Popular Updates

Devo Platform Release 8.8.16

Hello everyone, the latest Devo Platform release is here! Release 8.8.16 brings you a wide variety of changes to streamline and speed up your workflow with the Devo Platform. Starting with a new streamlined Support Access, you now go directly to the Support portal to get the most flexibility for your ticket creation and content access. The Preferences and Current Queries pages have been sped up dramatically. Activeboards have received a lot of improvements, with optional widget loading, an improved autocomplete editor, and a new sorting workflow. We have also improved the Lookup creation experience! Read on to learn about all the changes in this update.

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
New Features
- Streamlined Support Access
- Activeboards optional widget loading
Updated Features
- Alerts creation form update
- Activeboard editor improved
- Activeboard default sorting removed
- Improved Create Lookup Experience
Performance Improvements
Bug Fixes

New Features

Streamlined Support Access
We are streamlining Support access across the Devo Ecosystem to create a better experience for all parties. The Support portal is now your direct access to create, manage and view your case history, and this is now reflected on the Devo Platform.

Activeboards optional widget loading
Performance is a key value in Devo, and we know that some Activeboards are so detail rich that loading all of their widgets may take longer than optimal. With this update you can individually disable the launch of any widget in your Activeboard. This reduces system resource load as well as loading times for that Activeboard. You gain greater control of your widgets and faster access to critical information.

Updated Features

Alerts creation form update
The default setting for “Include all fields” in each Alert Create form has been reversed, and the help info has been expanded with complete information.

Activeboard editor improved
Build your Activeboards faster with a new autocomplete feature for the Activeboard editor!

Activeboard default sorting removed
Previously, when a Table widget was loaded for the first time, the rows were automatically sorted by eventdate. With this update, no sorting algorithm is applied to the rows, regardless of the sort used in the query. Rows are displayed in the order they are received (possibly by eventdate, but not guaranteed). After loading, the user can define specific sorting choices through the column headings.

Improved Create Lookup Experience
When loading a CSV Lookup, all whitespace at the start or end of a Lookup column name is automatically removed. When creating a Lookup, any manually typed extra spaces at the start or end of a column name will prompt an error message telling you where the extra whitespace is before the Lookup is created.

Performance Improvements
The performance of the Preferences pages and the Current Queries page has been significantly improved through internal code changes that increase loading speeds.

Bug Fixes
- Blank page in “Search History” when the user has only the “Finders” permission
- “Go to Query” in triggered alerts displays a blank page in a use case
- Edit Alert form label
- Usage Analytics cache not taking timezones into account
- Aggregation task creation: “Real-Time” value always displayed as unchecked
- Loxcope wizard incorrect translation when filtering null values
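The two Lookup column-name behaviours described above (silent trimming for CSV files, an error pointing at the extra whitespace for typed names), as an added example in Python; this is not Devo's own code, the sample CSV is constructed, and the collision check at the end is this example's own caveat, not something the release notes state:

```python
"""Validation of CSV Lookup column names: names read from a CSV header are
trimmed silently, while manually typed names with leading/trailing
whitespace are rejected with a message saying where the whitespace is.
Added example, not Devo's code; the CSV content below is constructed."""
import csv
import io

# Constructed sample CSV lookup with sloppy header whitespace (not real data).
SAMPLE_CSV = (
    " ip_address ,hostname\t,owner\n"
    "203.0.113.5,web-01,alice\n"
    "203.0.113.6,web-02,bob\n"
)

def load_csv_lookup(text):
    """Parse a CSV lookup and trim leading/trailing whitespace from each
    column name, as the platform now does when loading a CSV Lookup.
    Returns (columns, rows); rows are dicts keyed by the trimmed names."""
    reader = csv.reader(io.StringIO(text))
    raw_header = next(reader)
    columns = [name.strip() for name in raw_header]
    rows = [dict(zip(columns, row)) for row in reader]
    return columns, rows

def check_typed_column_names(names):
    """Validate manually typed column names before a Lookup is created.
    Returns one error message per name that has leading or trailing
    whitespace, stating how much and on which side. Empty list means OK."""
    errors = []
    for position, name in enumerate(names, start=1):
        leading = len(name) - len(name.lstrip())
        trailing = len(name) - len(name.rstrip())
        where = []
        if leading:
            where.append(f"{leading} leading")
        if trailing:
            where.append(f"{trailing} trailing")
        if where:
            errors.append(
                f"column {position} {name!r}: remove {' and '.join(where)} whitespace"
            )
    return errors

def trimmed_name_collisions(names):
    """Caveat added by this example (not stated on the page): after trimming,
    two names such as ' host' and 'host' collide. Returns the duplicates."""
    seen, dupes = set(), set()
    for name in (n.strip() for n in names):
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes)

if __name__ == "__main__":
    cols, rows = load_csv_lookup(SAMPLE_CSV)
    print(cols, rows[0])
    for err in check_typed_column_names([" ip_address ", "hostname\t", "owner"]):
        print(err)
    print(trimmed_name_collisions([" host", "host", "ip"]))
```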

Related products: Devo Platform

Devo Exchange release 1.8

Hello everyone, the Exchange team has a new update for you with tons of great improvements. Two years have passed since the launch of Devo Exchange, and our content library has grown from 30 to 220 releases! This release focuses on improved performance, with faster response times in all aspects of the platform. We have also updated the process of accessing Devo Exchange by using policies. This is a key update for MSSPs. The Alerts update process was also updated, so you can now choose which individual alerts to update from an Alert Pack. Read on to learn more about each of these updates!

Geo Availability
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
New Features
- Updated Access Control
- Unlock individual Alert updating
Performance Improvements
Additional User Experience updates

New Features

Updated Access Control
Exchange access control was switched from roles to policies in this release. This means you now have more control as an admin to manage access to content on Devo Exchange. We added a Marketplace Management policy so Admins can choose which users are allowed to access and manage Exchange content.

Unlock individual Alert updating
With this update, you can choose which alerts inside an Alert Pack to update. This significant change is instrumental in supporting alert coverage customization. Now, when a new update is available for an Alert Pack, you will see the notification in the Exchange card and can choose to update only the alerts you are using. We have also introduced a DIFF tool in the update process that you can use to compare the code before updating the alert, bringing full transparency to the update process.

Performance Improvements
Growing from our humble beginnings of 30 titles to our current 220 titles is a huge leap in content. The system needed tuning to handle the significant growth of the last year. From top to bottom, we have recreated the underlying structure of Exchange to handle the current catalog and make sure the gains are scalable for all future iterations of the catalog. This results in consistently fast performance throughout your use of Devo Exchange.

Additional User Experience updates
Supporting improvements and informational updates throughout the application.

Related products: Devo Exchange

Devo Security Operations: OOTB Alerts Release 22

The Devo Threat Research Team has published OOTB Alerts Release 22! This release, available now from the Security Operations Content Manager, provides 9 updated detections and 2 new alerts. This update introduces powerful enhancements to fortify and monitor your security infrastructure.

To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, update your existing detections, or view all the new detection details and choose to deploy the new content.

This update features several key improvements:

New Alert: OS Credential Dumping
With our latest detection capabilities, we now provide a new alert designed to promptly identify instances of OS credential dumping. This critical security threat, often exploited by malicious actors, can compromise sensitive login credentials. By issuing alerts for potential credential dumping activity, our system empowers users to respond swiftly, minimizing the risk of unauthorized access.

New Alert: Detection for Traffic to Paste Bin
Recognizing the evolving threat landscape, we've incorporated detection mechanisms to monitor and flag traffic directed toward paste bin services. These platforms are frequently leveraged by adversaries for data exfiltration and sharing of sensitive information. By detecting suspicious activity related to paste bin usage, our system enables proactive intervention, safeguarding against unauthorized data dissemination.

Regex Optimized Improvements for Windows and Proxy Alerts
In this update, we've optimized regular expressions (regex) to enhance the accuracy and efficiency of Windows and proxy alerts. These improvements refine our detection capabilities, ensuring more precise identification of suspicious activity associated with Windows and proxy servers. By fine-tuning regex patterns, we reduce false positives and provide users with actionable insights into potential security threats.

Updated Field Naming for Microsoft Office365 Detections
We've revamped field naming conventions for Microsoft Office365 detections to streamline data interpretation and analysis. This update ensures consistency and clarity in identifying and responding to security events within the Office365 environment. By aligning field names with industry standards, users can easily navigate and leverage insights from our detection system to bolster their Office365 security posture.

These updates reflect our commitment to continuously enhancing our detection capabilities, empowering users to stay ahead of emerging threats and safeguard their digital assets effectively.

New Detections
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsOsCredentialDumpingGsecdump | Detects execution of well-known credential dumping tools via service execution events. | box.all.win | New!
SecOpsProxyDataExfiltrationDetection | Monitors proxy logs for connections from internal IPs to parsing or content aggregation sites known for data parsing and content. | proxy.all.access | New!

Updated Detections
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsAWSCreateloginprofile | Detects if a login has been performed by a user who was created in the last 24 hours and checks whether the user creation and the login were performed from the same IP. This behavior could indicate a privilege escalation attempt. | cloud.aws.cloudtrail | Tuned subquery parameters
SecOpsO365PhishAttempt | Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. | cloud.office365.management | Updated based on window logging updates
SecOpsO365SusMailboxDelegation | Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules. | cloud.office365.management | Updated field naming
SecOpsREvilKaseyaWebShellsUploadConn | The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days; the attack was pushed out via an infected IT Management update from Kaseya. | proxy.all.access | Optimized regex
SecOpsHAFNIUMHttpPostTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. | web.all.access | Optimized regex
SecOpsHAFNIUMWebShellsTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | web.all.access | Optimized regex
SecOpsREvilKaseyaWebShells | The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT Management update from Kaseya. | web.all.access | Optimized regex
SecOpsWinAdminRemoteLogon | Detects remote logins by an administrative user account. Administrative account names are tailored to the organization’s specific naming conventions. | box.all.win | Updated entity mapping
SecOpsWinIISWebRootProcessExecution | Detects the execution of a process from inside a web hosting directory, which can indicate that an adversary uploaded a malicious file to the web server and ran it as a process. | box.all.win | Optimized regex

Subscribe to Product updates to never miss an update!
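The correlation that the SecOpsAWSCreateloginprofile row describes (a console login by a user created within the previous 24 hours, plus a same-IP check), written out as an added Python example run over constructed CloudTrail-style events; this is not Devo's alert query, and the event field names and sample values are assumptions of the example:

```python
"""Detection logic in the spirit of the SecOpsAWSCreateloginprofile alert:
flag successful ConsoleLogin events by IAM users created within the
previous 24 hours, and record whether creation and login came from the
same source IP. Added example, not Devo's code; events are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events with only the fields this logic reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-20T09:00:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-02-20T09:05:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-02-20T09:10:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Long-standing user: no CreateUser event in the window, not flagged.
    {"eventTime": "2024-02-20T10:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Same new user, but 51 hours after creation: outside the 24h window.
    {"eventTime": "2024-02-22T12:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_new_user_logins(events, window_hours=24):
    """Return one finding per successful console login by a user whose
    CreateUser event lies within `window_hours` before the login.
    Events may arrive in any order; two passes avoid sorting."""
    window = timedelta(hours=window_hours)
    # Pass 1: when and from which IP each IAM user was created.
    created = {}
    for ev in events:
        if ev.get("eventName") == "CreateUser":
            name = ev.get("requestParameters", {}).get("userName")
            if name:
                created[name] = (parse_time(ev["eventTime"]), ev.get("sourceIPAddress"))
    # Pass 2: correlate successful console logins with those creations.
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        name = ev.get("userIdentity", {}).get("userName")
        if name not in created:
            continue
        created_at, created_ip = created[name]
        age = parse_time(ev["eventTime"]) - created_at
        if timedelta(0) <= age <= window:
            findings.append({
                "user": name,
                "login_time": ev["eventTime"],
                "minutes_since_creation": int(age.total_seconds() // 60),
                "same_ip": ev.get("sourceIPAddress") == created_ip,
            })
    return findings

if __name__ == "__main__":
    for finding in find_new_user_logins(SAMPLE_EVENTS):
        print(finding)
```

The same_ip flag is what the alert description calls out as the second check; in a real deployment the login of a just-created user from a different IP still warrants review, so the example reports it rather than suppressing it.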

Related products: Security Operations

Devo Security Operations: OOTB Alerts Release 21

The Devo Threat Research Team has published OOTB Alerts Release 21! This release, available now from the Security Operations Content Manager, provides 7 updated detections and 1 new alert. The updates focus on improved performance, easier installation and a reduction in false positive results. If you are using these detections, this update is a must have!

To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here you can search for the detection name, update your existing detections, or view all the new detection details and choose to deploy the new content.

New Detection
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsO365OneDriveDownload | Detects a high volume of OneDrive activity. | CLOUD.OFFICE365.MANAGEME | New Alert!

Updated Detections
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsAccountsCreatedRemovedWithinFTourHours | Detects user accounts that are created and deleted within a four-hour period. | box.all.win | Updated Alert Logic to reduce false positives
SecOpsFWRDPTrafficUnauthorized | Detects RDP traffic to hosts not within an allowed list. | firewall.all.traffic | Removed dependency for installation
SecOpsLinuxSuspciousExecutionCommand | Detects relevant commands often related to malware or hacking activity. | box.unix | Updated to reduce false positives
SecOpsCDHuntFWdstIpIsPossibleIoc | This search looks for Collective Defense matches in firewall data. | firewall.all.traffic | Field naming updates
SecOpsFWIcmpExcessivePackets | Since ICMP packets are typically very small, this alert detects ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration. | firewall.all.traffic | Field naming updates
SecOpsFWTrafficOnUnassignedLowPort | Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic. | firewall.all.traffic | Field naming updates
SecOpsVNCPortOpen | Used to identify the default port for VNC connections. | firewall.all.traffic | Field naming updates

Subscribe to Product updates to stay informed about all updates from the Product Teams!

Related products: Security Operations

Devo Parser Catalog Update: February

The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available. If you require a new parser, please open a support ticket through the support portal.

Table of Contents
Updated Parsers
Union Tables Updated

Updated Parsers
- proxy.zscaler (Link to Devo Documentation)
- firewall.paloalto (Link to Devo Documentation)
- auth.jumpcloud (Link to Devo Documentation)
- av.mcafee (Link to Devo Documentation)
- bms.humansecurity (Link to Devo Documentation)
- auth.auth0 (Link to Devo Documentation)
- cloud.office365 (Link to Devo Documentation)
- box.win_winlogbeat (Link to Devo Documentation)
- box.win_nxlog (Link to Devo Documentation)
- box.devo_ea (Link to Devo Documentation)
- dhcp.bluecat (Link to Devo Documentation)
- vcs.gitlab (Link to Devo Documentation)
- vuln.qualys (Link to Devo Documentation)
- edr.crowdstrike (Link to Devo Documentation)
- edr.darktrace (Link to Devo Documentation)
- edr.cisco (Link to Devo Documentation)
- cloud.aws (Link to Devo Documentation)
- cloud.gsuite (Link to Devo Documentation)
- crm.salesforce (Link to Devo Documentation)
- casb.netskope (Link to Devo Documentation)
- network.meraki (Link to Devo Documentation)
- network.vmware (Link to Devo Documentation)
- adn.f5 (Link to Devo Documentation)
- entity.behavior (Link to Devo Documentation)
- cdn.cloudflare (Link to Devo Documentation)
- cef0.fortinet (Documentation in progress)
- ras.beyondtrust (Link to Devo Documentation)

Union Tables Updated
- auth.all (Link to Devo Documentation)
- firewall.all.traffic (Link to Devo Documentation)

Related products: Devo Integrations

Devo Collector Catalog Update for February

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone!

Table of Contents
New Collectors
Updated Collectors

New Collectors
- AWS SQS v1.0.0 (Link to Documentation)
- Fastly Next-Gen WAF v1.0.0b3 (Documentation is being updated)

Updated Collectors
- Microsoft Defender Cloud Apps v1.2.0 (Link to Documentation)
- Jumpcloud v1.2.2 (Link to Documentation)
- Crowdstrike API v1.5.4 (Link to Documentation)
- Proofpoint TAP v2.2.0 (Link to Documentation)
- Akamai SIEM Collector v2.0.0 (Documentation is being updated)
- Cortex-XDR v1.2.0 (Documentation is being updated)
- Qualys v2.0.0 (Documentation is being updated)
- Google Workspace Reports v1.9.1 (Formerly Gsuite Reports) (Link to Documentation)
- SentinelOne v1.5.0 (Link to Documentation)
- Cybereason v1.3.0 (Documentation is being updated)

Related products: Devo Integrations

Devo Platform 8.8.0 Release

This post details the pre-release information for Devo Platform Release 8.8.0. This release will be pushed to production on February 1, 2024, at 11 AM UTC+1. In this release, domain Administrators will benefit from enhanced monitoring capabilities over their environment with the introduction of the Usage Analytics feature. Another item in this release is the new Conditional Formatting feature available from the Field Viewer. This will enhance the capabilities of all Data Searchers with support for up to 5 conditional formatting conditions. Continue reading to view the full details of this update.

Release Information
Release Date: February 1, 2024
Release Time: 11:00am UTC+1

Geo Release
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
New Features
- Usage Analytics
- Conditional Formatting introduced to the Field Viewer
- New Alerts audit table added
- Change Alert Status in Bulk actions
- Change Alert Priority in Bulk actions
- New EACH Alert creation/editing options
Bug fixes (of course)

Additional information is available in our Documentation.

New Features

Usage Analytics
Usage Analytics is a new Dashboard inside Devo designed to help Administrators understand how Devo is being used in their environment. Accessible from the Administration Menu on the top left, this new dashboard allows the administrator to monitor:
- Weekly Active Users
- Ingestion metrics
  - Average daily ingestion for the last 7 days
  - Ingestion per technology for the last 7 days
- Query count metrics
  - Query count for the 3 most common ways to query data: Data Search, API queries, OData queries
  - Number of queries by origin for the last 7 days, grouped by every 1 hour
- Resource usage distribution
  - Shows how different areas of the product consume compute resources over time
  - Resource usage per component during the last 24 hours

Conditional Formatting introduced to the Field Viewer
You can now add conditional formatting to your tables! You can add up to a maximum of 5 conditions that specify an operator and value, along with a text and background color, to apply to the matching cells. Each condition provides a preview, along with tags, that indicate the visual format and the value. To enact the changes of the preview, be sure to click on Apply!
1) This icon indicates that a field has conditional formatting applied to it.
2) The conditional formatting tab open with the conditions set.
3) How it is shown in the data table.

New Alerts audit table added
A new audit table is available for Alerts called “devo.audit.alert.definition” in all domains. This audit table logs all user activities related to Alert definitions within a domain. The activities logged by this new table are:
- Alert creation
- Alert editing
- Alert enable/disable
- Alert deletion

Change Alert Status in Bulk actions
You can change the status of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Status followed by the desired status.

Change Alert Priority in Bulk actions
You can change the priority of several alerts by checking the boxes next to the names, clicking the Bulk actions button next to the master checkbox, and selecting Priority followed by the desired priority level.

New EACH Alert creation/editing options
When creating an Each Alert you can now select whether to include all fields or only those query fields explicitly called in your alert plus the eventdate field. This is available only for EACH Alerts whose query has no grouping clause. Select the Include all fields check box to include all fields in your alert.

Bug fixes (of course)

Related products: Devo Platform

Collector Catalog Update: January

Here are the latest additions to the Collector Library as well as the updated collectors for the month of January!

Table of Contents
New Collectors
Updated Collectors

New Collectors
- Microsoft Defender for IoT Collector v1.0.0b1 (Link to Documentation)
- Bitwarden Collector v1.0.0b1 (Documentation in progress)
- Cyble Vision Collector v1.0.0 (Link to Documentation)
- Mandiant Advantage collector v1.0.0b1 (Link to Documentation)
- IBM Cloud VPC Flow v1.0.0.b1 (Link to Documentation)
- IBM Cloud Softlayer v1.0.0b1 (Link to Documentation)
- IBM Cloud Activity Tracker v1.0.0b1 (Link to Documentation)

Updated Collectors
- MS Graph v1.7.0b1 (Link to Documentation)
- Github v2.1.0 (Link to Documentation)
- SentinelOne v1.4.0 (Link to Documentation)
- Recorded Future v1.3.0 (Link to Documentation)
- Cybereason v1.2.0 (Documentation in progress)
- OneTrust v1.2.0 (Link to Documentation)
- AlienVault OTX v1.1.0 (Link to Documentation)
- Wiz Cloud Security v1.2.0 (Link to Documentation)
- Cylance v1.1.0 (Link to Documentation)
- Agari Phishing Defense v1.2.0 (Link to Documentation)
- JumpCloud v1.1.0 (Link to Documentation)
- Microsoft Azure v1.7.0 (Link to Documentation)
- Okta Resources v1.8.0 (Link to Documentation)
- Microsoft Defender Cloud Apps v1.1.0 (Link to Documentation)
- Microsoft O365 Message Tracing v2.2.0 (Link to Documentation)
- Rapid7 InsightVM v1.4.0 (Link to Documentation)
- Infocyte v1.3.0 (Link to Documentation)

Related products: Devo Integrations

Devo Exchange: Mitre Att&ck Adviser 1.7

Custom Threat Groups have arrived for the MITRE ATT&CK Adviser! This update allows you to define custom alert groups, design your own threat groups, and track them!

Geo Release
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
What is a Custom Threat Group?
How can I use Custom Threat Groups?
Where can I find Custom Threat Groups?
How to configure a Custom Threat Group?
Threat Groups Updated!

What is a Custom Threat Group?
Custom threat groups help organizations take threat groups from other security vendors and add them to the MITRE ATT&CK Adviser to quickly assess coverage of threat groups that are not tracked by MITRE. Custom threat groups enable customers to create:
- Custom threat groups
- Alert groups for data sources not tracked by MITRE
- Groups to track their custom alert coverage

How can I use Custom Threat Groups?
Alert groups per data source enable organizations to map alerts for specific data sources to a group, to understand what coverage those data sources are giving them. For example, if a customer wants to understand what coverage their AWS detections give them within Devo, they can create a group of their AWS alerts and quickly monitor their coverage. Creating a custom group to track alerts that have been created by the customer in a single location is useful for understanding what coverage an organization has brought itself vs. what Devo has provided. Alerts can also be separated into specific groups for homegrown applications or other reasons, to track coverage on more specific parts of an organization's data landscape.

Where can I find Custom Threat Groups?
Custom Threat Groups can be found in the App Configuration section of the MITRE ATT&CK Adviser application.

How to configure a Custom Threat Group?
Creating a new custom threat group is easy; just enter the following information in the UI window:
Field | Description
ID | Unique ID for the custom Threat Group
Name | Name of the Custom Threat Group
Description | Describe the purpose or details of the group
Associated Threat Groups | Identify the associated MITRE Threat Groups for the threat group being created
Techniques | Select the techniques that are associated with the new custom group. This will enable the MITRE ATT&CK matrix filtering and coverage calculations.
Alerts Used | Select the alerts that are associated with the new custom threat group. This will enable the MITRE ATT&CK matrix filtering and coverage calculations.

Threat Groups Updated!
With this release, the Threat Groups list has been updated with a huge number of new Threat Groups to help you identify the techniques of specific known bad actors and measure your coverage against them!
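The AWS use case from “How can I use Custom Threat Groups?” and the fields in the configuration table above, worked through as an added Python example; this is not the MITRE ATT&CK Adviser's own code, the alert-to-technique mapping and the group are constructed, and the coverage formula (share of the group's techniques that at least one selected alert maps to) is this example's assumption about how the coverage calculation behaves:

```python
"""Coverage calculation for a Custom Threat Group shaped like the fields in
the configuration table (ID, Name, Description, Associated Threat Groups,
Techniques, Alerts Used). Added example, not the Adviser's code; the
mapping, the group and the coverage formula are this example's own."""

# Constructed mapping: alert name -> ATT&CK technique IDs it is tagged with.
ALERT_TECHNIQUES = {
    "AWS_ConsoleLogin_NewUser": {"T1078", "T1098"},
    "AWS_CloudTrail_Disabled": {"T1562.008"},
    "AWS_S3_BucketMadePublic": {"T1530"},
    "Win_CredentialDumping": {"T1003"},
}

# Constructed custom group tracking AWS coverage, the use case described above.
AWS_GROUP = {
    "id": "CTG-AWS-001",
    "name": "AWS detections",
    "description": "Coverage provided by our AWS alerts",
    "associated_threat_groups": [],
    "techniques": ["T1078", "T1098", "T1562.008", "T1530", "T1580"],
    "alerts_used": ["AWS_ConsoleLogin_NewUser", "AWS_CloudTrail_Disabled",
                    "AWS_S3_BucketMadePublic"],
}

def group_coverage(group, alert_techniques):
    """Return covered/uncovered technique lists and a coverage percentage
    for one custom threat group. Alerts the group names but the mapping does
    not know are reported rather than silently counted as covering nothing."""
    wanted = set(group["techniques"])
    detected = set()
    unknown_alerts = []
    for alert in group["alerts_used"]:
        if alert in alert_techniques:
            detected |= alert_techniques[alert]
        else:
            unknown_alerts.append(alert)
    covered = sorted(wanted & detected)
    uncovered = sorted(wanted - detected)
    pct = round(100.0 * len(covered) / len(wanted), 1) if wanted else 0.0
    return {"covered": covered, "uncovered": uncovered,
            "coverage_pct": pct, "unknown_alerts": unknown_alerts}

if __name__ == "__main__":
    print(group_coverage(AWS_GROUP, ALERT_TECHNIQUES))
```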

Related products: Devo Exchange

Devo Platform 8.7.0

The Devo Team has packed release 8.7.0 with some amazing content for our customers. In this release we have the long-hinted Dark Mode, the new and completely rebuilt Alerts Page, and finally Activeboards have become easier to use with the new Smart Editor. Let's dive right in!

Release by Region
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
New Alerts Page
- Filter Triggered Alerts with new time ranges
- New Filtering options for Triggered Alerts
- Faster Alert Loading with new pagination
New Alerts Management Page
- Streamlined Alert Management
- Expandable detail summary
- Edit Status
- Edit Priority
- Add Comments to single alert or multiple alerts
- Group Alerts by Name
Dark Mode theme is here!
- How to switch to Dark Theme
Activeboard New Features
- New copy icon
- Export To PDF improvements
Bug Fixes

New Alerts Page
Completely revamped with new features throughout, this is a leap forward for the Alert Page and the future of Devo!

Filter Triggered Alerts with new time ranges
- Absolute: a defined interval with set beginning and ending dates, used for viewing data from a particular time frame.
- Relative: a time span that is determined in relation to the current date, such as “Last 5 minutes” or “Last Day”, used for observing data development up to the current moment.
- Snap to: a time period that reverts to the beginning of the chosen timeframe, enabling the analysis of data without the distortion caused by incomplete periods and ensuring a representative data sample.

New Filtering options for Triggered Alerts
Access new filtering options for triggered alerts that are applied universally to the entire Alerts Overview. This includes both the Chart representation area at the top and the Triggered alerts area at the bottom.
- Filter by Alert Name
- Filter by Status
- Filter by Priority
- Filter by Category
- Filter by Subcategory
with more to come in future updates!

Faster Alert Loading with new pagination
The alerts list is organized into pages for faster loading and easier navigation. This allows you to find the alerts you are interested in quickly, and includes new listing options for you to control how much detail you see on each page.

New Alerts Management Page
Visualize triggered alerts graphically with new options and enhance your comprehension of your alert coverage.
New Graph Options:
- Line
- Voronoi
- Timeline
- Calendar charts

Streamlined Alert Management

Expandable detail summary
Click the expandable arrow next to the alert name to view the Summary and Description of each triggered alert.

Edit Status
The Status column displays the degree to which a triggered alert has been acknowledged.

Edit Priority
The Priority column reflects the priority level that was assigned to the alert definition at the time of its creation.

Add Comments to single alert or multiple alerts
Comment on a single alert or multiple alerts with this new functionality.

Group Alerts by Name
As you know, an Alert can be triggered multiple times. To better manage these events, we are providing grouping capability by Alert Name. You can also expand the group to see all the individual alerts collected by that container.

And that’s just the beginning! The team has planned a lot more for the Alerts page and we are eager to hear your thoughts on these changes, so let us know in the comments or in Private messages!

Dark Mode theme is here!
In addition to the wonderful and current default Light Theme, you now have the option to switch to the Dark Theme! [Play the Imperial March] Every subcomponent and tool was aligned and streamlined to work as a single design with the new theme. A big thank you to the entire team!

How to switch to Dark Theme
- Go to your user Preferences
- Click on Global
- Choose Dark!

Activeboard New Features

New copy icon
The Activeboard editor has a new copy icon that allows you to copy all the content in the editor to the clipboard. You will find the new copy functionality in the following areas:
- The Query Editor
- The Activeboard RAW configuration
- The Widget RAW configuration

Export To PDF improvements
We are performing incremental improvements to the Export to PDF functionality over the next few releases. In this release, an improvement was made in the display of the input type widgets list.

Bug Fixes
These release notes are presented before release and are collected here as a “live” document. Check on release day for final changes!

Related products: Devo Platform

Devo Relay 2.8.0

This Devo Relay release brings new OS support, deprecated OS announcements, and automatic setup features for new regions!

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
Core Changes
- New Supported OS’s
- Deprecated Support
- What does Deprecated Support mean?
New Feature
- Automatic Setup added for CA and APAC regions

Core Changes
Devo Relay version 2.8.0 is expanding support to new OS’s. Along with this, support for a few older OS’s is being deprecated; read on to learn all the details of this release.

New Supported OS’s
- Ubuntu 20
- Ubuntu 22
- Centos/RHEL 8
- Centos/RHEL 9

Deprecated Support for
- Ubuntu 18
- Centos/RHEL 7.x
Support for Ubuntu 18 and Centos/RHEL 7.x will end on June 1, 2024.

What does Deprecated Support mean?
Deprecated Support for an OS does not mean the Devo Relay will stop working on that OS; it means that the Devo team will no longer be able to certify the components for that OS going forward. It also means there will be no updates to the latest release (Devo Relay 2.5.0) for those OS’s, so if a problem arises, the OS will need to be upgraded in order to use the latest Devo Relay release.

New Feature

Automatic Setup added for CA and APAC regions
Installer support for automatic endpoint setup for the APAC and CA regions has been added to the Devo Relay. After launching the setup, you can select more Devo Clouds using the automatic setup option.

Related products: Devo Relay

Devo Exchange: Devo Relay Alert Packs

The Devo Relay Alert Pack is now available on Devo Exchange. The Relay Alert Pack consists of alerts that help you monitor your Devo Relays and detect when there are issues.

Table of contents
- What is the Devo Relay?
- What is the Devo Relay Alert Pack?
- What Alerts are Included in the Devo Relay Alert Pack?
- Where do I find the Devo Relay Alert Pack?
- Using the Devo Relay Alert Pack
- Additional Resources

What is the Devo Relay?
The Devo Relay is one of the primary ingestion methods for the Devo Security Data Platform. While the relay code is provided by Devo, the relay infrastructure is typically deployed on customer premises for network routing purposes.

What is the Devo Relay Alert Pack?
The Devo Relay Alert Pack consists of three alerts that monitor the Devo Relay's health and detect when there are issues. By installing these alerts, you can verify that your relay is functioning and catch issues early.

What Alerts are Included in the Devo Relay Alert Pack?
The alerts are:
- DevoRelayConfigWarningLogs - Alerts when relays begin to show warning messages
- DevoRelayErrorLogs - Alerts when relays begin to show error messages
- DevoRelayLogsHearbeat - Alerts when a relay stops sending data to Devo, indicating an issue with the relay, source, or networking

Each alert should be tuned for a given environment/customer domain. For example, the notification period for warning and error messages can be changed to notify users once an hour, day, or week when conditions are met. Additionally, certain relay configurations might raise a warning in a specific environment but be acceptable in business context; in that case the alert can be configured to whitelist those conditions.

Where do I find the Devo Relay Alert Pack?
On Devo Exchange!
Direct links to the Relay Alert Pack: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Using the Devo Relay Alert Pack
If an issue with the Devo Relay arises, the warning and error notification alerts will trigger. The alert shows the first message of a given error or warning sequence, and the remainder of the relevant information is contained in the underlying table. When an alert triggers, open the table to view the entire issue context.

Additional Resources
Questions about the Devo Relay or the Relay Alert Pack? Ask any questions you have on Devo Connect and we will be happy to assist you. Users can also reference the documentation page or open a support ticket for help.
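As an added illustration of what the three alerts above look for (this is example code, not the pack's own alert definitions, which are Devo queries on Devo Exchange), the Python below runs the three conditions over a handful of constructed relay log records. The record layout, the whitelisted warning text and the 15-minute heartbeat window are assumptions made for the example; the point is the tuning knobs the pack describes: a per-environment whitelist for acceptable warnings, surfacing only the first message of a sequence, and treating silence as a heartbeat failure.

```python
"""Relay Alert Pack conditions evaluated over constructed relay log records.

Added example, not the Relay Alert Pack's own alert definitions. Record
layout, whitelist contents and the heartbeat timeout are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample records: one dict per relay log line (not real Devo data).
SAMPLE_LOGS = [
    {"ts": "2024-01-10T10:00:00", "relay": "relay-a", "level": "INFO",
     "msg": "forwarding 1200 events/s"},
    {"ts": "2024-01-10T10:00:05", "relay": "relay-a", "level": "WARNING",
     "msg": "rule 7: listener on port 1514 has no matching rule"},
    {"ts": "2024-01-10T10:00:10", "relay": "relay-b", "level": "ERROR",
     "msg": "connection to collector refused"},
    {"ts": "2024-01-10T10:00:12", "relay": "relay-b", "level": "ERROR",
     "msg": "connection to collector refused"},
    {"ts": "2024-01-10T10:00:20", "relay": "relay-c", "level": "INFO",
     "msg": "forwarding 300 events/s"},
    {"ts": "2024-01-10T10:30:00", "relay": "relay-a", "level": "INFO",
     "msg": "forwarding 1180 events/s"},
]

# Hypothetical environment tuning: warning text accepted here by business
# context (the "whitelisted conditions" the pack lets you configure) and the
# silence window after which a relay is treated as having lost its heartbeat.
WARNING_WHITELIST = ("port 1514",)
HEARTBEAT_TIMEOUT = timedelta(minutes=15)


def config_warnings(logs, whitelist=WARNING_WHITELIST):
    """DevoRelayConfigWarningLogs: first non-whitelisted WARNING per relay.

    Only the first message of the sequence is surfaced, as the alert does;
    the rest stays in the underlying table for the analyst to open.
    """
    first = {}
    for rec in logs:
        if rec["level"] != "WARNING":
            continue
        if any(token in rec["msg"] for token in whitelist):
            continue  # acceptable in this environment, do not alert
        first.setdefault(rec["relay"], rec["msg"])
    return first


def error_logs(logs):
    """DevoRelayErrorLogs: first ERROR per relay plus how many followed it."""
    out = {}
    for rec in logs:
        if rec["level"] != "ERROR":
            continue
        entry = out.setdefault(rec["relay"], {"first": rec["msg"], "count": 0})
        entry["count"] += 1
    return out


def heartbeat_failures(logs, now, timeout=HEARTBEAT_TIMEOUT):
    """DevoRelayLogsHearbeat: relays whose newest record is older than timeout.

    Note the limitation: a relay that never logged at all is not in the
    input and so cannot be reported here; compare against an inventory for that.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = {}
    for rec in logs:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["relay"] not in last_seen or ts > last_seen[rec["relay"]]:
            last_seen[rec["relay"]] = ts
    return sorted(relay for relay, ts in last_seen.items() if now - ts > timeout)


if __name__ == "__main__":
    print("config warnings:", config_warnings(SAMPLE_LOGS))
    print("errors:", error_logs(SAMPLE_LOGS))
    print("heartbeat lost:", heartbeat_failures(SAMPLE_LOGS, "2024-01-10T10:40:00"))
```

With the constructed data, relay-a's warning is suppressed by the whitelist, relay-b shows one error sequence of two messages, and relay-b and relay-c are reported as silent because nothing has arrived from them in the last 15 minutes.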

Related products: Devo Exchange

Devo Behavior Analytics 1.6.0

Devo is happy to announce the latest update to Devo Behavior Analytics. This update contains new features, Alert White Listing and Risk-based Alerting, as well as a selection of bug fixes to improve your experience.

Release Information
Release Window: Tuesday, January 2
Customer Impact: None

Geo Availability
Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
New Features
- Alert White Listing
- Risk-Based Alerting
Additional Development
- Bug fixes!

New Features

Alert White Listing
Alert whitelisting lets customers attach Devo's standard OOTB whitelisting capabilities to the alerts created as part of the behavior alert definition configuration. The whitelist combines the SecOpsAssetRole and SecOpsGWL lookups available from Devo Exchange (see the links below). These lookups are used with the Behavior Alert Definition and the underlying model to identify the entities involved in the detection and check that they are not within the allowlist. If an entity is in the allowlist, the alert will not fire for that entity.
Devo Exchange quick link, SecOpsAssetRole: US Exchange, CA Exchange, EU Exchange, APAC Exchange
Devo Exchange quick link, SecOpsGWL: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Risk-Based Alerting
Risk-based alerting sets thresholds for alerts within the Devo Behavior Analytics application to alert on risk events for specific entities within an organization. Risk-based alerts can be created from the Content Manager or through data search by creating alerts on the entity.behavior.risk.events table. Learn more about this feature in this use case.

Additional Development
Bug fixes!

Related products: Behavior Analytics

Devo Platform release 8.6.6

This Platform release brings a couple of new updates to Activeboards and bug fixes. Enjoy the update, and I hope everyone has a great Holiday!

Geo Availability
Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
Activeboard Improvements
- SimpleValue Widget expanded accuracy
- Export to CSV Improved user interaction
Bug Fixes

Activeboard Improvements

SimpleValue Widget expanded accuracy
The SimpleValue Widget is now more accurate than ever, as it now distinguishes between decimal metric units and binary metric units. To support this, the number format field in the “Visual” tab has replaced the following formats:
Before Update   After Update
Bits            Bytes - Decimal Based
Bytes           Bytes - Binary Based

Export to CSV Improved user interaction
We've cleaned up the naming logic for the “Export to CSV” widget option to produce more consistent and readable outputs. The new rules are:
- Special characters will be replaced with a “-”
- All upper case characters will be replaced with lower case characters

Before Update
WidgetID        widgetName     CSV file name
SimpleValue77   Euros          SimpleValue77_chunk_1
MarkersMap0     User in USA    MarkersMap0_chunk_1

After Update
WidgetID        widgetName     CSV file name
SimpleValue77   Euros          euros
MarkersMap0     User in USA    users-in-usa

Bug Fixes
- Fixed error 500 & 600 when reinjecting in Data Search
- New Aggregation Task - fixed optimization form month and year values that could not be modified
- Table widget - fixed column menu remaining open when leaving Activeboards
- “Type” field - fixed missing values for Logarithmic and Datetime
- Stacked charts - fixed float values
- Widget with RealTime date range - fixed real time status when using the “Go to Query” command

Have a great Holiday!

Related products: Devo Platform

Devo Exchange: OOTB Alerts Release 20

Hello everyone! Our December release improves our library for multiple technologies. We used various research and pen-testing techniques to help close some gaps in coverage, so these alert improvements are extra essential to have in your library.

Table of contents
Updated Alert packs
- Cloud Infrastructure Discovery (MITRE ATT&CK Technique: T1580)
- Alert Pack: Office 365
- Automated Exfiltration (MITRE ATT&CK Technique: T1020)
- OS Credential Dumping (MITRE ATT&CK Technique: T1003)
- Windows Log Threat Detection Suite
- Remote Access Software (MITRE ATT&CK Technique: T1219)
Updated Lookup
- SecOpsDomesticCountries
How to update

Updated Alert packs

Cloud Infrastructure Discovery (MITRE ATT&CK Technique: T1580)
Updated content in this Pack:
Detection: SecOpsAwsCloudTrailReconEvent
Description: Analytical detection of reconnaissance-type behavior from AWS CloudTrail logs
Data Source: cloud.aws.cloudtrail
Change Log: Fix column references and some cleanup on the query to make it easier to read.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Alert Pack: Office 365
Updated content in this Pack:
Detection: SecOpsActivityAnonymousIPAddressesO365
Description: This alert shows an anonymous IP detection made by MCAS
Data Source: cloud.office365.siem_agent_alert
Change Log: Minor changes
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Automated Exfiltration (MITRE ATT&CK Technique: T1020)
Updated content in this Pack:
Detection: SecOpsFWTrafficForeignDestination
Description: Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes.
Data Source: firewall.all.traffic
Change Log: Fix dependencies.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

OS Credential Dumping (MITRE ATT&CK Technique: T1003)
Updated content in this Pack:
Detection: SecOpsWinMimikatzLsadump
Description: An adversary may attempt to dump credentials to obtain account login and credential material in the form of hashes or clear text passwords.
Data Source: box.all.win
Change Log: Improve filtering on the query to cover more cases.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Windows Log Threat Detection Suite
Updated content in this Pack:
Detection: SecOpsWinLsassMemDump
Description: Detects attempts to access lsass using mimikatz and/or a possible mimikatz driver load
Data Source: box.all.win
Change Log: Improve filtering on the query to cover more cases.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Remote Access Software (MITRE ATT&CK Technique: T1219)
Updated content in this Pack:
Detection: SecOpsFWEmbargoedCountryOutboundTrafficDetected
Description: Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes.
Data Source: firewall.all.traffic
Change Log: Fix dependencies.
Detection: SecOpsFWEmbargoedCountryInboundTraffiDetected
Description: Detects inbound traffic sent to an embargoed country. The lookup table SecOpsEmbargoCountries should be modified to fit the organization's needs.
Data Source: firewall.all.traffic
Change Log: Fix dependencies.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Updated Lookup

SecOpsDomesticCountries
The DomesticCountries lookup adds more whitelisting functionality to your Devo detections by letting them reference this lookup of expected countries within your domestic space, often used for impossible-traveler-like use cases. When properly configured, using this lookup lowers your false positive rate and can make your alerts more actionable!
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

How to update
Navigate to the content on Devo Exchange and check the Version date in the top right corner. The date format is Day-Month-Year, and updated alerts will show a latest version date in December 2023. You should also see an Upgrade button on alerts with an upgrade available to install.

Related products: Devo Exchange

Devo Exchange: Catalog Update November

Devo Exchange is your one-stop shop for out-of-the-box content ready to accelerate your security posture! This month's update contains tons of security alerts, Activeboards and critical packs that address complete technologies!

Table of Contents
Collective Defense Content
- Collective Defense Overview Activeboard
- Collective Defense Alert Pack
Detection Suites
- Netflow Log Threat Detection Suite
- Endpoint Detection & Response (EDR) Log Threat Detection Suite
- Intrusion Detection Systems (IDS) Log Threat Detection Suite
- Authentication Log Threat Detection Suite
- DNS Log Threat Detection Suite
- Windows Log Threat Detection Suite
- Email Log Threat Detection Suite
Technology Alert Packs
- Alert Pack: GCP
- Alert Pack: Office 365
- Alert Pack: Google Workspace
- Alert Pack: Linux

Collective Defense Content

Collective Defense Overview Activeboard
This Activeboard provides a complete visual breakdown of all fired alerts by key columns, giving an essential visual summary of the Collective Defense intelligence gathered throughout the Devo ecosystem.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Collective Defense Alert Pack
This alert pack is made of alerts for Collective Defense matches. Identify possible threats based simply on sightings, not on any specific action or condition.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Detection Suites

Netflow Log Threat Detection Suite
Netflow technology serves as a vital defense layer for your organization, and any breach in its security can serve as an inviting path for malicious actors seeking unauthorized access to your systems.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Endpoint Detection & Response (EDR) Log Threat Detection Suite
Devo's EDR solutions offer an additional layer of confidence, ensuring that any vulnerability will be promptly detected and reported to your SOC and organization.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Intrusion Detection Systems (IDS) Log Threat Detection Suite
Devo's advanced detection capabilities offer the added confidence that any vulnerability in your defense system will be promptly communicated to your Security Operations Center (SOC) and your organization.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Authentication Log Threat Detection Suite
Devo's detection systems will deliver added certainty that any vulnerability in your access control will be promptly reported to your SOC and your organization.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

DNS Log Threat Detection Suite
Devo's detections will offer additional assurance that any vulnerability in your DNS infrastructure will be promptly detected and reported to your SOC and your company.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Windows Log Threat Detection Suite
As Windows operating systems remain a prominent choice for businesses and organizations worldwide, it is essential to have robust monitoring and detection systems in place to safeguard against potential security breaches and malicious activities.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Email Log Threat Detection Suite
Email stands as a formidable defense line for your company. To fortify your security posture comprehensively, Devo's Email Threat Detection Suite offers an additional layer of confidence, ensuring that any suspicious activity will be promptly detected and reported to your SOC and organization.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Technology Alert Packs

Alert Pack: GCP
Our Google Cloud Platform Log-Based Threat Detection Suite is a powerful and comprehensive set of alerts designed to proactively detect and mitigate a wide range of cybersecurity threats that leverage Google Cloud Platform (GCP) logs. As organizations increasingly adopt cloud-based solutions for their infrastructure, it becomes essential to have robust monitoring and detection systems in place to safeguard sensitive data and critical applications hosted on GCP.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Alert Pack: Office 365
Our Cloud Office 365 Log Threat Detection Suite is an advanced and comprehensive set of alerts meticulously designed to identify and mitigate cybersecurity threats that exploit Cloud Office / Microsoft 365 logs. As businesses increasingly adopt cloud-based productivity tools like Microsoft Office 365, the need for robust security measures to safeguard sensitive data and communications becomes paramount.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Alert Pack: Google Workspace
Our Google Workspace Log Security Alert Suite is an advanced and comprehensive set of alerts designed to detect and neutralize cybersecurity threats that leverage Google Workspace logs. As organizations increasingly rely on cloud-based collaboration and productivity tools like Google Workspace (formerly G Suite), it becomes crucial to have robust security measures in place to protect sensitive data and communications.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Alert Pack: Linux
Our Linux Log-Based Threat Detection Suite is a comprehensive set of alerts designed to identify and respond to an unprecedented surge of cybersecurity threats that leverage Linux logs as their primary attack vector. With the increasing adoption of Linux systems in various industries and organizations, it has become imperative to proactively monitor and safeguard these critical assets from potential breaches and unauthorized access.
Quick Link on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Related products: Devo Exchange

MITRE ATT&CK Adviser 1.6 released

The essential alert coverage management tool, the MITRE ATT&CK Adviser, has been upgraded with new tools, customization options, and filters for all your needs.

Geo Release
Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Content
New Features
- Customize your Coverage Calculation
- Full Alert Context included
- Application Version Display
- New Alert Coverage Export [CSV]
- Improved filtering across all matrix types
- Easier installation of Alerts in Bulk
- Multi filter Selectors

New Features

Customize your Coverage Calculation
You can now customize which techniques, log sources and alerts are taken into account for your coverage calculation!

Full Alert Context included
All alerts now have full alert descriptions and resources in the Alerts Coverage Table.

Application Version Display
Easily accessible in-app version information, including the framework version and release date.

New Alert Coverage Export [CSV]
Export your MITRE ATT&CK alert coverage as a CSV file!

Improved filtering across all matrix types
Find your familiar and powerful alert filters in all tabs!

Easier installation of Alerts in Bulk
Install all your custom alerts more easily and all at once with more bulk alert upload support. The detailed process is described in this Knowledge Base article.

Multi filter Selectors
Some filters, like LogSource, now support multiple item filters! Better selection for each of your use cases.

See the full documentation on the MITRE ATT&CK Adviser here.
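To make the customizable coverage calculation and the CSV export concrete, here is an added example (not the MITRE ATT&CK Adviser's own implementation) of the arithmetic such a tool has to do. The alert names, techniques and data sources are the ones listed in the alert packs on this page; the scope filters (techniques in scope, log sources actually ingested, ignored alerts) and the CSV layout are assumptions made for the example. The check a practitioner cares about is the second one: an installed alert whose table is not being ingested gives no real coverage, so the calculation must discount it.

```python
"""Coverage calculation scoped by technique, log source and alert.

Added example, not the MITRE ATT&CK Adviser's own code. Catalogue entries
come from this page's alert packs; scope filters and CSV layout are assumed.
"""
import csv
import io

# Alert -> (ATT&CK technique, table the alert reads), taken from this page.
ALERT_CATALOGUE = {
    "SecOpsAwsCloudTrailReconEvent": ("T1580", "cloud.aws.cloudtrail"),
    "SecOpsFWTrafficForeignDestination": ("T1020", "firewall.all.traffic"),
    "SecOpsWinMimikatzLsadump": ("T1003", "box.all.win"),
    "SecOpsWinLsassMemDump": ("T1003", "box.all.win"),
    "SecOpsFWEmbargoedCountryOutboundTrafficDetected": ("T1219", "firewall.all.traffic"),
}


def coverage(catalogue, techniques, log_sources, installed, ignore_alerts=()):
    """Techniques in scope that at least one usable installed alert covers.

    A technique counts as covered only if an installed alert maps to it, that
    alert is not excluded from the calculation, and the table it reads is in
    the set of log sources actually being ingested.
    """
    covered = {}
    for alert, (technique, source) in catalogue.items():
        if technique not in techniques or alert in ignore_alerts:
            continue
        if alert not in installed or source not in log_sources:
            continue  # installed but blind, or not installed: no coverage
        covered.setdefault(technique, []).append(alert)
    uncovered = sorted(set(techniques) - set(covered))
    ratio = len(covered) / len(techniques) if techniques else 0.0
    return {"covered": covered, "uncovered": uncovered, "ratio": ratio}


def coverage_csv(result):
    """Render a coverage result as CSV text, one row per technique in scope."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["technique", "status", "alerts"])
    for technique, alerts in sorted(result["covered"].items()):
        writer.writerow([technique, "covered", ";".join(sorted(alerts))])
    for technique in result["uncovered"]:
        writer.writerow([technique, "uncovered", ""])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed scope: four techniques, two tables ingested, everything installed.
    result = coverage(ALERT_CATALOGUE,
                      techniques={"T1003", "T1020", "T1219", "T1580"},
                      log_sources={"box.all.win", "firewall.all.traffic"},
                      installed=set(ALERT_CATALOGUE))
    print(coverage_csv(result))
```

In the constructed scope, T1580 stays uncovered because cloud.aws.cloudtrail is not among the ingested tables even though its alert is installed; dropping box.all.win from the log sources takes T1003 out of coverage as well, which is the effect the "customize your coverage calculation" filter lets you see.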

Related products: Devo Exchange

Collective Defense: Security through Community

Cyber attacks continue to increase in complexity and frequency. Talent shortages, excessive amounts of data, and the need for verified threat intelligence prevent security teams from rapidly identifying and responding to emerging threats. Collective Defense shares high-value insights and threat intelligence with Devo customers.

Devo Collective Defense is an intelligence program that leverages knowledge of threat activity and shares trends across the Devo user ecosystem. A feature of the Devo Platform, Collective Defense mines alert data and identifies insights, trends, and Indicators of Compromise (IOCs). These insights are then made available to Devo customers via real-time alert aggregations, investigations, and contained threats.

Collective Defense:
- Analyzes customer data securely to find valuable insight, trending threats, and IOCs.
- Provides insights by aggregating alerts, investigations, and contained threats.
- Delivers a high-value, real-time feed containing insights to customers.
- Drives further threat research based on customer results.

How does Collective Defense work?
Collective Defense:
- Provides early warnings on emerging threats through threat hunting analysts, derived from Devo customer threat activity and trends.
- Accelerates investigations by providing validated and enriched threat intel to all participating Devo customers.
- Offers a unique advantage for Devo customers by leveraging Devo's massive ingestion ability to scale and analyze millions of alerts across hundreds of domains. This data diversity provides a more comprehensive view of the threat landscape and gives security teams collective knowledge and insights, augmenting their expertise.

What information does Collective Defense make available?
Take a look:

How can I leverage the information Collective Defense collects?
You can leverage Collective Defense insights by enriching your alerts. Adding Collective Defense to your alerts is easy. Search the IP address of the threat you are investigating and see if others have tagged it. For example, add this line to your alert:

select `lu/CollectiveDefense`(entity_sourceIP) as collective_defense

Does Collective Defense benefit Security Operations?
Yes! The alert benefits are also included in the SecOps application. There is no need to copy/paste and pivot between websites and tabs. This eliminates manual work while providing high-value insights quickly.

Is my data secure?
Devo Collective Defense aggregates alert information only. No sensitive data is ever collected, stored, or shared with others.

How can I learn more about Collective Defense?
Contact your CSM to learn more about Collective Defense! Available to all Devo customers, this is a great new feature to take advantage of within Devo.
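The lookup-driven pattern appears twice on this page: the OOTB firewall alerts above (SecOpsFWTrafficForeignDestination and the two embargoed-country alerts, which depend on the customer-populated SecOpsDomesticCountries and SecOpsEmbargoCountries lookups) and the Collective Defense enrichment line just shown. The following Python is an added example, not the Devo Exchange alert queries or the Collective Defense lookup itself: it evaluates constructed firewall events against stand-in lookups and then enriches each finding with a constructed Collective Defense tag keyed by source IP. The lookup contents, the event layout and the reading of the inbound alert (the embargoed side is the source) are assumptions; the country codes and IPs are placeholders.

```python
"""Lookup-driven firewall checks plus Collective Defense enrichment.

Added example, not the OOTB alert queries from Devo Exchange. Lookup contents,
event layout and the inbound-direction interpretation are assumptions.
"""

# Constructed stand-ins for the Devo lookups named on this page. In Devo the
# customer populates them; the codes here are placeholders for the example.
DOMESTIC_COUNTRIES = {"US", "CA"}      # SecOpsDomesticCountries stand-in
EMBARGOED_COUNTRIES = {"KP", "IR"}     # SecOpsEmbargoCountries stand-in
# Constructed stand-in for the CollectiveDefense lookup keyed by source IP.
COLLECTIVE_DEFENSE = {"203.0.113.9": "sighted in 3 other domains"}

# Constructed firewall events in the shape a geo-enriched firewall.all.traffic
# row might take (documentation-range addresses, not real traffic).
SAMPLE_EVENTS = [
    {"src": "10.1.1.5", "dst": "198.51.100.7", "direction": "outbound",
     "src_country": "US", "dst_country": "US"},
    {"src": "10.1.1.8", "dst": "192.0.2.44", "direction": "outbound",
     "src_country": "US", "dst_country": "DE"},
    {"src": "10.1.1.9", "dst": "192.0.2.80", "direction": "outbound",
     "src_country": "US", "dst_country": "KP"},
    {"src": "203.0.113.9", "dst": "10.1.1.2", "direction": "inbound",
     "src_country": "IR", "dst_country": "US"},
    {"src": "10.1.1.3", "dst": "192.0.2.99", "direction": "outbound",
     "src_country": "US", "dst_country": ""},   # geo lookup returned nothing
]


def classify(event, domestic=DOMESTIC_COUNTRIES, embargoed=EMBARGOED_COUNTRIES):
    """Return the names of the page's firewall alerts this event would match."""
    hits = []
    if event["direction"] == "outbound":
        dst = event["dst_country"]
        # An empty country is treated as unknown, not as foreign: flagging it
        # would fire on every row the geo feed cannot resolve. Decide that
        # explicitly per environment rather than by accident.
        if dst and dst not in domestic:
            hits.append("SecOpsFWTrafficForeignDestination")
        if dst in embargoed:
            hits.append("SecOpsFWEmbargoedCountryOutboundTrafficDetected")
    elif event["direction"] == "inbound":
        # Assumption: for inbound traffic the embargoed endpoint is the source.
        if event["src_country"] in embargoed:
            hits.append("SecOpsFWEmbargoedCountryInboundTraffiDetected")
    return hits


def enrich(event, cd=COLLECTIVE_DEFENSE):
    """The `lu/CollectiveDefense`(entity_sourceIP) step: attach any tag for src."""
    return {**event, "collective_defense": cd.get(event["src"])}


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; return only those that matched, enriched."""
    findings = []
    for event in events:
        alerts = classify(event)
        if alerts:
            findings.append({**enrich(event), "alerts": alerts})
    return findings


if __name__ == "__main__":
    for finding in run():
        print(finding["src"], "->", finding["dst"], finding["alerts"],
              finding["collective_defense"])
```

With the constructed input, traffic to DE is foreign but not embargoed, traffic to KP matches both outbound alerts, and the inbound connection from IR matches the inbound alert and picks up the Collective Defense tag for its source address; the row with no resolved country is left alone.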

Related products: Devo Platform

Devo Behavior Analytics 1.5.0

Security teams rejoice! Devo Behavior Analytics 1.5.0 will be available this week, incorporating new features and enhancements created from your feedback!

Release Information
Release Window: Wednesday November 15
Customer Impact: None

Geo Availability
Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
New Features
- Notable Entity List
- Entity Risk Groups

New Features

Notable Entity List
When a SOC analyst comes to the Devo Behavior Analytics application and identifies an entity that looks suspicious but whose behavior is not yet worth an investigation, the analyst wants to mark that entity to come back to later, without having to remember it or write it down somewhere else. Now, with the notable entity list within Devo Behavior Analytics, a user can add and remove entities from the notable list to track entities that need specific attention and ensure no further malicious behavior. Learn more about this feature in this use case.

Entity Risk Groups
Entity risk groups enable organizations to identify specific sets of entities and adjust their risk score based on their own organization's context. Let's discuss an example to showcase this new feature:

Example Use Case for Entity Risk Groups

VIP Users Risk Group
VIP users are people who are very important to the organization, such as the C-suite, administrators, etc., and who have access to sensitive information or many different systems. If these users were compromised or were conducting risky behavior, it is imperative to look into them sooner rather than later. As a result, it is important to add risk multipliers to these users so that they bubble up to the top of the risk curve within Devo Behavior Analytics. Learn more about this feature in this use case.
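The risk features on this page (risk groups with multipliers and the notable entity list above, and the allowlist and threshold-based risk alerting in the Behavior Analytics 1.6.0 notes earlier) compose into one small scoring pipeline. The Python below is an added example, not Devo Behavior Analytics code: the group multipliers, allowlist, threshold and risk events are all constructed for the example (in Devo the allowlist would come from the SecOpsAssetRole and SecOpsGWL lookups and the events from entity.behavior.risk.events). The design point it shows is ordering: the multiplier is applied per event before aggregation, and the allowlist is applied after scoring, so an allowlisted entity's risk is still visible for review but never fires an alert.

```python
"""Entity risk with risk groups, allowlist and threshold alerting.

Added example, not Devo Behavior Analytics code. Groups, allowlist,
threshold and events are constructed for the example.
"""

# Hypothetical risk groups: members get their risk multiplied so they bubble
# up the risk curve (the VIP use case described above).
RISK_GROUPS = {
    "vip": {"multiplier": 3.0, "members": {"ceo@example.com", "admin01"}},
    "contractors": {"multiplier": 1.5, "members": {"vendor-jdoe"}},
}
# Constructed allowlist stand-in (SecOpsGWL-style): alerts never fire for these.
ALLOWLIST = {"vuln-scanner-svc"}
RISK_THRESHOLD = 50.0

# Constructed risk events: entity, base score, and the detection behind it.
SAMPLE_RISK_EVENTS = [
    {"entity": "ceo@example.com", "score": 20, "detection": "impossible travel"},
    {"entity": "analyst07", "score": 20, "detection": "impossible travel"},
    {"entity": "analyst07", "score": 15, "detection": "new device"},
    {"entity": "vuln-scanner-svc", "score": 80, "detection": "internal port sweep"},
    {"entity": "vendor-jdoe", "score": 30, "detection": "off-hours login"},
]


def multiplier(entity, groups=RISK_GROUPS):
    """Largest multiplier of any group the entity belongs to, else 1.0."""
    return max((g["multiplier"] for g in groups.values()
                if entity in g["members"]), default=1.0)


def entity_risk(events, groups=RISK_GROUPS):
    """Aggregate risk per entity, applying the group multiplier to each event."""
    totals = {}
    for ev in events:
        weighted = ev["score"] * multiplier(ev["entity"], groups)
        totals[ev["entity"]] = totals.get(ev["entity"], 0.0) + weighted
    return totals


def risk_alerts(events, threshold=RISK_THRESHOLD, allowlist=ALLOWLIST,
                groups=RISK_GROUPS):
    """Risk-based alerting: entities at or above threshold, allowlist applied last."""
    return sorted(entity for entity, risk in entity_risk(events, groups).items()
                  if risk >= threshold and entity not in allowlist)


class NotableEntities:
    """The notable entity list: park an entity to come back to later."""

    def __init__(self):
        self._items = {}

    def add(self, entity, note=""):
        self._items[entity] = note

    def remove(self, entity):
        self._items.pop(entity, None)

    def entities(self):
        return sorted(self._items)


if __name__ == "__main__":
    print("risk:", entity_risk(SAMPLE_RISK_EVENTS))
    print("alerts:", risk_alerts(SAMPLE_RISK_EVENTS))
    notable = NotableEntities()
    notable.add("analyst07", "odd travel pattern, watch but no case yet")
    print("notable:", notable.entities())
```

With the constructed data the CEO's two-point-zero "impossible travel" event scores 60 after the VIP multiplier and crosses the threshold alone, the analyst with two unweighted events stays at 35 and is a candidate for the notable list rather than an alert, and the scanner service account scores 80 but is suppressed by the allowlist.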

Related products: Behavior Analytics

Devo Platform release 8.5.0

Devo Platform release 8.5.0 contains improvements to Lookups, Flow, and continued engine improvements in preparation for more feature releases.

Deployment Information
Release scheduled for 11 AM CET
Duration: 2 hours
Customer Impact: None

Release by Geo
Region    Status
GovCloud  Released
CA        Released
US        Released
EU        Released
APAC      Released

Table of Contents
New Features
- Persistent Error Feedback for LookUps
- Improved performance and responsiveness of Home Page
- Flow Smart Editor
- Flow New Unit: GameOver
Vulnerabilities fixed

New Features

Persistent Error Feedback for LookUps
Lookups showing a Creating/Deleting/Updating status whose associated operation has failed will display an error status icon (bluebell). When you click on it, a dialog window with the corresponding error is displayed. If several errors occurred during the operation, only the last one is displayed.

Improved performance and responsiveness of Home Page
A new, robust backend cache system has been implemented to retrieve and enhance home page widget data usage. The cache is refreshed either manually (with the browser refresh button) or automatically (every hour).

Flow Smart Editor
A smart editor is integrated for query fields, with syntax highlighting and auto-completion for the LINQ language.

Flow New Unit: GameOver
This new unit allows a context to stop/delete itself when its task is done. The new module is available in the PROC group. Its components are:
Ports:
- Stop: when an event is received on this port, the context where the unit is used will be stopped.
- Delete: when an event is received on this port, the context where the unit is used will be deleted.

Vulnerabilities fixed:
- CVE-2023-2976
- CVE-2023-34462
- CVE-2023-3635
- GHSA-58qw-p7qm-5rvh
- CVE-2023-20863

Related products: Devo Platform