with guidance from Devo technical support. In most cases, the default values should suffice and should be left unmodified.
Working with models
Once a behavior model has been started, it begins a learning period. During the learning period, the model will monitor data without outputting any behavior signals. The model’s state will be shown as Learningduring this time, as well as when the model was started and how much time remains in the model’s learning period.(The length of the learning period varies per model. “First Time” models typically require a 30 day learning period, whereas “Auth Impossible Travel” only requires 24 hours.) Once the learning period is over, the model’s state will be shown as Running to indicate that the model is ready to produce behavior signals.
...
The table below enumerates the behavior models that are provided out of the box in Behavior Analytics.
Name | Description | Data Source | |
|---|---|---|---|
1 | WS ec2 first time action for AMI | This finds first time AWS ec2 actions per AMI events compared to the given time period (default 30 days). |
|
2 | AWS ec2 first time action for instance type | This finds first time AWS ec2 actions per instance type per user events compared to the given time period (default 30 days). |
|
3 | AWS ec2 first time action for region | This finds first time AWS ec2 actions per region events compared to the given time period (default 30 days). |
|
4 | AWS ec2 first time action for user | This finds first time AWS ec2 actions per user events compared to the given time period (default 30 days). |
|
5 | AWS first time action | This finds first time AWS actions per user events compared to the given time period (default 30 days). |
|
6 | AWS provisioning first time action in region | This finds first time AWS actions per user per region events compared to the given time period (default 30 days). |
|
7 | AWS provisioning first time city | This finds first time AWS provisioning actions per user per city events compared to the given time period (default 30 days). |
|
8 | AWS provisioning first time country | This finds first time AWS provisioning events per user per country compared to the given time period (default 30 days). |
|
9 | AWS provisioning first time IP | This finds first time AWS provisioning events per user per ip compared to the given time period (default 30 days). |
|
10 | Azure App Service First Time Action | This finds first time Azure App Service user actions compared to the given time period (default 30 days). |
|
11 | Azure App Service First Time Country | This finds first time Azure App Service events from a country compared to the given time period (default 30 days). |
|
12 | Azure app service first time user | This finds first time Azure App Service users compared to the given time period (default 30 days). |
|
13 | Azure storage first time action | This finds first time Azure Storage action events compared to the given time period (default 30 days). |
|
14 | Azure storage first time country | This finds first time Azure Storage events from a country compared to the given time period (default 30 days). |
|
15 | Azure storage first time user | This finds first time Azure Storage users compared to the given time period (default 30 days). |
|
16 | Azure VM first time action | This finds first time Azure VM action events compared to the given time period (default 30 days). |
|
17 | Azure VM first time country | This finds first time Azure VM events from a country compared to the given time period (default 30 days). |
|
18 | Azure VM first time user | This finds first time Azure VM users compared to the given time period (default 30 days). |
|
19 | First time access to domain from user | Identifies first time Domain is accessed over the proxy by a user compared to the past 30 days. |
|
20 | First time authentication or authorization from a country | Identify if this is the first authentication or authorization request for a user from a country in the past 30 days. |
|
21 | First time authentication or authorization from a organization | Identify if this is the first authentication or authorization request for a user from a organization in the past 30 days. |
|
22 | First time authentication to a Windows domain | Identify if this is the first authentication to a Windows domain by a user in the past 30 days. |
|
23 | First time domain accessed by internal IP | Identifies first time internal IP accessed a domain over the proxy compared to the past 30 days. |
|
24 | First time login to device/asset | Identifies first time logins to devices compared to the past 30 days. |
|
25 | GitHub organization first time access protocol events | This finds first time GitHub Organization user activity with a protocol compared to the given time period (default 30 days). |
|
26 | GitHub organization first time action events | This finds first time GitHub Organization user actions compared to the given time period (default 30 days). |
|
27 | GitHub organization first time country events | This finds first time GitHub Organization user activity from a country compared to the given time period (default 30 days). |
|
28 | GitHub organization first time repo access | This finds first time GitHub Organization repo access compared to the given time period (default 30 days). |
|
29 | GitHub organization first time user access | This finds first time GitHub Organization user access compared to the given time period (default 30 days). |
|
30 | GSuite admin first time action | This finds first time GSuite Admin actions per user compared to the given time period (default 30 days). |
|
31 | O365 first time action | This finds first time O365 actions per user compared to the given time period (default 30 days). |
|
32 | Proxy first-time outbound connection to country | This detects first time connections from a given proxy to a country that is new compared to historical data (default 30 days). |
|
33 | Auth Impossible Travel | Detects impossible traveler situations from successful logins on a rolling 24-hour window. |
|