Document toolboxDocument toolbox

Navigating the application

Overview

The area you first see when you access the Security Operations application is the Dashboard, which offers at-a-glance monitoring information. The green top bar at the top area includes 4 icons to navigate through the different areas of the application, explained in detail in the following articles.

You can also check the items you have added to your investigation list by clicking the paper clip icon at the top right corner.

Next to it, click the menu icon to check and configure your alerts, lookups, and capabilities in the content manager; and configure the application settings. Also, there’s direct accesses to the Users' administration and Role management areas in Devo.

The Security Operations application has three main purposes: alert triage, user investigations, and threat hunting. All these activities are summarized in the Dashboard, which is the entrance point of the app.

These are the four different areas of the application:

  • Dashboard - This is the first area you see when you enter the application, and offers a general overview of the system condition through a series of default widgets.

  • Triage - This area allows analysts to filter and pivot both alerts and investigations by different parameters (type, name, keywords...)

  • Investigations - Create and manage investigations based on suspicious alerts and assign them to the required users.

  • Hunting - This area allows users to perform a global search in order to identify suspicious events.

Investigation list

All the elements that you add to an investigation from those areas go to the investigation list, where you can review and manage all the alerts and entities before defining the investigation. To access the Investigation list, just click the paper clip icon that you can find at the top right corner of the application.

Learn more about this in this article.

Content manager

Click Content manager in the menu icon at the top right corner of the application to access the content manager, where you can check information about different resources related to your environment: alerts, lookups, and capabilities.

This area is divided into three main sections:

The top area of this window shows a series of informative graphs that inform users about the alerts and lookups in your environment. Each group of alerts shows the total number of alerts and the ones that are activated. Next to this, you can check the total percentage of activated alerts in a group.

In the capture below, the first graph represents the SecOps alerts in our environment. Currently, we have a total of 307 alerts, and 143 of them are activated. This represents 43% of the total number of alerts, as we can see in the graph.

These are the different groups of alerts:

  • Built-in alerts installed - Default alerts in the Security Operations application.

  • Custom alerts installed - Custom alerts defined for a specific client.

  • Active alerts - Active alerts in your system.

  • Main lookups - Lookups in the client domain.

  • Multi-lookup - Generic lookups in the Multilookups domain.

In the middle area of the window, you'll find three different tabs:

Alerts installed

Check the list of alerts installed in your SecOps environment. 

  • Activate or deactivate alerts by switching on/off the toggle at the right side of each alert.

  • Uninstall an alert by clicking the bin icon on the right side of the alert.

You can also check these alerts in the Administration → Alert Configuration area of the Devo application.

Some of the alerts in this area may be marked with a Custom tag next to their priority and type. This means that these alerts are custom alerts that have been defined specifically for a client and are not included in the default SecOps alert catalog.

Lookups

As explained in this section, there are 2 types of lookups in the Security Operations application: main lookups and multi-lookups. In this tab, you can check the lookups of each type that you have installed in your environment.

  • Check the lookups that are installed in your environment (they will be marked with the word Installed). Lookups that are not installed are marked with the word Missing in red.

Capabilities

Capabilities are Flow contexts that relate SecOps data to other external systems and perform specific operations.

  • Activate or deactivate capabilities by switching on/off the toggle at the left side of each capability.

  • Check if they are loaded and running in the info next to their name.

Finally, in the bottom area of this window, we have the Alerts Filters and Alerts Configurator sections. These sections appear at the bottom area no matter the tab in the above section we select. In the Alerts Filter, select the required filters and check the results in the Alerts Configuration area, where you can select any number of required alerts and install them.

Unlike the alerts that appear in the Alerts installed tab above, these alerts do not appear in the Administration → Alert Configuration area of the Devo application. These are default alerts defined in the SecOps application that can be installed by users in their domains in the Alerts Configuration area.

Alerts filter

Below are the available filters in the Alerts Filter section. Select the required ones and click Filter to see the results.

Filter

Description

Filter

Description

Installable alerts

Activate this toggle if you want to filter only installable alerts, or deactivate alerts to filter non-installable alerts.

Priority

Choose the required alert priority(ies)

ATT&CK Tactic

Select the required Mitre ATT&CK tactics.

ATT&CK Technique

Select the required Mitre ATT&CK techniques.

Tables

Specify the source tables of the queries that define the filtered alerts.

Tags

Choose the required alert tags.

Trigger type

Select the trigger method of the filtered alerts.

Alerts configurator

In the Alerts Configurator section, you will see the alerts matching the filter criteria selected. 

In this area, you can check any number of filtered alerts you need to install, and then click the Install alerts button that appears on the right side to install them. After installation, these alerts will appear in the Administration → Alert Configuration area of the Devo app.

Application settings

Click the menu icon at the top right corner of the application and select Settings to access the following groups of configuration options:

Group

Description

Group

Description

Enrichment

The Security Operations application is automatically enriched by different threat platforms to get the data required to analyze and label the alerts. However, if you have your own account on one of the available platforms, you can click it, switch off its Use default toggle and specify your URL to get data from your service.

Click Save to apply any modifications.

Capabilities services

Configure the Cortex XSOAR and Phantom connection. You can also set an email to send notifications when an investigation is closed.

Click Save to apply any modifications.

File artifact storage

Switch off the toggles if you want to specify the location where you want to store the files attached to investigations. Learn more in Investigations.

Click Save to apply any modifications.

DNS

The application resolves names using default DNS. Add server names here if you want to use custom DNS.

Click Save to apply any modifications.

Location

This is a view of the location lookup used to resolve locations and geolocations from IP addresses.

Impact calculation

Activate this option if you want to display the impact calculation for all the entities in your environment. Note that alert performance will be slower when this is activated.

This option is deactivated by default.

User preferences

Use the Devo app date format or choose a custom one.

Â