The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we maintain a large catalog of existing parsers. Our teams review parser performance, build new parsers and update existing parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!
Updated Parsers
cloud.office365
- Added
  - Added parsing support for a few new fields:
    - cloud.office365.management.securitycompliancecenter
entity.behavior
- Added
  - Added parsing of nested context fields:
    - entity.behavior.signals.filtered
ips.all
- Added
  - Added the cef0.checkPoint.smartdefense table to the ips.all.alerts union:
    - ips.all.alerts
    - cef0.checkPoint.smartdefense
firewall.all
- Added
  - Added the cef0.checkPoint.smartdefense table to the firewall.all.ips union:
    - firewall.all.ips
    - cef0.checkPoint.smartdefense
cspm.crowdstrike
- Added
  - Added parsing of new fields in cspm.crowdstrike.cloudsec.container_compliance:
    - cspm.crowdstrike.cloudsec.container_compliance
iam.cyberark
- Added
  - Added parsing support for additional fields in the iam.cyberark.identity.event table:
    - iam.cyberark.identity.event
epm.ninjaone
- Added
  - Added new tables:
    - epm.ninjaone.endpoint.activity
    - epm.ninjaone.endpoint.av_threat
    - epm.ninjaone.endpoint.alert
    - epm.ninjaone.endpoint.software
    - epm.ninjaone.endpoint.inventory
my.app
- Added
  - Added parsing support for all nested fields of the payload:
    - my.app.equifax.snowflake.customsql
    - my.app.equifax_dev.snowflake.customsql
    - my.app.agenticsoc.falconstreaming.vulnerabilities
    - my.app.agenticsoc.falcon_spotlight.vulnerabilities
    - my.app.equifax.box.unix
firewall.fortinet
- Added
  - Added new tables:
    - firewall.fortinet.fortiedr.audit
    - firewall.fortinet.fortiedr.event
    - firewall.fortinet.fortiedr.product
crm.salesforce
- Added
  - Added a new table:
    - crm.salesforce.permissionupdate
threatintel.group_ib
- Added
  - Added a new table:
    - threatintel.group_ib.drp.violation
directory.redhat
- Added
  - Added a new table:
    - directory.redhat.ansible_controller.event
cloud.azure
- Added
  - Added support for parsing new fields in the cloud.azure.vm.subassessment table:
    - cloud.azure.vm.subassessment
  - Added new tables:
    - cloud.azure.appconfiguration.activity
    - cloud.azure.databricks.activity
    - cloud.azure.cognitiveservices.activity
edr.crowdstrike
- Added
  - Added support to parse new fields:
    - edr.crowdstrike.falcon_spotlight.vulnerabilities
ftp.crushftp
- Improvements
  - Fixed parsing support for ACCEPT and MDTM logs in the ftp.crushftp.event table:
    - ftp.crushftp.event
endpoint.symantec
- Added
  - Added new parsers:
    - endpoint.symantec.ses_event_stream
    - endpoint.symantec.ses_event_stream.scan
    - endpoint.symantec.ses_event_stream.host_compliance_scan
    - endpoint.symantec.ses_event_stream.network_detection
    - endpoint.symantec.ses_event_stream.peripheral_device_detection
    - endpoint.symantec.ses_event_stream.host_process_detection
    - endpoint.symantec.ses_event_stream.registry_key_detection
edr.microsoft_defender
- Improvements
  - Fixed a LastEventTime parsing issue in edr.microsoft_defender.endpoint.alerts to support a different time format:
    - edr.microsoft_defender.endpoint.alerts
box.vmware
- Added
  - Added new tables:
    - box.vmware.vcenter_events
    - box.vmware.vcenter
firewall.all.traffic
- Added
  - New parser created:
    - firewall.all.traffic
mdm.kandji
- Added
  - Parsed a new field:
    - mdm.kandji.audit.event
monitor.dynatrace
- Added
  - Parsed a new field:
    - monitor.dynatrace.api.grail_query
firewall.all
- Added
  - Added new fields:
    - firewall.all.vpn.traffic
cdn.akamai
- Added
  - Added new fields:
    - cdn.akamai.siem
