Popular Updates

Devo Behavior Analytics Release 1.9

Devo’s product team is happy to present the latest version of our integrated EUBA, Behavior Analytics. Devo Behavior Analytics 1.9 introduces a new step in the configuration process for defining whitelists. During use case creation, users can now enter the Users, Devices and Domains they want whitelisted, and can upload CSV lists to their whitelists as well.

Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page.

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents

New Features
  Whitelist functionality
  Upload Whitelist CSV

New Features

Whitelist functionality

Whitelisting is critically important for behavior analytics models: removing well-known or noisy entities from detection lets the true threat surface as a change in behavior. The new Whitelist section has three parts, explained in this table:

Name     Description
Users    Displays all the users currently whitelisted from the use case. Users can also be entered manually in the textbox or uploaded via CSV. Users are direct (exact) string matches.
         Example users: David Dark; david.dark@shadydealings.com; Ddark
Devices  Displays all the devices currently whitelisted from the use case. Devices can also be entered manually in the textbox or uploaded via CSV. Devices can be hostnames, IP addresses, IP address ranges or CIDR blocks.
         Example devices: Hostname: MacBookPro_0002; IP address: 174.1.54.54; IP address range: 173.1.54.100-173.1.54.130; CIDR block: 172.16.14.128/25
Domains  Displays all the domains currently whitelisted from the use case. Domains can also be entered manually in the textbox or uploaded via CSV. Domains are direct (exact) string matches.
         Example domain: poc.shadydealings.com

Note: the User, Device and Domain whitelists are shown in every use case whether or not the use case uses that entity type. If the use case does not include one of the entity types, a warning message is displayed for it.

Upload Whitelist CSV

The upload CSV section lets users take a CSV they have from another tool, or from lookups within Devo, and upload it. The upload section provides a few tools to make working with CSVs easier:
- The CSV can be dropped in and previewed on screen.
- If the wrong column is selected, use the “Values Column” drop-down to pick the column to add to the whitelist. Only one column can be selected at a time, but multiple uploads can be used to add several columns from the same CSV.
- Specify whether the CSV has a header row; if it does, the first row of the file is ignored when adding values to the whitelist.
- Choose whether to add to or replace the existing whitelist: with Add, all uploaded values are appended to the whitelist; with Replace, the entire whitelist is overwritten by the uploaded values.

Haven’t tried Behavior Analytics yet? You should, it is part of the Devo Platform! Let us know what you think below!
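The whitelist semantics described above (direct string matches for users and domains; devices as hostnames, single IPs, dotted ranges or CIDR blocks; CSV upload with a chosen values column, an optional header row, and add versus replace mode) as an added Python example. This is not Devo code: the Whitelist class, the event field names and the sample CSV are assumptions constructed for illustration, and hostnames are matched as direct strings, as the table says.

```python
import csv
import io
import ipaddress

# Constructed sample CSV in the shape the upload dialog accepts: a header row and
# several columns, of which one "Values Column" is chosen per upload.
DEVICES_CSV = """hostname,address,owner
MacBookPro_0002,174.1.54.54,ddark
scanner-01,173.1.54.100-173.1.54.130,secops
vpn-pool,172.16.14.128/25,netops
"""


def csv_column(text, column, has_header):
    """One column of a CSV, as the upload step extracts it. `column` is a 0-based
    index, or a header name when has_header is True (the header row is skipped)."""
    rows = list(csv.reader(io.StringIO(text)))
    if has_header:
        header, rows = rows[0], rows[1:]
        column = header.index(column) if isinstance(column, str) else column
    return [r[column].strip() for r in rows if len(r) > column and r[column].strip()]


def parse_device(value):
    """Classify a device entry as ('net', ip_network), ('range', (lo, hi)) or
    ('host', name). A dash only means an IP range when both sides parse as
    addresses, so hostnames such as scanner-01 stay hostnames."""
    v = value.strip()
    if "/" in v:                                     # CIDR block
        return "net", ipaddress.ip_network(v, strict=False)
    if "-" in v:                                     # possible a-b range
        lo_s, _, hi_s = v.partition("-")
        try:
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        except ValueError:
            return "host", v
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {v!r}")
        return "range", (lo, hi)
    try:                                             # single IP becomes /32 or /128
        return "net", ipaddress.ip_network(v)
    except ValueError:
        return "host", v


class Whitelist:
    """Users, domains and hostnames are direct string matches; IP devices may be
    single addresses, ranges or CIDR blocks, as in the table above."""

    def __init__(self):
        self.users, self.domains, self.hosts = set(), set(), set()
        self.nets, self.ranges = [], []

    def upload(self, kind, values, mode="add"):
        """Apply one upload: 'add' appends to the list, 'replace' overwrites it."""
        if mode not in ("add", "replace"):
            raise ValueError(f"unknown mode {mode!r}")
        if kind in ("users", "domains"):
            target = getattr(self, kind)
            if mode == "replace":
                target.clear()
            target.update(v.strip() for v in values if v.strip())
        elif kind == "devices":
            if mode == "replace":
                self.hosts.clear()
                self.nets.clear()
                self.ranges.clear()
            for v in values:
                typ, parsed = parse_device(v)
                {"host": self.hosts.add, "net": self.nets.append,
                 "range": self.ranges.append}[typ](parsed)
        else:
            raise ValueError(f"unknown whitelist {kind!r}")

    def device_matches(self, device):
        if device in self.hosts:
            return True
        try:
            ip = ipaddress.ip_address(device)
        except ValueError:
            return False                             # hostname that is not whitelisted
        return any(ip in n for n in self.nets) or any(
            lo <= ip <= hi for lo, hi in self.ranges if lo.version == ip.version)

    def is_whitelisted(self, event):
        # Any whitelisted entity removes the event before the model scores it.
        return (event.get("user") in self.users or event.get("domain") in self.domains
                or self.device_matches(event.get("device", "")))


def build_demo_whitelist():
    wl = Whitelist()
    wl.upload("users", ["David Dark", "david.dark@shadydealings.com", "Ddark"])
    wl.upload("domains", ["poc.shadydealings.com"])
    # Two uploads from the same CSV, one selected column each, as the dialog requires.
    wl.upload("devices", csv_column(DEVICES_CSV, "hostname", True))
    wl.upload("devices", csv_column(DEVICES_CSV, "address", True), mode="add")
    return wl


def filter_events(events, wl):
    return [e for e in events if not wl.is_whitelisted(e)]


# Constructed events; the field names are assumptions for this example.
EVENTS = [
    {"user": "Ddark", "device": "10.0.0.5", "domain": "example.org"},
    {"user": "jdoe", "device": "172.16.14.200", "domain": "example.org"},
    {"user": "jdoe", "device": "173.1.54.131", "domain": "example.org"},
    {"user": "jdoe", "device": "scanner-01", "domain": "example.org"},
    {"user": "jdoe", "device": "10.0.0.7", "domain": "poc.shadydealings.com"},
    {"user": "ddark", "device": "10.0.0.9", "domain": "example.org"},
]

if __name__ == "__main__":
    for e in filter_events(EVENTS, build_demo_whitelist()):
        print("kept for modeling:", e)
```

Two details matter operationally: because users and domains are direct matches, "ddark" is not covered by a whitelist entry for "Ddark", so casing in uploaded CSVs has to match the data; and 173.1.54.131 falls one address outside the 173.1.54.100-173.1.54.130 range and is therefore still modeled.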

Related products:Devo Behavior Analytics

Collector Catalog Update for April

Every month the integrations team works on new and updated collectors, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone.

New Collectors
- Rapid7 InsightVM Cloud v1.0.0 (link to documentation)

Updated Collectors
- AWS v1.8.2 (link to documentation)
- Microsoft Graph v2.0.0-beta2 (link to documentation)
- Microsoft Defender ATP Endpoint v1.2.0 (link to documentation)
- Rubrik v1.1.2 (link to documentation)
- Cisco Umbrella S2 v1.2.0 (link to documentation)
- Wiz v1.6.1 (link to documentation)
- Okta v1.8.1 (link to documentation)
- Azure v2.0.0-beta3 (link to documentation)
- CyberArk Identity v1.1.2 (documentation coming soon)
- ExtraHop Reveal(x) v1.2.0 (link to documentation)
- AWS SQS v1.2.0 (link to documentation)

Related products:Devo Integrations

Devo Exchange: MITRE ATT&CK Adviser 1.8

The MITRE ATT&CK Adviser is your alert coverage command center, and this new release brings more capabilities for managing your alert coverage. This release is available now for all geos!

New in this release is the ability to update Alerts. We are always updating our alerts with the latest detections; you could already update them from Devo Exchange or Security Operations, and now you can update them from the Adviser as well. You can also compare the old and updated alerts before applying the update. We have also added bulk actions to enable and disable groups of alerts. Managing your alert coverage has never been easier!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents

New Features
  Update Alerts in the Adviser
  Compare Alert Contents
  New Bulk Actions Added

New Features

Update Alerts in the Adviser

Alerts provided by Devo are kept up to date with the latest MITRE ATT&CK versions, parser field changes, query operators, and so on. These changes are pushed to Devo domains periodically so that our customers' detection stacks use the latest the platform has to offer. The ability to update alerts to these latest versions already exists in Devo Exchange and Security Operations; with this release of the MITRE ATT&CK Adviser, users can update the alerts in their existing coverage from the Adviser as well.

Compare Alert Contents

We provide a view of the difference between the old alert and the new alert, giving the user confidence about the changes the update will make to their Devo domain.

New Bulk Actions Added

The MITRE ATT&CK Adviser now includes additional bulk actions for alerts in the Alert coverage table. The application already allowed users to bulk install and uninstall alerts; with this release users can also bulk enable and disable alerts, which controls whether they trigger.

If you haven’t installed the MITRE ATT&CK Adviser, get it here, for free! Quick links on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange.

Related products:Devo Exchange

Devo Platform Release 8.9.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.9.0 expands the availability of the Timeline widget first introduced with the new Alerts page in Release 8.7.0. We have also enhanced the default Activeboard loading process, giving you full control over which Activeboard is loaded on launch. Next, a new enhancement adds more control over your widgets with running operations at the widget level. Finally, we have improved user interaction in the Activeboard contextual menus. These Activeboard improvements speed up and empower your visualization of your data!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents

New Features
  Timeline Widget
  Running operations at the widget level
Enhancements
  Enhanced Activeboard loading behavior on open
  Activeboard menu options improved

New Features

Timeline Widget

The popular Timeline widget introduced in the Alerts page revamp of Release 8.7.0 is now available for use in your own Activeboards! The Timeline widget is a graphic representation of items sequenced in chronological order along a time line, letting you monitor how dated items are distributed over time.

Features:
- The time line is represented by a horizontal axis from left (oldest) to right (most recent).
- Two item types:
  - Date: items that represent data at a specific date or point in time.
  - Duration: items that represent data with a specific “from … to” duration.
- Item groups can be used to visually group selected items. Groups and subgroups are represented on the vertical axis.

This new widget has many customization options, covered in our documentation (link when the doc pages are released).

Running operations at the widget level

We have added running operations at the widget level to improve performance even further. These operations are accessible through new clickable icons at the right side of the widget header:
- Real-time runs the widget query in real-time mode.
- Refresh runs the widget query again.
- Abort stops a widget query that is currently running.

Enhancements

Enhanced Activeboard loading behavior on open

Opening the Activeboard section is now easier and faster to navigate and use. This update defines the behavior of the Activeboard page on open depending on whether you have a default Activeboard selected:

Default Activeboard set?   Behavior on page load
Yes                        The default Activeboard is loaded.
No                         The Activeboard manager opens and the user can choose which one to load.

Activeboard menu options improved

The contextual menus now enable the following in edit mode:
- Edit details
- Clone
- Delete

Documentation pages are coming online shortly. This is a release preview until the release date and it is subject to change. Release date is April 02, 2024.

Related products:Devo Platform

Devo Security Operations: OOTB Alerts Release 24

We're thrilled to announce the latest updates and additions to our alerting system with Release 24. This release introduces a significant enhancement to our SIEM detection framework, focused on improving threat detection accuracy and simplifying threat hunting. The key highlights are a new alert, SecOpsWinDnsExcessiveEmptyOrRefusedQueries, and the migration of existing alerts to the Devo Cyber Data Model, a common information model designed to streamline threat investigation.

To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for the detection name and manage your alerts. To update or install new alerts, visit Devo Exchange.

Table of Contents

New Detections
  SecOpsWinDnsExcessiveEmptyOrRefusedQueries
Updated Detections
  Migration to Devo Cyber Data Model

New Detections

SecOpsWinDnsExcessiveEmptyOrRefusedQueries

A new alert has been added to detect excessive empty or refused DNS queries on Windows DNS servers. It provides proactive detection of potential malicious DNS activity, such as tunneling, and enhances overall threat visibility.

Detection: SecOpsWinDnsExcessiveEmptyOrRefusedQueries
Description: Detects an excessive count of empty or refused Windows DNS queries, a possible sign of DNS tunneling. The threshold for the excessive query count should be modified to suit organizational needs.
Devo Tables / Data Source / Category: dns.windows
Changes made: New Alert

Updated Detections

Migration to Devo Cyber Data Model

Existing alerts have been migrated to the Devo Cyber Data Model. This migration standardizes data representation across alerts, facilitating easier correlation and analysis of threat data.
Users can now benefit from a unified schema for conducting comprehensive threat investigations. The migrated alerts are:

SecOpsAuthPasswordSprayHost
SecOpsAuthPasswordSprayIp
SecOpsCDPossibleIocIpFoundInAuthData
SecOpsLoginFailAttempts
SecOpsLoginFailCombinedSuccessed
SecOpsO365AuthExcessiveFailedLoginsSingleSource
SecOpsSimultaneouslyLoginbyIP
SecOpsEntityBehaviorEntropyUser
SecOpsEntityNewServer
SecOpsAzureUserAddedToRoleNonPIM
SecOpsAzureUserInfoDownload
SecOpsAWSInstancesCreatedOrDeleted
O365SecOpsActivityInfrequentCountry
O365SecOpsActivityPerformedByTerminatedUser
O365SecOpsAdministrativeActivityFromNonCorporateIP
O365SecOpsAnomalousBehaviorDiscoveredUsers
O365SecOpsArrowAdminFailedLogon
O365SecOpsAzureADThreatIntelligence
O365SecOpsCloudDiscoveryAnomalyDetection
O365SecOpsGroupMembershipModified
O365SecOpsMFADisabledAlert
O365SecOpsMaliciousOAuthAppConsent
O365SecOpsMalwareDetection
O365SecOpsMultipleDeleteVM
O365SecOpsMultipleStorageDeletionActivities
O365SecOpsMultipleVMCreationActivities
O365SecOpsPermissionsAddedMailboxFolder
O365SecOpsRansomwareActivity
O365SecOpsSuspiciousEmailDeletionActivity
O365SecOpsSuspiciousInboxForwarding
O365SecOpsSuspiciousInboxManipulationRule
O365SecOpsSuspiciousOAuthAppFileDownload
O365SecOpsUnusualAdministrativeActivity
O365SecOpsUnusualFileDeletionActivity
O365SecOpsUnusualFileDownload
O365SecOpsUnusualImpersonatedActivity
O365SecOpsHAFNIUMUserAgentsTargetingExchangeServers
SecOpsLog4ShellVulnOverDomainsUnionTableConnections
SecOpsPossibleDnsEncodingQuery
SecOpsTLDFromDomainNotInMozillaTLD
SecOpsUnusualUseragentLength
SecOpsAnonymousConnection
SecOpsCDFWSrcIpIsPossibleIoc
SecOpsCDHuntFWdstIpIsPossibleIoc
SecOpsFWEmbargoedCountryInboundTrafficDetected
SecOpsFWEmbargoedCountryOutboundTrafficDetected
SecOpsFWExcessFirewallDenies
SecOpsFWExcessFirewallDeniesOutbound
SecOpsFWExternalSMBTrafficDetectedFirewall
SecOpsFWIcmpExcessivePackets
SecOpsFWIpScanExternal
SecOpsFWIpScanInternal
SecOpsFWIrcTrafficExternalDestination
SecOpsFWPortScanExternalSource
SecOpsFWPortScanInternalSource
SecOpsFWPortSweepInternalSource
SecOpsFWRDPExternalAccess
SecOpsFWSMBInboundScanningDetected
SecOpsFWSMBInternalScanningDetected
SecOpsFWSMBTrafficOutbound
SecOpsFWSigred
SecOpsFWTrafficForeignDestination
SecOpsFWTrafficOnUnassignedLowPort
SecOpsFwTftpOutboundTraffic
SecOpsHAFNIUMNetworkActivityTargetingExchangeServers
SecOpsLog4ShellVulnOverFirewallTrafficConnections
SecOpsPossibleTrafficMirroring
SecOpsRevilKaseyaNetworkActivity
SecOpsVNCPortOpen
SecOpsPossiblePortKnocking
SecOpsCDIocUrlSuspiciousProxyData
SecOpsCDProxyDstIp
SecOpsCDProxySrcIp
SecOpsDynamicDNSDetected
SecOpsIPInsteadADomaInInURL
SecOpsLog4ShellVulnerabilityOverProxyConnections
SecOpsMultipleHTTPMethodsUsed
SecOpsNonStandardHTTPMethod
SecOpsOutboundTrafficToDeviceFlaggedAsThreat
SecOpsOutcomingUnauthenticatedArbitraryFileReadInVMwareVCenter
SecOpsPortIntoURL
SecOpsProxyHighRiskFileExtension
SecOpsProxyHttpSingleCharacterFileNameRequest
SecOpsREvilKaseyaWebShellsUploadConn
SecOpsSeveralAccessByProxy
SecOpsUserBlockedbyProxy
SecOpsHAFNIUMHashFoundFileTargetingExchangeServers
SecOpsREvilKaseyaHashFound
SecOpsRemoteDesktopProtocolScan
SecOpsBackupFileAccessAttempt
SecOpsCDIocIpSuspiciousWebData
SecOpsCDWebSrcIp
SecOpsConfigurationFileAccessAttempt
SecOpsCredentialsFileAccessAttempt
SecOpsDatabaseFileAccessAttempt
SecOpsDiscoveringPasswordFiles
SecOpsExplotationAttemptF5BigIp
SecOpsHAFNIUMHttpPostTargetingExchangeServers
SecOpsHAFNIUMWebShellsTargetingExchangeServers
SecOpsHTTPQueryNonStandardMethod
SecOpsHTTPQueryUserAgentLengthOutsize
SecOpsIncomingUnauthenticatedArbitraryFileReadInVMwareVCenter
SecOpsLog4ShellVulnerabilityOverWebServerConnections
SecOpsLogRelatedFileAccessAttempt
SecOpsMalwareFileAccessAttempt
SecOpsPossibleFuzzingAttack
SecOpsPossibleInjectionUserAgent
SecOpsPossiblePathTrasversalInjection
SecOpsPossiblePhishingKitByReferer
SecOpsREvilKaseyaWebShells
SecOpsRobotFileAskingByNoRobot
SecOpsSeveralError4xx
SecOpsSoftwareInfoAccessAttempt
SecOpsWebShellFileSuspicious
SecOpsADAccountNoExpires
SecOpsADPasswdNoExpires
SecOpsAPT29byGoogleUpdateServiceInstall
SecOpsAccountsCreatedRemovedWithinFourHours
SecOpsAppInitDLLsLoaded
SecOpsBlackByteRansomwareRegChangesPowershell
SecOpsBlackByteRansomwareRegistryChanges
SecOpsBlackKingdomWebshellInstalation
SecOpsBlankPasswordAsk
SecOpsBypassUserAcc​ountControl
SecOpsChangesAccessibilityBinaries
SecOpsDLLWithNonUsualPath
SecOpsDeletingMassAmountOfFiles
SecOpsFailLogOn
SecOpsFsutilSuspiciousInvocation
SecOpsGenericRansomwareBehaviorIpScanner
SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers
SecOpsIntegrityProblem
SecOpsLocalUserCreation
SecOpsLolbinBitsadminTransfer
SecOpsLolbinCertocexecution
SecOpsLolbinCertreq
SecOpsLolbinCertutil
SecOpsLolbinConfigsecuritypolicy
SecOpsLolbinDatasvcutil
SecOpsLolbinMshta
SecOpsMaliciousPowerShellCommandletNames
SecOpsMaliciousPowerShellPrebuiltCommandlet
SecOpsMaliciousServiceInstallations
SecOpsMultipleMachineAccessedbyUser
SecOpsNewAccountCreated
SecOpsNtds
SecOpsOsCredentialDumpingGsecdump
SecOpsPassTheHashActivityLoginBehaviour
SecOpsPersistenceAndExecutionViaGPOScheduledTask
SecOpsPsExecToolExecution
SecOpsRansomwareBehaviorMaze
SecOpsRansomwareBehaviorNotPetya
SecOpsRansomwareBehaviorRyuk
SecOpsRareServiceInstalls
SecOpsResetPasswordAttempt
SecOpsRevilKaseyaRegistryKey
SecOpsSIGRedExploitMicrosoftWindowsDNS
SecOpsSecurityEnabledLocalGroupChanged
SecOpsSeveralPasswordChanges
SecOpsShadowCopiesDeletion
SecOpsStoneDrillServiceInstall
SecOpsStopSqlServicesRunning
SecOpsSuspiciousBehaviorAppInitDLL
SecOpsSuspiciousEventlogClearUsingWevtutil
SecOpsSuspiciousWMIExecution
SecOpsTurlaPNGDropperService
SecOpsTurlaServiceInstall
SecOpsUserAccountChanged
SecOpsWINWmiMOFProcessExecution
SecOpsWannaCryBehavior
SecOpsWermgrConnectingToIPCheckWebServices
SecOpsWinADDomainEnumeration
SecOpsWinActivateNoCloseGroupPolicyFeature
SecOpsWinActivateNoControlPanelGroupPolicyFeature
SecOpsWinActivateNoFileMenuGroupPolicyFeature
SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature
SecOpsWinActivateNoSetTaskbarGroupPolicyFeature
SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork
SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork
SecOpsWinAdminRemoteLogon
SecOpsWinAdminShareSuspiciousUse
SecOpsWinAnonymousAccountCreated
SecOpsWinAppInstallerExecution
SecOpsWinAttackerToolsOnEndpoint
SecOpsWinAttemptToAddCertificateToStore
SecOpsWinAuditLogCleared
SecOpsWinAutomatedCollectionCmd
SecOpsWinAutomatedCollectionPowershell
SecOpsWinBackupCatalogDeleted
SecOpsWinCompressEncryptData
SecOpsWinCredentialDumpingNppspy
SecOpsWinCritServiceStopped
SecOpsWinCurl
SecOpsWinDcShadowDetected
SecOpsWinDefenderDownloadActivity
SecOpsWinDisableAntispywareRegistry
SecOpsWinDisableUac
SecOpsWinDnsExeParentProcess
SecOpsWinDomainTrustActivity
SecOpsWinExcessiveUserInteractiveLogin
SecOpsWinExternalDeviceInstallationDenied
SecOpsWinFTPScriptExecution
SecOpsWinFakeProcesses
SecOpsWinFsutilDeleteChangeJournal
SecOpsWinGatherVictimIdentitySAMInfo
SecOpsWinGoldenSamlCertificateExport
SecOpsWinIISWebRootProcessExecution
SecOpsWinIcmpExfiltration
SecOpsWinInvokewebrequestUse
SecOpsWinKerberosUserEnumeration
SecOpsWinLocalSystemExecuteWhoami
SecOpsWinLockoutsEndpoint
SecOpsWinLsassKeyModification
SecOpsWinLsassMemDump
SecOpsWinMapSmbShare
SecOpsWinMemoryCorruptionVulnerability
SecOpsWinMimikatzLsadump
SecOpsWinModifyShowCompressColorAndInfoTipRegistry
SecOpsWinMsiExecInstallWeb
SecOpsWinNetworkShareCreated
SecOpsWinNewPsDrive
SecOpsWinOfficeBrowserLaunchingShell
SecOpsWinPermissionGroupDiscovery
SecOpsWinPotentialPassTheHash
SecOpsWinPowerSettings
SecOpsWinPowershellKeyloggin
SecOpsWinPowershellProcessDiscovery
SecOpsWinPowershellSetExecutionPolicyBypass
SecOpsWinRcloneExecution
SecOpsWinRegUtilityHiveExport
SecOpsWinRegistryModificationActivateNoRunGroupPolicy
SecOpsWinRegistryModificationDisableCMDApp
SecOpsWinRegistryModificationDisableChangePasswdFeature
SecOpsWinRegistryModificationDisableLockWSFeature
SecOpsWinRegistryModificationDisableLogOffButton
SecOpsWinRegistryModificationDisableNotificationCenter
SecOpsWinRegistryModificationDisableRegistryTool
SecOpsWinRegistryModificationDisableShutdownButton
SecOpsWinRegistryModificationDisableTaskmgr
SecOpsWinRegistryModificationGlobalFolderOptions
SecOpsWinRegistryModificationHideClockGroupPolicyFeature
SecOpsWinRegistryModificationHideSCAHealth
SecOpsWinRegistryModificationHideSCANetwork
SecOpsWinRegistryModificationHideSCAPower
SecOpsWinRegistryModificationHideSCAVolume
SecOpsWinRegistryModificationIExplorerSecZone
SecOpsWinRegistryModificationNewTrustedSite
SecOpsWinRegistryModificationNoDesktopGroupPolicy
SecOpsWinRegistryModificationNoFindGroupPolicyFeature
SecOpsWinRegistryModificationPowershellLoggingDisabled
SecOpsWinRegistryModificationRunKeyAdded
SecOpsWinRegistryModificationStoreLogonCred
SecOpsWinRegistryQuery
SecOpsWinRemoteSystemDiscovery
SecOpsWinRunasCommandExecution
SecOpsWinSamStopped
SecOpsWinScheduledTaskCreation
SecOpsWinSchtasksForcedReboot
SecOpsWinSchtasksRemoteSystem
SecOpsWinSensitiveFiles
SecOpsWinServiceCreatedNonStandardPath
SecOpsWinShadowCopyDetected
SecOpsWinSmtpExfiltration
SecOpsWinSpoolsvExeAbnormalProcessSpawn
SecOpsWinSuspiciousExternalDeviceInstallation
SecOpsWinSuspiciousWritesToRecycleBin
SecOpsWinSysInfoGatheringUsingDxdiag
SecOpsWinSysInternalsActivityDetected
SecOpsWinSysTimeDiscovery
SecOpsWinTFTPExecution
SecOpsWinUserAddedPrivlegedSecGroup
SecOpsWinUserAddedSelfToSecGroup
SecOpsWinUserAddedToLocalSecurityEnabledGroup
SecOpsWinUserCreationAbnormalNamingConvention
SecOpsWinUserCredentialDumpRegistry
SecOpsWinWMIPermanentEventSubscription
SecOpsWinWMIReconRunningProcessOrSrvcs
SecOpsWinWebclientClassUse
SecOpsWinWifiCredHarvestNetsh
SecOpsWinWmiExecVbsScript
SecOpsWinWmiLaunchingShell
SecOpsWinWmiProcessCallCreate
SecOpsWinWmiScriptExecution
SecOpsWinWmiTemporaryEventSubscription
SecOpsWinWmiprvseSpawningProcess
SecOpsMoveitWebShell
SecOpsWinDnsExcessiveEmptyOrRefusedQueries
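One way to implement the logic behind the new SecOpsWinDnsExcessiveEmptyOrRefusedQueries alert described above, as an added Python example that is not Devo's alert query. It assumes a normalized record shape (client IP, query name, RCODE, answer count) rather than the real dns.windows columns, treats NXDOMAIN and NODATA responses as "empty" and RCODE REFUSED as "refused", and counts them per client in a sliding time window against a tunable threshold, which is the knob the release note says to adjust. The log records are constructed for the example.

```python
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DnsResponse:
    """Assumed normalized shape of one Windows DNS server response record;
    the real dns.windows columns may differ."""
    ts: datetime
    client: str       # source IP of the querying host
    qname: str
    rcode: str        # NOERROR, NXDOMAIN, REFUSED, SERVFAIL, ...
    answers: int      # RRs in the answer section; 0 for NXDOMAIN/NODATA


def empty_or_refused(r):
    """'Refused' is RCODE REFUSED; 'empty' is any response with no answer RRs
    (NXDOMAIN, or NOERROR with an empty answer section)."""
    return r.rcode == "REFUSED" or r.answers == 0


def registrable_domain(qname):
    # Last two labels; production code would consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_excessive_empty_or_refused(records, threshold=50, window=timedelta(minutes=5)):
    """One alert per client whose empty/refused responses inside any sliding
    `window` reach `threshold`. `threshold` is the value to tune per organization."""
    per_client = defaultdict(list)
    for r in sorted(records, key=lambda x: x.ts):
        if empty_or_refused(r):
            per_client[r.client].append(r)
    alerts = []
    for client, rs in per_client.items():
        start = 0
        for end, r in enumerate(rs):
            while r.ts - rs[start].ts > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits = rs[start:end + 1]
                alerts.append({
                    "client": client,
                    "count": len(hits),
                    "first": hits[0].ts,
                    "last": hits[-1].ts,
                    "rcodes": dict(Counter(h.rcode for h in hits)),
                    # Many distinct names under one parent is the tunneling signature.
                    "distinct_qnames": len({h.qname for h in hits}),
                    "top_domains": Counter(registrable_domain(h.qname) for h in hits).most_common(3),
                })
                break                                # one alert per client per run
    return alerts


def constructed_sample():
    """Constructed log data for the example, not real telemetry."""
    t0 = datetime(2024, 4, 1, 12, 0, 0)
    recs = []
    # Tunneling-like host: 60 unique random-looking labels under one domain, all NXDOMAIN, in two minutes.
    for i in range(60):
        label = hashlib.sha1(str(i).encode()).hexdigest()[:16]
        recs.append(DnsResponse(t0 + timedelta(seconds=2 * i), "10.0.0.23",
                                f"{label}.t.evil-example.test", "NXDOMAIN", 0))
    # Normal host: a few typos among many successful lookups.
    for i in range(5):
        recs.append(DnsResponse(t0 + timedelta(seconds=30 * i), "10.0.0.24", "intranet.corp.test", "NXDOMAIN", 0))
    for i in range(200):
        recs.append(DnsResponse(t0 + timedelta(seconds=i), "10.0.0.24", "www.corp.test", "NOERROR", 1))
    # External client refused by a non-recursive server, spread over an hour (never 50 in any 5 minutes).
    for i in range(30):
        recs.append(DnsResponse(t0 + timedelta(minutes=2 * i), "203.0.113.7", "example.test", "REFUSED", 0))
    return recs


if __name__ == "__main__":
    for a in detect_excessive_empty_or_refused(constructed_sample()):
        print(a)
```

With the default threshold only 10.0.0.23 fires; lowering it to 5 also flags the host with five typos, which is the trade-off the threshold note in the release is about. The distinct-name count and parent-domain breakdown in the alert are what let an analyst separate tunneling (many unique labels under one zone) from a misconfigured resolver repeating the same failed name.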

Related products:Devo SecOps

Devo Platform Release 8.8.20

Hello everyone, the latest Devo Platform release is here! Release 8.8.20 brings a whole host of updates for Alerts. It starts with the new triggered Alert details page, which increases the number of actions you can take from one location. Next, a newly integrated ID search lets you find Alerts by Alert ID. The Alerts type field has received new values that better match how the alert was created. A new field, “info”, was added to the audit table devo.audit.alert.definition, and there is a new audit table for triggered Alert operations. Find the full details of this release in this article.

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

Table of Contents

New Features
  New Triggered Alerts Details page
  Search by Alert ID
  Redefined Type field when Grouping Alerts
  New “info” field added to audit table devo.audit.alert.definition
  New audit table devo.audit.alert.triggered
Bug Fixes
  Alert Bug Fixes
  Flow Bug Fixes

New Features

New Triggered Alerts Details page

This page is launched from the triggered alert ID and opens the alert in full detail. It is available even when the alert is grouped. The new page has two tabs:
- Overview tab: alert details management
- Annotations tab: alert annotations management

Search by Alert ID

A new search box was added to the Triggered Alerts page that lets you search by full or partial Alert ID. Find your alerts quickly with this new feature!

Redefined Type field when Grouping Alerts

Rebuilt for clarity of purpose: when grouping alerts, the type field now offers options that better match the actions being taken.

Old Type Values   New Type Values
api_custom        each
default           several
custom            low
etcetera          gradient
                  deviation
                  rolling
                  generic

New “info” field added to audit table devo.audit.alert.definition

A new JSON field, “info”, has been added to this audit table. It contains the JSON corresponding to the Alert request operation:

Operation       Content
Creation        Entire JSON of the Alert creation request
Edit            Entire JSON of the Alert editing request
Enable/Disable  An empty JSON
Deletion        An empty JSON

New audit table devo.audit.alert.triggered

This new audit table is now available in all domains. For audit purposes, the system logs in it all user activity related to triggered Alert operations in the domain. The table has the same structure as devo.audit.alert.definition, except that the “info” field contains only the changed value. The tracked changes are:
- Triggered Alert Status
- Triggered Alert Priority
- Triggered Alert Delete

Bug Fixes

Alert Bug Fixes
- Fixed alert creation/cloning when the running Alerts limit is reached.
- Fixed error when clicking “go to query” on Monitoring Alerts.

Flow Bug Fixes
- Fixed duplicated triggered alerts after restart.
- Fixed alert recovery after upgrading Flow.
- Fixed null creation date on some contexts.

Related products:Devo Platform

Devo Parser Catalog Update for March

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s search speed. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the new and updated parsers available. If you require a new parser, please open a support ticket through the support portal.

New Parsers
- soar.devo (link to documentation)
- cef0.pcysys (link to documentation)
- cef0.cyberark (documentation in progress)
- itdr.oort (link to documentation)
- storage.huawei (link to documentation)
- dlp.cososys (link to documentation)
- seg.checkpoint (link to documentation)
- mail.all.messages (documentation in progress)
- cloud.rubrik (link to documentation)

Updated Parsers (each with a link to documentation)
- cloud.aws
- cloud.alibaba
- cloud.azure
- waf.f5
- firewall.paloalto
- web.all.access
- devo.ea
- proxy.all.access
- box.all.win
- network.vmware
- db.oracle
- mail.darktrace
- vuln.beyondtrust
- iam.sailpoint
- auth.jumpcloud
- casb.microsoft_defender
- entity.behavior
- dns.bind
- firewall.cisco
- firewall.velocloud
- firewall.all.webfilter
- firewall.juniper
- network.dell

Related products:Devo Integrations

Devo Collector Catalog Update for March

Every month the integrations team works on new and updated collectors, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone.

New Collectors
- Fastly Next-Gen WAF v1.0.0 (link to documentation)
- ExtraHop Reveal(x) v1.1.0 (link to documentation)
- Mulesoft Anypoint v1.0.0 (link to documentation)
- Cisco AMP v1.0.0 (link to documentation)

Updated Collectors
- ServiceNow API v1.4.0 (link to documentation)
- Microsoft Defender Cloud Apps v1.3.0 (link to documentation)
- Thinkst Canary v1.1.0 (link to documentation)
- Microsoft Azure v2.0.0-beta1 (link to documentation)
- Akamai SIEM Collector v2.1.0 (documentation in progress)
- Wiz v1.5.0 (link to documentation)
- JumpCloud v1.3.1
- AWS SQS v1.1.1 (link to documentation)
- Salesforce v2.2.0 (link to documentation)
- Proofpoint TAP v2.2.1 (link to documentation)
- Netskope Web Transaction Events v1.0.0b1 (documentation in progress)
- Cisco Umbrella v1.1.0 (link to documentation)
- AWS v1.8.2 (link to documentation)
- Microsoft Graph v2.0.0-beta2 (link to documentation)

Related products:Devo Integrations

Devo Behavior Analytics release 1.8

Devo’s product team is happy to present the latest version of our integrated EUBA, Behavior Analytics. In this release, the team delivers Entity Timeline improvements that emphasize the most essential information about an entity’s risk. The team has also delivered a collection of dashboard improvements, including the data search pivot, the entity risk group edit page, improved error handling, and UI optimizations.

Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page.

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents

Improvements
  Entity Timeline
  Dashboard

Improvements

Entity Timeline

The Entity Timeline layout has been improved to emphasize the most essential information about an entity’s risk. You can now select the most relevant parts of an entity’s timeline to get a deeper understanding of what is driving the risk score, and use the entity metric counts to filter the graph and timeline. Drill down into all the risky event details you need from a single screen.

Dashboard

The Behavior Analytics dashboard has been enhanced with the following features and fixes:
- Data Search Pivot: the alert data search pivot now isolates the specific entities involved in the alert.
- Entity Risk Group Edit page: the entity risk page is better configured to manage large lists.
- UI Optimization: improved responsiveness in common user workflows across the entire application, with API and UI performance improvements.
- Improved Error Handling: fixed several alert notification error scenarios around bad data inputs for alert priority, lookup errors, and so on.

Related products:Devo Behavior Analytics

Devo Security Operations: OOTB Alerts Release 23

We're thrilled to announce the latest updates and additions to our alerting system with Release 23. This release brings enhancements to alert logic and improved summaries, and introduces new alerts to bolster your security operations. To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.

Improved Alerts

SecOpsWinUserAddedToLocalSecurityEnabledGroup: Enhanced alert logic for detecting user additions to local security-enabled groups on Windows systems. Improved summary for better understanding and faster response.

SecOpsLinuxIrregularLoginSsh: Updated alert logic to identify irregular login activities via SSH on Linux systems. Refined summaries to provide clearer insights into potential security threats.

SecOpsO365AuthExcessiveFailedLoginsSingleSource: Updates to the mmcity operation for Office 365 authentication alerts related to excessive failed logins from a single source. Streamlined summaries to facilitate quicker identification of suspicious activities.

SecOpsO365ImpossibleTravel: Revised alert logic for Office 365 impossible travel scenarios. Improved operation of mmcity for more accurate detection. Enhanced summaries to highlight impossible travel incidents effectively.

New Alerts

SecOpsSlackPossibleSessionHijacking: Introducing a new alert to detect potential session hijacking in Slack environments. Monitors for suspicious activities indicating unauthorized access to Slack accounts. Provides detailed insights into possible session compromise for swift remediation.

SecOpsWinPowerSettings for MITRE Technique T1653: Brand new alert targeting MITRE technique T1653, focusing on Windows power settings manipulation. Alerts on suspicious changes to power settings indicative of potential adversary actions. Enables proactive defense against tactics aiming to manipulate power configurations for malicious purposes.

Stay vigilant with these upgraded alerts and leverage the new additions to strengthen your security posture. For further details, consult the documentation or reach out to our support team for assistance. Upgrade to Release 23 now and fortify your defenses against evolving threats.
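The impossible-travel idea behind SecOpsO365ImpossibleTravel is simple to state: geolocate the source IP of each login, then compare consecutive logins of the same user and flag pairs whose implied ground speed no traveller could achieve. The following Python is an added illustration of that check, not Devo's alert query. Devo's alert geolocates IPs with the mmcity operation; here a constructed IP-to-coordinates lookup (documentation-range addresses, assumed values) stands in for that step so the example runs offline, and the 900 km/h ceiling is an assumed tuning value.

```python
"""Impossible-travel check over authentication events (added example).

Not Devo's SecOpsO365ImpossibleTravel logic: the geolocation step that Devo
performs with mmcity is replaced by GEO_LOOKUP, a constructed table.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

# Constructed stand-in for mmcity: source IP -> (lat, lon, city).
GEO_LOOKUP = {
    "192.0.2.10": (40.4168, -3.7038, "Madrid"),
    "198.51.100.20": (40.7128, -74.0060, "New York"),
    "203.0.113.30": (40.4168, -3.7038, "Madrid"),
}


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str


@dataclass(frozen=True)
class Finding:
    user: str
    from_city: str
    to_city: str
    km: float
    hours: float
    kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare consecutive logins per user; return pairs faster than max_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            g1, g2 = GEO_LOOKUP.get(prev.src_ip), GEO_LOOKUP.get(cur.src_ip)
            if g1 is None or g2 is None:
                continue  # unresolvable IP: no distance to reason about
            km = haversine_km(g1[0], g1[1], g2[0], g2[1])
            if km < 1.0:
                continue  # same location; nothing travelled
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two distant logins at the same instant imply infinite speed.
            kmh = float("inf") if hours <= 0 else km / hours
            if kmh > max_kmh:
                findings.append(Finding(user, g1[2], g2[2], km, hours, kmh))
    return findings


# Constructed sample logins.
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 2, 1, 9, 0, tzinfo=timezone.utc), "192.0.2.10"),
    Login("alice", datetime(2024, 2, 1, 10, 0, tzinfo=timezone.utc), "198.51.100.20"),  # flagged
    Login("alice", datetime(2024, 2, 1, 20, 0, tzinfo=timezone.utc), "203.0.113.30"),   # 10h later: plausible
    Login("bob", datetime(2024, 2, 1, 9, 0, tzinfo=timezone.utc), "192.0.2.10"),
    Login("bob", datetime(2024, 2, 1, 9, 30, tzinfo=timezone.utc), "203.0.113.30"),     # same city
    Login("bob", datetime(2024, 2, 1, 9, 45, tzinfo=timezone.utc), "10.0.0.5"),         # not geolocatable
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{f.user}: {f.from_city} -> {f.to_city}, {f.km:.0f} km in {f.hours:.1f} h ({f.kmh:.0f} km/h)")
```

Two details matter in practice: logins whose IP cannot be geolocated are skipped rather than treated as a new location, and logins from the same city are never compared, since VPN egress and mobile carriers routinely move a user between nearby IPs.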

Related products:Devo SecOps

Devo Platform Release 8.8.16

Hello everyone, the latest Devo Platform release is here! Release 8.8.16 brings you a wide variety of changes to streamline and speed up your workflow with the Devo Platform. Starting with a new streamlined Support Access, you now go directly to the Support portal to get the most flexibility for your ticket creation and content access. The Preferences and Current Queries pages have been sped up dramatically. Activeboards have received a lot of improvements, with optional widget loading, an improved autocomplete editor, and a new sorting workflow. We have also improved the Lookup creation experience! Read on to learn about all the changes in this update.

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

New Features

Streamlined Support Access
We are streamlining Support access across the Devo Ecosystem to create a better experience for all parties. The Support portal is now your direct access to create, manage and view your case history, and this is now reflected on the Devo Platform.

Activeboards optional widget loading
Performance is a key value in Devo, and we know that some Activeboards are so detail rich that they may take longer than optimal to load all their widgets. With this update you can individually disable the launch of any widget in your Activeboard. This reduces the system resource load as well as the loading time for that Activeboard. You gain greater control of your widgets and faster access to critical information.

Updated Features

Alerts creation form update
The default setting for "Include all fields" in each Alert Create form has been reversed, and the help info has been expanded with complete information.

Activeboard editor improved
Build your Activeboards faster with a new autocomplete feature for the Activeboard editor!

Activeboard default sorting removed
Previously, when a Table widget was loaded for the first time, the rows were automatically sorted by eventdate. With this update, no sorting algorithm is applied to the rows, regardless of the sort used in the query. Rows are displayed in the order they are received (possibly by eventdate, but not guaranteed). After loading, the user can define specific sorting choices through the column headings.

Automatically retry when Search returns a recoverable error in Data Search
Users will no longer be blocked by the "Absent Data" message in Data Search; the system automatically retries the action 4 times.

Improved Data Search with new maximum of visible columns
A new limit on opening searches with more than 50 visible columns will improve the experience and stability of Data Search. Throughout our ecosystem, 95% of tables have fewer than 50 columns. The team will work with clients on any existing tables in the remaining 5%.

Improved Create Lookup Experience
When loading a CSV Lookup, all whitespace at the start or end of a Lookup column name is automatically removed. When creating a lookup, any manually typed extra spaces at the start or end will prompt an error message telling you where the extra whitespace is before the Lookup is created.

Performance Improvements
The performance of the Preferences pages and the Current Queries page has been significantly improved through internal code changes that increase loading speeds.

Bug Fixes
Blank page in "Search History" when the user has only the "Finders" permission
"Go to Query" in triggered alerts displays a blank page in a use case
Edit Alert form label
Usage Analytics cache not taking timezones into account
Aggregation task creation: "Real-Time" value always displayed as unchecked
Loxcope wizard incorrect translation when filtering null values

Related products:Devo Platform

Devo Exchange release 1.8

Hello everyone, the Exchange team has a new update for you with tons of great improvements. Two years have passed since the launch of Devo Exchange, and our content library has grown from 30 to 220 releases!! This release focuses on improved performance, with better response times in all aspects of the platform. We have also updated the process of accessing Devo Exchange by using policies. This is a key update for MSSPs. The Alerts update process was also updated, so you can now choose which individual alerts to update from an Alert Pack. Read on to learn more about each of these updates!

Geo Availability
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

New Features

Updated Access Control
Exchange access control was switched from roles to policies in this release. This means you now have more control as an admin to manage access to content on Devo Exchange. We added a Marketplace Management policy so Admins can choose to allow users to access and manage Exchange content, giving greater control.

Unlock individual Alert updating
With this update, you can choose which alerts inside an Alert Pack to update. This significant change is instrumental in supporting alert coverage customization. Now when a new update is available for an Alert Pack, you will see the notification on the Exchange card and can choose to update only the alerts you are using. We have also introduced a DIFF tool to the update process that you can use to compare the code before updating the alert, bringing full transparency to the update process.

Performance Improvements
Growing from our humble beginnings of 30 titles to our current 220 titles is a huge leap in content. The system needed tuning to handle the significant growth of the last year. From top to bottom, we have recreated the underlying structure of Exchange to handle the current catalog and make sure the gains are scalable for all future iterations of the catalog. This results in consistently fast performance throughout your use of Devo Exchange.

Additional User Experience updates
Supporting improvements and informational updates throughout the application.

Related products:Devo Exchange

Devo Security Operations: OOTB Alerts Release 22

The Devo Threat Research Team has published OOTB Alerts Release 22! This release, available now from the Security Operations Content Manager, provides 9 updated detections and 2 new alerts. This update introduces powerful enhancements to fortify and monitor your security infrastructure. To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.

This update features several key improvements:

New Alert: OS Credential Dumping: With our latest detection capabilities, we now provide a new alert designed to identify instances of OS credential dumping promptly. This critical security threat, often exploited by malicious actors, can compromise sensitive login credentials. By issuing alerts for potential credential dumping activities, our system empowers users to respond swiftly, minimizing the risk of unauthorized access.

New Alert: Detection for Traffic to Paste Bin: Recognizing the evolving threat landscape, we've incorporated detection mechanisms to monitor and flag traffic directed toward paste bin services. These platforms are frequently leveraged by adversaries for data exfiltration and sharing of sensitive information. By detecting suspicious activities related to paste bin usage, our system enables proactive intervention, safeguarding against unauthorized data dissemination.

Regex Optimized Improvements for Windows and Proxy Alerts: In this update, we've optimized regular expressions (regex) to enhance the accuracy and efficiency of Windows and proxy alerts. These improvements refine our detection capabilities, ensuring more precise identification of suspicious activities associated with Windows and proxy servers. By fine-tuning regex patterns, we reduce false positives and provide users with actionable insights into potential security threats.

Updated Field Naming for Microsoft Office365 Detections: We've revamped field naming conventions for Microsoft Office365 detections to streamline data interpretation and analysis. This update ensures consistency and clarity in identifying and responding to security events within the Office365 environment. By aligning field names with industry standards, users can easily navigate and leverage insights from our detection system to bolster their Office365 security posture.

These updates reflect our commitment to continuously enhancing our detection capabilities, empowering users to stay ahead of emerging threats, and safeguarding their digital assets effectively.

New Detections

SecOpsOsCredentialDumpingGsecdump
  Description: Detects execution of well-known credential dumping tools via service execution events.
  Devo Table/Data Source/Category: box.all.win
  Change Log: New!

SecOpsProxyDataExfiltrationDetection
  Description: Monitors proxy logs for connections from internal IPs to paste bin or content aggregation sites known for data sharing.
  Devo Table/Data Source/Category: proxy.all.access
  Change Log: New!

Updated Detections

SecOpsAWSCreateloginprofile
  Description: Detects if a login has been performed by a user who was created in the last 24 hours, and checks whether the user creation and the login were performed from the same IP. This behavior could indicate a privilege escalation attempt.
  Devo Table/Data Source/Category: cloud.aws.cloudtrail
  Change Log: Tuned subquery parameters

SecOpsO365PhishAttempt
  Description: Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.
  Devo Table/Data Source/Category: cloud.office365.management
  Change Log: Updated based on window logging updates

SecOpsO365SusMailboxDelegation
  Description: Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules.
  Devo Table/Data Source/Category: cloud.office365.management
  Change Log: Updated field naming

SecOpsREvilKaseyaWebShellsUploadConn
  Description: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days; the attack was pushed out via an infected IT Management update from Kaseya.
  Devo Table/Data Source/Category: proxy.all.access
  Change Log: Optimized regex

SecOpsHAFNIUMHttpPostTargetingExchangeServers
  Description: Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.
  Devo Table/Data Source/Category: web.all.access
  Change Log: Optimized regex

SecOpsHAFNIUMWebShellsTargetingExchangeServers
  Description: Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
  Devo Table/Data Source/Category: web.all.access
  Change Log: Optimized regex

SecOpsREvilKaseyaWebShells
  Description: The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT Management update from Kaseya.
  Devo Table/Data Source/Category: web.all.access
  Change Log: Optimized regex

SecOpsWinAdminRemoteLogon
  Description: Detects remote logins by an administrative user account. Administrative account names are tailored to the organization's specific naming conventions.
  Devo Table/Data Source/Category: box.all.win
  Change Log: Updated entity mapping

SecOpsWinIISWebRootProcessExecution
  Description: Detects the execution of a process from inside a web hosting directory, which can indicate that adversaries uploaded a malicious file to the web server and ran it as a process.
  Devo Table/Data Source/Category: box.all.win
  Change Log: Optimized regex

Related products:Devo SecOps

Devo Security Operations: OOTB Alerts Release 21

The Devo Threat Research Team has published OOTB Alerts Release 21! This release, available now from the Security Operations Content Manager, provides 7 updated detections and 1 new alert. The updates focus on improved performance, easier installation and a reduction in false positive results. If you are using these detections, this update is a must have! To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.

New Detection

SecOpsO365OneDriveDownload
  Description: Detects a high volume of OneDrive activity.
  Devo Table/Data Source/Category: CLOUD.OFFICE365.MANAGEME
  Change Log: New Alert!

Updated Detections

SecOpsAccountsCreatedRemovedWithinFTourHours
  Description: Detects user accounts that are created and deleted within a four-hour period.
  Devo Table/Data Source/Category: box.all.win
  Change Log: Updated alert logic to reduce false positives

SecOpsFWRDPTrafficUnauthorized
  Description: Detects RDP traffic to hosts not within an allowed list.
  Devo Table/Data Source/Category: firewall.all.traffic
  Change Log: Removed dependency for installation

SecOpsLinuxSuspciousExecutionCommand
  Description: Detects relevant commands often related to malware or hacking activity.
  Devo Table/Data Source/Category: box.unix
  Change Log: Updated to reduce false positives

SecOpsCDHuntFWdstIpIsPossibleIoc
  Description: This search looks for Collective Defense matches in firewall data.
  Devo Table/Data Source/Category: firewall.all.traffic
  Change Log: Field naming updates

SecOpsFWIcmpExcessivePackets
  Description: Since ICMP packets are typically very small, this alert detects ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration.
  Devo Table/Data Source/Category: firewall.all.traffic
  Change Log: Field naming updates

SecOpsFWTrafficOnUnassignedLowPort
  Description: Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic.
  Devo Table/Data Source/Category: firewall.all.traffic
  Change Log: Field naming updates

SecOpsVNCPortOpen
  Description: Used to identify the default port for VNC connections.
  Devo Table/Data Source/Category: firewall.all.traffic
  Change Log: Field naming updates
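The SecOpsAccountsCreatedRemovedWithinFTourHours detection described above pairs an account-creation event with a deletion of the same account inside a four-hour window, a pattern that is a classic sign of a throwaway account created for one task and then cleaned up. The Python below is an added example of that pairing logic, not Devo's query. It assumes Windows Security log events already parsed into records with the standard event IDs 4720 (user account created) and 4726 (user account deleted); all event records in it are constructed samples.

```python
"""Pair account creation with deletion of the same account inside a window.

Added example, not Devo's SecOpsAccountsCreatedRemovedWithinFTourHours query.
Event IDs are the standard Windows Security log values; records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EVENT_USER_CREATED = 4720
EVENT_USER_DELETED = 4726
DEFAULT_WINDOW = timedelta(hours=4)


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample events (fields a parsed 4720/4726 record would carry).
SAMPLE_EVENTS = [
    {"ts": _utc(2024, 2, 1, 8, 0), "event_id": 4720, "target": "newhire", "subject": "hr.admin", "host": "dc01"},
    {"ts": _utc(2024, 2, 1, 9, 0), "event_id": 4720, "target": "svc_tmp01", "subject": "j.doe", "host": "dc01"},
    {"ts": _utc(2024, 2, 1, 10, 15), "event_id": 4624, "target": "svc_tmp01", "subject": "svc_tmp01", "host": "srv02"},  # logon, unrelated
    # Deletion 2.5 hours after creation; SAM account names compare case-insensitively.
    {"ts": _utc(2024, 2, 1, 11, 30), "event_id": 4726, "target": "SVC_TMP01", "subject": "j.doe", "host": "dc01"},
    {"ts": _utc(2024, 2, 1, 12, 0), "event_id": 4726, "target": "legacy", "subject": "it.ops", "host": "dc01"},  # no creation seen
    {"ts": _utc(2024, 2, 2, 8, 0), "event_id": 4726, "target": "newhire", "subject": "hr.admin", "host": "dc01"},  # 24 h later: benign
]


def find_short_lived_accounts(events, window=DEFAULT_WINDOW):
    """Return one finding per deletion that follows a creation of the same
    account within `window`. Events may arrive unordered; they are sorted here."""
    created = defaultdict(list)  # normalised account name -> creation events
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        account = ev["target"].lower()
        if ev["event_id"] == EVENT_USER_CREATED:
            created[account].append(ev)
        elif ev["event_id"] == EVENT_USER_DELETED:
            # Match the most recent creation inside the window, if any.
            for c in reversed(created[account]):
                age = ev["ts"] - c["ts"]
                if timedelta(0) <= age <= window:
                    findings.append({
                        "account": account,
                        "created_at": c["ts"],
                        "deleted_at": ev["ts"],
                        "lifetime_minutes": int(age.total_seconds() // 60),
                        "created_by": c["subject"],
                        "deleted_by": ev["subject"],
                        "host": ev["host"],
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_short_lived_accounts(SAMPLE_EVENTS):
        print(f"{f['account']} lived {f['lifetime_minutes']} min "
              f"(created by {f['created_by']}, deleted by {f['deleted_by']} on {f['host']})")
```

Reporting the creating and deleting subjects alongside the account is what lets an analyst triage quickly: the same administrator creating and removing a test account is a different conversation from two unrelated identities doing so, and the alert should carry that context rather than only the account name.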

Related products:Devo SecOps

Devo Parser Catalog Update for February

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available. If you require a new parser, please open a support ticket through the support portal.

Updated Parsers (each links to its page in the Devo Documentation unless noted otherwise)
proxy.zscaler
firewall.paloalto
auth.jumpcloud
av.mcafee
bms.humansecurity
auth.auth0
cloud.office365
box.win_winlogbeat
box.win_nxlog
box.devo_ea
dhcp.bluecat
vcs.gitlab
vuln.qualys
edr.crowdstrike
edr.darktrace
edr.cisco
cloud.aws
cloud.gsuite
crm.salesforce
casb.netskope
network.meraki
network.vmware
adn.f5
entity.behavior
cdn.cloudflare
cef0.fortinet (documentation in progress)
ras.beyondtrust

Union Tables Updated
auth.all
firewall.all.traffic

Related products:Devo Integrations

Devo Collector Catalog Update for February

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone!

New Collectors
AWS SQS v1.0.0
Fastly Next-Gen WAF v1.0.0b3 (documentation is being updated)

Updated Collectors
Microsoft Defender Cloud Apps v1.2.0
Jumpcloud v1.2.2
Crowdstrike API v1.5.4
Proofpoint TAP v2.2.0
Akamai SIEM Collector v2.0.0b (documentation is being updated)
Cortex-XDR v1.2.0b (documentation is being updated)
Qualys v2.0.0 (documentation is being updated)
Google Workspace Reports v1.9.1 (formerly Gsuite Reports)
SentinelOne v1.5.0
Cybereason v1.3.0 (documentation is being updated)

Related products:Devo Integrations

Devo Platform 8.8.0 Release

This post details the pre-release information for Devo Platform Release 8.8.0. This release will be pushed to production on February 1, 2024, at 11 AM UTC+1. In this release, domain Administrators will benefit from enhanced monitoring capabilities over their environment with the introduction of the Usage Analytics feature. Another item in this release is the new Conditional Formatting feature available from the Field Viewer. This will enhance the capabilities of all Data Searchers with support for up to 5 conditional formatting conditions. Continue reading to view the full details of this update.

Release Information
Release Date: February 1, 2024
Release Time: 11:00am UTC+1

Geo Release
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Additional information is available in our Documentation.

New Features

Usage Analytics
Usage Analytics is a new Dashboard inside Devo designed to help Administrators understand how Devo is being used in their environment. Accessible from the Administration Menu on the top left, this new dashboard allows the administrator to monitor:
Weekly Active Users
Ingestion metrics: average daily ingestion for the last 7 days; ingestion per technology for the last 7 days
Query count metrics: query count for the 3 most common ways to query data (Data Search, API queries, OData queries); number of queries by origin for the last 7 days, grouped by every 1 hour
Resource usage distribution: shows how different areas of the product consume compute resources over time; resource usage per component during the last 24 hours

Conditional Formatting introduced to the Field Viewer
You can now add conditional formatting to your tables! You can add up to a maximum of 5 conditions that specify an operator and value, along with text and background color, to apply to the matching cells. Each condition provides a preview, along with tags, that indicate the visual format and the value. To enact the changes shown in the preview, be sure to click Apply!
1) This icon indicates that a field has conditional formatting applied to it.
2) The conditional formatting tab open with the conditions set.
3) How it is shown in the data table.

New Alerts audit table added
A new audit table is available for Alerts called "devo.audit.alert.definition" in all domains. This audit table logs all user activities related to Alert definitions within a domain. The activities logged by this new table are:
Alert creation
Alert editing
Alert enable/disable
Alert deletion

Change Alert Status in Bulk actions
You can change the status of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Status followed by the desired status.

Change Alert Priority in Bulk actions
You can change the priority of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Priority followed by the desired priority level.

New EACH Alert creation/editing options
When creating an Each Alert you can now select to include all fields, or only those query fields explicitly called in your alert plus the eventdate field. Available only for EACH Alerts whose query has no grouping clause. Select the Include all fields check box to include all fields in your alert.

Bug fixes (of course)

Related products:Devo Platform

Collector Catalog Update: January

Here are the latest additions to the Collector Library as well as the updated collectors for the month of January!

New Collectors
Microsoft Defender for IoT Collector v1.0.0b1
Bitwarden Collector v1.0.0b1 (documentation in progress)
Cyble Vision Collector v1.0.0
Mandiant Advantage collector v1.0.0b1
IBM Cloud VPC Flow v1.0.0.b1
IBM Cloud Softlayer v1.0.0b1
IBM Cloud Activity Tracker v1.0.0b1

Updated Collectors
MS Graph v1.7.0b1
Github v2.1.0
SentinelOne v1.4.0
Recorded Future v1.3.0
Cybereason v1.2.0 (documentation in progress)
OneTrust v1.2.0
AlienVault OTX 1.1.0
Wiz Cloud Security v1.2.0
Cylance v1.1.0
Agari Phishing Defense v1.2.0
JumpCloud v1.1.0
Microsoft Azure v1.7.0
Okta Resources v1.8.0
Microsoft Defender Cloud Apps v1.1.0
Microsoft O365 Message Tracing v2.2.0
Rapid7 InsightVM v1.4.0
Infocyte v1.3.0

Unless noted otherwise, each collector above links to its page in the Documentation portal.

Related products:Devo Integrations

Devo Exchange: Mitre Att&ck Adviser 1.7

Custom Threat Groups have arrived for the MITRE ATT&CK Adviser! This update allows you to define custom alert groups, design your own threat groups, and track them!

Geo Release
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

What is a Custom Threat Group?
Custom threat groups help organizations take threat groups from other security vendors and add them to the MITRE ATT&CK Adviser to quickly assess coverage of threat groups that are not tracked by MITRE. Custom threat groups enable customers to create:
Custom threat groups
Alert groups for data sources not tracked by MITRE
Groups to track their custom alert coverage

How can I use Custom Threat Groups?
Alert groups for a data source enable organizations to map alerts for specific data sources to a group, to understand what coverage those data sources are giving them. For example, if a customer wants to understand what coverage their AWS detections give them within Devo, they can create a group of their AWS alerts and quickly monitor their coverage. Creating a custom group to track alerts that have been created by the customer, in a single location, is useful for understanding what coverage an organization has brought vs. Devo-provided coverage. Alerts can also be separated into specific groups for homegrown applications, or for other reasons, to track coverage on more specific parts of an organization's data landscape.

Where can I find Custom Threat Groups?
Custom Threat Groups can be found in the App Configuration section of the MITRE ATT&CK Adviser application.

How to configure a Custom Threat Group?
Creating a new custom threat group is easy, just enter the following information in the UI window:

Field | Description
ID | Unique ID for the custom Threat Group
Name | Name of the Custom Threat Group
Description | Describe the purpose or details of the group
Associated Threat Groups | Identify the associated MITRE Threat groups for the threat group being created
Techniques | Select the techniques that are associated with the new custom group. This enables the MITRE ATT&CK matrix filtering and coverage calculations.
Alerts Used | Select the alerts that are associated with the new custom threat group. This enables the MITRE ATT&CK matrix filtering and coverage calculations.

Threat Groups Updated!
With this release, the Threat Groups list has been updated with a huge number of new Threat Groups to help you identify the techniques of specific known bad actors and measure your coverage against them!

Related products:Devo Exchange

Devo Platform 8.7.0

The Devo Team has packed release 8.7.0 with some amazing content for our customers. In this release we have the long-hinted Dark Mode, the new and completely rebuilt Alerts Page, and finally Activeboards have become easier to use with the new Smart Editor. Let's dive right in!

Release by Region
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

New Alerts Page
Completely revamped with new features throughout, this is a leap forward for the Alert Page and the future of Devo!

Filter Triggered Alerts with new time ranges
Absolute: a defined interval with set beginning and ending dates, used for viewing data from a particular time frame.
Relative: a time span that is determined in relation to the current date, such as "Last 5 minutes" or "Last Day", used for observing data development up to the current moment.
Snap to: a time period that reverts to the beginning of the chosen timeframe, enabling the analysis of data without the distortion caused by incomplete periods and ensuring a representative data sample.

New Filtering options for Triggered Alerts
Access new filtering options for triggered alerts that are applied universally to the entire Alerts Overview. This includes both the Chart representation area at the top and the Triggered alerts area at the bottom.
Filter by Alert Name
Filter by Status
Filter by Priority
Filter by Category
Filter by Subcategory
With more to come in future updates!

Faster Alert Loading with new pagination
The alerts list is organized into pages for faster loading and easier navigation. This allows you to find the alerts you are interested in quickly, and includes new listing options for you to control how much detail you see on each page.

New Alerts Management Page
Visualize triggered alerts graphically with new options and enhance your comprehension of your alert coverage. New Graph Options:
Line
Voronoi
Timeline
Calendar charts

Streamlined Alert Management

Expandable detail summary
Click the expandable arrow next to the alert name to view the Summary and Description of each triggered alert.

Edit Status
The Status column displays the degree to which a triggered alert has been acknowledged.

Edit Priority
The Priority column reflects the priority level that was assigned to the alert definition at the time of its creation.

Add Comments to single alert or multiple alerts
Comment on a single alert or multiple alerts with this new functionality.

Group Alerts by Name
As you know, an Alert can be triggered multiple times. To better manage these events, we are providing Grouping capability by Alert Name. You can also expand the group to see all the individual alerts collected by that container.

And that's just the beginning! The team has planned a lot more for the Alerts page and we are eager to hear your thoughts on these changes, so let us know in the comments or in Private messages!

Dark Mode theme is here!
In addition to the wonderful and current default Light Theme, you now have the option to switch to the Dark Theme! [Play the Imperial March] Every subcomponent and tool was aligned and streamlined to work as a single design with the new theme. A big thank you to the entire team!

How to switch to Dark Theme
Go to your user Preferences
Click on Global
Choose Dark!

Activeboard New Features

New copy icon
The Activeboard editor has a new copy icon that allows you to copy all the content in the editor to the clipboard. You will find the new copy functionality in the following areas:
The Query Editor
The Activeboard RAW configuration
The Widget RAW configuration

Export To PDF improvements
We are performing incremental improvements to the Export to PDF functionality over the next few releases. In this release, an improvement was made in the display of the input type widgets list.

Bug Fixes
These release notes are presented before release and are collected here as a "live" document. Check on release day for final changes!

Related products:Devo Platform

Devo Relay 2.8.0

This Devo Relay release brings new OS support, deprecated OS announcements, and automatic setup features for new regions!

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Core Changes
Devo Relay version 2.8.0 is expanding support for new OS's. Along with this functionality, support for a few older OS's is being deprecated; read on to learn all the details of this release.

New Supported OS's
Ubuntu 20
Ubuntu 22
Centos/RHEL 8
Centos/RHEL 9

Deprecated Support
Ubuntu 18
Centos/RHEL 7.x
Support for Ubuntu 18 and Centos/RHEL 7.x will end on June 1, 2024.

What does Deprecated Support mean?
Deprecated Support for an OS does not mean the Devo Relay will stop working on that OS; it means that the Devo team will no longer be able to certify the components for that OS going forward. It also means there will be no updates to the latest release (Devo Relay 2.5.0) for those OS's, so if a problem arises, the OS will need to be upgraded in order to use the latest Devo Relay release.

New Feature

Automatic Setup added for CA and APAC regions
Installer support for automatic endpoint setup for the APAC and CA regions has been added to the Devo Relay. After launching the setup, you can select more Devo Clouds using the automatic setup option.

Related products:Devo Relay