
The latest release of the Devo Platform is here! Release 8.14.19 brings a collection of API and Alert improvements. It starts with new functionality that lets you manage your Anti-Flooding policy through API calls with the new Anti-Flooding API. Next, we have added new entity attributes through a new column where available, along with a new filter for the entity attributes and a new source table column to help you identify the source tables without needing to dive deeper into the alert. Together with a collection of bug fixes and visual improvements, this release is sure to enhance your Alert workflow! Read on to view the details.


Geo Availability

Region: Status
CA: Released
US: Released
US3: Released
EU: Released
APAC: Released


New features

Anti-Flooding API

Users can now create and manage anti-flooding policy through API calls.


Entity Attributes

Added a new column and filter to view and search the entity attributes associated with alerts. Note that not all alerts will have entity attributes depending on the table the alert was created from and the query used.


New filter added for entity attributes

New filter criteria were added to find specific alerts based on their entity attributes. This filter appears in Simple Search as well as Advanced Search.


New source table columns

Users can now see which table an alert was triggered from directly in the triggered alerts table, without needing to navigate to the alert details, query, or view definition.


Improvements

Update to Alert Priority statuses

Updated colors and names to improve clarity.


See the full release notes in our documentation.


Great addition of the source table columns to alerts. Will this information eventually be available in either the devo.audit.alert.triggered or siem.logtrust.alert.info also? This would be very helpful in some reports I've been working on.

Thanks!


@kfarmer Good request! It is under discussion at Devo.


This example may help.

If you create an alert that uses the manual method of creating entities:

from demo.ecommerce.data
// reduce number of alerts
where clientIpAddress = 53.83.86.111
// literal values stand in for fields you would normally select from the event
select
"alice@example.fishing" as entity_sourceAccount,
"alice@example.fishing" as entity_sourceEmail,
"Alice" as entity_sourceName,
"example.fishing" as entity_sourceDomain,
"bob@example.com" as entity_destinationAccount,
"bob@example.com" as entity_destinationEmail,
"Bob" as entity_destinationName,
"example.com" as entity_destinationDomain,
"vaultSolaris" as entity_sourceHostname,
"phishingWin95" as entity_destinationHostname,
"00-00-00-00-00-00" as entity_sourceMAC,
"FF-FF-FF-FF-FF-FF" as entity_destinationMAC,
ip4(1.1.1.1) as entity_sourceIP,
ip4(2.2.2.2) as entity_destinationIP,
ip4(3.3.3.3) as entity_machineIP,
"https://example.com/secrets" as entity_sourceUrl,
"http://example.onion/phish" as entity_destinationUrl,
"malware.exe" as entity_fileName

Then you can get the entities in siem.logtrust.alert.info:

from siem.logtrust.alert.info
// extraData holds the alert's selected fields as URL-encoded JSON
select jsonparse(urldecode(extraData)) as json,
str(jqeval(jqcompile(".entity_destinationDomain"), json)) as entity_destinationDomain,
str(jqeval(jqcompile(".entity_machineIP"), json)) as entity_machineIP,
str(jqeval(jqcompile(".entity_sourceName"), json)) as entity_sourceName,
str(jqeval(jqcompile(".entity_sourceDomain"), json)) as entity_sourceDomain,
str(jqeval(jqcompile(".entity_destinationAccount"), json)) as entity_destinationAccount,
str(jqeval(jqcompile(".eventdate"), json)) as eventdate1,
str(jqeval(jqcompile(".entity_destinationIP"), json)) as entity_destinationIP,
str(jqeval(jqcompile(".entity_sourceIP"), json)) as entity_sourceIP,
str(jqeval(jqcompile(".entity_destinationMAC"), json)) as entity_destinationMAC,
str(jqeval(jqcompile(".entity_destinationUrl"), json)) as entity_destinationUrl,
str(jqeval(jqcompile(".entity_sourceHostname"), json)) as entity_sourceHostname,
str(jqeval(jqcompile(".entity_sourceMAC"), json)) as entity_sourceMAC,
str(jqeval(jqcompile(".entity_sourceUrl"), json)) as entity_sourceUrl,
str(jqeval(jqcompile(".entity_fileName"), json)) as entity_fileName,
str(jqeval(jqcompile(".entity_sourceEmail"), json)) as entity_sourceEmail,
str(jqeval(jqcompile(".entity_destinationEmail"), json)) as entity_destinationEmail,
str(jqeval(jqcompile(".entity_destinationName"), json)) as entity_destinationName,
str(jqeval(jqcompile(".entity_sourceAccount"), json)) as entity_sourceAccount,
str(jqeval(jqcompile(".entity_destinationHostname"), json)) as entity_destinationHostname
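The same extraction done outside the query language, as an added example that is not part of the reply above or of Devo's own tooling: it decodes extraData the way jsonparse(urldecode(extraData)) does and, rather than naming each key, picks up every entity_* attribute, returning an empty set for alerts whose query produced none (as the release notes say not every alert carries entity attributes). The sample rows are constructed; the context names and the 2024 timestamps are assumptions.

```python
import json
from urllib.parse import unquote

# Constructed sample rows standing in for siem.logtrust.alert.info records.
# extraData carries the alert's selected fields as URL-encoded JSON; the
# second row is an alert whose query produced no entity_* fields.
SAMPLE_ROWS = [
    {
        "eventdate": "2024-05-01 10:15:00",  # assumed value
        "context": "my.alert.phishing_manual_entities",  # assumed name
        "extraData": (
            "%7B%22entity_sourceAccount%22%3A%22alice%40example.fishing%22%2C"
            "%22entity_sourceIP%22%3A%221.1.1.1%22%2C"
            "%22entity_destinationIP%22%3A%222.2.2.2%22%2C"
            "%22entity_fileName%22%3A%22malware.exe%22%2C"
            "%22clientIpAddress%22%3A%2253.83.86.111%22%7D"
        ),
    },
    {
        "eventdate": "2024-05-01 10:16:00",  # assumed value
        "context": "my.alert.no_entities",  # assumed name
        "extraData": "%7B%22count%22%3A42%7D",
    },
]

ENTITY_PREFIX = "entity_"


def decode_extra_data(extra_data):
    """Mirror jsonparse(urldecode(extraData)): URL-decode, then parse JSON."""
    if not extra_data:
        return {}
    try:
        parsed = json.loads(unquote(extra_data))
    except ValueError:  # malformed or non-JSON extraData
        return {}
    return parsed if isinstance(parsed, dict) else {}


def extract_entities(row):
    """Return every entity_* attribute of one alert row, values as strings."""
    data = decode_extra_data(row.get("extraData"))
    return {k: str(v) for k, v in data.items() if k.startswith(ENTITY_PREFIX)}


def entity_summary(rows):
    """Entity attributes per alert, keyed by context; empty dict when none."""
    return {row["context"]: extract_entities(row) for row in rows}


if __name__ == "__main__":
    for context, entities in entity_summary(SAMPLE_ROWS).items():
        print(context, entities or "(no entity attributes)")
```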