Skip to main content

Devo’s product team is happy to present the latest version of our integrated EUBA, Behavior Analytics, to you! Devo Behavior Analytics 1.9 introduces a new step in the configuration process to allow for the definition of Whitlists.  This enables users to input the values for Users, Devices and Domains they want whitelisted during the creation process.  This new process is significantly improved by the ability to upload csv lists to your whitelists as well!

Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior!  Read more on our main page here.

 

Geo Availability

Region Status
CA Released
US Released
EU Released
APAC Released

 

Table of Contents

New Features

Whitelist functionality

Whitelisting is critically important for behavior analytics models to be able to remove well known or noisy entities from the detection and find the true threat lingers as changes in behavior.

The new Whitelist section looks like this:

Each section is further explained in this table:

Name Description
Users

Displays all the current users that are whitelisted from the current use cases. Additionally users can be entered manually in the textbox or uploaded via CSV.  Users are all direct match string values.

Example users:

Devices

Displays all the current devices are whitelisted from the current use cases.  Additionally, devices can be entered manually in the textbox or uploaded via CSV. Devices can be hostname, IP addresses, ranges of IP Addresses and CIDR Blocks.

Example devices

  • Hostname:  MacBookPro_0002
  • IP Address:  174.1.54.54
  • IP Address Range:  173.1.54.100-173.1.54.130
  • CIDR Block:  172.16.14.128/25
Domains

Displays all the current domains that are whitelisted from the current use cases. Additionally, domains can be entered manually in the textbox or uploaded via CSV. Domains are all direct match string values.

Example Domain:

  • poc.shadydealings.com

 

Note: User, Device, and Domain whitelists are included in each use case whether or not they are present in the use case.  If the use case does not include ones of entity types then a warning message like the one below is displayed:

Upload Whitelist CSV

The upload CSV section enables users to take a CSV they have from another tool or from lookups within Devo and upload them.  The upload section provides a couple of tools to make working CSVs easier.  

  • The CSV can be dropped in and previewed within the screen.  
  • If the right column is not selected then the user can utilize the “Values Column” drop down to select the correct column to be added to the whitelist.  Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV.    
  • The user can also specify whether the CSV has a header row or not, if specified the first row in the CSV file will be ignored when adding it to the whitelist.  
  • The last option is to add or replace the existing whitelist with the contents that are being uploaded, if add is selected then all the values will be appended to the whitelist, if replace is selected the entire whitelist will be overwritten by the uploaded values.

 

Haven’t tried Behavior Analytics yet? You should, it is part of the Devo Platform!  Let us know what you think below!

Be the first to reply!