
Risk-based alerting

Overview

Risk-based alerting introduces a new “type” of alert in the Devo Behavior Analytics application: it sets thresholds on the risk events of specific entities within an organization and fires when those thresholds are crossed. Risk-based alerts are configured and managed in the Content Manager of the Devo Behavior Analytics application.

[Image: 5_Risk-based alerting.png]

Within the Content Manager, a user can navigate to the Risk-based alerts section and view all of the risk-based alerts created through the application so far. The user can also create new risk-based alerts from the Content Manager.

Risk-based alerts can also be created from Data Search by defining alerts on the entity.behavior.risk.events table. Such alerts will not appear within the application unless they follow the same naming convention. The application provides a quick and easy way to create and manage these alerts in one place.

[Image: 10_Risk-based alerting.png]

Risk-based alerts created within the application are also included in the alert trend graph of the entity dashboard. The trend graph lets users view the 30-day trend of risk-based alerts within their organization. The Recent risky entities panel on the main dashboard is also replaced with Risk-based alerts in the last 24 hours.

Creating risk-based alerts

To create a risk-based alert, click the New button at the top right. You can then enter the desired parameters in the window that pops up. All available parameters are listed below.

Parameters

  • Alert Name → name of the alert for the Alert API.

  • Applies to → users, devices, or domains.

  • Alert Type → the criteria that configure the alert.

    • Threshold → the alert triggers when an entity’s risk score exceeds a given threshold.

      • Risk Threshold → use the slider to choose a threshold from 0 to 100.

    • Rate of Change → the alert triggers when an entity’s risk score changes by more than a given amount.

      • Risk Score Change → enter the change amount that must be observed to trigger the alert.

      • Evaluation Period (in hours) → enter the length of the monitoring period.

  • Alert priority → use the dropdown to choose a priority level.

  • Advanced (optional):

    • Maximum number of unique alerts → unique_alerts_threshold

    • Maximum number of unique tactics → unique_tactics_threshold

    • Maximum number of unique techniques → unique_techniques_threshold

Use cases

Each risk-based alert use case is described below, along with the corresponding parameters that you can enter and the alert template.

The two use cases are:

  • Entity’s risk score exceeds a fixed threshold

  • Entity’s risk score changes more than a specified amount

Entity’s risk score exceeds a fixed threshold

Parameters

  • Alert name → enter one as desired

  • Applies to → select one as desired

  • Threshold → the default value is 75

  • Alert priority → select one as desired

  • Advanced (optional)

Alert Template

from entity.behavior.risk.events
  where has(entity_type, [Entity_Type Adjusted by User])
  where entity_risk > [Risk Threshold Entered By User]
  group every [Evaluation Period Entered by User]m by entity, entity_type, entity_risk, total_risk, global_risk, related
  where max(unique_tactics) > [unique_tactics_threshold - Threshold entered by user]
  where max(unique_techniques) > [unique_techniques_threshold - Threshold entered by user]
  where max(unique_alerts) > [unique_alerts_threshold - Threshold entered by user]

Optional:

  • Unique Risk check

  • Unique MITRE Tactics

  • Unique MITRE Techniques

Entity’s risk score changes more than a specified amount

Parameters

  • Alert name → enter one as desired

  • Applies to → select one as desired

  • Risk score change → the default value is 10

  • Evaluation Period (every X hours) → the default value is 2 hours

  • Alert priority → select one as desired

  • Advanced (optional)

Alert Template

from entity.behavior.risk.events
  where in (entity_type, [Entity Type Adjusted by User])
  where entity_risk > [Risk Threshold Entered By User]
  group every [User selected time range] by entity, entity_type
  select first(total_risk) as first_risk_score
  select last(total_risk) as last_risk_score
  select last_risk_score - first_risk_score as risk_rate_of_change

// TUNE (optional filters appended to the template):

  • where risk_rate_of_change != 0

  • where risk_rate_of_change > [Rate of Change Entered by User]

  • where max(unique_tactics) > [Threshold entered by user]

  • where max(unique_techniques) > [Threshold entered by user]

  • where max(unique_alerts) > [Threshold entered by user]

Optional:

  • Unique Risk check

  • Unique MITRE Tactics

  • Unique MITRE Techniques
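As an added illustration (not part of Devo's documentation or product code), the following Python simulates what the two templates above compute over a handful of constructed entity.behavior.risk.events rows: bucketing by evaluation period, the entity_risk threshold check, the last(total_risk) - first(total_risk) rate of change, and the optional unique_* thresholds. Field names follow the templates; the UTC bucketing, the function names and all sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

FIELDS = ("ts", "entity", "entity_type", "entity_risk", "total_risk",
          "unique_tactics", "unique_techniques", "unique_alerts")
EVENTS = [dict(zip(FIELDS, row)) for row in [  # constructed sample, not real Devo data
    ("2024-05-01T00:10:00", "alice", "user", 40, 40, 1, 1, 1),
    ("2024-05-01T01:30:00", "alice", "user", 80, 82, 2, 3, 4),
    ("2024-05-01T00:20:00", "bob", "user", 20, 20, 1, 1, 1),
    ("2024-05-01T01:40:00", "bob", "user", 25, 25, 1, 1, 2),
    ("2024-05-01T00:15:00", "srv01", "device", 90, 95, 3, 4, 6),
]]

def group_by_period(events, entity_types, hours):
    """Mirror 'where has(entity_type, ...) group every Nh by entity, entity_type'."""
    buckets = defaultdict(list)
    for e in events:
        if e["entity_type"] not in entity_types:
            continue
        t = datetime.fromisoformat(e["ts"]).replace(tzinfo=timezone.utc).timestamp()
        buckets[(e["entity"], e["entity_type"], int(t // (hours * 3600)))].append(e)
    return buckets

def passes_advanced(rows, unique_tactics_threshold=None,
                    unique_techniques_threshold=None, unique_alerts_threshold=None):
    """Advanced (optional) filters: max(unique_*) in the period must exceed its threshold."""
    checks = (("unique_tactics", unique_tactics_threshold),
              ("unique_techniques", unique_techniques_threshold),
              ("unique_alerts", unique_alerts_threshold))
    return all(t is None or max(r[f] for r in rows) > t for f, t in checks)

def threshold_alerts(events, entity_types, risk_threshold=75, hours=1, **advanced):
    """Use case 1: fire when an entity's entity_risk in a period exceeds the threshold."""
    hits = []
    for (entity, _, _), rows in group_by_period(events, entity_types, hours).items():
        peak = max(r["entity_risk"] for r in rows)
        if peak > risk_threshold and passes_advanced(rows, **advanced):
            hits.append((entity, peak))
    return hits

def rate_of_change_alerts(events, entity_types, change=10, hours=2, **advanced):
    """Use case 2: last(total_risk) - first(total_risk) per period must exceed 'change'."""
    hits = []
    for (entity, _, _), rows in group_by_period(events, entity_types, hours).items():
        rows = sorted(rows, key=lambda r: r["ts"])  # first()/last() need time order
        roc = rows[-1]["total_risk"] - rows[0]["total_risk"]
        if roc != 0 and roc > change and passes_advanced(rows, **advanced):  # TUNE filters
            hits.append((entity, roc))
    return hits
```

With the sample rows, the threshold alert fires for alice (80 > 75) and, if devices are included, for srv01, while the rate-of-change alert fires only for alice (82 - 40 = 42 > 10).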