Versions Compared

Old Version 50

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version 51

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleInformative graphs

The top area of this window shows a series of informative graphs that inform users about the alerts and lookups in your environment. Each group of alerts shows the total number of alerts and the ones that are activated. Next to this, you can check the total percentage of activated alerts in a group.

In the capture below, the first graph represents the SecOps alerts in our environment. Currently, we have a total of 307 alerts, and 143 of them are activated. This represents 43% of the total number of alerts, as we can see in the graph.

Image RemovedImage Added

These are the different groups of alerts:

  • Built-in alerts installed - Default alerts in the Security Operations application.

  • Custom alerts installed - Custom alerts defined for a specific client.

  • Active alerts - Active alerts in your system.

  • Main lookups - Lookups in the client domain.

  • Multi-lookup - Generic lookups in the Multilookups domain.

  • Dynamic lookups - Dynamic lookups are generated in the Security Operations application.

Image Added
Expand
titleAlerts installed, lookups and capabilities

In the middle area of the window, you'll find three different tabs:

Check the list of alerts installed in your SecOps environment. 

  • Activate or deactivate alerts by switching on/off the toggle at the left right side of each alert.

  • Remove Uninstall an alert by clicking the Delete button bin icon on the right side of the alert.

Image RemovedImage Added
Info

You can also check these alerts in the Administration → Alert Configuration area of the Devo application.

Note

Some of the alerts in this area may be marked with a star icon Custom tag next to their namepriority and type. This means that these alerts are custom alerts that have been defined specifically for a client and are not included in the default SecOps alert catalog.

As explained in this section, there are 3 types of lookups in the Security Operations application: main lookups, multi-lookups, and dynamic lookups. In this tab, you can check the lookups of each type that you have installed in your environment.

  • Check the lookups that are installed in your environment (they will be marked with the word Installed). Lookups that are not installed are marked with the word Missing in red.

  • Apart from the status, dynamic lookups also show the number of entries (shown in orange if there are few entries), its size, and its update date.

Image RemovedImage Added

Capabilities are Flow contexts that relate SecOps data to other external systems and perform specific operations.

  • Activate or deactivate capabilities by switching on/off the toggle at the left side of each capability.

  • Check if they are loaded and running in the info next to their name.

Image Removed

These are all the available capabilities:

Capability

Description

Investigations to Cortex XSOAR

Activate this capability to create a case in the platform Cortex XSOAR every time you define a new investigation in SecOps. This capability must be configured in the Application settings section. Learn more below.

Investigations to Phantom

Send investigations to the Phantom platform. This capability must be configured in the Application settings section. Learn more below.

Entities

This capability allows the creation of entities in the system.

Send investigation to email

Send closed investigations to a specific email address or addresses.

User agent distance

This capability calculates the user-agent distance. You can use it to check differences between user agents that use a browser, or two users in the system entities.

Expand
titleAlert filter and configurator

Finally, in the bottom area of this window, we have the Alerts Filters and Alerts Configurator sections. These sections appear at the bottom area no matter the tab in the above section we select. In the Alerts Filter, select the required filters and check the results in the Alerts Configuration area, where you can select any number of required alerts and install them.

Note

Unlike the alerts that appear in the Alerts installed tab above, these alerts do not appear in the Administration → Alert Configuration area of the Devo application. These are default alerts defined in the SecOps application that can be installed by users in their domains in the Alerts Configuration area.

Below are the available filters in the Alerts Filter section. Select the required ones and click Filter to see the results.

Image RemovedImage Added

Filter

Description

Installable alerts

Activate this toggle if you want to filter only installable alerts, or deactivate alerts to filter non-installable alerts.

Apply white listing

Toggle this switch if you want to consider white-listing alerts.

Priority

Choose the required alert priority(ies)

ATT&CK Tactic

Select the required Mitre ATT&CK tactics.

ATT&CK Technique

Select the required Mitre ATT&CK techniques.

Tables

Specify the source tables of the queries that define the filtered alerts.

Tags

Choose the required alert tags.

Trigger type

Select the trigger method of the filtered alerts.

In the Alerts Configurator section, you will see the alerts matching the filter criteria selected. 

In this area, you can check any number of filtered alerts you need to install, and then click the Install alerts button that appears on the right side to install them. After installation, these alerts will appear in the Administration → Alert Configuration area of the Devo app.

Note

Note that you'll only be able to install alerts that you filtered with the Installable alerts toggle activated. If you did not have the toggle activated, the alerts filtered will not be installable, and you will only be able to download their requirements in an Excel sheet.

...