
Deploying Behavior Alerts: 

...


Introduction

The content manager is where the behavioral models can be deployed. To get to the content manager, click the Content Manager button at the far right of the application. Once you open the content manager, a list of all models that can be deployed is displayed. By default, 10 models are shown per page; you can page through the list to find more models.

...

To deploy a model, click the ellipsis to the right of the model's status. A drop-down menu with a Configure and Enable option appears; choosing it opens a screen with options for configuring the alert. Historic Time Period, Risk Score, and Alert Priority are shown by default. Set the time period you would like the model to baseline against, the minimum risk threshold for alerting, and the minimum alert priority you want to see for the alerts. In addition, there is an advanced option that allows you to override a table. This lets you deploy the model on a different table if the table naming in your org differs from the default. If you use the table override, make sure that the field names and types in your table match those of the original Devo table; a model that reads a field your table lacks, or that holds a different type, will not behave as intended.
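A pre-flight check for the table override step above, written as an added example rather than Devo's own code: it compares the schema a model expects with the schema of the table you intend to override it onto, and reports missing fields and type mismatches before you enable the model. The expected schema and the candidate schema are constructed here for illustration (field names and types are hypothetical); in practice the expected list comes from the original Devo table the model was written against.

```python
"""Schema compatibility check for a Content Manager table override.

Added example, not part of Devo's documentation or product code. The field
names and types below are hypothetical stand-ins for the original Devo table
a model expects and for your own override table.
"""

# Constructed stand-in for the original table's schema: field name -> type.
EXPECTED_SCHEMA = {
    "eventdate": "timestamp",
    "username": "str",
    "srcIp": "ip4",
    "action": "str",
    "bytes": "int",
}


def check_override_schema(expected, candidate):
    """Compare an override table's schema against the schema a model expects.

    Returns a dict with:
      ok            - True only when every expected field exists with the same type
      missing       - expected fields absent from the candidate table
      type_mismatch - fields present in both but with different types
      extra         - candidate fields the model does not read (informational only)
    Extra fields do not block deployment; missing fields and type mismatches do.
    """
    missing = sorted(f for f in expected if f not in candidate)
    type_mismatch = {
        f: (expected[f], candidate[f])
        for f in expected
        if f in candidate and candidate[f] != expected[f]
    }
    extra = sorted(f for f in candidate if f not in expected)
    return {
        "ok": not missing and not type_mismatch,
        "missing": missing,
        "type_mismatch": type_mismatch,
        "extra": extra,
    }


def report(result):
    """Render a check result as operator-readable lines."""
    lines = ["override table OK" if result["ok"] else "override table NOT compatible"]
    for f in result["missing"]:
        lines.append(f"  missing field: {f}")
    for f, (want, got) in result["type_mismatch"].items():
        lines.append(f"  type mismatch: {f} expected {want}, found {got}")
    for f in result["extra"]:
        lines.append(f"  extra field (ignored by model): {f}")
    return lines


if __name__ == "__main__":
    # Constructed override table: srcIp stored as a plain string, bytes absent,
    # plus an extra column the model never reads.
    candidate = {
        "eventdate": "timestamp",
        "username": "str",
        "srcIp": "str",
        "action": "str",
        "extra_col": "int",
    }
    for line in report(check_override_schema(EXPECTED_SCHEMA, candidate)):
        print(line)
```

Run it against each override table before enabling the model; a non-empty missing list or any type mismatch means the model should not be deployed on that table until the schema is corrected.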

To stop a model, go to the same ellipsis on the right-hand side of the model and choose the disable option, which pauses the model.

Note

Do not deploy all the models at once to ensure that performance does not suffer.

  • Deploying Behavior Alerts: 

...

Name                    | Description
Historical time period  | The time period from which the model baselines data.
Risk score              | A threshold you can set to exclude alerts below this score.
Alert Priority          | Only displays alerts of this priority and higher.

...

  • Content Manager SecOps Alerts: 

...

As seen in the image above, all SecOps alerts enabled in your domain appear in the Behavior Analytics App. Any time one of these alerts fires, it is correlated to the associated entity. You can tune the risk score of a specific SecOps alert if desired (for example, setting a risk score of 55 for the SecOpsLoginFailAttempts alert).

To do this, open the action menu at the far right of the alert name and choose Edit, where you can set a risk score for that SecOps alert. Once a risk score is assigned, each firing of the alert contributes that score to the risk score of the correlated entity. If you wish to remove the risk score, the action menu also has a Remove Risk Score option.
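A small model of how the two settings described on this page interact, added here as an example and not taken from Devo's code: a per-alert risk score like the one set through Edit is attributed to the entity each SecOps alert is correlated to, and the Risk Score and Alert Priority thresholds chosen at deployment filter what is displayed. The alert records are constructed, and the additive, capped aggregation and the priority ordering are assumptions for illustration; the page does not describe Devo's actual scoring formula or priority levels.

```python
"""Entity risk attribution and deploy-time alert filtering.

Added example, not Devo product code. Aggregation (sum, capped at 100) and
the priority ordering are assumptions; the alert records are constructed.
"""
from collections import defaultdict

# Assumed priority ordering, lowest to highest.
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed SecOps alert firings. "entity" is the user or host the alert
# was correlated to; "risk" is the score configured for the alert via Edit,
# or None when no risk score is assigned (as after Remove Risk Score).
ALERTS = [
    {"name": "SecOpsLoginFailAttempts", "entity": "alice", "risk": 55, "priority": "medium"},
    {"name": "SecOpsLoginFailAttempts", "entity": "bob", "risk": 55, "priority": "medium"},
    {"name": "SecOpsNewAdminUser", "entity": "alice", "risk": 80, "priority": "high"},
    {"name": "SecOpsPortScan", "entity": "host-7", "risk": None, "priority": "low"},
]


def entity_risk(alerts, cap=100):
    """Attribute each alert's configured risk score to its entity.

    Assumed additive aggregation capped at `cap`; alerts with no configured
    risk score contribute nothing, so their entity may not appear at all.
    """
    totals = defaultdict(int)
    for a in alerts:
        if a["risk"] is not None:
            totals[a["entity"]] = min(cap, totals[a["entity"]] + a["risk"])
    return dict(totals)


def visible_alerts(alerts, min_risk, min_priority):
    """Apply the deploy-time thresholds from Configure and Enable.

    Keeps alerts whose risk score is at least `min_risk` and whose priority
    ranks at or above `min_priority`. An alert with no risk score is treated
    as scoring 0, so it is hidden by any positive risk threshold.
    """
    floor = PRIORITY_RANK[min_priority]
    return [
        a for a in alerts
        if (a["risk"] or 0) >= min_risk and PRIORITY_RANK[a["priority"]] >= floor
    ]


if __name__ == "__main__":
    print("entity risk:", entity_risk(ALERTS))
    for a in visible_alerts(ALERTS, min_risk=55, min_priority="medium"):
        print("visible:", a["name"], a["entity"], a["risk"], a["priority"])
```

Raising the deploy-time Risk Score threshold above a SecOps alert's configured score hides that alert from the view without changing its contribution to the entity's risk; removing the alert's risk score does the opposite, keeping low thresholds from surfacing it while also dropping its contribution.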