Overview
The area you first see when you access the Security Operations application is the Dashboard, which offers at-a-glance monitoring information. The green top bar at the top area includes 4 icons to navigate through the different areas of the application, explained in detail in the following articles.
You can also check the items you have added to your investigation list by clicking the paper clip icon at the top right corner.
Next to it, click the menu icon to check and configure your alerts, lookups, and capabilities in the content manager; and configure the application settings. Also, there’s direct accesses to the Users' administration and Role management areas in Devo.
The Security Operations application has three main purposes: alert triage, user investigations, and threat hunting. All these activities are summarized in the Dashboard, which is the entrance point of the app.
These are the four different areas of the application:
Dashboard - This is the first area you see when you enter the application, and offers a general overview of the system condition through a series of default widgets.
Triage - This area allows analysts to filter and pivot both alerts and investigations by different parameters (type, name, keywords...)
Investigations - Create and manage investigations based on suspicious alerts and assign them to the required users.
Hunting - This area allows users to perform a global search in order to identify suspicious events.
Investigation list
All the elements that you add to an investigation from those areas go to the investigation list, where you can review and manage all the alerts and entities before defining the investigation. To access the Investigation list, just click the paper clip icon that you can find at the top right corner of the application.
Learn more about this in this article.
Content manager
Click Content manager in the menu icon at the top right corner of the application to access the content manager, where you can check information about different resources related to your environment: alerts, lookups, and capabilities.
This area is divided into three main sections:
The top area of this window shows a series of informative graphs that inform users about the alerts and lookups in your environment. Each group of alerts shows the total number of alerts and the ones that are activated. Next to this, you can check the total percentage of activated alerts in a group.
In the capture below, the first graph represents the SecOps alerts in our environment. Currently, we have a total of 307 alerts, and 143 of them are activated. This represents 43% of the total number of alerts, as we can see in the graph.
These are the different groups of alerts:
Built-in alerts installed - Default alerts in the Security Operations application.
Custom alerts installed - Custom alerts defined for a specific client.
Active alerts - Active alerts in your system.
Main lookups - Lookups in the client domain.
Multi-lookup - Generic lookups in the Multilookups domain.
Dynamic lookups - Dynamic lookups are generated in the Security Operations application.
In the middle area of the window, you'll find three different tabs:
Alerts installed
Check the list of alerts installed in your SecOps environment.
Activate or deactivate alerts by switching on/off the toggle at the right side of each alert.
Uninstall an alert by clicking the bin icon on the right side of the alert.
You can also check these alerts in the Administration → Alert Configuration area of the Devo application.
Some of the alerts in this area may be marked with a Custom tag next to their priority and type. This means that these alerts are custom alerts that have been defined specifically for a client and are not included in the default SecOps alert catalog.
Lookups
As explained in this section, there are 3 types of lookups in the Security Operations application: main lookups, multi-lookups, and dynamic lookups. In this tab, you can check the lookups of each type that you have installed in your environment.
Check the lookups that are installed in your environment (they will be marked with the word Installed). Lookups that are not installed are marked with the word Missing in red.
Apart from the status, dynamic lookups also show the number of entries (shown in orange if there are few entries), its size, and its update date.
Capabilities
Capabilities are Flow contexts that relate SecOps data to other external systems and perform specific operations.
Activate or deactivate capabilities by switching on/off the toggle at the left side of each capability.
Check if they are loaded and running in the info next to their name.
Finally, in the bottom area of this window, we have the Alerts Filters and Alerts Configurator sections. These sections appear at the bottom area no matter the tab in the above section we select. In the Alerts Filter, select the required filters and check the results in the Alerts Configuration area, where you can select any number of required alerts and install them.
Unlike the alerts that appear in the Alerts installed tab above, these alerts do not appear in the Administration → Alert Configuration area of the Devo application. These are default alerts defined in the SecOps application that can be installed by users in their domains in the Alerts Configuration area.
Alerts filter
Below are the available filters in the Alerts Filter section. Select the required ones and click Filter to see the results.
Filter | Description |
|---|---|
Installable alerts | Activate this toggle if you want to filter only installable alerts, or deactivate alerts to filter non-installable alerts. |
Priority | Choose the required alert priority(ies) |
ATT&CK Tactic | Select the required Mitre ATT&CK tactics. |
ATT&CK Technique | Select the required Mitre ATT&CK techniques. |
Tables | Specify the source tables of the queries that define the filtered alerts. |
Tags | Choose the required alert tags. |
Trigger type | Select the trigger method of the filtered alerts. |
Alerts configurator
In the Alerts Configurator section, you will see the alerts matching the filter criteria selected.
In this area, you can check any number of filtered alerts you need to install, and then click the Install alerts button that appears on the right side to install them. After installation, these alerts will appear in the Administration → Alert Configuration area of the Devo app.
Note that you'll only be able to install alerts that you filtered with the Installable alerts toggle activated. If you did not have the toggle activated, the alerts filtered will not be installable, and you will only be able to download their requirements in an Excel sheet.
Application settings
Click the menu icon at the top right corner of the application and select Settings to access the following groups of configuration options:
Group | Description |
|---|---|
Enrichment | The Security Operations application is automatically enriched by different threat platforms to get the data required to analyze and label the alerts. However, if you have your own account on one of the available platforms, you can click it, switch off its Use default toggle and specify your URL to get data from your service. Click Save to apply any modifications. |
Capabilities services | Configure the Cortex XSOAR and Phantom connection. You can also set an email to send notifications when an investigation is closed. Click Save to apply any modifications. |
File artifact storage | Switch off the toggles if you want to specify the location where you want to store the files attached to investigations. Learn more in Investigations. Click Save to apply any modifications. |
DNS | The application resolves names using default DNS. Add server names here if you want to use custom DNS. Click Save to apply any modifications. |
Location | This is a view of the location lookup used to resolve locations and geolocations from IP addresses. |
Impact calculation | Activate this option if you want to display the impact calculation for all the entities in your environment. Note that alert performance will be slower when this is activated. This option is deactivated by default. |
User preferences | Use the Devo app date format or choose a custom one. |