Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Current »

Devo Behavior analytics provides risk scores at two different levels:

  • Alert Technique Risk Score: a measure of risk for the specific MITRE ATT&CK technique that the alert is associated with on a scale from 0 to 100. 

  • Entity Risk Score: a calculated risk score that takes into account all of the alerts and behavior deviations for an entity on scale from 0 to 100 

Alert Risk Score

The Alert Technique Risk Score (TRS) is the out-of-the-box alert risk score framework that dictates the risk contribution of a specific alert or behavioral deviation. The TRS is determined by the Devo SciSec threat research team based on research conducted around common attack patterns for MITRE ATT&CK techniques. Through the research each technique has its technique awareness, cut vertex to other techniques, technique closeness, and technique actionability evaluated to determine the risk score. The Alert Technique Risk Score represents the default model of alert risk within Devo today and is available for all SecOps alerts out of the box. TRS is additionally modulated by the priority set with an alert to drive higher risk for what an organization says is higher priority for their environment.  

To take advantage of the Alert Technique Risk Score in a custom alert, you must include both the MITRE ATT&CK Technique ID and alert priority. Both of these values are used in the risk processor to calculate risk associated with an entity. To take advantage of the out-of-the-box risk score framework you can use the example alert LINQ provided below: 

select "T1548" as mitreTechniqueId

Select “4” as alertPriority 

Alternatively if you would like to set your own risk score for your alerts on a scale from 0 to 100, you can add the risk score as a value directly in the alert LINQ. An example of this can be seen below: 

select 50 as risk

If there is no risk score associated with an alert then a default risk score of 35 will be used if there is an entity mapped within the alert. The entity mapping at the bottom of the page must be present in order to make use of the default risk score.

If no values for technique ID, risk, or entity are listed in the alert then the alert will be ignored by the risk calculation process.

If you want to exclude an alert from the risk calculation since it alerts on data with the entity.behavior.risk.events table then add [select "Risk" as alertType] to the alert and it will be excluded. The risk alert type avoids positive feedback loops of entity risk over time:

select “Risk” as alertType

Entity Risk Score

On top of the risk score configuration, you must add SecOps alert entities to you alerts. These help associate the alerting TRS data to the specific entity and calculate the Entity Risk Score.

select userIdentity_arn as entity_sourceName

select userIdentity_accountId as entity_sourceAccount

select sourceIPAddress as entity_sourceIP

Once the Alert TRS or custom risk scores are configured within a Devo domain’s alerts and behavioral detections, risk can now accumulate on specific entities within the domain that are associated with those alerts and behavioral signals. The Entity Risk Score (ERS) is calculated from all the alerts and behavior signals within the domains over the last 7 days and aggregates the risk contribution from each of them on the specific entities involved.  From there the aggregate risk score is normalized against all entities within the domain, which results in the final ERS. 

The ERS calculation is done using a risk processor that is enabled within a Devo domain and calculates risk every hour on alerts and behavioral signals that have occurred over the last 7 days from the time that it was run. The ERS is output every hour into the entity.behavior.risk.events table and can be viewed via data search within a Devo domain.  

The ERS score is what is displayed around an entity through the Devo Behavior Analytics application and is used to help identify users, devices, and domains that are suspicious. The Alert TRS or customized risk score is displayed within the entity's alert history view to give context as to how much risk an individual alert or behavioral deviation contributed to the ERS.

In order to identify entities within your alerts and map them to users, devices, and/or domains, use the following mapping cheatsheet to do so: 

Users
-entity_sourceName
-entity_destinationName
-entity_sourceAccount
-entity_destinationAccount
-entity_sourceEmail
-entity_destinationEmail
Device
-entity_sourceIP
-entity_destinationIP
-entity_sourceHostname
-entity_destinationHostname
Domain
-entity_sourceDomain
-entity_destinationDomain
-entity_sourceUrl
-entity_destinationUrl

The above mapping allows the risk processor to identify the entities within the alerts to calculate the risk and then appropriately map them to the display in the application.

entity.behavior.risk.events overview

entity: Name of entity
total_risk: Culmunative (sum) risk score
related: All related entities observed
last_risk: Time of the most recent alert/anomaly signal observed
alert_metrics_secops: Total number of observed SecOps alerts
alert_metrics_ueba: Total number of observed anomaly signals
priority_metrics_high: Total number of observed SecOps alerts that were of severity "High"
priority_metrics_critical: Total number of observed SecOps alerts that were of severity "Critical"
entity_risk: Normalized risk score for this entity's type
entity_type: Type of entity
global_risk: Normalized risk score for all entities
unique_alerts: Unique or distinct number of alerts observed
unique_techiniques: Unique or distinct number of Mitre techniques observed
unique_tactics: Unique or distinct number of Mitre tactics observed

  • No labels