Browsing content in Exchange
Identifying content cards
Each piece of content is presented as an individual entity in the form of an interactive card. This card presents three different appearances depending on the interaction level triggered by the user and shows different amounts of information:
Card thumbnail
When the card has yet to be interacted with, you can see a card thumbnail with a summary of its content.
When you hover over the card thumbnail the bottom part expands to reveal a short description as well.
1 | Type of content (see section below to know more about content types). |
2 | Name assigned when published. |
3 | Creator of that content. |
4 | The Installed green sign appears as soon as the content is installed in your domain. In the case of Synthetic data and Use cases, you launch the content instead of installing it and the sign displayed is Running. For lookups, an Installing gray sign appears during the process before finally showing the Installed green sign. It will be substituted by the Update orange sign whenever there is a new version (see Manage content versions for more info). |
5 | Number of times the card has been liked in this cloud (US, EU…) and number of times it has been installed. When it comes to alerts, this indicates the number of alerts included in the pack compared to the number of alerts that are actually installed. |
Card expanded
When you click on a card thumbnail it will open in full size to display all the information related to its content.
1 | Name assigned when published. |
2 | Type of content (see section below to know more about content types). |
3 | Number of times the card has been liked by users in the cloud (US, EU…) and number of times it has been installed. When it comes to alerts, this indicates the number of alerts included in the pack compared to the number of alerts that are actually installed. |
4 | Install button (Launch in the case of Synthetic data and Use cases). If it is already installed, it will be substituted by the Open and Uninstall buttons (Open and Stop in the case of Synthetic data and Use cases). If there is a new version, the Update button will be displayed. To know more about installation visit Installing content. |
5 | Close button. |
6 | Autoplayed introductory video or still image. |
7 | The Overview tab contains the full description as well as additional info links. In the case of content consisting of several items, such as content packs or use cases, there will also be an Included content section with links to access each of the individual items (see Installing and working with content packs and Installing and working with use cases for more info). In the case of alert packs, there is a list with the different alerts inside the pack, as well as options to describe them, check their queries, and install them individually or in bulk (see Installing and working with alert packs for more info). |
8 | The Version history tab displays the complete list of versions this content has had. |
9 | Through the Comments tab you can share your thoughts with your peers, as well as see theirs or even reply to them. |
10 | The Version shows the latest available, labeled as installed if your domain already has it. |
11 | Creator of that content. |
12 | The Required data sources section shows what data sources this content needs in order to show data once installed. Some of them are marked with an exclamation mark, which means they are mandatory and thus critical for the content to work correctly. Data sources are displayed in green only if they are available in your domain and contain data; otherwise they are displayed in red along with a warning box. For successful usage, installing content without at least the mandatory requirements in green is strongly discouraged. Be aware that this is an optional field which depends on the nature of the content and is specified by the owner when publishing it. |
13 | The Technologies involved with the use of this content. It will be shown when browsing by those technologies (we will see more about this in the sections below). |
14 | The Categories in which this specific content is included. It will be shown when browsing by those categories (we will see more about this in the sections below). |
15 | Share by copying link. You can send it to other people you think might be interested or use it to request that an admin install the content for you. When accessing the link, the recipient goes through the login and domain selection screens and finally lands on the open card. |
Identifying content types
There are several types of content, each of them presenting some specificities and fulfilling different purposes.
Activeboards: predefined Activeboards with a set of widgets and queries designed to show data to analyze specific contexts or use cases (more info here).
Alert packs: predefined sets of alerts, each to be installed individually for a needs-based usage, based on specific queries to warn you about anomalous situations in the context of specific use cases (more info here).
Applications: fully functional modules developed on top of Devo's Applications SDK (Software Development Kit) for a variety of purposes (more info here).
Content packs: sets of different components grouped together to address different aspects of a specific task or use case (more info here).
Lookups: predefined lookups designed to later enrich specific queries in the context of a given use case (more info here).
Synthetic data: data set designed to be injected into your domain to provide you with certain data you do not have. This can have a variety of uses (more info here).
Use cases: combinations of components designed to tackle specific situations, covering both data reception and usage (more info here).
Navigating through categories
In order to find what you are looking for, there are several ways of filtering content cards, and you can find them all at the top. There are five major categories and a number of filters that correspond to the technologies involved and the tags applied when published.
Discover
The default view when accessing Devo Exchange is Discover. In this view you can find:
Highlights: this is a dynamic section with looping content that displays a selection of what Devo recommends right now for all domains. This is useful for getting informed about specific events or valuable content.
Featured: this section displays the content Devo recommends for all domains. Additionally, it also recommends content suitable for your domain in terms of availability, that is, content with the required data sources available, ordered by relevance.
Trending: the most visited content.
Newest: the most recently added content.
Recently visited: you will see the latest content you have viewed. To consider content as viewed you must have clicked it to display it in full size with all the information.
All content
When you select All content you will see all available content ordered by relevance, which is calculated using an algorithm that considers several parameters such as correlation and classification to recommend the most relevant content to the target audience.
For you
When you select For you, you will see only the content with the data sources available for your specific domain. Remember that if the required data sources have not been made available in Devo, the content will not show any data when installed.
Mitre
When you select Mitre, you will see content designed to work with MITRE ATT&CK to classify and describe cyberattacks and intrusions. Mitre content in Exchange is based on the MITRE ATT&CK matrix and can be content packs, alert packs, and lookups.
Content packs correspond to tactics of the matrix and consist of several alert packs.
Alert packs correspond to techniques of the matrix and consist of several alerts, which correspond in turn to sub-techniques of the matrix.
Lookups are enrichments often required for the installation of certain alerts.
Only those items tagged with the Mitre label when published will be shown inside this category.
Use cases & data
When you select Use cases & data you will see a set of resources designed to help you with specific contexts and situations for which you might lack the necessary data. Note that this content is mostly intended for testing, demos, and training sessions.
Multitenant
This section appears in Exchange when your domain is part of a multitenant structure and is configured to see data from other tenants. It displays the content that is compatible with multitenant use, which means being specifically configured to show data across the enabled domains.
This becomes essential not only for successful data sharing and usage between the different tenants, but also for analysis of their interrelated data from a centralized place.
For example, in an Application or an Activeboard specifically designed for multitenancy, queries have been adapted to account for the domain providing the data. Furthermore, specific widgets have been included to deal with specific domain data, either individually or collectively.
Another example is the use of Alerts, which becomes pivotal in a multitenant structure. Queries are adapted to consider only the relevant data for each domain, ensuring seamless execution across all domains without manual interaction. Meanwhile, parent domains can see alerts in all their tenants and identify the specific tenant that registered each one.
Filtering and sorting content
In any of the categories except for Discover you can filter by type with the options that appear below the categories.
You can also change the sorting criteria at the top right (you can choose between the options shown in the picture below).
Searching content
You can use the search field at the top left to enter any string, which will be used to look for matches in any of the fields (name, content type, technology, category, etc.). Once you enter a string, you will be taken to a different screen displaying the results at the bottom and more filters to further narrow down your search.
You can also access this screen without using a string by clicking the View all contents option that appears after clicking inside the search box.
In this screen you can use the content type filters but you also have several dropdown menus to filter content using different criteria, such as category, technology, data source, tactic, or technique.
These menus are cumulative, which means that several options can be selected in each of them to find the items containing any of them, and can be combined to further narrow down your search. These filters are independent from the search box but can be combined with it to keep narrowing down your search.
To remove your selection and clear the searching criteria, you can use the X for the whole group or for each individual item.
After you use the search, the string used will be saved and will appear in the Recent searches below for later use. The last 5 searches will be recorded so that you can easily repeat them by clicking them.
As mentioned above, search and filters are independent, so restoring a recent search will not restore the filters applied during the search.
Identifying available updates
As content continually evolves and multiple updates are regularly published in Exchange, it's essential to be able to identify them easily. This allows you to make informed decisions about whether to apply the updates or not. Find more information about updates in this article and for each content type in this article.
A bubble on the notification icon at the top right informs you about the number of available updates. Clicking on this icon will reveal the specific items that can be updated, and will allow you to directly access them to review the details of the update and apply it if deemed necessary.
Once clicked for the first time, the bubble will disappear, but clicking the notification icon will still reveal the items that can be updated. Those items will remain visible until you update them or until you manually dismiss them individually or collectively.
You can also use the sorting criteria explained above to select the Update available option. Once selected, the content will be sorted, showing you in the first positions those that can be updated.