Introduction

The content manager is where the behavioral models are deployed. To open it, click the Content Manager button at the far right of the application. The content manager lists every model that can be deployed. By default, 10 models are shown per page; page through the list to find more.

Three columns are displayed for each model: behavior (the name of the model), table (the Devo table the model requires), and status (enabled / disabled). A model that is not enabled must be turned on before it starts running.

To deploy a model, click the ellipsis to the right of the model's status. A drop-down menu with a Configure and Enable option appears; selecting it opens a screen with the options for configuring the alert. Historic Time Period, Risk Score, and Alert Priority are shown by default. Set the time period the model should baseline against, the minimum risk score below which no alert is raised, and the minimum priority of the alerts you want to see. An advanced option lets you override the table, so you can deploy the model on a different table if the table naming in your org differs from the default. If you use the table override, the field names and types in your table must match those of the original Devo table, because the model is written against that table's schema.
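The schema requirement behind the table override is easy to get wrong silently, so the following pre-flight check is worth running before enabling a model on an overridden table. It is an added example for this page, not part of Devo or the Behavior Analytics app, and it does not query the platform: both schemas are passed in as plain dictionaries of field name to type name, and the field lists used below are constructed for illustration rather than the real layout of any Devo table. Missing and retyped fields are reported as blocking; extra columns are listed but allowed; for each missing field, the closest-looking extra column is suggested as a likely rename.

```python
"""Pre-flight check for a Content Manager table override.

Added example for this page; not part of Devo or the Behavior Analytics app.
Schemas are hypothetical dicts of field name -> type name; nothing is queried.
"""
from dataclasses import dataclass, field
from difflib import get_close_matches


@dataclass
class OverrideReport:
    missing: list = field(default_factory=list)        # required fields absent from the override
    type_mismatch: list = field(default_factory=list)  # (field, expected type, override type)
    extra: list = field(default_factory=list)          # fields only the override has (allowed)
    hints: dict = field(default_factory=dict)          # missing field -> likely rename in override

    @property
    def compatible(self) -> bool:
        # Extra fields are harmless; missing or retyped fields break the model's queries.
        return not self.missing and not self.type_mismatch


def check_override(expected: dict, override: dict) -> OverrideReport:
    """Compare an override table's schema with the schema the model was written for.

    Names are compared exactly (case-sensitive) because the model selects
    fields by name. For each missing field, the closest-looking extra field
    in the override is reported as a rename hint (difflib, default cutoff 0.6).
    """
    report = OverrideReport()
    for name, expected_type in expected.items():
        if name not in override:
            report.missing.append(name)
        elif override[name] != expected_type:
            report.type_mismatch.append((name, expected_type, override[name]))
    report.extra = sorted(set(override) - set(expected))
    for name in report.missing:
        match = get_close_matches(name, report.extra, n=1)
        if match:
            report.hints[name] = match[0]
    return report


def format_report(report: OverrideReport) -> str:
    """Human-readable summary, one finding per line."""
    lines = ["OK: override schema is compatible"] if report.compatible \
        else ["FAIL: override schema is not compatible"]
    for name in report.missing:
        hint = f" (did you mean '{report.hints[name]}'?)" if name in report.hints else ""
        lines.append(f"  missing field: {name}{hint}")
    for name, exp, got in report.type_mismatch:
        lines.append(f"  type mismatch: {name} expected {exp}, override has {got}")
    for name in report.extra:
        lines.append(f"  extra field (ignored): {name}")
    return "\n".join(lines)


# Constructed, hypothetical schemas: not the real layout of any Devo table.
MODEL_TABLE_SCHEMA = {
    "eventdate": "timestamp",
    "username": "str",
    "srcip": "ip4",
    "result": "str",
}
OVERRIDE_GOOD = {
    "eventdate": "timestamp",
    "username": "str",
    "srcip": "ip4",
    "result": "str",
    "hostname": "str",   # extra column, allowed
}
OVERRIDE_BAD = {
    "eventdate": "timestamp",
    "user": "str",       # renamed: the model will not find 'username'
    "srcip": "str",      # retyped: ip4 became str
    "result": "str",
    "hostname": "str",
}

if __name__ == "__main__":
    print(format_report(check_override(MODEL_TABLE_SCHEMA, OVERRIDE_GOOD)))
    print(format_report(check_override(MODEL_TABLE_SCHEMA, OVERRIDE_BAD)))
```

Run it with the schema of the model's required Devo table as `expected` and the schema of your candidate table as `override`; only deploy the override when the report is compatible. A rename hint is a suggestion to check, not proof that the column carries the same data.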

To stop a model, open the same ellipsis on the right-hand side of the model and choose Disable, which pauses the model.

Do not deploy all the models at once to ensure that performance does not suffer.

  • Deploying Behavior Alerts:

Name | Description
Historical time period | The time period from which the model baselines its data.
Risk score | A threshold the user can set; alerts scoring below it are excluded.
Alert Priority | Only alerts of this priority and higher are displayed.

  • Content Manager SecOps Alerts: 

As seen in the image above, all SecOps alerts enabled in your domain appear in the Behavior Analytics App. Each time one of these alerts fires, it is correlated to the associated entity. You can tune the risk score of a specific SecOps alert (for example, setting a risk score of 55 for the SecOpsLoginFailAttempts alert).

To do this, open the action menu at the far right of the alert name and choose Edit, where you can set a risk score for that SecOps alert. Once a risk score is assigned, the alert's contribution to the risk score of the entities it correlates to increases. To remove it, choose Remove Risk Score from the same action menu.
