Navigating the application
The area you first see when you access the Security Operations application is the Overview Dashboard, which offers at-a-glance monitoring information. The green top bar at the top area includes 4 icons to navigate through the different areas of the application, explained in detail in the following articles.
You can also check the items you have chosen to be added to an investigation by clicking the paper clip icon at the top right corner, check and configure your alerts, lookups, and capabilities in the content manager, and configure the application settings by clicking the gear icon next to it.
The Security Operations application has three main purposes: alert triage, user investigations, and threat hunting. All these activities are summarized in the Overview Dashboard, which is the entrance point of the app.
These are the four different areas of the application:
- Overview Dashboard - This is the first area you see when you enter the application, and offers a general overview of the system condition through a series of default widgets.
- Triage - This area allows analysts to filter and pivot both alerts and investigations by different parameters (type, name, keywords...)
- Investigations - Create and manage investigations based on suspicious alerts and assign them to the required users.
- Threat Hunting - This area allows users to perform a global search in order to identify suspicious events.
Click this iconto access the Content manager, where you can check information about different resources related to your environment: alerts, lookups, and capabilities.
This area is divided into three main sections:
The top area of this window shows a series of informative graphs that inform users about the alerts and lookups in your environment. Each group of alerts shows the total number of alerts and the ones that are activated. Next to this, you can check the total percentage of activated alerts in a group.
In the capture below, the first graph represents the Secops alerts in our environment. Currently, we have a total of 135 alerts, and 101 of them are activated. This represents 74% of the total number of alerts, as we can see in the graph.
These are the different groups of alerts:
- Built-in alerts installed - Default alerts in the Security Operations application.
- Custom alerts installed - Custom alerts defined for a specific client.
- Active alerts - Active alerts in your system.
- Main lookups alerts - Lookups in the client domain.
- Multi-lookup alerts - Generic lookups in the Multilookups domain.
- Dynamic lookups alerts - Dynamic lookups generated in the Security Operations application.
Alerts installed, lookups and capabilities
On the middle area of the window, you'll find three different tabs:
Check the list of alerts installed in your SecOps environment.
- Activate or deactivate alerts by switching on / off the toggle at the left side of each alert.
- Remove an alert by clicking the Delete button on the right side of the alert.
You can also check these alerts in the Administration → Alert Configuration area of the Devo application.
Some of the alerts in this area may be marked with a star icon next to their name. This means that these alerts are custom alerts that have been defined specifically for a client and are not included in the default SecOps alert catalog.
As explained in this section, there are 3 types of lookups in the Security Operations application: main lookups, multi-lookups, and dynamic lookups. In this tab, you can check the lookups of each type that you have installed in your environment.
- Check the lookups that are installed in your environment (they will be marked with the word Installed). Lookups that are not installed are marked with the word Missing in red.
- Apart from the status, dynamic lookups also show the number of entries (shown in orange if there are few entries), its size, and its update date.
Capabilities are Flow contexts that relate SecOps data to other external systems and perform specific operations.
- Activate or deactivate capabilities by switching on / off the toggle at the left side of each capability.
- Check if they are loaded and running in the info next to their name.
These are all the available capabilities:
|Alert to Investigation||This capability converts specific alerts to new investigations automatically.|
|Alert Enrich||Activate this capability to enrich your system alerts.|
|Investigations to Cortex XSOAR||Activate this capability to create a case in the platform Cortex XSOAR every time you define a new investigation in SecOps. This capability must be configured in the Application settings section. Learn more below.|
|Investigations to Phantom||Send investigations to the Phantom platform. This capability must be configured in the Application settings section. Learn more below.|
|Entities||This capability allows the creation of entities in the system.|
|Send investigation to email||Send closed investigations to a specific email address or addresses.|
|Investigation retrospection||This capability performs an analysis to extract additional information related to an investigation.|
|User agent distance||This capability calculates the user-agent distance. You can use it to check differences between user agents that use a browser, or two users in the system entities.|
Alert filter and configurator
Finally, in the bottom area of this window, we have the Alerts Filters and Alerts Configurator sections. These sections appear at the bottom area no matter the tab in the above section we select. In the Alerts Filter, select the required filters and check the results in the Alerts Configuration area, where you can select any number of required alerts and install them.
Unlike the alerts that appear in the Alerts installed tab above, these alerts do not appear in the Administration → Alert Configuration area of the Devo application. These are default alerts defined in the SecOps application that can be installed by users in their domains in the Alerts Configuration area.
Below are the available filters in the Alerts Filter section. Select the required ones and click Filter to see the results.
|Installable alerts||Activate this toggle if you want to filter only installable alerts, or deactivate alerts to filter non-installable alerts.|
|Apply white listing||Toggle this switch if you want to consider white-listing alerts.|
|Priority||Choose the required alert priority(ies)|
|ATT&CK Tactic||Select the required Mitre ATT&CK tactics.|
|ATT&CK Technique||Select the required Mitre ATT&CK techniques.|
|Tables||Specify the source tables of the queries that define the filtered alerts.|
|Tags||Choose the required alert tags.|
In the Alerts Configurator section, you will see the alerts matching the filter criteria selected.
In this area, you can check any number of filtered alerts you need to install, and then click the Install alerts button that appears on the right side to install them. After installation, these alerts will appear in the Administration → Alert Configuration area of the Devo app.
Note that you'll only be able to install alerts that you filtered with the Installable alerts toggle activated. If you did not have the toggle activated, the alerts filtered will not be installable, and you will only be able to download their requirements in an Excel sheet.
Click this iconat the top right corner of the application to access the following groups of configuration options:
The Security Operations application is automatically enriched by different threat platforms to get the data required to analyze and label the alerts. However, if you have your own account on one of the available platforms, you can click it, switch off its Use default toggle and specify your URL to get data from your service.
Click Save to apply any modifications.
Configure the Cortex XSOAR and Phantom connection.
File artifact storage
Switch off the toggles if you want to specify the location where you want to store the files attached to investigations. Learn more in Investigations.
Click Save to apply any modifications.
The application resolves names using default DNS. Add server names here if you want to use custom DNS.
Click Save to apply any modifications.
This is a view of the location lookup used to resolve locations and geolocations from IP addresses.