Alert whitelisting

Overview

Alert whitelisting lets customers attach Devo's standard out-of-the-box whitelisting capabilities to the alerts that are created as part of a behavior alert definition configuration.

The whitelist is the combination of the SecOpsAssetRole and SecOpsGWL lookups available from the Devo Exchange (see the links below). These lookups are used together with the behavior alert definition and the underlying model to identify the entities involved in a detection and to check whether they are on the whitelist. If an entity is on the whitelist, the alert does not fire for that entity.

SecOpsAssetRole: https://us.devo.com/#/exchange/51

SecOpsGWL: https://us.devo.com/#/exchange/49

Alert whitelisting helps SOCs manage the volume of behavior alerts they receive for known entities, or for behaviors they expect from specific entities in their environment.

How does it work?

To enable alert whitelisting, go to the Content Manager and choose Configure & Start on an already deployed model. There you will find the option Apply Whitelisting?. If the option is checked, the whitelisting syntax is added to the alert; otherwise the alert is left unchanged.

If the lookups mentioned above do not exist in the domain, the alert configuration section displays a warning message, as shown below:

[Image 10_alertwhitelisting.png: warning shown in the alert configuration section when the SecOpsAssetRole and SecOpsGWL lookups are missing]

The whitelisting syntax added to an alert is shown below for the Abnormal Login behavior model. For each entity, the asset role is looked up, the entity is combined with its role (or used on its own when it has no role), and the result is checked against SecOpsGWL; the alert only continues for entities that have no match.

select `lu/SecOpsAssetRole/class`(entity_sourceAccount) as entity_sourceAccount_AssetRole // Get asset role from SecOpsRole Lookup
// Start Filtering Section
select ifthenelse(isnull(entity_sourceAccount_AssetRole),entity_sourceAccount,entity_sourceAccount+"-"+entity_sourceAccount_AssetRole) as entity_sourceAccount_AssetToCheck
select `lu/SecOpsGWL`(entity_sourceAccount_AssetToCheck) as entity_sourceAccount_GWL // Check Asset+Role in SecOpsGWL Lookup
where isnull(entity_sourceAccount_GWL)

select `lu/SecOpsAssetRole/class`(entity_sourceIP) as entity_sourceIP_AssetRole // Get asset role from SecOpsRole Lookup
// Start Filtering Section
select ifthenelse(isnull(entity_sourceIP_AssetRole),entity_sourceIP,entity_sourceIP+"-"+entity_sourceIP_AssetRole) as entity_sourceIP_AssetToCheck
select `lu/SecOpsGWL`(entity_sourceIP_AssetToCheck) as entity_sourceIP_GWL // Check Asset+Role in SecOpsGWL Lookup
where isnull(entity_sourceIP_GWL)
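As an added example (not Devo's own code), the Python below models the lookup chain of the query above over constructed SecOpsAssetRole and SecOpsGWL contents. It also covers the case the query implies but does not spell out: an entity that has an asset role is checked under its Asset+Role key, so a bare entity entry in SecOpsGWL never matches it. The lookup contents and sample detections are assumptions; the two entity fields are the ones in the query.

```python
from typing import Dict, Optional

# Constructed stand-in for the SecOpsAssetRole lookup: entity -> "class" column.
SECOPS_ASSET_ROLE: Dict[str, str] = {
    "svc_backup": "service",
    "10.0.0.5": "scanner",
    "10.0.0.7": "scanner",
}

# Constructed stand-in for the SecOpsGWL lookup. The query only tests the
# returned value with isnull(), so any non-null value counts as a hit.
SECOPS_GWL: Dict[str, str] = {
    "svc_backup-service": "nightly backup job",
    "10.0.0.5-scanner": "authorised vulnerability scanner",
    "jsmith": "analyst test account",  # entity with no asset role
    "10.0.0.7": "bare entry: 10.0.0.7 has a role, so this key is never checked",
}


def asset_to_check(entity: str) -> str:
    """Mirror ifthenelse(isnull(role), entity, entity + "-" + role)."""
    role: Optional[str] = SECOPS_ASSET_ROLE.get(entity)
    return entity if role is None else f"{entity}-{role}"


def is_whitelisted(entity: str) -> bool:
    """A non-null SecOpsGWL hit on the Asset+Role key suppresses this entity."""
    return SECOPS_GWL.get(asset_to_check(entity)) is not None


def alert_fires(event: Dict[str, str],
                entity_fields=("entity_sourceAccount", "entity_sourceIP")) -> bool:
    """Each `where isnull(<entity>_GWL)` clause must pass, so a whitelist hit
    on any checked entity drops the whole detection."""
    return not any(is_whitelisted(event[field]) for field in entity_fields)


if __name__ == "__main__":
    # Constructed sample detections from an Abnormal Login model.
    sample = [
        {"entity_sourceAccount": "svc_backup", "entity_sourceIP": "198.51.100.4"},
        {"entity_sourceAccount": "jsmith", "entity_sourceIP": "198.51.100.4"},
        {"entity_sourceAccount": "unknown_user", "entity_sourceIP": "10.0.0.7"},
        {"entity_sourceAccount": "unknown_user", "entity_sourceIP": "10.0.0.5"},
    ]
    for ev in sample:
        state = "fires" if alert_fires(ev) else "suppressed"
        print(ev["entity_sourceAccount"], ev["entity_sourceIP"], "->", state)
```

The 10.0.0.7 case is the one to check when a whitelist entry appears not to work: once an asset has a row in SecOpsAssetRole, its SecOpsGWL entry must use the entity-role form.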
