Alerting system status
Let's say that you, as a management user, want to check the status of the Devo alerting system today.
Access the Security Operations application by clicking Applications → Security Operations in the Devo navigation pane. The first thing you see is the Overview Dashboard, where a collection of widgets with the most relevant and recent information is displayed. In the Most Critical & Not Triaged Alerts widget, at the top of the Alerts group, you can see that there are some alerts that have not been triaged. You can also check the activity of each entity in the Entities by Impact widget of the Analytics group.
To start working with the not triaged critical alerts, click the Critical button in the Most Critical & Not Triaged Alerts widget. In the window that appears, click Triage to apply the filter and access the Triage area of the application directly.
In the Triage area, you will see only critical alerts detected in the last 24 hours, ordered by criticality and date, and grouped by entities (IP address, host, user...). Alerts without entities appear at the end of the list. Triggered alerts always appear grouped.
A group of Power Shell Exec Bypass alerts is found, and we want to triage them. To do it, click the alert name to check the individual triggered alerts in that group. In the Alerts Timeline, we see that the alerts are related to the IP address 10.52.60.69, which phished and downloaded attack tools to compromise other systems.
We want to add these alerts to an investigation, so click the +Add (N Alerts and N Entities) to Investigation button at the top of the window. Then, click the Investigation list button at the top right, which is now enabled and displaying the number of objects added to the bucket and waiting to be included in an investigation. In the window that appears, keep the default option New investigation and click Create investigation.
You are redirected to the Investigations area, where you set the parameters for the new investigation (Name, Importance, Impact, MITRE Tactics, MITRE techniques, Details...). You can call the investigation RDP Infection Test. All the alerts assigned to the investigation can be seen under the Detections group of the Evidence area since Detection is the type of the alerts added. Click Save to create the investigation.
You may have noticed that the IP address 10.52.60.69 is causing some problems, so you can look for other alerts that may be related to that IP. To do this, go back to the Triage area, enter the IP address as a Keyword and select All in the Alert Priority field to check all the incidences related to the IP. Then, click Filter.
Before, the user filtered only Critical alerts, so now he finds other alerts related to the suspicious IP with another priority level. The filter returns an alert called New Domain Observed Client, which contains the previously detected suspicious IP as an entity, together with another one: 220.127.116.11.
After this discovery, we want to add this alert to the previously created investigation, so click the +Add to Investigation button. Then, click the Investigation list button at the top right, which is now enabled and displaying the number of objects added to the bucket and waiting to be included in an investigation. Switch the toggle to Add to investigation, select the investigation created before (RDP Infection Test) and click +Add to Investigation.
The investigation has now two different groups of alerts. The first group included alerts of the Detection type, and the new group has alerts of the Observation type (you can find these under the Observations group in the Evidence area of the investigation).
You can now go to the Entities and Associations sections to see all the different entities (IP addresses, hostnames, etc) of the alerts added, as well as the different relationships between them.
Finally, click Save to apply these modifications to the investigation, otherwise, the second alert added in the previous step will be lost.
Now that we know that the IP address 18.104.22.168 is related to suspicious events, go to the Hunting area to check events that contain that IP. Enter the table ids.bro.http as Target table, choose destHost as Filter key and enter 22.214.171.124 as Filter value.
Click Add to add the filter to the query, then click Filter to see the results that match the specified criteria.
Finally, add the results of the hunting to the investigation created before (RDP Test Infection). Click +Add to investigation and then click the Investigation list button at the top right, which is now enabled and displaying the number of objects added to the bucket and waiting to be included in an investigation. Switch the toggle to Add to investigation, select the investigation created before (RDP Infection Test) and click +Add to Investigation. Click Save to apply these modifications to the investigation, otherwise, the results of the hunting will be lost.