Installing the Security Insights application
To enable the Security Insights application in a domain and let users work with it, an Admin user must follow these procedures.
The Security Insights application displays information from the firewall logs stored in the firewall.all.traffic table, so the main requisite is having the logs you want to use in this table. This union table automatically gathers the logs coming from every firewall, whatever its type, so any firewall integrated in Devo will work with the Security Insights application. You can see the firewall types supported by Devo here. If your firewall is not integrated in Devo, please contact the Devo support team.
The application also uses logs from the web.all.access table (a union table populated with logs from any web server) and IDS logs from Suricata and Bro IDS servers. You don't need to have logs in these tables, but note that the data of any web server integrated in Devo and included in these tables will be available in the Security Insights application.
Upload the installation lookup file
Devo is already pre-configured with a series of lookup tables needed to make the Security Insights application work. However, there is one lookup table that must be uploaded by an Admin user before using the application.
Click here to download the .csv file you need to upload as a lookup table. The AlertDescription file gathers all the alerts (tier 1 and tier 2) set by default by Devo, including their descriptions, parameters, priorities and weights. You can configure the file according to your needs, adding new alerts or modifying the priorities and weights of the default ones. Learn how to do it in the sections below.
Define the alerts
Two different sets of alerts specifically designed for this application must be defined in Devo so that Admin users receive a notification when the number of threats exceeds the limits. They complement the information offered by the app and allow Admin users to react and solve the situation.
These alerts must be defined by an advanced Admin user, or preferably by a Presales or Sales Devo consultant. See the complete alert list and learn more in Required alerts.
Edit the alerts
Once the lookup file is uploaded and the default set of alerts is installed, you can edit the AlertDescription lookup file to set different priorities and weights for the existing alerts. Note that this configuration affects some of the Overview tab widgets, including the trends and the general threat level widget.
To edit the lookup file go to Data Search → Lookup Management, then select the ellipsis icon in the AlertDescription row and click Edit lookup.
You can edit the following parameters:
- Priority (1 being the highest and 5 being the lowest), depending on the priority you want to assign to the alert. It is recommended to give the highest priorities to tier 2 alerts (alerts over alerts, which start with SecIntMulti).
- Weight (10 being the lowest and 50 being the highest), to select the importance of a specific alert over the rest.
- Limit, set to 100 by default. You can also edit it, but it is not recommended.
Finish editing by clicking Save Changes and wait a few seconds for the lookup to be updated.
We recommend editing only the priority and weight according to your needs, and leaving the rest of the fields at their default values.
Create custom alerts
Apart from the alerts offered by default, you can create your own custom alerts to be used in the application. To do it:
- Open the firewall.all.traffic, web.all.access or proxy.all.traffic table, then select New Alert Definition on the query toolbar.
- Name the alert SecInt... to set a tier 1 alert and MultiSecInt... to create a tier 2 alert. Before naming a tier 2 alert, check the exact prefix used by the default tier 2 alerts in the AlertDescription lookup and use the same one: the application picks alerts up by name, so a mismatched prefix silently leaves the alert out.
- Once the alert is created, edit the AlertDescription lookup as explained above. Add a new row with the values of the alert: name, description and message. Select a priority and a weight for the new alert, and set the last two fields as in the rest of the alerts. Click Save Changes to finish and wait a few seconds for the lookup to be updated.
It is possible to create alerts based on any other table. The only condition for them to be included in Security Insights is that they are named correctly.
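As an added example (not Devo's code and not the real AlertDescription file), the following Python checker parses an AlertDescription-style lookup and flags rows that break the rules described in the two sections above before you upload it: a name without the tier 1 or tier 2 prefix, a priority outside 1 to 5, a weight outside 10 to 50, or a limit changed from 100. It also lists tier 2 alerts that a tier 1 alert outranks, since the page recommends giving tier 2 alerts the highest priorities. The sample rows, the trailing "enabled" column (the page names only name, description, message, priority, weight and limit) and the tier 2 prefix spelling (the page uses both SecIntMulti and MultiSecInt, so it is a parameter) are assumptions.

```python
import csv
import io

# Constructed sample of an AlertDescription-style lookup; it is not Devo's real
# file. The page names the columns name, description, message, priority, weight
# and limit; the trailing "enabled" column and every row here are assumptions.
SAMPLE_CSV = """name,description,message,priority,weight,limit,enabled
SecIntPortScan,Port scan from a single source,Port scan detected,3,20,100,true
SecIntMultiRepeatOffender,Several tier 1 alerts on one host,Repeated alerts on a host,1,50,100,true
SecIntMultiLowPriority,Tier 2 alert left at a low priority,Check this alert,4,40,100,true
SecIntBadRanges,Priority and weight out of range,Check this alert,6,70,100,true
SecIntRaisedLimit,Limit changed from the default,Check this alert,2,30,250,true
BruteForceSsh,Custom alert without the SecInt prefix,Ignored by the app,2,30,100,true
"""

TIER1_PREFIX = "SecInt"
# The page spells the tier 2 prefix both "SecIntMulti" and "MultiSecInt";
# pass the spelling your default tier 2 alerts actually use.
DEFAULT_TIER2_PREFIX = "SecIntMulti"
DEFAULT_LIMIT = 100


def parse_lookup(text):
    """Parse lookup CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(name, tier2_prefix=DEFAULT_TIER2_PREFIX):
    """Return 'tier2', 'tier1' or None for an alert name. Tier 2 is tested
    first because its prefix may itself begin with the tier 1 prefix."""
    if name.startswith(tier2_prefix):
        return "tier2"
    if name.startswith(TIER1_PREFIX):
        return "tier1"
    return None


def validate_lookup(rows, tier2_prefix=DEFAULT_TIER2_PREFIX):
    """Return (alert name, problem) pairs for rows that break the rules on the
    page: tier prefix present, priority 1-5, weight 10-50, limit left at 100."""
    problems = []
    for row in rows:
        name = row["name"].strip()
        if classify(name, tier2_prefix) is None:
            problems.append((name, "no tier 1 or tier 2 prefix; the app will ignore it"))
        try:
            priority, weight, limit = (int(row[k]) for k in ("priority", "weight", "limit"))
        except (KeyError, TypeError, ValueError):
            problems.append((name, "priority, weight and limit must all be integers"))
            continue
        if not 1 <= priority <= 5:
            problems.append((name, f"priority {priority} outside 1 (highest) to 5 (lowest)"))
        if not 10 <= weight <= 50:
            problems.append((name, f"weight {weight} outside 10 (lowest) to 50 (highest)"))
        if limit != DEFAULT_LIMIT:
            problems.append((name, f"limit {limit} changed from the default {DEFAULT_LIMIT} (not recommended)"))
    return problems


def tier2_outranked(rows, tier2_prefix=DEFAULT_TIER2_PREFIX):
    """Names of tier 2 alerts whose priority number is worse (larger) than the
    best tier 1 priority. The page recommends giving tier 2 alerts the highest
    priorities, so these rows deserve a second look."""
    by_tier = {"tier1": [], "tier2": []}
    for row in rows:
        name = row["name"].strip()
        tier = classify(name, tier2_prefix)
        if tier and row["priority"].strip().isdigit():
            by_tier[tier].append((name, int(row["priority"])))
    if not by_tier["tier1"]:
        return []
    best_tier1 = min(p for _, p in by_tier["tier1"])
    return [name for name, p in by_tier["tier2"] if p > best_tier1]


if __name__ == "__main__":
    lookup = parse_lookup(SAMPLE_CSV)
    for name, problem in validate_lookup(lookup):
        print(f"{name}: {problem}")
    for name in tier2_outranked(lookup):
        print(f"{name}: tier 2 alert outranked by a tier 1 alert")
```

Run it against your own exported lookup by replacing SAMPLE_CSV with the file contents; any row it reports is one the application will either ignore or weight in a way the page advises against, so fix those rows before clicking Save Changes.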
Activate the application
The next step is activating the Security Insights application in the domain. To do it, select Administration → Applications Gallery in the navigation pane and choose Security Insights. Select the Inactive option under the application to turn it to Active.
Grant users in a role access to the application
After installing and activating the application, an Admin user must give the required roles access to the application. You can learn more about roles and how to manage them in Users and roles.
Even the Admin role does not have access to the application by default, so you must also follow these steps for that role.
- Go to Administration → Roles.
- Select the role you want to give access to the application in the left panel.
- Open the Applications tab, select Security Insights in the box on the left and move it to the box on the right using the arrow icons.
- Click Apply changes.
From now on, users who belong to the selected role can access the application by selecting Applications in the navigation pane and then clicking Security Insights. Note that the application will not show data until the beginning of the next day, since most of the queries it uses start at the first hour of the day.