Risk-based alerting
- Anthony Shevlin (Deactivated)
- Borja Moro Moreno
Overview
Risk-based alerting introduces a new “type” of alert that sets thresholds for alerts within the Devo Behavior Analytics application to alert on risk events for specific entities within an organization. Risk-based alerts are configured and managed within the Content Manager in the Devo Behavior Analytics application.
Within the content manager a user can navigate to the risk based alerts section and view all of the current risk based alerts that have been created through the application thus far. The user also has the option to create new risk based alerts from the content manager.
Risk-based alerts can be created by users through data search by creating alerts on the entity.behavior.risk.events table. These alerts will not show up within the application unless they use the same naming convention. The application enables a quick and easy way to create and manage these alerts in one place.
Risk-based alerts from within the application are also included inside of the entity dashboard within the alert trend graph. The trend graph enables users to view the 30-day trend of risk based alerts within their organization. The Recent risky entities on the main dashboard are also replaced with Risk-based alerts in the last 24 hours.
Creating risk-based alerts
To create a risk-based alert, click the New button a the top right. You can then enter the desired parameters in the window that pops up. Find all the parameters available below.
Parameters
Alert Name → name of the alert for Alert API.
Applies to → users, devices, or domains.
Alert Type → the criteria to configure the alert
Threshold → Alert will trigger when an entity’s risk score exceeds a given threshold.
Risk Threshold → use the slider to choose a threshold from 0 to 100.
Rate of Change → Alert will trigger when an entity’s risk score changes beyond a given amount.
Risk Score Change → write the change amount that must be observed to triggered the alert.
Evaluation Period (in hours) → write the length of the monitoring periods.
Alert priority → use the dropdown to chose a priority level.
Advanced (optional):
Maximum number of unique alerts → unique_alerts_threshold
Maximum number of unique tactics → unique_tactics_threshold
Maximum number of unique techniques → unique_techniques_threshold
Use cases
Each risk-based alert use case is described below, along with the corresponding parameters that you can enter and the alert template.
Entity’s risk score exceeds a fix threshold | Entity’s risk score changes more than a specified amount |
Parameters
Alert Template from entity.behavior.risk.events
where has(entity_type, [Entity_Type Adjusted by User])
where entity_risk > [Risk Threshold Entered By User]
group every [Evaluation Period Entered by User]m by entity, entity_type, entity_risk, total_risk, global_risk, related
where max(unique_tactics) > [unique_tactics_threshold - Threshold entered by user]
where max(unique_techniques) > [unique_techniques_threshold - Threshold entered by user]
where max(unique_alerts) > [unique_alerts_threshold - Threshold entered by user]Optional:
| Parameters
Alert Template from entity.behavior.risk.events
where in (entity_type, [Entity Type Adjusted by User])
where entity_risk > [Risk Threshold Entered By User]
group every [User selected time range] by entity, entity_type
select first(total_risk) as first_risk_score
select last(total_risk) as last_risk_score
select total_risk - last_risk as risk_rate_of_change//TUNE
Optional:
|