
ThreatLink

About ThreatLink

Devo ThreatLink is a centralized, automated case management solution that empowers organizations to efficiently navigate the complexities of incident response by leveraging integrations to hundreds of security and IT tools.

ThreatLink consists of an alert triage playbook that correlates and enriches alerts to generate high-fidelity cases, dramatically reducing analyst workload. This simplified case correlation algorithm enables automatic prioritization of investigations based on risk, severity, and business impact, while also helping to reduce alert fatigue.

How it Works 

ThreatLink works by conducting the following steps: 

  1. Gather Alerts: ThreatLink starts by reading all of your organization’s Devo alerts into the playbook every 15 minutes or less, based on stream parameters.

  2. Extract Alert Entity Data: If an alert matches an existing case, its entities are extracted from the alert. If it does not match, a new case is created.

  3. Link with Existing Cases: Once the alerts from the last 15 minutes are retrieved, they are cross-referenced with the existing cases from the last 7 days. If a match is found, the alert is added to the existing case.

  4. Build New Case: With all of the alert data parsed and normalized, the alerts are correlated with each other through explicit matching of the alert entities. All of the data from each of the alerts is organized into a human-readable format that is displayed within the case template.

Explicit entity matching between alerts is achieved by hashing all entities within an alert and comparing this hash to those of alerts currently tracked by the playbook, as well as newly fetched alerts. If there is a complete match across all entity values for a set of alerts, a case is created for that group. If no matching set is found and no prior cases exist, a case with just that single alert is created.

Note:

In order for the correlation to work, the alerts in Devo must have the entities mapped in the alert definition. Entity mapping is defined by adding lines like the following to each alert:

select sourceIPAddress as entity_sourceIP

The full list of entity mappings is shown below:

               Users                       Device                       Domain
Source         entity_sourceName           entity_sourceIP              entity_sourceDomain
               entity_sourceAccount        entity_sourceHostname        entity_sourceUrl
               entity_sourceEmail
Destination    entity_destinationName      entity_destinationIP         entity_destinationDomain
               entity_destinationAccount   entity_destinationHostname   entity_destinationUrl
               entity_destinationEmail

ThreatLink can also support additional custom entities; refer to the Customizing ThreatLink section below for additional detail.

What is a ThreatLink case?

A ThreatLink case represents the output of the ThreatLink playbook and the unit of work for the SOC. The information from the correlated alerts is consolidated into a single case. Within each case, all the information needed to investigate and take further action is included.

An example case can be seen in the image below:

[Image: example ThreatLink case]

The case template includes the following information:

  • Summary: All of the details of the alerts that have been added to the case, including the tactic, technique, alert context, entities, etc.

  • History: All of the actions taken on a case, including the user that completed the action, change that was made, and time of completion.

  • Alert Queries: The Devo SIEM alert query definitions that created the case.

  • Case Details: The basic fields to manage the case such as ‘Status’, ‘Priority’, or ‘Assigned To’.

  • Workflow: Additional fields to track the status and manage the case, all customizable by the team.

  • Tasks: The actions available for the analyst to take when managing a case, all customizable by the team including manual tasks, automated forms, and integrations.

  • Linked Alerts: All of the correlated alerts and the detailed information about each alert in a list format for user context.

  • Additional / Extract Fields: The entity correlation hash and the extracted entity fields.

Get started with ThreatLink

Prerequisites

Ensure the proper entities are mapped in your Devo alerts, as they must include at least one entity mapping value. A sample alert with entities mapped is shown below:

[Image: sample alert with entity mappings]

The Devo Support team has an entity validation script that can be run to support the updating of your Devo alerts to meet the prerequisites.

Installation

  • Please contact Devo Support or your Customer Success Team and place a request for ThreatLink installation.

  • Provide us with a Query API Authentication token and an Alert API Authentication token from the Devo SIEM to initiate the installation process.

Customizing ThreatLink 

Case Types and Settings

ThreatLink has a large number of templates that can be used as the basis for customizing workflows and tasks for different use cases. In addition to the default case template, ThreatLink can be cloned to create additional templates for Phishing, Password Reset, User Account Lockout, Firewall Block, Endpoint Isolation, and more.

It is important to note that only one case template is included in the initial ThreatLink installation, so it is recommended that your team configures their tasks and workflows accordingly.

Custom Lists

ThreatLink can be customized to optimize its performance for specific environments without requiring any changes to the playbook. This can be accomplished out of the box by selecting the option ‘Custom Lists’ under the ‘My Library’ menu.

Case Correlation Variables

The tuning parameters for the case correlation playbook are located in the Devo_Case_Creator_Variables custom list with the following parameters: 

  • Lookback_Days - Defines the time window for related alerts to be grouped under the same case.
    Once a new time period begins, ThreatLink will create a new case and start looking for matches within that time period’s timeframe.

Alert Routing to Case Types

In addition, customers that require customized case types assigned to specific alerts can edit the custom list ThreatLink_CaseTemplateAssigner to link an alert name to a specific type.

Here is a simple example of how to link the SecOpsVpcNetworkScan AlertName to the case type VPCCaseTemplate.

High-Value Target Custom List

A custom list called High_Value_Targets can be used to add additional risk information to cases. An example of the schema is below. This list can include users, IP addresses, or hostnames.

Type,Entity,Enabled,Risk_Score
User,carlos@devo.com,True,7
IP,192.168.10.150,True,2
Host,MachineName,True,50
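The following is an added illustration (not ThreatLink's own playbook code) of the two mechanisms this page describes: the explicit entity matching from the "How it Works" section, where all entity_* values of an alert are hashed and alerts with identical hashes inside the Lookback_Days window share a case, and the High_Value_Targets list above, whose Risk_Score is added to a case when one of its entities appears in the list. The alert records, field names other than entity_*, and the hash construction are assumptions made for the example.

```python
import csv
import hashlib
import io
from datetime import datetime, timedelta

# Constructed sample alerts; only entity_* fields take part in correlation.
ALERTS = [
    {"alertName": "SecOpsVpcNetworkScan", "time": "2024-05-01T10:00:00",
     "entity_sourceIP": "192.168.10.150", "entity_destinationIP": "10.0.0.5"},
    {"alertName": "SecOpsPortSweep", "time": "2024-05-01T10:07:00",
     "entity_sourceIP": "192.168.10.150", "entity_destinationIP": "10.0.0.5"},
    {"alertName": "SecOpsVpcNetworkScan", "time": "2024-05-01T10:09:00",
     "entity_sourceIP": "192.168.10.151", "entity_destinationIP": "10.0.0.5"},
    # Same entities as the first alert, but 9 days later: outside a 7-day window.
    {"alertName": "SecOpsVpcNetworkScan", "time": "2024-05-10T10:00:00",
     "entity_sourceIP": "192.168.10.150", "entity_destinationIP": "10.0.0.5"},
]

# The High_Value_Targets example list from this page, as CSV text.
HIGH_VALUE_TARGETS = """Type,Entity,Enabled,Risk_Score
User,carlos@devo.com,True,7
IP,192.168.10.150,True,2
Host,MachineName,True,50
"""

def entity_hash(alert):
    """Hash every entity_* field (name and normalized value, sorted) so that
    two alerts carrying the same entity set produce the same hash."""
    ents = sorted((k, str(v).strip().lower()) for k, v in alert.items()
                  if k.startswith("entity_") and v not in (None, ""))
    canon = "|".join(f"{k}={v}" for k, v in ents)
    return hashlib.sha256(canon.encode()).hexdigest()

def load_targets(csv_text):
    """Return {entity: risk_score} for enabled High_Value_Targets rows."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Entity"]: int(r["Risk_Score"]) for r in rows if r["Enabled"] == "True"}

def build_cases(alerts, targets, lookback_days=7):
    """Group alerts into cases by complete entity-hash match within the lookback
    window; a match outside the window starts a new case (hypothetical logic)."""
    cases = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        h, t = entity_hash(a), datetime.fromisoformat(a["time"])
        match = next((c for c in reversed(cases) if c["hash"] == h
                      and t - c["first_seen"] <= timedelta(days=lookback_days)), None)
        if match:
            match["alerts"].append(a)
            continue
        risk = sum(targets.get(v, 0) for k, v in a.items() if k.startswith("entity_"))
        cases.append({"hash": h, "first_seen": t, "alerts": [a], "risk_score": risk})
    return cases
```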

Add Additional Tasks To a Case Template

Take advantage of hundreds of Devo ThreatLink’s integrations to Security and IT tools, and add additional tasks to your cases for automated incident response by navigating to ‘Case Settings’, opening up the ThreatLink Case Type, and selecting the Tasks tab.

To learn how to create Tasks, User Input forms, and integrations to other tools, please refer to the additional documentation linked on this page.

Troubleshooting

One potential issue is that a case may become misformatted (see screenshot below). This typically occurs when fired alerts are not correctly matched to their alert definitions. Several factors can contribute to this, including but not limited to:

  • For MSSPs: Ensure that all child domains with active alerts are properly configured in the Domain Connection List.

  • Alert Naming: If unusual characters are used in alert names, this may cause correlation issues. In such cases, review the blocks responsible for normalizing and matching alerts.

  • For Non-MSSPs: Verify that the main Alert Definition Connection is properly configured and functioning as expected when the playbook runs.

The following image shows an example of a misformatted case.

Release Notes

  • Changes:

    • Updated the ThreatLink Dashboard to improve resource utilization on v1.0.6

    • Modified the lhub_score value placement to reintroduce the color-coded values in the alert populator streams.

  • Enhanced support for MSSPs

    • Upgraded Devo_Alert_Populator to v2.2

    • Added a new custom list called Domain Connection List with domain and connection name fields

    • Improved logic conditions where the alert summary and/or definition are missing from the alert definition.

    • Support was added for case creation from third-party SIEMs.

    • Added Alert Source to the dedupe key

    • Added a new Alert Client field to help MSSPs see which tenant triggered an alert.

    • Support for UEBA v2 alerts triggered in a child domain.

  • Fixes:

    • Number of unique alerts added

    • Case priority fixed

  • Changes:

    • Added new field unique_num_linked_alerts

    • Updated the combine_alert_counts.py script to combine_alert_countsV2.py

    • Updated Threatlink Case Creator playbook from v1.0.1 to v1.2

  • Enhancements

    • Devo_Alert_Populator_v2 - Improves alert processing speed by 2x

    • Closed_Linked_Cases command will now set the Analysis Stage, Resolution, and Alert Validation for all of the linked cases.

    • Fixed python alert decoding issues.

  • Enhancements

    • Fixed missing entities “entity_sourceEmail” and “entity_destinationEmail”.

    • Updated entity mapping error for “entity_sourceHostname”.

    • Added mapping for “-” in alert names to correct for an invalid alert name condition.

    • Added mapping to better handle special characters in alert names to correct for a failure with invalid alert values.

    • Improved alert description logic to include better readability.

    • Case search results optimized to reduce compute overhead.

    • Updated the lookback logic to improve performance.

    • Fixed issue where alert priority was not being carried through to cases correctly.

    • Removed the last block of the alert populator playbook so that the alerts in Devo no longer get marked as watched.

    • Removed Mitre info from the summary page, as it was redundant in the additional fields section, and added new multivalue fields.

    • Renamed the SecOps_Alert_Populator playbook to Devo_Alert_Populator

    • Renamed the custom list SecOps_Case_Creator_Variable to Devo_Case_Creator_Variable

    • Renamed Alert Context in the case summary page to "Initial Alert Context"

    • Updated field names “tactic” and “technique” to “MITRE Tactic(s)” and “MITRE Technique(s)”.

    • Updated the decode_extraData.py script to account for changes in how the new alerting engine handles null values.

  • New Features and Functionality

    • Auto updating of case priority - New logic was added to automatically update the case priority if a new alert with a higher value was added to an existing case. This only affects cases with a status of “New”.

    • LINQ Queries - Added LINQ queries for any triggered alert to the case template as a new tab.

    • New case template - A new tab for system fields has been added.

    • New case summary - Now the case summary is easier to read and provides the user with better information regarding the number and order of triggered alerts.

    • Enhanced Parsing of the extra data field - The new case template will also parse the extra data fields to make it easier to read the alert details.

    • MSSP Master Tenant - Added a “client” field so that cases are created per client, and so the case and alert page can be sorted by clients.

    • MSSP Master Tenant - Add additional logic to ensure correct alert grouping by client name.

  • Optimized how new alerts are processed to reduce memory utilization.

  • Removed a split array causing performance issues.

  • Optimized batch performance