
Activeboard: Collective Defense Overview

Screenshot: 10_Collective denfese Activeboard.png

Purpose

Collective Defense is a threat intelligence feed that Devo provides to all of its customers. It looks for trending threats across thousands of customers and enriches them to provide early threat warnings and accelerate investigations.

The Collective Defense Activeboard gives an organization-wide visualization of the matches between the organization's major log sources and the threat intelligence feed. If no matches are found, no action is required; if there are matches, further investigation is required.

Users can use the Activeboard as an example to build their own dashboards or add widgets to existing threat intelligence visualizations they have built. 

Here's how to interpret the results:

  • If there are no findings, congratulations: none of your log sources matched a malicious Collective Defense indicator.

  • If there are findings with no enrichment, multiple customers are seeing activity from the same source, but open-source feeds have not flagged it as malicious. These are lower priority, though still worth a look if the source is unexpected in your environment.

  • If there are findings with enrichment, multiple customers are seeing activity from the same source and it has also been reported in open-source feeds. These require attention.
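The three interpretation rules above can be reproduced outside the Activeboard, for example when you want to run the same triage in a script or in your own dashboard. The following is an added example written for this page; it is not Devo code, and the feed layout, the log layout and every record in it are constructed for illustration rather than taken from the Collective Defense schema. It matches a few log sources against a feed in which each indicator carries either an enrichment record or None (seen across customers, but not flagged by open-source feeds), and then assigns each widget the status the bullets describe.

```python
"""Added example (not Devo's code): triage of threat-feed matches per log source.
The feed format, log format and all data below are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

Enrichment = Optional[Dict[str, str]]

# Constructed feed: "kind:value" -> enrichment. None means the indicator was seen
# across multiple customers but open-source feeds have not flagged it.
FEED: Dict[str, Enrichment] = {
    "ip:203.0.113.7": None,
    "ip:198.51.100.3": {"source": "osint-feed-A", "tag": "c2"},
    "url:http://example.invalid/login.php": {"source": "osint-feed-B", "tag": "phishing"},
    "sha256:" + "a" * 64: None,
}

# Constructed log records, keyed by the Activeboard widget that would show them.
LOGS: Dict[str, List[Dict[str, str]]] = {
    "Firewall Src IP": [{"srcIp": "203.0.113.7"}, {"srcIp": "192.0.2.10"}],
    "Firewall Dst IP": [{"dstIp": "198.51.100.3"}],
    "Proxy URL": [{"url": "http://example.invalid/login.php"}, {"url": "https://example.com/"}],
    "EDR Threats sha256": [{"sha256": "A" * 64}, {"sha256": "b" * 64}],  # upper-case hash on purpose
    "o365 Src IP": [{"srcIp": "192.0.2.55"}],
}

# Which record field each widget compares, and which indicator kind it maps to (assumed).
FIELDS: Dict[str, Tuple[str, str]] = {
    "Firewall Src IP": ("srcIp", "ip"),
    "Firewall Dst IP": ("dstIp", "ip"),
    "Proxy URL": ("url", "url"),
    "EDR Threats sha256": ("sha256", "sha256"),
    "o365 Src IP": ("srcIp", "ip"),
}


def indicator_key(kind: str, value: str) -> str:
    """Normalise a log value into the feed's lookup key. Hashes are case-insensitive;
    IPs and URLs are compared verbatim after trimming whitespace."""
    value = value.strip()
    if kind == "sha256":
        value = value.lower()
    return f"{kind}:{value}"


def find_hits(logs, feed, fields) -> Dict[str, List[Tuple[str, Enrichment]]]:
    """Return, per widget, the list of (matched value, enrichment) pairs."""
    hits: Dict[str, List[Tuple[str, Enrichment]]] = {}
    for widget, records in logs.items():
        field, kind = fields[widget]
        matched = []
        for rec in records:
            key = indicator_key(kind, rec[field])
            if key in feed:
                matched.append((rec[field], feed[key]))
        hits[widget] = matched
    return hits


def triage(hits) -> Dict[str, Dict[str, object]]:
    """Apply the page's three rules: clean (no findings), unenriched (findings but
    no open-source corroboration) or enriched (findings that require attention)."""
    summary: Dict[str, Dict[str, object]] = {}
    for widget, matched in hits.items():
        enriched = [m for m in matched if m[1] is not None]
        if not matched:
            status = "clean"
        elif enriched:
            status = "enriched"
        else:
            status = "unenriched"
        summary[widget] = {"count": len(matched), "enriched": len(enriched), "status": status}
    return summary


def needs_attention(summary) -> List[str]:
    """Widgets whose findings carry enrichment, i.e. the ones the page says require attention."""
    return sorted(w for w, s in summary.items() if s["status"] == "enriched")


if __name__ == "__main__":
    result = triage(find_hits(LOGS, FEED, FIELDS))
    for widget, s in result.items():
        print(f"{widget:20} findings={s['count']} enriched={s['enriched']} -> {s['status']}")
    print("Require attention:", needs_attention(result))
```

The per-widget count is what each "Simple value" widget on the Activeboard shows; the status is the bullet the count falls under. Normalising hash case before the lookup matters in practice, since EDR products and feeds do not agree on hex casing, and a case-sensitive comparison silently produces a "clean" result for an indicator that is in fact present.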

Summary counters (Simple value widgets):

  • Authentication Src IP Hunt Findings

  • Firewall Src IP Findings

  • Firewall Dst IP Findings

  • Proxy URL Findings

  • Proxy Dst Hostname Findings

  • Web Access IP Findings

  • o365 Src IP Findings

  • GSuite Src IP Findings

  • Netflow Src IP Hunt Findings

  • Netflow Dst IP Findings

  • AWS Src IP Findings

  • EDR Threats sha256 Findings

  • Explanation

Fired Alerts (Table widgets):

  • Fired Alerts: Source IP

  • Fired Alerts: Destination IP

  • Fired Alerts: Source Hostname

  • Fired Alerts: Destination Hostname

  • Fired Alerts: Source Domain

  • Fired Alerts: Destination Domain

  • Fired Alerts: Source URL

  • Fired Alerts: Destination URL

  • Fired Alerts: Source File Hash

  • Fired Alerts: Destination File Hash

Hunt results (Table widgets):

  • Authentication Src IP Hunt

  • Firewall Src IP Hunt

  • Firewall Dst IP Hunt

  • Proxy URL Hunt

  • Proxy Dst Hostname Hunt

  • EDR Threats sha256 Hunt

  • Web Access IP Hunt

  • o365 Src IP Hunt

  • AWS Src IP Hunt

  • GSuite Src IP Hunt

  • Netflow Src IP Hunt

  • Netflow Dst IP Hunt

Prerequisites

To use this Activeboard, you must have the following data sources available in your domain:


Open Activeboard

Once you have installed the Activeboard, you can use the Open button at the top right of the card in Exchange to access it and see the different widgets populated with the relevant data. You can also access the Activeboard area via the Navigation pane.

Screenshot: 20_Open Activeboard.png

Data loading takes too long?

Some widgets can take a while to load their data. You can speed this up by creating aggregation tasks for the queries behind them. Refer to the Aggregation tasks article to learn how.

Use Activeboard

After installing and opening the Activeboard, you can use its widgets to visualize and monitor data. Each widget offers a variety of customization and visualization options. Refer to Using widgets and Using inputs to learn about them all.