See what's new in our product; check the updates below.
The Devo Collector team is happy to present the latest release of the Cloud Collector. Release 1.5.0 introduces significant enhancements to the Cloud Collector vertical application that give you greater visibility and control over your collector infrastructure. This release introduces a unified view of both self-service and legacy collectors within a single interface. You can now manage your full collector inventory, plan migrations of old collectors into the new infrastructure, and directly operate your ingestion architecture. Review your collectors with the Cloud Collector app, and if you still have older collectors, plan those migrations!

Geo Availability

Region | Status
CA     | Released
US     | Released
EU     | Released
APAC   | Released

Table of Contents
- New Features
  - Enhanced Collector Visibility
- Important Notes
  - Legacy Collector Functionality
  - Upgrade Path
- Benefits
  - Improved Operational Visibility
  - Streamlined Migration Planning
- Getting Started
- Support

New Features

Enhanced Collector Visibility

Unified Collector View
- View all your collectors in one centralized location
- Browse your existing legacy collectors directly within the application

For Legacy Collectors
- Current state: view-only access
- Post-upgrade: self-service capabilities are automatically enabled when the collector is upgraded
- Clear visual indicators distinguish legacy from self-service collectors

Important Notes

Legacy Collector Functionality
- Legacy collectors currently appear in read-only mode
- Management actions (start/stop/configure) are not available until the upgrade completes

Upgrade Path
- When legacy collectors are upgraded, they automatically inherit full self-service functionality
- Upgraded collectors integrate seamlessly with existing self-service workflows

Benefits

Improved Operational Visibility
- Single pane of glass for all collector infrastructure
- Comprehensive view of both current and legacy environments
- Enhanced capabilities for infrastructure modernization

Streamlined Migration Planning
- Clear visibility into the legacy collector inventory

Getting Started
1. Log in to your Cloud Collector application
2. Navigate to the main collectors dashboard
3. View your complete collector inventory with clear type indicators
4. Use the filtering options to focus on specific collector categories
5. Plan your legacy collector upgrades using the new visibility tools

Support
For questions about this release or assistance with legacy collector upgrades, please contact our support team or refer to the updated documentation in the Help section.
The Devo Security Alerts team has published OOTB Alerts Release 36! This release delivers improvements to 577 Out-of-the-Box (OOTB) alerts, representing the entire OOTB alert catalog available to you from Devo Exchange. Release 36 focuses on three themes: optimized query performance, integration of device data, and restructuring of mm2 operations to use the new functions. These updates provide more precise, faster, and actionable alerting, improving your overall security posture. To access this content, Devo Exchange has added easy-to-navigate notifications when updates to your installed alerts are available.

Changes included in this update:
- Rewritten Lookups & Optimized Queries: All 577 OOTB alerts now feature re-engineered lookup operations and optimized query performance (filtering before grouping).
- Integrated Device Data: Comprehensive device data is now included in all OOTB alerts, providing richer context for quicker and more effective investigation.
- Refactored mm2 Operations: The mm2 operations have been restructured to use the new operations released by the development team.
Sample of Alerts updated, by Class

Authentication
- SecOpsAuthPasswordSprayHost
- SecOpsAuthPasswordSprayIp
- SecOpsCDPossibleIocIpFoundInAuthData

AWS
- SecOpsAWSCreateloginprofile
- SecOpsAWSDetectStsAssumeRoleAbuse
- SecOpsAWSDetectUsersCreatingKeysWithEncryptPolicyWithoutMFA

Azure
- SecOpsAzureDevOpsAuditDisabled
- SecOpsAzureDevOpsPATMisuse
- SecOpsAzureDevOpsProjectVisibilityChanged

Google
- SecOpsGCPGCPloitExploitationFrameworkActivity
- SecOpsGCPGCSBucketEnumerated
- SecOpsGCPGCSBucketModified

Office365
- SecOpsActivityPerformedByTerminatedUserO365
- SecOpsAdministrativeActivityFromNonCorporateIPO365
- SecOpsAnomalousBehaviorDiscoveredUsersO365

Linux
- SecOpsLinuxCommandExecutionWebUser
- SecOpsLinuxCompressEncryptData
- SecOpsLinuxCurlExecution

DNS
- SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup
- SecOpsPossibleDnsEncodingQuery
- SecOpsREvilKaseyaDomainConnection

Firewall
- network/firewall/SecOpsFWPortScanExternalSource
- network/firewall/SecOpsFWPortScanInternalSource
- network/firewall/SecOpsFWPortSweepInternalSource

Proxy
- SecOpsLog4ShellVulnerabilityCloudAzure
- SecOpsLog4ShellVulnerabilityOverProxyConnections
- SecOpsMoveitPotentialNetworkActivityExploitation

EDR
- SecOpsHAFNIUMHashFoundFileTargetingExchangeServers
- SecOpsLog4ShellVulnerabilityOverCrowdStrike
- SecOpsMoveitWindowsEvtxFileCreation

Windows
- SecOpsDeletingMassAmountOfFiles
- SecOpsEnumerationFor3rdPartyCredsFromCli
- SecOpsFailLogOn
The Devo Parser is one of the secret spices of our unique Hyperstream technology. The parsers organize raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a large catalog of existing parsers. Our teams review parser performance, build new parsers, and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Parsers
- cloud.azure
- auth.all
- ids.calyptix
- proxy.calyptix
- network.meraki
- cloud.meraki
- box.win_snare
- box.all.win
- firewall.paloalto
- box.vmware
- cloud.alibaba
- firewall.barracuda
- cspm.sysdig.secure.event
- edr.all.threats
- firewall.cisco
- box.all.win
- network.hp

Updated Parsers

cloud.azure
- Added new field: cloud.azure.ad.signin_all

auth.all
- Updated: replaced the cloud.azure.ad.signin table with the cloud.azure.ad.signin_all union, which includes all Azure AD (Entra ID) sign-in tables

ids.calyptix
- Added new field: ids.calyptix.snort.alert

proxy.calyptix
- Added new field: proxy.calyptix.webfilter.event

network.meraki
- Added new fields: network.meraki.security_event, network.meraki.switch

cloud.meraki
- Added new field: cloud.meraki.api.changelog

box.win_snare
- Added missing fields: box.win_snare, box.win_snare.sysmon

box.all.win
- Added missing fields: box.all.win

firewall.paloalto
- Added support for the LEEF 2.0 format: firewall.paloalto.traffic

box.vmware
- Fixed parsing issue for UDP and ICMP logs: box.vmware.firewall_packet

cloud.alibaba
- Added missing fields: cloud.alibaba.log_service.access_log

firewall.barracuda
- Fixed the null values issue: firewall.barracuda.audit

cspm.sysdig.secure.event
- Created a new table: cspm.sysdig.secure.event

edr.all.threats
- New table added to the union: ids.wazuh.alerts
- New table added to the union: cef0.kaspersky.kasperskyEndpointSecurityForWindows

firewall.cisco
- Fixed parser to parse SFIMS events: firewall.cisco.fmc

box.all.win
- Added box.win_wincollect tables to support WinCollect

network.hp
- Fixed parsing issue for unsuccessful events: network.hp.switch.mgr, network.hp.switch.auth
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Collectors
- Crowdstrike Api collector v1.13.0
- Snowflake Collector v3.1.0
- Tencent Collector v1.2.0
- OnePassword Collector v1.2.0
- Cloudflare Collector v1.2.0
- GCP Collector v2.3.0
- Google Workspace Reports Collector v1.11.0
- Google Workspace Logs Bigquery Collector v1.1.0
- AWS SQS Collector v1.8.0
- SentinelOne Collector v1.6.0
- Tenable Collector v2.1.0
- Snowflake Collector v4.0.1
- Microsoft Office365 Management Collector v2.5.0
- Cloudflare Collector v1.3.0
- Malwarebytes Nebula Collector v1.1.0
- Cylance Collector v1.3.0
- Office365 Exchange Reports Collector v1.1.0
- Cortex XDR Collector v2.1.0
- Tencent Collector v1.3.0
- AWS Collector v1.13.0
- ExtraHop Revealx Collector v1.3.0
- Cybereason Collector v1.5.0
- Box Collector v2.1.0
- Trellix Epo v1.1.0
- Salesforce Collector v3.3.0
- Servicenow Collector v2.1.0
- AWS Collector v1.13.1
- AWS SQS Collector v1.9.0
- Cisco Meraki Collector v2.0.0
- Trend Micro Vision One collector 1.4.0
- Sophos Central Collector v2.1.0
- Fastly Nextgen WAF v1.3.0

Updated Collectors

Crowdstrike Api collector v1.13.0
Fixed
- Fixed data loss issue for the vulnerabilities service
Changed
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.13.1" to "1.15.0"
- The DCSDK Docker base image has been updated from "1.3.1" to "1.4.1"
- Added optional field time_buffer_seconds to adjust the time delay while pulling data

Snowflake Collector v3.1.0
Fixes
- Fixed the huge memory issue by sending messages in batches
Improvements
- Fixed unit tests
- Upgraded the DCSDK from 1.13.1 to 1.15.0

Tencent Collector v1.2.0
Fixes
- Fixed wrong time parsing when timestamps are received in seconds instead of milliseconds
- Fixed the persistence reset steps
Features
- Provided an optional field in the user config to manage the number of consumer threads, to improve ingestion speed

OnePassword Collector v1.2.0
Improvements
- The DCSDK Docker base image has been updated from "1.3.0" to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.12.4" to "1.15.0"

Cloudflare Collector v1.2.0
Improvements
- The DCSDK Docker base image has been updated from "1.3.0" to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.12.4" to "1.15.0"

GCP Collector v2.3.0
Improvements
- The DCSDK Docker base image has been updated from "1.4.0" to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.14.0" to "1.15.0"

Google Workspace Reports Collector v1.11.0
Improvements
- The DCSDK Docker base image has been updated from "1.3.0" to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.12.4" to "1.15.0"

Google Workspace Logs Bigquery Collector v1.1.0
Improvements
- The DCSDK Docker base image has been updated to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.13.1" to "1.15.0"

AWS SQS Collector v1.8.0
Improvements
- The DCSDK Docker base image has been updated to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.13.1" to "1.15.0"

SentinelOne Collector v1.6.0
Improvements
- The DCSDK Docker base image has been updated to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.10.2" to "1.15.0"

Tenable Collector v2.1.0
Improvements
- The DCSDK Docker base image has been updated from "1.3.1" to "1.4.1"
- The DevoCollectorSDK Python package (devo-collector-sdk) has been updated from "1.13.1" to "1.15.0"

Snowflake Collector v4.0.1
Improvements
- Updated the authentication method to key-pair authentication
Bug Fixes
- Fixed "no module named" import error

Microsoft Office365 Management Collector v2.5.0
Improvements
- Updated DCSDK from 1.12.4 to 1.15.0
- Upgraded dcsdk-docker-base-image to 1.4.1

Cloudflare Collector v1.3.0
Fixes
- Removed the validation restriction requiring id to be an integer
- API key type changed from integer to string
- Fixed persistence reset logic

Malwarebytes Nebula Collector v1.1.0
Improvements
- Updated DevoCollectorSDK version from 1.7.2 to 1.16.1
- Updated dcsdk-docker-base-image to 1.5.0

Cylance Collector v1.3.0
Improvements
- Upgraded DevoCollectorSDK version from 1.10.0 to 1.16.1
- Updated dcsdk-docker-base-image to 1.5.0

Office365 Exchange Reports Collector v1.1.0
Improvements
- Updated DevoCollectorSDK version from 1.11.1 to 1.16.1
- Updated dcsdk-docker-base-image to 1.5.0

Cortex XDR Collector v2.1.0
Improvements
- Upgraded DevoCollectorSDK version from 1.13.1 to 1.16.1
- Updated dcsdk-docker-base-image to 1.5.0

Tencent Collector v1.3.0
Improvements
- Upgraded DevoCollectorSDK version from 1.15.0 to 1.16.1
- Updated dcsdk-docker-base-image to 1.5.0
Fixes
- Fixed the collector fetching data from the current time instead of the time specified
Features
- Added support for 3 different log types, making the code generic

AWS Collector v1.13.0
Improvements
- Upgraded DCSDK from 1.15.0 to 1.16.1
- Updated dcsdk-docker-base-image to 1.5.0
Fixes
- Fixed the bug related to the throttling issue

ExtraHop Revealx Collector v1.3.0
Improvements
- Updated Docker base image from "1.2.0" to "1.5.0"
- Updated DCSDK from "1.11.1" to "1.16.1"

Cybereason Collector v1.5.0
Improvements
- Updated Docker base image from version "1.2.0" to "1.5.0"
- Updated DCSDK from version "1.11.1" to "1.16.1"

Box Collector v2.1.0
Improvements
- Upgraded docker base image to 1.5.0
- Upgraded the DCSDK to 1.16.1

Trellix Epo v1.1.0
Improvements
- Upgraded docker base image to 1.5.0
- Upgraded the DCSDK to 1.16.1

Salesforce Collector v3.3.0
Improvements
- Added an input field to override the value of the root domain
- Updated DCSDK to 1.16.1
- Updated docker base image to 1.5.0

Servicenow Collector v2.1.0
Improvements
- Updated DCSDK to 1.16.1
- Updated docker base image to 1.5.0
Fixes
- Fixed initialization error in the custom service

AWS Collector v1.13.1
Fixes
- Added a param delay_in_minutes to fix the missing logs issue in the guardduty service

AWS SQS Collector v1.9.0
Improvements
- Updated DCSDK from 1.15.0 to 1.16.1
- Updated docker base image to 1.5.0
Fixes
- Fixed "local variable 'record_fields' referenced before assignment" error in sqs_fdr_puller

Cisco Meraki Collector v2.0.0
Improvements
- Refactored the code to the latest template and improved error handling
- Upgraded the DCSDK to 1.16.1
- Upgraded the docker base image to 1.5.0
- Added unit tests

Trend Micro Vision One collector 1.4.0
Improvements
- Upgraded the DCSDK to 1.16.1
- Upgraded SDK image base to 1.5.0
Fixes
- Fixed Audit logs wrong parameter issue

Sophos Central Collector v2.1.0
Improvements
- Updated DCSDK from 1.15.0 to 1.16.1
- Updated docker base image to 1.5.0
Fixes
- Fixed initialisation error on collector restart

Fastly Nextgen WAF v1.3.0
Improvements
- Updated DCSDK from 1.15.0 to 1.16.1
- Updated docker base image to 1.5.0
Fixes
- Fixed initialisation error on collector restart
The latest release of the Devo Platform is here! Release 8.16.3 brings one new feature and a few improvements. The primary change is in Devo's ability to let you search your Alerts. We've added Advanced Pro Filtering to the Alerts page, which allows you to write queries to search your entire Alert library. You can start your filtering with the Simple Filter drop-downs, then switch to Pro filtering, and your simple filters will be automatically translated into a Pro filter query with real-time auto-complete. Check out the full details below! Remember, we also have ProdCasts so you can listen while you work!

Geo Availability

Region | Status
CA     | Released
US     | Released
US3    | Released
EU     | Released
APAC   | Released

Table of Contents
- New Feature
  - Alerts Advanced Search with Pro Filters
- Improvements
  - Updated permissions for "Current Queries"

New Feature

Alerts Advanced Search with Pro Filters
A normal environment can have thousands of alerts! With this release, we introduce Pro filters to help you find the exact alert or group of alerts you need to update.

Alert Search Filters now include:
- Simple Filters: dropdown-based filters
- Pro Filters: custom-written, intuitive queries with real-time auto-complete suggestions to filter alerts

Additional functionality was added to automatically convert your chosen Simple filters to an equivalent Pro filter query. Learn more in our Documentation.

Improvements

Updated permissions for "Current Queries"
We've updated this permission to be based on User Roles.
- Admin Users: can view and manage all queries running on the domain.
- Non-Admin Users: can view and manage only their own queries within the domain.
Learn more in our documentation.
The Devo Relay is a critical component of Devo that receives inbound events from your data sources and then sends them to your Devo instance with all the tagging and processing rules that make Devo work as fast as it does. Release 2.15.1 adds automations and new OS support. The first automation removes the additional steps needed to launch the relay after setup. With the next feature, all certificates will automatically renew 1.5 months before expiration. This is a huge usability improvement and a very welcome one! Lastly, support for Ubuntu 24, aka Noble Numbat, has been added, and support for Ubuntu 20 has been retired. Learn more below!

Table of Contents
- Enhancements
  - Automatic activation
  - Automatic renewal of Relay Certificates
  - Support for Ubuntu 24
  - Removed support for Ubuntu 20
- Bug Fixes
  - Source tag capture groups

Enhancements

Automatic activation
The relay is now automatically activated after setup. No need to go to the UI to click the activation button. Learn more in our documentation.

Automatic renewal of Relay Certificates
Relay certificates are now automatically renewed before expiration, yay! One and a half months before the expiration date, the certificate is automatically renewed.

Support for Ubuntu 24
Added support for Ubuntu 24, also known as Noble Numbat. Please note that upgrading to devo-monitor v2.1.2 is a requirement.

Removed support for Ubuntu 20
Support for this outdated version of Ubuntu is discontinued. Read more in our documentation.

Bug Fixes

Source tag capture groups
The bug that stopped this tag from working in rules has been corrected.
The Devo Parser is one of the secret spices of our unique Hyperstream technology. The parsers organize raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a large catalog of existing parsers. Our teams review parser performance, build new parsers, and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Parsers
- box.audit
- storage.synology
- network.meraki
- cef0.checkPoint
- cef0.cyberark
- ddos.arbor
- firewall.fortinet
- firewall.watchguard

Updated Parsers

box.audit
- Fixed for: box.audit.unix.auditd
- Fixed the additional trailing quote issue for the OUID, OGID and FSGID fields.

storage.synology
- Added new field: storage.synology.dsm.connection

network.meraki
- Fixed issue for: network.meraki.events

cef0.checkPoint
- Added new field: cef0.checkPoint.queryDatabase

cef0.cyberark
- Added new field: cef0.cyberark.pta

ddos.arbor
- Fixed parsing issues and added support for legacy messages for: ddos.arbor.pravail.aps

firewall.fortinet
- Fixed issue for: firewall.fortinet.event.system

firewall.watchguard
- Fixed issue for: firewall.watchguard.event
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Collectors
- Fastly Next-gen WAF v1.2.0
- Alibaba Cloud collector v1.4.0
- Big ID collector v1.1.0
- Microsoft Defender ATP for Endpoint collector v2.1.0
- Google Workspace Alerts collector v1.10.0
- Proofpoint TAP collector v3.3.0
- CyberArk Identity collector v1.3.0
- Salesforce Collector v3.2.1
- Wiz Collector v1.8.0
- Okta collector v2.1.0
- Zscaler collector v2.0.3
- Office365 Exchange Message Tracing Collector v2.4.0
- Microsoft Defender ATP (Endpoint) collector v2.1.1
- Sailpoint IdentityNow collector v1.1.1

Updated Collectors

Fastly Next-gen WAF v1.2.0
Fixed
- Fixed init variable error for fastly event services
- Handled invalid start time condition for the feed_request service
- Updated default request_period_in_seconds to avoid the invalid time interval issue for the feed_request service
Changed
- Upgraded DCSDK from 1.12.4 to 1.15.0
- Upgraded dcsdk-docker-base-image to 1.4.1

Alibaba Cloud collector v1.4.0
Added
- Added a custom service for pulling data from log stores

Big ID collector v1.1.0
Bug Fixes
- Modified the endpoint that returned data in an incorrect format
Improvements
- Updated DCSDK from 1.13.1 to 1.15.0

Microsoft Defender ATP for Endpoint collector v2.1.0
Improvements
- Improved the pull logic of the alerts service, reducing the time to send the alerts data
Bug Fixes
- Fixed the issue with the api/alerts/{id}/user endpoint, handling the 404 error

Google Workspace Alerts collector v1.10.0
Improvements
- Updated DCSDK from 1.13.1 to 1.15.0
Bug Fixes
- Fixed a concurrency issue in which multiple threads could attempt to read the credentials file before it was fully written, resulting in an "Expecting value…" JSON parsing error. Now, both read and write operations for the credentials file are protected by the same global lock, ensuring the file is correctly created before it is accessed in concurrent environments.

Proofpoint TAP collector v3.3.0
Improvements
- Improved the request limit for every service
- Optimized the pull logic and flatten logic of the threat service

CyberArk Identity collector v1.3.0
Improvements
- Updated base URL
- Updated DCSDK to 1.15.0
- Upgraded docker base image to 1.4.1

Salesforce Collector v3.2.1
Improvements
- Fixed unit tests
- Added internal user guide
Fixes
- Fixed the persistence logic to avoid getting stuck in a loop

Wiz Collector v1.8.0
Feature
- Provided an option to override the auth token in the user config
Bug fixes
- Made changes for the latest Wiz certification requirements
Improvements
- Upgraded DCSDK to 1.15.0
- Upgraded docker base image to 1.4.1
- Added unit tests
- Added internal user guide

Okta collector v2.1.0
Improvements
- Added support for obfuscation functionality
- Updated DCSDK to 1.15.0
- Upgraded docker base image to 1.4.1

Zscaler collector v2.0.3
Fixes
- Fixed the "Waiting until setup will be executed" issue

Office365 Exchange Message Tracing Collector v2.4.0
Changed
- Upgraded DCSDK from v1.13.1 to v1.15.0
- Upgraded dcsdk-docker-base-image to 1.4.1
Fixed
- Fixed authentication issue

Microsoft Defender ATP (Endpoint) collector v2.1.1
Bug Fix
- Fixed the issue where the recommendation and machine services were getting stuck

Sailpoint IdentityNow collector v1.1.1
Bug fixes
- Fixed issue with status code error
- Fixed issue with missing logs
Improvements
- Updated DCSDK from 1.8.0 to 1.15.0
- Upgraded dcsdk-docker-base-image to 1.4.1
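The Google Workspace Alerts fix above describes a classic file race: a writer persists a credentials file in several steps, and readers on other threads open it mid-write and fail to parse truncated JSON. The following is an added example, not the collector's own code, that reproduces the race and shows the fix the note describes (one global lock shared by both the write and the read path). The file path, the chunked "slow" writer, the sample credentials and the thread counts are all constructed for the demonstration.

```python
import json
import os
import tempfile
import threading
import time

# Constructed sample credentials; a real collector would obtain these from the vendor API.
SAMPLE_CREDS = {"token": "constructed-sample-token", "expires_in": 3600}

# One global lock shared by the writer and every reader (the fix described in the release note).
_creds_lock = threading.Lock()


def _slow_write(path, payload):
    """Write the JSON in two halves with a pause in between, so a reader that
    opens the file during the pause sees a truncated document."""
    data = json.dumps(payload)
    half = len(data) // 2
    with open(path, "w") as fh:
        fh.write(data[:half])
        fh.flush()
        time.sleep(0.2)
        fh.write(data[half:])


def write_credentials(path, payload, locked):
    """Persist credentials; with locked=True the whole write happens under the lock."""
    if locked:
        with _creds_lock:
            _slow_write(path, payload)
    else:
        _slow_write(path, payload)


def read_credentials(path, locked):
    """Return the parsed credentials, or None when the file is missing or truncated
    (the unlocked race surfaces as json's 'Expecting value' / unterminated-string errors)."""
    def _read():
        with open(path) as fh:
            return json.load(fh)
    try:
        if locked:
            with _creds_lock:
                return _read()
        return _read()
    except (json.JSONDecodeError, FileNotFoundError):
        return None


def run_race(locked, readers=8):
    """Start one writer, then several readers shortly after; return how many
    readers failed to obtain valid credentials."""
    path = os.path.join(tempfile.mkdtemp(), "creds.json")
    results = []
    writer = threading.Thread(target=write_credentials, args=(path, SAMPLE_CREDS, locked))
    writer.start()
    time.sleep(0.05)  # let the writer open the file and emit the first half
    threads = [threading.Thread(target=lambda: results.append(read_credentials(path, locked)))
               for _ in range(readers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    writer.join()
    return sum(1 for r in results if r is None)


if __name__ == "__main__":
    print("unlocked reader failures:", run_race(locked=False))  # > 0: truncated JSON seen
    print("locked reader failures:  ", run_race(locked=True))   # 0: readers wait for the writer
```

Locking only the write would not be enough: a reader that does not take the lock still opens the half-written file. Both paths must serialize on the same lock, which is exactly what the release note states was changed. A write-to-temp-then-rename pattern is another common way to make the file appear atomically, but it does not help readers that were already blocked on a missing file, which is why the lock is the simpler fix here.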
The latest release of the Devo Platform is here! Release 8.15.17 brings one main improvement and a few bug fixes. The primary change is on the Data Search page: we've moved the Lookup Management and Current queries tabs to the Administration section. This change was made for functional consistency, with more to come in the future. In support of this change, the Role permissions for these two tabs were also moved, now under the Data section. In addition to this main change, we also have some small improvements and bug fixes. Remember, we also have ProdCasts so you can listen while you work!

Geo Availability

Region | Status
CA     | Released
US     | Released
US3    | Released
EU     | Released
APAC   | Released

Table of Contents
- Improvements
  - Relocation of "Lookup Management" and "Current queries" from Data Search
  - Small changes
- Bug fixes

Improvements

Relocation of "Lookup Management" and "Current queries" from Data Search
We've moved these two tabs to improve navigation and functional consistency. You can find both Lookups and Current queries under Administration → Data management. For more details, see our documentation. In support of this change, the Role permissions for Lookups and Current queries have been moved from the Data Search section to the Data section.

Small changes
- Menu: Previously, the main menu's submenu tooltips did not always disappear when the user moved the mouse pointer out of the area. This has been corrected, and unnecessary tooltips removed.

Bug fixes
- Notifications: Previously, notifications were not displayed on the notifications page. Now all relevant notifications are displayed.
- Data search: Previously, when a time period with no data was selected, an error notification was displayed. Now, a clear message indicating "no data to display" appears directly within the table.
The latest release of the Devo Platform is here! Release 8.15.15 brings a pair of usability improvements and bug fixes. With this release, users who use Single Sign-On will be able to quickly return to their session after they log out, with the new Session Recovery system. For Data Search, you now have more control over how you Download Data, be it directly in the browser or as a background process, providing new flexibility for large data sets. New download formats were also added to improve the flexibility of this tool. Lastly, a 30-day wait period is introduced to the automatic token deletion system. Learn more here!

Geo Availability

Region | Status
CA     | Released
US     | Released
US3    | Released
EU     | Released
APAC   | Released

Table of Contents
- New Feature
  - Recover Session functionality added for SSO logins
- Improvement
  - Improvements to Download Data form in Data Search
  - Token Deletion Delay
- Bug Fixes

New Feature

Recover Session functionality added for SSO logins
Users who log out of a Single Sign-On session will have a new option to recover their session from the login page. This functionality remains available until the browser is refreshed. Learn more in our Documentation.

Improvement

Improvements to Download Data form in Data Search
We have improved the Download Data function to provide greater clarity regarding how downloads are executed. The system has been optimized as follows:

Two new radio buttons:
- Attachment: lets you download the data immediately via the browser.
- Download Link: lets you download the data as a background task.

A secondary list of available file formats is additionally presented based on your chosen radio button option. Learn more in our Documentation.

Token Deletion Delay
When tokens expire, the system now waits 30 days after expiration before automatically deleting the token.

Bug Fixes
- Audit logs: Previously, the audit log displayed the actual token when a user accessed its details. Now, for enhanced security, the log shows the hashed value of the token.
- Data search: Previously, when a time period with no data was selected, an error notification was displayed. Now, a clear message indicating "no data to display" appears directly within the table.
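Two items in this release note, the hashed token in audit logs and the 30-day deletion delay, are both easy to get wrong in a token store. The following is an added example, not Devo's own implementation, of a minimal token store that records only a SHA-256 fingerprint of the token in its audit entries and purges tokens only once they have been expired for the full delay. The store, the clock, the token values and the event names are all constructed for the demonstration; the only values taken from the release note are the 30-day delay and the "hash, don't log the token" rule.

```python
import hashlib
from datetime import datetime, timedelta, timezone

DELETION_DELAY = timedelta(days=30)  # grace period from the release note


def token_fingerprint(token: str) -> str:
    """SHA-256 hex digest of a token: safe to show in an audit log, and stable
    enough to correlate every audit event that concerns the same token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class FakeClock:
    """Constructed clock so the 30-day rule can be exercised without waiting."""
    def __init__(self, start):
        self.current = start

    def __call__(self):
        return self.current

    def advance(self, delta):
        self.current += delta


class TokenStore:
    """Hypothetical token store: keeps raw values only in memory, writes
    fingerprints to the audit log, and delays deletion after expiry."""
    def __init__(self, now=None):
        self.clock = now or (lambda: datetime.now(timezone.utc))
        self._tokens = {}   # token id -> {"value": raw token, "expires_at": datetime}
        self.audit_log = []

    def _audit(self, event, raw_token):
        # The raw token never reaches the log; only its fingerprint does.
        self.audit_log.append({"at": self.clock().isoformat(), "event": event,
                               "token_sha256": token_fingerprint(raw_token)})

    def create(self, token_id, value, ttl):
        self._tokens[token_id] = {"value": value, "expires_at": self.clock() + ttl}
        self._audit("token.created", value)

    def view_details(self, token_id):
        rec = self._tokens[token_id]
        self._audit("token.viewed", rec["value"])  # the event the release note fixed
        return {"id": token_id, "expires_at": rec["expires_at"]}

    def purge_expired(self):
        """Delete tokens whose expiry is at least DELETION_DELAY in the past."""
        now = self.clock()
        removed = [tid for tid, rec in self._tokens.items()
                   if now - rec["expires_at"] >= DELETION_DELAY]
        for tid in removed:
            self._audit("token.deleted", self._tokens.pop(tid)["value"])
        return removed

    def log_leaks_token(self, raw_token):
        """True if the raw token value appears anywhere in the audit log."""
        return any(raw_token in str(entry) for entry in self.audit_log)


def demo():
    clock = FakeClock(datetime(2025, 1, 1, tzinfo=timezone.utc))
    store = TokenStore(now=clock)
    raw = "constructed-raw-token-value-0123456789"
    store.create("t1", raw, ttl=timedelta(days=1))   # expires on 2025-01-02
    store.view_details("t1")
    clock.advance(timedelta(days=20))                 # expired 19 days ago: retained
    kept_at_20_days = store.purge_expired() == []
    clock.advance(timedelta(days=11))                 # expired 30 days ago: deleted
    removed = store.purge_expired()
    return {"raw_in_log": store.log_leaks_token(raw),
            "kept_at_20_days": kept_at_20_days,
            "removed_at_30_days": removed,
            "fingerprint": token_fingerprint(raw),
            "events": [e["event"] for e in store.audit_log]}


if __name__ == "__main__":
    print(demo())
```

An unkeyed hash is adequate when tokens are long random values, as API tokens normally are; if a token could be low-entropy, an HMAC with a server-side key would stop an attacker who obtains the audit log from confirming guesses against the fingerprint. Note that the store still holds the raw value in memory for comparison; the point of the fix is only that the value never appears in a log that many users can read.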
Devo Documentation is a live repository of information, how-to's, troubleshooting guides, and installation instructions for every part of the Devo solutions. It is a large repository of information with many moving parts and authors, and it gets updated daily. These articles highlight some of the key updates that provide the most impact or improvements to your existing workflow. The highlight of these updates is rebuilt documentation for a variety of SQS collectors and JSON pages. If you have any questions or suggestions for our documentation team, post them in the comments below!

In March, we updated 177 articles! Here are some highlights.

Table of Contents
- Data Search
  - Best practice for data search
  - Data Search Error Codes
- Collectors
  - Microsoft Azure Events Hub Collector
  - Microsoft Graph Collector
  - Wiz Collector
  - CrowdStrike Intelligence Collector
  - Entra ID collector (formerly Azure Active Directory)
  - Microsoft 365 Management API Collector

Data Search

Best practice for data search
This handy article collects all the useful tips and best workflows from across Devo to enhance your Data Search practical know-how.

Data Search Error Codes
A complete list of error codes and their meaning. Very handy!

Collectors

Microsoft Azure Events Hub Collector
Are you feeling overwhelmed by the 80-line configuration file for the Azure Event Hub collector? If you use the example from the public documentation, you only need to fill out five fields in a 20-line file, and there's a graphic to guide you. Use the Azure Event Hub collector for authentication data to avoid API delays and limits. Customers should still use the Graph collector to get intelligence about the authentication data.

Microsoft Graph Collector
One of Devo's top 5 collectors. Customers should use it to import Microsoft's security intelligence into Devo. Customers should upgrade to 3.2.0 using the migration guide. The instructions were simplified; you no longer need redirect URIs.

Wiz Collector
The Devo Wiz collector allows customers to retrieve Wiz cloud security issues into Devo to query, correlate, analyze, and visualize, enabling Enterprise IT and Cybersecurity teams to make the most impactful decisions at petabyte scale.

CrowdStrike Intelligence Collector
Use this to detect when a rootkit tries to tamper with CrowdStrike sensors.

Entra ID collector (formerly Azure Active Directory)
Entra ID data is critical to detecting authentication threats for customers who use it to manage authentication across all their apps. Customers can export Microsoft's AI-based risk analysis to Devo and use it to find threats in their non-Microsoft data sources.

Microsoft 365 Management API Collector
This updated documentation simplifies the enablement process and provides useful use cases and troubleshooting tips to help secure your data.
The Devo Parser is one of the secret spices of our unique Hyperstream technology. The parsers organize raw events stored in tags into columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a large catalog of existing parsers. Our teams review parser performance, build new parsers, and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Parsers
- auth.all
- edr.all.threats
- cloud.azure
- ftp.crushftp
- seg.checkpoint
- ddos.arbor

Updated Parsers

auth.all
Link to Documentation
Change Log
- Added new fields for: cloud.azure.ad.signin
- New mapping added for: box.win_snare

edr.all.threats
Link to Documentation
Change Log
- Added new tables: cloud.sophos.central.alerts, cloud.sophos.central.events, edr.crowdstrike.falconstreaming.detection_summary, edr.microsoft_defender.endpoint.alerts
- Updated table: edr.crowdstrike.falconstreaming.epp_detection_summary

cloud.azure
Link to Documentation
Change Log
- Added new tables for Advanced Hunting sent by Azure:
  cloud.azure.ah.alert_evidence
  cloud.azure.ah.alert_info
  cloud.azure.ah.cloud_app_event
  cloud.azure.ah.device_event
  cloud.azure.ah.device_file_certificate
  cloud.azure.ah.device_file_event
  cloud.azure.ah.device_image_load_event
  cloud.azure.ah.device_info
  cloud.azure.ah.device_logon_event
  cloud.azure.ah.device_network_event
  cloud.azure.ah.device_network_info
  cloud.azure.ah.device_process_event
  cloud.azure.ah.device_registry_event
  cloud.azure.ah.device_identity_logon_event
  cloud.azure.ah.mail_atteachment_info
  cloud.azure.ah.mail_event
  cloud.azure.ah.mail_post_delivery_event
  cloud.azure.ah.mail_url_info
  cloud.azure.ah.url_click_event

ftp.crushftp
Link to Documentation
Change Log
- Fixed parsing issues for: ftp.crushftp.event

seg.checkpoint
Link to Documentation
Change Log
- Fixed parsing issues for: seg.checkpoint.harmony.event

ddos.arbor
Link to Documentation
Change Log
- Fixed parsing issues and added support for legacy messages for: ddos.arbor.pravail.aps
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
New Collectors
- Spidersilk Collector v1.0.0
Updated Collectors
- IBM Cloud Logs v2.0.1 (previously IBM Cloud Activity Tracker)
- Microsoft Graph Collector v3.0.0
- Google Cloud Platform Collector v2.2.0
- Cyble Vision Collector v1.1.0
- Tencent Collector v1.1.0
- Zscaler Collector v2.0.0
- Alibaba Cloud Collector v1.3.0
- Microsoft Azure Collector v2.5.0
- Menlo Collector v1.4.0
- Salesforce Collector v3.1.0
- Microsoft Defender ATP Endpoint v2.0.0
- Proofpoint TAP v3.2.0
- Microsoft Graph v3.2.0
- Alibaba Collector v1.3.1
- Salesforce Collector v3.2.0
- Zscaler Collector v2.0.1

New Collectors

Spidersilk Collector v1.0.0
Link to Documentation
Change Log
A new collector for Spidersilk has been introduced, designed around a snapshot-based data retrieval approach. This collector enables targeted gathering and analysis of information from several key services:
- Threats: Delivers periodic snapshots to help you monitor and address potential security issues.
- Assets: Provides scheduled snapshots of your assets, supporting continuous asset tracking and visibility.
- Darkweb: Supplies consolidated snapshots of dark web activity relevant to your organization, aiding proactive risk awareness.
DCSDK version: 1.14.0

Updated Collectors

IBM Cloud Logs v2.0.1 (previously IBM Cloud Activity Tracker)
Link to Documentation
Change Log
- Changed the name of the collector to "IBM Cloud Logs".
- Updated the migration_guide accordingly.

Microsoft Graph Collector v3.0.0
Link to Documentation
Change Log
- Updated DCSDK solves bug INT-3340.
- Updated DCSDK from 1.13.1 to 1.14.0.

Google Cloud Platform Collector v2.2.0
Link to Documentation
Change Log
- Added a logging filter to handle `ValueError` related to closed RPC channels. This error occurs when an RPC call is attempted on a closed connection, usually due to normal service shutdowns or transient network issues. Since these cases do not indicate a critical failure, the error is now logged as a warning instead of raising an exception.
- DCSDK version: 1.14.0

Cyble Vision Collector v1.1.0
Link to Documentation
Change Log
- Updated DevoCollectorSDK version from 1.9.2 to 1.15.0.
- Upgraded Docker image base to version v1.4.1 in Dockerfile.

Tencent Collector v1.1.0
Link to Documentation
Change Log
- Upgraded DCSDK from 1.13.1 to 1.15.0.
- Upgraded Dockerfile base image to 1.4.1.
- Created a separate table for cloudaudit logs.

Zscaler Collector v2.0.0
Link to Documentation
Change Log
- Refactored code and upgraded DCSDK to 1.15.0.
- Upgraded Docker base image to 1.4.0.
- Sending data to new table `sse.zscaler.zia.audit`.

Alibaba Cloud Collector v1.3.0
Link to Documentation
Change Log
- Updated DCSDK from 1.14.0 to 1.15.0.
- Upgraded dcsdk-docker-base-image to 1.4.1.
- Added new smq service.

Microsoft Azure Collector v2.5.0
Link to Documentation
Change Log
- New autocategorization rules for several tables:
  - cloud.azure.ah.alert_info
  - cloud.azure.ah.alert_evidence
  - cloud.azure.sql.securityauditevents
  - cloud.azure.vm.subassessment
  - cloud.azure.virtualnetwork.net_sec_group_event
  - cloud.azure.eh.metrics
  - cloud.azure.firewall.network_rule
  - cloud.azure.firewall.application_rule
  - cloud.azure.firewall.dns_query
  - cloud.azure.storage.storageread
  - cloud.azure.storage.storagewrite
  - cloud.azure.storage.storagedelete
  - cloud.azure.traffic_manager.probe_health_status
- The timezone of pendulum.now() is now explicitly set to UTC.
- Corrected typo in rules of: cloud.azure.intune.operation
- Updated SDK from 1.12.2 to 1.15.0: differentiated error codes for SdkPersistenceServiceError.

Menlo Collector v1.4.0
Link to Documentation
Change Log
- Upgraded the DCSDK from 1.14.0 to 1.15.0.
- Upgraded dcsdk-docker-base-image to 1.4.1.
- Fixed the Setup Error issue caused by the start date in the config.

Salesforce Collector v3.1.0
Link to Documentation
Change Log
- Upgraded the DCSDK from 1.13.1 to 1.15.0.
- Upgraded dcsdk-docker-base-image to 1.4.1.
- Fixed the bug where custom fields did not show up in custom queries.

Microsoft Defender ATP Endpoint v2.0.0
Link to Documentation
Change Log
- Added a new endpoint for the assessments service (/SoftwareVulnerabilityChangesByMachine).
- Changed the name of the assessments service from assessments_beta to assessments.
- Updated Docker image to 1.4.1.
- Updated DevoCollectorSDK from v1.12.4 to v1.15.0.

Proofpoint TAP v3.2.0
Link to Documentation
Change Log
- Refactored code and upgraded DCSDK to 1.15.0.
- Upgraded Docker base image to 1.4.1.
- Fixed the OOMK bug causing the collector to restart.

Microsoft Graph v3.2.0
Link to Documentation
Change Log
- Fixed a bug with pendulum and TZ that caused re-authentication to fail.
- Updated DCSDK from 1.14.0 to 1.15.0.
- Upgraded dcsdk-docker-base-image to 1.4.1.

Alibaba Collector v1.3.1
Link to Documentation
Change Log
- Fixed issue with handling byte values in the access_log service response.

Salesforce Collector v3.2.0
Link to Documentation
Change Log
- Made skip_export user configurable in the custom service query.

Zscaler Collector v2.0.1
Link to Documentation
Change Log
- Fixed the invalid session error.
The latest release of the Devo Platform is here! Release 8.15.13 brings improvements across many components of the Platform and introduces a new feature! The Multitenant Content Manager for Devo Exchange makes its debut! You can now manage the available Exchange content for your tenant domains using tailored content plans. The Alerts workflow has also been improved by introducing the new Rules tab on the Alerts page. Manage and perform bulk actions from the Alerts page home! Additionally, a wide variety of smaller improvements and bug fixes are introduced with this release. Read on to learn more!

Geo Availability
Region | Status
CA | Released
US | Released
US3 | Released
EU | Released
APAC | Released

Listen to this Release in Podcast format in the latest Devo ProdCast!

Table of Contents
New Features
- Devo Exchange
  - Multitenant Content Manager
- Alerts
  - New Rules tab in Alerts homepage
  - View Raw event data
  - "Go to query" renamed "Source query"
Improvements
- Scheduled Reports
  - Relative Date
Bug fixes and small changes
- Activeboards
- Activeboard Manager
- Scheduled reports
- Scheduled tasks
- Devo Platform
- Data Search
- Alerts

New Features

Devo Exchange

Multitenant Content Manager
This new vertical app, designed for MSSPs and resellers to administer Devo Exchange content for their tenant domains, allows domain administrators to manage which OOTB Alerts, Activeboards and applications are available to your tenant domains. You do this by creating and customizing content plans that you then assign to your tenant domains. This gives you full flexibility in catering to your diverse client needs with a clean user experience for both the client and the administrator. Learn more about it in our Documentation.

Alerts

New Rules tab in Alerts homepage
A new tab called "Rules" is introduced to the Alerts page to allow you to view, activate, deactivate and fine-tune your alert rules directly from the Alerts page. This improves the workflow of Alert management by placing the Alert Rules on the same page as the triggered Alerts.

The Rules tab includes the following new actions:
- Bulk Actions - Activate, deactivate or delete multiple rules at once.
- New Columns - Includes source table and priority columns for increased clarity.
- New Filter section - Filter by status, priority, owner, sources, delivery policy, type, category and subcategory.

You can also create Each-type alerts from this section. Other alert types are still constructed from Data Search for now. Learn more in our Documentation.

View Raw event data
Two new actions have been added to triggered alerts to help you view the source data that caused the alert to trigger.
- Download: The Download quick action will download a CSV file containing the events that triggered the alert.
- Raw Events: The Raw Events option from the Ellipsis menu allows you to view the raw events associated with the alert in the same page or a new tab.
Learn more in our Documentation.

"Go to query" renamed "Source query"
This change was made to improve clarity.

Improvements

Scheduled Reports

Relative Date
We've improved Scheduled Reports to use the same Relative Date functionality available across Devo Platform features.

Bug fixes and small changes

Activeboards
- The "Relative to" option was not shown in the widget calendar. Now it is.
- The table widget broke when a query including a sparkline and custom range operations was used. The error has since been fixed.
- The calendar permitted the entry of incorrect dates, which led to widget errors. These invalid dates are now detected.
- The error within the '_getEdgesPoints' function has been resolved.
- The calendar chart didn't show start/end empty spaces. Now it does.

Activeboard Manager
- Previously, within the Activeboard Manager, users had to select all tags of a row for that row to appear. Now, all activeboards containing the selected tags are displayed.
- In the Activeboard Manager, closing the manager without using the cross icon would reset the row colors. Now, reopening the AB Manager restores the row colors to their default.
- Previously, the Activeboard Manager would refresh the user interface when activeboards were modified. Now, the "Created by" filter functions correctly based on the user and the action performed.

Scheduled reports
- In Scheduled Reports, the "Save" and "Edit" buttons on the interface used to stay active even when errors occurred. This issue has now been resolved.
- In Scheduled Reports, the "At" dropdown was displayed incompletely. This has been fixed.
- In Scheduled Reports, the "Export to PDF" button was incorrectly enabled even when the activeboard was empty. It is now disabled under such circumstances.
- Previously, in Scheduled Reports, clicking the "on" input while 'repeat monthly' was selected would cause the page to break. Now, the input options are displayed correctly, and no errors occur.

Scheduled tasks
- In Scheduled Tasks, a flickering effect appeared in the table width. This has now been fixed.
- Previously, Scheduled Tasks would briefly show an empty list while loading. Now, a loading status is displayed during this time.
- The email input design and content differed between the Scheduled Tasks and Scheduled Reports sections. This design has now been unified.

Devo Platform
- Previously, in the audit logs, the object_name column did not display the token name. This has been corrected.
- On the Tokens page, it was not possible for users to edit and save the Credentials Token. A "Save" button now enables this functionality.
- In Notifications, the Relays notification message was displayed with incorrect formatting. This issue has been resolved.
- In Roles, the tooltip text related to Token permissions has been updated.
- In Roles, the tooltip text related to Finder permissions has been updated.
- In Tokens, the 'Target table' selector has been translated.

Data Search
- In Data Search, a partial data message appeared in the notifications. Now the complete message appears.
- Within Data Search, the 'Too many points in the graph' dialog message had untranslated button text. This has now been corrected.
- In Data Search, the "Download all data" button was not working. Now it does.
- Previously, Data Search would display a persistent "Getting" message when no events were available in the table. Now, an "Empty table" indication is shown instead.

Alerts
- Users can now open "Go to query" for alerts with subqueries.
- The __devo_when__ field has been introduced to alert extra data. This new field replicates the "when" value from the triggered alerts table, allowing users to use it within post-filters.
- Users without alert configuration permissions couldn't filter triggered alerts by name. Now they can.
- Entity attributes were not displayed correctly when duplicates were present. Now they display correctly.
- An issue has been resolved where opening the "Edit alert" dialog and then clicking Edit in the search window without any modifications would incorrectly trigger the confirmation dialog.
- The calendar allowed incorrect dates and displayed widget errors. These invalid dates are now corrected.
- An error in the function '_getEdgesPoints' is fixed.
- The calendar chart didn't show start/end empty spaces. Now it does.
The latest release of the Devo Platform is here! Release 8.15.3 brings a collection of improvements to the Alerts page and bug fixes, starting with MITRE Tactics and Techniques added to all Alert Definitions. Add single or multi-technique tags to alerts and filter by them in the triggered alerts view. We have also added available Entity Attributes in Alert creation. Opening an Alert in the Query Editor has been improved to use available Extra Data, particularly useful for our MSSPs as they can edit alerts with the appropriate client information in extra data. Read on to learn more!

Geo Availability
Region | Status
CA | Released
US | Released
US3 | Released
EU | Released
APAC | Released

Listen to this Product Update in our new ProdCasts audio format!

Table of Contents
New Features
- Add MITRE Tactics and Techniques to Alert Definitions
- Search for MITRE Tactics and Techniques in Triggered Alerts
Updated Features
- Entity Attributes in Alert Creation, Edit, and Clone forms
- Alert Extra Data is added as filtering when "Go to Query" is called
- Enhanced Alert Auditing with Post filtering information
- Improved Column Visibility control
- Improved Extra Data Visibility

New Features

Add MITRE Tactics and Techniques to Alert Definitions
Users can now add MITRE Tactics, Techniques and Sub-Techniques in Alert Definitions. You can add multiple Techniques under each Tactic.

Search for MITRE Tactics and Techniques in Triggered Alerts
Supporting the addition of MITRE Tactics and Techniques, these new search filters allow you to find specific alerts by these new attributes.

Updated Features

Entity Attributes in Alert Creation, Edit, and Clone forms
We have added a new section to inform users about the available entity attributes based on the data source table and query in their alerts. Attributes highlighted in blue will appear in triggered alerts, while those in gray are available in the table but not currently part of the alert definition. Learn more in our Documentation.

Alert Extra Data is added as filtering when "Go to Query" is called
When information is available in the Extra Data of an alert, it is used to filter the data when it is opened in the query editor. This is particularly useful for MSSP Alerts, as you can use the client information in Extra Data and open the query with the correct filtering every time.

Enhanced Alert Auditing with Post filtering information
We've enhanced the devo.audit.alert.triggered table by adding information about post-filters. Users can now see if a post-filter was applied to a triggered alert. We are also recording events for triggered alerts that have been deleted via post-filter.

Improved Column Visibility control
Quickly hide columns by right-clicking on any column header to reveal the Hide Column command. You can manage the visibility of columns from the Ellipsis menu at the right end of the table.

Improved Extra Data Visibility
We've added color formatting to extra data for enhanced readability.

View our full release notes in our Documentation.
Devo Documentation is a live repository of information, how-tos, troubleshooting guides, and installation instructions for every part of Devo solutions. It is a large repository of information with many moving parts and authors, and it gets updated daily. These articles highlight some of the key updates that provide the most impact or improvements to your existing workflow. The highlight of these updates is rebuilt documentation for a variety of SQS collectors and JSON pages. If you have any questions or suggestions for our documentation team, post them in the comments below!

Table of Contents
Site Wide Improvements
- Send to Devo
Individual Page updates
- Authorize SQS Data Access
- CloudTrail Audit Logs Collector
- CloudFront SQS Collector
- GuardDuty Threat SQS Collector
- WAF ACL Firewall Access SQS Collector
- JSON Troubleshooting

Site Wide Improvements

Send to Devo
The Send to Devo instructions have been reviewed and updated where appropriate for the vast majority of authentication, firewall, and CEF0 parser pages. These are important changes to highlight as they cover most of our high-ingestion and frequently queried tables.

Individual Page updates

Authorize SQS Data Access
SQS is Devo's most popular collector, but have you ever been confused about how to authorize a collector to use SQS? This update is for you! We have created new instructions for this complex process that are sure to make it an easier and more straightforward task.

CloudTrail Audit Logs Collector
We have created new step-by-step instructions on how to ingest this must-have Collector for anyone using AWS. In the event your AWS account is compromised, this data will tell you what actions the attacker was able to take in your environment.

CloudFront SQS Collector
Did you or your customer purchase content delivery services from Amazon? You can monitor network requests using this new step-by-step guide to this critical collector.

GuardDuty Threat SQS Collector
Amazon's threat intelligence service, GuardDuty, is a must-have for any customer who uses Amazon services. Make use of threats identified by Amazon to stop attacks in your systems.

WAF ACL Firewall Access SQS Collector
Instructions have been rewritten for ease of use and clarity, making it much simpler to send data from AWS to Devo.

JSON Troubleshooting
We have recreated this page to provide clearer troubleshooting instructions for JSON arguments, along with the improvements delivered in Devo Platform Release 8.15.0.

And more! Visit your favorite Devo Docs pages!
The Devo Parser is one of the secret spices of our unique Hyperstream technology. Parsers organize the raw events stored in tags into the columns of the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a large catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Parsers
- cloud.azure
- box.win_nxlog
- box.win_snare
- firewall.sophos
- firewall.cisco
- box.all.win
- firewall.fortinet
- iam.pingidentity
- cef0.checkpoint

Updated Parsers

cloud.azure
Link to Documentation
Change Log
- New fields added to the union for cloud.azure.ad.audit

box.win_nxlog
Link to Documentation
Change Log
- Added new fields for box.win_nxlog*

box.win_snare
Link to Documentation
Change Log
- Added new table for box.win_snare.fim
- Added new fields and refactored PowerShell logs for box.win_snare*
- Parser adapted to a variable number of spaces between keys and values
- Two new event types parsed
- New log source added: Sysmon

firewall.sophos
Link to Documentation
Change Log
- Made timestamp a string so the timezone is preserved for firewall.sophos.securenet.packetfilter

firewall.cisco
Link to Documentation
Change Log
- Added new types for firewall.cisco.ftd

box.all.win
Link to Documentation
Change Log
- Added new fields for box.all.win

firewall.fortinet
Link to Documentation
Change Log
- Added missing fields from tables:
  - firewall.fortinet.event
  - firewall.fortinet.event.connector
  - firewall.fortinet.event.dhcp

iam.pingidentity
Documentation in Progress
Change Log
- Added new table for iam.pingidentity.pingaccess.server

cef0.checkpoint
Link to Documentation
Change Log
- Added new fields for:
  - cef0.checkPoint.unknown
  - cef0.checkPoint.connectra
Every month, the integrations team works on new and updated collectors for you, and I collect them all in this Catalog Update. This post contains new and updated collector information as well as links to their respective pages in our Documentation portal. Be advised that some pages in Documentation may not be available at the time of posting but will be added as soon as they are available. To request new collectors or an update to an existing collector, please open a support ticket through the Support Portal. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents
Updated Collectors
- Netskope API V2 v2.0.1
- Microsoft Graph v3.1.0
- AWS SQS v1.7.4
- ServiceNow v2.0.0
- Google Cloud Platform v2.1.0
- IBM Cloud Activity Tracker v2.0.0
- Alibaba Cloud v1.2.0
- AWS v1.12.0
- Menlo Security v1.3.0

Updated Collectors

Netskope API V2 v2.0.1
Link to Documentation
Change Log
Improvements
- Refactored collector; check the migration guide.
- Updated the DCSDK from 1.11.1 to 1.13.1.
Bugs
- Fixed duplication and delay issue.
- Fixed 409 Error by adding wait time.

Microsoft Graph v3.1.0
Link to Documentation
Change Log
Improvements
- Alerts categorisation for the alerts_v2 service (this change can break compatibility with previous versions).
- New optional flattening for the alerts_v2 service, with a new separate table for "evidences".
- Automatic recovery from error 400 "Invalid Skiptoken" returned from the Graph API.
- Updated DCSDK from 1.13.1 to 1.14.0.

AWS SQS v1.7.4
Link to Documentation
Change Log
Bugs
- Fixed bug with log operations.
- Made decorators optional. To enable them, set debug to true.

ServiceNow v2.0.0
Link to Documentation
Change Log
Improvements
- Migrated API to v2 version.
- Implemented OAuth.

Google Cloud Platform v2.1.0
Link to Documentation
Change Log
Improvements
New Features
- Complete Refactor: The collector has been completely redesigned to provide a more flexible and powerful solution for ingesting data from Google Cloud Pub/Sub.
- Support for Multiple Data Sources: The collector now supports generic ingestion from Pub/Sub, allowing seamless data collection from any GCP service, including Logging and Security Command Center Findings.
- New Service: Netskope Web Transactions: Added support for Netskope Web Transactions, enabling seamless data ingestion from Pub/Sub Lite.
- Streaming Data Collection: The collector now works in streaming mode, significantly reducing latency and improving efficiency.
- Optimized Performance: The entire codebase has been optimized, reducing memory usage and increasing stability in high-load environments.
- Enhanced Auto-Categorization: Improved the event auto-categorization mechanism to ensure accurate and efficient tagging.
- Refactored Codebase: The internal architecture has been restructured, improving maintainability, scalability, and overall performance.
- Better Error Handling & Logging: Improved error handling mechanisms and log traceability to facilitate troubleshooting.
- Deployed with DCSDK v1.14.0: Ensuring compatibility with the latest SDK enhancements.

IBM Cloud Activity Tracker v2.0.0
Link to Documentation
Change Log
Improvements
- Migrated the collector from getting data from IBM Cloud Activity Tracker to IBM Cloud Logs (Kafka - event streaming).
- Added unit tests and user guide.
- Updated DCSDK base Docker image to 1.4.0.
- Updated DCSDK from 1.10.0 to 1.14.0.

Alibaba Cloud v1.2.0
Link to Documentation
Change Log
Improvements
- Updated the DCSDK from 1.7.2 to 1.14.0.
Bugs
- Fixed unexpected PullError in the actiontrail log service for missing eventVersion.
New Features
- Added new services for access logs, db logs, and internal audit service logs.

AWS v1.12.0
Link to Documentation
Change Log
Improvements
- Updated DCSDK from 1.13.1 to 1.14.0.
- Fixed the bug related to delay in ingestion for GuardDuty.

Menlo Security v1.3.0
Link to Documentation
Change Log
Improvements
- Upgraded the DCSDK from 1.13.1 to 1.14.0.
- Fixed the persistence logic.
The latest release of the Devo Platform is here! Release 8.15.0 brings enhancements to Activeboards, Data Search, and the Query API. The Activeboards UI has been upgraded, providing a variety of benefits including enhanced UI performance, a new Activeboard Manager and time range controls in Widget queries. Data Search has improved the Field Viewer's ability to handle tens of thousands of rows, making it very snappy, as well as bringing JSON parsing, agnostic Geolocation operators and casting maps to JSON directly within Data Search. Lastly, the Query API has new calls for relative time ranges, a new output format (AVRO) and public Swagger docs. Let's dive in!

Geo Availability
Region | Status
CA | Released
US | Released
US3 | Released
EU | Released
APAC | Released

Table of Contents
New Features
- Activeboards
  - New UI for Activeboard Manager
  - Updated UI benefiting Date selector and UI performance
  - New Time-Range selector
  - Time Range for Queries in Widgets
- Data Search
  - Rebuilt Field Viewer
  - JSON operation available in Data Search
  - Simplified JSON Parsing
  - Agnostic Geolocation operations
- Query API
  - New output format AVRO
  - Relative time-range
  - Public Swagger documentation

New Features

Activeboards

New UI for Activeboard Manager
Improvements to filtering, UI speed and information-at-a-glance. The new Activeboard Manager streamlines AB information by adding the Activeboard description as a tooltip when you hover over the name. We have also added more filters for each column and a general filter for searching the entire available catalog. The UI has also been updated for the Favorite, Shared and Scheduled indicators.

Updated UI benefiting Date selector and UI performance
We have updated the underlying UI engine used on the Activeboards page. This has allowed us to provide additional UI performance benefits and:

New Time-Range selector
Completely manipulate the start and end times as fast as you can scroll your mouse wheel!

Time Range for Queries in Widgets
You can now include the time range selected in the activeboard in your widget queries! Use the DATARANGE_FROM and DATARANGE_TO parameters when you edit your Widget Query source!

Data Search

Rebuilt Field Viewer
Fast loading and snappy response from the Field Viewer even when loading 30,000+ rows of data!

JSON operation available in Data Search
You can now use the json() operator in Data Search! Here is an example:

    from siem.logtrust.web.activity
    select ("name":"john","age":30,"country":"US") as map1
    select json(map1) as json

To learn more about JSON and its capabilities, visit this Doc page.

Simplified JSON Parsing
This exciting update simplifies the operation to parse or extract JSON fields.

Old Operation: select jqeval(jqcompile(".p"), json)
New Operation: select json["p"]

Example:

    from siem.logtrust.web.activity
    select jsonparse("{\"p\": [1, 2, 3]}") as json
    select jqeval(jqcompile(".p"), json)        // current way to extract "p"
    select json["p"] as retrieve_by_param_name   // new way to extract "p"
    select at(json, "p") as retrieve_with_at     // another new way to extract "p"

To learn more about JSON Parse, visit this Doc Page.

Agnostic Geolocation operations
To provide a solution for geolocation operations that get updated over time (mm->mm2->mm?), we have developed agnostic Geolocation operations to future-proof your code so that you continue to receive the benefits of future updates.

Example (Old): mm2country
Example (New): countrycode

The full list of new agnostic operations is available here in our Docs. Update and future-proof your queries!

Query API

New output format AVRO
Apache AVRO is an open-source, row-based data serialization format commonly used for big data sets and is now available through the Query API.
Note: Exclusively for the Query API; not currently available in Data Search.

Relative time-range
The API now supports relative time-range calls! Here are a few examples of what you can do with these new calls:

Time Expression | Description | Resulting Time
now() - 60m | 60 minutes ago | Sunday, 05 February 2017, 12:37:05
now() @ 1h | Now (rounded to the beginning of the hour) | Sunday, 05 February 2017, 13:00:00
now() - 24h | 24 hours ago | Saturday, 04 February 2017, 13:37:05
(now() - 1d) @ 1d | Yesterday (rounded to the beginning of the day) | Saturday, 04 February 2017, 00:00:00
(now() - 2d) @ 1d | 2 days ago (rounded to the beginning of the day) | Friday, 03 February 2017, 00:00:00
(now() - 2d) @ 1m | 2 days ago (rounded to the beginning of the minute) | Friday, 03 February 2017, 13:37:00

Learn more about these new calls in our Doc page here.

Public Swagger documentation
Introducing Swagger Docs for the Query API, available here.
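To make the table above concrete, here is an added Python evaluator for this relative time-range syntax (example code written for this post, not Devo's own implementation). It assumes the grammar the table shows: a `now()` term, subtraction or addition of durations in s, m, h or d, optional parentheses, and `@ <duration>` rounding the result down to the start of that unit; the reference clock is set to the table's now() so that each row can be checked.

```python
import re
from datetime import datetime, timedelta

# Constructed reference clock: the value of now() in the release-note table
# (Sunday, 05 February 2017, 13:37:05), so its rows can be checked exactly.
REFERENCE_NOW = datetime(2017, 2, 5, 13, 37, 5)
_EPOCH = datetime(1970, 1, 1)
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TOKEN_RE = re.compile(r"\s*(now\(\)|\d+[smhd]|[-+@()])")
_DURATION_RE = re.compile(r"^\d+[smhd]$")


def tokenize(expr):
    """Split '(now() - 2d) @ 1h' into ['(', 'now()', '-', '2d', ')', '@', '1h']."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        match = _TOKEN_RE.match(expr, pos)
        if match is None:
            raise ValueError(f"unexpected input at position {pos}: {expr[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def parse_duration(token):
    """Turn '60m', '24h' or '1d' into a timedelta; anything else is an error."""
    if token is None or not _DURATION_RE.match(token):
        raise ValueError(f"expected a duration such as 60m or 1d, got {token!r}")
    return timedelta(seconds=int(token[:-1]) * UNIT_SECONDS[token[-1]])


def round_down(value, step):
    """Floor value to a multiple of step counted from the epoch, which is what
    '@ 1h' (start of the hour) and '@ 1d' (start of the day) mean.  Day
    boundaries therefore follow the clock's zone; naive UTC is assumed here."""
    elapsed = (value - _EPOCH).total_seconds()
    return _EPOCH + timedelta(seconds=elapsed - elapsed % step.total_seconds())


class _Parser:
    """Recursive-descent parser for
    expr := term (('-' | '+') duration)* ('@' duration)?
    term := 'now()' | '(' expr ')'"""

    def __init__(self, tokens, now):
        self.tokens, self.pos, self.now = tokens, 0, now

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        token = self.peek()
        if token is None or (expected is not None and token != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {token!r}")
        self.pos += 1
        return token

    def expression(self):
        value = self.term()
        while self.peek() in ("-", "+"):          # shift by one or more durations
            operator = self.take()
            delta = parse_duration(self.take())
            value = value - delta if operator == "-" else value + delta
        if self.peek() == "@":                    # then optionally round down
            self.take("@")
            value = round_down(value, parse_duration(self.take()))
        return value

    def term(self):
        token = self.take()
        if token == "now()":
            return self.now
        if token == "(":
            value = self.expression()
            self.take(")")
            return value
        raise ValueError(f"unexpected token {token!r}")


def evaluate(expr, now=None):
    """Evaluate a relative time expression against `now` (default: REFERENCE_NOW)."""
    parser = _Parser(tokenize(expr), REFERENCE_NOW if now is None else now)
    value = parser.expression()
    if parser.peek() is not None:
        raise ValueError(f"trailing input: {parser.tokens[parser.pos:]}")
    return value


def evaluate_iso(expr, now=None):
    """Same as evaluate(), formatted as 'YYYY-MM-DD HH:MM:SS' for easy comparison."""
    return evaluate(expr, now).strftime("%Y-%m-%d %H:%M:%S")


def is_valid(expr):
    """True if the expression parses, False for a malformed one such as 'now() - 2x'."""
    try:
        evaluate(expr)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ["now() - 60m", "now() @ 1h", "now() - 24h", "(now() - 1d) @ 1d",
                   "(now() - 2d) @ 1d", "(now() - 2d) @ 1m"]:
        print(f"{sample:20} -> {evaluate(sample).strftime('%A, %d %B %Y, %H:%M:%S')}")
```

Rounding is done on the clock you pass in, so if your alerts or reports depend on "start of day", evaluate against a timezone-aware `now` in the zone you actually mean.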
The latest release of the Devo Platform is here! Release 8.14.22 brings enhancements to Lookup Management, the Role Management Credentials tab, and Landing Page preferences. Starting with Lookup Management, we have enhanced the interface to include a new column, "History", that reflects the state of the API setting "keepHistory". Along with this change, we have updated the available types. We have also cleaned up Role Management permissions and improved column consistency in the Credentials tab. Next up is the Landing Page: you can select your preferred landing page from the newly alphabetized drop-down! Learn more below!

Geo Availability
Region | Status
CA | Released
US | Released
US3 | Released
EU | Released
APAC | Released

Table of Contents
New Features
- Lookup Management page Alignment with API
  - New History Column
  - New Type names
Updated Features
- Role Management->Security->Permission unification
- Credentials Token tab consistency change
- Added Credentials API to Token creation
- Landing Page preference Sort order
Bug Fixes

New Features

Lookup Management page Alignment with API
Two changes to the Lookup Management page bring all the features into alignment with what is available through the Lookup Management API.

New History Column
This is a Boolean value reflecting the API parameter KeepHistory, which allows you to store all historic data, enabling historic search.

New Type names
To align with this new change, the Type field names have been updated.

Old Type | New Type | History Column Value
Dynamic query | Periodic query | No (False)
Historic dynamic query | Periodic query | Yes (True)
Static query | Static query | No (False)
Historic static query | Static query | Yes (True)
Upload CSV data | | No (False)

Updated Features

Role Management->Security->Permission unification
The Role management permission for API Key has been updated to API Credentials and controls the user's ability to view, create and delete API keys as well as use of the Credentials API.

Credentials Token tab consistency change
For different base languages, the Token tab had different names. For consistency, this tab is now called "Token" for all languages.

Added Credentials API to Token creation
You can now set the Type of token to a new type, "Credentials API". These tokens do not require permissions on tables.

Landing Page preference Sort order
Now you can choose your landing page from an alphabetically sorted list!

Bug Fixes
- Role Mapping no longer allows group names to start with a white space.
- A user deactivated in all domains cannot log in with SAML.
The latest release of the Devo Platform is here! Release 8.14.21 brings a powerful new tool set with the Token Management API. With this new API, you can manage, create and edit account credential tokens directly through API calls. This lets you manage access to your environment with API calls, allowing automation and bulk actions to accelerate your reaction time. A great new tool, particularly for our MSSP and partner clients, to manage their customer environments. To learn more about what APIs are available you can visit this page in our Documentation. Read on to learn more about the Token Management API!

Geo Availability
Region | Status
CA | Released
US | Released
US3 | Released
EU | Released
APAC | Released

Table of Contents
New Feature
- Token Management API

New Feature

Token Management API
This new set of API calls will allow you to manage account credential tokens completely and in bulk! The Token Management API can be used to:
- Create Tokens
- Retrieve Tokens
- Rename Tokens
- Enable / Disable Tokens
- Delete Tokens
This new API is a great tool, particularly for our MSSP clients and partners! Learn more in our Documentation.

Please note: the Token Management API was renamed the Credentials API at release.
Devo ThreatLink, an integral part of Case Management, automates alert triage, reducing the analyst workload from thousands of alerts to tens of daily cases. This streamlined process allows security teams to focus on the most critical incidents, significantly improving efficiency and reducing alert fatigue. Release 1.4 brings with it a new playbook, updated error handling, and updates to the case template and Audit logging. If you want to learn more about ThreatLink, view this article. The benefits of ThreatLink need to be seen; if you would like a demonstration, speak with your Devo Representative!

Table of Contents

- New Features and Updates
  - New Playbook available
  - Upgrade for Fetch Alerts
  - Updates to ThreatLink Case Template fields
  - Updated SOAR Audit Logging
  - Updated ThreatLink Dashboard: Past 7 Days

New Features and Updates

New Playbook available

Introducing "Close Linked SIEM Alerts on Case Closure". This playbook runs every [customer-defined] number of minutes to "close" alerts in the SIEM once a case is closed.

Requirements:

- ThreatLink 1.4 or greater
- Updated case setting template

Upgrade for Fetch Alerts

Fetch Alerts now uses the FetchAlertsV2 Integration.

Updates to ThreatLink Case Template fields

We've added a new field called "siem_alerts_closed". This field needs to be added to the System tab in the case template. We have also added a new field called "resolution_notes". This needs to be added to the Workflow section in the case template.

Updated SOAR Audit Logging

We've updated SOAR Audit Logging to version 1.7. The main changes in this update are:

- Added comments to the output
- Added case title to the output

Updated ThreatLink Dashboard: Past 7 Days

The Past 7 Days dashboard has been upgraded to v1.1.0.
The latest release of the Devo Platform is here! Release 8.14.19 brings a collection of API and Alert improvements. Starting with new functionality, you can now manage your Anti-Flooding policy through API calls with the new Anti-Flooding API. Next, we have added a new column showing entity attributes where available. We also added a new filter corresponding to the entity attributes, and a new source table column to help you identify source tables without needing to dive deeper into the alert. Along with a collection of bug fixes and visual improvements, this release is sure to enhance your Alert workflow! Read on to view the details!

Geo Availability

Region   Status
CA       Released
US       Released
US3      Released
EU       Released
APAC     Released

Table of Contents

- New features
  - Anti-Flooding API
  - Entity Attributes
  - New Filter added for entity attributes
  - New source table columns
- Improvements
  - Update to Alert Priority statuses

New features

Anti-Flooding API

Users can now create and manage anti-flooding policies through API calls.

Entity Attributes

Added a new column and filter to view and search the entity attributes associated with alerts. Note that not all alerts will have entity attributes; this depends on the table the alert was created from and the query used.

New Filter added for entity attributes

New filter criteria were added to find specific alerts based on their entity attributes. This filter appears in Simple Search as well as Advanced Search.

New source table columns

Users can now see which table an alert was triggered from directly in the triggered alerts table, without needing to navigate to the alert details, query or view definition.

Improvements

Update to Alert Priority statuses

Updated colors and names to improve clarity. See the full release notes in our documentation.
Devo Exchange is happy to announce the availability of a new activeboard called Threat Hunting by DNS. The activeboard allows you to identify and investigate potential threats by analyzing patterns in DNS (Domain Name System) queries and responses. This activeboard not only aids in uncovering advanced threats but also provides actionable insights to improve your organization's overall security posture. Some great use cases for this new Activeboard include Traffic Optimization in IT Operations. In Security, you can use it for Anomaly Detection and Risk Assessment! Learn more below!

Threat Hunting by DNS

Direct Exchange Links: US Exchange, US3 Exchange, CA Exchange, EU Exchange, APAC Exchange

Required Data Sources: network.dns

Security Multidomain Lookups:

- UmbrellaTop1M
- mispIndicator
- CollectiveDefense
- DynamicDNS

Use Cases

IT Operations

- Traffic Optimization: Monitor DNS traffic trends to identify and optimize traffic flow within the network.
- Resource Utilization: Track top queried domains and geolocation data to ensure efficient resource allocation and load balancing.
- Troubleshooting: Diagnose issues such as DNS misconfigurations, service outages, or latency problems.

Security Operations

- Anomaly Detection: Identify unusual behaviors such as DNS tunneling or dynamic domain usage that could indicate malicious activities.
- Threat Intelligence Correlation: Detect known malicious domains and integrate them with external threat feeds for proactive defense.
- Risk Assessment: Generate risk scores based on DNS query characteristics, such as domain length, entropy, and patterns.
- Incident Response: Use investigation tools and DNS data correlations to facilitate faster and more accurate incident investigations.

Learn more in our Docs.
The Devo Parser is one of the secret spices of our unique Hyperstream technology. The Parsers organize raw events stored in tags into different columns and display them in the corresponding tables. This method completely bypasses data indexing and contributes to Devo's amazing search speeds. Every data source is unique, so we have a great catalog of existing parsers. Our teams review parser performance, build new parsers and update parsers on a regular basis. This article covers all the updated and new parsers available this month. If you require a new parser, please open a support ticket through the support portal located here. You can also visit the new Resources Portal, a single page for all your customer resources!

Table of Contents

- New Parsers
  - itam.netwrix
- Updated Parsers
  - cloud.aws
  - box.win_nxlog
  - mail.postfix
  - ftp.crushftp
  - firewall.paloalto
  - edr.crowdstrike
  - endpoint.symantec
  - cef0.infoblox
  - ips.all.alerts
  - endpoint.bitdefender

New Parsers

itam.netwrix
Documentation in progress.

Updated Parsers

cloud.aws (Link to Documentation)
Change log: Support for JSON in cloud.aws.vpc.flow

box.win_nxlog (Link to Documentation)
Change log: Added parser for box.win_nxlog.ntlm

mail.postfix (Link to Documentation)
Change log: Added new fields

ftp.crushftp (Link to Documentation)
Change log: Added new fields for ftp.crushftp.event

firewall.paloalto (Link to Documentation)
Change log: Added a new field to firewall.paloalto.*

edr.crowdstrike (Link to Documentation)
Change log: Added new fields for edr.crowdstrike.cannon

endpoint.symantec (Link to Documentation)
Change log: Added new parser for endpoint.symantec.sepm.system

cef0.infoblox (Link to Documentation)
Change log: Added new fields for cef0infoblox.dataConnector

ips.all.alerts (Link to Documentation)
Change log: Added a new field

endpoint.bitdefender (Link to Documentation)
Change log: Modified fields for endpoint.bitdefender.agent.edr_alert