See what's new in our products; check the updates below.
The Devo team has released the latest version of Devo SOAR! This product update combines two releases, M124 and M125. In these updates we have added 4 new JSON operators and 3 new integrations, updated existing integrations with new capabilities, and shipped bug fixes and enhancements. SOAR Automation is a key feature of Devo Intelligent SIEM: it lets you automate a large number of daily tasks and gives you back essential time for key investigations and hunts. First time with Devo SOAR? We have tutorials on the community to help you get started, as well as the rich Devo SOAR Documentation portal. Devo SOAR also has a guided playbook builder to interactively create a no-code automation!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

5 New JSON Operations
We are happy to introduce 5 new JSON Operations for use in SOAR Playbooks:
- addFieldInJSON
- extractFieldInJSON
- removeFieldInJSON
- replaceFieldInJSON
- parseJson

New Integrations added
- KnowBe4 is the world's largest integrated platform for security awareness training combined with simulated phishing attacks.
- Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero-trust principles to protect data.
- CyberArk EPM provides holistic endpoint protection to secure all endpoints and enforce least privilege without disrupting business.

Updated Features

Enhancements
- Run the action node when explicitly requested in the playbook.
- Updated the Download URL action in the File Tools integration to support custom headers while downloading.
- The Trend Micro Workload Security integration has added 6 new actions: List Scheduled Task, Create Scheduled Task, Describe Scheduled Task, Modify Scheduled Task, Delete Scheduled Task, Search Scheduled Task.
- Removed the Assistance mode functionality.
- The Shodan integration has added 17 new actions based on on-demand scanning and network alerts.

Bug Fixes
- The dynamic recipient field was not working when the form was added to a case. This is now fixed.
- Page number information was lost when opening the batch detail page and returning to the batch listing page. This is now fixed.
- Missing Jinja support for hostname in the Send Events action of the Devo integration. This is now fixed.
- Issue with the default limit in the Search IOCs action of the CrowdStrike Falcon Host (OAuth Based) integration. This is now fixed.
- Timestamp type-based timezone had rendering issues in easy mode. This is now fixed.
Hello everyone, the Exchange team has a new update for you with tons of great improvements, and Release 1.9 is no different! In this release, a new notification system has been implemented to let you know when an update is available for your installed OOTB content. Along with this new system, a new filter has been added to All Content so you can see all installed content with an available update, plus a new audit table and updated navigation. We have also improved performance for all users, with those on slower connections benefiting the most! Don't forget to visit the new Resources Portal, a single page for all your customer resources!

New Features

Update Notifications
Devo Exchange now has a notification center to let you know when updates are available for your installed Out-Of-The-Box content. Located at the top right of Devo Exchange, it lets you view individual notifications, jump to the content, or clear notifications. You can delete notifications individually or delete all notifications at once.

New Filter for All Content: "Update Available"
Open Devo Exchange and switch the primary filter from Discover to All Content; on the right you can now sort by Update Available. This filter orders content by Update Available first, then by relevance, so you can quickly review all the updates to installed content from one place.

New audit table added
All audit information for Devo Exchange in each domain is sent to this new table:

devo.internal.audit.logs

View and discover user navigations, content installs, and other statistics for your users.

Updated Navigation
To improve the navigation experience, installed content opened from Devo Exchange now launches in a new tab. This applies to activeboards, apps, lookups and alert sections. This way you can always return to where you were in Exchange, or continue to work in the launched resource in the new tab.

Additional Updates

Improved performance
Compression has been implemented in the loading process for items in Exchange. Users with fast connections will see some improvement in speed; users with slower connections will see a massive speed increase when loading Exchange content.
The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Parsers
- dmp.cohesity (documentation available)
- mail.all.threats (documentation in progress)
- waf.kemp (documentation available)

Updated Parsers (documentation available for all)
- proxy.zscaler
- cloud.office365
- box.win_nxlog
- cloud.azure
- firewall.juniper
- edr.all.threats
- casb.netskope
- firewall.cisco
- sig.cisco
- dhcp.all
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some Documentation pages may not be available at the time of posting, but they will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

New Collectors
- Colortokens xshield v1.0.0 (documentation available)
- Airlock Digital v1.0.0 (documentation available)
- Vectra 365 (documentation available)

Updated Collectors
- Microsoft Azure v2.0.0-beta6: this is a beta collector; the documentation will be available as soon as it is out of beta.
- Crowdstrike API resources v1.6.0 (documentation available)
- Cisco Meraki v1.6.0 (documentation available)
- CyberArk Identity v1.1.3 (documentation available)
- Salesforce v2.3.0 (documentation available)
- Qualys v2.1.0 (documentation available)
- Microsoft Graph v2.0.0 (documentation available)
- Tenable.IO v1.4.0 (documentation available)
- Taxii v1.1.0 (documentation available)
- Proofpoint on Demand v1.0.1 (documentation available)
- Office 365 Management 1.0.0: this collector was rebuilt from the ground up; see its documentation.
- Google Cloud Platform v1.6.0 (documentation available)
Hello everyone, the latest release of the Devo Platform is now live! Release 8.10.0 brings the new Scheduled Tasks functionality, a new complex type operation for Data Search, and a collection of UI and performance improvements. Scheduled Tasks let you set up the periodic execution of a query of your choosing at the time, date and frequency you want. Admins have this feature and can grant access through roles and permissions. The new complex operation type is the Tuple, which works like an array except that it does not convert its contents to the same type. Lastly, this update contains UI improvements and performance enhancements that you are going to love!

Availability: CA Released, US Released, EU Released, APAC Released

New Features

Scheduled Tasks
The first release of Scheduled Tasks is now available for all Devo users! This new feature lets you schedule the periodic execution of a query, with the query results automatically sent to defined email addresses as CSV files. It is enabled by default for Admin users and can then be granted to users of your choosing with the right roles and permissions. You will find the permissions under Admin -> Resources -> Scheduled Tasks.

Scheduled Tasks can be created with the following intervals:
- Daily: at a specific time of day.
- Weekly: on specified days of the week at a specific time of day.
- Monthly: on specified days of the month at a specific time of day.
- Yearly: on specified months of the year, on specified days of each month, at a specific time of day.

You can also set the query execution time period with two possible choices:
- Predefined Range ("Yesterday", "Last 7 days", ...)
- Custom Range period ("From", "To") using the Query API date syntax

Get all the details of Scheduled Tasks in our Documentation.

Data Search: New Complex Type operation added
The "tuple" complex type operation is now available for use! A tuple is an ordered collection of elements of any type (repeated or not). The difference between an array and a tuple is that in an array all the elements are internally converted to the same type, while in a tuple they are not: each tuple element retains its own type.

- mktuple or (): creates a tuple from elements. Syntax: mktuple(ele_1, …, ele_n) or (ele_1, …, ele_n)
- at or []: returns the n-th element of a tuple. Syntax: at(tuple, n) or tuple[n]
- at0: returns the first element of a tuple. Syntax: at0(tuple)
- at1: returns the second element of a tuple. Syntax: at1(tuple)
- atend: returns the last element of a tuple. Syntax: atend(tuple)
- add (+): concatenates two tuples. Syntax: add(tuple_1, tuple_2)

Additionally, you can use this complex type operation in Alerts and Lookups as well. Here is a great example of this new complex type in use:

from siem.logtrust.web.activity
// create a tuple with multiple types
select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
select (username, srcPort, ip4(srcHost), true) as tuple2
// some ways to select the first item from a tuple
select tuple[0] as first_item_from_tuple
select at(tuple, 0) as first_item_from_tuple2
select at0(tuple) as first_item_from_tuple3
// retrieve the last item from a tuple
select atend(tuple) as last_item_from_tuple
// concatenate two tuples
select tuple + tuple2 as tuple_concatenation
// it is possible to filter each item by its underlying data type
where tuple[0] -> "@"
where tuple[1] not in (ip4(95.63.39.51))
where atend(tuple) is true

Lookups with CIDR as key: first release
As part of a multi-step release for this functionality, Lookups now recognize 3 new key types: ipv6, net4, net6.

Nested Annotations for Alerts
You are now able to reply to existing annotations in Alerts, as well as edit and delete your own annotations. View the detailed options in our Documentation.

New Auditing Table for Alert Annotations
The devo.audit.alert.triggered table was added to audit actions concerning annotations. View the details of the new table in our Documentation.

New Rolling and Each Alerts with Subqueries parameter limits
A restriction has been implemented for rolling-type alerts and each-type alerts with subqueries, to prevent excessively frequent queries over short periods of time. A maximum ratio of 120 is enforced between period and frequency. For example, for Each Alerts with Subqueries:
- Valid ratio: external offset 1m, internal period 2h (= 120m) -> 120/1 = 120
- Valid ratio: external offset 2h, internal period 5d (= 120h) -> 120/2 = 60
- Invalid ratio: external offset 1m, internal period 3h (= 180m) -> 180/1 = 180
See the full description and examples for Each Alerts with Subqueries, and for Rolling Alerts with Subqueries, in our Documentation.

New information included in Alerts Details window
The Alerts details window in the triggered Alerts area now shows the timezone as well as the specific settings corresponding to the triggering method used, when configured.

Additional Improvements
- Improved messaging in Data Search
- Adjusted spacing in Roles page UI
- Alerts Filter by Name enhanced with a multi-selection dropdown containing all available options
- Adjusted text boxes and descriptions in Roles Mapping UI
- Redesigned the filter results message when no results are found in Roles Mapping UI
- Flow now accepts HTTP codes greater than 599
- Performance improvements
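To check alert configurations against this ratio rule before saving them, here is an added example (not part of the release notes or of the Devo product): it parses the duration strings used in the examples above and flags any period/offset ratio above 120. The m/h/d suffixes, the function names and the choice of minutes as the base unit are assumptions of this example.

```python
import re

# Maximum allowed ratio between internal period and external offset,
# as stated in the Release 8.10.0 notes for alerts with subqueries.
MAX_RATIO = 120

# Unit multipliers to minutes. Only the units that appear in the release
# notes' examples (m, h, d) are assumed here; the suffix syntax is an
# assumption of this example, not taken from Devo documentation.
_UNIT_MINUTES = {"m": 1, "h": 60, "d": 24 * 60}
_DURATION_RE = re.compile(r"^(\d+)\s*([mhd])$")


def to_minutes(duration: str) -> int:
    """Convert a duration such as '1m', '2h' or '5d' to whole minutes."""
    match = _DURATION_RE.match(duration.strip().lower())
    if not match:
        raise ValueError(f"unsupported duration: {duration!r}")
    value, unit = int(match.group(1)), match.group(2)
    if value <= 0:
        raise ValueError("duration must be positive")
    return value * _UNIT_MINUTES[unit]


def period_offset_ratio(external_offset: str, internal_period: str) -> float:
    """Ratio of the internal period to the external offset, both as durations."""
    return to_minutes(internal_period) / to_minutes(external_offset)


def is_valid_subquery_alert(external_offset: str, internal_period: str) -> bool:
    """True when the period/offset ratio does not exceed MAX_RATIO."""
    return period_offset_ratio(external_offset, internal_period) <= MAX_RATIO


def check_cases(cases):
    """Evaluate (offset, period) pairs; returns a list of (ratio, valid) tuples."""
    return [(period_offset_ratio(o, p), is_valid_subquery_alert(o, p)) for o, p in cases]


if __name__ == "__main__":
    # The three examples from the release notes: two valid, one invalid.
    for offset, period in [("1m", "2h"), ("2h", "5d"), ("1m", "3h")]:
        ratio = period_offset_ratio(offset, period)
        state = "valid" if is_valid_subquery_alert(offset, period) else "invalid"
        print(f"offset {offset}, period {period}: ratio {ratio:g} -> {state}")
```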
Devo's product team is happy to present the latest version of our integrated UEBA, Behavior Analytics! Devo Behavior Analytics 1.9 introduces a new step in the configuration process for the definition of whitelists. It lets users enter the Users, Devices and Domains they want whitelisted during the creation process, and the process is significantly improved by the ability to upload CSV lists to your whitelists as well! Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page.

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

Whitelist functionality
Whitelisting is critically important for behavior analytics models: it removes well-known or noisy entities from detection so that the true threat, which lingers as a change in behavior, can be found. Each section of the new Whitelist step is explained below:
- Users: displays all the users currently whitelisted from the current use cases. Users can also be entered manually in the text box or uploaded via CSV. Users are all direct-match string values. Example users: David Dark, david.dark@shadydealings.com, Ddark.
- Devices: displays all the devices currently whitelisted from the current use cases. Devices can also be entered manually in the text box or uploaded via CSV. Devices can be hostnames, IP addresses, ranges of IP addresses and CIDR blocks. Example devices: Hostname: MacBookPro_0002; IP address: 174.1.54.54; IP address range: 173.1.54.100-173.1.54.130; CIDR block: 172.16.14.128/25.
- Domains: displays all the domains currently whitelisted from the current use cases. Domains can also be entered manually in the text box or uploaded via CSV. Domains are all direct-match string values. Example domain: poc.shadydealings.com.

Note: User, Device and Domain whitelists are included in each use case whether or not those entity types are present in the use case. If the use case does not include one of the entity types, a warning message is displayed.

Upload Whitelist CSV
The Upload CSV section enables users to take a CSV they have from another tool, or from lookups within Devo, and upload it. The upload section provides a couple of tools to make working with CSVs easier:
- The CSV can be dropped in and previewed on screen.
- If the right column is not selected, use the "Values Column" drop-down to select the column to be added to the whitelist. Only one column can be selected at a time, but multiple uploads can be used to add multiple columns from the same CSV.
- The user can also specify whether the CSV has a header row; if so, the first row of the CSV file is ignored when adding it to the whitelist.
- The last option is to add to or replace the existing whitelist with the uploaded contents: with Add, all the values are appended to the whitelist; with Replace, the entire whitelist is overwritten by the uploaded values.

Haven't tried Behavior Analytics yet? You should, it is part of the Devo Platform! Let us know what you think below!
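As an added illustration (not Devo's code), the example below models the whitelist semantics described above: users and domains as direct-match strings; devices as hostnames, single IPs, inclusive IP ranges or CIDR blocks; and the CSV upload options (values column, header row, add vs. replace). The entries reuse the release notes' example values; the function names, the constructed CSV and the matching rules are this example's own assumptions.

```python
import csv
import io
import ipaddress

# Constructed whitelist using the example values from the release notes.
# The matching semantics below (exact match for users and domains; address
# containment for device ranges and CIDR blocks) are this example's
# assumption, not a description of how Behavior Analytics evaluates them.
USERS = {"David Dark", "david.dark@shadydealings.com", "Ddark"}
DOMAINS = {"poc.shadydealings.com"}
DEVICE_ENTRIES = [
    "MacBookPro_0002",             # hostname
    "174.1.54.54",                 # single IP address
    "173.1.54.100-173.1.54.130",   # IP address range (inclusive)
    "172.16.14.128/25",            # CIDR block
]

# Constructed CSV as another tool might export it: header row plus two records.
SAMPLE_CSV = "hostname,ip\nMacBookPro_0002,174.1.54.54\nlaptop-77,10.0.0.5\n"


def parse_device_entry(entry):
    """Classify an entry as ('net', network), ('range', (lo, hi)) or ('host', name)."""
    entry = entry.strip()
    try:
        if "/" in entry:
            return "net", ipaddress.ip_network(entry, strict=False)
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version == hi.version and lo <= hi:
                return "range", (lo, hi)
        else:
            return "net", ipaddress.ip_network(entry)  # single address -> /32
    except ValueError:
        pass  # not an address form (e.g. "laptop-77"): treat as a literal hostname
    return "host", entry


def device_whitelisted(device, entries=DEVICE_ENTRIES):
    """True if `device` (a hostname or an IP address) is covered by any whitelist entry."""
    device = device.strip()
    try:
        addr = ipaddress.ip_address(device)
    except ValueError:
        addr = None  # a hostname: only exact hostname entries can match it
    for kind, value in map(parse_device_entry, entries):
        if kind == "host":
            if addr is None and device == value:
                return True
        elif addr is None:
            continue
        elif kind == "net" and addr in value:
            return True
        elif kind == "range" and value[0].version == addr.version and value[0] <= addr <= value[1]:
            return True
    return False


def user_whitelisted(user, users=USERS):
    """Users and domains are direct-match strings, so this is an exact, case-sensitive lookup."""
    return user.strip() in users


def load_whitelist_csv(text, column, has_header):
    """Extract one column (by index, like 'Values Column') from an uploaded CSV."""
    rows = list(csv.reader(io.StringIO(text)))
    if has_header:
        rows = rows[1:]  # the header row is ignored when the option is set
    return [row[column].strip() for row in rows if len(row) > column and row[column].strip()]


def merge_whitelist(existing, uploaded, replace):
    """Replace overwrites the whitelist; Add appends new values (deduplicated, order kept)."""
    merged = [] if replace else list(existing)
    for value in uploaded:
        if value not in merged:
            merged.append(value)
    return merged


if __name__ == "__main__":
    for probe in ["173.1.54.120", "173.1.54.131", "172.16.14.200", "MacBookPro_0002", "laptop-77"]:
        print(f"{probe}: whitelisted={device_whitelisted(probe)}")
    uploaded = load_whitelist_csv(SAMPLE_CSV, column=1, has_header=True)
    print(merge_whitelist(DEVICE_ENTRIES, uploaded, replace=False))
```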
The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available. If you require a new parser, please open a support ticket through the support portal.

New Parsers
- box.ibm (documentation available)
- cef0.aruba (documentation in progress)
- cef0.cisco (documentation available)
- cef0.skyhighSecurity (documentation available)
- epm.beyondtrust (documentation in progress)
- proxy.oclc (documentation available)
- siem.devo (documentation in progress)

Updated Parsers (documentation available for all)
- cloud.azure
- edr.cisco
- endpoint.symantec
- firewall.all.traffic
- firewall.cisco
- firewall.uniper
- sase.paloalto
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some Documentation pages may not be available at the time of posting, but they will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone!

New Collectors
- Rapid7 InsightVM Cloud v1.0.0 (documentation available)

Updated Collectors
- AWS v1.8.2 (documentation available)
- Microsoft Graph v2.0.0-beta2 (documentation available)
- Microsoft Defender ATP Endpoint v1.2.0 (documentation available)
- Rubrik v1.1.2 (documentation available)
- Cisco Umbrella S2 v1.2.0 (documentation available)
- Wiz v1.6.1 (documentation available)
- Okta v1.8.1 (documentation available)
- Azure v2.0.0-beta3 (documentation available)
- CyberArk Identity v1.1.2 (documentation coming soon)
- Extrahop Revealx v1.2.0 (documentation available)
- AWS SQS v1.2.0 (documentation available)
The MITRE ATT&CK Adviser is your alert coverage command center, and this new release brings with it more capabilities for you to manage your alert coverage. This release is available now for all geos! New in this release is the ability to update alerts! We are always updating our alerts with the latest detections, and you can already update them from Devo Exchange or Security Operations; now you can update them from the Adviser as well! With this update you will also be able to compare the old and updated alerts. We have also added bulk actions to enable and disable groups of alerts. Managing your alert coverage has never been easier!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

Update Alerts in the Adviser
Alerts provided by Devo are constantly kept up to date with the latest MITRE ATT&CK versions, parser field changes, query operators, etc. These changes are pushed to Devo domains periodically to ensure that our customers are making use of the latest and greatest our platform has to offer in their detection stack. The ability to update alerts to these latest versions is present in Devo Exchange and Security Operations, and now, with the latest release of the MITRE ATT&CK Adviser, users can update the alerts in their existing coverage as well.

Compare Alert Contents
We provide a view of the difference between the old alert and the new alert, giving the user confidence about the changes the update will make to their Devo domain.

New Bulk Actions Added
The MITRE ATT&CK Adviser now includes additional bulk actions for alerts within the Alert coverage table. Today the application allows users to bulk install and uninstall alerts; with this release users can also bulk enable and disable alerts, which controls whether those alerts trigger.

If you haven't installed the MITRE ATT&CK Adviser, get it for free from Devo Exchange (quick links: US Exchange, CA Exchange, EU Exchange, APAC Exchange).
Hello everyone, the latest release of the Devo Platform is now live! Release 8.9.0 expands the availability of the TimeLine widget first introduced in Release 8.7.0 with the new Alerts page. We have also created additional enhancements to the default activeboard loading process, giving you full control over which activeboard gets loaded on launch. The next enhancement adds more control over your widgets by adding new running operations at the widget level. Finally, we have improved user interactions in the activeboard contextual menus. These Activeboard improvements help speed up and empower your visualization of your data!

Geo Availability: CA Released, US Released, EU Released, APAC Released

New Features

TimeLine Widget
The popular Timeline widget introduced in the Alerts page revamp of Release 8.7.0 is now available for you to use in your own Activeboards! The Timeline widget is a graphic representation of items sequenced in chronological order along a time line. This chart lets you monitor how dated items are located over time.

Features:
- The time line is represented by a horizontal axis from left (oldest) to right (most recent).
- 2 item types:
  - Date: items that represent data at a specific date or point in time.
  - Duration: items that represent data with a specific "from … to" duration.
- Item groups can be used to visually group selected items. Groups and subgroups are represented on the vertical axis.
This new widget has many customization options covered in our documentation (link to follow when the doc pages are released).

Running operations at the widget level
We have added running operations at the widget level to improve performance even further. These new operations are accessible through new clickable icons located at the right side of the widget header.
- Real-time allows the user to run the widget query in real-time mode.
- Refresh allows the user to run the widget query again.
- Abort allows the user to stop a widget query that is currently running.

Enhancements

Enhanced Activeboard loading behavior on open
Opening the Activeboard section is now an easier and faster process to navigate and use. This update adds new behaviors for opening the Activeboard page depending on whether you have a default Activeboard selected:
- Default Activeboard set: the default Activeboard is loaded.
- No default Activeboard set: the Activeboard manager opens and the user can choose which one to load.

Activeboard Menu options improved
The contextual menus now enable the following in edit mode:
- Edit details
- Clone
- Delete

Documentation pages are coming online shortly. This is a release preview until the release date and it is subject to change. Release date is April 02, 2024.
The Devo team has released the latest version of Devo SOAR! This release includes new enhancements to existing features as well as critical bug fixes. Devo SOAR has a large library of automations and integrations to fit all your needs. SOAR Automation is a key feature of Devo Intelligent SIEM: it lets you automate a large number of daily tasks and gives you back essential time for key investigations and hunts. We have tutorials on the community to help you get started, as well as the Devo SOAR Documentation. You can also use the guided playbook builder to interactively create a no-code automation!

Enhancements

2 New Actions for Microsoft Defender for Endpoint
You can now do more with this automation with these new actions:
- Get Live Response Results
- Run Live Response Action

Bug Fixes

CrowdStrike Falcon Host (OAuth Based)
Fixed an error with the default limit set in the Search IOCs action.
We're thrilled to announce the latest updates and additions to our alerting system with Release 24. This release introduces a significant enhancement to our SIEM detection framework, focusing on improving threat detection accuracy and simplifying threat hunting for users. The key highlights of this release are the introduction of a new alert, SecOpsWinDnsExcessiveEmptyOrRefusedQueries, and the migration of existing alerts to the Devo Cyber Data Model, a common information model designed to streamline threat investigation processes. To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. There you can search for the detection name and manage your alerts. To update or install new alerts, visit Devo Exchange.

New Detections

SecOpsWinDnsExcessiveEmptyOrRefusedQueries
A new alert has been added to detect instances of excessive empty or refused DNS queries on Windows systems. This alert aims to provide proactive detection of potential malicious activity related to DNS, enhancing overall threat visibility.
- Detection: SecOpsWinDnsExcessiveEmptyOrRefusedQueries
- Description: Detects excessive empty or refused Windows DNS queries, a possible sign of DNS tunneling. The threshold for the excessive query count should be modified to suit organizational needs.
- Devo Tables / Data Source / Category: dns.windows
- Changes made: New Alert

Updated Detections

Migration to Devo Cyber Data Model
Existing alerts have been migrated to the Devo Cyber Data Model. This migration aims to standardize data representation across alerts, facilitating easier correlation and analysis of threat data.
Users can now benefit from a unified schema for conducting comprehensive threat investigations.
istryModificationDisableTaskmgrSecOpsWinRegistryModificationGlobalFolderOptionsSecOpsWinRegistryModificationHideClockGroupPolicyFeatureSecOpsWinRegistryModificationHideSCAHealthSecOpsWinRegistryModificationHideSCANetworkSecOpsWinRegistryModificationHideSCAPowerSecOpsWinRegistryModificationHideSCAVolumeSecOpsWinRegistryModificationIExplorerSecZoneSecOpsWinRegistryModificationNewTrustedSiteSecOpsWinRegistryModificationNoDesktopGroupPolicySecOpsWinRegistryModificationNoFindGroupPolicyFeatureSecOpsWinRegistryModificationPowershellLoggingDisabledSecOpsWinRegistryModificationRunKeyAddedSecOpsWinRegistryModificationStoreLogonCredSecOpsWinRegistryQuerySecOpsWinRemoteSystemDiscoverySecOpsWinRunasCommandExecutionSecOpsWinSamStoppedSecOpsWinScheduledTaskCreationSecOpsWinSchtasksForcedRebootSecOpsWinSchtasksRemoteSystemSecOpsWinSensitiveFilesSecOpsWinServiceCreatedNonStandardPathSecOpsWinShadowCopyDetectedSecOpsWinSmtpExfiltrationSecOpsWinSpoolsvExeAbnormalProcessSpawnSecOpsWinSuspiciousExternalDeviceInstallationSecOpsWinSuspiciousWritesToRecycleBinSecOpsWinSysInfoGatheringUsingDxdiagSecOpsWinSysInternalsActivityDetectedSecOpsWinSysTimeDiscoverySecOpsWinTFTPExecutionSecOpsWinUserAddedPrivlegedSecGroupSecOpsWinUserAddedSelfToSecGroupSecOpsWinUserAddedToLocalSecurityEnabledGroupSecOpsWinUserCreationAbnormalNamingConventionSecOpsWinUserCredentialDumpRegistrySecOpsWinWMIPermanentEventSubscriptionSecOpsWinWMIReconRunningProcessOrSrvcsSecOpsWinWebclientClassUseSecOpsWinWifiCredHarvestNetshSecOpsWinWmiExecVbsScriptSecOpsWinWmiLaunchingShellSecOpsWinWmiProcessCallCreateSecOpsWinWmiScriptExecutionSecOpsWinWmiTemporaryEventSubscriptionSecOpsWinWmiprvseSpawningProcessSecOpsMoveitWebShellSecOpsWinDnsExcessiveEmptyOrRefusedQueries
Hello everyone, the latest Devo Platform release is here! Release 8.8.20 brings a whole host of updates for Alerts! Starting with the new triggered Alerts details page, increasing the number of actions you can take from one location. Next we have a new capability to find Alerts by Alert ID with the newly integrated ID search feature. The Alerts type field has received new values to better match the creation of the alert. A new field called “info” was added to the audit table devo.audit.alert.definition, as well as a new audit table for Alert triggered operations. Find the full details of this release in this article.

Geo Availability
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
- New Features
  - New Triggered Alerts Details page
  - Search by Alert ID
  - Redefined Type field when Grouping Alerts
  - New “info” field added to audit table devo.audit.alert.definition
  - New audit table devo.audit.alert.triggered
- Bug Fixes
  - Alert Bug Fixes
  - Flow Bug Fixes

New Features

New Triggered Alerts Details page
This functionality is launched from the triggered alert ID and opens the alert in full detail. This new page is available even if the alert is grouped. The new page has 2 tabs:
- Overview tab: Alert details management
- Annotations tab: Alert annotations management

Search by Alert ID
A new search box was added to the Triggered Alert page to allow you to search by full or partial Alert ID. Find your alerts quickly with this new feature!

Redefined Type field when Grouping Alerts
Rebuilt for clarity of purpose: when grouping alerts you now get new options in the type field that better match the actions being taken.
Old Type Values | New Type Values
api_custom | each
default | several
custom | low
etcetera | gradient
deviation | rolling
generic |

New “info” field added to audit table devo.audit.alert.definition
A new JSON field “info” has been added to this audit table and will include the JSON corresponding to the Alert request operations, containing:
Operation | Content
Creation | Entire JSON of the Alert creation request
Edit | Entire JSON of the Alert editing request
Enable/Disable | An empty JSON
Deletion | An empty JSON
Here is how it looks:

New audit table devo.audit.alert.triggered
This new audit table is now available in all domains. In it the System will log (for audit purposes) all the user activities related to triggered Alert operations made in the domain. The table will have the same structure as “devo.audit.alert.definition”, except that the “info” field will now contain only the changed value. The tracked changed values are:
- Triggered Alert Status
- Triggered Alert Priority
- Triggered Alert Delete

Bug Fixes

Alert Bug Fixes
- Fixed alert creation/cloning when the Alerts running limit is reached
- Fixed error when clicking “go to query” on Monitoring Alerts

Flow Bug Fixes
- Fixed duplicated triggered alerts after restart
- Fixed alert recovery after upgrading flow
- Fixed null creation date on some contexts
The Devo team has released the latest version of Devo SOAR! This release includes new automations, enhancements to existing features as well as critical bug fixes. Devo SOAR has a large library of automations and integrations to fit all your needs. SOAR Automation is a key feature of Devo Intelligent SIEM, allowing you to automate a large number of daily tasks and give you back essential time to perform key investigations and hunts. We have tutorials on the community to help you get started as well as Devo SOAR Documentation. You can also use the guided playbook builder to interactively create a no-code automation!

Table of Contents
- New Integration
  - Integration for Apivoid
- Feature Enhancements
  - New actions for Virus Total
- Bug Fixes

New Integration

Integration for Apivoid
Apivoid provides JSON APIs useful for cyber threat analysis, threat detection, and threat prevention, reducing and automating the manual work of security analysts.

Feature Enhancements

New actions for Virus Total
The Virus Total integration has had two new actions added:
- File Behavior Reports
- Summarize File Behavior Reports

Bug Fixes
- Fixed being unable to replace a Custom Integration in Playbook import.
- Removed the Json type from the allowed field type changes in Case Field.
The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available. If you require a new parser, please open a support ticket through the support portal located here.

Table of Contents
- New Parsers
  - soar.devo
  - cef0.pcysys
  - cef0.cyberark
  - itdr.oort
  - storage.huawei
  - dlp.cososys
  - seg.checkpoint
  - mail.all.messages
  - cloud.rubrik
- Updated Parsers
  - cloud.aws
  - cloud.alibaba
  - cloud.azure
  - waf.f5
  - firewall.paloalto
  - web.all.access
  - devo.ea
  - proxy.all.access
  - box.all.win
  - network.vmware
  - db.oracle
  - mail.darktrace
  - vuln.beyondtrust
  - iam.sailpoint
  - auth.jumpcloud
  - casb.microsoft_defender
  - entity.behavior
  - dns.bind
  - firewall.cisco
  - firewall.velocloud
  - firewall.all.webfilter
  - firewall.juniper
  - network.dell

New Parsers
- soar.devo: Link to Documentation
- cef0.pcysys: Link to Documentation
- cef0.cyberark: Documentation in progress
- itdr.oort: Link to Documentation
- storage.huawei: Link to Documentation
- dlp.cososys: Link to Documentation
- seg.checkpoint: Link to Documentation
- mail.all.messages: Documentation in progress
- cloud.rubrik: Link to Documentation

Updated Parsers
- cloud.aws: Link to Documentation
- cloud.alibaba: Link to Documentation
- cloud.azure: Link to Documentation
- waf.f5: Link to Documentation
- firewall.paloalto: Link to Documentation
- web.all.access: Link to Documentation
- devo.ea: Link to Documentation
- proxy.all.access: Link to Documentation
- box.all.win: Link to Documentation
- network.vmware: Link to Documentation
- db.oracle: Link to Documentation
- mail.darktrace: Link to Documentation
- vuln.beyondtrust: Link to Documentation
- iam.sailpoint: Link to Documentation
- auth.jumpcloud: Link to Documentation
- casb.microsoft_defender: Link to Documentation
- entity.behavior: Link to Documentation
- dns.bind: Link to Documentation
- firewall.cisco: Link to Documentation
- firewall.velocloud: Link to Documentation
- firewall.all.webfilter: Link to Documentation
- firewall.juniper: Link to Documentation
- network.dell: Link to Documentation
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone!

Table of Contents
- New Collectors
  - Fastly Next-Gen WAF v1.0.0
  - Extrahop Reveal(x) v1.1.0
  - Mulesoft Anypoint v1.0.0
  - Cisco Amp v1.0.0
- Updated Collectors
  - ServiceNow API v1.4.0
  - Microsoft Defender Cloud Apps v1.3.0
  - Thinkst Canary v1.1.0
  - Microsoft Azure v2.0.0-beta1
  - Akamai SIEM Collector v2.1.0
  - Wiz v1.5.0
  - AWS SQS v1.1.1
  - Salesforce v2.2.0
  - Proofpoint Tap v2.2.1
  - Netskope Web Transaction Events v1.0.0b1
  - Cisco Umbrella v1.1.0
  - AWS v1.8.2
  - Microsoft Graph v2.0.0-beta2

New Collectors
- Fastly Next-Gen WAF v1.0.0: Link to Documentation (Documentation in progress.)
- Extrahop Reveal(x) v1.1.0: Link to Documentation
- Mulesoft Anypoint v1.0.0: Link to Documentation
- Cisco Amp v1.0.0: Link to Documentation

Updated Collectors
- ServiceNow API v1.4.0: Link to Documentation
- Microsoft Defender Cloud Apps v1.3.0: Link to Documentation
- Thinkst Canary v1.1.0: Link to Documentation
- Microsoft Azure v2.0.0-beta1: Link to Documentation
- Akamai SIEM Collector v2.1.0: Documentation in Progress
- Wiz v1.5.0: Link to Documentation
- Jumpcloud v1.3.1
- AWS SQS v1.1.1: Link to Documentation
- Salesforce v2.2.0: Link to Documentation
- Proofpoint Tap v2.2.1: Link to Documentation
- Netskope Web Transaction Events v1.0.0b1: Documentation in progress
- Cisco Umbrella v1.1.0: Link to Documentation
- AWS v1.8.2: Link to Documentation
- Microsoft Graph v2.0.0-beta2: Link to Documentation
Devo’s product team is happy to present the latest version of our integrated EUBA, Behavior Analytics, to you! In this release, the team delivers Entity Timeline improvements to help you emphasize the most essential information about an entity’s risk. Additionally, in this update, the team delivered a collection of dashboard improvements, including the data search pivot, the entity risk group edit page, improved error handling, and UI optimizations. Devo Behavior Analytics is included in the Intelligent SIEM package and can help you quickly uncover anomalous user and entity behavior! Read more on our main page here.

Geo Availability:
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
- Improvements
  - Entity Timeline
  - Dashboard

Improvements

Entity Timeline
The Entity Timeline layout has been improved to emphasize the most essential information about an entity’s risk. You can now select the most relevant parts of an entity’s timeline to get a deeper understanding of what is driving the risk score. Users can also use the entity metrics count to filter the graph and timeline. Drill down into all necessary risky event details from a single screen:

Dashboard
The Behavior Analytics dashboard has been enhanced with the following features and fixes:
- Data Search Pivot - The alert data search pivot now isolates to the specific entities that were involved in the alert.
- Entity Risk Group Edit page - The entity risk page is better configured to manage large lists.
- UI Optimization - Improved responsiveness to common user workflows across the entire application with API and UI performance improvements.
- Improved Error Handling - Fixed several alert notification error scenarios around bad data inputs for alert priority, lookup errors, etc.
We're thrilled to announce the latest updates and additions to our alerting system with Release 23. This release brings enhancements to alert logic and improved summaries, and introduces new alerts to bolster your security operations. To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.

Table of Contents
- Improved Alerts:
  - SecOpsWinUserAddedToLocalSecurityEnabledGroup
  - SecOpsLinuxIrregularLoginSsh
  - SecOpsO365AuthExcessiveFailedLoginsSingleSource
  - SecOpsO365ImpossibleTravel
- New Alerts:
  - SecOpsSlackPossibleSessionHijacking
  - SecOpsWinPowerSettings for MITRE Technique T1653

Improved Alerts:

SecOpsWinUserAddedToLocalSecurityEnabledGroup:
- Enhanced alert logic for detecting user additions to local security-enabled groups on Windows systems.
- Improved summary for better understanding and faster response.

SecOpsLinuxIrregularLoginSsh:
- Updated alert logic to identify irregular login activities via SSH on Linux systems.
- Refined summaries to provide clearer insights into potential security threats.

SecOpsO365AuthExcessiveFailedLoginsSingleSource:
- Updates to the mmcity operation for Office 365 authentication alerts related to excessive failed logins from a single source.
- Streamlined summaries to facilitate quicker identification of suspicious activities.

SecOpsO365ImpossibleTravel:
- Revised alert logic for Office 365 impossible travel scenarios.
- Improved operation of mmcity for more accurate detection.
- Enhanced summaries to highlight impossible travel incidents effectively.

New Alerts:

SecOpsSlackPossibleSessionHijacking:
- Introducing a new alert to detect potential session hijacking in Slack environments.
- Monitors for suspicious activities indicating unauthorized access to Slack accounts.
- Provides detailed insights into possible session compromise for swift remediation.

SecOpsWinPowerSettings for MITRE Technique T1653:
- Brand new alert targeting MITRE technique T1653, focusing on Windows power settings manipulation.
- Alerts on suspicious changes to power settings indicative of potential adversary actions.
- Enables proactive defense against tactics aiming to manipulate power configurations for malicious purposes.

Stay vigilant with these upgraded alerts and leverage the new additions to strengthen your security posture. For further details, consult the documentation or reach out to our support team for assistance. Upgrade to Release 23 now and fortify your defenses against evolving threats.
Hello everyone, the latest Devo Platform release is here! Release 8.8.16 brings you a wide variety of changes to streamline and speed up your workflow with the Devo Platform. Starting with a new streamlined Support Access, you now go directly to the Support portal to get the most flexibility for your ticket creation and content access. The Preferences and Current Queries pages have been sped up dramatically. Activeboards have received a lot of improvements, with optional widget loading, an improved autocomplete editor, and a new sorting workflow. We have also improved the Lookup creation experience! Read on to learn about all the changes in this update.

Geo Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
- New Features
  - Streamlined Support Access
  - Activeboards optional widget loading
- Updated Features
  - Alerts creation form update
  - Activeboard editor improved
  - Activeboard default sorting removed
  - Automatically retry when Search returns a recoverable error in Data Search
  - Improved Data Search with new max visible columns
  - Improved Create Lookup Experience
- Performance Improvements
- Bug Fixes

New Features

Streamlined Support Access
We are streamlining Support access across the Devo Ecosystem to create a better experience for all parties. The Support portal is now your direct access to create, manage and view your case history, and this is now reflected on the Devo Platform.

Activeboards optional widget loading
Performance is a key value in Devo, and we know that sometimes Activeboards are so detail rich that they may take longer than optimal to load all those widgets. With this update you can individually disable the launch of any widget in your Activeboard. This will reduce system resource load as well as loading times for said Activeboard. You gain greater control of your widgets and faster access to critical information.

Updated Features

Alerts creation form update
The default setting for “Include all fields” in each Alert Create form has been reversed, and the help info has been expanded with complete information.

Activeboard editor improved
Build your activeboards faster with a new autocomplete feature for the activeboard editor!

Activeboard default sorting removed
Normally, when a Table widget is loaded for the first time, the rows are automatically sorted by eventdate. With this update, no sorting algorithm will be applied to the rows regardless of the sort used in the query. Rows will be displayed in the order they are received (possibly by eventdate, but not guaranteed). After loading, the user can define specific sorting choices through the column headings.

Automatically retry when Search returns a recoverable error in Data Search
Users will no longer be blocked by the message “Absent Data” in Data Search; the system will automatically retry the action 4 times.

Improved Data Search with new max visible columns
A new limit on opening searches with more than 50 visible columns will improve the experience and stability of Data Search. Throughout our ecosystem, 95% of tables have fewer than 50 columns. The team will work with clients on any existing tables in that 5% range.

Improved Create Lookup Experience
When loading a CSV Lookup, all whitespace at the start/end of a Lookup column name will be automatically removed. When creating a lookup, any manually typed extra spaces at the start/end will prompt an error message letting you know where the extra whitespace is before Lookup creation.

Performance Improvements
Preferences pages and Current Queries page performance has been significantly improved through internal code changes to increase the loading speeds.

Bug Fixes
- Blank page in “Search History” when user has only “Finders” permission
- “Go to Query” in triggered alerts displays a blank page in a use case
- Edit Alert form label
- Usage Analytics cache not taking into account timezones
- Aggregation task creation “Real-Time” value always displayed as unchecked
- Loxcope wizard incorrect translation when filtering null values
Hello everyone, the Exchange team has a new update for you with tons of great improvements. Two years have passed since the launch of Devo Exchange, and our content library has grown from 30 to 220 releases!! This release focuses on improved performance, increasing response times and performance in all aspects of the platform. We have also updated the process of accessing Devo Exchange by using policies. This is a key update for MSSPs. The Alerts update process was also updated, so you can now choose which individual alerts to update from an Alert Pack. Read on to learn more about each of these updates!

Geo Availability
Region | Status
GovCloud | Released
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
- New Features
  - Updated Access Control
  - Unlock individual Alert updating
- Performance Improvements
- Additional User Experience updates

New Features

Updated Access Control
Exchange Access control was switched from roles to policies in this release. This means you now have more control as an admin to manage access to content on Devo Exchange. We added a Marketplace Management policy so Admins can choose to allow users to access and manage Exchange content, giving greater control.

Unlock individual Alert updating
With this update, you can now choose which alerts inside an Alert Pack to update. This significant change is instrumental in supporting alert coverage customization. Now when a new update is available for an Alert Pack, you will see the notification in the Exchange card and can choose to update only the alerts you are using. We have also introduced a DIFF tool to the update process that you can use to compare the code before updating the alert, bringing full transparency to the update process.

Performance Improvements
Growing from our humble beginnings of 30 titles to our current 220 titles is a huge leap in content. The system needed tuning to handle the significant growth of the last year. From top to bottom, we have recreated the underlying structure of Exchange to handle the current catalog and make sure the gains are scalable for all future iterations of the catalog. This results in consistently fast performance throughout your use of Devo Exchange.

Additional User Experience updates
Supporting improvements and informational updates throughout the application.
The Devo Platform team has delivered a large collection of upgrades for the underlying processes, resulting in overall platform performance improvements. This is part of our ongoing drive to increase speed and stability across the entire platform. Additionally, this release also adds a new workflow for Password Change, improves SSO handling, and fixes access to Usage Analytics for some customers with custom domain URLs. We are committed to continued improvements of the platform and more platform updates are on the way! Make sure you subscribe to Product Update to have this information delivered right to your inbox.

Geo Release Availability
Region | Status
CA | Released
US | Released
EU | Released
APAC | Released

Table of Contents
- Improvements
  - New Password Change workflow
  - Usage Analytics fix
  - SSO process improvements
- Performance Improvements

Improvements

New Password Change workflow
Users will now be redirected to the Login Page for the entire password change process for a better user experience.

Usage Analytics fix
For a few customers with custom domain URLs, you can now access Usage Analytics.

SSO process improvements
Additional checks have been added to the SSO process, as well as a new optimization pass for the entire process.

Performance Improvements
Improved a large number of underlying processes for better performance overall, as well as deployed vulnerability fixes.
The Devo Threat Research Team has published OOTB Alerts Release 22! This release, available now from the Security Operations Content Manager, provides 9 updated detections and 2 new alerts. This update introduces powerful enhancements to fortify and monitor your security infrastructure. To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.

This update features several key improvements:

New Alert: OS Credential Dumping
With our latest detection capabilities, we now provide a new alert designed to promptly identify instances of OS credential dumping. This critical security threat, often exploited by malicious actors, can compromise sensitive login credentials. By issuing alerts for potential credential dumping activities, our system empowers users to respond swiftly, minimizing the risk of unauthorized access.

New Alert: Detection for Traffic to Paste Bin
Recognizing the evolving threat landscape, we've incorporated detection mechanisms to monitor and flag traffic directed toward paste bin services. These platforms are frequently leveraged by adversaries for data exfiltration and sharing of sensitive information. By detecting suspicious activities related to paste bin usage, our system enables proactive intervention, safeguarding against unauthorized data dissemination.

Regex Optimized Improvements for Windows and Proxy Alerts
In this update, we've optimized regular expressions (regex) to enhance the accuracy and efficiency of Windows and proxy alerts. These improvements refine our detection capabilities, ensuring more precise identification of suspicious activities associated with Windows and Proxy servers. By fine-tuning regex patterns, we reduce false positives and provide users with actionable insights into potential security threats.

Updated Field Naming for Microsoft Office365 Detections
We've revamped field naming conventions for Microsoft Office365 detection to streamline data interpretation and analysis. This update ensures consistency and clarity in identifying and responding to security events within the Office365 environment. By aligning field names with industry standards, users can easily navigate and leverage insights from our detection system to bolster their Office365 security posture.

These updates reflect our commitment to continuously enhancing our detection capabilities, empowering users to stay ahead of emerging threats, and safeguarding their digital assets effectively.

New Detections
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsOsCredentialDumpingGsecdump | Detects execution of well-known credential dumping tools via service execution events. | box.all.win | New!
SecOpsProxyDataExfiltrationDetection | Monitors proxy logs for connections from internal IPs to paste or content aggregation sites. | proxy.all.access | New!

Updated Detections
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsAWSCreateloginprofile | Detects if a login has been performed by a user who has been created in the last 24hrs and checks if the user creation and the login have been performed from the same IP. This behavior could indicate a privilege escalation attempt. | cloud.aws.cloudtrail | Tuned subquery parameters
SecOpsO365PhishAttempt | Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. | cloud.office365.management | Updated based on window logging updates
SecOpsO365SusMailboxDelegation | Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules. | cloud.office365.management | Updated field naming
SecOpsREvilKaseyaWebShellsUploadConn | The REvil Ransomware hit 40 service providers globally due to multiple Kaseya VSA Zero-days; the attack was pushed out via an infected IT Management update from Kaseya. | proxy.all.access | Optimized regex
SecOpsHAFNIUMHttpPostTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. | web.all.access | Optimized regex
SecOpsHAFNIUMWebShellsTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | web.all.access | Optimized regex
SecOpsREvilKaseyaWebShells | The REvil Ransomware hit 40 service providers globally due to multiple Kaseya VSA Zero-days. The attack was pushed out via an infected IT Management update from Kaseya. | web.all.access | Optimized regex
SecOpsWinAdminRemoteLogon | Detects remote logins by an administrative user account. Administrative account names are tailored to the organization’s specific naming conventions. | box.all.win | Updated entity mapping
SecOpsWinIISWebRootProcessExecution | Detects the execution of a process from inside a web hosting directory, which can indicate that adversaries uploaded a malicious file to the web server and ran the file as a process. | box.all.win | Optimized regex

Subscribe to Product update to never miss an update!
The Devo Threat Research Team has published OOTB Alerts Release 21! This release, available now from the Security Operations Content Manager, provides 7 updated detections and 1 new alert. The updates focus on improved performance, easier installation and reduction in false positive results. If you are using these detections, this update is a must have! To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.

New Detection
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsO365OneDriveDownload | Detects a high volume of OneDrive activity. | CLOUD.OFFICE365.MANAGEME | New Alert!

Updated Detections
Name | Description | Devo Table/Data Source/Category | Change Log
SecOpsAccountsCreatedRemovedWithinFourHours | Detects user accounts that are created and deleted within a four-hour period. | box.all.win | Updated Alert Logic to reduce false positives
SecOpsFWRDPTrafficUnauthorized | Detects RDP traffic to hosts not within an allowed list. | firewall.all.traffic | Removed dependency for installation
SecOpsLinuxSuspciousExecutionCommand | Detects relevant commands often related to malware or hacking activity. | box.unix | Updated to reduce false positives
SecOpsCDHuntFWdstIpIsPossibleIoc | This search looks for Collective Defense matches in firewall data. | firewall.all.traffic | Field naming updates
SecOpsFWIcmpExcessivePackets | Since ICMP packets are typically very small, this alert will detect ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration. | firewall.all.traffic | Field naming updates
SecOpsFWTrafficOnUnassignedLowPort | Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic. | firewall.all.traffic | Field naming updates
SecOpsVNCPortOpen | Used to identify the default port for VNC connections. | firewall.all.traffic | Field naming updates

Subscribe to Product updates to stay informed about all updates from the Product Teams!
The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo’s amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available. If you require a new parser, please open a support ticket through the support portal located here.

Table of Contents
- Updated Parsers
  - proxy.zscaler
  - firewall.paloalto
  - auth.jumpcloud
  - av.mcafee
  - bms.humansecurity
  - auth.auth0
  - cloud.office365
  - box.win_winlogbeat
  - box.win_nxlog
  - box.devo_ea
  - dhcp.bluecat
  - vcs.gitlab
  - vuln.qualys
  - edr.crowdstrike
  - edr.darktrace
  - edr.cisco
  - cloud.aws
  - cloud.gsuite
  - crm.salesforce
  - casb.netskope
  - network.meraki
  - network.vmware
  - adn.f5
  - entity.behavior
  - cdn.cloudflare
  - cef0.fortinet
  - ras.beyondtrust
- Union Tables Updated
  - auth.all
  - firewall.all.traffic

Updated Parsers
- proxy.zscaler: Link to Devo Documentation
- firewall.paloalto: Link to Devo Documentation
- auth.jumpcloud: Link to Devo Documentation
- av.mcafee: Link to Devo Documentation
- bms.humansecurity: Link to Devo Documentation
- auth.auth0: Link to Devo Documentation
- cloud.office365: Link to Devo Documentation
- box.win_winlogbeat: Link to Devo Documentation
- box.win_nxlog: Link to Devo Documentation
- box.devo_ea: Link to Devo Documentation
- dhcp.bluecat: Link to Devo Documentation
- vcs.gitlab: Link to Devo Documentation
- vuln.qualys: Link to Devo Documentation
- edr.crowdstrike: Link to Devo Documentation
- edr.darktrace: Link to Devo Documentation
- edr.cisco: Link to Devo Documentation
- cloud.aws: Link to Devo Documentation
- cloud.gsuite: Link to Devo Documentation
- crm.salesforce: Link to Devo Documentation
- casb.netskope: Link to Devo Documentation
- network.meraki: Link to Devo Documentation
- network.vmware: Link to Devo Documentation
- adn.f5: Link to Devo Documentation
- entity.behavior: Link to Devo Documentation
- cdn.cloudflare: Link to Devo Documentation
- cef0.fortinet: Documentation in progress
- ras.beyondtrust: Link to Devo Documentation

Union Tables Updated
- auth.all: Link to Devo Documentation
- firewall.all.traffic: Link to Devo Documentation
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are ready. To request new Collectors, please open a support ticket through the Support Portal. To update an existing Collector, the CS and Support teams are working together to schedule update windows with everyone.

New Collectors:
AWS SQS v1.0.0
Fastly Next-Gen WAF v1.0.0b3 (documentation is being updated)

Updated Collectors:
Microsoft Defender Cloud Apps v1.2.0
Jumpcloud v1.2.2
Crowdstrike API v1.5.4
Proofpoint TAP v2.2.0
Akamai SIEM Collector v2.0.0b (documentation is being updated)
Cortex-XDR v1.2.0b (documentation is being updated)
Qualys v2.0.0 (documentation is being updated)
Google Workspace Reports v1.9.1 (formerly Gsuite Reports)
SentinelOne v1.5.0
Cybereason v1.3.0 (documentation is being updated)

Collectors not marked otherwise have their documentation page available on the Documentation portal.