Document toolboxDocument toolbox

Custom SecOps detections

Owned by Sarah Bigault (Deactivated)
Last updated: Nov 28, 2023
2 min read

SecOps includes a series of native enrichments, which help detect anomalies in the customers’ network activity data. These enrichments are managed as a service and updated automatically.

In addition, customers can add their own alerts, contexts, and other enrichments to their domain. The organization will add these as it matures its knowledge of the product and of its own system.

We will explain in the following sections how new alerts can be added aside from existing standard Security Operations alerts.

Each alert is based on a query that is run continuously over the data stream. When an alert is triggered, it generates a record in the siem.logtrust.alerts.info Devo table.

This table is a read-only table. Devo SecOps then enriches the alerts, adding information based on the ‘ExtraData’ field at the end of the alert record.

There are some requirements that we have to follow to create compatible alerts:

SecOps will parse this data, based on the kinds of information values SecOps expects, and create all the new data which makes up the application.

Field name

Data type

Value description

Field name

Data type

Value description

SecOps Prefix mandatory

string

Devo SecOps alerts start with “SecOps…

alertPrioritymandatory

integer

Priority value, between 1-5:

  • 1-Info

  • 5-Critical

alertTypemandatory

string

One of the following:

  • analytics

  • detections

  • observation

  • model

Entities (at least one)mandatory

string

 

SecOps Subcategory

string

 

alertMitreTechniques

string

Obtained from https://attack.mitre.org/techniques/

alertMitreTactics

string

Obtained from https://attack.mitre.org/tactics/

Enrichments

string

 

Field name

Data type

Value description

Field name

Data type

Value description

country

string

Country of the hostname host field.

city

string

City of the hostname host field.

state

string

State of the key field hostname.

lon

string

Longitude of the key field hostname.Lat and long are of type float8

lat

string

Latitude of the key field hostname.

 

Field name

Data type

Value description

Field name

Data type

Value description

Class mandatory

string

Class based on the classes defined below.

Categorymandatory

string

Category based on the categories defined below.

alertTypemandatory

string

system or user.

SecOpsAssetRole follows the terminology used by the SecOps app to populate the Entity Graph with known definitions of class (role) and category (entity type).

In order to avoid some events from some assets, customers can add whitelisting checks on alerts just adding an extra check based on data from a Lookup.

SecOpsGWL has to be filled to start filtering events on alerts.

Field name

Data type

Value description

Field name

Data type

Value description

reason

string

The reason why you want to white list.

description

string

Detailed reason.

See the following article(s) for a step-by-step guide on how to create an alert: