Overview
The following sections explain how to add new alerts in addition to the standard Security Operations alerts.
The first thing to do is to apply all the filtering you can before you start to define your detection logic, since the goal is to reduce the amount of data to process.
Filter as early as you can and at every stage where you are able to. Exclude "null" values and remove all "noisy" data while building the query. This makes the query more efficient and reduces false positives.
Query creation
Each alert is based on a query that is run continuously over the data stream. When an alert is triggered, it generates a record in the Devo table.
This table is a read-only table. Devo SecOps then enriches the alerts, adding information based on the ‘ExtraData’ field at the end of the alert record.
There are some requirements that we have to follow to create compatible alerts. There are two types of requirements: Mandatory and optional.
Mandatory | Optional |
---|---|
SecOps Prefix | SecOps Subcategory |
alertPriority | alertMitreTechniques |
alertType | alertMitreTactics |
Entities (at least one) | Enrichments |
Example
Let's say we want to analyze the requests made to our web server.
First, we apply filters to keep only the requests whose source IP is not null and belongs to a public range.
from web.all.access where ispublic(srcIp) where isnotnull(srcIp)
Then we group by srcIp with one hour as the grouping period. In this case, we add a count operation that we use to filter on the number of events in each group.
group every 30m by srcIp every 1h select count() as count where count > 5000
Entity creation
In this step, we start to deal with the SecOps requirements. Entities must follow a predefined nomenclature so that SecOps can detect and process them. Here we create the entities and, optionally, apply the whitelisting procedure. See the entities documentation to learn more about entities.
In our example we use just one entity, srcIp, so we create a new field following the nomenclature.
select str(srcIp) as entity_sourceIP
SecOps uses a Common Information Model for entity naming. It is needed to track entities across the SecOps app. If you want to include more entities, please contact Devo Support.
Entity | SecOps Entity |
---|---|
Hostname | entity_sourceHostname, entity_destinationHostname |
Url | entity_sourceUrl, entity_destinationUrl |
IP | entity_sourceIP, entity_destinationIP |
MAC | entity_sourceMAC, entity_destinationMAC |
Name | entity_sourceName, entity_destinationName |
Location | entity_sourceLocation, entity_destinationLocation |
Domain | entity_sourceDomain, entity_destinationDomain |
Email | entity_sourceEmail, entity_destinationEmail |
Account | entity_sourceAccount, entity_destinationAccount |
Next, we need to add the following enrichment fields using lookups:
Assign the entity a role using the SecOpsAssetRole lookup.
Add a description using the SecOpsAlertDescription lookup.
Add a location using the SecOpsLocation lookup.
To learn more about lookups, go to SecOps Lookups.
Using Lookups after aggregation ensures that the new fields created are available in SecOps.
It is necessary to activate the server mode in the Data Search area to be able to use Lookups after grouping.
The following example shows how to give an IP the DNS role, with category server and type system:
asset,class,category,type
8.8.8.8,DNS,server,system
SecOpsAssetRole follows the terminology used by the SecOps app to populate the Entity Graph with known definitions of class (role) and category (entity type).
The end query will look like this:
from web.all.access
where ispublic(srcIP)
where isnotnull(srcIP)
group every 30m by srcIP every 1h
select count() as count
where count > 5000
select str(srcIP) as entity_sourceIP
select `lu/SecOpsAssetRole/role`(entity_sourceIP) as entity_sourceIP_AssetRole
select `lu/SecOpsLocation/country`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCountry
select `lu/SecOpsLocation/city`(entity_sourceIP) as enrichStream_entity_sourceIP_locationCity
select `lu/SecOpsLocation/state`(entity_sourceIP) as enrichStream_entity_sourceIP_locationState
select `lu/SecOpsLocation/lat`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLat
select `lu/SecOpsLocation/lon`(entity_sourceIP) as enrichStream_entity_sourceIP_locationLon
select `lu/SecOpsAlertDescription/alertType`("SecOpsDenialOfService") as alertType
select `lu/SecOpsAlertDescription/alertMitreTactics`("SecOpsDenialOfService") as alertMitreTactics
select `lu/SecOpsAlertDescription/alertMitreTechniques`("SecOpsDenialOfService") as alertMitreTechniques
select `lu/SecOpsAlertDescription/alertPriority`("SecOpsDenialOfService") as alertPriority
Naming
Finally, as the alert creator, you have to fill in the last four fields, answering the who, the what, the when, the where, and how much. Be as descriptive as possible in the description and message so that the analyst gets the most information from the SecOps alert data.
Summary: Can include column values using $ followed by the column name.
Description: Can include column values using $ followed by the column name.
Subcategory: Must be SecOps.
Alert name: Must start with the "SecOps" prefix and be written in Upper Camel Case.
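The checks below, an added example that is not part of Devo's documentation or tooling, pull together the mandatory/optional requirements, the entity nomenclature table, and the naming rules from this page into a pre-flight validator for a custom alert; the alert model (name, subcategory, query output columns, summary and description templates) and the `$column` expansion helper are assumptions made for this example.

```python
import re

# Entity names from the Common Information Model table on this page.
SECOPS_ENTITIES = {
    f"entity_{side}{kind}"
    for side in ("source", "destination")
    for kind in ("Hostname", "Url", "IP", "MAC", "Name", "Location",
                 "Domain", "Email", "Account")
}
MANDATORY_COLUMNS = {"alertPriority", "alertType"}
# Alert name: "SecOps" prefix followed by Upper Camel Case words.
ALERT_NAME = re.compile(r"^SecOps(?:[A-Z][a-z0-9]*)+$")
# "$column" references allowed in the summary and description fields.
PLACEHOLDER = re.compile(r"\$(\w+)")


def validate_alert(name, subcategory, columns, summary, description):
    """Return a list of problems; an empty list means the alert is compatible."""
    columns = set(columns)
    problems = []
    if not ALERT_NAME.match(name):
        problems.append(f"alert name {name!r} must start with 'SecOps' and be Upper Camel Case")
    if subcategory != "SecOps":
        problems.append(f"subcategory must be 'SecOps', got {subcategory!r}")
    for col in sorted(MANDATORY_COLUMNS - columns):
        problems.append(f"mandatory column {col!r} is missing")
    if not columns & SECOPS_ENTITIES:
        problems.append("at least one entity_* column with a SecOps CIM name is required")
    for col in sorted(columns):
        # entity_sourceIP_AssetRole is an enrichment of entity_sourceIP, so it is allowed.
        if (col.startswith("entity_") and col not in SECOPS_ENTITIES
                and not any(col.startswith(e + "_") for e in SECOPS_ENTITIES)):
            problems.append(f"{col!r} does not follow the SecOps entity nomenclature")
    for label, text in (("summary", summary), ("description", description)):
        for ref in PLACEHOLDER.findall(text):
            if ref not in columns:
                problems.append(f"{label} references ${ref}, which the query does not output")
    return problems


def render(template, record):
    """Expand $column placeholders in a summary/description with one alert record."""
    return PLACEHOLDER.sub(lambda m: str(record[m.group(1)]), template)
```

Running it against the output columns of the final query above returns no problems, while a lowercase name, a non-SecOps subcategory, a misnamed entity such as entity_srcIp, or a `$column` that the query never outputs each produce a specific message.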