Popular Updates

Devo Platform Release 8.14.11

The latest release of the Devo Platform is here! Release 8.14.11 focuses on Alert improvements and bug fixes. A small but impactful quality-of-life improvement: all alert dates in Extra Data, Summary, and Description are now shown in your local time zone. We have added the ability to launch alert details in a new tab for a faster workflow. The recently launched Alert Streaming mode also gained improvements: it inherits column visibility settings, highlights incoming alerts, and is easier to read. We have also squashed the bugs listed below.

Geo Availability
- GovCloud: Released
- CA: Released
- US: Released
- EU: Released
- APAC: Released

Enhancements

Dates in local time
Dates in Extra Data, Summary, and Description are now displayed in the user's local time zone instead of UTC.

Open in new tab
Launch Alert Details in a new tab or keep viewing them on the same page, whichever suits your workflow. Right-click on the alert ID to see the new options.

Streaming Mode improvements
- Column visibility settings are now inherited by the streaming mode view.
- Incoming alerts are highlighted in a different color when added to the list, to improve readability.
- Improved visibility of the Pause popup.

Bug Fixes
- Fixed permissions for the new post-filter button.
- Fixed decoding errors caused by incorrectly formatted characters in Extra Data.
- Fixed display of large Summary and Description texts.
- Improved readability of cells with long text.
- Improved DevoSource retry attempts and sleep mode handling.

Related products: Devo Platform

Devo Exchange Release 2.2

The Devo Exchange team is happy to introduce a release filled with features and content! Release 2.2 adds a new content type: Queries. This category launches with around 130 queries in 5 categories, and the content submission tool now accepts queries. Synthetic Data, a great tool for testing your defenses, gains runtime settings: you can now set a Synthetic Data injection to run for a variable length of up to 30 days. Alongside further improvements, the team also delivered a large collection of new content.

Geo Availability
- GovCloud: Released
- CA: Released
- US: Released
- US3: Released
- EU: Released
- APAC: Released

New Features

New content type: Queries
We have gathered around 130 queries and organized them into 5 categories for use in training and collaboration. You will find these query packs in their own category under All Content:
- Math Built-in Operations
- Event Day Built-in Operations
- Geolocation Built-in Operations
- Collector Ingestion Monitoring
- Active Directory Threat Detection
Each category pack contains a collection of LINQ queries to learn from or to use as a starting point for building new queries.

Updated Content Proposal Tool
You can now share your queries using the Content Proposal Tool. Sharing demonstrates your mastery of LINQ and helps others discover, innovate and share new creations. As with all submissions, a query goes through a full evaluation before becoming available on Devo Exchange.

Synthetic Data runtime settings
A new dialog lets you set the duration of a Synthetic Data injection, up to a maximum of 30 days.

Improvements

Copy Alert button in Alert Packs
With the new Copy button, you can test alerts before installing them.

Improved Newest sort
Sorting by Newest now excludes updated content and shows only newly released content.

New content available

10 Activeboards upgraded with multitenancy support
You can now use the following Activeboards in multitenancy environments to get detailed insight into your managed environments:
- Ingest Volume
- Collector Monitoring
- DataSource Monitoring
- Active Directory
- Relay Monitoring
- Firewall Monitoring
- Web Activity Monitoring
- Windows System Audit
- AWS Account Activity
- DataSources Insight

New Activeboards (direct Exchange links available for US, US3, CA, EU and APAC)
- Cloud Gsuite Reports
- Ingestion Volume
- Zscaler Zia Proxy

New Alert Packs (direct Exchange links available for US, US3, CA, EU and APAC)
- VCS Github Audit
- Ping Identity MFA
- Remote System Discovery

New Synthetic Data and use cases

The Synthetic Data Pack
We have also added a content pack of injections so you can quickly test a new client's environment with a full breadth of synthetic data. With a single button, your environment comes alive with the following synthetic data:
- VPN Cisco ASA Injection
- AWS Cloudtrail S3 Injection
- VPN Pulse Secure Injection
- CDN Akamai Cloudmonitor Injection
- Palo Alto Traffic Injection
- Windows Snare Injection
- Injection for Windows Activity
- AB Unix Events Injection
- Auth Okta Systems Injection

New Synthetic Data and use cases
- Okta Authentication Use case v1.0.0
- Firewall Juniper SSG Injection v1.0.0
- Auth Okta System Injection v1.0.0
- Box Unix Events Injection v1.0.0
- SentinelOne Av Events Injection v1.0.0
- Auth DUO Authentication Injection v1.0.0
- VPN Cisco ASA AnyConnect Injection v1.0.0
- Cloud Gsuite Reports v1.0.0
- Windows Snare Injection v1.0.0
- VPN Pulse Secure Injection v1.0.0
- CDN Akamai CloudMonitor Injection v1.0.0
- Juniper SSG traffic Injection v1.0.0

Related products: Devo Exchange

Devo Relay 2.9.2-2.13.3

The Devo Relay is a critical component of Devo: it receives inbound events from your data sources and forwards them to your Devo instance, applying the tagging and processing rules that make Devo as fast as it is. This post collects the Devo Relay updates from version 2.9.2 to 2.13.3. The main new feature lets you manage data ingestion across child domains in your multitenancy environment. The release also contains a host of improvements, including new environment data for US3, support for Chinese and Japanese characters, improvements to the stats measurer, a TLS 1.3 requirement on the output connection, and several vulnerability fixes.

New Features

Domain Impersonation for Multitenancy (v2.11.0)
This feature allows you to manage data ingestion across multiple domains within your multitenant structure using a single certificate. Learn more in our Documentation.

Improvements
- The Devo Relay CLI menu now includes the variables to select the new US3 environment, so you no longer need to enter them manually. (v2.10.0)
- New environment data for US3 (v2.10.0):
  Devo ELB: collector-us3.devo.io:443
  Query API: https://api-us3.devo.com/search
  Relay API: https://api-us3.devo.com/maduro
- Added an internal filter for relay troubleshooting. (v2.11.0)
- Improved support for Chinese and Japanese characters. (v2.12.0)
- Improvements to the stats measurer. (v2.12.0)
- The output TLS connection now requires TLS 1.3. (v2.13.3) Before upgrading, confirm that any proxy or TLS-inspecting device on the path between the relay and Devo allows TLS 1.3, since the relay will no longer negotiate an older protocol version.

Fixes
- Fixed a previous behavior where several critical OS services were not waited for at boot, so the relay service could attempt to start before the essential OS services were running. (v2.9.2)

Vulnerability Fixes

v2.9.2
- logback-classic (CVE-2023-6378)
- logback-core (CVE-2023-6378, CVE-2023-6481)
- libcrypto3 & libssl3 (CVE-2023-5363)

v2.10.0
- commons-compress (CVE-2024-26308, CVE-2024-25710)
- spring-core (CVE-2024-22233)
- amazon-corretto:openssl (CVE-2024-0727, CVE-2023-6129)

For the release notes of every version of the Devo Relay, see the Documentation.

Related products: Devo Relay

Devo Platform 8.14.8

Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.8 brings a variety of improvements to the Login page and the Homepage. We have improved the login experience by removing the domain list limit entirely: you can now view the full list of all the domains you have access to, with search and pagination. Alongside this, root domains get a new visual mark so you can find them more easily. Following your feedback, we have also made some improvements to the new Homepage, including the option to hide the top banner permanently.

Geo Availability
- CA: Released
- US: Released
- EU: Released
- APAC: Released

New Features

Limitless domain switching
You can now view, and switch to, the full list of domains you have access to, without any domain list limitation. The feature includes a count of available domains and pagination controls to navigate quickly across the full breadth of your domains.

Easily identify root domains
With so many domains to choose from, it is important to choose the right one! Root domains now carry a label that makes them easy to pick out.

Improvements

Usability improvements to the new Homepage
We have made some changes to the Homepage based on customer feedback:
- The Welcome title has been moved to make more screen space available.
- Button styles have been changed to blend in better.
- You can now close the top banner group for the current session, or use the check mark to close it permanently.
- The shortcut to Usage Analytics has been cleaned up for a cleaner look.

Bug Fixes
- Fixed a problem with the Usage Analytics footer appearing for users without access to the tool.
- Fixed a problem with visibility permissions for the top banner in Home.

See the full release notes in our Documentation.

Related products: Devo Platform

Devo Security Operations: OOTB Alert Release 32

We're thrilled to announce the latest updates to our alerting system with Release 32. This release improves the functionality and accuracy of several firewall and threat detection alerts. A key improvement is the addition of sourceIP and hostname fields, which give analysts more context for faster incident triage and response. Updated alerts include FWIpScanInternal, FWPortScanExternalSource and FWSMBTrafficOutbound, as well as threat-specific rules such as REvilKaseyaWebShellsUploadConn and HAFNIUMWebShellsTargetingExchangeServers. Together they improve detection of network scans, unauthorized SMB traffic, external RDP access, and activity attributed to REvil and HAFNIUM.

To access the updated detections, open the Security Operations app inside Devo and navigate to the Content Manager, where you can search for a detection by name and manage your alerts. To update or install alerts, visit Devo Exchange. All packs below have direct Exchange links for the US, US3, CA, EU and APAC regions.

Alerts Updated

Firewall Alerts (Alert Pack: Firewall)
- FWIpScanInternal
- FWIrcTrafficExternalDestination
- FWPortScanInternalSource
- FWPortSweepInternalSource
- FWExternalSMBTrafficDetectedFirewall
- FWPortScanExternalSource
- FWRDPExternalAccess
- FWSMBTrafficOutbound
- FwTftpOutboundTraffic

Proxy Alerts (Alert Pack: Proxy)
- REvilKaseyaWebShellsUploadConn
- REvilKaseyaWebShells

Public Facing Application Exploit Alert (Alert Pack: Exploit Public-Facing Application)
- HAFNIUMHttpPostTargetingExchangeServers

External Remote Services Alert (Alert Pack: Exploit Public-Facing Application)
- HAFNIUMWebShellsTargetingExchangeServers
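As an added illustration of what scan and sweep detections such as FWPortScanInternalSource and FWPortSweepInternalSource look for, and of why carrying a sourceIP and hostname field on the finding helps triage, here is a small Python detector run over constructed firewall log lines. This is example code, not Devo's alert logic or LINQ: the key=value log format, the field names, the thresholds and the hostname map are all assumptions made for the example.

```python
"""Port scan / port sweep heuristics over firewall deny logs.

Added illustration only: not Devo's alert logic. The key=value log format,
field names, thresholds and sample data below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # "port_scan" or "port_sweep"
    src_ip: str     # scanning host
    hostname: str   # resolved name of src_ip, attached for triage context
    target: str     # dst IP (scan) or dst port (sweep)
    count: int      # distinct ports (scan) or distinct hosts (sweep)


def parse_line(line: str) -> dict:
    """Parse one constructed 'k=v k=v ...' firewall line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect(lines, scan_ports=10, sweep_hosts=10, hostnames=None):
    """Flag a port scan (one src -> many dst ports on one dst host) and a
    port sweep (one src -> one dst port on many dst hosts).

    Only denied connections are counted: a scanner mostly hits closed ports,
    while legitimate clients are mostly allowed through.
    """
    hostnames = hostnames or {}
    ports_by_pair = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_by_port = defaultdict(set)   # (src, dport) -> {dst}
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "deny":
            continue
        ports_by_pair[(f["src"], f["dst"])].add(f["dport"])
        hosts_by_port[(f["src"], f["dport"])].add(f["dst"])

    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_ports:
            findings.append(Finding("port_scan", src, hostnames.get(src, "unknown"), dst, len(ports)))
    for (src, dport), hosts in hosts_by_port.items():
        if len(hosts) >= sweep_hosts:
            findings.append(Finding("port_sweep", src, hostnames.get(src, "unknown"), dport, len(hosts)))
    return findings


# Constructed sample: 10.0.0.5 probes 12 ports on 10.0.1.7 (scan), then tries
# port 445 on 11 hosts (sweep). 10.0.0.9 is benign, allowed traffic.
SAMPLE_LOGS = (
    [f"action=deny src=10.0.0.5 dst=10.0.1.7 dport={p}" for p in range(20, 32)]
    + [f"action=deny src=10.0.0.5 dst=10.0.2.{h} dport=445" for h in range(1, 12)]
    + ["action=allow src=10.0.0.9 dst=10.0.1.7 dport=443"] * 15
)
SAMPLE_HOSTNAMES = {"10.0.0.5": "ws-eng-042.corp.example"}  # constructed


def run_sample():
    return detect(SAMPLE_LOGS, hostnames=SAMPLE_HOSTNAMES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The two aggregations are deliberately separate: a scan is many ports against one host, a sweep is one port against many hosts, and collapsing them into a single "distinct destinations" count hides which of the two happened. Counting only denied connections keeps a busy but legitimate client from crossing the threshold.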

Related products: Devo SecOps

Devo Parser Catalog update for November

The Devo Parser is one of the secret ingredients of our Hyperstream technology. Parsers split the raw events stored under a tag into columns and present them in the corresponding table. This approach bypasses data indexing entirely and is a large part of why Devo searches are so fast. Every data source is unique, so we maintain a large catalog of parsers; our teams review parser performance, build new parsers, and update existing ones regularly. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Updated Parsers (each links to its Documentation page)
- cloud.azure
- firewall.watchguard
- ftp.crushftp
- mail.mimecast
- firewall.all.traffic
- vcs.github
- cloud.office365
- cef0.netsckope
- cef0.fortinet
- db.oracle
- firewall.all.ips
- box.unix
- firewall.cisco
- ids.suricata
- cloud.office365.management

Related products: Devo Integrations

Devo Collector Catalog update for November

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some Documentation pages may not be available at the time of posting but will be added as soon as they are ready. To request a new collector or an update to an existing one, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
- Dynatrace v1.0.0
- Sendmarc v1.0.0 (documentation in progress)
- Absolute 1.0.0 (documentation in progress)

Updated Collectors
- AWS SQS v1.7.0
- Lark v1.2.0
- Proofpoint POD v1.2.2
- Trend Micro Vision One v1.2.2
- Cyberark EPM v1.1.0
- Citrix Cloud v1.2.0
- Workday v1.3.0
- Office 365 Exchange Message Tracing v3.2.2
- Tenable v1.6.0
- Trellix DLP v1.1.0
- Crowdstrike API Resources v1.11.0
- Azure EH v2.4.0
- Mimecast v2.2.1
- Proofpoint TAP v3.1.1

Related products: Devo Integrations

Platform Release 8.14.4

Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.4 brings a variety of improvements to Data Search. A new Search button streamlines Data Search workflows: you can launch new searches directly from a search results page without going back to the finder, which speeds up threat hunting considerably. We have also enhanced error handling with a persistent error icon that you can refer back to and that, when possible, lets you reload the data from the error details.

Geo Availability
- GovCloud: Pending
- CA: Released
- US: Released
- EU: Released
- APAC: Released

New Features

Search button in Data Search
You can now run a new search from within an existing search results window without returning to the finders area. The new Search button is on the right-hand side and launches a new search window. The query is validated continuously as you type, and the Run button is enabled only when the query is valid. Learn more in our Documentation.

New error handling menu in Data Search
When a search fails, a new error icon appears in the toolbar and stays there for reference. Clicking the icon reveals the error details and, when possible, offers a Reload data button. Learn more in our Documentation.

Bug Fixes
- Data Search: fixed an occasional error in which the query editor collapsed to a tiny size and had to be expanded again.
- Data Search: a cloned query lost its refinements. After cloning a query (while in incognito), the new query was not identical to the original.
- Data Search: converting the old lookup syntax with a literal did not preserve quotes. The suggested query in the new lookup syntax did not work for some users because of a bug in translating a string type.
- Data Search: z-index issue with the date picker. The date picker was sometimes hidden behind a floating window; it now stays on top of other elements inside Data Search. A few scenarios still need attention, but the problem is much reduced.

Related products: Devo Platform

Platform Release 8.14.3

Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.3 brings a variety of improvements to Alerts. I'm excited to announce Streaming Mode for Alerts: once you turn it on, you no longer have to refresh the triggered alerts list manually and can work with triggered alerts in real time. Auditing becomes easier with a new post-filter auditing table. We have also added column visibility settings to the Triggered Alerts table so you can show, hide, and reorder columns to build a customized view.

Geo Availability
- GovCloud: Pending
- CA: Released
- US: Released
- EU: Released
- APAC: Released

New Features in Alerts

Streaming Mode for Alerts
Turn on Streaming Mode in Alerts to see triggered alerts in real time without having to click "Load new".

New post-filter auditing
Track the creation and deletion of post filters in the new table devo.audit.alert.definition.

New custom column visibility
This new feature in the Triggered Alerts table lets users show, hide and reorder columns for a customized view.

In Activeboards

Improved error messages
Error handling has been changed to improve the messages displayed, providing more comprehensive output that clearly informs users about the problem and points them toward a potential solution.

Improvements
- Triggered alerts tables now use the new UI, so you need to double-click to edit the Status and Priority cells.

Bug Fixes
- Fixed a bug that prevented opening the Alert details when the alert definition had been deleted.
- Fixed an anti-flooding bug.
- Fixed Jira and ServiceNow notifications.

Related products: Devo Platform

Devo Security Operations: OOTB Alerts Release 31

We're thrilled to announce the latest updates and additions to our alerting system with Release 31. First, alert templates were updated to make notifications more accurate and comprehensive. Second, we developed a Ransomware MOVEit Vulnerability alert pack to detect and respond to potential exploitation attempts, covering the key attack vectors related to this threat.

To access the updated detections, open the Security Operations app inside Devo and navigate to the Content Manager, where you can search for a detection by name and manage your alerts. To update or install alerts and alert packs, visit Devo Exchange.

New Alert Pack: Ransomware MOVEit
To help detect and mitigate the threat posed by CL0P, we are offering a comprehensive set of alerts designed to identify key indicators of compromise (IOCs) and suspicious activities linked to this ransomware. These alerts are tailored to detect behaviors such as unusual file modifications, exfiltration attempts, and known malicious binaries, giving security teams the ability to respond rapidly to potential incidents. Devo Exchange links are available for the US, US3, CA, EU and APAC regions.

Updated alerts available in the Ransomware MOVEit Vulnerability Alert Pack:
MoveitPotentialNetworkActivityExploitationPotentialThreatConnectionRansomBehaviourRansomBehaviorShadowCopyDeletionAndResizingMoveitWindowsEvtxFileCreationSuspiciousCmdExecDirChangeUserReconnStopWindowsServiceViaNetDomainReconnADEnumerationAndTrustMappingPhishingEmailRansomDistributionCampaignVolumeShadowCopyDeletionHighVolumeFileDeletionBcdModificationRecoveryAndBootFailureSuppressionMoveitCmdlineFileCreationMoveitDynamicCompilationViaCscExeMoveitFilePotentialActivityTransferExploitation

Additionally updated alerts
- AzureUserLoginSuspiciousRisk: available in the Azure Alert Pack and the Valid Accounts Alert Pack
- LinuxMaxSessionsPerUser: available in the Linux Log-Based Threat Detection Suite Alert Pack and the Valid Accounts Alert Pack
- TLDFromDomainNotInMozillaTLD: available in the Dynamic Resolution Alert Pack
- WinAdminRemoteLogon: available in the Windows Log Threat Detection Suite Alert Pack and the Valid Accounts Alert Pack

Find them directly on Devo Exchange!

Related products: Devo SecOps

Devo Platform 8.14.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.0 brings a redesigned Home Page that is more lightweight and relevant to all our users. Jump directly into useful resources with the new top-row cards, return to your tasks faster with quick-launch windows containing your recent and favorite searches and Activeboards, or start querying your data from the query window in the center of the page. A new Ingestion and Licensing tab in Usage Analytics, plus login and table improvements, round out the release.

Geo Availability
- CA: Released
- US: Released
- EU: Released
- APAC: Released

New Features

Homepage redesign
We have redesigned the homepage to make it more lightweight, relevant and useful to all our customers. Main benefits:
- Jump to useful resources and features directly from the Homepage.
- View relevant information focused on your most recent activity and favorite assets.
- Run queries directly from the homepage.
Widgets that used to be on the home page have been moved to a new tab in Usage Analytics called Ingestion & Licensing.

Quick Action Cards
These are launch points to additional resources. They can be closed individually, hidden from view, or restored if a card was closed by mistake.

Query and Recent Alerts
This section provides a quick view of your latest alerts and lets you start querying your data without leaving the homepage. The keyboard shortcut to run your query is Ctrl+Enter on PC and Command+Enter on macOS.

Recent Searches and My Favorites
Get back to a previous search quickly, or jump to your saved searches and Activeboards directly from the home page.

Set your HomePage in preferences
You can also set your homepage in your preferences.

New permissions available for HomePage
The following permissions now control the visibility and use of the Homepage widgets (Permission: Element):
- Finders (view) AND Domain search history (view): "My search history (last 24h)" widget, "My favorite searches" widget
- Triggered alerts (view) OR Alert configuration (view): "Last 5 unread alerts" widget
- Data upload (manage): "Upload your data" card
- Activeboards (view): "My favorite Activeboards" widget
- Finders (view) AND Free text queries (manage): "New query" section
- Preferences (manage): "Go to 'User preferences'" shortcut
- Usage Analytics (view): "Go to Usage Analytics" shortcut
- Home area (view): Entire Home section

New Ingestion and Licensing metrics in Usage Analytics
Some of the widgets from the old homepage have been moved to a new Usage Analytics tab, Ingestion and Licensing, and enhanced. This tab gives you a detailed view of:
- Daily license usage summary
- Live ingestion stats
- Number of events
- Ingestion volume
- Ingestion by technology
- Total daily volume
All measurements are now in decimal units (GB, TB, etc.) to align with licensing terminology. Learn more about Usage Analytics in our Docs.

Authentication improvements
Web access can now be accomplished through SAML2 using a URL that does not contain the "@" character.

Synthesis and Injection table alignment
The "_" character is now allowed in tag names for new injections and new synthesis tables. We have also updated the error messages:
- For Unions: The table name must contain at least one alphanumeric character and not contain spaces or special characters (underscores are allowed).
- For Injections: The target table must contain at least one alphanumeric character and not contain spaces or special characters (underscores are allowed).

Bug Fixes
- Session identifiers are no longer written to the User Action Logs in the devo.internal.audit.logs tables.

Related products: Devo Platform

Devo Exchange: MITRE ATT&CK Adviser 1.10.0

Hello everyone, the latest release of the MITRE ATT&CK Adviser is now live! The MITRE ATT&CK Adviser is a key tool for understanding your alert coverage and managing your security posture, and everyone has access to it through Devo Exchange. Release 1.10.0 adds new features and user interaction improvements, starting with the new Technique card filter, which narrows the Alerts section to the alerts available for that card. We have also enhanced the log source filter so that it additionally filters the alerts within the chosen techniques, showing only alerts related to the selected log source.

Geo Availability
- GovCloud: Released
- CA: Released
- US: Released
- EU: Released
- APAC: Released

New Features

Technique card alert filter
Clicking on a Technique card automatically filters the alerts shown in the Alerts window to those available for that technique, speeding up alert management and improving the MITRE ATT&CK Adviser workflow.

Log source filter now affects both alerts and techniques
The MITRE ATT&CK Adviser now filters the alerts within the techniques for the selected log sources and calculates total coverage more accurately.

Improvements

Alert filter improvements
The MITRE tables have been migrated to the new system, which brings new filter options to the Alerts window. You can now filter by:
- Contains
- Does not contain
- Equals to
- Does not equal to
- Begins with
- Ends with
- Blank
- Not blank
Learn more on Devo Docs!

Related products: Devo Exchange

Platform 8.13.0

Hello everyone, the latest release of the Devo Platform is now live: Release 8.13.0! This update delivers on customer-requested features with a bang. Starting with Data Search, we have delivered lookup syntax convergence: you can now use the same lookup syntax in Data Search and in the API. We have also added a new Lookup Wizard and IP/CIDR matching support in lookups. In Alerts, this release delivers several post-filtering improvements, including a new date picker that takes your time zone into account and parameter action types in the post-filter list of actions. We have also added audit logs for Delco API requests, and more.

Geo Availability
- GovCloud: Pending
- CA: Released
- US: Released
- EU: Released
- APAC: Released

New Features

Data Search

Lookup syntax convergence
Lookups no longer require different syntax in Data Search and in the API: this release brings the API lookup syntax in line with Data Search. The old syntax is deprecated but can still be used.

Lookup Wizard now available
This new functionality helps you use and configure your lookup operations. Configure the category and the available operations. The wizard works with regular lookups as well as shared lookups, contains a lookup listing that displays the key name and key type, and includes comprehensive help dialogs.

IP/CIDR matching is fully supported in lookups
Available now for newly created lookups. Lookups created from the UI using a CSV can be edited so they are recreated and make use of this feature.

Alerts

Post-filter improvements
- New date picker that uses the user's time zone.
- Added the parameter action type to the post-filter list of actions.

Audit logs for Delco API requests
Users can now monitor audit logs of policy requests made via the Delco API in the secops.audit.api table.

Alert definitions now accept the regular syntax for lookup operations
Users can now use the regular lookup syntax when creating or editing any alert query, in the UI or through the Alerts API.

Flow

Allow data injection into other domains with DevoSink
Users can now inject data into another domain with Devo Sink inside the Flow editor, using the API key of that external domain. The API keys can be found under Administration > Credentials > Access keys in the domain you want to send the data to. That key grants write access to the target domain, so handle it as a credential.

Bug Fixes

Data Search
- Fixed edge cases where there was an issue opening a table from the finder.
- Fixed the grouping modal going missing when grouping by columns is selected.
- Fixed a column heading that stayed floating indefinitely.
- Fixed opening a query with group by using an alias.
- Fixed an issue with column headers when adding new columns.
- Fixed table header visualization broken by hidden columns.
- Fixed a display issue in the detail column panel.

Alerts
- Fixed post-filter validation with special characters.
- Fixed the view of the full post-filter condition for alerts with an existing post filter.
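The IP/CIDR matching described in the 8.13.0 notes above is a longest-prefix problem: an address can fall inside several overlapping entries, and the most specific one must win. As an added illustration of that semantics (Python, not Devo's lookup implementation or LINQ syntax; the table and sample events are constructed for the example), here is a small CIDR-keyed lookup that enriches events with the zone of their source address.

```python
"""Longest-prefix IP/CIDR lookup, the semantics a CIDR-keyed lookup needs.

Added illustration in Python, not Devo's lookup implementation or LINQ syntax.
The lookup table and sample events are constructed for the example.
"""
import ipaddress

# Constructed lookup table, network -> zone. Prefixes overlap on purpose so the
# most specific match must win.
CIDR_LOOKUP = {
    "10.0.0.0/8": "corp",
    "10.10.0.0/16": "corp-dmz",
    "10.10.5.0/24": "corp-dmz-mgmt",
    "192.168.0.0/16": "lab",
    "2001:db8::/32": "doc-v6",
}


def build_table(raw):
    """Validate every key as a network (strict=True rejects host bits set) and
    order longest prefix first so the first hit on lookup is the most specific."""
    nets = [(ipaddress.ip_network(cidr, strict=True), label) for cidr, label in raw.items()]
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def lookup(table, ip):
    """Return the label of the most specific network containing ip, or None.
    Malformed addresses return None instead of raising, so one bad field does
    not abort enrichment of the whole batch."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, label in table:
        if addr.version == net.version and addr in net:
            return label
    return None


def enrich(events, table, field="src", out="src_zone"):
    """Attach the zone label of an IP field to each event (constructed format)."""
    return [dict(event, **{out: lookup(table, event.get(field, ""))}) for event in events]


SAMPLE_EVENTS = [  # constructed
    {"src": "10.10.5.7", "dport": "22"},
    {"src": "10.10.9.1", "dport": "443"},
    {"src": "10.3.2.1", "dport": "445"},
    {"src": "8.8.8.8", "dport": "53"},
    {"src": "not-an-ip", "dport": "80"},
]


def run_sample():
    return enrich(SAMPLE_EVENTS, build_table(CIDR_LOOKUP))


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The sort in build_table is the whole point: a table scanned in insertion order would label 10.10.5.7 as "corp" because 10.0.0.0/8 appears first, which is exactly the mistake a string-keyed lookup cannot avoid. Address family is checked as well, so an IPv6 address never falls into an IPv4 entry.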

Related products: Devo Platform

Devo Collector Catalog update for October

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
- Kiteworks API v1.0.0 (Link to Documentation)

Updated Collectors
- Onelogin v1.3.0 (Link to Documentation)
- AWS SQS v1.6.1 (Link to Documentation)
- Rubrik v1.3.1 (Link to Documentation)
- VMware Carbon Black Cloud v1.4.2 (Link to Documentation)
- Salesforce v2.5.0 (Link to Documentation)
- Cortex XDR v2.0.1 (Link to Documentation)
- Snyk v1.1.1 (Link to Documentation)
- Google Workspace Alerts v1.8.0 (Link to Documentation)
- Google Workspace Reports v1.10.0 (Link to Documentation)
- Microsoft Defender ATP v1.4.1 (Link to Documentation)
- Recorded Future v1.5.1 (Link to Documentation)
- Cisco Umbrella v1.4.1 (Link to Documentation)
- Crowdstrike API v1.9.1 (Link to Documentation)
- Mimecast v2.1.1 (Link to Documentation)
- Cloudflare v1.1.1 (Link to Documentation)
- Box v2.0.0 (Documentation in Progress)
- Thinkst Canary v1.2.0 (Link to Documentation)
- Azure v2.3.0 (Link to Documentation)

Related products: Devo Integrations

Platform 8.12.6

Hello everyone, the latest release of the Devo Platform is now live! Release 8.12.6 provides enhancements to Data Search, Activeboards, Scheduled Tasks, and a selection of bug fixes. For Data Search, we have optimized priority levels. In Activeboards we have introduced a new widget property that allows you to exclude boundary periods from your charts. Scheduled Tasks have received increased character limits and optimized details forms. These changes enhance and extend existing workflows and introduce new reporting capabilities with the control of the boundary periods in your charts. Read on to learn more!

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

New Features

Activeboards

New Widget property to exclude boundary periods
It is now possible to exclude the initial or final periods in certain widgets when grouping data, reducing potential misinterpretations derived from viewing incomplete periods. This new functionality applies to:
- Line Charts
- Area Charts
- Column Charts
- Stacked Area Charts
- Stacked Column Charts
- Time Lapse widgets

Improvements

Data Search

Optimization of priority levels
Simplified priority levels to optimize resource allocation. Maximum query priority was removed. Learn more about priority levels in our Docs.

Activeboards

Enhanced Edit Mode
Edit mode now contains detailed descriptions of each available mode.

Scheduled Tasks

Increased Character Limit
Select fields in the scheduled task form now allow for larger character limits, which allows for more explanatory subjects, recipients and more complex queries.

Redesigned details form
We’ve improved the design of the form to enhance readability and understanding of each field.

Bug Fixes

Activeboards
- The Fill gaps property was shown in widgets even when the X-Axis was not a timestamp field. In that case the property has no effect, so it is not shown anymore.

Data Search
- The query previewer wasn’t showing the entire query in the Recent queries page.
- There were some random scenarios where the events were not shown correctly on the data table.
- A query with two groupings was causing issues with data downloads in data tables.

Autoparser
- The depth selector of the JSON split option was not disappearing when selecting another option (String or JSON object).
- The JSON split option was returning null values when using a depth of 3.

Related products: Devo Platform

Devo Platform 8.12.3

Hello everyone, the latest release of the Devo Platform is now live! Release 8.12.2 packs a collection of new Alert and Activeboard features and enhancements to power your workflows. Starting with Activeboards, you now have the option to attach the CSVs behind your table widgets to Scheduled Reports, enhancing an already powerful mechanic with complete data points. In Alerts, we are introducing a new alert status for Suppressed Alerts. You can now set alerts to Suppressed, helping you manage your alert noise to a greater degree. Lastly, I will highlight the new functionality that allows you to use my.lookuplist tables in Alert Definition Subqueries, opening new windows of possibilities! Read on to get the full list of enhancements in this update!

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

New Features

Activeboards

Attach table widgets as CSV in Scheduled Reports
Scheduled reports now allow users to receive table widgets as CSV files inside a ZIP file. Enabling this option will generate a single CSV for each table widget present in the Activeboard, and all of them will be inserted into a ZIP file that is attached to the email along with the PDF report. Learn more on Devo Docs.

Alerts

Assign sending policy from the Alert definition settings
It is now possible to assign sending policies to alert definitions directly in the creation and edit dialogs, making the process swifter and more efficient by centralizing all the required settings in a single dialog. Learn more on Devo Docs.

New API Endpoint to assign sending policy to alert definition
The very same functionality existing in the platform interface is also available in the Alerts API. It is now possible to assign a sending policy to an alert definition. Learn more on Devo Docs.

New API Endpoints to create, edit, and delete sending policies
The very same functionality existing in the platform interface is also available in the Delivery methods API. It is now possible to create, edit, and delete sending policies. Learn more on Devo Docs.

New Status: Suppressed Alert
A new Suppressed status has been created to assign to triggered alerts, enriching the workflow and adapting it to the current needs of analysts. Learn more on Devo Docs.

New API parameter to assign suppressed status to triggered alerts
As in the platform interface, a new parameter can be used in requests performed through the Alerts API to assign the Suppressed status to triggered alerts. Learn more on Devo Docs.

New functionality allows my.lookuplist tables to be used in alert definition subqueries
Each-type alert definitions can now include my.lookuplist tables in their subqueries, with certain limitations. Learn more on Devo Docs.

New API Endpoint to use my.lookuplist tables in alert definition subqueries
Each-type alert definitions can now include my.lookuplist tables in their subqueries through the API, with certain limitations. Learn more on Devo Docs.

Updated Features

Alerts

Redesigned Post-filter menu
The post-filter creation menu has been redesigned to reduce noise and make the process more straightforward. The Basic data section has been removed as it does not apply to user-created alerts, and the Date filters section has been removed as those filters can be applied in the Extra data section with the eventdate. The actions in the post-filter creation menu have been rearranged, and the possibility to change to any status has been added. Learn more on Devo Docs.

Extradata advanced filter now stays open
The dialog to add a filter condition in the extradata advanced filter now remains open until manually closed, giving users the chance to interact with the alert list without losing already entered parameters. This is especially useful to check a specific alert and its extradata for specific values, which can even be copied into the filter.

Activeboards

New default layout options for legend layout
To display these widgets with a friendlier layout that facilitates visualization and analysis, the default options for the legend layout have been changed. Learn more on Devo Docs.

Bug Fixes

Activeboards
- Widget versioning process was interrupted whenever one of them presented an error, leaving the remaining ones with an incorrect version.
- Error creating an aggregation task before the Activeboard is fully loaded.
- The full view option was still shown when already in full view mode.
- The option to create an aggregation task was shown for text inputs.

Alerts & Data processing
- September 2024 vulnerabilities up to date.
- Incorrect management of post-filter creation when there are invalid characters in the name.
- Input present in the post-filter creation window disappears if a creation error occurs.
- Error when trying to add several eventdate fields in the post-filter creation window.
- The dialog to edit an alert definition from a triggered alert closes after finding an error.
- Wrong error message when using an each-type alert with subqueries that present a wrong ratio between internal and external periods.
- In gradient-type alerts or each-type alerts with subqueries, invalid values are kept as an option when entering customized values in their settings dropdown.
- Error when returning to the triggered alerts area if a filter preset was applied, the time range was changed with absolute dates, and the changes were not saved before leaving the area via logout or domain change.

Related products: Devo Platform

Platform 8.12.2

Hello everyone, the latest release of the Devo Platform is now live! Releases 8.12.1 & 8.12.2 feature a collection of small improvements and bug fixes to make your life a little easier. They include improvements to Data Search, Lookups, Notifications, and menu enhancements, as well as bug fixes. In particular, improvements to drag & drop functionality, the Query Editor, and Injections. These improvements come from customer feedback and we are excited to quickly provide you with these enhancements. If you have any additional feedback please let us know below in the comments and check out the documentation links for in-depth descriptions of these improvements!

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

Improvements

Data Search

Drag and Drop
Improved the drag-and-drop feature, which had issues when dragging a field into a wizard.

Query Editor
Enhanced some error messages in the query editor to make them easier to understand.

Injections
Texts displayed in the new injection form are now fully translated into the intended language when the platform language is not English.

Login screen
An error message in the login screen has been improved to provide information about the cause, making it easier for users to find the solution. The specific error happens when unregistered users try to log in via SAML SSO with autoprovisioning disabled.

General

Left Menu
The left menu can now be opened in a new tab via right-click.

Lookup Notifications
Moved some lookup notifications from the Notifications menu to the Lookups Management bell icon.

Lookups

Centralized error notifications
To avoid duplication and increase certainty about where to find lookup errors and potential solutions, global notifications are no longer generated and stored in the Notifications area. They are only registered in the Lookup management area, where specific troubleshooting is provided if available. Learn more in our documentation.

Failure management process redesign
To avoid confusion when a lookup gets stuck in the creating status due to an error, it now remains on the list until manually deleted instead of disappearing when the lookup list is refreshed. This way, users can take their time to analyze the cause of the error and try to find a solution. Learn more in our documentation.

Notifications

Counter removed and lifespan set to 7 days
In order to remove noise and place the attention on relevant information, notifications have been restricted to the last 7 days. Furthermore, the counter of unread/total notifications shown when hovering over notifications in the navigation pane and the new notifications bubble have been removed. Learn more in our documentation.

Bug Fixes

General
- Single-Sign-On: Fixed a corner case where a single-sign-on session was restarted when clicking "Go to query" from alerts.

Data Search
- Table: Fixed an issue where the table sometimes hid certain rows from the user at first glance.
- Copy to Clipboard: Resolved a bug where copying text occasionally copied the entire raw event to the clipboard instead of just the highlighted text.

Navigation Pane
- Tooltip: Fixed incorrect text in the user information tooltip displayed when hovering over your profile picture.

Related products: Devo Platform

Devo Collector Catalog update for September

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
- Forcepoint SWG v1.0.0 (Link to Documentation)
- Radware CWAF v1.0.0 (Link to Documentation)

Updated Collectors
- Proofpoint POD v2.1.1 (Link to Documentation)
- Microsoft Graph v2.0.1 (Link to Documentation)
- Mimecast 2.0.1 (Link to Documentation)
- Duo v2.0.1 (Link to Documentation)
- Flashpoint Intelligence v1.1.0 (Link to Documentation)
- ServiceNow v1.5.1 (Link to Documentation)
- Cisco Umbrella v1.3.0 (Link to Documentation)
- Okta Resources v1.9.0 (Link to Documentation)
- Office365 Exchange Message Tracing v2.3.0 (Link to Documentation)
- Rubrik Collector v1.3.0 (Link to Documentation)
- Cortex XDR v1.4.0 (Link to Documentation)
- Qualys v2.2.1 (Link to Documentation)
- Fastly Next-Gen WAF v1.1.0 (Link to Documentation)
- Snowflake v1.4.1 (Link to Documentation)
- AWS SQS v1.6.0 (Link to Documentation)
- Microsoft Office365 Management API v2.4.0 (Link to Documentation)
- Proofpoint Tap v3.0.0 (Link to Documentation)
- Trend Micro Vision One v1.2.1 (Link to Documentation)

Related products: Devo Integrations

Devo Platform Release 8.12.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.12.0 introduces Subqueries to Data Search! That’s right, this powerful feature, previously available through the API, is now available directly in Data Search and you can start using it right away! A subquery makes it possible for you to use information from different sources in a single consultation and further restrict the data to be retrieved. We are excited to re-introduce Subqueries as a powerful tool in your Data Search toolbox. Check out the full article that lists requirements and an example LINQ query below!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Feature Enhancement

Subqueries now available in Data Search
Subqueries have been available for some time through other components and the API, but now you can use this powerful feature directly in Data Search!

What is a subquery?
A subquery removes the limitations of a single search by using the result of a query (the subquery) as a condition in another query, thus making it possible to use information from different sources in a single consultation and further restrict the data to be retrieved.

Requirements
Subqueries in Data Search need to be:
- Non-contextual: the subquery must be syntactically and semantically correct; if you extract it from the query it should run on its own. There is no information transfer between the query and the subquery.
- Time-bound in the past: subqueries must always be time-bound and defined in the past.
Learn more in our documentation.

Example
The most common use case for subqueries uses the in operator to determine whether the values of a specific field in a table match any of the values in the result set of a subquery.

    from siem.logtrust.web.activity
    where username in (
        from siem.logtrust.web.navigation
        where '2024-09-10 07:21:35' < eventdate < '2024-09-12 12:21:35'
        group every - by userEmail
    )
    where domain in (
        from siem.logtrust.web.navigation
        where '2024-09-10 07:21:35' < eventdate < '2024-09-12 12:21:35'
        group every - by domain
    )
    group every 10m by username, domain
    select count()

If you haven’t tried them yet, please do and let us know what you think!
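As an added illustration of how the query above is evaluated (this is example code written for this page, not Devo code and not the LINQ engine), the following Python models the two requirements in practice: each `in (subquery)` is non-contextual, so it can be evaluated once into a set of values from its own table and its own fixed time window before the outer query is filtered, and events outside that window never reach the result. The two tables, field values and timestamps are constructed stand-ins that reuse the field names from the release note's query.

```python
"""
Added illustration (not Devo code): an in-memory model of how the
subquery in the release note above is evaluated. Every table, field
value and timestamp below is constructed for the example.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed stand-ins for the two tables used in the release note.
# Field names match the LINQ query: navigation has userEmail/domain,
# activity has username/domain; both carry eventdate.
NAVIGATION = [
    {"eventdate": datetime(2024, 9, 10, 8, 0), "userEmail": "alice@example.com", "domain": "corp.example"},
    {"eventdate": datetime(2024, 9, 11, 9, 30), "userEmail": "bob@example.com", "domain": "dev.example"},
    # Outside the subquery window: must not contribute to the result sets.
    {"eventdate": datetime(2024, 9, 13, 10, 0), "userEmail": "carol@example.com", "domain": "old.example"},
]

ACTIVITY = [
    {"eventdate": datetime(2024, 9, 11, 10, 1), "username": "alice@example.com", "domain": "corp.example"},
    {"eventdate": datetime(2024, 9, 11, 10, 4), "username": "alice@example.com", "domain": "corp.example"},
    {"eventdate": datetime(2024, 9, 11, 10, 12), "username": "alice@example.com", "domain": "corp.example"},
    {"eventdate": datetime(2024, 9, 11, 10, 2), "username": "bob@example.com", "domain": "dev.example"},
    # username matches, but the domain only appears in an out-of-window navigation event.
    {"eventdate": datetime(2024, 9, 11, 10, 3), "username": "bob@example.com", "domain": "old.example"},
    # username never appears in the navigation subquery window.
    {"eventdate": datetime(2024, 9, 11, 10, 5), "username": "carol@example.com", "domain": "corp.example"},
]

# The fixed, in-the-past bounds used by both subqueries in the release note.
WINDOW_START = datetime(2024, 9, 10, 7, 21, 35)
WINDOW_END = datetime(2024, 9, 12, 12, 21, 35)


def subquery_values(table, field, start, end):
    """Model of `from <table> where start < eventdate < end group every - by <field>`.

    The subquery is non-contextual: it sees only its own table and its own
    fixed time bounds, never a value from the outer query, so it can be
    evaluated once into a set before the outer query is filtered.
    """
    return {row[field] for row in table if start < row["eventdate"] < end}


def floor_to_bucket(ts, minutes):
    """Start of the fixed-size time bucket that `group every <minutes>m` assigns ts to."""
    return ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second, microseconds=ts.microsecond)


def run_query(activity, navigation, start=WINDOW_START, end=WINDOW_END, bucket_minutes=10):
    """Evaluate the release note's query: two `in (subquery)` filters, then `group every 10m`.

    Returns sorted (bucket_start, username, domain, count) tuples, one per group.
    """
    known_users = subquery_values(navigation, "userEmail", start, end)
    known_domains = subquery_values(navigation, "domain", start, end)

    counts = Counter()
    for row in activity:
        if row["username"] not in known_users:
            continue
        if row["domain"] not in known_domains:
            continue
        key = (floor_to_bucket(row["eventdate"], bucket_minutes), row["username"], row["domain"])
        counts[key] += 1
    return sorted((bucket, user, domain, n) for (bucket, user, domain), n in counts.items())


if __name__ == "__main__":
    for bucket, user, domain, n in run_query(ACTIVITY, NAVIGATION):
        print(bucket.isoformat(), user, domain, n)
```

Running it yields three groups: alice in corp.example twice in the 10:00 bucket and once in the 10:10 bucket, and bob in dev.example once; bob's old.example activity is dropped because that domain was only seen outside the subquery window, and carol is dropped because she never appears in the window at all. Widening the window is the only way to change the subquery's result set, which is the practical meaning of "no information transfer between query and subquery".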

Related products: Devo Platform

Platform Release 8.11.1

Hello everyone, the latest release of the Devo Platform is now live! Release 8.11.1 introduces Alert Page presets! Now you can save your Alert page filters, create new ones, set them as default on a per-user level, and manage your presets! In addition, this release introduces a few enhancements to the devo.audit.alert.triggered table. Alert operations have been added to this table so you can now track when every alert has been triggered, among other details. Additionally, we have enhanced the tracking of alert priority changes with the alert priority name, giving you additional context when auditing your alerts. Learn more about this release below!

Geo Availability

Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

New Features

Introducing Alert Presets
With this release, you can now save your Alert Page view filters! Create, edit, save and delete your favorite filters to increase your productivity and speed up your workflow. Alert preset operations available at user level:
- Create a new preset
- Edit a defined preset
- Delete a defined preset
- Set/unset a defined preset as user default (applied when entering the alerts page for the first time in a session)
- Apply a user preset or the system preset

Improvements

New Audited Operation field added
Users can now track and audit when an alert was triggered with this new operation added to the audit table devo.audit.alert.triggered. The complete list of tracked elements in this table is now:
- User-generated operations:
  - Triggered Alert status change.
  - Triggered Alert priority change.
  - Triggered Alert deletion.
  - Triggered Alert comments management (create/update/delete/reply comment).
- System-generated operations:
  - Triggered Alert generation (the new operation type added in this release).

Improved Priority Change recording
The Triggered Alert priority change record in devo.audit.alert.triggered now contains the alert priority name in addition to the changed status, enhancing the context around this log entry. Read the full documentation of this release in our Docs!

Related products: Devo Platform

Devo Parser Catalog update for August

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers
- dmp.egnyte (Link to Documentation)

Updated Parsers
- proxy.zscaler (Link to Documentation)
- cloud.azure (Link to Documentation)
- box.all.win (Link to Documentation)
- firewall.cisco (Link to Documentation)
- adn.f5 (Link to Documentation)
- endpoint.vmware (Link to Documentation)
- mail.fortinet (Link to Documentation)
- box.unix (Link to Documentation)
- network.meraki (Link to Documentation)
- firewall.fortinet (Link to Documentation)
- firewall.sophos (Link to Documentation)
- box.vmware (Link to Documentation)
- auth.cisco (Link to Documentation)
- mail.proofpoint (Link to Documentation)

Related products: Devo Integrations