• Services & Support
  • Devo.com
  • Contact
    • Contact Us
    • Request a Demo
    • Partner Inquiry
  • Log In
    • USA Devo
    • EU Devo
  • The Devo data analytics platform
    • How Devo indexes data
    • How Devo works
    • Key concepts
  • Getting started
    • Sign up and log in
    • Navigating the Devo app
    • User preferences
    • Devo video tutorials
  • Domain administration
    • Users and roles
      • Managing users
      • Monitoring user activity
      • Managing roles
        • Assign resources to a role
      • Role permissions
      • Role mapping
    • Security credentials
      • Access keys
      • X.509 certificates
      • Authentication tokens
    • Applications gallery
    • Domain preferences
    • User authentication
      • Password
      • SAML
        • Google as an identity provider
        • Okta as an identity provider
        • OneLogin as an identity provider
        • O365/Azure AD as an identity provider
      • OpenID
    • Data processes and feeds
      • Aggregation tasks
      • Injections
      • Permalinks
      • API & OData feeds
  • Sending data to Devo
    • The Devo In-House Relay
      • Installing the Devo Relay
        • Install the Relay on an Ubuntu box (v1.4.2)
        • Install the Relay on a Red Hat or CentOS box (v1.4.2)
        • Install with Docker
      • Configuring the In-House Relay
        • Relay rules
          • Defining a relay rule
          • The 4 predefined relay rules
          • 5 common relay rule scenarios
            • Scenario 1: Apply a fixed tag to all events
            • Scenario 2: Apply a Devo tag based on data found in the inbound event
            • Scenario 3: Filter out unwanted events
            • Scenario 4: Assign dynamic Devo tag using inbound source data
            • Scenario 5: Appending the inbound syslog tag to the outbound Devo tag
          • Using regex in relay rules
        • Customizing In-House Relay settings
        • Managing the relay on the command line
        • Setting up High-Availability with Keepalived (v1.4.2)
        • Relay buffers
      • Relay migration
      • Sending SSL/TLS encrypted events to the Devo relay
      • Relay troubleshooting tips (v1.4.2)
        • Relay troubleshooting tips (v1.4.0)
        • Relay troubleshooting tips (for versions prior to 1.4.0)
    • Event sources
      • Unix-like machines
        • Installing Devo packages for *nix
        • Third-party syslog tools configuration
          • rsyslog
            • Simple sending using rsyslog
            • Secure sending using rsyslog
            • Monitoring files using rsyslog
            • Obsolete legacy format
              • Simple sending using rsyslog (Obsolete legacy format)
              • Secure sending using rsyslog (Obsolete legacy format)
              • Monitoring files using rsyslog (Obsolete legacy format)
          • syslog-ng
            • Simple sending using syslog-ng
            • Secure sending using syslog-ng
            • Monitoring files using syslog-ng
          • syslog/syslogd
        • SELinux configuration conflicts
      • Windows
        • Devo Agent for Windows
        • Configuring WMI for Devo file monitoring
        • NXLog for Windows event collection
      • MacOS X
      • Cloud services
        • AWS S3 Buckets
        • Microsoft Azure
      • Commercial products
      • Custom apps
        • Java apps
          • JDK java.util.logging
          • Scoja client library
          • Sample code
        • Node.js apps
        • Python apps
    • Other data collection methods
      • HTTP endpoint
      • Logstash
      • Fluentd
      • NXLog
    • Uploading log files
    • Devo software
  • Searching data
    • Accessing data tables
      • Run a search using a finder
        • Use a custom finder
          • Create a custom finder
          • Assign a custom finder to a role
          • Edit a custom finder
        • Use the aliased finder
          • Add a query to your aliased finder
      • Run a global search
      • Run a LINQ free text query
      • Run a search with selected columns only
        • Selecting specific columns in LINQ
        • Selecting specific columns with the Finder
        • Selecting unrevealed columns
    • Building a query
      • Data types in Devo
      • Build a query in the search window
        • Filter data
        • Filter column data using the OR selector
        • Create columns
        • Group data
        • Aggregate data
      • Build a query using LINQ
        • LINQ query examples
      • Working with JSON objects in data tables
      • Subqueries
      • Operations reference
        • Aggregation operations
          • Average (avg)
          • Count (count)
          • First (first)
          • First not null (nnfirst)
          • HyperLogLog++ (hllpp)
          • HyperLogLog++ Count Estimation (hllppcount)
          • Last (last)
          • Last not null (nnlast)
          • Maximum (max)
          • Median / 2nd quartile / Percentile 50 (median)
          • Minimum (min)
          • Non-null average (nnavg)
          • Non-null standard deviation (biased) (nnstddev)
          • Non-null standard deviation (unbiased) (nnustddev)
          • Non-null variance (biased) (nnvar)
          • Non-null variance (unbiased) (nnuvar)
          • Percentile 10 (percentile10)
          • Percentile 25 / 1st quartile (percentile25)
          • Percentile 5 (percentile5)
          • Percentile 75 / 3rd quartile (percentile75)
          • Percentile 90 (percentile90)
          • Percentile 95 (percentile95)
          • Standard deviation (biased) (stddev)
          • Standard deviation (unbiased) (ustddev)
          • Sum (sum)
          • Sum Square (sum2)
          • Variance (biased) (var)
          • Variance (unbiased) (uvar)
        • Arithmetic group
          • Absolute value (abs)
          • Addition, sum, plus / Concatenation (add, +)
          • Ceiling (ceil)
          • Cube root (cbrt)
          • Division (div, \)
          • Division remainder (rem, %)
          • Floor (floor)
          • Modulo (mod, %%)
          • Multiplication, product (mul, *)
          • Power (pow)
          • Real division (rdiv, /)
          • Rounding (round)
          • Sign (signum)
          • Square root (sqrt)
          • Subtraction, minus / Additive inverse (sub, -)
        • Conversion group
          • Duration (duration)
          • Format date (formatdate)
          • From base16, b16, hex (from16)
          • From base64, b64 (from64)
          • From UTF8 (fromutf8)
          • From Z85, base85 (fromz85)
          • Human size (humanSize)
          • Make byte array (mkboxar)
          • Parse date (parsedate)
          • Regular expression, regexp (re)
          • Template (template)
          • Timestamp (timestamp)
          • To base16, b16, hex (to16)
          • To base64, b64, hex (to64)
          • To BigInt (bigint)
          • To boolean (bool)
          • To Float (float)
          • To image (image)
          • To Int (int)
          • To IPv4 (ip4)
          • To IPv4 net (net4)
          • To IPv6 (ip6)
          • To IPv6 compatible (compatible)
          • To IPv6 mapped (mapped)
          • To IPv6 net (net6)
          • To IPv6 translated (translated)
          • To MAC address (mac)
          • To string (str)
          • To string (stringify)
          • To UTF8 (toutf8)
          • To Z85, base85 (toz85)
        • Cryptography group
          • MD5 hash function (md5)
          • SHA1 hash function (sha1)
          • SHA256 hash function (sha256)
          • SHA512 hash function (sha512)
        • Date group
          • Day / Day of the month (day)
          • Day of the week (dayofweek)
          • Day of the year (dayofyear)
          • Epoch milliseconds (epoch)
          • Hour (hour)
          • Millisecond (millisecond)
          • Minute (minute)
          • Month (month)
          • Period (period)
          • Second (second)
          • Today (today)
          • Tomorrow (tomorrow)
          • Year (year)
          • Yesterday (yesterday)
        • Flow group
          • Conditional (ifthenelse)
          • Decode, switch (decode)
          • Null value locator (nvl)
        • General group
          • Is not null (isnotnull)
          • Is null (isnull)
        • Geolocation group
          • Coordinates distance (distance)
          • Geocoord (geocoord)
          • Geographic coordinate system (coordsystem)
          • Geohash (geohash)
          • Geohash string (geohashstr)
          • Geolocated Accuracy Radius with MaxMind GeoIP2 (mm2accuracyradius)
          • Geolocated ASN (mmasn)
          • Geolocated ASN with MaxMind GeoIP2 (mm2asn)
          • Geolocated AS Organization Name with MaxMind GeoIP2 (mm2asorg)
          • Geolocated AS owner (mmasowner)
          • Geolocated City (mmcity)
          • Geolocated City with MaxMind GeoIP2 (mm2city)
          • Geolocated Connection Speed (mmspeed)
          • Geolocated connection type with MaxMind GeoIP2 (mm2con)
          • Geolocated Coordinates (mmcoordinates)
          • Geolocated coordinates with MaxMind GeoIP2 (mm2coordinates)
          • Geolocated Country (mmcountry)
          • Geolocated Country with MaxMind GeoIP2 (mm2country)
          • Geolocated ISP (mmisp)
          • Geolocated ISP name with MaxMind GeoIP2 (mm2isp)
          • Geolocated Latitude (mmlatitude)
          • Geolocated Latitude with MaxMind GeoIP2 (mm2latitude)
          • Geolocated Level 1 Subdivision with MaxMind GeoIP2 (mm2subdivision1)
          • Geolocated Level 2 Subdivision with MaxMind GeoIP2 (mm2subdivision2)
          • Geolocated Longitude (mmlongitude)
          • Geolocated Longitude with MaxMind GeoIP2 (mm2longitude)
          • Geolocated Organization (mmorg)
          • Geolocated organization name with MaxMind GeoIP2 (mm2org)
          • Geolocated Postal Code (mmpostalcode)
          • Geolocated Postal Code with MaxMind GeoIP2 (mm2postalcode)
          • Geolocated Region (mmregion)
          • Geolocated Region Name (mmregionname)
          • ISO-3166-1 Continent Alpha-2 Code (continentalpha2)
          • ISO-3166-1 Continent Name (continentname)
          • ISO-3166-1 Country Alpha-2 Code (countryalpha2)
          • ISO-3166-1 Country Alpha-2 Continent (countrycontinent)
          • ISO-3166-1 Country Alpha-3 Code (countryalpha3)
          • ISO-3166-1 Country Latitude (countrylatitude)
          • ISO-3166-1 Country Longitude (countrylongitude)
          • ISO-3166-1 Country Name (countryname)
          • Latitude (latitude)
          • Latitude and longitude coordinates (latlon)
          • Longitude (longitude)
          • Parse geocoord format (parsegeo)
          • Represent geocoord format (reprgeo)
          • Round coordinates (gridlatlon)
        • JSON group
          • Jq evaluation (jqeval)
          • Jq filter compilation (jqcompile)
          • Json value type (label)
          • To json (jsonparse)
        • Logic group
          • And (and)
          • Not (not)
          • Or (or)
        • Mathematical group
          • Arc cosine (acos)
          • Arc sine (asin)
          • Arc tangent (atan)
          • Bitwise AND (band, &)
          • Bitwise left shift (lshift, <<)
          • Bitwise NOT (bnot, ~)
          • Bitwise OR (bor, |)
          • Bitwise right shift (rshift, >>)
          • Bitwise unsigned right shift (urshift, >>>)
          • Bitwise XOR (bxor, ^)
          • Cosine (cos)
          • e (mathematical constant) (e)
          • Exponential: base e (exp)
          • Hyperbolic cosine (cosh)
          • Hyperbolic sine (sinh)
          • Hyperbolic tangent (tanh)
          • Logarithm: base 2 (log2)
          • Logarithm: base 10 (log10)
          • Logarithm: natural / arbitrary base (log)
          • Pi (mathematical constant) (pi)
          • Sine (sin)
          • Tangent (tan)
        • Meta Analysis group
          • Pragma value (pragmavalue)
          • Table name (tablename)
        • Name group
          • Any name matches (anymatches)
          • Glob pattern on names (nameglob)
        • Network group
          • HTTP Status Description (httpstatusdescription)
          • HTTP Status Type (httpstatustype)
          • IP Protocol (ipprotocol)
          • IP Reputation Score (reputationscore)
          • IP Reputation Tags (reputation)
          • IPv4 legal use (purpose)
          • IPv6 host number (host)
          • IPv6 routing number (routing)
          • Is IPv4 (ipip4)
          • Is Private IPv4 (isprivate)
          • Is Public IPv4 (ispublic)
          • Squid Black Lists Flags (sbl)
        • Order group
          • Equal (eq, =)
          • Equal - case insensitive (eqic)
          • Greater or equal (ge, >=)
          • Greater than (gt, >)
          • Less or equal (le, <=)
          • Less than (lt, <)
          • Not equal (ne, /=)
        • Packet group
          • Ethernet destination MAC address (etherdst)
          • Ethernet payload (etherpayload)
          • Ethernet source MAC address (ethersrc)
          • Ethernet status (etherstatus)
          • Ethernet tag (ethertag)
          • EtherType (ethertype)
          • Has Ethernet frame (hasether)
          • Has IPv4 datagram (hasip4)
          • Has TCP segment (hastcp)
          • Has UDP datagram (hasudp)
          • IPv4 destination address (ip4dst)
          • IPv4 differentiated services (ip4ds)
          • IPv4 explicit congestion notification (ip4ecn)
          • IPv4 flags (ip4flags)
          • IPv4 fragment offset (ip4fragment)
          • IPv4 header checksum (ip4cs)
          • IPv4 header length (ip4hl)
          • IPv4 identification (ip4ident)
          • IPv4 payload (ip4payload)
          • IPv4 protocol (ip4proto)
          • IPv4 source address (ip4src)
          • IPv4 status (ip4status)
          • IPv4 time to live (ip4ttl)
          • IPv4 total length (ip4len)
          • IPv4 type of service (ip4tos)
          • TCP ACK (tcpack)
          • TCP checksum (tcpcs)
          • TCP destination port (tcpdst)
          • TCP flags (tcpflags)
          • TCP header length (tcphl)
          • TCP payload (tcppayload)
          • TCP sequence number (tcpseq)
          • TCP source port (tcpsrc)
          • TCP status (tcpstatus)
          • TCP urgent pointer (tcpurg)
          • TCP window size (tcpwin)
          • UDP checksum (udpcs)
          • UDP destination port (udpdst)
          • UDP length (udplen)
          • UDP payload (udppayload)
          • UDP source port (udpsrc)
          • UDP status (udpstatus)
        • Statistical group
          • Approximated estimation (estimation)
          • HyperLogLog++ pack (pack)
          • HyperLogLog++ unpack (unpackhllpp)
        • String group
          • Contains (has, ->)
          • Contains - case insensitive (weakhas)
          • Contains tokens (toktains)
          • Contains tokens - case insensitive (weaktoktains)
          • Edit distance: Damerau (damerau)
          • Edit distance: Hamming (hamming)
          • Edit distance: Levenshtein (levenshtein)
          • Edit distance: OSA (osa)
          • Ends with (endswith)
          • Format number (formatnumber)
          • Hostname public suffix (publicsuffix)
          • Hostname root domain (rootdomain)
          • Hostname root prefix (rootprefix)
          • Hostname root suffix (rootsuffix)
          • Hostname subdomains (subdomain)
          • Hostname top level domain (topleveldomain)
          • Is empty (isempty)
          • Is in (`in`, <-)
          • Is in - case insensitive (weakin)
          • Length (length)
          • Locate (locate)
          • Lower case (lower)
          • Matches (matches, ~)
          • Peek (peek)
          • Replace all (replaceall)
          • Replace first (replace)
          • Shannon entropy (shannonentropy)
          • Split (split)
          • Split regexp (splitre)
          • Starts with (startswith)
          • Substitute (subs)
          • Substitute all (subsall)
          • Substring (substring)
          • Trim both sides (trim)
          • Trim the left side (ltrim)
          • Trim the right side (rtrim)
          • Upper case (upper)
        • Web group
          • Absolute URI (absoluteuri)
          • Opaque URI (opaqueuri)
          • URI authority (uriauthority)
          • URI fragment (urifragment)
          • URI host (urihost)
          • URI path (uripath)
          • URI port (uriport)
          • URI query (uriquery)
          • URI scheme (urischeme)
          • URI ssp (urissp)
          • URI user (uriuser)
          • URL decode (urldecode)
          • User Agent Company (uacompany)
          • User Agent Company URL (uacompanyurl)
          • User Agent Device Icon (uadeviceicon)
          • User Agent Device Information URL (uadeviceinfourl)
          • User Agent Device Type (uadevicetype)
          • User Agent Family (uafamily)
          • User Agent Icon (uaicon)
          • User Agent Information URL (uainfourl)
          • User Agent is Robot (uaisrobot)
          • User Agent Name (uaname)
          • User Agent OS Company (uaoscompany)
          • User Agent OS Company URL (uaoscompanyurl)
          • User Agent OS Family (uaosfamily)
          • User Agent OS Icon (uaosicon)
          • User Agent OS Name (uaosname)
          • User Agent OS URL (uaosurl)
          • User Agent Type (uatype)
          • User Agent URL (uaurl)
          • User Agent Version (uaversion)
    • Working in the search window
      • Generate charts
        • Affinity chord diagram
        • Availability timeline
        • Bipartite chord diagram
        • Bubble chart
        • Chart aggregation
        • Custom date chart aggregation
        • Flame graph
        • Flat world map by coordinates
        • Flat world map by country
        • Google animated heat map
        • Google area map
        • Google heat map
        • Graph diagram
          • Creating a graph diagram
          • Working in the graph diagram
          • Monitor intranet traffic to dangerous websites
        • Histogram
        • Pew Pew map
        • Pie chart
        • Pie layered chart
        • Punch card
        • Robust Random Cut Forest chart
        • Sankey diagram
        • Scatter plot
        • Time heatmap
        • Triple exponential chart
        • Voronoi treemap
      • Data enrichment
        • Upload a lookup table
        • Create a lookup table from a query
        • Add lookup values to your query
        • Manage and edit lookup tables
        • Threat lookups
      • Setting up a data table
        • Modifying the column layout
          • Arrange and resize columns
          • Hide and show columns
          • Change the position of column headers
          • Sort data
          • Setting a default table layout
        • Add a description to a data table
        • Autoparser
          • Autoparse a JSON object
      • Advanced data operations
        • Graphical correlation
          • Cross-Search Graph Diagram
          • Cross-Search Table Join
          • Cross-Search Sankey Diagram
          • Cross-Search Line Chart
        • Custom and union tables
          • Create a custom table
          • Create a union table
          • Manage custom and union tables
        • Set up a data source
        • Inject data to a new table
        • Drill downs
        • Manipulate your data using CyberChef
        • Time series report
      • Use case: eCommerce behavior analysis
        • Step 1. Error analysis using status codes
          • Specific analysis for 404 codes
          • Custom alerts for 404 errors
        • Step 2. Operating system ranking
          • Get the usage share of operating systems
          • Visualize the usage share of operating systems
        • Step 3. Country distribution
          • Build a histogram displaying country distribution
          • Geolocate IP addresses
    • Managing your queries
      • Rename a query
      • Favorite queries
      • Query history
      • Check currently running queries
      • Add a description to your query
      • Block a query
      • Share a query
      • Download query data
      • Close a query
      • Load query data into Excel using the Devo Connector add-in
      • Query priority
    • Best practices for data search
    • Monitoring tables
      • Web application monitoring
      • Alerts monitoring
  • Parsers and collectors
    • About Devo tags
    • Special Devo tags and data tables
    • List of Devo parsers
      • Business & Consumer
      • Cloud technologies
        • cdn.akamai
        • cloud.aws.cloudtrail.events
          • Forwarding the events using Node.js
          • Forwarding the events using Python
        • cloud.aws.cloudwatch.events
        • cloud.office365.siem
      • Databases
        • db.mysql
      • Host and Operating Systems
        • box.unix
        • box.vmware
        • box.win
        • box.win_nxlog
        • box.win_snare
      • Network and application security
        • auth.secureauth
        • auth.securenvoy
        • av.mcafee
        • av.sophos
        • box.iptables
        • edr.cylance
        • edr.fireeye.alerts
        • edr.minervalabs.events
        • endpoint.symantec
        • firewall.checkpoint
        • firewall.cisco firepower and vpn.cisco
        • firewall.fortinet
        • firewall.huawei
        • firewall.juniper
        • firewall.paloalto
          • Sending Palo Alto events to Devo relay using SSL
        • firewall.pfsense
        • firewall.sonicwall
        • firewall.sophos
        • firewall.sophos.xgfirewall
        • firewall.stonegate
        • firewall.windows
        • mail.proofpoint
        • nac.aruba
        • network.meraki
        • network.versa
        • proxy.bluecoat
        • proxy.forcepoint
        • proxy.squid
        • uba.varonis
        • vuln.beyondtrust
        • vpn.pulsesecure.sa
      • Network connectivity
        • netstat.netflow
        • dns.bind
        • dns.windows
        • ftp.iis
      • Web servers
        • web.apache
        • web.apache.mod-security
        • web.iis
        • web.jboss
        • web.nginx
        • web.tomcat
      • Technologies supported in CEF syslog format
    • Collectors
      • AWS collector
      • Google Cloud Platform collector
      • G Suite collectors
        • G Suite Alerts collector
        • G Suite Reports collector
      • Microsoft Azure collector
      • Microsoft Graph collector
      • Okta collectors
        • Okta collector
        • Okta Advanced Server Access collector
      • OneLogin collector
      • Rapid7 InsightVM collector
      • Salesforce collector
  • Activeboards
    • Creating an Activeboard
    • Working with Activeboard widgets
      • Area chart widgets
      • Column chart widgets
      • Donut chart widgets
      • Heatmap widgets
      • Line chart widgets
      • Pie chart widgets
      • Simple value widgets
      • Table widgets
      • Voronoi diagram widgets
    • Working with Activeboard inputs
    • LINQ syntax differences between Activeboards and the search window
    • Setting a time range in Activeboards
    • Working with Activeboards
      • Active Refresh
    • Sharing Activeboards
  • Dashboards
    • Create a new dashboard
    • Working with dashboard widgets
      • Availability timeline widget
      • Chord diagram widget
      • Circle world map widget
      • Color key value widget
      • Color world map widget
      • Column chart widget
      • Comparative chart widget
      • Funnel widget
      • Gauge meter widget
      • Google heatmap widget
      • Heat calendar widget
      • Line chart widget
        • Customize your Line chart
      • Monitoring widget
      • Pie chart widget
      • Punch card widget
      • Sectored pie chart widget
      • Table widget
      • Time heatmap widget
      • Tree diagram widget
      • Voronoi tree widget
    • Configuring and sharing dashboards
  • Alerts and notifications
    • Creating new alerts
      • Alert trigger methods
        • Each alert type
        • Several alert type
        • Low alert type
          • Inactivity alert
        • Rolling alert type
        • Deviation alert type
        • Gradient alert type
      • Create an alert based on triggered alerts
    • Configuring alerts
      • Manage defined alerts
      • Manage sending policies
      • Manage delivery methods
        • Email delivery methods
        • HTTP-JSON delivery methods
        • Service Desk delivery methods
        • Jira delivery methods
        • Pushover delivery methods
        • PagerDuty delivery methods
        • Slack delivery methods
      • Manage anti-flooding policies
      • Make an alert available for panels
      • Pre-installed alert reference
    • Managing triggered alerts
      • Add a comment to a triggered alert
      • Apply a filter for post-processing
  • Panels
    • Create and customize a panel
    • Adding an alert to a panel
    • Adding a query to a panel
    • Using panels
  • Applications
    • Devo Security Operations
      • Overview Dashboard
      • Triage
        • Triaging alerts
        • Triaging investigations
      • Investigations
      • Threat Hunting
      • Use cases
        • Phishing attack
        • Command & Control
        • Alerting system status
    • Devo Stats
      • Working in the Devo Stats application
      • Application tabs and widgets
        • User tab
        • Volume tab
        • Query tab
          • User Query Info
          • CPU Query Info
          • CPU Query Info Multidomain
        • Status tab
    • Security Insights
      • Installing Security Insights
        • Security Insights lookups
      • Configuring Security Insights
      • Navigating Security Insights
        • Overview tab
        • Threats tab
        • Network tab
        • DNS tab
        • Firewall tab
        • Proxy tab
        • Access tab
        • Web tab
        • IDS tab
    • Service operations
      • Basic concepts
      • Installation
      • Global models
      • Technologies configuration
      • Models configuration
      • Service overview
      • Incidents viewer
      • Monitors
      • User experience management
      • Use case for service operations
        • Initial analysis
        • Model configuration
        • Running the model
        • Incidents
    • Systems Monitoring
      • Basic monitoring
      • Advanced monitoring
  • Tools
    • Data Explorer
    • Query App
    • Time Series Analytics
  • Social Intelligence
  • API reference
    • REST API
      • Authorizing REST API requests
      • Running queries with the REST API
        • Forward response to HDFS
        • Forward response to Amazon S3
        • Forward response to SNMP
        • Forward response to email
        • Send requests with Postman
      • Job requests
    • Provisioning API
      • Authorizing Provisioning API requests
      • Common operations
        • User operations
        • Domain operations
        • Certificates
        • Role management
        • Domain resources management
      • Reseller operations
        • Price plans
      • Role specification and examples
    • Alerting API
      • Working with alert definitions
    • Using and managing OData feeds
      • Connecting with Excel
      • Connecting with Tableau
      • Connecting with Power BI
  • Release notes
    • 6.0.0
    • 6.0.1
    • 6.1.0
    • 6.1.1
    • 6.1.2
    • 6.1.3
    • 6.1.4
    • 6.2.0
    • 6.3.0
    • 6.3.1
    • 6.3.2
    • 6.3.3-1
    • 6.4.0
    • 6.4.1
    • 6.4.3
    • 6.5.0
    • 6.5.1
    • 6.5.2
    • 6.6.0
    • 6.6.1
    • 6.6.2
    • 6.7.0
PREVIOUS
Triaging investigations
NEXT
Threat Hunting

Applications / Devo Security Operations / Investigations

Download as PDF

Investigations

We have already talked about the importance of the sources and the alerts. Both are the base for the Security Operations app, but once we start using the interface, the alerts triage and the threat hunting are the main actions to do, and all these actions are related to the investigations.

Investigations are the base for knowledge sharing in the Security Operations application. Users will create an investigation when something strange is detected on the Overview Dashboard, or in the Triage or Hunting areas, and then can perform a deeper investigation around the problem or simply write the first impressions and assign the investigation to a specialist in this kind of threat.

Click this icon  in the top navigation bar to access the Investigations area.

Create a new investigation or add information to an existing one

You can create new investigations or add new information to existing ones in three different ways:

  • In the Investigations area, clicking the yellow + icon. In this case, you can only create investigations from scratch.
  • In the Triage area, after filtering alerts, you can click the Add to investigation button next to each group of alerts to create an investigation related to those alerts. All the elements you add to an investigation in this way will be added to the Evidence Bucket, which you can access by clicking the paper clip icon at the top right corner of the application. Learn more about the Evidence Bucket below.

          

  • In the Hunting area, click the Add to investigation button after performing a search. In this case, elements will be also added to the Evidence Bucket. Learn more about this in the Threat Hunting article.

          

Evidence Bucket

Before creating a new investigation or updating an old one with elements added from the Triage and Hunting areas, there is always an intermediate step. All the elements that you add to an investigation from those areas go to the Evidence Bucket, where you can review and manage all the alerts and entities before defining the investigation. To access the Evidence Bucket, just click the paper clip icon that you can find at the top right corner of the application. The number next to the icon indicates the current number of alert, entities and queries in the bucket.

Using the Evidence Bucket, you can review all the elements added from the Triage and Hunting areas together, and check if any other evidence is needed before finally creating or updating an investigation. Before defining the investigation, you can delete the alerts or entities that you don't need by clicking the trash bin icon next to them. You can also click the Clean button to delete all the elements in the bucket.

You can also add enrichments to entities before opening an investigation. To do it, click the + button at the bottom of each alert, choose the entities you want to enrich, and select the required enrichments. The application will suggest you some enrichments for the selected entities, but you can mark the ones you need. Finally, click Run enrichment to add them. 

To delete an enrichment from an entity, click it, select the - icon that appears, and click OK in the confirmation dialog window.

Once you have all the required elements in the bucket, you can create a new investigation or update an existing one. To decide it, use the toggle at the right part of the bucket window.

  • With the toggle in the New investigation position, just click the Create investigation button. You will be redirected to the investigation parameters window, where you can set all the details of the new investigation. Learn more about these settings below.

  • With the toggle in the Add to investigation position, choose the investigation to be updated from the dropdown list and click Add to investigation. You will be redirected to the investigation parameters window. Change any parameter if required and save it. Learn more about these settings below.

Investigation parameters

In all the cases, you will be prompted to enter the details of the new investigation or edit the information on the investigation you decided to modify. The information of an investigation is divided into three different categories:

  • Details
  • Evidence
  • Investigation timeline

Saving, downloading and closing investigations

Remember to click the Save button at the top right corner of the area after performing any modification in an investigation, or creating a new one.

You can download a report with the investigation contents and close it by clicking the ellipsis icon next to the Save button.

Details

This is the basic information of your investigation and is located in the left panel of the New investigation screen.

NameEnter a name for the investigation.
ImportanceChoose the importance level of the investigation (Low, Medium or High).
ImpactImpact level of the investigation.
Status

Choose the status of the investigation between Active state, False positive, Closed, Open or Under review.

Assigned toChoose the user you want to assign the investigation to. This will be automatically assigned to your user by default, but you can assign the investigation to any other user selecting it from the dropdown list.
MITRE TacticsSelect the required Mitre ATT&CK tactics.
MITRE TechniquesSelect the required Mitre ATT&CK techniques.
DetailsEnter any details you consider necessary for the investigation.
Labels

Enter a word and hit the ENTER key to add it as a label. You can use labels to filter specific investigations in the Investigation area. 

Labels are also used in the Investigation label word cloud widget of the Overview Dashboard, which shows the most used labels.

Keywords

Enter a word and hit the ENTER key to add it as a keyword. You can use keywords to filter specific investigations in the Triage and Investigation areas. 

Evidence

This is the main section of the investigation, where users can check the alerts or hunting queries that have initiated the investigation. The alerts are stored in specific fields depending on the type.

Comments

Users can add comments related to the investigation in this section. A good practice is adding a comment here any time you make a modification to the investigation. Simply write the comment in the text field and click Add. New comments will appear first.

You can easily edit and delete comments by clicking the pencil and - icons.

Detections

If the investigation contains Detection-type alerts, you can check them here.

Observations

If the investigation contains Observationon-type alerts, you can check them here.

ModelsIf the investigation contains Model-type alerts, you can check them here.
Analytics

If the investigation contains Analytics-type alerts, you can check them here.

Related investigationsManually linked current investigations or investigations opened automatically by flows.
QueriesQueries obtained from hunting.
EnrichmentEnrichment obtained from the alerts involved in this investigation, from internal or external enrichment servers.
EntitiesEntities involved in this investigation.
AssociationsClick this button to check the associations of each entity involved in the investigation in a graph. This graph is the same that appears when you access the details of an alert in the Triage area. Learn more about it here.

Investigation Timeline

Users can check all the modifications or edits made to the investigation, and when they were made. The timeline at the top shows all the alerts involved so that you can compare incidences. You can display or hide any of each type of alerts using the buttons under the timeline. In the bottom area, you can check the events that occurred during the investigation, user comments, and when the alerts were thrown.

Filter investigations

You can use the filters at the top of the Investigations area to filter specific investigations.

  1. First, choose the time range you want to apply to your search by clicking the time selector at the top of the area. You can either choose an absolute time range selecting the start and end dates in the calendar or select a preset interval. You can also select a start date and activate the Now toggle to set the ending date to the current time. Click OK after choosing the time range. 

    You can click the arrow icon next to the OK button and click OK and filter to filter your data directly with the selected time range.

    After applying a specific time range, you can click the play button next to the selector to activate real-time. This will allow new results to keep appearing as time passes.

  2. Then, set the conditions you want to filter by. These are the available options:

    Importance

    Choose the importance of the filtered investigation (Low, Medium and/or High).

    Investigation name

    Filter investigations by name.

    Assigned to

    Select the user who was assigned the investigation.

    Entity / Filter value

    Choose the required type of entity from the drop-down list and enter the value you want to filter by. For example, if you want to get elements related to IP addresses that contain the value 10, choose ip from the Entity drop-down and enter the value 10 in the Filter value box. Click the + button to add the required entity/filter value pairs.

    StatusSelect the status of the investigations (Active state, Closed, False positive, Open and/or Under review).
  3. You can also select the Advanced Filters button to filter by the following criteria:

    Labels

    Enter the labels you want to filter by.

    Keywords

    Enter the keywords you want to filter by.

    ATT&CK Tactic

    Filter by one or several ATT&CK Tactics.

  4. Click Filter.

After applying the filter, the investigations that match the specified criteria will be listed below. You can access and edit their details by clicking their names. 

Manage filters

You can save commonly used filters to reuse them anytime, and set as favorite the one you use the most.

Default filter

If you access the Investigation area and have not applied any custom filter, a default filter will be always applied, which returns both alerts and investigations from the last 24 hours. 

Save a filter

Select the required criteria and click the save icon . Enter a name for the filter in the window that appears and click OK to save it. Click this icon  to access your saved filters.

Mark a filter as favorite

Click this icon  and select the heart next to the icon you want to mark as favorite. Note that you can only mark one filter as favorite.

If you start defining a new filter or start defining a new filter, you can click Reset filters to ❤ to set your favorite filter.

Delete a filter

Click this icon  and select the bin icon next to the saved filter you want to remove. Click OK in the confirmation window that appears.

Download as PDF

Did you find what you were looking for?

If not, please let us know what you need. Your feedback will help us to improve.

PREVIOUS
Triaging investigations
NEXT
Threat Hunting

Export

See what Devo can do for you. Request a demo!
Discover what's new (Release notes)
  • Services & Support
  • Devo.com
  • Contact
    • Contact Us
    • Request a Demo
    • Partner Inquiry
  • Log In
    • USA Devo
    • EU Devo
  • +1 888 6830910 (USA)
  • +34 900 838 880 (Spain)
Copyright © 2019 Legal Terms Privacy Policy Cookies Policy

Powered by Confluence and Scroll Viewport