...
Filter as soon as you can and every time you are able. Just try to avoid “null” data and remove all “noisy” data during the query creation. That makes your query more efficient and decreases false positives.
...
Query creation
Each alert is based on a query that is run continuously over the data stream. When an alert is triggered, it generates a record in the Devo table.
...
Info |
---|
For more information on each field per specific lookup, see here. |
SecOps will parse this data, based on the kinds of information values SecOps expects, and create all the new data which makes up the application.
...
Entity | SecOps Entity |
---|---|
Hostname | entity_sourceHostname entity_destinationHostname |
Url | entity_sourceUrl entity_destinationUrl |
IP | entity_sourceIP entity_destinationIP |
MAC | entity_sourceMAC entity_destinationMAC |
Name | entity_sourceName entity_destinationName |
Location | entity_sourceLocation entity_destinationLocation |
Domain | entity_sourceDomain entity_destinationDomain |
entity_sourceEmail entity_destinationEmail | |
Account | entity_sourceAccount entity_destinationAccount |
Assign a role to the entity
Next, we need to add following detections using lookups:
Assign it a role using lookup SecOpsAssetRole.
Add a description using SecOpsAlertDescription.
Add a location using SecOpsLocation.
To learn more about lookups, go to SecOps Lookups.
...
Code Block |
---|
select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole |
Whitelisting
In order to avoid some events from some assets, customers can add whitelisting checks on alerts just adding an extra check based on data from a Lookup.
Here we will use the global whitelist lookup SecOpsGWL.
Example:
Code Block |
---|
AssetHyphenRole,reason,description
8.8.8.8-GoogleDNS,Mainstream DNS, Avoid alerts from public services
9.9.9.9,Company DNS,Avoid |
The way we can use these two lookups is just getting the role from an asset and then compounding a string to know if the asset + role is the GWL lookup.
Here is an example query that contains three cases.
First, we have an IP that it’s on SecOpsGWL lookup and has a role associated with SecOpsAssetRole.
Code Block |
---|
from web.all.access where requestLength = 1200 select "8.8.8.8" as testIP // create a fake asset select `lu/SecOpsRole/role`(testIP) as AssetRole // Get asset role from SecOpsRole Lookup select ifthenelse(isnull(AssetRole),testIP,testIP+"-"+AssetRole) as AssetToCheck select `lu/SecOpsGWL`(AssetToCheck) as GWL // Check Asset+Role in SecOpsGWL Lookup |
Second, we have an IP that it’s on SecOpsGWL lookup, but has not a role associated with SecOpsAssetRole.
Code Block |
---|
select "9.9.9.9" as testIPAnother // create another fake asset
select `lu/SecOpsRole/role`(testIPAnother) as AssetRoleAnother // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRoleAnother),testIPAnother,testIPAnother+"-"+AssetRoleAnother) as AssetToCheckAnother
select `lu/SecOpsGWL`(AssetToCheckAnother) as GWLAnother // Check Asset+Role in SecOpsGWL Lookup |
Third and last, we have an IP that is not on SecOpsGWL and has not a role associated with SecOpsAssetRole.
Code Block |
---|
select "4.4.4.4" as testIPNone // create another fake asset
select `lu/SecOpsRole/role`(testIPNone) as AssetRoleNone // Get asset role from SecOpsRole Lookup
select ifthenelse(isnull(AssetRoleNone),testIPNone,testIPNone+"-"+AssetRoleNone) as AssetToCheckNone
select `lu/SecOpsGWL`(AssetToCheckNone) as GWLNone // Check Asset+Role in SecOpsGWL Lookup
group every 1h by GWLNone, GWL, GWLAnother
every 1h |
Using these two lookups allows customers to associate a role or not to an asset. They can use SecOpsGWL as a simple whitelist or combine it with SecOpsAssetRole to give more context.
Enrichment using lookups
Using Lookups after aggregation ensures that the new columns created are available in SecOps.
...