Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Current »

Overview

This guide walks you through the building blocks of Devo SOAR and how to build your own playbook.

By the end of this, you will be able to build your own playbook using connections and event types, streams and case management to schedule and track the cases respectively.

Requirements

All you need is the latest version of the Google Chrome browser to explore the Devo SOAR application.

Explore Devo SOAR

Check out our Free Edition to explore the application. Enter your details and click Submit. A message will be displayed that download instructions will be sent to your email address. Once you receive the download instructions, go to the URL and sign in.

For Enterprise Edition set up, see Enterprise OVA Set Up.

Building blocks of Devo SOAR

Let’s look at the building blocks of the Devo SOAR product. To automate your data, you need to understand some of the basic terms used in Devo SOAR.

 Playbooks

Playbooks are the graphical representations of the logic that the security analyst goes through to make decisions about events. Playbook execution ranks security events such that the critical events at the top.
Playbooks allow you to automate the process of identifying undesirable events and responding to them.

For more information, refer to Playbooks.

To build a playbook, you need:

  • Connection

  • Event types

 Connection

Connections allow you to ingest data into Devo SOAR from your security information and event management (SIEM) environment. A connection creates a link between Devo SOARand an external system such as a SIEM environment. Connections are how you connect to a SIEM such as Devo, Elasticsearch, Splunk, SumoLogic.

For more information on connections, refer to Create Connections.

 Event types

Event types are the queries that get specific events from your connections and yield the results for analysis and scoring. The queries are the same native queries that you would run on your SIEM.
Event types can draw from any of the following source types: results of a query on an external source, such as Splunk, SumoLogic, or Elasticsearch.

For more information on event types, refer to Create Event Types.

 Stream

Streams allow you to automate the analysis logic codified in the playbooks and apply it to upcoming events on a fixed interval, creating batches of results. You can set up streams to run at a set interval (such as every 30 minutes), and apply a playbook to each. Within each stream, you can drill down to see why alerts were scored in a particular way, and what portions of the playbook contributed to the scoring.

For more information on streams, refer to Create a Stream.

 Case management

Devo SOAR provides an integrated case management capability for you to track activity related to investigations of threats and other security issues.

For more information on how to create cases, refer to Create Cases to Track Work in Devo SOAR.

 Dashboard

Devo SOAR allows you to create your own custom dashboard to monitor any metric. When you log in to the Devo SOAR application, a System Overview page opens up as the landing page that provides detailed information on the data ingested, time saved, return on investment, integrations used, alerts triaged, cases by status, cases created, mean time to resolve, and playbook executed.

For more information on dashboards, refer to Dashboards.

  • No labels