Introduction

The content manager is where the behavioral models are deployed. To open it, click the Content Manager button at the far right of the application. The content manager displays a list of all models that can be deployed. By default, 10 models are shown per page, and you can page through the list to find more models.

Three columns are displayed for each model: behavior (the name of the model), table (the Devo table required to deploy the model), and status (enabled or disabled). A model that is not enabled must be turned on before it starts running.

To deploy a model, click the Configure and Enable button. A new screen with options for configuring the alert appears. Historic Time Period, Risk Score, and Alert Priority are shown by default. Set the time period the model should track against, the minimum risk threshold for alerting, and the minimum alert priority you want to see for the alerts. In addition, an advanced option lets you override the table, so you can deploy the model on a different table if the table naming in your org differs from the default. If you use the table override, make sure that the field names and types in your table match those of the original Devo table.

To stop a model, use the Disable option, which pauses the model.

To keep performance from suffering, do not deploy all the models at once.

  • Deploying Behavior Alerts:

The configuration screen offers the following settings (name, then description):

Final outcome output threshold
    Threshold at which the behavior signal is added to the entity.behavior.signal.events table. Signals above the threshold are counted in entity risk scores.

Create Alerts?
    Select whether an alert is created for the behavior signal for SOC analysts to triage.

Final outcome alerting threshold
    Threshold for the behavior signal alert that causes the alert to fire and be triaged by SOC analysts.

Alert Priority
    The priority of the alert, set on a scale of 1 - Informational through 5 - Critical.

Risk score
    Risk score given to the behavior signal that is sent back to Devo. The entity risk score is calculated from the risk score value given.

Advanced Configurations
    Configuration options to be used only under special circumstances and for Devo table configurations. Contact support to see whether these options make sense for you.

Table Override
    The table used to override the behavior signal query. The table must contain the specific fields of the original table in order to function correctly.
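The following added example (not Devo's code or part of this page) models the two thresholds from the settings above and the Table Override rule that field names and types must match the original Devo table. The schemas, field names and scores are constructed samples, not Devo's real tables.

```python
"""Model the behavior alert thresholds and the Table Override compatibility rule.
Added example; all schemas and scores below are constructed, not Devo's own."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BehaviorConfig:
    output_threshold: float    # Final outcome output threshold
    create_alerts: bool        # Create Alerts?
    alerting_threshold: float  # Final outcome alerting threshold
    alert_priority: int        # 1 - Informational through 5 - Critical
    risk_score: int            # Risk score sent back to Devo per signal


def evaluate_signal(score: float, cfg: BehaviorConfig) -> Dict[str, object]:
    """Decide what happens to one behavior signal score under cfg.
    A score at or above the output threshold is recorded to
    entity.behavior.signal.events and contributes cfg.risk_score to the
    entity; an alert fires only if alerting is on and the alerting
    threshold is also met. Priority must stay within the 1..5 scale."""
    if not 1 <= cfg.alert_priority <= 5:
        raise ValueError("alert_priority must be between 1 and 5")
    recorded = score >= cfg.output_threshold
    alert = cfg.create_alerts and score >= cfg.alerting_threshold
    return {
        "recorded": recorded,
        "risk_contribution": cfg.risk_score if recorded else 0,
        "alert_priority": cfg.alert_priority if alert else None,
    }


def check_override(original: Dict[str, str], override: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems): ok only when every field of the original Devo
    table exists in the override table with the same type. Extra fields in
    the override table are tolerated here (an assumption; the page only
    requires the original table's fields to be present and matching)."""
    problems: List[str] = []
    for name, ftype in original.items():
        if name not in override:
            problems.append(f"missing field {name} ({ftype})")
        elif override[name] != ftype:
            problems.append(f"type mismatch on {name}: expected {ftype}, got {override[name]}")
    return not problems, problems


# Constructed sample schemas (hypothetical field names, not Devo's real tables).
ORIGINAL = {"eventdate": "timestamp", "username": "str", "srcIp": "ip4", "result": "str"}
CUSTOM = {"eventdate": "timestamp", "username": "str", "srcIp": "str", "hostname": "str"}

if __name__ == "__main__":
    cfg = BehaviorConfig(0.6, True, 0.8, 4, 55)
    for s in (0.5, 0.7, 0.9):
        print(s, evaluate_signal(s, cfg))
    print(check_override(ORIGINAL, CUSTOM))
```

Run against the constructed CUSTOM schema, the check reports a missing field and a type mismatch, which is exactly the situation the override warning above tells you to rule out before deploying.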

  • Content Manager SecOps Alerts: 

As seen in the image above, all SecOps alerts enabled in your domain will show up in the Behavior Analytics App. Any time these alerts are set off, they will be correlated to the associated entity. You can tune the risk score of a specific SecOps alert (if you want to set a risk score of 55 for the SecOpsLoginFailAttempts alert, for example).

To do this, open the action menu at the far right of the alert name and choose Edit, where you can set a risk score for that SecOps alert. Once a risk score is added to the SecOps alert, the alert's contribution to the risk score of an entity increases. To remove the risk score, use the Remove Risk Score option in the same action menu.