Product Updates

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Parsers auth.all edr.all.threats Cloud.azure ftp.crushftp Seg.checkpoint DDOS.arbor  Updated Parsersauth.allLink to DocumentationChange Log Added New fields for: cloud.azure.ad.signin New mapping added for: box.win_snare  edr.all.threatsLink to DocumentationChange Log Added New tables: cloud.sophos.central.alerts Cloud.sophos.central.events Edr.crowdstrike.falconstreaming.detection_summary edr.microsoft_defender.endpoint.alerts Updated table: edr.crowdstrike.falconstreaming.epp_detection_summary  Cloud.azureLink to DocumentationChange Log Added New tables for Advanced Hunting sent by Azure: cloud.azure.ah.alert_evidence cloud.azure.ah.alert_info cloud.azure.ah.cloud_app_event cloud.azure.ah.device_event cloud.azure.ah.device_file_certificate cloud.azure.ah.device_file_event cloud.azure.ah.device_image_load_event cloud.azure.ah.device_info cloud.azure.ah.device_logon_event cloud.azure.ah.device_network_event cloud.azure.ah.device_network_info cloud.azure.ah.device_process_event cloud.azure.ah.device_registry_event cloud.azure.ah.device_identity_logon_event cloud.azure.ah.mail_atteachment_info cloud.azure.ah.mail_event cloud.azure.ah.mail_post_delivery_event cloud.azure.ah.mail_url_info cloud.azure.ah.url_click_event ftp.crushftpLink to DocumentationChange Log Fixed parsing issues for: ftp.crushftp.event  Seg.checkpointLink to DocumentationChange Log Fixed parsing issues for: seg.checkpoint.harmony.event DDOS.arborLink to DocumentationChange Log Fixed parsing issues and added support for legacy messages for: ddos.arbor.pravail.aps

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsNew Collectors Spidersilk Collector v1.0.0 Updated Collectors IBM Cloud logs v2.0.1 (previously IBM Cloud Activity Tracker) Microsoft Graph Collector v3.0.0 Google Cloud Platform Collector v2.2.0 Cyble Vision Collector v1.1.0 Tencent Collector v1.1.0 Zscaler Collector v2.0.0 Alibaba Cloud Collector v1.3.0 Microsoft Azure Collector v2.5.0 Menlo Collector v1.4.0 Salesforce Collector v3.1.0 Microsoft Defender ATP Endpoint v2.0.0 Proofpoint TAP v3.2.0 Microsoft Graph v3.2.0 Alibaba Collector v1.3.1 Salesforce Collector v3.2.0 Zscaler Collector v2.0.1  New CollectorsSpidersilk Collector v1.0.0Link to DocumentationChange LogA new collector for Spidersilk has been introduced, designed around a snapshot-based data retrieval approach. This collector enables targeted gathering and analysis of information from several key services: Threats: Delivers periodic snapshots to help you monitor and address potential security issues.  Assets: Provides scheduled snapshots of your assets, supporting continuous asset tracking and visibility. Darkweb: Supplies consolidated snapshots of dark web activity relevant to your organization, aiding proactive risk awareness. DCSDK version: 1.14.0  Updated CollectorsIBM Cloud logs v2.0.1 (previously IBM Cloud Activity Tracker)Link to DocumentationChange Log Changed the name of the collector to `IBM CLoud Logs` Updated the migration_guide accordingly.  Microsoft Graph Collector v3.0.0Link to DocumentationChange Log Updated DCSDK solves bug INT-3340 Updated DCSDK from 1.13.1 to 1.14.0  Google Cloud Platform Collector v2.2.0Link to DocumentationChange Log Added a logging filter to handle `ValueError` related to closed RPC channels. This error occurs when an RPC call is attempted on a closed connection, usually due to normal service shutdowns or transient network issues. Since these cases do not indicate a critical failure, the error is now logged as a warning instead of raising an exception. DCSDK version: 1.14.0  Cyble Vision Collector v1.1.0Link to DocumentationChange Log Updated DevoCollectorSDK version from 1.9.2 to 1.15.0 Upgrade Docker image base to version v1.4.1 in Dockerfile  Tencent Collector v1.1.0Link to DocumentationChange Log Upgraded DCSDK from 1.13.1 to 1.15.0. Upgraded Dockerfile base image to 1.4.1. Created a separate table for cloudaudit logs.  Zscaler Collector v2.0.0Link to DocumentationChange Log  Refactor code and upgraded DCSDK to 1.15.0  Upgraded docker base image to 1.4.0  Sending data to new table `sse.zscaler.zia.audit`  Alibaba Cloud Collector v1.3.0Link to DocumentationChange Log Updated DCSDK from 1.14.0 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1 Added new smq service  Microsoft Azure Collector v2.5.0Link to DocumentationChange Log New autocategorization rules for several tables: cloud.azure.ah.alert_info cloud.azure.ah.alert_evidence cloud.azure.sql.securityauditevents cloud.azure.vm.subassessment cloud.azure.virtualnetwork.net_sec_group_event cloud.azure.eh.metrics cloud.azure.firewall.network_rule cloud.azure.firewall.application_rule cloud.azure.firewall.dns_query cloud.azure.storage.storageread cloud.azure.storage.storagewrite cloud.azure.storage.storagedelete cloud.azure.traffic_manager.probe_health_status The timezone of pendulum.now() is explicitly set to UTC now Corrected typo in rules of: cloud.azure.intune.operation Updated SDK from 1.12.2 to 1.15.0:Differentiated error codes for SdkPersistenceServiceError.  Menlo Collector v1.4.0Link to DocumentationChange Log Upgraded the DCSDK from 1.14.0 to 1.15.0. Upgraded dcsdk-docker-base-image to 1.4.1 Fixed the Setup Error issue caused by the start date in the config.  Salesforce Collector v3.1.0Link to DocumentationChange Log Upgraded the DCSDK from 1.13.1 to 1.15.0. Upgraded dcsdk-docker-base-image to 1.4.1. Fixed the custom fields not showing up bug in custom query.  Microsoft Defender ATP Endpoint v2.0.0Link to DocumentationChange Log Added a new endpoint for the service assessments (/SoftwareVulnerabilityChangesByMachine) Changed the name of the assessments service from assessments_beta to assessments Updated Docker image to 1.4.1 Updated DevoCollectorSDK from v1.12.4 to v1.15.0: Added a new endpoint for the service assessments  Proofpoint TAP v3.2.0Link to DocumentationChange Log Refactor code and upgraded DCSDK to 1.15.0 Upgraded docker base image to 1.4.1 Fixed the OOMK bug causing the collector to restart  Microsoft Graph v3.2.0Link to DocumentationChange Log Fixing bug with pendulum and TZ causing re-authentication to fail Updated DCSDK from 1.14.0 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1  Alibaba Collector v1.3.1Link to DocumentationChange Log  Fixed issue with handling byte values in access_log service response  Salesforce Collector v3.2.0Link to DocumentationChange Log Made skip_export user configurable in the custom service query.  Zscaler Collector v2.0.1Link to DocumentationChange Log Fixed the issue for invalid session error.        

The latest release of the Devo Platform is here! Release 8.15.13 brings improvements through many components of the Platform and introduces a new feature! The Multitenant Content Manager for Devo Exchange makes its debut! You can now manage the available Exchange content for your tenant domains using tailored content plans. The Alerts workflow has also been improved by introducing the new Rules tab on the Alerts page. Manage and perform bulk actions from the Alert Page home! Additionally, a wide variety of smaller improvements and bug fixes are introduced with this release. Read on to learn more!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Listen to this Release in Podcast format in the latest Devo ProdCast! Table of ContentsNew Features Devo Exchange Multitenant Content Manager Alerts New Rules tab in Alerts homepage View Raw event data “Go to query” renamed “Source query” Improvements Scheduled Reports Relative Date Bug fixes and small changes Activeboards Activeboard Manager Scheduled reports Scheduled tasks Devo Platform Data Search Alerts  New Features Devo ExchangeMultitenant Content ManagerThis new vertical app, designed for MSSPs and resellers to administer Devo Exchange content for their tenant domains, allows domain administrations to manage what OOTB Alerts, Activeboards and applications that are available to your tenant domains. You do this by creating and customizing content plans that you then assign to your tenant domains. This allows you to have full flexibility in catering to your diverse client needs with a clean user experience for both the client and the administrator.  Learn more about it in our Documentation.AlertsNew Rules tab in Alerts homepageA new tab called “Rules” is introduced to the Alerts page to allow you to view, activate, deactivate and fine tune your alerts rules directly from the Alert page.  This improves the workflow of Alert management by placing the Alert Rules in the same page as the Alerts triggered.The Rules tab includes the following new actions:Bulk Actions - Activate, deactivate or delete multiple rules at once. New Columns - Includes source table and priority columns for increased clarity. New Filter section - Filter by status, priority, owner, sources, delivery policy, type, category and subcategory.You can also create Each type alerts from this section.  Other alert types are still constructed from Data Search for now.Learn more in our Documentation View Raw event dataTwo new actions have been added to triggered alerts to help you view the source data that caused the alert to trigger.  DownloadThe Download quick action will download a CSV file containing the events that triggered the alert.Raw EventsThe Raw Event option from the Elipsis menu allows you to view the raw events associated with the alerts in the same page or a new tab.Learn more in our Documentation. “Go to query” renamed “Source query”This change was added to improve clarity. ImprovementsScheduled ReportsRelative DateWe’ve improved Scheduled Reports to use the same Relative Date functionality available across Devo Platform features. Bug fixes and small changesActiveboards The “Relative to“ option was not shown in the widget calendar. Now it is. The “Relative to“ option was not shown in the widget calendar. Now it is. The table widget broke when a query including a sparkline and custom range operations was used. The error has since been fixed. The calendar permitted the entry of incorrect dates, which led to widget errors. These invalid dates are now detected. The error within the ‘_getEdgesPoints’ function has been resolved. Calendar chart didn’t show start/end empty spaces. Now it does.  Activeboard Manager Previously, within the Activeboard Manager, users had to select all tags of a row for that row to appear. Now, all activeboards containing the selected tags are displayed. In the Activeboard Manager, closing the manager without using the cross icon would reset the row colors. Now, reopening the AB Manager restores the row colors to their default. Previously, the Activeboard Manager would refresh the user interface when activeboards were modified. Now, the “Created by” filter functions correctly based on the user and the action performed.  Scheduled reports In Scheduled Reports, the “Save” and “Edit” buttons on the interface used to stay active even when errors occurred. This issue has now been resolved. From Scheduled Reports, the “At” dropdown was displayed incompletely. This has been fixed. In Scheduled Reports, the “Export to PDF” button was incorrectly enabled even when the activeboard was empty. It is now disabled under such circumstances. Previously, in Scheduled Reports, clicking the “on” input while 'repeat monthly' was selected would cause the page to break. Now, the input options are displayed correctly, and no errors occur.  Scheduled tasks From Scheduled Tasks, a flickering effect appeared in the table width. Now, this has been fixed. Previously, Scheduled Tasks would briefly show an empty list while loading. Now, a loading status is displayed during this time. The email input design and content differed between the Scheduled Tasks and Scheduled Reports sections. This design has now been unified.  Devo Platform Previously, in the audit logs, the object_name column did not display the token name. This has been corrected. On the Tokens page, it was not possible for users to edit and save the Credentials Token. A “Save” button now enables this functionality. In Notifications, the Relays notification message was displayed with incorrect formatting. This issue has been resolved. From Roles, the tooltips text related to Token permissions have been updated. From Roles, the tooltips text related to Finder permissions have been updated. From Tokens, the 'Target table' selector has been translated. Data Search From Data Search, a partial data message appears in the notifications. Now the complete message appears. Within Data Search, the 'Too many points in the graph' dialog message had untranslated button text. This has now been corrected. From Data Search, the “Download all data” button was not working. Now it does. Previously, Data Search would display a persistent “Getting” message when no events were available in the table. Now, an “Empty table” indication is shown instead. Alerts Users can now open “Go to query” for alerts with subqueries. The __devo_when__ field has been introduced to alert extra. This new field replicates the “when” value from the triggered alerts table, allowing users to utilize it within post-filters. Users without alert configuration permissions couldn't filter triggered alerts by name. Now they can. Entity attributes were not displayed correctly when duplicates were present. Now they display correctly. An issue has been resolved where opening the “Edit alert” dialog and then clicking Edit in the search window without any modifications would incorrectly trigger the confirmation dialog. Calendar allowed incorrect dates and displayed widget errors. These invalid dates are now corrected. An error in function ‘_getEdgesPoints’ is fixed. The calendar chart didn’t show start/end empty spaces. Now it does.  

The latest release of the Devo Platform is here! Release 8.15.3 brings a collection of improvements to the Alerts page and bug fixes.  Starting with the addition of MITRE Tactics and Techniques added to all Alert Definitions.  Add single or multi-technique tags to alerts and filter by them in the triggered alerts view. We have also added available Entity Attributes in Alert creation. Opening an Alert in the Query Editor has been improved to use available Extra Data, particularly useful for our MSSP’s as they can edit alerts with the appropriate client information in extra data. Read on to learn more!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Listen to this Product Update in our new ProdCasts audio format!  Table of ContentsNew Features Add MITRE Tactics and Techniques to Alert Definitions Search for MITRE Tactics and Techniques in Triggered Alerts Updated Features Entity Attributes in Alert Creation, Edit, and Clone forms Alert Extra Data is added as filtering when “Go to Query” is called Enhanced Alert Auditing with Post filtering information Improved Column Visibility control Improved Extra Data Visibility   New FeaturesAdd MITRE Tactics and Techniques to Alert DefinitionsUsers can now add MITRE Tactics, Techniques and Sub-Techniques in Alert Definitions. You can add multiple Techniques under each Tactic. Search for MITRE Tactics and Techniques in Triggered AlertsSupporting the addition of MITRE Tactics and Techniques, these new search filters allows you to find specific alerts by these new attributes. Updated FeaturesEntity Attributes in Alert Creation, Edit, and Clone formsWe have added a new section to inform users about the available entity attributes based on the data source table and query in their alerts. Attribures highlited in blue will appear in triggered alerts, while those in gray are availabe in the table but not currently part of the alert definition.Learn more in our Documentation. Alert Extra Data is added as filtering when “Go to Query” is calledWhen information is available in the Extra Data of an alert, it is used to filter the data when it is opened in the query editor.  This is particularly useful for MSSP Alerts, as you can the client information Extra Data and open the query with the correct filtering every time. Enhanced Alert Auditing with Post filtering information We’ve enhanced the devo.audit.alert.triggered table by adding information about post-filters. Users can now see if a post-filter was applied to a triggered alert.  We are also recording events for triggered alerts that have been deleted via post-filter. Improved Column Visibility controlQuickly hide columns by right clicking on any column header to reveal the Hide Column command.  You can manage visibility of columns on the Ellipse menu at the right end of the table. Improved Extra Data VisibilityWe’ve added color formatting to extra data for enhanced readability. View our full release notes in our Documentation.    

Devo Documentation is a live repository of information, how-to’s, troubleshooting guides, and installation instructions for every part of Devo solutions. It is a large repository of information with many moving parts and authors and it gets updated daily. These articles will help highlight some of the key updates that provide the most impact or improvements to your existing workflow. The highlight of these updates is rebuilt documentation for a variety of SQS collectors and JSON pages. If you have any questions or suggestions for our documentation team, post them in the comments below! Table of ContentsSite Wide Improvements Send to Devo Individual Page updates Authorize SQS Data Access CloudTrail Audit Logs Collector CloudFront SQS Collector GuardDuty Threat SQS Collector WAF ACL Firewall Access SQS Collector JSON Troubleshooting  Site Wide ImprovementsSend to DevoThe Send to Devo instructions have been reviewed and updated where appropriate for the vast majority of authentication, firewall, and CEF0 parser pages.  These are important changes to highlight as they cover most of our high ingestion tables and frequently queried tables. Individual Page updatesAuthorize SQS Data AccessSQS is Devo’s most popular collector but have you ever been confused about how to authorize a collector to use SQS? This update is for you! We have created new instructions for this complex process that sure to make it an easier and straight forward task. CloudTrail Audit Logs CollectorWe have created new step-by-step instructions on how to ingest this must-have Collector for anyone using AWS.  In the event your AWS account is compromised, this data will tell you what actions the attacker was able to take in your environment. CloudFront SQS CollectorDid you or your customer purchase content delivery services from Amazon? You can monitor network requests using this new step-by-step guide to this critical collector. GuardDuty Threat SQS CollectorAmazon-provided Threat intelligence service, GuardDuty, is a must-have for any customers who use Amazon services. Make use of threats identified by Amazon to stop attacks in your systems. WAF ACL Firewall Access SQS CollectorInstructions have been rewritten for ease of use and clarity, making it much simpler to send data from AWS to Devo. JSON TroubleshootingWe have recreated this page to provide clearer troubleshooting instructions for JSON arguments along with improvement delivered in the Devo Platform Release 8.15.0. And more!  Visit your favorite Devo Doc’s pages!

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Parsers cloud.azure Change Log box.win_nxlog Change Log box.win_snare Change Log firewall.sophos Change Log firewall.cisco Change Log box.all.win Change Log firewall.fortinet Change Log Iam.pingdentity Change Log cef0.checkpoint Change Log  Updated Parserscloud.azureLink to DocumentationChange Log New fields added to the union for cloud.zure.ad.audit  box.win_nxlogLink to DocumentationChange Log Added new fields for box.win_nxlog*  box.win_snareLink to DocumentationChange Log Added new table for box.win_snare.fim Added new fields and refactored powershell logs for box.win_snare* Parser adapted to variable number of spaces between keys and values Two new event types parsed New log source added Sysmon  firewall.sophosLink to DocumentationChange Log Made timestamp a string so timezone is preserved for firewall.sophos.securenet.packetfilter  firewall.ciscoLink to DocumentationChange Log Added new types for firewall.cisco.ftd  box.all.winLink to DocumentationChange Log Added new fields for box.all.win  firewall.fortinetLink to DocumentationChange Log Added missing fields from tables: firewall.fortinet.event firewall.fortinet.event.connector firewall.fortinet.event.dhcp  Iam.pingdentityDocumentation in ProgressChange Log Added new table for iam.pingidentity.pingaccess.server  cef0.checkpointLink to DocumentationChange Log Added a new fields for:  cef0.checkPoint.unknown cef0.checkPoint.connectra        

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Collectors Netskope API V2 v2.0.1 Change Log Microsoft Graph v3.1.0 Change Log AWS SQS v1.7.4 Change Log ServiceNow v2.0.0 Change Log Google Cloud Platform v2.1.0 Change Log IBM Cloud Activity Tracker v2.0.0 Change Log Alibaba Cloud v1.2.0 Change Log AWS v1.12.0 Change Log Menlo Security v1.3.0 Change Log  Updated CollectorsNetskope API V2 v2.0.1Link to DocumentationChange Log Improvements  Refactored collector , check migration guide  Updated the DCSDK from 1.11.1 to 1.13.1 Bugs Fixed Duplication and Delay issue. Fixed 409 Error by adding wait time.  Microsoft Graph v3.1.0Link to DocumentationChange Log Improvements  Alerts categorisation for alerts_v2 service (this change can break compatibility with previous versions) New optional flattening for alerts_v2 service, new separate table for "evidences" Automatic recovery from error 400 "Invalid Skiptoken" returned from Graph API Updated DCSDK from 1.13.1 to 1.14.0  AWS SQS v1.7.4Link to DocumentationChange Log Bugs Fixed bug with log operations Made decorators to be optional. To enable set debug to true.  ServiceNow v2.0.0Link to DocumentationChange Log Improvements  Migrated API to v2 version Implemented OAUTH.  Google Cloud Platform v2.1.0Link to DocumentationChange LogImprovements New Features  Complete Refactor: The collector has been completely redesigned to provide a more flexible and powerful solution for ingesting data from Google Cloud Pub/Sub. Support for Multiple Data Sources: The collector now supports generic ingestion from Pub/Sub, allowing seamless data collection from any GCP service, including Logging and Security Command Center Findings. New Service: Netskope Web Transactions: Added support for Netskope Web Transactions, enabling seamless data ingestion from Pub/Sub Lite. Streaming Data Collection: The collector now works in streaming mode, significantly reducing latency and improving efficiency. Optimized Performance: The entire codebase has been optimized, reducing memory usage and increasing stability in high-load environments. Enhanced Auto-Categorization: Improved the event auto-categorization mechanism to ensure accurate and efficient tagging. Refactored Codebase: The internal architecture has been restructured, improving maintainability, scalability, and overall performance. Better Error Handling & Logging: Improved error handling mechanisms and log traceability to facilitate troubleshooting. Deployed with DCSDK v1.14.0: Ensuring compatibility with the latest SDK enhancements.  IBM Cloud Activity Tracker v2.0.0Link to DocumentationChange Log Improvements  Migrated the collector to get data from IBM Cloud Activity Tracker to IBM Cloud Logs (Kafka - event streaming). Added unit tests and user guide. Updated DCSDK base Docker image to 1.4.0. Updated DCSDK from 1.10.0 to 1.14.0  Alibaba Cloud v1.2.0Link to DocumentationChange Log Improvements  Updated the DCSDK from 1.7.2 to 1.14.0. Bugs Fixed unexpected PullError in actiontrail log service for missing eventVersion New Features Fixed Added new services for access logs, db logs, internal audit service logs  AWS v1.12.0Link to DocumentationChange Log Improvements  Updated DCSDK from 1.13.1 to 1.14.0 Fixed the bug related to delay in ingestion for Guard Duty  Menlo Security v1.3.0Link to DocumentationChange Log Improvements  Upgraded the DCSDK from 1.13.1 to 1.14.0 Fixed the persistence logic.    

 The latest release of the Devo Platform is here! Release 8.15.0 brings enhancements to Activeboards, Data Search, and Query API.  Activeboards UI has been upgraded, providing a variety of benefits including enhanced UI performance, a new Activeboard Manager and time range controls in Widget queries.  Data Search has improved the Field Viewer's ability to handle tens of thousands of rows, making it very snappy, as well as bringing JSON parsing, Agnostic Geolocation operators and casting maps to JSON directly within Data Search.  Lastly, the Query API has new calls for relative time-ranges, new output format: AVRO and Public Swagger Docs.  Let’s dive in!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Features Activeboards New UI for Activeboard Manager Updated UI benefiting Date selector and UI performance New Time-Range selector Time Range for Queries in Widgets Data Search Rebuilt Field Viewer JSON operation available in Data Search Simplified JSON Parsing Agnostic Geolocation operations Query API New output format AVRO Relative time-range Public Swagger documentation  New FeaturesActiveboardsNew UI for Activeboard ManagerImprovements to Filtering, UI speed and Information-at-a-Glance.New Activeboard manager streamlines AB information by adding the Activeboard description as a tool tip when you hover over the name.  We have also added more filters for each column and a general filter for searching the entire available catalog.   UI has also been updated for Favorite, Shared and Scheduled indicators. Updated UI benefiting Date selector and UI performanceWe have updated the underlying UI engine used on the Activeboards page. This has allowed us to provide additional UI performance benefits and:New Time-Range selectorCompletely manipulate the start and end times as fast as you can scroll your mouse wheel!Time Range for Queries in WidgetsYou can now include the time range selected in the activeboard in your widget queries!  Use the DATARANGE_FROM and DATARANGE_TO parameters when you edit your Widget Query source! Data SearchRebuilt Field ViewerFast loading and snappy response from the Field viewer even when loading 30,000+ rows of data! JSON operation available in Data SearchYou can now use the json() operator in Data Search!  Here is an example:Example from siem.logtrust.web.activity select (“name”:”john”,”age”:30,”country”:”US”) as map1 select json(map1) as json  To learn more about JSON and its capabilities visit this Doc page. Simplified JSON ParsingThis exciting update simplifies the operation to parse or extract JSON fields.Old Operation New Operation select jqeval(jqcompile(“.p”), json) select json[“p”]  Example from siem.logtrust.web.activity select jsonparse(“{\”p\”: [1, 2, 3]}”) as json select jqeval(jqcompile(“.p”), json) //current way to extract “p” select json[“p”] as retrieve_by_param_name //new way to extract “p” select at(json, “p”) as retrieve_with_at //another new way to extract “p”  To learn more about JSON Parse, visit this Doc Page. Agnostic Geolocation operationsTo provide a solution for geolocation operations that get updated over time (mm->mm2->mm?), we have developed agnostic Geolocation operations to future-proof your code and continue to receive the benefits of future updates. Example (Old) Example (New) mm2country countrycode The full list of new agnostic operations is available here in our Docs.Update and future-proof your queries! Query APINew output format AVROApache AVRO is an open-source, row-based data serialization format commonly used for big data sets and is now available through the Query API.Note: Exclusively for the Query API, not currently available in Data Search.Relative time-rangeAPI now supports relative time-range calls! Here are a few examples of what you can do with these new calls:Time Expression Description Resulting Time now() - 60m 60 minutes ago Sunday, 05 February 2017, 12:37:05 now() @ 1h Now (rounded to the beginning of the hour) Sunday, 05 February 2017, 13:00:00 now() - 24h 24 hours ago Saturday, 04 February 2017, 13:37:05 (now() - 1d) @ 1d Yesterday (rounded to the beginning of the day) Saturday, 04 February 2017, 00:00:00 (now() - 2d) @ 1d 2 days ago (rounded to the beginning of the day) Friday, 03 February 2017, 00:00:00 (now() - 2d) @ 1m 2 days ago (rounded to the beginning of the minute) Friday, 03 February 2017, 13:37:00 Learn more about these new calls in our Doc page here. Public Swagger documentationIntroducing Swagger Docs for the Query API available here.

The latest release of the Devo Platform is here! Release 8.14.22 brings enhancements to Lookup Management, Role Management Credentials Tab, and Landing Page preferences. Starting with Lookup Management, we have enhanced the interface to include a new column “History” that reflects the stats of the API setting “keepHistory”. Along with this change, we have updated the available types. We have also cleaned up Role Management permissions and improved column consistency in the Credentials Tab. Next up is the Landing Page, you can select your preferred landing page from the newly alphabetized drop-down!  Learn more below!  Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released   Table of ContentsNew Features Lookup Management page Alignment with API New History Column New Type names Updated Features Role Management->Security->Permission unification Credentials Token tab consistency change Added Credentials API to Token creation Landing Page preference Sort order Bug Fixes New FeaturesLookup Management page Alignment with APITwo changes to the Lookup Management page to bring all the features in alignment with that is available through the Lookup Management API.  New History ColumnThis is a Boolean value reflecting the API parameter KeepHistory which allows you to store all historic data, enabling historic search.New Type namesTo align with this new change the Type field names have been updated.Old Type New Type History Column Value Dynamic query Periodic query No (False) Historic dynamic query  Periodic query Yes (True) Static query Static query No (False) Historic static query Static query Yes (True) Upload CSV data No (False)  Updated FeaturesRole Management->Security->Permission unificationRole management permission for API Key has been updated to API Credentials and controls the user’s ability to view, create and delete API key as well as use of the Credentials API. Credentials Token tab consistency changeFor different base languages the Token tab had different names. for consistency this tab is now called “Token” for all languages. Added Credentials API to Token creationYou can now set the Type of token to a new type “Credentials API”.  These tokens do not require permissions on tables. Landing Page preference Sort orderNow you can chose your landing page from an alphabetically sorted list! Bug FixesRole Mapping no longer allows group names to start with a white space. A user deactivated in all domains cannot log in with SAML

The latest release of the Devo Platform is here! Release 8.14.21 brings a powerful new tools set with the Token Management API. With this new API, you can manage, creat,e and edit account credential tokens directly through API calls. This lets you manage access to your environment with API calls, allowing automation and bulk actions to accelerate your reaction time.  A great new tool particularly for our MSSP and partner clients to manage their customer environments. To learn more about what API’s are available you can visit this page in our Documentation. Read on to learn more about the Token Management API! Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Feature Token Management API  New FeatureToken Management APIThis new set of API calls will allow you to manage account credential tokens completely and in bulk! The token Management API can be used to:Create Tokens Retrieve Tokens Rename Tokens Enable / Disable Tokens Delete TokensThis new API is a great tool, particularly for our MSSP clients and partners! Learn more in our Documentation. Please Note the Token Management API was renamed the Credentials API at release. 

Devo ThreatLink, an integral part of Case Management, automates alert triage, reducing the analyst workload from thousands of alerts to tens of daily cases. This streamlined process allows security teams to focus on the most critical incidents, significantly improving efficiency and reducing alert fatigue. Release 1.4 brings with it new playbooks, updated error handling and updates to the case template and Audit logging.  If you want to learn more about Threat Link, view this article. The benefits of Threatlink need to be seen, if would like to see a demonstration, speak with your Devo Representative! Table of ContentsNew Features and Updates New Playbook available Upgrade for Fetch Alerts Updates to ThreatLink Case Template fields Updated SOAR Audit Logging Updated ThreatLink Dashboard: Past 7 Days  New Features and UpdatesNew Playbook availableIntroducing the “Close Linked SIEM Alerts on Case Closure”.  This playbook will run ever [customer defined] minutes to “close” alerts in the SIEM once a case is closed.RequirementsThreatlink 1.4 or greater Updated case setting templateUpgrade for Fetch AlertsFetch Alerts now uses FetchAlertsV2 Integration. Updates to ThreatLink Case Template fieldsWe’ve added a new field called “siem_alerts_closed”. This field needs to be added to the system tab in the case template.  We have also added a new field called “resolution_notes”. This needs to be added to the workflow section in the case template. Updated SOAR Audit LoggingWe’ve updated SOAR Audit Logging to version 1.7, the main changes in this update are:Added comments to the output Added case title to the outputUpdated ThreatLink Dashboard: Past 7 DaysThe Past 7 Days dashboard has been upgraded to v1.1.0 

The latest release of the Devo Platform is here! Release 8.14.19 brings a collection of API and Alert improvements. Starting with new functionality allowing you to manage your Anti-Flooding policy through API calls with the new Anti-Flooding API. Next, we have added new entity attributes through a new column where available. We also added a new filter corresponding to the entity attributes and a new source table column to help you identify the source tables without needing to dive deeper into the alert. Along with a collection of bug fixes and visual improvements, this release is sure to enhance your Alert workflow! Read on to view details! Geo AvailabilityRegion Status CA Released US Released US3 Released EU Released APAC Released   Table of ContentsNew features Anti-Flooding API Entity Attributes New Filter added for entity attributes​​​​​​​ New source table columns Improvements Update to Alert Priority statuses   New featuresAnti-Flooding APIUsers can now create and manage anti-flooding policy through API calls. Entity AttributesAdded a new column and filter to view and search the entity attributes associated with alerts. Note that not all alerts will have entity attributes depending on the table the alert was created from and the query used.New Filter added for entity attributes​​​​​​​New filter criteria was added to find specific alerts based on their entity attributes.  This filter appears in Simple search as well as Advance Search. New source table columnsUsers can now see which table an alert was triggered from directly in the triggered alerts table, without needing to navigate to the alert details, query or view definition  ImprovementsUpdate to Alert Priority statusesUpdated colors and names to improve clarity. See the full release notes in our documentation. 

Devo Exchange is happy to announce the availability of a new activeboard called Threat Hunting by DNS. The activeboard allows you to identify and investigate potential threats by analyzing patterns in DNS (Domain Name System) queries and responses. This activeboard not only aids in uncovering advanced threats but also provides actionable insights to improve your organization's overall security posture. Some great use cases for this new Activeboard include Traffic Optimization in IT Operations.  in Security, you can use it for Anomaly Detection and Risk Assessment!  Learn more below!  Threat Hunting by DNS Direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Required Data Sourcesnetwork.dnsSecurity Multidomain Lookups:UmbrellaTop1M mispIndicator CollectiveDefense DynamicDNSUse Cases IT Operations   Traffic Optimization: Monitor DNS traffic trends to identify and optimize traffic flow within the network. Resource Utilization: Track top queried domains and geolocation data to ensure efficient resource allocation and load balancing. Troubleshooting: Diagnose issues such as DNS misconfigurations, service outages, or latency problems. Security Operations   Anomaly Detection: Identify unusual behaviors such as DNS tunneling or dynamic domain usage that could indicate malicious activities. Threat Intelligence Correlation: Detect known malicious domains and integrate them with external threat feeds for proactive defense. Risk Assessment: Generate risk scores based on DNS query characteristics, such as domain length, entropy, and patterns. Incident Response: Use investigation tools and DNS data correlations to facilitate faster and more accurate incident investigations. Learn more in our Docs

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsNew Parsers itam.netwrix Updated Parsers cloud.aws Change log box.win_nxlog Change Log mail.postfix Change log ftp.crushftp Change log firewall.paloalto Change log edr.crowdstrike Change log endpoint.symantec Change log cef0.infoblox Change log ips.all.alerts Change log endpoint.bitdefender Change log  New Parsersitam.netwrixDocumentation in progress Updated Parserscloud.awsLink to DocumentationChange logSupport for JSON in cloud.aws.vpc.flow box.win_nxlogLink to DocumentationChange LogAdded parser for box.win_nxlog.ntlm mail.postfixLink to DocumentationChange logAdded new fields ftp.crushftpLink to DocumentationChange logAdded new fields for ftp.crushftp.event firewall.paloaltoLink to DocumentationChange logAdded a new field to firewall.paloalto.* edr.crowdstrikeLink to DocumentationChange logAdded new fields for edr.crowdstrike.cannon endpoint.symantecLink to DocumentationChange logAdded new parser for endpoint.symantec.sepm.system cef0.infobloxLink to DocumentationChange logAdded new fields for cef0infoblox.dataConnector ips.all.alertsLink to DocumentationChange logAdded a new field endpoint.bitdefenderLink to DocumentationChange logModified fields for endpoint.bitdefender.agent.edr_alert   

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsNew Collector Tencent Cloud v1.0.0 Updated Collectors VMWare Carbon Black v1.5.0 Change Log ServiceNow v1.6.0 Change Log Cortex XDR v2.0.3 Change Log Trend Micro Vision One v1.3.0 Change Log CyberArk EPM v1.2.0 Change Log   New CollectorTencent Cloud v1.0.0Link to Documentation  Updated CollectorsVMWare Carbon Black v1.5.0Link to DocumentationChange Log Improvements  Refactored collector to the latest DCSDK 1.13.1.  Refactored code for the livequery, alerts and audit service in accordance with template1 Eliminated the use of while loops in the pull logic Added Unit Tests for the livequery, alerts and audit services Bugs Fixed the 400 API error received when collector was invoking the carbon black live query API ServiceNow v1.6.0Link to DocumentationChange Log Improvements  Updated SDK to the latest version, 1.13.1.  Remove vulnerabilities in libexpat1, expat Cortex XDR v2.0.3Link to DocumentationChange Log Improvements  Refactored the puller logic to enhance code readability and optimize performance. Introduce a new base puller to centralize shared functionality. Expanded unit tests with additional scenarios to improve coverage and reliability. Added validations for start_time, ensuring it is not set to a future date, preventing configuration errors. Bugs Fixed an issue where puller variables were not resetting after encountering an error, which caused the collector to freeze and stop gathering data. Trend Micro Vision One v1.3.0Link to DocumentationChange Log New Features  New endpoints for risk insights: discovered_device vulnerable_device account_compromise_indicator risk_event_definition device_risk_profile user_risk_profile  CyberArk EPM v1.2.0Link to DocumentationChange Log Improvements  Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performance Bug fixing Fixed the services names in example params.

Devo Exchange is happy to announce the availability of a new activeboard called Alert Triage Metrics. The activeboard provides an overview of security alerts, focusing on detection, response, and resolution performance. It includes metrics on alert actions, severity, accuracy, and insights into adversarial techniques mapped to the MITRE ATT&CK framework. This new activeboard is the first in a series of new metric visualizations coming in the new year. Be sure to check it out and let us know what you think, what you would like to see next and any improvements you can think off!  Happy Holidays and Happy new year to all! Alert Triage Alert Metrics Alert Triage Metrics direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Let us know what you think!

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!   Table of ContentsNew Parsers ndr.darktrace Change log box.cisco Change log box.all.unix Change Log Update Parsers firewall.fortinet Change log proxy.zscaler Change log network.meraki Change log crm.salesforce Change log ddi.infoblox Change log vpn.soft_ether Change log endpoint.symantec Change log firewall.watchguard Change log firewall.paloalto Change log  New Parsersndr.darktraceDocumentation in ProgressChange logSupport for Darktrace NDRbox.ciscoDocumentation in ProgressChange logSupport for Cisco UCS manager box.all.unixDocumentation in ProgressChange LogNew union table to gather together any event coming from a linux system no matter how they aregathered.  Update Parsersfirewall.fortinetLink to DocumentationChange logNew table firewall.fortinet.utm.wafproxy.zscalerLink to DocumentationChange logAdded new field cdfqdn to table proxy.zscaler.zia.firewallnetwork.merakiLink to DocumentationChange logAdded more log types to network.meraki.eventscrm.salesforceLink to DocumentationChange logNew tables added (JSON format)  DCDM partially implemented ddi.infobloxLink to DocumentationChange logAdded new table ddi.infoblox.nios.lease_eventsvpn.soft_etherLink to DocumentationChange logAdded support for more events including more fields to the parserendpoint.symantecLink to DocumentationChange logNew table endpoint.symantec.sepm.systemfirewall.watchguardLink to DocumentationChange logNew table firewall.watchguard.event firewall.paloaltoLink to DocumentationChange logAdded JSON support to the parsers

Every month, the integrations team work on new and updated collectors for you, and I collect them all in this Catalog Update.   This post contains new and updated collector information as well as links to their respective pages in our Documentation portal.  Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!  Table of ContentsUpdated Collectors Menlo Security v1.2.0 Improvements  Bugs Microsoft Defender Cloud Apps v1.4.0 Improvements Bugs Sendmarc v1.0.1 Bugs Cyberark Identity v1.2.0 Improvements  Bugs Trend Micro Deep Security v1.4.0 Improvements  Cortex XDR v2.0.2 Improvements  Bugs Cohesity v1.2.0 Improvements  Lark v1.3.0 New Features Improvements  Trend Micro Vision One v1.3.0 Improvements  Bug fixing Tenable IO v2.0.0 Improvements  Bug fixing Darktrace v1.1.0 Improvements  Gsuite Workspace Alerts v1.9.0 Improvements  Bug fixing Duo v2.1.0 Improvements  Security  Spycloud v1.2.0 Improvements  Security  MS Graph v2.1.0 Improvements  Security   Updated CollectorsMenlo Security v1.2.0Documentation in progress.Improvements Refactored collector to the latest DCSDK 1.13.1.  Increase the quality of the collector adding more unit testsBugsFixed an issue related to missing logs for audit and smtp service.Microsoft Defender Cloud Apps v1.4.0Link to DocumentationImprovementsUpdated SDK to the latest version, 1.13.1.  Several improvements on stabilityBugsFixed an issue related to files service not workingSendmarc v1.0.1Link to DocumentationBugsInput error due to missing inputs example params.Cyberark Identity v1.2.0Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Increase the quality of the collector by adding more unit tests.BugsFixed the user config and schemas to allow overrides.Trend Micro Deep Security v1.4.0Documentation in progressImprovements Updated SDK to the latest version, 1.13.1.  Increase the quality of the collector adding more unit tests Several improvements on stabilityCortex XDR v2.0.2Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Increase the quality of the collector adding more unit testsBugsFixed the behavior when stopping the collector.Cohesity v1.2.0Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Several improvements on stability Lark v1.3.0Link to DocumentationNew FeaturesAdded two new services Aud Admin logs DLP Executive logsImprovements Updated SDK to the latest version, 1.13.1.  Several improvements on stability Trend Micro Vision One v1.3.0Link to DocumentationImprovements Updated SDK to the latest version, 1.13.1.  Several improvements on stabilityBug fixingAdded parameter fetch_gap_seconds to better control the delay on the source Tenable IO v2.0.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceBug fixingFixed issues related to memory usage causing the collector to stopDarktrace v1.1.0Link to Documentation Improvements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performance Gsuite Workspace Alerts v1.9.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability and performance Increase the quality of the collector adding more unit testsBug fixingFixed the ingestion stoppage issue.  Fixed the user config. Duo v2.1.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceSecurity Removed some vulnerabilities Spycloud v1.2.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceSecurity Removed some vulnerabilitiesMS Graph v2.1.0Link to DocumentationImprovements Refactor updating SDK to the latest version, 1.13.1.  Several improvements on stability, quality and performanceSecurity Removed some vulnerabilities

The latest release of the Devo Platform is here! Release 8.14.12 brings with it a key improvement to Activeboards. We have created a diagnostic tool that informs you when your Activeboard performance can be optimized! As you launch your Activeboards, will you notice a new bell icon presented inline with each widget, if it has notifications pending, then it has detected ways for you to optimize that widget and get the best performance for your Activeboard! Currently, this new tool has diagnostic outputs for 4 suggestions with more coming in the next updates!  Review your Activeboards and optimize like a pro!  Learn more below!  Geo AvailabilityRegion Status GovCloud Released CA Released US Released US3 Released EU Released APAC Released  Table of ContentsNew Feature Automatic Optimization Suggestions per widget  New FeatureAutomatic Optimization Suggestions per widgetActiveboards do the hard lifting in visualizing data and sometimes it’s not easy to understand what can be done to tune your widgets so they perform optimally.  This release adds self-diagnostics that output suggestions to an inline notification bell per widget.  this first release comes with the following rules:Unused Columns Unnecessary Time Grouping Duplicate Columns Add Aggregation Task (used to be the rocket icon, now part of this system)More rules will be added in the coming releases.

The latest release of the Devo Platform is here! Release 8.14.11 focuses on Alert improvements and bug fixes.  A small but impactful quality of life improvement, now all your alert Dates in Extra data, summary, and description are in your local time zone. We have added the ability to launch alert details in a new tab for a faster workflow. The recently launched Alert Streaming mode also got improvements in the form of inheriting Column visibility settings, highlighting incoming alerts and visibility improvements. We’ve also squashed a selection of bugs listed in the article.  Check it out below!  Geo AvailabilityRegion Status GovCloud Released CA Released US Released EU Released APAC Released   Table of ContentsEnhancements Dates in Local times Open in new Tab Streaming Mode Improvements Bug Fixes EnhancementsDates in Local timesWe can now see dates in Extra Data, Summary, and Description displayed in their timezone instead of in UTC.Open in new TabLaunch Alert Details in a new tab or continue viewing them on the same page; now you have the option that best suits your work flow.  Right click on the alert ID to see these new options. Streaming Mode ImprovementsColumn visibility settings are now inherited by the streaming mode view. Incoming alerts are now highlighted in a different color when added to the list to improve readability. Improved visibility of Pause popupBug FixesFixed permissions for new post-filter button Fixed decoding errors due to incorrectly formatted characters in Extra Data. Fixed display of large summary and description texts Improved readability of cells with long text Improved DevoSource retry attempts and sleep mode handling

The Devo Exchange team is happy to introduce a release filled with features and content! Release 2.2 adds a new content type: Queries! This new content category is launching with 130 queries in 5 categories. We have also updated the content submission tool to accept queries. Synthetic data, an amazing tool for testing your defenses has received a great new feature: Runtime settings!  You can now set the Synthetic Data injection to run for a variable length of up to 30 days. Along with more great improvements the team also also delivered a huge collection of new content.  Learn more below!  Geo AvailabilityRegion Status GovCloud Released CA Released US Released US3 Released EU Released APAC Released   Table of ContentsNew Features New Content Type: Queries Updated Content Proposal Tool Synthetic Data Runtime Settings Improvements Copy Alert button in Alert Packs Improved Newest Sort New content Available 10 Activeboards have been upgraded with Multitenancy support New Activeboards Cloud Gsuite Reports Ingestion Volume Zscaler Zia Proxy New Alert Packs VCS Github Audit Ping Identity MFA Remote System Discovery New Synthetic Data and Use Cases  The Synthetic Data Pack New Synthetic Data and Use cases  New FeaturesNew Content Type: QueriesWe have gathered around 130 queries and organized them into 5 categories for use as part of training and collaboration. You will find these query packs in their own category under All Content.Math Built-in Operations Event Day Built-in Operations Geolocation Built-In Operations Collector Ingestion Monitoring Active Directory Threat DetectionEach of these category packs contain a collection of LINQ queries for use in learning or helping you understand and build new queries. Updated Content Proposal ToolYou can now share your queries using the Content Proposal Tool. Not only will sharing demonstrate your mastery of LINQ but you will help others discover, innovate and share new creations.As with all submissions, it will go through a full evaluation before becoming available on Devo Exchange. Synthetic Data Runtime Settings2 major new additions improvements. First we added a dialog to allow you to set the duration of the Synthetic data injection, up to a maximum of 30 days.  ImprovementsCopy Alert button in Alert PacksWith this new copy button, you can test alerts before installing them! Improved Newest SortSorting by Newest will now exclude updated content, focusing only on the newest released content. New content Available10 Activeboards have been upgraded with Multitenancy supportYou can now use the following Activeboards in multitenancy environments to get detailed insight into your managed environments.Ingest Volume Collector Monitoring DataSource Monitoring Active Directory Relay Monitoring Firewall Monitoring Web Activity Monitoring Windows System Audit AWS Account Activity DataSources InsightNew ActiveboardsCloud Gsuite ReportsCloud Gsuite Reports direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Ingestion VolumeIngestion Volume direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Zscaler Zia ProxyZscaler Zia Proxy direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  New Alert PacksThree new alert packs are available:VCS Github AuditVCS Github Audit direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Ping Identity MFAPing Identity MFA direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  Remote System DiscoveryRemote System Discovery direct Exchange LinksUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange  New Synthetic Data and Use Cases The Synthetic Data PackWe have also added a content pack of Injections so you can quickly test a new client’s environment with a full breath of synthetic data.  With a single button, you can have your environment be alive with the following Synthetic data:VPN Cisco ASA Injection AWS Cloudtrail S3 Injection VPN Pulse Secure Injection CDN Akamai Cloudmonitor Injection Palo Alto Traffic Injection Windows Snare Injection Injection for Windows Activity AB Unix Events Injection Auth Okta Systems InjectionNew Synthetic Data and Use casesOkta Authentication Use case v1.0.0 Firewall Juniper SSG Injection v1.0.0 Auth Okta System Injection v1.0.0 Box Unix Events Injection v1.0.0 SentinelOne Av Events Injection v1.0.0 Auth DUO Authentication Injection v1.0.0 VPN Cisco ASA AnyConnect Injection v1.0.0 Cloud Gsuite Reports v1.0.0 Windows Snare Injection v1.0.0 VPN Pulse Secure Injection v1.0.0 CDN Akamai CloudMonitor Injection v1.0.0 Juniper SSG traffic Injection v1.0.0     

The Devo Relay is a critical feature of Devo that receives inbound events from your data sources and then sends them to your Devo instance with all the tagging and processing rules that make Devo work as fast as it does.   This release collects updates to the Devo Relay from version 2.9.2 to 2.13.3.  The main feature added allows you to manage data ingestion across child domains in your multitenancy environment. Additionally, this release contains a host of improvements including new environmental data, support for language characters, improvements to the stats measurer, and more!  Learn more below! Table of ContentsNew Features Domain Impersonation for Multitenancy (v2.11.0) Improvements Fixes New FeaturesDomain Impersonation for Multitenancy (v2.11.0)This new feature allows you to manage data ingestion across multiple domains within your multitenant structure using a single certificate.Learn more in our Documentation Improvements Menu in Devo Relay CLI includes the variables to select the new US3 environment and not need to input it manually. (v2.10.0) New environment data: (v2.10.0) Devo ELB: collector-us3.devo.io:443 Query API: https://api-us3.devo.com/search Relay API: https://api-us3.devo.com/maduro Added internal filter for relay troubleshooting. (v2.11.0) Improved support for Chinese / Japanese characters. (v2.12.0) Improvements on stats measurer. (v2.12.0) Output TLS connection requires TLS 1.3 (v2.13.3) Fixes Fixes a previous behavior of Devo Relay where several critical OS services are not accounted before booting. This could cause a condition when the relay service tries to get started before the OS essential services are up and running. (v2.9.2) Vulnerability Fixes v2.9.2 logback-classic (CVE-2023-6378) logback-core (CVE-2023-6378, CVE-2023-6481) libcrypto3 & libssl3 (CVE-2023-5363) v2.10..0 commons-compress (CVE-2024-26308 & CVE-2024-25710) spring-core (CVE-2024-22233) amazon-corretto:openssl (CVE-2024-0727 & CVE-2023-6129)  For all the release notes to every version of the Devo Relay, see the Documentation

Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.8 brings a variety of improvements to the Login and Homepage. We have improved our Login experience by removing the domain list limits entirely!  You can now view the full list of all the domains you have access to with search and pagination capabilities.  With this new feature, we have also added a new visual distinguishing mark for Root domains so you can find them more easily.  Following your feedback, we have made some improvements to the new HomePage including permanently hiding the top banner. Learn more below!  Geo AvailabilityRegion Status CA Released US Released EU Released APAC Released   Table of ContentsNew Features Limitless domain switching Easily Identify Root domains Improvements Usability Improvements to new Home Page Bug Fixes New FeaturesLimitless domain switchingYou can now view the full list of domains you have access to and switch to without domain list limitations.  The feature comes complete with a full count of available domains and pagination controls to quickly navigate across the full breadth of your available domains. Easily Identify Root domainsWith so many domains to choose from, it’s important to chose the right one!  Now you can easily pick out the root domains with this new label. ImprovementsUsability Improvements to new Home PageWe have made some changes to the Homepage based on customer feedback. Improvements by numbers:The Welcome title has been moved to make more screen space available. Button styles changed to blend in better. You can now close the top banner group for this session. Or use this check mark to close it permanently. The shortcut to Usage Analytics has been cleaned up for a cleaner look.Bug FixesFixed a problem with the usage analytics footer appearing for users without access to the tool. Fixed a problem with visibility permissions for top banner in Home.See the full release notes in our Documentation  

We're thrilled to announce the latest updates and additions to our alerting system with Release 32. This release enhances the functionality and accuracy of several firewall and threat detection alerts. A key improvement is the addition of sourceIP and hostname fields, improving the contextual information available for faster incident triage and response.Updated alerts include FWIpScanInternal, FWPortScanExternalSource, FWSMBTrafficOutbound, and advanced threat detection rules like REvilKaseyaWebShellsUploadConn and HAFNIUMWebShellsTargetingExchangeServers. These changes enhance the detection capabilities for network scans, unauthorized SMB traffic, RDP external access, and specific threats like REvil and HAFNIUM.To access Updated Detections, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, and manage your alerts.  To update or install new alerts visit Devo Exchange. Table of ContentsAlerts Updated Firewall Alerts FWIpScanInternal FWIrcTrafficExternalDestination FWPortScanInternalSource FWPortSweepInternalSource FWExternalSMBTrafficDetectedFirewall FWPortScanExternalSource FWRDPExternalAccess FWSMBTrafficOutbound FwTftpOutboundTraffic Proxy Alerts REvilKaseyaWebShellsUploadConn REvilKaseyaWebShells Public Facing Application Exploit Alert HAFNIUMHttpPostTargetingExchangeServers External Remote Services Alert HAFNIUMWebShellsTargetingExchangeServers Alerts UpdatedFirewall AlertsThe following Alerts are available in Alert Pack: FirewallUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange FWIpScanInternalFWIrcTrafficExternalDestinationFWPortScanInternalSourceFWPortSweepInternalSourceFWExternalSMBTrafficDetectedFirewallFWPortScanExternalSourceFWRDPExternalAccessFWSMBTrafficOutboundFwTftpOutboundTraffic Proxy AlertsThe following alerts are available in Alert Pack: ProxyUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange REvilKaseyaWebShellsUploadConnREvilKaseyaWebShells Public Facing Application Exploit AlertThis alert is available in Alert Pack: Exploit Public-Facing ApplicationUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange HAFNIUMHttpPostTargetingExchangeServersExternal Remote Services AlertThis alert is available in Alert Pack: Exploit Public-Facing ApplicationUS Exchange US3 Exchange CA Exchange EU Exchange APAC Exchange HAFNIUMWebShellsTargetingExchangeServers  

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources! Table of ContentsUpdated Parsers cloud.azure firewall.watchguard ftp.crushftp mail.mimecast firewall.all.traffic vcs.github cloud.office365 cef0.netsckope cef0.fortinet db.oracle firewall.all.ips box.unix firewall.cisco ids.suricata cloud.office365.management Updated Parserscloud.azureLink to Documentationfirewall.watchguardLink to Documentationftp.crushftpLink to Documentationmail.mimecastLink to Documentationfirewall.all.trafficLink to Documentationvcs.githubLink to Documentationcloud.office365Link to Documentationcef0.netsckopeLink to Documentationcef0.fortinetLink to Documentationdb.oracleLink to Documentationfirewall.all.ipsLink to Documentationbox.unixLink to Documentationfirewall.ciscoLink to Documentationids.suricataLink to Documentationcloud.office365.managementLink to Documentation