Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Devo delivers real-time operational and business value from analytics on streaming and historical data to operations, IT, security and business teams.

Connect Devo with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Devo.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: Devo server URL.

  9. Permission: Select permission. Devo has different tokens for read and write access.

  10. API Token: API Token to connect to devo instance.

    • This is the OAuth token. Make sure for read, it has permission to read all tables that is, the target table should be '***' and for write, Http Send should be allowed.

Actions for Devo

Run Query

Run query in Devo instance.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Templated Query

Templated Query to execute.

Required

Explode Results

Yes/No. Keep results in a single dict, or explode into separate rows? (default: No).

Required

Add Info Fields

Yes/No. Add information fields to output? (default: No).

Required

Start Time

Column name from the parent table to lookup value for start time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch start time). Note: Setting this time in the future will result in a slow query.

Optional

End Time

Column name from the parent table to lookup value for end time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch end time).

Optional

Event Time Range

Subtract a time range from end time to calculate a new start time (ignored if Start Time column provided above). Examples: 5m, 1h, 1d, or 0.5d.

Optional

Response Type

Select a value for response type (Default: 'JSON simple')

Optional

Limit

Limit of rows to be returned (Default: 500, Max: 50000).

Optional

Output

A JSON object containing multiple rows of result:

  • Templated Query: from demo.ecommerce.data {{query}}

  • Explode Results: No

  • Add Info Fields: Yes

  • Start Time: startT

  • End Time: endT

  • Limit: 10000

...

Send Events

Send Events to Devo instance. This action will send one event per row in the parent table.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Devo Domain

The name of your Devo domain Example: "dev@CompanyName".

Required

Message Tag

Tag (event table) for messages sent to Devo.

Required

Message

Column Name from parent table containing the message. Default is all columns.

Optional

Message Hostname

Hostname to use as message source.

Optional

Message Host IP

Host IP to use as message source

Optional

Output

A JSON object containing multiple rows of result:
{"success": true, "error": null, "has_error": false}

List Triggered Alerts

List triggered Alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

From

Jinja-templated text containing the start time, expressed as epoch milliseconds (Default is Batch start time). Example: 1588676868908

Optional

To

Jinja-templated text containing the end time, expressed as epoch milliseconds (Default is Batch end time). Example: 1588676868908

Optional

Limit

Jinja-templated text containing the limit (Default is 500)

Optional

Offset

Jinja-templated text containing the offset (Default is 0)

Optional

Additional Params

Jinja-templated JSON containing the additional params to be passed in request. Values specified here will override other fields (if provided)

Optional

Output

JSON containing the following items:

...

Code Block
## Get Triggered Alert

Get triggered alert by its Id.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                       | Required |
| :---------- | :------------------------------------------------------------------------------------------------ | :------- |
| Id          | [Jinja-templated](doc:jinja-template) text containing the alert Id                                | Required |
| Tag         | [Jinja-templated](doc:jinja-template) text containing the boolean tag (Default is 'true').        | Optional |
| Annotations | [Jinja-templated](doc:jinja-template) text containing the boolean annotation (Default is 'true'). | Optional |

### Output

JSON containing the following items:


``` {json}{
   "result":{
         "id":12123,
         "domain":"test",
         "priority":3,
         "context":"my.test_alert.test.SecOpsAwsFromLocation",
         "category":"my.context",
         "srcPort":null,
         "srcIp":null,
         "srcHost":null,
         "dstIp":null,
         "dstPort":null,
         "dstHost":null,
         "protocol":null,
         "username":null,
         "application":null,
         "engine":"cloud-custom-aws-eu-1s",
         "extraData":"{\"data\":\"null\"}"
         "alertDate":null,
         "creationDate":null,
         "status":0,
         "ack_status_date":null,
         "createDate":16623455423400,
         "updateDate":null,
         "scaled":false,
         "digest":"33003299580asdffa788b1",
         "uniquedigest":"e5a56asdfa1f23acdd32",
         "contexto":null,
         "postAlertAction":null,
         "contextLabel":null,
         "contextSubscription":null,
         "shouldSend":false,
         "recoveryId":null,
         "skipAntiflooding":false,
         "useCreationDate":false,
         "alertOwner":null,
         "fullExtraData":null,
         "alertType":"Analytics",
         "alertMitreTactics":"Initial+Access",
         "alertMitreTechniques":"Valid+Accounts",
         "alertPriority":"2",
         "alertDefinition":{
            "id":"1245",
            "creationDate":2342347000,
            "name":"SecAwsActivityFromLocation",
            "message":"",
            "description":"$action_count actions from $country, IP $entity_sourceIP",
            "categoryId":"35",
            "subcategory":"lib.my.test.SectOpse1",
            "subcategoryId":"35",
            "isActive":false,
            "isFavorite":false,
            "isAlertChain":false,
            "alertCorrelationContext":{
               "id":"37763",
               "nameId":"my.test_alert.test.SecAwsActivityFromLocation",
               "ownerEmail":"testuser@example.com",
               "querySourceCode":"some query",
               "priority":3,
               "correlationTrigger":{
                  "kind":"each",
                  "externalPeriod":6300000,
                  "externalOffset":0,
                  "internalPeriod":1200000,
                  "internalOffset":3500000
               }
            },
            "actionPolicyId":[

            ]
         },
         "allExtraDataFields":{
            "alertMitreTechniques":"Valid+Accounts",
            "eventSources":"%5Bsso.amazon-aws.com%5D",
            "country":"ES",
            "regions":"%5Bus-east-1%5D",
            "alertType":"Analytics",
            "alertMitreTactics":"Initial+Access",
            "city":"mumbai",
            "isp":"Telefo",
            "entity_sourceName":"null",
            "action_count":"5",
            "alertPriority":"2",
            "eventdate":"2022-11-04+08%3A00%3A00.0",
            "entity_sourceIP":"1.1.1",
            "collectiveDefense":"False",
            "uebaRiskScore":"null",
            "eventNames":"%5BFelesForApplication%5D"
         },
         "tags":null,
         "entities":null,
         "commentsList":null,
         "alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
      },
   "error":null,
   "has_error":false
}

Update Alert's Status

Update triggered alert status by ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Id

Jinja-templated text containing the alert Id

Required

Status

Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD)

Required

Output

JSON containing the following items:

...

Code Block
## Update Alert's Status in Bulk

Update triggered alert status in bulk.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description                                                                                                                                                                                                                                                                          | Required |
| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Ids        | [Jinja-templated](doc:jinja-template) text containing the comma seperated alert Ids.                                                                                                                                                                                                 | Required |
| Status     | [Jinja-templated](doc:jinja-template) text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |

### Output

JSON containing the following items:


``` {json}{
  "result": "updated successfully",
  "error": null,
  "has_error": false
}

Get All Annotations of the Indicated Alerts

Get all the annotations of the indicated alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Ids

Jinja-templated text containing the comma separated alert Ids.

Required

Output

JSON containing the following items:

...

Code Block
## Add an Annotation to an Alert

Add an annotation to a triggered alert.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name      | Description                                                                                           | Required |
| :-------------- | :---------------------------------------------------------------------------------------------------- | :------- |
| Comment Type    | [Jinja-templated](doc:jinja-template) text containing the comment type. Example: 'ALERT'/'REPLY'      | Required |
| Id              | [Jinja-templated](doc:jinja-template) text containing the alert Id for Alert or comment Id for Reply. | Required |
| Comment Message | [Jinja-templated](doc:jinja-template) text containing the comment message.                            | Required |
| Comment Title   | [Jinja-templated](doc:jinja-template) text containing the comment title.                              | Required |

### Output

JSON containing the following items:


``` {json}{
  "result": true,
  "error": null,
  "has_error": false
}

Update an Alert Annotation

Update a triggered alert annotation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Alert Id

Jinja-templated text containing the alert Id.

Required

Comment Id

Jinja-templated text containing the comment Id.

Required

Comment Type

Jinja-templated text containing the comment type.

Required

Comment Message

Jinja-templated text containing the comment message.

Required

Comment Title

Jinja-templated text containing the comment title.

Required

Output

JSON containing the following items:

...

Code Block
## Delete the Specified Alert Annotations

Delete the specified alert annotations.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                            | Required |
| :---------- | :------------------------------------------------------------------------------------- | :------- |
| Comment Ids | [Jinja-templated](doc:jinja-template) text containing the comma seperated comment Ids. | Required |

### Output

JSON containing the following items:


``` {json}{
  "result": true,
  "error": null,
  "has_error": false
}

Send a Single Event

Send Event to Devo instance. This action will send one event per row.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Devo Domain

Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName")

Required

Message Tag

Jinja-templated text containing the tag (i.e. event table) for messages sent to Devo

Required

Message

Jinja-templated text containing the message.

Required

Message Hostname

Jinja-templated text containing the hostname to use as message source.

Optional

Message Host IP

Jinja-templated text containing the hostname to use as message source.

Optional

Output

JSON containing the following items:

{json}{ "success": true, "error": null, "has_error": false }

Release Notes

  • v4.3.4- Jinja issue fixed in Send Events action.

  • v4.3.0- AddedMessage Host IPoptional input field inSend a Single EventandSend Events action.

  • v4.2.1 - Added Response type optional input field in Run Query action.

  • v4.1.0 - Added 1 new action: Send a Single Event.

  • v4.0.0 - Updated architecture to support IO via filesystem

  • v3.3.2 - Added 6 new actions: Update Alert's Status, Update Alert's Status in Bulk, Get All Annotations of the Indicated Alerts, Add an Annotation to an Alert, Update an Alert Annotation and Delete the Specified Alert Annotations.

  • v3.2.1 - Added 2 new actions: Get Triggered Alert and List Triggered Alerts.

...