
Devo Behavior Analytics 1.9.0

RELEASE DATE: APRIL 9, 2024

Devo Behavior Analytics v1.9 introduces a new and improved use case configuration section of the application. The configuration flow now includes a whitelist step, in which the user enters the Users, Devices, and Domains that should be filtered out of a use case's results. Entries can be usernames, domains, hostnames, IP addresses, ranges of IP addresses, and CIDR blocks. Once the user clicks Enable, these entities are filtered from the use case output from that point onwards (results generated before that point are not affected).

The whitelist can also be updated without changing anything else about the use case's configuration by returning to the Configure screen shown below and adding more values. Users can also upload a CSV into the UI and map it into the whitelist (see the second image below).

Whitelisting is critically important for behavior analytics models: it removes well-known or noisy entities from the detection so that the true threat, which shows up as a change in behavior, is not buried in expected activity. Because whitelisted entities are dropped from the use case output entirely, every entry is also a blind spot: a compromised account, host, or domain on the list will not be flagged by that use case. Keep entries as narrow as possible (a single host or the smallest CIDR block that fits rather than a broad range) and review the list periodically.

The new Whitelist section of the Behavior Analytics application  

Name: Users
Description: Displays all of the users currently whitelisted for the use case. Users can also be entered manually in the text box or uploaded via CSV. User entries are exact string matches: an entry must equal the user value in the event exactly, so "David Dark", "david.dark@devo.com", and "Ddark" are three separate entries and none of them matches the others.

Example users:

  • David Dark

  • david.dark@devo.com

  • Ddark

Name: Devices
Description: Displays all of the devices currently whitelisted for the use case. Devices can also be entered manually in the text box or uploaded via CSV. A device entry can be a hostname, an IP address, a range of IP addresses, or a CIDR block.

Example hostname:

  • MacBookPro_0002

Example IP address entry:

  • 174.1.54.54

Example IP address range:

  • 173.1.54.100-173.1.54.130

Example CIDR block:

  • 172.16.14.128/25

Name: Domains
Description: Displays all of the domains currently whitelisted for the use case. Domains can also be entered manually in the text box or uploaded via CSV. Domain entries are exact string matches, so an entry for poc.devo.com does not cover other hosts under devo.com.

Example domain:

  • poc.devo.com
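To make the matching rules for the three entity types concrete, here is an added reference implementation (example code written for this page, not Devo's own filtering logic) that applies the whitelist entries listed above to a handful of constructed events. The event field names "user", "device" and "domain" are assumptions; the whitelist values are the page's examples. Users and Domains are compared as exact strings, while Devices are matched by hostname, single IP, inclusive IP range, or CIDR membership.

```python
import ipaddress

# Added example (not Devo's code): reference semantics for the Users, Devices
# and Domains whitelist entries described in the release notes.
# Event field names "user", "device" and "domain" are assumed.


def parse_device_entry(entry):
    """Classify one Devices entry as ("cidr", net), ("ip", addr),
    ("range", (lo, hi)) or ("hostname", text)."""
    entry = entry.strip()
    if "/" in entry:
        return "cidr", ipaddress.ip_network(entry, strict=False)
    try:
        return "ip", ipaddress.ip_address(entry)
    except ValueError:
        pass
    if "-" in entry:
        lo, _, hi = entry.partition("-")
        try:
            lo_ip, hi_ip = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        except ValueError:
            return "hostname", entry  # e.g. "web-01" is a hostname, not a range
        if lo_ip.version != hi_ip.version or lo_ip > hi_ip:
            raise ValueError(f"invalid IP range: {entry}")
        return "range", (lo_ip, hi_ip)
    return "hostname", entry


class Whitelist:
    """Users and Domains are exact string matches; Devices match by hostname,
    single IP, inclusive IP range, or CIDR membership."""

    def __init__(self, users=(), devices=(), domains=()):
        self.users = {u.strip() for u in users}
        self.domains = {d.strip() for d in domains}
        self.hostnames = set()
        self.address_rules = []
        for entry in devices:
            kind, value = parse_device_entry(entry)
            if kind == "hostname":
                self.hostnames.add(value)
            else:
                self.address_rules.append((kind, value))

    def device_matches(self, device):
        device = device.strip()
        if device in self.hostnames:
            return True
        try:
            addr = ipaddress.ip_address(device)
        except ValueError:
            return False  # a hostname that is not on the list
        for kind, value in self.address_rules:
            if kind == "ip" and addr == value:
                return True
            if kind == "cidr" and addr in value:
                return True
            if kind == "range" and addr.version == value[0].version and value[0] <= addr <= value[1]:
                return True
        return False

    def is_whitelisted(self, event):
        """True if any populated entity field on the event hits the whitelist."""
        return (
            event.get("user") in self.users
            or event.get("domain") in self.domains
            or ("device" in event and self.device_matches(event["device"]))
        )


def filter_events(events, whitelist):
    """Drop whitelisted events; this is what happens to use case output after Enable."""
    return [e for e in events if not whitelist.is_whitelisted(e)]


def demo():
    """Run the page's example entries against constructed events; returns the survivors."""
    wl = Whitelist(
        users=["David Dark", "david.dark@devo.com", "Ddark"],
        devices=["MacBookPro_0002", "174.1.54.54", "173.1.54.100-173.1.54.130", "172.16.14.128/25"],
        domains=["poc.devo.com"],
    )
    events = [  # constructed sample events, not real data
        {"user": "Ddark", "device": "10.0.0.5"},         # exact user match -> dropped
        {"user": "alice", "device": "173.1.54.120"},     # inside the range -> dropped
        {"user": "alice", "device": "172.16.14.200"},    # inside the /25 -> dropped
        {"user": "alice", "device": "172.16.14.100"},    # outside the /25 -> kept
        {"user": "david.dark", "device": "web-01"},      # not an exact user match -> kept
        {"user": "bob", "domain": "sub.poc.devo.com"},   # subdomain is not an exact match -> kept
        {"user": "bob", "domain": "poc.devo.com"},       # exact domain match -> dropped
        {"user": "bob", "device": "MacBookPro_0002"},    # hostname match -> dropped
    ]
    return filter_events(events, wl)


if __name__ == "__main__":
    for event in demo():
        print("kept:", event)
```

Two details worth noting: a Devices entry containing a dash is only treated as a range when both halves parse as IP addresses, so hostnames like "web-01" are not misread; and because Users and Domains are exact matches, a partial username or a subdomain of a whitelisted domain still reaches the detection.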

The User, Device, and Domain whitelists are part of every use case, whether or not the use case actually uses that entity type. If the use case does not include one of the entity types, a warning message like the one below is displayed:

The Upload CSV section lets users take a CSV they have from another tool, or from lookups within Devo, and upload it. The upload section provides a few tools to make working with CSVs easier. The CSV can be dropped in and previewed on screen, and three options control how it is ingested:

  • Values Column: if the wrong column is selected, use this drop-down to pick the column whose values are added to the whitelist. Only one column can be selected per upload, but the same CSV can be uploaded several times to add several of its columns.

  • Header row: specifies whether the CSV has a header row. If it does, the first row of the file is ignored when adding values to the whitelist; if this is left unset for a file that does have a header, the column name itself is added as a whitelist entry.

  • Add or Replace: Add appends all the uploaded values to the existing whitelist; Replace overwrites the entire whitelist with the uploaded values.
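The upload options above, modelled as plain functions in an added example (written for this page, not Devo's upload code): the CSV content is constructed for illustration, and the three options map onto a column selector, a header-row flag, and an add/replace mode. The example also shows the header-row mistake, where a file with a header is uploaded with the flag unset and the column name lands in the whitelist.

```python
import csv
import io

# Added example (not Devo's code): the Values Column, header row and
# Add/Replace options of the CSV upload, as plain functions.
# SAMPLE_CSV is constructed for illustration (an export "from another tool").
SAMPLE_CSV = """hostname,ip,owner
MacBookPro_0002,174.1.54.54,david.dark@devo.com
build-server,172.16.14.130,ci
,10.0.0.1,bob
"""


def preview_csv(csv_text, rows=5):
    """First few rows as lists, so the user can see which column holds the values."""
    reader = csv.reader(io.StringIO(csv_text))
    return [row for _, row in zip(range(rows), reader)]


def extract_column(csv_text, values_column, has_header):
    """Return the non-empty values of one column.

    values_column is a header name when has_header is True, or a 0-based
    index otherwise. With has_header=True the first row is skipped; with
    has_header=False it is treated as data, so a header literal would be
    ingested as a whitelist value.
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return []
    if has_header:
        header, rows = rows[0], rows[1:]
        idx = header.index(values_column) if isinstance(values_column, str) else values_column
    else:
        if isinstance(values_column, str):
            raise ValueError("without a header row, select the column by index")
        idx = values_column
    return [row[idx].strip() for row in rows if idx < len(row) and row[idx].strip()]


def apply_upload(existing, uploaded, mode):
    """Add appends to the current whitelist; Replace overwrites it. Duplicates are dropped."""
    if mode == "add":
        merged = list(existing) + list(uploaded)
    elif mode == "replace":
        merged = list(uploaded)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return list(dict.fromkeys(merged))  # dedupe, keep first-seen order


def demo():
    """Two uploads of the same file add two of its columns to the Devices whitelist."""
    devices = ["MacBookPro_0002"]  # existing entry already on the whitelist
    devices = apply_upload(devices, extract_column(SAMPLE_CSV, "hostname", True), "add")
    devices = apply_upload(devices, extract_column(SAMPLE_CSV, "ip", True), "add")
    return devices


if __name__ == "__main__":
    print(preview_csv(SAMPLE_CSV, 2))
    print(demo())
    # Header flag left unset on a file that has one: "hostname" becomes an entry.
    print(extract_column(SAMPLE_CSV, 0, False))
```

Blank cells are skipped rather than added as empty entries, and Add de-duplicates against what is already on the list, so re-uploading the same export does not grow the whitelist.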

Devo Behavior Analytics v1.9 also updates several use cases to pick up parsing changes that have been included in the base platform. The following Behavior Alert Definitions in the Content Manager must be deleted and then configured and enabled again ("Configure & Enable") in order to pick up the latest changes:

  • Abnormal Login Activity

  • Failed Login Activity Detection on Internal Traffic

  • Login Activity Lateral Movement

  • Login Activity Peer Group Movement

  • First Time Authentication or Authorization from a Country

  • First Time Login to Device/ Asset

  • First Time Authentication or Authorization from a Organization

To do this, go to the Content Manager, click "Configure & Enable" next to each Behavior Alert Definition in the list above, and then click "Enable" in the modal shown below to pick up the latest changes.