
Security Insights lookups

Overview

The Security Insights application uses a series of lookup tables that are pre-installed in every Devo domain. Users don't need to create them or enable them in the application. However, you can use them to enrich your data after running a search, in the same way as lookups defined by users.

To do so, open the data table you want to enrich and select Create column in the query window toolbar. Type the name of the lookup in the drop-down menu search box to locate it. Every column in the lookup apart from the key column appears as an operation that adds a new column to your table: for each row, the operation takes the value of the column you pass as argument, finds the lookup row whose key column holds that value, and returns the corresponding cell. Rows whose value has no match in the key column get no value in the new column.

Learn more about lookups in the Data enrichment article, and read Create columns to learn more about adding new columns to your tables.
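The matching described above, as an added example (not Devo's own code or query syntax): a small model of a lookup with one key column whose other columns act as operations, applied to a few constructed events. The lookup rows, the event records and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for illustration; only the lookup and column names follow the page.

```python
"""Model of Devo-style lookup enrichment (added example, not Devo code)."""
from __future__ import annotations

from typing import Any, Optional


class Lookup:
    """A lookup table: one key column, every other column is an operation."""

    def __init__(self, name: str, key: str, rows: list[dict[str, Any]]) -> None:
        self.name = name
        self.key = key
        # Every non-key column becomes an operation you can add as a new column.
        self.operations = sorted({c for r in rows for c in r if c != key})
        # Index rows by key so a lookup is a single dictionary access.
        self.index = {r[key]: r for r in rows}

    def lookup(self, operation: str, value: Any) -> Optional[Any]:
        """Return the cell of `operation` in the row whose key equals `value`, else None."""
        if operation not in self.operations:
            raise KeyError(f"{self.name} has no column {operation!r}")
        row = self.index.get(value)
        return None if row is None else row.get(operation)


def create_column(records, lookup: Lookup, operation: str, source_field: str, new_field: str):
    """Add `new_field` to every record, filled from the lookup row matching `source_field`.

    Unmatched records keep the new field as None, mirroring an empty cell.
    """
    out = []
    for rec in records:
        enriched = dict(rec)
        enriched[new_field] = lookup.lookup(operation, rec.get(source_field))
        out.append(enriched)
    return out


# Constructed lookup contents (the real tables are pre-installed and far larger).
IS_TOR_NODE = Lookup("isTorNode", key="ip", rows=[
    {"ip": "192.0.2.10", "isTorNode": "TorNode"},
    {"ip": "192.0.2.11", "isTorNode": "TorNode"},
])
CDN_PROVIDERS = Lookup("CDNProviders", key="domain", rows=[
    {"domain": "static.example.net", "CDNProvider": "ExampleCDN"},  # hypothetical provider
])

# Constructed proxy/firewall events.
SAMPLE_EVENTS = [
    {"srcIp": "192.0.2.10", "dstHost": "static.example.net"},
    {"srcIp": "198.51.100.5", "dstHost": "login.example.org"},
    {"srcIp": "192.0.2.11", "dstHost": "login.example.org"},
]


def run_example():
    """Apply two lookups in sequence, as two Create column steps would."""
    step1 = create_column(SAMPLE_EVENTS, IS_TOR_NODE, "isTorNode", "srcIp", "torNode")
    return create_column(step1, CDN_PROVIDERS, "CDNProvider", "dstHost", "cdn")


def tor_to_non_cdn(events):
    """Events from a Tor exit node to a host that is not on the CDN allowlist."""
    return [e for e in events if e["torNode"] == "TorNode" and e["cdn"] is None]


if __name__ == "__main__":
    for event in run_example():
        print(event)
    print("tor -> non-CDN:", [e["srcIp"] for e in tor_to_non_cdn(run_example())])
```

Because the match is on the exact key value, the argument you pass must already be in the form the key column uses (an IP as text, a bare domain, a TLD without the host). Check the key column of the real lookup before wiring a query.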

List of Security Insights lookups

Below is the list of lookups used in the Security Insights application, including how to use them to enrich your query data.

Apart from the lookups described in this article, the Security Insights application uses another set of lookups pre-installed in all Devo domains, known as threat lookups.

isTorNode

This lookup contains a list of IP addresses that are part of the Tor anonymity network.

Use the isTorNode operation to check whether your IP addresses are part of the Tor network. You will get TorNode when an IP is included in the lookup key column. This operation needs one argument:

Argument | Data type
ip | ip

HTTPMethods

Includes a set of request methods used by the HTTP protocol.

Use the known operation on a column containing request methods to check whether they are recognized methods. You will get known when a method is included in the lookup key column; methods that are not in the list (for example unusual or malformed verbs sent by scanners) get no value, which is what you would alert on. This operation needs one argument:

Argument | Data type
method | string

SuspiciousTLD

A list of the top-level domains with the highest level of malicious activity.

Use the isSuspicious operation to check for suspicious top-level domains within your table data. You will get suspicious when a TLD is included in the lookup key column. Note that the argument is the top-level domain on its own, not the full host name, so extract the last label of the domain first. This operation needs one argument:

Argument | Data type
tld | string

CDNProviders

Content distribution networks are geographically distributed networks of proxy servers. This list is used as a whitelist in the Security Insights application.

Use the CDNProvider operation to get the CDN provider corresponding to the indicated domains. This operation needs one argument:

Argument | Data type
domain | string

DynamicDNS

Dynamic DNS services map a changing IP address to a fixed host name. They are sometimes used in combination with OpenVPN or SSH tunneling to access restricted content and/or bypass security controls on your network.

Use the provider operation to get the dynamic DNS provider corresponding to the indicated domains. This operation needs one argument:

Argument | Data type
domain | string

StatusCode400Text

List of HTTP 4xx status codes and their messages.

Use the text operation to get the descriptions of the selected status codes. The argument is a string, so if your table stores the status code as a number, convert it to a string before applying the operation. This operation needs one argument:

Argument | Data type
statusCode | string

PortsInformation

List of the most used port numbers. This lookup includes 4 different fields that you can use to enrich your data, each available as an operation.

One of these operations returns the standard service name of the ports that match the ones in the lookup key column. This operation needs one argument:

Argument | Data type
PortNumber | string

CheckP2PConnection

This lookup includes a list of ports used by peer-to-peer services.

Use the isP2P operation to check whether your ports are used by peer-to-peer services. You will get p2p when a port matches one in the lookup key column. This operation needs one argument:

Argument | Data type
port | string

IsPHPWebshell

A webshell is a script that can be uploaded to a web server to enable remote administration of the machine. This lookup includes the names of the most common files associated with this type of threat.

Use the webshell operation to check whether the file names from your URI paths are known webshells. You will get webshell when a URI path file name matches one in the lookup key column. The argument is the file name alone, so strip the directory part and any query string from the path before applying the operation. This operation needs one argument:

Argument | Data type
isPHPWebshell | string
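The SuspiciousTLD, HTTPMethods and IsPHPWebshell lookups all expect a derived key (a bare TLD, a normalized method, a file name) rather than the raw field most logs carry. The following added example (not code from the page or from Devo) shows how to derive those keys from constructed web-proxy events and which events would match. The lookup contents are constructed stand-ins; it is assumed that the real SuspiciousTLD key has no leading dot and that the real IsPHPWebshell key is lower case, so verify both against the actual key columns before using the same normalization in a query.

```python
"""Deriving lookup keys from raw web events (added example, not Devo code)."""
import json
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed stand-ins for the lookups; the real tables are pre-installed and larger.
SUSPICIOUS_TLD = {"top", "xyz", "gq"}          # key: tld, assumed without a leading dot
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                "CONNECT", "OPTIONS", "TRACE", "PATCH"}
PHP_WEBSHELLS = {"c99.php", "r57.php", "wso.php", "b374k.php"}  # key: file name, assumed lower case


def _is_ip(s: str) -> bool:
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


def tld_of(host: str):
    """Return the lowercase top-level label of a host name, or None if there is none.

    IP literals (v4, v6, bracketed v6 with port) and single-label hosts have no TLD
    to look up; an explicit port and a trailing dot are stripped first.
    """
    h = host.strip().lower().rstrip(".")
    if not h or h.startswith("[") or _is_ip(h):
        return None
    h = h.split(":", 1)[0]              # drop host:port
    if not h or _is_ip(h) or "." not in h:
        return None
    return h.rsplit(".", 1)[-1]


def uri_basename(path: str) -> str:
    """Return the decoded, lowercase file name at the end of a URI path ("" if none)."""
    p = urlsplit(path).path             # drops ?query and #fragment
    # Decode once, as the server would; a double-encoded name is an evasion to watch for.
    return unquote(p).rsplit("/", 1)[-1].lower()


def normalise_method(method: str) -> str:
    return method.strip().upper()


def analyse(record: dict):
    """Return (key, value) alerts for an event, in lookup order: TLD, method, file name."""
    alerts = []
    tld = tld_of(record.get("host", ""))
    if tld in SUSPICIOUS_TLD:
        alerts.append(("isSuspicious", tld))
    method = normalise_method(record.get("method", ""))
    if method not in HTTP_METHODS:       # 'known' would be empty for this row
        alerts.append(("unknownMethod", method))
    name = uri_basename(record.get("path", ""))
    if name in PHP_WEBSHELLS:
        alerts.append(("webshell", name))
    return alerts


# Constructed JSON-lines proxy events (documentation address ranges).
SAMPLE_LINES = """
{"srcIp": "198.51.100.7", "method": "GET", "host": "www.example.com", "path": "/index.html"}
{"srcIp": "203.0.113.9", "method": "POST", "host": "cdn.update-check.top:8443", "path": "/uploads/c99.php?cmd=id"}
{"srcIp": "203.0.113.10", "method": "PROPFIND", "host": "192.0.2.44", "path": "/webdav/"}
{"srcIp": "198.51.100.7", "method": "get", "host": "Files.Example.XYZ.", "path": "/dl/WSO.PHP"}
""".strip().splitlines()


def run_example():
    """Parse the sample lines and return (srcIp, alerts) per event."""
    out = []
    for line in SAMPLE_LINES:
        rec = json.loads(line)
        out.append((rec["srcIp"], analyse(rec)))
    return out


if __name__ == "__main__":
    for src, alerts in run_example():
        print(src, alerts or "clean")
```

The same normalization applies in reverse for the port lookups: CheckP2PConnection takes the port as a string while CheckBackdoorConnection takes an integer, so cast the port field to match the key column of whichever lookup you apply.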

CheckBackdoorConnection

A list of ports known to be used by malware backdoors.

Use the isBackdoor operation to check whether the ports you enter are related to malware threats. You will get backdoor when a port matches one in the lookup key column. Note that this lookup takes the port as an integer, unlike CheckP2PConnection, which takes it as a string. This operation needs one argument:

Argument | Data type
port | integer