Installing Security Insights
Some configuration tasks need to be carried out before you can activate Security Insights in your Devo domain.
Before you begin
Security Insights draws principally upon data stored in the firewall.all.traffic table to generate its insights, so your domain must have this table in order to use the application. This is a union table, which means that it combines the data from all firewalls that are sending data to Devo, regardless of their brand. Devo is already equipped to support several firewall types, but if your firewall is not among them, please contact the Devo support team.
The application also draws some data from the web.all.access, ids.suricata.*, ids.bro.*, proxy.all.access and box.win data tables, but these are not absolutely necessary. If you have any or all of these tables, the application will simply provide additional insights and some more powerful alerts.
The installation procedure is composed of three mandatory steps, and an optional one:
- Set up the security alerts
- Grant users/roles access to the application
- Activate the application
- Customize the application tabs
Set up the security alerts
Devo has defined a series of alerts related to network security that are meant to feed the Security Insights application and help security operations teams recognize and respond to vulnerabilities and threats. These alerts must be defined in your Devo domain manually. Note that the current version of the application is still in beta phase; future versions will allow users to install the alerts automatically, as well as definying new custom ones.
Carefully follow the detailed instructions provided in the Security alerts article to set up the alerts that you need.
We strongly recommend that only advanced Admin users or members of the Devo professional services team set up these alerts.
Tune alert priorities
Each of the alerts in the set offered by Devo has a default priority assigned. The Devo security team has carefully considered the priorities for each alert, but you can customize them if required.
To do this, you must create a .csv file named alertPrioritiesCustom.csv including the name of the required alert(s) and the new priorities to be set. You must upload this file as a lookup table in the Devo domain where the Security Insights application is installed. Add one line for each alert to be modified.
For example, this is the format of the .csv file you need to update to set the alert secIntAnonymousConnection priority to 4, and the SecIntPortIntoURL priority to 2. Click here to download it and use it as a template.
| alertName, priority |
| secIntAnonymousConnection, 4 |
| SecIntPortIntoURL, 2 |
See Upload a lookup table to learn how to upload a lookup table to Devo.
Activate the application
Now you can activate the Security Insights application in your domain. Go to Administration → Applications Gallery. Locate the tile for the Security Insights application and click Inactive to change the application status to Active.
Note that the application will not populate data until the beginning of the following day, since most of the queries it uses start on the first hour of the day.
Grant users/roles access to the application
After installing and activating the application, an Admin user needs to edit role permissions in order to grant domain users access to the application. Learn more about managing roles in Users and roles.
- Go to Administration → Roles.
- Select the Admin role, then click the Applications tab.
- Move Security Insights to the list of selected application on the right side. Click Apply changes.
Repeat this for all other roles that should have access to the application. When a user's role has permissions for Security Insights, it will appear in the Applications menu in the navigation pane.
Customize the application tabs
By default, the application is composed of 9 different tabs (Overview, Threats, Network, DNS, Firewall, Proxy, Access, Web and IDS), but Admin users can specify which tabs to display, and deactivate those ones that are not needed for the users' activity. For example, if your domain has not IDS sources, the IDS tab can be deactivated.
The process is similar to the priority customization one. You must create a .csv file named tabsCustom.csv including the name of the tab(s) to be deactivated, followed by false. You must upload this file as a lookup table in the Devo domain where the Security Insights application is installed. Add one line for each tab to be modified.
For example, this is the format of the .csv file you need to hide the IDS and Proxy tabs. Click here to download it and use it as a template.
| tab, enabled |
| ids, false |
| proxy, false |
See Upload a lookup table to learn how to upload a lookup table to Devo.