
Mitre/SecOps lookup: SecOpsAssetRole

[ 1 Purpose ] [ 2 Open lookup ] [ 3 Use lookup ]

Purpose

The SecOpsAssetRole is a lookup that matches an asset with a role (a string). You can edit the lookup to add the assets to be considered; otherwise, installing it just creates an empty lookup.

Used in combination with the SecOps Global White List (GWL), this lookup lets you maintain, in the Lookup manager, a whitelist of assets that originally come from the Security Operations application.

These two lookups are used together by getting an asset's role from SecOpsAssetRole, building the string asset-role, and checking whether that string is present in the GWL lookup. Here is an example query that covers three cases.

  • First, an IP that is in the SecOpsGWL lookup and has a role associated in SecOpsAssetRole.

    from web.all.access
    where requestLength = 1200
    select "8.8.8.8" as testIP // create a fake asset
    select `lu/SecOpsRole/role`(testIP) as AssetRole // Get asset role from SecOpsRole Lookup
    select ifthenelse(isnull(AssetRole), testIP, testIP + "-" + AssetRole) as AssetToCheck
    select `lu/SecOpsGWL`(AssetToCheck) as GWL // Check Asset+Role in SecOpsGWL Lookup

  • Second, an IP that is in the SecOpsGWL lookup but has no role associated in SecOpsAssetRole.

    select "9.9.9.9" as testIPAnother // create another fake asset
    select `lu/SecOpsRole/role`(testIPAnother) as AssetRoleAnother // Get asset role from SecOpsRole Lookup
    select ifthenelse(isnull(AssetRoleAnother), testIPAnother, testIPAnother + "-" + AssetRoleAnother) as AssetToCheckAnother
    select `lu/SecOpsGWL`(AssetToCheckAnother) as GWLAnother // Check Asset+Role in SecOpsGWL Lookup

  • Third and last, an IP that is not in SecOpsGWL and has no role associated in SecOpsAssetRole.

    select "4.4.4.4" as testIPNone // create another fake asset
    select `lu/SecOpsRole/role`(testIPNone) as AssetRoleNone // Get asset role from SecOpsRole Lookup
    select ifthenelse(isnull(AssetRoleNone), testIPNone, testIPNone + "-" + AssetRoleNone) as AssetToCheckNone
    select `lu/SecOpsGWL`(AssetToCheckNone) as GWLNone // Check Asset+Role in SecOpsGWL Lookup
    group every 1h by GWLNone, GWL, GWLAnother

Using these two lookups allows customers to associate a role with an asset, or not. They can use SecOpsGWL as a simple whitelist on its own, or combine it with SecOpsAssetRole to add more context.
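The following Python model of the asset-role composition logic is an added example, not Devo code or query syntax; the two lookup tables are constructed sample data (SecOpsAssetRole as a dict, SecOpsGWL as a set). It reproduces the three cases of the query above and adds a fourth that the query does not show: once an asset has a role, only the "asset-role" key is checked, so a bare-asset entry in the GWL no longer matches it.

```python
from typing import Optional

# Constructed sample data standing in for the two lookups (not real assets).
# SecOpsAssetRole rows: asset -> role string.
SECOPS_ASSET_ROLE = {
    "8.8.8.8": "dns-resolver",   # case 1: has a role
    "10.0.0.5": "web",           # case 4: has a role, but GWL only lists the bare asset
}
# SecOpsGWL keys: either "asset" or "asset-role".
SECOPS_GWL = {
    "8.8.8.8-dns-resolver",      # case 1: whitelisted with its role
    "9.9.9.9",                   # case 2: whitelisted, no role defined
    "10.0.0.5",                  # case 4: bare asset only
}


def asset_role(asset: str, role_lookup: dict) -> Optional[str]:
    """Mirror `lu/SecOpsRole/role`(asset): returns None when no row matches (isnull)."""
    return role_lookup.get(asset)


def asset_to_check(asset: str, role: Optional[str]) -> str:
    """Mirror ifthenelse(isnull(role), asset, asset + "-" + role)."""
    return asset if role is None else f"{asset}-{role}"


def gwl_match(asset: str, role_lookup: dict, gwl: set) -> tuple:
    """Return (key looked up in the GWL, whether the GWL contains it)."""
    key = asset_to_check(asset, asset_role(asset, role_lookup))
    return key, key in gwl


if __name__ == "__main__":
    for ip in ("8.8.8.8", "9.9.9.9", "4.4.4.4", "10.0.0.5"):
        key, hit = gwl_match(ip, SECOPS_ASSET_ROLE, SECOPS_GWL)
        print(f"{ip:10} -> checked {key!r:24} in GWL: {hit}")
```

When a role is later assigned to an asset that was whitelisted by bare address, its GWL entry must be updated to the "asset-role" form or the whitelist match silently stops.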


Devo 360 Applications

You need to install this lookup if you want to work with the Devo 360 for AWS, Devo 360 for CrowdStrike, or Devo 360 for Palo Alto applications.

Discovery Tactic content pack

This lookup is needed for the Discovery Tactic content pack.

Open lookup

Once you have installed the lookup, you can use the Open button at the top right of the card in Exchange to access the Lookup Management area, where you can apply filters to find it and later manage it as required. You can also access the Lookup Management area via the Navigation pane (Data Search area → Lookup Management tab).

Use lookup

After installing the lookup, you can use it in the related applications mentioned above for their specific purposes. Apart from that, you can use it anywhere in the platform to enrich values where applicable. To do this, use the appropriate query syntax to correlate values, as explained in this article.
