Security Operations lookups
Introduction
There are two types of lookups in SecOps: main lookups and multi-lookups.
Main lookups are available only on the domain where the SecOps app is installed. These files are installed by the Devo team and can be viewed and modified by Admin users. The most important lookup is SecOpsAlertDescription, which contains the list of predefined alerts used in SecOps.
Multi-lookups are available to all domains, but users cannot modify them. Some of them are SecOps configuration files, and others store security information that comes from MISP services. This information is periodically updated in different ways: some lookups are static (for example CheckBackdoorConnection), some are updated weekly (for example SuspiciousFileExtension) and others are updated daily (for example Farsight feeds).
Devo SecOps provides customers with a set of predefined security alerts designed by experts, which are one of the basic aspects of the application. Users can tune these alerts according to their needs, or create new custom alerts and include them in the SecOps application.
The SecOps Alert description Lookup contains all the alerts and their definitions considered by the Security Operations application. Learn how to install it in this article.
SecOps Lookups in Exchange
Lookups can be valuable for SecOps to enrich security data with threat-related information, which may be vital to ultimately prevent any harm. To save time and optimize your workflow, you have at your disposal a set of predefined lookups designed for SecOps and published in Devo Exchange:
Enrichment
Security Operations comes with additional enrichments. Both static and dynamic lookups can be used, whether they ship with SecOps or are created as dynamic lookups via LINQ.
Some of these lookups are created inside the multilookups domain (controlled by the SecOps team). They can be used inside queries from customer domains, but they are not specific to the customer domain and are therefore not visible in the domain's lookup list.
| # | Name | Description | Source | Fields |
|---|---|---|---|---|
| 1 | | Black KingDom is a ransomware variant which targets on-premises Exchange servers that are not updated and are exposed to ProxyLogon vulnerabilities. | Devo Cybersecurity Team | |
| 2 | | Created using public domain information. | This list has moved to the repo https://github.com/neu5ron/dynamic_dns_lists | |
| 3 | | List of all HTTP methods described in the protocol. Created and maintained by Devo Cyber Threats Team. | Devo Cybersecurity Team | |
| 4 | | List of webshell files used. | Devo Cybersecurity Team | |
| 5 | | List of IPs exposed to the Log4Shell vulnerability. | Devo Cybersecurity Team | |
| 6 | | Created using public domain information. | https://raw.githubusercontent.com/hdm/mac-ages/master/data/mac-ages.csv | |
| 7 | | Created based on data from the Wireshark project. | https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf;hb=HEAD | |
| 8 | | Daily updated lookup created from the Devo MISP instance (https://misp.devo.com/). | Devo Cybersecurity Team | |
| 9 | | Curated list of all top-level domains supported by the Mozilla project. | | |
| 10 | | | | |
| 11 | | Open Rank top domains list. | https://www.domcop.com/files/top/top10milliondomains.csv.zip | |
| 12 | | | | |
| 13 | | | | |
| 14 | | | | |
| 15 | | | | |
| 16 | | | | |
| 17 | | | | |
| 18 | | | | |
| 19 | | | | |
| 20 | | Most common top-level domains related to threats. | | |
| 21 | | | | |
| 22 | | | | |
| 23 | | Most-seen domains in Cisco Umbrella. | http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip | |