...

To deploy a model, click the ellipsis to the right of the model's status. A drop-down menu appears with a Configure and Enable option; selecting it opens a new screen with options for configuring the alert. Historic Time Period, Risk Score, and Alert Priority are shown by default. Set the time period you would like the model to track against, the minimum risk threshold for alerting, and the minimum alert priority you would like to see for the alerts. In addition, there is an advanced option that allows you to override a table. This lets you deploy the model on a different table if the naming configuration within your org differs from the default. If using the table override, make sure that the field names and types in your table match those of the original Devo table.

To stop a model, go to the same ellipsis on the right-hand side of the model. There you will find a Disable option that pauses the model.

...

  • Deploying Behavior Alerts: 

...

Name | Description
Historical time period | The time period from which the model can baseline data.
Risk score | A threshold the user can set to exclude alerts below this score.
Alert Priority | Only displays alerts of this priority and higher.
Final outcome output threshold | Threshold at which the behavior signal is added to the entity.behavior.signal.events table. Signals above the threshold are counted in entity risk scores.
Create Alerts? | Select when an alert should be created for the behavior signal for SOC analysts to triage.
Final outcome alerting threshold | Threshold at which the behavior signal alert fires and is triaged by SOC analysts.
Alert Priority | The priority of the alert, set on a scale of 1 - Informational through 5 - Critical.
Risk score | Risk score given to the behavior signal that is sent back to Devo. The entity risk score is calculated from this value.
Advanced Configurations | Configuration options intended only for special circumstances and custom Devo table configurations. Contact support to confirm whether these options apply to your deployment.
Table Override | The table used to override the behavior signal query. It must contain the specific fields of the original table in order to function correctly.
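The following added example (not Devo's code) models how the options in the table above gate a behavior signal, and performs the field-name and field-type comparison that the Table Override note asks for. The original table schema, the override schemas and the threshold semantics (inclusive comparisons) are constructed assumptions for illustration.

```python
"""Added example, not Devo's code: threshold gating for a behavior signal
plus the schema check needed before using the Table Override option."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder for the schema of the original Devo table the
# behavior signal query normally runs against (field name -> field type).
ORIGINAL_SCHEMA = {"eventdate": "timestamp", "srcIp": "ip4", "user": "str", "bytes": "int"}


@dataclass
class ModelConfig:
    historical_days: int            # Historical time period the model baselines against
    output_threshold: float         # Final outcome output threshold (signal is recorded)
    create_alerts: bool             # Create Alerts?
    alerting_threshold: float       # Final outcome alerting threshold (alert fires)
    min_alert_priority: int         # Alert Priority filter: 1 Informational .. 5 Critical
    min_risk_score: float           # Risk score filter: alerts below this are excluded
    table_override: Optional[Dict[str, str]] = None   # Advanced: override table schema


def check_override_schema(original: Dict[str, str], override: Dict[str, str]) -> List[str]:
    """Return the problems that would stop an override table from working.
    Every field of the original table must exist in the override with the same type."""
    problems = []
    for name, ftype in original.items():
        if name not in override:
            problems.append(f"missing field {name}")
        elif override[name] != ftype:
            problems.append(f"field {name} has type {override[name]}, expected {ftype}")
    return problems


def evaluate_signal(cfg: ModelConfig, score: float, priority: int, risk_score: float) -> Dict[str, bool]:
    """Decide whether a signal is stored in entity.behavior.signal.events (and so
    counted in the entity risk score) and whether an alert is raised for SOC triage.
    Thresholds are treated as inclusive here; that is an assumption of this example."""
    recorded = score >= cfg.output_threshold
    alerted = (cfg.create_alerts and recorded
               and score >= cfg.alerting_threshold
               and priority >= cfg.min_alert_priority
               and risk_score >= cfg.min_risk_score)
    return {"recorded": recorded, "alerted": alerted}


if __name__ == "__main__":
    cfg = ModelConfig(30, 50.0, True, 80.0, 3, 20.0)
    print(evaluate_signal(cfg, 60.0, 4, 30.0))   # recorded but below alerting threshold
    print(evaluate_signal(cfg, 90.0, 4, 30.0))   # recorded and alerted
    print(check_override_schema(ORIGINAL_SCHEMA, {"eventdate": "timestamp", "srcIp": "str", "user": "str"}))
```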

  • Content Manager SecOps Alerts: 

...