See what's new in our product; check the updates below.

The latest release of the Devo Platform is here! Release 8.14.22 brings enhancements to Lookup Management, the Role Management Credentials tab, and Landing Page preferences. Starting with Lookup Management, we have enhanced the interface to include a new "History" column that reflects the state of the API setting "keepHistory". Along with this change, we have updated the available types. We have also cleaned up Role Management permissions and improved column consistency in the Credentials tab. Next up is the Landing Page: you can select your preferred landing page from the newly alphabetized drop-down! Learn more below!

Geo Availability

  Region   Status
  CA       Released
  US       Released
  US3      Released
  EU       Released
  APAC     Released

New Features

Lookup Management page alignment with API

Two changes to the Lookup Management page bring all of its features into alignment with what is available through the Lookup Management API.

New History column

This is a Boolean value reflecting the API parameter keepHistory, which allows you to store all historic data, enabling historic search.

New Type names

To align with this change, the Type field names have been updated.

  Old Type                 New Type         History Column Value
  Dynamic query            Periodic query   No (False)
  Historic dynamic query   Periodic query   Yes (True)
  Static query             Static query     No (False)
  Historic static query    Static query     Yes (True)
  Upload CSV data                           No (False)

Updated Features

Role Management -> Security -> Permission unification

The Role Management permission for API Key has been renamed to API Credentials. It controls the user's ability to view, create and delete API keys, as well as the use of the Credentials API.

Credentials Token tab consistency change

In different base languages the Token tab had different names. For consistency, this tab is now called "Token" in all languages.

Added Credentials API to Token creation

You can now set the Type of a token to the new type "Credentials API". These tokens do not require permissions on tables.

Landing Page preference sort order

You can now choose your landing page from an alphabetically sorted list!

Bug Fixes

- Role Mapping no longer allows group names to start with white space.
- A user deactivated in all domains cannot log in with SAML.

The latest release of the Devo Platform is here! Release 8.14.21 brings a powerful new tool set with the Token Management API. With this new API, you can manage, create and edit account credential tokens directly through API calls. This lets you manage access to your environment with API calls, allowing automation and bulk actions to accelerate your reaction time. It is a great new tool, particularly for our MSSP and partner clients managing their customer environments. To learn more about which APIs are available, visit this page in our Documentation. Read on to learn more about the Token Management API!

Geo Availability

  Region   Status
  CA       Released
  US       Released
  US3      Released
  EU       Released
  APAC     Released

New Feature

Token Management API

This new set of API calls allows you to manage account credential tokens completely and in bulk! The Token Management API can be used to:

- Create tokens
- Retrieve tokens
- Rename tokens
- Enable / disable tokens
- Delete tokens

This new API is a great tool, particularly for our MSSP clients and partners! Learn more in our Documentation. (Documentation in progress.)

Devo ThreatLink, an integral part of Case Management, automates alert triage, reducing the analyst workload from thousands of alerts to tens of daily cases. This streamlined process allows security teams to focus on the most critical incidents, significantly improving efficiency and reducing alert fatigue. Release 1.4 brings with it new playbooks, updated error handling, and updates to the case template and audit logging. If you want to learn more about ThreatLink, view this article. The benefits of ThreatLink need to be seen; if you would like a demonstration, speak with your Devo representative!

New Features and Updates

New Playbook available

Introducing the "Close Linked SIEM Alerts on Case Closure" playbook. This playbook runs every [customer defined] minutes to "close" alerts in the SIEM once a case is closed.

Requirements:

- ThreatLink 1.4 or greater
- Updated case setting template

Upgrade for Fetch Alerts

Fetch Alerts now uses the FetchAlertsV2 integration.

Updates to ThreatLink Case Template fields

We've added a new field called "siem_alerts_closed". This field needs to be added to the System tab in the case template. We have also added a new field called "resolution_notes". This needs to be added to the Workflow section in the case template.

Updated SOAR Audit Logging

We've updated SOAR Audit Logging to version 1.7. The main changes in this update are:

- Added comments to the output
- Added the case title to the output

Updated ThreatLink Dashboard: Past 7 Days

The Past 7 Days dashboard has been upgraded to v1.1.0.

The latest release of the Devo Platform is here! Release 8.14.19 brings a collection of API and Alert improvements. Starting with new functionality, you can now manage your Anti-Flooding policy through API calls with the new Anti-Flooding API. Next, we have added new entity attributes through a new column where available. We also added a new filter corresponding to the entity attributes and a new source table column to help you identify the source tables without needing to dive deeper into the alert. Along with a collection of bug fixes and visual improvements, this release is sure to enhance your Alert workflow! Read on to view the details!

Geo Availability

  Region   Status
  CA       Released
  US       Released
  US3      Released
  EU       Released
  APAC     Released

New Features

Anti-Flooding API

Users can now create and manage anti-flooding policies through API calls.

Entity Attributes

Added a new column and filter to view and search the entity attributes associated with alerts. Note that not all alerts will have entity attributes; it depends on the table the alert was created from and the query used.

New filter added for entity attributes

New filter criteria were added to find specific alerts based on their entity attributes. This filter appears in Simple Search as well as Advanced Search.

New source table column

Users can now see which table an alert was triggered from directly in the triggered alerts table, without needing to navigate to the alert details, query or view definition.

Improvements

Update to Alert Priority statuses

Updated colors and names to improve clarity. See the full release notes in our documentation.

Devo Exchange is happy to announce the availability of a new Activeboard called Threat Hunting by DNS. The Activeboard allows you to identify and investigate potential threats by analyzing patterns in DNS (Domain Name System) queries and responses. It not only aids in uncovering advanced threats but also provides actionable insights to improve your organization's overall security posture. Great use cases for this new Activeboard include Traffic Optimization in IT Operations; in Security, you can use it for Anomaly Detection and Risk Assessment! Learn more below!

Threat Hunting by DNS

Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Required data sources: network.dns

Security Multidomain lookups: UmbrellaTop1M, mispIndicator, CollectiveDefense, DynamicDNS

Use Cases

IT Operations

- Traffic Optimization: Monitor DNS traffic trends to identify and optimize traffic flow within the network.
- Resource Utilization: Track top queried domains and geolocation data to ensure efficient resource allocation and load balancing.
- Troubleshooting: Diagnose issues such as DNS misconfigurations, service outages, or latency problems.

Security Operations

- Anomaly Detection: Identify unusual behaviors such as DNS tunneling or dynamic domain usage that could indicate malicious activity.
- Threat Intelligence Correlation: Detect known malicious domains and integrate them with external threat feeds for proactive defense.
- Risk Assessment: Generate risk scores based on DNS query characteristics, such as domain length, entropy, and patterns.
- Incident Response: Use investigation tools and DNS data correlations to facilitate faster and more accurate incident investigations.

Learn more in our Docs.

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers

itam.netwrix
  Documentation in progress

Updated Parsers

cloud.aws
  Link to Documentation
  Change log: Support for JSON in cloud.aws.vpc.flow

box.win_nxlog
  Link to Documentation
  Change log: Added parser for box.win_nxlog.ntlm

mail.postfix
  Link to Documentation
  Change log: Added new fields

ftp.crushftp
  Link to Documentation
  Change log: Added new fields for ftp.crushftp.event

firewall.paloalto
  Link to Documentation
  Change log: Added a new field to firewall.paloalto.*

edr.crowdstrike
  Link to Documentation
  Change log: Added new fields for edr.crowdstrike.cannon

endpoint.symantec
  Link to Documentation
  Change log: Added new parser for endpoint.symantec.sepm.system

cef0.infoblox
  Link to Documentation
  Change log: Added new fields for cef0.infoblox.dataConnector

ips.all.alerts
  Link to Documentation
  Change log: Added a new field

endpoint.bitdefender
  Link to Documentation
  Change log: Modified fields for endpoint.bitdefender.agent.edr_alert

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collector

Tencent Cloud v1.0.0
  Link to Documentation

Updated Collectors

VMWare Carbon Black v1.5.0
  Link to Documentation
  Change log
  Improvements:
  - Refactored collector to the latest DCSDK 1.13.1.
  - Refactored code for the livequery, alerts and audit services in accordance with template1.
  - Eliminated the use of while loops in the pull logic.
  - Added unit tests for the livequery, alerts and audit services.
  Bugs:
  - Fixed the 400 API error received when the collector invoked the Carbon Black live query API.

ServiceNow v1.6.0
  Link to Documentation
  Change log
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Removed vulnerabilities in libexpat1, expat.

Cortex XDR v2.0.3
  Link to Documentation
  Change log
  Improvements:
  - Refactored the puller logic to enhance code readability and optimize performance.
  - Introduced a new base puller to centralize shared functionality.
  - Expanded unit tests with additional scenarios to improve coverage and reliability.
  - Added validation for start_time, ensuring it is not set to a future date, preventing configuration errors.
  Bugs:
  - Fixed an issue where puller variables were not reset after encountering an error, which caused the collector to freeze and stop gathering data.

Trend Micro Vision One v1.3.0
  Link to Documentation
  Change log
  New features:
  - New endpoints for risk insights: discovered_device, vulnerable_device, account_compromise_indicator, risk_event_definition, device_risk_profile, user_risk_profile

CyberArk EPM v1.2.0
  Link to Documentation
  Change log
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability, quality and performance.
  Bug fixing:
  - Fixed the service names in the example params.

Devo Exchange is happy to announce the availability of a new Activeboard called Alert Triage Metrics. The Activeboard provides an overview of security alerts, focusing on detection, response, and resolution performance. It includes metrics on alert actions, severity, accuracy, and insights into adversarial techniques mapped to the MITRE ATT&CK framework. This new Activeboard is the first in a series of new metric visualizations coming in the new year. Be sure to check it out and let us know what you think, what you would like to see next and any improvements you can think of! Happy Holidays and Happy New Year to all!

Alert Triage Metrics

Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Let us know what you think!

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers

ndr.darktrace
  Documentation in progress
  Change log: Support for Darktrace NDR

box.cisco
  Documentation in progress
  Change log: Support for Cisco UCS Manager

box.all.unix
  Documentation in progress
  Change log: New union table to gather together any event coming from a Linux system, no matter how it is gathered.

Updated Parsers

firewall.fortinet
  Link to Documentation
  Change log: New table firewall.fortinet.utm.waf

proxy.zscaler
  Link to Documentation
  Change log: Added new field cdfqdn to table proxy.zscaler.zia.firewall

network.meraki
  Link to Documentation
  Change log: Added more log types to network.meraki.events

crm.salesforce
  Link to Documentation
  Change log: New tables added (JSON format); DCDM partially implemented

ddi.infoblox
  Link to Documentation
  Change log: Added new table ddi.infoblox.nios.lease_events

vpn.soft_ether
  Link to Documentation
  Change log: Added support for more events, including more fields in the parser

endpoint.symantec
  Link to Documentation
  Change log: New table endpoint.symantec.sepm.system

firewall.watchguard
  Link to Documentation
  Change log: New table firewall.watchguard.event

firewall.paloalto
  Link to Documentation
  Change log: Added JSON support to the parsers

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Updated Collectors

Menlo Security v1.2.0
  Documentation in progress.
  Improvements:
  - Refactored collector to the latest DCSDK 1.13.1.
  - Increased the quality of the collector by adding more unit tests.
  Bugs:
  - Fixed an issue related to missing logs for the audit and smtp services.

Microsoft Defender Cloud Apps v1.4.0
  Link to Documentation
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Several improvements on stability.
  Bugs:
  - Fixed an issue related to the files service not working.

Sendmarc v1.0.1
  Link to Documentation
  Bugs:
  - Input error due to missing inputs in example params.

Cyberark Identity v1.2.0
  Link to Documentation
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Increased the quality of the collector by adding more unit tests.
  Bugs:
  - Fixed the user config and schemas to allow overrides.

Trend Micro Deep Security v1.4.0
  Documentation in progress
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Increased the quality of the collector by adding more unit tests.
  - Several improvements on stability.

Cortex XDR v2.0.2
  Link to Documentation
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Increased the quality of the collector by adding more unit tests.
  Bugs:
  - Fixed the behavior when stopping the collector.

Cohesity v1.2.0
  Link to Documentation
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Several improvements on stability.

Lark v1.3.0
  Link to Documentation
  New features:
  - Added two new services: Aud Admin logs, DLP Executive logs
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Several improvements on stability.

Trend Micro Vision One v1.3.0
  Link to Documentation
  Improvements:
  - Updated SDK to the latest version, 1.13.1.
  - Several improvements on stability.
  Bug fixing:
  - Added parameter fetch_gap_seconds to better control the delay on the source.

Tenable IO v2.0.0
  Link to Documentation
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability, quality and performance.
  Bug fixing:
  - Fixed issues related to memory usage causing the collector to stop.

Darktrace v1.1.0
  Link to Documentation
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability, quality and performance.

Gsuite Workspace Alerts v1.9.0
  Link to Documentation
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability and performance.
  - Increased the quality of the collector by adding more unit tests.
  Bug fixing:
  - Fixed the ingestion stoppage issue.
  - Fixed the user config.

Duo v2.1.0
  Link to Documentation
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability, quality and performance.
  Security:
  - Removed some vulnerabilities.

Spycloud v1.2.0
  Link to Documentation
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability, quality and performance.
  Security:
  - Removed some vulnerabilities.

MS Graph v2.1.0
  Link to Documentation
  Improvements:
  - Refactored, updating SDK to the latest version, 1.13.1.
  - Several improvements on stability, quality and performance.
  Security:
  - Removed some vulnerabilities.

The latest release of the Devo Platform is here! Release 8.14.12 brings with it a key improvement to Activeboards. We have created a diagnostic tool that informs you when your Activeboard performance can be optimized! As you launch your Activeboards, you will notice a new bell icon presented inline with each widget. If it has notifications pending, it has detected ways for you to optimize that widget and get the best performance from your Activeboard! Currently, this new tool has diagnostic outputs for 4 suggestions, with more coming in the next updates! Review your Activeboards and optimize like a pro! Learn more below!

Geo Availability

  Region     Status
  GovCloud   Released
  CA         Released
  US         Released
  US3        Released
  EU         Released
  APAC       Released

New Feature

Automatic Optimization Suggestions per widget

Activeboards do the heavy lifting in visualizing data, and sometimes it's not easy to understand what can be done to tune your widgets so they perform optimally. This release adds self-diagnostics that output suggestions to an inline notification bell per widget. This first release comes with the following rules:

- Unused Columns
- Unnecessary Time Grouping
- Duplicate Columns
- Add Aggregation Task (used to be the rocket icon, now part of this system)

More rules will be added in the coming releases.

The latest release of the Devo Platform is here! Release 8.14.11 focuses on Alert improvements and bug fixes. A small but impactful quality-of-life improvement: all your alert dates in Extra Data, Summary, and Description are now in your local time zone. We have added the ability to launch alert details in a new tab for a faster workflow. The recently launched Alert Streaming mode also got improvements in the form of inherited column visibility settings, highlighting of incoming alerts and visibility improvements. We've also squashed a selection of bugs listed in the article. Check it out below!

Geo Availability

  Region     Status
  GovCloud   Released
  CA         Released
  US         Released
  EU         Released
  APAC       Released

Enhancements

Dates in local time

Dates in Extra Data, Summary, and Description are now displayed in your time zone instead of in UTC.

Open in new tab

Launch Alert Details in a new tab or continue viewing them on the same page; now you have the option that best suits your workflow. Right-click on the alert ID to see these new options.

Streaming Mode improvements

- Column visibility settings are now inherited by the streaming mode view.
- Incoming alerts are now highlighted in a different color when added to the list to improve readability.
- Improved visibility of the Pause popup.

Bug Fixes

- Fixed permissions for the new post-filter button.
- Fixed decoding errors due to incorrectly formatted characters in Extra Data.
- Fixed display of large Summary and Description texts.
- Improved readability of cells with long text.
- Improved DevoSource retry attempts and sleep mode handling.

The Devo Exchange team is happy to introduce a release filled with features and content! Release 2.2 adds a new content type: Queries! This new content category is launching with 130 queries in 5 categories. We have also updated the content submission tool to accept queries. Synthetic Data, an amazing tool for testing your defenses, has received a great new feature: Runtime settings! You can now set the Synthetic Data injection to run for a variable length of up to 30 days. Along with more great improvements, the team also delivered a huge collection of new content. Learn more below!

Geo Availability

  Region     Status
  GovCloud   Released
  CA         Released
  US         Released
  US3        Released
  EU         Released
  APAC       Released

New Features

New Content Type: Queries

We have gathered around 130 queries and organized them into 5 categories for use as part of training and collaboration. You will find these query packs in their own category under All Content:

- Math Built-in Operations
- Event Day Built-in Operations
- Geolocation Built-in Operations
- Collector Ingestion Monitoring
- Active Directory Threat Detection

Each of these category packs contains a collection of LINQ queries for use in learning, or to help you understand and build new queries.

Updated Content Proposal Tool

You can now share your queries using the Content Proposal Tool. Not only will sharing demonstrate your mastery of LINQ, but you will help others discover, innovate and share new creations. As with all submissions, it will go through a full evaluation before becoming available on Devo Exchange.

Synthetic Data Runtime Settings

Two major additions and improvements. First, we added a dialog that allows you to set the duration of the Synthetic Data injection, up to a maximum of 30 days.

Improvements

Copy Alert button in Alert Packs

With this new copy button, you can test alerts before installing them!

Improved Newest sort

Sorting by Newest now excludes updated content, focusing only on the newest released content.

New content available

10 Activeboards have been upgraded with multitenancy support

You can now use the following Activeboards in multitenancy environments to get detailed insight into your managed environments:

- Ingest Volume
- Collector Monitoring
- DataSource Monitoring
- Active Directory
- Relay Monitoring
- Firewall Monitoring
- Web Activity Monitoring
- Windows System Audit
- AWS Account Activity
- DataSources Insight

New Activeboards

Cloud Gsuite Reports
  Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Ingestion Volume
  Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Zscaler Zia Proxy
  Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

New Alert Packs

Three new alert packs are available:

VCS Github Audit
  Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Ping Identity MFA
  Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Remote System Discovery
  Direct Exchange links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

New Synthetic Data and Use Cases

The Synthetic Data Pack

We have also added a content pack of injections so you can quickly test a new client's environment with a full breadth of synthetic data. With a single button, you can have your environment come alive with the following synthetic data:

- VPN Cisco ASA Injection
- AWS Cloudtrail S3 Injection
- VPN Pulse Secure Injection
- CDN Akamai Cloudmonitor Injection
- Palo Alto Traffic Injection
- Windows Snare Injection
- Injection for Windows Activity AB
- Unix Events Injection
- Auth Okta Systems Injection

New Synthetic Data and Use Cases

- Okta Authentication Use case v1.0.0
- Firewall Juniper SSG Injection v1.0.0
- Auth Okta System Injection v1.0.0
- Box Unix Events Injection v1.0.0
- SentinelOne Av Events Injection v1.0.0
- Auth DUO Authentication Injection v1.0.0
- VPN Cisco ASA AnyConnect Injection v1.0.0
- Cloud Gsuite Reports v1.0.0
- Windows Snare Injection v1.0.0
- VPN Pulse Secure Injection v1.0.0
- CDN Akamai CloudMonitor Injection v1.0.0
- Juniper SSG traffic Injection v1.0.0

The Devo Relay is a critical feature of Devo that receives inbound events from your data sources and then sends them to your Devo instance with all the tagging and processing rules that make Devo work as fast as it does. This release collects updates to the Devo Relay from version 2.9.2 to 2.13.3. The main feature added allows you to manage data ingestion across child domains in your multitenancy environment. Additionally, this release contains a host of improvements, including new environment data, support for additional language characters, improvements to the stats measurer, and more! Learn more below!

New Features

Domain Impersonation for Multitenancy (v2.11.0)

This new feature allows you to manage data ingestion across multiple domains within your multitenant structure using a single certificate. Learn more in our Documentation.

Improvements

- The menu in the Devo Relay CLI includes the variables to select the new US3 environment, so you no longer need to input it manually. (v2.10.0)
- New environment data (v2.10.0):
  - Devo ELB: collector-us3.devo.io:443
  - Query API: https://api-us3.devo.com/search
  - Relay API: https://api-us3.devo.com/maduro
- Added an internal filter for relay troubleshooting. (v2.11.0)
- Improved support for Chinese / Japanese characters. (v2.12.0)
- Improvements to the stats measurer. (v2.12.0)
- The output TLS connection now requires TLS 1.3. (v2.13.3)

Fixes

- Fixes a previous behavior of the Devo Relay where several critical OS services were not accounted for before booting. This could cause a condition where the relay service tried to start before the essential OS services were up and running. (v2.9.2)

Vulnerability Fixes

v2.9.2
- logback-classic (CVE-2023-6378)
- logback-core (CVE-2023-6378, CVE-2023-6481)
- libcrypto3 & libssl3 (CVE-2023-5363)

v2.10.0
- commons-compress (CVE-2024-26308 & CVE-2024-25710)
- spring-core (CVE-2024-22233)
- amazon-corretto:openssl (CVE-2024-0727 & CVE-2023-6129)

For the release notes of every version of the Devo Relay, see the Documentation.

Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.8 brings a variety of improvements to the Login and Homepage. We have improved the Login experience by removing the domain list limits entirely! You can now view the full list of all the domains you have access to, with search and pagination capabilities. With this new feature, we have also added a new visual mark for Root domains so you can find them more easily. Following your feedback, we have made some improvements to the new Homepage, including the option to permanently hide the top banner. Learn more below!

Geo Availability

  Region   Status
  CA       Released
  US       Released
  EU       Released
  APAC     Released

New Features

Limitless domain switching

You can now view the full list of domains you have access to, and switch to any of them, without domain list limitations. The feature comes complete with a full count of available domains and pagination controls to quickly navigate across the full breadth of your available domains.

Easily identify Root domains

With so many domains to choose from, it's important to choose the right one! Now you can easily pick out the root domains with this new label.

Improvements

Usability improvements to the new Home Page

We have made some changes to the Homepage based on customer feedback. Improvements by the numbers:

- The Welcome title has been moved to make more screen space available.
- Button styles changed to blend in better.
- You can now close the top banner group for this session, or use the check mark to close it permanently.
- The shortcut to Usage Analytics has been cleaned up for a cleaner look.

Bug Fixes

- Fixed a problem with the Usage Analytics footer appearing for users without access to the tool.
- Fixed a problem with visibility permissions for the top banner in Home.

See the full release notes in our Documentation.

We're thrilled to announce the latest updates and additions to our alerting system with Release 32. This release improves the functionality and accuracy of several firewall and threat detection alerts. A key improvement is the addition of sourceIP and hostname fields, which give responders more context for faster incident triage and response.

Updated alerts include FWIpScanInternal, FWPortScanExternalSource, FWSMBTrafficOutbound, and advanced threat detection rules such as REvilKaseyaWebShellsUploadConn and HAFNIUMWebShellsTargetingExchangeServers. These changes improve detection of network scans, unauthorized SMB traffic, external RDP access, and specific threats such as REvil and HAFNIUM.

To access the updated detections, open the Security Operations app inside Devo and navigate to the Content Manager, where you can search for a detection by name and manage your alerts. To update or install alerts, visit Devo Exchange.

Table of Contents: Alerts Updated; Firewall Alerts; Proxy Alerts; Public Facing Application Exploit Alert; External Remote Services Alert.

Alerts Updated

Firewall Alerts
The following alerts are available in the Firewall Alert Pack (US, US3, CA, EU and APAC Exchange):
- FWIpScanInternal
- FWIrcTrafficExternalDestination
- FWPortScanInternalSource
- FWPortSweepInternalSource
- FWExternalSMBTrafficDetectedFirewall
- FWPortScanExternalSource
- FWRDPExternalAccess
- FWSMBTrafficOutbound
- FwTftpOutboundTraffic

Proxy Alerts
The following alerts are available in the Proxy Alert Pack (US, US3, CA, EU and APAC Exchange):
- REvilKaseyaWebShellsUploadConn
- REvilKaseyaWebShells

Public Facing Application Exploit Alert
This alert is available in the Exploit Public-Facing Application Alert Pack (US, US3, CA, EU and APAC Exchange):
- HAFNIUMHttpPostTargetingExchangeServers

External Remote Services Alert
This alert is available in the Exploit Public-Facing Application Alert Pack (US, US3, CA, EU and APAC Exchange):
- HAFNIUMWebShellsTargetingExchangeServers
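To make concrete what the firewall alerts above look for, and why sourceIP and hostname matter at triage time, here is an added example (not Devo's alert content and not part of the release notes) that runs toy versions of a port scan, a port sweep, an outbound SMB rule and an external RDP rule over constructed key=value firewall log lines. The field names, the thresholds, the 5-minute window and the use of RFC 1918 ranges as "internal" are assumptions; every alert it emits carries the source IP and the reporting firewall's hostname so an analyst can pivot immediately.

```python
"""Added example, not Devo's alert content: toy firewall detections
(port scan, port sweep, outbound SMB, external RDP) over constructed
key=value log lines. Field names, thresholds, the window and the
RFC 1918 notion of "internal" are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_SCAN_THRESHOLD = 10   # distinct destination ports, one source -> one destination
PORT_SWEEP_THRESHOLD = 10  # distinct destination hosts, one source -> one port
WINDOW = timedelta(minutes=5)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse(line):
    # constructed "ts=... host=... src=... dst=... dport=..." format
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["dport"] = int(fields["dport"])
    return fields


def _prune(entries, now):
    # keep only observations inside the sliding window
    return [x for x in entries if now - x[0] <= WINDOW]


def detect(lines):
    """Return alerts in firing order; each carries sourceIP and hostname context."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    scan, sweep, fired, alerts = defaultdict(list), defaultdict(list), set(), []
    for e in events:
        src, dst, dport, now = e["src"], e["dst"], e["dport"], e["ts"]
        ctx = {"sourceIP": src, "hostname": e.get("host", ""), "dst": dst, "dport": dport}
        # stateless rules: internal -> external SMB, external -> internal RDP
        if dport == 445 and is_internal(src) and not is_internal(dst):
            alerts.append({"alert": "FWSMBTrafficOutbound", **ctx})
        if dport == 3389 and not is_internal(src) and is_internal(dst):
            alerts.append({"alert": "FWRDPExternalAccess", **ctx})
        # windowed rule: many ports on one host = port scan (fires once per pair)
        key = (src, dst)
        scan[key] = _prune(scan[key], now) + [(now, dport)]
        if len({p for _, p in scan[key]}) >= PORT_SCAN_THRESHOLD and ("scan", key) not in fired:
            fired.add(("scan", key))
            name = "FWPortScanInternalSource" if is_internal(src) else "FWPortScanExternalSource"
            alerts.append({"alert": name, **ctx})
        # windowed rule: one port on many hosts = port sweep (internal source only)
        key = (src, dport)
        sweep[key] = _prune(sweep[key], now) + [(now, dst)]
        if (is_internal(src) and len({d for _, d in sweep[key]}) >= PORT_SWEEP_THRESHOLD
                and ("sweep", key) not in fired):
            fired.add(("sweep", key))
            alerts.append({"alert": "FWPortSweepInternalSource", **ctx})
    return alerts


def constructed_logs():
    """Constructed sample: one internal scanner, one outbound SMB flow, one external RDP attempt."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(12):   # 12 ports on one host within seconds -> port scan
        lines.append(f"ts={(t0 + timedelta(seconds=i)).isoformat()} host=fw-edge-1 "
                     f"src=10.0.0.5 dst=10.0.0.20 dport={20 + i}")
    for i in range(12):   # port 22 on 12 hosts -> port sweep
        lines.append(f"ts={(t0 + timedelta(seconds=30 + i)).isoformat()} host=fw-edge-1 "
                     f"src=10.0.0.5 dst=10.0.0.{100 + i} dport=22")
    lines.append(f"ts={(t0 + timedelta(minutes=1)).isoformat()} host=fw-edge-1 "
                 f"src=10.0.0.8 dst=198.51.100.9 dport=445")
    lines.append(f"ts={(t0 + timedelta(minutes=2)).isoformat()} host=fw-edge-1 "
                 f"src=203.0.113.7 dst=10.0.0.20 dport=3389")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_logs()):
        print(a)
```

The scan and sweep rules are deliberately separate keys: a scanner that walks ports on one host and a scanner that walks hosts on one port produce disjoint aggregates, so one noisy host cannot mask the other pattern. The "fired" set suppresses repeat alerts for the same pair inside the window, which is the same flood-control idea the alert engine applies with anti-flooding.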
The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into separate columns and display them in the corresponding tables. This method bypasses data indexing entirely and is one reason for Devo's search speeds. Every data source is unique, so we maintain a large catalog of existing parsers, and our teams review parser performance, build new parsers and update existing ones on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Updated Parsers (each links to its Documentation page)
- cloud.azure
- firewall.watchguard
- ftp.crushftp
- mail.mimecast
- firewall.all.traffic
- vcs.github
- cloud.office365
- cef0.netsckope
- cef0.fortinet
- db.oracle
- firewall.all.ips
- box.unix
- firewall.cisco
- ids.suricata
- cloud.office365.management
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some Documentation pages may not be available at the time of posting; they will be added as soon as they are ready. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
- Dynatrace v1.0.0 (Link to Documentation)
- Sendmarc v1.0.0 (Documentation in progress)
- Absolute 1.0.0 (Documentation in progress)

Updated Collectors (each links to its Documentation page)
- AWS SQS v1.7.0
- Lark v1.2.0
- Proofpoint POD v1.2.2
- Trend Micro Vision One v1.2.2
- Cyberark EPM v1.1.0
- Citrix Cloud v1.2.0
- Workday v1.3.0
- Office 365 Exchange Message Tracing v3.2.2
- Tenable v1.6.0
- Trellix DLP v1.1.0
- Crowdstrike API Resources v1.11.0
- Azure EH v2.4.0
- Mimecast v2.2.1
- Proofpoint TAP v3.1.1
Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.4 brings a variety of improvements to Data Search. A new Search button has been added to streamline Data Search workflows: you can launch new searches directly from a search results page without going back to the finder, which speeds up threat hunting considerably. We have also improved error handling with a persistent error icon you can refer back to, which, when possible, lets you reload the data from the error details. Read on to learn more about these features, improvements, and bug fixes!

Geo Availability: GovCloud Pending; CA Released; US Released; EU Released; APAC Released.

Table of Contents: New Features (Search Button in Data Search; New Error Handling menu in Data Search); Bug Fixes.

New Features

Search Button in Data Search
You can now run a new search from within an existing search results window without going to the finders area. The new Search button is located on the right-hand side and launches a new search window. The query is validated continuously as you type, and the Run button is enabled only when the query is valid. Learn more in our Documentation.

New Error Handling menu in Data Search
When a search produces an error, a new error icon appears in the toolbar and persists there for reference. Clicking the icon reveals the error details and, when possible, offers a Reload data button. Learn more in our Documentation.

Bug Fixes
- Data Search: fixed an occasional error in which the query editor shrank so much that the user had to expand it again.
- Data Search: a cloned query lost its refinements. After cloning a query (when the user was in incognito mode), the newly created query was not identical to the original.
- Data Search: the transformation of the old lookup syntax with a literal did not preserve quotes. Some users found that the suggested query using the new lookup syntax did not work because of a minor bug translating a string type.
- Data Search: z-index issue for the date picker. The date picker was sometimes overlaid by a floating window; it now stays on top of other elements inside Data Search. A few scenarios still need attention, but the problem is much reduced.
Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.3 brings a variety of improvements to Alerts. I'm excited to announce streaming mode for Alerts: once you turn it on, you no longer have to refresh the triggered Alerts list manually, and you can work with triggered Alerts in real time. Auditing becomes easier with a new post-filter auditing table. We have also added Column Visibility to the Triggered Alerts table, which lets you show, hide and reorder columns to build a customized view. Read on to learn more about these features, improvements, and bug fixes!

Geo Availability: GovCloud Pending; CA Released; US Released; EU Released; APAC Released.

Table of Contents: New Features in Alerts (Streaming Mode for Alerts; New Post-Filter Auditing; New Custom Column Visibility); In Activeboards (Improved Error Messages); Improvements; Bug Fixes.

New Features

In Alerts

Streaming Mode for Alerts
Turn on Streaming mode in Alerts to see triggered alerts in real time without having to click "Load new" manually.

New Post-Filter Auditing
Track the creation and deletion of post-filters in the new table devo.audit.alert.definition.

New Custom Column Visibility
This new feature in the Triggered Alerts table lets users show, hide and reorder columns for a customized view.

In Activeboards

Improved Error Messages
Error handling has been changed to improve the messages displayed, giving users a clearer description of the problem and pointing them toward a potential solution.

Improvements
- Triggered alerts tables now use the new UI, so you need to double-click to edit the status and priority cells.

Bug Fixes
- Fixed a bug that did not allow you to open the Alert details if the Alert definition had been deleted.
- Fixed an anti-flooding bug.
- Fixed Jira and ServiceNow notifications.
We're thrilled to announce the latest updates and additions to our alerting system with Release 31. This release introduces a significant enhancement to our alerting system. First, alert templates were updated to ensure more accurate and comprehensive notifications. Second, we developed a Ransomware MOVEit Vulnerability alert pack to detect and respond to potential exploitation attempts, covering the key attack vectors related to this threat.

To access the updated detections, open the Security Operations app inside Devo and navigate to the Content Manager, where you can search for a detection by name and manage your alerts. To update or install alerts and alert packs, visit Devo Exchange.

Table of Contents: New Alert Pack: Ransomware MOVEit; Updated Alerts available in the Ransomware MOVEit Vulnerability Alert Pack; Additionally updated Alerts (AzureUserLoginSuspiciousRisk; LinuxMaxSessionsPerUser; TLDFromDomainNotInMozillaTLD; WinAdminRemoteLogon).

New Alert Pack: Ransomware MOVEit
To help detect and mitigate the threat posed by CL0P, we are offering a comprehensive set of alerts designed to identify key indicators of compromise (IOCs) and suspicious activities linked to this ransomware. These alerts detect behaviors such as unusual file modifications, exfiltration attempts, and known malicious binaries, giving security teams the ability to respond rapidly to potential incidents.

Devo Exchange links by domain: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange.

Updated Alerts available in the Ransomware MOVEit Vulnerability Alert Pack:
MoveitPotentialNetworkActivityExploitationPotentialThreatConnectionRansomBehaviourRansomBehaviorShadowCopyDeletionAndResizingMoveitWindowsEvtxFileCreationSuspiciousCmdExecDirChangeUserReconnStopWindowsServiceViaNetDomainReconnADEnumerationAndTrustMappingPhishingEmailRansomDistributionCampaignVolumeShadowCopyDeletionHighVolumeFileDeletionBcdModificationRecoveryAndBootFailureSuppressionMoveitCmdlineFileCreationMoveitDynamicCompilationViaCscExeMoveitFilePotentialActivityTransferExploitation

Additionally updated Alerts
- AzureUserLoginSuspiciousRisk: available in the Azure Alert Pack and the Valid Accounts Alert Pack
- LinuxMaxSessionsPerUser: available in the Linux Log-Based Threat Detection Suite Alert Pack and the Valid Accounts Alert Pack
- TLDFromDomainNotInMozillaTLD: available in the Dynamic Resolution Alert Pack
- WinAdminRemoteLogon: available in the Windows Log Threat Detection Suite Alert Pack and the Valid Accounts Alert Pack

Find them directly on Devo Exchange!
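The alert pack above names the endpoint behaviours that precede an encryption run (shadow copy deletion, BCD recovery suppression, stopping services via net.exe) alongside the MOVEit-specific chain in which the IIS worker process compiles a dropped web shell with csc.exe. The following is an added example, not Devo's alert logic and not from the release notes, that implements toy versions of those rules over constructed Sysmon-style process-creation events and then clusters the precursor hits per host; the field names, the command-line patterns, the w3wp.exe to csc.exe parent/child check and the composite "RansomPrecursorCluster" idea are all assumptions made for illustration.

```python
"""Added example, not Devo's alert logic: toy endpoint detections of the kind
named in the Ransomware MOVEit alert pack, run over constructed
process-creation events. Field names, regexes and the composite rule are
assumptions."""
import re
from collections import defaultdict

# (alert name, parent-image pattern, image pattern, command-line pattern); None = not checked
RULES = [
    ("VolumeShadowCopyDeletion", None, None,
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("BcdModificationRecoveryAndBootFailureSuppression", None, None,
     re.compile(r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("StopWindowsServiceViaNet", None, None,
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I)),
    ("MoveitDynamicCompilationViaCscExe",
     re.compile(r"\\w3wp\.exe$", re.I), re.compile(r"\\csc\.exe$", re.I), None),
]
# rules that, clustered on one host, look like pre-encryption staging (assumption)
PRECURSORS = {"VolumeShadowCopyDeletion", "BcdModificationRecoveryAndBootFailureSuppression",
              "StopWindowsServiceViaNet"}


def match(event):
    """Return one alert dict per rule the event satisfies, with host/user context."""
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        if parent_re and not parent_re.search(event["parent_image"]):
            continue
        if image_re and not image_re.search(event["image"]):
            continue
        if cmd_re and not cmd_re.search(event["cmdline"]):
            continue
        hits.append({"alert": name, "host": event["host"], "user": event["user"],
                     "cmdline": event["cmdline"]})
    return hits


def detect(events):
    return [hit for e in events for hit in match(e)]


def correlate(alerts, minimum=2):
    """Hypothetical composite: hosts on which at least `minimum` distinct precursor rules fired."""
    per_host = defaultdict(set)
    for a in alerts:
        if a["alert"] in PRECURSORS:
            per_host[a["host"]].add(a["alert"])
    return sorted(h for h, names in per_host.items() if len(names) >= minimum)


# constructed Sysmon-style process-creation events (not real telemetry)
CONSTRUCTED_EVENTS = [
    {"host": "moveit-01", "user": "IIS APPPOOL\\moveitdmz",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\tmp.cmdline"},
    {"host": "fs-01", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs-01", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "fs-01", "user": "CORP\\svc-backup",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    # benign: a developer build and a read-only vssadmin query must not fire
    {"host": "ws-07", "user": "CORP\\dev1",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /target:library app.cs"},
    {"host": "ws-07", "user": "CORP\\dev1",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    found = detect(CONSTRUCTED_EVENTS)
    for a in found:
        print(a["host"], a["alert"])
    print("precursor clusters:", correlate(found))
```

The csc.exe rule keys on the parent process rather than the command line on purpose: compiling C# is normal on a developer workstation, but an IIS worker process spawning the compiler is not, which is why the developer build above is left alone. The per-host clustering is where the individual low-fidelity precursor alerts become actionable.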
Hello everyone, the latest release of the Devo Platform is now live! Release 8.14.0 brings a new Home Page redesign that makes it more lightweight and relevant to all our users! Jump directly into useful resources with the new top-row cards. Return to your tasks faster with quick-launch windows containing all your recent and favorite searches and Activeboards. Or start querying your data with the query window integrated in the center of the page! A new Ingestion and Licensing tab in Usage Analytics, plus login and table improvements, round out the release. Read on to learn more!

Geo Availability: CA Released; US Released; EU Released; APAC Released.

Table of Contents: New Features (Homepage Redesign; Quick Action Cards; Query and Recent Alerts; Recent Searches and My Favorites; Set your HomePage in preferences; New Permissions available for HomePage; New Ingestion and Licensing metrics in Usage Analytics; Authentication Improvements; Synthesis and Injection table alignment); Bug Fixes.

New Features

Homepage Redesign
We have redesigned the homepage to make it more lightweight, relevant and useful to all our customers. Main benefits:
- Jump to useful resources and features directly from the Homepage.
- View relevant information focused on your most recent activity and favorite assets.
- Run queries directly from the homepage.
Widgets that used to be on the home page have been moved to a new tab in Usage Analytics called Ingestion & Licensing.

Quick Action Cards
These are launch points to additional resources. They can be closed individually or hidden from view, and restored if a card was closed by mistake.

Query and Recent Alerts
This section provides a quick view of your latest alerts and lets you start querying your data without leaving the homepage. The keyboard shortcut to run your query is Ctrl+Enter on PC and Command+Enter on macOS.

Recent Searches and My Favorites
Get back to a previous search quickly, or jump to your saved searches and Activeboards directly from the home page!

Set your HomePage in preferences
You can also set your homepage in your preferences.

New Permissions available for HomePage
The following permissions now control the visibility and use of the Homepage widgets:

Permission | Element
Finders (view) AND Domain search history (view) | "My search history (last 24h)" widget; "My favorite searches" widget
Triggered alerts (view) OR Alert configuration (view) | "Last 5 unread alerts" widget
Data upload (manage) | "Upload your data" card
Activeboards (view) | "My favorite Activeboards" widget
Finders (view) AND Free text queries (manage) | "New query" section
Preferences (manage) | "Go to 'User preferences'" shortcut
Usage Analytics (view) | "Go to Usage Analytics" shortcut
Home area (view) | Entire Home section

New Ingestion and Licensing metrics in Usage Analytics
Some widgets from the old homepage have been moved to the new Ingestion and Licensing tab in Usage Analytics and enhanced. This tab gives you a detailed view of:
- Daily license usage summary
- Live ingestion stats
- Number of events
- Ingestion volume
- Ingestion by technology
- Total daily volume
All measurements now use decimal units (GB, TB, etc.) to align with licensing terminology. Learn more about Usage Analytics in our Docs.

Authentication Improvements
Web access can now be accomplished through SAML2 using a URL that does not contain the "@" character.

Synthesis and Injection table alignment
The "_" character is now allowed in tag names for new injections and new synthesis tables. We have also updated the error messages:
- For Unions: The table name must contain at least one alphanumeric character and must not contain spaces or special characters (underscores are allowed).
- For Injections: The target table must contain at least one alphanumeric character and must not contain spaces or special characters (underscores are allowed).

Bug Fixes
- Removed session identifiers from User Action Logs in the devo.internal.audit.logs tables.
The Devo team has released the latest version of Devo SOAR! This release includes a new admin feature to manage built-in integration connections and an assortment of bug fixes. SOAR Automation is a key feature of Devo Intelligent SIEM, allowing you to automate a large number of daily tasks and giving you back essential time to perform key investigations and hunts. First time with Devo SOAR? We have tutorials on the community to help you get started, as well as the rich Devo SOAR Documentation portal. Devo SOAR also has a guided playbook builder to interactively create a no-code automation!

Geo Availability: CA Released; US Released; EU Released; APAC Released.

Table of Contents: Enhancement (Edit built-in Connections as Admin); Bug Fixes.

Enhancement

Edit built-in Connections as Admin
Added support for administrators to upgrade and edit built-in integration connections.

Bug Fixes
- Fixed the Regex_replace operator deleting characters.
- Fixed the error message shown when an integration connection is not shared in a playbook.
Hello everyone, the latest release of the MITRE ATT&CK Adviser is now live! The MITRE ATT&CK Adviser is a key tool for understanding your alert coverage and managing your security posture, and everyone has access to it through Devo Exchange. Release 1.10.0 adds a few new features and user interaction improvements, starting with the new Technique Card filter, which filters the available alerts for that card in the Alerts section. We have also enhanced the Log Source filter so that it additionally filters the alerts within the chosen techniques, showing only alerts related to the selected log source. Read on to learn more!

Geo Availability: GovCloud Released; CA Released; US Released; EU Released; APAC Released.

Table of Contents: New Features (Technique Card Alert Filter; Log source filter now affects both alerts and techniques); Improvements (Alert Filter Improvements).

New Features

Technique Card Alert Filter
Clicking a Technique card automatically filters the available alerts for that technique in the Alert window, speeding up alert management and improving the MITRE ATT&CK Adviser workflow.

Log source filter now affects both alerts and techniques
The MITRE ATT&CK Adviser now filters the alerts within the techniques for the selected log sources and calculates total coverage more accurately.

Improvements

Alert Filter Improvements
Migrating the MITRE tables to the new system brings new filter options for the Alerts window. You can now filter by:
- Contains
- Does not contain
- Equals to
- Does not equal to
- Begins with
- Ends with
- Blank
- Not blank
Learn more on Devo Docs!
Hello everyone, the latest release of the Devo Platform is now live: Release 8.13.0! This update delivers on customer-requested features with a bang. Starting with Data Search, we have delivered lookup syntax convergence: you can now use the same lookup syntax in Data Search AND in the API. We have also added a new Lookup Wizard and delivered IP/CIDR matching support in lookups. In Alerts, this release delivers multiple post-filtering improvements, including a new date picker that takes your time zone into account, and the parameter action type has been added to the post-filter list of actions. We have also added audit logs for Delco API requests, and more! Read on to find out!

Geo Availability: GovCloud Pending; CA Released; US Released; EU Released; APAC Released.

Table of Contents: New Features: Data Search (Lookup syntax convergence; Lookup wizard now available; IP/CIDR matching is fully supported in Lookups); Alerts (Postfilter Improvements; Audit Logs for Delco API requests; Alert definitions now accept the regular syntax for lookup operations); Flow (Allow data injection in other domains with DevoSink); Bug Fixes (Data Search; Alerts).

New Features

Data Search

Lookup syntax convergence
Lookups no longer require different syntax in Data Search and in the API: this release brings the API lookup syntax in line with the Data Search syntax. The old syntax is deprecated but can still be used.

Lookup wizard now available
This new functionality helps you use and configure your lookup operations: configure the category and the available operations. The wizard works with regular lookups as well as shared lookups, and contains a lookup listing that displays the key name and key type. The wizard also includes comprehensive help dialogs.

IP/CIDR matching is fully supported in Lookups
Available now for newly created lookups. Lookups created from the UI using a CSV can be edited so that they are recreated and make use of this new feature.

Alerts

Postfilter Improvements
- New date picker that uses the user's time zone.
- Added the parameter action type to the post-filter list of actions.

Audit Logs for Delco API requests
Users can now monitor audit logs of policy requests made via the Delco API in the secops.audit.api table.

Alert definitions now accept the regular syntax for lookup operations
Users can now use the regular syntax for lookup operations when creating or editing any alert query in the UI or through the Alerts API.

Flow

Allow data injection in other domains with DevoSink
Users can now inject data into another domain with Devo Sink inside the Flow editor, using the API key of that external domain. The API keys can be found under Administration -> Credentials -> Access keys in the domain you want to send the data to. Since that key grants write access to the destination domain, handle it as you would any other domain credential.

Bug Fixes

Data Search
- Fixed edge cases where there was an issue opening a table from the finder.
- Fixed the grouping modal going missing when grouping by columns is selected.
- Fixed a column heading that stayed floating indefinitely.
- Fixed opening a query with a group by that uses an alias.
- Fixed an issue with column headers when new columns are added.
- Fixed table header visualization caused by hidden columns.
- Fixed a display issue with the detail column panel.

Alerts
- Fixed post-filter validation with special characters.
- Fixed the view of the full post-filter condition for alerts with an existing post-filter.
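The IP/CIDR matching feature above is easiest to understand by seeing what a CIDR-keyed lookup has to do that a plain key-equality lookup cannot. The following is an added example, not Devo's lookup implementation and not part of the release notes: it loads a constructed CSV whose key column mixes networks and single addresses, resolves an event's source IP by longest-prefix match so that an overlapping, more specific row wins, and shows for contrast that an exact string match only ever hits the single-address row. The CSV content, the column names (key, zone, owner) and the event field srcIp are assumptions.

```python
"""Added example, not Devo's lookup implementation: applying an IP/CIDR-keyed
lookup to events with longest-prefix matching. CSV content, column names and
event fields are constructed."""
import csv
import io
import ipaddress

# constructed lookup: the key column holds either a network or a single address
LOOKUP_CSV = """key,zone,owner
10.0.0.0/8,corporate,netops
10.10.0.0/16,corp-dmz,appsec
10.10.5.25,jump-host,secops
192.0.2.0/24,partner-vpn,vendor-mgmt
"""


def load_lookup(text):
    """Parse the CSV into (network, attributes) pairs, most specific prefix first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["key"], strict=False)   # a bare address becomes a /32 or /128
        rows.append((net, {k: v for k, v in row.items() if k != "key"}))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)     # so the first hit is the longest prefix
    return rows


def lookup(ip, table):
    """Return the attributes of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, attrs in table:
        if addr.version == net.version and addr in net:
            return attrs
    return None


def lookup_exact(ip, text):
    """For contrast: a plain string-key match, which can only hit the single-address row."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["key"] == ip:
            return {k: v for k, v in row.items() if k != "key"}
    return None


def enrich(events, table):
    """Attach zone/owner to each event from its srcIp; 'unknown' when nothing matches."""
    out = []
    for e in events:
        hit = lookup(e["srcIp"], table) or {}
        out.append({**e, "zone": hit.get("zone", "unknown"), "owner": hit.get("owner", "unknown")})
    return out


def constructed_events():
    # constructed sample events: one per interesting case (exact host, nested net, parent net, other net, no match)
    return [{"srcIp": ip, "action": "login"}
            for ip in ("10.10.5.25", "10.10.7.1", "10.200.1.1", "192.0.2.9", "203.0.113.1")]


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for e in enrich(constructed_events(), table):
        print(e)
```

The linear scan over a prefix-sorted list is fine for a few hundred rows; for large tables the same longest-prefix semantics is normally served by a radix (Patricia) tree, and the version check matters because an IPv6 address must never be tested against an IPv4 network. Note also that a host row such as 10.10.5.25 silently takes precedence over the /16 and /8 that contain it, which is the behaviour you want for a jump host but can surprise anyone maintaining the CSV by hand.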