The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's fast search speeds. Every data source is unique, so we maintain a large catalog of existing parsers. Our teams review parser performance, build new parsers and update existing parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!
Updated Parsers
firewall.barracuda
- Improvements
  - Added a new field: updated the parser logic to extract destination_host from raw logs where it appears after the destination_port field.
  - Affected table:
    - firewall.barracuda.threat
iam.imprivata
- Improvements
  - Reassessed and updated the iam.imprivata.events parser to handle additional event types:
    - iam.imprivata.events
oem.gitlab
- Added
  - Added new fields:
    - oem.gitlab.railslog
box.win_nxlog
- Fixed
  - Fixed an issue causing some fields to return null:
    - box.win_nxlog.dns
cloud.aws
- Improvements
  - Updated a field type:
    - cloud.aws.guardduty.findings
edr.cybereason
- Improvements
  - Updated the table to parse JSON:
    - edr.cybereason
edr.crowdstrike
- Fixed
  - Fixed a field that was not parsing:
    - edr.crowdstrike.falconstreaming.detection_summary
bps.markmonitor
- Improvements
  - Updated the bps.markmonitor.domain_management.domain parser to be compatible with new logs:
    - bps.markmonitor.domain_management.domain
network.hp
- Improvements
  - Added 15 new 4th-level tables.
  - Made the 3rd-level network.hp.switch parser compatible with certain logs so that they are processed:
    - network.hp.switch.activate
    - network.hp.switch.event_802_1x
    - network.hp.switch.dhcp_snoop
    - network.hp.switch.captive_portal
    - network.hp.switch.crypto
    - network.hp.switch.idm
    - network.hp.switch.ntp
    - network.hp.switch.oobm
    - network.hp.switch.snmp
    - network.hp.switch.ssl
    - network.hp.switch.stacking
    - network.hp.switch.srcip
    - network.hp.switch.intfd
    - network.hp.switch.lldpd
    - network.hp.switch.portAccessd
firewall.watchguard
- Improvements
  - Added support for DHCPACK events:
    - firewall.watchguard.event
adn.f5
- Fixed
  - Fixed the parser to support logs for certain event IDs:
    - adn.f5.bigip.apm
firewall.all
- Improvements
  - Added the firewall.barracuda.audit table to firewall.all.traffic and firewall.all.webfilter.
  - Added the firewall.barracuda.threat table to firewall.all.ips and firewall.all.virus.
  - Affected tables:
    - firewall.all.traffic
    - firewall.all.webfilter
    - firewall.all.ips
    - firewall.all.virus
auth.ping
- Improvements
  - Updated parsing logic to parse new fields:
    - auth.ping.federate.security_audit
firewall.checkpoint
- Improvements
  - Updated parsing logic to include a new field, criticality:
    - firewall.checkpoint.log_exporter
Created Parsers
auth.okta
- Created
  - Created a new parser:
    - auth.okta.devices
iam.openldap
- Created
  - New table added:
    - iam.openldap.slapd
box.win_nxlog
- Created
  - Added new tables:
    - box.win_nxlog.devicesetupmanager
    - box.win_nxlog.taskscheduler
    - box.win_nxlog.wmiactivity
mail.preveil
- Created
  - New table added:
    - mail.preveil.siemconnector.event
storage.hpe
- Created
  - Added a new table:
    - storage.hpe.msa.events