Multitenancy
When accessing the parent domain in a multitenant structure, there is a dropdown where you can select the different domains at any moment in case you want to check their specific activity.
Using the application
Alert coverage overview
For Alert coverage, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library. The tactic tiles are color-coded according to the number of techniques that have alerts installed for them in the Devo domain. The technique tiles are color-coded according to the number of alerts installed for that technique in the Devo domain, out of all the alerts available for installation. Located in the top-right corner is the coverage scale percentage, which lets you understand your alert and log source coverage at a glance; this percentage changes according to the filters that are applied. The coverage scale on the Alert coverage page color-codes tiles by the percentage of installed alerts out of available alerts, as follows:
- Between 0% - 24.99%
- 25% - 75%
- 75.01% - 99.99%
- 100%
Info: The application also supports the mapping of custom alerts through the SecOpsAlertDescription lookup. Simply add your detections to the system via Data search or Alert configuration and then add the necessary fields to the lookup for that alert.
The application now supports alerts being mapped to multiple tactics and techniques. The application pulls and maps them to the matrix, correctly displaying the coverage. Use the MitreAlertsExtendedDefinition lookup to add the additional entries. It is available to download below:
Note: In order to use the MitreAlertsExtendedDefinition lookup, the alert must also be in the SecOpsAlertDescription lookup.
Furthermore, the table at the bottom of the Alert coverage screen shows every tactic and technique mapped to an alert; expand the field within that column to see all of them for a given alert. Reviewing the information in this table is the starting point for improving coverage across the matrix.
Alert heatmap overview
The Alert Heatmap allows you to see the concentration of fired alerts per technique and tactic for a specific period of time.
The matrix will use the technique, tactic or alert with the most alerts as the basis to calculate the density and color coding for the fired alerts. See the following examples.
Technique example 1
In this example, the highest number of alerts fired for all techniques is 300.

| Technique | Alerts fired | % of the technique with the most alerts | Density band |
|---|---|---|---|
| Technique A | 300 | 100.00% | between 75% and 100% |
| Technique B | 250 | 83.33% | between 75% and 100% |
| Technique C | 200 | 66.67% | between 50% and 74.99% |
| Technique D | 150 | 50.00% | between 50% and 74.99% |
| Technique E | 100 | 33.33% | between 25% and 49.99% |
| Technique F | 50 | 16.67% | between 0% and 24.99% |
| Technique G | 25 | 8.33% | between 0% and 24.99% |
| Technique H | 10 | 3.33% | between 0% and 24.99% |
Technique example 2
In this example, the highest number of alerts fired for all techniques is 1000.

| Technique | Alerts fired | % of the technique with the most alerts | Density band |
|---|---|---|---|
| Technique A | 1000 | 100.00% | between 75% and 100% |
| Technique B | 500 | 50.00% | between 50% and 74.99% |
| Technique C | 400 | 40.00% | between 25% and 49.99% |
| Technique D | 300 | 30.00% | between 25% and 49.99% |
| Technique E | 100 | 10.00% | between 0% and 24.99% |
| Technique F | 50 | 5.00% | between 0% and 24.99% |
| Technique G | 25 | 2.50% | between 0% and 24.99% |
| Technique H | 10 | 1.00% | between 0% and 24.99% |
Tactic example
In this example, the highest number of alerts fired for all tactics is 1000.

| Tactic | Alerts fired | % of the tactic with the most alerts | Density band |
|---|---|---|---|
| Tactic A | 1000 | 100.00% | between 75% and 100% |
| Tactic B | 500 | 50.00% | between 50% and 74.99% |
| Tactic C | 300 | 30.00% | between 25% and 49.99% |
| Tactic D | 150 | 15.00% | between 0% and 24.99% |
| Tactic E | 100 | 10.00% | between 0% and 24.99% |
Alerts example
In this example, the highest number of alerts fired for individual alerts is 100.

| Alert | Alerts fired | % of the alert with the most alerts | Density band |
|---|---|---|---|
| Tactic A | 100 | 100.00% | between 75% and 100% |
| Tactic B | 80 | 80.00% | between 75% and 100% |
| Tactic C | 50 | 50.00% | between 50% and 74.99% |
| Tactic D | 26 | 26.00% | between 25% and 49.99% |
| Tactic E | 2 | 2.00% | between 0% and 24.99% |
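To make both color scales on this page concrete, the following is an added Python example (not Devo's code) that reproduces the heatmap density bands of the examples above and the installed-versus-available scale used by the Alert coverage and Log source coverage pages. The technique counts are taken from Technique example 1; the per-tactic installed/available figures are constructed sample values, and treating a tactic with nothing available as 0% coverage is an assumption.

```python
# Added example (not Devo's code): reproduces the two color scales described on this page.
# Percentages are rounded to two decimals, matching the figures in the tables above.

def coverage_band(installed: int, available: int) -> tuple[float, str]:
    """Alert coverage / Log source coverage scale: installed (or ingesting) vs available."""
    if available == 0:
        return 0.0, "0% - 24.99%"  # assumption: nothing available counts as no coverage
    pct = round(installed * 100 / available, 2)
    if pct == 100:
        return pct, "100%"
    if pct > 75:                    # 75.01% - 99.99%
        return pct, "75.01% - 99.99%"
    if pct >= 25:                   # 25% - 75% (an exact 75.00% stays in this band)
        return pct, "25% - 75%"
    return pct, "0% - 24.99%"


def heatmap_density(fired: dict[str, int]) -> dict[str, tuple[float, str]]:
    """Alert heatmap scale: each count relative to the busiest technique/tactic/alert."""
    result: dict[str, tuple[float, str]] = {}
    peak = max(fired.values(), default=0)
    for name, count in fired.items():
        pct = round(count * 100 / peak, 2) if peak else 0.0
        if pct >= 75:
            band = "between 75% and 100%"
        elif pct >= 50:
            band = "between 50% and 74.99%"
        elif pct >= 25:
            band = "between 25% and 49.99%"
        else:
            band = "between 0% and 24.99%"
        result[name] = (pct, band)
    return result


# Counts from "Technique example 1" above; the busiest technique (300) sets the scale.
TECHNIQUE_EXAMPLE_1 = {"Technique A": 300, "Technique B": 250, "Technique C": 200,
                       "Technique D": 150, "Technique E": 100, "Technique F": 50,
                       "Technique G": 25, "Technique H": 10}

# Constructed sample: installed vs available alerts per tactic (not real Devo figures).
TACTIC_COVERAGE_SAMPLE = {"Persistence": (3, 4), "Execution": (12, 12), "Discovery": (1, 9)}

if __name__ == "__main__":
    for name, (pct, band) in heatmap_density(TECHNIQUE_EXAMPLE_1).items():
        print(f"{name}: {pct:.2f}% -> {band}")
    for tactic, (installed, available) in TACTIC_COVERAGE_SAMPLE.items():
        pct, band = coverage_band(installed, available)
        print(f"{tactic}: {installed}/{available} installed = {pct:.2f}% -> {band}")
```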
Log source coverage overview
Under the Log source coverage page you can assess your coverage against the MITRE ATT&CK matrix based on the log sources you are currently ingesting. Log sources are mapped through the alert definitions in the system: if an alert is tagged with the “Persistence” tactic and the “Account Manipulation” technique, the log sources (Devo tables) that alert uses are mapped to that tactic and technique in the Log source coverage section of the application.
Coverage on the Log source coverage page is calculated by comparing the number of log sources currently ingesting data with the total number of log sources mapped to the current tactic or technique. The coverage scale works as follows:
- Between 0% - 24.99%
- 25% - 75%
- 75.01% - 99.99%
- 100%
Export coverage to PDF
You can export a PDF of your log source coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.
Available log sources
The bottom of the Log source coverage screen lists all the available log sources and whether or not each one is ingesting. You can view the current tactics and techniques that are covered, as well as the new ones that would be covered if you were to add specific log sources.
Enterprise matrix
You can also use the Enterprise Matrix filter to narrow down to a specific platform (Windows, macOS, etc.).