Create Event Types
An event type specifies a query that you run to bring data into Devo SOAR for analysis and scoring. Event types can draw from any of the following source types:
Results of a query on an external source, such as Splunk, SumoLogic, or Elasticsearch.
Results from a step in a Devo SOAR playbook.
System events created by Devo SOAR to ingest data from activity in the Devo SOAR system. For more information, see System Event Types.
Note
To view or set up event types, you must be in a group that has Event Type permission. For more information, see Manage Users.
Before you Begin
If you're setting up an event based on a query to an external source, you must first set up a connection to the source. For instructions, see Create Connections.
Create an Event Type
To create an event type:
Select My Library > Event Types.
Click New. A New Event Type form opens up.
Enter the following details in the new event type form:
Name: Enter a name to identify the event type. The name can consist of alphanumeric characters and underscores ( _ ). The first character can't be a number.
Source: Click Playbook/Node to base the event type on a playbook step, or click Query to base the event type on a query to an external connection.
Connection: Enter or choose a connection from the drop-down.
Query: Enter a query for the connection.
Key Columns (Optional): Select a time range, or enter a custom date range, to run the query against. The columns returned for that range are loaded into Selected Columns. Choose the columns and click Save.
A new event type is successfully created.
The Event Types page opens to show the list of event types. Click an entry to edit the settings, or click the trash can icon to delete an entry.
The event type is now available for use when creating a playbook. When using Easy Mode to create a playbook, you can search for the event type by name and add it. See Create Playbooks in Easy Mode. In Advanced Mode, a playbook typically starts with an event type. See Create Playbooks in Advanced Mode.
Example: Elasticsearch
When you add an event type based on Elasticsearch 6 or Elasticsearch 7, the default query is filled in automatically:
select * from <index_name> where <timestamp_field> >= {{start_time}} and <timestamp_field> <= {{end_time}}
where:
<index_name> is the Elasticsearch index.
<timestamp_field> is the timestamp field.
{{start_time}} and {{end_time}} are placeholders for the playbook or batch start and end times.
Example:
select * from testindex where timestamp >= {{start_time}} and timestamp <= {{end_time}}
Alternatively, you can use the following Elasticsearch query DSL:
Note
Applicable to both Elasticsearch 6 and Elasticsearch 7.
Query
{
"bool":{
"must":{
"terms":{
"_index":[
"testindex"
]
}
},
"filter":{
"range":{
"timestamp":{
"gte": {{ start_time }},
"lte": {{ end_time }}
}
}
}
}
}
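The following Python is an added illustration and not Devo SOAR's own code. It renders both query forms above for one batch window and performs the check a practitioner wants before trusting the DSL form: the template is not valid JSON until the unquoted {{ start_time }} and {{ end_time }} placeholders have been replaced, so the rendered text is parsed to prove it. It also shows a consequence of the inclusive ">= start and <= end" bounds in the template: an event stamped exactly on a window boundary satisfies two adjacent batches. Assumptions: the placeholders expand to epoch milliseconds (a unit Elasticsearch date fields accept), the regex-based renderer is a stand-in for Devo SOAR's templating, and batch_windows advances each batch from the previous end, which the page does not specify.

```python
import json
import re
from datetime import datetime, timezone

# Constructed copies of the two Elasticsearch query forms from this page.
# Both carry the {{start_time}} / {{end_time}} placeholders that Devo SOAR
# fills with the playbook or batch window before the query runs.
SQL_QUERY = ("select * from testindex where timestamp >= {{start_time}} "
             "and timestamp <= {{end_time}}")

DSL_QUERY = """{
  "bool": {
    "must": {"terms": {"_index": ["testindex"]}},
    "filter": {"range": {"timestamp": {"gte": {{ start_time }}, "lte": {{ end_time }}}}}
  }
}"""

# Accept both spellings used on the page: {{start_time}} and {{ start_time }}.
PLACEHOLDER = re.compile(r"\{\{\s*(start_time|end_time)\s*\}\}")


def utc_ms(year, month, day, hour=0, minute=0, second=0):
    """Epoch milliseconds for a UTC instant. Assumption: this is the unit the
    placeholders expand to; Elasticsearch date fields accept it."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


def render(query, start_ms, end_ms):
    """Substitute the window placeholders (illustrative renderer, not Devo SOAR's)
    and refuse to return a query that still contains an unresolved placeholder."""
    values = {"start_time": str(start_ms), "end_time": str(end_ms)}
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], query)
    leftover = re.findall(r"\{\{[^{}]*\}\}", rendered)
    if leftover:
        raise ValueError(f"unresolved placeholders: {leftover}")
    return rendered


def render_dsl(query, start_ms, end_ms):
    """Render the query DSL form and parse it: the template is not valid JSON
    until the unquoted placeholders have been replaced by numbers."""
    return json.loads(render(query, start_ms, end_ms))


def batch_windows(first_start_ms, step_ms, count):
    """Consecutive (start, end) windows where each batch starts where the previous
    one ended. Assumption for illustration only; the page does not say how
    Devo SOAR advances the window between batches."""
    windows = []
    start = first_start_ms
    for _ in range(count):
        windows.append((start, start + step_ms))
        start += step_ms
    return windows


def matching_batches(windows, event_ms):
    """Number of windows whose inclusive '>= start and <= end' bounds, as in the
    page's template, admit an event with this timestamp."""
    return sum(1 for start, end in windows if start <= event_ms <= end)


if __name__ == "__main__":
    start, end = utc_ms(2024, 1, 1), utc_ms(2024, 1, 1, 0, 5)
    print(render(SQL_QUERY, start, end))
    print(json.dumps(render_dsl(DSL_QUERY, start, end)))
    windows = batch_windows(start, 5 * 60 * 1000, 3)
    # An event stamped exactly at the first boundary matches two batches.
    print(matching_batches(windows, end))
```

If your batches are scheduled back to back, check how the window boundaries are advanced before relying on the inclusive bounds in the default template; otherwise an event on the boundary can be scored twice.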
Example: Devo
When you add an event type based on Devo, the following default query is filled in automatically. You can accept or modify the query.
from all.data select *
Example: Directory
The JSON specification of the directory data source type has the following schema:
{
timestampColumn: Option[String] (optional name of the timestamp column)
timestampPattern: Option[String] (optional Java date/time format string)
additionalFiles: Array[String] (array of files constituting the data source)
extractAsRaw: Boolean (applicable ONLY to json file types - extract as json events with a message time field)
}
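As an added example that is not Devo SOAR's own validation, the Python below checks a directory data-source specification against the schema above before it is submitted, including the constraint that extractAsRaw applies only to json file types. Assumptions, labelled in the code: fields not marked Option[...] (additionalFiles and extractAsRaw) are treated as required, keys outside the schema are reported, and the sample specifications are constructed for illustration.

```python
# Field -> (expected Python type, optional?) following the schema above.
# Assumption: fields not marked Option[...] on the page are treated as required.
DIRECTORY_SPEC_FIELDS = {
    "timestampColumn": (str, True),    # Option[String]
    "timestampPattern": (str, True),   # Option[String], Java date/time format
    "additionalFiles": (list, False),  # Array[String]
    "extractAsRaw": (bool, False),     # Boolean, json file types only
}


def validate_directory_spec(spec):
    """Return a list of problems with a directory data-source spec (empty if OK).
    Illustrative checker, not Devo SOAR's own validation."""
    problems = []
    for key, (expected, optional) in DIRECTORY_SPEC_FIELDS.items():
        if key not in spec:
            if not optional:
                problems.append(f"missing required key {key!r}")
        elif not isinstance(spec[key], expected):
            problems.append(f"{key!r} must be of type {expected.__name__}")

    # Assumption: keys outside the schema are mistakes worth reporting.
    for key in spec:
        if key not in DIRECTORY_SPEC_FIELDS:
            problems.append(f"unknown key {key!r}")

    files = spec.get("additionalFiles")
    if isinstance(files, list):
        if not files:
            problems.append("'additionalFiles' must name at least one file")
        non_strings = [f for f in files if not isinstance(f, str)]
        if non_strings:
            problems.append(f"'additionalFiles' entries must be strings: {non_strings}")
        # extractAsRaw applies ONLY to json file types, per the schema.
        if spec.get("extractAsRaw") is True:
            non_json = [f for f in files
                        if isinstance(f, str) and not f.lower().endswith(".json")]
            if non_json:
                problems.append(f"'extractAsRaw' applies only to json files, not {non_json}")
    return problems


if __name__ == "__main__":
    # Constructed sample specification, not taken from a real deployment.
    sample = {
        "timestampColumn": "@timestamp",
        "timestampPattern": "yyyy-MM-dd'T'HH:mm:ss",
        "additionalFiles": ["auth.json", "proxy.csv"],
        "extractAsRaw": True,
    }
    for problem in validate_directory_spec(sample):
        print(problem)
```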
Manage Event Types
To manage your event types, go to the My Library > Event Types page. See Manage Content in your Library. For information on sharing event types with other users and groups, see Share Content from your Library.