Installing Security Insights
This article describes the three steps required to install Security Insights. However, you may want to carry out some custom configuration tasks before making the application available to your domain users in step 3 below. Check out Configuring Security Insights for more details.
Security Insights draws principally upon data stored in the firewall.all.traffic table to generate its insights, so your domain must have this table in order to use the application. This is a union table, which means that it combines the data from all firewalls that are sending data to Devo, regardless of their brand. Devo is already equipped to support several firewall types, but if your firewall is not among them, please contact the Devo support team.
The application also draws some data from the web.all.access, ids.suricata.*, ids.bro.*, proxy.all.access and box.win data tables, but these are not absolutely necessary. If you have any or all of these tables, the application will simply provide additional insights and some more powerful alerts.
Step 1: Set up the security alerts
Devo has defined a series of alerts related to network security that are meant to feed the Security Insights application and help security operations teams recognize and respond to vulnerabilities and threats.
These alerts will be defined in your Devo domain manually by the Devo security experts. The alerts based on the firewall.all.traffic table are mandatory, while the rest of the alerts will be installed only if the data tables they are based on are available in the domain.
Future versions of the application will support the automatic installation of the alerts.
Step 2: Activate the application
Now you can activate the Security Insights application in your domain. Go to Administration → Applications Gallery. Locate the tile for the Security Insights application and click Inactive to change the application status to Active.
Note that the application will not populate data until the beginning of the following day, since most of the queries it uses start at the first hour of the day.
Step 3: Grant users/roles access to the application
After installing and activating the application, an Admin user needs to edit role permissions in order to grant domain users access to the application. Learn more about managing roles in Users and roles.
- Go to Administration → Roles.
- Select the Admin role, then click the Applications tab.
- Move Security Insights to the list of selected applications on the right side. Click Apply changes.
Repeat this for all other roles that should have access to the application. When a user's role has permissions for Security Insights, the application appears in the Applications menu in their navigation pane.