Devo
Version: 4.4.2
Devo delivers real-time operational and business value from analytics on streaming and historical data to operations, IT, security and business teams.
Connect Devo with LogicHub
- Navigate to Automations > Integrations.
- Search for Devo.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: Devo server URL.
- Devo cloud URLs for these two regions:
- Permission: Select permission. Devo has different tokens for read and write access.
- API Token: API token used to connect to the Devo instance.
- This is the OAuth token. For read access, make sure it has permission to read all tables, that is, the target table should be '***'; for write access, Http Send should be allowed.
Actions for Devo
Run Query
Run query in Devo instance.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Templated Query | Templated Query to execute. | Required |
Explode Results | Yes/No. Keep results in a single dict, or explode into separate rows? (default: No). | Required |
Add Info Fields | Yes/No. Add information fields to output? (default: No). | Required |
Start Time | Column name from the parent table to lookup value for start time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch start time). Note: Setting this time in the future will result in a slow query. | Optional |
End Time | Column name from the parent table to lookup value for end time (UTC). Example: 2017-05-22T10:00:00. (Default: Batch end time). | Optional |
Event Time Range | Subtract a time range from end time to calculate a new start time (ignored if Start Time column provided above). Examples: 5m, 1h, 1d, or 0.5d. | Optional |
Response Type | Select a value for response type (Default: 'JSON simple') | Optional |
Limit | Limit of rows to be returned (Default: 500, Max: 50000). | Optional |
Output
A JSON object containing multiple rows of result:
- Templated Query: from demo.ecommerce.data {{query}}
- Explode Results: No
- Add Info Fields: Yes
- Start Time: startT
- End Time: endT
- Limit: 10000
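The Start Time, End Time and Event Time Range inputs above define how the query window is resolved (End Time column or batch end; Start Time column, else end minus Event Time Range, else batch start), and the List Triggered Alerts action below takes the same window as epoch milliseconds. The following is an added example of that resolution logic, not LogicHub's or Devo's code; the row, column names and batch times are constructed here, and refusing a future start time is this example's own check based on the note that such a query is slow.

```python
"""Resolve a Devo query window from Run Query inputs (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Duration syntax documented for Event Time Range: 5m, 1h, 1d or 0.5d.
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
_DURATION_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([mhd])\s*$")


def parse_event_time_range(text: str) -> timedelta:
    """Turn '5m', '1h', '1d' or '0.5d' into a timedelta; reject anything else."""
    match = _DURATION_RE.match(text)
    if not match:
        raise ValueError(f"unsupported Event Time Range: {text!r}")
    value, unit = match.groups()
    return timedelta(**{_UNITS[unit]: float(value)})


def parse_utc(text: str) -> datetime:
    """Parse the documented UTC format, e.g. 2017-05-22T10:00:00."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def resolve_window(row, batch_start, batch_end, start_col=None, end_col=None,
                   event_time_range=None, now=None):
    """Return (start, end) as aware UTC datetimes, using the documented precedence.

    End:   value of `end_col` in the parent row, else the batch end time.
    Start: value of `start_col` if given (Event Time Range is then ignored),
           else end minus Event Time Range if given, else the batch start time.
    """
    end = parse_utc(row[end_col]) if end_col else batch_end
    if start_col:
        start = parse_utc(row[start_col])
    elif event_time_range:
        start = end - parse_event_time_range(event_time_range)
    else:
        start = batch_start
    if start > end:
        raise ValueError(f"start {start.isoformat()} is after end {end.isoformat()}")
    # Hypothetical guard: the page warns a future start time makes the query slow.
    now = now or datetime.now(timezone.utc)
    if start > now:
        raise ValueError("start time lies in the future")
    return start, end


def to_devo_timestamp(dt: datetime) -> str:
    """Format for the Run Query Start/End Time inputs (UTC, no offset)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def to_epoch_ms(dt: datetime) -> int:
    """Format for the List Triggered Alerts From/To inputs (epoch milliseconds)."""
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


if __name__ == "__main__":
    # Constructed sample: one parent-table row and a batch window.
    row = {"startT": "2017-05-22T10:00:00", "endT": "2017-05-22T12:00:00"}
    batch_start = datetime(2020, 5, 5, 10, 0, 0, tzinfo=timezone.utc)
    batch_end = datetime(2020, 5, 5, 11, 0, 0, tzinfo=timezone.utc)
    s, e = resolve_window(row, batch_start, batch_end, end_col="endT",
                          event_time_range="0.5d")
    print(to_devo_timestamp(s), to_devo_timestamp(e), to_epoch_ms(s), to_epoch_ms(e))
```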
Send Events
Send Events to Devo instance. This action will send one event per row in the parent table.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | The name of your Devo domain. Example: "dev@CompanyName". | Required |
Message Tag | Tag (event table) for messages sent to Devo. | Required |
Message | Column Name from parent table containing the message. Default is all columns. | Optional |
Message Hostname | Hostname to use as message source. | Optional |
Message Host IP | Host IP to use as message source. | Optional |
Output
A JSON object containing multiple rows of result:
{"success": true, "error": null, "has_error": false}
List Triggered Alerts
List triggered Alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
From | Jinja-templated text containing the start time, expressed as epoch milliseconds (Default is Batch start time). Example: 1588676868908 | Optional |
To | Jinja-templated text containing the end time, expressed as epoch milliseconds (Default is Batch end time). Example: 1588676868908 | Optional |
Limit | Jinja-templated text containing the limit (Default is 500) | Optional |
Offset | Jinja-templated text containing the offset (Default is 0) | Optional |
Additional Params | Jinja-templated JSON containing the additional params to be passed in request. Values specified here will override other fields (if provided) | Optional |
Explode Results | Explode each result in a separate row. (Default is No) | Optional |
Output
JSON containing the following items:
{
"result":[
{
"id":12123,
"domain":"test",
"priority":3,
"context":"my.test_alert.test.SecOpsAwsFromLocation",
"category":"my.context",
"srcPort":null,
"srcIp":null,
"srcHost":null,
"dstIp":null,
"dstPort":null,
"dstHost":null,
"protocol":null,
"username":null,
"application":null,
"engine":"cloud-custom-aws-eu-1s",
"extraData":"{\"data\":\"null\"}",
"alertDate":null,
"creationDate":null,
"status":0,
"ack_status_date":null,
"createDate":16623455423400,
"updateDate":null,
"scaled":false,
"digest":"33003299580asdffa788b1",
"uniquedigest":"e5a56asdfa1f23acdd32",
"contexto":null,
"postAlertAction":null,
"contextLabel":null,
"contextSubscription":null,
"shouldSend":false,
"recoveryId":null,
"skipAntiflooding":false,
"useCreationDate":false,
"alertOwner":null,
"fullExtraData":null,
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"alertMitreTechniques":"Valid+Accounts",
"alertPriority":"2",
"alertDefinition":{
"id":"1245",
"creationDate":2342347000,
"name":"SecAwsActivityFromLocation",
"message":"",
"description":"$action_count actions from $country, IP $entity_sourceIP",
"categoryId":"35",
"subcategory":"lib.my.test.SectOpse1",
"subcategoryId":"35",
"isActive":false,
"isFavorite":false,
"isAlertChain":false,
"alertCorrelationContext":{
"id":"37763",
"nameId":"my.test_alert.test.SecAwsActivityFromLocation",
"ownerEmail":"testuser@example.com",
"querySourceCode":"some query",
"priority":3,
"correlationTrigger":{
"kind":"each",
"externalPeriod":6300000,
"externalOffset":0,
"internalPeriod":1200000,
"internalOffset":3500000
}
},
"actionPolicyId":[
]
},
"allExtraDataFields":{
"alertMitreTechniques":"Valid+Accounts",
"eventSources":"%5Bsso.amazon-aws.com%5D",
"country":"ES",
"regions":"%5Bus-east-1%5D",
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"city":"mumbai",
"isp":"Telefo",
"entity_sourceName":"null",
"action_count":"5",
"alertPriority":"2",
"eventdate":"2022-11-04+08%3A00%3A00.0",
"entity_sourceIP":"1.1.1",
"collectiveDefense":"False",
"uebaRiskScore":"null",
"eventNames":"%5BFelesForApplication%5D"
},
"tags":null,
"entities":null,
"commentsList":null,
"alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
}
],
"error":null,
"has_error":false
}
Get Triggered Alert
Get triggered alert by its Id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Id | Jinja-templated text containing the alert Id | Required |
Tag | Jinja-templated text containing the boolean tag (Default is 'true'). | Optional |
Annotations | Jinja-templated text containing the boolean annotation (Default is 'true'). | Optional |
Output
JSON containing the following items:
{
"result":{
"id":12123,
"domain":"test",
"priority":3,
"context":"my.test_alert.test.SecOpsAwsFromLocation",
"category":"my.context",
"srcPort":null,
"srcIp":null,
"srcHost":null,
"dstIp":null,
"dstPort":null,
"dstHost":null,
"protocol":null,
"username":null,
"application":null,
"engine":"cloud-custom-aws-eu-1s",
"extraData":"{\"data\":\"null\"}",
"alertDate":null,
"creationDate":null,
"status":0,
"ack_status_date":null,
"createDate":16623455423400,
"updateDate":null,
"scaled":false,
"digest":"33003299580asdffa788b1",
"uniquedigest":"e5a56asdfa1f23acdd32",
"contexto":null,
"postAlertAction":null,
"contextLabel":null,
"contextSubscription":null,
"shouldSend":false,
"recoveryId":null,
"skipAntiflooding":false,
"useCreationDate":false,
"alertOwner":null,
"fullExtraData":null,
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"alertMitreTechniques":"Valid+Accounts",
"alertPriority":"2",
"alertDefinition":{
"id":"1245",
"creationDate":2342347000,
"name":"SecAwsActivityFromLocation",
"message":"",
"description":"$action_count actions from $country, IP $entity_sourceIP",
"categoryId":"35",
"subcategory":"lib.my.test.SectOpse1",
"subcategoryId":"35",
"isActive":false,
"isFavorite":false,
"isAlertChain":false,
"alertCorrelationContext":{
"id":"37763",
"nameId":"my.test_alert.test.SecAwsActivityFromLocation",
"ownerEmail":"testuser@example.com",
"querySourceCode":"some query",
"priority":3,
"correlationTrigger":{
"kind":"each",
"externalPeriod":6300000,
"externalOffset":0,
"internalPeriod":1200000,
"internalOffset":3500000
}
},
"actionPolicyId":[
]
},
"allExtraDataFields":{
"alertMitreTechniques":"Valid+Accounts",
"eventSources":"%5Bsso.amazon-aws.com%5D",
"country":"ES",
"regions":"%5Bus-east-1%5D",
"alertType":"Analytics",
"alertMitreTactics":"Initial+Access",
"city":"mumbai",
"isp":"Telefo",
"entity_sourceName":"null",
"action_count":"5",
"alertPriority":"2",
"eventdate":"2022-11-04+08%3A00%3A00.0",
"entity_sourceIP":"1.1.1",
"collectiveDefense":"False",
"uebaRiskScore":"null",
"eventNames":"%5BFelesForApplication%5D"
},
"tags":null,
"entities":null,
"commentsList":null,
"alertLabel":"[test:my.test_alert.SecAwsActivityFromLocation:1201234]"
},
"error":null,
"has_error":false
}
Update Alert's Status
Update triggered alert status by ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Id | Jinja-templated text containing the alert Id | Required |
Status | Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Update Alert's Status in Bulk
Update triggered alert status in bulk.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Ids | Jinja-templated text containing the comma separated alert Ids. | Required |
Status | Jinja-templated text containing the status. Must be one of the following (each number code corresponds to the status indicated next to it): 0(UNREAD), 1(UPDATED), 2(FALSE POSITIVE), 100(WATCHED), 300(CLOSED), 500(REMINDER), 600(RECOVERY), 700(ANTI-FLOOD) | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Get All Annotations of the Indicated Alerts
Get all the annotations of the indicated alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Ids | Jinja-templated text containing the comma separated alert Ids. | Required |
Output
JSON containing the following items:
{
"result": [
{
"idAlert": 1234,
"comments": [
{
"id": 43534,
"author": {
"id": 456746765,
"user": {
"id": "5sdfgsdfg13-dfg-4175-b14e-6dsfgdfg",
"email": "abc.def@devo.com",
"username": "ABC DEF",
"telephone": "",
"pwd": "**************",
"status": 0,
"validation_token": "**************",
"defaultDomain": null,
"updateDate": 1674473568000,
"creationDate": 1673343905000,
"otpSecret": "**************",
"loginAttempts": 0,
"recoveryAttempts": 0
},
"domain": {
"id": "7asdf0-9ac9-44dc-8457-asdff1d",
"name": "sandbox",
"status": 0,
"type": 13,
"updateDate": 1660758392000,
"creationDate": 1600427606000,
"subscribed": 1,
"daysLeft": 0,
"showLanding": true,
"reseller": {
"id": 68,
"name": "sandbox",
"preferences": null,
"contactInformation": null,
"pricePlans": null,
"updateDate": 1644340455000,
"creationDate": 1600372678000,
"permPolicy": null,
"menuView": "some json text",
"limits": null,
"groupId": null,
"webPreferences": null,
"authRestrictions": false
},
"groupId": null,
"alertsLastReseted": 1660758392000,
"authRestrictions": false
},
"lastTimeLogged": 1674456891000,
"status": 0,
"creationDate": 1673343905000,
"updateDate": 1674464652000,
"pwd": "**************",
"validationToken": "**************",
"roleCustom": null,
"rolesCustom": null,
"externalId": null,
"owner": false,
"alertsLastVisited": 1674464652000
},
"msg": "Hello",
"ack": "{\"ackUserList\":[\"5fasdf-26fe-4175-b14e-68aasdfc6\"]}",
"creationDate": 1674464131000,
"updateDate": 1674464131000,
"elementType": "alert",
"elementId": "134535234",
"domain": "domain detailed json",
"title": "Test",
"status": null,
"task": false
}
]
}
],
"error": null,
"has_error": false
}
Add an Annotation to an Alert
Add an annotation to a triggered alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Comment Type | Jinja-templated text containing the comment type. Example: 'ALERT'/'REPLY' | Required |
Id | Jinja-templated text containing the alert Id for Alert or comment Id for Reply. | Required |
Comment Message | Jinja-templated text containing the comment message. | Required |
Comment Title | Jinja-templated text containing the comment title. | Required |
Output
JSON containing the following items:
{
"result": true,
"error": null,
"has_error": false
}
Update an Alert Annotation
Update a triggered alert annotation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Alert Id | Jinja-templated text containing the alert Id. | Required |
Comment Id | Jinja-templated text containing the comment Id. | Required |
Comment Type | Jinja-templated text containing the comment type. | Required |
Comment Message | Jinja-templated text containing the comment message. | Required |
Comment Title | Jinja-templated text containing the comment title. | Required |
Output
JSON containing the following items:
{
"result": "updated successfully",
"error": null,
"has_error": false
}
Delete the Specified Alert Annotations
Delete the specified alert annotations.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Comment Ids | Jinja-templated text containing the comma separated comment Ids. | Required |
Output
JSON containing the following items:
{
"result": true,
"error": null,
"has_error": false
}
Send a Single Event
Send Event to Devo instance. This action will send one event per row.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Message Tag | Jinja-templated text containing the tag (i.e. event table) for messages sent to Devo | Required |
Message | Jinja-templated text containing the message. | Required |
Message Hostname | Jinja-templated text containing the hostname to use as message source. | Optional |
Message Host IP | Jinja-templated text containing the host IP to use as message source. | Optional |
Output
JSON containing the following items:
{
"success": true,
"error": null,
"has_error": false
}
List Lookups
Display information on the lookups existing on a given domain.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Additional Params | Jinja-templated JSON containing the additional params to be passed in request. Example: {"owner": "some owner"} | Optional |
Output
JSON containing the following items:
{
"result":{
"type": "LookupMetaInfoListResponse",
"cid": "72078e04ee84",
"code": 200,
"context": null,
"id": "xxxxxxxxxx-0f74-11ee-b13b-4fc634871e5f",
"msg": "tutorial lookups.",
"lookups": [
{
"name": "Lookup_test_t",
"domain": "tutorial",
"fileSize": 12288,
"numEntries": 136,
"creationDate": "2023-03-15T13:45:57.63",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "domain",
"type": "str",
"key": true
},
{
"column": "CDNProvider",
"type": "str",
"key": false
}
],
"owner": "user@devo.com"
},
{
"name": "CDN_Providers",
"domain": "tutorial",
"fileSize": 12288,
"numEntries": 136,
"creationDate": "2023-03-15T13:45:57.806",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "domain",
"type": "str",
"key": true
},
{
"column": "CDNProvider",
"type": "str",
"key": false
}
],
"shared": false,
"owner": "user@devo.com"
},
{
"name": "test_101",
"domain": "tutorial",
"fileSize": 40960,
"numEntries": 307,
"creationDate": "2023-03-15T13:45:58.338",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "alertName",
"type": "str",
"key": true
},
{
"column": "alertType",
"type": "str",
"key": false
},
{
"column": "alertMitreTactics",
"type": "str",
"key": false
},
{
"column": "alertMitreTechniques",
"type": "str",
"key": false
},
{
"column": "alertPriority",
"type": "int4",
"key": false
}
],
"owner": "user@devo.com"
},
{
"name": "d14022023api",
"domain": "tutorial",
"fileSize": 8192,
"numEntries": 1,
"creationDate": "2023-03-15T13:46:58.05",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "key",
"type": "int4",
"key": true
},
{
"column": "fbool",
"type": "bool",
"key": false
}
],
"owner": null
}
],
"nextPageToken": -1
},
"error": null,
"has_error":false
}
Get Lookup
Return information of a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupMetaInfoResponse",
"cid": "3c9bb672512c",
"code": 200,
"context": null,
"id": "xxxxxxxxx-0f75-11ee-b13b-636d49ade562",
"msg": "tutorial/test_101 meta information.",
"lookupMetaInfo": {
"name": "test_101",
"domain": "tutorial",
"fileSize": 40960,
"numEntries": 307,
"creationDate": "2023-03-15T13:45:58.14",
"keyType": {
"type": "first",
"columns": null,
"hasher": null
},
"deployConfig": null,
"lastStatus": null,
"fields": [
{
"column": "alertName",
"type": "str",
"key": true
},
{
"column": "alertType",
"type": "str",
"key": false
},
{
"column": "alertMitreTactics",
"type": "str",
"key": false
},
{
"column": "alertMitreTechniques",
"type": "str",
"key": false
},
{
"column": "alertPriority",
"type": "int4",
"key": false
}
],
"owner": "user@devo.com"
}
},
"error": null,
"has_error":false
}
Get Lookup Jobs
Get job UUIDs of a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Output
JSON containing the following items:
{
"result": {
"cid": "e47f4ab72ded",
"code": 200,
"context": null,
"id": "xxxxxxxx-e37c-11ed-b5ea-0242ac120002",
"msg": "Lookup job uuids",
"jobs": [
"xxxxxxx-c9a2-489c-8794-ea656a19b822",
"xxxxxxx-9714-48a7-9976-73e41523edfd",
"xxxxxxx-48a8-46ea-ab22-e0a5458e302b",
"xxxxxxx-ad7e-4fe6-bb43-89f93e629d76"
]
},
"error": null,
"has_error":false
}
Get Lookup Jobs Info
Get details of job for a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Lookup Job Id | Jinja-templated text containing the job Id of your lookup (e.g. "123456") | Required |
Output
JSON containing the following items:
{
"result": {
"cid": "e47f4ab72ded",
"code": 200,
"context": null,
"id": null,
"msg": "Lookup job's statuses",
"status": [
{
"eventdata": "2021-09-29T10:18:10.805",
"domain": "galactic_empire",
"lookup": "ImperialIntranetActivity",
"msg": "Lookup successfully created",
"code": "create.ok"
},
{
"eventdata": "2021-09-29T10:18:12.472",
"domain": "ImperialIntranetActivity",
"lookup": "test-schedule",
"msg": "Lookup ready to be executed",
"code": "deploy.ok"
}
]
},
"error": null,
"has_error":false
}
Create Lookup
Create a new lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Lookup Body | Jinja-templated JSON containing the body of your lookup. Example : {"id":{"creator":"rebel_alliance","name":"TotallyNotFakeData"},"recipe":{"recipeType":"once","source":{"query":"select 0 as key, false as IsDataFake, 2147483647 as RebelsImprisoned, 9223372036854775807 as CreditsOnImperialBanks, hex4('fffffff') as Hex4Emperor, hex8('fffffffffffffff') as Hex8Vader, 2.718281828459045 as EmperorClones, 3.141592653589793 as Pi, 87.219.9.157 as EmperorIP4, ip6('fe80::4492:bc4b:7a53:c0d5') as EmperorIP6, 0m as TimeAfterBattleOfYavin from siem.logtrust.web.navigation where now()-1m < eventdate < now() limit 1"},"lookupType":{"type":"normal"},"append":false,"key":{"type":"column","column":"key"},"columnFilter":["key","IsDataFake","RebelsImprisoned","CreditsOnImperialBanks","Hex4Emperor","Hex8Vader","EmperorClones","Pi","EmperorIP4","EmperorIP6","TimeAfterBattleOfYavin"],"contribution":{"type":"add"},"requiresDate":false}} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d41c91a21d56",
"code": 201,
"context": null,
"id": "xxxxxx-2201-11ec-b04a-53c6289921cb",
"msg": "Lookup sent to creation",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": "creator-only",
"recipe": {
"type": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
}
}
}
},
"error": null,
"has_error":false
}
Create Lookup From Static Query
Create a new lookup based on a static query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Lookup Body | Jinja-templated JSON containing the body of your lookup. Example : {"visibility":{"type":"creator-only"},"query":"select userid, domain from siem.logtrust.web.navigation where now()-1d < eventdate < now()","key":{"type":"column","column":"userid"},"keepHistory":false,"columnTimeReference":null} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d5ce4eb105b2",
"code": 201,
"context": null,
"id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
"msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": {
"type": "creator-only"
},
"recipe": {
"recipeType": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
},
"secondaryIndexes": {
"type": "none"
}
},
"notifyStatus": true
}
},
"error": null,
"has_error":false
}
Update Lookup
Update a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Lookup Body | Jinja-templated JSON containing the updated body of your lookup. Example : {"id":{"creator":"rebel_alliance","name":"TotallyNotFakeData"},"recipe":{"recipeType":"once","source":{"query":"select 0 as key, false as IsDataFake, 2147483647 as RebelsImprisoned, 9223372036854775807 as CreditsOnImperialBanks, hex4('fffffff') as Hex4Emperor, hex8('fffffffffffffff') as Hex8Vader, 2.718281828459045 as EmperorClones, 3.141592653589793 as Pi, 87.219.9.157 as EmperorIP4, ip6('fe80::4492:bc4b:7a53:c0d5') as EmperorIP6, 0m as TimeAfterBattleOfYavin from siem.logtrust.web.navigation where now()-1m < eventdate < now() limit 1"},"lookupType":{"type":"normal"},"append":false,"key":{"type":"column","column":"key"},"columnFilter":["key","IsDataFake","RebelsImprisoned","CreditsOnImperialBanks","Hex4Emperor","Hex8Vader","EmperorClones","Pi","EmperorIP4","EmperorIP6","TimeAfterBattleOfYavin"],"contribution":{"type":"add"},"requiresDate":false}} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d41c91a21d56",
"code": 201,
"context": null,
"id": "xxxxxx-2201-11ec-b04a-53c6289921cb",
"msg": "Lookup sent to creation",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": "creator-only",
"recipe": {
"type": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
}
}
}
},
"error": null,
"has_error":false
}
Update Lookup From Static Query
Update lookup based on a static query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Lookup Body | Jinja-templated JSON containing the updated body of your lookup. Example : {"visibility":{"type":"creator-only"},"query":"select userid, domain from siem.logtrust.web.navigation where now()-1d < eventdate < now()","key":{"type":"column","column":"userid"}} | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupCreationResponse",
"cid": "d5ce4eb105b2",
"code": 201,
"context": null,
"id": "c6b1e939-a57c-11ee-b1a9-a124bba45b9b",
"msg": "Lookup sent to creation. You can check the creation status using the provided id: /lookup/{domain}/{name}/job/{id}",
"lookupDeployConfig": {
"id": {
"creator": "rebel_alliance",
"name": "GalacticEmpireActivity"
},
"visibility": {
"type": "creator-only"
},
"recipe": {
"recipeType": "once",
"source": {
"query": "select eventdate, level, domain, userid, sessionid, correlationId from siem.logtrust.web.activity where now()-1m < eventdate < now()"
},
"lookupType": {
"type": "normal"
},
"append": false,
"key": {
"type": "column",
"column": "key"
},
"columnFilter": [
"eventdate",
"level",
"domain",
"userid",
"sessionid",
"correlationId"
],
"contribution": {
"type": "add"
},
"secondaryIndexes": {
"type": "none"
}
},
"notifyStatus": true
}
},
"error": null,
"has_error":false
}
Delete Lookup
Delete a specific lookup.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Devo Domain | Jinja-templated text containing the name of your Devo domain (e.g. "dev@CompanyName") | Required |
Lookup Name | Jinja-templated text containing the name of your lookup (e.g. "myLookup") | Required |
Output
JSON containing the following items:
{
"result": {
"type": "LookupDeletionResponse",
"cid": "f44f458f7c32",
"code": 200,
"context": null,
"id": "xxxxxx-5052-11ed-b24b-85c623a0cbd8",
"msg": "Lookup sent to deletion"
},
"error": null,
"has_error":false
}
Release Notes
v4.4.2
- Added Time Zone optional field in Run Query action.
v4.4.1
- Added new lookup actions: Get Lookup, Get Lookup Jobs, Get Lookup Jobs Info, Create Lookup, Create Lookup From Static Query, Update Lookup, Update Lookup From Static Query and Delete Lookup.
v4.3.11
- Optimisation: Get Alert Definitions optimised to improve latency.
v4.3.9
- Added Explode Results optional field in List Triggered Alerts action.
v4.3.5
- Bug fix: JSON parsing error in Get Triggered Alert action.
v4.3.4
- Jinja issue fixed in Send Events action.
v4.3.0
- Added Message Host IP optional input field in Send a Single Event and Send Events actions.
v4.2.1
- Added Response Type optional input field in Run Query action.
v4.1.0
- Added 1 new action: Send a Single Event.
v4.0.0
- Updated architecture to support IO via filesystem.
v3.3.2
- Added 6 new actions: Update Alert's Status, Update Alert's Status in Bulk, Get All Annotations of the Indicated Alerts, Add an Annotation to an Alert, Update an Alert Annotation and Delete the Specified Alert Annotations.
v3.2.1
- Added 2 new actions: Get Triggered Alert and List Triggered Alerts.