...
The Credentials section contains the following parameters:
Name | Description |
API Key | The API Key identifier from the Devo domain. |
API Secret | The API key secrete from the Devo Domain. |
...
The Signals section contains the following parameters:
Name | Description |
Signal Threshold | Threshold by which the behavior signal is added to the entity.behavior.signal.events table. Signals above the threshold are counted in entity risk scores. |
Signal Risk Score | Risk score given to the behavior signal that is sent back to Devo. Entity risk score is calculated based on the risk score value given. |
Advanced Configurations | Configuration options to only be used under special circumstances and Devo table configurations. Contact support to see if these options make sense. |
Table Override | The table that can be used to override the behavior signal query. The table must match specific fields in the original table used in order to function correctly. |
...
The Whitelist section contains the following sections:
Name | Description |
Users | Displays all of the current users that are whitelisted from the current use cases. Additionally users can be entered manually in the textbox or uploaded via CSV. Users are all direct match string values. Example users: David Dark Ddark |
Devices | Displays all of the current devices that are whitelisted from the current use cases. Additionally devices can be entered manually in the textbox or uploaded via CSV. Devices can be hostname, IP addresses, ranges of IP Addresses, and CIDR blocks.
|
|
|
|
|
|
| |
Domains | Displays all of the current domains that are whitelisted from the current use cases. Additionally domains can be entered manually in the textbox or uploaded via CSV. Domains are all direct match string values.
|
|
|
User, Device, and Domain whitelists are included in each use case whether or not they are present in the use case. If the use case does not include ones of entity types then a warning message like the one below is displayed:
...
The upload CSV section enables users to take a CSV they have from another tool or from lookups within Devo and upload them. The upload section provides a couple of tools to make working CSVs easier. The CSV can be dropped in and previewed within the screen. If the right column is not selected then the user can utilize the “Values Column” drop down to select the correct column to be added to the whitelist. Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV. The user can also specify whether the CSV has a header row or not, if specified the first row in the CSV file will be ignored when adding it to the whitelist. The last option is to add or replace the existing whitelist with the contents that are being uploaded, if add is selected then all the values will be appended to the whitelist, if replace is selected the entire whitelist will be overwritten by the uploaded values.
...
Name | Description |
Yes, trigger an alert | Select whether to trigger an alert when a signal is created for SOC analysts to triage. |
Alert Threshold | The threshold for signal that causes the alert to fire and be triaged by SOC analysts. (Not always present) |
Alert Priority | The priority of the alert that’s set on a scale of 1 - Informational through 5 - Critical. |
Apply Whitelisting | Add the SecOpsGWL whitelist lookup to the alert that is created such globally whitelisted entities will not trigger behavior signal alerts. |
Content manager SecOps alerts
...