Popular Updates


Devo Exchange: Devo Collector Monitoring ActiveBoard and Alert Pack

The Integration team prepared and released a new Activeboard to help users monitor and stay informed about the status of their collectors, along with any warnings or errors that may be occurring. We have also released a companion Alert Pack that works in conjunction with the Activeboard to provide full visibility around your Collectors. This combination gives you visibility into Collector uptime, warnings and errors, general activity and message types. You also see all credential errors as well as API limits and server errors. This is a must-have Activeboard that provides full visibility into the health of your Data Ingestion.

Collector Monitoring Activeboard

Good supervision of data flow is key in Devo. It is important to give customers good insights, alerts and security use cases, but insight into any problem with Collectors was missing. This activeboard solves this, providing complete visibility of your collector health. In this activeboard you can find:

- Number of collectors active / failing.
- Collectors that stopped sending data in the last hour.
- Errors and warnings distribution by collector.
- General activity and types of messages.
- Errors in credentials (401/403).
- Errors for API limit retries (429).
- Server errors (500, 501, 503).

Use this activeboard to detect credential failures, server failures or problems in data flow. The Collector Alert Pack works in conjunction with this activeboard to provide all the details.

Collector Alert Pack

Use this Alert Pack to monitor your collectors, detect credential failures (401/403) and any problem in data flow. It is recommended to complement this content with AB Collectors Error Control.

- SecOpsCollectorCredentials: Detects any credential problem (401 or 403 error) in any collector running in the domain, and also warnings that could indicate an error as well.
What does it look like? Go check it out on Devo Exchange

Devo Collector Monitoring Activeboard
Direct links on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Devo Collector Alert Pack
Direct links on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Related products: Devo Exchange

Devo Platform 8.10.29

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.29 focuses on Activeboard improvements, from improved loading options to enhancements for your favorite tools. Among the updates in this release are the new “Load on Demand” options at the widget level and the Activeboard level. Scheduled tasks no longer require tokens to create a task. There are multiple enhancements to the Line/Area widget, a new background process tab for Usage Analytics, better error messages for Aggregation tasks and fixes to customer-reported bugs. Check out the full release notes here as well as links to relevant documentation.

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

Updated Features

New options for “Load on Demand” feature for Activeboards

Performance is key in Devo. With the release of 8.8.16 we released the “load on demand” feature for widgets. In this release we are expanding this feature by adding more data loading options, not just at the widget level but also at the Activeboard level.

Activeboard Level

These updates were created to reduce system resource load, reduce Activeboard loading times and give the user greater control over Activeboard/Widget loading. Learn more about Load on Demand at the Activeboard level in our Docs. Learn more about Load on Demand at the Widget level in our Docs.

Activeboard Line/Area widget: All points visibility

Enhancing the at-a-glance understanding of this widget, users now have the ability to choose to display all the line/area chart widget points.
Scheduled Tasks: No Tokens required!

In order to simplify the user experience, we have removed the authentication user token needed to create a Scheduled Task. This also means that the scheduled task email can now be sent to any email address. You will still need a token for the following:

- Scheduled task CRUD operations need a user session token.
- Scheduled task execution will generate and use a new service token.

Usage Analytics new Background processes tab

The new Background processes tab gives the user the ability to monitor the running and failed background processes in the last 24 hours for the following entities:

- Alerts
- Injections
- Aggregation Tasks
- Query Lookups

Learn more in our Documentation.

Activeboards: Better error messages for Aggregation Tasks

Improvement to Aggregation task error messages, providing more information about the specific error that has occurred so you can take the appropriate actions.

Bug Fixes

- Fixed widget description in Export to PDF.
- Fixed Line/Area widget’s Dash Style.
- Fixed Stacked Line/Area setting the stacked scale as percentage.
- Fixed Yearly periodicity display in Scheduled Tasks.

Check out the full Release Notes in our Documentation.

Related products: Devo Platform

Devo Platform release 8.10.28

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.28 focuses on Alert improvements and features, along with new API calls. Starting off with the Alert improvements, filters you apply to the Alerts page are automatically added to the URL so you can save repeat searches and jump directly into them. A new API delivery method was added in order to get the Sending Policies. Alert pagination has been improved: your pagination tools now stay on the page with you, giving you instant access to those controls. The Delete Bulk action now has a double confirmation for peace of mind, and more! Read on!

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

New Features

New to the Alerts Delivery method API: Get Sending Policies.

Available operations:

- GET all the policies defined in the domain.
- GET a specific policy in the domain identified by its ID.

Learn more in our docs!

Alert Page URL Filters

Enabling you to save Alert pages with predefined filters: now when you choose your filtering from the Alerts page, the filter information is added to the URL in the address bar. Saving the URL allows you to jump directly to the pre-filtered results.

Updated Features

Delete Alert confirmation dialog

The confirmation dialog that appears after performing bulk actions has been improved with a loading indicator. This gives users a visual confirmation that the action is actually in progress.

Improvements to Alert Pagination

To improve review of a large group of alerts, pagination tools are now pinned in order to provide access to these tools as you go through the selected list.

Check out the full Release Notes in our Documentation.

Related products: Devo Platform

Devo Parser Catalog Update for July

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers

- cnapp.orca
- firewall.sangfor
- network.riverbed

Updated Parsers

- ips.all.alerts
- web.aws
- proxy.zscaler
- cdn.akamai
- network.meraki
- dns.windows
- edr.crowdstrike
- firewall.cisco
- dlp.code42
- network.hp
- cef0.paloAltoNetworks
- dhcp.microsoft
- edr.cisco
- firewall.all.traffic
- cef0.ibm
- ids.corelight
- box.win_nxlog

Documentation for each of these parsers is available in our Docs.

Related products: Devo Integrations

Devo Collector Catalog update for July

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors

- Lark Collector v1.0.0 (documentation in progress)
- Cato Collector v1.0.0 (documentation in progress)
- Google Workspace for BigQuery v1.0.0 (documentation in progress)

Updated Collectors

- Cisco Amp v1.1.1
- Office365 Management API v2.2.0
- Snowflake v1.3.1
- AWS SQS v1.4.0
- Microsoft Defender for Endpoint (ATP) v1.3.0
- Workday v1.1.0
- Rapid7 InsightVM v1.6.0
- Google Cloud Platform (GCP) v1.7.0
- Qualys v2.2.0 (documentation in progress)

Documentation for each updated collector is available in our Docs unless noted otherwise.

Related products: Devo Integrations

Devo Exchange Catalog Update

Devo Exchange regularly updates content and approves content submitted by the Devo team as well as customers to enhance the OOTB catalog offering to our entire user base. Yes, if you have a great activeboard or vapp you can submit it to the Exchange team for verification and inclusion in the content catalog! In this catalog update you will find dozens of new OOTB alerts, activeboards, lookups, synthetic data and use cases. You will also find updated content, from Activeboards to individual alerts. The new search functionality introduced in Exchange release 2.0 will help you find exactly what you need quickly!

New Additions

Alert packs:
- Remote System Discovery (MITRE T1018)
- Command and Scripting Interpreter (MITRE T1059)
- Software Deployment Tools (MITRE T1072)
- Data Staged (MITRE T1074)
- System Information Discovery (MITRE T1082)
- Exploit Public-Facing Application (MITRE T1190)
- Exploitation for Defense Evasion (MITRE T1211)
- Resource Hijacking (MITRE T1496)
- Non-Standard Port (MITRE T1571)
- Protocol Tunneling (MITRE T1572)
- Establish Accounts (MITRE T1585)
- Develop Capabilities (MITRE T1587)

Activeboards:
- AWS Security Lake
- Cloud Azure Audit
- Cloud Azure Sign in
- Collective Defense Overview
- Devo Alert Auditing
- Proofpoint email protection
- Web Analytics

Lookups:
- IANAPortAssignment
- AwsAuthorizedApiUsers

Synthetic data:
- Web Apache injection

Use case:
- Web Analytics AB

Updated Catalog Content

Alert packs:
- SIEM detection capabilities enhanced.
- Performance enhanced with improved filters.
- Threat detection accuracy improved.
- Multitenant enabled.

Applications: Alert dependencies removed (now they can be installed only via Exchange alert packs), visuals improved, aggregation tasks created, and performance optimized.
- Devo 360 for Palo Alto → v1.1.1
- Devo 360 for Crowdstrike → v1.1.1
- Devo 360 for AWS → v1.1.1

Activeboards:
- Microsoft Active Directory → v1.1.0 → change source to box.all.win, fix keys in Voronoi, and change period to one day.
- Data Sources Insight → v1.0.1 → add default table before selection.
- Office365 Overview → v1.0.1 → fix Sharepoint widget.
- Windows Activity Monitoring → v1.1.0 → fix neq functions and selectors.
- Office365 Active Directory → v1.0.2 → fix widgets.
- Office365 One Drive → v1.1 → fix user agent widget and reorder widgets.
- OKTA Service Overview → v1.1.0 → reorganize widgets, change e-commerce sources, and delete external dependencies.
- OKTA Authentication Activity → v1.1.0 → change deprecated geo functions (mm by mm2).
- Firewall Monitoring → v1.2.0 → change map, time periods, and deprecated geo functions.
- Devo Users Tracking → v1.1.1 → migrate to multitenant.

Content packs: Modify MITRE Tactics to add the new techniques.
- TA0001 → T1190 added.
- TA0002 → T1059 and T1072 added.
- TA0005 → T1211 added.
- TA0007 → T1018 and T1082 added.
- TA0009 → T1074 added.
- TA0011 → T1571 and T1572 added.
- TA0040 → T1496 added.
- TA0042 → T1585 and T1587 added.

Related products: Devo Exchange

Devo Exchange 2.0

Welcome everyone to the grand unveiling of Devo Exchange 2.0! We have some massive updates to the Exchange marketplace, including a new section for Multitenant content, a completely revamped search engine that allows you to hunt for individual alerts, and a redesign of Alert packs to give you even more flexibility and visibility into each pack’s contents. The road to version 2.0 brought tons of great improvements as well, including amazing performance improvements, enhanced access control and improvements to the amazing alert management tool, the MITRE ATT&CK Adviser!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

New Features

Search 2.0

This massive undertaking brings a host of new features to help you find content quickly through the expanded marketplace. In detail:

Recent Searches

Recent Searches will contain the last 5 searches you performed, so you can find commonly used content quickly. You can also clear any of the individual search entries. Full match or partial match strings: the search will find anything.

Full Search with new Category Filters

You can now filter your search results by sources, tactics and techniques. Along with these filters, we have improved all parameters of the search engine as well as the order in which results are presented. The search filters are also additive; for example, if you wanted to find any alert packs with alerts that cover different tactics, you can add those to the filters.

Search inside Packaged Content

In a past release we enabled the installation of any content individually within an Alert Pack. With Search 2.0 you can search for any alert inside alert packs by name or partial name. Searching for “O365” shows all the alert packs that contain alerts with this string in the name.
When you enter the pack, the search string will be highlighted and moved to the top. As you can see, priority and sources have been added as additional information inside pack content on Devo Exchange. This helps power the new search filters and adds new context for faster decision making!

Alert Pack Redesign

Alert packs now have Priority and Source information for each alert inside the pack, as seen above. We also have a new counter on the top right showing how many alerts in the Alert Pack you have installed.

Multi-Tenant Content

All OOTB content in Devo Exchange has been updated to be Multi-tenant capable. This includes all 119 Alert Packs, more than 500 Alerts! We are currently working on Activeboards and Applications to have this new capability. The User Tracking Activeboard joins the MITRE ATT&CK Advisor application in Multi-Tenant capabilities. If your domain is the parent domain of a Multi-Tenant structure you will see a new category filter on the Exchange homepage. Applications and Activeboards will have domain selectors for you to manage the information displayed.

Related products: Devo Exchange

Devo Collector Catalog Update for June

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors

- Qualys FIM v1.0.1 (documentation will be available soon)
- Google Workspace for BigQuery v1.0.0 (documentation will be available soon)

Updated Collectors

- Github v2.3.0
- CyberReason v1.4.0
- Proofpoint CASB v1.1.0
- Snowflake v1.2.0
- MimeCast v1.2.0
- CrowdStrike API Resources v1.7.0
- Cortex XDR v1.3.0
- SpyCloud v1.1.0
- Office365 Exchange Reports v0.4.1-beta
- Netskope API V2 v1.1.0
- Wiz v1.6.2
- AWS v1.10.0

View the full documentation for each updated collector in our Docs.

Related products: Devo Integrations

Devo Platform 8.10.8

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.8 adds a new type of alert to your growing toolkit. Inactivity Alerts will help you detect when normal activities like ingestion stop working, among other use cases. This is a great tool to keep the information flowing and be notified immediately when possible issues occur. They are also available in the Alerts API! Along with the new Alert, the team has added new API audit features, as well as our continued work to deliver best-in-class performance to you, our customers! Start using the new Alert, and make use of those audit logs today!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

New Features

New Inactivity Alert is available

This new alert type follows the same principles as the Several and Low Alerts: an alert type that counts events during a period of time. Here is how all 3 differ:

- Low Alert: triggers when, after a rolling time period, the counter of the selected events (query) has not exceeded a specific threshold.
- Several Alert: triggers when, within a rolling time period, any of the current period counters (query + current period key values) exceeds a specific threshold.
- Inactivity Alert: triggers when, after a rolling time period, any of the previous period counters (query + previous period key values) has not exceeded the 0 threshold (has been equal to 0), that is, when any of the counters had no events (a different Alert for each of those counters without events).

If you want to create an alert to notify you when a collector has stopped ingesting during a period of time, Inactivity Alerts are the solution! And Inactivity Alerts are available in the Alerts API! Learn more about Inactivity Alerts and all the parameters on our Docs page!
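As an added illustration (not part of the release note and not Devo's own code), the following Python models the three counter-based alert types over a constructed event stream: the Event records, collector names, window lengths and thresholds are assumptions for the demo, and the counting logic is a simplified reading of the three definitions above.

```python
"""Simplified model of Devo's Low, Several and Inactivity alert semantics.

Added example, not Devo's implementation. Everything below is constructed:
the events, the collector key values, the 600-second windows and the
thresholds. The rules follow the release note:
  Low        -> total count in the window has NOT exceeded the threshold
  Several    -> some key's counter in the current window exceeds the threshold
  Inactivity -> a key that had events in the previous window has a counter
                of 0 in the current window (one alert per silent key)
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int         # seconds since an arbitrary epoch (constructed)
    collector: str  # key value that Several/Inactivity alerts group on


def counters(events, start, period):
    """Per-key event counts for the window [start, start + period)."""
    c = Counter()
    for e in events:
        if start <= e.ts < start + period:
            c[e.collector] += 1
    return c


def low_alert(events, start, period, threshold):
    """Low: True when the total count in the window has not exceeded threshold."""
    return sum(counters(events, start, period).values()) <= threshold


def several_alert(events, start, period, threshold):
    """Several: keys whose counter in the current window exceeds threshold."""
    return sorted(k for k, n in counters(events, start, period).items() if n > threshold)


def inactivity_alert(events, start, period):
    """Inactivity: keys active in the previous window whose current counter is 0."""
    previous = counters(events, start - period, period)
    current = counters(events, start, period)
    return sorted(k for k in previous if current[k] == 0)


# Constructed sample: three collectors across two 600-second windows.
# Previous window (0-600): all three send. Current window (600-1200):
# "okta" goes silent (an ingestion stall) and "aws" becomes noisy.
SAMPLE_EVENTS = (
    [Event(t, "aws") for t in range(0, 600, 120)]       # 5 events
    + [Event(t, "okta") for t in range(30, 600, 200)]   # 3 events
    + [Event(t, "gcp") for t in range(60, 600, 300)]    # 2 events
    + [Event(t, "aws") for t in range(600, 1200, 50)]   # 12 events
    + [Event(t, "gcp") for t in range(660, 1200, 300)]  # 2 events
)


def demo():
    """Evaluate all three alert types on the current window (600-1200)."""
    return {
        "low": low_alert(SAMPLE_EVENTS, 600, 600, threshold=20),
        "several": several_alert(SAMPLE_EVENTS, 600, 600, threshold=10),
        "inactivity": inactivity_alert(SAMPLE_EVENTS, 600, 600),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed sample, the Inactivity alert fires for the silent "okta" collector while the Several alert fires for the noisy "aws" one, which is exactly the distinction the release note draws.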
Updated Feature

API key “Read” and “Delete” operations added to audit logs

API Key audit logs have been improved by adding “read” and “delete” operations to the audit table devo.internal.audit.logs. Actions for all users are recorded. The API key itself is logged obfuscated.

Token “Read” operation added to audit logs

Improved audit actions by adding the “read” operation to the audit table devo.internal.audit.logs. Actions for all users are recorded. The token is logged obfuscated.

Related products: Devo Platform

Devo SOAR M124 & M125 released

The Devo team has released the latest version of Devo SOAR! This product update combines two releases, M124 and M125. In these updates we have added 4 new JSON operators, 3 new integrations, updated integrations with new capabilities, as well as bug fixes and enhancements. SOAR Automation is a key feature of Devo Intelligent SIEM, allowing you to automate a large number of daily tasks and giving you back essential time to perform key investigations and hunts. First time with Devo SOAR? We have tutorials on the community to help you get started, as well as the rich Devo SOAR Documentation portal. Devo SOAR also has a guided playbook builder to interactively create no-code automation!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

New Features

5 New JSON Operations

We are happy to introduce 5 new JSON Operations for use in SOAR Playbooks:

- addFieldInJSON
- extractFieldInJSON
- removeFieldInJSON
- replaceFieldInJSON
- parseJson

New Integrations added

- KnowBe4 is the world’s largest integrated platform for security awareness training combined with simulated phishing attacks.
- Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero-trust principles to protect data.
- Cyberark EPM provides holistic endpoint protection to secure all endpoints and enforce least privilege without disrupting business.

Updated Features

Enhancements

- Run action node when explicitly requested in the playbook.
- Updated action Download URL to support usage of custom headers while downloading in the File Tools integration.
- Trend Micro Workload Security integration has added 6 new actions: List Scheduled Task, Create Scheduled Task, Describe Scheduled Task, Modify Scheduled Task, Delete Scheduled Task, Search Scheduled Task.
- Removed Assistance mode functionality.
- Shodan integration has added 17 new actions based on on-demand scanning and network alerts.

Bug Fixes

- The dynamic recipient field was not working when the form was added to a case. We have fixed this now.
- Page number information was lost when opening the batch detail page and returning to the batch listing page. We have fixed this now.
- Missing Jinja support for hostname in the Send Events action in the Devo integration. We have fixed this now.
- Issue with the default limit in the Search IOCs action in the CrowdStrike Falcon Host (OAuth Based) integration. We have fixed this now.
- Timestamp type-based timezone had rendering issues in easy mode. We have fixed this now.

Related products: Devo SOAR

Devo Exchange 1.9

Hello everyone, the Exchange team has a new update for you with tons of great improvements, and release 1.9 is no different! In this release, a new notification system has been implemented to let you know when there is an update available for your installed OOTB content. Along with this new system, a new filter has been added to All Content to let you see all the content already installed with an available update, plus a new audit table and updated navigation. We’ve also improved performance for all users, with those on slower connections benefiting the most! Don’t forget to visit the new Resources Portal, a single page for all your customer resources!

New Features

Update Notifications

Devo Exchange now has a notification center to let you know when you have updates available for your installed Out-Of-The-Box content. Located on the top right of Devo Exchange, you can view individual notifications, jump to the content or clear notifications. You can delete notifications individually or delete all notifications.

New Filter for All Content: “Update Available”

Open Devo Exchange and switch the primary filter from Discover to All Content; now on the right you can sort by Update Available! This filter orders content by Update Available first, then relevance. You can quickly review all the updates to installed content from one place!

New audit table added

All audit information for Devo Exchange in each domain is sent to this new table: devo.internal.audit.logs. View and discover user navigations, content installs, and other statistics for your users.

Updated Navigation

To improve the navigation experience, when you open installed content from Devo Exchange it will launch in a new tab. This applies to activeboards, apps, lookups or alert sections.
This way you can always return to where you were in Exchange or continue to work in the launched resource in the new tab.

Additional Updates

Improved performance

Process compression has been implemented when loading items in Exchange. Users with fast connections will see some improvement in speed; users with slower connections will see a massive speed increase when loading Exchange content.

Related products: Devo Exchange

Parser Catalog Update: May

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers

- dmp.cohesity
- mail.all.threats (documentation in progress)
- waf.kemp

Updated Parsers

- proxy.zscaler
- cloud.office365
- box.win_nxlog
- cloud.azure
- firewall.juniper
- edr.all.threats
- casb.netskope
- firewall.cisco
- sig.cisco
- dhcp.all

Documentation for each of these parsers is available in our Docs unless noted otherwise.

Related products: Devo Integrations

Collector Catalog Update for May

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors

- Colortokens xshield v1.0.0
- Airlock Digital v1.0.0
- Vectra 365

Updated Collectors

- Microsoft Azure v2.0.0-beta6: this is a beta collector; as soon as it is out of beta the documentation will be available.
- Crowdstrike API resources v1.6.0
- Cisco Meraki v1.6.0
- Cyberark Identify v1.1.3
- Salesforce v2.3.0
- Qualys v2.1.0
- Microsoft Graph v2.0.0
- Tenable.IO v1.4.0
- Taxii v1.1.0
- Proofpoint on Demand v1.0.1
- Office 365 Management 1.0.0: this collector was rebuilt from the ground up; find the documentation here.
- Google Cloud Platform v1.6.0

Documentation for each collector is available in our Docs unless noted otherwise.

Related products: Devo Integrations

Devo Platform Release 8.10.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.0 brings the new Scheduled Tasks functionality, a new complex type operation for Data Search, and a collection of UI and performance improvements. Scheduled Tasks allow you to set up the periodic execution of a query at the time, date and frequency of your choosing. Admins will find this feature and can grant access through roles and permissions. The new complex operation type is the Tuple, and it works like an array, except it does not convert its contents to the same type. Lastly, this update contains UI improvements and performance enhancements that you are going to love!

Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

New Features

Scheduled Tasks

The first release of Scheduled Tasks is now available for all Devo users! This new feature allows you to schedule the periodic execution of a query, with the query results automatically sent to defined email addresses as CSV files. This feature is enabled by default for Admin users and then for users of your choosing with the right roles and permissions. You will find the permissions under Admin → Resources → Scheduled Tasks.

Scheduled Tasks can be created with the following intervals:

- Daily: at a specific time of day.
- Weekly: on specified days of a week at a specific time of day.
- Monthly: on specified days of a month at a specific time of day.
- Yearly: on specified months of a year, on specified days of each month, at a specific time of day.

You can also set the query execution time period with two possible choices:

- Predefined Range (“Yesterday”, “Last 7 days”...)
Custom Range period (“From”, “To”) using the Query API date syntaxGet all the details of Scheduled Tasks in our Documentation Data Search: New Complex Type operation addedThe “tuple” complex type operation is now available for use!  A tuple is a collection of sorted elements of any type (repeated or not).The difference between an array and a tuple lies in the fact that in the array all the elements are internally converted to the same type, while in the tuple they are not (each tuple element retains its type).Operation Meaning Syntax mktuple or () Creates a tuple from elements mktuple (ele_1,…,Ele_n) (ele_1,…,ele_n) at or [] Returns the n-th element in a tuple at (tuple,n) tuple [n] at0 Returns first element in a tuple at0 (tuple) at1 Returns second element in a tuple at1 (tuple) atend Returns the last element in a tuple atend (tuple) add(+) Concatenates two tuples add (tuple_1, tuple_2)  Additionally, you can use this complex type of operation in Alerts and Lookups as well. Here is a great example of this new complex type in use:from siem.logtrust.web.activity //create a tuple with multiple types    select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple    select (username ,srcPort, ip4(srcHost), true) as tuple2//some ways to select the fist item from a tuple    select tuple[0] as first_item_from_tuple    select at(tuple,0) as first_item_from_tuple2    select at0(tuple) as first_item_from_tuple3//retrieve the last item from a tuple    select atend(tuple) as last_item_from_tuple//concatenates two tuples    select tuple + tuple2 as tuple_concatenation//it is posible to filter each item by the underlying data type    where tuple[0] -> ""@""    where tuple[1] not in (ip4(95.63.39.51))    where atend(tuple) is true Lookups with CIDR as key first releaseAs part of a multi-step release for this functionality, Lookups now recognize 3 new key types:ipv6 net4 net6Nested Annotations for AlertsYou are now able to reply to existing annotations in 
Alerts, as well as edit and delete you own annotations.View the detailed options in our Documentation New Auditing Table for Alert Annotationsdevo.audit.alert.triggered table was added to audit actions concerning annotations. View the details of the new table in our Documentation New Rolling And Each Alerts with Subqueries parameter limitsA restriction has been implemented for rolling-type alerts and each-type alerts with subqueries. This is done to prevent excessively frequent queries over short periods of time. A ratio of 120 is enforced between period and frequency.  For example:For Each Alerts with Subqueries: Valid ratio → external offset 1m, internal period 2h(=120m) → 120/1 → 120 Valid ratio → external offset 2h, internal period 5d(=120h) → 120/2 → 60 Invalid ratio → external offset 1m, internal period 3h(=180m) → 180/1 → 180 See the full description and examples for Each Alerts with Subqueries in our Documentation See the full description and examples for Rolling Alerts with Subqueries in our Documentation New information included in Alerts Details windowThe Alerts details window in the triggered Alerts area now shows the timezone as well as the specific settings corresponding to the triggering method used when configured. Additional ImprovementsImproved messaging in Data Search Adjusted spacing in Roles page UI Alerts Filter by Name enhanced with Multi-selection dropdown containing all available options. Adjusted text boxes and descriptions in Roles Mapping UI Redesigned filter results message when no results found in Roles Mapping UI Flow now accepts HTTP codes greater than 599 Performance improvements 

Related products: Devo Platform

Devo Behavior Analytics Release 1.9

Devo’s product team is happy to present the latest version of our integrated EUBA, Behavior Analytics, to you! Devo Behavior Analytics 1.9 introduces a new step in the configuration process to allow for the definition of Whitelists. This enables users to input the values for Users, Devices and Domains they want whitelisted during the creation process. The new process is significantly improved by the ability to upload CSV lists to your whitelists as well! Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page here.

Geo Availability

Region   Status
CA       Released
US       Released
EU       Released
APAC     Released

Table of Contents

- New Features
  - Whitelist functionality
  - Upload Whitelist CSV

New Features

Whitelist functionality

Whitelisting is critically important for behavior analytics models: it removes well-known or noisy entities from the detection so that the true threat, which lingers as a change in behavior, can be found. The new Whitelist section looks like this:

Each section is further explained in this table:

Users: Displays all the current users that are whitelisted from the current use cases. Additionally, users can be entered manually in the textbox or uploaded via CSV. Users are all direct match string values. Example users: David Dark, david.dark@shadydealings.com, Ddark

Devices: Displays all the current devices that are whitelisted from the current use cases. Additionally, devices can be entered manually in the textbox or uploaded via CSV. Devices can be hostnames, IP addresses, ranges of IP addresses and CIDR blocks. Example devices: Hostname: MacBookPro_0002; IP Address: 174.1.54.54; IP Address Range: 173.1.54.100-173.1.54.130; CIDR Block: 172.16.14.128/25

Domains: Displays all the current domains that are whitelisted from the current use cases. Additionally, domains can be entered manually in the textbox or uploaded via CSV. Domains are all direct match string values. Example Domain: poc.shadydealings.com

Note: User, Device, and Domain whitelists are included in each use case whether or not they are present in the use case. If the use case does not include one of the entity types, then a warning message like the one below is displayed:

Upload Whitelist CSV

The upload CSV section enables users to take a CSV they have from another tool, or from lookups within Devo, and upload it. The upload section provides a couple of tools to make working with CSVs easier. The CSV can be dropped in and previewed within the screen. If the right column is not selected, the user can use the “Values Column” drop-down to select the correct column to be added to the whitelist. Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV. The user can also specify whether the CSV has a header row; if so, the first row in the CSV file is ignored when adding it to the whitelist. The last option is whether to add to or replace the existing whitelist with the contents being uploaded: if add is selected, all the values are appended to the whitelist; if replace is selected, the entire whitelist is overwritten by the uploaded values.

Haven’t tried Behavior Analytics yet? You should, it is part of the Devo Platform! Let us know what you think below!
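The matching semantics described above (direct string match for users and domains; hostname, single IP, IP range or CIDR block for devices) and the CSV upload options (values column, header row, add vs. replace), as an added illustration that is not Devo's own code. The CSV content, the `Whitelist` class and the helper names are constructed for this example; only the example values come from the release notes.

```python
import csv
import io
import ipaddress

# Constructed sample upload: a two-column CSV with a header row, where only
# the first column holds whitelist values (the "Values Column" choice).
SAMPLE_CSV = """hostname,owner
MacBookPro_0002,dave
174.1.54.54,ops
173.1.54.100-173.1.54.130,lab
172.16.14.128/25,guest-wifi
"""

def csv_column_values(csv_text, values_column, has_header):
    """Extract one column from an uploaded CSV (0-based index); when has_header
    is True the first row is ignored, as the upload option describes."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if has_header:
        rows = rows[1:]
    return [row[values_column].strip() for row in rows
            if values_column < len(row) and row[values_column].strip()]

def merge_whitelist(existing, uploaded, mode):
    """'add' appends the uploaded values to the list, 'replace' overwrites it.
    Duplicates are dropped while keeping first-seen order."""
    if mode == "replace":
        return list(dict.fromkeys(uploaded))
    if mode == "add":
        return list(dict.fromkeys(list(existing) + list(uploaded)))
    raise ValueError("mode must be 'add' or 'replace'")

def _parse_device(entry):
    """Classify a device entry as a CIDR block (a bare IP becomes a /32 or /128),
    an inclusive IP range 'a-b', or a hostname compared case-insensitively."""
    entry = entry.strip()
    try:
        return ("cidr", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        pass
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        try:
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            if lo.version == hi.version and lo <= hi:
                return ("range", (lo, hi))
        except ValueError:
            pass  # not two addresses, so treat it as a hostname containing '-'
    return ("host", entry.lower())

class Whitelist:
    """Users and domains are direct string matches; devices accept the four forms."""

    def __init__(self, users=(), devices=(), domains=()):
        self.users = set(users)
        self.domains = set(domains)
        self.devices = [_parse_device(d) for d in devices]

    def is_whitelisted(self, entity_type, value):
        if entity_type == "user":
            return value in self.users
        if entity_type == "domain":
            return value in self.domains
        if entity_type == "device":
            return self._device_match(value.strip())
        raise ValueError(f"unknown entity type: {entity_type}")

    def _device_match(self, value):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            addr = None  # not an IP, so only hostname entries can match
        for kind, spec in self.devices:
            if kind == "host":
                if addr is None and value.lower() == spec:
                    return True
            elif addr is None:
                continue
            elif kind == "cidr" and addr in spec:
                return True
            elif kind == "range" and addr.version == spec[0].version and spec[0] <= addr <= spec[1]:
                return True
        return False

def build_sample_whitelist():
    """Assemble the page's example users, devices (from the CSV) and domain."""
    devices = csv_column_values(SAMPLE_CSV, values_column=0, has_header=True)
    return Whitelist(users=["David Dark", "david.dark@shadydealings.com", "Ddark"],
                     devices=merge_whitelist([], devices, "add"),
                     domains=["poc.shadydealings.com"])
```

Note that a user or domain entry is an exact string, so "ddark" does not match "Ddark", while a device hostname is compared case-insensitively and an IP inside a listed range or block matches without being listed itself.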

Related products: Devo Behavior Analytics

Collector Catalog Update for April

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone!

Table of Contents

- New Collectors
  - Rapid7 InsightVM Cloud v1.0.0
- Updated Collectors
  - AWS v1.8.2
  - Microsoft Graph v2.0.0-beta2
  - Microsoft Defender ATP Endpoint v1.2.0
  - Rubrik v1.1.2
  - Cisco Umbrella S2 v1.2.0
  - Wiz v1.6.1
  - Okta V1.8.1
  - Azure v2.0.0-beta3
  - CyberArk Identity v1.1.2
  - Extrahop Revealx v1.2.0
  - AWS SQS V1.2.0

New Collectors

- Rapid7 InsightVM Cloud v1.0.0: Link to Documentation

Updated Collectors

- AWS v1.8.2: Link to Documentation
- Microsoft Graph v2.0.0-beta2: Link to Documentation
- Microsoft Defender ATP Endpoint v1.2.0: Link to Documentation
- Rubrik v1.1.2: Link to Documentation
- Cisco Umbrella S2 v1.2.0: Link to Documentation
- Wiz v1.6.1: Link to Documentation
- Okta V1.8.1: Link to Documentation
- Azure v2.0.0-beta3: Link to Documentation
- CyberArk Identity v1.1.2: Documentation coming soon
- Extrahop Revealx v1.2.0: Link to Documentation
- AWS SQS V1.2.0: Link to Documentation

Related products: Devo Integrations

Devo Exchange: MITRE ATT&CK Adviser 1.8

The MITRE ATT&CK Adviser is your alert coverage command center, and this new release brings with it more capabilities for you to manage your alert coverage. This release is available now for all geos! New to this release is the ability to update Alerts. We are always updating our alerts with the latest detections; you could already update them from Devo Exchange or Security Operations, and now you can update them from the Adviser as well. You will also be able to compare the old and updated alerts with this update. We have also added additional bulk actions to allow you to enable and disable groups of alerts. Managing your alert coverage has never been easier!

Geo Availability

Region   Status
CA       Released
US       Released
EU       Released
APAC     Released

Table of Contents

- New Features
  - Update Alerts in the Adviser
  - Compare Alert Contents
  - New Bulk Actions Added

New Features

Update Alerts in the Adviser

Alerts that are provided by Devo are constantly kept up to date with the latest MITRE ATT&CK versions, parser field changes, query operators, etc. These changes are pushed to Devo domains on a periodic basis to ensure that our customers are making use of the latest and greatest our platform has to offer in their detection stack. The ability to update alerts to these latest versions is present in Devo Exchange and Security Operations, and now, with the latest release of MITRE ATT&CK Adviser, users will be able to update the alerts in their existing coverage as well.

Compare Alert Contents

We have provided a view into the difference between the old alert and the new alert, giving the user confidence about the changes the update will make to their Devo Domain.

New Bulk Actions Added

The MITRE ATT&CK Adviser now includes additional bulk actions for alerts within the Alert coverage table. Today the application allows users to bulk install and uninstall alerts; with this release users will be able to bulk enable and disable alerts as well, controlling whether those alerts trigger.

If you haven’t installed the MITRE ATT&CK Adviser, get it here, for free!

Quick Link on Devo Exchange

- US Exchange
- CA Exchange
- EU Exchange
- APAC Exchange

Related products: Devo Exchange

Devo Platform Release 8.9.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.9.0 expands the availability of the TimeLine Widgets first introduced in Release 8.7.0 with the new Alerts Page. We have also created additional enhancements to the default Activeboard loading process, giving you full control over which Activeboard gets loaded on launch. The next enhancement adds more control over your widgets by adding new running operations at the widget level. Finally, we have improved user interactions in the Activeboard contextual menus. These Activeboard improvements help speed up and empower your visualization of your data!

Geo Availability

Region   Status
CA       Released
US       Released
EU       Released
APAC     Released

Table of Contents

- New Features
  - TimeLine Widget
  - Running operations at the widget level
- Enhancements
  - Enhanced Activeboard loading behavior on open
  - Activeboard Menu options improved

New Features

TimeLine Widget

The popular Timeline widget introduced in the Alert Page revamp from Release 8.7.0 is now available for you to use in your own Activeboards! The Timeline widget is a graphic representation of items sequenced in chronological order along a time line. This chart allows you to monitor how dated items are located over time.

Features:

- The time line is represented through a horizontal axis from left (oldest) to right (most recent).
- 2 Item Types:
  - Date: items that represent data at a specific date or point.
  - Duration: items that represent data with a specific “from … to” duration.
- Item Groups can be used to visually group selected items. Groups and subgroups are represented on the vertical axis.

This new widget has many customization options covered in our documentation. (link when doc pages are released)

Running operations at the widget level

We have added running operations at the Widget level to improve performance even further. These new operations are accessible through new clickable icons located at the right side of the widget header.

- Real-time allows the user to run the widget query in real-time mode.
- Refresh allows the user to run the widget query again.
- Abort allows the user to stop a widget query that is currently running.

Enhancements

Enhanced Activeboard loading behavior on open

Opening the Activeboard section will now be an easier and faster process to navigate and use. This update adds new behaviors for opening the Activeboard page depending on whether you have a default Activeboard selected. Here is the breakdown:

Default Activeboard set?   Behavior on page load
Yes                        The default Activeboard is loaded.
No                         The Activeboard manager opens and the user can choose which one to load.

Activeboard Menu options improved

The contextual menus now have the following enabled in edit mode:

- Edit details
- Clone
- Delete

Documentation pages are coming online shortly. This is a release preview until the release date and it is subject to change. Release date is April 02, 2024.

Related products: Devo Platform

Devo Security Operations: OOTB Alerts Release 24

We're thrilled to announce the latest updates and additions to our alerting system with Release 24. This release introduces a significant enhancement to our SIEM detection framework, focusing on improving threat detection accuracy and simplifying threat hunting for users. The key highlights of this release are the introduction of a new alert, SecOpsWinDnsExcessiveEmptyOrRefusedQueries, and the migration of existing alerts to the Devo Cyber Data Model, a common information model designed to streamline threat investigation processes.

To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for the detection name and manage your alerts. To update or install new alerts, visit Devo Exchange.

Table of Contents

- New Detections
  - SecOpsWinDnsExcessiveEmptyOrRefusedQueries
- Updated Detections
  - Migration to Devo Cyber Data Model

New Detections

SecOpsWinDnsExcessiveEmptyOrRefusedQueries

A new alert has been added to detect instances of excessive empty or refused DNS queries on Windows systems. This alert aims to provide proactive detection of potential malicious activity related to DNS, enhancing overall threat visibility.

Detection: SecOpsWinDnsExcessiveEmptyOrRefusedQueries
Description: Detects excessive empty or refused Windows DNS queries, a pattern associated with DNS tunneling. The threshold for the excessive query count should be modified to suit organizational needs.
Devo Tables / Data Src / Category: dns.windows
Changes made: New Alert

Updated Detections

Migration to Devo Cyber Data Model

Existing alerts have been migrated to the Devo Cyber Data Model. This migration aims to standardize data representation across alerts, facilitating easier correlation and analysis of threat data.
Users can now benefit from a unified schema for conducting comprehensive threat investigations.SecOpsAuthPasswordSprayHostSecOpsAuthPasswordSprayIpSecOpsCDPossibleIocIpFoundInAuthDataSecOpsLoginFailAttemptsSecOpsLoginFailCombinedSuccessedSecOpsO365AuthExcessiveFailedLoginsSingleSourceSecOpsSimultaneouslyLoginbyIPSecOpsEntityBehaviorEntropyUserSecOpsEntityNewServerSecOpsAzureUserAddedToRoleNonPIMSecOpsAzureUserInfoDownloadSecOpsAWSInstancesCreatedOrDeletedO365SecOpsActivityInfrequentCountryO365SecOpsActivityPerformedByTerminatedUserO365SecOpsAdministrativeActivityFromNonCorporateIPO365SecOpsAnomalousBehaviorDiscoveredUsersO365SecOpsArrowAdminFailedLogonO365SecOpsAzureADThreatIntelligenceO365SecOpsCloudDiscoveryAnomalyDetectionO365SecOpsGroupMembershipModifiedO365SecOpsMFADisabledAlertO365SecOpsMaliciousOAuthAppConsentO365SecOpsMalwareDetectionO365SecOpsMultipleDeleteVMO365SecOpsMultipleStorageDeletionActivitiesO365SecOpsMultipleVMCreationActivitiesO365SecOpsPermissionsAddedMailboxFolderO365SecOpsRansomwareActivityO365SecOpsSuspiciousEmailDeletionActivityO365SecOpsSuspiciousInboxForwardingO365SecOpsSuspiciousInboxManipulationRuleO365SecOpsSuspiciousOAuthAppFileDownloadO365SecOpsUnusualAdministrativeActivityO365SecOpsUnusualFileDeletionActivityO365SecOpsUnusualFileDownloadO365SecOpsUnusualImpersonatedActivityO365SecOpsHAFNIUMUserAgentsTargetingExchangeServersSecOpsLog4ShellVulnOverDomainsUnionTableConnectionsSecOpsPossibleDnsEncodingQuerySecOpsTLDFromDomainNotInMozillaTLDSecOpsUnusualUseragentLengthSecOpsAnonymousConnectionSecOpsCDFWSrcIpIsPossibleIocSecOpsCDHuntFWdstIpIsPossibleIocSecOpsFWEmbargoedCountryInboundTrafficDetectedSecOpsFWEmbargoedCountryOutboundTrafficDetectedSecOpsFWExcessFirewallDeniesSecOpsFWExcessFirewallDeniesOutboundSecOpsFWExternalSMBTrafficDetectedFirewallSecOpsFWIcmpExcessivePacketsSecOpsFWIpScanExternalSecOpsFWIpScanInternalSecOpsFWIrcTrafficExternalDestinationSecOpsFWPortScanExternalSourceSecOpsFWPortScanInternalSourceSecOpsFWPortSweepInternalS
ourceSecOpsFWRDPExternalAccessSecOpsFWSMBInboundScanningDetectedSecOpsFWSMBInternalScanningDetectedSecOpsFWSMBTrafficOutboundSecOpsFWSigredSecOpsFWTrafficForeignDestinationSecOpsFWTrafficOnUnassignedLowPortSecOpsFwTftpOutboundTrafficSecOpsHAFNIUMNetworkActivityTargetingExchangeServersSecOpsLog4ShellVulnOverFirewallTrafficConnectionsSecOpsPossibleTrafficMirroringSecOpsRevilKaseyaNetworkActivitySecOpsVNCPortOpenSecOpsPossiblePortKnockingSecOpsCDIocUrlSuspiciousProxyDataSecOpsCDProxyDstIpSecOpsCDProxySrcIpSecOpsDynamicDNSDetectedSecOpsIPInsteadADomaInInURLSecOpsLog4ShellVulnerabilityOverProxyConnectionsSecOpsMultipleHTTPMethodsUsedSecOpsNonStandardHTTPMethodSecOpsOutboundTrafficToDeviceFlaggedAsThreatSecOpsOutcomingUnauthenticatedArbitraryFileReadInVMwareVCenterSecOpsPortIntoURLSecOpsProxyHighRiskFileExtensionSecOpsProxyHttpSingleCharacterFileNameRequestSecOpsREvilKaseyaWebShellsUploadConnSecOpsSeveralAccessByProxySecOpsUserBlockedbyProxySecOpsHAFNIUMHashFoundFileTargetingExchangeServersSecOpsREvilKaseyaHashFoundSecOpsRemoteDesktopProtocolScanSecOpsBackupFileAccessAttemptSecOpsCDIocIpSuspiciousWebDataSecOpsCDWebSrcIpSecOpsConfigurationFileAccessAttemptSecOpsCredentialsFileAccessAttemptSecOpsDatabaseFileAccessAttemptSecOpsDiscoveringPasswordFilesSecOpsExplotationAttemptF5BigIpSecOpsHAFNIUMHttpPostTargetingExchangeServersSecOpsHAFNIUMWebShellsTargetingExchangeServersSecOpsHTTPQueryNonStandardMethodSecOpsHTTPQueryUserAgentLengthOutsizeSecOpsIncomingUnauthenticatedArbitraryFileReadInVMwareVCenterSecOpsLog4ShellVulnerabilityOverWebServerConnectionsSecOpsLogRelatedFileAccessAttemptSecOpsMalwareFileAccessAttemptSecOpsPossibleFuzzingAttackSecOpsPossibleInjectionUserAgentSecOpsPossiblePathTrasversalInjectionSecOpsPossiblePhishingKitByRefererSecOpsREvilKaseyaWebShellsSecOpsRobotFileAskingByNoRobotSecOpsSeveralError4xxSecOpsSoftwareInfoAccessAttemptSecOpsWebShellFileSuspiciousSecOpsADAccountNoExpiresSecOpsADPasswdNoExpiresSecOpsAPT29byGoogleUpdateServiceInstallSecOpsAccountsCreat
edRemovedWithinFourHoursSecOpsAppInitDLLsLoadedSecOpsBlackByteRansomwareRegChangesPowershellSecOpsBlackByteRansomwareRegistryChangesSecOpsBlackKingdomWebshellInstalationSecOpsBlankPasswordAskSecOpsBypassUserAccountControlSecOpsChangesAccessibilityBinariesSecOpsDLLWithNonUsualPathSecOpsDeletingMassAmountOfFilesSecOpsFailLogOnSecOpsFsutilSuspiciousInvocationSecOpsGenericRansomwareBehaviorIpScannerSecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServersSecOpsIntegrityProblemSecOpsLocalUserCreationSecOpsLolbinBitsadminTransferSecOpsLolbinCertocexecutionSecOpsLolbinCertreqSecOpsLolbinCertutilSecOpsLolbinConfigsecuritypolicySecOpsLolbinDatasvcutilSecOpsLolbinMshtaSecOpsMaliciousPowerShellCommandletNamesSecOpsMaliciousPowerShellPrebuiltCommandletSecOpsMaliciousServiceInstallationsSecOpsMultipleMachineAccessedbyUserSecOpsNewAccountCreatedSecOpsNtdsSecOpsOsCredentialDumpingGsecdumpSecOpsPassTheHashActivityLoginBehaviourSecOpsPersistenceAndExecutionViaGPOScheduledTaskSecOpsPsExecToolExecutionSecOpsRansomwareBehaviorMazeSecOpsRansomwareBehaviorNotPetyaSecOpsRansomwareBehaviorRyukSecOpsRareServiceInstallsSecOpsResetPasswordAttemptSecOpsRevilKaseyaRegistryKeySecOpsSIGRedExploitMicrosoftWindowsDNSSecOpsSecurityEnabledLocalGroupChangedSecOpsSeveralPasswordChangesSecOpsShadowCopiesDeletionSecOpsStoneDrillServiceInstallSecOpsStopSqlServicesRunningSecOpsSuspiciousBehaviorAppInitDLLSecOpsSuspiciousEventlogClearUsingWevtutilSecOpsSuspiciousWMIExecutionSecOpsTurlaPNGDropperServiceSecOpsTurlaServiceInstallSecOpsUserAccountChangedSecOpsWINWmiMOFProcessExecutionSecOpsWannaCryBehaviorSecOpsWermgrConnectingToIPCheckWebServicesSecOpsWinADDomainEnumerationSecOpsWinActivateNoCloseGroupPolicyFeatureSecOpsWinActivateNoControlPanelGroupPolicyFeatureSecOpsWinActivateNoFileMenuGroupPolicyFeatureSecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeatureSecOpsWinActivateNoSetTaskbarGroupPolicyFeatureSecOpsWinActivateNoTrayContextMenuGroupPolicyFeatureSecOpsWinAddRegistryValueToLoadSrvcInSafeModeWO
NetworkSecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetworkSecOpsWinAdminRemoteLogonSecOpsWinAdminShareSuspiciousUseSecOpsWinAnonymousAccountCreatedSecOpsWinAppInstallerExecutionSecOpsWinAttackerToolsOnEndpointSecOpsWinAttemptToAddCertificateToStoreSecOpsWinAuditLogClearedSecOpsWinAutomatedCollectionCmdSecOpsWinAutomatedCollectionPowershellSecOpsWinBackupCatalogDeletedSecOpsWinCompressEncryptDataSecOpsWinCredentialDumpingNppspySecOpsWinCritServiceStoppedSecOpsWinCurlSecOpsWinDcShadowDetectedSecOpsWinDefenderDownloadActivitySecOpsWinDisableAntispywareRegistrySecOpsWinDisableUacSecOpsWinDnsExeParentProcessSecOpsWinDomainTrustActivitySecOpsWinExcessiveUserInteractiveLoginSecOpsWinExternalDeviceInstallationDeniedSecOpsWinFTPScriptExecutionSecOpsWinFakeProcessesSecOpsWinFsutilDeleteChangeJournalSecOpsWinGatherVictimIdentitySAMInfoSecOpsWinGoldenSamlCertificateExportSecOpsWinIISWebRootProcessExecutionSecOpsWinIcmpExfiltrationSecOpsWinInvokewebrequestUseSecOpsWinKerberosUserEnumerationSecOpsWinLocalSystemExecuteWhoamiSecOpsWinLockoutsEndpointSecOpsWinLsassKeyModificationSecOpsWinLsassMemDumpSecOpsWinMapSmbShareSecOpsWinMemoryCorruptionVulnerabilitySecOpsWinMimikatzLsadumpSecOpsWinModifyShowCompressColorAndInfoTipRegistrySecOpsWinMsiExecInstallWebSecOpsWinNetworkShareCreatedSecOpsWinNewPsDriveSecOpsWinOfficeBrowserLaunchingShellSecOpsWinPermissionGroupDiscoverySecOpsWinPotentialPassTheHashSecOpsWinPowerSettingsSecOpsWinPowershellKeylogginSecOpsWinPowershellProcessDiscoverySecOpsWinPowershellSetExecutionPolicyBypassSecOpsWinRcloneExecutionSecOpsWinRegUtilityHiveExportSecOpsWinRegistryModificationActivateNoRunGroupPolicySecOpsWinRegistryModificationDisableCMDAppSecOpsWinRegistryModificationDisableChangePasswdFeatureSecOpsWinRegistryModificationDisableLockWSFeatureSecOpsWinRegistryModificationDisableLogOffButtonSecOpsWinRegistryModificationDisableNotificationCenterSecOpsWinRegistryModificationDisableRegistryToolSecOpsWinRegistryModificationDisableShutdownButtonSecOpsWinReg
istryModificationDisableTaskmgrSecOpsWinRegistryModificationGlobalFolderOptionsSecOpsWinRegistryModificationHideClockGroupPolicyFeatureSecOpsWinRegistryModificationHideSCAHealthSecOpsWinRegistryModificationHideSCANetworkSecOpsWinRegistryModificationHideSCAPowerSecOpsWinRegistryModificationHideSCAVolumeSecOpsWinRegistryModificationIExplorerSecZoneSecOpsWinRegistryModificationNewTrustedSiteSecOpsWinRegistryModificationNoDesktopGroupPolicySecOpsWinRegistryModificationNoFindGroupPolicyFeatureSecOpsWinRegistryModificationPowershellLoggingDisabledSecOpsWinRegistryModificationRunKeyAddedSecOpsWinRegistryModificationStoreLogonCredSecOpsWinRegistryQuerySecOpsWinRemoteSystemDiscoverySecOpsWinRunasCommandExecutionSecOpsWinSamStoppedSecOpsWinScheduledTaskCreationSecOpsWinSchtasksForcedRebootSecOpsWinSchtasksRemoteSystemSecOpsWinSensitiveFilesSecOpsWinServiceCreatedNonStandardPathSecOpsWinShadowCopyDetectedSecOpsWinSmtpExfiltrationSecOpsWinSpoolsvExeAbnormalProcessSpawnSecOpsWinSuspiciousExternalDeviceInstallationSecOpsWinSuspiciousWritesToRecycleBinSecOpsWinSysInfoGatheringUsingDxdiagSecOpsWinSysInternalsActivityDetectedSecOpsWinSysTimeDiscoverySecOpsWinTFTPExecutionSecOpsWinUserAddedPrivlegedSecGroupSecOpsWinUserAddedSelfToSecGroupSecOpsWinUserAddedToLocalSecurityEnabledGroupSecOpsWinUserCreationAbnormalNamingConventionSecOpsWinUserCredentialDumpRegistrySecOpsWinWMIPermanentEventSubscriptionSecOpsWinWMIReconRunningProcessOrSrvcsSecOpsWinWebclientClassUseSecOpsWinWifiCredHarvestNetshSecOpsWinWmiExecVbsScriptSecOpsWinWmiLaunchingShellSecOpsWinWmiProcessCallCreateSecOpsWinWmiScriptExecutionSecOpsWinWmiTemporaryEventSubscriptionSecOpsWinWmiprvseSpawningProcessSecOpsMoveitWebShellSecOpsWinDnsExcessiveEmptyOrRefusedQueries
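The logic behind the new SecOpsWinDnsExcessiveEmptyOrRefusedQueries detection described above (count a client's empty or refused responses inside a time window and flag clients at or over a tunable threshold), as an added illustration that is not Devo's alert query. The event layout and the default threshold are assumptions for this example, not the schema of the dns.windows table, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample events as (timestamp, client, query name, response
    code, answer count). The layout is an assumption made for this example."""
    base = datetime(2024, 4, 2, 10, 0, 0)
    events = []
    # Benign client: routine lookups that resolve, plus one typo answered NXDOMAIN.
    for i in range(6):
        events.append((base + timedelta(seconds=10 * i), "10.0.0.5",
                       "update.example.com", "NOERROR", 1))
    events.append((base + timedelta(seconds=65), "10.0.0.5",
                   "updte.example.com", "NXDOMAIN", 0))
    # Noisy client: a burst of lookups for ever-changing labels under one
    # domain, every one of them answered empty or refused.
    for i in range(12):
        rcode = "REFUSED" if i % 3 == 0 else "NXDOMAIN"
        events.append((base + timedelta(seconds=15 * i), "10.0.0.9",
                       f"lbl{i:02d}.tun.example.net", rcode, 0))
    return events

def is_empty_or_refused(rcode, answer_count):
    """A response counts if the server refused it or it carried no answers
    (NXDOMAIN and NOERROR/NODATA both arrive with an empty answer section)."""
    return rcode == "REFUSED" or answer_count == 0

def find_excessive_clients(events, threshold=10, window=timedelta(minutes=5)):
    """Count empty/refused responses per client in fixed windows measured from
    the first event; return {client: count} for the busiest window of any
    client that reaches the threshold. The threshold (default chosen for this
    example) is the knob the release notes say to tune per organization."""
    if not events:
        return {}
    t0 = min(ev[0] for ev in events)
    window_s = window.total_seconds()
    counts = defaultdict(int)
    for ts, client, _qname, rcode, answers in events:
        if is_empty_or_refused(rcode, answers):
            bucket = int((ts - t0).total_seconds() // window_s)
            counts[(client, bucket)] += 1
    flagged = {}
    for (client, _bucket), n in counts.items():
        if n >= threshold and n > flagged.get(client, 0):
            flagged[client] = n
    return flagged
```

With the constructed events, only 10.0.0.9 is flagged (12 empty or refused responses in one window); the benign client's single NXDOMAIN stays well under the threshold, which is why the threshold has to be set against the normal failure rate of your own resolvers.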

Related products: Devo SecOps