Alerting system status
Let's imagine a management user wants to check the status of the Devo alerting system today.
The user accesses the Security Operations application by clicking Applications → Security Operations in the Devo navigation pane. The first thing the user sees is the Overview Dashboard, which shows that some alerts have not been triaged. This is immediately visible in the Most Critical & Not Triaged Alerts widget, at the top of the Alerts group. The user also checks the activity of each entity in the Entities by Impact widget of the Analytics group.
To start working with the critical alerts that have not been triaged, the user clicks the Critical button in the Most Critical & Not Triaged Alerts widget. In the window that appears, he clicks Triage to apply the filter and go directly to the Triage area of the application.
In the Triage area, the user will see only critical alerts detected in the last 24 hours, ordered by criticality and date, and grouped by entities (IP address, host, user...). Alerts without entities appear at the end of the list. Triggered alerts always appear grouped.
A group of Power Shell Exec Bypass alerts is found, and the user wants to triage them. To do so, he clicks the alert name to check the individual triggered alerts in that group. The Alerts Timeline shows that the alerts are related to the IP address 10.52.60.69, which was used to phish and to download attack tools to compromise other systems.
The user wants to add these alerts to an investigation, so he clicks the + button at the top of the window. In the window that appears, he keeps the default option New investigation and clicks Create investigation.
The user is redirected to the Investigations area, where he sets the parameters for the new investigation (Name, Importance, ATT&CK Behavior, Details...). He names the investigation RDP Infection Test. All the alerts assigned to the investigation are listed under the Detections group of the Evidence area, because the added alerts are of the Detection type. The user clicks Save to record the investigation.
The user has noticed that the IP address 10.52.60.69 is causing some problems, so he proceeds to look for other alerts that may be related to that IP. To do so, the user goes back to the Triage area, enters the IP address as a Keyword and selects All in the Alert Priority field to check all the incidents related to the IP. Then, he clicks Filter.
Because the user previously filtered only Critical alerts, he now finds other alerts related to the suspicious IP at other priority levels. The filter returns an alert called New Domain Observed Client, which has the previously detected suspicious IP as an entity, but also another one: 220.127.116.11.
The user wants to add this alert to the previously created investigation, so he clicks the + icon, switches the toggle to Add to investigation, and selects the investigation he created (RDP Name Investigation).
The investigation now has two different groups of alerts. The first group includes alerts of the Detection type, and the new group has alerts of the Observation type (you can find these under the Observations group in the Evidence area of the investigation).
The user can now go to the Entities and Associations sections to see all the different entities (IP addresses, hostnames, etc.) of the added alerts, as well as the relationships between them.
Finally, the user clicks Save to save any modification in the investigation.
Now that the user knows that the IP address 18.104.22.168 is related to suspicious events, he goes to the Hunting area to check events that contain that IP. To do so, the user enters the table ids.bro.http as Target table, chooses destHost as Filter key and enters 22.214.171.124 as Filter value.
He clicks Add to add the filter to the query, then clicks Filter to see the results that match the specified criteria.
Finally, the user adds the hunting results to the investigation he created before (RDP Name Investigation). He clicks Add to investigation, switches the toggle to Add to investigation and selects the required investigation from the list. To complete the process, he clicks Add to investigation.