
Alert whitelisting

Overview

Alert whitelisting lets customers attach Devo's standard out-of-the-box whitelisting capability to the alerts that are created as part of a behavior alert definition configuration.

The whitelist is the combination of the SecOpsAssetRole and SecOpsGWL lookups, both available from the Devo Exchange (see the links below). The behavior alert definition and the underlying model use these lookups to identify the entities involved in a detection and check whether they are on the whitelist. If an entity is on the whitelist, the alert does not fire for that entity.

SecOpsAssetRole: https://us.devo.com/#/exchange/51

SecOpsGWL: https://us.devo.com/#/exchange/49

Alert whitelisting helps SOCs manage the volume of behavior alerts they receive for known entities, or for behaviors they expect from specific entities in their environment.

How does it work?

To enable alert whitelisting, go to the Content Manager and select Configure & Start on an already deployed model. There you will find the option Apply Whitelisting?. If the option is checked, the whitelisting syntax is added to the alert query; otherwise the alert is left unchanged.

If the lookups mentioned above do not exist in the domain, the alert configuration section displays a warning message.


The whitelisting syntax added to the alert query of the Abnormal Login behavior model is shown below. Each entity in the detection (here the source account and the source IP) is checked separately, and the alert only fires if none of the entities is on the whitelist.

select `lu/SecOpsAssetRole/class`(entity_sourceAccount) as entity_sourceAccount_AssetRole // Get asset role from SecOpsAssetRole Lookup
// Start Filtering Section
select ifthenelse(isnull(entity_sourceAccount_AssetRole), entity_sourceAccount, entity_sourceAccount + "-" + entity_sourceAccount_AssetRole) as entity_sourceAccount_AssetToCheck
select `lu/SecOpsGWL`(entity_sourceAccount_AssetToCheck) as entity_sourceAccount_GWL // Check Asset+Role in SecOpsGWL Lookup
where isnull(entity_sourceAccount_GWL)
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as entity_sourceIP_AssetRole // Get asset role from SecOpsAssetRole Lookup
// Start Filtering Section
select ifthenelse(isnull(entity_sourceIP_AssetRole), entity_sourceIP, entity_sourceIP + "-" + entity_sourceIP_AssetRole) as entity_sourceIP_AssetToCheck
select `lu/SecOpsGWL`(entity_sourceIP_AssetToCheck) as entity_sourceIP_GWL // Check Asset+Role in SecOpsGWL Lookup
where isnull(entity_sourceIP_GWL)
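To make the filtering logic above concrete, the following Python script is an added example that simulates the two lookups and the whitelisting filter outside Devo; it is not part of the Devo product or of this page's original content. The lookup contents, the detection rows and the entity values are all constructed for illustration. It reproduces the query's behaviour step by step: resolve the entity's role from SecOpsAssetRole, build the key as entity-role (or the bare entity when no role is known), look that key up in SecOpsGWL, and drop the detection if any of its entities resolves to a non-null whitelist entry.

```python
from typing import Dict, List, Optional, Sequence

# Constructed stand-in for the SecOpsAssetRole lookup: entity -> "class" column (its asset role).
SECOPS_ASSET_ROLE: Dict[str, str] = {
    "svc_backup": "service",
    "10.0.0.5": "vulnscanner",
    "alice": "user",
    "bob": "user",
}

# Constructed stand-in for the SecOpsGWL lookup. Keys are "<entity>-<role>", or the bare entity
# when the entity has no role in SecOpsAssetRole. Any non-null value counts as whitelisted.
SECOPS_GWL: Dict[str, str] = {
    "svc_backup-service": "approved backup account",
    "10.0.0.5-vulnscanner": "authorised vulnerability scanner",
    "203.0.113.9": "partner NAT egress, no role assigned",
    "bob": "stale entry keyed without role",  # will NOT match: bob has a role, so the key is bob-user
}


def lookup_asset_role(entity: str) -> Optional[str]:
    """Equivalent of `lu/SecOpsAssetRole/class`(entity): None when the entity is unknown."""
    return SECOPS_ASSET_ROLE.get(entity)


def asset_to_check(entity: str, role: Optional[str]) -> str:
    """Equivalent of ifthenelse(isnull(role), entity, entity + "-" + role)."""
    return entity if role is None else f"{entity}-{role}"


def is_whitelisted(entity: str) -> bool:
    """True when `lu/SecOpsGWL`(asset_to_check) would return a non-null value."""
    key = asset_to_check(entity, lookup_asset_role(entity))
    return SECOPS_GWL.get(key) is not None


def apply_whitelisting(
    detections: Sequence[Dict[str, Optional[str]]],
    entity_fields: Sequence[str] = ("entity_sourceAccount", "entity_sourceIP"),
) -> List[Dict[str, Optional[str]]]:
    """Keep a detection only if every checked entity fails the whitelist lookup.

    Each `where isnull(<entity>_GWL)` in the query is a successive filter, so the
    conditions combine as a conjunction: one whitelisted entity suppresses the alert.
    A null entity field yields a null lookup result in the query, so it never suppresses.
    """
    kept = []
    for det in detections:
        suppressed = any(
            is_whitelisted(det[field]) for field in entity_fields if det.get(field) is not None
        )
        if not suppressed:
            kept.append(det)
    return kept


# Constructed sample detections as the Abnormal Login model might emit them.
SAMPLE_DETECTIONS: List[Dict[str, Optional[str]]] = [
    {"entity_sourceAccount": "svc_backup", "entity_sourceIP": "192.0.2.10"},  # account whitelisted
    {"entity_sourceAccount": "alice", "entity_sourceIP": "10.0.0.5"},        # IP whitelisted
    {"entity_sourceAccount": "alice", "entity_sourceIP": "192.0.2.10"},      # fires
    {"entity_sourceAccount": "bob", "entity_sourceIP": "203.0.113.9"},       # role-less IP whitelisted
    {"entity_sourceAccount": "bob", "entity_sourceIP": "192.0.2.10"},        # fires: GWL key "bob" != "bob-user"
]


def firing_accounts() -> List[str]:
    """Source accounts of the detections that survive the whitelist filter."""
    return [d["entity_sourceAccount"] for d in apply_whitelisting(SAMPLE_DETECTIONS)]


if __name__ == "__main__":
    for det in apply_whitelisting(SAMPLE_DETECTIONS):
        print("ALERT:", det)
```

The last sample row is the caveat worth remembering when maintaining these lookups: because the query builds the SecOpsGWL key from the entity and its role whenever a role exists, a whitelist entry keyed by the bare entity name only matches entities that have no row in SecOpsAssetRole.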
