Devo
Version: 4.0.0
Devo delivers real-time operational and business value from analytics on streaming and historical data to operations, IT, security and business teams.
Connect Devo with LogicHub
- Navigate to Automations > Integrations.
- Search for Devo.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: Devo server URL.
- Devo cloud URLs for these two regions:
- Permission: Select permission. Devo has different tokens for read and write access.
- API Token: API Token to connect to devo instance.
- This is the OAuth token. Make sure for read, it has permission to read all tables that is, the target table should be '***' and for write, Http Send should be allowed.
Actions for Devo
Run Query
Run query in Devo instance.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Templated Query | Templated Query to execute. | Required |
| Explode Results | Yes/No. Keep results in a single dict, or explode into separate rows? (default: No). | Required |
| Add Info Fields | Yes/No. Add information fields to output? (default: No). | Required |
| Start Time | Column name from the parent table to lookup value for start time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch start time). Note: Setting this time in the future will result in a slow query. | Optional |
| End Time | Column name from the parent table to lookup value for end time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch end time). | Optional |
| Event Time Range | Subtract a time range from end time to calculate a new start time (ignored if Start Time column provided above). Examples: 5m, 1h, 1d, or 0.5d. | Optional |
| Limit | Limit of rows to be returned (Default: 500, Max: 50000). | Optional |
Output
A JSON object containing multiple rows of result:
- Templated Query: from demo.ecommerce.data {{query}}
- Explode Results: No
- Add Info Fields: Yes
- Start Time: startT
- End Time: endT
- Limit: 10000
Send Events
Send Events to Devo instance. This action will send one event per row in the parent table.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Devo Domain | The name of your Devo domain Example: "[email protected]". | Required |
| Message Tag | Tag (event table) for messages sent to Devo. | Required |
| Message | Column Name from parent table containing the message. Default is all columns. | Optional |
| Message Hostname | Hostname to use as message source. | Optional |
Output
A JSON object containing multiple rows of result:
{"success": true, "error": null, "has_error": false}
List Triggered Alerts
List triggered Alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| From | Jinja-templated text containing the start time, expressed as epoch milliseconds (Default is Batch start time). Example: 1588676868908 | Optional |
| To | Jinja-templated text containing the end time, expressed as epoch milliseconds (Default is Batch end time). Example: 1588676868908 | Optional |
| Limit | Jinja-templated text containing the limit (Default is 500) | Optional |
| Offset | Jinja-templated text containing the offset (Default is 0) | Optional |
| Additional Params | Jinja-templated JSON containing the additional params to be passed in request. Values specified here will override other fields (if provided) | Optional |
Output
JSON containing the following items:
{
"result":[
{
"id":12123,
"domain":"test",
"priority":3,
"context":"my.test_alert.test.SecOpsAwsFromLocation",
"category":"my.context",
"srcPort":null,
"srcIp":null,
"srcHost":null,
"dstIp":null,
"dstPort":null,
"dstHost":null,
"protocol":null,
"username":null,
"application":null,
"engine":"cloud-custom-aws-eu-1s",
"extraData":"{\"data\":\"null\"}"
"alertDate":null,
"creationDate":null,
"status":0,
"ack_status_date":null,
"createDate":16623455423400,
"updateDate":null,
"scaled":false,
"digest":"33003299580asdffa788b1",
"uniquedigest":"e5a56asdfa1f23acdd32",
"contexto":null,
"postAlertAction":null,
"contextLabel":null,
"contextSubscription":null,
"shouldSend":false,
"recoveryId":null,
"skipAntiflooding":false,
"useCreationDate":false,
"alertOwner":null,
"fullExtraData":null,
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"alertMitreTechniques":"Valid+Accounts",
"alertPriority":"2",
"alertDefinition":{
"id":"1245",
"creationDate":2342347000,
"name":"SecAwsActivityFromLocation",
"message":"",
"description":"$action_count actions from $country, IP $entity_sourceIP",
"categoryId":"35",
"subcategory":"lib.my.test.SectOpse1",
"subcategoryId":"35",
"isActive":false,
"isFavorite":false,
"isAlertChain":false,
"alertCorrelationContext":{
"id":"37763",
"nameId":"my.test_alert.test.SecAwsActivityFromLocation",
"ownerEmail":"[email protected]",
"querySourceCode":"some query",
"priority":3,
"correlationTrigger":{
"kind":"each",
"externalPeriod":6300000,
"externalOffset":0,
"internalPeriod":1200000,
"internalOffset":3500000
}
},
"actionPolicyId":[
]
},
"allExtraDataFields":{
"alertMitreTechniques":"Valid+Accounts",
"eventSources":"%5Bsso.amazon-aws.com%5D",
"country":"ES",
"regions":"%5Bus-east-1%5D",
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"city":"mumbai",
"isp":"Telefo",
"entity_sourceName":"null",
"action_count":"5",
"alertPriority":"2",
"eventdate":"2022-11-04+08%3A00%3A00.0",
"entity_sourceIP":"1.1.1",
"collectiveDefense":"False",
"uebaRiskScore":"null",
"eventNames":"%5BFelesForApplication%5D"
},
"tags":null,
"entities":null,
"commentsList":null,
"alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
}
],
"error":null,
"has_error":false
}
Get Triggered Alert
Get triggered alert by its Id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Id | Jinja-templated text containing the alert Id | Required |
| Tag | Jinja-templated text containing the boolean tag (Default is 'true'). | Optional |
| Annotations | Jinja-templated text containing the boolean annotation (Default is 'true'). | Optional |
Output
JSON containing the following items:
{
"result":{
"id":12123,
"domain":"test",
"priority":3,
"context":"my.test_alert.test.SecOpsAwsFromLocation",
"category":"my.context",
"srcPort":null,
"srcIp":null,
"srcHost":null,
"dstIp":null,
"dstPort":null,
"dstHost":null,
"protocol":null,
"username":null,
"application":null,
"engine":"cloud-custom-aws-eu-1s",
"extraData":"{\"data\":\"null\"}"
"alertDate":null,
"creationDate":null,
"status":0,
"ack_status_date":null,
"createDate":16623455423400,
"updateDate":null,
"scaled":false,
"digest":"33003299580asdffa788b1",
"uniquedigest":"e5a56asdfa1f23acdd32",
"contexto":null,
"postAlertAction":null,
"contextLabel":null,
"contextSubscription":null,
"shouldSend":false,
"recoveryId":null,
"skipAntiflooding":false,
"useCreationDate":false,
"alertOwner":null,
"fullExtraData":null,
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"alertMitreTechniques":"Valid+Accounts",
"alertPriority":"2",
"alertDefinition":{
"id":"1245",
"creationDate":2342347000,
"name":"SecAwsActivityFromLocation",
"message":"",
"description":"$action_count actions from $country, IP $entity_sourceIP",
"categoryId":"35",
"subcategory":"lib.my.test.SectOpse1",
"subcategoryId":"35",
"isActive":false,
"isFavorite":false,
"isAlertChain":false,
"alertCorrelationContext":{
"id":"37763",
"nameId":"my.test_alert.test.SecAwsActivityFromLocation",
"ownerEmail":"[email protected]",
"querySourceCode":"some query",
"priority":3,
"correlationTrigger":{
"kind":"each",
"externalPeriod":6300000,
"externalOffset":0,
"internalPeriod":1200000,
"internalOffset":3500000
}
},
"actionPolicyId":[
]
},
"allExtraDataFields":{
"alertMitreTechniques":"Valid+Accounts",
"eventSources":"%5Bsso.amazon-aws.com%5D",
"country":"ES",
"regions":"%5Bus-east-1%5D",
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"city":"mumbai",
"isp":"Telefo",
"entity_sourceName":"null",
"action_count":"5",
"alertPriority":"2",
"eventdate":"2022-11-04+08%3A00%3A00.0",
"entity_sourceIP":"1.1.1",
"collectiveDefense":"False",
"uebaRiskScore":"null",
"eventNames":"%5BFelesForApplication%5D"
},
"tags":null,
"entities":null,
"commentsList":null,
"alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
},
"error":null,
"has_error":false
}
Update Alert's Status
Update triggered alert status by ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Id | Jinja-templated text containing the alert Id | Required |
| Status | Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Update Alert's Status in Bulk
Update triggered alert status in bulk.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Ids | Jinja-templated text containing the comma seperated alert Ids. | Required |
| Status | Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Get All Annotations of the Indicated Alerts
Get all the annotations of the indicated alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Ids | Jinja-templated text containing the comma separated alert Ids. | Required |
Output
JSON containing the following items:
{
"result": [
{
"idAlert": 1234,
"comments": [
{
"id": 43534,
"author": {
"id": 456746765,
"user": {
"id": "5sdfgsdfg13-dfg-4175-b14e-6dsfgdfg",
"email": "[email protected]",
"username": "ABC DEF",
"telephone": "",
"pwd": "**************",
"status": 0,
"validation_token": "**************",
"defaultDomain": null,
"updateDate": 1674473568000,
"creationDate": 1673343905000,
"otpSecret": "**************",
"loginAttempts": 0,
"recoveryAttempts": 0
},
"domain": {
"id": "7asdf0-9ac9-44dc-8457-asdff1d",
"name": "sandbox",
"status": 0,
"type": 13,
"updateDate": 1660758392000,
"creationDate": 1600427606000,
"subscribed": 1,
"daysLeft": 0,
"showLanding": true,
"reseller": {
"id": 68,
"name": "sandbox",
"preferences": null,
"contactInformation": null,
"pricePlans": null,
"updateDate": 1644340455000,
"creationDate": 1600372678000,
"permPolicy": null,
"menuView": "some json text",
"limits": null,
"groupId": null,
"webPreferences": null,
"authRestrictions": false
},
"groupId": null,
"alertsLastReseted": 1660758392000,
"authRestrictions": false
},
"lastTimeLogged": 1674456891000,
"status": 0,
"creationDate": 1673343905000,
"updateDate": 1674464652000,
"pwd": "**************",
"validationToken": "**************",
"roleCustom": null,
"rolesCustom": null,
"externalId": null,
"owner": false,
"alertsLastVisited": 1674464652000
},
"msg": "Hello",
"ack": "{\"ackUserList\":[\"5fasdf-26fe-4175-b14e-68aasdfc6\"]}",
"creationDate": 1674464131000,
"updateDate": 1674464131000,
"elementType": "alert",
"elementId": "134535234",
"domain": "domain detailed json",
"title": "Test",
"status": null,
"task": false
},
]
}
],
"error": null,
"has_error": false
}
Add an Annotation to an Alert
Add an annotation to a triggered alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Comment Type | Jinja-templated text containing the comment type. Example: 'ALERT'/'REPLY' | Required |
| Id | Jinja-templated text containing the alert Id for Alert or comment Id for Reply. | Required |
| Comment Message | Jinja-templated text containing the comment message. | Required |
| Comment Title | Jinja-templated text containing the comment title. | Required |
Output
JSON containing the following items:
{
"result": true,
"error": null,
"has_error": false
}
Update an Alert Annotation
Update a triggered alert annotation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert Id | Jinja-templated text containing the alert Id. | Required |
| Comment Id | Jinja-templated text containing the comment Id. | Required |
| Comment Type | Jinja-templated text containing the comment type. | Required |
| Comment Message | Jinja-templated text containing the comment message. | Required |
| Comment Title | Jinja-templated text containing the comment title. | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Delete the Specified Alert Annotations
Delete the specified alert annotations.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Comment Ids | Jinja-templated text containing the comma seperated comment Ids. | Required |
Output
JSON containing the following items:
{
"result": true,
"error": null,
"has_error": false
}
Release Notes
v4.0.0- Updated architecture to support IO via filesystemv3.3.2- Added 6 new actions:Update Alert's Status,Update Alert's Status in Bulk,Get All Annotations of the Indicated Alerts,Add an Annotation to an Alert,Update an Alert AnnotationandDelete the Specified Alert Annotations.v3.2.1- Added 2 new actions:Get Triggered AlertandList Triggered Alerts.
Updated 3 months ago