
Security Operations lookups


Introduction

There are two types of lookups in SecOps: main lookups and multi-lookups.

  • Main lookups are available only on the domain where the SecOps app is installed. These files are installed by the Devo team and can be viewed and modified by Admin users. The most important lookup is SecOpsAlertDescription, which contains the list of predefined alerts used in SecOps.

  • Multi-lookups are available to all domains, but users cannot modify them. Some of them are SecOps configuration files, and others store security information that comes from MISP services. This information is updated periodically in different ways: some lookups are static (for example CheckBackdoorConnection), some are updated weekly (for example SuspiciousFileExtension) and others are updated daily (for example, Farsight feeds).

Devo SecOps provides customers with a set of predefined security alerts designed by experts, which are one of the basic building blocks of the application. Users can tune these alerts to suit their needs, or create new custom alerts and include them in the SecOps application.

The SecOpsAlertDescription lookup contains all the alerts and their definitions used by the Security Operations application. Learn how to install it in this article.

SecOps Lookups in Exchange

Lookups can be valuable for SecOps to enrich security data with threat-related information, which may be vital to ultimately prevent any harm. To save time and optimize your workflow, you have at your disposal a set of predefined lookups designed for SecOps and published in Devo Exchange:


Enrichment

Security Operations ships with additional enrichments. Both static lookups (the ones that ship with SecOps) and dynamic lookups (the ones you create with LINQ queries) can be used.

Some of these lookups are created inside the multilookups domain, which is controlled by the SecOps team. They can be used in queries from customer domains, but because they are not specific to any customer domain they do not appear in the domain's lookup list.

# | Name | Description | Source | Fields
--|------|-------------|--------|-------
1 | blackkingdom | Black KingDom is a ransomware variant that targets on-premises Exchange servers that are not updated and are exposed to the ProxyLogon vulnerabilities. | Devo Cybersecurity Team | ip, delivery, orchestrated
2 | DynamicDNS | Created using public domain information. | This list has moved to the repo https://github.com/neu5ron/dynamic_dns_lists | domain (str), provider (str)
3 | HTTPMethods | List of all HTTP methods described in the protocol. Created and maintained by the Devo Cyber Threats Team. | Devo Cybersecurity Team | knownMethod (str), known (str)
4 | isPHPWebshell | List of webshell files used. | Devo Cybersecurity Team | isPHPWebshell (str), webshell (str)
5 | log4shell | List of IPs exposed to the Log4Shell vulnerability. | Devo Cybersecurity Team | domain, indicator_type
6 | MacAddressAge | Created using public domain information. | https://raw.githubusercontent.com/hdm/mac-ages/master/data/mac-ages.csv | macPrefix (str), date (str)
7 | MacAddressVendor | Created based on data from the Wireshark project. | https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf;hb=HEAD | macPrefix (str), vendorName (str)
8 | mispIndicator | Daily updated lookup created from the Devo MISP instance, https://misp.devo.com/ | Devo Cybersecurity Team | indicator, distribution, type, object_id, to_ids, disable_correlation, deleted, event_id, sharing_group_id, comment, category, timestamp (all str)
9 | MozillaTLDList | Curated list of all top-level domains supported by the Mozilla project. | https://publicsuffix.org/list/effective_tld_names.dat | tld (str), status (str)
10 | msfhafnium0day | | |
11 | OpenRankTop10M | Open Rank top domains list. | https://www.domcop.com/files/top/top10milliondomains.csv.zip | domain (str), position (str), openrank (str)
12 | revilKaseya | | |
13 | SecOpsCountriesLocation | | |
14 | SecOpsIanaAssignedPorts | | |
15 | SecOpsPortAssignment | | |
16 | sunburst | | |
17 | sunburstHash | | |
18 | sunburstIP | | |
19 | sunburstProc | | |
20 | SuspiciousTLD | Most common top-level domains related to threats. | The Spamhaus Project - The Top 10 Most Abused TLDs | tld (str), TLDType (str)
21 | SuspiciousWebPath | | |
22 | TrancoTop1M | | |
23 | UmbrellaTop1M | Most-seen domains in Cisco Umbrella. | http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip | domain (str), position (str)
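The enrichment described above, as an added example that is not Devo code: constructed DNS query events are joined against small constructed samples of the SuspiciousTLD (tld, TLDType), DynamicDNS (domain, provider) and MozillaTLDList (tld) lookups. The public-suffix split, the sample lookup contents and the assumption that SuspiciousTLD is keyed on the last label are all this example's own.

```python
# Constructed sample of the SuspiciousTLD lookup (fields: tld, TLDType).
SUSPICIOUS_TLD = {"zip": "abused", "top": "abused", "xyz": "abused"}

# Constructed sample of the DynamicDNS lookup (fields: domain, provider).
DYNAMIC_DNS = {"duckdns.org": "Duck DNS", "no-ip.org": "No-IP"}

# Constructed public-suffix entries in the style of MozillaTLDList (field: tld),
# so that multi-label suffixes such as "co.uk" are handled, not only the last label.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "zip", "top", "xyz"}


def split_domain(fqdn):
    """Return (registrable_domain, public_suffix) using the longest matching suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # A bare suffix (e.g. "com") has no registrable domain in front of it.
            registrable = ".".join(labels[i - 1:]) if i > 0 else None
            return registrable, suffix
    # No known suffix: fall back to the last two labels, as a query would likely do.
    return (".".join(labels[-2:]) if len(labels) >= 2 else None), labels[-1]


def enrich(event):
    """Add lookup-derived fields to one event; missing lookup hits become None."""
    registrable, suffix = split_domain(event["query"])
    tld = suffix.rsplit(".", 1)[-1]  # assumption: SuspiciousTLD is keyed on the last label
    return {
        **event,
        "registrable_domain": registrable,
        "tld": tld,
        "TLDType": SUSPICIOUS_TLD.get(tld),
        "ddns_provider": DYNAMIC_DNS.get(registrable),
    }


def find_suspicious(events):
    """Return the enriched events that hit either lookup, like an alert query would."""
    return [e for e in map(enrich, events) if e["TLDType"] or e["ddns_provider"]]


# Constructed DNS query events (hypothetical internal hosts and names).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "query": "www.example.com"},
    {"src_ip": "10.0.0.5", "query": "files.payroll-update.zip"},
    {"src_ip": "10.0.0.9", "query": "beacon.duckdns.org"},
    {"src_ip": "10.0.0.9", "query": "shop.co.uk"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```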