Devo
Version: 4.4.8
Devo delivers real-time operational and business value from analytics on streaming and historical data to operations, IT, security and business teams.
Connect Devo with LogicHub
- Navigate to Automations > Integrations.
- Search for Devo.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default: Verify SSL Certificate). Leave it enabled; with verification off, the API token is sent to whatever answers at the configured URL.
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: Devo server URL.
- Devo cloud URLs for these two regions:
- Permission: Select permission. Devo has different tokens for read and write access.
- API Token: API token used to connect to the Devo instance.
- This is the OAuth token. For read access it must be allowed to read every table the queries touch, that is, the token's target table should be '***'; for write access, Http Send must be allowed. Since Devo issues separate read and write tokens, create one connection per permission rather than a single token that can do both.
Actions for Devo
Run Query
Run query in Devo instance.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Templated Query | Templated Query to execute. | Required |
| Explode Results | Yes/No. Keep results in a single dict, or explode into separate rows? (default: No). | Required |
| Add Info Fields | Yes/No. Add information fields to output? (default: No). | Required |
| Start Time | Column name from the parent table from which to look up the value for the start time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch start time). Note: Setting this time in the future will result in a slow query. | Optional |
| End Time | Column name from the parent table from which to look up the value for the end time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch end time). | Optional |
| Event Time Range | Subtract a time range from end time to calculate a new start time (ignored if Start Time column provided above). Examples: 5m, 1h, 1d, or 0.5d. | Optional |
| Response Type | Select a value for response type (Default: 'JSON simple') | Optional |
| Limit | Limit of rows to be returned (Default: 500, Max: 50000). | Optional |
Output
A JSON object containing multiple rows of result.
Example input values for this action (a templated query over the demo.ecommerce.data table, with the time window read from the startT and endT columns of the parent table):
- Templated Query: from demo.ecommerce.data {{query}}
- Explode Results: No
- Add Info Fields: Yes
- Start Time: startT
- End Time: endT
- Limit: 10000
Whatever {{query}} expands to is placed into the query text verbatim, so only template in values the playbook controls.
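The following is an added example, not code from LogicHub or Devo. It implements the rules the Run Query input table states: End Time overrides the batch end time; Start Time overrides Event Time Range, which overrides the batch start time; Event Time Range accepts values such as 5m, 1h, 1d or 0.5d; Limit defaults to 500 and is capped at 50000; and `{{name}}` placeholders in Templated Query are expanded verbatim (an unknown placeholder is rejected instead of silently becoming empty text). The request-body field names (`query`, `from`, `to`, `limit`, `mode`) and the `json/simple` mode string are assumptions about the Devo query API that this page does not document.

```python
"""Resolve the Run Query time window, limit and templated query text."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_LIMIT = 500      # documented default
MAX_LIMIT = 50000        # documented maximum

_RANGE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([smhd])\s*$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def parse_event_time_range(text):
    """Turn '5m', '1h', '1d' or '0.5d' into a timedelta."""
    match = _RANGE_RE.match(text)
    if not match:
        raise ValueError(f"unsupported Event Time Range: {text!r}")
    value, unit = float(match.group(1)), match.group(2)
    return timedelta(seconds=value * _UNIT_SECONDS[unit])


def as_utc(value):
    """Accept a datetime or a '2017-05-22T10:00:00' string; naive values are UTC."""
    parsed = datetime.fromisoformat(value) if isinstance(value, str) else value
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def resolve_window(batch_start, batch_end, start_time=None, end_time=None,
                   event_time_range=None):
    """Apply the precedence rules from the input table: End Time beats batch end;
    Start Time beats Event Time Range, which beats batch start."""
    end = as_utc(end_time) if end_time else as_utc(batch_end)
    if start_time:
        start = as_utc(start_time)
    elif event_time_range:
        start = end - parse_event_time_range(event_time_range)
    else:
        start = as_utc(batch_start)
    if start > end:
        raise ValueError("start time is after end time")
    if start > datetime.now(timezone.utc):
        # The page warns that a future start time makes the query slow; refuse it.
        raise ValueError("start time is in the future; the query would stall")
    return start, end


def clamp_limit(limit=None):
    """Default 500, capped at 50000, as the Limit field documents."""
    if limit is None or str(limit).strip() == "":
        return DEFAULT_LIMIT
    value = int(limit)
    if value < 1:
        raise ValueError("limit must be positive")
    return min(value, MAX_LIMIT)


def render_template(template, variables):
    """Expand {{name}} placeholders verbatim; an unknown name is an error."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template variable {name!r} not provided")
        return str(variables[name])
    return _VAR_RE.sub(substitute, template)


def build_query_request(template, variables, batch_start, batch_end,
                        start_time=None, end_time=None, event_time_range=None,
                        limit=None, response_type="json/simple"):
    """Assemble a request body. Field names are an assumption about the Devo
    query API; only the action inputs are documented on this page."""
    start, end = resolve_window(batch_start, batch_end, start_time, end_time,
                                event_time_range)
    return {
        "query": render_template(template, variables),
        "from": int(start.timestamp()),
        "to": int(end.timestamp()),
        "limit": clamp_limit(limit),
        "mode": {"type": response_type},
    }
```

Because `render_template` inserts values without any quoting, the same caution applies as for the action itself: a column value taken from untrusted event data and templated into the query becomes part of the query.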

Send Events
Send Events to Devo instance. This action will send one event per row in the parent table.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | The name of your Devo domain. Example: "dev@CompanyName". | Required |
| Message Tag | Tag (event table) for messages sent to Devo. | Required |
| Message | Column Name from parent table containing the message. Default is all columns. | Optional |
| Message Hostname | Hostname to use as message source. | Optional |
| Message Host IP | Host IP to use as message source | Optional |
Output
A JSON object containing multiple rows of result:
{"success": true, "error": null, "has_error": false}
List Triggered Alerts
List triggered Alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| From | Jinja-templated text containing the start time, expressed as epoch milliseconds (Default is Batch start time). Example: 1588676868908 | Optional |
| To | Jinja-templated text containing the end time, expressed as epoch milliseconds (Default is Batch end time). Example: 1588676868908 | Optional |
| Limit | Jinja-templated text containing the limit (Default is 500) | Optional |
| Offset | Jinja-templated text containing the offset (Default is 0) | Optional |
| Additional Params | Jinja-templated JSON containing the additional params to be passed in request. Values specified here will override other fields (if provided) | Optional |
| Explode Results | Explode each result in a separate row. (Default is No) | Optional |
Output
JSON containing the following items:
{
"result":[
{
"id":12123,
"domain":"test",
"priority":3,
"context":"my.test_alert.test.SecOpsAwsFromLocation",
"category":"my.context",
"srcPort":null,
"srcIp":null,
"srcHost":null,
"dstIp":null,
"dstPort":null,
"dstHost":null,
"protocol":null,
"username":null,
"application":null,
"engine":"cloud-custom-aws-eu-1s",
"extraData":"{\"data\":\"null\"}",
"alertDate":null,
"creationDate":null,
"status":0,
"ack_status_date":null,
"createDate":16623455423400,
"updateDate":null,
"scaled":false,
"digest":"33003299580asdffa788b1",
"uniquedigest":"e5a56asdfa1f23acdd32",
"contexto":null,
"postAlertAction":null,
"contextLabel":null,
"contextSubscription":null,
"shouldSend":false,
"recoveryId":null,
"skipAntiflooding":false,
"useCreationDate":false,
"alertOwner":null,
"fullExtraData":null,
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"alertMitreTechniques":"Valid+Accounts",
"alertPriority":"2",
"alertDefinition":{
"id":"1245",
"creationDate":2342347000,
"name":"SecAwsActivityFromLocation",
"message":"",
"description":"$action_count actions from $country, IP $entity_sourceIP",
"categoryId":"35",
"subcategory":"lib.my.test.SectOpse1",
"subcategoryId":"35",
"isActive":false,
"isFavorite":false,
"isAlertChain":false,
"alertCorrelationContext":{
"id":"37763",
"nameId":"my.test_alert.test.SecAwsActivityFromLocation",
"ownerEmail":"[email protected]",
"querySourceCode":"some query",
"priority":3,
"correlationTrigger":{
"kind":"each",
"externalPeriod":6300000,
"externalOffset":0,
"internalPeriod":1200000,
"internalOffset":3500000
}
},
"actionPolicyId":[
]
},
"allExtraDataFields":{
"alertMitreTechniques":"Valid+Accounts",
"eventSources":"%5Bsso.amazon-aws.com%5D",
"country":"ES",
"regions":"%5Bus-east-1%5D",
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"city":"mumbai",
"isp":"Telefo",
"entity_sourceName":"null",
"action_count":"5",
"alertPriority":"2",
"eventdate":"2022-11-04+08%3A00%3A00.0",
"entity_sourceIP":"1.1.1",
"collectiveDefense":"False",
"uebaRiskScore":"null",
"eventNames":"%5BFelesForApplication%5D"
},
"tags":null,
"entities":null,
"commentsList":null,
"alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
}
],
"error":null,
"has_error":false
}
Get Triggered Alert
Get triggered alert by its Id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Id | Jinja-templated text containing the alert Id | Required |
| Tag | Jinja-templated text containing the boolean tag (Default is 'true'). | Optional |
| Annotations | Jinja-templated text containing the boolean annotation (Default is 'true'). | Optional |
Output
JSON containing the following items:
{
"result":{
"id":12123,
"domain":"test",
"priority":3,
"context":"my.test_alert.test.SecOpsAwsFromLocation",
"category":"my.context",
"srcPort":null,
"srcIp":null,
"srcHost":null,
"dstIp":null,
"dstPort":null,
"dstHost":null,
"protocol":null,
"username":null,
"application":null,
"engine":"cloud-custom-aws-eu-1s",
"extraData":"{\"data\":\"null\"}",
"alertDate":null,
"creationDate":null,
"status":0,
"ack_status_date":null,
"createDate":16623455423400,
"updateDate":null,
"scaled":false,
"digest":"33003299580asdffa788b1",
"uniquedigest":"e5a56asdfa1f23acdd32",
"contexto":null,
"postAlertAction":null,
"contextLabel":null,
"contextSubscription":null,
"shouldSend":false,
"recoveryId":null,
"skipAntiflooding":false,
"useCreationDate":false,
"alertOwner":null,
"fullExtraData":null,
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"alertMitreTechniques":"Valid+Accounts",
"alertPriority":"2",
"alertDefinition":{
"id":"1245",
"creationDate":2342347000,
"name":"SecAwsActivityFromLocation",
"message":"",
"description":"$action_count actions from $country, IP $entity_sourceIP",
"categoryId":"35",
"subcategory":"lib.my.test.SectOpse1",
"subcategoryId":"35",
"isActive":false,
"isFavorite":false,
"isAlertChain":false,
"alertCorrelationContext":{
"id":"37763",
"nameId":"my.test_alert.test.SecAwsActivityFromLocation",
"ownerEmail":"[email protected]",
"querySourceCode":"some query",
"priority":3,
"correlationTrigger":{
"kind":"each",
"externalPeriod":6300000,
"externalOffset":0,
"internalPeriod":1200000,
"internalOffset":3500000
}
},
"actionPolicyId":[
]
},
"allExtraDataFields":{
"alertMitreTechniques":"Valid+Accounts",
"eventSources":"%5Bsso.amazon-aws.com%5D",
"country":"ES",
"regions":"%5Bus-east-1%5D",
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"city":"mumbai",
"isp":"Telefo",
"entity_sourceName":"null",
"action_count":"5",
"alertPriority":"2",
"eventdate":"2022-11-04+08%3A00%3A00.0",
"entity_sourceIP":"1.1.1",
"collectiveDefense":"False",
"uebaRiskScore":"null",
"eventNames":"%5BFelesForApplication%5D"
},
"tags":null,
"entities":null,
"commentsList":null,
"alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
},
"error":null,
"has_error":false
}
Update Alert's Status
Update triggered alert status by ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Id | Jinja-templated text containing the alert Id | Required |
| Status | Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
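The following is an added example, not code from LogicHub or Devo; it serves both the List Triggered Alerts / Get Triggered Alert output shown above and the status codes in Update Alert's Status. The sample outputs show three things worth handling before an alert is triaged in a playbook: values inside `allExtraDataFields` are form-encoded (`+` for a space, `%5B`/`%5D` for the brackets around list values, `%3A` for a colon), the literal string `"null"` stands in for a missing value, and `extraData` is a JSON document embedded as a string. The code also validates the Jinja-rendered Status and Ids fields against the documented codes before they reach the API. The trimmed alert record at the bottom is constructed for the example in the shape of the page's sample; its IP address is a documentation-range placeholder.

```python
"""Normalise a Devo triggered alert and validate status-update inputs."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Status codes documented for the Update Alert's Status action.
ALERT_STATUS = {
    0: "UNREAD", 1: "UPDATED", 2: "FALSE POSITIVE", 100: "WATCHED",
    300: "CLOSED", 500: "REMINDER", 600: "RECOVERY", 700: "ANTI-FLOOD",
}


def parse_status(text):
    """Validate the Jinja-rendered Status field before it goes into a request."""
    try:
        code = int(str(text).strip())
    except ValueError:
        raise ValueError(f"status must be numeric, got {text!r}") from None
    if code not in ALERT_STATUS:
        raise ValueError(f"unknown status {code}; valid: {sorted(ALERT_STATUS)}")
    return code


def parse_ids(text):
    """Split the comma-separated Ids field into integers, rejecting anything else."""
    ids = []
    for item in str(text).split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"alert id {item!r} is not numeric")
        ids.append(int(item))
    if not ids:
        raise ValueError("no alert ids given")
    return ids


def decode_extra_field(value):
    """Decode one allExtraDataFields value: undo the form-encoding, map the
    string 'null' to None and turn a bracketed '[a, b]' into a list."""
    if value is None:
        return None
    text = unquote_plus(value)
    if text == "null":
        return None
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        return [part.strip() for part in inner.split(",")] if inner else []
    return text


def epoch_ms_to_iso(value):
    """Convert an epoch-milliseconds field such as createDate to ISO 8601 UTC."""
    if value is None:
        return None
    base = datetime.fromtimestamp(value // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=value % 1000)).isoformat()


def normalize_alert(alert):
    """Flatten the fields an analyst triages on into plain Python values."""
    extra = {key: decode_extra_field(val)
             for key, val in (alert.get("allExtraDataFields") or {}).items()}
    raw = alert.get("extraData")
    extra_data = json.loads(raw) if raw else {}   # JSON document stored as a string
    definition = alert.get("alertDefinition") or {}
    code = alert.get("status")
    return {
        "id": alert["id"],
        "context": alert.get("context"),
        "name": definition.get("name"),
        "status": ALERT_STATUS.get(code, f"UNKNOWN({code})"),
        "priority": alert.get("priority"),
        "created": epoch_ms_to_iso(alert.get("createDate")),
        "mitre_tactics": extra.get("alertMitreTactics"),
        "mitre_techniques": extra.get("alertMitreTechniques"),
        "source_ip": extra.get("entity_sourceIP"),
        "extra": extra,
        "extra_data": extra_data,
    }


# Constructed sample, trimmed to the fields used above; the encodings follow
# the List Triggered Alerts output on this page.
SAMPLE_ALERT = {
    "id": 12123,
    "context": "my.test_alert.test.SecOpsAwsFromLocation",
    "priority": 3,
    "status": 0,
    "createDate": 1662345542340,
    "extraData": "{\"data\":\"null\"}",
    "alertDefinition": {"name": "SecAwsActivityFromLocation"},
    "allExtraDataFields": {
        "alertMitreTactics": "Initial+Access",
        "alertMitreTechniques": "Valid+Accounts",
        "eventSources": "%5Bsso.amazon-aws.com%5D",
        "regions": "%5Bus-east-1%5D",
        "eventdate": "2022-11-04+08%3A00%3A00.0",
        "entity_sourceIP": "203.0.113.7",
        "uebaRiskScore": "null",
        "action_count": "5",
    },
}
```

`normalize_alert(SAMPLE_ALERT)` yields `mitre_tactics` of `Initial Access`, `eventSources` of `["sso.amazon-aws.com"]` and `uebaRiskScore` of `None`; feeding the raw strings into a lookup or a downstream SIEM rule without this decoding would compare against `Initial+Access` and `%5Bsso.amazon-aws.com%5D` instead.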
Update Alert's Status in Bulk
Update triggered alert status in bulk.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Ids | Jinja-templated text containing the comma-separated alert Ids. | Required |
| Status | Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Get All Annotations of the Indicated Alerts
Get all the annotations of the indicated alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Ids | Jinja-templated text containing the comma separated alert Ids. | Required |
Output
JSON containing the following items:
{
"result": [
{
"idAlert": 1234,
"comments": [
{
"id": 43534,
"author": {
"id": 456746765,
"user": {
"id": "5sdfgsdfg13-dfg-4175-b14e-6dsfgdfg",
"email": "[email protected]",
"username": "ABC DEF",
"telephone": "",
"pwd": "**************",
"status": 0,
"validation_token": "**************",
"defaultDomain": null,
"updateDate": 1674473568000,
"creationDate": 1673343905000,
"otpSecret": "**************",
"loginAttempts": 0,
"recoveryAttempts": 0
},
"domain": {
"id": "7asdf0-9ac9-44dc-8457-asdff1d",
"name": "sandbox",
"status": 0,
"type": 13,
"updateDate": 1660758392000,
"creationDate": 1600427606000,
"subscribed": 1,
"daysLeft": 0,
"showLanding": true,
"reseller": {
"id": 68,
"name": "sandbox",
"preferences": null,
"contactInformation": null,
"pricePlans": null,
"updateDate": 1644340455000,
"creationDate": 1600372678000,
"permPolicy": null,
"menuView": "some json text",
"limits": null,
"groupId": null,
"webPreferences": null,
"authRestrictions": false
},
"groupId": null,
"alertsLastReseted": 1660758392000,
"authRestrictions": false
},
"lastTimeLogged": 1674456891000,
"status": 0,
"creationDate": 1673343905000,
"updateDate": 1674464652000,
"pwd": "**************",
"validationToken": "**************",
"roleCustom": null,
"rolesCustom": null,
"externalId": null,
"owner": false,
"alertsLastVisited": 1674464652000
},
"msg": "Hello",
"ack": "{\"ackUserList\":[\"5fasdf-26fe-4175-b14e-68aasdfc6\"]}",
"creationDate": 1674464131000,
"updateDate": 1674464131000,
"elementType": "alert",
"elementId": "134535234",
"domain": "domain detailed json",
"title": "Test",
"status": null,
"task": false
}
]
}
],
"error": null,
"has_error": false
}
Add an Annotation to an Alert
Add an annotation to a triggered alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Comment Type | Jinja-templated text containing the comment type. Example: 'ALERT'/'REPLY' | Required |
| Id | Jinja-templated text containing the alert Id for Alert or comment Id for Reply. | Required |
| Comment Message | Jinja-templated text containing the comment message. | Required |
| Comment Title | Jinja-templated text containing the comment title. | Required |
Output
JSON containing the following items:
{
"result": true,
"error": null,
"has_error": false
}
Update an Alert Annotation
Update a triggered alert annotation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert Id | Jinja-templated text containing the alert Id. | Required |
| Comment Id | Jinja-templated text containing the comment Id. | Required |
| Comment Type | Jinja-templated text containing the comment type. | Required |
| Comment Message | Jinja-templated text containing the comment message. | Required |
| Comment Title | Jinja-templated text containing the comment title. | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Delete the Specified Alert Annotations
Delete the specified alert annotations.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Comment Ids | Jinja-templated text containing the comma-separated comment Ids. | Required |
Output
JSON containing the following items:
{
"result": true,
"error": null,
"has_error": false
}
Send a Single Event
Send Event to Devo instance. This action will send one event per row.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Message Tag | Jinja-templated text containing the tag (i.e. event table) for messages sent to Devo | Required |
| Message | Jinja-templated text containing the message. | Required |
| Message Hostname | Jinja-templated text containing the hostname to use as message source. | Optional |
| Message Host IP | Jinja-templated text containing the host IP to use as message source. | Optional |
Output
JSON containing the following items:
{
"success": true,
"error": null,
"has_error": false
}
List Lookups
Display information on the lookups existing on a given domain.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Additional Params | Jinja-templated JSON containing the additional params to be passed in the request. Example: {"owner": "some owner"} | Optional |
Output
JSON containing the following items:
{
"result":{
"type": "LookupMetaInfoListResponse",
"cid": "72078e04ee84",
"code": 200,
"context": null,
"id": "xxxxxxxxxx-0f74-11ee-b13b-4fc634871e5f",
"msg": "tutorial lookups.",
"lookups": [
{
"name": "Lookup_test_t",
"domain": "tutorial",
"fileSize": 12288,
"numEntries": 136,
"creationDate": "2023-03-15T13:45:57.63",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "domain",
"type": "str",
"key": true
},
{
"column": "CDNProvider",
"type": "str",
"key": false
}
],
"owner": "[email protected]"
},
{
"name": "CDN_Providers",
"domain": "tutorial",
"fileSize": 12288,
"numEntries": 136,
"creationDate": "2023-03-15T13:45:57.806",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "domain",
"type": "str",
"key": true
},
{
"column": "CDNProvider",
"type": "str",
"key": false
}
],
"shared": false,
"owner": "[email protected]"
},
{
"name": "test_101",
"domain": "tutorial",
"fileSize": 40960,
"numEntries": 307,
"creationDate": "2023-03-15T13:45:58.338",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "alertName",
"type": "str",
"key": true
},
{
"column": "alertType",
"type": "str",
"key": false
},
{
"column": "alertMitreTactics",
"type": "str",
"key": false
},
{
"column": "alertMitreTechniques",
"type": "str",
"key": false
},
{
"column": "alertPriority",
"type": "int4",
"key": false
}
],
"owner": "[email protected]"
},
{
"name": "d14022023api",
"domain": "tutorial",
"fileSize": 8192,
"numEntries": 1,
"creationDate": "2023-03-15T13:46:58.05",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "key",
"type": "int4",
"key": true
},
{
"column": "fbool",
"type": "bool",
"key": false
}
],
"owner": null
}
],
"nextPageToken": -1
},
"error": null,
"has_error":false
}
Get Lookup
Return information of a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupMetaInfoResponse",
"cid": "3c9bb672512c",
"code": 200,
"context": null,
"id": "xxxxxxxxx-0f75-11ee-b13b-636d49ade562",
"msg": "tutorial/test_101 meta information.",
"lookupMetaInfo": {
"name": "test_101",
"domain": "tutorial",
"fileSize": 40960,
"numEntries": 307,
"creationDate": "2023-03-15T13:45:58.14",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "alertName",
"type": "str",
"key": true
},
{
"column": "alertType",
"type": "str",
"key": false
},
{
"column": "alertMitreTactics",
"type": "str",
"key": false
},
{
"column": "alertMitreTechniques",
"type": "str",
"key": false
},
{
"column": "alertPriority",
"type": "int4",
"key": false
}
],
"owner": "[email protected]"
}
},
"error": null,
"has_error":false
}
Get Lookup Jobs
Get job UUIDs of a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Output
JSON containing the following items:
{
"result": {
"cid": "e47f4ab72ded",
"code": 200,
"context": null,
"id": "xxxxxxxx-e37c-11ed-b5ea-0242ac120002",
"msg": "Lookup job uuids",
"jobs": [
"xxxxxxx-c9a2-489c-8794-ea656a19b822",
"xxxxxxx-9714-48a7-9976-73e41523edfd",
"xxxxxxx-48a8-46ea-ab22-e0a5458e302b",
"xxxxxxx-ad7e-4fe6-bb43-89f93e629d76"
]
},
"error": null,
"has_error":false
}
Get Lookup Jobs Info
Get details of job for a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
| Lookup Job Id | Jinja-templated text containing the job Id of your lookup (e.g. "123456") | Required |
Output
JSON containing the following items:
{
"result": {
"cid": "e47f4ab72ded",
"code": 200,
"context": null,
"id": null,
"msg": "Lookup job's statuses",
"status": [
{
"eventdata": "2021-09-29T10:18:10.805",
"domain": "galactic_empire",
"lookup": "ImperialIntranetActivity",
"msg": "Lookup successfully created",
"code": "create.ok"
},
{
"eventdata": "2021-09-29T10:18:12.472",
"domain": "ImperialIntranetActivity",
"lookup": "test-schedule",
"msg": "Lookup ready to be executed",
"code": "deploy.ok"
}
]
},
"error": null,
"has_error":false
}
Create Lookup
Create a new lookup
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
| Lookup Body | Jinja-templated JSON containing the body of your lookup. Example : {"id":{"creator":"rebel_alliance","name":"TotallyNotFakeData"},"recipe":{"recipeType":"once","source":{"query":"select 0 as key, false as IsDataFake, 2147483647 as RebelsImprisoned, 9223372036854775807 as CreditsOnImperialBanks, hex4('fffffff') as Hex4Emperor, hex8('fffffffffffffff') as Hex8Vader, 2.718281828459045 as EmperorClones, 3.141592653589793 as Pi, 87.219.9.157 as EmperorIP4, ip6('fe80::4492:bc4b:7a53:c0d5') as EmperorIP6, 0m as TimeAfterBattleOfYavin from siem.logtrust.web.navigation where now()-1m < eventdate < now() limit 1"},"lookupType":{"type":"normal"},"append":false,"key":{"type":"column","column":"key"},"columnFilter":["key","IsDataFake","RebelsImprisoned","CreditsOnImperialBanks","Hex4Emperor","Hex8Vader","EmperorClones","Pi","EmperorIP4","EmperorIP6","TimeAfterBattleOfYavin"],"contribution":{"type":"add"},"requiresDate":false}} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d41c91a21d56",
"code": 201,
"context": null,
"id": "xxxxxx-2201-11ec-b04a-53c6289921cb",
"msg": "Lookup sent to creation",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": "creator-only",
"recipe": {
"type": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
}
}
}
},
"error": null,
"has_error":false
}
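The following is an added example, not code from LogicHub or Devo; it covers both Create Lookup (and the identically shaped Update Lookup body) and Get Lookup Jobs Info. Lookup creation is asynchronous: the creation call answers 201 with "Lookup sent to creation", and the job statuses reported later carry the codes `create.ok` and `deploy.ok` shown in the Get Lookup Jobs Info output. The code builds a Lookup Body in the layout of the example above, checks a rendered body before it is sent (the key column must be one of the columns in `columnFilter`), and orders the job statuses by their `eventdata` timestamp to decide whether the lookup is deployed. Treating any code other than those two as "not ready yet" is an assumption; the page lists no failure codes. The job result at the bottom is constructed for the example.

```python
"""Build a Devo lookup recipe body and interpret lookup job statuses."""
from datetime import datetime

LOOKUP_CREATED_CODE = "create.ok"   # from the Get Lookup Jobs Info sample
LOOKUP_READY_CODE = "deploy.ok"     # from the Get Lookup Jobs Info sample


def build_lookup_body(creator, name, query, key_column, columns,
                      append=False, requires_date=False):
    """Return a Lookup Body in the layout shown on this page. The key column
    must be exported by columnFilter or Devo has nothing to key the lookup on."""
    columns = list(columns)
    if not columns:
        raise ValueError("at least one column is required")
    if len(set(columns)) != len(columns):
        raise ValueError("duplicate names in columnFilter")
    if key_column not in columns:
        raise ValueError(f"key column {key_column!r} is not in columnFilter {columns}")
    if not query.strip():
        raise ValueError("query must not be empty")
    return {
        "id": {"creator": creator, "name": name},
        "recipe": {
            "recipeType": "once",
            "source": {"query": query},
            "lookupType": {"type": "normal"},
            "append": append,
            "key": {"type": "column", "column": key_column},
            "columnFilter": columns,
            "contribution": {"type": "add"},
            "requiresDate": requires_date,
        },
    }


def validate_lookup_body(body):
    """Check a Jinja-rendered body before sending it; returns (creator, name, key)."""
    try:
        creator = body["id"]["creator"]
        name = body["id"]["name"]
        recipe = body["recipe"]
        key = recipe["key"]["column"]
        columns = recipe["columnFilter"]
        query = recipe["source"]["query"]
    except (KeyError, TypeError) as exc:
        raise ValueError(f"lookup body is missing a required field: {exc}") from None
    if not isinstance(columns, list) or key not in columns:
        raise ValueError(f"key column {key!r} must appear in columnFilter")
    if not isinstance(query, str) or not query.strip():
        raise ValueError("source.query must be a non-empty string")
    return creator, name, key


def lookup_job_progress(result):
    """Order the Get Lookup Jobs Info statuses by time and report whether the
    lookup has been created and deployed. Other codes are returned for the
    caller to inspect (assumption: they mean the lookup is not ready)."""
    statuses = sorted(result.get("status") or [],
                      key=lambda entry: datetime.fromisoformat(entry["eventdata"]))
    codes = [entry["code"] for entry in statuses]
    return {
        "codes": codes,
        "created": LOOKUP_CREATED_CODE in codes,
        "ready": LOOKUP_READY_CODE in codes,
        "last_message": statuses[-1]["msg"] if statuses else None,
    }


# Constructed sample in the shape of the Get Lookup Jobs Info result, deliberately
# listed out of time order so the sort in lookup_job_progress matters.
SAMPLE_JOB_RESULT = {
    "code": 200,
    "msg": "Lookup job's statuses",
    "status": [
        {"eventdata": "2021-09-29T10:18:12.472", "domain": "galactic_empire",
         "lookup": "ImperialIntranetActivity",
         "msg": "Lookup ready to be executed", "code": "deploy.ok"},
        {"eventdata": "2021-09-29T10:18:10.805", "domain": "galactic_empire",
         "lookup": "ImperialIntranetActivity",
         "msg": "Lookup successfully created", "code": "create.ok"},
    ],
}
```

In a playbook the natural sequence is: build or validate the body, call Create Lookup, take the job id from the response, then poll Get Lookup Jobs Info until `lookup_job_progress(...)["ready"]` is true before any query depends on the lookup.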
Create Lookup From Static Query
Create a new lookup based on a static query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
| Lookup Body | Jinja-templated JSON containing the body of your lookup. Example : {"visibility":{"type":"creator-only"},"query":"select userid, domain from siem.logtrust.web.navigation where now()-1d < eventdate < now()","key":{"type":"column","column":"userid"},"keepHistory":false,"columnTimeReference":null} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d5ce4eb105b2",
"code": 201,
"context": null,
"id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
"msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": {
"type": "creator-only"
},
"recipe": {
"recipeType": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
},
"secondaryIndexes": {
"type": "none"
}
},
"notifyStatus": true
}
},
"error": null,
"has_error":false
}
Update Lookup
Update a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
| Lookup Body | Jinja-templated JSON containing the updated body of your lookup. Example : {"id":{"creator":"rebel_alliance","name":"TotallyNotFakeData"},"recipe":{"recipeType":"once","source":{"query":"select 0 as key, false as IsDataFake, 2147483647 as RebelsImprisoned, 9223372036854775807 as CreditsOnImperialBanks, hex4('fffffff') as Hex4Emperor, hex8('fffffffffffffff') as Hex8Vader, 2.718281828459045 as EmperorClones, 3.141592653589793 as Pi, 87.219.9.157 as EmperorIP4, ip6('fe80::4492:bc4b:7a53:c0d5') as EmperorIP6, 0m as TimeAfterBattleOfYavin from siem.logtrust.web.navigation where now()-1m < eventdate < now() limit 1"},"lookupType":{"type":"normal"},"append":false,"key":{"type":"column","column":"key"},"columnFilter":["key","IsDataFake","RebelsImprisoned","CreditsOnImperialBanks","Hex4Emperor","Hex8Vader","EmperorClones","Pi","EmperorIP4","EmperorIP6","TimeAfterBattleOfYavin"],"contribution":{"type":"add"},"requiresDate":false}} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d41c91a21d56",
"code": 201,
"context": null,
"id": "xxxxxx-2201-11ec-b04a-53c6289921cb",
"msg": "Lookup sent to creation",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": "creator-only",
"recipe": {
"type": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
}
}
}
},
"error": null,
"has_error":false
}
Update Lookup From Static Query
Update lookup based on a static query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
| Lookup Body | Jinja-templated JSON containing the updated body of your lookup. Example : {"visibility":{"type":"creator-only"},"query":"select userid, domain from siem.logtrust.web.navigation where now()-1d < eventdate < now()","key":{"type":"column","column":"userid"}} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d5ce4eb105b2",
"code": 201,
"context": null,
"id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
"msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": {
"type": "creator-only"
},
"recipe": {
"recipeType": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
},
"secondaryIndexes": {
"type": "none"
}
},
"notifyStatus": true
}
},
"error": null,
"has_error":false
}
Delete Lookup
Delete a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
| Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupDeletionResponse",
"cid": "f44f458f7c32",
"code": 200,
"context": null,
"id": "xxxxxx-5052-11ed-b24b-85c623a0cbd8",
"msg": "Lookup sent to deletion"
},
"error": null,
"has_error":false
}
Release Notes
- v4.4.8 - Bug fix: proper error message in case of invalid API token in Run Query.
- v4.4.4 - Added Time Zone optional field in Run Query action.
- v4.4.1 - Added new lookup actions: Get Lookup, Get Lookup Jobs, Get Lookup Jobs Info, Create Lookup, Create Lookup From Static Query, Update Lookup, Update Lookup From Static Query and Delete Lookup.
- v4.3.11 - Optimisation: Get Alert Definitions optimised to improve latency.
- v4.3.9 - Added Explode Results optional field in List Triggered Alerts action.
- v4.3.5 - Bug fix: JSON parsing error in Get Triggered Alert action.
- v4.3.4 - Jinja issue fixed in Send Events action.
- v4.3.0 - Added Message Host IP optional input field in Send a Single Event and Send Events actions.
- v4.2.1 - Added Response Type optional input field in Run Query action.
- v4.1.0 - Added 1 new action: Send a Single Event.
- v4.0.0 - Updated architecture to support IO via filesystem.
- v3.3.2 - Added 6 new actions: Update Alert's Status, Update Alert's Status in Bulk, Get All Annotations of the Indicated Alerts, Add an Annotation to an Alert, Update an Alert Annotation and Delete the Specified Alert Annotations.
- v3.2.1 - Added 2 new actions: Get Triggered Alert and List Triggered Alerts.