Devo

Version: 4.4.2

Devo delivers real-time operational and business value from analytics on streaming and historical data to operations, IT, security and business teams.

Connect Devo with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Devo.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: Devo server URL.
    • Permission: Select permission. Devo has different tokens for read and write access.
    • API Token: API token used to connect to the Devo instance.
      • This is the OAuth token. For read access, make sure it has permission to read all tables, that is, the target table should be '***'; for write access, Http Send should be allowed.

Actions for Devo

Run Query

Run a query in the Devo instance.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Templated Query (Required): Templated query to execute.
  • Explode Results (Required): Yes/No. Keep results in a single dict, or explode them into separate rows? (Default: No.)
  • Add Info Fields (Required): Yes/No. Add information fields to the output? (Default: No.)
  • Start Time (Optional): Column name from the parent table to look up the value for the start time (UTC). Example: 2017-05-22T10:00:00. (Default: batch start time.) Note: setting this time in the future will result in a slow query.
  • End Time (Optional): Column name from the parent table to look up the value for the end time (UTC). Example: 2017-05-22T10:00:00. (Default: batch end time.)
  • Event Time Range (Optional): Subtract a time range from the end time to calculate a new start time (ignored if a Start Time column is provided above). Examples: 5m, 1h, 1d, or 0.5d.
  • Response Type (Optional): Select a value for the response type. (Default: 'JSON simple'.)
  • Limit (Optional): Limit on the number of rows returned. (Default: 500, Max: 50000.)

Output

A JSON object containing multiple rows of result. Example input values for this action:

  • Templated Query: from demo.ecommerce.data {{query}}
  • Explode Results: No
  • Add Info Fields: Yes
  • Start Time: startT
  • End Time: endT
  • Limit: 10000
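To make the Start Time, End Time, Event Time Range and Limit rules above concrete, here is an added Python example (not LogicHub's or Devo's code) that resolves the query window the way the inputs describe and applies the Limit default and maximum. The batch window values and the worked 5m case are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import warnings

# Timestamp format shown in the Start Time / End Time examples (UTC, no offset suffix).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
# Units accepted in Event Time Range: the page lists 5m, 1h, 1d and 0.5d.
_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
DEFAULT_LIMIT = 500      # documented default for Limit
MAX_LIMIT = 50000        # documented maximum for Limit


def parse_time_range(text: str) -> timedelta:
    """Turn '5m', '1h', '1d' or '0.5d' into a timedelta (fractional values allowed)."""
    text = text.strip().lower()
    if len(text) < 2 or text[-1] not in _UNIT_SECONDS:
        raise ValueError(f"unsupported Event Time Range: {text!r}")
    value = float(text[:-1])              # ValueError on junk such as 'xh'
    if value <= 0:
        raise ValueError("Event Time Range must be positive")
    return timedelta(seconds=value * _UNIT_SECONDS[text[-1]])


def parse_utc(text: str) -> datetime:
    """Parse the page's timestamp format into a timezone-aware UTC datetime."""
    return datetime.strptime(text.strip(), TIME_FORMAT).replace(tzinfo=timezone.utc)


def resolve_window(batch_start: datetime, batch_end: datetime,
                   start_time: Optional[str] = None,
                   end_time: Optional[str] = None,
                   event_time_range: Optional[str] = None) -> Tuple[datetime, datetime]:
    """Apply the documented precedence and return (start, end) as aware UTC datetimes.

    End Time defaults to the batch end time. Start Time, when given, wins and
    Event Time Range is ignored; otherwise Event Time Range is subtracted from
    the end time; otherwise the batch start time is used.
    """
    end = parse_utc(end_time) if end_time else batch_end
    if start_time:
        start = parse_utc(start_time)
    elif event_time_range:
        start = end - parse_time_range(event_time_range)
    else:
        start = batch_start
    if start > end:
        raise ValueError(f"start {start.isoformat()} is after end {end.isoformat()}")
    if start > datetime.now(timezone.utc):
        # The page warns that a start time in the future makes the query slow.
        warnings.warn("Start Time lies in the future; Devo will run a slow query")
    return start, end


def clamp_limit(limit: Optional[int]) -> int:
    """Apply the Limit input's default (500) and maximum (50000)."""
    if limit is None:
        return DEFAULT_LIMIT
    if limit < 1:
        raise ValueError("Limit must be at least 1")
    return min(limit, MAX_LIMIT)


def query_window_example() -> Tuple[str, str, int]:
    """Worked case (constructed): batch window 09:00-10:00 UTC on 2017-05-22, Event Time Range 5m, Limit 10000."""
    batch_start = parse_utc("2017-05-22T09:00:00")
    batch_end = parse_utc("2017-05-22T10:00:00")
    start, end = resolve_window(batch_start, batch_end, event_time_range="5m")
    return start.strftime(TIME_FORMAT), end.strftime(TIME_FORMAT), clamp_limit(10000)


if __name__ == "__main__":
    print(query_window_example())   # ('2017-05-22T09:55:00', '2017-05-22T10:00:00', 10000)
```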

Send Events

Send Events to Devo instance. This action will send one event per row in the parent table.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): The name of your Devo domain. Example: "dev@CompanyName".
  • Message Tag (Required): Tag (event table) for messages sent to Devo.
  • Message (Optional): Column name from the parent table containing the message. Default is all columns.
  • Message Hostname (Optional): Hostname to use as the message source.
  • Message Host IP (Optional): Host IP to use as the message source.

Output

A JSON object reporting the result of the send:
{"success": true, "error": null, "has_error": false}

List Triggered Alerts

List triggered alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • From (Optional): Jinja-templated text containing the start time, expressed as epoch milliseconds (default is the batch start time). Example: 1588676868908.
  • To (Optional): Jinja-templated text containing the end time, expressed as epoch milliseconds (default is the batch end time). Example: 1588676868908.
  • Limit (Optional): Jinja-templated text containing the limit (default is 500).
  • Offset (Optional): Jinja-templated text containing the offset (default is 0).
  • Additional Params (Optional): Jinja-templated JSON containing additional params to be passed in the request. Values specified here override the other fields (if provided).
  • Explode Results (Optional): Explode each result into a separate row. (Default is No.)

Output

JSON containing the following items:

{
   "result":[
      {
         "id":12123,
         "domain":"test",
         "priority":3,
         "context":"my.test_alert.test.SecOpsAwsFromLocation",
         "category":"my.context",
         "srcPort":null,
         "srcIp":null,
         "srcHost":null,
         "dstIp":null,
         "dstPort":null,
         "dstHost":null,
         "protocol":null,
         "username":null,
         "application":null,
         "engine":"cloud-custom-aws-eu-1s",
         "extraData":"{\"data\":\"null\"}",
         "alertDate":null,
         "creationDate":null,
         "status":0,
         "ack_status_date":null,
         "createDate":16623455423400,
         "updateDate":null,
         "scaled":false,
         "digest":"33003299580asdffa788b1",
         "uniquedigest":"e5a56asdfa1f23acdd32",
         "contexto":null,
         "postAlertAction":null,
         "contextLabel":null,
         "contextSubscription":null,
         "shouldSend":false,
         "recoveryId":null,
         "skipAntiflooding":false,
         "useCreationDate":false,
         "alertOwner":null,
         "fullExtraData":null,
         "alertType":"Analytics",
         "alertMitreTactics":"Initial+Access",
         "alertMitreTechniques":"Valid+Accounts",
         "alertPriority":"2",
         "alertDefinition":{
            "id":"1245",
            "creationDate":2342347000,
            "name":"SecAwsActivityFromLocation",
            "message":"",
            "description":"$action_count actions from $country, IP $entity_sourceIP",
            "categoryId":"35",
            "subcategory":"lib.my.test.SectOpse1",
            "subcategoryId":"35",
            "isActive":false,
            "isFavorite":false,
            "isAlertChain":false,
            "alertCorrelationContext":{
               "id":"37763",
               "nameId":"my.test_alert.test.SecAwsActivityFromLocation",
               "ownerEmail":"testuser@example.com",
               "querySourceCode":"some query",
               "priority":3,
               "correlationTrigger":{
                  "kind":"each",
                  "externalPeriod":6300000,
                  "externalOffset":0,
                  "internalPeriod":1200000,
                  "internalOffset":3500000
               }
            },
            "actionPolicyId":[
               
            ]
         },
         "allExtraDataFields":{
            "alertMitreTechniques":"Valid+Accounts",
            "eventSources":"%5Bsso.amazon-aws.com%5D",
            "country":"ES",
            "regions":"%5Bus-east-1%5D",
            "alertType":"Analytics",
            "alertMitreTactics":"Initial+Access",
            "city":"mumbai",
            "isp":"Telefo",
            "entity_sourceName":"null",
            "action_count":"5",
            "alertPriority":"2",
            "eventdate":"2022-11-04+08%3A00%3A00.0",
            "entity_sourceIP":"1.1.1",
            "collectiveDefense":"False",
            "uebaRiskScore":"null",
            "eventNames":"%5BFelesForApplication%5D"
         },
         "tags":null,
         "entities":null,
         "commentsList":null,
         "alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
      }
   ],
   "error":null,
   "has_error":false
}

Get Triggered Alert

Get triggered alert by its Id.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Id (Required): Jinja-templated text containing the alert Id.
  • Tag (Optional): Jinja-templated text containing the boolean tag (default is 'true').
  • Annotations (Optional): Jinja-templated text containing the boolean annotation (default is 'true').

Output

JSON containing the following items:

{
   "result":{
         "id":12123,
         "domain":"test",
         "priority":3,
         "context":"my.test_alert.test.SecOpsAwsFromLocation",
         "category":"my.context",
         "srcPort":null,
         "srcIp":null,
         "srcHost":null,
         "dstIp":null,
         "dstPort":null,
         "dstHost":null,
         "protocol":null,
         "username":null,
         "application":null,
         "engine":"cloud-custom-aws-eu-1s",
         "extraData":"{\"data\":\"null\"}",
         "alertDate":null,
         "creationDate":null,
         "status":0,
         "ack_status_date":null,
         "createDate":16623455423400,
         "updateDate":null,
         "scaled":false,
         "digest":"33003299580asdffa788b1",
         "uniquedigest":"e5a56asdfa1f23acdd32",
         "contexto":null,
         "postAlertAction":null,
         "contextLabel":null,
         "contextSubscription":null,
         "shouldSend":false,
         "recoveryId":null,
         "skipAntiflooding":false,
         "useCreationDate":false,
         "alertOwner":null,
         "fullExtraData":null,
         "alertType":"Analytics",
         "alertMitreTactics":"Initial+Access",
         "alertMitreTechniques":"Valid+Accounts",
         "alertPriority":"2",
         "alertDefinition":{
            "id":"1245",
            "creationDate":2342347000,
            "name":"SecAwsActivityFromLocation",
            "message":"",
            "description":"$action_count actions from $country, IP $entity_sourceIP",
            "categoryId":"35",
            "subcategory":"lib.my.test.SectOpse1",
            "subcategoryId":"35",
            "isActive":false,
            "isFavorite":false,
            "isAlertChain":false,
            "alertCorrelationContext":{
               "id":"37763",
               "nameId":"my.test_alert.test.SecAwsActivityFromLocation",
               "ownerEmail":"testuser@example.com",
               "querySourceCode":"some query",
               "priority":3,
               "correlationTrigger":{
                  "kind":"each",
                  "externalPeriod":6300000,
                  "externalOffset":0,
                  "internalPeriod":1200000,
                  "internalOffset":3500000
               }
            },
            "actionPolicyId":[
               
            ]
         },
         "allExtraDataFields":{
            "alertMitreTechniques":"Valid+Accounts",
            "eventSources":"%5Bsso.amazon-aws.com%5D",
            "country":"ES",
            "regions":"%5Bus-east-1%5D",
            "alertType":"Analytics",
            "alertMitreTactics":"Initial+Access",
            "city":"mumbai",
            "isp":"Telefo",
            "entity_sourceName":"null",
            "action_count":"5",
            "alertPriority":"2",
            "eventdate":"2022-11-04+08%3A00%3A00.0",
            "entity_sourceIP":"1.1.1",
            "collectiveDefense":"False",
            "uebaRiskScore":"null",
            "eventNames":"%5BFelesForApplication%5D"
         },
         "tags":null,
         "entities":null,
         "commentsList":null,
         "alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
      },
   "error":null,
   "has_error":false
}

Update Alert's Status

Update triggered alert status by ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Id (Required): Jinja-templated text containing the alert Id.
  • Status (Required): Jinja-templated text containing the status. Must be one of the following numeric codes (the status each code corresponds to is shown next to it): 0 (UNREAD), 1 (UPDATED), 2 (FALSE POSITIVE), 100 (WATCHED), 300 (CLOSED), 500 (REMINDER), 600 (RECOVERY), 700 (ANTI-FLOOD).

Output

JSON containing the following items:

{
  "result": "updated successfully",
  "error": null,
  "has_error": false
}
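The triggered-alert records returned by List Triggered Alerts and Get Triggered Alert carry URL-encoded allExtraDataFields values, JSON nested inside the extraData string and a numeric status that the codes above name; this added Python example (not LogicHub's or Devo's code) decodes such a record and filters for alerts that still need attention. The sample alert is a constructed excerpt of the page's response, and the bracketed-list handling is an assumption.

```python
import json
from typing import Any, Dict, List
from urllib.parse import unquote_plus

# Numeric alert status codes and their meanings, as listed for the Update Alert's Status action.
STATUS_NAMES = {0: "UNREAD", 1: "UPDATED", 2: "FALSE POSITIVE", 100: "WATCHED",
                300: "CLOSED", 500: "REMINDER", 600: "RECOVERY", 700: "ANTI-FLOOD"}


def status_name(code: Any) -> str:
    """Map a numeric status to its documented name; unknown codes stay visible rather than crashing."""
    return STATUS_NAMES.get(code, f"UNKNOWN({code!r})")


def decode_extra_value(raw: str) -> Any:
    """URL-decode one allExtraDataFields value.

    '%5Bus-east-1%5D' becomes ['us-east-1'], 'Initial+Access' becomes 'Initial Access'
    and the literal string 'null' becomes None. Treating '[...]' as a comma-separated
    list is this example's assumption, based on the bracketed values in the sample.
    """
    text = unquote_plus(raw)
    if text == "null":
        return None
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        return [item.strip() for item in inner.split(",")] if inner else []
    return text


def decode_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one alert record into plain Python values an analyst or playbook can test against."""
    extra_data_raw = alert.get("extraData")
    try:
        extra_data = json.loads(extra_data_raw) if extra_data_raw is not None else None
    except json.JSONDecodeError:
        extra_data = extra_data_raw                  # keep the raw string if it is not JSON
    fields = {k: decode_extra_value(v) for k, v in (alert.get("allExtraDataFields") or {}).items()}
    return {
        "id": alert.get("id"),
        "context": alert.get("context"),
        "priority": alert.get("priority"),
        "status": status_name(alert.get("status")),
        "mitre_tactics": unquote_plus(alert.get("alertMitreTactics") or ""),
        "mitre_techniques": unquote_plus(alert.get("alertMitreTechniques") or ""),
        "extra_data": extra_data,
        "fields": fields,
    }


def decode_response(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Consume the action's output envelope: stop on has_error, otherwise decode every alert.

    List Triggered Alerts returns a list under result; Get Triggered Alert returns one object.
    """
    if response.get("has_error"):
        raise RuntimeError(f"Devo action failed: {response.get('error')}")
    result = response.get("result") or []
    if isinstance(result, dict):
        result = [result]
    return [decode_alert(alert) for alert in result]


def open_alerts(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Alerts that still need attention: those whose status is UNREAD or UPDATED."""
    return [a for a in decode_response(response) if a["status"] in ("UNREAD", "UPDATED")]


# Constructed excerpt of the sample alert shown on this page (values are the page's placeholders).
SAMPLE_ALERT = {
    "id": 12123,
    "context": "my.test_alert.test.SecOpsAwsFromLocation",
    "priority": 3,
    "status": 0,
    "extraData": "{\"data\":\"null\"}",
    "alertMitreTactics": "Initial+Access",
    "alertMitreTechniques": "Valid+Accounts",
    "allExtraDataFields": {
        "eventSources": "%5Bsso.amazon-aws.com%5D",
        "country": "ES",
        "regions": "%5Bus-east-1%5D",
        "city": "mumbai",
        "action_count": "5",
        "eventdate": "2022-11-04+08%3A00%3A00.0",
        "entity_sourceIP": "1.1.1",
        "uebaRiskScore": "null",
    },
}
# Constructed two-alert response: the sample alert plus a closed copy of it.
SAMPLE_RESPONSE = {"result": [SAMPLE_ALERT, dict(SAMPLE_ALERT, id=12124, status=300)],
                   "error": None, "has_error": False}

if __name__ == "__main__":
    for alert in open_alerts(SAMPLE_RESPONSE):
        print(alert["id"], alert["status"], alert["fields"]["regions"], alert["mitre_tactics"])
```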

Update Alert's Status in Bulk

Update triggered alert status in bulk.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Ids (Required): Jinja-templated text containing the comma-separated alert Ids.
  • Status (Required): Jinja-templated text containing the status. Must be one of the following numeric codes (the status each code corresponds to is shown next to it): 0 (UNREAD), 1 (UPDATED), 2 (FALSE POSITIVE), 100 (WATCHED), 300 (CLOSED), 500 (REMINDER), 600 (RECOVERY), 700 (ANTI-FLOOD).

Output

JSON containing the following items:

{
  "result": "updated successfully",
  "error": null,
  "has_error": false
}

Get All Annotations of the Indicated Alerts

Get all the annotations of the indicated alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Ids (Required): Jinja-templated text containing the comma-separated alert Ids.

Output

JSON containing the following items:

{
  "result": [
    {
      "idAlert": 1234,
      "comments": [
        {
          "id": 43534,
          "author": {
            "id": 456746765,
            "user": {
              "id": "5sdfgsdfg13-dfg-4175-b14e-6dsfgdfg",
              "email": "abc.def@devo.com",
              "username": "ABC DEF",
              "telephone": "",
              "pwd": "**************",
              "status": 0,
              "validation_token": "**************",
              "defaultDomain": null,
              "updateDate": 1674473568000,
              "creationDate": 1673343905000,
              "otpSecret": "**************",
              "loginAttempts": 0,
              "recoveryAttempts": 0
            },
            "domain": {
              "id": "7asdf0-9ac9-44dc-8457-asdff1d",
              "name": "sandbox",
              "status": 0,
              "type": 13,
              "updateDate": 1660758392000,
              "creationDate": 1600427606000,
              "subscribed": 1,
              "daysLeft": 0,
              "showLanding": true,
              "reseller": {
                "id": 68,
                "name": "sandbox",
                "preferences": null,
                "contactInformation": null,
                "pricePlans": null,
                "updateDate": 1644340455000,
                "creationDate": 1600372678000,
                "permPolicy": null,
                "menuView": "some json text",
                "limits": null,
                "groupId": null,
                "webPreferences": null,
                "authRestrictions": false
              },
              "groupId": null,
              "alertsLastReseted": 1660758392000,
              "authRestrictions": false
            },
            "lastTimeLogged": 1674456891000,
            "status": 0,
            "creationDate": 1673343905000,
            "updateDate": 1674464652000,
            "pwd": "**************",
            "validationToken": "**************",
            "roleCustom": null,
            "rolesCustom": null,
            "externalId": null,
            "owner": false,
            "alertsLastVisited": 1674464652000
          },
          "msg": "Hello",
          "ack": "{\"ackUserList\":[\"5fasdf-26fe-4175-b14e-68aasdfc6\"]}",
          "creationDate": 1674464131000,
          "updateDate": 1674464131000,
          "elementType": "alert",
          "elementId": "134535234",
          "domain": "domain detailed json",
          "title": "Test",
          "status": null,
          "task": false
        }
      ]
    }
  ],
  "error": null,
  "has_error": false
}

Add an Annotation to an Alert

Add an annotation to a triggered alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Comment Type (Required): Jinja-templated text containing the comment type. Example: 'ALERT' or 'REPLY'.
  • Id (Required): Jinja-templated text containing the alert Id (for comment type ALERT) or the comment Id (for REPLY).
  • Comment Message (Required): Jinja-templated text containing the comment message.
  • Comment Title (Required): Jinja-templated text containing the comment title.

Output

JSON containing the following items:

{
  "result": true,
  "error": null,
  "has_error": false
}

Update an Alert Annotation

Update a triggered alert annotation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Alert Id (Required): Jinja-templated text containing the alert Id.
  • Comment Id (Required): Jinja-templated text containing the comment Id.
  • Comment Type (Required): Jinja-templated text containing the comment type.
  • Comment Message (Required): Jinja-templated text containing the comment message.
  • Comment Title (Required): Jinja-templated text containing the comment title.

Output

JSON containing the following items:

{
  "result": "updated successfully",
  "error": null,
  "has_error": false
}

Delete the Specified Alert Annotations

Delete the specified alert annotations.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Comment Ids (Required): Jinja-templated text containing the comma-separated comment Ids.

Output

JSON containing the following items:

{
  "result": true,
  "error": null,
  "has_error": false
}

Send a Single Event

Send Event to Devo instance. This action will send one event per row.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Message Tag (Required): Jinja-templated text containing the tag (i.e. the event table) for messages sent to Devo.
  • Message (Required): Jinja-templated text containing the message.
  • Message Hostname (Optional): Jinja-templated text containing the hostname to use as the message source.
  • Message Host IP (Optional): Jinja-templated text containing the host IP to use as the message source.

Output

JSON containing the following items:

{
  "success": true,
  "error": null,
  "has_error": false
}

List Lookups

Display information on the lookups existing on a given domain.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Additional Params (Optional): Jinja-templated JSON containing additional params to be passed in the request. Example: {"owner": "some owner"}.

Output

JSON containing the following items:

{
"result":{
  "type": "LookupMetaInfoListResponse",
  "cid": "72078e04ee84",
  "code": 200,
  "context": null,
  "id": "xxxxxxxxxx-0f74-11ee-b13b-4fc634871e5f",
  "msg": "tutorial lookups.",
  "lookups": [
    {
      "name": "Lookup_test_t",
      "domain": "tutorial",
      "fileSize": 12288,
      "numEntries": 136,
      "creationDate": "2023-03-15T13:45:57.63",
      "keyType": {
        "type": "first",
        "columns": null,
        "hasher": null
      },
      "deployConfig": null,
      "lastStatus": null,
      "fields": [
        {
          "column": "domain",
          "type": "str",
          "key": true
        },
        {
          "column": "CDNProvider",
          "type": "str",
          "key": false
        }
      ],
      "owner": "user@devo.com"
    },
    {
      "name": "CDN_Providers",
      "domain": "tutorial",
      "fileSize": 12288,
      "numEntries": 136,
      "creationDate": "2023-03-15T13:45:57.806",
      "keyType": {
        "type": "first",
        "columns": null,
        "hasher": null
      },
      "deployConfig": null,
      "lastStatus": null,
      "fields": [
        {
          "column": "domain",
          "type": "str",
          "key": true
        },
        {
          "column": "CDNProvider",
          "type": "str",
          "key": false
        }
      ],
      "shared": false,
      "owner": "user@devo.com"
    },
    {
      "name": "test_101",
      "domain": "tutorial",
      "fileSize": 40960,
      "numEntries": 307,
      "creationDate": "2023-03-15T13:45:58.338",
      "keyType": {
        "type": "first",
        "columns": null,
        "hasher": null
      },
      "deployConfig": null,
      "lastStatus": null,
      "fields": [
        {
          "column": "alertName",
          "type": "str",
          "key": true
        },
        {
          "column": "alertType",
          "type": "str",
          "key": false
        },
        {
          "column": "alertMitreTactics",
          "type": "str",
          "key": false
        },
        {
          "column": "alertMitreTechniques",
          "type": "str",
          "key": false
        },
        {
          "column": "alertPriority",
          "type": "int4",
          "key": false
        }
      ],
      "owner": "user@devo.com"
    },
    {
      "name": "d14022023api",
      "domain": "tutorial",
      "fileSize": 8192,
      "numEntries": 1,
      "creationDate": "2023-03-15T13:46:58.05",
      "keyType": {
        "type": "first",
        "columns": null,
        "hasher": null
      },
      "deployConfig": null,
      "lastStatus": null,
      "fields": [
        {
          "column": "key",
          "type": "int4",
          "key": true
        },
        {
          "column": "fbool",
          "type": "bool",
          "key": false
        }
      ],
      "owner": null
    }
  ],
  "nextPageToken": -1
},
"error": null,
"has_error": false
}

Get Lookup

Return information of a specific lookup.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Lookup Name (Required): Jinja-templated text containing the name of your lookup (e.g. "myLookup").

Output

JSON containing the following items:

{
"result": {
  "type": "LookupMetaInfoResponse",
  "cid": "3c9bb672512c",
  "code": 200,
  "context": null,
  "id": "xxxxxxxxx-0f75-11ee-b13b-636d49ade562",
  "msg": "tutorial/test_101 meta information.",
  "lookupMetaInfo": {
    "name": "test_101",
    "domain": "tutorial",
    "fileSize": 40960,
    "numEntries": 307,
    "creationDate": "2023-03-15T13:45:58.14",
    "keyType": {
      "type": "first",
      "columns": null,
      "hasher": null
    },
    "deployConfig": null,
    "lastStatus": null,
    "fields": [
      {
        "column": "alertName",
        "type": "str",
        "key": true
      },
      {
        "column": "alertType",
        "type": "str",
        "key": false
      },
      {
        "column": "alertMitreTactics",
        "type": "str",
        "key": false
      },
      {
        "column": "alertMitreTechniques",
        "type": "str",
        "key": false
      },
      {
        "column": "alertPriority",
        "type": "int4",
        "key": false
      }
    ],
    "owner": "user@devo.com"
  }
},
"error": null,
"has_error": false
}

Get Lookup Jobs

Get job UUIDs of a specific lookup.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Lookup Name (Required): Jinja-templated text containing the name of your lookup (e.g. "myLookup").

Output

JSON containing the following items:

{
"result": {
  "cid": "e47f4ab72ded",
  "code": 200,
  "context": null,
  "id": "xxxxxxxx-e37c-11ed-b5ea-0242ac120002",
  "msg": "Lookup job uuids",
  "jobs": [
    "xxxxxxx-c9a2-489c-8794-ea656a19b822",
    "xxxxxxx-9714-48a7-9976-73e41523edfd",
    "xxxxxxx-48a8-46ea-ab22-e0a5458e302b",
    "xxxxxxx-ad7e-4fe6-bb43-89f93e629d76"
  ]
},
"error": null,
"has_error": false
}

Get Lookup Jobs Info

Get the details of a job for a specific lookup.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Lookup Name (Required): Jinja-templated text containing the name of your lookup (e.g. "myLookup").
  • Lookup Job Id (Required): Jinja-templated text containing the job Id of your lookup (e.g. "123456").

Output

JSON containing the following items:

{
"result": {
  "cid": "e47f4ab72ded",
  "code": 200,
  "context": null,
  "id": null,
  "msg": "Lookup job's statuses",
  "status": [
    {
      "eventdata": "2021-09-29T10:18:10.805",
      "domain": "galactic_empire",
      "lookup": "ImperialIntranetActivity",
      "msg": "Lookup successfully created",
      "code": "create.ok"
    },
    {
      "eventdata": "2021-09-29T10:18:12.472",
      "domain": "ImperialIntranetActivity",
      "lookup": "test-schedule",
      "msg": "Lookup ready to be executed",
      "code": "deploy.ok"
    }
  ]
},
"error": null,
"has_error": false
}

Create Lookup

Create a new lookup.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Lookup Name (Required): Jinja-templated text containing the name of your lookup (e.g. "myLookup").
  • Lookup Body (Required): Jinja-templated JSON containing the body of your lookup. Example: {"id":{"creator":"rebel_alliance","name":"TotallyNotFakeData"},"recipe":{"recipeType":"once","source":{"query":"select 0 as key, false as IsDataFake, 2147483647 as RebelsImprisoned, 9223372036854775807 as CreditsOnImperialBanks, hex4('fffffff') as Hex4Emperor, hex8('fffffffffffffff') as Hex8Vader, 2.718281828459045 as EmperorClones, 3.141592653589793 as Pi, 87.219.9.157 as EmperorIP4, ip6('fe80::4492:bc4b:7a53:c0d5') as EmperorIP6, 0m as TimeAfterBattleOfYavin from siem.logtrust.web.navigation where now()-1m < eventdate < now() limit 1"},"lookupType":{"type":"normal"},"append":false,"key":{"type":"column","column":"key"},"columnFilter":["key","IsDataFake","RebelsImprisoned","CreditsOnImperialBanks","Hex4Emperor","Hex8Vader","EmperorClones","Pi","EmperorIP4","EmperorIP6","TimeAfterBattleOfYavin"],"contribution":{"type":"add"},"requiresDate":false}}

Output

JSON containing the following items:

{
"result": {
  "type": "LookupCreationResponse",
  "cid": "d41c91a21d56",
  "code": 201,
  "context": null,
  "id": "xxxxxx-2201-11ec-b04a-53c6289921cb",
  "msg": "Lookup sent to creation",
  "lookupDeployConfig": {
    "id": {
      "creator": "rebel_alliance",
      "name": "GalacticEmpireActivity"
    },
    "visibility": "creator-only",
    "recipe": {
      "type": "once",
      "source": {
        "query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
      },
      "lookupType": {
        "type": "normal"
      },
      "append": false,
      "key": {
        "type": "column",
        "column": "key"
      },
      "columnFilter": [
        "eventdate",
        "level",
        "domain",
        "userid",
        "sessionid",
        "correlationId"
      ],
      "contribution": {
        "type": "add"
      }
    }
  }
},
"error": null,
"has_error": false
}

Create Lookup From Static Query

Create a new lookup based on a static query.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Lookup Name (Required): Jinja-templated text containing the name of your lookup (e.g. "myLookup").
  • Lookup Body (Required): Jinja-templated JSON containing the body of your lookup. Example: {"visibility":{"type":"creator-only"},"query":"select userid, domain from siem.logtrust.web.navigation where now()-1d < eventdate < now()","key":{"type":"column","column":"userid"},"keepHistory":false,"columnTimeReference":null}

Output

JSON containing the following items:

{
"result": {
  "type": "LookupCreationResponse",
  "cid": "d5ce4eb105b2",
  "code": 201,
  "context": null,
  "id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
  "msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
  "lookupDeployConfig": {
    "id": {
      "creator": "rebel_alliance",
      "name": "GalacticEmpireActivity"
    },
    "visibility": {
      "type": "creator-only"
    },
    "recipe": {
      "recipeType": "once",
      "source": {
        "query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
      },
      "lookupType": {
        "type": "normal"
      },
      "append": false,
      "key": {
        "type": "column",
        "column": "key"
      },
      "columnFilter": [
        "eventdate",
        "level",
        "domain",
        "userid",
        "sessionid",
        "correlationId"
      ],
      "contribution": {
        "type": "add"
      },
      "secondaryIndexes": {
        "type": "none"
      }
    },
    "notifyStatus": true
  }
},
"error": null,
"has_error": false
}

Update Lookup

Update a specific lookup.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Devo Domain (Required): Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName").
  • Lookup Name (Required): Jinja-templated text containing the name of your lookup (e.g. "myLookup").
  • Lookup Body (Required): Jinja-templated JSON containing the updated body of your lookup. Example: {"id":{"creator":"rebel_alliance","name":"TotallyNotFakeData"},"recipe":{"recipeType":"once","source":{"query":"select 0 as key, false as IsDataFake, 2147483647 as RebelsImprisoned, 9223372036854775807 as CreditsOnImperialBanks, hex4('fffffff') as Hex4Emperor, hex8('fffffffffffffff') as Hex8Vader, 2.718281828459045 as EmperorClones, 3.141592653589793 as Pi, 87.219.9.157 as EmperorIP4, ip6('fe80::4492:bc4b:7a53:c0d5') as EmperorIP6, 0m as TimeAfterBattleOfYavin from siem.logtrust.web.navigation where now()-1m < eventdate < now() limit 1"},"lookupType":{"type":"normal"},"append":false,"key":{"type":"column","column":"key"},"columnFilter":["key","IsDataFake","RebelsImprisoned","CreditsOnImperialBanks","Hex4Emperor","Hex8Vader","EmperorClones","Pi","EmperorIP4","EmperorIP6","TimeAfterBattleOfYavin"],"contribution":{"type":"add"},"requiresDate":false}}

Output

JSON containing the following items:

{
"result": {
  "type": "LookupCreationResponse",
  "cid": "d41c91a21d56",
  "code": 201,
  "context": null,
  "id": "xxxxxx-2201-11ec-b04a-53c6289921cb",
  "msg": "Lookup sent to creation",
  "lookupDeployConfig": {
    "id": {
      "creator": "rebel_alliance",
      "name": "GalacticEmpireActivity"
    },
    "visibility": "creator-only",
    "recipe": {
      "type": "once",
      "source": {
        "query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
      },
      "lookupType": {
        "type": "normal"
      },
      "append": false,
      "key": {
        "type": "column",
        "column": "key"
      },
      "columnFilter": [
        "eventdate",
        "level",
        "domain",
        "userid",
        "sessionid",
        "correlationId"
      ],
      "contribution": {
        "type": "add"
      }
    }
  }
},
"error": null,
"has_error":false,
}

Update Lookup From Static Query

Update a lookup based on a static query.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required
Lookup Body | Jinja-templated JSON containing the updated body of your lookup. Example: {"visibility":{"type":"creator-only"},"query":"select userid, domain from siem.logtrust.web.navigation where now()-1d < eventdate < now()","key":{"type":"column","column":"userid"}} | Required
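Because the Lookup Body is Jinja-templated, any value that reaches it from an upstream table (an alert field, an analyst-typed name) is pasted into both a JSON document and a LINQ query. The following added example, which is not part of the LogicHub integration or Devo's own code, shows one way to build that body safely: validate every identifier against a conservative pattern (the patterns, the window format and the function names are assumptions made for this example), assemble the query only from validated parts, and serialise with json.dumps instead of string concatenation. The same approach applies to the full recipe body used by Update Lookup.

```python
import json
import re

# Identifier rules used by this example. They are an assumption: Devo's own
# naming rules for tables, columns and time windows may be broader, but anything
# outside these patterns is rejected rather than interpolated into the query.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_TABLE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+")
_WINDOW = re.compile(r"[1-9][0-9]*[smhd]")


def build_static_query_lookup_body(table, columns, key_column, window="1d",
                                   visibility="creator-only"):
    """Return the Lookup Body (as a dict) for Update Lookup From Static Query.

    Every identifier is validated before it is placed in the LINQ query; the
    caller serialises the dict with render_lookup_body() instead of pasting
    Jinja variables into a JSON literal, so a hostile value cannot add clauses
    to the query or break the JSON.
    """
    if not _TABLE.fullmatch(table):
        raise ValueError(f"invalid table name: {table!r}")
    if not columns or not all(_IDENT.fullmatch(c) for c in columns):
        raise ValueError(f"invalid column list: {columns!r}")
    if len(set(columns)) != len(columns):
        raise ValueError("duplicate column in column list")
    if key_column not in columns:
        raise ValueError(f"key column {key_column!r} is not among the selected columns")
    if not _WINDOW.fullmatch(window):
        raise ValueError(f"invalid time window: {window!r}")

    query = (f"select {', '.join(columns)} from {table} "
             f"where now()-{window} < eventdate < now()")
    return {
        "visibility": {"type": visibility},
        "query": query,
        "key": {"type": "column", "column": key_column},
    }


def render_lookup_body(body):
    """Serialise the body exactly as it is pasted into the Lookup Body field."""
    return json.dumps(body, separators=(",", ":"))


def lookup_body_or_none(table, columns, key_column, window="1d"):
    """Convenience wrapper for playbook use: None when validation fails."""
    try:
        return build_static_query_lookup_body(table, columns, key_column, window)
    except ValueError:
        return None


if __name__ == "__main__":
    # Reproduces the example body from the Update Lookup From Static Query table.
    body = build_static_query_lookup_body(
        "siem.logtrust.web.navigation", ["userid", "domain"], "userid")
    print(render_lookup_body(body))
    # A "column" carrying extra LINQ is refused instead of being interpolated.
    print(lookup_body_or_none("siem.logtrust.web.navigation",
                              ["userid from siem.logtrust.web.activity where 1=1"],
                              "userid"))
```

Rendering the dict produces, byte for byte, the example body shown in the table above; a column or table value that carries anything beyond a plain identifier is rejected before it can reach the query.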

Output

JSON containing the following items:

{
"result": {
  "type": "LookupCreationResponse",
  "cid": "d5ce4eb105b2",
  "code": 201,
  "context": null,
  "id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
  "msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
  "lookupDeployConfig": {
    "id": {
      "creator": "rebel_alliance",
      "name": "GalacticEmpireActivity"
    },
    "visibility": {
      "type": "creator-only"
    },
    "recipe": {
      "recipeType": "once",
      "source": {
        "query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
      },
      "lookupType": {
        "type": "normal"
      },
      "append": false,
      "key": {
        "type": "column",
        "column": "key"
      },
      "columnFilter": [
        "eventdate",
        "level",
        "domain",
        "userid",
        "sessionid",
        "correlationId"
      ],
      "contribution": {
        "type": "add"
      },
      "secondaryIndexes": {
        "type": "none"
      }
    },
    "notifyStatus": true
  }
},
"error": null,
"has_error":false,
}

Delete Lookup

Delete a specific lookup.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required

Output

JSON containing the following items:

{
"result": {
  "type": "LookupDeletionResponse",
  "cid": "f44f458f7c32",
  "code": 200,
  "context": null,
  "id": "xxxxxx-5052-11ed-b24b-85c623a0cbd8",
  "msg": "Lookup sent to deletion"
},
"error": null,
"has_error":false,
}
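The creation and deletion outputs above are acknowledgements, not confirmations: a 201 "Lookup sent to creation" means the job was queued, and the lookup only exists once that job completes (the message itself points at /lookup/{domain}/{name}/job/{id}, which is what Get Lookup Jobs Info reports on). A playbook step that treats the action output as success should therefore check has_error, the response type and the code before taking the id forward. The following added example, which is not part of the LogicHub integration or Devo's own code, does that for the Update Lookup, Update Lookup From Static Query and Delete Lookup outputs; the sample outputs are constructed from the ones shown on this page, the failure sample is invented for illustration (the page does not document the error field's format), and the function and class names are assumptions.

```python
import json

# Response types and status codes as shown in the sample outputs on this page.
# Any other code is treated as a failure rather than guessed at.
CREATION_TYPE, CREATION_CODE = "LookupCreationResponse", 201
DELETION_TYPE, DELETION_CODE = "LookupDeletionResponse", 200


class LookupActionError(Exception):
    """Raised when a lookup action's output must not be treated as success."""


def check_lookup_response(output, expected_type, expected_code):
    """Validate the output of a Devo lookup action and return result.id.

    Checks, in order: the integration-level error flags, the response type,
    the status code, and the presence of an id. The returned id is the job id
    to poll with Get Lookup Jobs Info; it is not proof the lookup is deployed.
    """
    if isinstance(output, str):
        output = json.loads(output)
    if output.get("has_error") or output.get("error") is not None:
        raise LookupActionError(f"action reported an error: {output.get('error')!r}")
    result = output.get("result")
    if not isinstance(result, dict):
        raise LookupActionError("output carries no result object")
    if result.get("type") != expected_type:
        raise LookupActionError(f"unexpected response type {result.get('type')!r}")
    if result.get("code") != expected_code:
        raise LookupActionError(
            f"unexpected code {result.get('code')!r}: {result.get('msg')!r}")
    job_id = result.get("id")
    if not isinstance(job_id, str) or not job_id:
        raise LookupActionError("response carries no id to track")
    return job_id


def job_status_path(domain, name, job_id):
    """Path format quoted in the creation message: /lookup/{domain}/{name}/job/{id}."""
    return f"/lookup/{domain}/{name}/job/{job_id}"


def job_id_or_none(output, expected_type, expected_code):
    """Convenience wrapper for playbook branching: None on any failure."""
    try:
        return check_lookup_response(output, expected_type, expected_code)
    except (LookupActionError, ValueError):
        return None


# Constructed samples, reduced to the fields the check reads. The first two
# mirror the Update Lookup From Static Query and Delete Lookup outputs above;
# the third is an invented failure shape for illustration only.
SAMPLE_CREATION_OUTPUT = {
    "result": {
        "type": "LookupCreationResponse",
        "cid": "d5ce4eb105b2",
        "code": 201,
        "context": None,
        "id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
        "msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
    },
    "error": None,
    "has_error": False,
}
SAMPLE_CREATION_JSON = json.dumps(SAMPLE_CREATION_OUTPUT)
SAMPLE_DELETION_OUTPUT = {
    "result": {
        "type": "LookupDeletionResponse",
        "cid": "f44f458f7c32",
        "code": 200,
        "context": None,
        "id": "xxxxxx-5052-11ed-b24b-85c623a0cbd8",
        "msg": "Lookup sent to deletion",
    },
    "error": None,
    "has_error": False,
}
SAMPLE_FAILED_OUTPUT = {"result": None, "error": "constructed error text", "has_error": True}


if __name__ == "__main__":
    job = check_lookup_response(SAMPLE_CREATION_OUTPUT, CREATION_TYPE, CREATION_CODE)
    print("poll", job_status_path("dev@CompanyName", "GalacticEmpireActivity", job))
    print("deleted job", job_id_or_none(SAMPLE_DELETION_OUTPUT, DELETION_TYPE, DELETION_CODE))
    print("failed ->", job_id_or_none(SAMPLE_FAILED_OUTPUT, CREATION_TYPE, CREATION_CODE))
```

Passing the expected type and code explicitly means a deletion response can never be mistaken for a successful creation, and a playbook that branches on job_id_or_none() only continues to the polling step with an id it has actually verified.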

Release Notes

  • v4.4.2 - Added Time Zone optional field in Run Query action.
  • v4.4.1 - Added new lookup actions: Get Lookup, Get Lookup Jobs, Get Lookup Jobs Info, Create Lookup, Create Lookup From Static Query, Update Lookup, Update Lookup From Static Query and Delete Lookup.
  • v4.3.11 - Optimisation: Get Alert Definitions optimised to improve latency.
  • v4.3.9 - Added Explode Results optional field in List Triggered Alerts action.
  • v4.3.5 - Bug fix: JSON parsing error in Get Triggered Alert action.
  • v4.3.4 - Jinja issue fixed in Send Events action.
  • v4.3.0 - Added Message Host IP optional input field in Send a Single Event and Send Events actions.
  • v4.2.1 - Added Response type optional input field in Run Query action.
  • v4.1.0 - Added 1 new action: Send a Single Event.
  • v4.0.0 - Updated architecture to support IO via filesystem.
  • v3.3.2 - Added 6 new actions: Update Alert's Status, Update Alert's Status in Bulk, Get All Annotations of the Indicated Alerts, Add an Annotation to an Alert, Update an Alert Annotation and Delete the Specified Alert Annotations.
  • v3.2.1 - Added 2 new actions: Get Triggered Alert and List Triggered Alerts.

© Devo Technology Inc. All Rights Reserved.