Warning: Maintenance mode

The SecOps solution is currently in maintenance mode. While we continue to support existing customers, no new features will be added.

New Devo customers are encouraged to explore Devo’s integrated case management capability. For more information, please contact your sales team or support representative.

Introduction

Devo Security Operations (SecOps) is a purpose-built, context-rich application framework that automates security expertise, speeds investigation and triage, reduces required resources, and magnifies response capability.

...

These are the minimum required permissions to use SecOps:

Permission | Access level | Description
Alerts → Triggered alerts | Manage | Allows users to view and manage alerts in SecOps.
Data Search → Finders → Lookups | View | Allows users to view lookups in SecOps.
Flow → Own Flows | Manage | Allows users to view and manage contexts (Flows) in SecOps.
Security → API keys | Manage | Allows users to generate API keys. Some SecOps endpoints require these keys.

Applications tab

SecOps users may have access to SecOps applications with and without entities. Assign the following permissions as required:

...

Note

SecOps alert priorities vs. Devo alert priorities

Please keep in mind that the priority levels used in SecOps alerts (shown above) do not correspond to the ones used in the standard alerts defined in Devo. You can see the priority levels used in Devo when you create a new alert from the search window; those levels do not map to the ones defined in SecOps.

...

Security Operations lookups

There are three types of lookups in SecOps: main lookups, multi-lookups, and dynamic lookups.

  • Main lookups are available only on the domain where the SecOps app is installed. These files are installed by the Devo team and can be viewed and modified by Admin users. The most important lookup is SecOpsAlertDescription, which contains the list of predefined alerts used in SecOps.

  • Multi-lookups are available to all domains, but users cannot modify them. Some of them are SecOps configuration files, and others store security information that comes from MISP services. This information is periodically updated in different ways: some lookups are static (for example CheckBackdoorConnection), some are updated weekly (for example SuspiciousFileExtension), and others are updated daily (for example Farsight feeds).

  • Dynamic lookups are non-editable files that are periodically updated. The update frequency depends on the needs of the alerts that use them. These lookups contain values calculated from real data that are constantly changing, and the data is used to improve the behavior of the alerts. For instance, we can calculate the daily or weekly average of DNS traffic detected by a firewall. This average is stored in the dynamic lookup, and an alert can then be triggered when a peak is detected.

Devo SecOps provides customers with a set of predefined security alerts designed by experts, which are one of the basic aspects of the application. Users can tune these alerts according to their needs, or create new custom alerts and include them in the SecOps application.
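
The dynamic-lookup pattern described above (a periodically recomputed per-firewall DNS baseline that an alert compares new counts against), shown as an added example in plain Python; this is not SecOps code, and the device names, figures, and the 1.5x threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed history of daily DNS connection counts per firewall
# (device, day, count). Made-up figures, not Devo data.
HISTORY = [
    ("fw-edge-01", "2024-05-01", 1200), ("fw-edge-01", "2024-05-02", 1300),
    ("fw-edge-01", "2024-05-03", 1250), ("fw-edge-01", "2024-05-04", 1150),
    ("fw-edge-02", "2024-05-01", 400), ("fw-edge-02", "2024-05-02", 420),
    ("fw-edge-02", "2024-05-03", 380), ("fw-edge-02", "2024-05-04", 410),
]


def build_dynamic_lookup(history):
    """Rebuild the baseline the way a periodic refresh of a dynamic lookup
    would: one row per firewall with its average daily DNS count and the
    number of days that average is based on."""
    per_device = defaultdict(list)
    for device, _day, count in history:
        per_device[device].append(count)
    return {
        device: {"avg_dns": mean(counts), "samples": len(counts)}
        for device, counts in per_device.items()
    }


def detect_peaks(lookup, observations, factor=1.5, min_samples=3):
    """Evaluate today's counts against the lookup (the alert's side).
    Devices with no baseline row, or with too few history days, are
    skipped so a missing or thin baseline cannot fire the alert.
    Returns (device, observed_count, baseline_avg) for each peak."""
    hits = []
    for device, count in observations.items():
        row = lookup.get(device)
        if row is None or row["samples"] < min_samples:
            continue
        if count > row["avg_dns"] * factor:
            hits.append((device, count, row["avg_dns"]))
    return hits


if __name__ == "__main__":
    lookup = build_dynamic_lookup(HISTORY)
    # Constructed "today" counts; fw-new-03 has no baseline yet and is skipped.
    today = {"fw-edge-01": 2100, "fw-edge-02": 450, "fw-new-03": 9000}
    for device, count, avg in detect_peaks(lookup, today):
        print(f"DNS peak on {device}: {count} vs. baseline {avg}")
```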

...

Go to Security Operations Lookups for detailed information.

User roles in the Security Operations app

...