Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Filter as soon as you can and every time you are able. Just try to avoid “null” data and remove all “noisy” data during the query creation. That makes your query more efficient and decreases false positives. 

...

Query creation

Each alert is based on a query that is run continuously over the data stream. When an alert is triggered, it generates a record in the Devo table.

...

Info

For more information on each field per specific lookup, see here.

SecOps will parse this data, based on the kinds of information values SecOps expects, and create all the new data which makes up the application.

...

Entity

SecOps Entity

Hostname

entity_sourceHostname

entity_destinationHostname

Url

entity_sourceUrl

entity_destinationUrl

IP

entity_sourceIP

entity_destinationIP

MAC

entity_sourceMAC

entity_destinationMAC

Name

entity_sourceName

entity_destinationName

Location

entity_sourceLocation

entity_destinationLocation

Domain

entity_sourceDomain

entity_destinationDomain

Email

entity_sourceEmail

entity_destinationEmail

Account

entity_sourceAccount

entity_destinationAccount

Assign a role to the entity

Next, we need to add following detections using lookups:

To learn more about lookups, go to SecOps Lookups.

...

Code Block
select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole

Whitelisting

In order to avoid some events from some assets, customers can add whitelisting checks on alerts just adding an extra check based on data from a Lookup.

Here we will use the global whitelist lookup SecOpsGWL.

Example:

Code Block
AssetHyphenRole,reason,description
8.8.8.8-GoogleDNS,Mainstream DNS, Avoid alerts from public services
9.9.9.9,Company DNS,Avoid

The way we can use these two lookups is just getting the role from an asset and then compounding a string to know if the asset + role is the GWL lookup.

Here is an example query that contains three cases. 

  • First, we have an IP that it’s on SecOpsGWL lookup and has a role associated with SecOpsAssetRole.

Code Block
from web.all.access
where requestLength = 1200
select "8.8.8.8" as testIP // create a fake asset
select `lu/SecOpsRole/role`(testIP) as AssetRole // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRole),testIP,testIP+"-"+AssetRole) as AssetToCheck
select `lu/SecOpsGWL`(AssetToCheck) as GWL // Check Asset+Role in SecOpsGWL Lookup
  • Second, we have an IP that it’s on SecOpsGWL lookup, but has not a role associated with SecOpsAssetRole.

Code Block
select "9.9.9.9" as testIPAnother // create another fake asset
select `lu/SecOpsRole/role`(testIPAnother) as AssetRoleAnother // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRoleAnother),testIPAnother,testIPAnother+"-"+AssetRoleAnother) as AssetToCheckAnother
select `lu/SecOpsGWL`(AssetToCheckAnother) as GWLAnother // Check Asset+Role in SecOpsGWL Lookup
  • Third and last, we have an IP that is not on SecOpsGWL and has not a role associated with SecOpsAssetRole.

Code Block
select "4.4.4.4" as testIPNone // create another fake asset
select `lu/SecOpsRole/role`(testIPNone) as AssetRoleNone // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRoleNone),testIPNone,testIPNone+"-"+AssetRoleNone) as AssetToCheckNone
select `lu/SecOpsGWL`(AssetToCheckNone) as GWLNone // Check Asset+Role in SecOpsGWL Lookup
group every 1h by GWLNone, GWL, GWLAnother
every 1h

Using these two lookups allows customers to associate a role or not to an asset.  They can use SecOpsGWL as a simple whitelist or combine it with SecOpsAssetRole to give more context.

Enrichment using lookups

Using Lookups after aggregation ensures that the new columns created are available in SecOps. 

...