The area you first see when you access the Security Operations application is the Dashboard, which offers at-a-glance monitoring information. The green top bar at the top area includes 4 icons to navigate through the different areas of the application, explained in detail in the following articles.
You can also check the items you have added to your investigation list by clicking the paper clip icon at the top right corner.
The Security Operations application has three main purposes: alert triage, user investigations, and threat hunting. All these activities are summarized in the Dashboard, which is the entrance point of the app.
These are the four different areas of the application:
Dashboard - This is the first area you see when you enter the application, and offers a general overview of the system condition through a series of default widgets.
Triage - This area allows analysts to filter and pivot both alerts and investigations by different parameters (type, name, keywords...)
Investigations - Create and manage investigations based on suspicious alerts and assign them to the required users.
Hunting - This area allows users to perform a global search in order to identify suspicious events.
Investigation list
All the elements that you add to an investigation from those areas go to the investigation list, where you can review and manage all the alerts and entities before defining the investigation. To access the Investigation list, just click the paper clip icon that you can find at the top right corner of the application.
Click Content manager in the menu icon at the top right corner of the application to access the content manager, where you can check information about different resources related to your environment: alerts, lookups, and capabilities.
This area is divided into three main sections:
The top area of this window shows a series of informative graphs that inform users about the alerts and lookups in your environment. Each group of alerts shows the total number of alerts and the ones that are activated. Next to this, you can check the total percentage of activated alerts in a group.
In the capture below, the first graph represents the Secops alerts in our environment. Currently, we have a total of 307 alerts, and 143 of them are activated. This represents 43% of the total number of alerts, as we can see in the graph.
These are the different groups of alerts:
Built-in alerts installed - Default alerts in the Security Operations application.
Custom alerts installed - Custom alerts defined for a specific client.
Active alerts - Active alerts in your system.
Main lookups - Lookups in the client domain.
Multi-lookup - Generic lookups in the Multilookups domain.
Dynamic lookups - Dynamic lookups are generated in the Security Operations application.
In the middle area of the window, you'll find three different tabs:
Alerts installed
Check the list of alerts installed in your SecOps environment.Â
Activate or deactivate alerts by switching on/off the toggle at the left side of each alert.
Remove an alert by clicking the Delete button on the right side of the alert.
You can also check these alerts in the Administration → Alert Configuration area of the Devo application.
Some of the alerts in this area may be marked with a star icon next to their name. This means that these alerts are custom alerts that have been defined specifically for a client and are not included in the default SecOps alert catalog.
Lookups
As explained in this section, there are 3 types of lookups in the Security Operations application: main lookups, multi-lookups, and dynamic lookups. In this tab, you can check the lookups of each type that you have installed in your environment.
Check the lookups that are installed in your environment (they will be marked with the word Installed). Lookups that are not installed are marked with the word Missing in red.
Apart from the status, dynamic lookups also show the number of entries (shown in orange if there are few entries), its size, and its update date.
Capabilities
Capabilities are Flow contexts that relate SecOps data to other external systems and perform specific operations.
Activate or deactivate capabilities by switching on/off the toggle at the left side of each capability.
Check if they are loaded and running in the info next to their name.
These are all the available capabilities:
Capability
Description
Capability
Description
Investigations to Cortex XSOAR
Activate this capability to create a case in the platform Cortex XSOAR every time you define a new investigation in SecOps. This capability must be configured in the Application settings section. Learn more below.
Investigations to Phantom
Send investigations to the Phantom platform. This capability must be configured in the Application settings section. Learn more below.
Entities
This capability allows the creation of entities in the system.
Send investigation to email
Send closed investigations to a specific email address or addresses.
User agent distance
This capability calculates the user-agent distance. You can use it to check differences between user agents that use a browser, or two users in the system entities.
Finally, in the bottom area of this window, we have the Alerts Filters and Alerts Configurator sections. These sections appear at the bottom area no matter the tab in the above section we select. In the Alerts Filter, select the required filters and check the results in the Alerts Configuration area, where you can select any number of required alerts and install them.
Unlike the alerts that appear in the Alerts installed tab above, these alerts do not appear in the Administration → Alert Configuration area of the Devo application. These are default alerts defined in the SecOps application that can be installed by users in their domains in the Alerts Configuration area.
Alerts filter
Below are the available filters in the Alerts Filter section. Select the required ones and click Filter to see the results.
Filter
Description
Filter
Description
Installable alerts
Activate this toggle if you want to filter only installable alerts, or deactivate alerts to filter non-installable alerts.
Apply white listing
Toggle this switch if you want to consider white-listing alerts.
Priority
Choose the required alert priority(ies)
ATT&CK Tactic
Select the required Mitre ATT&CK tactics.
ATT&CK Technique
Select the required Mitre ATT&CK techniques.
Tables
Specify the source tables of the queries that define the filtered alerts.
Tags
Choose the required alert tags.
Alerts configurator
In the Alerts Configurator section, you will see the alerts matching the filter criteria selected.Â
In this area, you can check any number of filtered alerts you need to install, and then click the Install alerts button that appears on the right side to install them. After installation, these alerts will appear in the Administration → Alert Configuration area of the Devo app.
Application settings
Click the menu icon at the top right corner of the application and select Settings to access the following groups of configuration options:
Group
Description
Group
Description
Enrichment
The Security Operations application is automatically enriched by different threat platforms to get the data required to analyze and label the alerts. However, if you have your own account on one of the available platforms, you can click it, switch off its Use default toggle and specify your URL to get data from your service.
Click Save to apply any modifications.
Capabilities services
Configure the Cortex XSOAR and Phantom connection.
Click Save to apply any modifications.
File artifact storage
Switch off the toggles if you want to specify the location where you want to store the files attached to investigations. Learn more in Investigations.
Click Save to apply any modifications.
DNS
The application resolves names using default DNS. Add server names here if you want to use custom DNS.
Click Save to apply any modifications.
Location
This is a view of the location lookup used to resolve locations and geolocations from IP addresses.
Impact calculation
Activate this option if you want to display the impact calculation for all the entities in your environment. Note that alert performance will be slower when this is activated.