Role permissions
The following table lists all the role permissions available in the Devo platform. Each permission has a View level and a Manage level, so that a custom role can be defined precisely in terms of the actions it allows. Select the required permission levels by checking the corresponding boxes. Read Managing roles to learn more about custom roles and permissions.
Remember that the Admin and Owner roles grant all the permissions, while the No Privileges role is limited to modifying the user's own settings, receiving alerts, using custom finders, viewing and creating dashboards, and a few other general actions. Permissions included in the No Privileges role are indicated in the last column of the table.
When building custom roles, treat the Manage level of Roles, Users, Domain authentication and the credential permissions (API keys, API v2 tokens, HTTP tokens and X.509 certs) as administrative: a user holding any of them can widen their own access or that of other users, or mint new credentials for the domain, so grant them only to roles whose members you would also trust with the Admin role.
An X in the View or Manage column means that the permission has no level of that type.

| Permission | View | Manage | Included in the No Privileges role? |
|---|---|---|---|
| Activeboards | The user can access the Activeboards area and view his/her own Activeboards | The user can access the Activeboards area and view, create, edit and delete his/her own Activeboards | |
| Aggregation tasks | Grants the user view-only access to the Aggregation Tasks tab in Administration → Data Management | Allows the user to edit, run/stop and delete tasks in the Aggregation Tasks tab of the Administration → Data Management area | |
| Alert configuration | Grants the user view-only access to the Administration → Alert Configuration area | Allows the user to view, create, modify and delete alert definitions in Administration → Alert Configuration. The user can also define new alerts after running a search | |
| Email delivery methods | Grants the user view-only access to the Email tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the Email tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new email delivery methods | |
| HTTP-JSON delivery methods | Grants the user view-only access to the HTTP-JSON tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the HTTP-JSON tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new HTTP-JSON delivery methods | |
| JIRA delivery methods | Grants the user view-only access to the JIRA tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the JIRA tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new JIRA delivery methods | |
| Pagerduty delivery methods | Grants the user view-only access to the Pagerduty tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the Pagerduty tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new Pagerduty delivery methods | |
| Pushover delivery methods | Grants the user view-only access to the Pushover tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the Pushover tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new Pushover delivery methods | |
| Service Desk delivery methods | Grants the user view-only access to the Service Desk tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the Service Desk tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new Service Desk delivery methods | |
| Slack delivery methods | Grants the user view-only access to the Slack tab in Administration → Alert Configuration → Delivery Methods | Grants the user access to the Slack tab in Administration → Alert Configuration → Delivery Methods, and the ability to view and create new Slack delivery methods | |
| API keys | Grants the user view-only access to the Access Keys tab in Administration → Credentials | Allows the user to view, generate and delete API keys in the Access Keys tab of the Administration → Credentials area | |
| API v2 tokens | Allows the user to view existing APIv2 tokens in the Authentication Tokens tab of the Administration → Credentials area | Allows the user to view, create, edit and delete APIv2 tokens in the Authentication Tokens tab of the Administration → Credentials area | |
| Applications | X | Grants the user access to Administration → Applications Gallery and the ability to enable or disable applications for the domain | |
| Custom tables | X | Allows the user to create and manage custom tables after running a search | |
| Dashboards | Allows the user to view his/her own Dashboards in the Dashboards area | Allows the user to view, create, modify and delete his/her own Dashboards in the Dashboards area | ✔ (Manage) |
| Data upload | X | Makes the Data Upload area available to the user so they can upload files from Dropbox or their local machine | |
| Domain authentication | Grants the user access to the Authentication tab in Preferences → Domain Preferences to view the authentication methods for domain logins | Grants the user access to the Authentication tab in Preferences → Domain Preferences and the ability to enable or disable authentication methods for domain logins | |
| Domain permalinks | The user can view all the domain permalinks in the Administration → Data Management → Permalinks area | Allows the user to view, modify and delete permalinks created by any user in the domain in the Administration → Data Management → Permalinks area | |
| Finders | Allows the user to access the Data Search → Explore Your Data area and use the default finder. You can also select a custom finder as the default one for the role in the drop-down box that appears after selecting this permission | Allows the user to access the Data Search → Explore Your Data area and use any available finder. The user can also create, modify and delete custom finders | ✔ (View) |
| Domain query history | The user can view the most recently accessed queries in the domain in Data Search → Query History | X | |
| Free text queries | X | Allows the user to run free text queries in Data Search → Explore Your Data → Free Text Query | |
| Global searches (not available if the global search feature is not enabled in your domain) | X | Allows the user to perform global searches in Data Search → Explore Your Data → Global Search | |
| Lookups | Allows the user to view upload lookups in the Lookup Management tab of the Data Search area. The user can also use these lookups to apply query operations in a search | The user can access the Lookup Management tab in the Data Search area to view, create, edit or delete upload lookups. The user can also use these lookups to apply query operations in a search | |
| Lookup restrictions | Allows the user to view, but not edit, the restrictions that dictate which tables a lookup can be used with, in Data Search → Lookup Management, by selecting the ellipsis menu of the required lookup and clicking Restrictions | Allows the user to view and define the restrictions that dictate which tables a lookup can be used with, in Data Search → Lookup Management, by selecting the ellipsis menu of the required lookup and clicking Restrictions | |
| Query lookups (not available if query lookups are not enabled in your domain) | The user can view query lookups in Data Search → Lookup Management and use them to apply query operations in a search | Allows the user to view, modify or delete query lookup tables in the Lookup Management tab of the Data Search area. The user can also define new query lookups in the search window after running a search and use them to apply query operations in a search | |
| Query management | Allows the user to view running queries in the Query Management tab of the Data Search area | Allows the user to view and manage running queries in the Query Management tab of the Data Search area | |
| First steps | Makes the First Steps welcome window appear each time the user logs in to the domain | Allows the user to stop the First Steps welcome window from appearing upon login | ✔ (View and Manage) |
| Help - Contact | Grants the user access to the Help → Customer Support menu for contacting Devo customer support | X | ✔ |
| Home area | Makes the Home area visible to the user | X | ✔ |
| Top 10 (Last 24h) widget | Allows the user to see the Top 10 (Last 24h) widget in the Home area and access the queries it shows | X | |
| HTTP tokens | Allows the user to view existing HTTP tokens in the Authentication Tokens tab of the Administration → Credentials area | Allows the user to view, create, enable/disable and delete HTTP tokens in the Authentication Tokens tab of the Administration → Credentials area | |
| Log autoparser | X | Allows the user to use the log autoparser on my.app tables that are not parsed | |
| My permalinks | Grants the user view-only access to the Permalinks tab in Administration → Data Management to view his/her own permalinks | Allows the user to access the Permalinks tab in Administration → Data Management to view, modify and delete his/her own permalinks. The user can also create new permalinks in the Dashboards area by selecting Share → Permalinks | |
| my.app injections | Allows the user to access Administration → Data Management → Injections and view injections | Allows the user to access Administration → Data Management → Injections and view, edit or delete injections. The user can also create new injection tasks after running a search | |
| Notifications | Makes the Notifications area available to the user | X | ✔ |
| OData | Allows the user to access the API & OData Feeds tab in Administration → Data Management to view the existing OData feeds | Allows the user to access the API & OData Feeds tab in Administration → Data Management to view, edit and delete OData feeds. The user can also define new OData feeds after running a search | |
| Own Flows | | | |
| Domain Flows | | | |
| Panels | Allows the user to view his/her own panels in the Panels area | Allows the user to view, create, modify and delete his/her own panels in the Panels area | |
| Preferences | X | Allows the user to edit his/her own preferences in Preferences → User Preferences. For users with the Admin role, this also allows them to edit the Domain Preferences | ✔ |
| Query priority (not available if the query priority feature is not enabled in your domain) | X | Allows the user to set both the default and maximum query priority for each new session. In the drop-down menus below the permission, you can set the allowed range for the role | |
| Relays | Grants the user view-only access to Administration → Relays | Allows the user to manage and delete relays in Administration → Relays | |
| Roles | Grants the user view-only access to Administration → Roles | Allows the user to create, modify and delete roles in Administration → Roles | |
| User resources | X | Allows the user to view, edit and delete all the domain resources (applications, dashboards...) | |
| Show/hide columns | X | Allows the user to edit the default column configuration of a data table and save it as the default one for the domain | |
| Social Intelligence | Makes the Social Intelligence area available to the user | X | ✔ |
| Tools | Gives the user access to a group of query tools | X | |
| Triggered alerts | Allows the user to access Alerts → Alerts Dashboard and see the triggered alerts. The user can also see the Alerts tab in the Preferences area | Allows the user to view and manage triggered alerts in Alerts → Alerts Dashboard. The user can also see the Alerts tab in the Preferences area | ✔ (View) |
| Unread domain alerts | X | Allows the user to reset the count of unread alerts for the entire domain in Alerts → Alerts History | |
| Users | Grants the user view-only access to Administration → Users | Allows the user to view, create, modify and delete users in Administration → Users | |
| Domain activity | Allows the user to view the list of recent activity in the domain in Administration → Users → User Activity | X | |
| Domain connections | Allows the user to view the list of last connections in the domain in Administration → Users → User Logins | X | |
| View Help - Social links | Makes the Devo social media links visible to the user in the Help area | X | ✔ |
| View profile | Allows the user to view his/her own user profile | X | ✔ |
| X.509 certs | Allows the user to view and download X.509 certificates in Administration → Credentials → X.509 Certificates | Allows the user to view, generate, download and delete X.509 certificates in Administration → Credentials → X.509 Certificates | |