Popular Updates


Devo Exchange 2.0

Welcome everyone to the grand unveiling of Devo Exchange 2.0! We have some massive updates to the Exchange marketplace, including a new section for Multi-tenant content, a completely revamped search engine that lets you hunt for individual alerts, and a redesign of Alert Packs that gives you even more flexibility and visibility into a pack's contents. The road to version 2.0 also brought tons of other improvements, including major performance gains, enhanced access control, and improvements to the alert management tool, the MITRE ATT&CK Adviser!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

Search 2.0
This massive undertaking brings a host of new features to help you find content quickly in the expanded marketplace. In detail:

Recent Searches
Recent Searches keeps the last 5 searches you performed, so commonly used content is quick to find again. You can also clear any individual search entry. Full-match or partial-match strings: the search will find anything.

Full Search with new Category Filters
You can now filter your search results by sources, tactics and techniques. Along with these filters, we have improved all parameters of the search engine as well as the order in which results are presented. The search filters are also additive: for example, if you want to find alert packs whose alerts cover several different tactics, you can add each of those tactics to the filters.

Search inside Packaged Content
In a past release we enabled the installation of any individual item of content within an Alert Pack. With Search 2.0 you can search for any alert inside alert packs by name or partial name. Searching for “O365” shows all the alert packs that contain alerts with this string in the name. When you enter the pack, the alerts matching the search string are highlighted and moved to the top. Priority and sources have also been added as additional information inside pack content on Devo Exchange. This helps power the new search filters and adds context for faster decision making!

Alert Pack Redesign
Alert packs now show Priority and Source information for each alert inside the pack, as described above. We also have a new counter on the top right showing how many alerts in the Alert Pack you have installed.

Multi-Tenant Content
All OOTB content in Devo Exchange has been updated to be Multi-tenant capable. This includes all 119 Alert Packs and more than 500 Alerts! We are currently working on Activeboards and Applications to give them this new capability. The User Tracking Activeboard joins the MITRE ATT&CK Adviser application in Multi-Tenant capabilities. If your domain is the parent domain of a Multi-Tenant structure, you will see a new category filter on the Exchange homepage. Applications and Activeboards will have domain selectors for you to manage the information displayed.

Related products: Devo Exchange

Devo Collector Catalog Update for June

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting, but they will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
Qualys FIM v1.0.1 (documentation will be available soon)
Google Workspace for BigQuery v1.0.0 (documentation will be available soon)

Updated Collectors (full documentation for each is in our Docs)
Github v2.3.0
CyberReason v1.4.0
Proofpoint CASB v1.1.0
Snowflake v1.2.0
MimeCast v1.2.0
CrowdStrike API Resources v1.7.0
Cortex XDR v1.3.0
SpyCloud v1.1.0
Office365 Exchange Reports v0.4.1-beta
Netskope API V2 v1.1.0
Wiz v1.6.2
AWS v1.10.0

Related products: Devo Integrations

Devo Platform 8.10.8

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.8 adds a new type of alert to your growing toolkit. Inactivity Alerts help you detect when normal activities, such as ingestion, stop working, among other use cases. This is a great tool to keep the information flowing and to be notified immediately when possible issues occur. They are also available in the Alerts API! Along with the new alert, the team has added new API audit features, as well as our continued work to deliver best-in-class performance to you, our customers! Start using the new alert, and make use of those audit logs today!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

New Inactivity Alert is available
This new alert type follows the same principles as the Several and Low alerts: an alert type that counts events during a period of time. Here is how all three differ:

Low Alert: fires when, after a rolling time period, the counter of the selected events (query) has not exceeded a specific threshold.
Several Alert: fires when, within a rolling time period, any of the current period counters (query + current period key values) exceeds a specific threshold.
Inactivity Alert: fires when, after a rolling time period, any of the previous period counters (query + previous period key values) has not exceeded the 0 threshold (that is, has been equal to 0); in other words, when any of the counters had no events. A separate alert is triggered for each counter without events.

If you want an alert that notifies you when a collector has stopped ingesting for a period of time, Inactivity Alerts are the solution! Inactivity alerts are also available in the Alerts API. Learn more about Inactivity Alerts and all their parameters on our Docs page!

Updated Feature

API key “Read” and “Delete” operations added to audit logs
API Key audit logs have been improved by adding “read” and “delete” operations to the audit table devo.internal.audit.logs. Actions for all users are recorded. The API key itself is logged in obfuscated form.

Token “Read” operation added to audit logs
Audit actions have been improved by adding the “read” operation to the audit table devo.internal.audit.logs. Actions for all users are recorded. The token is logged in obfuscated form.
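The three counter semantics described above, modelled as an added Python example (this is an illustration, not Devo's implementation). The ingestion events, collector keys, evaluation time NOW and PERIOD are constructed for the demo, and the Inactivity rule is my reading of the note: keys seen in the previous period whose counter in the period that just ended is 0.

```python
"""Toy model of the Low, Several and Inactivity counting alerts (added example,
not Devo's code). Events, keys, NOW and PERIOD are constructed for the demo."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed ingestion events: (timestamp, collector key), one per ingested batch.
SAMPLE_EVENTS = [
    (datetime(2024, 6, 1, 10, 0), "aws"),
    (datetime(2024, 6, 1, 10, 5), "okta"),
    (datetime(2024, 6, 1, 10, 7), "aws"),      # last event ever seen from "aws"
    (datetime(2024, 6, 1, 10, 20), "okta"),
    (datetime(2024, 6, 1, 10, 40), "okta"),
    (datetime(2024, 6, 1, 10, 41), "okta"),
    (datetime(2024, 6, 1, 11, 10), "okta"),
    (datetime(2024, 6, 1, 11, 30), "okta"),
]
NOW = datetime(2024, 6, 1, 11, 40)    # evaluation time: a rolling period just ended
PERIOD = timedelta(hours=1)


def count_in_period(events, start, end, by_key):
    """Count events with start <= ts < end; per key if by_key, else one counter '*'."""
    counts = Counter()
    for ts, key in events:
        if start <= ts < end:
            counts[key if by_key else "*"] += 1
    return counts


def low_alert(events, now, period, threshold):
    """Low: after the period, the single query counter has NOT exceeded the threshold."""
    total = count_in_period(events, now - period, now, by_key=False)["*"]
    return total <= threshold


def several_alert(events, now, period, threshold):
    """Several: within the period, a current-period key counter exceeds the threshold.
    Returns the keys that fire (one alert per key)."""
    counts = count_in_period(events, now - period, now, by_key=True)
    return sorted(k for k, n in counts.items() if n > threshold)


def inactivity_alert(events, now, period):
    """Inactivity: keys that had events in the previous period but a counter of 0 in
    the period that just ended. One alert per silent key."""
    previous = count_in_period(events, now - 2 * period, now - period, by_key=True)
    current = count_in_period(events, now - period, now, by_key=True)
    return sorted(k for k in previous if current[k] == 0)


def run_demo():
    """Evaluate all three alert types at NOW over SAMPLE_EVENTS."""
    return {
        "low_threshold_5": low_alert(SAMPLE_EVENTS, NOW, PERIOD, threshold=5),
        "several_threshold_3": several_alert(SAMPLE_EVENTS, NOW, PERIOD, threshold=3),
        "inactivity": inactivity_alert(SAMPLE_EVENTS, NOW, PERIOD),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the sample, "aws" was active in the 09:40–10:40 period and silent in 10:40–11:40, so only it raises the Inactivity alert, while "okta" trips the Several alert with 4 events against a threshold of 3.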

Related products: Devo Platform

Devo SOAR M124 & M125 released

The Devo team has released the latest version of Devo SOAR! This product update combines two releases, M124 and M125. In these updates we have added 4 new JSON operators, 3 new integrations, updated integrations with new capabilities, as well as bug fixes and enhancements. SOAR Automation is a key feature of Devo Intelligent SIEM, allowing you to automate a large number of daily tasks and giving you back essential time to perform key investigations and hunts. First time with Devo SOAR? We have tutorials on the community to help you get started, as well as the rich Devo SOAR Documentation portal. Devo SOAR also has a guided playbook builder to interactively create no-code automations!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

5 New JSON Operations
We are happy to introduce 5 new JSON Operations for use in SOAR Playbooks:
addFieldInJSON
extractFieldInJSON
removeFieldInJSON
replaceFieldInJSON
parseJson

New Integrations added
KnowBe4 is the world’s largest integrated platform for security awareness training combined with simulated phishing attacks.
Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero-trust principles to protect data.
Cyberark EPM provides holistic endpoint protection to secure all endpoints and enforce least privilege without disrupting business.

Updated Features

Enhancements
Run action node when explicitly requested in the playbook.
Updated the Download URL action in the File Tools integration to support custom headers while downloading.
Trend Micro Workload Security integration has added 6 new actions: List Scheduled Task, Create Scheduled Task, Describe Scheduled Task, Modify Scheduled Task, Delete Scheduled Task, Search Scheduled Task.
Removed Assistance mode functionality.
Shodan integration has added 17 new actions based on on-demand scanning and network alerts.

Bug Fixes
The dynamic recipient field was not working when the form was added to a case. This is now fixed.
Page number information was lost when opening the batch detail page and returning to the batch listing page. This is now fixed.
Missing Jinja support for hostname in the Send Events action of the Devo integration. This is now fixed.
Issue with the default limit in the Search IOCs action of the CrowdStrike Falcon Host (OAuth Based) integration. This is now fixed.
Timestamp type-based timezone had rendering issues in easy mode. This is now fixed.

Related products: Devo SOAR

Devo Exchange 1.9

Hello everyone, the Exchange team has a new update for you with tons of great improvements, and Release 1.9 is no different! In this release, a new notification system has been implemented to let you know when an update is available for your installed OOTB content. Along with this new system, there is a new filter in All Content that lets you see all the installed content with an available update, a new audit table, and updated navigation. We’ve also improved performance for all users, with those on slower connections benefiting the most! Don’t forget to visit the new Resources Portal, a single page for all your customer resources!

New Features

Update Notifications
Devo Exchange now has a notification center to let you know when you have updates available for your installed Out-Of-The-Box content. Located at the top right of Devo Exchange, it lets you view individual notifications, jump to the content, or clear notifications. You can delete notifications individually or delete all notifications at once.

New Filter for All Content: “Update Available”
Open Devo Exchange and switch the primary filter from Discover to All Content; on the right you can now sort by Update Available! This filter orders content by Update Available first, then by relevance. You can quickly review all the updates to installed content from one place!

New audit table added
All audit information for Devo Exchange in each domain is sent to this new table: devo.internal.audit.logs. View and discover user navigation, content installs, and other statistics for your users.

Updated Navigation
To improve the navigation experience, installed content opened from Devo Exchange now launches in a new tab. This applies to activeboards, apps, lookups and alert sections. This way you can always return to where you were in Exchange, or continue to work in the launched resource in the new tab.

Additional Updates

Improved performance
Compression has been implemented when loading items in Exchange. Users with fast connections will see some improvement in speed, while users with slower connections will see a massive speed increase when loading Exchange content.

Related products: Devo Exchange

Parser Catalog Update: May

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers (each links to its documentation unless noted)
dmp.cohesity
mail.all.threats (documentation in progress)
waf.kemp

Updated Parsers (each links to its documentation)
proxy.zscaler
cloud.office365
box.win_nxlog
cloud.azure
firewall.juniper
edr.all.threats
casb.netskope
firewall.cisco
sig.cisco
dhcp.all

Related products: Devo Integrations

Collector Catalog Update for May

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting, but they will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors (each links to its documentation)
Colortokens xshield v1.0.0
Airlock Digital v1.0.0
Vectra 365

Updated Collectors (each links to its documentation unless noted)
Microsoft Azure v2.0.0-beta6 (beta collector; the documentation will be available as soon as it is out of beta)
Crowdstrike API resources v1.6.0
Cisco Meraki v1.6.0
Cyberark Identify v1.1.3
Salesforce v2.3.0
Qualys V2.1.0
Microsoft Graph v2.0.0
Tenable.IO v1.4.0
Taxii v1.1.0
Proofpoint on Demand v1.0.1
Office 365 Management 1.0.0 (this collector was rebuilt from the ground up; documentation is available)
Google Cloud Platform v1.6.0

Related products: Devo Integrations

Devo Platform Release 8.10.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.0 brings the new Scheduled Tasks functionality, a new complex type operation for Data Search, and a collection of UI and performance improvements. Scheduled Tasks let you set the periodic execution of a query at the time, date, and frequency of your choosing. Admins get this feature by default and can grant access to other users through roles and permissions. The new complex type operation is the tuple, which works like an array except that it does not convert its contents to the same type. Lastly, this update contains UI improvements and performance enhancements that you are going to love!

Availability: CA Released, US Released, EU Released, APAC Released

New Features

Scheduled Tasks
The first release of Scheduled Tasks is now available for all Devo users! This new feature lets you schedule the periodic execution of a query, with the query results automatically sent to defined email addresses as CSV files. The feature is enabled by default for Admin users, who can then grant it to users of their choosing through the right roles and permissions. You will find the permissions under Admin → Resources → Scheduled Tasks.

Scheduled Tasks can be created with the following intervals:
Daily: at a specific time of day.
Weekly: on specified days of the week, at a specific time of day.
Monthly: on specified days of the month, at a specific time of day.
Yearly: on specified months of the year, on specified days of each month, at a specific time of day.

You can also set the query execution time period with two possible choices:
Predefined Range (“Yesterday”, “Last 7 days”, ...)
Custom Range period (“From”, “To”) using the Query API date syntax

Get all the details of Scheduled Tasks in our Documentation.

Data Search: New Complex Type operation added
The “tuple” complex type operation is now available for use! A tuple is a collection of ordered elements of any type (repeated or not). The difference between an array and a tuple lies in the fact that in an array all the elements are internally converted to the same type, while in a tuple they are not (each tuple element retains its own type).

Operation | Meaning | Syntax
mktuple or () | Creates a tuple from elements | mktuple(ele_1, …, ele_n) or (ele_1, …, ele_n)
at or [] | Returns the n-th element in a tuple | at(tuple, n) or tuple[n]
at0 | Returns the first element in a tuple | at0(tuple)
at1 | Returns the second element in a tuple | at1(tuple)
atend | Returns the last element in a tuple | atend(tuple)
add (+) | Concatenates two tuples | add(tuple_1, tuple_2) or tuple_1 + tuple_2

Additionally, you can use this complex type operation in Alerts and Lookups as well. Here is a great example of the new complex type in use:

```
from siem.logtrust.web.activity
// create a tuple with multiple types
select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
select (username, srcPort, ip4(srcHost), true) as tuple2
// some ways to select the first item from a tuple
select tuple[0] as first_item_from_tuple
select at(tuple, 0) as first_item_from_tuple2
select at0(tuple) as first_item_from_tuple3
// retrieve the last item from a tuple
select atend(tuple) as last_item_from_tuple
// concatenate two tuples
select tuple + tuple2 as tuple_concatenation
// it is possible to filter each item by its underlying data type
where tuple[0] -> "@"
where tuple[1] not in (ip4(95.63.39.51))
where atend(tuple) is true
```

Lookups with CIDR as key first release
As part of a multi-step release of this functionality, Lookups now recognize 3 new key types:
ipv6
net4
net6

Nested Annotations for Alerts
You are now able to reply to existing annotations in Alerts, as well as edit and delete your own annotations. View the detailed options in our Documentation.

New Auditing Table for Alert Annotations
The devo.audit.alert.triggered table was added to audit actions concerning annotations. View the details of the new table in our Documentation.

New Rolling And Each Alerts with Subqueries parameter limits
A restriction has been implemented for rolling-type alerts and each-type alerts with subqueries. This is done to prevent excessively frequent queries over short periods of time. A maximum ratio of 120 is enforced between period and frequency. For example, for Each Alerts with Subqueries:
Valid ratio → external offset 1m, internal period 2h (= 120m) → 120/1 → 120
Valid ratio → external offset 2h, internal period 5d (= 120h) → 120/2 → 60
Invalid ratio → external offset 1m, internal period 3h (= 180m) → 180/1 → 180

See the full description and examples for Each Alerts with Subqueries in our Documentation. See the full description and examples for Rolling Alerts with Subqueries in our Documentation.

New information included in Alerts Details window
The Alert details window in the triggered Alerts area now shows the timezone, as well as the specific settings corresponding to the triggering method used, when configured.

Additional Improvements
Improved messaging in Data Search
Adjusted spacing in the Roles page UI
Alerts Filter by Name enhanced with a multi-selection dropdown containing all available options
Adjusted text boxes and descriptions in the Roles Mapping UI
Redesigned the message shown when a filter returns no results in the Roles Mapping UI
Flow now accepts HTTP codes greater than 599
Performance improvements
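An added check of the period/frequency ratio rule for alerts with subqueries (illustrative Python, not Devo's validation code). The duration suffixes m, h and d follow the examples in the note; the function names are mine.

```python
"""Validate the 120 period/frequency ratio limit for Rolling and Each alerts with
subqueries (added example, not Devo's code). Durations use the m/h/d suffixes
seen in the release notes; the helper names are assumptions."""
import re

MAX_RATIO = 120
_UNIT_MINUTES = {"m": 1, "h": 60, "d": 24 * 60}


def to_minutes(duration):
    """Parse a duration such as '1m', '2h' or '5d' into whole minutes."""
    m = re.fullmatch(r"\s*(\d+)\s*([mhd])\s*", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def subquery_ratio(external_offset, internal_period):
    """Ratio between the internal period and the external offset (period / frequency)."""
    return to_minutes(internal_period) / to_minutes(external_offset)


def is_valid_subquery_config(external_offset, internal_period):
    """True when the configuration stays within the enforced maximum ratio."""
    return subquery_ratio(external_offset, internal_period) <= MAX_RATIO


def check_page_examples():
    """The three cases listed in the release notes, as (offset, period, ratio, valid)."""
    cases = [("1m", "2h"), ("2h", "5d"), ("1m", "3h")]
    return [(o, p, subquery_ratio(o, p), is_valid_subquery_config(o, p)) for o, p in cases]


if __name__ == "__main__":
    for row in check_page_examples():
        print(row)
```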

Related products: Devo Platform

Devo Behavior Analytics Release 1.9

Devo’s product team is happy to present the latest version of our integrated UEBA, Behavior Analytics! Devo Behavior Analytics 1.9 introduces a new step in the configuration process for the definition of Whitelists. This lets users enter the Users, Devices and Domains they want whitelisted during the creation process. The new process is further improved by the ability to upload CSV lists to your whitelists as well! Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page here.

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

Whitelist functionality
Whitelisting is critically important for behavior analytics models: removing well-known or noisy entities from detection lets the true threats, which linger as changes in behavior, stand out. The new Whitelist section contains the following parts:

Name | Description
Users | Displays all the current users that are whitelisted from the current use cases. Additionally, users can be entered manually in the textbox or uploaded via CSV. Users are all direct-match string values. Example users: David Dark, david.dark@shadydealings.com, Ddark
Devices | Displays all the current devices that are whitelisted from the current use cases. Additionally, devices can be entered manually in the textbox or uploaded via CSV. Devices can be hostnames, IP addresses, ranges of IP addresses and CIDR blocks. Example devices: Hostname: MacBookPro_0002; IP Address: 174.1.54.54; IP Address Range: 173.1.54.100-173.1.54.130; CIDR Block: 172.16.14.128/25
Domains | Displays all the current domains that are whitelisted from the current use cases. Additionally, domains can be entered manually in the textbox or uploaded via CSV. Domains are all direct-match string values. Example domain: poc.shadydealings.com

Note: User, Device, and Domain whitelists are included in each use case whether or not that entity type is present in the use case. If the use case does not include one of the entity types, a warning message is displayed.

Upload Whitelist CSV
The upload CSV section lets users take a CSV they have from another tool, or from lookups within Devo, and upload it. The upload section provides a couple of tools to make working with CSVs easier. The CSV can be dropped in and previewed on screen. If the right column is not selected, the user can use the “Values Column” drop-down to select the correct column to add to the whitelist. Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV. The user can also specify whether the CSV has a header row; if so, the first row of the CSV file is ignored when adding it to the whitelist. The last option is whether to add to or replace the existing whitelist with the uploaded contents: if add is selected, all the values are appended to the whitelist; if replace is selected, the entire whitelist is overwritten by the uploaded values.

Haven’t tried Behavior Analytics yet? You should, it is part of the Devo Platform! Let us know what you think below!
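An added Python example (not Devo's implementation) of the matching semantics and the CSV upload options described above: users and domains are direct string matches, devices may be a hostname, an IP address, an IP range or a CIDR block, and an upload takes one column, optionally skips a header row, and either adds to or replaces the list. The Whitelist class, its method names and the CSV contents are constructed for the demo.

```python
"""Whitelist matcher with the Behavior Analytics 1.9 entity semantics and CSV upload
options (added example, not Devo's code). Class, method names and CSVs are constructed."""
import csv
import io
import ipaddress


class Whitelist:
    def __init__(self):
        self.users = set()
        self.domains = set()
        self.devices = []  # (kind, value) with kind in {"host", "ip", "range", "cidr"}

    @staticmethod
    def _parse_device(text):
        """Classify a device entry; anything that is not an address form is a hostname."""
        text = text.strip()
        try:
            if "/" in text:
                return ("cidr", ipaddress.ip_network(text, strict=False))
            if "-" in text:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
                return ("range", (lo, hi))
            return ("ip", ipaddress.ip_address(text))
        except ValueError:
            return ("host", text)

    def add_device(self, text):
        self.devices.append(self._parse_device(text))

    def is_user_whitelisted(self, user):
        return user in self.users          # direct string match

    def is_domain_whitelisted(self, domain):
        return domain in self.domains      # direct string match

    def is_device_whitelisted(self, device):
        """Hostnames match exactly; addresses match an IP, a range or a CIDR entry."""
        device = device.strip()
        try:
            addr = ipaddress.ip_address(device)
        except ValueError:
            addr = None
        for kind, value in self.devices:
            if addr is None:
                if kind == "host" and device == value:
                    return True
            elif kind == "ip" and addr == value:
                return True
            elif kind == "range" and addr.version == value[0].version \
                    and value[0] <= addr <= value[1]:
                return True
            elif kind == "cidr" and addr in value:
                return True
        return False

    def upload_csv(self, entity, csv_text, values_column, has_header=True, mode="add"):
        """Mirror of the upload dialog: take one column (by index), skip the header row
        if present, and either append to or replace the list for that entity type.
        Returns the number of values taken from the CSV."""
        rows = list(csv.reader(io.StringIO(csv_text)))
        if has_header:
            rows = rows[1:]
        values = [r[values_column].strip() for r in rows
                  if len(r) > values_column and r[values_column].strip()]
        if mode == "replace":
            if entity == "devices":
                self.devices = []
            else:
                getattr(self, entity).clear()
        for v in values:
            if entity == "devices":
                self.add_device(v)
            else:
                getattr(self, entity).add(v)
        return len(values)


# Constructed CSV exports, as they might come from another tool or a Devo lookup.
USERS_CSV = "name,email,alias\nDavid Dark,david.dark@shadydealings.com,Ddark\n"
DEVICES_CSV = ("asset_id,device,owner\n"
               "1,MacBookPro_0002,Ddark\n"
               "2,174.1.54.54,Ddark\n"
               "3,173.1.54.100-173.1.54.130,lab\n"
               "4,172.16.14.128/25,lab\n")


def build_sample_whitelist():
    """Build the whitelist from the examples in the notes via CSV uploads."""
    wl = Whitelist()
    # Only one column per upload: three uploads add the three user columns.
    for col in (0, 1, 2):
        wl.upload_csv("users", USERS_CSV, values_column=col, has_header=True)
    wl.upload_csv("devices", DEVICES_CSV, values_column=1, has_header=True)
    wl.upload_csv("domains", "domain\nold.example.com\n", values_column=0)
    # "replace" overwrites the existing domain list with the uploaded values.
    wl.upload_csv("domains", "domain\npoc.shadydealings.com\n", values_column=0,
                  mode="replace")
    return wl
```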

Related products: Devo Behavior Analytics

Collector Catalog Update for April

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting, but they will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone!

New Collectors (each links to its documentation)
Rapid7 InsightVM Cloud v1.0.0

Updated Collectors (each links to its documentation unless noted)
AWS v1.8.2
Microsoft Graph v2.0.0-beta2
Microsoft Defender ATP Endpoint v1.2.0
Rubrik v1.1.2
Cisco Umbrella S2 v1.2.0
Wiz v1.6.1
Okta V1.8.1
Azure v2.0.0-beta3
CyberArk Identity v1.1.2 (documentation coming soon)
Extrahop Revealx v1.2.0
AWS SQS V1.2.0

Related products: Devo Integrations

Devo Exchange: MITRE ATT&CK Adviser 1.8

The MITRE ATT&CK Adviser is your alert coverage command center, and this new release brings more capabilities for managing your alert coverage. This release is available now for all geos! New in this release is the ability to update Alerts! We are always updating our alerts with the latest detections; you could already update them from Devo Exchange or Security Operations, and now you can update them from the Adviser as well. With this update you will also be able to compare the old and updated alerts. We have also added bulk actions that let you enable and disable groups of alerts. Managing your alert coverage has never been easier!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

Update Alerts in the Adviser
Alerts provided by Devo are constantly kept up to date with the latest MITRE ATT&CK versions, parser field changes, query operators, etc. These changes are pushed to Devo domains on a periodic basis to ensure that our customers are taking advantage of the latest and greatest our platform has to offer in their detection stack. The ability to update alerts to these latest versions was already present in Devo Exchange and Security Operations, and with the latest release of MITRE ATT&CK Adviser users can update the alerts in their existing coverage there as well.

Compare Alert Contents
We have provided a view of the difference between the old alert and the new alert, giving the user confidence about the changes the update will make to their Devo domain.

New Bulk Actions Added
The MITRE ATT&CK Adviser now includes additional bulk actions for alerts within the Alert coverage table. The application already allowed users to bulk install and uninstall alerts; with this release users can also bulk enable / disable alerts, which controls whether the alerts trigger.

If you haven’t installed the MITRE ATT&CK Adviser, get it here, for free! Quick links on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange.

Related products: Devo Exchange

Devo Platform Release 8.9.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.9.0 expands the availability of the TimeLine Widget first introduced with the new Alerts page in Release 8.7.0. We have also made additional enhancements to the default Activeboard loading process, giving you full control over which Activeboard gets loaded on launch. Another enhancement adds more control over your widgets by adding new running operations at the widget level. Finally, we have improved user interactions in the Activeboard contextual menus. These Activeboard improvements help speed up and empower the visualization of your data!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

TimeLine Widget
The popular Timeline widget introduced in the Alerts page revamp of Release 8.7.0 is now available for you to use in your own Activeboards! The Timeline widget is a graphic representation of items sequenced in chronological order along a time line. This chart lets you monitor how dated items are located over time.

Features:
The time line is represented by a horizontal axis from left (oldest) to right (most recent).
Two item types: Date items represent data at a specific date or point in time; Duration items represent data with a specific “from … to” duration.
Item Groups can be used to visually group selected items. Groups and subgroups are represented on the vertical axis.

This new widget has many customization options covered in our documentation (link to follow when the doc pages are released).

Running operations at the widget level
We have added running operations at the widget level to improve performance even further. These new operations are accessible through new clickable icons located at the right side of the widget header.
Real-time: run the widget query in real-time mode.
Refresh: run the widget query again.
Abort: stop a widget query that is currently running.

Enhancements

Enhanced Activeboard loading behavior on open
Opening the Activeboard section is now an easier and faster process to navigate and use. This update adds new behaviors for opening the Activeboard page depending on whether you have a default Activeboard selected. Here is the breakdown:

Default Activeboard set? | Behavior on page load
Yes | The default Activeboard is loaded.
No | The Activeboard manager opens and the user can choose which one to load.

Activeboard Menu options improved
The contextual menus now enable the following options in edit mode:
Edit details
Clone
Delete

Documentation pages are coming online shortly. This is a release preview until the release date and it is subject to change. Release date is April 02, 2024.

Related products: Devo Platform

Devo Security Operations: OOTB Alerts Release 24

We're thrilled to announce the latest updates and additions to our alerting system with Release 24. This release introduces a significant enhancement to our SIEM detection framework, focused on improving threat detection accuracy and simplifying threat hunting. The key highlights of this release are the introduction of a new alert, SecOpsWinDnsExcessiveEmptyOrRefusedQueries, and the migration of existing alerts to the Devo Cyber Data Model, a common information model designed to streamline threat investigation.

To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for the detection name and manage your alerts. To update or install new alerts, visit Devo Exchange.

Table of Contents
New Detections
  SecOpsWinDnsExcessiveEmptyOrRefusedQueries
Updated Detections
  Migration to Devo Cyber Data Model

New Detections

SecOpsWinDnsExcessiveEmptyOrRefusedQueries
A new alert has been added to detect an excessive number of empty or refused DNS queries on Windows systems. It aims to provide proactive detection of potentially malicious DNS activity and to improve overall threat visibility.

Detection:    SecOpsWinDnsExcessiveEmptyOrRefusedQueries
Description:  Detects an excessive number of empty or refused queries in Windows DNS logs, a pattern associated with DNS tunneling. The threshold for what counts as excessive should be tuned to your organization's needs.
Devo Tables / Data Source / Category:  dns.windows
Changes made: New alert

Updated Detections

Migration to Devo Cyber Data Model
Existing alerts have been migrated to the Devo Cyber Data Model. This migration standardizes data representation across alerts, making it easier to correlate and analyze threat data.
Users can now benefit from a unified schema for conducting comprehensive threat investigations. The migrated alerts are:

SecOpsAuthPasswordSprayHost
SecOpsAuthPasswordSprayIp
SecOpsCDPossibleIocIpFoundInAuthData
SecOpsLoginFailAttempts
SecOpsLoginFailCombinedSuccessed
SecOpsO365AuthExcessiveFailedLoginsSingleSource
SecOpsSimultaneouslyLoginbyIP
SecOpsEntityBehaviorEntropyUser
SecOpsEntityNewServer
SecOpsAzureUserAddedToRoleNonPIM
SecOpsAzureUserInfoDownload
SecOpsAWSInstancesCreatedOrDeleted
O365SecOpsActivityInfrequentCountry
O365SecOpsActivityPerformedByTerminatedUser
O365SecOpsAdministrativeActivityFromNonCorporateIP
O365SecOpsAnomalousBehaviorDiscoveredUsers
O365SecOpsArrowAdminFailedLogon
O365SecOpsAzureADThreatIntelligence
O365SecOpsCloudDiscoveryAnomalyDetection
O365SecOpsGroupMembershipModified
O365SecOpsMFADisabledAlert
O365SecOpsMaliciousOAuthAppConsent
O365SecOpsMalwareDetection
O365SecOpsMultipleDeleteVM
O365SecOpsMultipleStorageDeletionActivities
O365SecOpsMultipleVMCreationActivities
O365SecOpsPermissionsAddedMailboxFolder
O365SecOpsRansomwareActivity
O365SecOpsSuspiciousEmailDeletionActivity
O365SecOpsSuspiciousInboxForwarding
O365SecOpsSuspiciousInboxManipulationRule
O365SecOpsSuspiciousOAuthAppFileDownload
O365SecOpsUnusualAdministrativeActivity
O365SecOpsUnusualFileDeletionActivity
O365SecOpsUnusualFileDownload
O365SecOpsUnusualImpersonatedActivity
O365SecOpsHAFNIUMUserAgentsTargetingExchangeServers
SecOpsLog4ShellVulnOverDomainsUnionTableConnections
SecOpsPossibleDnsEncodingQuery
SecOpsTLDFromDomainNotInMozillaTLD
SecOpsUnusualUseragentLength
SecOpsAnonymousConnection
SecOpsCDFWSrcIpIsPossibleIoc
SecOpsCDHuntFWdstIpIsPossibleIoc
SecOpsFWEmbargoedCountryInboundTrafficDetected
SecOpsFWEmbargoedCountryOutboundTrafficDetected
SecOpsFWExcessFirewallDenies
SecOpsFWExcessFirewallDeniesOutbound
SecOpsFWExternalSMBTrafficDetectedFirewall
SecOpsFWIcmpExcessivePackets
SecOpsFWIpScanExternal
SecOpsFWIpScanInternal
SecOpsFWIrcTrafficExternalDestination
SecOpsFWPortScanExternalSource
SecOpsFWPortScanInternalSource
SecOpsFWPortSweepInternalSource
SecOpsFWRDPExternalAccess
SecOpsFWSMBInboundScanningDetected
SecOpsFWSMBInternalScanningDetected
SecOpsFWSMBTrafficOutbound
SecOpsFWSigred
SecOpsFWTrafficForeignDestination
SecOpsFWTrafficOnUnassignedLowPort
SecOpsFwTftpOutboundTraffic
SecOpsHAFNIUMNetworkActivityTargetingExchangeServers
SecOpsLog4ShellVulnOverFirewallTrafficConnections
SecOpsPossibleTrafficMirroring
SecOpsRevilKaseyaNetworkActivity
SecOpsVNCPortOpen
SecOpsPossiblePortKnocking
SecOpsCDIocUrlSuspiciousProxyData
SecOpsCDProxyDstIp
SecOpsCDProxySrcIp
SecOpsDynamicDNSDetected
SecOpsIPInsteadADomaInInURL
SecOpsLog4ShellVulnerabilityOverProxyConnections
SecOpsMultipleHTTPMethodsUsed
SecOpsNonStandardHTTPMethod
SecOpsOutboundTrafficToDeviceFlaggedAsThreat
SecOpsOutcomingUnauthenticatedArbitraryFileReadInVMwareVCenter
SecOpsPortIntoURL
SecOpsProxyHighRiskFileExtension
SecOpsProxyHttpSingleCharacterFileNameRequest
SecOpsREvilKaseyaWebShellsUploadConn
SecOpsSeveralAccessByProxy
SecOpsUserBlockedbyProxy
SecOpsHAFNIUMHashFoundFileTargetingExchangeServers
SecOpsREvilKaseyaHashFound
SecOpsRemoteDesktopProtocolScan
SecOpsBackupFileAccessAttempt
SecOpsCDIocIpSuspiciousWebData
SecOpsCDWebSrcIp
SecOpsConfigurationFileAccessAttempt
SecOpsCredentialsFileAccessAttempt
SecOpsDatabaseFileAccessAttempt
SecOpsDiscoveringPasswordFiles
SecOpsExplotationAttemptF5BigIp
SecOpsHAFNIUMHttpPostTargetingExchangeServers
SecOpsHAFNIUMWebShellsTargetingExchangeServers
SecOpsHTTPQueryNonStandardMethod
SecOpsHTTPQueryUserAgentLengthOutsize
SecOpsIncomingUnauthenticatedArbitraryFileReadInVMwareVCenter
SecOpsLog4ShellVulnerabilityOverWebServerConnections
SecOpsLogRelatedFileAccessAttempt
SecOpsMalwareFileAccessAttempt
SecOpsPossibleFuzzingAttack
SecOpsPossibleInjectionUserAgent
SecOpsPossiblePathTrasversalInjection
SecOpsPossiblePhishingKitByReferer
SecOpsREvilKaseyaWebShells
SecOpsRobotFileAskingByNoRobot
SecOpsSeveralError4xx
SecOpsSoftwareInfoAccessAttempt
SecOpsWebShellFileSuspicious
SecOpsADAccountNoExpires
SecOpsADPasswdNoExpires
SecOpsAPT29byGoogleUpdateServiceInstall
SecOpsAccountsCreatedRemovedWithinFourHours
SecOpsAppInitDLLsLoaded
SecOpsBlackByteRansomwareRegChangesPowershell
SecOpsBlackByteRansomwareRegistryChanges
SecOpsBlackKingdomWebshellInstalation
SecOpsBlankPasswordAsk
SecOpsBypassUserAccountControl
SecOpsChangesAccessibilityBinaries
SecOpsDLLWithNonUsualPath
SecOpsDeletingMassAmountOfFiles
SecOpsFailLogOn
SecOpsFsutilSuspiciousInvocation
SecOpsGenericRansomwareBehaviorIpScanner
SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers
SecOpsIntegrityProblem
SecOpsLocalUserCreation
SecOpsLolbinBitsadminTransfer
SecOpsLolbinCertocexecution
SecOpsLolbinCertreq
SecOpsLolbinCertutil
SecOpsLolbinConfigsecuritypolicy
SecOpsLolbinDatasvcutil
SecOpsLolbinMshta
SecOpsMaliciousPowerShellCommandletNames
SecOpsMaliciousPowerShellPrebuiltCommandlet
SecOpsMaliciousServiceInstallations
SecOpsMultipleMachineAccessedbyUser
SecOpsNewAccountCreated
SecOpsNtds
SecOpsOsCredentialDumpingGsecdump
SecOpsPassTheHashActivityLoginBehaviour
SecOpsPersistenceAndExecutionViaGPOScheduledTask
SecOpsPsExecToolExecution
SecOpsRansomwareBehaviorMaze
SecOpsRansomwareBehaviorNotPetya
SecOpsRansomwareBehaviorRyuk
SecOpsRareServiceInstalls
SecOpsResetPasswordAttempt
SecOpsRevilKaseyaRegistryKey
SecOpsSIGRedExploitMicrosoftWindowsDNS
SecOpsSecurityEnabledLocalGroupChanged
SecOpsSeveralPasswordChanges
SecOpsShadowCopiesDeletion
SecOpsStoneDrillServiceInstall
SecOpsStopSqlServicesRunning
SecOpsSuspiciousBehaviorAppInitDLL
SecOpsSuspiciousEventlogClearUsingWevtutil
SecOpsSuspiciousWMIExecution
SecOpsTurlaPNGDropperService
SecOpsTurlaServiceInstall
SecOpsUserAccountChanged
SecOpsWINWmiMOFProcessExecution
SecOpsWannaCryBehavior
SecOpsWermgrConnectingToIPCheckWebServices
SecOpsWinADDomainEnumeration
SecOpsWinActivateNoCloseGroupPolicyFeature
SecOpsWinActivateNoControlPanelGroupPolicyFeature
SecOpsWinActivateNoFileMenuGroupPolicyFeature
SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature
SecOpsWinActivateNoSetTaskbarGroupPolicyFeature
SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork
SecOpsWinAdminRemoteLogon
SecOpsWinAdminShareSuspiciousUse
SecOpsWinAnonymousAccountCreated
SecOpsWinAppInstallerExecution
SecOpsWinAttackerToolsOnEndpoint
SecOpsWinAttemptToAddCertificateToStore
SecOpsWinAuditLogCleared
SecOpsWinAutomatedCollectionCmd
SecOpsWinAutomatedCollectionPowershell
SecOpsWinBackupCatalogDeleted
SecOpsWinCompressEncryptData
SecOpsWinCredentialDumpingNppspy
SecOpsWinCritServiceStopped
SecOpsWinCurl
SecOpsWinDcShadowDetected
SecOpsWinDefenderDownloadActivity
SecOpsWinDisableAntispywareRegistry
SecOpsWinDisableUac
SecOpsWinDnsExeParentProcess
SecOpsWinDomainTrustActivity
SecOpsWinExcessiveUserInteractiveLogin
SecOpsWinExternalDeviceInstallationDenied
SecOpsWinFTPScriptExecution
SecOpsWinFakeProcesses
SecOpsWinFsutilDeleteChangeJournal
SecOpsWinGatherVictimIdentitySAMInfo
SecOpsWinGoldenSamlCertificateExport
SecOpsWinIISWebRootProcessExecution
SecOpsWinIcmpExfiltration
SecOpsWinInvokewebrequestUse
SecOpsWinKerberosUserEnumeration
SecOpsWinLocalSystemExecuteWhoami
SecOpsWinLockoutsEndpoint
SecOpsWinLsassKeyModification
SecOpsWinLsassMemDump
SecOpsWinMapSmbShare
SecOpsWinMemoryCorruptionVulnerability
SecOpsWinMimikatzLsadump
SecOpsWinModifyShowCompressColorAndInfoTipRegistry
SecOpsWinMsiExecInstallWeb
SecOpsWinNetworkShareCreated
SecOpsWinNewPsDrive
SecOpsWinOfficeBrowserLaunchingShell
SecOpsWinPermissionGroupDiscovery
SecOpsWinPotentialPassTheHash
SecOpsWinPowerSettings
SecOpsWinPowershellKeyloggin
SecOpsWinPowershellProcessDiscovery
SecOpsWinPowershellSetExecutionPolicyBypass
SecOpsWinRcloneExecution
SecOpsWinRegUtilityHiveExport
SecOpsWinRegistryModificationActivateNoRunGroupPolicy
SecOpsWinRegistryModificationDisableCMDApp
SecOpsWinRegistryModificationDisableChangePasswdFeature
SecOpsWinRegistryModificationDisableLockWSFeature
SecOpsWinRegistryModificationDisableLogOffButton
SecOpsWinRegistryModificationDisableNotificationCenter
SecOpsWinRegistryModificationDisableRegistryTool
SecOpsWinRegistryModificationDisableShutdownButton
SecOpsWinRegistryModificationDisableTaskmgr
SecOpsWinRegistryModificationGlobalFolderOptions
SecOpsWinRegistryModificationHideClockGroupPolicyFeature
SecOpsWinRegistryModificationHideSCAHealth
SecOpsWinRegistryModificationHideSCANetwork
SecOpsWinRegistryModificationHideSCAPower
SecOpsWinRegistryModificationHideSCAVolume
SecOpsWinRegistryModificationIExplorerSecZone
SecOpsWinRegistryModificationNewTrustedSite
SecOpsWinRegistryModificationNoDesktopGroupPolicy
SecOpsWinRegistryModificationNoFindGroupPolicyFeature
SecOpsWinRegistryModificationPowershellLoggingDisabled
SecOpsWinRegistryModificationRunKeyAdded
SecOpsWinRegistryModificationStoreLogonCred
SecOpsWinRegistryQuery
SecOpsWinRemoteSystemDiscovery
SecOpsWinRunasCommandExecution
SecOpsWinSamStopped
SecOpsWinScheduledTaskCreation
SecOpsWinSchtasksForcedReboot
SecOpsWinSchtasksRemoteSystem
SecOpsWinSensitiveFiles
SecOpsWinServiceCreatedNonStandardPath
SecOpsWinShadowCopyDetected
SecOpsWinSmtpExfiltration
SecOpsWinSpoolsvExeAbnormalProcessSpawn
SecOpsWinSuspiciousExternalDeviceInstallation
SecOpsWinSuspiciousWritesToRecycleBin
SecOpsWinSysInfoGatheringUsingDxdiag
SecOpsWinSysInternalsActivityDetected
SecOpsWinSysTimeDiscovery
SecOpsWinTFTPExecution
SecOpsWinUserAddedPrivlegedSecGroup
SecOpsWinUserAddedSelfToSecGroup
SecOpsWinUserAddedToLocalSecurityEnabledGroup
SecOpsWinUserCreationAbnormalNamingConvention
SecOpsWinUserCredentialDumpRegistry
SecOpsWinWMIPermanentEventSubscription
SecOpsWinWMIReconRunningProcessOrSrvcs
SecOpsWinWebclientClassUse
SecOpsWinWifiCredHarvestNetsh
SecOpsWinWmiExecVbsScript
SecOpsWinWmiLaunchingShell
SecOpsWinWmiProcessCallCreate
SecOpsWinWmiScriptExecution
SecOpsWinWmiTemporaryEventSubscription
SecOpsWinWmiprvseSpawningProcess
SecOpsMoveitWebShell
SecOpsWinDnsExcessiveEmptyOrRefusedQueries
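A worked example of the kind of logic the SecOpsWinDnsExcessiveEmptyOrRefusedQueries detection above describes, added here as an illustration and not Devo's own alert implementation: a per-client sliding-window count of DNS responses that were refused, returned NXDOMAIN, or succeeded with no answer records, which fires once the count inside the window reaches a tunable threshold. The record layout and the events are constructed for the example and only loosely mirror the fields of a Windows DNS log; the field names, the default threshold of five and the five-minute window are assumptions, and the threshold is exactly the value the release note says you should tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, client IP, query name, response code,
# answer count). Made up for this example; they only loosely mirror the fields
# a Windows DNS server log (the dns.windows table) would carry.
SAMPLE_EVENTS = [
    # Host resolving many random-looking labels under one domain, all NXDOMAIN:
    # the shape DNS tunneling or beaconing leaves behind.
    ("2024-03-20T10:00:01", "10.0.0.25", "a1b2c3.tun.example.net", "NXDOMAIN", 0),
    ("2024-03-20T10:00:05", "10.0.0.25", "d4e5f6.tun.example.net", "NXDOMAIN", 0),
    ("2024-03-20T10:00:09", "10.0.0.25", "0718a9.tun.example.net", "NXDOMAIN", 0),
    ("2024-03-20T10:00:14", "10.0.0.25", "bbcc01.tun.example.net", "NXDOMAIN", 0),
    ("2024-03-20T10:00:20", "10.0.0.25", "ffe012.tun.example.net", "NXDOMAIN", 0),
    ("2024-03-20T10:00:26", "10.0.0.25", "34ab56.tun.example.net", "NXDOMAIN", 0),
    # Workstation with ordinary traffic plus a couple of typos.
    ("2024-03-20T10:00:03", "10.0.0.40", "www.example.com", "NOERROR", 2),
    ("2024-03-20T10:00:07", "10.0.0.40", "wwww.example.com", "NXDOMAIN", 0),
    ("2024-03-20T10:00:11", "10.0.0.40", "mail.example.com", "NOERROR", 1),
    ("2024-03-20T10:01:30", "10.0.0.40", "example.cmo", "NXDOMAIN", 0),
    # Host whose refused queries for one name are spread ten minutes apart.
    ("2024-03-20T09:00:00", "10.0.0.9", "intranet.corp", "REFUSED", 0),
    ("2024-03-20T09:10:00", "10.0.0.9", "intranet.corp", "REFUSED", 0),
    ("2024-03-20T09:20:00", "10.0.0.9", "intranet.corp", "REFUSED", 0),
    ("2024-03-20T09:30:00", "10.0.0.9", "intranet.corp", "REFUSED", 0),
    ("2024-03-20T09:40:00", "10.0.0.9", "intranet.corp", "REFUSED", 0),
    ("2024-03-20T09:50:00", "10.0.0.9", "intranet.corp", "REFUSED", 0),
]


def is_empty_or_refused(rcode, answers):
    """True when the server refused the query, the name does not exist, or the
    lookup succeeded but returned no answer records (NODATA)."""
    if rcode in ("REFUSED", "NXDOMAIN"):
        return True
    return rcode == "NOERROR" and answers == 0


def detect_excessive_empty_or_refused(events, threshold=5, window_seconds=300):
    """Per-client sliding-window count of empty/refused responses.

    One alert is raised per client when the number of hits inside the window
    first reaches `threshold`; the client is then suppressed until enough hits
    age out of the window, so a chatty host does not re-alert on every packet.
    `threshold` (assumed default 5) and `window_seconds` (assumed default 300)
    are the values to tune per environment.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> deque of (timestamp, qname) inside the window
    suppressed = set()
    alerts = []
    for ts_str, client, qname, rcode, answers in sorted(events):
        if not is_empty_or_refused(rcode, answers):
            continue
        ts = datetime.fromisoformat(ts_str)
        hits = recent[client]
        hits.append((ts, qname))
        while hits and ts - hits[0][0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) < threshold:
            suppressed.discard(client)  # window drained below threshold: allow a future alert
            continue
        if client in suppressed:
            continue
        suppressed.add(client)
        alerts.append({
            "client": client,
            "count": len(hits),
            "first_seen": hits[0][0].isoformat(),
            "last_seen": ts.isoformat(),
            # Many distinct names from one client points at tunneling or
            # generated domains; a single repeated name is more often a
            # misconfigured host or a stale resolver entry.
            "distinct_names": len({name for _, name in hits}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_excessive_empty_or_refused(SAMPLE_EVENTS):
        print(alert)
```

With the defaults only 10.0.0.25 alerts (five NXDOMAIN responses for five distinct names within twenty seconds); 10.0.0.9 produces the same number of refused responses but spread over an hour, so it only trips the rule if the window is widened to match, and even then its distinct-name count of one separates it from the tunneling-shaped traffic. Adjusting the threshold and window against your own dns.windows volume is the tuning step the release note calls out.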

Related products:Devo SecOps

Devo Platform Release 8.8.20

Hello everyone, the latest Devo Platform release is here! Release 8.8.20 brings a whole host of updates for Alerts, starting with the new triggered Alert details page, which increases the number of actions you can take from one location. Next, a newly integrated ID search lets you find alerts by Alert ID. The alert Type field has received new values that better match how the alert was created. A new "info" field was added to the audit table devo.audit.alert.definition, along with a new audit table for triggered-alert operations. Find the full details of this release in this article.

Geo Availability
Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

Table of Contents
New Features
  New Triggered Alerts Details page
  Search by Alert ID
  Redefined Type field when Grouping Alerts
  New "info" field added to audit table devo.audit.alert.definition
  New audit table devo.audit.alert.triggered
Bug Fixes
  Alert Bug Fixes
  Flow Bug Fixes

New Features

New Triggered Alerts Details page
This page is launched from the triggered alert ID and opens the alert in full detail. It is available even when the alert is grouped. The new page has two tabs:
- Overview tab: alert details management
- Annotations tab: alert annotations management

Search by Alert ID
A new search box was added to the Triggered Alerts page that lets you search by full or partial Alert ID. Find your alerts quickly with this new feature!

Redefined Type field when Grouping Alerts
Rebuilt for clarity of purpose: when grouping alerts, the Type field now offers options that better match the action being taken.

Old Type Values   New Type Values
api_custom        each
default           several
custom            low
etcetera          gradient
                  deviation
                  rolling
                  generic

New "info" field added to audit table devo.audit.alert.definition
A new JSON field, "info", has been added to this audit table. It contains the JSON corresponding to the alert request operation:
Operation        Content
Creation         Entire JSON of the alert creation request
Edit             Entire JSON of the alert editing request
Enable/Disable   An empty JSON
Deletion         An empty JSON

New audit table devo.audit.alert.triggered
This new audit table is now available in all domains. The system logs to it, for audit purposes, all user activity related to triggered-alert operations made in the domain. The table has the same structure as devo.audit.alert.definition, except that the "info" field contains only the changed value. The tracked values are:
- Triggered alert status
- Triggered alert priority
- Triggered alert deletion

Bug Fixes

Alert Bug Fixes
- Fixed alert creation/cloning when the running-alerts limit is reached.
- Fixed an error when clicking "go to query" on Monitoring alerts.

Flow Bug Fixes
- Fixed duplicated triggered alerts after restart.
- Fixed alert recovery after upgrading Flow.
- Fixed null creation date in some contexts.

Related products:Devo Platform

Devo Parser Catalog Update for March

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's search speed. Every data source is unique, so we maintain a large catalog of existing parsers. Our teams review parser performance, build new parsers and update existing ones on a regular basis. This article covers all the updated and new parsers available. If you require a new parser, please open a support ticket through the support portal.

Table of Contents
New Parsers
Updated Parsers

New Parsers (documentation is available unless noted)
soar.devo
cef0.pcysys
cef0.cyberark (documentation in progress)
itdr.oort
storage.huawei
dlp.cososys
seg.checkpoint
mail.all.messages (documentation in progress)
cloud.rubrik

Updated Parsers (documentation is available for each)
cloud.aws
cloud.alibaba
cloud.azure
waf.f5
firewall.paloalto
web.all.access
devo.ea
proxy.all.access
box.all.win
network.vmware
db.oracle
mail.darktrace
vuln.beyondtrust
iam.sailpoint
auth.jumpcloud
casb.microsoft_defender
entity.behavior
dns.bind
firewall.cisco
firewall.velocloud
firewall.all.webfilter
firewall.juniper
network.dell

Related products:Devo Integrations

Devo Collector Catalog Update for March

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some Documentation pages may not be available at the time of posting but will be added as soon as they are ready. To request new collectors, please open a support ticket through the Support Portal. To update an existing collector, the CS and Support teams are working together to schedule update windows with everyone!

Table of Contents
New Collectors
Updated Collectors

New Collectors (documentation is available for each)
Fastly Next-Gen WAF v1.0.0
Extrahop Reveal(x) v1.1.0
Mulesoft Anypoint v1.0.0
Cisco Amp v1.0.0

Updated Collectors (documentation is available unless noted)
ServiceNow API v1.4.0
Microsoft Defender Cloud Apps v1.3.0
Thinkst Canary v1.1.0
Microsoft Azure v2.0.0-beta1
Akamai SIEM Collector v2.1.0 (documentation in progress)
Wiz v1.5.0
Jumpcloud v1.3.1
AWS SQS v1.1.1
Salesforce v2.2.0
Proofpoint Tap v2.2.1
Netskope Web Transaction Events v1.0.0b1 (documentation in progress)
Cisco Umbrella v1.1.0
AWS v1.8.2
Microsoft Graph v2.0.0-beta2

Related products:Devo Integrations

Devo Behavior Analytics release 1.8

Devo's product team is happy to present the latest version of our integrated UEBA, Behavior Analytics! In this release, the team delivers Entity Timeline improvements that emphasize the most essential information about an entity's risk. The team also delivered a collection of dashboard improvements, including the data search pivot, the entity risk group edit page, improved error handling and UI optimizations. Devo Behavior Analytics is included in the Intelligent SIEM package and helps you quickly uncover anomalous user and entity behavior! Read more on our main page.

Geo Availability
Region   Status
CA       Released
US       Released
EU       Released
APAC     Released

Table of Contents
Improvements
  Entity Timeline
  Dashboard Improvements

Improvements

Entity Timeline
The Entity Timeline layout has been improved to emphasize the most essential information about an entity's risk. You can now select the most relevant parts of an entity's timeline to get a deeper understanding of what is driving the risk score. You can also use the entity metrics count to filter the graph and timeline, and drill down into all the relevant risky event details from a single screen.

Dashboard
The Behavior Analytics dashboard has been enhanced with the following features and fixes:
- Data Search Pivot: the alert data search pivot now isolates the specific entities that were involved in the alert.
- Entity Risk Group Edit page: the entity risk page is better configured to manage large lists.
- UI Optimization: improved responsiveness in common user workflows across the entire application, with API and UI performance improvements.
- Improved Error Handling: fixed several alert notification error scenarios around bad data inputs for alert priority, lookup errors, etc.

Related products:Devo Behavior Analytics

Devo Security Operations: OOTB Alerts Release 23

We're thrilled to announce the latest updates and additions to our alerting system with Release 23. This release brings enhancements to alert logic and improved summaries, and introduces new alerts to bolster your security operations. To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for the detection name, update your existing detections or view the details of the new detections and choose to deploy them.

Table of Contents
Improved Alerts
  SecOpsWinUserAddedToLocalSecurityEnabledGroup
  SecOpsLinuxIrregularLoginSsh
  SecOpsO365AuthExcessiveFailedLoginsSingleSource
  SecOpsO365ImpossibleTravel
New Alerts
  SecOpsSlackPossibleSessionHijacking
  SecOpsWinPowerSettings for MITRE Technique T1653

Improved Alerts

SecOpsWinUserAddedToLocalSecurityEnabledGroup
- Enhanced alert logic for detecting user additions to local security-enabled groups on Windows systems.
- Improved summary for better understanding and faster response.

SecOpsLinuxIrregularLoginSsh
- Updated alert logic to identify irregular SSH login activity on Linux systems.
- Refined summaries to provide clearer insight into potential security threats.

SecOpsO365AuthExcessiveFailedLoginsSingleSource
- Updated the mmcity operation for Office 365 authentication alerts related to excessive failed logins from a single source.
- Streamlined summaries to facilitate quicker identification of suspicious activity.

SecOpsO365ImpossibleTravel
- Revised alert logic for Office 365 impossible travel scenarios.
- Improved operation of mmcity for more accurate detection.
- Enhanced summaries to highlight impossible travel incidents effectively.

New Alerts

SecOpsSlackPossibleSessionHijacking
- A new alert to detect potential session hijacking in Slack environments.
- Monitors for suspicious activity indicating unauthorized access to Slack accounts.
- Provides detailed insight into possible session compromise for swift remediation.

SecOpsWinPowerSettings for MITRE Technique T1653
- A brand new alert targeting MITRE ATT&CK technique T1653 (Power Settings), focusing on manipulation of Windows power settings.
- Alerts on suspicious changes to power settings indicative of potential adversary actions.
- Enables proactive defense against tactics that manipulate power configurations for malicious purposes.

Stay vigilant with these upgraded alerts and leverage the new additions to strengthen your security posture. For further details, consult the documentation or reach out to our support team for assistance. Upgrade to Release 23 now and fortify your defenses against evolving threats.

Related products:Devo SecOps