
Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.0 brings the new Scheduled Tasks functionality, a new complex type operation for Data Search, and a collection of UI and performance improvements. Scheduled Tasks let you schedule the periodic execution of a query of your choosing, at the time, date, and frequency you set. Admins will find this feature enabled for them and can grant access to other users through roles and permissions. The new complex type operation is the tuple, which works like an array except that it does not convert its contents to the same type. Lastly, this update contains UI improvements and performance enhancements that you are going to love!

 

Availability

Region Status
CA Released
US Released
EU Released
APAC Released

 


New Features

Scheduled Tasks

The first release of Scheduled Tasks is now available for all Devo users! This new feature allows you to schedule the periodic execution of a query, with the query results automatically sent to defined email addresses as CSV files.

This feature is enabled by default for Admin users and can be granted to other users of your choosing through the right roles and permissions. You will find the permissions under Admin → Resources → Scheduled Tasks.

Scheduled Tasks can be created with the following intervals:

  • Daily - at a specific time of day.
  • Weekly - on specified days of a week, at a specific time of day.
  • Monthly - on specified days of a month, at a specific time of day.
  • Yearly - on specified months of a year, on specified days of each month, at a specific time of day.

You can also set the query execution time period with two possible choices:

  • Predefined Range (“Yesterday”, “Last 7 days”...)
  • Custom Range period (“From”, “To”) using the Query API date syntax

Get all the details of Scheduled Tasks in our Documentation

 

Data Search: New Complex Type operation added

The “tuple” complex type operation is now available for use! A tuple is an ordered collection of elements of any type (repeated or not). The difference between an array and a tuple is that in an array all the elements are internally converted to the same type, while in a tuple they are not (each tuple element retains its own type).

Operation        Meaning                              Syntax
mktuple or ()    Creates a tuple from elements        mktuple(ele_1, …, ele_n)  or  (ele_1, …, ele_n)
at or []         Returns the n-th element in a tuple  at(tuple, n)  or  tuple[n]
at0              Returns the first element in a tuple at0(tuple)
at1              Returns the second element in a tuple at1(tuple)
atend            Returns the last element in a tuple  atend(tuple)
add or +         Concatenates two tuples              add(tuple_1, tuple_2)  or  tuple_1 + tuple_2

 

Additionally, you can use this complex type operation in Alerts and Lookups as well.

Here is a great example of this new complex type in use:

from siem.logtrust.web.activity
//create a tuple with multiple types
    select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
    select (username, srcPort, ip4(srcHost), true) as tuple2

//some ways to select the first item from a tuple
    select tuple[0] as first_item_from_tuple
    select at(tuple, 0) as first_item_from_tuple2
    select at0(tuple) as first_item_from_tuple3

//retrieve the last item from a tuple
    select atend(tuple) as last_item_from_tuple

//concatenate two tuples
    select tuple + tuple2 as tuple_concatenation

//it is possible to filter each item by its underlying data type
    where tuple[0] -> "@"
    where tuple[1] not in (ip4(95.63.39.51))
    where atend(tuple) is true

 

Lookups with CIDR as key: first release

As part of a multi-step release for this functionality, Lookups now recognize 3 new key types:

  • ipv6
  • net4
  • net6

Nested Annotations for Alerts

You are now able to reply to existing annotations in Alerts, as well as edit and delete your own annotations.

View the detailed options in our Documentation

 

New Auditing Table for Alert Annotations

The devo.audit.alert.triggered table has been added to audit actions concerning annotations.

 

View the details of the new table in our Documentation

 

New parameter limits for Rolling and Each Alerts with Subqueries

A restriction has been implemented for rolling-type alerts and each-type alerts with subqueries, to prevent excessively frequent queries over short periods of time. A maximum ratio of 120 is enforced between the internal period and the external offset (frequency). For example, for Each Alerts with Subqueries:

  • Valid ratio → external offset 1m, internal period 2h(=120m) → 120/1 → 120

  • Valid ratio → external offset 2h, internal period 5d(=120h) → 120/2 → 60

  • Invalid ratio → external offset 1m, internal period 3h(=180m) → 180/1 → 180
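A pre-save check for the ratio rule above, written here as an added example (not Devo's own code or API); it assumes durations are given with the m/h/d suffixes used in the examples and reproduces the three cases listed:

```python
import re

# Maximum period-to-offset ratio stated in the Devo 8.10.0 release notes
MAX_RATIO = 120

# Duration units in minutes; m/h/d are the suffixes used in the examples above
_UNITS = {"m": 1, "h": 60, "d": 24 * 60}


def parse_minutes(duration: str) -> int:
    """Convert a duration such as '1m', '2h' or '5d' to whole minutes."""
    match = re.fullmatch(r"\s*(\d+)\s*([mhd])\s*", duration)
    if not match:
        raise ValueError(f"unsupported duration: {duration!r}")
    value, unit = match.groups()
    return int(value) * _UNITS[unit]


def period_to_offset_ratio(external_offset: str, internal_period: str) -> float:
    """Ratio of the subquery's internal period to the alert's external offset."""
    offset = parse_minutes(external_offset)
    if offset <= 0:
        raise ValueError("external offset must be positive")
    return parse_minutes(internal_period) / offset


def is_valid_subquery_alert(external_offset: str, internal_period: str) -> bool:
    """True when the alert stays within the enforced maximum ratio."""
    return period_to_offset_ratio(external_offset, internal_period) <= MAX_RATIO


if __name__ == "__main__":
    # The three cases from the release notes: 120 valid, 60 valid, 180 invalid
    for offset, period in [("1m", "2h"), ("2h", "5d"), ("1m", "3h")]:
        ratio = period_to_offset_ratio(offset, period)
        verdict = "valid" if is_valid_subquery_alert(offset, period) else "invalid"
        print(f"offset {offset}, period {period}: ratio {ratio:g} -> {verdict}")
```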

See the full description and examples for Each Alerts with Subqueries in our Documentation

 

See the full description and examples for Rolling Alerts with Subqueries in our Documentation

 

New information included in Alerts Details window

The Alerts details window in the triggered Alerts area now shows the timezone, as well as the specific settings corresponding to the triggering method used, when configured.

 

Additional Improvements

  • Improved messaging in Data Search
  • Adjusted spacing in Roles page UI
  • Alerts Filter by Name enhanced with Multi-selection dropdown containing all available options.
  • Adjusted text boxes and descriptions in Roles Mapping UI
  • Redesigned filter results message when no results found in Roles Mapping UI
  • Flow now accepts HTTP codes greater than 599
  • Performance improvements
