Document toolboxDocument toolbox

Devo ThreatLink Overview

Owned by Alvaro de la Serna Martinez
Dec 16, 2024
8 min read

What is Devo ThreatLink? 

Devo ThreatLink is a centralized, automated case management solution, that empowers your team to efficiently navigate the complexities of incident response. Devo ThreatLink is an alert triage playbook that intelligently correlates and enriches alerts to generate high-fidelity cases, dramatically reducing analyst workload. This simplified case correlation algorithm enables customers to automatically prioritize investigations based on risk, severity, and business impact and diminish alert fatigue. With integrations available to 100s of security and IT tools, Devo ThreatLink enables you to swiftly respond and automate incident response.


How does ThreatLink work? 

ThreatLink works by conducting the following steps: 

  1. Gather Alerts - ThreatLink starts by reading all of your organization’s Devo alerts into the playbook every 15 minutes or less, based on stream parameters.

  2. Extract Alert Entity Data - If an alert does match with an existing case, its entities are extracted from the alert. If it does not match then a new case is created.

  3. Link with Existing Cases - Once the alerts from the last 15 minutes are retrieved, the alerts are cross-referenced with the existing cases from the last 7 days.  If a match is found then the alert is added to the existing case. 

  4. Build New Case - With all of the alert data parsed and normalized, the alerts are then correlated with each other through the explicit matching of the alert entities.  All of the data from each of the alerts is organized into a human-readable format that is displayed within the case template. 

 

The explicit matching of the entities between alerts is done by taking the hash of all the entities within an alert and then comparing that hash to all the alerts currently tracked by the playbook and the ones recently fetched.  If there is a match for all the entity values for a set of alerts then a case is created with that set of alerts.  If there is no set and no previous cases were created then a case with just that single alert is created.  

 

NOTE

In order for the correlation to work, the alerts in Devo must have the entities mapped in the alert definition.  Entity mapping is defined by adding lines such as this one to each alert:

select sourceIPAddress as entity_sourceIP

The full list of entity mappings is below: 

Users

Device

Domain

Users

Device

Domain

entity_sourceName 

entity_sourceIP 

entity_sourceDomain 

entity_destinationName 

entity_destinationIP

entity_destinationDomain 

entity_sourceAccount 

entity_sourceHostname 

entity_sourceUrl 

entity_destinationAccount

entity_destinationHostname 

entity_destinationUrl

entity_sourceEmail 

 

 

entity_destinationEmail 

 

 

ThreatLink can also support additional custom entities, refer to How to Customize ThreatLink for additional detail.

What is a ThreatLink case?

A ThreatLink case is the output of the ThreatLink playbook and takes the information from the alerts that have been correlated into a single case.  The process makes cases the work unit of the SOC.  Within each case, all the relevant information is included to investigate and take further action.   An example case can be seen in the below image: 

Screenshot 2024-10-24 at 10.43.11 AM.png

The case template includes the following information:

  • Summary: All of the details of the alerts that have been added to the case include the tactic, technique, alert context, entities, etc. 

  • History: All of the actions taken on a case, including the user that completed the action, the change that was made, and the time of completion

  • Alert Queries: The Devo SIEM alert query definitions that created the case

  • Case Details: The basic fields to manage the case such as Status, Priority, Assigned To

  • Workflow: Additional fields to track the status and manage the case, all customizable by the team

  • Tasks: The actions available for the analyst to take when managing a case, all customizable by the team including manual tasks, automated forms, and integrations

  • Linked Alerts:  All of the correlated alerts and the detailed information about each alert in a list format for user context 

  • Additional / Extract Fields:  The entity correlation hash and the extracted entity fields.  

How to get started with ThreatLink

Prerequisites

  • Devo Alerts must include at least one entity mapping value. Review your Devo Alerts and ensure the proper entities are mapped in your alerts, a sample Devo Alert with entities mapped is below:

Screenshot 2024-10-24 at 11.04.33 AM.png

  • The Devo Support team has an entity validation script that can be run to support the updating of your Devo Alerts to meet the prerequisites.

ThreatLink Installation

  • Please contact Devo Support or your Customer Success team and place a request to have ThreatLink installed.

  • Provide the Devo team with a Query API Authentication token and an Alert API Authentication token from the Devo SIEM for the installation.

How to Customize ThreatLink? 

ThreatLink Case Types and Settings

ThreatLink has several case templates that can be used as the basis for customizing case workflows and tasks for different use cases. In addition to the default case template, ThreatLink can be cloned to create additional templates for Phishing, Password Reset, User Account Lockout, Firewall Block, Endpoint Isolation, and more. It is important to note that only one case template is included in the initial ThreatLink installation, so it is recommended that your team configures their tasks and workflows accordingly.

Custom Lists

ThreatLink can be customized without any changes to the playbook to tune how well it runs for specific environments.  This can be accomplished out of the box, using Custom Lists under My Library.

Case Correlation Variables

The tuning parameters for the case correlation playbook are located in the “Devo_Case_Creator_Variables” custom list with the following parameters: 

  • Lookback_Days - defines the time window for related alerts to be grouped under the same case. Once a new time period begins, ThreatLink will create a new case and start looking for matches within that time period’s timeframe.

Alert Routing to Case Types

In addition, customers who want to have customized case types assigned to specific Alerts, can edit the custom list, ‘ThreatLink_CaseTemplateAssigner’ to link an alert name to a specific type.

Here is a simple example of how to link the SecOpsVpcNetworkScan AlertName to the case type “VPCCaseTemplate”

High-Value Target Custom List

A custom list called High_Value_Targets can be used to add additional risk information to cases. An example of the scheme is below. This list can include users, IP addresses, or hostnames.

Type,Entity,Enabled,Risk_Score User,carlos@devo.com,True,7 IP,192.168.10.150,True,2 Host,MachineName,True,50

Add Additional Tasks To a Case Template

Take advantage of Devo ThreatLink’s 100s of integrations to Security and IT tools, and add additional tasks to your cases for automated incident response.

  • Navigate to Case Settings, open the ThreatLink Case Type, and select the Tasks tab.

To learn how to Create Tasks, such as manual tasks, User Input forms, and integrations to other tools, additional documentation can be found here.

Trouble-shooting

  • One issue that may occur is that a case can get malformatted (see screenshot below). This tends to happen when fired alerts are not getting matched back up to their alert definitions correctly. This can happen for a number of reasons, including but not limited to:

    • If MSSP they need to make sure all of the child domains that have alerts firing are set up correctly in the Domain Connection List

    • If they are using unusual characters in their alert names this could be causing correlation issues and the blocks around where we normalize/match alerts needs to be reviewed

    • If not MSSP the main Alert Definition Connection needs to be configured and working as the playbook runs

Release Notes:

  • 1.3

    • Changes:

      • Updated the ThreatLink Dashboard to improve resource utilization on v1.0.6

      • Modified the lhub_score value placement to reintroduce the color-coded values In the alert populator streams.

    • Enhanced support for MSSPs

      • Upgraded Devo_Alert_Populator to v2.2

      • Added a new custom list called Domain Connection List with domain and connection name fields

      • Improved logic conditions where the alert summary and/or definition are missing from the alert definition.

      • Support was added for case creation from third-party SIEMs.

      • Added Alert Source to the dedupe key

      • Added a new Alert Client field to help MSSPs see which tenant triggered an alert.

      • Support for UEBA v2 alerts triggered in a child domain.

  • 1.2

    • Fixes:

      • Number of unique alerts added

      • Case priority fixed

      Changes:

      • Added new field unique_num_linked_alerts

      • Updated combine_alert_counts.py script combine_alert_countsV2.py

      • Updated Threatlink Case Creator playbook from v1.0.1 to v1.2

  • 1.1

    • ENHANCEMENTS

      • Devo_Alert_Populator_v2 - Improves Alert processing speed by x2

      • Closed_Linked_Cases command will now set the Analysis Stage, Resolution, and Alert Validation for all of the linked cases.

      • Fixed python alert decoding issues.

  • 1.0.0

    • ENHANCEMENTS

      • Fixed missing entities “entity_sourceEmail” and “entity_destinationEmail“.

      • Updated entity mapping error for “entity_sourceHostname”.

      • Added mapping for “-” in alert names to correct for an invalid alert name condition.

      • Added mapping to better handle special characters in alert names to correct for a failure with invalid alert values.

      • Improved alert description logic to include better readability.

      • Case search results optimized to reduce compute overhead.

      • Updated the lookback logic to improve performance.

      • Fixed issue where alert priority was not being carried through to cases correctly.

      • Removed the last block of the alert populator playbook so that the alerts in Devo no longer get marked as watched.

      • Removed Mitre info from the summary page, as it was redundant in the additional fields section, and added new multivalue fields.

      • Renamed the SecOps_Alert_Populator playbook to Devo_Alert_Populator

      • Renamed the custom list SecOps_Case_Creator_Variable to Devo_Case_Creator_Variable

      • Renamed Alert Context in the case summary page to "Initial Alert Context"

      • Updated field names “tactic” and “technique” to “MITRE Tactic(s)“ and “MITRE Technique(s)“.

      • Updated the decode_extraData.py script to account for changes in how new alerting engine handles null values.

    • NEW FEATURES and FUNCTIONALITY

      • Auto updating of case priority - New logic was added to automatically update the case priority if a new alert with a higher value was added to an existing case. This only affects cases with a status of “New”.

      • LINQ Queries - Added LINQ queries for any triggered alert to the case template as a new tab.

      • New case template - A new tab for system fields has been added.

      • New case summary - Now the case summary is easier to read and provides the user with better information regarding the number and order of triggered alerts.

      • Enhanced Parsing of the extra data field - The new case template will also parse the extra data fields to make it easier to read the alert details.

      • MSSP Master Tenant - Added a “client” field so that cases are created per client, and so the case and alert page can be sorted by clients.

      • MSSP Master Tenant - Add additional logic to ensure correct alert grouping by client name.

  • 01.13

    • Optimized how new alerts are processed to reduce memory utilization.

    • Removed a split array causing performance issues.

    • Optimized batch performance

  • 01.12

    • Fixed an issue causing memory spikes

    • Added Case workflow with Analysis Stage, Resolution type, Alert Validation, Escalation

  • v01.11

    • Fixed issue with malformed Devo alerts that contain spaces in the alert name

    • Fixed Alert grouping. It was only grouping on the last batch, not based on the custom list setting.

    • Reduced number of steps in the playbook

    • Added a command to close linked cases

    • Added # of linked alerts field, that can now be made visible and sortable in the case home page

    • Introduced ThreatLink Dashboard v1