Product Updates

The Devo Relay is a critical feature of Devo that receives inbound events from your data sources and then sends them to your Devo instance with all the tagging and processing rules that make Devo work as fast as it does.   Release 2.15.1 adds automations and new OS support.  The first automation added removes the additional steps to launch the relay after setup.  With this next feature, all certificates will automatically renew 1.5 months before expiration. This is a huge usability improvement and greatly received!  Lastly, support for Ubuntu 24, aka Noble Numbat, and support for Ubuntu 20 has been retired.  Learn more below!  Table of ContentsEnhancements Automatic activation Automatic renewal of Relay Certificates Support for Ubuntu 24 Removed support for Ubuntu 20 Bug Fixes Source tag capture groups  EnhancementsAutomatic activationThe relay is now automatically activated after setup. No need to go to the UI to click on the activation button.Learn more in our documentation Automatic renewal of Relay CertificatesRelay certificates are now automatically renewed before expiration, yay! One and a half months before the expiration date, the certificate will be automatically renewed. Support for Ubuntu 24Added support for Ubuntu 24, also known as Noble Numbat. Please note, you need to upgrade to devo-monitor v2.1.2 as a requirement. Removed support for Ubuntu 20Support for this outdated version of Ubuntu is discontinued.Read more in our documentation. Bug FixesSource tag capture groupsBug stopping this tag in rules from working has now been corrected.

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Parsers box.audit storage.synology network.meraki cef0.checkPoint cef0.cyberark Ddos.arbor firewall.fortinet firewall.watchguard   Updated Parsers box.audit Fixed for: box.audit.unix.auditd Fixed: Fixed additional trailing quote issue for OUID, OGID and FSGID fields. storage.synology Added new field: storage.synology.dsm.connection network.meraki Fixed issue for: network.meraki.events cef0.checkPoint Added new field: cef0.checkPoint.queryDatabase cef0.cyberark Added new field: cef0.cyberark.pta Ddos.arbor Fixed parsing issues and added support for legacy messages for: ddos.arbor.pravail.aps firewall.fortinet Fixed issue for: firewall.fortinet.event.system firewall.watchguard Fixed issue for: firewall.watchguard.event

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Collectors Fastly Next-gen WAF v1.2.0 Alibaba Cloud collector v1.4.0 Big ID collector v1.1.0 Microsoft Defender ATP for Endpoint collector v2.1.0 Google Workspace Alerts collector v1.10.0 Proofpoint TAP collector v3.3.0 CyberArk Identity collector v1.3.0 Salesforce Collector v3.2.1 Wiz Collector v1.8.0 Okta collector v2.1.0 Zscaler collector v2.0.3 Office365 Exchange Message Tracing Collector v2.4.0 Microsoft Defender ATP (Endpoint) collector v2.1.1 Sailpoint IdentityNow collector v1.1.1  Updated CollectorsFastly Next-gen WAF v1.2.0Fixed Fixed init variable error for fastly event services Handled invalid start time condition for feed_request service Updated default request_period_in_seconds to avoid invalid time interval issue for feed_request service Changed Upgraded DCSDK from 1.12.4 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1 Alibaba Cloud collector v1.4.0Added Added custom service for pulling data from log stores Big ID collector v1.1.0Bug Fixes Modification of the endpoint that returned data in an incorrect format Improvements Updated DCSDK from 1.13.1 to 1.15.0 Microsoft Defender ATP for Endpoint collector v2.1.0Improvements Improved the pull logic of the alerts service, reducing the time to send the alerts data Bug Fixes Fixed the issue of api/alerts/{"id"]}/user endpoint, handling 404 error Google Workspace Alerts collector v1.10.0Improvements Updated DCSDK from 1.13.1 to 1.15.0 Bug Fixes Fixed a concurrency issue in which multiple threads could attempt to read the credentials file before it was fully written, resulting in an "Expecting value…" JSON parsing error. Now, both read and write operations for the credentials file are protected by the same global lock, ensuring the file is correctly created before it is accessed in concurrent environments. Proofpoint TAP collector v3.3.0Improvements Improvements of the request limit for every service Optimized the pull logic and flatten logic of the threat service CyberArk Identity collector v1.3.0Improvements Updated base URL Updated DCSDK to 1.15.0 Upgraded docker base image to 1.4.1 Salesforce Collector v3.2.1Improvements Fixed unit tests Added internal user guide Fixes Fixed the persistence logic to avoid getting stuck in loop Wiz Collector v1.8.0Feature Provided an option to override auth token in user config Bug fixes Made changes for latest WIZ certification requirements Improvements Upgraded DCSDK to 1.15.0 Upgraded docker base image to 1.4.1 Added unit tests Added internal user guide Okta collector v2.1.0Improvements Added support for obfuscation functionality Updated DCSDK to 1.15.0 Upgraded docker base image to 1.4.1 Zscaler collector v2.0.3Fixes Fixed the issue for Waiting until setup will be executed Office365 Exchange Message Tracing Collector v2.4.0Changed Upgraded DCSDK from v1.13.1 to v1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1 Fixed Fixed authentication issue Microsoft Defender ATP (Endpoint) collector v2.1.1Bug Fix Fixed issue for recommendation and machine service was getting stuck Sailpoint IdentityNow collector v1.1.1Bug fixing Fixed issue with status code error Fixed issue with missing logs Improvements DCSDK update from 1.8.0 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1

The latest release of the Devo Platform is here! Release 8.15.17 brings one main improvement and a few bug fixes.  The primary change is in the Data Search page, we’ve moved the Lookup Management and Current queries tab to the administration section.  This change was done for functional consistency, keeping in mind some great to come in the future.  In support of this change the Role permissions for these two tabs where also moved, now under the Data Section.  In addition to this main change, we also have some small improvements and bug fixes. Remember we also have ProdCasts so you can listen while you work! Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Table of ContentsImprovements Relocation of “Lookup Management” and “Current queries” from Data Search Small changes Bug fixesImprovementsRelocation of “Lookup Management” and “Current queries” from Data SearchWe’ve moved these two tabs to improve navigation and functional consistency.  You can find both Lookups and Current queries under Administration→ Data management.For more details, see our documentation.In support of this change the Role permissions for Lookups and Current querries have been moved from Data Search section to the Data Section.Small changes  Menu: Previously, the main menu’s submenu tooltips did not always disappear when the user moved the mouse pointer out of the area. This has been corrected, and unnecessary tooltips removed.  Bug fixes  Notifications: Previously, notifications were not displayed on the notifications page. Now all relevant notifications are displayed. Data search: Previously, when a time period with no data was selected, an error notification was displayed. Now, a clear message indicating “no data to display“ appears directly within the table.  

The latest release of the Devo Platform is here! Release 8.15.15 brings a pair of usability improvements and bug fixes. With this release, users who use Single Sign-On will be able to quickly return to their session after they log out with the new Session Recovery system. For Data Search, you now have more control over how you Download Data, be it directly on the browser or as a background process, providing new flexibility for large data sets.  New download formats were also added to improve the flexibility of this tool.  Lastly, a new wait period is introduced to the automatic token deletion system of 30 days.  Learn more here! Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Feature Recover Session functionality added for SSO logins Improvement Improvements to Download Data form in Data Search Token Deletion Delay Bug Fixes New FeatureRecover Session functionality added for SSO loginsUser who log out of an Single Singe-On session will have a new option to recover their session from the log in page.  This functionality will be remain available until the browser is refreshed.Learn more in our Documentation.ImprovementImprovements to Download Data form in Data SearchWe have improved the Download Data function to provide greater clarity regarding how downloads are executed.  The system has be optimized as follows:Two new Radio Buttons:Attachment - Lets you download the data immediately via browser. Download Link - Lets you download the data as a background task.A secondary list of available file formats is additionally presented based on your chosen radial button option.Learn more in our Documentation. Token Deletion DelayWhen tokens expire, the system now waits 30 days after expiration before automatically deleting the token. Bug Fixes Audit logs: Previously, the audit log displayed the actual token when a user accessed its details. Now, for enhanced security, the log shows the hashed value of the token. Data search: Previously, when a time period with no data was selected, an error notification was displayed. Now, a clear message indicating “no data to display“ appears directly within the table.   

Devo Documentation is a live repository of information, how-to’s, troubleshooting guides, and installation instructions for every part of Devo solutions. It is a large repository of information with many moving parts and authors and it gets updated daily. These articles will help highlight some of the key updates that provide the most impact or improvements to your existing workflow. The highlight of these updates is rebuilt documentation for a variety of SQS collectors and JSON pages. If you have any questions or suggestions for our documentation team, post them in the comments below! In March, we updated 177 Articles!Here are some highlightsTable of ContentsData Search Best practice for data search Data Search Error Codes Collectors Microsoft Azure Events Hub Collector Microsoft Graph Collector Wiz Collector CroudStrike Intelligence Collector Entra ID collector (Formerly Azure Active Directory) Microsoft 365 Management API Collector  Data SearchBest practice for data searchThis handy article collects all the useful tips and best workflows from across Devo to enhance your Data Search practical knowhow. Data Search Error CodesA complete list of error codes and their meaning.  Very handy! CollectorsMicrosoft Azure Events Hub CollectorAre you feeling overwhelmed by the 80 line configuration file for the Azure Event Hub collector?  If you use the example from the public documentation, they only need to fill out five fields in a 20 line file, and there's a graphic that will guide them.Use the Azure Event Hub collector for authentication data to avoid API delays and limits.  Customers should still use the Graph collector to get intelligence about the authentication data.Microsoft Graph CollectorOne of Devo’s top 5 collectors. Customers should use it to import Microsoft's security intelligence into Devo.  Customers should upgrade to 3.2.0 using the migration guide. Instructions were simplified, no longer do you need redirect URI’s Wiz CollectorThe Devo Wiz collector allows customers to retrieve Wiz cloud security issues into Devo to query, correlate, analyze, and visualize to enable Enterprise IT and Cybersecurity teams to take the most impactful decisions at the petabyte scale.CroudStrike Intelligence CollectorUse this to detect when a rootkit tries to tamper with Crowdstrike sensors.Entra ID collector (Formerly Azure Active Directory)Entra ID data is critical to detecting authentication threats for those customers who use it to manage a authentications in all their apps. Customers can export Microsoft's AI-based risk analysis to Devo and use it to find threats in their non-Microsoft data sources.Microsoft 365 Management API CollectorThis updated documentation simplifies the enablement process in addition to providing useful use cases and troubleshooting tips to secure their data. 

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Parsers auth.all edr.all.threats Cloud.azure ftp.crushftp Seg.checkpoint DDOS.arbor  Updated Parsersauth.allLink to DocumentationChange Log Added New fields for: cloud.azure.ad.signin New mapping added for: box.win_snare  edr.all.threatsLink to DocumentationChange Log Added New tables: cloud.sophos.central.alerts Cloud.sophos.central.events Edr.crowdstrike.falconstreaming.detection_summary edr.microsoft_defender.endpoint.alerts Updated table: edr.crowdstrike.falconstreaming.epp_detection_summary  Cloud.azureLink to DocumentationChange Log Added New tables for Advanced Hunting sent by Azure: cloud.azure.ah.alert_evidence cloud.azure.ah.alert_info cloud.azure.ah.cloud_app_event cloud.azure.ah.device_event cloud.azure.ah.device_file_certificate cloud.azure.ah.device_file_event cloud.azure.ah.device_image_load_event cloud.azure.ah.device_info cloud.azure.ah.device_logon_event cloud.azure.ah.device_network_event cloud.azure.ah.device_network_info cloud.azure.ah.device_process_event cloud.azure.ah.device_registry_event cloud.azure.ah.device_identity_logon_event cloud.azure.ah.mail_atteachment_info cloud.azure.ah.mail_event cloud.azure.ah.mail_post_delivery_event cloud.azure.ah.mail_url_info cloud.azure.ah.url_click_event ftp.crushftpLink to DocumentationChange Log Fixed parsing issues for: ftp.crushftp.event  Seg.checkpointLink to DocumentationChange Log Fixed parsing issues for: seg.checkpoint.harmony.event DDOS.arborLink to DocumentationChange Log Fixed parsing issues and added support for legacy messages for: ddos.arbor.pravail.aps

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsNew Collectors Spidersilk Collector v1.0.0 Updated Collectors IBM Cloud logs v2.0.1 (previously IBM Cloud Activity Tracker) Microsoft Graph Collector v3.0.0 Google Cloud Platform Collector v2.2.0 Cyble Vision Collector v1.1.0 Tencent Collector v1.1.0 Zscaler Collector v2.0.0 Alibaba Cloud Collector v1.3.0 Microsoft Azure Collector v2.5.0 Menlo Collector v1.4.0 Salesforce Collector v3.1.0 Microsoft Defender ATP Endpoint v2.0.0 Proofpoint TAP v3.2.0 Microsoft Graph v3.2.0 Alibaba Collector v1.3.1 Salesforce Collector v3.2.0 Zscaler Collector v2.0.1  New CollectorsSpidersilk Collector v1.0.0Link to DocumentationChange LogA new collector for Spidersilk has been introduced, designed around a snapshot-based data retrieval approach. This collector enables targeted gathering and analysis of information from several key services: Threats: Delivers periodic snapshots to help you monitor and address potential security issues.  Assets: Provides scheduled snapshots of your assets, supporting continuous asset tracking and visibility. Darkweb: Supplies consolidated snapshots of dark web activity relevant to your organization, aiding proactive risk awareness. DCSDK version: 1.14.0  Updated CollectorsIBM Cloud logs v2.0.1 (previously IBM Cloud Activity Tracker)Link to DocumentationChange Log Changed the name of the collector to `IBM CLoud Logs` Updated the migration_guide accordingly.  Microsoft Graph Collector v3.0.0Link to DocumentationChange Log Updated DCSDK solves bug INT-3340 Updated DCSDK from 1.13.1 to 1.14.0  Google Cloud Platform Collector v2.2.0Link to DocumentationChange Log Added a logging filter to handle `ValueError` related to closed RPC channels. This error occurs when an RPC call is attempted on a closed connection, usually due to normal service shutdowns or transient network issues. Since these cases do not indicate a critical failure, the error is now logged as a warning instead of raising an exception. DCSDK version: 1.14.0  Cyble Vision Collector v1.1.0Link to DocumentationChange Log Updated DevoCollectorSDK version from 1.9.2 to 1.15.0 Upgrade Docker image base to version v1.4.1 in Dockerfile  Tencent Collector v1.1.0Link to DocumentationChange Log Upgraded DCSDK from 1.13.1 to 1.15.0. Upgraded Dockerfile base image to 1.4.1. Created a separate table for cloudaudit logs.  Zscaler Collector v2.0.0Link to DocumentationChange Log  Refactor code and upgraded DCSDK to 1.15.0  Upgraded docker base image to 1.4.0  Sending data to new table `sse.zscaler.zia.audit`  Alibaba Cloud Collector v1.3.0Link to DocumentationChange Log Updated DCSDK from 1.14.0 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1 Added new smq service  Microsoft Azure Collector v2.5.0Link to DocumentationChange Log New autocategorization rules for several tables: cloud.azure.ah.alert_info cloud.azure.ah.alert_evidence cloud.azure.sql.securityauditevents cloud.azure.vm.subassessment cloud.azure.virtualnetwork.net_sec_group_event cloud.azure.eh.metrics cloud.azure.firewall.network_rule cloud.azure.firewall.application_rule cloud.azure.firewall.dns_query cloud.azure.storage.storageread cloud.azure.storage.storagewrite cloud.azure.storage.storagedelete cloud.azure.traffic_manager.probe_health_status The timezone of pendulum.now() is explicitly set to UTC now Corrected typo in rules of: cloud.azure.intune.operation Updated SDK from 1.12.2 to 1.15.0:Differentiated error codes for SdkPersistenceServiceError.  Menlo Collector v1.4.0Link to DocumentationChange Log Upgraded the DCSDK from 1.14.0 to 1.15.0. Upgraded dcsdk-docker-base-image to 1.4.1 Fixed the Setup Error issue caused by the start date in the config.  Salesforce Collector v3.1.0Link to DocumentationChange Log Upgraded the DCSDK from 1.13.1 to 1.15.0. Upgraded dcsdk-docker-base-image to 1.4.1. Fixed the custom fields not showing up bug in custom query.  Microsoft Defender ATP Endpoint v2.0.0Link to DocumentationChange Log Added a new endpoint for the service assessments (/SoftwareVulnerabilityChangesByMachine) Changed the name of the assessments service from assessments_beta to assessments Updated Docker image to 1.4.1 Updated DevoCollectorSDK from v1.12.4 to v1.15.0: Added a new endpoint for the service assessments  Proofpoint TAP v3.2.0Link to DocumentationChange Log Refactor code and upgraded DCSDK to 1.15.0 Upgraded docker base image to 1.4.1 Fixed the OOMK bug causing the collector to restart  Microsoft Graph v3.2.0Link to DocumentationChange Log Fixing bug with pendulum and TZ causing re-authentication to fail Updated DCSDK from 1.14.0 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1  Alibaba Collector v1.3.1Link to DocumentationChange Log  Fixed issue with handling byte values in access_log service response  Salesforce Collector v3.2.0Link to DocumentationChange Log Made skip_export user configurable in the custom service query.  Zscaler Collector v2.0.1Link to DocumentationChange Log Fixed the issue for invalid session error.        

The latest release of the Devo Platform is here! Release 8.15.13 brings improvements through many components of the Platform and introduces a new feature! The Multitenant Content Manager for Devo Exchange makes its debut! You can now manage the available Exchange content for your tenant domains using tailored content plans. The Alerts workflow has also been improved by introducing the new Rules tab on the Alerts page. Manage and perform bulk actions from the Alert Page home! Additionally, a wide variety of smaller improvements and bug fixes are introduced with this release. Read on to learn more!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Listen to this Release in Podcast format in the latest Devo ProdCast! Table of ContentsNew Features Devo Exchange Multitenant Content Manager Alerts New Rules tab in Alerts homepage View Raw event data “Go to query” renamed “Source query” Improvements Scheduled Reports Relative Date Bug fixes and small changes Activeboards Activeboard Manager Scheduled reports Scheduled tasks Devo Platform Data Search Alerts  New Features Devo ExchangeMultitenant Content ManagerThis new vertical app, designed for MSSPs and resellers to administer Devo Exchange content for their tenant domains, allows domain administrations to manage what OOTB Alerts, Activeboards and applications that are available to your tenant domains. You do this by creating and customizing content plans that you then assign to your tenant domains. This allows you to have full flexibility in catering to your diverse client needs with a clean user experience for both the client and the administrator.  Learn more about it in our Documentation.AlertsNew Rules tab in Alerts homepageA new tab called “Rules” is introduced to the Alerts page to allow you to view, activate, deactivate and fine tune your alerts rules directly from the Alert page.  This improves the workflow of Alert management by placing the Alert Rules in the same page as the Alerts triggered.The Rules tab includes the following new actions:Bulk Actions - Activate, deactivate or delete multiple rules at once. New Columns - Includes source table and priority columns for increased clarity. New Filter section - Filter by status, priority, owner, sources, delivery policy, type, category and subcategory.You can also create Each type alerts from this section.  Other alert types are still constructed from Data Search for now.Learn more in our Documentation View Raw event dataTwo new actions have been added to triggered alerts to help you view the source data that caused the alert to trigger.  DownloadThe Download quick action will download a CSV file containing the events that triggered the alert.Raw EventsThe Raw Event option from the Elipsis menu allows you to view the raw events associated with the alerts in the same page or a new tab.Learn more in our Documentation. “Go to query” renamed “Source query”This change was added to improve clarity. ImprovementsScheduled ReportsRelative DateWe’ve improved Scheduled Reports to use the same Relative Date functionality available across Devo Platform features. Bug fixes and small changesActiveboards The “Relative to“ option was not shown in the widget calendar. Now it is. The “Relative to“ option was not shown in the widget calendar. Now it is. The table widget broke when a query including a sparkline and custom range operations was used. The error has since been fixed. The calendar permitted the entry of incorrect dates, which led to widget errors. These invalid dates are now detected. The error within the ‘_getEdgesPoints’ function has been resolved. Calendar chart didn’t show start/end empty spaces. Now it does.  Activeboard Manager Previously, within the Activeboard Manager, users had to select all tags of a row for that row to appear. Now, all activeboards containing the selected tags are displayed. In the Activeboard Manager, closing the manager without using the cross icon would reset the row colors. Now, reopening the AB Manager restores the row colors to their default. Previously, the Activeboard Manager would refresh the user interface when activeboards were modified. Now, the “Created by” filter functions correctly based on the user and the action performed.  Scheduled reports In Scheduled Reports, the “Save” and “Edit” buttons on the interface used to stay active even when errors occurred. This issue has now been resolved. From Scheduled Reports, the “At” dropdown was displayed incompletely. This has been fixed. In Scheduled Reports, the “Export to PDF” button was incorrectly enabled even when the activeboard was empty. It is now disabled under such circumstances. Previously, in Scheduled Reports, clicking the “on” input while 'repeat monthly' was selected would cause the page to break. Now, the input options are displayed correctly, and no errors occur.  Scheduled tasks From Scheduled Tasks, a flickering effect appeared in the table width. Now, this has been fixed. Previously, Scheduled Tasks would briefly show an empty list while loading. Now, a loading status is displayed during this time. The email input design and content differed between the Scheduled Tasks and Scheduled Reports sections. This design has now been unified.  Devo Platform Previously, in the audit logs, the object_name column did not display the token name. This has been corrected. On the Tokens page, it was not possible for users to edit and save the Credentials Token. A “Save” button now enables this functionality. In Notifications, the Relays notification message was displayed with incorrect formatting. This issue has been resolved. From Roles, the tooltips text related to Token permissions have been updated. From Roles, the tooltips text related to Finder permissions have been updated. From Tokens, the 'Target table' selector has been translated. Data Search From Data Search, a partial data message appears in the notifications. Now the complete message appears. Within Data Search, the 'Too many points in the graph' dialog message had untranslated button text. This has now been corrected. From Data Search, the “Download all data” button was not working. Now it does. Previously, Data Search would display a persistent “Getting” message when no events were available in the table. Now, an “Empty table” indication is shown instead. Alerts Users can now open “Go to query” for alerts with subqueries. The __devo_when__ field has been introduced to alert extra. This new field replicates the “when” value from the triggered alerts table, allowing users to utilize it within post-filters. Users without alert configuration permissions couldn't filter triggered alerts by name. Now they can. Entity attributes were not displayed correctly when duplicates were present. Now they display correctly. An issue has been resolved where opening the “Edit alert” dialog and then clicking Edit in the search window without any modifications would incorrectly trigger the confirmation dialog. Calendar allowed incorrect dates and displayed widget errors. These invalid dates are now corrected. An error in function ‘_getEdgesPoints’ is fixed. The calendar chart didn’t show start/end empty spaces. Now it does.  

The latest release of the Devo Platform is here! Release 8.15.3 brings a collection of improvements to the Alerts page and bug fixes.  Starting with the addition of MITRE Tactics and Techniques added to all Alert Definitions.  Add single or multi-technique tags to alerts and filter by them in the triggered alerts view. We have also added available Entity Attributes in Alert creation. Opening an Alert in the Query Editor has been improved to use available Extra Data, particularly useful for our MSSP’s as they can edit alerts with the appropriate client information in extra data. Read on to learn more!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Listen to this Product Update in our new ProdCasts audio format!  Table of ContentsNew Features Add MITRE Tactics and Techniques to Alert Definitions Search for MITRE Tactics and Techniques in Triggered Alerts Updated Features Entity Attributes in Alert Creation, Edit, and Clone forms Alert Extra Data is added as filtering when “Go to Query” is called Enhanced Alert Auditing with Post filtering information Improved Column Visibility control Improved Extra Data Visibility   New FeaturesAdd MITRE Tactics and Techniques to Alert DefinitionsUsers can now add MITRE Tactics, Techniques and Sub-Techniques in Alert Definitions. You can add multiple Techniques under each Tactic. Search for MITRE Tactics and Techniques in Triggered AlertsSupporting the addition of MITRE Tactics and Techniques, these new search filters allows you to find specific alerts by these new attributes. Updated FeaturesEntity Attributes in Alert Creation, Edit, and Clone formsWe have added a new section to inform users about the available entity attributes based on the data source table and query in their alerts. Attribures highlited in blue will appear in triggered alerts, while those in gray are availabe in the table but not currently part of the alert definition.Learn more in our Documentation. Alert Extra Data is added as filtering when “Go to Query” is calledWhen information is available in the Extra Data of an alert, it is used to filter the data when it is opened in the query editor.  This is particularly useful for MSSP Alerts, as you can the client information Extra Data and open the query with the correct filtering every time. Enhanced Alert Auditing with Post filtering information We’ve enhanced the devo.audit.alert.triggered table by adding information about post-filters. Users can now see if a post-filter was applied to a triggered alert.  We are also recording events for triggered alerts that have been deleted via post-filter. Improved Column Visibility controlQuickly hide columns by right clicking on any column header to reveal the Hide Column command.  You can manage visibility of columns on the Ellipse menu at the right end of the table. Improved Extra Data VisibilityWe’ve added color formatting to extra data for enhanced readability. View our full release notes in our Documentation.    

Devo Documentation is a live repository of information, how-to’s, troubleshooting guides, and installation instructions for every part of Devo solutions. It is a large repository of information with many moving parts and authors and it gets updated daily. These articles will help highlight some of the key updates that provide the most impact or improvements to your existing workflow. The highlight of these updates is rebuilt documentation for a variety of SQS collectors and JSON pages. If you have any questions or suggestions for our documentation team, post them in the comments below! Table of ContentsSite Wide Improvements Send to Devo Individual Page updates Authorize SQS Data Access CloudTrail Audit Logs Collector CloudFront SQS Collector GuardDuty Threat SQS Collector WAF ACL Firewall Access SQS Collector JSON Troubleshooting  Site Wide ImprovementsSend to DevoThe Send to Devo instructions have been reviewed and updated where appropriate for the vast majority of authentication, firewall, and CEF0 parser pages.  These are important changes to highlight as they cover most of our high ingestion tables and frequently queried tables. Individual Page updatesAuthorize SQS Data AccessSQS is Devo’s most popular collector but have you ever been confused about how to authorize a collector to use SQS? This update is for you! We have created new instructions for this complex process that sure to make it an easier and straight forward task. CloudTrail Audit Logs CollectorWe have created new step-by-step instructions on how to ingest this must-have Collector for anyone using AWS.  In the event your AWS account is compromised, this data will tell you what actions the attacker was able to take in your environment. CloudFront SQS CollectorDid you or your customer purchase content delivery services from Amazon? You can monitor network requests using this new step-by-step guide to this critical collector. GuardDuty Threat SQS CollectorAmazon-provided Threat intelligence service, GuardDuty, is a must-have for any customers who use Amazon services. Make use of threats identified by Amazon to stop attacks in your systems. WAF ACL Firewall Access SQS CollectorInstructions have been rewritten for ease of use and clarity, making it much simpler to send data from AWS to Devo. JSON TroubleshootingWe have recreated this page to provide clearer troubleshooting instructions for JSON arguments along with improvement delivered in the Devo Platform Release 8.15.0. And more!  Visit your favorite Devo Doc’s pages!

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Parsers cloud.azure Change Log box.win_nxlog Change Log box.win_snare Change Log firewall.sophos Change Log firewall.cisco Change Log box.all.win Change Log firewall.fortinet Change Log Iam.pingdentity Change Log cef0.checkpoint Change Log  Updated Parserscloud.azureLink to DocumentationChange Log New fields added to the union for cloud.zure.ad.audit  box.win_nxlogLink to DocumentationChange Log Added new fields for box.win_nxlog*  box.win_snareLink to DocumentationChange Log Added new table for box.win_snare.fim Added new fields and refactored powershell logs for box.win_snare* Parser adapted to variable number of spaces between keys and values Two new event types parsed New log source added Sysmon  firewall.sophosLink to DocumentationChange Log Made timestamp a string so timezone is preserved for firewall.sophos.securenet.packetfilter  firewall.ciscoLink to DocumentationChange Log Added new types for firewall.cisco.ftd  box.all.winLink to DocumentationChange Log Added new fields for box.all.win  firewall.fortinetLink to DocumentationChange Log Added missing fields from tables: firewall.fortinet.event firewall.fortinet.event.connector firewall.fortinet.event.dhcp  Iam.pingdentityDocumentation in ProgressChange Log Added new table for iam.pingidentity.pingaccess.server  cef0.checkpointLink to DocumentationChange Log Added a new fields for:  cef0.checkPoint.unknown cef0.checkPoint.connectra        

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Collectors Netskope API V2 v2.0.1 Change Log Microsoft Graph v3.1.0 Change Log AWS SQS v1.7.4 Change Log ServiceNow v2.0.0 Change Log Google Cloud Platform v2.1.0 Change Log IBM Cloud Activity Tracker v2.0.0 Change Log Alibaba Cloud v1.2.0 Change Log AWS v1.12.0 Change Log Menlo Security v1.3.0 Change Log  Updated CollectorsNetskope API V2 v2.0.1Link to DocumentationChange Log Improvements  Refactored collector , check migration guide  Updated the DCSDK from 1.11.1 to 1.13.1 Bugs Fixed Duplication and Delay issue. Fixed 409 Error by adding wait time.  Microsoft Graph v3.1.0Link to DocumentationChange Log Improvements  Alerts categorisation for alerts_v2 service (this change can break compatibility with previous versions) New optional flattening for alerts_v2 service, new separate table for "evidences" Automatic recovery from error 400 "Invalid Skiptoken" returned from Graph API Updated DCSDK from 1.13.1 to 1.14.0  AWS SQS v1.7.4Link to DocumentationChange Log Bugs Fixed bug with log operations Made decorators to be optional. To enable set debug to true.  ServiceNow v2.0.0Link to DocumentationChange Log Improvements  Migrated API to v2 version Implemented OAUTH.  Google Cloud Platform v2.1.0Link to DocumentationChange LogImprovements New Features  Complete Refactor: The collector has been completely redesigned to provide a more flexible and powerful solution for ingesting data from Google Cloud Pub/Sub. Support for Multiple Data Sources: The collector now supports generic ingestion from Pub/Sub, allowing seamless data collection from any GCP service, including Logging and Security Command Center Findings. New Service: Netskope Web Transactions: Added support for Netskope Web Transactions, enabling seamless data ingestion from Pub/Sub Lite. Streaming Data Collection: The collector now works in streaming mode, significantly reducing latency and improving efficiency. Optimized Performance: The entire codebase has been optimized, reducing memory usage and increasing stability in high-load environments. Enhanced Auto-Categorization: Improved the event auto-categorization mechanism to ensure accurate and efficient tagging. Refactored Codebase: The internal architecture has been restructured, improving maintainability, scalability, and overall performance. Better Error Handling & Logging: Improved error handling mechanisms and log traceability to facilitate troubleshooting. Deployed with DCSDK v1.14.0: Ensuring compatibility with the latest SDK enhancements.  IBM Cloud Activity Tracker v2.0.0Link to DocumentationChange Log Improvements  Migrated the collector to get data from IBM Cloud Activity Tracker to IBM Cloud Logs (Kafka - event streaming). Added unit tests and user guide. Updated DCSDK base Docker image to 1.4.0. Updated DCSDK from 1.10.0 to 1.14.0  Alibaba Cloud v1.2.0Link to DocumentationChange Log Improvements  Updated the DCSDK from 1.7.2 to 1.14.0. Bugs Fixed unexpected PullError in actiontrail log service for missing eventVersion New Features Fixed Added new services for access logs, db logs, internal audit service logs  AWS v1.12.0Link to DocumentationChange Log Improvements  Updated DCSDK from 1.13.1 to 1.14.0 Fixed the bug related to delay in ingestion for Guard Duty  Menlo Security v1.3.0Link to DocumentationChange Log Improvements  Upgraded the DCSDK from 1.13.1 to 1.14.0 Fixed the persistence logic.    

 The latest release of the Devo Platform is here! Release 8.15.0 brings enhancements to Activeboards, Data Search, and Query API.  Activeboards UI has been upgraded, providing a variety of benefits including enhanced UI performance, a new Activeboard Manager and time range controls in Widget queries.  Data Search has improved the Field Viewer's ability to handle tens of thousands of rows, making it very snappy, as well as bringing JSON parsing, Agnostic Geolocation operators and casting maps to JSON directly within Data Search.  Lastly, the Query API has new calls for relative time-ranges, new output format: AVRO and Public Swagger Docs.  Let’s dive in!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Features Activeboards New UI for Activeboard Manager Updated UI benefiting Date selector and UI performance New Time-Range selector Time Range for Queries in Widgets Data Search Rebuilt Field Viewer JSON operation available in Data Search Simplified JSON Parsing Agnostic Geolocation operations Query API New output format AVRO Relative time-range Public Swagger documentation  New FeaturesActiveboardsNew UI for Activeboard ManagerImprovements to Filtering, UI speed and Information-at-a-Glance.New Activeboard manager streamlines AB information by adding the Activeboard description as a tool tip when you hover over the name.  We have also added more filters for each column and a general filter for searching the entire available catalog.   UI has also been updated for Favorite, Shared and Scheduled indicators. Updated UI benefiting Date selector and UI performanceWe have updated the underlying UI engine used on the Activeboards page. This has allowed us to provide additional UI performance benefits and:New Time-Range selectorCompletely manipulate the start and end times as fast as you can scroll your mouse wheel!Time Range for Queries in WidgetsYou can now include the time range selected in the activeboard in your widget queries!  Use the DATARANGE_FROM and DATARANGE_TO parameters when you edit your Widget Query source! Data SearchRebuilt Field ViewerFast loading and snappy response from the Field viewer even when loading 30,000+ rows of data! JSON operation available in Data SearchYou can now use the json() operator in Data Search!  Here is an example:Example from siem.logtrust.web.activity select (“name”:”john”,”age”:30,”country”:”US”) as map1 select json(map1) as json  To learn more about JSON and its capabilities visit this Doc page. Simplified JSON ParsingThis exciting update simplifies the operation to parse or extract JSON fields.Old Operation New Operation select jqeval(jqcompile(“.p”), json) select json[“p”]  Example from siem.logtrust.web.activity select jsonparse(“{\”p\”: [1, 2, 3]}”) as json select jqeval(jqcompile(“.p”), json) //current way to extract “p” select json[“p”] as retrieve_by_param_name //new way to extract “p” select at(json, “p”) as retrieve_with_at //another new way to extract “p”  To learn more about JSON Parse, visit this Doc Page. Agnostic Geolocation operationsTo provide a solution for geolocation operations that get updated over time (mm->mm2->mm?), we have developed agnostic Geolocation operations to future-proof your code and continue to receive the benefits of future updates. Example (Old) Example (New) mm2country countrycode The full list of new agnostic operations is available here in our Docs.Update and future-proof your queries! Query APINew output format AVROApache AVRO is an open-source, row-based data serialization format commonly used for big data sets and is now available through the Query API.Note: Exclusively for the Query API, not currently available in Data Search.Relative time-rangeAPI now supports relative time-range calls! Here are a few examples of what you can do with these new calls:Time Expression Description Resulting Time now() - 60m 60 minutes ago Sunday, 05 February 2017, 12:37:05 now() @ 1h Now (rounded to the beginning of the hour) Sunday, 05 February 2017, 13:00:00 now() - 24h 24 hours ago Saturday, 04 February 2017, 13:37:05 (now() - 1d) @ 1d Yesterday (rounded to the beginning of the day) Saturday, 04 February 2017, 00:00:00 (now() - 2d) @ 1d 2 days ago (rounded to the beginning of the day) Friday, 03 February 2017, 00:00:00 (now() - 2d) @ 1m 2 days ago (rounded to the beginning of the minute) Friday, 03 February 2017, 13:37:00 Learn more about these new calls in our Doc page here. Public Swagger documentationIntroducing Swagger Docs for the Query API available here.

The latest release of the Devo Platform is here! Release 8.14.22 brings enhancements to Lookup Management, Role Management Credentials Tab, and Landing Page preferences. Starting with Lookup Management, we have enhanced the interface to include a new column “History” that reflects the stats of the API setting “keepHistory”. Along with this change, we have updated the available types. We have also cleaned up Role Management permissions and improved column consistency in the Credentials Tab. Next up is the Landing Page, you can select your preferred landing page from the newly alphabetized drop-down!  Learn more below!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released   Table of ContentsNew Features Lookup Management page Alignment with API New History Column New Type names Updated Features Role Management->Security->Permission unification Credentials Token tab consistency change Added Credentials API to Token creation Landing Page preference Sort order Bug Fixes New FeaturesLookup Management page Alignment with APITwo changes to the Lookup Management page to bring all the features in alignment with that is available through the Lookup Management API.  New History ColumnThis is a Boolean value reflecting the API parameter KeepHistory which allows you to store all historic data, enabling historic search.New Type namesTo align with this new change the Type field names have been updated.Old Type New Type History Column Value Dynamic query Periodic query No (False) Historic dynamic query  Periodic query Yes (True) Static query Static query No (False) Historic static query Static query Yes (True) Upload CSV data No (False)  Updated FeaturesRole Management->Security->Permission unificationRole management permission for API Key has been updated to API Credentials and controls the user’s ability to view, create and delete API key as well as use of the Credentials API. Credentials Token tab consistency changeFor different base languages the Token tab had different names. for consistency this tab is now called “Token” for all languages. Added Credentials API to Token creationYou can now set the Type of token to a new type “Credentials API”.  These tokens do not require permissions on tables. Landing Page preference Sort orderNow you can chose your landing page from an alphabetically sorted list! Bug FixesRole Mapping no longer allows group names to start with a white space. A user deactivated in all domains cannot log in with SAML

The latest release of the Devo Platform is here! Release 8.14.21 brings a powerful new tools set with the Token Management API. With this new API, you can manage, creat,e and edit account credential tokens directly through API calls. This lets you manage access to your environment with API calls, allowing automation and bulk actions to accelerate your reaction time.  A great new tool particularly for our MSSP and partner clients to manage their customer environments. To learn more about what API’s are available you can visit this page in our Documentation. Read on to learn more about the Token Management API! Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Feature Token Management API  New FeatureToken Management APIThis new set of API calls will allow you to manage account credential tokens completely and in bulk! The token Management API can be used to:Create Tokens Retrieve Tokens Rename Tokens Enable / Disable Tokens Delete TokensThis new API is a great tool, particularly for our MSSP clients and partners! Learn more in our Documentation. Please Note the Token Management API was renamed the Credentials API at release. 

Devo ThreatLink, an integral part of Case Management, automates alert triage, reducing the analyst workload from thousands of alerts to tens of daily cases. This streamlined process allows security teams to focus on the most critical incidents, significantly improving efficiency and reducing alert fatigue. Release 1.4 brings with it new playbooks, updated error handling and updates to the case template and Audit logging.  If you want to learn more about Threat Link, view this article. The benefits of Threatlink need to be seen, if would like to see a demonstration, speak with your Devo Representative! Table of ContentsNew Features and Updates New Playbook available Upgrade for Fetch Alerts Updates to ThreatLink Case Template fields Updated SOAR Audit Logging Updated ThreatLink Dashboard: Past 7 Days  New Features and UpdatesNew Playbook availableIntroducing the “Close Linked SIEM Alerts on Case Closure”.  This playbook will run ever [customer defined] minutes to “close” alerts in the SIEM once a case is closed.RequirementsThreatlink 1.4 or greater Updated case setting templateUpgrade for Fetch AlertsFetch Alerts now uses FetchAlertsV2 Integration. Updates to ThreatLink Case Template fieldsWe’ve added a new field called “siem_alerts_closed”. This field needs to be added to the system tab in the case template.  We have also added a new field called “resolution_notes”. This needs to be added to the workflow section in the case template. Updated SOAR Audit LoggingWe’ve updated SOAR Audit Logging to version 1.7, the main changes in this update are:Added comments to the output Added case title to the outputUpdated ThreatLink Dashboard: Past 7 DaysThe Past 7 Days dashboard has been upgraded to v1.1.0 

The latest release of the Devo Platform is here! Release 8.14.19 brings a collection of API and Alert improvements. Starting with new functionality allowing you to manage your Anti-Flooding policy through API calls with the new Anti-Flooding API. Next, we have added new entity attributes through a new column where available. We also added a new filter corresponding to the entity attributes and a new source table column to help you identify the source tables without needing to dive deeper into the alert. Along with a collection of bug fixes and visual improvements, this release is sure to enhance your Alert workflow! Read on to view details! Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released   Table of ContentsNew features Anti-Flooding API Entity Attributes New Filter added for entity attributes​​​​​​​ New source table columns Improvements Update to Alert Priority statuses   New featuresAnti-Flooding APIUsers can now create and manage anti-flooding policy through API calls. Entity AttributesAdded a new column and filter to view and search the entity attributes associated with alerts. Note that not all alerts will have entity attributes depending on the table the alert was created from and the query used.New Filter added for entity attributes​​​​​​​New filter criteria was added to find specific alerts based on their entity attributes.  This filter appears in Simple search as well as Advance Search. New source table columnsUsers can now see which table an alert was triggered from directly in the triggered alerts table, without needing to navigate to the alert details, query or view definition  ImprovementsUpdate to Alert Priority statusesUpdated colors and names to improve clarity. See the full release notes in our documentation. 

Devo Exchange is happy to announce the availability of a new activeboard called Threat Hunting by DNS. The activeboard allows you to identify and investigate potential threats by analyzing patterns in DNS (Domain Name System) queries and responses. This activeboard not only aids in uncovering advanced threats but also provides actionable insights to improve your organization's overall security posture. Some great use cases for this new Activeboard include Traffic Optimization in IT Operations.  in Security, you can use it for Anomaly Detection and Risk Assessment!  Learn more below!  Threat Hunting by DNS Direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Required Data Sourcesnetwork.dnsSecurity Multidomain Lookups:UmbrellaTop1M mispIndicator CollectiveDefense DynamicDNSUse Cases IT Operations   Traffic Optimization: Monitor DNS traffic trends to identify and optimize traffic flow within the network. Resource Utilization: Track top queried domains and geolocation data to ensure efficient resource allocation and load balancing. Troubleshooting: Diagnose issues such as DNS misconfigurations, service outages, or latency problems. Security Operations   Anomaly Detection: Identify unusual behaviors such as DNS tunneling or dynamic domain usage that could indicate malicious activities. Threat Intelligence Correlation: Detect known malicious domains and integrate them with external threat feeds for proactive defense. Risk Assessment: Generate risk scores based on DNS query characteristics, such as domain length, entropy, and patterns. Incident Response: Use investigation tools and DNS data correlations to facilitate faster and more accurate incident investigations. Learn more in our Docs

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsNew Parsers itam.netwrix Updated Parsers cloud.aws Change log box.win_nxlog Change Log mail.postfix Change log ftp.crushftp Change log firewall.paloalto Change log edr.crowdstrike Change log endpoint.symantec Change log cef0.infoblox Change log ips.all.alerts Change log endpoint.bitdefender Change log  New Parsersitam.netwrixDocumentation in progress Updated Parserscloud.awsLink to DocumentationChange logSupport for JSON in cloud.aws.vpc.flow box.win_nxlogLink to DocumentationChange LogAdded parser for box.win_nxlog.ntlm mail.postfixLink to DocumentationChange logAdded new fields ftp.crushftpLink to DocumentationChange logAdded new fields for ftp.crushftp.event firewall.paloaltoLink to DocumentationChange logAdded a new field to firewall.paloalto.* edr.crowdstrikeLink to DocumentationChange logAdded new fields for edr.crowdstrike.cannon endpoint.symantecLink to DocumentationChange logAdded new parser for endpoint.symantec.sepm.system cef0.infobloxLink to DocumentationChange logAdded new fields for cef0infoblox.dataConnector ips.all.alertsLink to DocumentationChange logAdded a new field endpoint.bitdefenderLink to DocumentationChange logModified fields for endpoint.bitdefender.agent.edr_alert   

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsNew Collector Tencent Cloud v1.0.0 Updated Collectors VMWare Carbon Black v1.5.0 Change Log ServiceNow v1.6.0 Change Log Cortex XDR v2.0.3 Change Log Trend Micro Vision One v1.3.0 Change Log CyberArk EPM v1.2.0 Change Log   New CollectorTencent Cloud v1.0.0Link to Documentation  Updated CollectorsVMWare Carbon Black v1.5.0Link to DocumentationChange Log Improvements  Refactored collector to the latest DCSDK 1.13.1.  Refactored code for the livequery, alerts and audit service in accordance with template1 Eliminated the use of while loops in the pull logic Added Unit Tests for the livequery, alerts and audit services Bugs Fixed the 400 API error received when collector was invoking the carbon black live query API ServiceNow v1.6.0Link to DocumentationChange Log Improvements  Updated SDK to the latest version, 1.13.1.  Remove vulnerabilities in libexpat1, expat Cortex XDR v2.0.3Link to DocumentationChange Log Improvements  Refactored the puller logic to enhance code readability and optimize performance. Introduce a new base puller to centralize shared functionality. Expanded unit tests with additional scenarios to improve coverage and reliability. Added validations for start_time, ensuring it is not set to a future date, preventing configuration errors. Bugs Fixed an issue where puller variables were not resetting after encountering an error, which caused the collector to freeze and stop gathering data. Trend Micro Vision One v1.3.0Link to DocumentationChange Log New Features  New endpoints for risk insights: discovered_device vulnerable_device account_compromise_indicator risk_event_definition device_risk_profile user_risk_profile  CyberArk EPM v1.2.0Link to DocumentationChange Log Improvements  Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performance Bug fixing Fixed the services names in example params.

Devo Exchange is happy to announce the availability of a new activeboard called Alert Triage Metrics. The activeboard provides an overview of security alerts, focusing on detection, response, and resolution performance. It includes metrics on alert actions, severity, accuracy, and insights into adversarial techniques mapped to the MITRE ATT&CK framework. This new activeboard is the first in a series of new metric visualizations coming in the new year. Be sure to check it out and let us know what you think, what you would like to see next and any improvements you can think off!  Happy Holidays and Happy new year to all! Alert Triage Alert Metrics Alert Triage Metrics direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Let us know what you think!

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!   Table of ContentsNew Parsers ndr.darktrace Change log box.cisco Change log box.all.unix Change Log Update Parsers firewall.fortinet Change log proxy.zscaler Change log network.meraki Change log crm.salesforce Change log ddi.infoblox Change log vpn.soft_ether Change log endpoint.symantec Change log firewall.watchguard Change log firewall.paloalto Change log  New Parsersndr.darktraceDocumentation in ProgressChange logSupport for Darktrace NDRbox.ciscoDocumentation in ProgressChange logSupport for Cisco UCS manager box.all.unixDocumentation in ProgressChange LogNew union table to gather together any event coming from a linux system no matter how they aregathered.  Update Parsersfirewall.fortinetLink to DocumentationChange logNew table firewall.fortinet.utm.wafproxy.zscalerLink to DocumentationChange logAdded new field cdfqdn to table proxy.zscaler.zia.firewallnetwork.merakiLink to DocumentationChange logAdded more log types to network.meraki.eventscrm.salesforceLink to DocumentationChange logNew tables added (JSON format)  DCDM partially implemented ddi.infobloxLink to DocumentationChange logAdded new table ddi.infoblox.nios.lease_eventsvpn.soft_etherLink to DocumentationChange logAdded support for more events including more fields to the parserendpoint.symantecLink to DocumentationChange logNew table endpoint.symantec.sepm.systemfirewall.watchguardLink to DocumentationChange logNew table firewall.watchguard.event firewall.paloaltoLink to DocumentationChange logAdded JSON support to the parsers

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!  Table of ContentsUpdated Collectors Menlo Security v1.2.0 Improvements  Bugs Microsoft Defender Cloud Apps v1.4.0 Improvements Bugs Sendmarc v1.0.1 Bugs Cyberark Identity v1.2.0 Improvements  Bugs Trend Micro Deep Security v1.4.0 Improvements  Cortex XDR v2.0.2 Improvements  Bugs Cohesity v1.2.0 Improvements  Lark v1.3.0 New Features Improvements  Trend Micro Vision One v1.3.0 Improvements  Bug fixing Tenable IO v2.0.0 Improvements  Bug fixing Darktrace v1.1.0 Improvements  Gsuite Workspace Alerts v1.9.0 Improvements  Bug fixing Duo v2.1.0 Improvements  Security  Spycloud v1.2.0 Improvements  Security  MS Graph v2.1.0 Improvements  Security   Updated CollectorsMenlo Security v1.2.0Documentation in progress.Improvements Refactored collector to the latest DCSDK 1.13.1.  Increase the quality of the collector adding more unit testsBugsFixed an issue related to missing logs for audit and smtp service.Microsoft Defender Cloud Apps v1.4.0Link to DocumentationImprovementsUpdated SDK to the latest version, 1.13.1.  Several improvements on stabilityBugsFixed an issue related to files service not workingSendmarc v1.0.1Link to DocumentationBugsInput error due to missing inputs example params.Cyberark Identity v1.2.0Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Increase the quality of the collector by adding more unit tests.BugsFixed the user config and schemas to allow overrides.Trend Micro Deep Security v1.4.0Documentation in progressImprovements Updated SDK to the latest version, 1.13.1.  Increase the quality of the collector adding more unit tests Several improvements on stabilityCortex XDR v2.0.2Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Increase the quality of the collector adding more unit testsBugsFixed the behavior when stopping the collector.Cohesity v1.2.0Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Several improvements on stability Lark v1.3.0Link to DocumentationNew FeaturesAdded two new services Aud Admin logs DLP Executive logsImprovements Updated SDK to the latest version, 1.13.1.  Several improvements on stability Trend Micro Vision One v1.3.0Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Several improvements on stabilityBug fixingAdded parameter fetch_gap_seconds to better control the delay on the source Tenable IO v2.0.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceBug fixingFixed issues related to memory usage causing the collector to stopDarktrace v1.1.0Link to Documentation Improvements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performance Gsuite Workspace Alerts v1.9.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability and performance Increase the quality of the collector adding more unit testsBug fixingFixed the ingestion stoppage issue.  Fixed the user config. Duo v2.1.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceSecurity Removed some vulnerabilities Spycloud v1.2.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceSecurity Removed some vulnerabilitiesMS Graph v2.1.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceSecurity Removed some vulnerabilities

The latest release of the Devo Platform is here! Release 8.14.12 brings with it a key improvement to Activeboards. We have created a diagnostic tool that informs you when your Activeboard performance can be optimized! As you launch your Activeboards, will you notice a new bell icon presented inline with each widget, if it has notifications pending, then it has detected ways for you to optimize that widget and get the best performance for your Activeboard! Currently, this new tool has diagnostic outputs for 4 suggestions with more coming in the next updates!  Review your Activeboards and optimize like a pro!  Learn more below!  Geo AvailabilityRegion Status GovCloud Released CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Feature Automatic Optimization Suggestions per widget  New FeatureAutomatic Optimization Suggestions per widgetActiveboards do the hard lifting in visualizing data and sometimes it’s not easy to understand what can be done to tune your widgets so they perform optimally.  This release adds self-diagnostics that output suggestions to an inline notification bell per widget.  this first release comes with the following rules:Unused Columns Unnecessary Time Grouping Duplicate Columns Add Aggregation Task (used to be the rocket icon, now part of this system)More rules will be added in the coming releases.