Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.0 brings the new Scheduled Tasks functionality, a new complex type operation for Data Search, and a collection of UI and performance improvements. Scheduled Tasks let you set up the periodic execution of a query at the time, date, and frequency of your choosing. Admins have the feature enabled by default and can grant access to other users through roles and permissions. The new complex type operation is the tuple, which works like an array except that it does not convert its contents to a single common type. Lastly, this update contains UI improvements and performance enhancements that you are going to love!
Availability
Region | Status |
---|---|
CA | Released |
US | Released |
EU | Released |
APAC | Released |
New Features
Scheduled Tasks
The first release of Scheduled Tasks is now available for all Devo users! This new feature lets you schedule the periodic execution of a query, with the query results automatically sent to defined email addresses as CSV files.
This feature is enabled by default for Admin users, who can then grant it to users of their choosing through the appropriate roles and permissions. You will find the permissions under Admin → Resources → Scheduled Tasks.
Scheduled Tasks can be created with the following intervals:
- Daily - at a specific time of day
- Weekly - on specified days of the week, at a specific time of day
- Monthly - on specified days of the month, at a specific time of day
- Yearly - on specified months of the year, on specified days of each month, at a specific time of day
You can also set the query execution time period with two possible choices:
- Predefined Range (“Yesterday”, “Last 7 days”...)
- Custom Range period (“From”, “To”) using the Query API date syntax
Get all the details of Scheduled Tasks in our Documentation
Data Search: New Complex Type operation added
The “tuple” complex type operation is now available for use! A tuple is an ordered collection of elements of any type (repeated or not). The difference between an array and a tuple is that in an array all the elements are internally converted to the same type, while in a tuple they are not (each tuple element retains its own type).
Operation | Meaning | Syntax |
---|---|---|
mktuple or () | Creates a tuple from elements | mktuple(ele_1, …, ele_n) or (ele_1, …, ele_n) |
at or [] | Returns the n-th element in a tuple | at(tuple, n) or tuple[n] |
at0 | Returns the first element in a tuple | at0(tuple) |
at1 | Returns the second element in a tuple | at1(tuple) |
atend | Returns the last element in a tuple | atend(tuple) |
add (+) | Concatenates two tuples | add(tuple_1, tuple_2) or tuple_1 + tuple_2 |
Additionally, you can use this complex type of operation in Alerts and Lookups as well.
Here is a great example of this new complex type in use:
```
from siem.logtrust.web.activity
//create a tuple with multiple types
select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
select (username, srcPort, ip4(srcHost), true) as tuple2
//some ways to select the first item from a tuple
select tuple[0] as first_item_from_tuple
select at(tuple, 0) as first_item_from_tuple2
select at0(tuple) as first_item_from_tuple3
//retrieve the last item from a tuple
select atend(tuple) as last_item_from_tuple
//concatenate two tuples
select tuple + tuple2 as tuple_concatenation
//it is possible to filter each item by its underlying data type
where tuple[0] -> "@"
where tuple[1] not in (ip4(95.63.39.51))
where atend(tuple) is true
```
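The point of the tuple is that the type of each element survives, so a filter on element 1 compares a typed ip4 value with a typed ip4 value. The following Python model is an added example, not Devo code: it imitates the array-coercion versus tuple semantics described above over a handful of constructed records and reproduces the three filters from the query. The `RECORDS` values, the `mkarray` helper and the choice of string as the array's common type are assumptions made for the illustration.

```python
import ipaddress
from typing import Any, List, Tuple

# Constructed sample records, modelled on the siem.logtrust.web.activity
# fields used in the query above (username, srcHost, srcPort). Hypothetical values.
RECORDS = [
    {"username": "alice@example.com", "srcHost": "10.0.0.5", "srcPort": 443},
    {"username": "svc-backup", "srcHost": "95.63.39.51", "srcPort": 8443},
    {"username": "bob@example.com", "srcHost": "95.63.39.51", "srcPort": 80},
    {"username": "carol@example.com", "srcHost": "192.0.2.10", "srcPort": 22},
]


def ip4(value: str) -> ipaddress.IPv4Address:
    """Model of ip4(): turn a string field into a typed IPv4 value."""
    return ipaddress.IPv4Address(value)


def mkarray(*elements: Any) -> List[str]:
    """Model of an array: every element is coerced to one common type (string here, an assumption)."""
    return [str(e) for e in elements]


def mktuple(*elements: Any) -> Tuple[Any, ...]:
    """Model of mktuple(): each element keeps its own type."""
    return tuple(elements)


def at(t: Tuple[Any, ...], n: int) -> Any:
    """Model of at(tuple, n) / tuple[n]."""
    return t[n]


def at0(t: Tuple[Any, ...]) -> Any:
    return t[0]


def at1(t: Tuple[Any, ...]) -> Any:
    return t[1]


def atend(t: Tuple[Any, ...]) -> Any:
    return t[-1]


def add(t1: Tuple[Any, ...], t2: Tuple[Any, ...]) -> Tuple[Any, ...]:
    """Model of add(tuple_1, tuple_2) / tuple_1 + tuple_2."""
    return t1 + t2


def filter_with_tuple(records: List[dict]) -> List[Tuple[Any, ...]]:
    """The three filters from the query above, evaluated over tuples:
    element 0 contains '@', element 1 (a typed ip4) is not the blocked host,
    and the last element is true."""
    blocked = {ip4("95.63.39.51")}
    hits = []
    for r in records:
        t = mktuple(r["username"], ip4(r["srcHost"]), True)
        if "@" in at0(t) and at1(t) not in blocked and atend(t) is True:
            hits.append(t)
    return hits


def filter_with_array(records: List[dict]) -> List[List[str]]:
    """The same filters over arrays: the ip4 value was coerced to a string, so the
    comparison against the typed blocked set never matches and the blocked host
    silently passes the filter."""
    blocked = {ip4("95.63.39.51")}
    hits = []
    for r in records:
        a = mkarray(r["username"], ip4(r["srcHost"]), True)
        if "@" in a[0] and a[1] not in blocked and a[-1] == "True":
            hits.append(a)
    return hits


if __name__ == "__main__":
    print("tuple filter :", [t[0] for t in filter_with_tuple(RECORDS)])
    print("array filter :", [a[0] for a in filter_with_array(RECORDS)])
```

Running it shows the tuple filter excluding the record from 95.63.39.51 while the array filter lets it through, which is exactly the class of detection gap that keeping element types avoids.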
Lookups with CIDR as key: first release
As part of a multi-step release for this functionality, Lookups now recognize 3 new key types:
- ipv6
- net4
- net6
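Keying a lookup by network rather than by individual address is what lets an enrichment step tag a source host with the range it belongs to. The following Python model is an added example, not Devo code: it builds a small lookup table keyed by net4 and net6 values and resolves addresses against it. The table contents are constructed, and longest-prefix matching is an assumption made here; the release note does not describe the platform's matching rules.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Constructed lookup table keyed by network, in the spirit of the new net4/net6
# key types. Ranges and labels are hypothetical.
CIDR_TABLE: Dict[str, str] = {
    "10.0.0.0/8": "corp-internal",
    "10.20.0.0/16": "corp-vpn-pool",
    "192.0.2.0/24": "partner-range",
    "2001:db8::/32": "lab-ipv6",
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CidrLookup:
    """Map an address to the label of the most specific network containing it.
    Longest-prefix matching is an assumption of this model."""

    def __init__(self, table: Dict[str, str]) -> None:
        # Most specific prefixes first, so the first containing network wins.
        self.entries: List[Tuple[Network, str]] = sorted(
            ((ipaddress.ip_network(cidr), label) for cidr, label in table.items()),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net, label in self.entries:
            if addr.version == net.version and addr in net:
                return label
        return None


def enrich(src_hosts: List[str], lookup: CidrLookup) -> List[Tuple[str, str]]:
    """Tag each source host; anything outside every known range is 'unmatched'."""
    return [(host, lookup.lookup(host) or "unmatched") for host in src_hosts]


if __name__ == "__main__":
    table = CidrLookup(CIDR_TABLE)
    for host, label in enrich(["10.20.1.7", "192.0.2.10", "2001:db8::1", "203.0.113.5"], table):
        print(f"{host:<16} {label}")
```

The "unmatched" label is deliberate: in a detection pipeline, an address that falls outside every known range is usually the one worth looking at, so the enrichment should never silently drop it.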
Nested Annotations for Alerts
You are now able to reply to existing annotations in Alerts, as well as edit and delete your own annotations.
View the detailed options in our Documentation
New Auditing Table for Alert Annotations
The devo.audit.alert.triggered table was added to audit actions concerning annotations.
View the details of the new table in our Documentation
New parameter limits for Rolling and Each Alerts with Subqueries
A restriction has been implemented for rolling-type alerts and each-type alerts with subqueries, to prevent excessively frequent queries over short periods of time. The ratio between the internal period and the external offset (frequency) may not exceed 120. For example:
For Each Alerts with Subqueries:
- Valid ratio → external offset 1m, internal period 2h (=120m) → 120/1 → 120
- Valid ratio → external offset 2h, internal period 5d (=120h) → 120/2 → 60
- Invalid ratio → external offset 1m, internal period 3h (=180m) → 180/1 → 180
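If you maintain alert definitions outside the UI (for review, or before importing them), the ratio rule is easy to check up front. The following Python check is an added example, not Devo code: it parses the offset and period strings in the notation used by the examples above, computes the ratio, and flags definitions that the 120 limit would now reject. The alert names are constructed, and the 's' (seconds) unit is an assumption added alongside the m/h/d units the examples use.

```python
import re
from typing import Dict, List, Tuple

MAX_RATIO = 120  # ratio limit stated in the release note

# Unit letters follow the release-note examples (m = minutes, h = hours, d = days);
# 's' for seconds is an assumption added here.
_UNIT_SECONDS: Dict[str, int] = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Parse a duration such as '1m', '2h' or '5d' into seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def period_ratio(external_offset: str, internal_period: str) -> float:
    """Ratio of the subquery's internal period to the alert's external offset."""
    return parse_duration(internal_period) / parse_duration(external_offset)


def is_valid_ratio(external_offset: str, internal_period: str) -> bool:
    """True when the definition stays within the enforced limit."""
    return period_ratio(external_offset, internal_period) <= MAX_RATIO


def find_invalid(definitions: List[Tuple[str, str, str]]) -> List[Tuple[str, float]]:
    """Return (name, ratio) for every (name, external_offset, internal_period)
    definition that the platform would now reject."""
    return [
        (name, period_ratio(offset, period))
        for name, offset, period in definitions
        if not is_valid_ratio(offset, period)
    ]


# Constructed definitions reproducing the three examples in the release note.
SAMPLE_DEFINITIONS = [
    ("login-burst", "1m", "2h"),
    ("weekly-privilege-review", "2h", "5d"),
    ("too-frequent", "1m", "3h"),
]

if __name__ == "__main__":
    for name, ratio in find_invalid(SAMPLE_DEFINITIONS):
        print(f"{name}: ratio {ratio:g} exceeds {MAX_RATIO}")
```

Only the third sample definition is reported, matching the "Invalid ratio" example above.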
See the full description and examples for Each Alerts with Subqueries in our Documentation
See the full description and examples for Rolling Alerts with Subqueries in our Documentation
New information included in Alerts Details window
The Alerts details window in the triggered Alerts area now shows the timezone as well as the specific settings corresponding to the triggering method used when configured.
Additional Improvements
- Improved messaging in Data Search
- Adjusted spacing in Roles page UI
- Alerts Filter by Name enhanced with Multi-selection dropdown containing all available options.
- Adjusted text boxes and descriptions in Roles Mapping UI
- Redesigned filter results message when no results found in Roles Mapping UI
- Flow now accepts HTTP codes greater than 599
- Performance improvements