
Popular Updates


Devo Collector Catalog update for August

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors (each entry links to its Documentation page)
- Symantec Collector v1.0.0
- Trellix DLP v1.0.0

Updated Collectors (each entry links to its Documentation page)
- Github Collector v3.0.0
- VMware Carbon Black Cloud EPP Collector v1.4.1
- Office365 Management API Collector v2.3.2
- Azure Collector v2.2.0
- AWS SQS Collector v1.5.2
- Wiz Collector v1.7.0
- Duo Collector v2.0.0
- Rapid7 InsightVM Collector v1.7.0
- Lark Collector v1.1.0
- Crowdstrike API Resources Collector v1.8.0
- ServiceNow Collector v1.5.0
- Cisco Meraki Collector v1.7.0
- Salesforce Collector v2.4.0

Related products: Devo Integrations

Platform 8.10.43 Released

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.43 brings some core improvements for Scheduled Reports and Autoparser, and new functionality for Multitenant domains. The great Autoparser now reports when it encounters inconsistencies in the data being processed. Scheduled reports are now aligned with the RFC standard for emails, changing the way the reports are sent. Multitenant domains can now see and define my.app and my.upload tables created in their child domains. Lastly, we have a collection of bug fixes in direct response to customer feedback. Learn more in this product update and don’t forget to subscribe!

Geo Availability
  Region    Status
  GovCloud  Released
  CA        Released
  US        Released
  EU        Released
  APAC      Released

New Features

Multitenant root domains can create my.app & my.upload table definitions in the finder
With this release, Multitenant root domains can see and define custom data from my.app and my.upload tables in their child domains directly in the finder. The option to create this type of table is available from the “Add table definition” window.

Updated Feature

Autoparser on tables with inconsistent data
The Autoparser will now notify you when you ingest inconsistent data, informing you that the results were created with errors. When this happens, it means that some fields could not be parsed correctly, and you will see null values wherever the inconsistent data was found.

Scheduled reports are sent to each recipient individually
Adhering to the recent updates to the RFC standard, which require that every email has the TO: field filled in, scheduled reports are now sent using the TO field instead of BCC. Each person in the TO field will receive the report individually.

Bug Fixes
- The New lookup button on the Lookup management page was not linked to the lookups_manage policy. The condition has now been added, so the button only appears when the policy allows it.
- When updating a lookup, using double quotes in the middle of a cell value now works correctly, preventing an empty notification error.
- Certificate creation logic has been updated to consider only user certificates for domain limits, excluding relay certificates. This ensures accurate limit adherence and appropriate notifications when limits are reached or changed.

Related products: Devo Platform

Devo Security Operations: OOTB Alerts Release 29

We're thrilled to announce the latest updates and additions to our alerting system with Release 29. This release introduces a large collection of updates to 24 Alert Packs covering all manner of MITRE Tactics and Techniques. Additionally, we have updated Detections for Linux, Windows, Network and Authentication. Below you will find links to Exchange for all the alert packs in your respective geos. To access Updated Detections, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name and manage your alerts. To update or install new alerts, visit Devo Exchange.

Updated Alert Packs
Each pack below has direct links on Devo Exchange for the US, CA, EU and APAC regions.
- Linux_Log-Based_Threat_Detection_Suite
- Windows_Log_Threat_Detection_Suite
- Authentication_Log_Threat_Detection_Suite
- Abuse_Elevation_Control_Mechanism_(MITRE_Att&ck_Technique:_T1548)
- Boot_or_Logon_Initialization_Scripts_(MITRE_Att&ck_Technique:_T1037)
- Account_Manipulation_(MITRE_Att&ck_Technique:_T1098)
- Command_and_Scripting_Interpreter_(MITRE_Att&ck_Technique:_T1059)
- Brute_Force_(MITRE_Att&ck_Technique:_T1110)
- Data_Encrypted_for_Impact_(MITRE_Att&ck_Technique:_T1486)
- Data_Destruction_(MITRE_Att&ck_Technique:_T1485)
- Create_Account_(MITRE_Att&ck_Technique:_T1136)
- Domain_Policy_Modification_(MITRE_Att&ck_Technique:_T1484)
- Exfiltration_Over_Alternative_Protocol_(MITRE_Att&ck_Technique:_T1048)
- Event_Triggered_Execution_(MITRE_Att&ck_Technique:_T1546)
- File_and_Directory_Permissions_Modification_(MITRE_Att&ck_Technique:_T1222)
- Ingress_Tool_Transfer_(MITRE_Att&ck_Technique:_T1105)
- Indicator_Removal_on_Host_(MITRE_Att&ck_Technique:_T1070)
- Impair_Defenses_(MITRE_Att&ck_Technique:_T1562)
- OS_Credential_Dumping_(MITRE_Att&ck_Technique:_T1003)
- Modify_Registry_(MITRE_Att&ck_Technique:_T1112)
- Obtain_Capabilities_(MITRE_Att&ck_Technique:_T1588)
- Scheduled_Task_Job_(MITRE_Att&ck_Technique:_T1053)
- Remote_Services_(MITRE_Att&ck_Technique:_T1021)
- Valid_Accounts_(MITRE_Att&ck_Technique:_T1078)

Updated Detections

Linux
- SecOpsLinuxAddFilestoCrontabDir.json
- SecOpsLinuxAppendCommandToProfileConfig.json
- SecOpsLinuxAppendCronjobEntry.json
- SecOpsLinuxAuditdMaxFailedLoginAttempts.json
- SecOpsLinuxExtNetworkviaTelnet.json
- SecOpsLinuxFileCreateInitBoot.json
- SecOpsLinuxFileOwnerNowRoot.json
- SecOpsLinuxHighFileDeletesEtc.json
- SecOpsLinuxIntNetworkviaTelnet.json
- SecOpsLinuxNcUseDetected.json
- SecOpsLinuxNOPASSWDSudoers.json
- SecOpsLinuxPotentialDisableSELinux.json
- SecOpsLinuxSetuidUsingChmod.json
- SecOpsLinuxSudoFileModification.json
- SecOpsLinuxSystemLogFileDeletion.json
- SecOpsLinuxWebserverAccessLogsDeleted

Windows
- SecOpsOsCredentialDumpingGsecdump.json
- SecOpsRansomwareBehaviorMaze.json
- SecOpsRansomwareBehaviorNotPetya.json
- SecOpsRansomwareBehaviorRyuk.json
- SecOpsResetPasswordAttempt.json
- SecOpsWannaCryBehavior.json
- SecOpsWinMimikatzLsadump
- SecOpsWinAuditLogCleared.json
- SecOpsWinDisableUac.json
- SecOpsWinDisableAntispywareRegistry.json
- SecOpsWinLockoutsEndpoint.json
- SecOpsWinLsassMemDump.json
- SecOpsWinRegistryModificationDisableChangePasswdFeature.json
- SecOpsWinRegistryModificationNewTrustedSite.json
- SecOpsWinUserAddedSelfToSecGroup.json
- SecOpsWinUserAddedToLocalSecurityEnabledGroup.json
- SecOpsWinUserCredentialDumpRegistry.json
- SecOpsNewAccountCreated.json
- SecOpsWinAdminRemoteLogon.json
- SecOpsWinAnonymousAccountCreated.json
- SecOpsWinExcessiveUserInteractiveLogin.json
- SecOpsFailLogOn.json

Network
- SecOpsFortinetCriticalAppUse.json
- SecOpsSuspiciousConnectionToCoinminerDomain.json
- SecOpsFortinetHighRiskAppUse.json

Authentication
- SecOpsAuthPasswordSprayHost.json
- SecOpsO365AuthExcessiveFailedLoginsSingleSource.json
- SecOpsO365AuthExcessiveFailedLoginsUserAuthAll.json
- SecOpsLoginFailCombinedSuccessed.json
- SecOpsAuthPasswordSprayIp.json

Related products: Devo SecOps

Platform Release 8.11.0

Geo Availability
  Region    Status
  GovCloud  Released
  CA        Released
  US        Released
  EU        Released
  APAC      Released

Hello everyone, the latest release of the Devo Platform is now live! Release 8.11.0 delivers a wide range of improvements to Data Search that are sure to enhance the core experience of the Devo Platform! Data Search has been re-imagined from a collection of single components into a unified architecture, delivering speed and freedom of action. With this improvement we have been able to remove column limits and deliver improvements to column reorganization and table navigation, as well as improved data visibility and control. In addition, we have delivered improvements to Alerts with the new ExtraData search filter. Learn more about this release below!

New Features

Data Search reimagined
With this release we are migrating from individual HTML elements to a single Canvas element that draws everything on screen. This provides more flexibility and increased performance for large, complex data sets. You are going to see huge performance improvements with large data sets.

Enhancements

Removed Column Limits
When you drive a faster car, you get rid of the speed limits (or so I hear...). Thanks to the re-imagining of Data Search, the 50 visible column limit has been removed. Display a massive number of columns without performance trade-offs.

New feedback added for query with no results
A small change to be sure, but one that helps us all! When you create a query that returns 0 results, you will now see feedback confirming that the empty result was the intended output.

Improvement to Drag & Drop Column Order
Drag & drop functionality has been improved to be more user-friendly, and you can now drag columns to the last position.

Improved Table Navigation
Arrow-key navigation has been added to tables, so you can move around quickly as you would in a normal spreadsheet.

New action added to view wrapped content
You can now double-click on a cell to view wrapped content. This is particularly useful with cells that contain a large amount of information.

Streamlined cell options menu
The Highlight action has been removed in favor of direct selection of a cell. Learn more in our Documentation.

New Filter added to Alerts
A new filter criterion lets you find specific alerts based on their ExtraData content, with two search levels:
- Simple Search: find a single value within the first-level keys.
- Advanced Search: find one or multiple values within the first-level keys and decide where and how to search for them.
Learn more in our Documentation.

Added ExtraData to Triggered Alerts Info
The expandable info for Triggered Alerts has a new section for ExtraData. It joins the Summary and Description as fields available for quick access. Learn more in our Documentation.

Bug Fixes
- Download Event Button: Fixed the “Download an event” button in the Selected events wizard in Data Search. When pressing the space bar over an event, a wizard opens showing the details of the event; in that wizard, the Download button failed to download the event.
- Global Search: In Global search, the links in the table all.data in the field tables did not work properly. All tables now open correctly.

Related products: Devo Platform

Devo Exchange: Devo Collector Monitoring ActiveBoard and Alert Pack

The Integration team prepared and released a new Activeboard to help users monitor and be informed of the status of their collectors, along with any warnings or errors that may be occurring. We have also released a companion Alert Pack that works in conjunction with the Activeboard to provide full visibility around your Collectors. This combination will give you visibility into Collector uptime, warnings and errors, general activity and message types. You also see all credential errors as well as API limit and server errors. This is a must-have Activeboard that provides full visibility into the health of your Data Ingestion.

Collector Monitoring Activeboard
Having good supervision of data flow is key in Devo. It’s important to give customers good insights, alerts and security use cases, but insight into any problem with Collectors was missing. This activeboard solves this, providing complete visibility of your collector health. In this activeboard you can find:
- Number of collectors active / failing.
- Collectors that stopped sending data in the last hour.
- Distribution of errors and warnings by collector.
- General activity and types of messages.
- Errors in credentials (401/403).
- Errors for API limit retries (429).
- Server errors (500, 501, 503).
Use this activeboard to detect credential failures, server failures or problems in data flow. The Collector Alert Pack works in conjunction with this activeboard to provide all the details.

Collector Alert Pack
Use this Alert Pack to monitor your collectors and detect credential failures (401/403) and any problem in data flow. It is recommended to complement this content with AB Collectors Error Control.
- SecOpsCollectorCredentials: Detects any credential problem (401 or 403 error) in any collector running in the domain, and also warnings that could indicate an error.

What does it look like? Go check it out on Devo Exchange

Devo Collector Monitoring Activeboard
Direct links on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Devo Collector Alert Pack
Direct links on Devo Exchange: US Exchange, CA Exchange, EU Exchange, APAC Exchange

Related products: Devo Exchange

Devo Platform 8.10.29

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.29 focuses on Activeboard improvements, from improved loading options to enhancements for your favorite tools. Among the updates in this release are the new “Load on Demand” options at the widget level and the Activeboard level. Scheduled tasks no longer require tokens to create a task. There are multiple enhancements to the Line/Area widget, a new Background processes tab for Usage Analytics, better error messages for Aggregation tasks, and fixes to customer-reported bugs. Check out the full release notes here as well as links to relevant documentation.

Geo Availability
  Region    Status
  GovCloud  Released
  CA        Released
  US        Released
  EU        Released
  APAC      Released

Updated Features

New options for “Load on Demand” feature for Activeboards
Performance is key in Devo. With the release of 8.8.16 we released the “load on demand” feature for widgets. In this release we are expanding this feature by adding more data loading options, not just at the widget level but also at the Activeboard level. These updates were created to reduce system resource load, reduce Activeboard loading times and give the user greater control over the Activeboard/Widget load. Learn more about Load on Demand at the Activeboards level in our Docs. Learn more about Load on Demand at the Widget level in our Docs.

Activeboard Line/Area widget: All points visibility
Enhancing the at-a-glance understanding of this widget, users now have the ability to choose to display all the points of the Line/Area widget.

Scheduled Tasks: No Tokens required!
In order to simplify the user experience, we have removed the authentication user token needed to create a Scheduled Task. This also means that the scheduled task email can now be sent to any email address. You will still need a token for the following:
- Scheduled task CRUD operations need a user session token.
- Scheduled task execution will generate and use a new service token.

Usage Analytics new Background processes tab
The new Background processes tab gives the user the ability to monitor the running and failed background processes in the last 24 hours for the following entities:
- Alerts
- Injections
- Aggregation Tasks
- Query Lookups
Learn more in our Documentation.

Activeboards: Better error messages for Aggregation Tasks
Aggregation task error messages have been improved to provide more information about the specific error that has occurred, so you can take the appropriate action.

Bug Fixes
- Fixed widget description in Export to PDF.
- Fixed Line/Area widget’s Dash Style.
- Fixed Stacked Line/Area setting the stacked scale as percentage.
- Fixed Yearly periodicity display in Scheduled Tasks.

Check out the full Release Notes in our Documentation.

Related products: Devo Platform

Devo Platform release 8.10.28

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.28 focuses on Alert improvements and features along with new API calls. Starting off with the Alert improvements, filters you apply to the Alerts page will automatically be added to the URL so you can save repeat searches and jump directly into them. A new API delivery method was added in order to get the Sending Policies. Alert pagination has been improved: your pagination tools now stay on the page with you, giving you instant access to those controls. The Delete bulk action now has a double confirmation for peace of mind, and more! Read on!

Geo Availability
  Region    Status
  GovCloud  Released
  CA        Released
  US        Released
  EU        Released
  APAC      Released

New Features

Alerts Delivery method API: Get Sending Policies
New to the Alerts Delivery method API. Available operations:
- GET all the policies defined in the domain.
- GET a specific policy in the domain, identified by its ID.
Learn more in our docs!

Alert Page URL Filters
Enabling you to save Alert pages with predefined filters: now when you choose your filtering from the Alerts page, the filter information is added to the URL in the address bar. Saving the URL will allow you to jump directly to the pre-filtered results.

Updated Features

Delete Alert confirmation dialog
The confirmation dialog that appears after performing bulk actions has been improved with a loading indicator. This gives users visual confirmation that the action is actually in progress.

Improvements to Alert Pagination
To improve review of a large group of alerts, pagination tools are now pinned in order to provide access to these tools as you go through the selected list.

Check out the full Release notes in our Documentation.

Related products: Devo Platform

Devo Parser Catalog Update for July

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers (each entry links to its Documentation page)
- cnapp.orca
- firewall.sangfor
- network.riverbed

Updated Parsers (each entry links to its Documentation page)
- ips.all.alerts
- web.aws
- proxy.zscaler
- cdn.akamai
- network.meraki
- dns.windows
- edr.crowdstrike
- firewall.cisco
- dlp.code42
- network.hp
- cef0.paloAltoNetworks
- dhcp.microsoft
- edr.cisco
- firewall.all.traffic
- cef0.ibm
- ids.corelight
- box.win_nxlog

Related products: Devo Integrations

Devo Collector Catalog update for July

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
- Lark Collector V1.0.0 (documentation in progress)
- Cato Collector V1.0.0 (documentation in progress)
- Google Workspace for BigQuery v1.0.0 (documentation in progress)

Updated Collectors (each entry links to its Documentation page unless noted)
- Cisco Amp v1.1.1
- Office365 Management API v2.2.0
- Snowflake V1.3.1
- AWS SQS v1.4.0
- Microsoft Defender for Endpoint (ATP) v1.3.0
- Workday v1.1.0
- Rapid7 InsightVM v1.6.0
- Google Cloud Platform (GCP) v1.7.0
- Qualys v2.2.0 (documentation in progress)

Related products: Devo Integrations

Devo Exchange Catalog Update

Devo Exchange regularly updates content and approves content submitted by the Devo team as well as Customers, to enhance the OOTB catalog offering to our entire user base. Yes, if you have a great activeboard or vapp you can submit it to the Exchange team for verification and inclusion in the content catalog! In this catalog update you will find dozens of new OOTB alerts, activeboards, lookups, synthetic data and use cases. You will also find updated content, from Activeboards to individual alerts. The new search functionality introduced in Exchange release 2.0 will find exactly what you need quickly!

New Additions

Alert packs:
- Remote System Discovery (MITRE T1018)
- Command and Scripting Interpreter (MITRE T1059)
- Software Deployment Tools (MITRE T1072)
- Data Staged (MITRE T1074)
- System Information Discovery (MITRE T1082)
- Exploit Public-Facing Application (MITRE T1190)
- Exploitation for Defense Evasion (MITRE T1211)
- Resource Hijacking (MITRE T1496)
- Non-Standard Port (MITRE T1571)
- Protocol Tunneling (MITRE T1572)
- Establish Accounts (MITRE T1585)
- Develop Capabilities (MITRE T1587)

Activeboards:
- AWS Security Lake
- Cloud Azure Audit
- Cloud Azure Sign in
- Collective Defense Overview
- Devo Alert Auditing
- Proofpoint email protection
- Web Analytics

Lookups:
- IANAPortAssignment
- AwsAuthorizedApiUsers

Synthetic data:
- Web Apache injection

Use case:
- Web Analytics AB

Updated Catalog Content

Alert packs:
- SIEM detection capabilities enhanced.
- Performance enhanced with improved filters.
- Threat detection accuracy improved.
- Multitenant enabled.

Applications: Alert dependencies removed (now they can be installed only via Exchange alert packs), visuals improved, aggregation tasks created, and performance optimized.
- Devo 360 for Palo Alto → v1.1.1
- Devo 360 for Crowdstrike → v1.1.1
- Devo 360 for AWS → v1.1.1

Activeboards:
- Microsoft Active Directory → v1.1.0 → change source to box.all.win, fix keys in Voronoi, and change period to one day.
- Data Sources Insight → v1.0.1 → add default table before selection.
- Office365 Overview → v1.0.1 → fix Sharepoint widget.
- Windows Activity Monitoring → v1.1.0 → fix neq functions and selectors.
- Office365 Active Directory → v1.0.2 → fix widgets.
- Office365 One Drive → v1.1 → fix user agent widget and reorder widgets.
- OKTA Service Overview → v1.1.0 → reorganize widgets, change e-commerce sources, and delete external dependencies.
- OKTA Authentication Activity → v1.1.0 → change deprecated geo functions (mm by mm2).
- Firewall Monitoring → v1.2.0 → change map, time periods, and deprecated geo functions.
- Devo Users Tracking → v1.1.1 → migrate to multitenant.

Content packs: MITRE Tactics modified to add the new techniques.
- TA0001 → T1190 added.
- TA0002 → T1059 and T1072 added.
- TA0005 → T1211 added.
- TA0007 → T1018 and T1082 added.
- TA0009 → T1074 added.
- TA0011 → T1571 and T1572 added.
- TA0040 → T1496 added.
- TA0042 → T1585 and T1587 added.

Related products: Devo Exchange

Devo Exchange 2.0

Welcome everyone to the grand unveiling of Devo Exchange 2.0! We have some massive updates to the Exchange marketplace, including a new section for Multitenant content, a completely revamped Search engine that allows you to hunt for individual alerts, and a redesign of Alert packs to give you even more flexibility and visibility into a pack's contents. The road to version 2.0 brought with it tons of great improvements as well, including amazing performance improvements, enhanced access control and improvements to the amazing alert management tool, the MITRE ATT&CK Adviser!

Geo Availability
  Region  Status
  CA      Released
  US      Released
  EU      Released
  APAC    Released

New Features

Search 2.0
This massive undertaking brings about a host of new features to help you find content quickly through the expanded marketplace. In detail:

Recent Searches
Recent Searches will contain the last 5 searches you performed, so you can find commonly used content quickly. You can also clear any of the individual search entries. Full match or partial match strings: the search will find anything.

Full Search with new Category Filters
You can now filter your search results by sources, tactics and techniques. Along with these filters, we have improved all parameters of the search engine as well as the order in which results are presented. The search filters are also additive; for example, if you want to find any alert packs with alerts that cover different tactics, you can add those tactics to the filters.

Search inside Packaged Content
In a past release we enabled the installation of any content individually within an Alert Pack. With Search 2.0 you can search for any alert inside alert packs by name or partial name. Searching for “O365”, you can see all the alert packs that contain alerts with this string in the name. When you enter the pack, the search string will be highlighted and the matching alerts moved to the top. Priority and sources have also been added as additional information inside pack content on Devo Exchange. This helps power the new search filters and adds new context for faster decision making!

Alert Pack Redesign
Alert packs now have Priority and Source information for each alert inside the pack. We also have a new counter on the top right showing how many alerts in the Alert Pack you have installed.

Multi-Tenant Content
All OOTB content in Devo Exchange has been updated to be Multi-tenant capable. This includes all 119 Alert Packs, more than 500 Alerts! We are currently working on Activeboards and Applications to have this new capability. The User Tracking Activeboard joins the MITRE ATT&CK Advisor application in Multi-Tenant capabilities. If your domain is the parent domain of a Multi-Tenant structure you will see a new category filter on the Exchange homepage. Applications and Activeboards will have domain selectors for you to manage the information displayed.

Related products:Devo Exchange

Devo Collector Catalog Update for June

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
- New Collectors
  - Qualys FIM v1.0.1
  - Google Workspace for BigQuery v1.0.0
- Updated Collectors
  - Github v2.3.0
  - CyberReason v1.4.0
  - Proofpoint CASB v1.1.0
  - Snowflake v1.2.0
  - MimeCast v1.2.0
  - CrowdStrike API Resources v1.7.0
  - Cortex XDR v1.3.0
  - SpyCloud v1.1.0
  - Office365 Exchange Reports v0.4.1-beta
  - Netskope API V2 v1.1.0
  - Wiz v1.6.2
  - AWS v1.10.0

New Collectors
- Qualys FIM v1.0.1: Documentation will be available soon.
- Google Workspace for BigQuery v1.0.0: Documentation will be available soon.

Updated Collectors
- Github v2.3.0: View full documentation in our Docs.
- CyberReason v1.4.0: View full documentation in our Docs.
- Proofpoint CASB v1.1.0: View full documentation in our Docs.
- Snowflake v1.2.0: View full documentation in our Docs.
- MimeCast v1.2.0: View full documentation in our Docs.
- CrowdStrike API Resources v1.7.0: View full documentation in our Docs.
- Cortex XDR v1.3.0: View full documentation in our Docs.
- SpyCloud v1.1.0: View full documentation in our Docs.
- Office365 Exchange Reports v0.4.1-beta: View full documentation in our Docs.
- Netskope API V2 v1.1.0: View full documentation in our Docs.
- Wiz v1.6.2: View full documentation in our Docs.
- AWS v1.10.0: View full documentation in our Docs.

Related products:Devo Integrations

Devo Platform 8.10.8

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.8 adds a new type of alert to your growing toolkit. Inactivity Alerts help you detect when normal activities like ingestion stop working, among other use cases. This is a great tool to keep the information flowing and be notified immediately when possible issues occur. They are also available in the Alerts API! Along with the new Alert, the team has added new API audit features, and we continue our work to deliver best-in-class performance to you, our customers! Start using the new Alert, and make use of those audit logs today!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
- New Features
  - New Inactivity Alert is available
- Updated Feature
  - API key "Read" and "Delete" operations added to audit logs
  - Token "Read" operation added to audit logs

New Features

New Inactivity Alert is available

This new alert type follows the same principles as the Several and Low Alerts: an alert type that counts events during a period of time. Here is how all 3 differ:
- Low Alert: fires when, after a rolling time period, the counter of the selected events (query) has not exceeded a specific threshold.
- Several Alert: fires when, within a rolling time period, any of the current period counters (query + current period key values) exceeds a specific threshold.
- Inactivity Alert: fires when, after a rolling time period, any of the previous period counters (query + previous period key values) has not exceeded the 0 threshold (that is, has been equal to 0). In other words, it fires when any of the counters had no events, with a separate Alert for each counter without events.

If you want to create an alert to notify you when a collector has stopped ingesting during a period of time, Inactivity Alerts are the solution! And the inactivity alerts are available in the Alerts API! Learn more about Inactivity Alerts and all the parameters on our Docs page!
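To make the three counting semantics concrete, here is an added Python illustration (not Devo code) that evaluates the Low, Several and Inactivity conditions over a constructed set of ingestion events keyed by collector name. The half-open period windows and the sample events are my assumptions; the threshold comparisons follow the definitions above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, key), where the key is the collector
# that produced the event. Keys play the role of the alert's "period key values".
EVENTS = [
    ("2024-06-01T10:00:00", "aws_sqs"),
    ("2024-06-01T10:05:00", "crowdstrike"),
    ("2024-06-01T10:20:00", "aws_sqs"),
    ("2024-06-01T10:40:00", "crowdstrike"),
    ("2024-06-01T11:10:00", "aws_sqs"),
    ("2024-06-01T11:30:00", "aws_sqs"),
    ("2024-06-01T11:50:00", "aws_sqs"),
]


def period_counters(events, start, end):
    """Count events per key inside the half-open window [start, end)."""
    counts = Counter()
    for ts, key in events:
        if start <= datetime.fromisoformat(ts) < end:
            counts[key] += 1
    return counts


def low_alert(events, now, period, threshold):
    """Low: fires when the total count over the last period has not exceeded the threshold."""
    total = sum(period_counters(events, now - period, now).values())
    return total <= threshold


def several_alerts(events, now, period, threshold):
    """Several: one alert per key whose counter in the current period exceeds the threshold."""
    current = period_counters(events, now - period, now)
    return sorted(key for key, n in current.items() if n > threshold)


def inactivity_alerts(events, now, period):
    """Inactivity: one alert per key that had events in the previous period but a
    counter of 0 in the current one (for example, a collector that stopped ingesting)."""
    previous = period_counters(events, now - 2 * period, now - period)
    current = period_counters(events, now - period, now)
    return sorted(key for key in previous if current.get(key, 0) == 0)


def evaluate(events, now_iso, period_hours, low_threshold, several_threshold):
    """Run all three checks at one evaluation instant and return the results."""
    now, period = datetime.fromisoformat(now_iso), timedelta(hours=period_hours)
    return {
        "low": low_alert(events, now, period, low_threshold),
        "several": several_alerts(events, now, period, several_threshold),
        "inactivity": inactivity_alerts(events, now, period),
    }


if __name__ == "__main__":
    # At 12:00 with a 1h period: aws_sqs had 3 events, crowdstrike none since 11:00.
    print(evaluate(EVENTS, "2024-06-01T12:00:00", 1, 5, 2))
```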
Updated Feature

API key "Read" and "Delete" operations added to audit logs

API Key audit logs have been improved by adding the "read" and "delete" operations to the audit table devo.internal.audit.logs. Actions for all users are recorded. The API key itself is logged obfuscated.

Token "Read" operation added to audit logs

Audit actions have been improved by adding the "read" operation to the audit table devo.internal.audit.logs. Actions for all users are recorded. The token is logged obfuscated.

Related products:Devo Platform

Devo SOAR M124 & M125 released

The Devo team has released the latest version of Devo SOAR! This product update combines two releases, M124 and M125. In these updates we have added 4 new JSON operators, 3 new integrations, and updated integrations with new capabilities, as well as bug fixes and enhancements. SOAR Automation is a key feature of Devo Intelligent SIEM, allowing you to automate a large number of daily tasks and giving you back essential time to perform key investigations and hunts. First time with Devo SOAR? We have tutorials on the community to help you get started, as well as the rich Devo SOAR Documentation portal. Devo SOAR also has a guided playbook builder to interactively create a no-code automation!

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
- New Features
  - 5 New JSON Operations
  - New Integrations added
- Updated Features
  - Enhancements
  - Bug Fixes

New Features

5 New JSON Operations

We are happy to introduce 5 new JSON Operations for use in SOAR Playbooks:
- addFieldInJSON
- extractFieldInJSON
- removeFieldInJSON
- replaceFieldInJSON
- parseJson

New Integrations added
- KnowBe4 is the world's largest integrated platform for security awareness training combined with simulated phishing attacks.
- Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero-trust principles to protect data.
- Cyberark EPM provides holistic endpoint protection to secure all endpoints and enforce least privilege without disrupting business.

Updated Features

Enhancements
- Run action node when explicitly requested in the playbook.
- Updated the Download URL action to support custom headers while downloading in the File Tools integration.
- The Trend Micro Workload Security integration has added 6 new actions: List Scheduled Task, Create Scheduled Task, Describe Scheduled Task, Modify Scheduled Task, Delete Scheduled Task, Search Scheduled Task.
- Removed the Assistance mode functionality.
- The Shodan integration has added 17 new actions based on on-demand scanning and network alerts.

Bug Fixes
- The dynamic recipient field was not working when the form was added to a case. We have fixed this now.
- Page number information was lost when opening the batch detail page and returning to the batch listing page. We have fixed this now.
- Missing Jinja support for hostname in the Send Events action in the Devo integration. We have fixed this now.
- Issue with the default limit in the Search IOCs action in the CrowdStrike Falcon Host (OAuth Based) integration. We have fixed this now.
- Timestamp type-based timezone had rendering issues in easy mode. We have fixed this now.

Related products:Devo SOAR

Devo Exchange 1.9

Hello everyone, the Exchange team has a new update for you with tons of great improvements. Release 1.9 is no different! In this release, a new notification system has been implemented to let you know when there is an update available for your installed OOTB content. Along with this new system, there is a new filter in All Content that lets you see all the installed content with an available update, a new audit table, and updated navigation. We've also improved performance for all users, with those on slower connections benefiting the most! Don't forget to visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
- New Features
  - Update Notifications
  - New Filter for All Content: "Update Available"
  - New audit table added
  - Updated Navigation
- Additional Updates
  - Improved performance

New Features

Update Notifications

Devo Exchange now has a notification center to let you know when you have updates available for your installed Out-Of-The-Box content. Located on the top right of Devo Exchange, it lets you view individual notifications, jump to the content, or clear notifications. You can delete notifications individually or delete all notifications.

New Filter for All Content: "Update Available"

Open Devo Exchange and switch the primary filter from Discover to All Content; on the right you can now sort by Update Available! This filter orders content by Update Available first, then by relevance. You can quickly review all the updates to installed content from one place!

New audit table added

All audit information for Devo Exchange in each domain is sent to this new table: devo.internal.audit.logs. View and discover user navigation, content installs, and other statistics for your users.

Updated Navigation

To improve the navigation experience, when you open installed content from Devo Exchange it launches in a new tab. This applies to activeboards, apps, lookups and alert sections. This way you can always return to where you were in Exchange, or continue to work in the launched resource in the new tab.

Additional Updates

Improved performance

Compression has been implemented when loading items in Exchange. Users with fast connections will see some improvement in speed; users with slower connections will see a massive speed increase when loading Exchange content.

Related products:Devo Exchange

Parser Catalog Update: May

The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
- New Parsers
  - dmp.cohesity
  - mail.all.threats
  - waf.kemp
- Updated Parsers
  - proxy.zscaler
  - cloud.office365
  - box.win_nxlog
  - cloud.azure
  - firewall.juniper
  - edr.all.threats
  - casb.netskope
  - firewall.cisco
  - sig.cisco
  - dhcp.all

New Parsers
- dmp.cohesity: Link to Documentation
- mail.all.threats: Documentation in progress
- waf.kemp: Link to Documentation

Updated Parsers
- proxy.zscaler: Link to Documentation
- cloud.office365: Link to Documentation
- box.win_nxlog: Link to Documentation
- cloud.azure: Link to Documentation
- firewall.juniper: Link to Documentation
- edr.all.threats: Link to Documentation
- casb.netskope: Link to Documentation
- firewall.cisco: Link to Documentation
- sig.cisco: Link to Documentation
- dhcp.all: Link to Documentation

Related products:Devo Integrations

Collector Catalog Update for May

Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
- New Collectors
  - Colortokens xshield v1.0.0
  - Airlock Digital v1.0.0
  - Vectra 365
- Updated Collectors
  - Microsoft Azure v2.0.0-beta6
  - Crowdstrike API resources v1.6.0
  - Cisco Meraki v1.6.0
  - Cyberark Identify v1.1.3
  - Salesforce v2.3.0
  - Qualys V2.1.0
  - Microsoft Graph v2.0.0
  - Tenable.IO v1.4.0
  - Taxii v1.1.0
  - Proofpoint on Demand v1.0.1
  - Office 365 Management 1.0.0
  - Google Cloud Platform v1.6.0

New Collectors
- Colortokens xshield v1.0.0: Link to Documentation
- Airlock Digital v1.0.0: Link to Documentation
- Vectra 365: Link to Documentation

Updated Collectors
- Microsoft Azure v2.0.0-beta6: This is a beta collector; as soon as it is out of beta the documentation will be available.
- Crowdstrike API resources v1.6.0: Link to Documentation
- Cisco Meraki v1.6.0: Link to Documentation
- Cyberark Identify v1.1.3: Link to Documentation
- Salesforce v2.3.0: Link to Documentation
- Qualys V2.1.0: Link to Documentation
- Microsoft Graph v2.0.0: Link to Documentation
- Tenable.IO v1.4.0: Link to Documentation
- Taxii v1.1.0: Link to Documentation
- Proofpoint on Demand v1.0.1: Link to Documentation
- Office 365 Management 1.0.0: This collector was rebuilt from the ground up; find the documentation here.
- Google Cloud Platform v1.6.0: Link to Documentation

Related products:Devo Integrations

Devo Platform Release 8.10.0

Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.0 brings the new Scheduled Tasks functionality, a new complex type operation for Data Search, and a collection of UI and performance improvements. Scheduled Tasks allow you to set up the periodic execution of a query at the time, date, and frequency of your choosing. Admins will find this feature and can grant access to it through roles and permissions. The new complex operation type is the Tuple; it works like an array, except it does not convert its contents to the same type. Lastly, this update contains UI improvements and performance enhancements that you are going to love!

Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
- New Features
  - Scheduled Tasks
  - Data Search: New Complex Type operation added
  - Lookups with CIDR as key first release
  - Nested Annotations for Alerts
  - New Auditing Table for Alert Annotations
  - New Rolling And Each Alerts with Subqueries parameter limits
- Additional Improvements

New Features

Scheduled Tasks

The first release of Scheduled Tasks is now available for all Devo users! This new feature allows you to schedule the periodic execution of a query, with the query results automatically sent to defined email addresses as CSV files. The feature is enabled by default for Admin users, who can then enable it for users of their choosing through the right roles and permissions. You will find the permissions under Admin -> Resources -> Scheduled Tasks.

Scheduled Tasks can be created with the following intervals:
- Daily: at a specific time of day
- Weekly: on specified days of a week at a specific time of day
- Monthly: on specified days of a month at a specific time of day
- Yearly: on specified months of a year, on specified days of each month, at a specific time of day

You can also set the query execution time period with two possible choices:
- Predefined Range ("Yesterday", "Last 7 days", ...)
- Custom Range period ("From", "To") using the Query API date syntax

Get all the details of Scheduled Tasks in our Documentation.

Data Search: New Complex Type operation added

The "tuple" complex type operation is now available for use! A tuple is a collection of sorted elements of any type (repeated or not). The difference between an array and a tuple is that in an array all the elements are internally converted to the same type, while in a tuple they are not (each tuple element retains its type).

Operation      Meaning                                Syntax
mktuple or ()  Creates a tuple from elements          mktuple(ele_1, ..., ele_n) or (ele_1, ..., ele_n)
at or []       Returns the n-th element in a tuple    at(tuple, n) or tuple[n]
at0            Returns the first element in a tuple   at0(tuple)
at1            Returns the second element in a tuple  at1(tuple)
atend          Returns the last element in a tuple    atend(tuple)
add (+)        Concatenates two tuples                add(tuple_1, tuple_2)

Additionally, you can use this complex type operation in Alerts and Lookups as well. Here is a great example of this new complex type in use:

    from siem.logtrust.web.activity
    // create a tuple with multiple types
      select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
      select (username, srcPort, ip4(srcHost), true) as tuple2
    // some ways to select the first item from a tuple
      select tuple[0] as first_item_from_tuple
      select at(tuple, 0) as first_item_from_tuple2
      select at0(tuple) as first_item_from_tuple3
    // retrieve the last item from a tuple
      select atend(tuple) as last_item_from_tuple
    // concatenate two tuples
      select tuple + tuple2 as tuple_concatenation
    // it is possible to filter each item by its underlying data type
      where tuple[0] -> "@"
      where tuple[1] not in (ip4(95.63.39.51))
      where atend(tuple) is true

Lookups with CIDR as key first release

As part of a multi-step release of this functionality, Lookups now recognize 3 new key types:
- ipv6
- net4
- net6

Nested Annotations for Alerts

You are now able to reply to existing annotations in Alerts, as well as edit and delete your own annotations. View the detailed options in our Documentation.

New Auditing Table for Alert Annotations

The devo.audit.alert.triggered table was added to audit actions concerning annotations. View the details of the new table in our Documentation.

New Rolling And Each Alerts with Subqueries parameter limits

A restriction has been implemented for rolling-type alerts and each-type alerts with subqueries. This is done to prevent excessively frequent queries over short periods of time. A maximum ratio of 120 between period and frequency is enforced. For example, for Each Alerts with Subqueries:
- Valid ratio: external offset 1m, internal period 2h (=120m) -> 120/1 = 120
- Valid ratio: external offset 2h, internal period 5d (=120h) -> 120/2 = 60
- Invalid ratio: external offset 1m, internal period 3h (=180m) -> 180/1 = 180

See the full description and examples for Each Alerts with Subqueries in our Documentation. See the full description and examples for Rolling Alerts with Subqueries in our Documentation.

New information included in Alerts Details window

The Alerts details window in the triggered Alerts area now shows the timezone as well as the specific settings corresponding to the triggering method used, when configured.

Additional Improvements
- Improved messaging in Data Search
- Adjusted spacing in the Roles page UI
- Alerts Filter by Name enhanced with a multi-selection dropdown containing all available options
- Adjusted text boxes and descriptions in the Roles Mapping UI
- Redesigned the filter results message when no results are found in the Roles Mapping UI
- Flow now accepts HTTP codes greater than 599
- Performance improvements
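A pre-check for the period/frequency limit described above, as an added Python example that is not Devo code: it parses the offset and period strings used in the examples (m, h, d units are my assumption of the only units needed) and reports the ratio and whether it stays within 120.

```python
import re

# Minutes per duration unit; the examples above use m, h and d.
UNIT_MINUTES = {"m": 1, "h": 60, "d": 24 * 60}
MAX_RATIO = 120  # largest allowed period / frequency (offset) ratio


def to_minutes(duration):
    """Parse a duration such as '1m', '2h' or '5d' into minutes."""
    match = re.fullmatch(r"(\d+)([mhd])", duration.strip())
    if not match:
        raise ValueError(f"unsupported duration: {duration!r}")
    value, unit = match.groups()
    return int(value) * UNIT_MINUTES[unit]


def subquery_ratio(offset, period):
    """Return (ratio, is_valid) for an alert's external offset and internal period."""
    offset_min = to_minutes(offset)
    if offset_min == 0:
        raise ValueError("offset must be greater than zero")
    ratio = to_minutes(period) / offset_min
    return ratio, ratio <= MAX_RATIO


if __name__ == "__main__":
    # The three cases listed above: 120 and 60 are accepted, 180 is rejected.
    for offset, period in [("1m", "2h"), ("2h", "5d"), ("1m", "3h")]:
        ratio, ok = subquery_ratio(offset, period)
        print(f"offset {offset}, period {period}: ratio {ratio:g} -> {'valid' if ok else 'invalid'}")
```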

Related products:Devo Platform

Devo Behavior Analytics Release 1.9

Devo's product team is happy to present the latest version of our integrated EUBA, Behavior Analytics, to you! Devo Behavior Analytics 1.9 introduces a new step in the configuration process to allow for the definition of Whitelists. This enables users to input the values for Users, Devices and Domains they want whitelisted during the creation process. This new process is significantly improved by the ability to upload CSV lists to your whitelists as well! Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page here.

Geo Availability

Region  Status
CA      Released
US      Released
EU      Released
APAC    Released

Table of Contents
- New Features
  - Whitelist functionality
  - Upload Whitelist CSV

New Features

Whitelist functionality

Whitelisting is critically important for behavior analytics models: it removes well-known or noisy entities from the detection so that the true threat, which lingers as a change in behavior, can be found. The new Whitelist section looks like this:

Each section is further explained in this table:

Users
  Displays all the current users that are whitelisted from the current use cases. Additionally, users can be entered manually in the textbox or uploaded via CSV. Users are all direct match string values.
  Example users: David Dark, david.dark@shadydealings.com, Ddark

Devices
  Displays all the current devices that are whitelisted from the current use cases. Additionally, devices can be entered manually in the textbox or uploaded via CSV. Devices can be hostnames, IP addresses, ranges of IP addresses and CIDR blocks.
  Example devices:
  - Hostname: MacBookPro_0002
  - IP Address: 174.1.54.54
  - IP Address Range: 173.1.54.100-173.1.54.130
  - CIDR Block: 172.16.14.128/25

Domains
  Displays all the current domains that are whitelisted from the current use cases. Additionally, domains can be entered manually in the textbox or uploaded via CSV. Domains are all direct match string values.
  Example Domain: poc.shadydealings.com

Note: User, Device, and Domain whitelists are included in each use case whether or not those entity types are present in the use case. If the use case does not include one of the entity types, a warning message like the one below is displayed:

Upload Whitelist CSV

The upload CSV section enables users to take a CSV they have from another tool, or from lookups within Devo, and upload it. The upload section provides a couple of tools to make working with CSVs easier. The CSV can be dropped in and previewed within the screen. If the right column is not selected, the user can use the "Values Column" drop down to select the correct column to be added to the whitelist. Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV. The user can also specify whether the CSV has a header row; if so, the first row in the CSV file is ignored when adding it to the whitelist. The last option is to add to or replace the existing whitelist with the contents being uploaded: if add is selected, all the values are appended to the whitelist; if replace is selected, the entire whitelist is overwritten by the uploaded values.

Haven't tried Behavior Analytics yet? You should, it is part of the Devo Platform! Let us know what you think below!
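The device whitelist formats and the CSV upload options described above, as an added Python example that is not part of Behavior Analytics: it turns each Devices entry (hostname, IP address, IP range, CIDR block) into a matcher, reads one chosen column of an uploaded CSV with or without a header row, and applies the add or replace mode. The constructed CSV reuses the example devices from the table; de-duplication on add and exact, case-sensitive hostname matching are my assumptions.

```python
import csv
import io
import ipaddress


def _as_ip(value):
    """Return an ip_address object, or None when the value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def device_matcher(entry):
    """Build a predicate for one Devices whitelist entry: CIDR block, IP range
    written as 'first-last', single IP address, or hostname (direct string match)."""
    entry = entry.strip()
    if "/" in entry:
        network = ipaddress.ip_network(entry, strict=False)

        def in_cidr(value):
            ip = _as_ip(value)
            return ip is not None and ip in network
        return in_cidr
    if entry.count("-") == 1:
        first, last = (_as_ip(part) for part in entry.split("-"))
        if first is not None and last is not None:  # both halves parse: an IP range

            def in_range(value):
                ip = _as_ip(value)
                return ip is not None and ip.version == first.version and first <= ip <= last
            return in_range
    single = _as_ip(entry)
    if single is not None:
        return lambda value: _as_ip(value) == single
    return lambda value: value.strip() == entry  # hostname: direct match (assumed case-sensitive)


def is_whitelisted_device(device, entries):
    """True when the device matches any entry of the Devices whitelist."""
    return any(device_matcher(entry)(device) for entry in entries)


def load_csv_column(csv_text, column, has_header):
    """Return the non-empty values of the chosen 'Values Column' of an uploaded CSV,
    skipping the first row when the CSV is declared to have a header."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if has_header:
        rows = rows[1:]
    return [row[column].strip() for row in rows if len(row) > column and row[column].strip()]


def apply_upload(existing, uploaded, mode):
    """'add' appends the uploaded values to the current whitelist (duplicates dropped,
    an assumption); 'replace' overwrites it with the uploaded values."""
    if mode == "replace":
        return list(dict.fromkeys(uploaded))
    if mode == "add":
        return list(dict.fromkeys(list(existing) + list(uploaded)))
    raise ValueError("mode must be 'add' or 'replace'")


# Constructed sample upload: column 0 holds the device values, the first row is a header.
SAMPLE_CSV = """asset,owner
MacBookPro_0002,ddark
174.1.54.54,ops
173.1.54.100-173.1.54.130,lab
172.16.14.128/25,dc
"""

if __name__ == "__main__":
    devices = apply_upload([], load_csv_column(SAMPLE_CSV, 0, True), "replace")
    for probe in ["173.1.54.120", "173.1.54.131", "172.16.14.200", "MacBookPro_0002"]:
        print(probe, "->", is_whitelisted_device(probe, devices))
```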

Related products:Devo Behavior Analytics