The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags in different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

Updated Parsers

firewall.barracuda

  • Improvements
    • Added a new field
    • Updated the parser logic to extract destination_host from raw logs where it appears after the destination_port field:
      • firewall.barracuda.threat

iam.imprivata

  • Improvements
    • Reassessed and updated the iam.imprivata.events parser to handle additional event types:
      • iam.imprivata.events

oem.gitlab

  • Added
    • Added new fields:
      • oem.gitlab.railslog

box.win_nxlog

  • Fixed
    • Fixed an issue causing some fields to return null:
      • box.win_nxlog.dns

cloud.aws

  • Improvements
    • Updated a field type:
      • cloud.aws.guardduty.findings

edr.cybereason

  • Improvements
    • Updated the table to parse JSON:
      • edr.cybereason

edr.crowdstrike

  • Fixed
    • Fixed a field that was not being parsed:
      • edr.crowdstrike.falconstreaming.detection_summary

bps.markmonitor

  • Improvements
    • Updated bps.markmonitor.domain_management.domain parser to be compatible with new logs:
      • bps.markmonitor.domain_management.domain

network.hp

  • Improvements
    • Added 15 new 4th level tables
    • Made the 3rd level network.hp.switch parser able to process certain logs:
      • network.hp.switch.activate
      • network.hp.switch.event_802_1x
      • network.hp.switch.dhcp_snoop
      • network.hp.switch.captive_portal
      • network.hp.switch.crypto
      • network.hp.switch.idm
      • network.hp.switch.ntp
      • network.hp.switch.oobm
      • network.hp.switch.snmp
      • network.hp.switch.ssl
      • network.hp.switch.stacking
      • network.hp.switch.srcip
      • network.hp.switch.intfd
      • network.hp.switch.lldpd
      • network.hp.switch.portAccessd

firewall.watchguard

  • Improvements
    • Added support for DHCPACK events:
      • firewall.watchguard.event

adn.f5

  • Fixed
    • Fixed parser to support logs for certain event IDs:
      • adn.f5.bigip.apm

firewall.all

  • Improvements
    • Added firewall.barracuda.audit table to firewall.all.traffic and firewall.all.webfilter
    • Added firewall.barracuda.threat table to firewall.all.ips and firewall.all.virus:
      • firewall.all.traffic
      • firewall.all.webfilter
      • firewall.all.ips
      • firewall.all.virus

auth.ping

  • Improvements
    • Updated parsing logic to parse new fields:
      • auth.ping.federate.security_audit

firewall.checkpoint

  • Improvements
    • Updated parsing logic to include a new field, criticality:
      • firewall.checkpoint.log_exporter

Created Parsers

auth.okta

  • Created
    • Created new parser auth.okta.devices

iam.openldap

  • Created
    • New table added:
      • iam.openldap.slapd

box.win_nxlog

  • Created
    • Added new tables:
      • box.win_nxlog.devicesetupmanager
      • box.win_nxlog.taskscheduler
      • box.win_nxlog.wmiactivity

mail.preveil

  • Created
    • New table added:
      • mail.preveil.siemconnector.event

storage.hpe

  • Created
    • Added new table for storage.hpe.msa.events:
      • storage.hpe.msa.events