Alert whitelisting
Overview
Alert whitelisting lets you attach Devo's standard out-of-the-box whitelisting to the alerts that are created from a behavior alert definition.
The whitelist is the combination of the SecOpsAssetRole and SecOpsGWL lookups, both available from the Devo Exchange (see the links below). The alert query uses these lookups, together with the behavior alert definition and the underlying model, to identify the entities involved in a detection and to check whether each one is whitelisted. If an entity is in the whitelist, the alert does not fire for that entity.
SecOpsAssetRole: https://us.devo.com/#/exchange/51
SecOpsGWL: https://us.devo.com/#/exchange/49
Alert whitelisting helps SOCs manage the volume of behavior alerts raised for known entities, or for behaviors that are expected from specific entities in their environment.
How does it work?
To enable alert whitelisting, open the Content Manager and choose Configure & Start on an already deployed model. The configuration includes the option Apply Whitelisting?. If it is checked, the whitelisting syntax is appended to the alert query; if it is not, the alert is left unchanged.
If the lookups mentioned above do not exist in the domain, the alert configuration section displays a warning message, as shown below:
The whitelisting syntax added to an alert is shown below for the Abnormal Login behavior model. For each entity the block first fetches the entity's role from SecOpsAssetRole, builds the key to check (the bare entity when it has no role, otherwise entity-role), looks that key up in SecOpsGWL and keeps the row only when nothing is found. Note two consequences of this logic: an entity that has a role is only matched against its entity-role key, so a bare entity entry in SecOpsGWL does not suppress alerts for it while a role is assigned; and the where clauses for the different entities are combined, so the alert is suppressed if any one of the entities in the detection is whitelisted.
select `lu/SecOpsAssetRole/class`(entity_sourceAccount) as entity_sourceAccount_AssetRole // Get asset role from the SecOpsAssetRole lookup
// Start Filtering Section
select ifthenelse(isnull(entity_sourceAccount_AssetRole),entity_sourceAccount,entity_sourceAccount+"-"+entity_sourceAccount_AssetRole) as entity_sourceAccount_AssetToCheck // Bare asset if no role, otherwise Asset-Role
select `lu/SecOpsGWL`(entity_sourceAccount_AssetToCheck) as entity_sourceAccount_GWL // Check Asset or Asset-Role in the SecOpsGWL lookup
where isnull(entity_sourceAccount_GWL) // Keep the row only when the key is not whitelisted
select `lu/SecOpsAssetRole/class`(entity_sourceIP) as entity_sourceIP_AssetRole // Get asset role from the SecOpsAssetRole lookup
// Start Filtering Section
select ifthenelse(isnull(entity_sourceIP_AssetRole),entity_sourceIP,entity_sourceIP+"-"+entity_sourceIP_AssetRole) as entity_sourceIP_AssetToCheck // Bare asset if no role, otherwise Asset-Role
select `lu/SecOpsGWL`(entity_sourceIP_AssetToCheck) as entity_sourceIP_GWL // Check Asset or Asset-Role in the SecOpsGWL lookup
where isnull(entity_sourceIP_GWL) // Keep the row only when the key is not whitelisted
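The following Python re-implements the filter above offline so its behavior can be checked before enabling it on a model. It is an added example, not Devo code: the two dictionaries stand in for the SecOpsAssetRole and SecOpsGWL lookups and their contents are constructed sample data, as are the detection rows. It reproduces the Asset or Asset-Role key construction, the SecOpsGWL check and the combined where clauses, including the case where a bare entity is whitelisted but the entity has a role assigned.

```python
"""Offline model of the Devo alert whitelisting filter (added example, not Devo code).

SECOPS_ASSET_ROLE and SECOPS_GWL are constructed stand-ins for the
SecOpsAssetRole and SecOpsGWL lookups; the detections are constructed too.
"""
from typing import Optional

# Stand-in for SecOpsAssetRole: entity -> class (role). Constructed data.
SECOPS_ASSET_ROLE: dict[str, str] = {
    "svc_backup": "service",
    "10.0.0.5": "scanner",
    "jdoe": "admin",
}

# Stand-in for SecOpsGWL: the set of whitelisted keys. Constructed data.
# A key is either a bare entity or "<entity>-<role>".
SECOPS_GWL: set[str] = {
    "svc_backup-service",  # whitelisted only while acting in the service role
    "10.0.0.5-scanner",
    "jdoe",                # bare entry: never matched while jdoe has a role
    "203.0.113.9",         # IP with no role entry: bare key is what gets checked
}


def asset_to_check(entity: Optional[str]) -> Optional[str]:
    """Mirror of the ifthenelse() step: bare entity, or entity-role when a role exists."""
    if entity is None:
        return None
    role = SECOPS_ASSET_ROLE.get(entity)
    return entity if role is None else f"{entity}-{role}"


def is_whitelisted(entity: Optional[str]) -> bool:
    """Mirror of `lu/SecOpsGWL`(key) followed by the where isnull(...) clause.

    A null entity yields a null lookup result, so the row is kept (not whitelisted).
    """
    key = asset_to_check(entity)
    return key is not None and key in SECOPS_GWL


def alert_fires(entity_source_account: Optional[str],
                entity_source_ip: Optional[str]) -> bool:
    """Both where clauses must pass: any whitelisted entity suppresses the alert."""
    return (not is_whitelisted(entity_source_account)
            and not is_whitelisted(entity_source_ip))


def apply_whitelist(detections: list[dict]) -> list[dict]:
    """Return only the detections that would still raise an alert."""
    return [d for d in detections
            if alert_fires(d.get("entity_sourceAccount"), d.get("entity_sourceIP"))]


# Constructed detection rows as the model would emit them before filtering.
SAMPLE_DETECTIONS = [
    {"entity_sourceAccount": "svc_backup", "entity_sourceIP": "198.51.100.1"},  # suppressed
    {"entity_sourceAccount": "jdoe",       "entity_sourceIP": "198.51.100.1"},  # fires
    {"entity_sourceAccount": "alice",      "entity_sourceIP": "10.0.0.5"},      # suppressed
    {"entity_sourceAccount": "alice",      "entity_sourceIP": "203.0.113.9"},   # suppressed
    {"entity_sourceAccount": "bob",        "entity_sourceIP": "198.51.100.1"},  # fires
    {"entity_sourceAccount": None,         "entity_sourceIP": "198.51.100.1"},  # fires
]

if __name__ == "__main__":
    for row in apply_whitelist(SAMPLE_DETECTIONS):
        print("ALERT:", row)
```

The jdoe row is the case to watch for when populating SecOpsGWL: because jdoe has the role admin in SecOpsAssetRole, the key checked is jdoe-admin, and the bare jdoe entry does not suppress the alert. To whitelist an entity that has a role, add the entity-role key.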