...
The top area of this window shows a series of graphs summarizing the alerts and lookups in your environment. Each group of alerts shows the total number of alerts and how many of them are activated. Next to this, you can check the percentage of activated alerts in the group. In the capture below, the first graph represents the SecOps alerts in our environment. Currently, we have a total of 307 alerts, and 143 of them are activated. This represents 43% of the total number of alerts, as we can see in the graph. These are the different groups of alerts:
In the middle area of the window, you'll find three different tabs:

Tab | Description |
---|---|
Alerts installed | Check the list of alerts installed in your SecOps environment. |
Lookups | As explained in this section, there are three types of lookups in the Security Operations application: main lookups, multi-lookups, and dynamic lookups. In this tab, you can check the lookups of each type that you have installed in your environment. |
Capabilities | Capabilities are Flow contexts that relate SecOps data to other external systems and perform specific operations. |
Finally, in the bottom area of this window, we have the Alerts Filter and Alerts Configurator sections. These sections stay at the bottom of the window no matter which tab is selected in the middle area. In the Alerts Filter, select the required filters and check the results in the Alerts Configurator, where you can select any number of the required alerts and install them.

Section | Description |
---|---|
Alerts filter | Below are the available filters in the Alerts Filter section. Select the required ones and click Filter to see the results. |
Alerts configurator | In the Alerts Configurator section, you will see the alerts matching the selected filter criteria. In this area, you can check any number of the filtered alerts you need to install, and then click the Install alerts button that appears on the right side to install them. After installation, these alerts will appear in the Administration → Alert Configuration area of the Devo app. |
...
Click the menu icon at the top right corner of the application and select Settings to access the following groups of configuration options:
...
Group | Description |
---|---|
Enrichment | The Security Operations application is automatically enriched by different threat platforms to get the data required to analyze and label the alerts. However, if you have your own account on one of the available platforms, you can click it, switch off its Use default toggle and specify your URL to get data from your service. Click Save to apply any modifications. |
Capabilities services | Configure the Cortex XSOAR and Phantom connection. You can also set an email to send notifications when an investigation is closed. Click Save to apply any modifications. |
File artifact storage | Switch off the toggles if you want to specify the location where you want to store the files attached to investigations. Learn more in Investigations. Click Save to apply any modifications. |
DNS | The application resolves names using default DNS. Add server names here if you want to use custom DNS. Click Save to apply any modifications. |
Location | This is a view of the location lookup used to resolve locations and geolocations from IP addresses. |
Impact calculation | Activate this option if you want to display the impact calculation for all the entities in your environment. Note that alert performance will be slower when this is activated. This option is deactivated by default. |
User preferences | Use the Devo app date format or choose a custom one. |