Alerts that match the criteria of the filters applied will appear at the top of the Triage area after clicking the Filter button. Filtered alerts are grouped by entities (IP addresses, users...) and ordered by priority and date.
After filtering alerts, users can perform the following actions:
Run an investigation from a filter
After applying a filter in the Triage area, you can create an investigation based on a group of suspicious alerts by clicking the Add to investigation button that appears at the top right corner of each group. All the alerts added to an investigation in this way will be stored in a bucket that you can access by clicking the paper clip icon at the top right of the application.
Note that the investigation will not be created until you click the paper clip icon, select the required elements, and define the required investigation. Learn more about this in the Investigations section.
Check the details of a group of alerts
After filtering alerts in the Triage area, the results can be individual alerts or groups of alerts that share entities; alerts are grouped to make analysis easier. For groups, the number shown in the lightning icon next to each group indicates how many alerts it contains.
To see more details about the alerts in a group, click the name of the group in the Description column. A window opens with a description in the top area and two further areas: Timeline (the view shown by default) and Associations (which you open by clicking the button at the top right corner).
When you open an alert in the Triage area by clicking its Description name, you are actually opening a group of alerts (the group may of course contain a single alert). Alerts are grouped by entities and by alert state. The state is UNREAD by default and changes to WATCHED when you select one alert of the group.
Note the difference between the state of the group and the state of each alert: if any alert in a group is UNREAD, the group is UNREAD as well. You can change the state of all the alerts in a group using the selector at the top right corner.
The top part of this area shows the entities related to the group of alerts, the type of alert (in the example above, Detection), the name of the alert (in the example, Power shell exec bypass), the table where the alert is defined, the corresponding MITRE techniques and tactics, the message and the description.
Next to the list of related entities, you have the Add to investigation button that you can use to add this group of alerts to a new or existing investigation.
You can also open the LINQ code of the alert by clicking the corresponding icon.
Click Run query at the bottom of the window to access the Hunting area.
The Timeline view contains three different areas:
- The timeline itself, which shows the evolution of the alerts during the last 24 hours. You can indicate a different time period using the selector at the top right part of the area to show the alerts in that period. Click the refresh button next to it to update the timeline. Also, you can check the Related checkbox to see other alerts related to these entities.
- The list of individual alerts that belong to this group. Click an alert to see its description on the right. Use the buttons at the bottom to choose the number of alerts to show and to navigate through the pages.
- The individual description of the alert, which shows the name of the alert, its criticality, the date when it was triggered, its message and description, the entities involved, and the alert state (unread, false positive, new, etc.). You can also check the extra data the alert contains.
You can find the Associations section in both alerts and investigations. Associations are relationships between entities, which are a basic concept in the Security Operations application. A background process collects all the IP addresses, hostnames, URLs, etc. from the available sources (these are the entities) and adds them to a multi-model database. When an entity is found for the first time, it has no associations with other entities. When it is found again, in the same source or in a different one, the system starts defining its relationships in the database. These relationships between entities can be checked in this area.
The processes that collect this information are called context flows, and they constantly execute queries against the union tables and also against the base tables. These flows are configured by Devo security experts when the Security Operations app is first installed on a new domain. Note that the initial loading of entities from the origin tables into the entities database takes some time, and the information is updated as new data arrives at the tables.
Entities are divided into two types, each with four properties: System (hostname, IP, location and URL) and User (name, email, domain and account). Entities have a relatively short TTL (time to live): one week for User-type entities and 24 hours for System-type entities. After this period, entities are deleted from the database and are no longer available in the application. However, if you access an entity, its TTL is extended for another 24 hours or another week, depending on its type.
When you click the Associations button in the description of an alerts group, you will see the associations of one of the group's entities, using the default query settings.
The graph in this area shows entities as nodes, and the relationships between them are represented with arrows. The nodes in the graph have different sizes depending on the impact. Hover over a node to see the following information:
| Field | Description |
| --- | --- |
| firstSeen | Date when the entity was first identified. |
| Impact | Magnitude value of the entity (1-100). |
| degree | The number of connections between the entity and related nodes, both incoming and outgoing. |
| ttl | Time to live: how long until the entity becomes invalid, counted from first seen and aged by last seen. |
| lastSeen | Last time the entity was detected. |
| Type | The type of the entity (system or user). |
There is a default query when you open the tab, and you can change the settings in the left section. These are the available visualization options of the graph, divided into two different tabs (Query filters and Graph visualization):
- Choose to display Incoming or Outgoing associations, or both.
- Set the number of nodes you want to show.
- Indicate the number of jumps.
- Filter by impact, applying the required operations to get the results you need.
The impact is a value calculated for each entity at the moment it is stored in the entities database. It is computed by an algorithm that also takes into account the number of connections the entity has. Values range from 1 to 100, where 100 is the highest impact and 1 the lowest. A high impact is something to take into account, as it makes the entity's behavior more critical. Nodes in the graph are bigger when their impact is higher.
Choose an entity type (system or user) and one of the available properties, enter a specific value to filter by in the text field, and click the Add button. Repeat this process to add as many values as required and apply all the specified filters.
Query to trigger
Check the query that will be triggered to represent the graph.
Organize the nodes in your graph according to their Impact or PCR (Producer-Consumer Ratio). Check the corresponding toggles to apply the required organization method.
Enter a source and a target entity in the From and To fields and click the Search button to highlight the shortest path between those elements in the graph. You can also indicate the source and target nodes by clicking them in the graph. You will find additional information about the highlighted path in the Path Info area.
Nodes that show a + icon have incoming or outgoing relationships that are hidden by default. You can show the node relationships by right-clicking the + icon, then selecting Expand Incoming or Expand Outgoing. Note that user-type entities have only outgoing relationships.
Under the graph, you can see a timeline where you can check the history of one or several entities. Use the keys under the timeline to navigate through it and see the evolution in the graph.
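To make the entity model described above concrete, here is an added example (not Devo's own code, and not how the Security Operations app is implemented internally) that models the behaviour the page describes: entities keyed by property and value, the two types with their 24-hour and one-week TTLs, TTL extension on access, associations that only appear once an entity has been seen before, degree as incoming plus outgoing connections, and the shortest path between two entities. The sample sightings, the source names, and the rule that co-occurrence in one record relates two known entities are assumptions made for the illustration.

```python
from collections import deque
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
# Retention per entity type as stated on the page: System 24 h, User one week.
TTL_BY_TYPE = {"system": 24 * HOUR, "user": timedelta(weeks=1)}
# Property -> entity type, following the page's two types with four properties each.
ENTITY_TYPE = {p: "system" for p in ("hostname", "ip", "location", "url")}
ENTITY_TYPE.update({p: "user" for p in ("name", "email", "domain", "account")})


class EntityStore:
    """Toy entity store: entities keyed by (property, value) plus directed edges."""

    def __init__(self):
        self.entities = {}  # (prop, value) -> {"type", "firstSeen", "lastSeen", "expiresAt", ...}
        self.edges = set()  # (src, dst) pairs, i.e. the arrows of the associations graph

    def observe(self, source, seen_at, sightings):
        """Ingest one record from a source. `sightings` is a list of (property, value)."""
        known_before = [key for key in sightings if key in self.entities]
        for prop, value in sightings:
            ttl = TTL_BY_TYPE[ENTITY_TYPE[prop]]
            ent = self.entities.setdefault(
                (prop, value),
                {"type": ENTITY_TYPE[prop], "firstSeen": seen_at, "lastSeen": seen_at,
                 "expiresAt": seen_at + ttl, "sources": set()},
            )
            ent["lastSeen"] = max(ent["lastSeen"], seen_at)
            ent["expiresAt"] = max(ent["expiresAt"], seen_at + ttl)  # TTL ages by last seen
            ent["sources"].add(source)
        # A first-time entity has no associations yet; relationships are defined once
        # already-known entities co-occur again (assumption: co-occurrence relates them).
        for src in known_before:
            for dst in known_before:
                # User-type entities only have outgoing relationships (never a target).
                if src != dst and self.entities[dst]["type"] != "user":
                    self.edges.add((src, dst))

    def degree(self, key):
        """Incoming plus outgoing connections, as shown in the node tooltip."""
        return sum(1 for s, d in self.edges if key in (s, d))

    def touch(self, key, now):
        """Accessing an entity extends its TTL for another full period of its type."""
        ent = self.entities[key]
        ent["expiresAt"] = now + TTL_BY_TYPE[ent["type"]]

    def ttl_remaining(self, key, now):
        return self.entities[key]["expiresAt"] - now

    def purge(self, now):
        """Drop expired entities and every edge that touches them; return the removed keys."""
        expired = {k for k, e in self.entities.items() if e["expiresAt"] <= now}
        for k in expired:
            del self.entities[k]
        self.edges = {(s, d) for s, d in self.edges if s not in expired and d not in expired}
        return expired

    def shortest_path(self, start, goal):
        """Breadth-first search following arrow direction; None when no path exists."""
        if start not in self.entities or goal not in self.entities:
            return None
        parents = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node == goal:
                path = []
                while node is not None:
                    path.append(node)
                    node = parents[node]
                return path[::-1]
            for s, d in self.edges:
                if s == node and d not in parents:
                    parents[d] = node
                    queue.append(d)
        return None


def build_sample_store():
    """Constructed sample sightings (not real data) that exercise the rules above."""
    t0 = datetime(2024, 1, 1, 0, 0)
    store = EntityStore()
    ip, url, acct = ("ip", "10.0.0.5"), ("url", "http://example.test/login"), ("account", "jdoe")
    store.observe("proxy", t0, [ip, url])            # first sightings: no edges yet
    store.observe("proxy", t0 + 1 * HOUR, [ip, url])  # both known: ip <-> url
    store.observe("auth", t0 + 2 * HOUR, [acct, ip])  # account is new: still no edge
    store.observe("auth", t0 + 3 * HOUR, [acct, ip])  # account -> ip (outgoing only)
    return store, t0


if __name__ == "__main__":
    store, t0 = build_sample_store()
    print(store.shortest_path(("account", "jdoe"), ("url", "http://example.test/login")))
```

Running the script prints the path account -> ip -> url; searching in the opposite direction returns None because a user-type entity never has an incoming arrow. Calling `purge` after the system entities' 24 hours have elapsed removes them together with their edges, while `touch` beforehand keeps an entity alive for another full period, mirroring the TTL extension the page describes.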
Increase the sighting count of an entity
The sighting count of an entity indicates the number of times that the entity has appeared in an investigation. A user can increase this count manually after filtering alerts. To do so, click the ? symbol next to the required entity in the top part of an alerts group. A window opens showing the number of times the entity has appeared in an investigation, as well as the first and last time it appeared. Click Submit to sighting now to increase the count by 1.
Note that this action cannot be undone.